jfs-discussion Mailing List for Journaled File System
From: Dave K. <dav...@or...> - 2024-09-16 19:45:57

The following changes since commit 3d5f968a177d468cd13568ef901c5be84d83d32b:

  Merge tag 'pwrseq-fixes-for-v6.11-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux (2024-08-23 17:48:27 +0800)

are available in the Git repository at:

  gi...@gi...:kleikamp/linux-shaggy.git tags/jfs-6.12

for you to fetch changes up to 2b59ffad47db1c46af25ccad157bb3b25147c35c:

  jfs: Fix uninit-value access of new_ea in ea_buffer (2024-09-04 10:28:08 -0500)

----------------------------------------------------------------
A few fixes for jfs
----------------------------------------------------------------
Edward Adam Davis (2):
      jfs: Fix uaf in dbFreeBits
      jfs: check if leafidx greater than num leaves per dmap tree

Jeongjun Park (1):
      jfs: fix out-of-bounds in dbNextAG() and diAlloc()

Remington Brasga (1):
      jfs: UBSAN: shift-out-of-bounds in dbFindBits

Zhao Mengmeng (1):
      jfs: Fix uninit-value access of new_ea in ea_buffer

 fs/jfs/jfs_discard.c | 11 +++++++++--
 fs/jfs/jfs_dmap.c    | 11 +++++++----
 fs/jfs/jfs_imap.c    |  2 +-
 fs/jfs/xattr.c       |  2 ++
 4 files changed, 19 insertions(+), 7 deletions(-)

From: syzbot <syz...@sy...> - 2024-09-15 23:58:37

Hello,

syzbot found the following issue on:

HEAD commit:    7c6a3a65ace7 minmax: reduce min/max macro expansion in ato..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15105807980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=1c9e296880039df9
dashboard link: https://syzkaller.appspot.com/bug?extid=bb0aa125eb8d70475ebd
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/06208dec0174/disk-7c6a3a65.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/bd09f189e9df/vmlinux-7c6a3a65.xz
kernel image: https://storage.googleapis.com/syzbot-assets/25e56ca1462d/bzImage-7c6a3a65.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syz...@sy...

------------[ cut here ]------------
UBSAN: shift-out-of-bounds in fs/jfs/super.c:140:14
shift exponent 770 is too large for 64-bit type 's64' (aka 'long long')
CPU: 0 UID: 0 PID: 8224 Comm: syz.2.276 Not tainted 6.11.0-rc7-syzkaller-00021-g7c6a3a65ace7 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:93 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119
 ubsan_epilogue lib/ubsan.c:231 [inline]
 __ubsan_handle_shift_out_of_bounds+0x3c8/0x420 lib/ubsan.c:468
 jfs_statfs+0x503/0x510 fs/jfs/super.c:140
 statfs_by_dentry fs/statfs.c:66 [inline]
 vfs_statfs+0x13b/0x2c0 fs/statfs.c:90
 ovl_check_namelen fs/overlayfs/super.c:375 [inline]
 ovl_lower_dir fs/overlayfs/super.c:391 [inline]
 ovl_get_lowerstack fs/overlayfs/super.c:1132 [inline]
 ovl_fill_super+0x8ed/0x3560 fs/overlayfs/super.c:1392
 vfs_get_super fs/super.c:1280 [inline]
 get_tree_nodev+0xb7/0x140 fs/super.c:1299
 vfs_get_tree+0x90/0x2b0 fs/super.c:1800
 do_new_mount+0x2be/0xb40 fs/namespace.c:3472
 do_mount fs/namespace.c:3812 [inline]
 __do_sys_mount fs/namespace.c:4020 [inline]
 __se_sys_mount+0x2d6/0x3c0 fs/namespace.c:3997
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
 </TASK>
---[ end trace ]---

---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syz...@go....

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

From: syzbot <syz...@sy...> - 2024-09-15 17:59:36

Hello,

syzbot found the following issue on:

HEAD commit:    df54f4a16f82 Merge branch 'for-next/core' into for-kernelci
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=15f1a200580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=dde5a5ba8d41ee9e
dashboard link: https://syzkaller.appspot.com/bug?extid=af0d2605ff1908d60ca9
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/aa2eb06e0aea/disk-df54f4a1.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/14728733d385/vmlinux-df54f4a1.xz
kernel image: https://storage.googleapis.com/syzbot-assets/99816271407d/Image-df54f4a1.gz.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syz...@sy...

read_mapping_page failed!
read_mapping_page failed!
BUG at fs/jfs/jfs_dmap.c:2700 assert(leaf[leafno] == NOFREE)
------------[ cut here ]------------
kernel BUG at fs/jfs/jfs_dmap.c:2700!
Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 UID: 0 PID: 6540 Comm: syz.0.10 Not tainted 6.11.0-rc5-syzkaller-gdf54f4a16f82 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
pc : dbBackSplit+0x50c/0x510 fs/jfs/jfs_dmap.c:2700
lr : dbBackSplit+0x50c/0x510 fs/jfs/jfs_dmap.c:2700
Call trace:
 dbBackSplit+0x50c/0x510 fs/jfs/jfs_dmap.c:2700
 dbFreeDmap fs/jfs/jfs_dmap.c:2108 [inline]
 dbFree+0x498/0x5b0 fs/jfs/jfs_dmap.c:409
 dbDiscardAG+0x604/0x748 fs/jfs/jfs_dmap.c:1650
 jfs_ioc_trim+0x3cc/0x5d8 fs/jfs/jfs_discard.c:100
 jfs_ioctl+0x338/0x550 fs/jfs/ioctl.c:131
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:907 [inline]
 __se_sys_ioctl fs/ioctl.c:893 [inline]
 __arm64_sys_ioctl+0x14c/0x1c8 fs/ioctl.c:893
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712
 el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730
 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598
---[ end trace 0000000000000000 ]---

From: syzbot <syz...@sy...> - 2024-09-13 10:03:35

Hello jfs maintainers/developers,

This is a 31-day syzbot report for the jfs subsystem.
All related reports/information can be found at:
https://syzkaller.appspot.com/upstream/s/jfs

During the period, 3 new issues were detected and 0 were fixed.
In total, 50 issues are still open and 43 have been fixed so far.

Some of the still happening issues:

Ref   Crashes  Repro  Title
<1>   19333    Yes    kernel BUG in jfs_evict_inode
                      https://syzkaller.appspot.com/bug?extid=9c0c58ea2e4887ab502e
<2>   8182     Yes    kernel BUG in txUnlock
                      https://syzkaller.appspot.com/bug?extid=a63afa301d1258d09267
<3>   3763     Yes    general protection fault in lmLogSync (2)
                      https://syzkaller.appspot.com/bug?extid=e14b1036481911ae4d77
<4>   2627     Yes    WARNING in dbAdjTree
                      https://syzkaller.appspot.com/bug?extid=ab18fa9c959320611727
<5>   2159     Yes    general protection fault in write_special_inodes
                      https://syzkaller.appspot.com/bug?extid=c732e285f8fc38d15916
<6>   2001     Yes    INFO: task hung in lock_metapage
                      https://syzkaller.appspot.com/bug?extid=1d84a1682e4673d5c4fb
<7>   1775     Yes    kernel BUG in dbFindLeaf
                      https://syzkaller.appspot.com/bug?extid=dcea2548c903300a400e
<8>   1542     Yes    KASAN: user-memory-access Write in __destroy_inode
                      https://syzkaller.appspot.com/bug?extid=dcc068159182a4c31ca3
<9>   839      Yes    general protection fault in jfs_flush_journal
                      https://syzkaller.appspot.com/bug?extid=194bfe3476f96782c0b6
<10>  756      Yes    KASAN: use-after-free Read in release_metapage
                      https://syzkaller.appspot.com/bug?extid=f1521383cec5f7baaa94

---
To disable reminders for individual bugs, reply with the following command:
#syz set <Ref> no-reminders

To change bug's subsystems, reply with:
#syz set <Ref> subsystems: new-subsystem

You may send multiple commands in a single email message.

From: syzbot <syz...@sy...> - 2024-09-10 08:16:37

Hello,

syzbot found the following issue on:

HEAD commit:    da3ea35007d0 Linux 6.11-rc7
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14e3e877980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=61d235cb8d15001c
dashboard link: https://syzkaller.appspot.com/bug?extid=e380443eaa59bfb75a84
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=17681420580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=16e3e877980000

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7bc7510fe41f/non_bootable_disk-da3ea350.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/1ab780d224f6/vmlinux-da3ea350.xz
kernel image: https://storage.googleapis.com/syzbot-assets/834dde85c1c2/bzImage-da3ea350.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/8ca1335c6a53/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syz...@sy...

BUG: spinlock bad magic on CPU#0, jfsCommit/101
==================================================================
BUG: KASAN: slab-out-of-bounds in string_nocheck lib/vsprintf.c:646 [inline]
BUG: KASAN: slab-out-of-bounds in string+0x218/0x2b0 lib/vsprintf.c:728
Read of size 1 at addr ffff8880412849f0 by task jfsCommit/101

CPU: 0 UID: 0 PID: 101 Comm: jfsCommit Not tainted 6.11.0-rc7-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:93 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:488
 kasan_report+0x143/0x180 mm/kasan/report.c:601
 string_nocheck lib/vsprintf.c:646 [inline]
 string+0x218/0x2b0 lib/vsprintf.c:728
 vsnprintf+0x1101/0x1da0 lib/vsprintf.c:2824
 vprintk_store+0x480/0x1160 kernel/printk/printk.c:2228
 vprintk_emit+0x1e0/0x7c0 kernel/printk/printk.c:2329
 _printk+0xd5/0x120 kernel/printk/printk.c:2373
 spin_dump kernel/locking/spinlock_debug.c:64 [inline]
 spin_bug+0x13b/0x1d0 kernel/locking/spinlock_debug.c:78
 debug_spin_lock_before kernel/locking/spinlock_debug.c:86 [inline]
 do_raw_spin_lock+0x209/0x370 kernel/locking/spinlock_debug.c:115
 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:111 [inline]
 _raw_spin_lock_irqsave+0xe1/0x120 kernel/locking/spinlock.c:162
 __wake_up_common_lock+0x25/0x1e0 kernel/sched/wait.c:105
 unlock_metapage fs/jfs/jfs_metapage.c:39 [inline]
 release_metapage+0xb2/0x960 fs/jfs/jfs_metapage.c:763
 xtTruncate+0x1006/0x3270
 jfs_free_zero_link+0x46e/0x6e0 fs/jfs/namei.c:759
 jfs_evict_inode+0x35f/0x440 fs/jfs/inode.c:153
 evict+0x532/0x950 fs/inode.c:704
 txUpdateMap+0x931/0xb10 fs/jfs/jfs_txnmgr.c:2367
 txLazyCommit fs/jfs/jfs_txnmgr.c:2664 [inline]
 jfs_lazycommit+0x49a/0xb80 fs/jfs/jfs_txnmgr.c:2733
 kthread+0x2f0/0x390 kernel/kthread.c:389
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>

The buggy address belongs to the object at ffff8880412849c0
 which belongs to the cache jfs_ip of size 2232
The buggy address is located 48 bytes inside of
 allocated 2232-byte region [ffff8880412849c0, ffff888041285278)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x41280
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x4fff00000000040(head|node=1|zone=1|lastcpupid=0x7ff)
page_type: 0xfdffffff(slab)
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Reclaimable, gfp_mask 0xd2050(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_RECLAIMABLE), pid 5111, tgid 5111 (syz-executor352), ts 80788950583, free_ts 0
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1500
 prep_new_page mm/page_alloc.c:1508 [inline]
 get_page_from_freelist+0x2e4c/0x2f10 mm/page_alloc.c:3446
 __alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4702
 __alloc_pages_node_noprof include/linux/gfp.h:269 [inline]
 alloc_pages_node_noprof include/linux/gfp.h:296 [inline]
 alloc_slab_page+0x5f/0x120 mm/slub.c:2325
 allocate_slab+0x5a/0x2f0 mm/slub.c:2488
 new_slab mm/slub.c:2541 [inline]
 ___slab_alloc+0xcd1/0x14b0 mm/slub.c:3727
 __slab_alloc+0x58/0xa0 mm/slub.c:3817
 __slab_alloc_node mm/slub.c:3870 [inline]
 slab_alloc_node mm/slub.c:4029 [inline]
 kmem_cache_alloc_lru_noprof+0x1c5/0x2b0 mm/slub.c:4060
 jfs_alloc_inode+0x28/0x70 fs/jfs/super.c:105
 alloc_inode fs/inode.c:263 [inline]
 new_inode_pseudo fs/inode.c:1073 [inline]
 new_inode+0x6e/0x310 fs/inode.c:1092
 jfs_fill_super+0x408/0xc50 fs/jfs/super.c:544
 mount_bdev+0x20a/0x2d0 fs/super.c:1679
 legacy_get_tree+0xee/0x190 fs/fs_context.c:662
 vfs_get_tree+0x90/0x2b0 fs/super.c:1800
 do_new_mount+0x2be/0xb40 fs/namespace.c:3472
 do_mount fs/namespace.c:3812 [inline]
 __do_sys_mount fs/namespace.c:4020 [inline]
 __se_sys_mount+0x2d6/0x3c0 fs/namespace.c:3997
page_owner free stack trace missing
==================================================================

---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

From: Dave K. <dav...@or...> - 2024-09-04 15:35:58

On 9/3/24 8:07PM, Zhao Mengmeng wrote:
> syzbot reports that lzo1x_1_do_compress is using uninit-value:

Looks good. I'm trimming down the commit header since the stack traces
aren't very useful. I think the important fields are all set correctly
when necessary, but the structure does contain some reserved bytes as
padding, so the initialization is good to have.

Applied.

Shaggy

>
> =====================================================
> BUG: KMSAN: uninit-value in lzo1x_1_do_compress+0x19f9/0x2510 lib/lzo/lzo1x_compress.c:178
>  lzo1x_1_do_compress+0x19f9/0x2510 lib/lzo/lzo1x_compress.c:178
>  lzogeneric1x_1_compress+0x26a/0x11b0 lib/lzo/lzo1x_compress.c:333
>  lzo1x_1_compress+0x47/0x80 lib/lzo/lzo1x_compress.c:383
>  __lzo_compress crypto/lzo.c:58 [inline]
>  lzo_scompress+0x98/0x180 crypto/lzo.c:79
>  scomp_acomp_comp_decomp+0x7c6/0xb90
>  scomp_acomp_compress+0x32/0x40 crypto/scompress.c:187
>  crypto_acomp_compress include/crypto/acompress.h:251 [inline]
>  zswap_compress+0x368/0xad0 mm/zswap.c:927
>  zswap_store+0x1af3/0x2dd0 mm/zswap.c:1459
>  swap_writepage+0x11f/0x470 mm/page_io.c:198
>  shmem_writepage+0x1a75/0x1f70 mm/shmem.c:1536
>  pageout mm/vmscan.c:680 [inline]
>  shrink_folio_list+0x577f/0x7cb0 mm/vmscan.c:1360
>  evict_folios+0x9bce/0xbc80 mm/vmscan.c:4580
>  try_to_shrink_lruvec+0x13a3/0x1750 mm/vmscan.c:4775
>  shrink_one+0x646/0xd20 mm/vmscan.c:4813
>  shrink_many mm/vmscan.c:4876 [inline]
>  lru_gen_shrink_node mm/vmscan.c:4954 [inline]
>  shrink_node+0x451a/0x50f0 mm/vmscan.c:5934
>  kswapd_shrink_node mm/vmscan.c:6762 [inline]
>  balance_pgdat mm/vmscan.c:6954 [inline]
>  kswapd+0x257e/0x4290 mm/vmscan.c:7223
>  kthread+0x3dd/0x540 kernel/kthread.c:389
>  ret_from_fork+0x6d/0x90 arch/x86/kernel/process.c:147
>  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
>
> Uninit was stored to memory at:
>  memcpy_from_iter lib/iov_iter.c:73 [inline]
>  iterate_bvec include/linux/iov_iter.h:122 [inline]
>  iterate_and_advance2 include/linux/iov_iter.h:249 [inline]
>  iterate_and_advance include/linux/iov_iter.h:271 [inline]
>  __copy_from_iter lib/iov_iter.c:249 [inline]
>  copy_page_from_iter_atomic+0x12bb/0x2ae0 lib/iov_iter.c:481
>  copy_folio_from_iter_atomic include/linux/uio.h:186 [inline]
>  generic_perform_write+0x896/0x12e0 mm/filemap.c:4032
>  shmem_file_write_iter+0x2bd/0x2f0 mm/shmem.c:3074
>  do_iter_readv_writev+0x8a1/0xa40
>  vfs_iter_write+0x459/0xd50 fs/read_write.c:895
>  lo_write_bvec drivers/block/loop.c:243 [inline]
>  lo_write_simple drivers/block/loop.c:264 [inline]
>  do_req_filebacked drivers/block/loop.c:511 [inline]
>  loop_handle_cmd drivers/block/loop.c:1910 [inline]
>  loop_process_work+0x15ec/0x3750 drivers/block/loop.c:1945
>  loop_rootcg_workfn+0x2b/0x40 drivers/block/loop.c:1976
>  process_one_work kernel/workqueue.c:3231 [inline]
>  process_scheduled_works+0xae0/0x1c40 kernel/workqueue.c:3312
>  worker_thread+0xea7/0x14d0 kernel/workqueue.c:3389
>  kthread+0x3dd/0x540 kernel/kthread.c:389
>  ret_from_fork+0x6d/0x90 arch/x86/kernel/process.c:147
>  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
>
> Uninit was stored to memory at:
>  copy_to_dinode+0x881/0xb30 fs/jfs/jfs_imap.c:3158
>  diWrite+0x1bf5/0x1f00 fs/jfs/jfs_imap.c:790
>  txCommit+0xdb8/0x8cd0 fs/jfs/jfs_txnmgr.c:1255
>  __jfs_xattr_set+0x1b7/0x1f0 fs/jfs/xattr.c:936
>  jfs_xattr_set+0x79/0x90 fs/jfs/xattr.c:958
>  __vfs_setxattr+0x844/0x8b0 fs/xattr.c:200
>  __vfs_setxattr_noperm+0x22f/0xb00 fs/xattr.c:234
>  __vfs_setxattr_locked+0x441/0x480 fs/xattr.c:295
>  vfs_setxattr+0x294/0x650 fs/xattr.c:321
>  do_setxattr fs/xattr.c:629 [inline]
>  __do_sys_fsetxattr fs/xattr.c:710 [inline]
>  __se_sys_fsetxattr+0x7f0/0x980 fs/xattr.c:686
>  __x64_sys_fsetxattr+0xe4/0x150 fs/xattr.c:686
>  x64_sys_call+0x19c3/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:191
>  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
>  do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
>  entry_SYSCALL_64_after_hwframe+0x77/0x7f
>
> Uninit was stored to memory at:
>  ea_put fs/jfs/xattr.c:639 [inline]
>  __jfs_setxattr+0x185f/0x1ae0 fs/jfs/xattr.c:785
>  __jfs_xattr_set+0xe6/0x1f0 fs/jfs/xattr.c:934
>  jfs_xattr_set+0x79/0x90 fs/jfs/xattr.c:958
>  __vfs_setxattr+0x844/0x8b0 fs/xattr.c:200
>  __vfs_setxattr_noperm+0x22f/0xb00 fs/xattr.c:234
>  __vfs_setxattr_locked+0x441/0x480 fs/xattr.c:295
>  vfs_setxattr+0x294/0x650 fs/xattr.c:321
>  do_setxattr fs/xattr.c:629 [inline]
>  __do_sys_fsetxattr fs/xattr.c:710 [inline]
>  __se_sys_fsetxattr+0x7f0/0x980 fs/xattr.c:686
>  __x64_sys_fsetxattr+0xe4/0x150 fs/xattr.c:686
>  x64_sys_call+0x19c3/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:191
>  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
>  do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
>  entry_SYSCALL_64_after_hwframe+0x77/0x7f
>
> Local variable ea_buf created at:
>  __jfs_setxattr+0x5d/0x1ae0 fs/jfs/xattr.c:662
>  __jfs_xattr_set+0xe6/0x1f0 fs/jfs/xattr.c:934
>
> CPU: 0 UID: 0 PID: 81 Comm: kswapd0 Tainted: G W 6.11.0-rc5-syzkaller #0
> Tainted: [W]=WARN
> =====================================================
>
> The reason is ea_buf->new_ea is not initialized properly.
>
> Fix this by using memset to empty its content at the beginning
> in ea_get().
>
> Reported-by: syz...@sy...
> Closes: https://syzkaller.appspot.com/bug?extid=02341e0daa42a15ce130
> Signed-off-by: Zhao Mengmeng <zha...@ky...>
> ---
>  fs/jfs/xattr.c | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/fs/jfs/xattr.c b/fs/jfs/xattr.c
> index 2999ed5d83f5..0fb05e314edf 100644
> --- a/fs/jfs/xattr.c
> +++ b/fs/jfs/xattr.c
> @@ -434,6 +434,8 @@ static int ea_get(struct inode *inode, struct ea_buffer *ea_buf, int min_size)
>  	int rc;
>  	int quota_allocation = 0;
>  
> +	memset(&ea_buf->new_ea, 0, sizeof(ea_buf->new_ea));
> +
>  	/* When fsck.jfs clears a bad ea, it doesn't clear the size */
>  	if (ji->ea.flag == 0)
>  		ea_size = 0;

From: Zhao M. <zha...@ky...> - 2024-09-04 01:24:53

syzbot reports that lzo1x_1_do_compress is using uninit-value:

=====================================================
BUG: KMSAN: uninit-value in lzo1x_1_do_compress+0x19f9/0x2510 lib/lzo/lzo1x_compress.c:178
 lzo1x_1_do_compress+0x19f9/0x2510 lib/lzo/lzo1x_compress.c:178
 lzogeneric1x_1_compress+0x26a/0x11b0 lib/lzo/lzo1x_compress.c:333
 lzo1x_1_compress+0x47/0x80 lib/lzo/lzo1x_compress.c:383
 __lzo_compress crypto/lzo.c:58 [inline]
 lzo_scompress+0x98/0x180 crypto/lzo.c:79
 scomp_acomp_comp_decomp+0x7c6/0xb90
 scomp_acomp_compress+0x32/0x40 crypto/scompress.c:187
 crypto_acomp_compress include/crypto/acompress.h:251 [inline]
 zswap_compress+0x368/0xad0 mm/zswap.c:927
 zswap_store+0x1af3/0x2dd0 mm/zswap.c:1459
 swap_writepage+0x11f/0x470 mm/page_io.c:198
 shmem_writepage+0x1a75/0x1f70 mm/shmem.c:1536
 pageout mm/vmscan.c:680 [inline]
 shrink_folio_list+0x577f/0x7cb0 mm/vmscan.c:1360
 evict_folios+0x9bce/0xbc80 mm/vmscan.c:4580
 try_to_shrink_lruvec+0x13a3/0x1750 mm/vmscan.c:4775
 shrink_one+0x646/0xd20 mm/vmscan.c:4813
 shrink_many mm/vmscan.c:4876 [inline]
 lru_gen_shrink_node mm/vmscan.c:4954 [inline]
 shrink_node+0x451a/0x50f0 mm/vmscan.c:5934
 kswapd_shrink_node mm/vmscan.c:6762 [inline]
 balance_pgdat mm/vmscan.c:6954 [inline]
 kswapd+0x257e/0x4290 mm/vmscan.c:7223
 kthread+0x3dd/0x540 kernel/kthread.c:389
 ret_from_fork+0x6d/0x90 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Uninit was stored to memory at:
 memcpy_from_iter lib/iov_iter.c:73 [inline]
 iterate_bvec include/linux/iov_iter.h:122 [inline]
 iterate_and_advance2 include/linux/iov_iter.h:249 [inline]
 iterate_and_advance include/linux/iov_iter.h:271 [inline]
 __copy_from_iter lib/iov_iter.c:249 [inline]
 copy_page_from_iter_atomic+0x12bb/0x2ae0 lib/iov_iter.c:481
 copy_folio_from_iter_atomic include/linux/uio.h:186 [inline]
 generic_perform_write+0x896/0x12e0 mm/filemap.c:4032
 shmem_file_write_iter+0x2bd/0x2f0 mm/shmem.c:3074
 do_iter_readv_writev+0x8a1/0xa40
 vfs_iter_write+0x459/0xd50 fs/read_write.c:895
 lo_write_bvec drivers/block/loop.c:243 [inline]
 lo_write_simple drivers/block/loop.c:264 [inline]
 do_req_filebacked drivers/block/loop.c:511 [inline]
 loop_handle_cmd drivers/block/loop.c:1910 [inline]
 loop_process_work+0x15ec/0x3750 drivers/block/loop.c:1945
 loop_rootcg_workfn+0x2b/0x40 drivers/block/loop.c:1976
 process_one_work kernel/workqueue.c:3231 [inline]
 process_scheduled_works+0xae0/0x1c40 kernel/workqueue.c:3312
 worker_thread+0xea7/0x14d0 kernel/workqueue.c:3389
 kthread+0x3dd/0x540 kernel/kthread.c:389
 ret_from_fork+0x6d/0x90 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Uninit was stored to memory at:
 copy_to_dinode+0x881/0xb30 fs/jfs/jfs_imap.c:3158
 diWrite+0x1bf5/0x1f00 fs/jfs/jfs_imap.c:790
 txCommit+0xdb8/0x8cd0 fs/jfs/jfs_txnmgr.c:1255
 __jfs_xattr_set+0x1b7/0x1f0 fs/jfs/xattr.c:936
 jfs_xattr_set+0x79/0x90 fs/jfs/xattr.c:958
 __vfs_setxattr+0x844/0x8b0 fs/xattr.c:200
 __vfs_setxattr_noperm+0x22f/0xb00 fs/xattr.c:234
 __vfs_setxattr_locked+0x441/0x480 fs/xattr.c:295
 vfs_setxattr+0x294/0x650 fs/xattr.c:321
 do_setxattr fs/xattr.c:629 [inline]
 __do_sys_fsetxattr fs/xattr.c:710 [inline]
 __se_sys_fsetxattr+0x7f0/0x980 fs/xattr.c:686
 __x64_sys_fsetxattr+0xe4/0x150 fs/xattr.c:686
 x64_sys_call+0x19c3/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:191
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was stored to memory at:
 ea_put fs/jfs/xattr.c:639 [inline]
 __jfs_setxattr+0x185f/0x1ae0 fs/jfs/xattr.c:785
 __jfs_xattr_set+0xe6/0x1f0 fs/jfs/xattr.c:934
 jfs_xattr_set+0x79/0x90 fs/jfs/xattr.c:958
 __vfs_setxattr+0x844/0x8b0 fs/xattr.c:200
 __vfs_setxattr_noperm+0x22f/0xb00 fs/xattr.c:234
 __vfs_setxattr_locked+0x441/0x480 fs/xattr.c:295
 vfs_setxattr+0x294/0x650 fs/xattr.c:321
 do_setxattr fs/xattr.c:629 [inline]
 __do_sys_fsetxattr fs/xattr.c:710 [inline]
 __se_sys_fsetxattr+0x7f0/0x980 fs/xattr.c:686
 __x64_sys_fsetxattr+0xe4/0x150 fs/xattr.c:686
 x64_sys_call+0x19c3/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:191
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Local variable ea_buf created at:
 __jfs_setxattr+0x5d/0x1ae0 fs/jfs/xattr.c:662
 __jfs_xattr_set+0xe6/0x1f0 fs/jfs/xattr.c:934

CPU: 0 UID: 0 PID: 81 Comm: kswapd0 Tainted: G W 6.11.0-rc5-syzkaller #0
Tainted: [W]=WARN
=====================================================

The reason is ea_buf->new_ea is not initialized properly.

Fix this by using memset to empty its content at the beginning
in ea_get().

Reported-by: syz...@sy...
Closes: https://syzkaller.appspot.com/bug?extid=02341e0daa42a15ce130
Signed-off-by: Zhao Mengmeng <zha...@ky...>
---
 fs/jfs/xattr.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/fs/jfs/xattr.c b/fs/jfs/xattr.c
index 2999ed5d83f5..0fb05e314edf 100644
--- a/fs/jfs/xattr.c
+++ b/fs/jfs/xattr.c
@@ -434,6 +434,8 @@ static int ea_get(struct inode *inode, struct ea_buffer *ea_buf, int min_size)
 	int rc;
 	int quota_allocation = 0;
 
+	memset(&ea_buf->new_ea, 0, sizeof(ea_buf->new_ea));
+
 	/* When fsck.jfs clears a bad ea, it doesn't clear the size */
 	if (ji->ea.flag == 0)
 		ea_size = 0;
-- 
2.43.0

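Review bot: the memset at the top of ea_get() clears only ea_buf->new_ea, while the KMSAN trace shows the whole ea_buf is an uninitialized local created in __jfs_setxattr (fs/jfs/xattr.c:662); consider also clearing the entire buffer where it is declared, e.g. `memset(&ea_buf, 0, sizeof(ea_buf));` right after the declaration at xattr.c:662, so that any other reserved or padding bytes that reach copy_to_dinode are covered as well, and add a one-line comment above the new memset explaining that new_ea is copied to the on-disk inode verbatim and therefore its reserved bytes must not carry stack contents. Keeping the memset in ea_get() is still worthwhile since it covers every caller of ea_get(), but the commit message should say why that location was chosen over the declaration site.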
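Why the whole-object memset matters rather than setting the "important fields" one by one, as an added illustration that is not kernel code and does not reproduce the real jfs ea_buffer/new_ea layout: a constructed `struct dxd_like` with reserved bytes and compiler padding is overlaid on memory that still holds a stale pattern, its named fields are set, and the raw bytes that would be written to disk are counted with and without the memset.

```c
/* Added illustration, not kernel code. `struct dxd_like` is a constructed
 * stand-in for an on-disk descriptor with reserved bytes; the real jfs
 * layout is not reproduced here. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STALE 0xAA /* constructed: stands in for leftover stack contents */

struct dxd_like {
    uint8_t  flag;     /* set by the code path */
    uint8_t  rsrvd[2]; /* reserved: nothing ever writes these */
    /* the compiler inserts one padding byte here to align `size` */
    uint32_t size;     /* set by the code path */
    uint64_t addr;     /* set by the code path */
};

/* Memory that still holds whatever was there before; the descriptor is
 * overlaid on it, like an uninitialized local on the stack. */
union backing {
    struct dxd_like d;
    unsigned char raw[sizeof(struct dxd_like)];
};

/* "The important fields are all set correctly"; rsrvd and padding are not touched. */
static void set_important_fields(struct dxd_like *d)
{
    d->flag = 1;
    d->size = 4096;
    d->addr = 0x1234;
}

/* Count bytes of the raw image that still carry the stale pattern, i.e.
 * bytes that would reach the disk (or a KMSAN report) uninitialized. */
static size_t stale_bytes(const union backing *b)
{
    size_t n = 0;
    for (size_t i = 0; i < sizeof b->raw; i++)
        if (b->raw[i] == STALE)
            n++;
    return n;
}

/* Buggy path: set the fields, skip the memset. */
size_t stale_bytes_without_memset(void)
{
    union backing b;
    memset(b.raw, STALE, sizeof b.raw);
    set_important_fields(&b.d);
    return stale_bytes(&b);
}

/* Fixed path, mirroring the patch: clear the whole object before setting fields. */
size_t stale_bytes_with_memset(void)
{
    union backing b;
    memset(b.raw, STALE, sizeof b.raw);
    memset(&b.d, 0, sizeof b.d);
    set_important_fields(&b.d);
    return stale_bytes(&b);
}

/* Bytes no setter ever writes: the reserved array plus compiler padding. */
size_t bytes_never_written(void)
{
    struct dxd_like d;
    return sizeof d - sizeof d.flag - sizeof d.size - sizeof d.addr;
}

int main(void)
{
    printf("bytes never written by the setters:       %zu\n", bytes_never_written());
    printf("stale bytes reaching disk without memset: %zu\n", stale_bytes_without_memset());
    printf("stale bytes reaching disk with memset:    %zu\n", stale_bytes_with_memset());
    return 0;
}
```

Every byte the setters skip survives verbatim in the buggy variant, which is exactly the leak KMSAN flagged when copy_to_dinode wrote new_ea to the inode; zeroing the object first makes the count zero regardless of how many reserved or padding bytes the layout has.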
From: syzbot <syz...@sy...> - 2024-09-02 11:32:36
syzbot has found a reproducer for the following issue on: HEAD commit: c9f016e72b5c Merge tag 'x86-urgent-2024-09-01' of git://gi.. git tree: upstream console+strace: https://syzkaller.appspot.com/x/log.txt?x=14d09929980000 kernel config: https://syzkaller.appspot.com/x/.config?x=8926d683f62db53e dashboard link: https://syzkaller.appspot.com/bug?extid=41b43444de86db4c5ed1 compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 syz repro: https://syzkaller.appspot.com/x/repro.syz?x=106934fb980000 C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15617f2f980000 Downloadable assets: disk image: https://storage.googleapis.com/syzbot-assets/e47617e91522/disk-c9f016e7.raw.xz vmlinux: https://storage.googleapis.com/syzbot-assets/69d8aef7dff1/vmlinux-c9f016e7.xz kernel image: https://storage.googleapis.com/syzbot-assets/dd5392c61560/bzImage-c9f016e7.xz mounted in repro: https://storage.googleapis.com/syzbot-assets/7111d4efcae8/mount_0.gz IMPORTANT: if you fix the issue, please add the following tag to the commit: Reported-by: syz...@sy... BUG at fs/jfs/namei.c:513 assert(ip->i_nlink) ------------[ cut here ]------------ kernel BUG at fs/jfs/namei.c:513! 
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 1 UID: 0 PID: 5224 Comm: syz-executor204 Not tainted 6.11.0-rc6-syzkaller-00017-gc9f016e72b5c #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 RIP: 0010:jfs_unlink+0xafd/0xb30 fs/jfs/namei.c:513 Code: e8 c8 5d 91 08 e8 83 f0 73 fe 48 c7 c7 20 9c 22 8c 48 c7 c6 e0 99 22 8c ba 01 02 00 00 48 c7 c1 60 9c 22 8c e8 64 5e 8e 08 90 <0f> 0b e8 5c f0 73 fe 48 c7 c7 20 9c 22 8c 48 c7 c6 e0 99 22 8c ba RSP: 0018:ffffc9000344fbe0 EFLAGS: 00010246 RAX: 000000000000002d RBX: 0000000000000000 RCX: 44cfc770ad800100 RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000 RBP: ffffc9000344fd10 R08: ffffffff8174016c R09: 1ffff92000689f1c R10: dffffc0000000000 R11: fffff52000689f1d R12: 0000000000000000 R13: ffffc9000344fc60 R14: 1ffff92000689f8c R15: ffff888072c33248 FS: 0000555577bcd380(0000) GS:ffff8880b8900000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000000045bdd0 CR3: 000000007ab8a000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> vfs_unlink+0x365/0x650 fs/namei.c:4422 do_unlinkat+0x4ae/0x830 fs/namei.c:4486 __do_sys_unlink fs/namei.c:4534 [inline] __se_sys_unlink fs/namei.c:4532 [inline] __x64_sys_unlink+0x47/0x50 fs/namei.c:4532 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f69ef25fad7 Code: 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 57 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fff4544dac8 EFLAGS: 00000206 ORIG_RAX: 0000000000000057 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f69ef25fad7 RDX: 00007fff4544daf0 RSI: 00007fff4544db80 RDI: 00007fff4544db80 RBP: 
00007fff4544db80 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000100 R11: 0000000000000206 R12: 00007fff4544ec70 R13: 0000555577bd6700 R14: 0000000000000001 R15: 431bde82d7b634db </TASK> Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010:jfs_unlink+0xafd/0xb30 fs/jfs/namei.c:513 Code: e8 c8 5d 91 08 e8 83 f0 73 fe 48 c7 c7 20 9c 22 8c 48 c7 c6 e0 99 22 8c ba 01 02 00 00 48 c7 c1 60 9c 22 8c e8 64 5e 8e 08 90 <0f> 0b e8 5c f0 73 fe 48 c7 c7 20 9c 22 8c 48 c7 c6 e0 99 22 8c ba RSP: 0018:ffffc9000344fbe0 EFLAGS: 00010246 RAX: 000000000000002d RBX: 0000000000000000 RCX: 44cfc770ad800100 RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000 RBP: ffffc9000344fd10 R08: ffffffff8174016c R09: 1ffff92000689f1c R10: dffffc0000000000 R11: fffff52000689f1d R12: 0000000000000000 R13: ffffc9000344fc60 R14: 1ffff92000689f8c R15: ffff888072c33248 FS: 0000555577bcd380(0000) GS:ffff8880b8900000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000000045bdd0 CR3: 000000007ab8a000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 --- If you want syzbot to run the reproducer, reply with: #syz test: git://repo/address.git branch-or-commit-hash If you attach or paste a git patch, syzbot will apply it before testing. |
From: Dave K. <dav...@or...> - 2024-08-27 16:23:42
On 8/23/24 8:25PM, Edward Adam Davis wrote: > syzbot reported an out-of-bounds access in dbSplit because dmt_leafidx is greater > than the number of leaves per dmap tree; add a check for dmt_leafidx in dbFindLeaf. > > Reported-and-tested-by: syz...@sy... > Closes: https://syzkaller.appspot.com/bug?extid=dca05492eff41f604890 > Signed-off-by: Edward Adam Davis <ea...@qq...> > --- > V2 -> V3: Exclude control page > > fs/jfs/jfs_dmap.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c > index cb3cda1390ad..516bac758053 100644 > --- a/fs/jfs/jfs_dmap.c > +++ b/fs/jfs/jfs_dmap.c > @@ -2976,6 +2976,8 @@ static int dbFindLeaf(dmtree_t *tp, int l2nb, int *leafidx, bool is_ctl) > */ > assert(n < 4); > } > + if (!is_ctl && le32_to_cpu(tp->dmt_leafidx) >= LPERDMAP) > + return -ENOSPC; > > /* set the return to the leftmost leaf describing sufficient > * free space. I was thinking something more along the lines of this. jfs: check if leafidx greater than num leaves per dmap tree syzbot reported an out-of-bounds access in dbSplit because dmt_leafidx is greater than the number of leaves per dmap tree; add a check for dmt_leafidx in dbFindLeaf. Shaggy: Modified sanity check to apply to control pages as well as leaf pages. Reported-and-tested-by: syz...@sy... Closes: https://syzkaller.appspot.com/bug?extid=dca05492eff41f604890 Signed-off-by: Edward Adam Davis <ea...@qq...> Signed-off-by: Dave Kleikamp <dav...@or...> --- fs/jfs/jfs_dmap.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c index 8847e8c5d5b4..974ecf5e0d95 100644 --- a/fs/jfs/jfs_dmap.c +++ b/fs/jfs/jfs_dmap.c
@@ -2944,9 +2944,10 @@ static void dbAdjTree(dmtree_t *tp, int leafno, int newval, bool is_ctl) static int dbFindLeaf(dmtree_t *tp, int l2nb, int *leafidx, bool is_ctl) { int ti, n = 0, k, x = 0; - int max_size; + int max_size, max_idx; max_size = is_ctl ? CTLTREESIZE : TREESIZE; + max_idx = is_ctl ? LPERCTL : LPERDMAP; /* first check the root of the tree to see if there is * sufficient free space. @@ -2978,6 +2979,8 @@ static int dbFindLeaf(dmtree_t *tp, int l2nb, int *leafidx, bool is_ctl) */ assert(n < 4); } + if (le32_to_cpu(tp->dmt_leafidx) >= max_idx) + return -ENOSPC; /* set the return to the leftmost leaf describing sufficient * free space. -- 2.46.0 |
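Review bot: in the second hunk, `if (le32_to_cpu(tp->dmt_leafidx) >= max_idx) return -ENOSPC;` reports a corrupted on-disk tree as "no space in this tree". The commit message describes the condition as an out-of-range index coming from a bad image, not a full tree, so the caller cannot tell damage from exhaustion and allocation quietly moves on to the next group. Returning -EIO (and marking the filesystem in error, as other JFS metadata sanity checks do) would surface the corruption; if -ENOSPC is deliberate because the callers only ever skip the tree, a comment on the check should say so. The first hunk (max_idx selected from LPERCTL/LPERDMAP alongside max_size) is fine.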
From: Edward A. D. <ea...@qq...> - 2024-08-24 02:51:17
[syzbot reported] ================================================================== BUG: KASAN: slab-use-after-free in __mutex_lock_common kernel/locking/mutex.c:587 [inline] BUG: KASAN: slab-use-after-free in __mutex_lock+0xfe/0xd70 kernel/locking/mutex.c:752 Read of size 8 at addr ffff8880229254b0 by task syz-executor357/5216 CPU: 0 UID: 0 PID: 5216 Comm: syz-executor357 Not tainted 6.11.0-rc3-syzkaller-00156-gd7a5aa4b3c00 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024 Call Trace: <TASK> __dump_stack lib/dump_stack.c:93 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 __mutex_lock_common kernel/locking/mutex.c:587 [inline] __mutex_lock+0xfe/0xd70 kernel/locking/mutex.c:752 dbFreeBits+0x7ea/0xd90 fs/jfs/jfs_dmap.c:2390 dbFreeDmap fs/jfs/jfs_dmap.c:2089 [inline] dbFree+0x35b/0x680 fs/jfs/jfs_dmap.c:409 dbDiscardAG+0x8a9/0xa20 fs/jfs/jfs_dmap.c:1650 jfs_ioc_trim+0x433/0x670 fs/jfs/jfs_discard.c:100 jfs_ioctl+0x2d0/0x3e0 fs/jfs/ioctl.c:131 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 Freed by task 5218: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579 poison_slab_object+0xe0/0x150 mm/kasan/common.c:240 __kasan_slab_free+0x37/0x60 mm/kasan/common.c:256 kasan_slab_free include/linux/kasan.h:184 [inline] slab_free_hook mm/slub.c:2252 [inline] slab_free mm/slub.c:4473 [inline] kfree+0x149/0x360 mm/slub.c:4594 dbUnmount+0x11d/0x190 fs/jfs/jfs_dmap.c:278 jfs_mount_rw+0x4ac/0x6a0 fs/jfs/jfs_mount.c:247 jfs_remount+0x3d1/0x6b0 fs/jfs/super.c:454 reconfigure_super+0x445/0x880 fs/super.c:1083 
vfs_cmd_reconfigure fs/fsopen.c:263 [inline] vfs_fsconfig_locked fs/fsopen.c:292 [inline] __do_sys_fsconfig fs/fsopen.c:473 [inline] __se_sys_fsconfig+0xb6e/0xf80 fs/fsopen.c:345 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f [Analysis] There are two paths (dbUnmount and jfs_ioc_trim) that generate race condition when accessing bmap, which leads to the occurrence of uaf. Use the lock s_umount to synchronize them, in order to avoid uaf caused by race condition. Reported-and-tested-by: syz...@sy... Signed-off-by: Edward Adam Davis <ea...@qq...> --- V2: serialize jfs_ioc_trim() fs/jfs/jfs_discard.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/fs/jfs/jfs_discard.c b/fs/jfs/jfs_discard.c index 575cb2ba74fc..5f4b305030ad 100644 --- a/fs/jfs/jfs_discard.c +++ b/fs/jfs/jfs_discard.c @@ -65,7 +65,7 @@ void jfs_issue_discard(struct inode *ip, u64 blkno, u64 nblocks) int jfs_ioc_trim(struct inode *ip, struct fstrim_range *range) { struct inode *ipbmap = JFS_SBI(ip->i_sb)->ipbmap; - struct bmap *bmp = JFS_SBI(ip->i_sb)->bmap; + struct bmap *bmp; struct super_block *sb = ipbmap->i_sb; int agno, agno_end; u64 start, end, minlen; @@ -83,10 +83,15 @@ int jfs_ioc_trim(struct inode *ip, struct fstrim_range *range) if (minlen == 0) minlen = 1; + down_read(&sb->s_umount); + bmp = JFS_SBI(ip->i_sb)->bmap; + if (minlen > bmp->db_agsize || start >= bmp->db_mapsize || - range->len < sb->s_blocksize) + range->len < sb->s_blocksize) { + up_read(&sb->s_umount); return -EINVAL; + } if (end >= bmp->db_mapsize) end = bmp->db_mapsize - 1; @@ -100,6 +105,8 @@ int jfs_ioc_trim(struct inode *ip, struct fstrim_range *range) trimmed += dbDiscardAG(ip, agno, minlen); agno++; } + + up_read(&sb->s_umount); range->len = trimmed << sb->s_blocksize_bits; return 0; -- 2.43.0 |
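Review bot: in the second hunk, `bmp = JFS_SBI(ip->i_sb)->bmap;` is read under s_umount but is not checked for NULL before `minlen > bmp->db_agsize`. The maintainer's reply to v1 in this thread states that dbUnmount() frees bmap and sets the pointer to NULL, so a trim issued after a remount to read-only takes the lock and then dereferences NULL. Suggest `if (!bmp) { up_read(&sb->s_umount); return -EINVAL; }` right after the assignment. Also, v1 carried a `Closes:` tag for the syzkaller report that this version drops; it should be restored so the bug is linked to the fix.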
From: Edward A. D. <ea...@qq...> - 2024-08-24 01:32:04
syzbot reported an out-of-bounds access in dbSplit because dmt_leafidx is greater than the number of leaves per dmap tree; add a check for dmt_leafidx in dbFindLeaf. Reported-and-tested-by: syz...@sy... Closes: https://syzkaller.appspot.com/bug?extid=dca05492eff41f604890 Signed-off-by: Edward Adam Davis <ea...@qq...> --- V2 -> V3: Exclude control page fs/jfs/jfs_dmap.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c index cb3cda1390ad..516bac758053 100644 --- a/fs/jfs/jfs_dmap.c +++ b/fs/jfs/jfs_dmap.c @@ -2976,6 +2976,8 @@ static int dbFindLeaf(dmtree_t *tp, int l2nb, int *leafidx, bool is_ctl) */ assert(n < 4); } + if (!is_ctl && le32_to_cpu(tp->dmt_leafidx) >= LPERDMAP) + return -ENOSPC; /* set the return to the leftmost leaf describing sufficient * free space. -- 2.43.0 |
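Review bot: the `!is_ctl &&` guard makes the new check a no-op for control pages, so a corrupted dmt_leafidx in a control page is still used without any bound. v1 was rejected for applying the LPERDMAP limit to control pages; the fix is not to skip them but to pick the limit by page type, `is_ctl ? LPERCTL : LPERDMAP`, and compare against that for both kinds.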
From: Dave K. <dav...@or...> - 2024-08-23 19:18:48
On 8/18/24 11:05PM, Jeongjun Park wrote: > In dbNextAG(), there is no check for the case where bmp->db_numag is > greater than or equal to MAXAG due to a polluted image, which causes an > out-of-bounds access. Therefore, a bounds check should be added in dbMount(). > > And in dbNextAG(), a check for the case where agpref is greater than > bmp->db_numag should be added, so that an out-of-bounds exception is > prevented. > > Additionally, a check for the case where agno is greater than or equal to > MAXAG should be added in diAlloc() to prevent out-of-bounds access. Looks good. Applied. Shaggy > > Reported-by: Jeongjun Park <aha...@gm...> > Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") > Signed-off-by: Jeongjun Park <aha...@gm...> > --- > fs/jfs/jfs_dmap.c | 4 ++-- > fs/jfs/jfs_imap.c | 2 +- > 2 files changed, 3 insertions(+), 3 deletions(-) > > diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c > index 5713994328cb..0625d1c0d064 100644 > --- a/fs/jfs/jfs_dmap.c > +++ b/fs/jfs/jfs_dmap.c > @@ -187,7 +187,7 @@ int dbMount(struct inode *ipbmap) > } > > bmp->db_numag = le32_to_cpu(dbmp_le->dn_numag); > - if (!bmp->db_numag) { > + if (!bmp->db_numag || bmp->db_numag >= MAXAG) { > err = -EINVAL; > goto err_release_metapage; > } > @@ -652,7 +652,7 @@ int dbNextAG(struct inode *ipbmap) > * average free space. > */ > for (i = 0 ; i < bmp->db_numag; i++, agpref++) { > - if (agpref == bmp->db_numag) > + if (agpref >= bmp->db_numag) > agpref = 0; > > if (atomic_read(&bmp->db_active[agpref])) > diff --git a/fs/jfs/jfs_imap.c b/fs/jfs/jfs_imap.c > index 1407feccbc2d..a360b24ed320 100644 > --- a/fs/jfs/jfs_imap.c > +++ b/fs/jfs/jfs_imap.c
> @@ -1360,7 +1360,7 @@ int diAlloc(struct inode *pip, bool dir, struct inode *ip) > /* get the ag number of this iag */ > agno = BLKTOAG(JFS_IP(pip)->agstart, JFS_SBI(pip->i_sb)); > dn_numag = JFS_SBI(pip->i_sb)->bmap->db_numag; > - if (agno < 0 || agno > dn_numag) > + if (agno < 0 || agno > dn_numag || agno >= MAXAG) > return -EIO; > > if (atomic_read(&JFS_SBI(pip->i_sb)->bmap->db_active[agno])) { > -- |
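Review bot: the dbMount() hunk, `if (!bmp->db_numag || bmp->db_numag >= MAXAG)`, rejects a filesystem with exactly MAXAG allocation groups. Group numbers run 0..db_numag-1, so if the per-group arrays indexed by agno (db_active[] in the dbNextAG() hunk) hold MAXAG entries, db_numag == MAXAG is a valid image and the test should be `bmp->db_numag > MAXAG`; keep `>=` only if MAXAG is an exclusive limit, and say which in the commit message.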
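Review bot: in the diAlloc() hunk, the pre-existing `agno > dn_numag` still admits agno == dn_numag, one past the last valid group; the added `agno >= MAXAG` clause stops the array overrun but leaves that off-by-one in place. `agno >= dn_numag` is the tighter test and, once db_numag is bounded in dbMount(), makes the MAXAG clause redundant. If `agno == dn_numag` is intentionally tolerated somewhere, a comment on the check should explain it.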
From: Dave K. <dav...@or...> - 2024-08-23 19:11:08
On 8/16/24 10:55PM, Edward Adam Davis via Jfs-discussion wrote: > [syzbot reported] > ================================================================== > BUG: KASAN: slab-use-after-free in __mutex_lock_common kernel/locking/mutex.c:587 [inline] > BUG: KASAN: slab-use-after-free in __mutex_lock+0xfe/0xd70 kernel/locking/mutex.c:752 > Read of size 8 at addr ffff8880229254b0 by task syz-executor357/5216 > > CPU: 0 UID: 0 PID: 5216 Comm: syz-executor357 Not tainted 6.11.0-rc3-syzkaller-00156-gd7a5aa4b3c00 #0 > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024 > Call Trace: > <TASK> > __dump_stack lib/dump_stack.c:93 [inline] > dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119 > print_address_description mm/kasan/report.c:377 [inline] > print_report+0x169/0x550 mm/kasan/report.c:488 > kasan_report+0x143/0x180 mm/kasan/report.c:601 > __mutex_lock_common kernel/locking/mutex.c:587 [inline] > __mutex_lock+0xfe/0xd70 kernel/locking/mutex.c:752 > dbFreeBits+0x7ea/0xd90 fs/jfs/jfs_dmap.c:2390 > dbFreeDmap fs/jfs/jfs_dmap.c:2089 [inline] > dbFree+0x35b/0x680 fs/jfs/jfs_dmap.c:409 > dbDiscardAG+0x8a9/0xa20 fs/jfs/jfs_dmap.c:1650 > jfs_ioc_trim+0x433/0x670 fs/jfs/jfs_discard.c:100 > jfs_ioctl+0x2d0/0x3e0 fs/jfs/ioctl.c:131 > vfs_ioctl fs/ioctl.c:51 [inline] > __do_sys_ioctl fs/ioctl.c:907 [inline] > __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893 > do_syscall_x64 arch/x86/entry/common.c:52 [inline] > do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 > > Freed by task 5218: > kasan_save_stack mm/kasan/common.c:47 [inline] > kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 > kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579 > poison_slab_object+0xe0/0x150 mm/kasan/common.c:240 > __kasan_slab_free+0x37/0x60 mm/kasan/common.c:256 > kasan_slab_free include/linux/kasan.h:184 [inline] > slab_free_hook mm/slub.c:2252 [inline] > slab_free mm/slub.c:4473 [inline] > kfree+0x149/0x360 mm/slub.c:4594 > dbUnmount+0x11d/0x190 fs/jfs/jfs_dmap.c:278 > 
jfs_mount_rw+0x4ac/0x6a0 fs/jfs/jfs_mount.c:247 > jfs_remount+0x3d1/0x6b0 fs/jfs/super.c:454 > reconfigure_super+0x445/0x880 fs/super.c:1083 > vfs_cmd_reconfigure fs/fsopen.c:263 [inline] > vfs_fsconfig_locked fs/fsopen.c:292 [inline] > __do_sys_fsconfig fs/fsopen.c:473 [inline] > __se_sys_fsconfig+0xb6e/0xf80 fs/fsopen.c:345 > do_syscall_x64 arch/x86/entry/common.c:52 [inline] > do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 > entry_SYSCALL_64_after_hwframe+0x77/0x7f > > [Analysis] > There are two paths (dbUnmount and dbDiscardAG) that generate race > condition when accessing bmap, which leads to the occurrence of uaf. > > Use the lock s_umount to synchronize them, in order to avoid uaf caused > by race condition. I'm afraid this is insufficient. dbUnmount() will actually free JFS_SBI(ipbmap->i_sb)->bmap and set the pointer to NULL. I think we need to serialize the entire function jfs_ioc_trim(), even before initializing bmp. I don't know what other codepaths might run into the same issue though. Shaggy > > Reported-and-tested-by: syz...@sy... > Closes: https://syzkaller.appspot.com/bug?extid=3c010e21296f33a5dc16 > Signed-off-by: Edward Adam Davis <ea...@qq...> > --- > fs/jfs/jfs_dmap.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c > index cb3cda1390ad..a409ae18454a 100644 > --- a/fs/jfs/jfs_dmap.c > +++ b/fs/jfs/jfs_dmap.c > @@ -1645,7 +1645,9 @@ s64 dbDiscardAG(struct inode *ip, int agno, s64 minlen) > * call jfs_issue_discard() itself */ > if (!(JFS_SBI(sb)->flag & JFS_DISCARD)) > jfs_issue_discard(ip, tt->blkno, tt->nblocks); > + down_read(&sb->s_umount); > dbFree(ip, tt->blkno, tt->nblocks); > + up_read(&sb->s_umount); > trimmed += tt->nblocks; > } > kfree(totrim); |
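Review bot: the down_read()/up_read() pair wraps only the dbFree() call inside the dbDiscardAG() loop, so it does not serialise against the free it is meant to guard. The KASAN trace in this message shows the freeing side is dbUnmount() from a remount; between two iterations the remount can complete and free bmap, and the next dbFree() then locks a mutex inside freed memory exactly as reported, while every other bmap access in the loop and the `bmp` pointer read in jfs_ioc_trim() before the loop are never under the lock at all. Take s_umount once for the whole trim (around the caller in jfs_ioc_trim(), as the maintainer suggests) rather than per dbFree() call, and check bmap for NULL after acquiring it.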
From: Dave K. <dav...@or...> - 2024-08-23 18:30:33
On 7/26/24 8:42PM, Edward Adam Davis wrote: > syzbot reported an out-of-bounds access in dbSplit because dmt_leafidx is greater > than the number of leaves per dmap tree; add a check for dmt_leafidx in dbFindLeaf. > > Reported-and-tested-by: syz...@sy... > Closes: https://syzkaller.appspot.com/bug?extid=dca05492eff41f604890 > Signed-off-by: Edward Adam Davis <ea...@qq...> > --- > fs/jfs/jfs_dmap.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c > index cb3cda1390ad..516bac758053 100644 > --- a/fs/jfs/jfs_dmap.c > +++ b/fs/jfs/jfs_dmap.c > @@ -2976,6 +2976,8 @@ static int dbFindLeaf(dmtree_t *tp, int l2nb, int *leafidx, bool is_ctl) > */ > assert(n < 4); > } > + if (le32_to_cpu(tp->dmt_leafidx) >= LPERDMAP) > + return -ENOSPC; NACK. It needs to be smarter than this. dbFindLeaf() can be called with a control page in which dmt_leafidx is bound by LPERCTL, which is larger than LPERDMAP. > > /* set the return to the leftmost leaf describing sufficient > * free space. |
From: Dave K. <dav...@or...> - 2024-08-23 18:16:35
On 7/9/24 7:12PM, Remington Brasga wrote: > Fix issue with UBSAN throwing shift-out-of-bounds warning. > > Reported-by: syz...@sy... > Signed-off-by: Remington Brasga <rb...@uc...> > --- > When nb = 32, `mask = mask >> nb` or shorthand `mask >>= nb` throws > shift-out-of-bounds warning. > `mask = (mask >> nb)` removes that warning. Looks good. Applied. Shaggy > > Link to the syzbot bug report: https://lore.kernel.org/all/000...@go.../T/ > > fs/jfs/jfs_dmap.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c > index cb3cda1390ad..636aae946e84 100644 > --- a/fs/jfs/jfs_dmap.c > +++ b/fs/jfs/jfs_dmap.c > @@ -3020,7 +3020,7 @@ static int dbFindBits(u32 word, int l2nb) > > /* scan the word for nb free bits at nb alignments. > */ > - for (bitno = 0; mask != 0; bitno += nb, mask >>= nb) { > + for (bitno = 0; mask != 0; bitno += nb, mask = (mask >> nb)) { > if ((mask & word) == mask) > break; > } |
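Review bot: `mask = (mask >> nb)` and `mask >>= nb` perform the same shift with the same count, so when nb == 32 the shift of a 32-bit mask by its full width is still out of range; the rewrite changes what the sanitizer reports, not what the hardware computes. A fix that removes the condition rather than the diagnostic would stop the loop before the shift when nb reaches the word width, for example `if (nb == DBWORD) break;` after the comparison, or fold the shift through a helper that returns 0 for counts >= DBWORD. The cover-letter explanation should also move into the commit message so the reason for the change survives in history.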
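As an added example, not the kernel's dbFindBits() and not part of the patch above, here is the "scan a word for nb free bits at nb alignments" loop written so that the per-iteration shift is defined even when nb equals the word width. The names shr_u32, shift_is_defined and find_free_bits are this example's own; the MSB-first bit numbering (bit 0 is the most significant bit, a set bit means "allocated") follows the JFS dmap convention the thread discusses.

```c
/* Added example: guarded version of the nb-aligned free-bit scan.
 * Not the kernel's dbFindBits(); all names here are the example's own. */
#include <stdint.h>
#include <stdio.h>

#define DBWORD 32u            /* bits per dmap word, as in JFS */
#define ONES   0xffffffffu

/* Right shift that is defined for every count. C leaves `v >> n` undefined
 * once n reaches the width of v, so counts of DBWORD or more yield 0 here. */
static uint32_t shr_u32(uint32_t v, unsigned int n)
{
	return n >= DBWORD ? 0u : v >> n;
}

/* Is a right shift of a 32-bit value by n defined by the C standard? */
int shift_is_defined(unsigned int n)
{
	return n < DBWORD;
}

/* Find the first nb-aligned run of nb free bits in `word`, nb = 1 << l2nb.
 * Returns the bit number (MSB-first), or -1 if no such run exists or l2nb
 * is out of range (nb would exceed DBWORD). */
int find_free_bits(uint32_t word, int l2nb)
{
	unsigned int nb, bitno;
	uint32_t mask, free_bits;

	if (l2nb < 0 || l2nb > 5)
		return -1;
	nb = 1u << l2nb;

	free_bits = ~word;             /* after complement, a set bit means free */
	mask = ONES << (DBWORD - nb);  /* nb == DBWORD gives a shift by 0, fine */

	/* The shift at the end of each pass is the one that goes out of range
	 * when nb == 32; shr_u32() turns it into "no more positions to try". */
	for (bitno = 0; mask != 0; bitno += nb, mask = shr_u32(mask, nb)) {
		if ((mask & free_bits) == mask)
			return (int)bitno;
	}
	return -1;
}

int main(void)
{
	/* Constructed sample words: all free, top bit taken, top nibble taken. */
	printf("word 0x%08x, nb 32 -> %d\n", 0x00000000u, find_free_bits(0x00000000u, 5));
	printf("word 0x%08x, nb 32 -> %d\n", 0x80000000u, find_free_bits(0x80000000u, 5));
	printf("word 0x%08x, nb  4 -> %d\n", 0xf0000000u, find_free_bits(0xf0000000u, 2));
	return 0;
}
```

The nb == 32 case is the interesting one: the mask covers the whole word, so only one comparison is possible, and the guarded shift ends the loop instead of shifting by the full width. A sanitizer build of this example stays quiet because the out-of-range shift is never executed, not because it is spelled differently.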
From: syzbot <syz...@sy...> - 2024-08-23 15:15:39
Hello, syzbot found the following issue on: HEAD commit: 8867bbd4a056 mm: arm64: Fix the out-of-bounds issue in con.. git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci console output: https://syzkaller.appspot.com/x/log.txt?x=129445cb980000 kernel config: https://syzkaller.appspot.com/x/.config?x=1bc88a9f65787e86 dashboard link: https://syzkaller.appspot.com/bug?extid=d3b8979ffdc87bf6e7fa compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 userspace arch: arm64 Unfortunately, I don't have any reproducer for this issue yet. Downloadable assets: disk image: https://storage.googleapis.com/syzbot-assets/5ef30d34e749/disk-8867bbd4.raw.xz vmlinux: https://storage.googleapis.com/syzbot-assets/a21c2389ebfb/vmlinux-8867bbd4.xz kernel image: https://storage.googleapis.com/syzbot-assets/9720b12c3f99/Image-8867bbd4.gz.xz IMPORTANT: if you fix the issue, please add the following tag to the commit: Reported-by: syz...@sy... 00000000b604289f: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000000407d3c3b: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 
================================================================== BUG: KASAN: slab-out-of-bounds in hex_dump_to_buffer+0x5dc/0x984 lib/hexdump.c:193 Read of size 1 at addr ffff0000ef14c040 by task syz.4.137/7458 CPU: 1 PID: 7458 Comm: syz.4.137 Tainted: G W 6.10.0-rc2-syzkaller-g8867bbd4a056 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024 Call trace: dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:317 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:324 __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:114 print_address_description mm/kasan/report.c:377 [inline] print_report+0x198/0x538 mm/kasan/report.c:488 kasan_report+0xd8/0x138 mm/kasan/report.c:601 __asan_report_load1_noabort+0x20/0x2c mm/kasan/report_generic.c:378 hex_dump_to_buffer+0x5dc/0x984 lib/hexdump.c:193 print_hex_dump+0x140/0x248 lib/hexdump.c:276 ea_get+0xa04/0xef0 fs/jfs/xattr.c:561 __jfs_getxattr+0xd4/0x484 fs/jfs/xattr.c:807 jfs_xattr_get+0x50/0x68 fs/jfs/xattr.c:931 __vfs_getxattr+0x394/0x3c0 fs/xattr.c:423 smk_fetch+0xc8/0x150 security/smack/smack_lsm.c:306 smack_d_instantiate+0x594/0x880 security/smack/smack_lsm.c:3588 security_d_instantiate+0x98/0xf0 security/security.c:3916 d_splice_alias+0x70/0x310 fs/dcache.c:2973 jfs_lookup+0x270/0x39c fs/jfs/namei.c:1474 __lookup_slow+0x250/0x374 fs/namei.c:1692 lookup_slow+0x60/0x84 fs/namei.c:1709 walk_component+0x280/0x36c fs/namei.c:2004 lookup_last fs/namei.c:2469 [inline] path_lookupat+0x13c/0x3d0 fs/namei.c:2493 filename_lookup+0x1d4/0x4e0 fs/namei.c:2522 user_path_at_empty+0x5c/0x84 fs/namei.c:2929 user_path_at include/linux/namei.h:58 [inline] path_setxattr+0xbc/0x258 fs/xattr.c:666 __do_sys_setxattr fs/xattr.c:687 [inline] __se_sys_setxattr fs/xattr.c:683 [inline] __arm64_sys_setxattr+0xbc/0xd8 fs/xattr.c:683 __invoke_syscall arch/arm64/kernel/syscall.c:34 [inline] invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:48 el0_svc_common+0x130/0x23c 
arch/arm64/kernel/syscall.c:133 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:152 el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712 el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598 Allocated by task 7458: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x40/0x78 mm/kasan/common.c:68 kasan_save_alloc_info+0x40/0x50 mm/kasan/generic.c:565 unpoison_slab_object mm/kasan/common.c:312 [inline] __kasan_slab_alloc+0x74/0x8c mm/kasan/common.c:338 kasan_slab_alloc include/linux/kasan.h:201 [inline] slab_post_alloc_hook mm/slub.c:3940 [inline] slab_alloc_node mm/slub.c:4000 [inline] kmem_cache_alloc_lru_noprof+0x1c4/0x354 mm/slub.c:4019 jfs_alloc_inode+0x2c/0x68 fs/jfs/super.c:105 alloc_inode fs/inode.c:261 [inline] iget_locked+0x168/0x7a8 fs/inode.c:1280 jfs_iget+0x30/0x364 fs/jfs/inode.c:29 jfs_lookup+0x1e8/0x39c fs/jfs/namei.c:1469 __lookup_slow+0x250/0x374 fs/namei.c:1692 lookup_slow+0x60/0x84 fs/namei.c:1709 walk_component+0x280/0x36c fs/namei.c:2004 lookup_last fs/namei.c:2469 [inline] path_lookupat+0x13c/0x3d0 fs/namei.c:2493 filename_lookup+0x1d4/0x4e0 fs/namei.c:2522 user_path_at_empty+0x5c/0x84 fs/namei.c:2929 user_path_at include/linux/namei.h:58 [inline] path_setxattr+0xbc/0x258 fs/xattr.c:666 __do_sys_setxattr fs/xattr.c:687 [inline] __se_sys_setxattr fs/xattr.c:683 [inline] __arm64_sys_setxattr+0xbc/0xd8 fs/xattr.c:683 __invoke_syscall arch/arm64/kernel/syscall.c:34 [inline] invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:48 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:133 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:152 el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712 el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598 The buggy address belongs to the object at ffff0000ef14b780 which belongs to the cache jfs_ip of size 2240 The buggy address is located 0 bytes to the 
right of allocated 2240-byte region [ffff0000ef14b780, ffff0000ef14c040) The buggy address belongs to the physical page: page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12f148 head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 memcg:ffff0000d5043c01 flags: 0x5ffc00000000040(head|node=0|zone=2|lastcpupid=0x7ff) page_type: 0xffffefff(slab) raw: 05ffc00000000040 ffff0000c4701dc0 dead000000000122 0000000000000000 raw: 0000000000000000 00000000800d000d 00000001ffffefff ffff0000d5043c01 head: 05ffc00000000040 ffff0000c4701dc0 dead000000000122 0000000000000000 head: 0000000000000000 00000000800d000d 00000001ffffefff ffff0000d5043c01 head: 05ffc00000000003 fffffdffc3bc5201 ffffffffffffffff 0000000000000000 head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff0000ef14bf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff0000ef14bf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff0000ef14c000: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc ^ ffff0000ef14c080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff0000ef14c100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ================================================================== 00000000a79079e5: c0 c0 14 ef 00 00 ff ff 22 1d 00 00 11 05 e2 07 ........"....... 00000000323528b3: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0000000045626bb4: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000000b6b86e63: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000000008baf9e1c: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0000000042f276da: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000000001797e4d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000000eafc7170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 
00000000f1d80e07: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0000000092942691: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ ea_get: invalid extended attribute 00000000fa3b70fc: 30 00 00 00 00 0b 06 00 75 73 65 72 2e 78 61 74 0.......user.xat 000000001de11289: 74 72 31 00 78 61 74 74 72 31 00 0b 06 00 75 73 tr1.xattr1....us 00000000f53b2c15: 65 72 2e 78 61 74 74 72 32 00 78 61 74 74 72 32 er.xattr2.xattr2 00000000d6e5c067: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000000004efae81a: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000000008d40e5d4: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000000004d1de3e5: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000000477e8818: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000000005e62b43c: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000000f7f2d9cf: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000000298c2810: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000000cb36034e: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000000121a17a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000000008092db94: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000000b6da7edc: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0000000035d70b3e: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0000000052af5403: ed 81 08 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000000d3619f13: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................ 0000000073a343e7: 00 07 6f 8b 00 80 ff ff 00 80 5e d5 00 00 ff ff ..o.......^..... 00000000b8c2e9bf: d8 bd 14 ef 00 00 ff ff 78 8c 78 c7 00 00 ff ff ........x.x..... 000000001f083067: 04 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 ................ 
--- This report is generated by a bot. It may contain errors. See https://goo.gl/tpsmEJ for more information about syzbot. syzbot engineers can be reached at syz...@go....
syzbot will keep track of this issue. See: https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
From: syzbot <syz...@sy...> - 2024-08-22 05:37:36
Hello,

syzbot found the following issue on:

HEAD commit:    df6cbc62cc9b Merge tag 'scsi-fixes' of git://git.kernel.or..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1076a713980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=7229118d88b4a71b
dashboard link: https://syzkaller.appspot.com/bug?extid=d16facb00df3f446511c
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1702b429980000

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7bc7510fe41f/non_bootable_disk-df6cbc62.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/f4768d9245d4/vmlinux-df6cbc62.xz
kernel image: https://storage.googleapis.com/syzbot-assets/0597825de2fb/bzImage-df6cbc62.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/ac22370a3ae0/mount_1.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syz...@sy...
loop0: detected capacity change from 0 to 32768
lbmIODone: I/O error in JFS log
==================================================================
BUG: KASAN: slab-use-after-free in lbmLogShutdown fs/jfs/jfs_logmgr.c:1863 [inline]
BUG: KASAN: slab-use-after-free in lmLogInit+0xc9f/0x1c90 fs/jfs/jfs_logmgr.c:1416
Read of size 8 at addr ffff88801deb8e18 by task syz.0.95/5566

CPU: 0 UID: 0 PID: 5566 Comm: syz.0.95 Not tainted 6.11.0-rc3-syzkaller-00306-gdf6cbc62cc9b #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:93 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:488
 kasan_report+0x143/0x180 mm/kasan/report.c:601
 lbmLogShutdown fs/jfs/jfs_logmgr.c:1863 [inline]
 lmLogInit+0xc9f/0x1c90 fs/jfs/jfs_logmgr.c:1416
 open_inline_log fs/jfs/jfs_logmgr.c:1175 [inline]
 lmLogOpen+0x55e/0x1040 fs/jfs/jfs_logmgr.c:1069
 jfs_mount_rw+0xf1/0x6a0 fs/jfs/jfs_mount.c:257
 jfs_fill_super+0x681/0xc50 fs/jfs/super.c:565
 mount_bdev+0x20a/0x2d0 fs/super.c:1679
 legacy_get_tree+0xee/0x190 fs/fs_context.c:662
 vfs_get_tree+0x90/0x2a0 fs/super.c:1800
 do_new_mount+0x2be/0xb40 fs/namespace.c:3472
 do_mount fs/namespace.c:3812 [inline]
 __do_sys_mount fs/namespace.c:4020 [inline]
 __se_sys_mount+0x2d6/0x3c0 fs/namespace.c:3997
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7ff94457b0ba
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 7e 1a 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ff943ffee68 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007ff943ffeef0 RCX: 00007ff94457b0ba
RDX: 0000000020005d40 RSI: 0000000020005d80 RDI: 00007ff943ffeeb0
RBP: 0000000020005d40 R08: 00007ff943ffeef0 R09: 0000000000000810
R10: 0000000000000810 R11: 0000000000000246 R12: 0000000020005d80
R13: 00007ff943ffeeb0 R14: 0000000000005e1a R15: 0000000020000400
 </TASK>

Allocated by task 5566:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
 __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:387
 kasan_kmalloc include/linux/kasan.h:211 [inline]
 __kmalloc_cache_noprof+0x19c/0x2c0 mm/slub.c:4189
 kmalloc_noprof include/linux/slab.h:681 [inline]
 lbmLogInit fs/jfs/jfs_logmgr.c:1822 [inline]
 lmLogInit+0x3b4/0x1c90 fs/jfs/jfs_logmgr.c:1270
 open_inline_log fs/jfs/jfs_logmgr.c:1175 [inline]
 lmLogOpen+0x55e/0x1040 fs/jfs/jfs_logmgr.c:1069
 jfs_mount_rw+0xf1/0x6a0 fs/jfs/jfs_mount.c:257
 jfs_fill_super+0x681/0xc50 fs/jfs/super.c:565
 mount_bdev+0x20a/0x2d0 fs/super.c:1679
 legacy_get_tree+0xee/0x190 fs/fs_context.c:662
 vfs_get_tree+0x90/0x2a0 fs/super.c:1800
 do_new_mount+0x2be/0xb40 fs/namespace.c:3472
 do_mount fs/namespace.c:3812 [inline]
 __do_sys_mount fs/namespace.c:4020 [inline]
 __se_sys_mount+0x2d6/0x3c0 fs/namespace.c:3997
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 5566:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
 poison_slab_object+0xe0/0x150 mm/kasan/common.c:240
 __kasan_slab_free+0x37/0x60 mm/kasan/common.c:256
 kasan_slab_free include/linux/kasan.h:184 [inline]
 slab_free_hook mm/slub.c:2252 [inline]
 slab_free mm/slub.c:4473 [inline]
 kfree+0x149/0x360 mm/slub.c:4594
 lbmLogShutdown fs/jfs/jfs_logmgr.c:1865 [inline]
 lmLogInit+0xccd/0x1c90 fs/jfs/jfs_logmgr.c:1416
 open_inline_log fs/jfs/jfs_logmgr.c:1175 [inline]
 lmLogOpen+0x55e/0x1040 fs/jfs/jfs_logmgr.c:1069
 jfs_mount_rw+0xf1/0x6a0 fs/jfs/jfs_mount.c:257
 jfs_fill_super+0x681/0xc50 fs/jfs/super.c:565
 mount_bdev+0x20a/0x2d0 fs/super.c:1679
 legacy_get_tree+0xee/0x190 fs/fs_context.c:662
 vfs_get_tree+0x90/0x2a0 fs/super.c:1800
 do_new_mount+0x2be/0xb40 fs/namespace.c:3472
 do_mount fs/namespace.c:3812 [inline]
 __do_sys_mount fs/namespace.c:4020 [inline]
 __se_sys_mount+0x2d6/0x3c0 fs/namespace.c:3997
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff88801deb8e00
 which belongs to the cache kmalloc-192 of size 192
The buggy address is located 24 bytes inside of
 freed 192-byte region [ffff88801deb8e00, ffff88801deb8ec0)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1deb8
anon flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xfdffffff(slab)
raw: 00fff00000000000 ffff8880158413c0 0000000000000000 dead000000000001
raw: 0000000000000000 0000000080100010 00000001fdffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 1, tgid 1 (swapper/0), ts 13566750501, free_ts 0
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1493
 prep_new_page mm/page_alloc.c:1501 [inline]
 get_page_from_freelist+0x2e4c/0x2f10 mm/page_alloc.c:3442
 __alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4700
 __alloc_pages_node_noprof include/linux/gfp.h:269 [inline]
 alloc_pages_node_noprof include/linux/gfp.h:296 [inline]
 alloc_slab_page+0x5f/0x120 mm/slub.c:2321
 allocate_slab+0x5a/0x2f0 mm/slub.c:2484
 new_slab mm/slub.c:2537 [inline]
 ___slab_alloc+0xcd1/0x14b0 mm/slub.c:3723
 __slab_alloc+0x58/0xa0 mm/slub.c:3813
 __slab_alloc_node mm/slub.c:3866 [inline]
 slab_alloc_node mm/slub.c:4025 [inline]
 __kmalloc_cache_noprof+0x1d5/0x2c0 mm/slub.c:4184
 kmalloc_noprof include/linux/slab.h:681 [inline]
 kzalloc_noprof include/linux/slab.h:807 [inline]
 call_usermodehelper_setup+0x8e/0x270 kernel/umh.c:363
 kobject_uevent_env+0x680/0x8e0 lib/kobject_uevent.c:628
 driver_register+0x2d6/0x320 drivers/base/driver.c:254
 usb_register_driver+0x209/0x3c0 drivers/usb/core/driver.c:1082
 do_one_initcall+0x248/0x880 init/main.c:1267
 do_initcall_level+0x157/0x210 init/main.c:1329
 do_initcalls+0x3f/0x80 init/main.c:1345
 kernel_init_freeable+0x435/0x5d0 init/main.c:1578
page_owner free stack trace missing

Memory state around the buggy address:
 ffff88801deb8d00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88801deb8d80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>ffff88801deb8e00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                            ^
 ffff88801deb8e80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff88801deb8f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
From: syzbot <syz...@sy...> - 2024-08-21 21:35:36
Hello,

syzbot found the following issue on:

HEAD commit:    b311c1b497e5 Merge tag '6.11-rc4-server-fixes' of git://gi..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=17dfa42b980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=df2f0ed7e30a639d
dashboard link: https://syzkaller.appspot.com/bug?extid=c0360e8367d6d8d04a66
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=16210a7b980000

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7bc7510fe41f/non_bootable_disk-b311c1b4.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/1c99fa48192f/vmlinux-b311c1b4.xz
kernel image: https://storage.googleapis.com/syzbot-assets/16d5710a012a/bzImage-b311c1b4.xz
mounted in repro #1: https://storage.googleapis.com/syzbot-assets/bcc0f964f07d/mount_0.gz
mounted in repro #2: https://storage.googleapis.com/syzbot-assets/8d5780313c65/mount_1.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syz...@sy...

bcachefs: bch2_fs_get_tree() error: EPERM
Filesystem bcachefs get_tree() didn't set fc->root
------------[ cut here ]------------
kernel BUG at fs/super.c:1810!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 5368 Comm: syz.0.15 Not tainted 6.11.0-rc4-syzkaller-00019-gb311c1b497e5 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:vfs_get_tree+0x29c/0x2a0 fs/super.c:1810
Code: ff 49 8b 1f 48 89 d8 48 c1 e8 03 42 80 3c 28 00 74 08 48 89 df e8 74 95 ee ff 48 8b 33 48 c7 c7 60 93 18 8c e8 b5 82 a7 09 90 <0f> 0b 66 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f
RSP: 0018:ffffc90002c0fd08 EFLAGS: 00010246
RAX: 0000000000000032 RBX: ffffffff8ef44540 RCX: 3e1a74824a3f5500
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: 1ffff11007074696 R08: ffffffff8174034c R09: 1ffff1100410519a
R10: dffffc0000000000 R11: ffffed100410519b R12: 0000000000000001
R13: dffffc0000000000 R14: ffff8880383a34b0 R15: ffff8880383a3498
FS:  00007fea882896c0(0000) GS:ffff888020800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f7345eec538 CR3: 0000000037c0e000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 do_new_mount+0x2be/0xb40 fs/namespace.c:3472
 do_mount fs/namespace.c:3812 [inline]
 __do_sys_mount fs/namespace.c:4020 [inline]
 __se_sys_mount+0x2d6/0x3c0 fs/namespace.c:3997
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fea8757b61a
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 1a 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fea88288e68 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007fea88288ef0 RCX: 00007fea8757b61a
RDX: 000000002000fec0 RSI: 000000002000ff00 RDI: 00007fea88288eb0
RBP: 000000002000fec0 R08: 00007fea88288ef0 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000002000ff00
R13: 00007fea88288eb0 R14: 000000000000fe88 R15: 0000000020000040
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:vfs_get_tree+0x29c/0x2a0 fs/super.c:1810
Code: ff 49 8b 1f 48 89 d8 48 c1 e8 03 42 80 3c 28 00 74 08 48 89 df e8 74 95 ee ff 48 8b 33 48 c7 c7 60 93 18 8c e8 b5 82 a7 09 90 <0f> 0b 66 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f
RSP: 0018:ffffc90002c0fd08 EFLAGS: 00010246
RAX: 0000000000000032 RBX: ffffffff8ef44540 RCX: 3e1a74824a3f5500
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: 1ffff11007074696 R08: ffffffff8174034c R09: 1ffff1100410519a
R10: dffffc0000000000 R11: ffffed100410519b R12: 0000000000000001
R13: dffffc0000000000 R14: ffff8880383a34b0 R15: ffff8880383a3498
FS:  00007fea882896c0(0000) GS:ffff888020800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007efe67e50469 CR3: 0000000037c0e000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
From: Jeongjun P. <aha...@gm...> - 2024-08-19 04:05:57
In dbNextAG(), there is no check for the case where bmp->db_numag is greater than or equal to MAXAG due to a polluted image, which causes an out-of-bounds access. Therefore, a bounds check should be added in dbMount(). And in dbNextAG(), a check for the case where agpref is greater than bmp->db_numag should be added, so that an out-of-bounds exception is prevented. Additionally, a check for the case where agno is greater than or equal to MAXAG should be added in diAlloc() to prevent out-of-bounds access.

Reported-by: Jeongjun Park <aha...@gm...>
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Jeongjun Park <aha...@gm...>
---
 fs/jfs/jfs_dmap.c | 4 ++--
 fs/jfs/jfs_imap.c | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c index 5713994328cb..0625d1c0d064 100644 --- a/fs/jfs/jfs_dmap.c +++ b/fs/jfs/jfs_dmap.c @@ -187,7 +187,7 @@ int dbMount(struct inode *ipbmap) } bmp->db_numag = le32_to_cpu(dbmp_le->dn_numag); - if (!bmp->db_numag) { + if (!bmp->db_numag || bmp->db_numag >= MAXAG) { err = -EINVAL; goto err_release_metapage; } @@ -652,7 +652,7 @@ int dbNextAG(struct inode *ipbmap) * average free space. */ for (i = 0 ; i < bmp->db_numag; i++, agpref++) { - if (agpref == bmp->db_numag) + if (agpref >= bmp->db_numag) agpref = 0; if (atomic_read(&bmp->db_active[agpref])) diff --git a/fs/jfs/jfs_imap.c b/fs/jfs/jfs_imap.c index 1407feccbc2d..a360b24ed320 100644 --- a/fs/jfs/jfs_imap.c +++ b/fs/jfs/jfs_imap.c @@ -1360,7 +1360,7 @@ int diAlloc(struct inode *pip, bool dir, struct inode *ip) /* get the ag number of this iag */ agno = BLKTOAG(JFS_IP(pip)->agstart, JFS_SBI(pip->i_sb)); dn_numag = JFS_SBI(pip->i_sb)->bmap->db_numag; - if (agno < 0 || agno > dn_numag) + if (agno < 0 || agno > dn_numag || agno >= MAXAG) return -EIO; if (atomic_read(&JFS_SBI(pip->i_sb)->bmap->db_active[agno])) { --
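Review bot: in the dbNextAG hunk the `agpref >= bmp->db_numag` reset only runs inside the loop, yet agpref already carries its value when the loop is entered (its assignment is outside the hunk). If a polluted image can make that value exceed db_numag, please confirm that agpref is not used to index db_active (or any other per-AG array) before this loop as well; if it is, the same guard is needed at the point of assignment, otherwise the first out-of-range access happens before the patched line is ever reached. The change from `==` to `>=` is the right one for the loop itself.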
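Review bot: in the diAlloc hunk the added `agno >= MAXAG` term is unreachable once the dbMount hunk is applied: if `agno > dn_numag` is false then `agno <= dn_numag`, and dbMount now rejects any `db_numag >= MAXAG`, so `agno >= MAXAG` cannot hold. Either drop the term or say in the commit message which path can raise db_numag above the mount-time bound, since a reader otherwise sees the same check twice. The remaining `agno > dn_numag` also still admits `agno == dn_numag`, which the dbNextAG hunk treats as out of range (it wraps agpref to 0 at db_numag); `agno >= dn_numag` would be the consistent bound.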
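As an added example (not part of the patch or of the kernel), the following model runs the three checks the patch argues for against a constructed image whose dn_numag is chosen out of range; it also guards agpref before its first use as an index, which the hunk's loop-only check does not, and uses the strict `>=` bound for agno. The struct, the byte offsets in the constructed page, the errno stand-ins and MAXAG == 128 are assumptions of this model.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Model of the allocation-group (AG) index checks argued for in the patch.
 * Added example, not kernel code: db_numag, db_agpref, db_active, agpref and
 * MAXAG mirror names in fs/jfs/jfs_dmap.c, but this struct, the errno
 * stand-ins, the page offsets and MAXAG == 128 are assumptions of the model. */
#define MAXAG 128
#define MODEL_EINVAL 22
#define MODEL_EIO 5

struct model_bmap {
    uint32_t db_numag;         /* number of AGs, decoded from the on-disk dmap */
    uint32_t db_agpref;        /* preferred AG, also taken from the image */
    int      db_active[MAXAG]; /* per-AG active allocator count: fixed size */
};

/* le32_to_cpu stand-in: decode a little-endian u32 from a byte buffer. */
static uint32_t model_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* dbMount-style validation. dn_numag comes from the image, so it is untrusted
 * and must be bounded by the arrays it will index before it is stored as a
 * loop limit. Returns 0 or -MODEL_EINVAL. */
int model_dbMount(struct model_bmap *bmp, const uint8_t *page, size_t len)
{
    if (len < 8)
        return -MODEL_EINVAL;
    uint32_t numag = model_le32(page);          /* dn_numag at offset 0 (assumed) */
    if (!numag || numag >= MAXAG)               /* the patched dbMount check */
        return -MODEL_EINVAL;
    memset(bmp, 0, sizeof(*bmp));
    bmp->db_numag = numag;
    bmp->db_agpref = model_le32(page + 4);      /* preferred AG at offset 4 (assumed) */
    return 0;
}

/* AGs are numbered 0..db_numag-1, which is what the patched dbNextAG loop
 * assumes when it wraps agpref to 0 at db_numag. A check spelled
 * `agno > db_numag` still admits agno == db_numag; `>=` is the tight bound. */
int model_ag_index_ok(const struct model_bmap *bmp, int agno)
{
    return agno >= 0 && (uint32_t)agno < bmp->db_numag;
}

/* dbNextAG-style search for an AG with no active allocator. agpref is guarded
 * before its first use as an index, not only inside the loop, so a corrupted
 * db_agpref never reaches db_active[] out of range. Returns the AG number or
 * -MODEL_EIO; falling back to the preferred AG when all are busy is a model choice. */
int model_dbNextAG(const struct model_bmap *bmp)
{
    if (!bmp->db_numag || bmp->db_numag >= MAXAG)
        return -MODEL_EIO;
    uint32_t agpref = bmp->db_agpref;
    if (agpref >= bmp->db_numag)                /* guard the pre-loop use */
        agpref = 0;
    if (bmp->db_active[agpref] == 0)            /* quick path: preferred AG idle */
        return (int)agpref;
    uint32_t fallback = agpref;
    for (uint32_t i = 0; i < bmp->db_numag; i++, agpref++) {
        if (agpref >= bmp->db_numag)            /* the patched wrap-around check */
            agpref = 0;
        if (bmp->db_active[agpref] == 0)
            return (int)agpref;
    }
    return (int)fallback;
}

/* Build a constructed dmap page carrying the given dn_numag and preferred AG,
 * mount it, optionally mark one AG busy, and pick the next AG. Returns the
 * mount error if the image is rejected, otherwise the chosen AG number. */
int model_run(uint32_t numag, uint32_t agpref, int busy_ag)
{
    uint8_t page[8];
    for (int i = 0; i < 4; i++) {
        page[i] = (uint8_t)(numag >> (8 * i));
        page[4 + i] = (uint8_t)(agpref >> (8 * i));
    }
    struct model_bmap bmp;
    int rc = model_dbMount(&bmp, page, sizeof page);
    if (rc)
        return rc;
    if (model_ag_index_ok(&bmp, busy_ag))
        bmp.db_active[busy_ag] = 1;
    return model_dbNextAG(&bmp);
}
```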
From: Edward A. D. <ea...@qq...> - 2024-08-17 03:55:55
[syzbot reported]
==================================================================
BUG: KASAN: slab-use-after-free in __mutex_lock_common kernel/locking/mutex.c:587 [inline]
BUG: KASAN: slab-use-after-free in __mutex_lock+0xfe/0xd70 kernel/locking/mutex.c:752
Read of size 8 at addr ffff8880229254b0 by task syz-executor357/5216

CPU: 0 UID: 0 PID: 5216 Comm: syz-executor357 Not tainted 6.11.0-rc3-syzkaller-00156-gd7a5aa4b3c00 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:93 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:488
 kasan_report+0x143/0x180 mm/kasan/report.c:601
 __mutex_lock_common kernel/locking/mutex.c:587 [inline]
 __mutex_lock+0xfe/0xd70 kernel/locking/mutex.c:752
 dbFreeBits+0x7ea/0xd90 fs/jfs/jfs_dmap.c:2390
 dbFreeDmap fs/jfs/jfs_dmap.c:2089 [inline]
 dbFree+0x35b/0x680 fs/jfs/jfs_dmap.c:409
 dbDiscardAG+0x8a9/0xa20 fs/jfs/jfs_dmap.c:1650
 jfs_ioc_trim+0x433/0x670 fs/jfs/jfs_discard.c:100
 jfs_ioctl+0x2d0/0x3e0 fs/jfs/ioctl.c:131
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:907 [inline]
 __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83

Freed by task 5218:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
 poison_slab_object+0xe0/0x150 mm/kasan/common.c:240
 __kasan_slab_free+0x37/0x60 mm/kasan/common.c:256
 kasan_slab_free include/linux/kasan.h:184 [inline]
 slab_free_hook mm/slub.c:2252 [inline]
 slab_free mm/slub.c:4473 [inline]
 kfree+0x149/0x360 mm/slub.c:4594
 dbUnmount+0x11d/0x190 fs/jfs/jfs_dmap.c:278
 jfs_mount_rw+0x4ac/0x6a0 fs/jfs/jfs_mount.c:247
 jfs_remount+0x3d1/0x6b0 fs/jfs/super.c:454
 reconfigure_super+0x445/0x880 fs/super.c:1083
 vfs_cmd_reconfigure fs/fsopen.c:263 [inline]
 vfs_fsconfig_locked fs/fsopen.c:292 [inline]
 __do_sys_fsconfig fs/fsopen.c:473 [inline]
 __se_sys_fsconfig+0xb6e/0xf80 fs/fsopen.c:345
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

[Analysis]
There are two paths (dbUnmount and dbDiscardAG) that generate a race condition when accessing bmap, which leads to the occurrence of a uaf.
Use the lock s_umount to synchronize them, in order to avoid the uaf caused by the race condition.

Reported-and-tested-by: syz...@sy...
Closes: https://syzkaller.appspot.com/bug?extid=3c010e21296f33a5dc16
Signed-off-by: Edward Adam Davis <ea...@qq...>
---
 fs/jfs/jfs_dmap.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c index cb3cda1390ad..a409ae18454a 100644 --- a/fs/jfs/jfs_dmap.c +++ b/fs/jfs/jfs_dmap.c @@ -1645,7 +1645,9 @@ s64 dbDiscardAG(struct inode *ip, int agno, s64 minlen) * call jfs_issue_discard() itself */ if (!(JFS_SBI(sb)->flag & JFS_DISCARD)) jfs_issue_discard(ip, tt->blkno, tt->nblocks); + down_read(&sb->s_umount); dbFree(ip, tt->blkno, tt->nblocks); + up_read(&sb->s_umount); trimmed += tt->nblocks; } kfree(totrim); -- 2.43.0
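Review bot: the s_umount read lock covers only the dbFree call, so every other use of the bmap in dbDiscardAG (the function works on the same object that dbUnmount frees, per the trace above, and even the `JFS_SBI(sb)->flag` read two lines up sits outside the window) stays unsynchronized; the race is narrowed, not closed. Since the remount path in the trace holds s_umount for write across jfs_mount_rw, taking the read lock once for the whole discard, either at the top of dbDiscardAG or in jfs_ioc_trim around its call, would cover every bmap access with the same lock. The commit message should also state that `down_read` is now taken with whatever locks dbDiscardAG already holds at this point, so the lock order against s_umount is documented.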
From: syzbot <syz...@sy...> - 2024-08-17 00:08:11
syzbot has bisected this issue to:

commit 2b9ac22b12a266eb4fec246a07b504dd4983b16b
Author: Kristian Klausen <kri...@kl...>
Date:   Fri Jun 18 11:51:57 2021 +0000

    loop: Fix missing discard support when using LOOP_CONFIGURE

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=16f44605980000
start commit:   d7a5aa4b3c00 Merge tag 'perf-tools-fixes-for-v6.11-2024-08..
git tree:       upstream
final oops:     https://syzkaller.appspot.com/x/report.txt?x=15f44605980000
console output: https://syzkaller.appspot.com/x/log.txt?x=11f44605980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=92c0312151c4e32e
dashboard link: https://syzkaller.appspot.com/bug?extid=3c010e21296f33a5dc16
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=139469f5980000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=100f7713980000

Reported-by: syz...@sy...
Fixes: 2b9ac22b12a2 ("loop: Fix missing discard support when using LOOP_CONFIGURE")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection
From: syzbot <syz...@sy...> - 2024-08-16 17:21:33
syzbot has found a reproducer for the following issue on:

HEAD commit:    d7a5aa4b3c00 Merge tag 'perf-tools-fixes-for-v6.11-2024-08..
git tree:       upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=109f2df3980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=92c0312151c4e32e
dashboard link: https://syzkaller.appspot.com/bug?extid=412dea214d8baa3f7483
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=12114991980000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=11422f5d980000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/64022429061b/disk-d7a5aa4b.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/f4aba88f7db8/vmlinux-d7a5aa4b.xz
kernel image: https://storage.googleapis.com/syzbot-assets/120456a2d9dc/bzImage-d7a5aa4b.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/947fb73311a3/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syz...@sy...

loop0: detected capacity change from 0 to 32768
------------[ cut here ]------------
UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dmap.c:2902:18
index -3 is out of range for type 's8[1365]' (aka 'signed char[1365]')
CPU: 0 UID: 0 PID: 5217 Comm: syz-executor310 Not tainted 6.11.0-rc3-syzkaller-00156-gd7a5aa4b3c00 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:93 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119
 ubsan_epilogue lib/ubsan.c:231 [inline]
 __ubsan_handle_out_of_bounds+0x121/0x150 lib/ubsan.c:429
 dbAdjTree+0x377/0x520 fs/jfs/jfs_dmap.c:2902
 dbAllocBits+0x4ea/0x990 fs/jfs/jfs_dmap.c:2193
 dbAllocDmap+0x6d/0x150 fs/jfs/jfs_dmap.c:2034
 dbAlloc+0x509/0xca0 fs/jfs/jfs_dmap.c:816
 extBalloc fs/jfs/jfs_extent.c:326 [inline]
 extAlloc+0x4f8/0x1010 fs/jfs/jfs_extent.c:122
 jfs_get_block+0x41b/0xe60 fs/jfs/inode.c:248
 __block_write_begin_int+0x50c/0x1a70 fs/buffer.c:2125
 __block_write_begin fs/buffer.c:2174 [inline]
 block_write_begin+0x9b/0x1e0 fs/buffer.c:2235
 jfs_write_begin+0x31/0x70 fs/jfs/inode.c:299
 generic_perform_write+0x399/0x840 mm/filemap.c:4019
 generic_file_write_iter+0xaf/0x310 mm/filemap.c:4147
 new_sync_write fs/read_write.c:497 [inline]
 vfs_write+0xa72/0xc90 fs/read_write.c:590
 ksys_write+0x1a0/0x2c0 fs/read_write.c:643
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f8ed0fe9e99
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffed45f7398 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f8ed1033095 RCX: 00007f8ed0fe9e99
RDX: 00000000fffffdef RSI: 00000000200000c0 RDI: 0000000000000004
RBP: 00007f8ed10645f0 R08: 00005555618f94c0 R09: 00005555618f94c0
R10: 0000000000006289 R11: 0000000000000246 R12: 00007ffed45f73c0
R13: 00007ffed45f75e8 R14: 431bde82d7b634db R15: 00007f8ed103303b
 </TASK>
---[ end trace ]---

---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
From: syzbot <syz...@sy...> - 2024-08-16 13:09:36
Hello,

syzbot found the following issue on:

HEAD commit:    d7a5aa4b3c00 Merge tag 'perf-tools-fixes-for-v6.11-2024-08..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=105afe05980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=92c0312151c4e32e
dashboard link: https://syzkaller.appspot.com/bug?extid=3c010e21296f33a5dc16
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=139469f5980000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=100f7713980000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/64022429061b/disk-d7a5aa4b.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/f4aba88f7db8/vmlinux-d7a5aa4b.xz
kernel image: https://storage.googleapis.com/syzbot-assets/120456a2d9dc/bzImage-d7a5aa4b.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/8d22e7c73cc2/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syz...@sy...

loop0: detected capacity change from 0 to 32768
==================================================================
BUG: KASAN: slab-use-after-free in __mutex_lock_common kernel/locking/mutex.c:587 [inline]
BUG: KASAN: slab-use-after-free in __mutex_lock+0xfe/0xd70 kernel/locking/mutex.c:752
Read of size 8 at addr ffff8880229254b0 by task syz-executor357/5216

CPU: 0 UID: 0 PID: 5216 Comm: syz-executor357 Not tainted 6.11.0-rc3-syzkaller-00156-gd7a5aa4b3c00 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:93 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:488
 kasan_report+0x143/0x180 mm/kasan/report.c:601
 __mutex_lock_common kernel/locking/mutex.c:587 [inline]
 __mutex_lock+0xfe/0xd70 kernel/locking/mutex.c:752
 dbFreeBits+0x7ea/0xd90 fs/jfs/jfs_dmap.c:2390
 dbFreeDmap fs/jfs/jfs_dmap.c:2089 [inline]
 dbFree+0x35b/0x680 fs/jfs/jfs_dmap.c:409
 dbDiscardAG+0x8a9/0xa20 fs/jfs/jfs_dmap.c:1650
 jfs_ioc_trim+0x433/0x670 fs/jfs/jfs_discard.c:100
 jfs_ioctl+0x2d0/0x3e0 fs/jfs/ioctl.c:131
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:907 [inline]
 __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f4b8c992809
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 81 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f4b8c948218 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f4b8ca1f6c8 RCX: 00007f4b8c992809
RDX: 0000000020000680 RSI: 00000000c0185879 RDI: 0000000000000005
RBP: 00007f4b8ca1f6c0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f4b8c9ec0e4
R13: 00007f4b8c9e607e R14: 0037656c69662f2e R15: 0000200002000001
 </TASK>

Allocated by task 5216:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
 __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:387
 kasan_kmalloc include/linux/kasan.h:211 [inline]
 __kmalloc_cache_noprof+0x19c/0x2c0 mm/slub.c:4189
 kmalloc_noprof include/linux/slab.h:681 [inline]
 dbMount+0x58/0x9b0 fs/jfs/jfs_dmap.c:164
 jfs_mount+0x1e0/0x830 fs/jfs/jfs_mount.c:121
 jfs_fill_super+0x59c/0xc50 fs/jfs/super.c:556
 mount_bdev+0x20a/0x2d0 fs/super.c:1679
 legacy_get_tree+0xee/0x190 fs/fs_context.c:662
 vfs_get_tree+0x90/0x2a0 fs/super.c:1800
 do_new_mount+0x2be/0xb40 fs/namespace.c:3472
 do_mount fs/namespace.c:3812 [inline]
 __do_sys_mount fs/namespace.c:4020 [inline]
 __se_sys_mount+0x2d6/0x3c0 fs/namespace.c:3997
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 5218:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
 poison_slab_object+0xe0/0x150 mm/kasan/common.c:240
 __kasan_slab_free+0x37/0x60 mm/kasan/common.c:256
 kasan_slab_free include/linux/kasan.h:184 [inline]
 slab_free_hook mm/slub.c:2252 [inline]
 slab_free mm/slub.c:4473 [inline]
 kfree+0x149/0x360 mm/slub.c:4594
 dbUnmount+0x11d/0x190 fs/jfs/jfs_dmap.c:278
 jfs_mount_rw+0x4ac/0x6a0 fs/jfs/jfs_mount.c:247
 jfs_remount+0x3d1/0x6b0 fs/jfs/super.c:454
 reconfigure_super+0x445/0x880 fs/super.c:1083
 vfs_cmd_reconfigure fs/fsopen.c:263 [inline]
 vfs_fsconfig_locked fs/fsopen.c:292 [inline]
 __do_sys_fsconfig fs/fsopen.c:473 [inline]
 __se_sys_fsconfig+0xb6e/0xf80 fs/fsopen.c:345
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff888022925000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 1200 bytes inside of
 freed 2048-byte region [ffff888022925000, ffff888022925800)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x22920
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
anon flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xfdffffff(slab)
raw: 00fff00000000040 ffff888015442000 0000000000000000 dead000000000001
raw: 0000000000000000 0000000080080008 00000001fdffffff 0000000000000000
head: 00fff00000000040 ffff888015442000 0000000000000000 dead000000000001
head: 0000000000000000 0000000080080008 00000001fdffffff 0000000000000000
head: 00fff00000000003 ffffea00008a4801 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 61, tgid 61 (kworker/u8:4), ts 9893748899, free_ts 0
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1493
 prep_new_page mm/page_alloc.c:1501 [inline]
 get_page_from_freelist+0x2e4c/0x2f10 mm/page_alloc.c:3442
 __alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4700
 __alloc_pages_node_noprof include/linux/gfp.h:269 [inline]
 alloc_pages_node_noprof include/linux/gfp.h:296 [inline]
 alloc_slab_page+0x5f/0x120 mm/slub.c:2321
 allocate_slab+0x5a/0x2f0 mm/slub.c:2484
 new_slab mm/slub.c:2537 [inline]
 ___slab_alloc+0xcd1/0x14b0 mm/slub.c:3723
 __slab_alloc+0x58/0xa0 mm/slub.c:3813
 __slab_alloc_node mm/slub.c:3866 [inline]
 slab_alloc_node mm/slub.c:4025 [inline]
 __do_kmalloc_node mm/slub.c:4157 [inline]
 __kmalloc_noprof+0x25a/0x400 mm/slub.c:4170
 kmalloc_noprof include/linux/slab.h:685 [inline]
 kzalloc_noprof include/linux/slab.h:807 [inline]
 scsi_alloc_target+0x132/0xca0 drivers/scsi/scsi_scan.c:503
 __scsi_scan_target+0x17d/0x1080 drivers/scsi/scsi_scan.c:1740
 scsi_scan_channel drivers/scsi/scsi_scan.c:1845 [inline]
 scsi_scan_host_selected+0x37e/0x690 drivers/scsi/scsi_scan.c:1874
 do_scsi_scan_host drivers/scsi/scsi_scan.c:2013 [inline]
 do_scan_async+0x138/0x7a0 drivers/scsi/scsi_scan.c:2023
 async_run_entry_fn+0xa8/0x420 kernel/async.c:129
 process_one_work kernel/workqueue.c:3231 [inline]
 process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3312
 worker_thread+0x86d/0xd40 kernel/workqueue.c:3390
 kthread+0x2f0/0x390 kernel/kthread.c:389
page_owner free stack trace missing

Memory state around the buggy address:
 ffff888022925380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888022925400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888022925480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                     ^
 ffff888022925500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888022925580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syz...@go....

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup
From: Greg Kroah-H. <gr...@li...> - 2024-08-15 14:10:06
6.6-stable review patch. If anyone has any objections, please let me know.

------------------

From: Jan Kara <ja...@su...>

[ Upstream commit 898c57f456b537e90493a9e9222226aa3ea66267 ]

Convert jfs to use bdev_open_by_dev() and pass the handle around.

CC: Dave Kleikamp <sh...@ke...>
CC: jfs...@li...
Acked-by: Christoph Hellwig <hc...@ls...>
Acked-by: Dave Kleikamp <dav...@or...>
Reviewed-by: Christian Brauner <br...@ke...>
Signed-off-by: Jan Kara <ja...@su...>
Link: https://lore.kernel.org/r/202...@su...
Signed-off-by: Christian Brauner <br...@ke...>
Stable-dep-of: 6306ff39a7fc ("jfs: fix log->bdev_handle null ptr deref in lbmStartIO")
Signed-off-by: Sasha Levin <sa...@ke...>
---
 fs/jfs/jfs_logmgr.c | 29 +++++++++++++++--------------
 fs/jfs/jfs_logmgr.h | 2 +-
 fs/jfs/jfs_mount.c | 3 ++-
 3 files changed, 18 insertions(+), 16 deletions(-)

diff --git a/fs/jfs/jfs_logmgr.c b/fs/jfs/jfs_logmgr.c index e855b8fde76ce..c911d838b8ec8 100644 --- a/fs/jfs/jfs_logmgr.c +++ b/fs/jfs/jfs_logmgr.c @@ -1058,7 +1058,7 @@ void jfs_syncpt(struct jfs_log *log, int hard_sync) int lmLogOpen(struct super_block *sb) { int rc; - struct block_device *bdev; + struct bdev_handle *bdev_handle; struct jfs_log *log; struct jfs_sb_info *sbi = JFS_SBI(sb); @@ -1070,7 +1070,7 @@ int lmLogOpen(struct super_block *sb) mutex_lock(&jfs_log_mutex); list_for_each_entry(log, &jfs_external_logs, journal_list) { - if (log->bdev->bd_dev == sbi->logdev) { + if (log->bdev_handle->bdev->bd_dev == sbi->logdev) { if (!uuid_equal(&log->uuid, &sbi->loguuid)) { jfs_warn("wrong uuid on JFS journal"); mutex_unlock(&jfs_log_mutex);
@@ -1100,14 +1100,14 @@ int lmLogOpen(struct super_block *sb) * file systems to log may have n-to-1 relationship; */ - bdev = blkdev_get_by_dev(sbi->logdev, BLK_OPEN_READ | BLK_OPEN_WRITE, - log, NULL); - if (IS_ERR(bdev)) { - rc = PTR_ERR(bdev); + bdev_handle = bdev_open_by_dev(sbi->logdev, + BLK_OPEN_READ | BLK_OPEN_WRITE, log, NULL); + if (IS_ERR(bdev_handle)) { + rc = PTR_ERR(bdev_handle); goto free; } - log->bdev = bdev; + log->bdev_handle = bdev_handle; uuid_copy(&log->uuid, &sbi->loguuid); /* @@ -1141,7 +1141,7 @@ int lmLogOpen(struct super_block *sb) lbmLogShutdown(log); close: /* close external log device */ - blkdev_put(bdev, log); + bdev_release(bdev_handle); free: /* free log descriptor */ mutex_unlock(&jfs_log_mutex); @@ -1162,7 +1162,7 @@ static int open_inline_log(struct super_block *sb) init_waitqueue_head(&log->syncwait); set_bit(log_INLINELOG, &log->flag); - log->bdev = sb->s_bdev; + log->bdev_handle = sb->s_bdev_handle; log->base = addressPXD(&JFS_SBI(sb)->logpxd); log->size = lengthPXD(&JFS_SBI(sb)->logpxd) >> (L2LOGPSIZE - sb->s_blocksize_bits); @@ -1436,7 +1436,7 @@ int lmLogClose(struct super_block *sb) { struct jfs_sb_info *sbi = JFS_SBI(sb); struct jfs_log *log = sbi->log; - struct block_device *bdev; + struct bdev_handle *bdev_handle; int rc = 0; jfs_info("lmLogClose: log:0x%p", log); @@ -1482,10 +1482,10 @@ int lmLogClose(struct super_block *sb) * external log as separate logical volume */ list_del(&log->journal_list); - bdev = log->bdev; + bdev_handle = log->bdev_handle; rc = lmLogShutdown(log); - blkdev_put(bdev, log); + bdev_release(bdev_handle); kfree(log); 
@@ -1972,7 +1972,7 @@ static int lbmRead(struct jfs_log * log, int pn, struct lbuf ** bpp) bp->l_flag |= lbmREAD; - bio = bio_alloc(log->bdev, 1, REQ_OP_READ, GFP_NOFS); + bio = bio_alloc(log->bdev_handle->bdev, 1, REQ_OP_READ, GFP_NOFS); bio->bi_iter.bi_sector = bp->l_blkno << (log->l2bsize - 9); __bio_add_page(bio, bp->l_page, LOGPSIZE, bp->l_offset); BUG_ON(bio->bi_iter.bi_size != LOGPSIZE); @@ -2113,7 +2113,8 @@ static void lbmStartIO(struct lbuf * bp) jfs_info("lbmStartIO"); - bio = bio_alloc(log->bdev, 1, REQ_OP_WRITE | REQ_SYNC, GFP_NOFS); + bio = bio_alloc(log->bdev_handle->bdev, 1, REQ_OP_WRITE | REQ_SYNC, + GFP_NOFS); bio->bi_iter.bi_sector = bp->l_blkno << (log->l2bsize - 9); __bio_add_page(bio, bp->l_page, LOGPSIZE, bp->l_offset); BUG_ON(bio->bi_iter.bi_size != LOGPSIZE); diff --git a/fs/jfs/jfs_logmgr.h b/fs/jfs/jfs_logmgr.h index 805877ce50204..84aa2d2539074 100644 --- a/fs/jfs/jfs_logmgr.h +++ b/fs/jfs/jfs_logmgr.h @@ -356,7 +356,7 @@ struct jfs_log { * before writing syncpt. */ struct list_head journal_list; /* Global list */ - struct block_device *bdev; /* 4: log lv pointer */ + struct bdev_handle *bdev_handle; /* 4: log lv pointer */ int serial; /* 4: log mount serial number */ s64 base; /* @8: log extent address (inline log ) */ diff --git a/fs/jfs/jfs_mount.c b/fs/jfs/jfs_mount.c index 631b8bd3e4384..9b5c6a20b30c8 100644 --- a/fs/jfs/jfs_mount.c +++ b/fs/jfs/jfs_mount.c @@ -430,7 +430,8 @@ int updateSuper(struct super_block *sb, uint state) if (state == FM_MOUNT) { /* record log's dev_t and mount serial number */ - j_sb->s_logdev = cpu_to_le32(new_encode_dev(sbi->log->bdev->bd_dev)); + j_sb->s_logdev = cpu_to_le32( + new_encode_dev(sbi->log->bdev_handle->bdev->bd_dev)); j_sb->s_logserial = cpu_to_le32(sbi->log->serial); } else if (state == FM_CLEAN) { /* -- 2.43.0 |
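Review bot: the lbmStartIO hunk (and the lbmRead hunk before it) replaces `log->bdev` with `log->bdev_handle->bdev`, an unconditional dereference of the new pointer; the Stable-dep-of tag names 6306ff39a7fc ("jfs: fix log->bdev_handle null ptr deref in lbmStartIO") for exactly this line. The backport should be queued together with that fix so 6.6-stable never sits at a revision where a log without a bdev_handle reaches bio_alloc here.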
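Review bot: in the open_inline_log hunk the inline log takes `sb->s_bdev_handle` without opening a handle of its own, so the log does not own what it points at. That only works if lmLogClose never calls `bdev_release(bdev_handle)` for an inline log; the lmLogClose hunk is under the "external log as separate logical volume" comment, which suggests the inline case returns earlier, but a comment at the assignment saying the handle is owned by the superblock and must not be released would make that invariant explicit for the next person touching this code.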
From: syzbot <syz...@sy...> - 2024-08-13 08:52:41
Hello jfs maintainers/developers,

This is a 31-day syzbot report for the jfs subsystem.
All related reports/information can be found at:
https://syzkaller.appspot.com/upstream/s/jfs

During the period, 4 new issues were detected and 0 were fixed.
In total, 52 issues are still open and 43 have been fixed so far.

Some of the still happening issues:

Ref   Crashes  Repro  Title
<1>   13937    Yes    kernel BUG in jfs_evict_inode
                      https://syzkaller.appspot.com/bug?extid=9c0c58ea2e4887ab502e
<2>   6809     Yes    kernel BUG in txUnlock
                      https://syzkaller.appspot.com/bug?extid=a63afa301d1258d09267
<3>   3462     Yes    general protection fault in lmLogSync (2)
                      https://syzkaller.appspot.com/bug?extid=e14b1036481911ae4d77
<4>   2508     Yes    WARNING in dbAdjTree
                      https://syzkaller.appspot.com/bug?extid=ab18fa9c959320611727
<5>   2152     Yes    general protection fault in write_special_inodes
                      https://syzkaller.appspot.com/bug?extid=c732e285f8fc38d15916
<6>   1572     Yes    INFO: task hung in lock_metapage
                      https://syzkaller.appspot.com/bug?extid=1d84a1682e4673d5c4fb
<7>   1514     Yes    KASAN: user-memory-access Write in __destroy_inode
                      https://syzkaller.appspot.com/bug?extid=dcc068159182a4c31ca3
<8>   1413     Yes    kernel BUG in dbFindLeaf
                      https://syzkaller.appspot.com/bug?extid=dcea2548c903300a400e
<9>   798      Yes    general protection fault in jfs_flush_journal
                      https://syzkaller.appspot.com/bug?extid=194bfe3476f96782c0b6
<10>  602      Yes    INFO: trying to register non-static key in txEnd (2)
                      https://syzkaller.appspot.com/bug?extid=5b27962d84feb4acb5c1

---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syz...@go....

To disable reminders for individual bugs, reply with the following command:
#syz set <Ref> no-reminders

To change bug's subsystems, reply with:
#syz set <Ref> subsystems: new-subsystem

You may send multiple commands in a single email message.