https://bugzilla.kernel.org/show_bug.cgi?id=200345

Bug ID: 200345
Summary: Invalid memory access in free_bitmap_node() when mounting a reiserfs filesystem
Product: File System
Version: 2.5
Kernel Version: 4.18
Hardware: All
OS: Linux
Tree: Mainline
Status: NEW
Severity: normal
Priority: P1
Component: ReiserFS
Assignee: reiserfs-devel@xxxxxxxxxxxxxxx
Reporter: wen.xu@xxxxxxxxxx
Regression: No

Created attachment 276999
  --> https://bugzilla.kernel.org/attachment.cgi?id=276999&action=edit
The (compressed) crafted image which causes crash

- Reproduce (4.18)

# mkdir mnt
# mount -t reiserfs -o acl,user_xattr 22.img mnt

- Kernel message

[ 263.183748] REISERFS (device loop0): found reiserfs format "3.6" with standard journal
[ 263.183804] REISERFS (device loop0): using ordered data mode
[ 263.183810] reiserfs: using flush barriers
[ 263.185791] REISERFS (device loop0): journal params: device loop0, size 8320, journal first block 18, max trans len 1024, max batch 900, max commit age 30, max trans age 30
[ 263.188198] REISERFS (device loop0): checking transaction log (loop0)
[ 263.641303] REISERFS (device loop0): replayed 2 transactions in 0 seconds
[ 264.487907] REISERFS warning: reiserfs-5090 is_tree_node: node level 0 does not match to the expected one -1
[ 264.487915] REISERFS error (device loop0): vs-5150 search_by_key: invalid format found in block 0. Fsck?
[ 264.489937] REISERFS (device loop0): Remounting filesystem read-only
[ 264.489967] REISERFS error (device loop0): vs-13070 reiserfs_read_locked_inode: i/o failure occurred trying to find stat data of [1 2 0x0 SD]
[ 264.492768] REISERFS warning: reiserfs-5090 is_tree_node: node level 0 does not match to the expected one -1
[ 264.492772] REISERFS error (device loop0): vs-5150 search_by_key: invalid format found in block 0. Fsck?
[ 264.495086] BUG: unable to handle kernel paging request at ffffc90000e77000
[ 264.496504] PGD 1f697f067 P4D 1f697f067 PUD 1f6988067 PMD 1f424b067 PTE 0
[ 264.497892] Oops: 0000 [#1] SMP KASAN PTI
[ 264.498741] CPU: 1 PID: 1353 Comm: mount Not tainted 4.18.0-rc1+ #8
[ 264.500005] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 264.501959] RIP: 0010:cleanup_bitmap_list.isra.11+0x1ca/0x250
[ 264.503130] Code: 92 00 00 00 4c 89 f7 e8 c4 71 e9 ff 49 8b 0e 49 63 dd 48 8d 04 dd 00 00 00 00 48 8d 1c 01 48 89 45 d0 48 89 df e8 a6 71 e9 ff <48> 8b 1b 48 85 db 0f 84 70 ff ff ff 49 8d 7c 24 18 e8 90 71 e9 ff
[ 264.506914] RSP: 0018:ffff8801f11bf908 EFLAGS: 00010246
[ 264.507981] RAX: 0000000000000000 RBX: ffffc90000e77000 RCX: ffffffffa550662a
[ 264.509408] RDX: dffffc0000000000 RSI: 0000000000000004 RDI: ffffc90000e77000
[ 264.510849] RBP: ffff8801f11bf960 R08: ffffed0039ac0001 R09: ffffed0039ac0001
[ 264.512277] R10: 0000000000000001 R11: ffffed0039ac0000 R12: ffff8801e63b4500
[ 264.513707] R13: 0000000000000200 R14: ffffc90000f0e190 R15: ffff8801f1a9f700
[ 264.548358] FS:  00007f8a6212e840(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000
[ 264.549983] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 264.551159] CR2: ffffc90000e77000 CR3: 00000001f1d0c000 CR4: 00000000000006e0
[ 264.552604] Call Trace:
[ 264.553128]  free_list_bitmaps+0x35/0x70
[ 264.553930]  free_journal_ram+0x8f/0x1e0
[ 264.554746]  journal_release_error+0x55/0x70
[ 264.555618]  reiserfs_fill_super+0x900/0x1550
[ 264.556509]  ? finish_unfinished+0x940/0x940
[ 264.557421]  ? netdev_bits+0x50/0x50
[ 264.558185]  ? __asan_loadN+0xf/0x20
[ 264.558932]  ? format_decode+0x2af/0x4a0
[ 264.559736]  ? vsnprintf+0x55f/0x980
[ 264.560472]  ? pointer+0x520/0x520
[ 264.561198]  ? up_write+0x16/0x40
[ 264.561886]  ? snprintf+0x96/0xd0
[ 264.562583]  ? vsprintf+0x20/0x20
[ 264.563279]  ? set_blocksize+0x90/0x140
[ 264.564075]  mount_bdev+0x1c5/0x210
[ 264.564793]  ? finish_unfinished+0x940/0x940
[ 264.565665]  get_super_block+0x15/0x20
[ 264.566445]  mount_fs+0x60/0x1a0
[ 264.567123]  ? alloc_vfsmnt+0x309/0x360
[ 264.567913]  vfs_kern_mount+0x6b/0x1a0
[ 264.568684]  do_mount+0x34a/0x18c0
[ 264.569412]  ? lockref_put_or_lock+0xcf/0x160
[ 264.570304]  ? copy_mount_string+0x20/0x20
[ 264.571151]  ? kasan_kmalloc+0xad/0xe0
[ 264.571922]  ? kmem_cache_alloc_trace+0x102/0x200
[ 264.572878]  ? copy_mount_options+0x4b/0x190
[ 264.573753]  ? copy_mount_options+0xd5/0x190
[ 264.574634]  ksys_mount+0x83/0xd0
[ 264.575320]  __x64_sys_mount+0x67/0x80
[ 264.576111]  do_syscall_64+0x78/0x170
[ 264.576882]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 264.577922] RIP: 0033:0x7f8a61a0eb9a
[ 264.578662] Code: 48 8b 0d 01 c3 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ce c2 2b 00 f7 d8 64 89 01 48
[ 264.582455] RSP: 002b:00007ffff18e8788 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
[ 264.583963] RAX: ffffffffffffffda RBX: 0000000001a57030 RCX: 00007f8a61a0eb9a
[ 264.585382] RDX: 0000000001a57210 RSI: 0000000001a58f50 RDI: 0000000001a5fee0
[ 264.586821] RBP: 0000000000000000 R08: 0000000001a57230 R09: 0000000000000017
[ 264.588248] R10: 00000000c0ed0000 R11: 0000000000000206 R12: 0000000001a5fee0
[ 264.589671] R13: 0000000001a57210 R14: 0000000000000000 R15: 0000000000000005
[ 264.591115] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mac_hid i2c_piix4 soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too qxl drm_kms_helper crct10dif_pclmul syscopyarea sysfillrect sysimgblt fb_sys_fops ttm crc32_pclmul aesni_intel drm aes_x86_64 crypto_simd cryptd glue_helper 8139cp mii pata_acpi floppy
[ 264.600894] CR2: ffffc90000e77000
[ 264.601585] ---[ end trace 2e85051acb5f6dc1 ]---
[ 264.602540] RIP: 0010:cleanup_bitmap_list.isra.11+0x1ca/0x250
[ 264.603695] Code: 92 00 00 00 4c 89 f7 e8 c4 71 e9 ff 49 8b 0e 49 63 dd 48 8d 04 dd 00 00 00 00 48 8d 1c 01 48 89 45 d0 48 89 df e8 a6 71 e9 ff <48> 8b 1b 48 85 db 0f 84 70 ff ff ff 49 8d 7c 24 18 e8 90 71 e9 ff
[ 264.607495] RSP: 0018:ffff8801f11bf908 EFLAGS: 00010246
[ 264.608549] RAX: 0000000000000000 RBX: ffffc90000e77000 RCX: ffffffffa550662a
[ 264.609984] RDX: dffffc0000000000 RSI: 0000000000000004 RDI: ffffc90000e77000
[ 264.611422] RBP: ffff8801f11bf960 R08: ffffed0039ac0001 R09: ffffed0039ac0001
[ 264.612846] R10: 0000000000000001 R11: ffffed0039ac0000 R12: ffff8801e63b4500
[ 264.614275] R13: 0000000000000200 R14: ffffc90000f0e190 R15: ffff8801f1a9f700
[ 264.615711] FS:  00007f8a6212e840(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000
[ 264.617319] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 264.618482] CR2: ffffc90000e77000 CR3: 00000001f1d0c000 CR4: 00000000000006e0

- Reason

Kernel crashes here:
https://elixir.bootlin.com/linux/v4.18-rc1/source/fs/reiserfs/journal.c#L186

    if (journal->j_free_bitmap_nodes > REISERFS_MAX_BITMAP_NODES) {
        kfree(bn->data);
        kfree(bn);

which indicates that `bn` passed in from cleanup_bitmap_list() is invalid.

Reported by Wen Xu (wen.xu@xxxxxxxxxx) from SSLab at Gatech.
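A small triage helper, added here as an example and not part of the bug report or of the reiserfs code: it parses oops output of the shape quoted above (a constructed subset of those lines is embedded inline), separates the call-trace frames the unwinder trusts from the `?` entries it prints for stack words it could not verify as return addresses, decodes the page-fault error code carried on the `Oops:` line, and buckets the faulting address against the x86-64 4-level address layout documented in Documentation/x86/x86_64/mm.txt for 4.x kernels (an assumption for other kernel generations, which shift some ranges). Function names and the returned dictionary layout are my own.

```python
import re

# Constructed sample: a subset of the lines quoted in the report, copied verbatim.
SAMPLE_OOPS = """\
[ 264.487907] REISERFS warning: reiserfs-5090 is_tree_node: node level 0 does not match to the expected one -1
[ 264.487915] REISERFS error (device loop0): vs-5150 search_by_key: invalid format found in block 0. Fsck?
[ 264.489937] REISERFS (device loop0): Remounting filesystem read-only
[ 264.495086] BUG: unable to handle kernel paging request at ffffc90000e77000
[ 264.497892] Oops: 0000 [#1] SMP KASAN PTI
[ 264.498741] CPU: 1 PID: 1353 Comm: mount Not tainted 4.18.0-rc1+ #8
[ 264.501959] RIP: 0010:cleanup_bitmap_list.isra.11+0x1ca/0x250
[ 264.551159] CR2: ffffc90000e77000 CR3: 00000001f1d0c000 CR4: 00000000000006e0
[ 264.552604] Call Trace:
[ 264.553128]  free_list_bitmaps+0x35/0x70
[ 264.553930]  free_journal_ram+0x8f/0x1e0
[ 264.554746]  journal_release_error+0x55/0x70
[ 264.555618]  reiserfs_fill_super+0x900/0x1550
[ 264.556509]  ? finish_unfinished+0x940/0x940
[ 264.558185]  ? __asan_loadN+0xf/0x20
[ 264.564075]  mount_bdev+0x1c5/0x210
[ 264.574634]  ksys_mount+0x83/0xd0
[ 264.576882]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 264.577922] RIP: 0033:0x7f8a61a0eb9a
[ 264.591115] Modules linked in: snd_hda_codec_generic snd_hda_intel
"""

TS_RE = re.compile(r"^\[\s*[\d.]+\]\s?")                       # "[ 264.495086] " prefix
FRAME_RE = re.compile(r"^(\?\s+)?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+$")
BUG_RE = re.compile(r"^BUG: unable to handle kernel paging request at ([0-9a-f]+)$")
OOPS_RE = re.compile(r"^Oops: ([0-9a-f]{4}) \[#(\d+)\]")
COMM_RE = re.compile(r"\bComm: (\S+)")
RIP_RE = re.compile(r"^RIP: [0-9a-f]{4}:(.+)$")


def parse_oops(text):
    """Extract the fields a responder reads first from a 4.x-era x86-64 oops."""
    info = {"fault_addr": None, "pf_error": None, "oops_nr": None, "comm": None,
            "rip": None, "trace": [], "unreliable": [], "fs_errors": []}
    in_trace = False
    for raw in text.splitlines():
        line = TS_RE.sub("", raw).strip()
        if not line:
            continue
        if in_trace:
            m = FRAME_RE.match(line)
            if m:
                # '?' marks a stack word the unwinder could not confirm is a return address.
                (info["unreliable"] if m.group(1) else info["trace"]).append(m.group(2))
                continue
            in_trace = False  # first non-frame line (here "RIP: 0033:...") ends the trace
        if line == "Call Trace:":
            in_trace = True
            continue
        m = BUG_RE.match(line)
        if m:
            info["fault_addr"] = int(m.group(1), 16)
            continue
        m = OOPS_RE.match(line)
        if m:
            info["pf_error"], info["oops_nr"] = int(m.group(1), 16), int(m.group(2))
            continue
        m = COMM_RE.search(line)
        if m:
            info["comm"] = m.group(1)
            continue
        m = RIP_RE.match(line)
        if m and info["rip"] is None:  # keep the kernel RIP, not the later user-space one
            f = FRAME_RE.match(m.group(1))
            info["rip"] = f.group(2) if f else m.group(1)
            continue
        if line.startswith(("REISERFS error", "REISERFS warning")):
            info["fs_errors"].append(line)  # filesystem complaints logged before the crash
    return info


def decode_pf_error(code):
    """x86 page-fault error code: bit0 = page present, bit1 = write, bit2 = user mode."""
    return {"present": bool(code & 1), "write": bool(code & 2), "user": bool(code & 4)}


def classify_x86_64(addr):
    """Coarse region for a 4-level-paging x86-64 address, per 4.x mm.txt (assumption elsewhere)."""
    if addr < 0x1000:
        return "NULL page"
    if addr <= 0x00007FFFFFFFFFFF:
        return "user space"
    if 0xFFFF880000000000 <= addr <= 0xFFFFC7FFFFFFFFFF:
        return "direct map"
    if 0xFFFFC90000000000 <= addr <= 0xFFFFE8FFFFFFFFFF:
        return "vmalloc/ioremap"
    if 0xFFFFEC0000000000 <= addr <= 0xFFFFFBFFFFFFFFFF:
        return "KASAN shadow"
    if 0xFFFFFFFF80000000 <= addr <= 0xFFFFFFFF9FFFFFFF:
        return "kernel text"
    if 0xFFFFFFFFA0000000 <= addr <= 0xFFFFFFFFFEFFFFFF:
        return "module space"
    return "hole/other"


def triage(info):
    """One-line verdicts: what kind of access faulted, where, and the trusted call path."""
    pf = decode_pf_error(info["pf_error"])
    access = ("write" if pf["write"] else "read") + (" from user mode" if pf["user"] else " from kernel mode")
    page = "present page (protection violation)" if pf["present"] else "not-present page"
    return {
        "faulting_access": "%s of a %s at %#x (%s)" % (access, page, info["fault_addr"],
                                                       classify_x86_64(info["fault_addr"])),
        "reliable_path": " <- ".join([info["rip"]] + info["trace"]),  # RIP first, then callers
        "process": info["comm"],
        "fs_errors_before_crash": len(info["fs_errors"]),
    }


if __name__ == "__main__":
    for k, v in triage(parse_oops(SAMPLE_OOPS)).items():
        print("%-24s %s" % (k, v))
```

Run against the quoted trace this reports a kernel-mode read of a not-present page in the vmalloc/ioremap region, reached through reiserfs_fill_super -> journal_release_error -> free_journal_ram -> free_list_bitmaps -> cleanup_bitmap_list, with the filesystem errors logged just before the oops as the first thing to look at: the crash happens on the error-cleanup path after the mount had already failed validation.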