Re: kernel BUG in reiserfs_update_sd_size

Dear Linux developers,

Here are the links to the reproducers.

C reproducer: https://drive.google.com/file/d/1Zpylo9ayWUtnFSkdTS2qszoAxomB_h5P/view?usp=share_link
Syz reproducer:
https://drive.google.com/file/d/1wW_xyEfybUkYVK-By0qNqsSosIsWRmqJ/view?usp=share_link

The bug persists in Linux v6.0.0. I hope it is helpful to you.

[   51.239162][ T6622] kernel BUG at fs/reiserfs/prints.c:390!
[   51.239539][ T6622] invalid opcode: 0000 [#1] PREEMPT SMP KASAN
[   51.239948][ T6622] CPU: 0 PID: 6622 Comm: a.out Not tainted 6.0.0 #38
[   51.240371][ T6622] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
[   51.240998][ T6622] RIP: 0010:__reiserfs_panic+0x12f/0x140
[   51.241373][ T6622] Code: 40 fa a7 8a 48 0f 44 c8 48 0f 44 d8 48 c7 c7 40 fb a7 8a 4c 89 fe 48 89 da 4d 89 f0 49 c7 c1 a0 3e 0f 91 31 c0 e8 10 73 0a 08 <0f> 0b 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 48 89 e5 41
[   51.242602][ T6622] RSP: 0018:ffffc90009997380 EFLAGS: 00010246
[   51.242995][ T6622] RAX: 00000000000000a7 RBX: ffffffff8aa789e0 RCX: 46d2c6edc7752800
[   51.243496][ T6622] RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
[   51.244008][ T6622] RBP: ffffc90009997470 R08: ffffffff816b75fc R09: ffffed100c7867e1
[   51.244504][ T6622] R10: ffffed100c7867e1 R11: 0000000000000000 R12: ffffffff8aa78a20
[   51.245015][ T6622] R13: ffffc900099973a0 R14: ffffffff8c6888a2 R15: ffff888014d8e6a8
[   51.245518][ T6622] FS:  00007f1e44cb9700(0000) GS:ffff888063c00000(0000) knlGS:0000000000000000
[   51.246087][ T6622] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   51.246502][ T6622] CR2: 000055af26e96c80 CR3: 0000000021e44000 CR4: 0000000000750ef0
[   51.247008][ T6622] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   51.247510][ T6622] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   51.248009][ T6622] PKRU: 55555554
[   51.248239][ T6622] Call Trace:
[   51.248457][ T6622]  <TASK>
[   51.248645][ T6622]  ? reiserfs_debug+0x10/0x10
[   51.248941][ T6622]  reiserfs_update_sd_size+0xf98/0x1080
[   51.249285][ T6622]  ? restart_transaction+0x1d0/0x1d0
[   51.249648][ T6622]  ? journal_begin+0x1f1/0x350
[   51.249964][ T6622]  reiserfs_mkdir+0x715/0x8b0
[   51.250257][ T6622]  ? reiserfs_symlink+0x850/0x850
[   51.250569][ T6622]  ? down_write+0x10d/0x170
[   51.250854][ T6622]  ? down_read_killable+0x80/0x80
[   51.251166][ T6622]  ? __up_read+0x7a0/0x7a0
[   51.251442][ T6622]  reiserfs_xattr_init+0x34b/0x730
[   51.251786][ T6622]  reiserfs_fill_super+0x31bd/0x37d0
[   51.252118][ T6622]  ? widen_string+0x3a/0x340
[   51.252411][ T6622]  ? reiserfs_kill_sb+0x150/0x150
[   51.252722][ T6622]  ? string+0x2b0/0x2b0
[   51.252983][ T6622]  ? vsnprintf+0x1cd0/0x1cd0
[   51.253269][ T6622]  ? vsnprintf+0x1bf4/0x1cd0
[   51.253566][ T6622]  ? __ptr_to_hashval+0x2f0/0x2f0
[   51.253886][ T6622]  ? snprintf+0xc0/0x110
[   51.254150][ T6622]  ? vscnprintf+0x80/0x80
[   51.254423][ T6622]  ? set_blocksize+0x1d5/0x360
[   51.254733][ T6622]  mount_bdev+0x26c/0x3a0
[   51.254996][ T6622]  ? reiserfs_kill_sb+0x150/0x150
[   51.255303][ T6622]  legacy_get_tree+0xea/0x180
[   51.255590][ T6622]  ? remove_save_link+0x4a0/0x4a0
[   51.255895][ T6622]  vfs_get_tree+0x86/0x270
[   51.256166][ T6622]  path_mount+0x1a09/0x2c10
[   51.256461][ T6622]  ? kasan_quarantine_put+0xc0/0x210
[   51.256790][ T6622]  ? slab_free_freelist_hook+0x12e/0x1a0
[   51.257137][ T6622]  ? mark_mounts_for_expiry+0x520/0x520
[   51.257478][ T6622]  ? user_path_at_empty+0x149/0x1a0
[   51.257812][ T6622]  ? kmem_cache_free+0x95/0x1d0
[   51.258119][ T6622]  ? user_path_at_empty+0x149/0x1a0
[   51.258446][ T6622]  __se_sys_mount+0x2f9/0x3b0
[   51.258738][ T6622]  ? vtime_user_exit+0x2b2/0x3e0
[   51.259032][ T6622]  ? __x64_sys_mount+0xc0/0xc0
[   51.259315][ T6622]  ? syscall_enter_from_user_mode+0x2e/0x1d0
[   51.259666][ T6622]  ? lockdep_hardirqs_on+0x8d/0x130
[   51.259990][ T6622]  ? __x64_sys_mount+0x1c/0xc0
[   51.260272][ T6622]  do_syscall_64+0x3d/0x90
[   51.260538][ T6622]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[   51.260886][ T6622] RIP: 0033:0x7f1e442e948a
[   51.261154][ T6622] Code: 48 8b 0d 11 fa 2a 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d de f9 2a 00 f7 d8 64 89 01 48
[   51.262264][ T6622] RSP: 002b:00007f1e44cb8d38 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
[   51.262750][ T6622] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f1e442e948a
[   51.263207][ T6622] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007f1e44cb8e70
[   51.263663][ T6622] RBP: 00007f1e44cb8ef0 R08: 00007f1e44cb8d70 R09: 0000000000000030
[   51.264120][ T6622] R10: 0000000000000000 R11: 0000000000000286 R12: 00007fff8eeaa83e
[   51.264576][ T6622] R13: 00007fff8eeaa83f R14: 00007f1e44c99000 R15: 0000000000000003
[   51.265036][ T6622]  </TASK>
[   51.265215][ T6622] Modules linked in:
[   51.277512][ T6622] ---[ end trace 0000000000000000 ]---
[   51.277881][ T6622] RIP: 0010:__reiserfs_panic+0x12f/0x140
[   51.278221][ T6622] Code: 40 fa a7 8a 48 0f 44 c8 48 0f 44 d8 48 c7 c7 40 fb a7 8a 4c 89 fe 48 89 da 4d 89 f0 49 c7 c1 a0 3e 0f 91 31 c0 e8 10 73 0a 08 <0f> 0b 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 48 89 e5 41
[   51.279354][ T6622] RSP: 0018:ffffc90009997380 EFLAGS: 00010246
[   51.279728][ T6622] RAX: 00000000000000a7 RBX: ffffffff8aa789e0 RCX: 46d2c6edc7752800
[   51.280214][ T6622] RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
[   51.280695][ T6622] RBP: ffffc90009997470 R08: ffffffff816b75fc R09: ffffed100c7867e1
[   51.281164][ T6622] R10: ffffed100c7867e1 R11: 0000000000000000 R12: ffffffff8aa78a20
[   51.282917][ T6622] R13: ffffc900099973a0 R14: ffffffff8c6888a2 R15: ffff888014d8e6a8
[   51.283402][ T6622] FS:  00007f1e44cb9700(0000) GS:ffff888063c00000(0000) knlGS:0000000000000000
[   51.283948][ T6622] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   51.284340][ T6622] CR2: 00007efcd65b9520 CR3: 0000000021e44000 CR4: 0000000000750ef0
[   51.284807][ T6622] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   51.285295][ T6622] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   51.285775][ T6622] PKRU: 55555554
[   51.285992][ T6622] Kernel panic - not syncing: Fatal exception
[   51.286478][ T6622] Kernel Offset: disabled
[   51.286740][ T6622] Rebooting in 86400 seconds..

Best,
Wei

On Sun, 30 Oct 2022 at 18:25, Wei Chen <harperchen1110@xxxxxxxxx> wrote:
>
> Dear Linux Developer,
>
> Recently, when using our tool to fuzz the kernel, the following crash was triggered:
>
> HEAD commit: 64570fbc14f8 Linux 5.15-rc5
> git tree: upstream
> compiler: gcc 8.0.1
> console output:
> https://drive.google.com/file/d/1laVB52iSmAz7ATjvqKgcZw9Qf3pVh50t/view?usp=share_link
> kernel config: https://drive.google.com/file/d/1uDOeEYgJDcLiSOrx9W8v2bqZ6uOA_55t/view?usp=share_link
>
> Unfortunately, I don't have any reproducer for this crash yet.
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: Wei Chen <harperchen1110@xxxxxxxxx>
>
> REISERFS (device loop0): Using rupasov hash to sort names
> REISERFS panic (device loop0): vs-13065 update_stat_data: key [1 2 0x0 IND], found item *3.6* [1 2 0x0 IND], item_len 44, item_location 4052, free_space(entry_count) 0
> ------------[ cut here ]------------
> kernel BUG at fs/reiserfs/prints.c:390!
> invalid opcode: 0000 [#1] PREEMPT SMP
> CPU: 0 PID: 12506 Comm: syz-executor.0 Not tainted 5.15.0-rc5 #1
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-48-gd9c812dda519-prebuilt.qemu.org 04/01/2014
> RIP: 0010:__reiserfs_panic.cold.17+0x37/0x8c
> Code: d1 85 74 63 e8 e6 f4 9f fc 4c 89 f1 48 89 da 4c 89 ee 49 c7 c0 a0 30 29 89 48 c7 c7 04 8f c0 85 e8 f1 60 fe ff e8 c5 f4 9f fc <0f> 0b e8 be f4 9f fc 4d 85 ed 49 c7 c4 26 a6 d1 85 74 36 e8 ad f4
> RSP: 0018:ffffc900020b7aa0 EFLAGS: 00010216
> RAX: 0000000000013eb9 RBX: ffff888016c8a000 RCX: 0000000000040000
> RDX: ffffc9000226d000 RSI: ffff888111950000 RDI: 0000000000000002
> RBP: ffffc900020b7b10 R08: ffffffff849d7e9b R09: 0000000000000000
> R10: 0000000000000005 R11: 0000000080000000 R12: ffffffff85d1a626
> R13: ffffffff85c07963 R14: ffffffff85079d30 R15: ffffc900020b7c60
> FS:  00007f3386280700(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000000525b40 CR3: 0000000011cfd000 CR4: 00000000003506f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
>  reiserfs_update_sd_size+0x33b/0x450
>  reiserfs_mkdir+0x2db/0x3c0
>  reiserfs_xattr_init+0x1be/0x330
>  reiserfs_fill_super+0x110e/0x1620
>  mount_bdev+0x23d/0x280
>  legacy_get_tree+0x2e/0x90
>  vfs_get_tree+0x29/0x100
>  path_mount+0x58e/0x10a0
>  do_mount+0x9b/0xb0
>  __x64_sys_mount+0x13a/0x150
>  do_syscall_64+0x34/0xb0
>  entry_SYSCALL_64_after_hwframe+0x44/0xae
> RIP: 0033:0x46abda
> Code: 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007f338627fa48 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
> RAX: ffffffffffffffda RBX: 00007f338627faf0 RCX: 000000000046abda
> RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007f338627fab0
> RBP: 0000000020000000 R08: 00007f338627faf0 R09: 0000000020000000
> R10: 0000000000000000 R11: 0000000000000206 R12: 0000000020000100
> R13: 00007f338627fab0 R14: 0000000000000001 R15: 0000000020011500
> Modules linked in:
> ---[ end trace 15f12b9b91cc8105 ]---
> RIP: 0010:__reiserfs_panic.cold.17+0x37/0x8c
> Code: d1 85 74 63 e8 e6 f4 9f fc 4c 89 f1 48 89 da 4c 89 ee 49 c7 c0 a0 30 29 89 48 c7 c7 04 8f c0 85 e8 f1 60 fe ff e8 c5 f4 9f fc <0f> 0b e8 be f4 9f fc 4d 85 ed 49 c7 c4 26 a6 d1 85 74 36 e8 ad f4
> RSP: 0018:ffffc900020b7aa0 EFLAGS: 00010216
> RAX: 0000000000013eb9 RBX: ffff888016c8a000 RCX: 0000000000040000
> RDX: ffffc9000226d000 RSI: ffff888111950000 RDI: 0000000000000002
> RBP: ffffc900020b7b10 R08: ffffffff849d7e9b R09: 0000000000000000
> R10: 0000000000000005 R11: 0000000080000000 R12: ffffffff85d1a626
> R13: ffffffff85c07963 R14: ffffffff85079d30 R15: ffffc900020b7c60
> FS:  00007f3386280700(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000000525b40 CR3: 0000000011cfd000 CR4: 00000000003506f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
>
> Best,
> Wei

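Added example (editor's code, not part of the thread): a small triage helper that parses oops excerpts like the two above, strips mail quoting and printk prefixes, ignores the unreliable `?` frames, folds gcc's `.cold.N` suffixes, and compares the bug site plus the innermost reliable frames, which is how one confirms that the 6.0.0 trace is the same crash as the 5.15-rc5 one. The two sample strings are trimmed copies of the traces in this thread; `parse_oops`, `normalize` and the `depth` parameter are names chosen here.

```python
import re
# Trimmed copies of the two oops excerpts in this thread, embedded as sample input.
OOPS_5_15 = """\
> kernel BUG at fs/reiserfs/prints.c:390!
> RIP: 0010:__reiserfs_panic.cold.17+0x37/0x8c
> Call Trace:
>  reiserfs_update_sd_size+0x33b/0x450
>  reiserfs_mkdir+0x2db/0x3c0
>  reiserfs_xattr_init+0x1be/0x330
>  do_mount+0x9b/0xb0
"""
OOPS_6_0 = """\
[   51.239162][ T6622] kernel BUG at fs/reiserfs/prints.c:390!
[   51.240998][ T6622] RIP: 0010:__reiserfs_panic+0x12f/0x140
[   51.248239][ T6622] Call Trace:
[   51.248645][ T6622]  ? reiserfs_debug+0x10/0x10
[   51.248941][ T6622]  reiserfs_update_sd_size+0xf98/0x1080
[   51.249285][ T6622]  ? restart_transaction+0x1d0/0x1d0
[   51.250257][ T6622]  reiserfs_mkdir+0x715/0x8b0
[   51.251442][ T6622]  reiserfs_xattr_init+0x34b/0x730
[   51.258446][ T6622]  __se_sys_mount+0x2f9/0x3b0
"""

# Mail quoting ("> ") and the printk "[ time][ Tpid]" prefix are noise for triage.
PREFIX_RE = re.compile(r"^[>\s]*(?:\[\s*\d+\.\d+\]\[\s*T\d+\]\s*)?")
BUG_RE = re.compile(r"kernel BUG at (\S+)!")
RIP_RE = re.compile(r"RIP: \d+:([\w.]+)\+0x")
FRAME_RE = re.compile(r"^(\? )?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")

def normalize(sym):
    # gcc splits functions into sym.cold.N, sym.part.N, ...; fold back to sym
    return re.sub(r"\.(cold|part|constprop|isra)(\.\d+)?$", "", sym)

def parse_oops(text, depth=3):
    """Return (bug_site, (crashing_fn, *innermost reliable frames)).
    '?' frames are stale stack slots, not a real call chain, so they are skipped."""
    site = crash = None
    frames, in_trace = [], False
    for raw in text.splitlines():
        line = PREFIX_RE.sub("", raw).strip()
        if m := BUG_RE.search(line):
            site = m.group(1)
        elif (m := RIP_RE.search(line)) and crash is None:
            crash = normalize(m.group(1))   # the kernel-side RIP is printed first
        elif line == "Call Trace:":
            in_trace = True
        elif in_trace and (m := FRAME_RE.match(line)) and m.group(1) is None:
            frames.append(normalize(m.group(2)))
    return site, (crash, *frames[:depth])
```

With the default depth the two reports produce an identical signature; raising `depth` past the reiserfs frames makes them diverge on the generic mount path (do_mount vs __se_sys_mount), which is why signatures are usually cut at the subsystem frames.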