[v6.1] UBSAN: array-index-out-of-bounds in dbAllocBits
2 views
Skip to first unread message
syzbot
May 19, 2023, 12:28:52 AM5/19/23
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: fa74641fb6b9 Linux 6.1.29
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1537990e280000
kernel config: https://syzkaller.appspot.com/x/.config?x=7454aa89ac475d7b
dashboard link: https://syzkaller.appspot.com/bug?extid=fc68ece19701d9c7f9d4
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1513e141280000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17aa77e9280000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/53e4da6b145c/disk-fa74641f.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/adeb1a2cfa86/vmlinux-fa74641f.xz
kernel image: https://storage.googleapis.com/syzbot-assets/c976f1155d08/Image-fa74641f.gz.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/708e42aea600/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+fc68ec...@syzkaller.appspotmail.com
loop0: detected capacity change from 0 to 32768
================================================================================
UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dmap.c:2238:2
index 2000 is out of range for type 's64[128]' (aka 'long long[128]')
CPU: 1 PID: 4216 Comm: syz-executor247 Not tainted 6.1.29-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023
Call trace:
dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:158
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
dump_stack+0x1c/0x5c lib/dump_stack.c:113
ubsan_epilogue lib/ubsan.c:151 [inline]
__ubsan_handle_out_of_bounds+0xfc/0x148 lib/ubsan.c:282
dbAllocBits+0x8a4/0x8d0 fs/jfs/jfs_dmap.c:2238
dbAllocDmap fs/jfs/jfs_dmap.c:2015 [inline]
dbAllocNear+0x224/0x334 fs/jfs/jfs_dmap.c:1244
dbAlloc+0x8b4/0xb68 fs/jfs/jfs_dmap.c:829
ea_get+0x6f8/0xef0 fs/jfs/xattr.c:514
__jfs_setxattr+0x41c/0x1338 fs/jfs/xattr.c:718
__jfs_set_acl+0x108/0x1a4 fs/jfs/acl.c:87
jfs_set_acl+0x1f0/0x45c fs/jfs/acl.c:114
set_posix_acl fs/posix_acl.c:1160 [inline]
posix_acl_xattr_set+0x2f8/0x398 fs/posix_acl.c:1189
__vfs_setxattr+0x388/0x3a4 fs/xattr.c:182
__vfs_setxattr_noperm+0x110/0x528 fs/xattr.c:216
__vfs_setxattr_locked+0x1ec/0x218 fs/xattr.c:277
vfs_setxattr+0x1a8/0x344 fs/xattr.c:309
do_setxattr fs/xattr.c:594 [inline]
setxattr+0x230/0x294 fs/xattr.c:617
path_setxattr+0x17c/0x258 fs/xattr.c:636
__do_sys_lsetxattr fs/xattr.c:659 [inline]
__se_sys_lsetxattr fs/xattr.c:655 [inline]
__arm64_sys_lsetxattr+0xbc/0xd8 fs/xattr.c:655
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x64/0x218 arch/arm64/kernel/syscall.c:206
el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:581
================================================================================
==================================================================
BUG: KASAN: slab-out-of-bounds in dbAllocBits+0x7a8/0x8d0 fs/jfs/jfs_dmap.c:2238
Read of size 8 at addr ffff0000d2446eb8 by task syz-executor247/4216
CPU: 1 PID: 4216 Comm: syz-executor247 Not tainted 6.1.29-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023
Call trace:
dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:158
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:284 [inline]
print_report+0x174/0x4c0 mm/kasan/report.c:395
kasan_report+0xd4/0x130 mm/kasan/report.c:495
__asan_report_load8_noabort+0x2c/0x38 mm/kasan/report_generic.c:351
dbAllocBits+0x7a8/0x8d0 fs/jfs/jfs_dmap.c:2238
dbAllocDmap fs/jfs/jfs_dmap.c:2015 [inline]
dbAllocNear+0x224/0x334 fs/jfs/jfs_dmap.c:1244
dbAlloc+0x8b4/0xb68 fs/jfs/jfs_dmap.c:829
ea_get+0x6f8/0xef0 fs/jfs/xattr.c:514
__jfs_setxattr+0x41c/0x1338 fs/jfs/xattr.c:718
__jfs_set_acl+0x108/0x1a4 fs/jfs/acl.c:87
jfs_set_acl+0x1f0/0x45c fs/jfs/acl.c:114
set_posix_acl fs/posix_acl.c:1160 [inline]
posix_acl_xattr_set+0x2f8/0x398 fs/posix_acl.c:1189
__vfs_setxattr+0x388/0x3a4 fs/xattr.c:182
__vfs_setxattr_noperm+0x110/0x528 fs/xattr.c:216
__vfs_setxattr_locked+0x1ec/0x218 fs/xattr.c:277
vfs_setxattr+0x1a8/0x344 fs/xattr.c:309
do_setxattr fs/xattr.c:594 [inline]
setxattr+0x230/0x294 fs/xattr.c:617
path_setxattr+0x17c/0x258 fs/xattr.c:636
__do_sys_lsetxattr fs/xattr.c:659 [inline]
__se_sys_lsetxattr fs/xattr.c:655 [inline]
__arm64_sys_lsetxattr+0xbc/0xd8 fs/xattr.c:655
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x64/0x218 arch/arm64/kernel/syscall.c:206
