KASAN: slab-out-of-bounds Read in get_block


syzbot

Jul 12, 2020, 1:44:16 PM
to syzkaller...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: b850307b Linux 4.14.184
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=15ed7d13100000
kernel config: https://syzkaller.appspot.com/x/.config?x=ddc0f08dd6b981c5
dashboard link: https://syzkaller.appspot.com/bug?extid=dc04ddf2778b6d7e38a3
compiler: gcc (GCC) 9.0.0 20181231 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+dc04dd...@syzkaller.appspotmail.com

MINIX-fs: mounting unchecked file system, running fsck is recommended
rtc_cmos 00:00: Alarms can be up to one day in the future
rtc_cmos 00:00: Alarms can be up to one day in the future
Process accounting resumed
==================================================================
BUG: KASAN: slab-out-of-bounds in add_chain fs/minix/itree_common.c:14 [inline]
BUG: KASAN: slab-out-of-bounds in get_branch fs/minix/itree_common.c:52 [inline]
BUG: KASAN: slab-out-of-bounds in get_block+0xe06/0x1100 fs/minix/itree_common.c:160
Read of size 2 at addr ffff8880957ab18a by task syz-executor.2/2261

CPU: 0 PID: 2261 Comm: syz-executor.2 Not tainted 4.14.184-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x1b2/0x283 lib/dump_stack.c:58
print_address_description.cold+0x54/0x1dc mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xa9/0x2b9 mm/kasan/report.c:393
add_chain fs/minix/itree_common.c:14 [inline]
get_branch fs/minix/itree_common.c:52 [inline]
get_block+0xe06/0x1100 fs/minix/itree_common.c:160
minix_get_block+0xd6/0x100 fs/minix/inode.c:379
__block_write_begin_int+0x33a/0x1000 fs/buffer.c:2038
__block_write_begin fs/buffer.c:2088 [inline]
block_write_begin+0x58/0x260 fs/buffer.c:2147
minix_write_begin+0x35/0xc0 fs/minix/inode.c:415
generic_perform_write+0x1c9/0x420 mm/filemap.c:3047
__generic_file_write_iter+0x227/0x590 mm/filemap.c:3172
generic_file_write_iter+0x36f/0x650 mm/filemap.c:3200
call_write_iter include/linux/fs.h:1778 [inline]
new_sync_write fs/read_write.c:469 [inline]
__vfs_write+0x44e/0x630 fs/read_write.c:482
__kernel_write+0xf5/0x330 fs/read_write.c:501
do_acct_process+0xb49/0xf60 kernel/acct.c:520
acct_pin_kill+0x28/0xe0 kernel/acct.c:174
pin_kill+0x147/0x650 fs/fs_pin.c:50
mnt_pin_kill+0x62/0x170 fs/fs_pin.c:87
cleanup_mnt+0x110/0x140 fs/namespace.c:1180
task_work_run+0x113/0x190 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:191 [inline]
exit_to_usermode_loop+0x1ad/0x200 arch/x86/entry/common.c:164
prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
do_syscall_64+0x4a3/0x640 arch/x86/entry/common.c:297
entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x45cba9
RSP: 002b:00007f4fabb83c78 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 000000000050ca80 RCX: 000000000045cba9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000500
RBP: 000000000078bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 0000000000000cb6 R14: 00000000004cf091 R15: 00007f4fabb846d4

Allocated by task 1564:
save_stack mm/kasan/kasan.c:447 [inline]
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc.part.0+0x4f/0xd0 mm/kasan/kasan.c:551
kmem_cache_alloc+0x124/0x3c0 mm/slab.c:3552
__sigqueue_alloc+0x1b8/0x3e0 kernel/signal.c:400
__send_signal+0x193/0x1280 kernel/signal.c:1097
specific_send_sig_info kernel/signal.c:1208 [inline]
force_sig_info+0x240/0x340 kernel/signal.c:1260
force_sig_info_fault.constprop.0+0x185/0x260 arch/x86/mm/fault.c:225
__bad_area_nosemaphore+0x1d6/0x2c0 arch/x86/mm/fault.c:940
__do_page_fault+0x842/0xb50 arch/x86/mm/fault.c:1412
page_fault+0x45/0x50 arch/x86/entry/entry_64.S:1123

Freed by task 1564:
save_stack mm/kasan/kasan.c:447 [inline]
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0xaf/0x190 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3496 [inline]
kmem_cache_free+0x7c/0x2b0 mm/slab.c:3758
__sigqueue_free kernel/signal.c:419 [inline]
dequeue_synchronous_signal kernel/signal.c:727 [inline]
get_signal+0xba1/0x1c90 kernel/signal.c:2313
do_signal+0x7c/0x15d0 arch/x86/kernel/signal.c:814
exit_to_usermode_loop+0x160/0x200 arch/x86/entry/common.c:160
prepare_exit_to_usermode+0x1af/0x210 arch/x86/entry/common.c:199
retint_user+0x8/0x18

The buggy address belongs to the object at ffff8880957ab0e0
which belongs to the cache sigqueue of size 160
The buggy address is located 10 bytes to the right of
160-byte region [ffff8880957ab0e0, ffff8880957ab180)
The buggy address belongs to the page:
page:ffffea000255eac0 count:1 mapcount:0 mapping:ffff8880957ab000 index:0x0
flags: 0xfffe0000000100(slab)
raw: 00fffe0000000100 ffff8880957ab000 0000000000000000 0000000100000012
raw: ffffea0001520020 ffffea000286a020 ffff8880aa9da6c0 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff8880957ab080: fb fb fb fb fc fc fc fc fc fc fc fc fb fb fb fb
ffff8880957ab100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880957ab180: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
^
ffff8880957ab200: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
ffff8880957ab280: fc fc fc fc fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

