https://bugzilla.kernel.org/show_bug.cgi?id=200361

            Bug ID: 200361
           Summary: Kernel panic in update_stat_data() when accessing a file on a reiserfs filesystem
           Product: File System
           Version: 2.5
    Kernel Version: 4.18
          Hardware: All
                OS: Linux
              Tree: Mainline
            Status: NEW
          Severity: normal
          Priority: P1
         Component: ReiserFS
          Assignee: reiserfs-devel@xxxxxxxxxxxxxxx
          Reporter: wen.xu@xxxxxxxxxx
        Regression: No

Created attachment 277015
  --> https://bugzilla.kernel.org/attachment.cgi?id=277015&action=edit
The (compressed) crafted image which causes the crash

- Reproduce

# mkdir mnt
# mount -t reiserfs -o acl,user_xattr 31.img mnt
# gcc -o poc poc.c
# ./poc ./mnt

- POC (poc.c)

#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <unistd.h>

/*
 * Open foo/bar/baz below the mount point and mmap() its first page.
 * generic_file_mmap() marks the file accessed (touch_atime), which
 * dirties the inode and calls reiserfs_update_sd_size(); on the crafted
 * image the item found for the inode's key is not a stat-data item and
 * update_stat_data() panics (see the kernel message below).
 */
static void activity(const char *mpoint)
{
	char *foo_bar_baz;

	if (asprintf(&foo_bar_baz, "%s/foo/bar/baz", mpoint) < 0) {
		perror("asprintf");
		exit(1);
	}
	int fd = open(foo_bar_baz, O_RDONLY, 0);
	if (fd >= 0) {
		void *mem = mmap(NULL, 4096, PROT_READ, MAP_PRIVATE | MAP_POPULATE, fd, 0);
		if (mem != MAP_FAILED)
			munmap(mem, 4096);
		close(fd);
	}
	free(foo_bar_baz);
}

int main(int argc, char *argv[])
{
	if (argc < 2) {
		fprintf(stderr, "usage: %s <mountpoint>\n", argv[0]);
		return 1;
	}
	activity(argv[1]);
	return 0;
}

- Kernel message

[ 949.720812] REISERFS (device loop0): found reiserfs format "3.6" with standard journal
[ 949.720899] REISERFS (device loop0): using ordered data mode
[ 949.720905] reiserfs: using flush barriers
[ 949.724305] REISERFS (device loop0): journal params: device loop0, size 8192, journal first block 18, max trans len 1024, max batch 900, max commit age 30, max trans age 30
[ 949.727088] REISERFS (device loop0): checking transaction log (loop0)
[ 950.557910] REISERFS (device loop0): Using r5 hash to sort names
[ 950.558231] REISERFS (device loop0): Created .reiserfs_priv - reserved for xattr storage.
[ 967.052214] REISERFS panic (device loop0): vs-13065 update_stat_data: key [5 15 0x0 SD], found item *3.5*[5 15 0x0 IND], item_len 8, item_location 2972, free_space(entry_count) 0
[ 967.052279] ------------[ cut here ]------------
[ 967.052282] kernel BUG at fs/reiserfs/prints.c:369!
[ 967.059616] invalid opcode: 0000 [#1] SMP KASAN PTI
[ 967.060669] CPU: 0 PID: 1429 Comm: a.out Not tainted 4.18.0-rc1+ #8
[ 967.061944] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 967.063902] RIP: 0010:__reiserfs_panic+0xe2/0x130
[ 967.064864] Code: 48 89 da 48 c7 c1 20 11 94 a6 74 47 49 8d b4 24 d8 03 00 00 49 c7 c1 e0 21 9a a7 4d 89 e8 48 c7 c7 c0 12 94 a6 e8 62 a4 c7 ff <0f> 0b 48 85 db 48 89 de 48 c7 c2 20 11 94 a6 74 24 49 c7 c0 e0 21
[ 967.068599] RSP: 0018:ffff8801efa77760 EFLAGS: 00010282
[ 967.069671] RAX: 00000000000000a6 RBX: ffffffffa693af60 RCX: 0000000000000000
[ 967.071092] RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffffed003df4eee2
[ 967.072513] RBP: ffff8801efa77810 R08: ffffed003edc4f21 R09: ffffed003edc4f21
[ 967.073948] R10: 0000000000000001 R11: ffffed003edc4f20 R12: ffff8801ee98e600
[ 967.075367] R13: ffffffffa693b980 R14: ffff8801cd360000 R15: ffff8801cd3601c8
[ 967.076797] FS:  00007f88c4a10700(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000
[ 967.078394] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 967.079537] CR2: 00007f88c44c1760 CR3: 00000001f136c000 CR4: 00000000000006f0
[ 967.080980] Call Trace:
[ 967.081504]  ? reiserfs_debug+0x10/0x10
[ 967.082289]  reiserfs_update_sd_size+0x44f/0x590
[ 967.083227]  ? make_le_item_head+0x130/0x130
[ 967.084133]  ? mutex_unlock+0x22/0x40
[ 967.084903]  ? do_journal_begin_r+0x46c/0x6d0
[ 967.085789]  ? journal_begin+0x10f/0x1e0
[ 967.086585]  reiserfs_dirty_inode+0x149/0x160
[ 967.087465]  ? reiserfs_dirty_inode+0x149/0x160
[ 967.088383]  ? reiserfs_unfreeze+0x70/0x70
[ 967.089254]  ? timespec64_trunc+0x5c/0x90
[ 967.090072]  ? timespec64_trunc+0x5c/0x90
[ 967.090902]  __mark_inode_dirty+0x220/0x4f0
[ 967.091754]  ? timespec64_trunc+0x90/0x90
[ 967.092571]  generic_update_time+0xd7/0x170
[ 967.093435]  touch_atime+0x164/0x190
[ 967.094169]  ? __atime_needs_update+0x360/0x360
[ 967.095101]  ? kasan_kmalloc+0xad/0xe0
[ 967.095891]  generic_file_mmap+0x80/0x90
[ 967.096702]  mmap_region+0x5dc/0x8d0
[ 967.097449]  do_mmap+0x543/0x790
[ 967.098126]  vm_mmap_pgoff+0x182/0x1f0
[ 967.098896]  ? vma_is_stack_for_current+0x60/0x60
[ 967.099852]  ? putname+0x80/0x90
[ 967.100518]  ? __fget+0xbe/0x110
[ 967.101202]  ksys_mmap_pgoff+0x2a9/0x3a0
[ 967.102011]  ? find_mergeable_anon_vma+0x60/0x60
[ 967.102964]  ? filp_open+0x60/0x60
[ 967.103666]  ? vm_brk+0x20/0x20
[ 967.104338]  __x64_sys_mmap+0x94/0xb0
[ 967.105115]  do_syscall_64+0x78/0x170
[ 967.105868]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 967.106903] RIP: 0033:0x7f88c452c6ba
[ 967.107631] Code: 89 f5 41 54 49 89 fc 55 53 74 35 49 63 e8 48 63 da 4d 89 f9 49 89 e8 4d 63 d6 48 89 da 4c 89 ee 4c 89 e7 b8 09 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 56 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 00
[ 967.111428] RSP: 002b:00007ffdc414efb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
[ 967.112949] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f88c452c6ba
[ 967.114365] RDX: 0000000000000001 RSI: 0000000000001000 RDI: 0000000000000000
[ 967.115783] RBP: 0000000000000003 R08: 0000000000000003 R09: 0000000000000000
[ 967.117209] R10: 0000000000008002 R11: 0000000000000246 R12: 0000000000000000
[ 967.118626] R13: 0000000000001000 R14: 0000000000008002 R15: 0000000000000000
[ 967.120051] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mac_hid i2c_piix4 soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too qxl drm_kms_helper crct10dif_pclmul syscopyarea sysfillrect sysimgblt fb_sys_fops ttm crc32_pclmul aesni_intel drm aes_x86_64 crypto_simd cryptd glue_helper 8139cp mii pata_acpi floppy
[ 967.129773] ---[ end trace 2e85051acb5f6dc1 ]---
[ 967.130773] RIP: 0010:__reiserfs_panic+0xe2/0x130
[ 967.131719] Code: 48 89 da 48 c7 c1 20 11 94 a6 74 47 49 8d b4 24 d8 03 00 00 49 c7 c1 e0 21 9a a7 4d 89 e8 48 c7 c7 c0 12 94 a6 e8 62 a4 c7 ff <0f> 0b 48 85 db 48 89 de 48 c7 c2 20 11 94 a6 74 24 49 c7 c0 e0 21
[ 967.135581] RSP: 0018:ffff8801efa77760 EFLAGS: 00010282
[ 967.136638] RAX: 00000000000000a6 RBX: ffffffffa693af60 RCX: 0000000000000000
[ 967.138147] RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffffed003df4eee2
[ 967.139572] RBP: ffff8801efa77810 R08: ffffed003edc4f21 R09: ffffed003edc4f21
[ 967.140988] R10: 0000000000000001 R11: ffffed003edc4f20 R12: ffff8801ee98e600
[ 967.142435] R13: ffffffffa693b980 R14: ffff8801cd360000 R15: ffff8801cd3601c8
[ 967.143851] FS:  00007f88c4a10700(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000
[ 967.145453] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 967.146642] CR2: 00007f88c44c1760 CR3: 00000001f136c000 CR4: 00000000000006f0

- Location

https://elixir.bootlin.com/linux/v4.18-rc1/source/fs/reiserfs/inode.c#L1434

	if (!is_statdata_le_ih(ih))
		reiserfs_panic(inode->i_sb, "vs-13065", "key %k, found item %h",
			       INODE_PKEY(inode), ih);

The inode's key [5 15 0x0 SD] resolves, on the crafted image, to a format-3.5 indirect item at the same [dir_id objectid offset] rather than to a stat-data item, and the only handling for that mismatch is reiserfs_panic(), which hits BUG() in prints.c. Corrupt on-disk metadata is therefore turned into a kernel crash instead of an error returned to the caller.

Reported by Wen Xu (wen.xu@xxxxxxxxxx) from SSLab at Gatech.
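The following is an added example, not code from the bug report or from the kernel. It decodes a raw 24-byte reiserfs item head (the fields the "%h" in the panic message prints), derives the item type the way the kernel's le_key_k_type()/uniqueness_to_type() do (type codes, key formats and format-3.5 uniqueness values are as defined in fs/reiserfs/reiserfs.h), and replaces the reiserfs_panic() at inode.c:1434 with a hypothetical expect_stat_data() that reports the mismatch and returns -EUCLEAN so a caller can fail the operation instead of crashing. The byte strings are constructed to match the item head the panic message reports (an indirect item at key [5 15 0x0] with item_len 8 and item_location 2972) and a well-formed format-3.6 stat-data head at the same key; they are not taken from the attached image.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#ifndef EUCLEAN
#define EUCLEAN 117 /* Linux errno "Structure needs cleaning" */
#endif

/* Item type codes, key formats and format-3.5 uniqueness values
 * as defined in the kernel's fs/reiserfs/reiserfs.h. */
#define TYPE_STAT_DATA 0
#define TYPE_INDIRECT 1
#define TYPE_DIRECT 2
#define TYPE_DIRENTRY 3
#define TYPE_MAXTYPE 3
#define TYPE_ANY 15
#define KEY_FORMAT_3_5 0
#define KEY_FORMAT_3_6 1
#define V1_SD_UNIQUENESS 0u
#define V1_INDIRECT_UNIQUENESS 0xfffffffeu
#define V1_DIRECT_UNIQUENESS 0xffffffffu
#define V1_DIRENTRY_UNIQUENESS 500u
#define IH_SIZE 24 /* on-disk size of struct item_head */

/* Host-endian view of one on-disk item head. */
struct item_head {
	uint32_t dir_id, objectid;
	uint64_t offset;     /* 3.5: 32-bit k_offset; 3.6: low 60 bits of the v2 field */
	uint32_t type_field; /* 3.5: k_uniqueness; 3.6: top 4 bits of the v2 field */
	uint16_t free_space, item_len, item_location, version;
};

static uint32_t rd_le32(const uint8_t *p)
{
	return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint16_t rd_le16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }

/* Decode a raw little-endian item head; -EINVAL if the buffer is short. */
int decode_item_head(const uint8_t *buf, size_t len, struct item_head *ih)
{
	if (len < IH_SIZE)
		return -EINVAL;
	ih->dir_id = rd_le32(buf);
	ih->objectid = rd_le32(buf + 4);
	ih->free_space = rd_le16(buf + 16);
	ih->item_len = rd_le16(buf + 18);
	ih->item_location = rd_le16(buf + 20);
	ih->version = rd_le16(buf + 22);
	if (ih->version == KEY_FORMAT_3_5) {
		ih->offset = rd_le32(buf + 8);
		ih->type_field = rd_le32(buf + 12);
	} else { /* format 3.6: one 64-bit field, offset in bits 0..59, type in 60..63 */
		uint64_t v = (uint64_t)rd_le32(buf + 8) | (uint64_t)rd_le32(buf + 12) << 32;
		ih->offset = v & ((1ULL << 60) - 1);
		ih->type_field = (uint32_t)(v >> 60);
	}
	return 0;
}

/* Item type encoded in the key; mirrors le_key_k_type()/uniqueness_to_type(). */
int item_type(const struct item_head *ih)
{
	if (ih->version == KEY_FORMAT_3_5) {
		switch (ih->type_field) {
		case V1_SD_UNIQUENESS:       return TYPE_STAT_DATA;
		case V1_INDIRECT_UNIQUENESS: return TYPE_INDIRECT;
		case V1_DIRECT_UNIQUENESS:   return TYPE_DIRECT;
		case V1_DIRENTRY_UNIQUENESS: return TYPE_DIRENTRY;
		default:                     return TYPE_ANY;
		}
	}
	return ih->type_field <= TYPE_MAXTYPE ? (int)ih->type_field : TYPE_ANY;
}

/* Hypothetical hardened form of the check at inode.c:1434: log the mismatch
 * and return -EUCLEAN instead of reiserfs_panic(), so a corrupt image fails
 * the operation rather than hitting BUG(). */
int expect_stat_data(const uint8_t *buf, size_t len)
{
	struct item_head ih;
	int err = decode_item_head(buf, len, &ih);
	if (err)
		return err;
	if (item_type(&ih) != TYPE_STAT_DATA) {
		fprintf(stderr, "reiserfs: corrupt metadata: key [%u %u 0x%llx] should be SD, found type %d (len %u, loc %u)\n",
			ih.dir_id, ih.objectid, (unsigned long long)ih.offset, item_type(&ih), ih.item_len, ih.item_location);
		return -EUCLEAN;
	}
	return 0;
}

/* Constructed samples (not from the attached image). */
const uint8_t corrupt_ih[IH_SIZE] = {
	0x05, 0, 0, 0,  0x0f, 0, 0, 0,          /* dir_id 5, objectid 15 */
	0, 0, 0, 0,     0xfe, 0xff, 0xff, 0xff, /* offset 0, uniqueness = INDIRECT */
	0, 0,  0x08, 0,  0x9c, 0x0b,  0, 0,     /* free 0, len 8, loc 2972, format 3.5 */
};
const uint8_t good_ih[IH_SIZE] = {
	0x05, 0, 0, 0,  0x0f, 0, 0, 0,
	0, 0, 0, 0,     0, 0, 0, 0,             /* v2 field: offset 0, type SD */
	0, 0,  0x2c, 0,  0x9c, 0x0b,  0x01, 0,  /* free 0, len 44, loc 2972, format 3.6 */
};

int main(void)
{
	printf("corrupt head -> %d\n", expect_stat_data(corrupt_ih, IH_SIZE));
	printf("good head    -> %d\n", expect_stat_data(good_ih, IH_SIZE));
	return 0;
}
```

Run stand-alone it prints -117 for the constructed indirect-item head (after the corruption message on stderr) and 0 for the stat-data head; the point is that an image-controlled item type is an input-validation failure and belongs on the error path, not the panic path.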