[Bugme-new] [Bug 11412] New: Crash in vfs_readlink() on intentionally corrupted ext2 fs

bugme-daemon at bugzilla.kernel.org bugme-daemon at bugzilla.kernel.org
Sat Aug 23 07:03:15 PDT 2008 

http://bugzilla.kernel.org/show_bug.cgi?id=11412

           Summary: Crash in vfs_readlink() on intentionally corrupted ext2
                    fs
           Product: File System
           Version: 2.5
     KernelVersion: 2.6.27-rc4 + patches for #10976 & #11266
          Platform: All
        OS/Version: Linux
              Tree: Mainline
            Status: NEW
          Severity: normal
          Priority: P1
         Component: ext2
        AssignedTo: akpm at osdl.org
        ReportedBy: sliedes at cc.hut.fi


Distribution: Minimal Debian sid (unstable)
Hardware Environment: qemu x86
Problem Description:

I've now seen this happen twice, but unfortunately have not found a way to
reproduce it (running the same tests on the same corrupted fs doesn't reproduce
it).

I've been torture testing ext2 with broken filesystems. Apparently in these
crashes there's something wrong with the const char *link passed to
vfs_readlink(), as the crash is in strlen().

The two crashes happened after running four parallel tests for 17 hours, so I
guess that's about the rate at which I can reproduce this if more tests are
needed (but I'll gladly run the same tests with any patches, because I do have
spare CPU time).

Here are the two backtraces I've seen:

---------- hdb.6993 ----------
***** zzuffing ***** seed 6993
[42596.659321] EXT2-fs error (device hdb): ext2_valid_block_bitmap: Invalid
block bitmap - block_group = 0, block = 34
[42596.669321] BUG: unable to handle kernel paging request at c12be000
[42596.669321] IP: [<c045e979>] strlen+0xd/0x17
[42596.669321] *pde = 0788c163 *pte = 012be160
[42596.669321] Oops: 0000 [#1] DEBUG_PAGEALLOC
[42596.669321]
[42596.669321] Pid: 12667, comm: cp Not tainted (2.6.27-rc4 #1)
[42596.669321] EIP: 0060:[<c045e979>] EFLAGS: 00000283 CPU: 0
[42596.669321] EIP is at strlen+0xd/0x17
[42596.669321] EAX: 00000000 EBX: c12bd000 ECX: ffffefff EDX: 08202f60
[42596.669321] ESI: c12bd000 EDI: c12be000 EBP: c711ceec ESP: c711cee8
[42596.669321]  DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
[42596.669321] Process cp (pid: 12667, ti=c711c000 task=c7ad2680
task.ti=c711c000)
[42596.669321] Stack: 00000401 c711cf04 c026b189 08202f60 c10277a0 c3af28e8
c10277a0 c711cf78
[42596.669321]        c026b288 c12bd000 00000401 08202f60 00000000 00000000
c0b8a5e0 00000246
[42596.669321]        00000001 00000246 c0b8a5e0 c494c000 00000000 c12bd000
c0545199 c494c000
[42596.669321] Call Trace:
[42596.669321]  [<c026b189>] ? vfs_readlink+0x22/0x49
[42596.669321]  [<c026b288>] ? generic_readlink+0x55/0x7e
[42596.669321]  [<c0545199>] ? _spin_unlock+0x1d/0x20
[42596.669321]  [<c027a38f>] ? mnt_drop_write+0x55/0x130
[42596.669321]  [<c0266f66>] ? sys_readlinkat+0x5e/0x78
[42596.669321]  [<c0266fa7>] ? sys_readlink+0x27/0x29
[42596.669321]  [<c0202f3e>] ? syscall_call+0x7/0xb
[42596.669321]  =======================
[42596.669321] Code: 55 89 e5 56 89 c6 89 d0 88 c4 ac 38 e0 74 09 84 c0 75 f7
be 01 00 00 00 89 f0 48 5e 5d c3 55 89 e5 57 89 c7 b9 ff ff ff ff 31 c0 <f2> ae
f7 d1 49 89 c8 5f 5d c3 55 89 e5 57 31 ff 85 c9 74 0e 89
[42596.669321] EIP: [<c045e979>] strlen+0xd/0x17 SS:ESP 0068:c711cee8
[42596.669321] ---[ end trace f964ba82de460dfa ]---
[42596.719321] EXT2-fs error (device hdb): ext2_check_page: bad entry in
directory #1281: inode out of bounds - offset=0, inode=67110145, rec_len=12,
name_len=1
[42596.719321] EXT2-fs error (device hdb): ext2_readdir: bad page in #1281
[42596.779321] EXT2-fs error (device hdb): ext2_readdir: bad page in #1281
[42596.919321] EXT2-fs error (device hdb): ext2_readdir: bad page in #1281
[... still got some EXT2 errors after this]
----------

