[v6.1] KASAN: use-after-free Read in leaf_paste_in_buffer

syzbot

Jun 16, 2023, 2:50:06 PM6/16/23
to syzkaller...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: ca87e77a2ef8 Linux 6.1.34
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=130524d3280000
kernel config: https://syzkaller.appspot.com/x/.config?x=c188e92022a334b
dashboard link: https://syzkaller.appspot.com/bug?extid=190978a7032fb7e58db1
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1669e6e3280000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/f48d514c343c/disk-ca87e77a.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/563336f1f216/vmlinux-ca87e77a.xz
kernel image: https://storage.googleapis.com/syzbot-assets/2254afa3642b/bzImage-ca87e77a.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/d131424ead46/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+190978...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: use-after-free in leaf_paste_in_buffer+0x631/0xab0
Read of size 72 at addr ffff8880612fffe8 by task syz-executor.2/6152

CPU: 1 PID: 6152 Comm: syz-executor.2 Not tainted 6.1.34-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
print_address_description mm/kasan/report.c:284 [inline]
print_report+0x15f/0x4f0 mm/kasan/report.c:395
kasan_report+0x136/0x160 mm/kasan/report.c:495
kasan_check_range+0x27f/0x290 mm/kasan/generic.c:189
memcpy+0x25/0x60 mm/kasan/shadow.c:65
leaf_paste_in_buffer+0x631/0xab0
leaf_copy_dir_entries+0x71a/0xc60 fs/reiserfs/lbalance.c:108
leaf_copy_boundary_item+0xbbe/0x21b0 fs/reiserfs/lbalance.c:168
leaf_copy_items fs/reiserfs/lbalance.c:551 [inline]
leaf_move_items+0xcd0/0x28a0 fs/reiserfs/lbalance.c:726
leaf_shift_left+0xba/0x430 fs/reiserfs/lbalance.c:750
balance_leaf_when_delete_left fs/reiserfs/do_balan.c:194 [inline]
balance_leaf_when_delete fs/reiserfs/do_balan.c:272 [inline]
balance_leaf+0x228e/0x12510 fs/reiserfs/do_balan.c:1393
do_balance+0x309/0x8f0 fs/reiserfs/do_balan.c:1888
reiserfs_cut_from_item+0x1945/0x2580 fs/reiserfs/stree.c:1838
reiserfs_do_truncate+0xa12/0x15b0 fs/reiserfs/stree.c:1973
reiserfs_truncate_file+0x4d6/0x810 fs/reiserfs/inode.c:2310
reiserfs_setattr+0xc57/0x11c0 fs/reiserfs/inode.c:3395
notify_change+0xdcd/0x1080 fs/attr.c:482
do_truncate+0x21c/0x300 fs/open.c:65
do_sys_ftruncate+0x2e2/0x380 fs/open.c:193
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f3dfe08c389
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f3dfed13168 EFLAGS: 00000246 ORIG_RAX: 000000000000004d
RAX: ffffffffffffffda RBX: 00007f3dfe1ac050 RCX: 00007f3dfe08c389
RDX: 0000000000000000 RSI: 0000000000000e00 RDI: 0000000000000005
RBP: 00007f3dfe0d7493 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffd72109a6f R14: 00007f3dfed13300 R15: 0000000000022000
</TASK>

