Hello,
syzbot found the following issue on:
HEAD commit: 3f8a27f9e27b Linux 4.19.211
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=13d38fb0480000
kernel config: https://syzkaller.appspot.com/x/.config?x=9b9277b418617afe
dashboard link: https://syzkaller.appspot.com/bug?extid=9eac28cc0c86d33be42f
compiler: gcc version 10.2.1 20210110 (Debian 10.2.1-6)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16298dac480000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17c0ee98480000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/98c0bdb4abb3/disk-3f8a27f9.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/ea228ff02669/vmlinux-3f8a27f9.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/30f175b54130/mount_1.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+9eac28...@syzkaller.appspotmail.com
REISERFS error (device loop0): vs-13050 reiserfs_update_sd_size: i/o failure occurred trying to update [2 2 0x0 SD] stat data
REISERFS warning: reiserfs-5093 is_leaf: item entry count seems wrong *3.5*[2 1 0(1) DIR], item_len 35, item_location 4029, free_space(entry_count) 2
REISERFS error (device loop0): vs-5150 search_by_key: invalid format found in block 532. Fsck?
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 8097 Comm: syz-executor303 Not tainted 4.19.211-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
RIP: 0010:reiserfs_node_data fs/reiserfs/reiserfs.h:2186 [inline]
RIP: 0010:item_head fs/reiserfs/reiserfs.h:2202 [inline]
RIP: 0010:tp_item_head fs/reiserfs/reiserfs.h:2228 [inline]
RIP: 0010:prepare_for_delete_or_cut+0x12a/0x1b00 fs/reiserfs/stree.c:1060
Code: 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 57 19 00 00 48 b8 00 00 00 00 00 fc ff df 48 8b 1b 48 8d 7b 28 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 69 18 00 00 48 8b 4b 28 49 63 c4 48 8d 44 40 03
RSP: 0018:ffff8880aeec7318 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffff8880aeec7998
RDX: 0000000000000005 RSI: ffffffff81d4eb6f RDI: 0000000000000028
RBP: ffff8880aeec7518 R08: ffff8880aeec7528 R09: ffff8880aeec7518
R10: 0000000000000005 R11: 0000000000000000 R12: 0000000000000000
R13: ffff88808ac47780 R14: 1ffff11015dd8f3b R15: ffff8880aeec7528
FS: 0000555556e61300(0000) GS:ffff8880ba100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f2280a96ec8 CR3: 0000000009e6d000 CR4: 00000000003406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
reiserfs_cut_from_item+0x1ef/0x1960 fs/reiserfs/stree.c:1692
reiserfs_do_truncate+0x64a/0x10c0 fs/reiserfs/stree.c:1983
reiserfs_truncate_file+0x1b1/0x1030 fs/reiserfs/inode.c:2320
reiserfs_file_release+0x982/0xd90 fs/reiserfs/file.c:115
__fput+0x2ce/0x890 fs/file_table.c:278
task_work_run+0x148/0x1c0 kernel/task_work.c:113
exit_task_work include/linux/task_work.h:22 [inline]
do_exit+0xbf3/0x2be0 kernel/exit.c:870
do_group_exit+0x125/0x310 kernel/exit.c:967
__do_sys_exit_group kernel/exit.c:978 [inline]
__se_sys_exit_group kernel/exit.c:976 [inline]
__x64_sys_exit_group+0x3a/0x50 kernel/exit.c:976
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f2280a52cd9
Code: Bad RIP value.
RSP: 002b:00007fffd563e1c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 00007f2280ac8430 RCX: 00007f2280a52cd9
RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f2280ac8430
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
Modules linked in:
---[ end trace 40c03b297533e20e ]---
RIP: 0010:reiserfs_node_data fs/reiserfs/reiserfs.h:2186 [inline]
RIP: 0010:item_head fs/reiserfs/reiserfs.h:2202 [inline]
RIP: 0010:tp_item_head fs/reiserfs/reiserfs.h:2228 [inline]
RIP: 0010:prepare_for_delete_or_cut+0x12a/0x1b00 fs/reiserfs/stree.c:1060
Code: 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 57 19 00 00 48 b8 00 00 00 00 00 fc ff df 48 8b 1b 48 8d 7b 28 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 69 18 00 00 48 8b 4b 28 49 63 c4 48 8d 44 40 03
RSP: 0018:ffff8880aeec7318 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffff8880aeec7998
RDX: 0000000000000005 RSI: ffffffff81d4eb6f RDI: 0000000000000028
RBP: ffff8880aeec7518 R08: ffff8880aeec7528 R09: ffff8880aeec7518
R10: 0000000000000005 R11: 0000000000000000 R12: 0000000000000000
R13: ffff88808ac47780 R14: 1ffff11015dd8f3b R15: ffff8880aeec7528
FS: 0000555556e61300(0000) GS:ffff8880ba100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f2280a52caf CR3: 0000000009e6d000 CR4: 00000000003406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess), 4 bytes skipped:
0: 48 c1 ea 03 shr $0x3,%rdx
4: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1)
8: 0f 85 57 19 00 00 jne 0x1965
e: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
15: fc ff df
18: 48 8b 1b mov (%rbx),%rbx
1b: 48 8d 7b 28 lea 0x28(%rbx),%rdi
1f: 48 89 fa mov %rdi,%rdx
22: 48 c1 ea 03 shr $0x3,%rdx
* 26: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) <-- trapping instruction
2a: 0f 85 69 18 00 00 jne 0x1899
30: 48 8b 4b 28 mov 0x28(%rbx),%rcx
34: 49 63 c4 movslq %r12d,%rax
37: 48 8d 44 40 03 lea 0x3(%rax,%rax,2),%rax