[v5.15] UBSAN: array-index-out-of-bounds in dbJoin


syzbot

May 7, 2024, 10:35:21 PM
to syzkaller...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 284087d4f7d5 Linux 5.15.158
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1180c624980000
kernel config: https://syzkaller.appspot.com/x/.config?x=ab74f93e8454887c
dashboard link: https://syzkaller.appspot.com/bug?extid=cffee4987ee15d116a32
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/0accc7dacf9d/disk-284087d4.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/fb6b5b110f8c/vmlinux-284087d4.xz
kernel image: https://storage.googleapis.com/syzbot-assets/6763bebdbfea/Image-284087d4.gz.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+cffee4...@syzkaller.appspotmail.com

================================================================================
UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dmap.c:2846:24
index 2994972533 is out of range for type 's8[1365]' (aka 'signed char[1365]')
CPU: 1 PID: 239 Comm: jfsCommit Not tainted 5.15.158-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call trace:
dump_backtrace+0x0/0x530 arch/arm64/kernel/stacktrace.c:152
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:216
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
dump_stack+0x1c/0x58 lib/dump_stack.c:113
ubsan_epilogue lib/ubsan.c:151 [inline]
__ubsan_handle_out_of_bounds+0x108/0x15c lib/ubsan.c:282
dbJoin+0x268/0x2a4 fs/jfs/jfs_dmap.c:2846
dbFreeBits+0x458/0xc30 fs/jfs/jfs_dmap.c:2406
dbFreeDmap fs/jfs/jfs_dmap.c:2155 [inline]
dbFree+0x2dc/0x5d8 fs/jfs/jfs_dmap.c:409
txFreeMap+0x7e8/0xb84 fs/jfs/jfs_txnmgr.c:2549
xtTruncate+0xb18/0x2b10 fs/jfs/jfs_xtree.c:3428
jfs_free_zero_link+0x374/0x598 fs/jfs/namei.c:758
jfs_evict_inode+0x308/0x408 fs/jfs/inode.c:153
evict+0x260/0x68c fs/inode.c:587
iput_final fs/inode.c:1705 [inline]
iput+0x744/0x824 fs/inode.c:1731
txUpdateMap+0x76c/0x914 fs/jfs/jfs_txnmgr.c:2401
txLazyCommit fs/jfs/jfs_txnmgr.c:2698 [inline]
jfs_lazycommit+0x3b0/0xa40 fs/jfs/jfs_txnmgr.c:2766
kthread+0x37c/0x45c kernel/kthread.c:334
ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:870
================================================================================
------------[ cut here ]------------
WARNING: CPU: 0 PID: 239 at fs/jfs/jfs_dmap.c:2941 dbAdjTree+0x3a0/0x480 fs/jfs/jfs_dmap.c:2941
Modules linked in:
CPU: 0 PID: 239 Comm: jfsCommit Not tainted 5.15.158-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : dbAdjTree+0x3a0/0x480 fs/jfs/jfs_dmap.c:2941
lr : dbAdjTree+0x3a0/0x480 fs/jfs/jfs_dmap.c:2941
sp : ffff80001aed7410
x29: ffff80001aed7410 x28: dfff800000000000 x27: 1fffe0001e29c002
x26: dfff800000000000 x25: ffff0001a3d1a796 x24: 00000000ffffffff
x23: 0000000000000155 x22: 00000000b283a776 x21: 0000000000000001
x20: 0000000000000001 x19: ffff0000f14e0010 x18: 1fffe000368fd78e
x17: 1fffe000368fd78e x16: ffff800011998e34 x15: ffff8000149dec00
x14: 1ffff0000292806a x13: dfff800000000000 x12: ffff700002de9f64
x11: 0000000000000000 x10: 0000000000000000 x9 : ffff0000c69e1b40
x8 : ffff8000098c2aa8 x7 : 0000000000000000 x6 : 0000000000000000
x5 : 0000000000000080 x4 : 0000000000000000 x3 : 0000000000000000
x2 : 0000000000000001 x1 : 0000000000000155 x0 : 00000000b283a776
Call trace:
dbAdjTree+0x3a0/0x480 fs/jfs/jfs_dmap.c:2941
dbJoin+0x1ec/0x2a4 fs/jfs/jfs_dmap.c:2909
dbFreeBits+0x458/0xc30 fs/jfs/jfs_dmap.c:2406
dbFreeDmap fs/jfs/jfs_dmap.c:2155 [inline]
dbFree+0x2dc/0x5d8 fs/jfs/jfs_dmap.c:409
txFreeMap+0x7e8/0xb84 fs/jfs/jfs_txnmgr.c:2549
xtTruncate+0xb18/0x2b10 fs/jfs/jfs_xtree.c:3428
jfs_free_zero_link+0x374/0x598 fs/jfs/namei.c:758
jfs_evict_inode+0x308/0x408 fs/jfs/inode.c:153
evict+0x260/0x68c fs/inode.c:587
iput_final fs/inode.c:1705 [inline]
iput+0x744/0x824 fs/inode.c:1731
txUpdateMap+0x76c/0x914 fs/jfs/jfs_txnmgr.c:2401
txLazyCommit fs/jfs/jfs_txnmgr.c:2698 [inline]
jfs_lazycommit+0x3b0/0xa40 fs/jfs/jfs_txnmgr.c:2766
kthread+0x37c/0x45c kernel/kthread.c:334
ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:870
irq event stamp: 1292
hardirqs last enabled at (1291): [<ffff800008269adc>] raw_spin_rq_unlock_irq kernel/sched/sched.h:1338 [inline]
hardirqs last enabled at (1291): [<ffff800008269adc>] finish_lock_switch+0xbc/0x1e8 kernel/sched/core.c:4784
hardirqs last disabled at (1292): [<ffff8000119944c0>] el1_dbg+0x24/0x80 arch/arm64/kernel/entry-common.c:396
softirqs last enabled at (1274): [<ffff800008021c64>] softirq_handle_end kernel/softirq.c:401 [inline]
softirqs last enabled at (1274): [<ffff800008021c64>] __do_softirq+0xb5c/0xdb0 kernel/softirq.c:587
softirqs last disabled at (1027): [<ffff8000081b6568>] do_softirq_own_stack include/asm-generic/softirq_stack.h:10 [inline]
softirqs last disabled at (1027): [<ffff8000081b6568>] invoke_softirq kernel/softirq.c:439 [inline]
softirqs last disabled at (1027): [<ffff8000081b6568>] __irq_exit_rcu+0x264/0x4d4 kernel/softirq.c:637
---[ end trace 2f25899a09969fbf ]---


