[syzbot] KASAN: slab-out-of-bounds Read in hex_dump_to_buffer
90 views
Skip to first unread message
syzbot
Oct 1, 2022, 9:41:33 AM10/1/22
to jfs-dis...@lists.sourceforge.net, linux-...@vger.kernel.org, sha...@kernel.org, syzkall...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: aaa11ce2ffc8 Add linux-next specific files for 20220923
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=1773ecb8880000
kernel config: https://syzkaller.appspot.com/x/.config?x=186d1ff305f10294
dashboard link: https://syzkaller.appspot.com/bug?extid=489783e0c22fbb27d8e9
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/95c7bf83c07e/disk-aaa11ce2.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/b161cd56a7a3/vmlinux-aaa11ce2.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+489783...@syzkaller.appspotmail.com
ffff8880a5a1c930: 28 c9 a1 a5 80 88 ff ff 00 00 00 00 00 00 00 00 (...............
ffff8880a5a1c940: 40 c9 a1 a5 80 88 ff ff 40 c9 a1 a5 80 88 ff ff @.......@.......
ffff8880a5a1c950: 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 ................
ffff8880a5a1c960: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
ffff8880a5a1c970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
==================================================================
BUG: KASAN: slab-out-of-bounds in hex_dump_to_buffer+0xdc1/0xdf0 lib/hexdump.c:193
Read of size 1 at addr ffff8880a5a1c980 by task syz-executor.0/21885
CPU: 1 PID: 21885 Comm: syz-executor.0 Not tainted 6.0.0-rc6-next-20220923-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:284 [inline]
print_report+0x15e/0x45d mm/kasan/report.c:395
kasan_report+0xbb/0x1f0 mm/kasan/report.c:495
hex_dump_to_buffer+0xdc1/0xdf0 lib/hexdump.c:193
print_hex_dump+0x12f/0x1d0 lib/hexdump.c:276
ea_get.cold+0xaa/0x197 fs/jfs/xattr.c:561
__jfs_setxattr+0xdb/0xfc0 fs/jfs/xattr.c:671
__jfs_xattr_set+0xc9/0x150 fs/jfs/xattr.c:917
__vfs_setxattr+0x115/0x180 fs/xattr.c:182
__vfs_setxattr_noperm+0x125/0x5f0 fs/xattr.c:216
__vfs_setxattr_locked+0x1cf/0x260 fs/xattr.c:277
vfs_setxattr+0x13f/0x330 fs/xattr.c:309
setxattr+0x146/0x160 fs/xattr.c:617
path_setxattr+0x197/0x1c0 fs/xattr.c:636
__do_sys_lsetxattr fs/xattr.c:659 [inline]
__se_sys_lsetxattr fs/xattr.c:655 [inline]
__x64_sys_lsetxattr+0xbd/0x150 fs/xattr.c:655
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f56a6e8a5a9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f56a800f168 EFLAGS: 00000246 ORIG_RAX: 00000000000000bd
RAX: ffffffffffffffda RBX: 00007f56a6fabf80 RCX: 00007f56a6e8a5a9
RDX: 0000000020005280 RSI: 0000000020000180 RDI: 0000000020000140
RBP: 00007f56a6ee5580 R08: 0000000000000002 R09: 0000000000000000
R10: 0000000000000016 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffe8902fcff R14: 00007f56a800f300 R15: 0000000000022000
</TASK>
Allocated by task 21885:
kasan_save_stack+0x1e/0x40 mm/kasan/common.c:45
kasan_set_track+0x21/0x30 mm/kasan/common.c:52
__kasan_slab_alloc+0x7e/0x80 mm/kasan/common.c:325
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook mm/slab.h:754 [inline]
slab_alloc_node mm/slub.c:3336 [inline]
slab_alloc mm/slub.c:3344 [inline]
__kmem_cache_alloc_lru mm/slub.c:3351 [inline]
kmem_cache_alloc_lru+0x255/0x730 mm/slub.c:3367
alloc_inode_sb include/linux/fs.h:3106 [inline]
jfs_alloc_inode+0x23/0x60 fs/jfs/super.c:105
alloc_inode+0x61/0x230 fs/inode.c:259
iget_locked+0x1b7/0x6f0 fs/inode.c:1286
jfs_iget+0x1a/0x4d0 fs/jfs/inode.c:29
jfs_lookup+0x246/0x2f0 fs/jfs/namei.c:1462
__lookup_slow+0x24c/0x460 fs/namei.c:1685
lookup_slow fs/namei.c:1702 [inline]
walk_component+0x33f/0x5a0 fs/namei.c:1993
lookup_last fs/namei.c:2450 [inline]
path_lookupat+0x1ba/0x840 fs/namei.c:2474
filename_lookup+0x1ce/0x590 fs/namei.c:2503
user_path_at_empty+0x42/0x60 fs/namei.c:2876
user_path_at include/linux/namei.h:57 [inline]
do_mount fs/namespace.c:3380 [inline]
__do_sys_mount fs/namespace.c:3591 [inline]
__se_sys_mount fs/namespace.c:3568 [inline]
__x64_sys_mount+0x1ea/0x300 fs/namespace.c:3568
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Last potentially related work creation:
kasan_save_stack+0x1e/0x40 mm/kasan/common.c:45
__kasan_record_aux_stack+0xbc/0xd0 mm/kasan/generic.c:481
call_rcu+0x99/0x820 kernel/rcu/tree.c:2796
destroy_inode+0x129/0x1b0 fs/inode.c:314
iput_final fs/inode.c:1747 [inline]
iput.part.0+0x59b/0x880 fs/inode.c:1773
iput+0x58/0x70 fs/inode.c:1763
diFreeSpecial+0x73/0x100 fs/jfs/jfs_imap.c:548
jfs_umount+0x130/0x3f0 fs/jfs/jfs_umount.c:65
jfs_put_super+0x81/0x190 fs/jfs/super.c:194
generic_shutdown_super+0x154/0x410 fs/super.c:491
kill_block_super+0x97/0xf0 fs/super.c:1427
deactivate_locked_super+0x94/0x160 fs/super.c:331
deactivate_super+0xad/0xd0 fs/super.c:362
cleanup_mnt+0x2ae/0x3d0 fs/namespace.c:1186
task_work_run+0x16b/0x270 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
exit_to_user_mode_prepare+0x23c/0x250 kernel/entry/common.c:203
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x19/0x50 kernel/entry/common.c:296
do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Second to last potentially related work creation:
kasan_save_stack+0x1e/0x40 mm/kasan/common.c:45
__kasan_record_aux_stack+0xbc/0xd0 mm/kasan/generic.c:481
call_rcu+0x99/0x820 kernel/rcu/tree.c:2796
destroy_inode+0x129/0x1b0 fs/inode.c:314
iput_final fs/inode.c:1747 [inline]
iput.part.0+0x59b/0x880 fs/inode.c:1773
iput+0x58/0x70 fs/inode.c:1763
jfs_put_super+0x152/0x190 fs/jfs/super.c:201
generic_shutdown_super+0x154/0x410 fs/super.c:491
kill_block_super+0x97/0xf0 fs/super.c:1427
deactivate_locked_super+0x94/0x160 fs/super.c:331
deactivate_super+0xad/0xd0 fs/super.c:362
cleanup_mnt+0x2ae/0x3d0 fs/namespace.c:1186
task_work_run+0x16b/0x270 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
exit_to_user_mode_prepare+0x23c/0x250 kernel/entry/common.c:203
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x19/0x50 kernel/entry/common.c:296
do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
The buggy address belongs to the object at ffff8880a5a1c0c0
which belongs to the cache jfs_ip of size 2240
The buggy address is located 0 bytes to the right of
2240-byte region [ffff8880a5a1c0c0, ffff8880a5a1c980)
The buggy address belongs to the physical page:
