From: Vegard Nossum <vegard.nossum@oracle.com>
To: linux-ext4@vger.kernel.org, Michael Halcrow <mhalcrow@google.com>
Cc: Ildar Muslukhov <ildarm@google.com>, Jaegeuk Kim <jaegeuk@kernel.org>
Subject: kernel BUG at fs/ext4/inode.c:3709! (Re: open bugs found by fuzzing)
Date: Fri, 15 Jul 2016 15:39:19 +0200 [thread overview]
Message-ID: <5788E787.106@oracle.com> (raw)
In-Reply-To: <5787FFBA.70406@oracle.com>
On 07/14/2016 11:10 PM, Vegard Nossum wrote:
> 3. kernel BUG at fs/ext4/inode.c:3709!
> http://139.162.151.198/f/ext4/5bdefda69f39b2f2c56d9b67d5b7d9e2cc8dfd5f
I don't see any evidence of memory corruption here, so this one seems
pretty straightforward: we have an encrypted orphan inode and when we
try to truncate it during the orphan list cleanup it results in a BUG
because we haven't loaded the encryption key for it.
The inode in question has ->i_ino == 16 so I don't think this has
anything to do with special inodes.
Something quick and dirty like this does solve the BUG_ON() for me, but
it looks a lot like papering over an underlying bug:
diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
index 5a6277d..794b33a 100644
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -3735,9 +3735,11 @@ static int __ext4_block_zero_page_range(handle_t
*handle,
if (S_ISREG(inode->i_mode) &&
ext4_encrypted_inode(inode)) {
/* We expect the key to be set. */
- BUG_ON(!fscrypt_has_encryption_key(inode));
- BUG_ON(blocksize != PAGE_SIZE);
- WARN_ON_ONCE(fscrypt_decrypt_page(page));
+ if (list_empty(&EXT4_I(inode)->i_orphan)) {
+ BUG_ON(!fscrypt_has_encryption_key(inode));
+ BUG_ON(blocksize != PAGE_SIZE);
+ WARN_ON_ONCE(fscrypt_decrypt_page(page));
+ }
}
}
if (ext4_should_journal_data(inode)) {
I'm a bit puzzled that we're actually creating a mapping and trying to
decrypt here in the first place, since if this is an orphan inode that
is being recovered at mount time it means that we know _for sure_ that
there is no existing memory mappings and we're truncating it to 0.
Anyway, adding some Ccs.
Vegard
next prev parent reply other threads:[~2016-07-15 13:39 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-07-14 21:10 open bugs found by fuzzing Vegard Nossum
2016-07-15 13:39 ` Vegard Nossum [this message]
2016-07-15 17:24 ` kernel BUG at fs/ext4/inode.c:3709! (Re: open bugs found by fuzzing) Theodore Ts'o
2016-07-15 17:57 ` Vegard Nossum
2016-07-15 19:49 ` Theodore Ts'o
2016-07-16 16:15 ` Vegard Nossum
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5788E787.106@oracle.com \
--to=vegard.nossum@oracle.com \
--cc=ildarm@google.com \
--cc=jaegeuk@kernel.org \
--cc=linux-ext4@vger.kernel.org \
--cc=mhalcrow@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.