KASAN: out-of-bounds Read in leaf_paste

KASAN: out-of-bounds Read in leaf_paste_entries
Status: upstream: reported C repro on 2021/02/20 06:05
Reported-by: syzbot+c31a48e6702ccb3d64c9@syzkaller.appspotmail.com
Fix commit: 13d257503c09 reiserfs: check directory items on read from disk
Patched on: [ci-qemu-upstream ci-qemu-upstream-386 ci-qemu2-arm64 ci-qemu2-arm64-compat ci-qemu2-arm64-mte ci-upstream-gce-leak ci-upstream-kasan-gce ci-upstream-kasan-gce-386 ci-upstream-kasan-gce-root ci-upstream-kasan-gce-selinux-root ci-upstream-kasan-gce-smack-root ci-upstream-linux-next-kasan-gce-root ci2-upstream-kcsan-gce], missing on: [ci-qemu2-arm32 ci-qemu2-riscv64 ci-upstream-bpf-kasan-gce ci-upstream-bpf-next-kasan-gce ci-upstream-kmsan-gce ci-upstream-kmsan-gce-386 ci-upstream-net-kasan-gce ci-upstream-net-this-kasan-gce ci2-upstream-usb]
First crash: 163d, last: 30d

Cause bisection: the issue happens on the oldest tested release (bisect log)
Crash: KASAN: out-of-bounds Read in leaf_paste_entries (log)
Repro: C syz .config

similar bugs (2):
Kernel	Title	Repro	Cause bisect	Fix bisect	Count	Last	Reported	Patched	Status
linux-4.19	KASAN: out-of-bounds Read in leaf_paste_entries	C			4	6d03h	256d	0/1	upstream: reported C repro on 2020/11/14 23:23
linux-4.14	KASAN: out-of-bounds Read in leaf_paste_entries	C			9	23d	296d	0/1	upstream: reported C repro on 2020/10/05 14:11

Patch testing requests:
Created	Duration	User	Patch	Repo	Result
2021/07/09 12:01	19m	chouhan.shreyansh630@gmail.com	patch	linux-next	OK
2021/07/09 04:02	19m	chouhan.shreyansh630@gmail.com	patch	linux-next	OK
2021/07/08 12:47	11m	chouhan.shreyansh630@gmail.com	patch	linux-next	report log
2021/06/23 16:37	11m	chouhan.shreyansh630@gmail.com		linux-next	report log

Sample crash report:

REISERFS (device loop0): journal params: device loop0, size 8192, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
REISERFS (device loop0): checking transaction log (loop0)
REISERFS (device loop0): Using rupasov hash to sort names
==================================================================
BUG: KASAN: out-of-bounds in memmove include/linux/fortify-string.h:207 [inline]
BUG: KASAN: out-of-bounds in leaf_paste_entries+0x404/0x910 fs/reiserfs/lbalance.c:1368
Read of size 18446744073709551571 at addr ffff888044129fe1 by task syz-executor837/8439

CPU: 1 PID: 8439 Comm: syz-executor837 Not tainted 5.13.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x141/0x1d7 lib/dump_stack.c:120
 print_address_description.constprop.0.cold+0x5b/0x2c6 mm/kasan/report.c:233
 __kasan_report mm/kasan/report.c:419 [inline]
 kasan_report.cold+0x7c/0xd8 mm/kasan/report.c:436
 check_region_inline mm/kasan/generic.c:180 [inline]
 kasan_check_range+0x13d/0x180 mm/kasan/generic.c:186
 memmove+0x20/0x60 mm/kasan/shadow.c:54
 memmove include/linux/fortify-string.h:207 [inline]
 leaf_paste_entries+0x404/0x910 fs/reiserfs/lbalance.c:1368
 balance_leaf_finish_node_paste_dirent fs/reiserfs/do_balan.c:1295 [inline]
 balance_leaf_finish_node_paste fs/reiserfs/do_balan.c:1321 [inline]
 balance_leaf_finish_node fs/reiserfs/do_balan.c:1364 [inline]
 balance_leaf+0x951e/0xd8b0 fs/reiserfs/do_balan.c:1452
 do_balance+0x315/0x810 fs/reiserfs/do_balan.c:1888
 reiserfs_paste_into_item+0x762/0x8e0 fs/reiserfs/stree.c:2138
 reiserfs_add_entry+0x8cb/0xcf0 fs/reiserfs/namei.c:566
 reiserfs_mkdir+0x675/0x980 fs/reiserfs/namei.c:859
 create_privroot fs/reiserfs/xattr.c:889 [inline]
 reiserfs_xattr_init+0x4de/0xb60 fs/reiserfs/xattr.c:1012
 reiserfs_fill_super+0x2166/0x2e00 fs/reiserfs/super.c:2177
 mount_bdev+0x34d/0x410 fs/super.c:1368
 legacy_get_tree+0x105/0x220 fs/fs_context.c:592
 vfs_get_tree+0x89/0x2f0 fs/super.c:1498
 do_new_mount fs/namespace.c:2905 [inline]
 path_mount+0x132a/0x1fa0 fs/namespace.c:3235
 do_mount fs/namespace.c:3248 [inline]
 __do_sys_mount fs/namespace.c:3456 [inline]
 __se_sys_mount fs/namespace.c:3433 [inline]
 __x64_sys_mount+0x27f/0x300 fs/namespace.c:3433
 do_syscall_64+0x3a/0xb0 arch/x86/entry/common.c:47
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x445b8a
Code: 48 c7 c2 c0 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 a8 00 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffced423788 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007ffced4237e0 RCX: 0000000000445b8a
RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffced4237a0
RBP: 00007ffced4237a0 R08: 00007ffced4237e0 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000286 R12: 00000000200002a8
R13: 0000000000000003 R14: 0000000000000004 R15: 0000000000000007

