[syzbot] [nilfs?] UBSAN: array-index-out-of-bounds in nilfs_add_link


syzbot

Apr 15, 2024, 6:09:30 AM
to konishi...@gmail.com, linux-...@vger.kernel.org, linux-...@vger.kernel.org, linux...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: fe46a7dd189e Merge tag 'sound-6.9-rc1' of git://git.kernel..
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=1777792b180000
kernel config: https://syzkaller.appspot.com/x/.config?x=4d90a36f0cab495a
dashboard link: https://syzkaller.appspot.com/bug?extid=2e22057de05b9f3b30d8
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1176600b180000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15141b43180000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/72ab73815344/disk-fe46a7dd.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/2d6d6b0d7071/vmlinux-fe46a7dd.xz
kernel image: https://storage.googleapis.com/syzbot-assets/48e275e5478b/bzImage-fe46a7dd.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/de3bc2f4acaf/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+2e2205...@syzkaller.appspotmail.com

------------[ cut here ]------------
UBSAN: array-index-out-of-bounds in fs/nilfs2/dir.c:257:18
index 15 is out of range for type 'unsigned char[15]'
CPU: 0 PID: 5057 Comm: syz-executor165 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
ubsan_epilogue lib/ubsan.c:217 [inline]
__ubsan_handle_out_of_bounds+0x121/0x150 lib/ubsan.c:415
nilfs_set_de_type fs/nilfs2/dir.c:257 [inline]
nilfs_add_link+0xb39/0xb80 fs/nilfs2/dir.c:501
nilfs_link+0x136/0x220 fs/nilfs2/namei.c:192
vfs_link+0x4f5/0x690 fs/namei.c:4608
do_linkat+0x356/0x760 fs/namei.c:4679
__do_sys_linkat fs/namei.c:4707 [inline]
__se_sys_linkat fs/namei.c:4704 [inline]
__x64_sys_linkat+0xdd/0xf0 fs/namei.c:4704
do_syscall_64+0xfb/0x240
entry_SYSCALL_64_after_hwframe+0x6d/0x75
RIP: 0033:0x7f0624efc679
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff6dc40a98 EFLAGS: 00000246 ORIG_RAX: 0000000000000109
RAX: ffffffffffffffda RBX: 00007fff6dc40c68 RCX: 00007f0624efc679
RDX: 0000000000000004 RSI: 0000000020000180 RDI: 0000000000000004
RBP: 00007f0624f70610 R08: 0000000000000000 R09: 00007fff6dc40c68
R10: 0000000020000640 R11: 0000000000000246 R12: 0000000000000001
R13: 00007fff6dc40c58 R14: 0000000000000001 R15: 0000000000000001
</TASK>
---[ end trace ]---


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Jeongjun Park

Apr 15, 2024, 9:30:46 AM
to syzbot+2e2205...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
please test array-index-out-of-bounds in nilfs_add_link

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 0bbac3facb5d

diff --git a/fs/nilfs2/dir.c b/fs/nilfs2/dir.c
index bc846b904b68..aee40db7a036 100644
--- a/fs/nilfs2/dir.c
+++ b/fs/nilfs2/dir.c
@@ -240,7 +240,7 @@ nilfs_filetype_table[NILFS_FT_MAX] = {

#define S_SHIFT 12
static unsigned char
-nilfs_type_by_mode[S_IFMT >> S_SHIFT] = {
+nilfs_type_by_mode[(S_IFMT >> S_SHIFT) + 1] = {
[S_IFREG >> S_SHIFT] = NILFS_FT_REG_FILE,
[S_IFDIR >> S_SHIFT] = NILFS_FT_DIR,
[S_IFCHR >> S_SHIFT] = NILFS_FT_CHRDEV,
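Review bot: the `+1` is the right size correction, because `(mode & S_IFMT) >> S_SHIFT` in `nilfs_set_de_type()` evaluates to `S_IFMT >> S_SHIFT` (15) when every format bit of a mode is set, while the old declaration only provided slots 0..14; the new slot 15 has no designated initializer, so it relies on static zero-initialisation mapping to NILFS_FT_UNKNOWN, which is worth saying in a commit description (this test submission has none, and also lacks a `Fixes:` tag) together with a one-line note that the size is the index range 0..15, not the number of file types.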
--

Ryusuke Konishi

Apr 15, 2024, 10:49:08 AM
to Jeongjun Park, syzbot+2e2205...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
I found this patch of yours while debugging.

This patch looks correct as a fix for the issue.
In fact, I verified using the reproducer that it fixes the issue.

Is it okay to understand that you will finish it and send it to me?
If so, I'll take it and send it upstream after thorough testing.


Regards,
Ryusuke Konishi

syzbot

Apr 15, 2024, 11:00:07 AM
to aha3...@gmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

[ 8.046646][ T1] usbcore: registered new interface driver pn533_usb
[ 8.053398][ T1] nfcsim 0.2 initialized
[ 8.054384][ T1] usbcore: registered new interface driver port100
[ 8.056070][ T1] usbcore: registered new interface driver nfcmrvl
[ 8.063127][ T1] Loading iSCSI transport class v2.0-870.
[ 8.083033][ T1] virtio_scsi virtio0: 1/0/0 default/read/poll queues
[ 8.093514][ T1] ------------[ cut here ]------------
[ 8.097392][ T1] refcount_t: decrement hit 0; leaking memory.
[ 8.098749][ T1] WARNING: CPU: 1 PID: 1 at lib/refcount.c:31 refcount_warn_saturate+0xfa/0x1d0
[ 8.100089][ T1] Modules linked in:
[ 8.100981][ T1] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 6.9.0-rc4-syzkaller-dirty #0
[ 8.102964][ T1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
[ 8.104809][ T1] RIP: 0010:refcount_warn_saturate+0xfa/0x1d0
[ 8.105854][ T1] Code: b2 00 00 00 e8 87 70 f0 fc 5b 5d c3 cc cc cc cc e8 7b 70 f0 fc c6 05 ac bf ed 0a 01 90 48 c7 c7 80 66 1e 8c e8 e7 0a b3 fc 90 <0f> 0b 90 90 eb d9 e8 5b 70 f0 fc c6 05 89 bf ed 0a 01 90 48 c7 c7
[ 8.109304][ T1] RSP: 0000:ffffc90000066e18 EFLAGS: 00010246
[ 8.110372][ T1] RAX: a5557a779647f700 RBX: ffff8881432f33fc RCX: ffff888016ac0000
[ 8.111482][ T1] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 8.112881][ T1] RBP: 0000000000000004 R08: ffffffff81587fc2 R09: fffffbfff1c39b48
[ 8.114169][ T1] R10: dffffc0000000000 R11: fffffbfff1c39b48 R12: ffffea000503cdc0
[ 8.115576][ T1] R13: ffffea000503cdc8 R14: 1ffffd4000a079b9 R15: 0000000000000000
[ 8.116934][ T1] FS: 0000000000000000(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
[ 8.118632][ T1] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 8.120448][ T1] CR2: 0000000000000000 CR3: 000000000e134000 CR4: 00000000003506f0
[ 8.121952][ T1] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 8.125239][ T1] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 8.128444][ T1] Call Trace:
[ 8.128999][ T1] <TASK>
[ 8.129476][ T1] ? __warn+0x163/0x4e0
[ 8.130277][ T1] ? refcount_warn_saturate+0xfa/0x1d0
[ 8.131293][ T1] ? report_bug+0x2b3/0x500
[ 8.132024][ T1] ? refcount_warn_saturate+0xfa/0x1d0
[ 8.133864][ T1] ? handle_bug+0x3e/0x70
[ 8.134800][ T1] ? exc_invalid_op+0x1a/0x50
[ 8.135746][ T1] ? asm_exc_invalid_op+0x1a/0x20
[ 8.136660][ T1] ? __warn_printk+0x292/0x360
[ 8.138782][ T1] ? refcount_warn_saturate+0xfa/0x1d0
[ 8.139747][ T1] ? refcount_warn_saturate+0xf9/0x1d0
[ 8.141576][ T1] __free_pages_ok+0xc54/0xd80
[ 8.142662][ T1] make_alloc_exact+0xa3/0xf0
[ 8.143619][ T1] vring_alloc_queue_split+0x20a/0x600
[ 8.144668][ T1] ? __pfx_vring_alloc_queue_split+0x10/0x10
[ 8.145585][ T1] ? vp_find_vqs+0x4c/0x4e0
[ 8.146361][ T1] ? virtscsi_probe+0x3ea/0xf60
[ 8.147253][ T1] ? virtio_dev_probe+0x991/0xaf0
[ 8.148035][ T1] ? really_probe+0x2b8/0xad0
[ 8.148878][ T1] ? driver_probe_device+0x50/0x430
[ 8.149903][ T1] vring_create_virtqueue_split+0xc6/0x310
[ 8.150905][ T1] ? ret_from_fork+0x4b/0x80
[ 8.152921][ T1] ? __pfx_vring_create_virtqueue_split+0x10/0x10
[ 8.154006][ T1] vring_create_virtqueue+0xca/0x110
[ 8.155477][ T1] ? __pfx_vp_notify+0x10/0x10
[ 8.156849][ T1] ? __pfx_virtscsi_ctrl_done+0x10/0x10
[ 8.158255][ T1] setup_vq+0xe9/0x2d0
[ 8.158966][ T1] ? __pfx_vp_notify+0x10/0x10
[ 8.160058][ T1] ? __pfx_virtscsi_ctrl_done+0x10/0x10
[ 8.161161][ T1] ? __pfx_virtscsi_ctrl_done+0x10/0x10
[ 8.162896][ T1] ? __pfx_virtscsi_ctrl_done+0x10/0x10
[ 8.163930][ T1] vp_setup_vq+0xbf/0x330
[ 8.164941][ T1] ? __pfx_vp_config_changed+0x10/0x10
[ 8.166253][ T1] ? ioread16+0x2f/0x90
[ 8.167168][ T1] ? __pfx_virtscsi_ctrl_done+0x10/0x10
[ 8.168459][ T1] vp_find_vqs_msix+0x8b2/0xc80
[ 8.169516][ T1] vp_find_vqs+0x4c/0x4e0
[ 8.170429][ T1] virtscsi_init+0x8db/0xd00
[ 8.171852][ T1] ? __pfx_virtscsi_init+0x10/0x10
[ 8.172801][ T1] ? __pfx_default_calc_sets+0x10/0x10
[ 8.176106][ T1] ? scsi_host_alloc+0xa57/0xea0
[ 8.177026][ T1] ? vp_get+0xfd/0x140
[ 8.177595][ T1] virtscsi_probe+0x3ea/0xf60
[ 8.178351][ T1] ? __pfx_virtscsi_probe+0x10/0x10
[ 8.179274][ T1] ? vp_get_shm_region+0x51d/0x8b0
[ 8.180369][ T1] ? __pfx_vp_set_status+0x10/0x10
[ 8.181850][ T1] ? vp_set_status+0x1a/0x40
[ 8.182628][ T1] ? virtio_no_restricted_mem_acc+0x9/0x10
[ 8.183880][ T1] ? virtio_features_ok+0x10c/0x270
[ 8.184839][ T1] virtio_dev_probe+0x991/0xaf0
[ 8.185666][ T1] ? __pfx_virtio_dev_probe+0x10/0x10
[ 8.186643][ T1] really_probe+0x2b8/0xad0
[ 8.187658][ T1] __driver_probe_device+0x1a2/0x390
[ 8.188847][ T1] driver_probe_device+0x50/0x430
[ 8.189648][ T1] __driver_attach+0x45f/0x710
[ 8.190566][ T1] ? __pfx___driver_attach+0x10/0x10
[ 8.191463][ T1] bus_for_each_dev+0x239/0x2b0
[ 8.192162][ T1] ? __pfx___driver_attach+0x10/0x10
[ 8.193282][ T1] ? __pfx_bus_for_each_dev+0x10/0x10
[ 8.194135][ T1] ? do_raw_spin_unlock+0x13c/0x8b0
[ 8.195052][ T1] bus_add_driver+0x347/0x620
[ 8.195904][ T1] driver_register+0x23a/0x320
[ 8.196676][ T1] virtio_scsi_init+0x69/0xe0
[ 8.197688][ T1] ? __pfx_virtio_scsi_init+0x10/0x10
[ 8.198566][ T1] do_one_initcall+0x248/0x880
[ 8.199453][ T1] ? __pfx_virtio_scsi_init+0x10/0x10
[ 8.200558][ T1] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[ 8.201915][ T1] ? __pfx_do_one_initcall+0x10/0x10
[ 8.202821][ T1] ? __pfx_parse_args+0x10/0x10
[ 8.203915][ T1] ? do_initcalls+0x1c/0x80
[ 8.204956][ T1] ? rcu_is_watching+0x15/0xb0
[ 8.205785][ T1] do_initcall_level+0x157/0x210
[ 8.206580][ T1] do_initcalls+0x3f/0x80
[ 8.207402][ T1] kernel_init_freeable+0x435/0x5d0
[ 8.208171][ T1] ? __pfx_kernel_init_freeable+0x10/0x10
[ 8.209120][ T1] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[ 8.210016][ T1] ? __pfx_kernel_init+0x10/0x10
[ 8.211607][ T1] ? __pfx_kernel_init+0x10/0x10
[ 8.212570][ T1] ? __pfx_kernel_init+0x10/0x10
[ 8.213608][ T1] kernel_init+0x1d/0x2b0
[ 8.214363][ T1] ret_from_fork+0x4b/0x80
[ 8.215262][ T1] ? __pfx_kernel_init+0x10/0x10
[ 8.216195][ T1] ret_from_fork_asm+0x1a/0x30
[ 8.216904][ T1] </TASK>
[ 8.217906][ T1] Kernel panic - not syncing: kernel: panic_on_warn set ...
[ 8.219113][ T1] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 6.9.0-rc4-syzkaller-dirty #0
[ 8.220551][ T1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
[ 8.222223][ T1] Call Trace:
[ 8.222793][ T1] <TASK>
[ 8.223243][ T1] dump_stack_lvl+0x241/0x360
[ 8.224079][ T1] ? __pfx_dump_stack_lvl+0x10/0x10
[ 8.224927][ T1] ? __pfx__printk+0x10/0x10
[ 8.225243][ T1] ? _printk+0xd5/0x120
[ 8.225243][ T1] ? vscnprintf+0x5d/0x90
[ 8.225243][ T1] panic+0x349/0x860
[ 8.225243][ T1] ? __warn+0x172/0x4e0
[ 8.225243][ T1] ? __pfx_panic+0x10/0x10
[ 8.225243][ T1] ? show_trace_log_lvl+0x4e6/0x520
[ 8.225243][ T1] ? ret_from_fork_asm+0x1a/0x30
[ 8.225243][ T1] __warn+0x346/0x4e0
[ 8.225243][ T1] ? refcount_warn_saturate+0xfa/0x1d0
[ 8.225243][ T1] report_bug+0x2b3/0x500
[ 8.225243][ T1] ? refcount_warn_saturate+0xfa/0x1d0
[ 8.225243][ T1] handle_bug+0x3e/0x70
[ 8.225243][ T1] exc_invalid_op+0x1a/0x50
[ 8.225243][ T1] asm_exc_invalid_op+0x1a/0x20
[ 8.225243][ T1] RIP: 0010:refcount_warn_saturate+0xfa/0x1d0
[ 8.225243][ T1] Code: b2 00 00 00 e8 87 70 f0 fc 5b 5d c3 cc cc cc cc e8 7b 70 f0 fc c6 05 ac bf ed 0a 01 90 48 c7 c7 80 66 1e 8c e8 e7 0a b3 fc 90 <0f> 0b 90 90 eb d9 e8 5b 70 f0 fc c6 05 89 bf ed 0a 01 90 48 c7 c7
[ 8.225243][ T1] RSP: 0000:ffffc90000066e18 EFLAGS: 00010246
[ 8.225243][ T1] RAX: a5557a779647f700 RBX: ffff8881432f33fc RCX: ffff888016ac0000
[ 8.225243][ T1] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 8.225243][ T1] RBP: 0000000000000004 R08: ffffffff81587fc2 R09: fffffbfff1c39b48
[ 8.225243][ T1] R10: dffffc0000000000 R11: fffffbfff1c39b48 R12: ffffea000503cdc0
[ 8.225243][ T1] R13: ffffea000503cdc8 R14: 1ffffd4000a079b9 R15: 0000000000000000
[ 8.225243][ T1] ? __warn_printk+0x292/0x360
[ 8.225243][ T1] ? refcount_warn_saturate+0xf9/0x1d0
[ 8.225243][ T1] __free_pages_ok+0xc54/0xd80
[ 8.225243][ T1] make_alloc_exact+0xa3/0xf0
[ 8.225243][ T1] vring_alloc_queue_split+0x20a/0x600
[ 8.225243][ T1] ? __pfx_vring_alloc_queue_split+0x10/0x10
[ 8.225243][ T1] ? vp_find_vqs+0x4c/0x4e0
[ 8.225243][ T1] ? virtscsi_probe+0x3ea/0xf60
[ 8.225243][ T1] ? virtio_dev_probe+0x991/0xaf0
[ 8.225243][ T1] ? really_probe+0x2b8/0xad0
[ 8.225243][ T1] ? driver_probe_device+0x50/0x430
[ 8.225243][ T1] vring_create_virtqueue_split+0xc6/0x310
[ 8.225243][ T1] ? ret_from_fork+0x4b/0x80
[ 8.225243][ T1] ? __pfx_vring_create_virtqueue_split+0x10/0x10
[ 8.225243][ T1] vring_create_virtqueue+0xca/0x110
[ 8.225243][ T1] ? __pfx_vp_notify+0x10/0x10
[ 8.225243][ T1] ? __pfx_virtscsi_ctrl_done+0x10/0x10
[ 8.225243][ T1] setup_vq+0xe9/0x2d0
[ 8.225243][ T1] ? __pfx_vp_notify+0x10/0x10
[ 8.225243][ T1] ? __pfx_virtscsi_ctrl_done+0x10/0x10
[ 8.225243][ T1] ? __pfx_virtscsi_ctrl_done+0x10/0x10
[ 8.225243][ T1] ? __pfx_virtscsi_ctrl_done+0x10/0x10
[ 8.225243][ T1] vp_setup_vq+0xbf/0x330
[ 8.225243][ T1] ? __pfx_vp_config_changed+0x10/0x10
[ 8.225243][ T1] ? ioread16+0x2f/0x90
[ 8.225243][ T1] ? __pfx_virtscsi_ctrl_done+0x10/0x10
[ 8.274896][ T1] vp_find_vqs_msix+0x8b2/0xc80
[ 8.274896][ T1] vp_find_vqs+0x4c/0x4e0
[ 8.274896][ T1] virtscsi_init+0x8db/0xd00
[ 8.274896][ T1] ? __pfx_virtscsi_init+0x10/0x10
[ 8.274896][ T1] ? __pfx_default_calc_sets+0x10/0x10
[ 8.274896][ T1] ? scsi_host_alloc+0xa57/0xea0
[ 8.274896][ T1] ? vp_get+0xfd/0x140
[ 8.274896][ T1] virtscsi_probe+0x3ea/0xf60
[ 8.274896][ T1] ? __pfx_virtscsi_probe+0x10/0x10
[ 8.274896][ T1] ? vp_get_shm_region+0x51d/0x8b0
[ 8.274896][ T1] ? __pfx_vp_set_status+0x10/0x10
[ 8.274896][ T1] ? vp_set_status+0x1a/0x40
[ 8.274896][ T1] ? virtio_no_restricted_mem_acc+0x9/0x10
[ 8.274896][ T1] ? virtio_features_ok+0x10c/0x270
[ 8.274896][ T1] virtio_dev_probe+0x991/0xaf0
[ 8.274896][ T1] ? __pfx_virtio_dev_probe+0x10/0x10
[ 8.274896][ T1] really_probe+0x2b8/0xad0
[ 8.274896][ T1] __driver_probe_device+0x1a2/0x390
[ 8.274896][ T1] driver_probe_device+0x50/0x430
[ 8.274896][ T1] __driver_attach+0x45f/0x710
[ 8.274896][ T1] ? __pfx___driver_attach+0x10/0x10
[ 8.274896][ T1] bus_for_each_dev+0x239/0x2b0
[ 8.274896][ T1] ? __pfx___driver_attach+0x10/0x10
[ 8.274896][ T1] ? __pfx_bus_for_each_dev+0x10/0x10
[ 8.274896][ T1] ? do_raw_spin_unlock+0x13c/0x8b0
[ 8.274896][ T1] bus_add_driver+0x347/0x620
[ 8.274896][ T1] driver_register+0x23a/0x320
[ 8.274896][ T1] virtio_scsi_init+0x69/0xe0
[ 8.274896][ T1] ? __pfx_virtio_scsi_init+0x10/0x10
[ 8.274896][ T1] do_one_initcall+0x248/0x880
[ 8.274896][ T1] ? __pfx_virtio_scsi_init+0x10/0x10
[ 8.274896][ T1] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[ 8.274896][ T1] ? __pfx_do_one_initcall+0x10/0x10
[ 8.274896][ T1] ? __pfx_parse_args+0x10/0x10
[ 8.274896][ T1] ? do_initcalls+0x1c/0x80
[ 8.274896][ T1] ? rcu_is_watching+0x15/0xb0
[ 8.274896][ T1] do_initcall_level+0x157/0x210
[ 8.274896][ T1] do_initcalls+0x3f/0x80
[ 8.274896][ T1] kernel_init_freeable+0x435/0x5d0
[ 8.274896][ T1] ? __pfx_kernel_init_freeable+0x10/0x10
[ 8.274896][ T1] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[ 8.274896][ T1] ? __pfx_kernel_init+0x10/0x10
[ 8.274896][ T1] ? __pfx_kernel_init+0x10/0x10
[ 8.274896][ T1] ? __pfx_kernel_init+0x10/0x10
[ 8.274896][ T1] kernel_init+0x1d/0x2b0
[ 8.274896][ T1] ret_from_fork+0x4b/0x80
[ 8.274896][ T1] ? __pfx_kernel_init+0x10/0x10
[ 8.274896][ T1] ret_from_fork_asm+0x1a/0x30
[ 8.274896][ T1] </TASK>
[ 8.274896][ T1] Kernel Offset: disabled
[ 8.274896][ T1] Rebooting in 86400 seconds..


syzkaller build log:
go env (err=<nil>)
GO111MODULE='auto'
GOARCH='amd64'
GOBIN=''
GOCACHE='/syzkaller/.cache/go-build'
GOENV='/syzkaller/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/syzkaller/jobs-2/linux/gopath/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/syzkaller/jobs-2/linux/gopath'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.21.4'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD='/syzkaller/jobs-2/linux/gopath/src/github.com/google/syzkaller/go.mod'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build2608577974=/tmp/go-build -gno-record-gcc-switches'

git status (err=<nil>)
HEAD detached at c8349e485
nothing to commit, working tree clean


tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=c8349e48534ea6d8f01515335d95de8ebf5da8df -X 'github.com/google/syzkaller/prog.gitRevisionDate=20240412-102842'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-fuzzer github.com/google/syzkaller/syz-fuzzer
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=c8349e48534ea6d8f01515335d95de8ebf5da8df -X 'github.com/google/syzkaller/prog.gitRevisionDate=20240412-102842'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=c8349e48534ea6d8f01515335d95de8ebf5da8df -X 'github.com/google/syzkaller/prog.gitRevisionDate=20240412-102842'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-stress github.com/google/syzkaller/tools/syz-stress
mkdir -p ./bin/linux_amd64
gcc -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"c8349e48534ea6d8f01515335d95de8ebf5da8df\"


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=16ca23d5180000


Tested on:

commit: 0bbac3fa Linux 6.9-rc4
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel config: https://syzkaller.appspot.com/x/.config?x=b6bcb7598d5494cd
dashboard link: https://syzkaller.appspot.com/bug?extid=2e22057de05b9f3b30d8
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=13fe882b180000

Ryusuke Konishi

Apr 15, 2024, 2:20:19 PM
to Andrew Morton, linux...@vger.kernel.org, syzbot, syzkall...@googlegroups.com, Jeongjun Park, linux-...@vger.kernel.org, linux-...@vger.kernel.org
From: Jeongjun Park <aha3...@gmail.com>

The size of the nilfs_type_by_mode array in the fs/nilfs2/dir.c file is
defined as "S_IFMT >> S_SHIFT", but the nilfs_set_de_type() function,
which uses this array, specifies the index to read from the array in the
same way as "(mode & S_IFMT) >> S_SHIFT".

static void nilfs_set_de_type(struct nilfs_dir_entry *de, struct inode *inode)
{
	umode_t mode = inode->i_mode;

	de->file_type = nilfs_type_by_mode[(mode & S_IFMT)>>S_SHIFT]; // oob
}

However, when the index is determined this way, an out-of-bounds (OOB)
error occurs by referring to an index that is 1 larger than the array
size when the condition "mode & S_IFMT == S_IFMT" is satisfied.
Therefore, a patch to resize the nilfs_type_by_mode array should be
applied to prevent OOB errors.

Reported-by: syzbot+2e2205...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=2e22057de05b9f3b30d8
Fixes: 2ba466d74ed7 ("nilfs2: directory entry operations")
Signed-off-by: Jeongjun Park <aha3...@gmail.com>
Signed-off-by: Ryusuke Konishi <konishi...@gmail.com>
Tested-by: Ryusuke Konishi <konishi...@gmail.com>
Cc: sta...@vger.kernel.org
---
Hi Andrew, please apply this as a bugfix.

This patch from Jeongjun fixes an array out-of-bounds access reported
by syzbot that can occur for filesystem images containing corrupted
directory inodes.

Thanks,
Ryusuke Konishi

fs/nilfs2/dir.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/nilfs2/dir.c b/fs/nilfs2/dir.c
index bc846b904b68..aee40db7a036 100644
--- a/fs/nilfs2/dir.c
+++ b/fs/nilfs2/dir.c
@@ -240,7 +240,7 @@ nilfs_filetype_table[NILFS_FT_MAX] = {

#define S_SHIFT 12
static unsigned char
-nilfs_type_by_mode[S_IFMT >> S_SHIFT] = {
+nilfs_type_by_mode[(S_IFMT >> S_SHIFT) + 1] = {
[S_IFREG >> S_SHIFT] = NILFS_FT_REG_FILE,
[S_IFDIR >> S_SHIFT] = NILFS_FT_DIR,
[S_IFCHR >> S_SHIFT] = NILFS_FT_CHRDEV,
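Review bot: the hunk widens the table but leaves the caller untouched, so a mode whose format nibble is 0xF still maps silently to the zero-initialised slot (NILFS_FT_UNKNOWN) rather than being rejected; that is consistent with the cover letter's framing of corrupted directory inodes, but a short comment at the declaration stating that the size is the index range of `(mode & S_IFMT) >> S_SHIFT` rather than the count of file types would keep a later cleanup from "simplifying" it back to `S_IFMT >> S_SHIFT`.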
--
2.34.1
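Added example (mine, not the patch author's code and not the nilfs2 source): a userspace model of the mode-to-file-type lookup described in the commit message above. It declares the table with the patched size, computes the index exactly as nilfs_set_de_type() does, reports which modes would have read one element past the old 15-entry table, and shows that the enlarged table resolves the all-bits-set format nibble to NILFS_FT_UNKNOWN. The NILFS_FT_* values and the table entries beyond the three visible in the hunk are assumptions; the sample modes are constructed.

```c
#define _DEFAULT_SOURCE 1
#include <stdio.h>
#include <sys/stat.h>   /* S_IFMT and the S_IF* format bits */

#ifndef S_IFSOCK        /* strict-ISO glibc headers may hide this one */
#define S_IFSOCK 0140000
#endif

#define S_SHIFT 12      /* same shift as fs/nilfs2/dir.c */

/* On-disk file type codes; the values are assumed here (zero must be
 * "unknown" so that table slots without an initializer are harmless). */
enum {
	NILFS_FT_UNKNOWN = 0,
	NILFS_FT_REG_FILE,
	NILFS_FT_DIR,
	NILFS_FT_CHRDEV,
	NILFS_FT_BLKDEV,
	NILFS_FT_FIFO,
	NILFS_FT_SOCK,
	NILFS_FT_SYMLINK,
};

/* (mode & S_IFMT) >> S_SHIFT takes every value 0..(S_IFMT >> S_SHIFT),
 * i.e. 0..15, so a complete table needs one entry more than the old size. */
#define OLD_TABLE_SIZE   (S_IFMT >> S_SHIFT)        /* 15 before the patch */
#define TABLE_SIZE       ((S_IFMT >> S_SHIFT) + 1)  /* 16 after the patch  */

static const unsigned char type_by_mode[TABLE_SIZE] = {
	[S_IFREG  >> S_SHIFT] = NILFS_FT_REG_FILE,
	[S_IFDIR  >> S_SHIFT] = NILFS_FT_DIR,
	[S_IFCHR  >> S_SHIFT] = NILFS_FT_CHRDEV,
	[S_IFBLK  >> S_SHIFT] = NILFS_FT_BLKDEV,   /* this entry and the ones   */
	[S_IFIFO  >> S_SHIFT] = NILFS_FT_FIFO,     /* below it are not visible  */
	[S_IFSOCK >> S_SHIFT] = NILFS_FT_SOCK,     /* in the hunk; assumed here */
	[S_IFLNK  >> S_SHIFT] = NILFS_FT_SYMLINK,
};

/* Index exactly as nilfs_set_de_type() computes it from i_mode. */
static unsigned int mode_index(unsigned int mode)
{
	return (mode & S_IFMT) >> S_SHIFT;
}

/* Would this mode have read one element past the old 15-entry table? */
static int overflows_old_table(unsigned int mode)
{
	return mode_index(mode) >= OLD_TABLE_SIZE;
}

/* Lookup with the enlarged table: every reachable index is in bounds, and a
 * format nibble with no initializer (including all four bits set, which only
 * a corrupted on-disk inode carries) resolves to NILFS_FT_UNKNOWN. */
static unsigned char file_type_for_mode(unsigned int mode)
{
	return type_by_mode[mode_index(mode)];
}

int main(void)
{
	/* constructed sample modes; the last one has the bogus 0xF format nibble */
	static const unsigned int samples[] = {
		S_IFREG | 0644, S_IFDIR | 0755, S_IFLNK | 0777, S_IFMT | 0644,
	};
	size_t i;

	printf("old table size %d, patched table size %d\n",
	       OLD_TABLE_SIZE, TABLE_SIZE);
	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("mode %07o -> index %2u, type %u%s\n", samples[i],
		       mode_index(samples[i]),
		       (unsigned int)file_type_for_mode(samples[i]),
		       overflows_old_table(samples[i]) ? " (OOB with old size)" : "");
	return 0;
}
```

The point the model makes explicit is that the table must be sized by the range of the index expression, not by the number of legitimate file types: the kernel reads i_mode from disk, and a value with all four format bits set is exactly what a crafted or damaged image can supply, so the table, not the caller, has to absorb it.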
