KASAN: out-of-bounds Read in leaf_paste_entries (2)
1 view
Skip to first unread message
syzbot
Nov 12, 2021, 2:19:29 PM11/12/21
to syzkaller-upst...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 5833291ab6de Merge tag 'pci-v5.16-fixes-1' of git://git.ke..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13637de1b00000
kernel config: https://syzkaller.appspot.com/x/.config?x=9d7259f0deb293aa
dashboard link: https://syzkaller.appspot.com/bug?extid=ef8359d6478091124f23
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: i386
CC: [linux-...@vger.kernel.org reiserf...@vger.kernel.org]
Unfortunately, I don't have any reproducer for this issue yet.
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ef8359...@syzkaller.appspotmail.com
REISERFS (device loop2): Using r5 hash to sort names
==================================================================
BUG: KASAN: out-of-bounds in memmove include/linux/fortify-string.h:241 [inline]
BUG: KASAN: out-of-bounds in leaf_paste_entries+0x449/0x910 fs/reiserfs/lbalance.c:1377
Read of size 18446744073709551584 at addr ffff888061ee2fa4 by task syz-executor.2/7951
CPU: 0 PID: 7951 Comm: syz-executor.2 Not tainted 5.15.0-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
print_address_description.constprop.0.cold+0x8d/0x320 mm/kasan/report.c:247
__kasan_report mm/kasan/report.c:433 [inline]
kasan_report.cold+0x83/0xdf mm/kasan/report.c:450
check_region_inline mm/kasan/generic.c:183 [inline]
kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189
memmove+0x20/0x60 mm/kasan/shadow.c:54
memmove include/linux/fortify-string.h:241 [inline]
leaf_paste_entries+0x449/0x910 fs/reiserfs/lbalance.c:1377
balance_leaf_finish_node_paste_dirent fs/reiserfs/do_balan.c:1295 [inline]
balance_leaf_finish_node_paste fs/reiserfs/do_balan.c:1321 [inline]
balance_leaf_finish_node fs/reiserfs/do_balan.c:1364 [inline]
balance_leaf+0x951e/0xd8b0 fs/reiserfs/do_balan.c:1452
do_balance+0x315/0x810 fs/reiserfs/do_balan.c:1888
reiserfs_paste_into_item+0x762/0x8e0 fs/reiserfs/stree.c:2159
reiserfs_add_entry+0x8cb/0xcf0 fs/reiserfs/namei.c:567
reiserfs_mkdir+0x675/0x980 fs/reiserfs/namei.c:860
create_privroot fs/reiserfs/xattr.c:889 [inline]
reiserfs_xattr_init+0x4de/0xb60 fs/reiserfs/xattr.c:1012
reiserfs_fill_super+0x21ea/0x2f80 fs/reiserfs/super.c:2175
mount_bdev+0x34d/0x410 fs/super.c:1370
legacy_get_tree+0x105/0x220 fs/fs_context.c:610
vfs_get_tree+0x89/0x2f0 fs/super.c:1500
do_new_mount fs/namespace.c:2988 [inline]
path_mount+0x1320/0x1fa0 fs/namespace.c:3318
do_mount fs/namespace.c:3331 [inline]
__do_sys_mount fs/namespace.c:3539 [inline]
__se_sys_mount fs/namespace.c:3516 [inline]
__ia32_sys_mount+0x27e/0x300 fs/namespace.c:3516
do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]
__do_fast_syscall_32+0x65/0xf0 arch/x86/entry/common.c:178
do_fast_syscall_32+0x2f/0x70 arch/x86/entry/common.c:203
entry_SYSENTER_compat_after_hwframe+0x4d/0x5c
RIP: 0023:0xf6f54549