el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:581
The buggy address belongs to the object at ffff0000d2446000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 1720 bytes to the right of
2048-byte region [ffff0000d2446000, ffff0000d2446800)
The buggy address belongs to the physical page:
page:000000005eac5069 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x112440
head:000000005eac5069 order:3 compound_mapcount:0 compound_pincount:0
flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000010200 0000000000000000 dead000000000122 ffff0000c0002900
raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff0000d2446d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff0000d2446e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff0000d2446e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff0000d2446f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff0000d2446f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
JFS: metapage_get_blocks failed
ERROR: (device loop0): release_metapage: write_one_page() failed
ERROR: (device loop0): remounting filesystem as read-only
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to change bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: fa74641fb6b9 Linux 6.1.29
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1537990e280000
kernel config: https://syzkaller.appspot.com/x/.config?x=7454aa89ac475d7b
dashboard link: https://syzkaller.appspot.com/bug?extid=fc68ece19701d9c7f9d4
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1513e141280000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17aa77e9280000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/53e4da6b145c/disk-fa74641f.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/adeb1a2cfa86/vmlinux-fa74641f.xz
kernel image: https://storage.googleapis.com/syzbot-assets/c976f1155d08/Image-fa74641f.gz.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/708e42aea600/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+fc68ec...@syzkaller.appspotmail.com
loop0: detected capacity change from 0 to 32768
================================================================================
UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dmap.c:2238:2
index 2000 is out of range for type 's64[128]' (aka 'long long[128]')
CPU: 1 PID: 4216 Comm: syz-executor247 Not tainted 6.1.29-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023
Call trace:
dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:158
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
dump_stack+0x1c/0x5c lib/dump_stack.c:113
ubsan_epilogue lib/ubsan.c:151 [inline]
__ubsan_handle_out_of_bounds+0xfc/0x148 lib/ubsan.c:282
dbAllocBits+0x8a4/0x8d0 fs/jfs/jfs_dmap.c:2238
dbAllocDmap fs/jfs/jfs_dmap.c:2015 [inline]
dbAllocNear+0x224/0x334 fs/jfs/jfs_dmap.c:1244
dbAlloc+0x8b4/0xb68 fs/jfs/jfs_dmap.c:829
ea_get+0x6f8/0xef0 fs/jfs/xattr.c:514
__jfs_setxattr+0x41c/0x1338 fs/jfs/xattr.c:718
__jfs_set_acl+0x108/0x1a4 fs/jfs/acl.c:87
jfs_set_acl+0x1f0/0x45c fs/jfs/acl.c:114
set_posix_acl fs/posix_acl.c:1160 [inline]
posix_acl_xattr_set+0x2f8/0x398 fs/posix_acl.c:1189
__vfs_setxattr+0x388/0x3a4 fs/xattr.c:182
__vfs_setxattr_noperm+0x110/0x528 fs/xattr.c:216
__vfs_setxattr_locked+0x1ec/0x218 fs/xattr.c:277
vfs_setxattr+0x1a8/0x344 fs/xattr.c:309
do_setxattr fs/xattr.c:594 [inline]
setxattr+0x230/0x294 fs/xattr.c:617
path_setxattr+0x17c/0x258 fs/xattr.c:636
__do_sys_lsetxattr fs/xattr.c:659 [inline]
__se_sys_lsetxattr fs/xattr.c:655 [inline]
__arm64_sys_lsetxattr+0xbc/0xd8 fs/xattr.c:655
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x64/0x218 arch/arm64/kernel/syscall.c:206
el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:581
================================================================================
==================================================================
BUG: KASAN: slab-out-of-bounds in dbAllocBits+0x7a8/0x8d0 fs/jfs/jfs_dmap.c:2238
Read of size 8 at addr ffff0000d2446eb8 by task syz-executor247/4216
CPU: 1 PID: 4216 Comm: syz-executor247 Not tainted 6.1.29-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023
Call trace:
dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:158