The buggy address belongs to the physical page:
page:ffffea000184bfc0 refcount:2 mapcount:0 mapping:ffff888012915ff8 index:0x214 pfn:0x612ff
memcg:ffff8880791dc000
aops:def_blk_aops ino:700002
flags: 0xfff30000002052(referenced|lru|workingset|private|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff30000002052 ffffea0001807b48 ffffea0001847cc8 ffff888012915ff8
raw: 0000000000000214 ffff888074f24cb0 00000002ffffffff ffff8880791dc000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Movable, gfp_mask 0x148c48(GFP_NOFS|__GFP_NOFAIL|__GFP_COMP|__GFP_HARDWALL|__GFP_MOVABLE), pid 6152, tgid 6136 (syz-executor.2), ts 1195154452969, free_ts 1195153783852
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x18d/0x1b0 mm/page_alloc.c:2533
prep_new_page mm/page_alloc.c:2540 [inline]
get_page_from_freelist+0x32ed/0x3480 mm/page_alloc.c:4292
__alloc_pages+0x28d/0x770 mm/page_alloc.c:5559
folio_alloc+0x1a/0x50 mm/mempolicy.c:2290
filemap_alloc_folio+0xda/0x4f0 mm/filemap.c:971
__filemap_get_folio+0x711/0xe30 mm/filemap.c:1965
pagecache_get_page+0x28/0x250 mm/folio-compat.c:110
find_or_create_page include/linux/pagemap.h:613 [inline]
grow_dev_page fs/buffer.c:946 [inline]
grow_buffers fs/buffer.c:1011 [inline]
__getblk_slow fs/buffer.c:1038 [inline]
__getblk_gfp+0x211/0xa20 fs/buffer.c:1333
sb_getblk include/linux/buffer_head.h:356 [inline]
get_empty_nodes+0x8c1/0xd70 fs/reiserfs/fix_node.c:890
fix_nodes+0x2615/0x8c70 fs/reiserfs/fix_node.c:2662
reiserfs_insert_item+0xa7a/0xcb0 fs/reiserfs/stree.c:2240
indirect2direct+0x695/0xc00 fs/reiserfs/tail_conversion.c:283
maybe_indirect_to_direct fs/reiserfs/stree.c:1587 [inline]
reiserfs_cut_from_item+0xba3/0x2580 fs/reiserfs/stree.c:1694
reiserfs_do_truncate+0xa12/0x15b0 fs/reiserfs/stree.c:1973
reiserfs_truncate_file+0x4d6/0x810 fs/reiserfs/inode.c:2310
reiserfs_setattr+0xc57/0x11c0 fs/reiserfs/inode.c:3395
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1460 [inline]
free_pcp_prepare mm/page_alloc.c:1510 [inline]
free_unref_page_prepare+0xf63/0x1120 mm/page_alloc.c:3388
free_unref_page_list+0x107/0x810 mm/page_alloc.c:3530
release_pages+0x2836/0x2b40 mm/swap.c:1055
__pagevec_release+0x80/0xf0 mm/swap.c:1075
pagevec_release include/linux/pagevec.h:71 [inline]
folio_batch_release include/linux/pagevec.h:135 [inline]
truncate_inode_pages_range+0x48a/0x1340 mm/truncate.c:373
truncate_inode_pages mm/truncate.c:452 [inline]
truncate_pagecache mm/truncate.c:753 [inline]
truncate_setsize+0xcb/0xf0 mm/truncate.c:778
reiserfs_setattr+0xc4a/0x11c0 fs/reiserfs/inode.c:3394
notify_change+0xdcd/0x1080 fs/attr.c:482
do_truncate+0x21c/0x300 fs/open.c:65
do_sys_ftruncate+0x2e2/0x380 fs/open.c:193
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Memory state around the buggy address:
ffff8880612fff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8880612fff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888061300000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff888061300080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff888061300100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to change bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

syzbot

Jun 19, 2023, 6:00:56 PM6/19/23
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following issue on:

HEAD commit: ca87e77a2ef8 Linux 6.1.34
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=175de16b280000
kernel config: https://syzkaller.appspot.com/x/.config?x=143044f84cdceac2
dashboard link: https://syzkaller.appspot.com/bug?extid=190978a7032fb7e58db1
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=141c0d87280000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15efbe6b280000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/1141c37ce351/disk-ca87e77a.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/de1fca0d0bb4/vmlinux-ca87e77a.xz
kernel image: https://storage.googleapis.com/syzbot-assets/c3417b70e0bf/Image-ca87e77a.gz.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/bf9c2a9fd73d/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+190978...@syzkaller.appspotmail.com