Code: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00
RSP: 002b:00000000f454e440 EFLAGS: 00000296 ORIG_RAX: 0000000000000015
RAX: ffffffffffffffda RBX: 00000000f454e4b0 RCX: 0000000020000100
RDX: 0000000020000000 RSI: 0000000000000000 RDI: 00000000f454e4f0
RBP: 00000000f454e4f0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
</TASK>
The buggy address belongs to the page:
page:ffffea000187b880 refcount:3 mapcount:0 mapping:ffff8880159ce6c0 index:0x213 pfn:0x61ee2
memcg:ffff8880145bc000
aops:def_blk_aops ino:700002
flags: 0x4fff00000002022(referenced|active|private|node=1|zone=1|lastcpupid=0x7ff)
raw: 04fff00000002022 0000000000000000 dead000000000122 ffff8880159ce6c0
raw: 0000000000000213 ffff88802488b9f8 00000003ffffffff ffff8880145bc000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Movable, gfp_mask 0x148c48(GFP_NOFS|__GFP_NOFAIL|__GFP_COMP|__GFP_HARDWALL|__GFP_MOVABLE), pid 7951, ts 2598921230596, free_ts 2598919631400
prep_new_page mm/page_alloc.c:2418 [inline]
get_page_from_freelist+0xa72/0x2f50 mm/page_alloc.c:4149
__alloc_pages+0x1b2/0x500 mm/page_alloc.c:5369
alloc_pages+0x1a7/0x300 mm/mempolicy.c:2191
folio_alloc+0x1c/0x70 mm/mempolicy.c:2201
filemap_alloc_folio mm/filemap.c:1036 [inline]
__filemap_get_folio+0x5f2/0xd60 mm/filemap.c:1951
pagecache_get_page+0x2c/0x1a0 mm/folio-compat.c:125
find_or_create_page include/linux/pagemap.h:440 [inline]
grow_dev_page fs/buffer.c:949 [inline]
grow_buffers fs/buffer.c:1014 [inline]
__getblk_slow+0x1ed/0xae0 fs/buffer.c:1041
__getblk_gfp+0x6e/0x80 fs/buffer.c:1334
sb_getblk include/linux/buffer_head.h:327 [inline]
search_by_key+0x3a5/0x3cc0 fs/reiserfs/stree.c:672
search_by_entry_key+0x32/0x960 fs/reiserfs/namei.c:125
reiserfs_find_entry.part.0+0x139/0xdf0 fs/reiserfs/namei.c:322
reiserfs_find_entry fs/reiserfs/namei.c:368 [inline]
reiserfs_lookup+0x24a/0x490 fs/reiserfs/namei.c:368
__lookup_slow+0x24c/0x480 fs/namei.c:1657
lookup_one_len+0x16a/0x1a0 fs/namei.c:2686
reiserfs_lookup_privroot+0x92/0x280 fs/reiserfs/xattr.c:980
reiserfs_fill_super+0x21a8/0x2f80 fs/reiserfs/super.c:2174
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1338 [inline]
free_pcp_prepare+0x374/0x870 mm/page_alloc.c:1389
free_unref_page_prepare mm/page_alloc.c:3309 [inline]
free_unref_page_list+0x1a9/0xfa0 mm/page_alloc.c:3425
release_pages+0x3f4/0x1480 mm/swap.c:979
__pagevec_release+0x77/0x100 mm/swap.c:999
pagevec_release include/linux/pagevec.h:81 [inline]
shmem_undo_range+0x749/0x16d0 mm/shmem.c:957
shmem_truncate_range mm/shmem.c:1056 [inline]
shmem_evict_inode+0x3a4/0xbd0 mm/shmem.c:1138
evict+0x2ed/0x6b0 fs/inode.c:592
iput_final fs/inode.c:1672 [inline]
iput.part.0+0x539/0x850 fs/inode.c:1698
iput+0x58/0x70 fs/inode.c:1688
dentry_unlink_inode+0x2b1/0x460 fs/dcache.c:376
__dentry_kill+0x3c0/0x640 fs/dcache.c:582
dentry_kill fs/dcache.c:720 [inline]
dput+0x669/0xbc0 fs/dcache.c:888
__fput+0x3ab/0x9f0 fs/file_table.c:293
task_work_run+0xdd/0x1a0 kernel/task_work.c:164