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:284 [inline]
print_report+0x174/0x4c0 mm/kasan/report.c:395
kasan_report+0xd4/0x130 mm/kasan/report.c:495
__asan_report_load8_noabort+0x2c/0x38 mm/kasan/report_generic.c:351
dbAllocBits+0x7a8/0x8d0 fs/jfs/jfs_dmap.c:2238
dbAllocDmap fs/jfs/jfs_dmap.c:2015 [inline]
dbAllocNear+0x224/0x334 fs/jfs/jfs_dmap.c:1244
dbAlloc+0x8b4/0xb68 fs/jfs/jfs_dmap.c:829
ea_get+0x6f8/0xef0 fs/jfs/xattr.c:514
__jfs_setxattr+0x41c/0x1338 fs/jfs/xattr.c:718
__jfs_set_acl+0x108/0x1a4 fs/jfs/acl.c:87
jfs_set_acl+0x1f0/0x45c fs/jfs/acl.c:114
set_posix_acl fs/posix_acl.c:1160 [inline]
posix_acl_xattr_set+0x2f8/0x398 fs/posix_acl.c:1189
__vfs_setxattr+0x388/0x3a4 fs/xattr.c:182
__vfs_setxattr_noperm+0x110/0x528 fs/xattr.c:216
__vfs_setxattr_locked+0x1ec/0x218 fs/xattr.c:277
vfs_setxattr+0x1a8/0x344 fs/xattr.c:309
do_setxattr fs/xattr.c:594 [inline]
setxattr+0x230/0x294 fs/xattr.c:617
path_setxattr+0x17c/0x258 fs/xattr.c:636
__do_sys_lsetxattr fs/xattr.c:659 [inline]
__se_sys_lsetxattr fs/xattr.c:655 [inline]
__arm64_sys_lsetxattr+0xbc/0xd8 fs/xattr.c:655
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x64/0x218 arch/arm64/kernel/syscall.c:206
el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:581
The buggy address belongs to the object at ffff0000d2446000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 1720 bytes to the right of
2048-byte region [ffff0000d2446000, ffff0000d2446800)
The buggy address belongs to the physical page:
page:000000005eac5069 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x112440
head:000000005eac5069 order:3 compound_mapcount:0 compound_pincount:0
flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000010200 0000000000000000 dead000000000122 ffff0000c0002900
raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff0000d2446d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff0000d2446e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff0000d2446e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff0000d2446f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff0000d2446f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
JFS: metapage_get_blocks failed
ERROR: (device loop0): release_metapage: write_one_page() failed
ERROR: (device loop0): remounting filesystem as read-only
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to change bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot
May 19, 2023, 3:30:03 AM5/19/23
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 9d6bde853685 Linux 5.15.112
syzbot found the following issue on:
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1572afce280000
kernel config: https://syzkaller.appspot.com/x/.config?x=508f7a387ef8f82b
dashboard link: https://syzkaller.appspot.com/bug?extid=76c960a839deb49a86ec
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1637b25a280000
userspace arch: arm64
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=169d0691280000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/a8ab2bd416bb/disk-9d6bde85.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/c358e3d58bb2/vmlinux-9d6bde85.xz
kernel image: https://storage.googleapis.com/syzbot-assets/c82319bbaeb8/Image-9d6bde85.gz.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/96e76a22e76c/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
loop0: detected capacity change from 0 to 32768
================================================================================
index 2000 is out of range for type 's64[128]' (aka 'long long[128]')
CPU: 0 PID: 3962 Comm: syz-executor219 Not tainted 5.15.112-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023
Call trace:
dump_backtrace+0x0/0x530 arch/arm64/kernel/stacktrace.c:152
Call trace:
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:216
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
dump_stack+0x1c/0x58 lib/dump_stack.c:113
dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
ubsan_epilogue lib/ubsan.c:151 [inline]
__ubsan_handle_out_of_bounds+0x108/0x15c lib/ubsan.c:282
dbAllocBits+0x8a4/0x8d0 fs/jfs/jfs_dmap.c:2306
dbAllocDmap fs/jfs/jfs_dmap.c:2083 [inline]
dbAllocNear+0x224/0x334 fs/jfs/jfs_dmap.c:1312
dbAlloc+0x804/0xa18 fs/jfs/jfs_dmap.c:829
