[Bug 200359] New: BUG() in reiserfs_in_journal when writing file on a reiserfs filesystem


 



https://bugzilla.kernel.org/show_bug.cgi?id=200359

            Bug ID: 200359
           Summary: BUG() in reiserfs_in_journal when writing file on a
                    reiserfs filesystem
           Product: File System
           Version: 2.5
    Kernel Version: 4.18
          Hardware: All
                OS: Linux
              Tree: Mainline
            Status: NEW
          Severity: normal
          Priority: P1
         Component: ReiserFS
          Assignee: reiserfs-devel@xxxxxxxxxxxxxxx
          Reporter: wen.xu@xxxxxxxxxx
        Regression: No

Created attachment 277013
  --> https://bugzilla.kernel.org/attachment.cgi?id=277013&action=edit
The (compressed) crafted image that causes the crash

- Reproduce (4.18)
# mkdir mnt
# mount -t reiserfs -o acl,user_xattr 113.img mnt
# gcc -o poc poc.c
# ./poc ./mnt

- POC (poc.c)
    #define _GNU_SOURCE
    #include <sys/types.h>
    #include <sys/mount.h>
    #include <sys/mman.h>
    #include <sys/stat.h>
    #include <sys/xattr.h>

    #include <dirent.h>
    #include <errno.h>
    #include <error.h>
    #include <fcntl.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>

    #include <linux/falloc.h>
    #include <linux/loop.h>

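    /*
     * Truncate <mpoint>/foo/bar/baz and write zeroed data into it: first a
     * 517-byte chunk, then the whole 8192-int buffer. On the crafted image
     * this write path reaches reiserfs_in_journal() and hits its BUG(); the
     * syscall register dump above (RDX=0x205, i.e. 517) suggests it is the
     * first write that does so, but that is inferred, not confirmed.
     *
     * mpoint: mount point of the reiserfs image; must not be NULL.
     * Failures are reported on stderr; the function never aborts the process.
     */
    static void activity(char *mpoint) {
      char *foo_bar_baz = NULL;
      static int buf[8192];

      /* buf has static storage and is already zero; the memset is kept so
       * the all-zero intent survives if buf ever becomes an automatic. */
      memset(buf, 0, sizeof(buf));

      /* asprintf() returns -1 on allocation failure and leaves the pointer
       * undefined, so the path must not be used without this check. */
      if (asprintf(&foo_bar_baz, "%s/foo/bar/baz", mpoint) < 0) {
        perror("asprintf");
        return;
      }

      /* No O_CREAT: the file must already exist on the image. */
      int fd = open(foo_bar_baz, O_RDWR | O_TRUNC, 0777);
      if (fd < 0) {
        perror(foo_bar_baz);
      } else {
        /* write() can fail or be short; report it so a silent no-op is not
         * mistaken for a successful reproduction attempt. */
        if (write(fd, (char *)buf, 517) != 517) {
          perror("write(517)");
        }
        if (write(fd, (char *)buf, sizeof(buf)) != (ssize_t)sizeof(buf)) {
          perror("write(buf)");
        }
        if (close(fd) < 0) {
          perror("close");
        }
      }

      /* The asprintf() buffer is owned by this function; release it. */
      free(foo_bar_baz);
    }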

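    /*
     * Entry point. argv[1] is the mount point of the reiserfs image.
     * A missing argument is rejected with a usage message instead of being
     * passed on as a NULL pointer (which asprintf()'s "%s" would dereference).
     * Returns 0 after running activity(), EXIT_FAILURE on a usage error.
     */
    int main(int argc, char *argv[]) {
      if (argc < 2 || argv[1] == NULL) {
        fprintf(stderr, "usage: %s <mountpoint>\n", argc > 0 ? argv[0] : "poc");
        return EXIT_FAILURE;
      }
      activity(argv[1]);
      return 0;
    }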

- Kernel message
[  224.175132] REISERFS (device loop0): found reiserfs format "3.6" with
standard journal
[  224.175227] REISERFS (device loop0): using ordered data mode
[  224.175233] reiserfs: using flush barriers
[  224.176089] REISERFS (device loop0): journal params: device loop0, size
8192, journal first block 18, max trans len 1024, max batch 900, max commit age
30, max trans age 30
[  224.178402] REISERFS (device loop0): checking transaction log (loop0)
[  225.017145] REISERFS (device loop0): Using r5 hash to sort names
[  232.979039] ------------[ cut here ]------------
[  232.979047] kernel BUG at fs/reiserfs/journal.c:509!
[  232.980370] invalid opcode: 0000 [#1] SMP KASAN PTI
[  232.981416] CPU: 1 PID: 1363 Comm: a.out Not tainted 4.18.0-rc1+ #8
[  232.982725] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
Ubuntu-1.8.2-1ubuntu1 04/01/2014
[  232.984725] RIP: 0010:reiserfs_in_journal+0x223/0x280
[  232.985777] Code: ff 48 8b 5b 40 48 85 db 74 22 48 8d 7b 10 e8 d4 54 e9 ff
8b 43 10 49 39 c7 75 dd 48 8d 7b 08 e8 c3 55 e9 ff 4c 3b 63 08 75 ce <0f> 0b 31
c0 48 83 c4 28 5b 41 5c 41 5d 41 5e 41 5f 5d c3 49 8d 7c
[  232.989616] RSP: 0018:ffff8801e92a71d8 EFLAGS: 00010246
[  232.990711] RAX: 0000000000000000 RBX: ffffc90001409048 RCX:
ffffffffa550820d
[  232.992162] RDX: dffffc0000000000 RSI: dffffc0000000000 RDI:
ffffc90001409050
[  232.993613] RBP: ffff8801e92a7228 R08: ffff8801e92a72a8 R09:
0000000000002014
[  232.995074] R10: 0000000000000001 R11: ffffed003a0d8cb4 R12:
ffff8801f264bb80
[  232.996524] R13: 000000000000da48 R14: ffffc90000eee000 R15:
0000000000002013
[  232.997991] FS:  00007f3c02af0700(0000) GS:ffff8801f6f00000(0000)
knlGS:0000000000000000
[  232.999629] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  233.000806] CR2: 00007f3c025a1760 CR3: 00000001edd28000 CR4:
00000000000006e0
[  233.002286] Call Trace:
[  233.002827]  scan_bitmap_block.constprop.16+0x2a3/0x550
[  233.003925]  ? reiserfs_discard_all_prealloc+0x90/0x90
[  233.005040]  ? kasan_check_write+0x14/0x20
[  233.005919]  reiserfs_allocate_blocknrs+0x1104/0x1e90
[  233.006958]  ? scan_bitmap_block.constprop.16+0x550/0x550
[  233.008066]  reiserfs_new_unf_blocknrs2+0xab/0xe0
[  233.009033]  ? reiserfs_find_actor+0x70/0x70
[  233.009928]  ? memcpy+0x45/0x50
[  233.010584]  reiserfs_get_block+0x13b0/0x1c40
[  233.011483]  ? reiserfs_commit_write+0x390/0x390
[  233.012432]  ? __slab_free+0x30a/0x350
[  233.013240]  ? _raw_spin_lock_irqsave+0x2a/0x60
[  233.014188]  ? ___cache_free+0x9d/0xa0
[  233.014996]  ? __srcu_read_unlock+0x23/0x40
[  233.015866]  ? quarantine_reduce+0x16c/0x180
[  233.016747]  ? kasan_unpoison_shadow+0x36/0x50
[  233.017673]  ? kasan_kmalloc+0xad/0xe0
[  233.018464]  ? memcg_kmem_put_cache+0x1b/0xa0
[  233.019367]  ? kmem_cache_alloc+0x17c/0x1e0
[  233.020233]  ? kasan_check_write+0x14/0x20
[  233.021098]  ? create_empty_buffers+0x17e/0x1d0
[  233.022049]  __block_write_begin_int+0x296/0x940
[  233.023003]  ? reiserfs_commit_write+0x390/0x390
[  233.023958]  ? __block_write_begin_int+0x296/0x940
[  233.025061]  ? reiserfs_commit_write+0x390/0x390
[  233.026127]  ? __breadahead+0xd0/0xd0
[  233.026894]  ? reiserfs_wait_on_write_block+0xa6/0x140
[  233.027964]  ? reiserfs_allow_writes+0x50/0x50
[  233.028912]  ? pagecache_get_page+0xca/0x2f0
[  233.029821]  ? wait_for_stable_page+0x77/0xf0
[  233.030726]  __block_write_begin+0x11/0x20
[  233.031577]  reiserfs_write_begin+0x1a5/0x380
[  233.032492]  ? timespec64_trunc+0x5c/0x90
[  233.033327]  generic_perform_write+0x192/0x320
[  233.034264]  ? __bpf_trace_filemap_set_wb_err+0x10/0x10
[  233.035342]  ? file_update_time+0x1d2/0x270
[  233.036211]  ? current_time+0x110/0x110
[  233.037012]  ? save_stack+0xb5/0xd0
[  233.037756]  __generic_file_write_iter+0x261/0x2e0
[  233.038765]  ? do_syscall_64+0x78/0x170
[  233.039567]  generic_file_write_iter+0x19d/0x2d0
[  233.040536]  __vfs_write+0x286/0x410
[  233.041289]  ? kernel_read+0xa0/0xa0
[  233.042073]  ? common_file_perm+0x11b/0x2e0
[  233.042943]  ? may_open_dev+0x50/0x50
[  233.043707]  ? apparmor_task_setrlimit+0x270/0x270
[  233.044695]  ? fsnotify+0x590/0x7d0
[  233.045426]  ? rw_verify_area+0x78/0x140
[  233.046253]  vfs_write+0xf9/0x260
[  233.046947]  ksys_write+0xb4/0x140
[  233.047661]  ? __ia32_sys_read+0x50/0x50
[  233.048483]  ? vm_brk+0x20/0x20
[  233.049147]  __x64_sys_write+0x43/0x50
[  233.049941]  do_syscall_64+0x78/0x170
[  233.050710]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  233.051771] RIP: 0033:0x7f3c026022c0
[  233.052517] Code: 73 01 c3 48 8b 0d d8 cb 2c 00 f7 d8 64 89 01 48 83 c8 ff
c3 66 0f 1f 44 00 00 83 3d 89 24 2d 00 00 75 10 b8 01 00 00 00 0f 05 <48> 3d 01
f0 ff ff 73 31 c3 48 83 ec 08 e8 fe dd 01 00 48 89 04 24
[  233.056376] RSP: 002b:00007ffdc107fd68 EFLAGS: 00000246 ORIG_RAX:
0000000000000001
[  233.057925] RAX: ffffffffffffffda RBX: 0000000000000000 RCX:
00007f3c026022c0
[  233.059368] RDX: 0000000000000205 RSI: 0000000000601080 RDI:
0000000000000003
[  233.060812] RBP: 00007ffdc107fda0 R08: 0000000000d66010 R09:
0000000000000000
[  233.067840] R10: 000000000000086f R11: 0000000000000246 R12:
00000000004005c0
[  233.069322] R13: 00007ffdc107fea0 R14: 0000000000000000 R15:
0000000000000000
[  233.070825] Modules linked in: snd_hda_codec_generic snd_hda_intel
snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mac_hid i2c_piix4
soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi
scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq
async_xor async_tx raid1 raid0 multipath linear 8139too qxl drm_kms_helper
crct10dif_pclmul syscopyarea sysfillrect sysimgblt fb_sys_fops ttm crc32_pclmul
aesni_intel drm aes_x86_64 crypto_simd cryptd glue_helper 8139cp mii pata_acpi
floppy
[  233.081267] ---[ end trace 2e85051acb5f6dc1 ]---
[  233.082280] RIP: 0010:reiserfs_in_journal+0x223/0x280
[  233.083331] Code: ff 48 8b 5b 40 48 85 db 74 22 48 8d 7b 10 e8 d4 54 e9 ff
8b 43 10 49 39 c7 75 dd 48 8d 7b 08 e8 c3 55 e9 ff 4c 3b 63 08 75 ce <0f> 0b 31
c0 48 83 c4 28 5b 41 5c 41 5d 41 5e 41 5f 5d c3 49 8d 7c
[  233.087286] RSP: 0018:ffff8801e92a71d8 EFLAGS: 00010246
[  233.088410] RAX: 0000000000000000 RBX: ffffc90001409048 RCX:
ffffffffa550820d
[  233.089880] RDX: dffffc0000000000 RSI: dffffc0000000000 RDI:
ffffc90001409050
[  233.091341] RBP: ffff8801e92a7228 R08: ffff8801e92a72a8 R09:
0000000000002014
[  233.092830] R10: 0000000000000001 R11: ffffed003a0d8cb4 R12:
ffff8801f264bb80
[  233.094302] R13: 000000000000da48 R14: ffffc90000eee000 R15:
0000000000002013
[  233.095757] FS:  00007f3c02af0700(0000) GS:ffff8801f6f00000(0000)
knlGS:0000000000000000
[  233.097437] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  233.098636] CR2: 00007f3c025a1760 CR3: 00000001edd28000 CR4:
00000000000006e0

- Location
https://elixir.bootlin.com/linux/v4.18-rc1/source/fs/reiserfs/journal.c#L509
        /* is it in the current transaction.  This should never happen */
        if ((cn = get_journal_hash_dev(sb, journal->j_hash_table, bl))) {
                BUG();
                return 1;
        }

Reported by Wen Xu (wen.xu@xxxxxxxxxx) from SSLab at Gatech.

-- 
You are receiving this mail because:
You are the assignee for the bug.--
To unsubscribe from this list: send the line "unsubscribe reiserfs-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html



