On 14/07/2020 14.31, Jan Kara wrote: > On Mon 13-07-20 19:14:47, Ritesh Harjani wrote: >> On 7/13/20 6:28 PM, Jan Kara wrote: >>> From: Wolfgang Frisch >>> >>> When extent tree is corrupted we can hit BUG_ON in >>> ext4_es_cache_extent(). Check for this and abort caching instead of >>> crashing the machine. >> >> Was it intentionally made corrupted by crafting a corrupted disk image? > > I'm not sure how Wolfgang hit the issue. I'd expect some fs image > fuzzing... Wolfgang?The bug was discovered accidentally when we tried to use a physically defective USB flash drive. It was possible to partition and format the device but the subsequent mount operation unearthed this problem. As it was impossible to image the defective drive entirely, I used blktrace(8) to gather a minimal list of read operations executed by mount . A script then copied just the necessary blocks from the device into a sparse QCOW2 image that is attached to the original bug report [1]. >> Are there more such logic in place which checks for such corruption at other >> places? > > That's a good question. But now that I'm looking at it ext4_ext_check() > should actually catch a corruption like this. It is only the path in > ext4_find_extent()->ext4_cache_extents() that can face the issue so > probably instead of a fix in ext4_cache_extents() we should rather add more > careful extent info checks for the extents contained directly in the inode. > I'll look into it. That sounds very reasonable. I see you already implemented it! Best regards Wolfgang [1] https://bugzilla.suse.com/show_bug.cgi?id=1173485 -- Wolfgang Frisch Security Engineer OpenPGP fingerprint: A2E6 B7D4 53E9 544F BC13 D26B D9B3 56BD 4D4A 2D15 SUSE Software Solutions Germany GmbH Maxfeldstr. 5, 90409 Nuremberg, Germany (HRB 36809, AG Nürnberg) Managing Director: Felix Imendörffer