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

syzbot

May 14, 2024, 4:42:25 AM
to syzkaller...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 909ba1f1b414 Linux 6.1.90
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=14bef678980000
kernel config: https://syzkaller.appspot.com/x/.config?x=3be6d6f79b879a67
dashboard link: https://syzkaller.appspot.com/bug?extid=815a5691fe6de3cdb492
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/63178de7cba7/disk-909ba1f1.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/25dec90d8126/vmlinux-909ba1f1.xz
kernel image: https://storage.googleapis.com/syzbot-assets/25509ea1c6cd/bzImage-909ba1f1.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+815a56...@syzkaller.appspotmail.com

================================================================================
UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dmap.c:2778:24
index 4294967295 is out of range for type 's8[1365]' (aka 'signed char[1365]')
CPU: 0 PID: 134 Comm: jfsCommit Not tainted 6.1.90-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
ubsan_epilogue lib/ubsan.c:151 [inline]
__ubsan_handle_out_of_bounds+0x118/0x140 lib/ubsan.c:282
dbJoin+0x2e9/0x310 fs/jfs/jfs_dmap.c:2778
dbFreeBits+0x4ef/0xdb0 fs/jfs/jfs_dmap.c:2338
dbFreeDmap fs/jfs/jfs_dmap.c:2087 [inline]
dbFree+0x357/0x670 fs/jfs/jfs_dmap.c:409
txFreeMap+0x966/0xd50 fs/jfs/jfs_txnmgr.c:2515
xtTruncate+0xe58/0x3260 fs/jfs/jfs_xtree.c:2467
jfs_free_zero_link+0x46a/0x6e0 fs/jfs/namei.c:758
jfs_evict_inode+0x35b/0x440 fs/jfs/inode.c:153
evict+0x2a4/0x620 fs/inode.c:666
txUpdateMap+0x825/0x9e0 fs/jfs/jfs_txnmgr.c:2367
txLazyCommit fs/jfs/jfs_txnmgr.c:2664 [inline]
jfs_lazycommit+0x476/0xb60 fs/jfs/jfs_txnmgr.c:2732
kthread+0x28d/0x320 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
</TASK>
================================================================================

syzbot

May 14, 2024, 6:31:29 AM
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following issue on:

HEAD commit: 284087d4f7d5 Linux 5.15.158
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=151e6978980000
kernel config: https://syzkaller.appspot.com/x/.config?x=b0dd54e4b5171ebc
dashboard link: https://syzkaller.appspot.com/bug?extid=cffee4987ee15d116a32
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1742d884980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1494e45c980000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/c2e33c1db6bf/disk-284087d4.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/d9f77284af1d/vmlinux-284087d4.xz
kernel image: https://storage.googleapis.com/syzbot-assets/a600323dd149/bzImage-284087d4.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/991d947d36d4/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+cffee4...@syzkaller.appspotmail.com

