[v5.15] KASAN: slab-out-of-bounds Read in reiserfs_xattr_get (2)
0 views
Skip to first unread message
syzbot
May 13, 2026, 5:19:39 AM (20 hours ago) May 13
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: de8dfb3f0278 Linux 5.15.206
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=14d13f48580000
kernel config: https://syzkaller.appspot.com/x/.config?x=353ae28c40b35af5
dashboard link: https://syzkaller.appspot.com/bug?extid=ae864827e14574cf7718
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/a3b00346a7a2/disk-de8dfb3f.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/cd8ff348788e/vmlinux-de8dfb3f.xz
kernel image: https://storage.googleapis.com/syzbot-assets/6d03a73b9540/bzImage-de8dfb3f.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ae8648...@syzkaller.appspotmail.com
loop2: detected capacity change from 0 to 64
==================================================================
BUG: KASAN: slab-out-of-bounds in reiserfs_xattr_get+0xde/0x960 fs/reiserfs/xattr.c:681
Read of size 8 at addr ffff888143fd5d98 by task syz.2.22473/24689
CPU: 0 PID: 24689 Comm: syz.2.22473 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
Call Trace:
<TASK>
dump_stack_lvl+0x188/0x250 lib/dump_stack.c:106
print_address_description+0x60/0x2d0 mm/kasan/report.c:248
__kasan_report mm/kasan/report.c:434 [inline]
kasan_report+0xdf/0x130 mm/kasan/report.c:451
reiserfs_xattr_get+0xde/0x960 fs/reiserfs/xattr.c:681
reiserfs_get_acl+0x7a/0x680 fs/reiserfs/xattr_acl.c:214
get_acl+0x154/0x250 fs/posix_acl.c:153
check_acl+0x3a/0x150 fs/namei.c:307
acl_permission_check fs/namei.c:352 [inline]
generic_permission+0x3bf/0x510 fs/namei.c:405
do_inode_permission fs/namei.c:459 [inline]
inode_permission+0x239/0x480 fs/namei.c:526
may_open+0x262/0x400 fs/namei.c:3240
do_open fs/namei.c:3614 [inline]
path_openat+0x258c/0x2fa0 fs/namei.c:3750
do_filp_open+0x1e2/0x410 fs/namei.c:3777
do_sys_openat2+0x150/0x4b0 fs/open.c:1255
do_sys_open fs/open.c:1271 [inline]
__do_sys_openat fs/open.c:1287 [inline]
__se_sys_openat fs/open.c:1282 [inline]
__x64_sys_openat+0x135/0x160 fs/open.c:1282
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x66/0xd0
RIP: 0033:0x7f27c1b0468e
Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 <c3> 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08
RSP: 002b:00007f27bfd9cda8 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007f27bfd9d6c0 RCX: 00007f27c1b0468e
RDX: 0000000000010000 RSI: 0000200000000200 RDI: ffffffffffffff9c
RBP: 0000200000000280 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000200000000200
R13: 00007f27bfd9cea0 R14: 000000000000032e R15: 0000200000004240
</TASK>
Allocated by task 24689:
kasan_save_stack mm/kasan/common.c:38 [inline]
kasan_set_track mm/kasan/common.c:46 [inline]
set_alloc_info mm/kasan/common.c:434 [inline]
____kasan_kmalloc mm/kasan/common.c:513 [inline]
__kasan_kmalloc+0xb5/0xf0 mm/kasan/common.c:522
kmalloc include/linux/slab.h:607 [inline]
kzalloc include/linux/slab.h:738 [inline]
hfs_fill_super+0x139/0x1590 fs/hfs/super.c:386
mount_bdev+0x287/0x3c0 fs/super.c:1400
legacy_get_tree+0xe6/0x180 fs/fs_context.c:611
vfs_get_tree+0x88/0x270 fs/super.c:1530
do_new_mount+0x24a/0xa40 fs/namespace.c:3034
do_mount fs/namespace.c:3377 [inline]
__do_sys_mount fs/namespace.c:3585 [inline]
__se_sys_mount+0x2e3/0x3d0 fs/namespace.c:3562
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x66/0xd0
Last potentially related work creation:
kasan_save_stack+0x35/0x60 mm/kasan/common.c:38
kasan_record_aux_stack+0xb8/0x100 mm/kasan/generic.c:348
kvfree_call_rcu+0x105/0x7d0 kernel/rcu/tree.c:3600
neigh_periodic_work+0x407/0xc70 net/core/neighbour.c:947
process_one_work+0x85f/0x1010 kernel/workqueue.c:2310
worker_thread+0xaa6/0x1290 kernel/workqueue.c:2457
kthread+0x436/0x520 kernel/kthread.c:334
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:287
The buggy address belongs to the object at ffff888143fd5800
