From: bugzilla-daemon@bugzilla.kernel.org
To: linux-ext4@vger.kernel.org
Subject: [Bug 202879] Segmentation fault while running crafted program
Date: Thu, 14 Mar 2019 00:43:13 +0000
Message-ID: <bug-202879-13602-XWaAmVffIR@https.bugzilla.kernel.org/>
In-Reply-To: <bug-202879-13602@https.bugzilla.kernel.org/>

https://bugzilla.kernel.org/show_bug.cgi?id=202879

Jungyeon (jungyeon@gatech.edu) changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
     Kernel Version|5.0-rc8                     |5.0.0

--- Comment #6 from Jungyeon (jungyeon@gatech.edu) ---
Sorry for my lack of explanation.
Yes, LKL is Linux Kernel Library. poc-01.c is a program that calls a list of
system calls in userspace, and the crafted image is a potentially faulty image to
test error cases.

We are going to release our source code shortly so that you can build the
ext4-combined binary. We need to do some clean-up inside the code before making it public.

I'm attaching the stack dump at the end.
The problem here is that bh is NULL at the very start of this function, so
it leads to an error on J_ASSERT_JH(jh, jh->b_jcount >= 0).
To get the stack dump, I temporarily inserted a BUG_ON on the condition of jh
being NULL.

Additionally, I used Linux version 5.0.0+ for this trace (and in the linked
ext4-combined binary).

2534 static void __journal_remove_journal_head(struct buffer_head *bh)
2535 {
2536     struct journal_head *jh = bh2jh(bh);
2537 
2538     BUG_ON(jh == NULL);
2539     J_ASSERT_JH(jh, jh->b_jcount >= 0);
2540     J_ASSERT_JH(jh, jh->b_transaction == NULL);
2541     J_ASSERT_JH(jh, jh->b_next_transaction == NULL);
2542     J_ASSERT_JH(jh, jh->b_cp_transaction == NULL);
2543     J_ASSERT_JH(jh, jh->b_jlist == BJ_None);
2544     J_ASSERT_BH(bh, buffer_jbd(bh));
2545     J_ASSERT_BH(bh, jh2bh(jh) == bh);
2546     BUFFER_TRACE(bh, "remove journal_head");
2547     if (jh->b_frozen_data) {
2548         printk(KERN_WARNING "%s: freeing b_frozen_data\n", __func__);
2549         jbd2_free(jh->b_frozen_data, bh->b_size);
2550     }


- Stack dump
[    0.089081] BUG: failure at fs/jbd2/journal.c:2538/__journal_remove_journal_head()!
[    0.089096] Kernel panic - not syncing: BUG!
[    0.089101] Call Trace:
[    0.089110] (____ptrval____):  [<55555559bc94>] .LC81+0x5f/0xfb
[    0.089118] (____ptrval____):  [<5555555c6025>] major_names+0x75/0x80
[    0.089125] (____ptrval____):  [<5555555978f4>] .LC11+0x14/0x20
[    0.089133] (____ptrval____):  [<5555556b1e40>] submit_bh+0x40/0x50
[    0.089141] (____ptrval____):  [<55555580286d>] jbd2_journal_put_journal_head+0x6cd/0x6d0
[    0.089147] (____ptrval____):  [<5555557ec6e8>] __jbd2_journal_refile_buffer+0x2d8/0x3c0
[    0.089153] (____ptrval____):  [<5555557f641a>] __jbd2_journal_remove_checkpoint+0x17a/0x2f0
[    0.089164] (____ptrval____):  [<5555557eff12>] jbd2_journal_commit_transaction+0x2fc2/0x3fc0
[    0.089173] (____ptrval____):  [<555555597353>] .LC18+0x3/0x10
[    0.089181] (____ptrval____):  [<5555555b8fb9>] try_to_wake_up+0x169/0x190
[    0.089190] (____ptrval____):  [<5555558031be>] kjournald2+0x34e/0x400
[    0.089199] (____ptrval____):  [<5555555bfd30>] autoremove_wake_function+0x0/0x40
[    0.089206] (____ptrval____):  [<5555555978f4>] .LC11+0x14/0x20
[    0.089214] (____ptrval____):  [<5555555b3acb>] kthread+0x15b/0x170
[    0.089221] (____ptrval____):  [<555555802e70>] kjournald2+0x0/0x400
[    0.089228] (____ptrval____):  [<5555555b3970>] kthread+0x0/0x170
[    0.089237] (____ptrval____):  [<5555555970ab>] uidhash_table+0x3b/0x40

Thanks.
