[v6.1] KASAN: slab-out-of-bounds Read in xlog_pack_data
0 views
Skip to first unread message
syzbot
Jun 14, 2023, 1:02:21 AM6/14/23
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 2f3918bc53fb Linux 6.1.33
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=11eb5073280000
kernel config: https://syzkaller.appspot.com/x/.config?x=64e29382e385f1b9
dashboard link: https://syzkaller.appspot.com/bug?extid=904ffc7f25c759741787
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1709d7c7280000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14cfeb3b280000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/f180a77b248f/disk-2f3918bc.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/582d3206652e/vmlinux-2f3918bc.xz
kernel image: https://storage.googleapis.com/syzbot-assets/20934119e0f6/Image-2f3918bc.gz.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/d4ed2220376b/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+904ffc...@syzkaller.appspotmail.com
XFS (loop0): Torn write (CRC failure) detected at log block 0x10. Truncating head block from 0x20.
XFS (loop0): Ending clean mount
XFS (loop0): Unmounting Filesystem
==================================================================
BUG: KASAN: slab-out-of-bounds in xlog_pack_data+0x2c8/0x444 fs/xfs/xfs_log.c:1795
Read of size 4 at addr ffff0000d71a4e00 by task syz-executor159/4223
CPU: 1 PID: 4223 Comm: syz-executor159 Not tainted 6.1.33-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023
Call trace:
dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:158
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:284 [inline]
print_report+0x174/0x4c0 mm/kasan/report.c:395
kasan_report+0xd4/0x130 mm/kasan/report.c:495
__asan_report_load4_noabort+0x2c/0x38 mm/kasan/report_generic.c:350
xlog_pack_data+0x2c8/0x444 fs/xfs/xfs_log.c:1795
xlog_sync+0x3b8/0x11fc fs/xfs/xfs_log.c:2066
xlog_state_release_iclog+0x4bc/0xa78 fs/xfs/xfs_log.c:619
xlog_force_iclog fs/xfs/xfs_log.c:886 [inline]
xlog_force_and_check_iclog fs/xfs/xfs_log.c:3156 [inline]
xlog_force_lsn+0x69c/0x81c fs/xfs/xfs_log.c:3328
xfs_log_force_seq+0x218/0x50c fs/xfs/xfs_log.c:3393
__xfs_trans_commit+0xa1c/0x10a0 fs/xfs/xfs_trans.c:1014
xfs_trans_commit+0x24/0x34 fs/xfs/xfs_trans.c:1049
xfs_sync_sb+0x144/0x1ac fs/xfs/libxfs/xfs_sb.c:1012
xfs_log_cover fs/xfs/xfs_log.c:1273 [inline]
xfs_log_quiesce+0x57c/0x844 fs/xfs/xfs_log.c:1090
xfs_log_clean+0xb0/0xde8 fs/xfs/xfs_log.c:1097
xfs_log_unmount+0x30/0xbc fs/xfs/xfs_log.c:1112
xfs_unmountfs+0x130/0x1d0 fs/xfs/xfs_mount.c:1081
xfs_fs_put_super+0x78/0x260 fs/xfs/xfs_super.c:1115
generic_shutdown_super+0x130/0x328 fs/super.c:501
kill_block_super+0x70/0xdc fs/super.c:1450
deactivate_locked_super+0xac/0x124 fs/super.c:332
deactivate_super+0xf0/0x110 fs/super.c:363
cleanup_mnt+0x394/0x41c fs/namespace.c:1186
__cleanup_mnt+0x20/0x30 fs/namespace.c:1193
task_work_run+0x240/0x2f0 kernel/task_work.c:179
exit_task_work include/linux/task_work.h:38 [inline]
do_exit+0x554/0x1a88 kernel/exit.c:869
do_group_exit+0x194/0x22c kernel/exit.c:1019
__do_sys_exit_group kernel/exit.c:1030 [inline]
__se_sys_exit_group kernel/exit.c:1028 [inline]
__wake_up_parent+0x0/0x60 kernel/exit.c:1028
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x64/0x218 arch/arm64/kernel/syscall.c:206
el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:581
The buggy address belongs to the physical page:
page:00000000a77b331a refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x117180
head:00000000a77b331a order:6 compound_mapcount:0 compound_pincount:0
flags: 0x5ffc00000010000(head|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000010000 0000000000000000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff0000d71a4d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff0000d71a4d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff0000d71a4e00: 01 fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
^
ffff0000d71a4e80: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
ffff0000d71a4f00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to change bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: 2f3918bc53fb Linux 6.1.33
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=11eb5073280000
kernel config: https://syzkaller.appspot.com/x/.config?x=64e29382e385f1b9
dashboard link: https://syzkaller.appspot.com/bug?extid=904ffc7f25c759741787
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1709d7c7280000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14cfeb3b280000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/f180a77b248f/disk-2f3918bc.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/582d3206652e/vmlinux-2f3918bc.xz
kernel image: https://storage.googleapis.com/syzbot-assets/20934119e0f6/Image-2f3918bc.gz.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/d4ed2220376b/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+904ffc...@syzkaller.appspotmail.com
XFS (loop0): Torn write (CRC failure) detected at log block 0x10. Truncating head block from 0x20.