page:ffffea0002968600 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffffea0002771e00 pfn:0xa5a18
head:ffffea0002968600 order:3 compound_mapcount:0 compound_pincount:0
memcg:ffff888027fc6101
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 ffff88801ba46b40 dead0000800d000d 0000000000000000
raw: ffffea0002771e00 dead000000000003 00000001ffffffff ffff888027fc6101
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Reclaimable, gfp_mask 0x1d2050(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL|__GFP_RECLAIMABLE), pid 15578, tgid 15577 (syz-executor.1), ts 741966923770, free_ts 738328900782
prep_new_page mm/page_alloc.c:2538 [inline]
get_page_from_freelist+0x1092/0x2d20 mm/page_alloc.c:4287
__alloc_pages+0x1c7/0x5a0 mm/page_alloc.c:5546
alloc_pages+0x1a6/0x270 mm/mempolicy.c:2280
alloc_slab_page mm/slub.c:1739 [inline]
allocate_slab+0x213/0x300 mm/slub.c:1884
new_slab mm/slub.c:1937 [inline]
___slab_alloc+0xac1/0x1430 mm/slub.c:3119
__slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3217
slab_alloc_node mm/slub.c:3302 [inline]
slab_alloc mm/slub.c:3344 [inline]
__kmem_cache_alloc_lru mm/slub.c:3351 [inline]
kmem_cache_alloc_lru+0x4aa/0x730 mm/slub.c:3367
alloc_inode_sb include/linux/fs.h:3106 [inline]
jfs_alloc_inode+0x23/0x60 fs/jfs/super.c:105
alloc_inode+0x61/0x230 fs/inode.c:259
new_inode_pseudo fs/inode.c:1018 [inline]
new_inode+0x27/0x270 fs/inode.c:1046
diReadSpecial+0x4f/0x6d0 fs/jfs/jfs_imap.c:422
jfs_mount+0x1da/0x7b0 fs/jfs/jfs_mount.c:108
jfs_fill_super+0x5a4/0xc70 fs/jfs/super.c:556
mount_bdev+0x34d/0x410 fs/super.c:1400
legacy_get_tree+0x105/0x220 fs/fs_context.c:610
vfs_get_tree+0x89/0x2f0 fs/super.c:1530
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1458 [inline]
free_pcp_prepare+0x65c/0xd90 mm/page_alloc.c:1508
free_unref_page_prepare mm/page_alloc.c:3386 [inline]
free_unref_page+0x19/0x4d0 mm/page_alloc.c:3482
__unfreeze_partials+0x17c/0x1a0 mm/slub.c:2532
qlink_free mm/kasan/quarantine.c:168 [inline]
qlist_free_all+0x6a/0x170 mm/kasan/quarantine.c:187
kasan_quarantine_reduce+0x180/0x200 mm/kasan/quarantine.c:294
__kasan_slab_alloc+0x62/0x80 mm/kasan/common.c:302
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook mm/slab.h:754 [inline]
slab_alloc_node mm/slub.c:3336 [inline]
slab_alloc mm/slub.c:3344 [inline]
__kmem_cache_alloc_lru mm/slub.c:3351 [inline]
kmem_cache_alloc+0x2b7/0x3d0 mm/slub.c:3360
getname_flags.part.0+0x50/0x4f0 fs/namei.c:139
getname_flags include/linux/audit.h:320 [inline]
getname+0x8e/0xd0 fs/namei.c:218
do_sys_openat2+0xf5/0x4c0 fs/open.c:1304
do_sys_open fs/open.c:1326 [inline]
__do_sys_openat fs/open.c:1342 [inline]
__se_sys_openat fs/open.c:1337 [inline]
__x64_sys_openat+0x13f/0x1f0 fs/open.c:1337
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Memory state around the buggy address:
ffff8880a5a1c880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8880a5a1c900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8880a5a1c980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff8880a5a1ca00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880a5a1ca80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot found the following issue on:
HEAD commit: aaa11ce2ffc8 Add linux-next specific files for 20220923
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=1773ecb8880000
kernel config: https://syzkaller.appspot.com/x/.config?x=186d1ff305f10294
dashboard link: https://syzkaller.appspot.com/bug?extid=489783e0c22fbb27d8e9
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/95c7bf83c07e/disk-aaa11ce2.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/b161cd56a7a3/vmlinux-aaa11ce2.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+489783...@syzkaller.appspotmail.com
ffff8880a5a1c930: 28 c9 a1 a5 80 88 ff ff 00 00 00 00 00 00 00 00 (...............
ffff8880a5a1c940: 40 c9 a1 a5 80 88 ff ff 40 c9 a1 a5 80 88 ff ff @.......@.......
ffff8880a5a1c950: 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 ................
ffff8880a5a1c960: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
ffff8880a5a1c970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
==================================================================
BUG: KASAN: slab-out-of-bounds in hex_dump_to_buffer+0xdc1/0xdf0 lib/hexdump.c:193
Read of size 1 at addr ffff8880a5a1c980 by task syz-executor.0/21885
CPU: 1 PID: 21885 Comm: syz-executor.0 Not tainted 6.0.0-rc6-next-20220923-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:284 [inline]
print_report+0x15e/0x45d mm/kasan/report.c:395
kasan_report+0xbb/0x1f0 mm/kasan/report.c:495
hex_dump_to_buffer+0xdc1/0xdf0 lib/hexdump.c:193
print_hex_dump+0x12f/0x1d0 lib/hexdump.c:276
ea_get.cold+0xaa/0x197 fs/jfs/xattr.c:561
__jfs_setxattr+0xdb/0xfc0 fs/jfs/xattr.c:671
__jfs_xattr_set+0xc9/0x150 fs/jfs/xattr.c:917
__vfs_setxattr+0x115/0x180 fs/xattr.c:182
__vfs_setxattr_noperm+0x125/0x5f0 fs/xattr.c:216
__vfs_setxattr_locked+0x1cf/0x260 fs/xattr.c:277
vfs_setxattr+0x13f/0x330 fs/xattr.c:309
setxattr+0x146/0x160 fs/xattr.c:617
path_setxattr+0x197/0x1c0 fs/xattr.c:636
__do_sys_lsetxattr fs/xattr.c:659 [inline]
__se_sys_lsetxattr fs/xattr.c:655 [inline]
__x64_sys_lsetxattr+0xbd/0x150 fs/xattr.c:655
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f56a6e8a5a9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f56a800f168 EFLAGS: 00000246 ORIG_RAX: 00000000000000bd
RAX: ffffffffffffffda RBX: 00007f56a6fabf80 RCX: 00007f56a6e8a5a9
RDX: 0000000020005280 RSI: 0000000020000180 RDI: 0000000020000140
RBP: 00007f56a6ee5580 R08: 0000000000000002 R09: 0000000000000000
R10: 0000000000000016 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffe8902fcff R14: 00007f56a800f300 R15: 0000000000022000
</TASK>
Allocated by task 21885:
kasan_save_stack+0x1e/0x40 mm/kasan/common.c:45
kasan_set_track+0x21/0x30 mm/kasan/common.c:52
__kasan_slab_alloc+0x7e/0x80 mm/kasan/common.c:325
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook mm/slab.h:754 [inline]
slab_alloc_node mm/slub.c:3336 [inline]
slab_alloc mm/slub.c:3344 [inline]
__kmem_cache_alloc_lru mm/slub.c:3351 [inline]
kmem_cache_alloc_lru+0x255/0x730 mm/slub.c:3367
alloc_inode_sb include/linux/fs.h:3106 [inline]
jfs_alloc_inode+0x23/0x60 fs/jfs/super.c:105
alloc_inode+0x61/0x230 fs/inode.c:259
iget_locked+0x1b7/0x6f0 fs/inode.c:1286