And another:

---------- hdb.10006449 ----------
***** zzuffing ***** seed 10006449
[38407.575040] attempt to access beyond end of device
[38407.575040] hdb: rw=0, want=150706, limit=20480
[38407.575040] Buffer I/O error on device hdb, logical block 75352
[38407.585040] attempt to access beyond end of device
[38407.585040] hdb: rw=0, want=150706, limit=20480
[38407.585040] Buffer I/O error on device hdb, logical block 75352
[38407.595040] BUG: unable to handle kernel paging request at c1388000
[38407.595040] IP: [<c045e979>] strlen+0xd/0x17
[38407.595040] *pde = 0788c163 *pte = 01388160
[38407.595040] Oops: 0000 [#1] DEBUG_PAGEALLOC
[38407.595040]
[38407.595040] Pid: 11247, comm: cp Not tainted (2.6.27-rc4 #1)
[38407.595040] EIP: 0060:[<c045e979>] EFLAGS: 00000297 CPU: 0
[38407.595040] EIP is at strlen+0xd/0x17
[38407.595040] EAX: 00000000 EBX: c1387000 ECX: ffffefff EDX: 09dca7d8
[38407.595040] ESI: c1387000 EDI: c1388000 EBP: c69e6eec ESP: c69e6ee8
[38407.595040]  DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
[38407.595040] Process cp (pid: 11247, ti=c69e6000 task=c791cd00
task.ti=c69e6000)
[38407.595040] Stack: 00000401 c69e6f04 c026b189 09dca7d8 c10290e0 c4f62ab0
c10290e0 c69e6f78
[38407.595040]        c026b288 c1387000 00000401 09dca7d8 00000000 00000000
c0b8a5e0 00000246
[38407.595040]        00000001 00000246 c0b8a5e0 c3d81080 00000000 c1387000
c0545199 c3d81080
[38407.595040] Call Trace:
[38407.595040]  [<c026b189>] ? vfs_readlink+0x22/0x49
[38407.595040]  [<c026b288>] ? generic_readlink+0x55/0x7e
[38407.595040]  [<c0545199>] ? _spin_unlock+0x1d/0x20
[38407.595040]  [<c027a38f>] ? mnt_drop_write+0x55/0x130
[38407.595040]  [<c0266f66>] ? sys_readlinkat+0x5e/0x78
[38407.595040]  [<c0266fa7>] ? sys_readlink+0x27/0x29
[38407.595040]  [<c0202f3e>] ? syscall_call+0x7/0xb
[38407.595040]  =======================
[38407.595040] Code: 55 89 e5 56 89 c6 89 d0 88 c4 ac 38 e0 74 09 84 c0 75 f7
be 01 00 00 00 89 f0 48 5e 5d c3 55 89 e5 57 89 c7 b9 ff ff ff ff 31 c0 <f2> ae
f7 d1 49 89 c8 5f 5d c3 55 89 e5 57 31 ff 85 c9 74 0e 89
[38407.595040] EIP: [<c045e979>] strlen+0xd/0x17 SS:ESP 0068:c69e6ee8
[38407.595040] ---[ end trace 77c6ae736e5146bf ]---
[38407.645040] attempt to access beyond end of device
[38407.645040] hdb: rw=0, want=2147503082, limit=20480
[38407.645040] Buffer I/O error on device hdb, logical block 1073751540
[38407.645040] attempt to access beyond end of device
----------


-- 
Configure bugmail: http://bugzilla.kernel.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

More information about the Bugme-new mailing list