The buggy address belongs to the page:
page:ffffea0001104a40 refcount:3 mapcount:0 mapping:ffff888145832b50 index:0x2013 pfn:0x44129
memcg:ffff888140180000
aops:def_blk_aops ino:700000
flags: 0xfff00000002022(referenced|active|private|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000002022 dead000000000100 dead000000000122 ffff888145832b50
raw: 0000000000002013 ffff8880409cad98 00000003ffffffff ffff888140180000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Movable, gfp_mask 0x108c48(GFP_NOFS|__GFP_NOFAIL|__GFP_HARDWALL|__GFP_MOVABLE), pid 8439, ts 83750852768, free_ts 0
 prep_new_page mm/page_alloc.c:2358 [inline]
 get_page_from_freelist+0x1033/0x2b60 mm/page_alloc.c:3994
 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5200
 alloc_pages+0x18c/0x2a0 mm/mempolicy.c:2272
 __page_cache_alloc mm/filemap.c:1005 [inline]
 __page_cache_alloc+0x303/0x3a0 mm/filemap.c:990
 pagecache_get_page+0x38f/0x18d0 mm/filemap.c:1885
 find_or_create_page include/linux/pagemap.h:420 [inline]
 grow_dev_page fs/buffer.c:974 [inline]
 grow_buffers fs/buffer.c:1039 [inline]
 __getblk_slow+0x213/0xb60 fs/buffer.c:1066
 __getblk_gfp+0x70/0x80 fs/buffer.c:1359
 sb_getblk include/linux/buffer_head.h:327 [inline]
 search_by_key+0x3a8/0x3b80 fs/reiserfs/stree.c:651
 reiserfs_read_locked_inode+0x154/0x2160 fs/reiserfs/inode.c:1557
 reiserfs_fill_super+0x18f4/0x2e00 fs/reiserfs/super.c:2081
 mount_bdev+0x34d/0x410 fs/super.c:1368
 legacy_get_tree+0x105/0x220 fs/fs_context.c:592
 vfs_get_tree+0x89/0x2f0 fs/super.c:1498
 do_new_mount fs/namespace.c:2905 [inline]
 path_mount+0x132a/0x1fa0 fs/namespace.c:3235
 do_mount fs/namespace.c:3248 [inline]
 __do_sys_mount fs/namespace.c:3456 [inline]
 __se_sys_mount fs/namespace.c:3433 [inline]
 __x64_sys_mount+0x27f/0x300 fs/namespace.c:3433
 do_syscall_64+0x3a/0xb0 arch/x86/entry/common.c:47
page_owner free stack trace missing

Memory state around the buggy address:
 ffff888044129e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888044129f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888044129f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                       ^
 ffff88804412a000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88804412a080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

Fix bisection attempts:
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro
ci-upstream-kasan-gce-selinux-root	2021/06/08 22:46	upstream	368094df48e6	98682e5e	.config	log	report	syz	C
ci-upstream-kasan-gce-selinux-root	2021/04/17 11:24	upstream	9cdbf6467424	98682e5e	.config	log	report	syz	C
ci-upstream-kasan-gce-selinux-root	2021/03/18 07:49	upstream	6417f03132a6	98682e5e	.config	log	report	syz	C

Crashes (6):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	VM info	Title
ci-upstream-kasan-gce-selinux-root	2021/06/23 13:50	upstream	0c18f29aae7c	aba2b2fb	.config	log	report	syz	C		KASAN: out-of-bounds Read in leaf_paste_entries
ci-upstream-kasan-gce-selinux-root	2021/02/16 07:29	upstream	f40ddce88593	98682e5e	.config	log	report	syz	C		KASAN: out-of-bounds Read in leaf_paste_entries
ci-upstream-linux-next-kasan-gce-root	2021/06/12 10:09	linux-next	a1f92694393a	1ba81399	.config	log	report	syz	C		KASAN: out-of-bounds Read in leaf_paste_entries
ci-upstream-kasan-gce-root	2021/06/28 23:14	upstream	62fb9874f5da	9d2ab5df	.config	log	report			info	KASAN: out-of-bounds Read in leaf_paste_entries
ci-upstream-kasan-gce-root	2021/05/08 21:43	upstream	ab159ac569fd	bc5434be	.config	log	report			info	KASAN: out-of-bounds Read in leaf_paste_entries
ci-upstream-kasan-gce-selinux-root	2021/02/16 05:57	upstream	f40ddce88593	98682e5e	.config	log	report			info	KASAN: out-of-bounds Read in leaf_paste_entries