2018-06-01 09:46:20

by Anatoly Trosinenko

Subject: PROBLEM: [kernel BUG at fs/fat/inode.c:162] when writing to a broken VFAT

Description:

Writing to some file on a broken VFAT partition causes kernel bug

Kernel version: v4.17-rc7

How to reproduce:

1. Compile kernel v4.17-rc7 with config attached
2. Unpack the vfat.img and mount it as vfat (suppose /mnt is the mount point)
3. Run `echo > /mnt/xyz`

What happens:

[ 1.538155] ------------[ cut here ]------------
[ 1.538274] kernel BUG at fs/fat/inode.c:162!
[ 1.538693] invalid opcode: 0000 [#1] SMP NOPTI
[ 1.538796] Modules linked in:
[ 1.538996] CPU: 0 PID: 991 Comm: sh Not tainted 4.17.0-rc7 #2
[ 1.539094] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
[ 1.539266] RIP: 0010:fat_get_block+0x200/0x230
[ 1.539334] RSP: 0018:ffff906900a2fb78 EFLAGS: 00000246
[ 1.539419] RAX: 0000000000000000 RBX: 0000000000000001 RCX: ffff906900a2fb88
[ 1.539509] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000000000000000
[ 1.539600] RBP: ffff8a379db508f8 R08: ffff906900a2fb90 R09: 0000000000000200
[ 1.539690] R10: 0000000000000000 R11: ffff8a379db10958 R12: ffff8a379db10958
[ 1.539781] R13: ffff8a379d590000 R14: 0000000000000001 R15: 0000000000000000
[ 1.539904] FS: 0000000000fd38c0(0000) GS:ffff8a379f800000(0000) knlGS:0000000000000000
[ 1.540006] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1.540082] CR2: 000000000056789c CR3: 000000001d598000 CR4: 00000000000006f0
[ 1.540221] Call Trace:
[ 1.540710] __block_write_begin_int+0x134/0x550
[ 1.540806] ? fat_add_cluster+0x80/0x80
[ 1.540869] ? notify_change+0x383/0x400
[ 1.540927] ? fat_add_cluster+0x80/0x80
[ 1.540982] block_write_begin+0x3f/0xa0
[ 1.541036] ? do_truncate+0x84/0xc0
[ 1.541088] cont_write_begin+0x232/0x330
[ 1.541146] ? fat_add_cluster+0x80/0x80
[ 1.541200] ? path_openat+0x5f7/0x1620
[ 1.541255] fat_write_begin+0x2d/0x60
[ 1.541310] ? fat_add_cluster+0x80/0x80
[ 1.541367] generic_perform_write+0xb1/0x1b0
[ 1.541431] __generic_file_write_iter+0xfd/0x190
[ 1.541497] generic_file_write_iter+0xe1/0x1e0
[ 1.541560] __vfs_write+0xfc/0x160
[ 1.541616] vfs_write+0xa8/0x190
[ 1.541667] ksys_write+0x4d/0xb0
[ 1.541718] do_syscall_64+0x43/0xf0
[ 1.541772] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 1.541936] RIP: 0033:0x486804
[ 1.541981] RSP: 002b:00007ffd17e241f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 1.542081] RAX: ffffffffffffffda RBX: 0000000000fd38a0 RCX: 0000000000486804
[ 1.542199] RDX: 0000000000000001 RSI: 0000000000fd6fc0 RDI: 0000000000000001
[ 1.542283] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000fd6fc0
[ 1.542367] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000fd6fc0
[ 1.542450] R13: 0000000000000001 R14: 0000000000000001 R15: 00007ffd17e24260
[ 1.542573] Code: d0 00 00 00 49 89 44 24 18 49 89 54 24 30 49 8b 45 18 49 89 44 24 20 41 0f b6 45 14 e9 b9 fe ff ff 41 89 c2 e9 bb fe ff ff 0f 0b <0f> 0b e8 79 87 dc ff 48 8b 4d b0 48 c7 c2 c8 bc 9f 91 be 01 00
[ 1.542995] RIP: fat_get_block+0x200/0x230 RSP: ffff906900a2fb78
[ 1.543289] ---[ end trace 0266ed39a6ec740a ]---

(full kernel log is attached)

--
Anatoly


Attachments:
serial-log.txt (21.66 kB)
config_v4.17-rc7 (111.26 kB)
vfat.img.bz2 (371.00 B)

2018-06-02 11:44:35

by OGAWA Hirofumi

Subject: Re: PROBLEM: [kernel BUG at fs/fat/inode.c:162] when writing to a broken VFAT

Anatoly Trosinenko <[email protected]> writes:

> Description:
>
> Writing to some file on a broken VFAT partition causes kernel bug

Thanks. This patch should fix this issue.
--
OGAWA Hirofumi <[email protected]>


[PATCH] fat: Use fat_fs_error() instead of BUG_ON() in __fat_get_block()

If the file size and the FAT cluster chain do not match (corrupted image),
we can hit BUG_ON(!phys) in __fat_get_block().

So, use fat_fs_error() instead.

Signed-off-by: OGAWA Hirofumi <[email protected]>
---

fs/fat/inode.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)

diff -puN fs/fat/inode.c~vfat-dont-bugon fs/fat/inode.c
--- linux/fs/fat/inode.c~vfat-dont-bugon 2018-06-02 20:15:04.441920069 +0900
+++ linux-hirofumi/fs/fat/inode.c 2018-06-02 20:15:04.442920067 +0900
@@ -158,8 +158,13 @@ static inline int __fat_get_block(struct
err = fat_bmap(inode, iblock, &phys, &mapped_blocks, create, false);
if (err)
return err;
+ if (!phys) {
+ fat_fs_error(sb,
+ "invalid FAT chain (i_pos %lld, last_block %ld)",
+ MSDOS_I(inode)->i_pos, last_block);
+ return -EIO;
+ }

- BUG_ON(!phys);
BUG_ON(*max_blocks != mapped_blocks);
set_buffer_new(bh_result);
map_bh(bh_result, sb, phys);
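Review bot: the `%ld` in the new fat_fs_error() format string should be checked against the type of `last_block`: if it is a `sector_t` (64-bit on 64-bit builds and on 32-bit builds with CONFIG_LBDAF), `%ld` will not match it and will trigger a printk format warning, so the safer form is `"invalid FAT chain (i_pos %lld, last_block %llu)", MSDOS_I(inode)->i_pos, (unsigned long long)last_block`. The `BUG_ON(*max_blocks != mapped_blocks)` kept on the line after the new check sits on the same write path; the commit message would benefit from a sentence on why that one is a genuine invariant of fat_bmap()'s result rather than a second condition an inconsistent on-disk chain could reach, since the point of the patch is that a corrupt image must produce -EIO, not a panic.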
_
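The behaviour the patch switches to, reporting a chain/size mismatch as an I/O error instead of asserting, shown as an added C example. This is not kernel code and not part of the patch: it models a FAT32-style table in memory (constructed sample tables, 512-byte sectors, two sectors per cluster, data area at sector 100 are all assumptions of the example), maps a file's logical block to a physical sector the way __fat_get_block() conceptually does, and returns an -EIO-style error when the on-disk chain ends before the file size says it should, or when the walk takes more hops than the table has clusters (a cycle). Nothing in it panics on untrusted on-disk data.

```c
/*
 * Added example (not kernel code): map a file's logical block to a
 * physical sector through a FAT cluster chain, failing gracefully on
 * a corrupted image instead of asserting.
 *
 * Assumptions (constructed for this example): FAT32-style 32-bit entries
 * held in memory, 512-byte sectors, and one file given by first cluster
 * and byte size.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define SECTOR_SIZE 512u
#define FAT_EOC     0x0FFFFFF8u  /* end-of-chain marker used in the samples */
#define ERR_IO      (-5)         /* mirrors the kernel's -EIO */
#define ERR_INVAL   (-22)        /* caller asked for a block past EOF */

struct fat_image {
    const uint32_t *fat;     /* fat[c] = next cluster after c */
    uint32_t nr_clusters;    /* number of FAT entries (indices 0..n-1) */
    uint32_t sec_per_clus;   /* sectors per cluster */
    uint32_t data_start;     /* sector where cluster 2 begins */
};

/* A valid data-cluster number lies in [2, nr_clusters). EOC, free (0),
   bad-cluster and out-of-range values all fail this test. */
static int fat_cluster_ok(const struct fat_image *img, uint32_t c)
{
    return c >= 2 && c < img->nr_clusters;
}

/* Map logical block iblock of the file to a physical sector in *phys.
   Returns 0 on success, ERR_INVAL if iblock is past the file's last block,
   and ERR_IO if the chain is inconsistent with the file size (the case the
   patch turns from BUG_ON into fat_fs_error) or cycles. */
int fat_map_block(const struct fat_image *img, uint32_t first_cluster,
                  uint64_t file_size, uint64_t iblock, uint64_t *phys)
{
    uint64_t last_block = (file_size + SECTOR_SIZE - 1) / SECTOR_SIZE;
    uint64_t wanted_cluster = iblock / img->sec_per_clus;
    uint32_t c = first_cluster;
    uint64_t step;

    if (iblock >= last_block)
        return ERR_INVAL;

    for (step = 0; ; step++) {
        /* Chain ended (EOC/free/bad/out of range) before reaching the
           cluster the file size promises: corrupted image, report -EIO. */
        if (!fat_cluster_ok(img, c))
            return ERR_IO;
        /* At most nr_clusters-2 distinct data clusters exist, so a walk
           this long can only be a cycle in the chain. */
        if (step >= img->nr_clusters - 2)
            return ERR_IO;
        if (step == wanted_cluster)
            break;
        c = img->fat[c];
    }

    *phys = img->data_start
          + (uint64_t)(c - 2) * img->sec_per_clus
          + iblock % img->sec_per_clus;
    return 0;
}

/* Constructed sample tables: 8 entries, entries 0 and 1 reserved. */
static const uint32_t good_fat[8]  = { FAT_EOC, 0xFFFFFFFF, 3, 4, FAT_EOC, 0, 0, 0 };
static const uint32_t short_fat[8] = { FAT_EOC, 0xFFFFFFFF, FAT_EOC, 0, 0, 0, 0, 0 };
static const uint32_t loop_fat[8]  = { FAT_EOC, 0xFFFFFFFF, 3, 2, 0, 0, 0, 0 };

static const struct fat_image good_img  = { good_fat,  8, 2, 100 };  /* 2->3->4->EOC */
static const struct fat_image short_img = { short_fat, 8, 2, 100 };  /* 2->EOC only */
static const struct fat_image loop_img  = { loop_fat,  8, 2, 100 };  /* 2->3->2->... */

/* Walk every block of a file starting at cluster 2; returns how many blocks
   mapped before the first error and stores that error in *first_err. */
int count_mappable_blocks(const struct fat_image *img, uint64_t file_size,
                          int *first_err)
{
    uint64_t last_block = (file_size + SECTOR_SIZE - 1) / SECTOR_SIZE;
    uint64_t b, phys;

    *first_err = 0;
    for (b = 0; b < last_block; b++) {
        int err = fat_map_block(img, 2, file_size, b, &phys);
        if (err) {
            *first_err = err;
            return (int)b;
        }
    }
    return (int)last_block;
}

int main(void)
{
    int err, n;

    /* A 3000-byte file needs 6 sectors, i.e. 3 clusters of 2 sectors. */
    n = count_mappable_blocks(&good_img, 3000, &err);
    printf("consistent chain: %d/6 blocks mapped, err=%d\n", n, err);
    n = count_mappable_blocks(&short_img, 3000, &err);
    printf("truncated chain:  %d/6 blocks mapped, err=%d\n", n, err);
    /* 8192 bytes would need 8 clusters; the looping chain never gets there. */
    n = count_mappable_blocks(&loop_img, 8192, &err);
    printf("looping chain:    %d/16 blocks mapped, err=%d\n", n, err);
    return 0;
}
```

The truncated-chain sample is the shape of image the report describes: the directory entry promises more data than the chain delivers, and the mapping returns an error the write path can propagate to userspace instead of halting the machine. The hop bound is what keeps a cyclic chain from turning the same lookup into an infinite loop.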

2018-06-03 13:48:09

by Anatoly Trosinenko

Subject: Re: PROBLEM: [kernel BUG at fs/fat/inode.c:162] when writing to a broken VFAT

Thank you, it works!

Sat, 2 Jun 2018 at 14:19, OGAWA Hirofumi <[email protected]>:
>
> Anatoly Trosinenko <[email protected]> writes:
>
> > Description:
> >
> > Writing to some file on a broken VFAT partition causes kernel bug
>
> Thanks. This patch should fix this issue.
> --
> OGAWA Hirofumi <[email protected]>
>
>
> [PATCH] fat: Use fat_fs_error() instead of BUG_ON() in __fat_get_block()
>
> If the file size and the FAT cluster chain do not match (corrupted image),
> we can hit BUG_ON(!phys) in __fat_get_block().
>
> So, use fat_fs_error() instead.
>
> Signed-off-by: OGAWA Hirofumi <[email protected]>
> ---
>
> fs/fat/inode.c | 7 ++++++-
> 1 file changed, 6 insertions(+), 1 deletion(-)
>
> diff -puN fs/fat/inode.c~vfat-dont-bugon fs/fat/inode.c
> --- linux/fs/fat/inode.c~vfat-dont-bugon 2018-06-02 20:15:04.441920069 +0900
> +++ linux-hirofumi/fs/fat/inode.c 2018-06-02 20:15:04.442920067 +0900
> @@ -158,8 +158,13 @@ static inline int __fat_get_block(struct
> err = fat_bmap(inode, iblock, &phys, &mapped_blocks, create, false);
> if (err)
> return err;
> + if (!phys) {
> + fat_fs_error(sb,
> + "invalid FAT chain (i_pos %lld, last_block %ld)",
> + MSDOS_I(inode)->i_pos, last_block);
> + return -EIO;
> + }
>
> - BUG_ON(!phys);
> BUG_ON(*max_blocks != mapped_blocks);
> set_buffer_new(bh_result);
> map_bh(bh_result, sb, phys);
> _

--
Anatoly