Hello,
syzbot found the following issue on:
HEAD commit: 2f3918bc53fb Linux 6.1.33
git tree: linux-6.1.y
console output:
https://syzkaller.appspot.com/x/log.txt?x=11eb5073280000
kernel config:
https://syzkaller.appspot.com/x/.config?x=64e29382e385f1b9
dashboard link:
https://syzkaller.appspot.com/bug?extid=904ffc7f25c759741787
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: arm64
syz repro:
https://syzkaller.appspot.com/x/repro.syz?x=1709d7c7280000
C reproducer:
https://syzkaller.appspot.com/x/repro.c?x=14cfeb3b280000
Downloadable assets:
disk image:
https://storage.googleapis.com/syzbot-assets/f180a77b248f/disk-2f3918bc.raw.xz
vmlinux:
https://storage.googleapis.com/syzbot-assets/582d3206652e/vmlinux-2f3918bc.xz
kernel image:
https://storage.googleapis.com/syzbot-assets/20934119e0f6/Image-2f3918bc.gz.xz
mounted in repro:
https://storage.googleapis.com/syzbot-assets/d4ed2220376b/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by:
syzbot+904ffc...@syzkaller.appspotmail.com
XFS (loop0): Torn write (CRC failure) detected at log block 0x10. Truncating head block from 0x20.
XFS (loop0): Ending clean mount
XFS (loop0): Unmounting Filesystem
==================================================================
BUG: KASAN: slab-out-of-bounds in xlog_pack_data+0x2c8/0x444 fs/xfs/xfs_log.c:1795
Read of size 4 at addr ffff0000d71a4e00 by task syz-executor159/4223
CPU: 1 PID: 4223 Comm: syz-executor159 Not tainted 6.1.33-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023
Call trace:
dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:158
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:284 [inline]
print_report+0x174/0x4c0 mm/kasan/report.c:395
kasan_report+0xd4/0x130 mm/kasan/report.c:495
__asan_report_load4_noabort+0x2c/0x38 mm/kasan/report_generic.c:350
xlog_pack_data+0x2c8/0x444 fs/xfs/xfs_log.c:1795
xlog_sync+0x3b8/0x11fc fs/xfs/xfs_log.c:2066
xlog_state_release_iclog+0x4bc/0xa78 fs/xfs/xfs_log.c:619
xlog_force_iclog fs/xfs/xfs_log.c:886 [inline]
xlog_force_and_check_iclog fs/xfs/xfs_log.c:3156 [inline]
xlog_force_lsn+0x69c/0x81c fs/xfs/xfs_log.c:3328
xfs_log_force_seq+0x218/0x50c fs/xfs/xfs_log.c:3393
__xfs_trans_commit+0xa1c/0x10a0 fs/xfs/xfs_trans.c:1014
xfs_trans_commit+0x24/0x34 fs/xfs/xfs_trans.c:1049
xfs_sync_sb+0x144/0x1ac fs/xfs/libxfs/xfs_sb.c:1012
xfs_log_cover fs/xfs/xfs_log.c:1273 [inline]
xfs_log_quiesce+0x57c/0x844 fs/xfs/xfs_log.c:1090
xfs_log_clean+0xb0/0xde8 fs/xfs/xfs_log.c:1097
xfs_log_unmount+0x30/0xbc fs/xfs/xfs_log.c:1112
xfs_unmountfs+0x130/0x1d0 fs/xfs/xfs_mount.c:1081
xfs_fs_put_super+0x78/0x260 fs/xfs/xfs_super.c:1115
generic_shutdown_super+0x130/0x328 fs/super.c:501
kill_block_super+0x70/0xdc fs/super.c:1450
deactivate_locked_super+0xac/0x124 fs/super.c:332
deactivate_super+0xf0/0x110 fs/super.c:363
cleanup_mnt+0x394/0x41c fs/namespace.c:1186
__cleanup_mnt+0x20/0x30 fs/namespace.c:1193
task_work_run+0x240/0x2f0 kernel/task_work.c:179
exit_task_work include/linux/task_work.h:38 [inline]
do_exit+0x554/0x1a88 kernel/exit.c:869
do_group_exit+0x194/0x22c kernel/exit.c:1019
__do_sys_exit_group kernel/exit.c:1030 [inline]
__se_sys_exit_group kernel/exit.c:1028 [inline]
__wake_up_parent+0x0/0x60 kernel/exit.c:1028
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x64/0x218 arch/arm64/kernel/syscall.c:206
el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:581
The buggy address belongs to the physical page:
page:00000000a77b331a refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x117180
head:00000000a77b331a order:6 compound_mapcount:0 compound_pincount:0
flags: 0x5ffc00000010000(head|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000010000 0000000000000000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff0000d71a4d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff0000d71a4d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff0000d71a4e00: 01 fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
^
ffff0000d71a4e80: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
ffff0000d71a4f00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
==================================================================
---
This report is generated by a bot. It may contain errors.
See
https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at
syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to change bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup