Re: [BUG] ext4: BUG_ON in ext4_write_inline_data (fs/ext4/inline.c:240)

From: Jan Kara

Date: Tue Apr 21 2026 - 08:25:51 EST


Hello!

On Tue 21-04-26 19:32:43, Zw Tang wrote:
> I am reporting a kernel BUG in ext4 triggered by a syzkaller reproducer on
> Linux 7.0.0-08391-g1d51b370a0f8.

Sorry, but we don't generally debug fuzzer issues that are not reported by
syzbot. It provides much better tracking, deduplication and general
handling of issues, which significantly speeds up debugging. If you have
some interesting modification of syzkaller, please contribute it upstream
so that everybody can benefit.

Honza

>
> The first fatal issue happens in the ext4 inline data write path:
> sendfile64 -> ext4_file_write_iter -> ext4_da_write_end ->
> ext4_write_inline_data_end -> ext4_write_inline_data.
>
> The crash is reported as:
>
> kernel BUG at fs/ext4/inline.c:240
>
> and RIP points to:
>
> ext4_write_inline_data+0x3d0/0x490
>
> This looks like an ext4 inline-data boundary/state inconsistency triggered
> while writing to an ext4 image crafted by syzkaller. The later
> KASAN: slab-use-after-free in rwsem_down_write_slowpath() appears to be a
> secondary effect after the primary ext4 BUG, likely during teardown/unlink
> after the filesystem failure.
>
> Reproducer:
> C reproducer: pastebin.com/raw/3LmK5Kxg
> console output: pastebin.com/raw/C0XjNMXp
> kernel config: pastebin.com/raw/aq1V3cLk
>
> Kernel:
> HEAD commit:
> git tree: <e.g. torvalds/linux>
> kernel version: 7.0.0-08391-g1d51b370a0f8 #1 PREEMPT(lazy) (QEMU)
>
> Relevant log:
>
> [ 1329.147750] kernel BUG at fs/ext4/inline.c:240!
> [ 1329.148692] Oops: invalid opcode: 0000 [#1] SMP KASAN
> [ 1329.149543] CPU: 0 UID: 0 PID: 334 Comm: repro1 Tainted: G W
> 7.0.0-08391-g1d51b370a0f8 #1 PREEMPT(lazy)
> [ 1329.153249] RIP: 0010:ext4_write_inline_data+0x3d0/0x490
> [ 1329.167978] ext4_write_inline_data_end+0x293/0xc90
> [ 1329.170566] ext4_da_write_end+0x521/0xec0
> [ 1329.176842] ext4_buffered_write_iter+0x11a/0x430
> [ 1329.177610] ext4_file_write_iter+0x561/0x1840
> [ 1329.185052] iter_file_splice_write+0xa33/0x11c0
> [ 1329.190820] direct_splice_actor+0x18f/0x7a0
> [ 1329.198893] do_splice_direct+0x41/0x50
> [ 1329.200276] do_sendfile+0xa86/0xda0
> [ 1329.203110] __x64_sys_sendfile64+0x1cf/0x210
>
> There is also an ext4 metadata inconsistency message right after the BUG:
>
> [ 1329.221770] EXT4-fs error (device loop1):
> ext4_mb_generate_buddy:1314: group 0, block bitmap and bg descriptor
> inconsistent: 25 vs 150994969 free clusters
>
> and later a secondary report:
>
> [ 1329.274881] BUG: KASAN: slab-use-after-free in
> rwsem_down_write_slowpath+0x15e9/0x1640
>
> Based on the log, I believe the primary issue to investigate is the BUG in
> fs/ext4/inline.c, while the later rwsem report is probably fallout after
> the ext4 failure.
>
> Please let me know if more information is needed.
>
> Thanks.
--
Jan Kara <jack@xxxxxxxx>
SUSE Labs, CR