kernel BUG at lib/string.c:LINE! (5)

26 views
Skip to first unread message

syzbot

unread,
Sep 15, 2020, 7:00:22 AM9/15/20
to c...@fb.com, dst...@suse.com, jo...@toxicpanda.com, linux...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: e4c26faa Merge tag 'usb-5.9-rc5' of git://git.kernel.org/p..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13b17bed900000
kernel config: https://syzkaller.appspot.com/x/.config?x=c61610091f4ca8c4
dashboard link: https://syzkaller.appspot.com/bug?extid=e864a35d361e1d4e29a5
compiler: gcc (GCC) 10.1.0-syz 20200507
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=177582be900000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13deb2b5900000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+e864a3...@syzkaller.appspotmail.com

detected buffer overflow in memcpy
------------[ cut here ]------------
kernel BUG at lib/string.c:1129!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 26 Comm: kworker/u4:2 Not tainted 5.9.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: btrfs-endio-meta btrfs_work_helper
RIP: 0010:fortify_panic+0xf/0x20 lib/string.c:1129
Code: 89 c7 48 89 74 24 08 48 89 04 24 e8 ab 39 00 fe 48 8b 74 24 08 48 8b 04 24 eb d5 48 89 fe 48 c7 c7 40 22 97 88 e8 b0 8c a9 fd <0f> 0b cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 41 57 41 56 41
RSP: 0018:ffffc90000e27980 EFLAGS: 00010286
RAX: 0000000000000022 RBX: ffff8880a80dca64 RCX: 0000000000000000
RDX: ffff8880a90860c0 RSI: ffffffff815dba07 RDI: fffff520001c4f22
RBP: ffff8880a80dca00 R08: 0000000000000022 R09: ffff8880ae7318e7
R10: 0000000000000000 R11: 0000000000077578 R12: 00000000ffffff6e
R13: 0000000000000008 R14: ffffc90000e27a40 R15: 1ffff920001c4f3c
FS: 0000000000000000(0000) GS:ffff8880ae700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000557335f440d0 CR3: 000000009647d000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
memcpy include/linux/string.h:405 [inline]
btree_readpage_end_io_hook.cold+0x206/0x221 fs/btrfs/disk-io.c:642
end_bio_extent_readpage+0x4de/0x10c0 fs/btrfs/extent_io.c:2854
bio_endio+0x3cf/0x7f0 block/bio.c:1449
end_workqueue_fn+0x114/0x170 fs/btrfs/disk-io.c:1695
btrfs_work_helper+0x221/0xe20 fs/btrfs/async-thread.c:318
process_one_work+0x94c/0x1670 kernel/workqueue.c:2269
worker_thread+0x64c/0x1120 kernel/workqueue.c:2415
kthread+0x3b5/0x4a0 kernel/kthread.c:292
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
Modules linked in:
---[ end trace b68924293169feef ]---
RIP: 0010:fortify_panic+0xf/0x20 lib/string.c:1129
Code: 89 c7 48 89 74 24 08 48 89 04 24 e8 ab 39 00 fe 48 8b 74 24 08 48 8b 04 24 eb d5 48 89 fe 48 c7 c7 40 22 97 88 e8 b0 8c a9 fd <0f> 0b cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 41 57 41 56 41
RSP: 0018:ffffc90000e27980 EFLAGS: 00010286
RAX: 0000000000000022 RBX: ffff8880a80dca64 RCX: 0000000000000000
RDX: ffff8880a90860c0 RSI: ffffffff815dba07 RDI: fffff520001c4f22
RBP: ffff8880a80dca00 R08: 0000000000000022 R09: ffff8880ae7318e7
R10: 0000000000000000 R11: 0000000000077578 R12: 00000000ffffff6e
R13: 0000000000000008 R14: ffffc90000e27a40 R15: 1ffff920001c4f3c
FS: 0000000000000000(0000) GS:ffff8880ae700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f95b7c4d008 CR3: 000000009647d000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches

syzbot

unread,
Sep 16, 2020, 4:19:11 AM9/16/20
to anand...@oracle.com, c...@fb.com, dst...@suse.com, johannes....@wdc.com, jo...@toxicpanda.com, jthum...@suse.de, linux...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
syzbot has bisected this issue to:

commit 3951e7f050ac6a38bbc859fc3cd6093890c31d1c
Author: Johannes Thumshirn <jthum...@suse.de>
Date: Mon Oct 7 09:11:01 2019 +0000

btrfs: add xxhash64 to checksumming algorithms

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=10aadcc5900000
start commit: e4c26faa Merge tag 'usb-5.9-rc5' of git://git.kernel.org/p..
git tree: upstream
final oops: https://syzkaller.appspot.com/x/report.txt?x=12aadcc5900000
console output: https://syzkaller.appspot.com/x/log.txt?x=14aadcc5900000
Reported-by: syzbot+e864a3...@syzkaller.appspotmail.com
Fixes: 3951e7f050ac ("btrfs: add xxhash64 to checksumming algorithms")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection

Johannes Thumshirn

unread,
Sep 16, 2020, 4:45:40 AM9/16/20
to syzbot, anand...@oracle.com, c...@fb.com, dst...@suse.com, jo...@toxicpanda.com, jthum...@suse.de, linux...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com

This commit only allowed 8 byte checksums, but d5178578bcd4 ("btrfs: directly
call into crypto framework for checksumming") is the one that was missing the
conversion in btree_readpage_end_io_hook() and a prerequisite for 3951e7f050ac
("btrfs: add xxhash64 to checksumming algorithms"). So I think it makes more
sense to add d5178578bcd4 to the fixes line.

David Sterba

unread,
Sep 17, 2020, 9:15:33 AM9/17/20
to syzbot, c...@fb.com, dst...@suse.com, jo...@toxicpanda.com, linux...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Tue, Sep 15, 2020 at 04:00:21AM -0700, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: e4c26faa Merge tag 'usb-5.9-rc5' of git://git.kernel.org/p..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=13b17bed900000
> kernel config: https://syzkaller.appspot.com/x/.config?x=c61610091f4ca8c4
> dashboard link: https://syzkaller.appspot.com/bug?extid=e864a35d361e1d4e29a5
> compiler: gcc (GCC) 10.1.0-syz 20200507
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=177582be900000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13deb2b5900000
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+e864a3...@syzkaller.appspotmail.com

#syz fix: btrfs: fix overflow when copying corrupt csums for a message
Reply all
Reply to author
Forward
0 new messages