XFS (loop0): Ending clean mount
XFS (loop0): Unmounting Filesystem
==================================================================
BUG: KASAN: slab-out-of-bounds in xlog_pack_data+0x2c8/0x444 fs/xfs/xfs_log.c:1795
Read of size 4 at addr ffff0000d71a4e00 by task syz-executor159/4223
CPU: 1 PID: 4223 Comm: syz-executor159 Not tainted 6.1.33-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023
Call trace:
dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:158
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:284 [inline]
print_report+0x174/0x4c0 mm/kasan/report.c:395
kasan_report+0xd4/0x130 mm/kasan/report.c:495
__asan_report_load4_noabort+0x2c/0x38 mm/kasan/report_generic.c:350
xlog_pack_data+0x2c8/0x444 fs/xfs/xfs_log.c:1795
xlog_sync+0x3b8/0x11fc fs/xfs/xfs_log.c:2066
xlog_state_release_iclog+0x4bc/0xa78 fs/xfs/xfs_log.c:619
xlog_force_iclog fs/xfs/xfs_log.c:886 [inline]
xlog_force_and_check_iclog fs/xfs/xfs_log.c:3156 [inline]
xlog_force_lsn+0x69c/0x81c fs/xfs/xfs_log.c:3328
xfs_log_force_seq+0x218/0x50c fs/xfs/xfs_log.c:3393
__xfs_trans_commit+0xa1c/0x10a0 fs/xfs/xfs_trans.c:1014
xfs_trans_commit+0x24/0x34 fs/xfs/xfs_trans.c:1049
xfs_sync_sb+0x144/0x1ac fs/xfs/libxfs/xfs_sb.c:1012
xfs_log_cover fs/xfs/xfs_log.c:1273 [inline]
xfs_log_quiesce+0x57c/0x844 fs/xfs/xfs_log.c:1090
xfs_log_clean+0xb0/0xde8 fs/xfs/xfs_log.c:1097
xfs_log_unmount+0x30/0xbc fs/xfs/xfs_log.c:1112
xfs_unmountfs+0x130/0x1d0 fs/xfs/xfs_mount.c:1081
xfs_fs_put_super+0x78/0x260 fs/xfs/xfs_super.c:1115
generic_shutdown_super+0x130/0x328 fs/super.c:501
kill_block_super+0x70/0xdc fs/super.c:1450
deactivate_locked_super+0xac/0x124 fs/super.c:332
deactivate_super+0xf0/0x110 fs/super.c:363
cleanup_mnt+0x394/0x41c fs/namespace.c:1186
__cleanup_mnt+0x20/0x30 fs/namespace.c:1193
task_work_run+0x240/0x2f0 kernel/task_work.c:179
exit_task_work include/linux/task_work.h:38 [inline]
do_exit+0x554/0x1a88 kernel/exit.c:869
do_group_exit+0x194/0x22c kernel/exit.c:1019
__do_sys_exit_group kernel/exit.c:1030 [inline]
__se_sys_exit_group kernel/exit.c:1028 [inline]
__wake_up_parent+0x0/0x60 kernel/exit.c:1028
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x64/0x218 arch/arm64/kernel/syscall.c:206
el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:581
The buggy address belongs to the physical page:
page:00000000a77b331a refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x117180
head:00000000a77b331a order:6 compound_mapcount:0 compound_pincount:0
flags: 0x5ffc00000010000(head|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000010000 0000000000000000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff0000d71a4d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff0000d71a4d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff0000d71a4e00: 01 fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
^
ffff0000d71a4e80: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
ffff0000d71a4f00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to change bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot
Jun 14, 2023, 4:07:59 AM6/14/23
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 7349e40704a0 Linux 5.15.116
syzbot found the following issue on:
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=12390627280000
kernel config: https://syzkaller.appspot.com/x/.config?x=f650a0601dbf525d
dashboard link: https://syzkaller.appspot.com/bug?extid=66f256de193ab682584f
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11c625b3280000
userspace arch: arm64
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=152f7343280000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/eec1263e4f05/disk-7349e407.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/833d6ae016fd/vmlinux-7349e407.xz
kernel image: https://storage.googleapis.com/syzbot-assets/da142afba386/Image-7349e407.gz.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/ffafcbdaaa87/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
XFS (loop0): Torn write (CRC failure) detected at log block 0x10. Truncating head block from 0x20.
