ext4: BUG_ON on null-pointer when mounting corrupted filesystem

Bug #801087 reported by halfdog
This bug report is a duplicate of: Bug #806929: CVE-2011-2493.
This bug affects 1 person
Affects          Status        Importance  Assigned to  Milestone
Linux            Fix Released  Medium
linux (Ubuntu)   New           Undecided   Unassigned

Bug Description

It seems that fs/ext4/super.c:__save_error_info calls mod_timer
before timer->function is set at the end of fs/ext4/super.c:ext4_fill_super via
  sbi->s_err_report.function = print_daily_error_info;

This triggers BUG_ON(!timer->function) in kernel/timer.c:__mod_timer.

Confirmed, patch available, see https://lkml.org/lkml/2011/6/19/193

The device stays blocked and mount receives a segfault. Reboot fails because unmounting is not possible.

[ 2823.694907] ------------[ cut here ]------------
[ 2823.695673] kernel BUG at /build/buildd/linux-2.6.38/kernel/timer.c:668!
[ 2823.695910] invalid opcode: 0000 [#3] SMP
[ 2823.696591] last sysfs file: /sys/devices/virtual/block/loop0/uevent
[ 2823.696594] Modules linked in: dm_crypt ppdev psmouse parport_pc parport serio_raw shpchp i2c_piix4 mptspi mptscsih mptbase floppy pcnet32 scsi_transport_spi
[ 2823.696594]
[ 2823.696594] Pid: 1008, comm: mount Tainted: G D 2.6.38-8-generic #42-Ubuntu VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform
[ 2823.696594] EIP: 0060:[<c105e392>] EFLAGS: 00010246 CPU: 0
[ 2823.696594] EIP is at mod_timer+0x232/0x250
[ 2823.696594] EAX: 00000000 EBX: 0153378b ECX: 00000000 EDX: 0153378b
[ 2823.696594] ESI: cbc0e220 EDI: 00001385 EBP: c1ba1d54 ESP: c1ba1d38
[ 2823.696594] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
[ 2823.696594] Process mount (pid: 1008, ti=c1ba0000 task=c9623f20 task.ti=c1ba0000)
[ 2823.696594] Stack:
[ 2823.696594] 00000122 00000000 0153378b 00000000 cbc22400 c98c297c 00001385 c1ba1d6c
[ 2823.696594] c11c144a c152b447 c98c2800 00000000 00000000 c1ba1d78 c11c5aa6 c910fd08
[ 2823.696594] c1ba1dac c11c7816 c1ba1d90 cb743b28 00000000 cbc22400 00000000 c1ba1df4
[ 2823.696594] Call Trace:
[ 2823.696594] [<c11c144a>] __save_error_info.clone.59+0x7a/0xf0
[ 2823.696594] [<c11c5aa6>] save_error_info+0x16/0x30
[ 2823.696594] [<c11c7816>] ext4_error_inode+0x46/0xe0
[ 2823.696594] [<c11af8f7>] ext4_iget+0x697/0x730
[ 2823.696594] [<c15097cd>] ? _raw_spin_lock+0xd/0x10
[ 2823.696594] [<c106838d>] ? __alloc_workqueue_key+0x19d/0x470
[ 2823.696594] [<c11ca874>] ext4_fill_super+0x1254/0x1a70
[ 2823.696594] [<c10fc1ac>] ? pcpu_alloc+0x26c/0x360
[ 2823.696594] [<c1129a21>] mount_bdev+0x191/0x1d0
[ 2823.696594] [<c11c9620>] ? ext4_fill_super+0x0/0x1a70
[ 2823.696594] [<c11bfd0f>] ext4_mount+0x1f/0x30
[ 2823.696594] [<c11c9620>] ? ext4_fill_super+0x0/0x1a70
[ 2823.696594] [<c1129315>] vfs_kern_mount+0x75/0x250
[ 2823.696594] [<c113fa63>] ? get_fs_type+0x33/0xb0
[ 2823.696594] [<c11bfcf0>] ? ext4_mount+0x0/0x30
[ 2823.696594] [<c112954e>] do_kern_mount+0x3e/0xe0
[ 2823.696594] [<c1142993>] do_mount+0x1b3/0x1e0
[ 2823.696594] [<c1142d2b>] sys_mount+0x6b/0xa0
[ 2823.696594] [<c1509bf4>] syscall_call+0x7/0xb
[ 2823.696594] Code: ff 8b 5d ec 29 c3 c1 eb 08 e9 18 fe ff ff 8d 76 00 c7 45 e4 01 00 00 00 8b 45 e4 83 c4 10 5b 5e 5f 5d c3 8b 5d e8 e9 c3 fe ff ff <0f> 0b 8b 55 04 89 f0 e8 02 f9 ff ff e9 0a fe ff ff 8d b6 00 00
[ 2823.696594] EIP: [<c105e392>] mod_timer+0x232/0x250 SS:ESP 0068:c1ba1d38
[ 2823.833903] ---[ end trace 5f96819bf291fd14 ]---

Reproduce:

# build a 64 MiB image and put a default ext4 filesystem on it
dd if=/dev/zero bs=1M count=64 of=test
mkfs.ext4 -F test
# overwrite a single byte of on-disk metadata in place (conv=notrunc keeps the image size);
# the trace above shows ext4_iget rejecting an inode during ext4_fill_super as a result
echo -n " " | dd of=test bs=1 count=1 seek=297195 conv=notrunc
# mounting the damaged image hits the BUG_ON; the loop device stays busy afterwards
mount -o loop test /mnt/test
Segmentation fault

# lsb_release -rd
Description: Ubuntu 11.04
Release: 11.04

# apt-cache policy linux-image-2.6.38-8-generic
linux-image-2.6.38-8-generic:
  Installed: 2.6.38-8.42
  Candidate: 2.6.38-8.42
  Version table:
 *** 2.6.38-8.42 0
        500 http://archive.ubuntu.com/ubuntu/ natty/main i386 Packages
        100 /var/lib/dpkg/status
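The ordering problem in the description, as an added user-space model in C (this is not code from the report, from halfdog, or from the kernel). kernel/timer.c halts with BUG_ON(!timer->function) inside __mod_timer; the model instead records that the check would have fired and returns -1, so the old and fixed orderings of ext4_fill_super can be run side by side. `ext4_fill_super_old` follows what the description states for 2.6.38 (error path reachable from ext4_iget before the timer function is assigned); `ext4_fill_super_fixed` follows the upstream fix, which moved the timer setup ahead of the first code path that can reach __save_error_info. The struct layouts, the fake `jiffies` clock and the `inode_is_corrupt` flag are simplifications assumed for illustration.

```c
/*
 * Added example, not kernel code: a user-space model of the
 * initialisation-order bug in the report above. kernel/timer.c does
 * BUG_ON(!timer->function) in __mod_timer; this model records that the
 * check would have fired and returns -1 instead, so the old and fixed
 * orderings of ext4_fill_super can be run side by side in one process.
 * The structs are minimal stand-ins, not the real kernel definitions.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define HZ 100UL

struct timer_list {                 /* stand-in for the kernel's timer_list */
    void (*function)(unsigned long);
    unsigned long data;
    unsigned long expires;
    int pending;
};

struct ext4_sb_info {               /* only the fields the bug touches */
    struct timer_list s_err_report;
    int s_err_count;
};

static unsigned long jiffies = 1000;   /* fake clock */
static int bug_on_fired;               /* set where the kernel would BUG() */

/* Model of mod_timer(), including the BUG_ON(!timer->function) check. */
static int mod_timer(struct timer_list *t, unsigned long expires)
{
    if (!t->function) {
        bug_on_fired = 1;              /* the kernel halts here */
        return -1;
    }
    t->expires = expires;
    t->pending = 1;
    return 0;
}

static void print_daily_error_info(unsigned long data)
{
    struct ext4_sb_info *sbi = (struct ext4_sb_info *)data;
    printf("EXT4-fs: %d error(s) since mount\n", sbi->s_err_count);
}

/* Model of __save_error_info: count the error and arm the daily report timer. */
static int save_error_info(struct ext4_sb_info *sbi)
{
    sbi->s_err_count++;
    return mod_timer(&sbi->s_err_report, jiffies + 24 * 60 * 60 * HZ);
}

/* Model of ext4_iget: a corrupt inode goes ext4_error_inode -> save_error_info. */
static int ext4_iget(struct ext4_sb_info *sbi, int inode_is_corrupt)
{
    if (inode_is_corrupt) {
        save_error_info(sbi);
        return -EIO;
    }
    return 0;
}

/* init_timer() plus the two assignments quoted in the bug description. */
static void setup_err_report_timer(struct ext4_sb_info *sbi)
{
    memset(&sbi->s_err_report, 0, sizeof(sbi->s_err_report));
    sbi->s_err_report.function = print_daily_error_info;
    sbi->s_err_report.data = (unsigned long)sbi;
}

/* Old ordering (2.6.38): inodes are read before the timer is set up. */
static int ext4_fill_super_old(struct ext4_sb_info *sbi, int inode_is_corrupt)
{
    memset(sbi, 0, sizeof(*sbi));      /* sbi is kzalloc'd in the kernel */
    int err = ext4_iget(sbi, inode_is_corrupt);
    if (err)
        return err;
    setup_err_report_timer(sbi);
    return 0;
}

/* Fixed ordering: the timer is valid before anything can reach save_error_info. */
static int ext4_fill_super_fixed(struct ext4_sb_info *sbi, int inode_is_corrupt)
{
    memset(sbi, 0, sizeof(*sbi));
    setup_err_report_timer(sbi);
    return ext4_iget(sbi, inode_is_corrupt);
}

/* Mount a corrupt image with the given ordering; returns 1 if BUG_ON would fire. */
static int mount_would_bug(int (*fill_super)(struct ext4_sb_info *, int))
{
    struct ext4_sb_info sbi;
    bug_on_fired = 0;
    fill_super(&sbi, 1);
    return bug_on_fired;
}

int main(void)
{
    printf("old ordering:   BUG_ON fires = %d\n", mount_would_bug(ext4_fill_super_old));
    printf("fixed ordering: BUG_ON fires = %d\n", mount_would_bug(ext4_fill_super_fixed));
    return 0;
}
```

Build with `cc -std=c99 -Wall -o timer_order timer_order.c`. With the old ordering a corrupt inode hits the check, which is why the real mount oopses and leaves the loop device busy; with the fixed ordering the same image is rejected with -EIO, the report timer is armed, and mount simply fails. The general lesson is the one a reviewer should apply to any init routine: every error path that can be reached during initialisation may only use state that has already been set up, so late-initialised resources (timers, work queues, locks) belong before the first fallible step, or the error path must check for them.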

CVE References

CVE-2011-2493

Kees Cook (kees) wrote:
visibility: private → public
Changed in linux:
importance: Unknown → Medium
status: Unknown → Fix Released

Kees Cook (kees) wrote:

CVE-2011-2493