jfs_iget+0x1a/0x4d0 fs/jfs/inode.c:29
jfs_lookup+0x246/0x2f0 fs/jfs/namei.c:1462
__lookup_slow+0x24c/0x460 fs/namei.c:1685
lookup_slow fs/namei.c:1702 [inline]
walk_component+0x33f/0x5a0 fs/namei.c:1993
lookup_last fs/namei.c:2450 [inline]
path_lookupat+0x1ba/0x840 fs/namei.c:2474
filename_lookup+0x1ce/0x590 fs/namei.c:2503
user_path_at_empty+0x42/0x60 fs/namei.c:2876
user_path_at include/linux/namei.h:57 [inline]
do_mount fs/namespace.c:3380 [inline]
__do_sys_mount fs/namespace.c:3591 [inline]
__se_sys_mount fs/namespace.c:3568 [inline]
__x64_sys_mount+0x1ea/0x300 fs/namespace.c:3568
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Last potentially related work creation:
kasan_save_stack+0x1e/0x40 mm/kasan/common.c:45
__kasan_record_aux_stack+0xbc/0xd0 mm/kasan/generic.c:481
call_rcu+0x99/0x820 kernel/rcu/tree.c:2796
destroy_inode+0x129/0x1b0 fs/inode.c:314
iput_final fs/inode.c:1747 [inline]
iput.part.0+0x59b/0x880 fs/inode.c:1773
iput+0x58/0x70 fs/inode.c:1763
diFreeSpecial+0x73/0x100 fs/jfs/jfs_imap.c:548
jfs_umount+0x130/0x3f0 fs/jfs/jfs_umount.c:65
jfs_put_super+0x81/0x190 fs/jfs/super.c:194
generic_shutdown_super+0x154/0x410 fs/super.c:491
kill_block_super+0x97/0xf0 fs/super.c:1427
deactivate_locked_super+0x94/0x160 fs/super.c:331
deactivate_super+0xad/0xd0 fs/super.c:362
cleanup_mnt+0x2ae/0x3d0 fs/namespace.c:1186
task_work_run+0x16b/0x270 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
exit_to_user_mode_prepare+0x23c/0x250 kernel/entry/common.c:203
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x19/0x50 kernel/entry/common.c:296
do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Second to last potentially related work creation:
kasan_save_stack+0x1e/0x40 mm/kasan/common.c:45
__kasan_record_aux_stack+0xbc/0xd0 mm/kasan/generic.c:481
call_rcu+0x99/0x820 kernel/rcu/tree.c:2796
destroy_inode+0x129/0x1b0 fs/inode.c:314
iput_final fs/inode.c:1747 [inline]
iput.part.0+0x59b/0x880 fs/inode.c:1773
iput+0x58/0x70 fs/inode.c:1763
jfs_put_super+0x152/0x190 fs/jfs/super.c:201
generic_shutdown_super+0x154/0x410 fs/super.c:491
kill_block_super+0x97/0xf0 fs/super.c:1427
deactivate_locked_super+0x94/0x160 fs/super.c:331
deactivate_super+0xad/0xd0 fs/super.c:362
cleanup_mnt+0x2ae/0x3d0 fs/namespace.c:1186
task_work_run+0x16b/0x270 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
exit_to_user_mode_prepare+0x23c/0x250 kernel/entry/common.c:203
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x19/0x50 kernel/entry/common.c:296
do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
The buggy address belongs to the object at ffff8880a5a1c0c0
which belongs to the cache jfs_ip of size 2240
The buggy address is located 0 bytes to the right of
2240-byte region [ffff8880a5a1c0c0, ffff8880a5a1c980)
The buggy address belongs to the physical page:
page:ffffea0002968600 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffffea0002771e00 pfn:0xa5a18
head:ffffea0002968600 order:3 compound_mapcount:0 compound_pincount:0
memcg:ffff888027fc6101
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 ffff88801ba46b40 dead0000800d000d 0000000000000000
raw: ffffea0002771e00 dead000000000003 00000001ffffffff ffff888027fc6101
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Reclaimable, gfp_mask 0x1d2050(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL|__GFP_RECLAIMABLE), pid 15578, tgid 15577 (syz-executor.1), ts 741966923770, free_ts 738328900782
prep_new_page mm/page_alloc.c:2538 [inline]
get_page_from_freelist+0x1092/0x2d20 mm/page_alloc.c:4287
__alloc_pages+0x1c7/0x5a0 mm/page_alloc.c:5546
alloc_pages+0x1a6/0x270 mm/mempolicy.c:2280
alloc_slab_page mm/slub.c:1739 [inline]
allocate_slab+0x213/0x300 mm/slub.c:1884
new_slab mm/slub.c:1937 [inline]
___slab_alloc+0xac1/0x1430 mm/slub.c:3119
__slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3217
slab_alloc_node mm/slub.c:3302 [inline]
slab_alloc mm/slub.c:3344 [inline]
__kmem_cache_alloc_lru mm/slub.c:3351 [inline]
kmem_cache_alloc_lru+0x4aa/0x730 mm/slub.c:3367
alloc_inode_sb include/linux/fs.h:3106 [inline]
jfs_alloc_inode+0x23/0x60 fs/jfs/super.c:105
alloc_inode+0x61/0x230 fs/inode.c:259
new_inode_pseudo fs/inode.c:1018 [inline]
new_inode+0x27/0x270 fs/inode.c:1046
diReadSpecial+0x4f/0x6d0 fs/jfs/jfs_imap.c:422
jfs_mount+0x1da/0x7b0 fs/jfs/jfs_mount.c:108
jfs_fill_super+0x5a4/0xc70 fs/jfs/super.c:556
mount_bdev+0x34d/0x410 fs/super.c:1400
legacy_get_tree+0x105/0x220 fs/fs_context.c:610
vfs_get_tree+0x89/0x2f0 fs/super.c:1530
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1458 [inline]
free_pcp_prepare+0x65c/0xd90 mm/page_alloc.c:1508
free_unref_page_prepare mm/page_alloc.c:3386 [inline]
free_unref_page+0x19/0x4d0 mm/page_alloc.c:3482
__unfreeze_partials+0x17c/0x1a0 mm/slub.c:2532
qlink_free mm/kasan/quarantine.c:168 [inline]
qlist_free_all+0x6a/0x170 mm/kasan/quarantine.c:187
kasan_quarantine_reduce+0x180/0x200 mm/kasan/quarantine.c:294
__kasan_slab_alloc+0x62/0x80 mm/kasan/common.c:302
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook mm/slab.h:754 [inline]
slab_alloc_node mm/slub.c:3336 [inline]
slab_alloc mm/slub.c:3344 [inline]
__kmem_cache_alloc_lru mm/slub.c:3351 [inline]
kmem_cache_alloc+0x2b7/0x3d0 mm/slub.c:3360
getname_flags.part.0+0x50/0x4f0 fs/namei.c:139
getname_flags include/linux/audit.h:320 [inline]
getname+0x8e/0xd0 fs/namei.c:218
do_sys_openat2+0xf5/0x4c0 fs/open.c:1304
do_sys_open fs/open.c:1326 [inline]
__do_sys_openat fs/open.c:1342 [inline]
__se_sys_openat fs/open.c:1337 [inline]
__x64_sys_openat+0x13f/0x1f0 fs/open.c:1337
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Memory state around the buggy address:
ffff8880a5a1c880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8880a5a1c900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8880a5a1c980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff8880a5a1ca00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880a5a1ca80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot
Oct 2, 2022, 3:29:40 PM10/2/22
to jfs-dis...@lists.sourceforge.net, linux-...@vger.kernel.org, sha...@kernel.org, syzkall...@googlegroups.com
syzbot has found a reproducer for the following issue on:
HEAD commit: b357fd1c2afc Merge tag 'usb-6.0-final' of git://git.kernel..