XFS (loop0): Ending clean mount
XFS (loop0): Unmounting Filesystem
==================================================================
Read of size 4 at addr ffff0000d4164e00 by task syz-executor146/3966
CPU: 0 PID: 3966 Comm: syz-executor146 Not tainted 5.15.116-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023
Call trace:
dump_backtrace+0x0/0x530 arch/arm64/kernel/stacktrace.c:152
Call trace:
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:216
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
print_address_description+0x7c/0x3f0 mm/kasan/report.c:248
dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
__kasan_report mm/kasan/report.c:434 [inline]
kasan_report+0x174/0x1e4 mm/kasan/report.c:451
__asan_report_load4_noabort+0x44/0x50 mm/kasan/report_generic.c:308
xlog_pack_data+0x2c8/0x444 fs/xfs/xfs_log.c:1760
xlog_sync+0x3ec/0xe78 fs/xfs/xfs_log.c:2014
xlog_state_release_iclog+0x554/0xaf0 fs/xfs/xfs_log.c:596
xlog_force_iclog fs/xfs/xfs_log.c:864 [inline]
xlog_force_and_check_iclog+0x12c/0x258 fs/xfs/xfs_log.c:3223
xlog_force_lsn+0x690/0x7bc fs/xfs/xfs_log.c:3395
xfs_log_force_seq+0x310/0x81c fs/xfs/xfs_log.c:3460
__xfs_trans_commit+0x8cc/0xe98 fs/xfs/xfs_trans.c:890
xfs_trans_commit+0x24/0x34 fs/xfs/xfs_trans.c:925
xfs_sync_sb+0x144/0x1ac fs/xfs/libxfs/xfs_sb.c:1004
xfs_log_cover fs/xfs/xfs_log.c:1235 [inline]
xfs_log_quiesce+0x424/0x684 fs/xfs/xfs_log.c:1052
xfs_log_clean+0xb4/0x9bc fs/xfs/xfs_log.c:1059
xfs_log_unmount+0x30/0xbc fs/xfs/xfs_log.c:1074
xfs_unmountfs+0x128/0x1c8 fs/xfs/xfs_mount.c:1040
xfs_fs_put_super+0x70/0x250 fs/xfs/xfs_super.c:1090
generic_shutdown_super+0x130/0x29c fs/super.c:475
kill_block_super+0x70/0xdc fs/super.c:1405
deactivate_locked_super+0xb8/0x13c fs/super.c:335
deactivate_super+0x108/0x128 fs/super.c:366
cleanup_mnt+0x3c0/0x474 fs/namespace.c:1143
__cleanup_mnt+0x20/0x30 fs/namespace.c:1150
task_work_run+0x130/0x1e4 kernel/task_work.c:164
exit_task_work include/linux/task_work.h:32 [inline]
do_exit+0x688/0x2134 kernel/exit.c:872
do_group_exit+0x110/0x268 kernel/exit.c:994
__do_sys_exit_group kernel/exit.c:1005 [inline]
__se_sys_exit_group kernel/exit.c:1003 [inline]
__wake_up_parent+0x0/0x60 kernel/exit.c:1003
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:596
el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:614
el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584
The buggy address belongs to the page:
page:00000000e62389df refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x114140
head:00000000e62389df order:6 compound_mapcount:0 compound_pincount:0
flags: 0x5ffc00000010000(head|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000010000 0000000000000000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff0000d4164d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
raw: 05ffc00000010000 0000000000000000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff0000d4164d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff0000d4164e00: 01 fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
^
ffff0000d4164e80: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
ffff0000d4164f00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
Reply all
Reply to author
Forward
0 new messages