REISERFS warning (device loop0): jdm-13090 reiserfs_new_inode: ACLs aren't enabled in the fs, but vfs thinks they are!
REISERFS (device loop0): Created .reiserfs_priv - reserved for xattr storage.
==================================================================
BUG: KASAN: use-after-free in leaf_paste_in_buffer+0x578/0x9f0
Read of size 48 at addr ffff0000e1551ff0 by task syz-executor111/4232

CPU: 0 PID: 4232 Comm: syz-executor111 Not tainted 6.1.34-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023
Call trace:
dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:158
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:284 [inline]
print_report+0x174/0x4c0 mm/kasan/report.c:395
kasan_report+0xd4/0x130 mm/kasan/report.c:495
kasan_check_range+0x264/0x2a4 mm/kasan/generic.c:189
memcpy+0x48/0x90 mm/kasan/shadow.c:65
leaf_paste_in_buffer+0x578/0x9f0
leaf_copy_dir_entries+0x2b4/0xa04 fs/reiserfs/lbalance.c:108
leaf_copy_boundary_item+0x8c4/0x1a34 fs/reiserfs/lbalance.c:168
leaf_copy_items fs/reiserfs/lbalance.c:551 [inline]
leaf_move_items+0xa0c/0x1f7c fs/reiserfs/lbalance.c:726
leaf_shift_left+0xc8/0x39c fs/reiserfs/lbalance.c:750
balance_leaf_left fs/reiserfs/do_balan.c:616 [inline]
balance_leaf+0x103c/0xe860 fs/reiserfs/do_balan.c:1409
do_balance+0x27c/0x788 fs/reiserfs/do_balan.c:1888
reiserfs_insert_item+0x940/0xa84 fs/reiserfs/stree.c:2261
reiserfs_get_block+0x18c0/0x45d8 fs/reiserfs/inode.c:868
__block_write_begin_int+0x340/0x13b4 fs/buffer.c:1991
__block_write_begin+0x7c/0xa0 fs/buffer.c:2041
reiserfs_write_begin+0x328/0x71c fs/reiserfs/inode.c:2775
generic_perform_write+0x278/0x55c mm/filemap.c:3754
__generic_file_write_iter+0x168/0x388 mm/filemap.c:3882
generic_file_write_iter+0xb8/0x2b4 mm/filemap.c:3914
call_write_iter include/linux/fs.h:2205 [inline]
new_sync_write fs/read_write.c:491 [inline]
vfs_write+0x610/0x914 fs/read_write.c:584
ksys_write+0x15c/0x26c fs/read_write.c:637
__do_sys_write fs/read_write.c:649 [inline]
__se_sys_write fs/read_write.c:646 [inline]
__arm64_sys_write+0x7c/0x90 fs/read_write.c:646
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x64/0x218 arch/arm64/kernel/syscall.c:206
el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:581

The buggy address belongs to the physical page:
page:000000009fafd8bf refcount:3 mapcount:0 mapping:00000000969c263a index:0x214 pfn:0x121551
memcg:ffff0000c0930000
aops:def_blk_aops ino:700000
flags: 0x5ffc60000002042(referenced|workingset|private|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc60000002042 0000000000000000 dead000000000122 ffff0000c0485510
raw: 0000000000000214 ffff0000defe2cb0 00000003ffffffff ffff0000c0930000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff0000e1551f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff0000e1551f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff0000e1552000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff0000e1552080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff0000e1552100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================


---

syzbot

Aug 28, 2023, 12:08:30 PM8/28/23
to syzkaller...@googlegroups.com
syzbot suspects this issue could be fixed by backporting the following commit:

commit d772781964415c63759572b917e21c4f7ec08d9f
git tree: upstream
Author: Jakub Kicinski <ku...@kernel.org>
Date: Fri Jan 6 06:33:54 2023 +0000

devlink: bump the instance index directly when iterating

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=15160133a80000
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1669e6e3280000


Please keep in mind that other backports might be required as well.

For information about bisection process see: https://goo.gl/tpsmEJ#bisection