tracehook_notify_resume include/linux/tracehook.h:189 [inline]
exit_to_user_mode_loop kernel/entry/common.c:175 [inline]
exit_to_user_mode_prepare+0x27e/0x290 kernel/entry/common.c:207
__syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline]
syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:300
Memory state around the buggy address:
ffff888061ee2e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888061ee2f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888061ee2f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
^
ffff888061ee3000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff888061ee3080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
----------------
Code disassembly (best guess):
0: 03 74 c0 01 add 0x1(%rax,%rax,8),%esi
4: 10 05 03 74 b8 01 adc %al,0x1b87403(%rip) # 0x1b8740d
a: 10 06 adc %al,(%rsi)
c: 03 74 b4 01 add 0x1(%rsp,%rsi,4),%esi
10: 10 07 adc %al,(%rdi)
12: 03 74 b0 01 add 0x1(%rax,%rsi,4),%esi
16: 10 08 adc %cl,(%rax)
18: 03 74 d8 01 add 0x1(%rax,%rbx,8),%esi
1c: 00 00 add %al,(%rax)
1e: 00 00 add %al,(%rax)
20: 00 51 52 add %dl,0x52(%rcx)
23: 55 push %rbp
24: 89 e5 mov %esp,%ebp
26: 0f 34 sysenter
28: cd 80 int $0x80
* 2a: 5d pop %rbp <-- trapping instruction
2b: 5a pop %rdx
2c: 59 pop %rcx
2d: c3 retq
2e: 90 nop
2f: 90 nop
30: 90 nop
31: 90 nop
32: 8d b4 26 00 00 00 00 lea 0x0(%rsi,%riz,1),%esi
39: 8d b4 26 00 00 00 00 lea 0x0(%rsi,%riz,1),%esi
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot found the following issue on:
HEAD commit: 5833291ab6de Merge tag 'pci-v5.16-fixes-1' of git://git.ke..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13637de1b00000
kernel config: https://syzkaller.appspot.com/x/.config?x=9d7259f0deb293aa
dashboard link: https://syzkaller.appspot.com/bug?extid=ef8359d6478091124f23
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: i386
CC: [linux-...@vger.kernel.org reiserf...@vger.kernel.org]
Unfortunately, I don't have any reproducer for this issue yet.
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ef8359...@syzkaller.appspotmail.com
REISERFS (device loop2): Using r5 hash to sort names
==================================================================
BUG: KASAN: out-of-bounds in memmove include/linux/fortify-string.h:241 [inline]
BUG: KASAN: out-of-bounds in leaf_paste_entries+0x449/0x910 fs/reiserfs/lbalance.c:1377
Read of size 18446744073709551584 at addr ffff888061ee2fa4 by task syz-executor.2/7951
CPU: 0 PID: 7951 Comm: syz-executor.2 Not tainted 5.15.0-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
print_address_description.constprop.0.cold+0x8d/0x320 mm/kasan/report.c:247
__kasan_report mm/kasan/report.c:433 [inline]
kasan_report.cold+0x83/0xdf mm/kasan/report.c:450
check_region_inline mm/kasan/generic.c:183 [inline]
kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189
memmove+0x20/0x60 mm/kasan/shadow.c:54
memmove include/linux/fortify-string.h:241 [inline]