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=15677614880000
kernel config: https://syzkaller.appspot.com/x/.config?x=a1992c90769e07
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1201c8cc880000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+489783...@syzkaller.appspotmail.com
ffff88806c856a20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
ffff88806c856a30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
CPU: 1 PID: 3608 Comm: syz-executor371 Not tainted 6.0.0-rc7-syzkaller-00239-gb357fd1c2afc #0
print_report.cold+0x2ba/0x6e9 mm/kasan/report.c:433
kasan_report+0xb1/0x1e0 mm/kasan/report.c:495
__jfs_getxattr+0xc4/0x3d0 fs/jfs/xattr.c:807
jfs_xattr_get+0x39/0x50 fs/jfs/xattr.c:931
__vfs_getxattr+0xd9/0x140 fs/xattr.c:411
inode_doinit_use_xattr+0xb5/0x340 security/selinux/hooks.c:1321
inode_doinit_with_dentry+0xcd3/0x12e0 security/selinux/hooks.c:1443
selinux_d_instantiate+0x23/0x30 security/selinux/hooks.c:6327
security_d_instantiate+0x50/0xe0 security/security.c:2056
d_splice_alias+0x8c/0xc80 fs/dcache.c:3155
jfs_lookup+0x20c/0x2f0 fs/jfs/namei.c:1467
lookup_open.isra.0+0x76a/0x12a0 fs/namei.c:3391
open_last_lookups fs/namei.c:3481 [inline]
path_openat+0x996/0x28f0 fs/namei.c:3688
do_filp_open+0x1b6/0x400 fs/namei.c:3718
do_sys_openat2+0x16d/0x4c0 fs/open.c:1313
do_sys_open fs/open.c:1329 [inline]
__do_sys_open fs/open.c:1337 [inline]
__se_sys_open fs/open.c:1333 [inline]
__x64_sys_open+0x119/0x1c0 fs/open.c:1333
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff94f813e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
RAX: ffffffffffffffda RBX: 0030656c69662f2e RCX: 00007feb33d6a0c9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000340
RBP: 00007feb33d29890 R08: 00005555560782c0 R09: 0000000000000000
R10: 00007fff94f812b0 R11: 0000000000000246 R12: 00000000f8008000
R13: 0000000000000000 R14: 00080000000000fc R15: 0000000000000000
</TASK>
Allocated by task 3608:
kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
kasan_set_track mm/kasan/common.c:45 [inline]
set_alloc_info mm/kasan/common.c:437 [inline]
__kasan_slab_alloc+0x85/0xb0 mm/kasan/common.c:470
kasan_slab_alloc include/linux/kasan.h:224 [inline]
slab_post_alloc_hook mm/slab.h:727 [inline]
slab_alloc mm/slab.c:3294 [inline]
__kmem_cache_alloc_lru mm/slab.c:3471 [inline]
kmem_cache_alloc_lru+0x23d/0x860 mm/slab.c:3498
alloc_inode_sb include/linux/fs.h:3103 [inline]
jfs_alloc_inode+0x23/0x60 fs/jfs/super.c:105
alloc_inode+0x61/0x230 fs/inode.c:260
iget_locked+0x1b7/0x6f0 fs/inode.c:1287
open_last_lookups fs/namei.c:3481 [inline]
path_openat+0x996/0x28f0 fs/namei.c:3688
do_filp_open+0x1b6/0x400 fs/namei.c:3718
do_sys_openat2+0x16d/0x4c0 fs/open.c:1313
do_sys_open fs/open.c:1329 [inline]
__do_sys_open fs/open.c:1337 [inline]
__se_sys_open fs/open.c:1333 [inline]
__x64_sys_open+0x119/0x1c0 fs/open.c:1333
The buggy address belongs to the physical page:
page:ffffea0001b21580 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88806c856fff pfn:0x6c856
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 ffffea0001b21488 ffff88801ba2b150 ffff88801ba26a00
raw: ffff88806c856fff ffff88806c856180 0000000100000001 0000000000000000
prep_new_page mm/page_alloc.c:2532 [inline]
get_page_from_freelist+0x109b/0x2ce0 mm/page_alloc.c:4283
__alloc_pages+0x1c7/0x510 mm/page_alloc.c:5549
__alloc_pages_node include/linux/gfp.h:243 [inline]
kmem_getpages mm/slab.c:1363 [inline]
cache_grow_begin+0x75/0x360 mm/slab.c:2569
cache_alloc_refill+0x27f/0x380 mm/slab.c:2942
____cache_alloc mm/slab.c:3018 [inline]
____cache_alloc mm/slab.c:3001 [inline]
__do_cache_alloc mm/slab.c:3246 [inline]
slab_alloc mm/slab.c:3287 [inline]
__kmem_cache_alloc_lru mm/slab.c:3471 [inline]
kmem_cache_alloc_lru+0x727/0x860 mm/slab.c:3498
alloc_inode_sb include/linux/fs.h:3103 [inline]
jfs_alloc_inode+0x23/0x60 fs/jfs/super.c:105
alloc_inode+0x61/0x230 fs/inode.c:260
iget_locked+0x1b7/0x6f0 fs/inode.c:1287
open_last_lookups fs/namei.c:3481 [inline]
path_openat+0x996/0x28f0 fs/namei.c:3688
do_filp_open+0x1b6/0x400 fs/namei.c:3718
do_sys_openat2+0x16d/0x4c0 fs/open.c:1313
do_sys_open fs/open.c:1329 [inline]
__do_sys_open fs/open.c:1337 [inline]
__se_sys_open fs/open.c:1333 [inline]
__x64_sys_open+0x119/0x1c0 fs/open.c:1333
free_pcp_prepare+0x5e4/0xd20 mm/page_alloc.c:1499
free_unref_page_prepare mm/page_alloc.c:3380 [inline]
free_unref_page+0x19/0x4d0 mm/page_alloc.c:3476
free_contig_range+0xb1/0x180 mm/page_alloc.c:9453
destroy_args+0xa8/0x646 mm/debug_vm_pgtable.c:1031
debug_vm_pgtable+0x2945/0x29d6 mm/debug_vm_pgtable.c:1354
do_one_initcall+0xfe/0x650 init/main.c:1296
do_initcall_level init/main.c:1369 [inline]
do_initcalls init/main.c:1385 [inline]
do_basic_setup init/main.c:1404 [inline]
kernel_init_freeable+0x6b1/0x73a init/main.c:1623
kernel_init+0x1a/0x1d0 init/main.c:1512
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
Memory state around the buggy address:
ffff88806c856900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88806c856980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88806c856a00: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
^
ffff88806c856a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88806c856b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
HEAD commit: b357fd1c2afc Merge tag 'usb-6.0-final' of git://git.kernel..