Jul 12, 2020, 2:00:17 PM
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following crash on:

HEAD commit: b850307b Linux 4.14.184
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=179541c0900000
kernel config: https://syzkaller.appspot.com/x/.config?x=ddc0f08dd6b981c5
dashboard link: https://syzkaller.appspot.com/bug?extid=dc04ddf2778b6d7e38a3
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16d5e95d100000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=134c69c0900000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+dc04dd...@syzkaller.appspotmail.com

audit: type=1800 audit(1594576603.343:9): pid=6356 uid=0 auid=0 ses=5 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="syz-executor063" name="file0" dev="sda1" ino=15707 res=0
MINIX-fs: mounting unchecked file system, running fsck is recommended
Process accounting resumed
==================================================================
BUG: KASAN: slab-out-of-bounds in add_chain fs/minix/itree_common.c:14 [inline]
BUG: KASAN: slab-out-of-bounds in get_branch fs/minix/itree_common.c:52 [inline]
BUG: KASAN: slab-out-of-bounds in get_block+0xe06/0x1100 fs/minix/itree_common.c:160
Read of size 2 at addr ffff88808f8a018a by task syz-executor063/6356

CPU: 1 PID: 6356 Comm: syz-executor063 Not tainted 4.14.184-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x1b2/0x283 lib/dump_stack.c:58
print_address_description.cold+0x54/0x1dc mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xa9/0x2b9 mm/kasan/report.c:393
add_chain fs/minix/itree_common.c:14 [inline]
get_branch fs/minix/itree_common.c:52 [inline]
get_block+0xe06/0x1100 fs/minix/itree_common.c:160
minix_get_block+0xd6/0x100 fs/minix/inode.c:379
__block_write_begin_int+0x33a/0x1000 fs/buffer.c:2038
__block_write_begin fs/buffer.c:2088 [inline]
block_write_begin+0x58/0x260 fs/buffer.c:2147
minix_write_begin+0x35/0xc0 fs/minix/inode.c:415
generic_perform_write+0x1c9/0x420 mm/filemap.c:3047
__generic_file_write_iter+0x227/0x590 mm/filemap.c:3172
generic_file_write_iter+0x36f/0x650 mm/filemap.c:3200
call_write_iter include/linux/fs.h:1778 [inline]
new_sync_write fs/read_write.c:469 [inline]
__vfs_write+0x44e/0x630 fs/read_write.c:482
__kernel_write+0xf5/0x330 fs/read_write.c:501
do_acct_process+0xb49/0xf60 kernel/acct.c:520
slow_acct_process kernel/acct.c:579 [inline]
acct_process+0x38a/0x422 kernel/acct.c:605
do_exit+0x1728/0x2ae0 kernel/exit.c:848
do_group_exit+0x100/0x2e0 kernel/exit.c:955
SYSC_exit_group kernel/exit.c:966 [inline]
SyS_exit_group+0x19/0x20 kernel/exit.c:964
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x443e28
RSP: 002b:00007ffcab085fd8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000443e28
RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
RBP: 00000000004c4af0 R08: 00000000000000e7 R09: ffffffffffffffd4
R10: 00007ffcab085ef0 R11: 0000000000000246 R12: 0000000000000001
R13: 00000000006d7180 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 6284:
save_stack mm/kasan/kasan.c:447 [inline]
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc.part.0+0x4f/0xd0 mm/kasan/kasan.c:551
kmem_cache_alloc+0x124/0x3c0 mm/slab.c:3552
getname_flags+0xc8/0x550 fs/namei.c:138
do_sys_open+0x202/0x3e0 fs/open.c:1075
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x46/0xbb

Freed by task 6284:
save_stack mm/kasan/kasan.c:447 [inline]
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0xaf/0x190 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3496 [inline]
kmem_cache_free+0x7c/0x2b0 mm/slab.c:3758
putname+0xcd/0x110 fs/namei.c:259
do_sys_open+0x233/0x3e0 fs/open.c:1090
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x46/0xbb

The buggy address belongs to the object at ffff88808f8a0580
which belongs to the cache names_cache of size 4096
The buggy address is located 1014 bytes to the left of
4096-byte region [ffff88808f8a0580, ffff88808f8a1580)
The buggy address belongs to the page:
page:ffffea00023e2800 count:1 mapcount:0 mapping:ffff88808f8a0580 index:0x0 compound_mapcount: 0
flags: 0xfffe0000008100(slab|head)
raw: 00fffe0000008100 ffff88808f8a0580 0000000000000000 0000000100000001
raw: ffffea00023e47a0 ffffea00023e2920 ffff8880aa9dacc0 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff88808f8a0080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88808f8a0100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88808f8a0180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff88808f8a0200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88808f8a0280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================

syzbot

Sep 11, 2020, 1:37:06 AM
to syzkaller...@googlegroups.com
syzbot suspects this issue was fixed by commit:

commit 0900097ef667097b0a4afb0155a4f5add77ece19
Author: Eric Biggers <ebig...@google.com>
Date: Wed Aug 12 01:35:30 2020 +0000

fs/minix: reject too-large maximum file size

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=134732f1900000
start commit: b850307b Linux 4.14.184
git tree: linux-4.14.y
If the result looks correct, please mark the issue as fixed by replying with:

#syz fix: fs/minix: reject too-large maximum file size

For information about bisection process see: https://goo.gl/tpsmEJ#bisection