================================================================================
UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dmap.c:2846:24
index 4294967295 is out of range for type 's8[1365]' (aka 'signed char[1365]')
CPU: 0 PID: 275 Comm: jfsCommit Not tainted 5.15.158-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e3/0x2d0 lib/dump_stack.c:106
ubsan_epilogue lib/ubsan.c:151 [inline]
__ubsan_handle_out_of_bounds+0x118/0x140 lib/ubsan.c:282
dbJoin+0x2e9/0x310 fs/jfs/jfs_dmap.c:2846
dbFreeBits+0x4ef/0xdb0 fs/jfs/jfs_dmap.c:2406
dbFreeDmap fs/jfs/jfs_dmap.c:2155 [inline]
dbFree+0x357/0x670 fs/jfs/jfs_dmap.c:409
txFreeMap+0x966/0xd50 fs/jfs/jfs_txnmgr.c:2549
xtTruncate+0xe58/0x3260 fs/jfs/jfs_xtree.c:3428
jfs_free_zero_link+0x46a/0x6e0 fs/jfs/namei.c:758
jfs_evict_inode+0x35b/0x440 fs/jfs/inode.c:153
evict+0x2a4/0x620 fs/inode.c:587
txUpdateMap+0x825/0x9e0 fs/jfs/jfs_txnmgr.c:2401
txLazyCommit fs/jfs/jfs_txnmgr.c:2698 [inline]
jfs_lazycommit+0x470/0xc30 fs/jfs/jfs_txnmgr.c:2766
kthread+0x3f6/0x4f0 kernel/kthread.c:334
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:300
</TASK>
================================================================================
================================================================================
UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dmap.c:2968:18
index -3 is out of range for type 's8[1365]' (aka 'signed char[1365]')
CPU: 0 PID: 275 Comm: jfsCommit Tainted: G B 5.15.158-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e3/0x2d0 lib/dump_stack.c:106
ubsan_epilogue lib/ubsan.c:151 [inline]
__ubsan_handle_out_of_bounds+0x118/0x140 lib/ubsan.c:282
dbAdjTree+0x377/0x520 fs/jfs/jfs_dmap.c:2968
dbJoin+0x255/0x310 fs/jfs/jfs_dmap.c:2909
dbFreeBits+0x4ef/0xdb0 fs/jfs/jfs_dmap.c:2406
dbFreeDmap fs/jfs/jfs_dmap.c:2155 [inline]
dbFree+0x357/0x670 fs/jfs/jfs_dmap.c:409
txFreeMap+0x966/0xd50 fs/jfs/jfs_txnmgr.c:2549
xtTruncate+0xe58/0x3260 fs/jfs/jfs_xtree.c:3428
jfs_free_zero_link+0x46a/0x6e0 fs/jfs/namei.c:758
jfs_evict_inode+0x35b/0x440 fs/jfs/inode.c:153
evict+0x2a4/0x620 fs/inode.c:587
txUpdateMap+0x825/0x9e0 fs/jfs/jfs_txnmgr.c:2401
txLazyCommit fs/jfs/jfs_txnmgr.c:2698 [inline]
jfs_lazycommit+0x470/0xc30 fs/jfs/jfs_txnmgr.c:2766
kthread+0x3f6/0x4f0 kernel/kthread.c:334
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:300
</TASK>


---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

syzbot

May 14, 2024, 9:59:35 AM
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following issue on:

HEAD commit: 909ba1f1b414 Linux 6.1.90
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=10553084980000
kernel config: https://syzkaller.appspot.com/x/.config?x=3be6d6f79b879a67
dashboard link: https://syzkaller.appspot.com/bug?extid=815a5691fe6de3cdb492
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10be6978980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12e0f96c980000
mounted in repro: https://storage.googleapis.com/syzbot-assets/db89e2259762/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+815a56...@syzkaller.appspotmail.com

================================================================================
UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dmap.c:2778:24
index 4294967295 is out of range for type 's8[1365]' (aka 'signed char[1365]')
CPU: 1 PID: 133 Comm: jfsCommit Not tainted 6.1.90-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
ubsan_epilogue lib/ubsan.c:151 [inline]
__ubsan_handle_out_of_bounds+0x118/0x140 lib/ubsan.c:282
dbJoin+0x2e9/0x310 fs/jfs/jfs_dmap.c:2778
dbFreeBits+0x4ef/0xdb0 fs/jfs/jfs_dmap.c:2338
dbFreeDmap fs/jfs/jfs_dmap.c:2087 [inline]
dbFree+0x357/0x670 fs/jfs/jfs_dmap.c:409
txFreeMap+0x966/0xd50 fs/jfs/jfs_txnmgr.c:2515
xtTruncate+0xe58/0x3260 fs/jfs/jfs_xtree.c:2467
jfs_free_zero_link+0x46a/0x6e0 fs/jfs/namei.c:758
jfs_evict_inode+0x35b/0x440 fs/jfs/inode.c:153
evict+0x2a4/0x620 fs/inode.c:666
txUpdateMap+0x825/0x9e0 fs/jfs/jfs_txnmgr.c:2367
txLazyCommit fs/jfs/jfs_txnmgr.c:2664 [inline]
jfs_lazycommit+0x476/0xb60 fs/jfs/jfs_txnmgr.c:2732
kthread+0x28d/0x320 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
</TASK>
================================================================================


---