From: Sami Liedes <sami.liedes@iki.fi>
To: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
Cc: linux-fsdevel@vger.kernel.org
Subject: Intentionally corrupted vfat fs causing BUG
Date: Fri, 10 Oct 2014 23:57:06 +0300
Message-ID: <20141010205706.GJ27150@sli.dy.fi>
Hi!
I ran some fuzz tests on a vfat filesystem on 3.17 and found a
filesystem that differs from a pristine filesystem by one bit and
causes a kernel BUG. This seems to be an old bug; I can also replicate
it on a 3.3.4 kernel I happened to have lying around.
The set of operations I run for filesystems is this:
mount $TARGET_DEV /mnt -t vfat
cd /mnt
timeout 30 cp -r doc doc2 >&/dev/null
timeout 30 find -xdev >&/dev/null
timeout 30 find -xdev -print0 2>/dev/null |xargs -0 touch -- >&/dev/null
timeout 30 mkdir tmp >&/dev/null
timeout 30 echo whoah >tmp/filu >&/dev/null
timeout 30 rm -rf /mnt/* >&/dev/null
cd /
umount /mnt
The backtrace seems to indicate that the BUG happens at the rm phase.
You can get the pristine filesystem from
http://www.niksula.hut.fi/~sliedes/vfat/testimg.vfat.bz2
The broken filesystem is at
http://www.niksula.hut.fi/~sliedes/vfat/testimg.vfat.24.min.bz2
The only difference is this one bit:
--- /dev/fd/63 2014-10-10 23:23:09.424422610 +0300
+++ /dev/fd/62 2014-10-10 23:23:09.424422610 +0300
@@ -1977,7 +1977,7 @@
0008d230 08 39 08 39 00 00 bc 0d 08 39 13 00 00 00 00 00 |.9.9.....9......|
0008d240 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
-0008da00 2e 20 20 20 20 20 20 20 20 20 20 10 00 00 bc 0d |. .....|
+0008da00 2e 20 20 20 20 20 20 20 20 20 60 10 00 00 bc 0d |. `.....|
0008da10 08 39 08 39 00 00 bc 0d 08 39 0b 01 00 00 00 00 |.9.9.....9......|
0008da20 2e 2e 20 20 20 20 20 20 20 20 20 10 00 00 bc 0d |.. .....|
0008da30 08 39 08 39 00 00 bc 0d 08 39 13 00 00 00 00 00 |.9.9.....9......|
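Review bot: the flipped byte sits at offset 0x8da0a, inside the 32-byte directory entry that starts at 0x8da00: it is the eleventh and last byte of the short name, changed from 0x20 (the space padding of the "." name) to 0x60, while the attribute byte 0x10 (directory) right after it and the rest of the entry are untouched. 0x20 xor 0x60 is 0x40, a single bit, which matches the one-bit difference described above; the ".." entry at 0x8da20 is unchanged.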
Backtrace on 3.17:
[ 1.363073] ------------[ cut here ]------------
[ 1.363437] kernel BUG at fs/namei.c:2430!
[ 1.363749] invalid opcode: 0000 [#1] SMP
[ 1.364088] CPU: 0 PID: 889 Comm: rm Not tainted 3.17.0+ #32
[ 1.364517] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014
[ 1.365291] task: ffff880000066360 ti: ffff8800063b0000 task.ti: ffff8800063b0000
[ 1.365813] RIP: 0010:[<ffffffff8116c998>] [<ffffffff8116c998>] may_delete+0x128/0x140
[ 1.365813] RSP: 0018:ffff8800063b3e38 EFLAGS: 00010293
[ 1.365813] RAX: ffff8800065cf120 RBX: ffff8800065cf240 RCX: ffff8800000663b0
[ 1.365813] RDX: 0000000000000001 RSI: ffff8800065cf240 RDI: ffff880006631858
[ 1.365813] RBP: ffff8800063b3e58 R08: 0000000000000000 R09: 0000000000000001
[ 1.365813] R10: 0000000000000000 R11: 0000000000000044 R12: ffff8800066313b0
[ 1.365813] R13: ffff880006631858 R14: 0000000000000007 R15: 00000000fffffffe
[ 1.365813] FS: 0000000000000000(0000) GS:ffff880007c00000(0063) knlGS:00000000f7609940
[ 1.365813] CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
[ 1.365813] CR2: 00000000ff967000 CR3: 000000000637f000 CR4: 00000000000006b0
[ 1.365813] Stack:
[ 1.365813] ffff8800065cf240 0000000000000000 ffff880006631858 0000000000000007
[ 1.365813] ffff8800063b3e80 ffffffff81173699 ffff880006334000 0000000000000000
[ 1.365813] 0000000008faf1e4 ffff8800063b3f68 ffffffff81173905 ffff8800065cf240
[ 1.365813] Call Trace:
[ 1.365813] [<ffffffff81173699>] vfs_rmdir+0x19/0xf0
[ 1.365813] [<ffffffff81173905>] do_rmdir+0x195/0x1d0
[ 1.365813] [<ffffffff810aa11d>] ? trace_hardirqs_on_caller+0x15d/0x200
[ 1.365813] [<ffffffff8165e9cb>] ? trace_hardirqs_on_thunk+0x3a/0x3f
[ 1.365813] [<ffffffff81173d95>] SyS_unlinkat+0x25/0x40
[ 1.365813] [<ffffffff8188e888>] sysenter_dispatch+0x7/0x2a
[ 1.365813] Code: 41 5e 5d c3 0f 1f 80 00 00 00 00 b8 ff ff ff ff eb c4 90 0f 0b 66 0f 1f 44 00 00 48 39 5b 40 75 a2 b8 f0 ff ff ff eb ae 0f 1f 00 <0f> 0b 66 0f 1f 44 00 00 b8 fe ff ff ff eb 9c 66 0f 1f 84 00 00
[ 1.365813] RIP [<ffffffff8116c998>] may_delete+0x128/0x140
[ 1.365813] RSP <ffff8800063b3e38>
[ 1.378725] ---[ end trace 15817999647273ef ]---
[ 1.379086] Kernel panic - not syncing: Fatal exception
[ 1.379592] Kernel Offset: 0x0 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffff9fffffff)
[ 1.380349] Rebooting in 1 seconds..
Sami
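As an added example (not part of the report or of the kernel's fat driver), a small parser for the 32-byte FAT short directory entries shown in the hexdump above, with a check that the first two entries of a subdirectory are the "." and ".." entries a driver relies on; the sample bytes are copied from the hexdump, and the function names are my own.

```python
import struct

ENTRY_SIZE = 32
ATTR_DIRECTORY = 0x10  # FAT attribute bit marking a directory entry

def parse_short_entry(raw):
    """Decode one 32-byte FAT short-name (8.3) directory entry."""
    if len(raw) != ENTRY_SIZE:
        raise ValueError("directory entry must be exactly 32 bytes")
    # name[11] attr[1] <8 bytes NT/time fields> cluster-high <4 bytes> cluster-low size
    name, attr, clus_hi, clus_lo, size = struct.unpack("<11sB8xH4xHI", raw)
    return {"name": name, "attr": attr,
            "cluster": (clus_hi << 16) | clus_lo, "size": size}

def check_dot_entries(dir_bytes):
    """Validate the '.' and '..' entries that must open a FAT subdirectory.
    Returns a list of problem strings; an empty list means both look sane."""
    problems = []
    expected = [b".".ljust(11), b"..".ljust(11)]  # 8.3 names are space padded
    for i, want in enumerate(expected):
        ent = parse_short_entry(dir_bytes[i * ENTRY_SIZE:(i + 1) * ENTRY_SIZE])
        if ent["name"] != want:
            problems.append("entry %d: name %r, expected %r" % (i, ent["name"], want))
        if not ent["attr"] & ATTR_DIRECTORY:
            problems.append("entry %d: attr 0x%02x lacks ATTR_DIRECTORY" % (i, ent["attr"]))
        if ent["size"] != 0:
            problems.append("entry %d: directory with non-zero size %d" % (i, ent["size"]))
    return problems

def differing_bits(a, b):
    """Number of bit positions in which two equal-length byte strings differ."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

# The '.' and '..' entries at image offset 0x8da00, copied from the hexdump in
# the report above (pristine image first, then the fuzzed image).
PRISTINE = bytes.fromhex(
    "2e 20 20 20 20 20 20 20 20 20 20 10 00 00 bc 0d 08 39 08 39 00 00 bc 0d 08 39 0b 01 00 00 00 00"
    "2e 2e 20 20 20 20 20 20 20 20 20 10 00 00 bc 0d 08 39 08 39 00 00 bc 0d 08 39 13 00 00 00 00 00")
CORRUPTED = bytes.fromhex(
    "2e 20 20 20 20 20 20 20 20 20 60 10 00 00 bc 0d 08 39 08 39 00 00 bc 0d 08 39 0b 01 00 00 00 00"
    "2e 2e 20 20 20 20 20 20 20 20 20 10 00 00 bc 0d 08 39 08 39 00 00 bc 0d 08 39 13 00 00 00 00 00")

if __name__ == "__main__":
    print("pristine:", check_dot_entries(PRISTINE) or "ok")
    print("corrupted:", check_dot_entries(CORRUPTED))
    print("bits differing:", differing_bits(PRISTINE, CORRUPTED))
```

Run against a whole directory cluster read from an image, the same check flags a subdirectory whose dot entries no longer match before a driver has to cope with it.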