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=15677614880000
kernel config: https://syzkaller.appspot.com/x/.config?x=a1992c90769e07
dashboard link: https://syzkaller.appspot.com/bug?extid=489783e0c22fbb27d8e9
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17e2eeb8880000
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1201c8cc880000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+489783...@syzkaller.appspotmail.com
ffff88806c856a30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
==================================================================
BUG: KASAN: slab-out-of-bounds in hex_dump_to_buffer+0xdc1/0xdf0 lib/hexdump.c:193
Read of size 1 at addr ffff88806c856a40 by task syz-executor371/3608
BUG: KASAN: slab-out-of-bounds in hex_dump_to_buffer+0xdc1/0xdf0 lib/hexdump.c:193
CPU: 1 PID: 3608 Comm: syz-executor371 Not tainted 6.0.0-rc7-syzkaller-00239-gb357fd1c2afc #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:317 [inline]
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
print_report.cold+0x2ba/0x6e9 mm/kasan/report.c:433
kasan_report+0xb1/0x1e0 mm/kasan/report.c:495
hex_dump_to_buffer+0xdc1/0xdf0 lib/hexdump.c:193
print_hex_dump+0x12f/0x1d0 lib/hexdump.c:276
ea_get.cold+0xaa/0x190 fs/jfs/xattr.c:561
print_hex_dump+0x12f/0x1d0 lib/hexdump.c:276
__jfs_getxattr+0xc4/0x3d0 fs/jfs/xattr.c:807
jfs_xattr_get+0x39/0x50 fs/jfs/xattr.c:931
__vfs_getxattr+0xd9/0x140 fs/xattr.c:411
inode_doinit_use_xattr+0xb5/0x340 security/selinux/hooks.c:1321
inode_doinit_with_dentry+0xcd3/0x12e0 security/selinux/hooks.c:1443
selinux_d_instantiate+0x23/0x30 security/selinux/hooks.c:6327
security_d_instantiate+0x50/0xe0 security/security.c:2056
d_splice_alias+0x8c/0xc80 fs/dcache.c:3155
jfs_lookup+0x20c/0x2f0 fs/jfs/namei.c:1467
lookup_open.isra.0+0x76a/0x12a0 fs/namei.c:3391
open_last_lookups fs/namei.c:3481 [inline]
path_openat+0x996/0x28f0 fs/namei.c:3688
do_filp_open+0x1b6/0x400 fs/namei.c:3718
do_sys_openat2+0x16d/0x4c0 fs/open.c:1313
do_sys_open fs/open.c:1329 [inline]
__do_sys_open fs/open.c:1337 [inline]
__se_sys_open fs/open.c:1333 [inline]
__x64_sys_open+0x119/0x1c0 fs/open.c:1333
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7feb33d6a0c9
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff94f813e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
RAX: ffffffffffffffda RBX: 0030656c69662f2e RCX: 00007feb33d6a0c9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000340
RBP: 00007feb33d29890 R08: 00005555560782c0 R09: 0000000000000000
R10: 00007fff94f812b0 R11: 0000000000000246 R12: 00000000f8008000
R13: 0000000000000000 R14: 00080000000000fc R15: 0000000000000000
</TASK>
Allocated by task 3608:
kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
kasan_set_track mm/kasan/common.c:45 [inline]
set_alloc_info mm/kasan/common.c:437 [inline]
__kasan_slab_alloc+0x85/0xb0 mm/kasan/common.c:470
kasan_slab_alloc include/linux/kasan.h:224 [inline]
slab_post_alloc_hook mm/slab.h:727 [inline]
slab_alloc mm/slab.c:3294 [inline]
__kmem_cache_alloc_lru mm/slab.c:3471 [inline]
kmem_cache_alloc_lru+0x23d/0x860 mm/slab.c:3498
alloc_inode_sb include/linux/fs.h:3103 [inline]
jfs_alloc_inode+0x23/0x60 fs/jfs/super.c:105
alloc_inode+0x61/0x230 fs/inode.c:260
iget_locked+0x1b7/0x6f0 fs/inode.c:1287
jfs_iget+0x1a/0x4d0 fs/jfs/inode.c:29
jfs_lookup+0x246/0x2f0 fs/jfs/namei.c:1462
lookup_open.isra.0+0x76a/0x12a0 fs/namei.c:3391
jfs_lookup+0x246/0x2f0 fs/jfs/namei.c:1462
open_last_lookups fs/namei.c:3481 [inline]
path_openat+0x996/0x28f0 fs/namei.c:3688
do_filp_open+0x1b6/0x400 fs/namei.c:3718
do_sys_openat2+0x16d/0x4c0 fs/open.c:1313
do_sys_open fs/open.c:1329 [inline]
__do_sys_open fs/open.c:1337 [inline]
__se_sys_open fs/open.c:1333 [inline]
__x64_sys_open+0x119/0x1c0 fs/open.c:1333
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
The buggy address belongs to the object at ffff88806c856180
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
which belongs to the cache jfs_ip of size 2240
The buggy address is located 0 bytes to the right of
2240-byte region [ffff88806c856180, ffff88806c856a40)
The buggy address is located 0 bytes to the right of
The buggy address belongs to the physical page:
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 ffffea0001b21488 ffff88801ba2b150 ffff88801ba26a00
raw: ffff88806c856fff ffff88806c856180 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Reclaimable, gfp_mask 0x242050(__GFP_IO|__GFP_NOWARN|__GFP_COMP|__GFP_THISNODE|__GFP_RECLAIMABLE), pid 3608, tgid 3608 (syz-executor371), ts 53583161798, free_ts 12386078992
page_owner tracks the page as allocated
prep_new_page mm/page_alloc.c:2532 [inline]
get_page_from_freelist+0x109b/0x2ce0 mm/page_alloc.c:4283
__alloc_pages+0x1c7/0x510 mm/page_alloc.c:5549
__alloc_pages_node include/linux/gfp.h:243 [inline]
kmem_getpages mm/slab.c:1363 [inline]
cache_grow_begin+0x75/0x360 mm/slab.c:2569
cache_alloc_refill+0x27f/0x380 mm/slab.c:2942
____cache_alloc mm/slab.c:3018 [inline]
____cache_alloc mm/slab.c:3001 [inline]
__do_cache_alloc mm/slab.c:3246 [inline]
slab_alloc mm/slab.c:3287 [inline]
__kmem_cache_alloc_lru mm/slab.c:3471 [inline]
kmem_cache_alloc_lru+0x727/0x860 mm/slab.c:3498
alloc_inode_sb include/linux/fs.h:3103 [inline]
jfs_alloc_inode+0x23/0x60 fs/jfs/super.c:105
alloc_inode+0x61/0x230 fs/inode.c:260
iget_locked+0x1b7/0x6f0 fs/inode.c:1287
jfs_iget+0x1a/0x4d0 fs/jfs/inode.c:29
jfs_lookup+0x246/0x2f0 fs/jfs/namei.c:1462
