Bug 513624 - fuzzing romfs creates kernel panic
Summary: fuzzing romfs creates kernel panic
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: kernel
Version: 12
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Eric Sandeen
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-07-24 14:52 UTC by Steve Grubb
Modified: 2010-12-05 06:41 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-12-05 06:41:10 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)
image reproducing latest crash (1.76 MB, application/octet-stream)
2009-07-24 14:52 UTC, Steve Grubb
no flags Details

Description Steve Grubb 2009-07-24 14:52:38 UTC
Created attachment 355029 [details]
image reproducing latest crash

Description of problem:
Running fsfuzzer against the romfs yields a kernel panic quickly

Version-Release number of selected component (if applicable):
kernel-2.6.31-0.81.rc3.git4

Steps to Reproduce:
1. ./fsfuzz romfs

Actual results:
Jul 24 10:43:49 livestrong kernel: ROMFS MTD (C) 2007 Red Hat, Inc.
Jul 24 10:43:49 livestrong kernel: ROMFS: Mounting image 'rom 4a69c550' through the block layer
Jul 24 10:43:49 livestrong kernel: general protection fault: 0000 [#1] SMP
Jul 24 10:43:49 livestrong kernel: last sysfs file: /sys/devices/virtual/block/loop0/removable
Jul 24 10:43:49 livestrong kernel: CPU 0
Jul 24 10:43:49 livestrong kernel: Modules linked in: romfs cpufreq_ondemand powernow_k8 freq_table uinput arc4 snd_atiixp_modem snd_atiixp ecb b43 mac80211 cfg80211 rfkill ssb snd_ac97_codec ac97_bus snd_pcm 8139too sdhci_pci tifm_7xx1 video tifm_core snd_timer sdhci 8139cp yenta_socket rsrc_nonstatic firewire_ohci snd wmi firewire_core mmc_core mii output amd64_edac_mod soundcore snd_page_alloc edac_core i2c_piix4 k8temp hwmon shpchp crc_itu_t joydev ata_generic pata_acpi pata_atiixp radeon ttm drm i2c_algo_bit i2c_core [last unloaded: pcspkr]
Jul 24 10:43:49 livestrong kernel: Pid: 1623, comm: fstest Not tainted 2.6.31-0.81.rc3.git4.fc12.x86_64 #1 Presario V2000 (EC182UA#ABA)
Jul 24 10:43:49 livestrong kernel: RIP: 0010:[<ffffffff81163908>]  [<ffffffff81163908>] __find_get_block_slow+0x2d/0x120
Jul 24 10:43:49 livestrong kernel: RSP: 0018:ffff880034dbdbc8  EFLAGS: 00010246
Jul 24 10:43:49 livestrong kernel: RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000000000000c
Jul 24 10:43:49 livestrong kernel: RDX: 0000000000000000 RSI: 000000000000032d RDI: 72656c69706d6f63
Jul 24 10:43:49 livestrong kernel: RBP: ffff880034dbdc08 R08: 0000000000000008 R09: 0000000022dcbe42
Jul 24 10:43:49 livestrong kernel: R10: ffffffff81dd90c0 R11: 0000000000000000 R12: 72656c69706d6f63
Jul 24 10:43:49 livestrong kernel: R13: 000000000000032d R14: ffff880034dc0508 R15: 0000000000000000
Jul 24 10:43:49 livestrong kernel: FS:  00007fa1094e86f0(0000) GS:ffff88000265a000(0000) knlGS:0000000000000000
Jul 24 10:43:49 livestrong kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
Jul 24 10:43:49 livestrong kernel: CR2: 00007f0778285010 CR3: 0000000034db7000 CR4: 00000000000006f0
Jul 24 10:43:49 livestrong kernel: DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