which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 408 bytes to the right of
1024-byte region [ffff888143fd5800, ffff888143fd5c00)
The buggy address belongs to the page:
page:ffffea00050ff400 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888143fd0000 pfn:0x143fd0
head:ffffea00050ff400 order:3 compound_mapcount:0 compound_pincount:0
flags: 0x57ff00000010200(slab|head|node=1|zone=2|lastcpupid=0x7ff)
raw: 057ff00000010200 ffffea00007b9000 0000000200000002 ffff888016c41dc0
raw: ffff888143fd0000 000000008010000f 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, ts 2524690904, free_ts 0
prep_new_page mm/page_alloc.c:2426 [inline]
get_page_from_freelist+0x1bbd/0x1ca0 mm/page_alloc.c:4192
__alloc_pages+0x1ee/0x480 mm/page_alloc.c:5501
alloc_page_interleave+0x24/0x1e0 mm/mempolicy.c:2031
alloc_slab_page mm/slub.c:1780 [inline]
allocate_slab mm/slub.c:1917 [inline]
new_slab+0xc0/0x4b0 mm/slub.c:1980
___slab_alloc+0x80a/0xdd0 mm/slub.c:3013
__slab_alloc mm/slub.c:3100 [inline]
slab_alloc_node mm/slub.c:3191 [inline]
slab_alloc mm/slub.c:3233 [inline]
__kmalloc_track_caller+0x1cb/0x330 mm/slub.c:4930
__do_krealloc mm/slab_common.c:1244 [inline]
krealloc+0x5a/0xf0 mm/slab_common.c:1277
add_sysfs_param+0xe8/0x930 kernel/params.c:651
kernel_add_sysfs_param+0xaf/0x120 kernel/params.c:812
param_sysfs_builtin+0x183/0x200 kernel/params.c:851
param_sysfs_init+0x66/0x70 kernel/params.c:972
do_one_initcall+0x272/0x730 init/main.c:1316
do_initcall_level+0x137/0x1f0 init/main.c:1389
do_initcalls+0x4b/0x90 init/main.c:1405
kernel_init_freeable+0x3e9/0x570 init/main.c:1629
kernel_init+0x19/0x1b0 init/main.c:1520
page_owner free stack trace missing
Memory state around the buggy address:
ffff888143fd5c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888143fd5d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888143fd5d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff888143fd5e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888143fd5e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: de8dfb3f0278 Linux 5.15.206
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=14d13f48580000
kernel config: https://syzkaller.appspot.com/x/.config?x=353ae28c40b35af5
dashboard link: https://syzkaller.appspot.com/bug?extid=ae864827e14574cf7718
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/a3b00346a7a2/disk-de8dfb3f.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/cd8ff348788e/vmlinux-de8dfb3f.xz
kernel image: https://storage.googleapis.com/syzbot-assets/6d03a73b9540/bzImage-de8dfb3f.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ae8648...@syzkaller.appspotmail.com
loop2: detected capacity change from 0 to 64
==================================================================
BUG: KASAN: slab-out-of-bounds in reiserfs_xattr_get+0xde/0x960 fs/reiserfs/xattr.c:681
Read of size 8 at addr ffff888143fd5d98 by task syz.2.22473/24689
CPU: 0 PID: 24689 Comm: syz.2.22473 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
Call Trace:
<TASK>
dump_stack_lvl+0x188/0x250 lib/dump_stack.c:106
print_address_description+0x60/0x2d0 mm/kasan/report.c:248
__kasan_report mm/kasan/report.c:434 [inline]
kasan_report+0xdf/0x130 mm/kasan/report.c:451
reiserfs_xattr_get+0xde/0x960 fs/reiserfs/xattr.c:681
reiserfs_get_acl+0x7a/0x680 fs/reiserfs/xattr_acl.c:214
get_acl+0x154/0x250 fs/posix_acl.c:153
check_acl+0x3a/0x150 fs/namei.c:307
acl_permission_check fs/namei.c:352 [inline]
generic_permission+0x3bf/0x510 fs/namei.c:405
do_inode_permission fs/namei.c:459 [inline]
inode_permission+0x239/0x480 fs/namei.c:526
may_open+0x262/0x400 fs/namei.c:3240
do_open fs/namei.c:3614 [inline]
path_openat+0x258c/0x2fa0 fs/namei.c:3750
do_filp_open+0x1e2/0x410 fs/namei.c:3777
do_sys_openat2+0x150/0x4b0 fs/open.c:1255
do_sys_open fs/open.c:1271 [inline]
__do_sys_openat fs/open.c:1287 [inline]
__se_sys_openat fs/open.c:1282 [inline]
__x64_sys_openat+0x135/0x160 fs/open.c:1282
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x66/0xd0
