[ext4?] KASAN: slab-out-of-bounds Read in ext4_statfs
5 lượt xem
Chuyển tới thư đầu tiên chưa đọc
syzbot
11:13:02 15 thg 3, 202315/3/23
đến syzkaller-upst...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: fe15c26ee26e Linux 6.3-rc1
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=11fa8592c80000
kernel config: https://syzkaller.appspot.com/x/.config?x=7573cbcd881a88c9
dashboard link: https://syzkaller.appspot.com/bug?extid=e00de976f53400133de7
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: arm64
CC: [adilger...@dilger.ca linux...@vger.kernel.org linux-...@vger.kernel.org linux-...@vger.kernel.org ll...@lists.linux.dev nat...@kernel.org ndesau...@google.com tr...@redhat.com ty...@mit.edu]
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/89d41abd07bd/disk-fe15c26e.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/fa75f5030ade/vmlinux-fe15c26e.xz
kernel image: https://storage.googleapis.com/syzbot-assets/590d0f5903ee/Image-fe15c26e.gz.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+e00de9...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: slab-out-of-bounds in generic_test_bit include/asm-generic/bitops/generic-non-atomic.h:128 [inline]
BUG: KASAN: slab-out-of-bounds in ext4_test_inode_flag fs/ext4/ext4.h:1924 [inline]
BUG: KASAN: slab-out-of-bounds in ext4_statfs+0x520/0xb0c fs/ext4/super.c:6690
Read of size 8 at addr ffff0000dd547f30 by task syz-executor.4/11468
CPU: 0 PID: 11468 Comm: syz-executor.4 Not tainted 6.3.0-rc1-syzkaller-gfe15c26ee26e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Call trace:
dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:158
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd0/0x124 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:319 [inline]
print_report+0x174/0x514 mm/kasan/report.c:430
kasan_report+0xd4/0x130 mm/kasan/report.c:536
__asan_report_load8_noabort+0x2c/0x38 mm/kasan/report_generic.c:381
generic_test_bit include/asm-generic/bitops/generic-non-atomic.h:128 [inline]
ext4_test_inode_flag fs/ext4/ext4.h:1924 [inline]
ext4_statfs+0x520/0xb0c fs/ext4/super.c:6690
statfs_by_dentry fs/statfs.c:66 [inline]
vfs_statfs+0x140/0x2bc fs/statfs.c:90
ovl_check_namelen fs/overlayfs/super.c:919 [inline]
ovl_lower_dir fs/overlayfs/super.c:939 [inline]
ovl_get_lowerstack+0x1c4/0x1868 fs/overlayfs/super.c:1742
ovl_fill_super+0x1218/0x2240 fs/overlayfs/super.c:2010
mount_nodev+0x68/0x104 fs/super.c:1417
ovl_mount+0x3c/0x50 fs/overlayfs/super.c:2091
legacy_get_tree+0xd4/0x16c fs/fs_context.c:610
vfs_get_tree+0x90/0x274 fs/super.c:1501
do_new_mount+0x25c/0x8c8 fs/namespace.c:3042
path_mount+0x590/0xe20 fs/namespace.c:3372
do_mount fs/namespace.c:3385 [inline]
__do_sys_mount fs/namespace.c:3594 [inline]
__se_sys_mount fs/namespace.c:3571 [inline]
__arm64_sys_mount+0x45c/0x594 fs/namespace.c:3571
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x64/0x198 arch/arm64/kernel/syscall.c:193
el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:591
Allocated by task 5996:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4c/0x7c mm/kasan/common.c:52
kasan_save_alloc_info+0x24/0x30 mm/kasan/generic.c:510
__kasan_slab_alloc+0x74/0x8c mm/kasan/common.c:328
kasan_slab_alloc include/linux/kasan.h:186 [inline]
slab_post_alloc_hook+0x80/0x488 mm/slab.h:769
slab_alloc_node mm/slub.c:3452 [inline]
slab_alloc mm/slub.c:3460 [inline]
__kmem_cache_alloc_lru mm/slub.c:3467 [inline]
kmem_cache_alloc+0x288/0x37c mm/slub.c:3476
radix_tree_node_alloc+0x1ac/0x3c0 lib/radix-tree.c:251
idr_get_free+0x234/0x89c lib/radix-tree.c:1505
idr_alloc_u32 lib/idr.c:46 [inline]
idr_alloc_cyclic+0x18c/0x4f4 lib/idr.c:125
__kernfs_new_node+0x124/0x66c fs/kernfs/dir.c:617
kernfs_new_node+0x98/0x184 fs/kernfs/dir.c:673
__kernfs_create_file+0x60/0x2d4 fs/kernfs/file.c:1047
sysfs_add_file_mode_ns+0x1dc/0x298 fs/sysfs/file.c:294
create_files fs/sysfs/group.c:64 [inline]
internal_create_group+0x428/0xbec fs/sysfs/group.c:148
internal_create_groups fs/sysfs/group.c:188 [inline]
sysfs_create_groups+0x60/0x130 fs/sysfs/group.c:214
device_add_groups drivers/base/core.c:2678 [inline]
device_add_attrs+0x178/0x750 drivers/base/core.c:2798
device_add+0x5e0/0xf58 drivers/base/core.c:3543
netdev_register_kobject+0x15c/0x2d8 net/core/net-sysfs.c:2043
register_netdevice+0xcb8/0x1270 net/core/dev.c:10046
veth_newlink+0x730/0xb88 drivers/net/veth.c:1837
rtnl_newlink_create net/core/rtnetlink.c:3440 [inline]
__rtnl_newlink net/core/rtnetlink.c:3657 [inline]
rtnl_newlink+0x1174/0x1b1c net/core/rtnetlink.c:3670
rtnetlink_rcv_msg+0x744/0xdb8 net/core/rtnetlink.c:6174
netlink_rcv_skb+0x214/0x3c4 net/netlink/af_netlink.c:2574
rtnetlink_rcv+0x28/0x38 net/core/rtnetlink.c:6192
netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
netlink_unicast+0x660/0x8d4 net/netlink/af_netlink.c:1365
netlink_sendmsg+0x834/0xb18 net/netlink/af_netlink.c:1942
sock_sendmsg_nosec net/socket.c:722 [inline]
sock_sendmsg net/socket.c:745 [inline]
__sys_sendto+0x3b4/0x538 net/socket.c:2145
__do_sys_sendto net/socket.c:2157 [inline]
__se_sys_sendto net/socket.c:2153 [inline]
__arm64_sys_sendto+0xd8/0xf8 net/socket.c:2153
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x64/0x198 arch/arm64/kernel/syscall.c:193
el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:591
The buggy address belongs to the object at ffff0000dd547c80
which belongs to the cache radix_tree_node of size 576
The buggy address is located 112 bytes to the right of
allocated 576-byte region [ffff0000dd547c80, ffff0000dd547ec0)
The buggy address belongs to the physical page:
page:00000000805eca39 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11d544
head:00000000805eca39 order:2 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000010200 ffff0000c000d500 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000170017 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff0000dd547e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff0000dd547e80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
>ffff0000dd547f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff0000dd547f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff0000dd548000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot found the following issue on:
HEAD commit: fe15c26ee26e Linux 6.3-rc1
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=11fa8592c80000
kernel config: https://syzkaller.appspot.com/x/.config?x=7573cbcd881a88c9
dashboard link: https://syzkaller.appspot.com/bug?extid=e00de976f53400133de7
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: arm64
CC: [adilger...@dilger.ca linux...@vger.kernel.org linux-...@vger.kernel.org linux-...@vger.kernel.org ll...@lists.linux.dev nat...@kernel.org ndesau...@google.com tr...@redhat.com ty...@mit.edu]
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/89d41abd07bd/disk-fe15c26e.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/fa75f5030ade/vmlinux-fe15c26e.xz
kernel image: https://storage.googleapis.com/syzbot-assets/590d0f5903ee/Image-fe15c26e.gz.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+e00de9...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: slab-out-of-bounds in generic_test_bit include/asm-generic/bitops/generic-non-atomic.h:128 [inline]
BUG: KASAN: slab-out-of-bounds in ext4_test_inode_flag fs/ext4/ext4.h:1924 [inline]
BUG: KASAN: slab-out-of-bounds in ext4_statfs+0x520/0xb0c fs/ext4/super.c:6690
Read of size 8 at addr ffff0000dd547f30 by task syz-executor.4/11468
CPU: 0 PID: 11468 Comm: syz-executor.4 Not tainted 6.3.0-rc1-syzkaller-gfe15c26ee26e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Call trace:
dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:158
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd0/0x124 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:319 [inline]
print_report+0x174/0x514 mm/kasan/report.c:430
kasan_report+0xd4/0x130 mm/kasan/report.c:536
__asan_report_load8_noabort+0x2c/0x38 mm/kasan/report_generic.c:381
generic_test_bit include/asm-generic/bitops/generic-non-atomic.h:128 [inline]
ext4_test_inode_flag fs/ext4/ext4.h:1924 [inline]
ext4_statfs+0x520/0xb0c fs/ext4/super.c:6690
statfs_by_dentry fs/statfs.c:66 [inline]
vfs_statfs+0x140/0x2bc fs/statfs.c:90
ovl_check_namelen fs/overlayfs/super.c:919 [inline]
ovl_lower_dir fs/overlayfs/super.c:939 [inline]
