Hello,
syzbot found the following issue on:
HEAD commit:    ca87e77a2ef8 Linux 6.1.34
git tree:       linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=130524d3280000
kernel config:  https://syzkaller.appspot.com/x/.config?x=c188e92022a334b
dashboard link: https://syzkaller.appspot.com/bug?extid=190978a7032fb7e58db1
compiler:       Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1669e6e3280000

Downloadable assets:
disk image:       https://storage.googleapis.com/syzbot-assets/f48d514c343c/disk-ca87e77a.raw.xz
vmlinux:          https://storage.googleapis.com/syzbot-assets/563336f1f216/vmlinux-ca87e77a.xz
kernel image:     https://storage.googleapis.com/syzbot-assets/2254afa3642b/bzImage-ca87e77a.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/d131424ead46/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+190978...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in leaf_paste_in_buffer+0x631/0xab0
Read of size 72 at addr ffff8880612fffe8 by task syz-executor.2/6152
CPU: 1 PID: 6152 Comm: syz-executor.2 Not tainted 6.1.34-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
print_address_description mm/kasan/report.c:284 [inline]
print_report+0x15f/0x4f0 mm/kasan/report.c:395
kasan_report+0x136/0x160 mm/kasan/report.c:495
kasan_check_range+0x27f/0x290 mm/kasan/generic.c:189
memcpy+0x25/0x60 mm/kasan/shadow.c:65
leaf_paste_in_buffer+0x631/0xab0
leaf_copy_dir_entries+0x71a/0xc60 fs/reiserfs/lbalance.c:108
leaf_copy_boundary_item+0xbbe/0x21b0 fs/reiserfs/lbalance.c:168
leaf_copy_items fs/reiserfs/lbalance.c:551 [inline]
leaf_move_items+0xcd0/0x28a0 fs/reiserfs/lbalance.c:726
leaf_shift_left+0xba/0x430 fs/reiserfs/lbalance.c:750
balance_leaf_when_delete_left fs/reiserfs/do_balan.c:194 [inline]
balance_leaf_when_delete fs/reiserfs/do_balan.c:272 [inline]
balance_leaf+0x228e/0x12510 fs/reiserfs/do_balan.c:1393
do_balance+0x309/0x8f0 fs/reiserfs/do_balan.c:1888
reiserfs_cut_from_item+0x1945/0x2580 fs/reiserfs/stree.c:1838
reiserfs_do_truncate+0xa12/0x15b0 fs/reiserfs/stree.c:1973
reiserfs_truncate_file+0x4d6/0x810 fs/reiserfs/inode.c:2310
reiserfs_setattr+0xc57/0x11c0 fs/reiserfs/inode.c:3395
notify_change+0xdcd/0x1080 fs/attr.c:482
do_truncate+0x21c/0x300 fs/open.c:65
do_sys_ftruncate+0x2e2/0x380 fs/open.c:193
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f3dfe08c389
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f3dfed13168 EFLAGS: 00000246 ORIG_RAX: 000000000000004d
RAX: ffffffffffffffda RBX: 00007f3dfe1ac050 RCX: 00007f3dfe08c389
RDX: 0000000000000000 RSI: 0000000000000e00 RDI: 0000000000000005
RBP: 00007f3dfe0d7493 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffd72109a6f R14: 00007f3dfed13300 R15: 0000000000022000
</TASK>
The buggy address belongs to the physical page:
page:ffffea000184bfc0 refcount:2 mapcount:0 mapping:ffff888012915ff8 index:0x214 pfn:0x612ff
memcg:ffff8880791dc000
aops:def_blk_aops ino:700002
flags: 0xfff30000002052(referenced|lru|workingset|private|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff30000002052 ffffea0001807b48 ffffea0001847cc8 ffff888012915ff8
raw: 0000000000000214 ffff888074f24cb0 00000002ffffffff ffff8880791dc000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Movable, gfp_mask 0x148c48(GFP_NOFS|__GFP_NOFAIL|__GFP_COMP|__GFP_HARDWALL|__GFP_MOVABLE), pid 6152, tgid 6136 (syz-executor.2), ts 1195154452969, free_ts 1195153783852
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x18d/0x1b0 mm/page_alloc.c:2533
prep_new_page mm/page_alloc.c:2540 [inline]
get_page_from_freelist+0x32ed/0x3480 mm/page_alloc.c:4292
__alloc_pages+0x28d/0x770 mm/page_alloc.c:5559
folio_alloc+0x1a/0x50 mm/mempolicy.c:2290
filemap_alloc_folio+0xda/0x4f0 mm/filemap.c:971
__filemap_get_folio+0x711/0xe30 mm/filemap.c:1965
pagecache_get_page+0x28/0x250 mm/folio-compat.c:110
find_or_create_page include/linux/pagemap.h:613 [inline]
grow_dev_page fs/buffer.c:946 [inline]
grow_buffers fs/buffer.c:1011 [inline]
__getblk_slow fs/buffer.c:1038 [inline]
__getblk_gfp+0x211/0xa20 fs/buffer.c:1333
sb_getblk include/linux/buffer_head.h:356 [inline]
get_empty_nodes+0x8c1/0xd70 fs/reiserfs/fix_node.c:890
fix_nodes+0x2615/0x8c70 fs/reiserfs/fix_node.c:2662
reiserfs_insert_item+0xa7a/0xcb0 fs/reiserfs/stree.c:2240
indirect2direct+0x695/0xc00 fs/reiserfs/tail_conversion.c:283
maybe_indirect_to_direct fs/reiserfs/stree.c:1587 [inline]
reiserfs_cut_from_item+0xba3/0x2580 fs/reiserfs/stree.c:1694
reiserfs_do_truncate+0xa12/0x15b0 fs/reiserfs/stree.c:1973
reiserfs_truncate_file+0x4d6/0x810 fs/reiserfs/inode.c:2310
reiserfs_setattr+0xc57/0x11c0 fs/reiserfs/inode.c:3395
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1460 [inline]
free_pcp_prepare mm/page_alloc.c:1510 [inline]
free_unref_page_prepare+0xf63/0x1120 mm/page_alloc.c:3388
free_unref_page_list+0x107/0x810 mm/page_alloc.c:3530
release_pages+0x2836/0x2b40 mm/swap.c:1055
__pagevec_release+0x80/0xf0 mm/swap.c:1075
pagevec_release include/linux/pagevec.h:71 [inline]
folio_batch_release include/linux/pagevec.h:135 [inline]
truncate_inode_pages_range+0x48a/0x1340 mm/truncate.c:373
truncate_inode_pages mm/truncate.c:452 [inline]
truncate_pagecache mm/truncate.c:753 [inline]
truncate_setsize+0xcb/0xf0 mm/truncate.c:778
reiserfs_setattr+0xc4a/0x11c0 fs/reiserfs/inode.c:3394
notify_change+0xdcd/0x1080 fs/attr.c:482
do_truncate+0x21c/0x300 fs/open.c:65
do_sys_ftruncate+0x2e2/0x380 fs/open.c:193
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Memory state around the buggy address:
 ffff8880612fff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8880612fff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888061300000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                   ^
 ffff888061300080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888061300100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to change bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup