lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CABymUCN+NSzkunRqFs8LgqjT6vXz-gyyZYn0hQWf8V9kmcO0Hw@mail.gmail.com>
Date:   Fri, 18 Nov 2022 12:26:49 +0800
From:   Jun Nie <jun.nie@...aro.org>
To:     Ye Bin <yebin@...weicloud.com>
Cc:     tytso@....edu, adilger.kernel@...ger.ca,
        linux-ext4@...r.kernel.org, linux-kernel@...r.kernel.org,
        jack@...e.cz, Ye Bin <yebin10@...wei.com>,
        syzbot+4faa160fa96bfba639f8@...kaller.appspotmail.com
Subject: Re: [PATCH] ext4: fix kernel BUG in 'ext4_write_inline_data_end()'

Ye Bin <yebin@...weicloud.com> 于2022年11月18日周五 10:30写道:
>
> From: Ye Bin <yebin10@...wei.com>
>
> Syzbot report follow issue:
> ------------[ cut here ]------------
> kernel BUG at fs/ext4/inline.c:227!
> invalid opcode: 0000 [#1] PREEMPT SMP KASAN
> CPU: 1 PID: 3629 Comm: syz-executor212 Not tainted 6.1.0-rc5-syzkaller-00018-g59d0d52c30d4 #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
> RIP: 0010:ext4_write_inline_data+0x344/0x3e0 fs/ext4/inline.c:227
> RSP: 0018:ffffc90003b3f368 EFLAGS: 00010293
> RAX: 0000000000000000 RBX: ffff8880704e16c0 RCX: 0000000000000000
> RDX: ffff888021763a80 RSI: ffffffff821e31a4 RDI: 0000000000000006
> RBP: 000000000006818e R08: 0000000000000006 R09: 0000000000068199
> R10: 0000000000000079 R11: 0000000000000000 R12: 000000000000000b
> R13: 0000000000068199 R14: ffffc90003b3f408 R15: ffff8880704e1c82
> FS:  000055555723e3c0(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007fffe8ac9080 CR3: 0000000079f81000 CR4: 0000000000350ee0
> Call Trace:
>  <TASK>
>  ext4_write_inline_data_end+0x2a3/0x12f0 fs/ext4/inline.c:768
>  ext4_write_end+0x242/0xdd0 fs/ext4/inode.c:1313
>  ext4_da_write_end+0x3ed/0xa30 fs/ext4/inode.c:3063
>  generic_perform_write+0x316/0x570 mm/filemap.c:3764
>  ext4_buffered_write_iter+0x15b/0x460 fs/ext4/file.c:285
>  ext4_file_write_iter+0x8bc/0x16e0 fs/ext4/file.c:700
>  call_write_iter include/linux/fs.h:2191 [inline]
>  do_iter_readv_writev+0x20b/0x3b0 fs/read_write.c:735
>  do_iter_write+0x182/0x700 fs/read_write.c:861
>  vfs_iter_write+0x74/0xa0 fs/read_write.c:902
>  iter_file_splice_write+0x745/0xc90 fs/splice.c:686
>  do_splice_from fs/splice.c:764 [inline]
>  direct_splice_actor+0x114/0x180 fs/splice.c:931
>  splice_direct_to_actor+0x335/0x8a0 fs/splice.c:886
>  do_splice_direct+0x1ab/0x280 fs/splice.c:974
>  do_sendfile+0xb19/0x1270 fs/read_write.c:1255
>  __do_sys_sendfile64 fs/read_write.c:1323 [inline]
>  __se_sys_sendfile64 fs/read_write.c:1309 [inline]
>  __x64_sys_sendfile64+0x1d0/0x210 fs/read_write.c:1309
>  do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>  do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
>  entry_SYSCALL_64_after_hwframe+0x63/0xcd
> ---[ end trace 0000000000000000 ]---
>
> Above issue may happens as follows:
> ext4_da_write_begin
>   ext4_da_write_inline_data_begin
>     ext4_da_convert_inline_data_to_extent
>       ext4_clear_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA);
> ext4_da_write_end
>
> ext4_run_li_request
>   ext4_mb_prefetch
>     ext4_read_block_bitmap_nowait
>       ext4_validate_block_bitmap
>         ext4_mark_group_bitmap_corrupted(sb, block_group, EXT4_GROUP_INFO_BBITMAP_CORRUPT)
>          percpu_counter_sub(&sbi->s_freeclusters_counter,grp->bb_free);
>           -> sbi->s_freeclusters_counter become zero
> ext4_da_write_begin
>   if (ext4_nonda_switch(inode->i_sb)) -> As freeclusters_counter is zero will return true
>     *fsdata = (void *)FALL_BACK_TO_NONDELALLOC;
>     ext4_write_begin
> ext4_da_write_end
>   if (write_mode == FALL_BACK_TO_NONDELALLOC)
>     ext4_write_end
>       if (inline_data)
>         ext4_write_inline_data_end
>           ext4_write_inline_data
>             BUG_ON(pos + len > EXT4_I(inode)->i_inline_size);
>            -> As inode is already convert to extent, so 'pos + len' > inline_size
>            -> then trigger BUG.
>
> To solve above issue, there's need to judge inode if has EXT4_STATE_MAY_INLINE_DATA
> flag in 'ext4_write_end()'. 'ext4_has_inline_data()' flag only cleared after do
> write back, EXT4_STATE_MAY_INLINE_DATA flag indicate that inode has inline data,
> so use this flag in 'ext4_write_end()' is suitable.
>
> Fixes:f19d5870cbf7("ext4: add normal write support for inline data")
> Reported-by: syzbot+4faa160fa96bfba639f8@...kaller.appspotmail.com
> Reported-by: Jun Nie <jun.nie@...aro.org>
> Signed-off-by: Ye Bin <yebin10@...wei.com>
> ---
>  fs/ext4/inode.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
> index fca47470c85a..89404d1aa1d5 100644
> --- a/fs/ext4/inode.c
> +++ b/fs/ext4/inode.c
> @@ -1309,7 +1309,7 @@ static int ext4_write_end(struct file *file,
>
>         trace_ext4_write_end(inode, pos, len, copied);
>
> -       if (ext4_has_inline_data(inode))
> +       if (ext4_test_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA))
>                 return ext4_write_inline_data_end(inode, pos, len, copied, page);
>
>         copied = block_write_end(file, mapping, pos, len, copied, page, fsdata);
> --
> 2.31.1
>

Acked-by: Jun Nie <jun.nie@...aro.org>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