ovl_get_lowerstack+0x1c4/0x1868 fs/overlayfs/super.c:1742
ovl_fill_super+0x1218/0x2240 fs/overlayfs/super.c:2010
mount_nodev+0x68/0x104 fs/super.c:1417
ovl_mount+0x3c/0x50 fs/overlayfs/super.c:2091
legacy_get_tree+0xd4/0x16c fs/fs_context.c:610
vfs_get_tree+0x90/0x274 fs/super.c:1501
do_new_mount+0x25c/0x8c8 fs/namespace.c:3042
path_mount+0x590/0xe20 fs/namespace.c:3372
do_mount fs/namespace.c:3385 [inline]
__do_sys_mount fs/namespace.c:3594 [inline]
__se_sys_mount fs/namespace.c:3571 [inline]
__arm64_sys_mount+0x45c/0x594 fs/namespace.c:3571
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x64/0x198 arch/arm64/kernel/syscall.c:193
el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:591
Allocated by task 5996:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4c/0x7c mm/kasan/common.c:52
kasan_save_alloc_info+0x24/0x30 mm/kasan/generic.c:510
__kasan_slab_alloc+0x74/0x8c mm/kasan/common.c:328
kasan_slab_alloc include/linux/kasan.h:186 [inline]
slab_post_alloc_hook+0x80/0x488 mm/slab.h:769
slab_alloc_node mm/slub.c:3452 [inline]
slab_alloc mm/slub.c:3460 [inline]
__kmem_cache_alloc_lru mm/slub.c:3467 [inline]
kmem_cache_alloc+0x288/0x37c mm/slub.c:3476
radix_tree_node_alloc+0x1ac/0x3c0 lib/radix-tree.c:251
idr_get_free+0x234/0x89c lib/radix-tree.c:1505
idr_alloc_u32 lib/idr.c:46 [inline]
idr_alloc_cyclic+0x18c/0x4f4 lib/idr.c:125
__kernfs_new_node+0x124/0x66c fs/kernfs/dir.c:617
kernfs_new_node+0x98/0x184 fs/kernfs/dir.c:673
__kernfs_create_file+0x60/0x2d4 fs/kernfs/file.c:1047
sysfs_add_file_mode_ns+0x1dc/0x298 fs/sysfs/file.c:294
create_files fs/sysfs/group.c:64 [inline]
internal_create_group+0x428/0xbec fs/sysfs/group.c:148
internal_create_groups fs/sysfs/group.c:188 [inline]
sysfs_create_groups+0x60/0x130 fs/sysfs/group.c:214
device_add_groups drivers/base/core.c:2678 [inline]
device_add_attrs+0x178/0x750 drivers/base/core.c:2798
device_add+0x5e0/0xf58 drivers/base/core.c:3543
netdev_register_kobject+0x15c/0x2d8 net/core/net-sysfs.c:2043
register_netdevice+0xcb8/0x1270 net/core/dev.c:10046
veth_newlink+0x730/0xb88 drivers/net/veth.c:1837
rtnl_newlink_create net/core/rtnetlink.c:3440 [inline]
__rtnl_newlink net/core/rtnetlink.c:3657 [inline]
rtnl_newlink+0x1174/0x1b1c net/core/rtnetlink.c:3670
rtnetlink_rcv_msg+0x744/0xdb8 net/core/rtnetlink.c:6174
netlink_rcv_skb+0x214/0x3c4 net/netlink/af_netlink.c:2574
rtnetlink_rcv+0x28/0x38 net/core/rtnetlink.c:6192
netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
netlink_unicast+0x660/0x8d4 net/netlink/af_netlink.c:1365
netlink_sendmsg+0x834/0xb18 net/netlink/af_netlink.c:1942
sock_sendmsg_nosec net/socket.c:722 [inline]
sock_sendmsg net/socket.c:745 [inline]
__sys_sendto+0x3b4/0x538 net/socket.c:2145
__do_sys_sendto net/socket.c:2157 [inline]
__se_sys_sendto net/socket.c:2153 [inline]
__arm64_sys_sendto+0xd8/0xf8 net/socket.c:2153
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x64/0x198 arch/arm64/kernel/syscall.c:193
el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:591
The buggy address belongs to the object at ffff0000dd547c80
which belongs to the cache radix_tree_node of size 576
The buggy address is located 112 bytes to the right of
allocated 576-byte region [ffff0000dd547c80, ffff0000dd547ec0)
The buggy address belongs to the physical page:
page:00000000805eca39 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11d544
head:00000000805eca39 order:2 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000010200 ffff0000c000d500 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000170017 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff0000dd547e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff0000dd547e80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
>ffff0000dd547f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff0000dd547f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff0000dd548000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot
21:21:38 6 thg 7, 20236/7/23
đến syzkaller-upst...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.
Crashes did not happen for a while, no reproducer and no activity.
Trả lời tất cả
Trả lời tác giả
Chuyển tiếp
0 tin nhắn mới