* [PATCH] ext4: Add extend check to prevent BUG() in ext4_es_end @ 2022-09-30 20:25 Tadeusz Struk 2022-10-11 18:38 ` Tadeusz Struk 0 siblings, 1 reply; 3+ messages in thread From: Tadeusz Struk @ 2022-09-30 20:25 UTC (permalink / raw) To: Theodore Ts'o Cc: Tadeusz Struk, Andreas Dilger, linux-ext4, linux-kernel, stable, syzbot+a22dc4b0744ac658ed9b Syzbot reported an issue with ext4 extents. The reproducer creates a corrupted ext4 fs image in memory, and mounts it as a loop device. It invokes the ext4_cache_extents() and ext4_find_extent(), which eventually triggers a BUG() in ext4_es_end() causing a kernel crash. It triggers on mainline, and every kernel version back to v4.14. Add a call ext4_ext_check_inode() in ext4_find_extent() to prevent the crash. To: "Theodore Ts'o" <tytso@mit.edu> Cc: "Andreas Dilger" <adilger.kernel@dilger.ca> Cc: <linux-ext4@vger.kernel.org> Cc: <linux-kernel@vger.kernel.org> Cc: <stable@vger.kernel.org> Link: https://syzkaller.appspot.com/bug?id=641e7a4b900015c5d7a729d6cc1fba7a928a88f9 Reported-by: syzbot+a22dc4b0744ac658ed9b@syzkaller.appspotmail.com Signed-off-by: Tadeusz Struk <tadeusz.struk@linaro.org> --- fs/ext4/extents.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c index 5235974126bd..c7b5a11e1abc 100644 --- a/fs/ext4/extents.c +++ b/fs/ext4/extents.c @@ -897,6 +897,12 @@ ext4_find_extent(struct inode *inode, ext4_lblk_t block, goto err; } + ret = ext4_ext_check_inode(inode); + if (ret) { + EXT4_ERROR_INODE(inode, "inode has invalid extent"); + goto err; + } + if (path) { ext4_ext_drop_refs(path); if (depth > path[0].p_maxdepth) { -- 2.37.3 ^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH] ext4: Add extend check to prevent BUG() in ext4_es_end 2022-09-30 20:25 [PATCH] ext4: Add extend check to prevent BUG() in ext4_es_end Tadeusz Struk @ 2022-10-11 18:38 ` Tadeusz Struk 2022-11-28 21:16 ` Theodore Ts'o 0 siblings, 1 reply; 3+ messages in thread From: Tadeusz Struk @ 2022-10-11 18:38 UTC (permalink / raw) To: Theodore Ts'o Cc: Andreas Dilger, linux-ext4, linux-kernel, stable, syzbot+a22dc4b0744ac658ed9b On 9/30/22 13:25, Tadeusz Struk wrote: > Syzbot reported an issue with ext4 extents. The reproducer creates > a corrupted ext4 fs image in memory, and mounts it as a loop device. > It invokes the ext4_cache_extents() and ext4_find_extent(), which > eventually triggers a BUG() in ext4_es_end() causing a kernel crash. > It triggers on mainline, and every kernel version back to v4.14. > Add a call ext4_ext_check_inode() in ext4_find_extent() to prevent > the crash. > > To: "Theodore Ts'o"<tytso@mit.edu> > Cc: "Andreas Dilger"<adilger.kernel@dilger.ca> > Cc:<linux-ext4@vger.kernel.org> > Cc:<linux-kernel@vger.kernel.org> > Cc:<stable@vger.kernel.org> > > Link:https://syzkaller.appspot.com/bug?id=641e7a4b900015c5d7a729d6cc1fba7a928a88f9 > Reported-by:syzbot+a22dc4b0744ac658ed9b@syzkaller.appspotmail.com > Signed-off-by: Tadeusz Struk<tadeusz.struk@linaro.org> Hi, Any comments/feedback on this one? -- Thanks, Tadeusz ^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] ext4: Add extend check to prevent BUG() in ext4_es_end 2022-10-11 18:38 ` Tadeusz