KASAN: out-of-bounds Read in leaf_paste

KASAN: out-of-bounds Read in leaf_paste_entries
Status: upstream: reported C repro on 2021/02/20 06:05
Reported-by: syzbot+c31a48e6702ccb3d64c9@syzkaller.appspotmail.com
First crash: 12d, last: 12d

Cause bisection: the issue happens on the oldest tested release (bisect log)
Crash: KASAN: out-of-bounds Read in leaf_paste_entries (log)
Repro: C syz .config

similar bugs (2):
Kernel	Title	Repro	Cause bisect	Fix bisect	Count	Last	Reported	Patched	Status
linux-4.19	KASAN: out-of-bounds Read in leaf_paste_entries	C			3	9d23h	105d	0/1	upstream: reported C repro on 2020/11/14 23:23
linux-4.14	KASAN: out-of-bounds Read in leaf_paste_entries	C			8	5d14h	146d	0/1	upstream: reported C repro on 2020/10/05 14:11

Sample crash report:

REISERFS (device loop0): journal params: device loop0, size 15748, journal first block 18, max trans len 1024, max batch 900, max commit age 30, max trans age 30
REISERFS (device loop0): checking transaction log (loop0)
REISERFS (device loop0): Using tea hash to sort names
==================================================================
BUG: KASAN: out-of-bounds in memmove include/linux/string.h:462 [inline]
BUG: KASAN: out-of-bounds in leaf_paste_entries+0x449/0x910 fs/reiserfs/lbalance.c:1377
Read of size 18446744073709551584 at addr ffff888040a03fa4 by task syz-executor585/8424

CPU: 1 PID: 8424 Comm: syz-executor585 Not tainted 5.11.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x107/0x163 lib/dump_stack.c:120
 print_address_description.constprop.0.cold+0x5b/0x2c6 mm/kasan/report.c:230
 __kasan_report mm/kasan/report.c:396 [inline]
 kasan_report.cold+0x79/0xd5 mm/kasan/report.c:413
 check_memory_region_inline mm/kasan/generic.c:179 [inline]
 check_memory_region+0x13d/0x180 mm/kasan/generic.c:185
 memmove+0x20/0x60 mm/kasan/shadow.c:53
 memmove include/linux/string.h:462 [inline]
 leaf_paste_entries+0x449/0x910 fs/reiserfs/lbalance.c:1377
 balance_leaf_finish_node_paste_dirent fs/reiserfs/do_balan.c:1295 [inline]
 balance_leaf_finish_node_paste fs/reiserfs/do_balan.c:1321 [inline]
 balance_leaf_finish_node fs/reiserfs/do_balan.c:1364 [inline]
 balance_leaf+0x951e/0xd8b0 fs/reiserfs/do_balan.c:1452
 do_balance+0x315/0x810 fs/reiserfs/do_balan.c:1888
 reiserfs_paste_into_item+0x762/0x8e0 fs/reiserfs/stree.c:2138
 reiserfs_add_entry+0x8cb/0xcf0 fs/reiserfs/namei.c:566
 reiserfs_mkdir+0x66e/0x980 fs/reiserfs/namei.c:858
 create_privroot fs/reiserfs/xattr.c:889 [inline]
 reiserfs_xattr_init+0x4de/0xb60 fs/reiserfs/xattr.c:1011
 reiserfs_fill_super+0x215d/0x2e00 fs/reiserfs/super.c:2177
 mount_bdev+0x34d/0x410 fs/super.c:1366
 legacy_get_tree+0x105/0x220 fs/fs_context.c:592
 vfs_get_tree+0x89/0x2f0 fs/super.c:1496
 do_new_mount fs/namespace.c:2881 [inline]
 path_mount+0x13ad/0x20c0 fs/namespace.c:3211
 do_mount fs/namespace.c:3224 [inline]
 __do_sys_mount fs/namespace.c:3432 [inline]
 __se_sys_mount fs/namespace.c:3409 [inline]
 __x64_sys_mount+0x27f/0x300 fs/namespace.c:3409
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x445b8a
Code: 48 c7 c2 c0 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 a8 00 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff8c7af438 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007fff8c7af490 RCX: 0000000000445b8a
RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007fff8c7af450
RBP: 00007fff8c7af450 R08: 00007fff8c7af490 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000286 R12: 00000000200002a8
R13: 0000000000000003 R14: 0000000000000004 R15: 0000000000000007

The buggy address belongs to the page:
page:000000008f17f20f refcount:3 mapcount:0 mapping:000000009acfcc32 index:0x3d97 pfn:0x40a03
aops:def_blk_aops ino:700000
flags: 0xfff00000002022(referenced|active|private)
raw: 00fff00000002022 dead000000000100 dead000000000122 ffff88801795cb50
raw: 0000000000003d97 ffff888038f7c4c8 00000003ffffffff ffff8881407ac000
page dumped because: kasan: bad access detected
pages's memcg:ffff8881407ac000

Memory state around the buggy address:
 ffff888040a03e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888040a03f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888040a03f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                               ^
 ffff888040a04000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888040a04080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

Crashes (2):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	VM info	Title
ci-upstream-kasan-gce-selinux-root	2021/02/16 07:29	upstream	f40ddce8	98682e5e	.config	log	report	syz	C		KASAN: out-of-bounds Read in leaf_paste_entries
ci-upstream-kasan-gce-selinux-root	2021/02/16 05:57	upstream	f40ddce8	98682e5e	.config	log	report			info	KASAN: out-of-bounds Read in leaf_paste_entries