leaf_paste_entries+0x449/0x910 fs/reiserfs/lbalance.c:1377
balance_leaf_finish_node_paste_dirent fs/reiserfs/do_balan.c:1295 [inline]
balance_leaf_finish_node_paste fs/reiserfs/do_balan.c:1321 [inline]
balance_leaf_finish_node fs/reiserfs/do_balan.c:1364 [inline]
balance_leaf+0x951e/0xd8b0 fs/reiserfs/do_balan.c:1452
do_balance+0x315/0x810 fs/reiserfs/do_balan.c:1888
reiserfs_paste_into_item+0x762/0x8e0 fs/reiserfs/stree.c:2159
reiserfs_add_entry+0x8cb/0xcf0 fs/reiserfs/namei.c:567
reiserfs_mkdir+0x675/0x980 fs/reiserfs/namei.c:860
create_privroot fs/reiserfs/xattr.c:889 [inline]
reiserfs_xattr_init+0x4de/0xb60 fs/reiserfs/xattr.c:1012
reiserfs_fill_super+0x21ea/0x2f80 fs/reiserfs/super.c:2175
mount_bdev+0x34d/0x410 fs/super.c:1370
legacy_get_tree+0x105/0x220 fs/fs_context.c:610
vfs_get_tree+0x89/0x2f0 fs/super.c:1500
do_new_mount fs/namespace.c:2988 [inline]
path_mount+0x1320/0x1fa0 fs/namespace.c:3318
do_mount fs/namespace.c:3331 [inline]
__do_sys_mount fs/namespace.c:3539 [inline]
__se_sys_mount fs/namespace.c:3516 [inline]
__ia32_sys_mount+0x27e/0x300 fs/namespace.c:3516
do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]
__do_fast_syscall_32+0x65/0xf0 arch/x86/entry/common.c:178
do_fast_syscall_32+0x2f/0x70 arch/x86/entry/common.c:203
entry_SYSENTER_compat_after_hwframe+0x4d/0x5c
RIP: 0023:0xf6f54549
Code: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00
RSP: 002b:00000000f454e440 EFLAGS: 00000296 ORIG_RAX: 0000000000000015
RAX: ffffffffffffffda RBX: 00000000f454e4b0 RCX: 0000000020000100
RDX: 0000000020000000 RSI: 0000000000000000 RDI: 00000000f454e4f0
RBP: 00000000f454e4f0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
</TASK>
The buggy address belongs to the page:
page:ffffea000187b880 refcount:3 mapcount:0 mapping:ffff8880159ce6c0 index:0x213 pfn:0x61ee2
memcg:ffff8880145bc000
aops:def_blk_aops ino:700002
flags: 0x4fff00000002022(referenced|active|private|node=1|zone=1|lastcpupid=0x7ff)
raw: 04fff00000002022 0000000000000000 dead000000000122 ffff8880159ce6c0
raw: 0000000000000213 ffff88802488b9f8 00000003ffffffff ffff8880145bc000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Movable, gfp_mask 0x148c48(GFP_NOFS|__GFP_NOFAIL|__GFP_COMP|__GFP_HARDWALL|__GFP_MOVABLE), pid 7951, ts 2598921230596, free_ts 2598919631400
prep_new_page mm/page_alloc.c:2418 [inline]
get_page_from_freelist+0xa72/0x2f50 mm/page_alloc.c:4149
__alloc_pages+0x1b2/0x500 mm/page_alloc.c:5369
alloc_pages+0x1a7/0x300 mm/mempolicy.c:2191
folio_alloc+0x1c/0x70 mm/mempolicy.c:2201
filemap_alloc_folio mm/filemap.c:1036 [inline]
__filemap_get_folio+0x5f2/0xd60 mm/filemap.c:1951
pagecache_get_page+0x2c/0x1a0 mm/folio-compat.c:125
find_or_create_page include/linux/pagemap.h:440 [inline]
grow_dev_page fs/buffer.c:949 [inline]
grow_buffers fs/buffer.c:1014 [inline]
__getblk_slow+0x1ed/0xae0 fs/buffer.c:1041
__getblk_gfp+0x6e/0x80 fs/buffer.c:1334
sb_getblk include/linux/buffer_head.h:327 [inline]
search_by_key+0x3a5/0x3cc0 fs/reiserfs/stree.c:672