lookup_open.isra.0+0x76a/0x12a0 fs/namei.c:3391
jfs_lookup+0x246/0x2f0 fs/jfs/namei.c:1462
open_last_lookups fs/namei.c:3481 [inline]
path_openat+0x996/0x28f0 fs/namei.c:3688
do_filp_open+0x1b6/0x400 fs/namei.c:3718
do_sys_openat2+0x16d/0x4c0 fs/open.c:1313
do_sys_open fs/open.c:1329 [inline]
__do_sys_open fs/open.c:1337 [inline]
__se_sys_open fs/open.c:1333 [inline]
__x64_sys_open+0x119/0x1c0 fs/open.c:1333
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1449 [inline]
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pcp_prepare+0x5e4/0xd20 mm/page_alloc.c:1499
free_unref_page_prepare mm/page_alloc.c:3380 [inline]
free_unref_page+0x19/0x4d0 mm/page_alloc.c:3476
free_contig_range+0xb1/0x180 mm/page_alloc.c:9453
destroy_args+0xa8/0x646 mm/debug_vm_pgtable.c:1031
debug_vm_pgtable+0x2945/0x29d6 mm/debug_vm_pgtable.c:1354
do_one_initcall+0xfe/0x650 init/main.c:1296
do_initcall_level init/main.c:1369 [inline]
do_initcalls init/main.c:1385 [inline]
do_basic_setup init/main.c:1404 [inline]
kernel_init_freeable+0x6b1/0x73a init/main.c:1623
kernel_init+0x1a/0x1d0 init/main.c:1512
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
Memory state around the buggy address:
ffff88806c856980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88806c856a00: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
^
ffff88806c856a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88806c856b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
김병남
Oct 3, 2022, 9:02:47 AM10/3/22
to syzkaller-bugs
2022년 10월 3일 월요일 오전 4시 29분 40초 UTC+9에 syzbot님이 작성:
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git b357fd1c2afc1a3e1b73dc4574bb7ac0e3bd4193
index f9273f6901c8..33567a876bb1 100644
--- a/fs/jfs/xattr.c
+++ b/fs/jfs/xattr.c
@@ -559,7 +559,7 @@ static int ea_get(struct inode *inode, struct ea_buffer *ea_buf, int min_size)
if (EALIST_SIZE(ea_buf->xattr) != ea_size) {
printk(KERN_ERR "ea_get: invalid extended attribute\n");
print_hex_dump(KERN_ERR, "", DUMP_PREFIX_ADDRESS, 16, 1,
- ea_buf->xattr, ea_size, 1);
+ EALIST_SIZE(ea_buf->xattr), ea_size, 1);
ea_release(inode, ea_buf);
rc = -EIO;
goto clean_up;
--
Byungnam Kim
Oct 3, 2022, 11:17:52 AM10/3/22
to syzkaller-bugs
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git b357fd1c2afc1a3e1b73dc4574bb7ac0e3bd4193
index f9273f6901c8..33567a876bb1 100644
--- a/fs/jfs/xattr.c
+++ b/fs/jfs/xattr.c
@@ -559,7 +559,7 @@ static int ea_get(struct inode *inode, struct ea_buffer *ea_buf, int min_size)
if (EALIST_SIZE(ea_buf->xattr) != ea_size) {
printk(KERN_ERR "ea_get: invalid extended attribute\n");
print_hex_dump(KERN_ERR, "", DUMP_PREFIX_ADDRESS, 16, 1,
- ea_buf->xattr, ea_size, 1);
+ EALIST_SIZE(ea_buf->xattr), ea_size, 1);
ea_release(inode, ea_buf);
rc = -EIO;
goto clean_up;
--
2022년 10월 3일 월요일 오후 10시 2분 47초 UTC+9에 Byungnam Kim님이 작성:
syzbot
Oct 3, 2022, 11:17:56 AM10/3/22
to 'Byungnam Kim' via syzkaller-bugs, syzkall...@googlegroups.com
> #syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
I see the command but can't find the corresponding bug.
Please resend the email to syzbo...@syzkaller.appspotmail.com address
that is the sender of the bug report (also present in the Reported-by tag).
> --
> You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bug...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/27bbaef6-e7b6-4529-b042-aef6be52142bn%40googlegroups.com.
I see the command but can't find the corresponding bug.
Please resend the email to syzbo...@syzkaller.appspotmail.com address
that is the sender of the bug report (also present in the Reported-by tag).
> You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bug...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/27bbaef6-e7b6-4529-b042-aef6be52142bn%40googlegroups.com.
Byungnam Kim
Oct 3, 2022, 11:25:46 AM10/3/22
to syzkaller-bugs
2022년 10월 4일 화요일 오전 12시 17분 56초 UTC+9에 syzbot님이 작성:
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git b357fd1c2afc
syzbot
Oct 3, 2022, 11:25:50 AM10/3/22
to 'Byungnam Kim' via syzkaller-bugs, syzkall...@googlegroups.com
> b357fd1c2afc
>
> diff --git a/fs/jfs/xattr.c b/fs/jfs/xattr.c
> index f9273f6901c8..33567a876bb1 100644
> --- a/fs/jfs/xattr.c
> +++ b/fs/jfs/xattr.c
> @@ -559,7 +559,7 @@ static int ea_get(struct inode *inode, struct ea_buffer
> *ea_buf, int min_size)
> if (EALIST_SIZE(ea_buf->xattr) != ea_size) {
> printk(KERN_ERR "ea_get: invalid extended attribute\n");
> print_hex_dump(KERN_ERR, "", DUMP_PREFIX_ADDRESS, 16, 1,
> - ea_buf->xattr, ea_size, 1);
> + EALIST_SIZE(ea_buf->xattr), ea_size, 1);
> ea_release(inode, ea_buf);
> rc = -EIO;
> goto clean_up;
> --
>
>
> diff --git a/fs/jfs/xattr.c b/fs/jfs/xattr.c
> index f9273f6901c8..33567a876bb1 100644
> --- a/fs/jfs/xattr.c
> +++ b/fs/jfs/xattr.c
> @@ -559,7 +559,7 @@ static int ea_get(struct inode *inode, struct ea_buffer
> *ea_buf, int min_size)
> if (EALIST_SIZE(ea_buf->xattr) != ea_size) {
> printk(KERN_ERR "ea_get: invalid extended attribute\n");
> print_hex_dump(KERN_ERR, "", DUMP_PREFIX_ADDRESS, 16, 1,
> - ea_buf->xattr, ea_size, 1);
> + EALIST_SIZE(ea_buf->xattr), ea_size, 1);
> ea_release(inode, ea_buf);
> rc = -EIO;
> goto clean_up;
> --
>
> --
> You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bug...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/35d63b08-7692-4d14-ba4c-3184b9f90831n%40googlegroups.com.
> You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bug...@googlegroups.com.
