Hello,
syzbot found the following crash on:
HEAD commit: 8488c3f3 Linux 4.19.116
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=130070bbe00000
kernel config: https://syzkaller.appspot.com/x/.config?x=f57eb167d8072371
dashboard link: https://syzkaller.appspot.com/bug?extid=f77070592e2450481fe2
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+f77070...@syzkaller.appspotmail.com
loop5: rw=2049, want=6434, limit=52
Buffer I/O error on dev loop5, logical block 3216, lost async page write
minix_free_inode: bit 1 already cleared
MINIX-fs: mounting unchecked file system, running fsck is recommended
==================================================================
BUG: KASAN: slab-out-of-bounds in add_chain fs/minix/itree_common.c:14 [inline]
BUG: KASAN: slab-out-of-bounds in get_branch fs/minix/itree_common.c:52 [inline]
BUG: KASAN: slab-out-of-bounds in get_block+0x1047/0x1300 fs/minix/itree_common.c:160
Read of size 2 at addr ffff88804f7e1000 by task syz-executor.0/24044
CPU: 0 PID: 24044 Comm: syz-executor.0 Not tainted 4.19.116-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x188/0x20d lib/dump_stack.c:118
print_address_description.cold+0x7c/0x212 mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report mm/kasan/report.c:412 [inline]
kasan_report.cold+0x88/0x2b9 mm/kasan/report.c:396
add_chain fs/minix/itree_common.c:14 [inline]
get_branch fs/minix/itree_common.c:52 [inline]
get_block+0x1047/0x1300 fs/minix/itree_common.c:160
minix_get_block+0xe5/0x110 fs/minix/inode.c:379
block_read_full_page+0x28e/0xef0 fs/buffer.c:2248
do_read_cache_page+0x916/0x1700 mm/filemap.c:2828
read_mapping_page include/linux/pagemap.h:402 [inline]
dir_get_page.isra.0+0x62/0xb0 fs/minix/dir.c:70
minix_find_entry+0x200/0x7b0 fs/minix/dir.c:170
minix_inode_by_name+0x6d/0x452 fs/minix/dir.c:454
minix_lookup fs/minix/namei.c:30 [inline]
minix_lookup+0x103/0x190 fs/minix/namei.c:22
lookup_open+0x681/0x19b0 fs/namei.c:3214
do_last fs/namei.c:3327 [inline]
path_openat+0x13cb/0x4200 fs/namei.c:3537
do_filp_open+0x1a1/0x280 fs/namei.c:3567
do_sys_open+0x3c0/0x500 fs/open.c:1085
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45c889
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f46b0906c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
RAX: ffffffffffffffda RBX: 00007f46b09076d4 RCX: 000000000045c889
RDX: 0000000000000000 RSI: 0000000000020040 RDI: 0000000020000040
RBP: 000000000076bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 0000000000000773 R14: 000000000050443f R15: 000000000076bf0c
Allocated by task 23965:
set_track mm/kasan/kasan.c:460 [inline]
kasan_kmalloc mm/kasan/kasan.c:553 [inline]
kasan_kmalloc+0xbf/0xe0 mm/kasan/kasan.c:531
kmem_cache_alloc+0x127/0x710 mm/slab.c:3559
kmem_cache_zalloc include/linux/slab.h:699 [inline]
__alloc_file+0x21/0x330 fs/file_table.c:100
alloc_empty_file+0x6d/0x170 fs/file_table.c:150
path_openat+0xf2/0x4200 fs/namei.c:3526
do_filp_open+0x1a1/0x280 fs/namei.c:3567
do_sys_open+0x3c0/0x500 fs/open.c:1085
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 18:
set_track mm/kasan/kasan.c:460 [inline]
__kasan_slab_free+0xf7/0x140 mm/kasan/kasan.c:521
__cache_free mm/slab.c:3503 [inline]
kmem_cache_free+0x7f/0x260 mm/slab.c:3765
__rcu_reclaim kernel/rcu/rcu.h:236 [inline]
rcu_do_batch kernel/rcu/tree.c:2584 [inline]
invoke_rcu_callbacks kernel/rcu/tree.c:2897 [inline]
__rcu_process_callbacks kernel/rcu/tree.c:2864 [inline]
rcu_process_callbacks+0xb2d/0x17f0 kernel/rcu/tree.c:2881
__do_softirq+0x26c/0x93c kernel/softirq.c:292
The buggy address belongs to the object at ffff88804f7e1080
which belongs to the cache filp of size 456
The buggy address is located 128 bytes to the left of
456-byte region [ffff88804f7e1080, ffff88804f7e1248)
The buggy address belongs to the page:
page:ffffea00013df840 count:1 mapcount:0 mapping:ffff88821bc46b00 index:0xffff88804f7e1d00
flags: 0xfffe0000000100(slab)
raw: 00fffe0000000100 ffffea000148f688 ffffea00010a5988 ffff88821bc46b00
raw: ffff88804f7e1d00 ffff88804f7e1080 0000000100000003 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88804f7e0f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88804f7e0f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88804f7e1000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff88804f7e1080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88804f7e1100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See: https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
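The triage helper below is an added example, not part of syzbot's report and not kernel code. It parses the generic-KASAN report quoted above (the header, the "belongs to the object" block and the "Memory state" dump, copied inline as sample input), recomputes the object-relative position of the faulting address to confirm the reported "128 bytes to the left", and decodes the shadow byte covering the address. The function names are mine; the shadow-byte legend follows the constants of generic KASAN in mm/kasan/kasan.h as I know them (0xfc kmalloc redzone, 0xfb freed kmalloc object, and so on), which is an assumption to check against the kernel tree you are triaging.

```python
"""Triage helper for a generic-KASAN slab report (added example, not syzbot's code)."""
import re

# Shadow-byte meanings for generic KASAN (constants from mm/kasan/kasan.h, assumed).
SHADOW_LEGEND = {
    0x00: "addressable",
    0xf1: "stack left redzone",
    0xf2: "stack mid redzone",
    0xf3: "stack right redzone",
    0xf4: "stack partial redzone",
    0xf8: "use-after-scope",
    0xfa: "global redzone",
    0xfb: "freed kmalloc object",
    0xfc: "kmalloc redzone",
    0xfe: "page redzone",
    0xff: "freed page",
}
KASAN_GRANULE = 8          # one shadow byte covers 8 bytes of memory
ROW_BYTES = 16 * KASAN_GRANULE  # one "Memory state" row shows 16 shadow bytes

# Sample input: the relevant lines copied from the report above.
REPORT = """\
BUG: KASAN: slab-out-of-bounds in add_chain fs/minix/itree_common.c:14 [inline]
BUG: KASAN: slab-out-of-bounds in get_branch fs/minix/itree_common.c:52 [inline]
BUG: KASAN: slab-out-of-bounds in get_block+0x1047/0x1300 fs/minix/itree_common.c:160
Read of size 2 at addr ffff88804f7e1000 by task syz-executor.0/24044
The buggy address belongs to the object at ffff88804f7e1080
which belongs to the cache filp of size 456
The buggy address is located 128 bytes to the left of
456-byte region [ffff88804f7e1080, ffff88804f7e1248)
Memory state around the buggy address:
ffff88804f7e0f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88804f7e0f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88804f7e1000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                   ^
ffff88804f7e1080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88804f7e1100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""


def shadow_meaning(b):
    """Human-readable meaning of one shadow byte."""
    if 1 <= b <= 7:
        return "partially addressable (first %d bytes)" % b
    return SHADOW_LEGEND.get(b, "unknown 0x%02x" % b)


def parse_kasan_report(text):
    """Extract the access, the nearest slab object and the shadow rows."""
    rep = {}
    m = re.search(r"BUG: KASAN: ([\w-]+) in (\S+)", text)
    rep["bug"], rep["where"] = m.group(1), m.group(2)
    m = re.search(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)", text)
    rep["access"], rep["size"] = m.group(1).lower(), int(m.group(2))
    rep["addr"], rep["task"] = int(m.group(3), 16), m.group(4)
    m = re.search(r"belongs to the object at ([0-9a-f]+)\s+"
                  r"which belongs to the cache (\S+) of size (\d+)", text)
    rep["obj"], rep["cache"], rep["obj_size"] = int(m.group(1), 16), m.group(2), int(m.group(3))
    m = re.search(r"located (\d+) bytes (to the left of|to the right of|inside of)", text)
    rep["reported_dist"], rep["reported_side"] = int(m.group(1)), m.group(2)
    # Memory-state rows: optional '>' marker, 16-digit row address, 16 shadow bytes.
    rep["rows"] = {}
    for mm in re.finditer(r"^>?([0-9a-f]{16}): ((?:[0-9a-f]{2}[ \t]*){16})", text, re.M):
        rep["rows"][int(mm.group(1), 16)] = [int(x, 16) for x in mm.group(2).split()]
    return rep


def shadow_at(rep, addr):
    """Shadow byte covering addr, or None if that row was not printed."""
    row_base = addr - addr % ROW_BYTES
    row = rep["rows"].get(row_base)
    return None if row is None else row[(addr - row_base) // KASAN_GRANULE]


def check_distance(rep):
    """Recompute the object-relative position the way KASAN reports it and compare."""
    off = rep["addr"] - rep["obj"]
    if off < 0:
        side, dist = "to the left of", -off
    elif off >= rep["obj_size"]:
        side, dist = "to the right of", off - rep["obj_size"]
    else:
        side, dist = "inside of", off
    return (side == rep["reported_side"] and dist == rep["reported_dist"], side, dist)


if __name__ == "__main__":
    rep = parse_kasan_report(REPORT)
    ok, side, dist = check_distance(rep)
    print("%s %s of size %d at %#x in %s (task %s)" % (rep["bug"], rep["access"],
          rep["size"], rep["addr"], rep["where"], rep["task"]))
    print("nearest object: %#x, cache %s, %d bytes; %d bytes %s it (consistent: %s)"
          % (rep["obj"], rep["cache"], rep["obj_size"], dist, side, ok))
    print("shadow at fault: %s; shadow at object: %s"
          % (shadow_meaning(shadow_at(rep, rep["addr"])),
             shadow_meaning(shadow_at(rep, rep["obj"]))))
```

Run on the report above, the helper shows the faulting 2-byte read landing in a kmalloc redzone (0xfc) 128 bytes before a `filp` object whose own shadow is 0xfb, i.e. already freed. The "Allocated by" and "Freed by" traces in a slab-out-of-bounds report describe that nearest object, here a `struct file` released through an RCU callback, not the buffer the minix code in `get_block` intended to read, so they locate the neighbour rather than the origin of the bad pointer.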