z_erofs_extent.plen == 0x2000000 can lead to crash

Gao Xiang hsiangkao at linux.alibaba.com
Thu Oct 2 10:21:38 AEST 2025


Hi Robert,

On 2025/10/2 05:57, rtm at csail.mit.edu wrote:
> Here's a corrupt erofs image that can cause a crash:
> 
> # wget http://www.rtmrtm.org/rtm/erofs4a.img
> # mount -t erofs -o loop erofs4a.img /mnt
> # cat < /mnt/d/y > /dev/null
>   kernel BUG at block/blk-mq.c:1152!
>   Oops: invalid opcode: 0000 [#1] SMP PTI
>   CPU: 11 UID: 0 PID: 1315 Comm: cat Not tainted 6.17.0-01737-g50c19e20ed2e #29 PREEMPT(voluntary)
>   Hardware name: FreeBSD BHYVE/BHYVE, BIOS 14.0 10/17/2021
>   RIP: 0010:blk_mq_end_request+0x28/0x30
> 
> The problem is that the inner "do" loop of z_erofs_submit_queue() runs
> without bound submitting read requests, because bvec.bv_len is zero.
> The reason for the zero is that the broken filesystem image contains
> an z_erofs_extent.plen of 0x2000000. This looks non-zero to the
> 
>          } else if (map->m_plen) {
> 
> in z_erofs_map_blocks_ext(), but then the code does
> 
>                          map->m_plen &= Z_EROFS_EXTENT_PLEN_MASK;
> 
> causing m_plen to be zero.

Thanks for the report, I will fix.

Thanks,
Gao Xiang

> 
> If CONFIG_EROFS_FS_DEBUG, the problem is caught by
> z_erofs_submit_queue()'s
> 
>                                  DBG_BUGON(bvec.bv_len < sb->s_blocksize);
> 
> Robert Morris
> rtm at mit.edu
> 



More information about the Linux-erofs mailing list