Kim, Byungnam
Oct 3, 2022, 12:14:44 PM10/3/22
to syzbot+489783...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git b357fd1c2afc
syzbot
Oct 3, 2022, 12:54:19 PM10/3/22
to kimby...@ajou.ac.kr, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in hex_dump_to_buffer
loop0: detected capacity change from 0 to 32768
ea_get: invalid extended attribute
general protection fault, probably for non-canonical address 0xdffffc0000000004: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000020-0x0000000000000027]
CPU: 1 PID: 4159 Comm: syz-executor.0 Not tainted 6.0.0-rc7-syzkaller-00239-gb357fd1c2afc-dirty #0
Code: 7d fd 49 83 ff 01 0f 84 05 0b 00 00 e8 25 52 7d fd 48 8b 7c 24 18 48 b8 00 00 00 00 00 fc ff df 48 89 fa 83 e7 07 48 c1 ea 03 <0f> b6 04 02 40 38 f8 7f 08 84 c0 0f 85 f2 0b 00 00 48 8b 44 24 18
RSP: 0018:ffffc900034470e0 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000000010 RCX: 0000000000000000
RDX: 0000000000000004 RSI: ffffffff83fde4fb RDI: 0000000000000002
RBP: 0000000000000021 R08: 0000000000000007 R09: 0000000000000001
R10: 0000000000000083 R11: 0000000000000000 R12: 0000000000000010
R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000083
FS: 00007f3f34bd5700(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f3f33bad0b0 CR3: 000000006bbbc000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
print_hex_dump+0x12f/0x1d0 lib/hexdump.c:276
ea_get.cold+0xd2/0x1c2 fs/jfs/xattr.c:561
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f3f34bd5168 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
RAX: ffffffffffffffda RBX: 00007f3f33babf80 RCX: 00007f3f33a8a5a9
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffe411969bf R14: 00007f3f34bd5300 R15: 0000000000022000
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:hex_dump_to_buffer+0x1b4/0xdf0 lib/hexdump.c:193
Code: 7d fd 49 83 ff 01 0f 84 05 0b 00 00 e8 25 52 7d fd 48 8b 7c 24 18 48 b8 00 00 00 00 00 fc ff df 48 89 fa 83 e7 07 48 c1 ea 03 <0f> b6 04 02 40 38 f8 7f 08 84 c0 0f 85 f2 0b 00 00 48 8b 44 24 18
RSP: 0018:ffffc900034470e0 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000000010 RCX: 0000000000000000
RDX: 0000000000000004 RSI: ffffffff83fde4fb RDI: 0000000000000002
RBP: 0000000000000021 R08: 0000000000000007 R09: 0000000000000001
R10: 0000000000000083 R11: 0000000000000000 R12: 0000000000000010
R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000083
FS: 00007f3f34bd5700(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fb91f76b2e0 CR3: 000000006bbbc000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 7d fd jge 0xffffffff
2: 49 83 ff 01 cmp $0x1,%r15
6: 0f 84 05 0b 00 00 je 0xb11
c: e8 25 52 7d fd callq 0xfd7d5236
11: 48 8b 7c 24 18 mov 0x18(%rsp),%rdi
16: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
1d: fc ff df
20: 48 89 fa mov %rdi,%rdx
23: 83 e7 07 and $0x7,%edi
26: 48 c1 ea 03 shr $0x3,%rdx
* 2a: 0f b6 04 02 movzbl (%rdx,%rax,1),%eax <-- trapping instruction
2e: 40 38 f8 cmp %dil,%al
31: 7f 08 jg 0x3b
33: 84 c0 test %al,%al
35: 0f 85 f2 0b 00 00 jne 0xc2d
3b: 48 8b 44 24 18 mov 0x18(%rsp),%rax
Tested on:
commit: b357fd1c Merge tag 'usb-6.0-final' of git://git.kernel..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=12e61f70880000
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in hex_dump_to_buffer
loop0: detected capacity change from 0 to 32768
ea_get: invalid extended attribute
general protection fault, probably for non-canonical address 0xdffffc0000000004: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000020-0x0000000000000027]
CPU: 1 PID: 4159 Comm: syz-executor.0 Not tainted 6.0.0-rc7-syzkaller-00239-gb357fd1c2afc-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
RIP: 0010:hex_dump_to_buffer+0x1b4/0xdf0 lib/hexdump.c:193
Code: 7d fd 49 83 ff 01 0f 84 05 0b 00 00 e8 25 52 7d fd 48 8b 7c 24 18 48 b8 00 00 00 00 00 fc ff df 48 89 fa 83 e7 07 48 c1 ea 03 <0f> b6 04 02 40 38 f8 7f 08 84 c0 0f 85 f2 0b 00 00 48 8b 44 24 18
RSP: 0018:ffffc900034470e0 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000000010 RCX: 0000000000000000
RDX: 0000000000000004 RSI: ffffffff83fde4fb RDI: 0000000000000002
RBP: 0000000000000021 R08: 0000000000000007 R09: 0000000000000001
R10: 0000000000000083 R11: 0000000000000000 R12: 0000000000000010
R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000083
FS: 00007f3f34bd5700(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f3f33bad0b0 CR3: 000000006bbbc000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
print_hex_dump+0x12f/0x1d0 lib/hexdump.c:276
ea_get.cold+0xd2/0x1c2 fs/jfs/xattr.c:561
__jfs_getxattr+0xc4/0x3d0 fs/jfs/xattr.c:807
jfs_xattr_get+0x39/0x50 fs/jfs/xattr.c:931
__vfs_getxattr+0xd9/0x140 fs/xattr.c:411
inode_doinit_use_xattr+0xb5/0x340 security/selinux/hooks.c:1321
inode_doinit_with_dentry+0xcd3/0x12e0 security/selinux/hooks.c:1443
selinux_d_instantiate+0x23/0x30 security/selinux/hooks.c:6327
security_d_instantiate+0x50/0xe0 security/security.c:2056
d_splice_alias+0x8c/0xc80 fs/dcache.c:3155
jfs_lookup+0x20c/0x2f0 fs/jfs/namei.c:1467
lookup_open.isra.0+0x76a/0x12a0 fs/namei.c:3391
open_last_lookups fs/namei.c:3481 [inline]
path_openat+0x996/0x28f0 fs/namei.c:3688
do_filp_open+0x1b6/0x400 fs/namei.c:3718
do_sys_openat2+0x16d/0x4c0 fs/open.c:1313
do_sys_open fs/open.c:1329 [inline]
__do_sys_open fs/open.c:1337 [inline]
__se_sys_open fs/open.c:1333 [inline]
__x64_sys_open+0x119/0x1c0 fs/open.c:1333
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f3f33a8a5a9
jfs_xattr_get+0x39/0x50 fs/jfs/xattr.c:931
__vfs_getxattr+0xd9/0x140 fs/xattr.c:411
inode_doinit_use_xattr+0xb5/0x340 security/selinux/hooks.c:1321
inode_doinit_with_dentry+0xcd3/0x12e0 security/selinux/hooks.c:1443
selinux_d_instantiate+0x23/0x30 security/selinux/hooks.c:6327
security_d_instantiate+0x50/0xe0 security/security.c:2056
d_splice_alias+0x8c/0xc80 fs/dcache.c:3155
jfs_lookup+0x20c/0x2f0 fs/jfs/namei.c:1467
lookup_open.isra.0+0x76a/0x12a0 fs/namei.c:3391
open_last_lookups fs/namei.c:3481 [inline]
path_openat+0x996/0x28f0 fs/namei.c:3688
do_filp_open+0x1b6/0x400 fs/namei.c:3718
do_sys_openat2+0x16d/0x4c0 fs/open.c:1313
do_sys_open fs/open.c:1329 [inline]
__do_sys_open fs/open.c:1337 [inline]
__se_sys_open fs/open.c:1333 [inline]
__x64_sys_open+0x119/0x1c0 fs/open.c:1333
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f3f34bd5168 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
RAX: ffffffffffffffda RBX: 00007f3f33babf80 RCX: 00007f3f33a8a5a9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000340
RBP: 00007f3f33ae5580 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffe411969bf R14: 00007f3f34bd5300 R15: 0000000000022000
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:hex_dump_to_buffer+0x1b4/0xdf0 lib/hexdump.c:193
Code: 7d fd 49 83 ff 01 0f 84 05 0b 00 00 e8 25 52 7d fd 48 8b 7c 24 18 48 b8 00 00 00 00 00 fc ff df 48 89 fa 83 e7 07 48 c1 ea 03 <0f> b6 04 02 40 38 f8 7f 08 84 c0 0f 85 f2 0b 00 00 48 8b 44 24 18
RSP: 0018:ffffc900034470e0 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000000010 RCX: 0000000000000000
RDX: 0000000000000004 RSI: ffffffff83fde4fb RDI: 0000000000000002
RBP: 0000000000000021 R08: 0000000000000007 R09: 0000000000000001
R10: 0000000000000083 R11: 0000000000000000 R12: 0000000000000010
R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000083
FS: 00007f3f34bd5700(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fb91f76b2e0 CR3: 000000006bbbc000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 7d fd jge 0xffffffff
2: 49 83 ff 01 cmp $0x1,%r15
6: 0f 84 05 0b 00 00 je 0xb11
c: e8 25 52 7d fd callq 0xfd7d5236
11: 48 8b 7c 24 18 mov 0x18(%rsp),%rdi
16: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
1d: fc ff df
20: 48 89 fa mov %rdi,%rdx
23: 83 e7 07 and $0x7,%edi
26: 48 c1 ea 03 shr $0x3,%rdx
* 2a: 0f b6 04 02 movzbl (%rdx,%rax,1),%eax <-- trapping instruction
2e: 40 38 f8 cmp %dil,%al
31: 7f 08 jg 0x3b
33: 84 c0 test %al,%al
35: 0f 85 f2 0b 00 00 jne 0xc2d
3b: 48 8b 44 24 18 mov 0x18(%rsp),%rax
Tested on:
commit: b357fd1c Merge tag 'usb-6.0-final' of git://git.kernel..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=12e61f70880000
kernel config: https://syzkaller.appspot.com/x/.config?x=a1992c90769e07
dashboard link: https://syzkaller.appspot.com/bug?extid=489783e0c22fbb27d8e9
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=179a79b8880000
dashboard link: https://syzkaller.appspot.com/bug?extid=489783e0c22fbb27d8e9
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
Kim, Byungnam
Oct 4, 2022, 9:11:56 AM10/4/22
to syzbot+489783...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git b357fd1c2afc
---
fs/jfs/xattr.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/jfs/xattr.c b/fs/jfs/xattr.c
index f9273f6901c8..3839aafc72bf 100644
--- a/fs/jfs/xattr.c
+++ b/fs/jfs/xattr.c
@@ -559,7 +559,7 @@ static int ea_get(struct inode *inode, struct ea_buffer *ea_buf, int min_size)
if (EALIST_SIZE(ea_buf->xattr) != ea_size) {
printk(KERN_ERR "ea_get: invalid extended attribute\n");
print_hex_dump(KERN_ERR, "", DUMP_PREFIX_ADDRESS, 16, 1,
- ea_buf->xattr, ea_size, 1);
+ ea_buf->xattr, EALIST_SIZE(ea_buf->xattr), 1);
syzbot
Oct 4, 2022, 9:31:27 AM10/4/22
to kimby...@ajou.ac.kr, syzkall...@googlegroups.com
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
asset storage also requires dashboard client
syzkaller build log:
go env (err=<nil>)
GO111MODULE="auto"
GOARCH="amd64"
GOBIN=""
GOCACHE="/syzkaller/.cache/go-build"
GOENV="/syzkaller/.config/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/syzkaller/jobs/linux/gopath/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/syzkaller/jobs/linux/gopath"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="go1.17"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/syzkaller/jobs/linux/gopath/src/github.com/google/syzkaller/go.mod"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build2043878929=/tmp/go-build -gno-record-gcc-switches"
git status (err=<nil>)
HEAD detached at feb563518
nothing to commit, working tree clean
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=feb5635181eb12a6e3516172a3f5af06a3bc93e1 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20220930-160315'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-fuzzer github.com/google/syzkaller/syz-fuzzer
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=feb5635181eb12a6e3516172a3f5af06a3bc93e1 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20220930-160315'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=feb5635181eb12a6e3516172a3f5af06a3bc93e1 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20220930-160315'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-stress github.com/google/syzkaller/tools/syz-stress
mkdir -p ./bin/linux_amd64
gcc -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -static-pie -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"feb5635181eb12a6e3516172a3f5af06a3bc93e1\"
Tested on:
commit: b357fd1c Merge tag 'usb-6.0-final' of git://git.kernel..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
syzbot tried to test the proposed patch but the build/boot failed:
asset storage also requires dashboard client
syzkaller build log:
go env (err=<nil>)
GO111MODULE="auto"
GOARCH="amd64"
GOBIN=""
GOCACHE="/syzkaller/.cache/go-build"
GOENV="/syzkaller/.config/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/syzkaller/jobs/linux/gopath/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/syzkaller/jobs/linux/gopath"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="go1.17"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/syzkaller/jobs/linux/gopath/src/github.com/google/syzkaller/go.mod"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build2043878929=/tmp/go-build -gno-record-gcc-switches"
git status (err=<nil>)
HEAD detached at feb563518
nothing to commit, working tree clean
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=feb5635181eb12a6e3516172a3f5af06a3bc93e1 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20220930-160315'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-fuzzer github.com/google/syzkaller/syz-fuzzer
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=feb5635181eb12a6e3516172a3f5af06a3bc93e1 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20220930-160315'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=feb5635181eb12a6e3516172a3f5af06a3bc93e1 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20220930-160315'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-stress github.com/google/syzkaller/tools/syz-stress
mkdir -p ./bin/linux_amd64
gcc -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -static-pie -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"feb5635181eb12a6e3516172a3f5af06a3bc93e1\"
Tested on:
commit: b357fd1c Merge tag 'usb-6.0-final' of git://git.kernel..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel config: https://syzkaller.appspot.com/x/.config?x=a1992c90769e07
dashboard link: https://syzkaller.appspot.com/bug?extid=489783e0c22fbb27d8e9
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=1547e6a2880000
dashboard link: https://syzkaller.appspot.com/bug?extid=489783e0c22fbb27d8e9
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
Kim, Byungnam
Oct 4, 2022, 9:38:08 AM10/4/22
to syzbot+489783...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
Aleksandr Nogikh
Oct 4, 2022, 9:40:13 AM10/4/22
to syzbot, kimby...@ajou.ac.kr, 'Aleksandr Nogikh' via syzkaller-bugs
FYI There was a bug in syzbot's patch testing, now it's fixed, so the
following requests should succeed.
following requests should succeed.
> --
> You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bug...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/0000000000000d750205ea357ac3%40google.com.
> You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bug...@googlegroups.com.
syzbot
Oct 4, 2022, 11:21:22 AM10/4/22
to kimby...@ajou.ac.kr, syzkall...@googlegroups.com
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
fs/jfs/xattr.c:563:28: error: expected ')' before ';' token
syzbot tried to test the proposed patch but the build/boot failed:
fs/jfs/xattr.c:563:3: error: invalid use of void expression
fs/jfs/xattr.c:561:3: error: too few arguments to function 'print_hex_dump'
fs/jfs/xattr.c:565:17: error: expected ';' before '}' token
Tested on:
commit: b357fd1c Merge tag 'usb-6.0-final' of git://git.kernel..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
dashboard link: https://syzkaller.appspot.com/bug?extid=489783e0c22fbb27d8e9
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=1649b182880000
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syzbot
Jan 27, 2024, 5:45:21 PMJan 27
to syzkall...@googlegroups.com
Auto-closing this bug as obsolete.
No recent activity, existing reproducers are no longer triggering the issue.
No recent activity, existing reproducers are no longer triggering the issue.
Reply all
Reply to author
Forward
0 new messages