z_erofs_extent.plen == 0x2000000 can lead to crash
rtm at csail.mit.edu
rtm at csail.mit.edu
Thu Oct 2 07:57:10 AEST 2025
Here's a corrupt erofs image that can cause a crash:
# wget http://www.rtmrtm.org/rtm/erofs4a.img
# mount -t erofs -o loop erofs4a.img /mnt
# cat < /mnt/d/y > /dev/null
kernel BUG at block/blk-mq.c:1152!
Oops: invalid opcode: 0000 [#1] SMP PTI
CPU: 11 UID: 0 PID: 1315 Comm: cat Not tainted 6.17.0-01737-g50c19e20ed2e #29 PREEMPT(voluntary)
Hardware name: FreeBSD BHYVE/BHYVE, BIOS 14.0 10/17/2021
RIP: 0010:blk_mq_end_request+0x28/0x30
The problem is that the inner "do" loop of z_erofs_submit_queue() runs
without bound submitting read requests, because bvec.bv_len is zero.
The reason for the zero is that the broken filesystem image contains
an z_erofs_extent.plen of 0x2000000. This looks non-zero to the
} else if (map->m_plen) {
in z_erofs_map_blocks_ext(), but then the code does
map->m_plen &= Z_EROFS_EXTENT_PLEN_MASK;
causing m_plen to be zero.
If CONFIG_EROFS_FS_DEBUG, the problem is caught by
z_erofs_submit_queue()'s
DBG_BUGON(bvec.bv_len < sb->s_blocksize);
Robert Morris
rtm at mit.edu
More information about the Linux-erofs
mailing list