Syzkaller reports use-after-free Read as follows: ------------[ cut here ]------------ BUG: KASAN: use-after-free in bin_search_in_dir_item fs/reiserfs/namei.c:40 [inline] BUG: KASAN: use-after-free in search_by_entry_key+0x81f/0x960 fs/reiserfs/namei.c:165 Read of size 4 at addr ffff8880715ee014 by task syz-executor352/3611 CPU: 0 PID: 3611 Comm: syz-executor352 Not tainted 5.19.0-rc1-syzkaller-00263-g1c27f1fc1549 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_address_description.constprop.0.cold+0xeb/0x495 mm/kasan/report.c:313 print_report mm/kasan/report.c:429 [inline] kasan_report.cold+0xf4/0x1c6 mm/kasan/report.c:491 bin_search_in_dir_item fs/reiserfs/namei.c:40 [inline] search_by_entry_key+0x81f/0x960 fs/reiserfs/namei.c:165 reiserfs_find_entry.part.0+0x139/0xdf0 fs/reiserfs/namei.c:322 reiserfs_find_entry fs/reiserfs/namei.c:368 [inline] reiserfs_lookup+0x24a/0x490 fs/reiserfs/namei.c:368 __lookup_slow+0x24c/0x480 fs/namei.c:1701 lookup_one_len+0x16a/0x1a0 fs/namei.c:2730 reiserfs_lookup_privroot+0x92/0x280 fs/reiserfs/xattr.c:980 reiserfs_fill_super+0x21bb/0x2fb0 fs/reiserfs/super.c:2176 mount_bdev+0x34d/0x410 fs/super.c:1367 legacy_get_tree+0x105/0x220 fs/fs_context.c:610 vfs_get_tree+0x89/0x2f0 fs/super.c:1497 do_new_mount fs/namespace.c:3040 [inline] path_mount+0x1320/0x1fa0 fs/namespace.c:3370 do_mount fs/namespace.c:3383 [inline] __do_sys_mount fs/namespace.c:3591 [inline] __se_sys_mount fs/namespace.c:3568 [inline] __x64_sys_mount+0x27f/0x300 fs/namespace.c:3568 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x46/0xb0 </TASK> The buggy address belongs to the physical page: page:ffffea0001c57b80 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x715ee flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 ffffea0001c57bc8 ffff8880b9a403c0 0000000000000000 raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as freed Memory state around the buggy address: ffff8880715edf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8880715edf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff8880715ee000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff8880715ee080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff8880715ee100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ================================================================== The cause is that the value of rbound in bin_search_in_dir_item() is out of bounds. To be more specific, struct buffer_head's b_data field contains the entry headers array, according to set_de_item_location(). So the array's length should be less than the size of b_data, or it may access the invalid memory. This patch solves it by checking the array's size with b_data's size. Signed-off-by: Hawkins Jiawei <yin31149@xxxxxxxxx> --- v2: - rename subject from search_by_entry_key() to bin_search_in_dir_item() fs/reiserfs/namei.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/fs/reiserfs/namei.c b/fs/reiserfs/namei.c index 3d7a35d6a18b..c4c056ffafde 100644 --- a/fs/reiserfs/namei.c +++ b/fs/reiserfs/namei.c @@ -33,7 +33,11 @@ static int bin_search_in_dir_item(struct reiserfs_dir_entry *de, loff_t off) int rbound, lbound, j; lbound = 0; - rbound = ih_entry_count(ih) - 1; + if (ih_location(ih) + ih_entry_count(ih) * IH_SIZE >= + de->de_bh->b_size) + rbound = (de->de_bh->b_size - ih_location(ih)) / IH_SIZE - 1; + else + rbound = ih_entry_count(ih) - 1; for (j = (rbound + lbound) / 2; lbound <= rbound; j = (rbound + lbound) / 2) { -- 2.25.1