* [Bug 200127] New: Kernel crashes in xfs_alloc_get_freelist() when writing to a corrupted xfs image
From: bugzilla-daemon @ 2018-06-18 20:04 UTC
To: linux-xfs
https://bugzilla.kernel.org/show_bug.cgi?id=200127
Bug ID: 200127
Summary: Kernel crashes in xfs_alloc_get_freelist() when
writing to a corrupted xfs image
Product: File System
Version: 2.5
Kernel Version: 4.17
Hardware: All
OS: Linux
Tree: Mainline
Status: NEW
Severity: normal
Priority: P1
Component: XFS
Assignee: filesystem_xfs@kernel-bugs.kernel.org
Reporter: wen.xu@gatech.edu
Regression: No
Created attachment 276653
--> https://bugzilla.kernel.org/attachment.cgi?id=276653&action=edit
The (compressed) crafted image which causes crash
- Reproduce
# mkdir mnt
# mount -t xfs final.img mnt
# gcc -o poc poc.c
# ./poc ./mnt
- POC (poc.c)
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Open the pre-existing file foo/bar/baz on the crafted image, truncate it,
 * and write 517 bytes followed by a 32 KiB block of zeroes. Closing the fd
 * then flushes the dirty pages (xfs_file_release -> filemap_flush), which is
 * the path on which the crash below occurs. */
static void activity(const char *mpoint) {
    char *foo_bar_baz;
    static int buf[8192];
    memset(buf, 0, sizeof(buf));
    if (asprintf(&foo_bar_baz, "%s/foo/bar/baz", mpoint) < 0) {
        perror("asprintf");
        exit(1);
    }
    int fd = open(foo_bar_baz, O_RDWR | O_TRUNC, 0777);
    if (fd >= 0) {
        if (write(fd, buf, 517) < 0)
            perror("write");
        if (write(fd, buf, sizeof(buf)) < 0)
            perror("write");
        close(fd);
    } else {
        perror("open");
    }
    free(foo_bar_baz);
}

int main(int argc, char *argv[]) {
    if (argc != 2) {
        fprintf(stderr, "usage: %s <mountpoint>\n", argv[0]);
        return 1;
    }
    activity(argv[1]);
    return 0;
}
- Kernel message
[ 928.647644] XFS (loop0): Mounting V5 Filesystem
[ 928.695568] XFS (loop0): Ending clean mount
[ 930.628501] XFS (loop0): Corruption warning: Metadata has LSN (32:0) ahead of current LSN (1:237). Please unmount and run xfs_repair (>= v4.3) to resolve.
[ 930.628552] XFS (loop0): Metadata corruption detected at xfs_agfl_verify+0x1b3/0x1d0, xfs_agfl block 0x3
[ 930.630745] XFS (loop0): Unmount and run xfs_repair
[ 930.631766] XFS (loop0): First 128 bytes of corrupted metadata buffer:
[ 930.633147] 0000000014fe3de9: 58 41 46 4c 00 00 00 00 f8 b6 90 f9 45 76 45 29 XAFL........EvE)
[ 930.637675] 000000004dd0ed1c: b1 1a cc a5 61 96 39 9c 00 00 00 20 00 00 00 00 ....a.9.... ....
[ 930.639479] 000000001dc25501: 58 e5 62 3f 00 00 0e b3 00 00 0e b4 00 00 0e b5 X.b?............
[ 930.641303] 00000000b877670b: 00 00 0e b6 00 00 0e b7 00 00 0e b8 ff ff ff ff ................
[ 930.643108] 00000000152a84a5: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
[ 930.644892] 00000000ff2008d7: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
[ 930.646716] 00000000f060ca7a: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
[ 930.648502] 000000006b464d8a: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
[ 930.650359] XFS (loop0): metadata I/O error in "xfs_trans_read_buf_map" at daddr 0x3 len 1 error 117
[ 930.652270] XFS (loop0): page discard on page 0000000005fd24f3, inode 0x75e5, offset 0.
[ 930.654025]
==================================================================
[ 930.655513] BUG: KASAN: null-ptr-deref in xfs_alloc_get_freelist+0x115/0x350
[ 930.656938] Read of size 8 at addr 0000000000000028 by task a.out/1406
[ 930.658621] CPU: 0 PID: 1406 Comm: a.out Not tainted 4.17.0-rc4-kasan #2
[ 930.658624] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 930.658632] Call Trace:
[ 930.658644] dump_stack+0x7b/0xb5
[ 930.658653] kasan_report+0x10c/0x390
[ 930.658658] ? xfs_alloc_get_freelist+0x115/0x350
[ 930.658663] __asan_load8+0x54/0x90
[ 930.658668] xfs_alloc_get_freelist+0x115/0x350
[ 930.658674] ? xfs_free_agfl_block+0x90/0x90
[ 930.658679] ? xfs_alloc_space_available+0x128/0x170
[ 930.658689] xfs_alloc_fix_freelist+0x35b/0x830
[ 930.658698] ? __fput+0x17a/0x380
[ 930.658703] ? xfs_alloc_read_agf+0x340/0x340
[ 930.658707] ? kasan_check_write+0x14/0x20
[ 930.658711] ? new_slab+0x450/0x660
[ 930.658716] ? ___slab_alloc+0x26e/0x4b0
[ 930.658723] ? kasan_check_write+0x14/0x20
[ 930.658730] ? xfs_perag_get+0x4c/0xf0
[ 930.658735] ? xfs_alloc_vextent+0x1fa/0x990
[ 930.658740] xfs_alloc_vextent+0x215/0x990
[ 930.658746] xfs_bmap_extents_to_btree+0x30d/0x940
[ 930.658752] ? xfs_bmse_can_merge+0xb0/0xb0
[ 930.658758] ? percpu_counter_add_batch+0x22/0xa0
[ 930.658766] ? xfs_mod_fdblocks+0x77/0x220
[ 930.658775] __xfs_bunmapi+0x11d5/0x1430
[ 930.658782] ? xfs_bmapi_remap+0x750/0x750
[ 930.658789] ? io_serial_out+0x37/0x50
[ 930.658796] ? serial8250_console_write+0x215/0x480
[ 930.658801] ? serial8250_start_tx+0x370/0x370
[ 930.658805] ? __asan_loadN+0xf/0x20
[ 930.658809] ? xfs_bmapi_update_map+0x76/0x1c0
[ 930.658814] ? xfs_bmapi_read+0x4e8/0x620
[ 930.658822] ? _kstrtoull+0x7e/0x110
[ 930.658825] ? _parse_integer+0xb0/0xb0
[ 930.658832] ? vprintk_emit+0x373/0x450
[ 930.658837] xfs_bunmapi+0x2c/0x60
[ 930.658844] xfs_bmap_punch_delalloc_range+0x170/0x240
[ 930.658848] ? xfs_getbmap+0xe80/0xe80
[ 930.658852] ? kstrtoint+0x6c/0xd0
[ 930.658855] ? _kstrtol+0xc0/0xc0
[ 930.658861] ? xfs_emerg+0x170/0x170
[ 930.658871] ? down_write+0x41/0x50
[ 930.658876] xfs_aops_discard_page+0x178/0x1d0
[ 930.658881] xfs_do_writepage+0x90c/0x9d0
[ 930.658886] ? xfs_add_to_ioend+0x600/0x600
[ 930.658894] ? invalid_page_referenced_vma+0x130/0x130
[ 930.658899] ? pmdp_huge_clear_flush+0x10/0x10
[ 930.658903] ? percpu_counter_add_batch+0x22/0xa0
[ 930.658911] ? clear_page_dirty_for_io+0x334/0x450
[ 930.658916] write_cache_pages+0x3cd/0x770
[ 930.658922] ? iomap_dirty_actor+0x310/0x310
[ 930.658926] ? xfs_add_to_ioend+0x600/0x600
[ 930.658931] ? clear_page_dirty_for_io+0x450/0x450
[ 930.658935] ? up_write+0x16/0x40
[ 930.658939] ? xfs_iunlock+0x11a/0x150
[ 930.658946] ? xfs_file_fsync+0x460/0x460
[ 930.658951] xfs_vm_writepages+0xd3/0x130
[ 930.658954] ? xfs_vm_readpage+0xc0/0xc0
[ 930.658960] ? xfs_file_write_iter+0x16a/0x1a0
[ 930.658964] do_writepages+0x37/0xb0
[ 930.658970] __filemap_fdatawrite_range+0x19a/0x1f0
[ 930.658975] ? delete_from_page_cache_batch+0x4e0/0x4e0
[ 930.658981] ? may_open_dev+0x50/0x50
[ 930.658986] ? locks_remove_file+0x9f/0x2a0
[ 930.658991] filemap_flush+0x1c/0x20
[ 930.658995] xfs_release+0x1b7/0x1f0
[ 930.659000] xfs_file_release+0x15/0x20
[ 930.659003] __fput+0x17a/0x380
[ 930.659008] ____fput+0xe/0x10
[ 930.659015] task_work_run+0xc8/0xf0
[ 930.659023] exit_to_usermode_loop+0xf2/0x100
[ 930.659027] do_syscall_64+0x138/0x170
[ 930.659033] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 930.659050] RIP: 0033:0x7fb3beeb28f0
[ 930.659054] RSP: 002b:00007ffd93f35298 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
[ 930.659063] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007fb3beeb28f0
[ 930.659065] RDX: 0000000000008000 RSI: 0000000000601080 RDI: 0000000000000003
[ 930.659068] RBP: 00007ffd93f352d0 R08: 000000000102d010 R09: 0000000000000000
[ 930.659070] R10: 0000000000000690 R11: 0000000000000246 R12: 00000000004005c0
[ 930.659073] R13: 00007ffd93f353d0 R14: 0000000000000000 R15: 0000000000000000
[ 930.659077]
==================================================================
[ 930.660551] Disabling lock debugging due to kernel taint
[ 930.660672] BUG: unable to handle kernel NULL pointer dereference at 0000000000000028
[ 930.662391] PGD 80000001e5d10067 P4D 80000001e5d10067 PUD 1e5d11067 PMD 0
[ 930.663791] Oops: 0000 [#1] SMP KASAN PTI
[ 930.664637] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd soundcore i2c_piix4 mac_hid ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too qxl drm_kms_helper crct10dif_pclmul syscopyarea crc32_pclmul sysfillrect sysimgblt fb_sys_fops ttm aesni_intel drm aes_x86_64 crypto_simd cryptd glue_helper floppy 8139cp pata_acpi mii
[ 930.674527] CPU: 0 PID: 1406 Comm: a.out Tainted: G B 4.17.0-rc4-kasan #2
[ 930.676159] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 930.678079] RIP: 0010:xfs_alloc_get_freelist+0x119/0x350
[ 930.679157] RSP: 0018:ffff8801f3e66d08 EFLAGS: 00010282
[ 930.680222] RAX: ffff8801f1e02008 RBX: ffff8801f1e02000 RCX: 0000000000000000
[ 930.681668] RDX: 0000000000000000 RSI: 0000000000000297 RDI: 0000000000000297
[ 930.683109] RBP: ffff8801f3e66dd0 R08: ffffed003ee03ebb R09: ffffed003ee03ebb
[ 930.684546] R10: 0000000000000001 R11: ffffed003ee03eba R12: ffff8801f1741880
[ 930.685989] R13: ffff8801f3e66e58 R14: 0000000000000000 R15: 0000000000000000
[ 930.687431] FS: 00007fb3bf3a0700(0000) GS:ffff8801f7000000(0000) knlGS:0000000000000000
[ 930.689054] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 930.690226] CR2: 0000000000000028 CR3: 00000001e59ac000 CR4: 00000000000006f0
[ 930.691674] Call Trace:
[ 930.692200] ? xfs_free_agfl_block+0x90/0x90
[ 930.693076] ? xfs_alloc_space_available+0x128/0x170
[ 930.694106] xfs_alloc_fix_freelist+0x35b/0x830
[ 930.695040] ? __fput+0x17a/0x380
[ 930.695732] ? xfs_alloc_read_agf+0x340/0x340
[ 930.696630] ? kasan_check_write+0x14/0x20
[ 930.697477] ? new_slab+0x450/0x660
[ 930.698216] ? ___slab_alloc+0x26e/0x4b0
[ 930.699030] ? kasan_check_write+0x14/0x20
[ 930.699878] ? xfs_perag_get+0x4c/0xf0
[ 930.700655] ? xfs_alloc_vextent+0x1fa/0x990
[ 930.701537] xfs_alloc_vextent+0x215/0x990
[ 930.702396] xfs_bmap_extents_to_btree+0x30d/0x940
[ 930.703378] ? xfs_bmse_can_merge+0xb0/0xb0
[ 930.704242] ? percpu_counter_add_batch+0x22/0xa0
[ 930.705212] ? xfs_mod_fdblocks+0x77/0x220
[ 930.706070] __xfs_bunmapi+0x11d5/0x1430
[ 930.707302] ? xfs_bmapi_remap+0x750/0x750
[ 930.708158] ? io_serial_out+0x37/0x50
[ 930.708942] ? serial8250_console_write+0x215/0x480
[ 930.709970] ? serial8250_start_tx+0x370/0x370
[ 930.710891] ? __asan_loadN+0xf/0x20
[ 930.711637] ? xfs_bmapi_update_map+0x76/0x1c0
[ 930.712557] ? xfs_bmapi_read+0x4e8/0x620
[ 930.713394] ? _kstrtoull+0x7e/0x110
[ 930.714162] ? _parse_integer+0xb0/0xb0
[ 930.714965] ? vprintk_emit+0x373/0x450
[ 930.715768] xfs_bunmapi+0x2c/0x60
[ 930.716486] xfs_bmap_punch_delalloc_range+0x170/0x240
[ 930.717544] ? xfs_getbmap+0xe80/0xe80
[ 930.718338] ? kstrtoint+0x6c/0xd0
[ 930.719049] ? _kstrtol+0xc0/0xc0
[ 930.719746] ? xfs_emerg+0x170/0x170
[ 930.720496] ? down_write+0x41/0x50
[ 930.721230] xfs_aops_discard_page+0x178/0x1d0
[ 930.722164] xfs_do_writepage+0x90c/0x9d0
[ 930.723000] ? xfs_add_to_ioend+0x600/0x600
[ 930.723871] ? invalid_page_referenced_vma+0x130/0x130
[ 930.724931] ? pmdp_huge_clear_flush+0x10/0x10
[ 930.725868] ? percpu_counter_add_batch+0x22/0xa0
[ 930.726842] ? clear_page_dirty_for_io+0x334/0x450
[ 930.727832] write_cache_pages+0x3cd/0x770
[ 930.728686] ? iomap_dirty_actor+0x310/0x310
[ 930.729569] ? xfs_add_to_ioend+0x600/0x600
[ 930.730454] ? clear_page_dirty_for_io+0x450/0x450
[ 930.731447] ? up_write+0x16/0x40
[ 930.732143] ? xfs_iunlock+0x11a/0x150
[ 930.732927] ? xfs_file_fsync+0x460/0x460
[ 930.733774] xfs_vm_writepages+0xd3/0x130
[ 930.734611] ? xfs_vm_readpage+0xc0/0xc0
[ 930.735434] ? xfs_file_write_iter+0x16a/0x1a0
[ 930.736356] do_writepages+0x37/0xb0
[ 930.737107] __filemap_fdatawrite_range+0x19a/0x1f0
[ 930.738126] ? delete_from_page_cache_batch+0x4e0/0x4e0
[ 930.739208] ? may_open_dev+0x50/0x50
[ 930.739976] ? locks_remove_file+0x9f/0x2a0
[ 930.740843] filemap_flush+0x1c/0x20
[ 930.741608] xfs_release+0x1b7/0x1f0
[ 930.757355] xfs_file_release+0x15/0x20
[ 930.758172] __fput+0x17a/0x380
[ 930.758835] ____fput+0xe/0x10
[ 930.759480] task_work_run+0xc8/0xf0
[ 930.760231] exit_to_usermode_loop+0xf2/0x100
[ 930.761137] do_syscall_64+0x138/0x170
[ 930.761933] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 930.762975] RIP: 0033:0x7fb3beeb28f0
[ 930.763719] RSP: 002b:00007ffd93f35298 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
[ 930.765265] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007fb3beeb28f0
[ 930.766727] RDX: 0000000000008000 RSI: 0000000000601080 RDI: 0000000000000003
[ 930.768177] RBP: 00007ffd93f352d0 R08: 000000000102d010 R09: 0000000000000000
[ 930.769623] R10: 0000000000000690 R11: 0000000000000246 R12: 00000000004005c0
[ 930.771085] R13: 00007ffd93f353d0 R14: 0000000000000000 R15: 0000000000000000
[ 930.772540] Code: 1c 25 28 00 00 00 0f 85 4f 02 00 00 48 81 c4 a0 00 00 00 5b 41 5c 41 5d 41 5e 41 5f 5d c3 49 8d 7f 28 e8 ab a2 da ff 48 8d 43 08 <4d> 8b 77 28 48 89 c7 48 89 85 50 ff ff ff e8 94 a1 da ff 8b 53
[ 930.776398] RIP: xfs_alloc_get_freelist+0x119/0x350 RSP: ffff8801f3e66d08
[ 930.777790] CR2: 0000000000000028
[ 930.778588] ---[ end trace b21925e6ee7e4fcf ]---
Reported by Wen Xu from SSLab at Gatech.
--
You are receiving this mail because:
You are watching the assignee of the bug.
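As an added example (not part of the bug report or of the XFS code), the following C program decodes the 128-byte AGFL buffer the kernel dumped above and applies a simplified form of two checks that xfs_agfl_verify() performs, the "XAFL" magic and the log-LSN sanity check, then walks the free-list entries. It assumes the V5 on-disk layout of struct xfs_agfl (magic, seqno, uuid, lsn, crc, then big-endian 32-bit entries) and takes the current log LSN (1:237) from the same kernel message; CRC verification is left out.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define XFS_AGFL_MAGIC 0x5841464cu  /* "XAFL" */
#define NULLAGBLOCK    0xffffffffu  /* empty free-list slot */
#define AGFL_HDR_LEN   36           /* magic(4) seqno(4) uuid(16) lsn(8) crc(4) */

/* First 64 bytes exactly as printed in the kernel message; the dump's remaining 64 bytes are all 0xff. */
static const uint8_t dump_head[64] = {
    0x58,0x41,0x46,0x4c, 0x00,0x00,0x00,0x00, 0xf8,0xb6,0x90,0xf9, 0x45,0x76,0x45,0x29,
    0xb1,0x1a,0xcc,0xa5, 0x61,0x96,0x39,0x9c, 0x00,0x00,0x00,0x20, 0x00,0x00,0x00,0x00,
    0x58,0xe5,0x62,0x3f, 0x00,0x00,0x0e,0xb3, 0x00,0x00,0x0e,0xb4, 0x00,0x00,0x0e,0xb5,
    0x00,0x00,0x0e,0xb6, 0x00,0x00,0x0e,0xb7, 0x00,0x00,0x0e,0xb8, 0xff,0xff,0xff,0xff,
};

static uint32_t be32(const uint8_t *p) { return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }

/* Rebuilds the 128-byte buffer from the log (constructed test input, not read from a device). */
const uint8_t *dump(void) {
    static uint8_t buf[128];
    memcpy(buf, dump_head, sizeof dump_head);
    memset(buf + sizeof dump_head, 0xff, sizeof buf - sizeof dump_head);
    return buf;
}

/* 0 = header passes; bit 1 = bad magic; bit 2 = agfl_lsn ahead of the log head (cur_cycle:cur_block). */
int agfl_verify(const uint8_t *buf, uint32_t cur_cycle, uint32_t cur_block) {
    uint32_t cycle = be32(buf + 24), block = be32(buf + 28);  /* __be64 agfl_lsn at offset 24 */
    int bad = (be32(buf) != XFS_AGFL_MAGIC) ? 1 : 0;
    if (cycle > cur_cycle || (cycle == cur_cycle && block > cur_block)) bad |= 2;
    return bad;
}

/* Entry i of agfl_bno[], or NULLAGBLOCK if it lies outside the buffer. */
uint32_t agfl_entry(const uint8_t *buf, size_t len, size_t i) {
    size_t off = AGFL_HDR_LEN + 4 * i;
    return off + 4 <= len ? be32(buf + off) : NULLAGBLOCK;
}

/* Leading in-use slots before the first NULLAGBLOCK sentinel. */
int agfl_count_used(const uint8_t *buf, size_t len) {
    int n = 0;
    while (agfl_entry(buf, len, (size_t)n) != NULLAGBLOCK) n++;
    return n;
}

int main(void) {
    const uint8_t *b = dump();
    printf("verify=%d used=%d first=0x%x\n", agfl_verify(b, 1, 237), agfl_count_used(b, 128), agfl_entry(b, 128, 0));
    return 0;
}
```

Against the dumped buffer the magic is intact but the LSN cycle (32) is ahead of the log head (cycle 1), which is exactly the "Metadata has LSN (32:0) ahead of current LSN (1:237)" warning above.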