Jul 24 10:43:49 livestrong kernel: DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Jul 24 10:43:49 livestrong kernel: Process fstest (pid: 1623, threadinfo ffff880034dbc000, task ffff880027cba4a0)
Jul 24 10:43:49 livestrong kernel: Stack:
Jul 24 10:43:49 livestrong kernel: 0000000000000008 0000000022dcbe42 0000000000000000 0000000000000000
Jul 24 10:43:49 livestrong kernel: <0> 72656c69706d6f63 000000000000032d ffff880034dc0508 000000000000032d
Jul 24 10:43:49 livestrong kernel: <0> ffff880034dbdca8 ffffffff81163f31 ffff880027cba890 000000000000fa20
Jul 24 10:43:49 livestrong kernel: Call Trace:
Jul 24 10:43:49 livestrong kernel: [<ffffffff81163f31>] __find_get_block+0xcc/0x1e3
Jul 24 10:43:49 livestrong kernel: [<ffffffff8116407b>] __getblk+0x33/0x2e2
Jul 24 10:43:49 livestrong kernel: [<ffffffff814f0bb4>] ? _cond_resched+0x3f/0x5e
Jul 24 10:43:49 livestrong kernel: [<ffffffff811669f9>] __bread+0x22/0x91
Jul 24 10:43:49 livestrong kernel: [<ffffffff81270991>] ? memchr+0x1f/0x46
Jul 24 10:43:49 livestrong kernel: [<ffffffffa035c02c>] sb_bread+0x2c/0x42 [romfs]
Jul 24 10:43:49 livestrong kernel: [<ffffffffa035c362>] romfs_dev_read+0x65/0xdb [romfs]
Jul 24 10:43:49 livestrong kernel: [<ffffffff8114ccb3>] ? vfs_readdir+0x65/0xd9
Jul 24 10:43:49 livestrong kernel: [<ffffffffa035c6dc>] romfs_readdir+0x124/0x1c0 [romfs]
Jul 24 10:43:49 livestrong kernel: [<ffffffff8114ca83>] ? filldir+0x0/0xe7
Jul 24 10:43:49 livestrong kernel: Code: 89 e5 41 57 41 56 41 55 41 54 53 48 83 ec 18 0f 1f 44 00 00 b9 0c 00 00 00 45 31 ff 65 48 8b 04 25 28 00 00 00 48 89 45 c8 31 c0 <4c> 8b 67 08 49 89 f5 41 2b 8c 24 a8 00 00 00 4d 8b b4 24 28 02
Jul 24 10:43:49 livestrong kernel: RIP  [<ffffffff81163908>] __find_get_block_slow+0x2d/0x120
Jul 24 10:43:49 livestrong kernel: RSP <ffff880034dbdbc8>
Jul 24 10:43:49 livestrong kernel: ---[ end trace f17bf1f30b46fcb3 ]---
Jul 24 10:43:50 livestrong kernel: general protection fault: 0000 [#2] SMP
Jul 24 10:43:50 livestrong kernel: last sysfs file: /sys/devices/virtual/block/loop0/range
Jul 24 10:43:50 livestrong kernel: CPU 0
Jul 24 10:43:50 livestrong kernel: Modules linked in: romfs cpufreq_ondemand powernow_k8 freq_table uinput arc4 snd_atiixp_modem snd_atiixp ecb b43 mac80211 cfg80211 rfkill ssb snd_ac97_codec ac97_bus snd_pcm 8139too sdhci_pci tifm_7xx1 video tifm_core snd_timer sdhci 8139cp yenta_socket rsrc_nonstatic firewire_ohci snd wmi firewire_core mmc_core mii output amd64_edac_mod soundcore snd_page_alloc edac_core i2c_piix4 k8temp hwmon shpchp crc_itu_t joydev ata_generic pata_acpi pata_atiixp radeon ttm drm i2c_algo_bit i2c_core [last unloaded: pcspkr]
Jul 24 10:43:50 livestrong kernel: Pid: 23, comm: pdflush Tainted: G      D    2.6.31-0.81.rc3.git4.fc12.x86_64 #1 Presario V2000 (EC182UA#ABA)
Jul 24 10:43:50 livestrong kernel: RIP: 0010:[<ffffffff8113f250>]  [<ffffffff8113f250>] sync_supers+0x38/0xd3
Jul 24 10:43:50 livestrong kernel: RSP: 0018:ffff8800344f1d50  EFLAGS: 00010287
Jul 24 10:43:50 livestrong kernel: RAX: 5f74757074756f24 RBX: ffff880034dc0000 RCX: ffffffff8113f243
Jul 24 10:43:50 livestrong kernel: RDX: 0000000000000000 RSI: ffffffff817431f8 RDI: 0000000000000246
Jul 24 10:43:50 livestrong kernel: RBP: ffff8800344f1d70 R08: 0000000000000002 R09: 0000000000000000
