z_erofs_extent.plen == 0x2000000 can lead to crash
Gao Xiang
hsiangkao at linux.alibaba.com
Thu Oct 2 10:21:38 AEST 2025
Hi Robert,
On 2025/10/2 05:57, rtm at csail.mit.edu wrote:
> Here's a corrupt erofs image that can cause a crash:
>
> # wget http://www.rtmrtm.org/rtm/erofs4a.img
> # mount -t erofs -o loop erofs4a.img /mnt
> # cat < /mnt/d/y > /dev/null
> kernel BUG at block/blk-mq.c:1152!
> Oops: invalid opcode: 0000 [#1] SMP PTI
> CPU: 11 UID: 0 PID: 1315 Comm: cat Not tainted 6.17.0-01737-g50c19e20ed2e #29 PREEMPT(voluntary)
> Hardware name: FreeBSD BHYVE/BHYVE, BIOS 14.0 10/17/2021
> RIP: 0010:blk_mq_end_request+0x28/0x30
>
> The problem is that the inner "do" loop of z_erofs_submit_queue() runs
> without bound submitting read requests, because bvec.bv_len is zero.
> The reason for the zero is that the broken filesystem image contains
> a z_erofs_extent.plen of 0x2000000. This looks non-zero to the
>
> } else if (map->m_plen) {
>
> in z_erofs_map_blocks_ext(), but then the code does
>
> map->m_plen &= Z_EROFS_EXTENT_PLEN_MASK;
>
> causing m_plen to be zero.
Thanks for the report, I will fix.
Thanks,
Gao Xiang
>
> If CONFIG_EROFS_FS_DEBUG, the problem is caught by
> z_erofs_submit_queue()'s
>
> DBG_BUGON(bvec.bv_len < sb->s_blocksize);
>
> Robert Morris
> rtm at mit.edu
>
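The ordering problem Robert describes (a non-zero check on the raw plen field, followed by a mask that strips the high bits and leaves zero, after which the submit loop makes no progress) can be reproduced in userspace. The following is an added illustration, not code from the thread or from the erofs sources: the mask and the cluster size are assumptions modelled on the kernel's Z_EROFS_EXTENT_PLEN_MASK / Z_EROFS_PCLUSTER_MAX_SIZE definitions, the 0x2000000 value is the one from the report, and the loop is a bounded simulation of the bv_len walk rather than the real I/O path.

```c
/* Added example, not from the mailing-list thread or the erofs source.
 * Shows why a "non-zero?" check on a packed length field must run on the
 * masked value, and what a zero bv_len does to a loop that advances by it. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Assumptions modelled on erofs_fs.h: a 1 MiB physical cluster limit and a
 * length mask covering the bits below twice that size. 0x2000000 (bit 25)
 * lies entirely above this mask. */
#define PCLUSTER_MAX_SIZE   (1024u * 1024u)
#define EXTENT_PLEN_MASK    ((PCLUSTER_MAX_SIZE << 1) - 1)

struct map_blocks {
    uint64_t m_plen;    /* stand-in for erofs_map_blocks.m_plen */
};

/* Buggy ordering, as described in the report: the check sees the raw
 * on-disk value, then the mask drops the flag bits and leaves zero.
 * Returns true if the extent would be handed on to the read path. */
static bool accept_extent_buggy(struct map_blocks *map, uint64_t raw_plen)
{
    map->m_plen = raw_plen;
    if (!map->m_plen)                   /* 0x2000000 passes this test */
        return false;
    map->m_plen &= EXTENT_PLEN_MASK;    /* ... and becomes 0 here */
    return true;
}

/* Hardened ordering: mask first, then reject a zero physical length so a
 * corrupt image never produces a zero-length bvec. */
static bool accept_extent_fixed(struct map_blocks *map, uint64_t raw_plen)
{
    uint64_t plen = raw_plen & EXTENT_PLEN_MASK;
    if (!plen)
        return false;
    map->m_plen = plen;
    return true;
}

/* Bounded stand-in for the submit loop: walks `total` bytes in steps of
 * `bv_len` and returns the number of requests it would issue, or -1 if it
 * makes no progress within `cap` iterations (what bv_len == 0 causes). */
static int simulate_submit(uint64_t bv_len, uint64_t total, unsigned cap)
{
    uint64_t done = 0;
    unsigned n = 0;

    while (done < total) {
        if (n++ >= cap)
            return -1;
        done += bv_len;
    }
    return (int)n;
}

int main(void)
{
    struct map_blocks map;
    const uint64_t corrupt_plen = 0x2000000;    /* value from the report */

    if (accept_extent_buggy(&map, corrupt_plen))
        printf("buggy path accepted extent, m_plen=%llu, loop=%d\n",
               (unsigned long long)map.m_plen,
               simulate_submit(map.m_plen, 4096, 1000));

    if (!accept_extent_fixed(&map, corrupt_plen))
        printf("fixed path rejected extent (masked plen is zero)\n");
    return 0;
}
```

The point for a reviewer is that any field which packs flag bits above a length must be validated after the mask is applied; validating the raw word only proves that some bit was set, not that the length is usable.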