z_erofs_extent.plen == 0x2000000 can lead to crash

rtm at csail.mit.edu rtm at csail.mit.edu
Thu Oct 2 07:57:10 AEST 2025


Here's a corrupt erofs image that can cause a crash:

# wget http://www.rtmrtm.org/rtm/erofs4a.img
# mount -t erofs -o loop erofs4a.img /mnt
# cat < /mnt/d/y > /dev/null
 kernel BUG at block/blk-mq.c:1152!
 Oops: invalid opcode: 0000 [#1] SMP PTI
 CPU: 11 UID: 0 PID: 1315 Comm: cat Not tainted 6.17.0-01737-g50c19e20ed2e #29 PREEMPT(voluntary)
 Hardware name: FreeBSD BHYVE/BHYVE, BIOS 14.0 10/17/2021
 RIP: 0010:blk_mq_end_request+0x28/0x30

The problem is that the inner "do" loop of z_erofs_submit_queue() runs
without bound submitting read requests, because bvec.bv_len is zero.
The reason for the zero is that the broken filesystem image contains
an z_erofs_extent.plen of 0x2000000. This looks non-zero to the

        } else if (map->m_plen) {

in z_erofs_map_blocks_ext(), but then the code does

                        map->m_plen &= Z_EROFS_EXTENT_PLEN_MASK;

causing m_plen to be zero.

If CONFIG_EROFS_FS_DEBUG, the problem is caught by
z_erofs_submit_queue()'s

                                DBG_BUGON(bvec.bv_len < sb->s_blocksize);

Robert Morris
rtm at mit.edu



More information about the Linux-erofs mailing list