Jul 24 10:43:50 livestrong kernel: R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001
Jul 24 10:43:50 livestrong kernel: R13: ffff8800344f1d90 R14: 0000000000000000 R15: 0000000000094020
Jul 24 10:43:50 livestrong kernel: FS:  00007f16ac097910(0000) GS:ffff88000265a000(0000) knlGS:0000000000000000
Jul 24 10:43:50 livestrong kernel: CS:  0010 DS: 0018 ES: 0018 CR0: 000000008005003b
Jul 24 10:43:50 livestrong kernel: CR2: 00000000006d8898 CR3: 00000000378c6000 CR4: 00000000000006f0
Jul 24 10:43:50 livestrong kernel: DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
Jul 24 10:43:50 livestrong kernel: DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Jul 24 10:43:50 livestrong kernel: Process pdflush (pid: 23, threadinfo ffff8800344f0000, task ffff8800344ea4a0)
Jul 24 10:43:50 livestrong kernel: Stack:
Jul 24 10:43:50 livestrong kernel: ffff8800344f1dc0 000000002cb27325 ffff8800344f1e28 0000000000000001
Jul 24 10:43:50 livestrong kernel: <0> ffff8800344f1e00 ffffffff810ff5f4 ffff8800344f1db0 0000000000000000
Jul 24 10:43:50 livestrong kernel: <0> 0000000000000000 0000000000000000 ffff8800344f1dd0 0000000000000000
Jul 24 10:43:50 livestrong kernel: Call Trace:
Jul 24 10:43:50 livestrong kernel: [<ffffffff810ff5f4>] wb_kupdate+0x45/0x147
Jul 24 10:43:50 livestrong kernel: [<ffffffff811005c7>] ? pdflush+0x0/0x26c
Jul 24 10:43:50 livestrong kernel: [<ffffffff81100737>] pdflush+0x170/0x26c
Jul 24 10:43:50 livestrong kernel: [<ffffffff810ff5af>] ? wb_kupdate+0x0/0x147
Jul 24 10:43:50 livestrong kernel: [<ffffffff8107f339>] kthread+0xa5/0xad
Jul 24 10:43:50 livestrong kernel: [<ffffffff8101412a>] child_rip+0xa/0x20
Jul 24 10:43:50 livestrong kernel: [<ffffffff81013a90>] ? restore_args+0x0/0x30
Jul 24 10:43:50 livestrong kernel: [<ffffffff8107f294>] ? kthread+0x0/0xad
Jul 24 10:43:50 livestrong kernel: [<ffffffff81014120>] ? child_rip+0x0/0x20
Jul 24 10:43:50 livestrong kernel: Code: 44 00 00 48 c7 c7 e0 31 74 81 65 48 8b 04 25 28 00 00 00 48 89 45 e8 31 c0 e8 0f 42 3b 00 48 8b 1d 86 3f 60 00 eb 69 48 8b 43 38 <48> 83 78 38 00 74 5b 80 7b 21 00 74 55 ff 83 88 01 00 00 4c 8d
Jul 24 10:43:50 livestrong kernel: RIP  [<ffffffff8113f250>] sync_supers+0x38/0xd3
Jul 24 10:43:50 livestrong kernel: RSP <ffff8800344f1d50>
Jul 24 10:43:50 livestrong kernel: ---[ end trace f17bf1f30b46fcb4 ]---

Comment 1 Bug Zapper 2009-11-16 11:06:10 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 12 development cycle.
Changing version to '12'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 2 Bug Zapper 2010-11-04 10:41:47 UTC
This message is a reminder that Fedora 12 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 12.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '12'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 12's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 12 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 3 Bug Zapper 2010-12-05 06:41:10 UTC
Fedora 12 changed to end-of-life (EOL) status on 2010-12-02. Fedora 12 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.


Note You need to log in before you can comment on or make changes to this bug.