Struk @ 2022-11-28 21:16 ` Theodore Ts'o 0 siblings, 0 replies; 3+ messages in thread From: Theodore Ts'o @ 2022-11-28 21:16 UTC (permalink / raw) To: Tadeusz Struk Cc: Andreas Dilger, linux-ext4, linux-kernel, stable, syzbot+a22dc4b0744ac658ed9b On Tue, Oct 11, 2022 at 11:38:37AM -0700, Tadeusz Struk wrote: > On 9/30/22 13:25, Tadeusz Struk wrote: > > Syzbot reported an issue with ext4 extents. The reproducer creates > > a corrupted ext4 fs image in memory, and mounts it as a loop device. > > It invokes the ext4_cache_extents() and ext4_find_extent(), which > > eventually triggers a BUG() in ext4_es_end() causing a kernel crash. > > It triggers on mainline, and every kernel version back to v4.14. > > Add a call ext4_ext_check_inode() in ext4_find_extent() to prevent > > the crash. > > > > To: "Theodore Ts'o"<tytso@mit.edu> > > Cc: "Andreas Dilger"<adilger.kernel@dilger.ca> > > Cc:<linux-ext4@vger.kernel.org> > > Cc:<linux-kernel@vger.kernel.org> > > Cc:<stable@vger.kernel.org> > > > > Link:https://syzkaller.appspot.com/bug?id=641e7a4b900015c5d7a729d6cc1fba7a928a88f9 > > Reported-by:syzbot+a22dc4b0744ac658ed9b@syzkaller.appspotmail.com > > Signed-off-by: Tadeusz Struk<tadeusz.struk@linaro.org> > > Any comments/feedback on this one? Hi, I can't replicate the problem using the syzkaller repro: root@kvm-xfstests:/vdc# /vtmp/repro [ 14.840406] loop0: detected capacity change from 0 to 1051 [ 14.840965] EXT4-fs (loop0): ext4_check_descriptors: Checksum for group 0 failed (60935!=0) [ 14.841468] EXT4-fs error (device loop0): ext4_ext_check_inode:520: inode #2: comm repro: pblk 0 bad header/extent: invalid magic - magic 9fe4, entries 42, max 0(0), depth 0(0) [ 14.842188] EXT4-fs (loop0): get root inode failed [ 14.842401] EXT4-fs (loop0): mount failed And by inspection, if there is a corrupted inode, it should have been caught much sooner, in ext4_iget(): } else if (!ext4_has_inline_data(inode)) { /* validate the block references in the inode */ if (!(EXT4_SB(sb)->s_mount_state & EXT4_FC_REPLAY) && (S_ISREG(inode->i_mode) || S_ISDIR(inode->i_mode) || (S_ISLNK(inode->i_mode) && !ext4_inode_is_fast_symlink(inode)))) { if (ext4_test_inode_flag(inode, EXT4_INODE_EXTENTS)) ret = ext4_ext_check_inode(inode); else ret = ext4_ind_check_inode(inode); } } if (ret) goto bad_inode; ... and this check has been around for quite some time. It's much more efficient to check for a corrupted inode data structure at the time when the inode is read into memory, as opposed to every single time we try to lookup a logical->physical block map, in ext4_find_extent(). If you can reproduce a failure on a modern kernel, please let me know, but it looks like syzkaller had only reported it on androd-54, android-5-10, linux-4.14, and linux-4.19 in any case. Cheers, - Ted ^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2022-11-28 21:16 UTC | newest] Thread overview: 3+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2022-09-30 20:25 [PATCH] ext4: Add extend check to prevent BUG() in ext4_es_end Tadeusz Struk 2022-10-11 18:38 ` Tadeusz Struk 2022-11-28 21:16 ` Theodore Ts'o
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).