RIP: 0033:0x7f27c1b0468e
Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 <c3> 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08
RSP: 002b:00007f27bfd9cda8 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007f27bfd9d6c0 RCX: 00007f27c1b0468e
RDX: 0000000000010000 RSI: 0000200000000200 RDI: ffffffffffffff9c
RBP: 0000200000000280 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000200000000200
R13: 00007f27bfd9cea0 R14: 000000000000032e R15: 0000200000004240
</TASK>
Allocated by task 24689:
kasan_save_stack mm/kasan/common.c:38 [inline]
kasan_set_track mm/kasan/common.c:46 [inline]
set_alloc_info mm/kasan/common.c:434 [inline]
____kasan_kmalloc mm/kasan/common.c:513 [inline]
__kasan_kmalloc+0xb5/0xf0 mm/kasan/common.c:522
kmalloc include/linux/slab.h:607 [inline]
kzalloc include/linux/slab.h:738 [inline]
hfs_fill_super+0x139/0x1590 fs/hfs/super.c:386
mount_bdev+0x287/0x3c0 fs/super.c:1400
legacy_get_tree+0xe6/0x180 fs/fs_context.c:611
vfs_get_tree+0x88/0x270 fs/super.c:1530
do_new_mount+0x24a/0xa40 fs/namespace.c:3034
do_mount fs/namespace.c:3377 [inline]
__do_sys_mount fs/namespace.c:3585 [inline]
__se_sys_mount+0x2e3/0x3d0 fs/namespace.c:3562
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x66/0xd0
Last potentially related work creation:
kasan_save_stack+0x35/0x60 mm/kasan/common.c:38
kasan_record_aux_stack+0xb8/0x100 mm/kasan/generic.c:348
kvfree_call_rcu+0x105/0x7d0 kernel/rcu/tree.c:3600
neigh_periodic_work+0x407/0xc70 net/core/neighbour.c:947
process_one_work+0x85f/0x1010 kernel/workqueue.c:2310
worker_thread+0xaa6/0x1290 kernel/workqueue.c:2457
kthread+0x436/0x520 kernel/kthread.c:334
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:287
The buggy address belongs to the object at ffff888143fd5800
which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 408 bytes to the right of
1024-byte region [ffff888143fd5800, ffff888143fd5c00)
The buggy address belongs to the page:
page:ffffea00050ff400 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888143fd0000 pfn:0x143fd0
head:ffffea00050ff400 order:3 compound_mapcount:0 compound_pincount:0
flags: 0x57ff00000010200(slab|head|node=1|zone=2|lastcpupid=0x7ff)
raw: 057ff00000010200 ffffea00007b9000 0000000200000002 ffff888016c41dc0
raw: ffff888143fd0000 000000008010000f 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, ts 2524690904, free_ts 0
prep_new_page mm/page_alloc.c:2426 [inline]
get_page_from_freelist+0x1bbd/0x1ca0 mm/page_alloc.c:4192
__alloc_pages+0x1ee/0x480 mm/page_alloc.c:5501
alloc_page_interleave+0x24/0x1e0 mm/mempolicy.c:2031
alloc_slab_page mm/slub.c:1780 [inline]
allocate_slab mm/slub.c:1917 [inline]
new_slab+0xc0/0x4b0 mm/slub.c:1980
___slab_alloc+0x80a/0xdd0 mm/slub.c:3013
__slab_alloc mm/slub.c:3100 [inline]
slab_alloc_node mm/slub.c:3191 [inline]
slab_alloc mm/slub.c:3233 [inline]
__kmalloc_track_caller+0x1cb/0x330 mm/slub.c:4930
__do_krealloc mm/slab_common.c:1244 [inline]
krealloc+0x5a/0xf0 mm/slab_common.c:1277
add_sysfs_param+0xe8/0x930 kernel/params.c:651
kernel_add_sysfs_param+0xaf/0x120 kernel/params.c:812
param_sysfs_builtin+0x183/0x200 kernel/params.c:851
param_sysfs_init+0x66/0x70 kernel/params.c:972
do_one_initcall+0x272/0x730 init/main.c:1316
do_initcall_level+0x137/0x1f0 init/main.c:1389
do_initcalls+0x4b/0x90 init/main.c:1405
kernel_init_freeable+0x3e9/0x570 init/main.c:1629
kernel_init+0x19/0x1b0 init/main.c:1520
page_owner free stack trace missing
Memory state around the buggy address:
ffff888143fd5c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888143fd5d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888143fd5d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff888143fd5e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888143fd5e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
Reply all
Reply to author
Forward
0 new messages