search_by_entry_key+0x32/0x960 fs/reiserfs/namei.c:125
reiserfs_find_entry.part.0+0x139/0xdf0 fs/reiserfs/namei.c:322
reiserfs_find_entry fs/reiserfs/namei.c:368 [inline]
reiserfs_lookup+0x24a/0x490 fs/reiserfs/namei.c:368
__lookup_slow+0x24c/0x480 fs/namei.c:1657
lookup_one_len+0x16a/0x1a0 fs/namei.c:2686
reiserfs_lookup_privroot+0x92/0x280 fs/reiserfs/xattr.c:980
reiserfs_fill_super+0x21a8/0x2f80 fs/reiserfs/super.c:2174
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1338 [inline]
free_pcp_prepare+0x374/0x870 mm/page_alloc.c:1389
free_unref_page_prepare mm/page_alloc.c:3309 [inline]
free_unref_page_list+0x1a9/0xfa0 mm/page_alloc.c:3425
release_pages+0x3f4/0x1480 mm/swap.c:979
__pagevec_release+0x77/0x100 mm/swap.c:999
pagevec_release include/linux/pagevec.h:81 [inline]
shmem_undo_range+0x749/0x16d0 mm/shmem.c:957
shmem_truncate_range mm/shmem.c:1056 [inline]
shmem_evict_inode+0x3a4/0xbd0 mm/shmem.c:1138
evict+0x2ed/0x6b0 fs/inode.c:592
iput_final fs/inode.c:1672 [inline]
iput.part.0+0x539/0x850 fs/inode.c:1698
iput+0x58/0x70 fs/inode.c:1688
dentry_unlink_inode+0x2b1/0x460 fs/dcache.c:376
__dentry_kill+0x3c0/0x640 fs/dcache.c:582
dentry_kill fs/dcache.c:720 [inline]
dput+0x669/0xbc0 fs/dcache.c:888
__fput+0x3ab/0x9f0 fs/file_table.c:293
task_work_run+0xdd/0x1a0 kernel/task_work.c:164
tracehook_notify_resume include/linux/tracehook.h:189 [inline]
exit_to_user_mode_loop kernel/entry/common.c:175 [inline]
exit_to_user_mode_prepare+0x27e/0x290 kernel/entry/common.c:207
__syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline]
syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:300
Memory state around the buggy address:
ffff888061ee2e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888061ee2f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888061ee2f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
^
ffff888061ee3000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff888061ee3080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
----------------
Code disassembly (best guess):
0: 03 74 c0 01 add 0x1(%rax,%rax,8),%esi
4: 10 05 03 74 b8 01 adc %al,0x1b87403(%rip) # 0x1b8740d
a: 10 06 adc %al,(%rsi)
c: 03 74 b4 01 add 0x1(%rsp,%rsi,4),%esi
10: 10 07 adc %al,(%rdi)
12: 03 74 b0 01 add 0x1(%rax,%rsi,4),%esi
16: 10 08 adc %cl,(%rax)
18: 03 74 d8 01 add 0x1(%rax,%rbx,8),%esi
1c: 00 00 add %al,(%rax)
1e: 00 00 add %al,(%rax)
20: 00 51 52 add %dl,0x52(%rcx)
23: 55 push %rbp
24: 89 e5 mov %esp,%ebp
26: 0f 34 sysenter
28: cd 80 int $0x80
* 2a: 5d pop %rbp <-- trapping instruction
2b: 5a pop %rdx
2c: 59 pop %rcx
2d: c3 retq
2e: 90 nop
2f: 90 nop
30: 90 nop
31: 90 nop
32: 8d b4 26 00 00 00 00 lea 0x0(%rsi,%riz,1),%esi
39: 8d b4 26 00 00 00 00 lea 0x0(%rsi,%riz,1),%esi
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot
Dec 13, 2021, 2:20:25 PM12/13/21
to syzkaller-upst...@googlegroups.com
Sending this report upstream.
Reply all
Reply to author
Forward
0 new messages