ea_get+0x6f8/0xef0 fs/jfs/xattr.c:514
__jfs_setxattr+0x41c/0x13ac fs/jfs/xattr.c:718
__jfs_set_acl+0x108/0x1a4 fs/jfs/acl.c:87
jfs_set_acl+0x1f0/0x45c fs/jfs/acl.c:114
set_posix_acl fs/posix_acl.c:947 [inline]
jfs_set_acl+0x1f0/0x45c fs/jfs/acl.c:114
posix_acl_xattr_set+0x2cc/0x378 fs/posix_acl.c:966
__vfs_setxattr+0x388/0x3a4 fs/xattr.c:182
__vfs_setxattr_noperm+0x110/0x528 fs/xattr.c:216
__vfs_setxattr_locked+0x1ec/0x218 fs/xattr.c:277
vfs_setxattr+0x1a8/0x344 fs/xattr.c:303
__vfs_setxattr_noperm+0x110/0x528 fs/xattr.c:216
__vfs_setxattr_locked+0x1ec/0x218 fs/xattr.c:277
do_setxattr fs/xattr.c:588 [inline]
setxattr+0x250/0x2b4 fs/xattr.c:611
path_setxattr+0x17c/0x258 fs/xattr.c:630
__do_sys_lsetxattr fs/xattr.c:653 [inline]
__se_sys_lsetxattr fs/xattr.c:649 [inline]
__arm64_sys_lsetxattr+0xbc/0xd8 fs/xattr.c:649
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:596
el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:614
el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584
================================================================================
==================================================================
BUG: KASAN: slab-out-of-bounds in dbAllocBits+0x7a8/0x8d0 fs/jfs/jfs_dmap.c:2306
Read of size 8 at addr ffff0000c8ea3eb8 by task syz-executor219/3962
CPU: 0 PID: 3962 Comm: syz-executor219 Not tainted 5.15.112-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023
Call trace:
dump_backtrace+0x0/0x530 arch/arm64/kernel/stacktrace.c:152
Call trace:
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:216
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
print_address_description+0x7c/0x3f0 mm/kasan/report.c:248
dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
__kasan_report mm/kasan/report.c:434 [inline]
kasan_report+0x174/0x1e4 mm/kasan/report.c:451
__asan_report_load8_noabort+0x44/0x50 mm/kasan/report_generic.c:309
dbAllocBits+0x7a8/0x8d0 fs/jfs/jfs_dmap.c:2306
dbAllocDmap fs/jfs/jfs_dmap.c:2083 [inline]
dbAllocNear+0x224/0x334 fs/jfs/jfs_dmap.c:1312
dbAlloc+0x804/0xa18 fs/jfs/jfs_dmap.c:829
ea_get+0x6f8/0xef0 fs/jfs/xattr.c:514
__jfs_setxattr+0x41c/0x13ac fs/jfs/xattr.c:718
__jfs_set_acl+0x108/0x1a4 fs/jfs/acl.c:87
jfs_set_acl+0x1f0/0x45c fs/jfs/acl.c:114
set_posix_acl fs/posix_acl.c:947 [inline]
jfs_set_acl+0x1f0/0x45c fs/jfs/acl.c:114
posix_acl_xattr_set+0x2cc/0x378 fs/posix_acl.c:966
__vfs_setxattr+0x388/0x3a4 fs/xattr.c:182
__vfs_setxattr_noperm+0x110/0x528 fs/xattr.c:216
__vfs_setxattr_locked+0x1ec/0x218 fs/xattr.c:277
vfs_setxattr+0x1a8/0x344 fs/xattr.c:303
__vfs_setxattr_noperm+0x110/0x528 fs/xattr.c:216
__vfs_setxattr_locked+0x1ec/0x218 fs/xattr.c:277
do_setxattr fs/xattr.c:588 [inline]
setxattr+0x250/0x2b4 fs/xattr.c:611
path_setxattr+0x17c/0x258 fs/xattr.c:630
__do_sys_lsetxattr fs/xattr.c:653 [inline]
__se_sys_lsetxattr fs/xattr.c:649 [inline]
__arm64_sys_lsetxattr+0xbc/0xd8 fs/xattr.c:649
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:596
el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:614
el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584
Allocated by task 0:
(stack is not available)
The buggy address belongs to the object at ffff0000c8ea3000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 1720 bytes to the right of
2048-byte region [ffff0000c8ea3000, ffff0000c8ea3800)
The buggy address is located 1720 bytes to the right of
The buggy address belongs to the page:
page:00000000a47a5561 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x108ea0
head:00000000a47a5561 order:3 compound_mapcount:0 compound_pincount:0
flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000010200 0000000000000000 dead000000000122 ffff0000c0002900
raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff0000c8ea3d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
raw: 05ffc00000010200 0000000000000000 dead000000000122 ffff0000c0002900
raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff0000c8ea3e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff0000c8ea3e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff0000c8ea3f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff0000c8ea3f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
Reply all
Reply to author
Forward
0 new messages