[moderation] [ext4?] KCSAN: data-race in memcpy_and_pad / string

syzbot

2:34 AM (7 hours ago)
to syzkaller-upst...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: a3d97d1d3fa6 Merge tag 'ovl-fixes-7.0-rc6' of git://git.ke..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13a94648580000
kernel config: https://syzkaller.appspot.com/x/.config?x=3a78dd265deac3a9
dashboard link: https://syzkaller.appspot.com/bug?extid=744345bdb0321acd7643
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
CC: [adilger...@dilger.ca ja...@suse.cz liba...@linux.alibaba.com linux...@vger.kernel.org linux-...@vger.kernel.org oja...@linux.ibm.com rites...@gmail.com ty...@mit.edu yi.z...@huawei.com]

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/bea7b2d2598b/disk-a3d97d1d.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/2dc824e85020/vmlinux-a3d97d1d.xz
kernel image: https://storage.googleapis.com/syzbot-assets/fbb17bfffa6d/bzImage-a3d97d1d.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+744345...@syzkaller.appspotmail.com

EXT4-fs error (device loop2): ext4_dirty_inode:6495: inode #15: comm syz.2.332: mark_inode_dirty error
loop2: lost file I/O error report for ino 15 type 5 pos 0x0 len 0x0 error -117
==================================================================
BUG: KCSAN: data-race in memcpy_and_pad / string

read to 0xffff88813dd045f0 of 1 bytes by interrupt on cpu 1:
string_nocheck lib/vsprintf.c:655 [inline]
string+0x15f/0x220 lib/vsprintf.c:737
vsnprintf+0x532/0x860 lib/vsprintf.c:2948
vscnprintf+0x41/0x90 lib/vsprintf.c:3013
printk_sprint+0x30/0x2e0 kernel/printk/printk.c:2222
vprintk_store+0x57b/0x910 kernel/printk/printk.c:2364
vprintk_emit+0x1a4/0x600 kernel/printk/printk.c:2455
vprintk_default+0x26/0x30 kernel/printk/printk.c:2494
vprintk+0x1d/0x30 kernel/printk/printk_safe.c:82
_printk+0x79/0xa0 kernel/printk/printk.c:2504
print_daily_error_info+0x210/0x300 fs/ext4/super.c:3704
call_timer_fn+0x3b/0x2a0 kernel/time/timer.c:1748
expire_timers kernel/time/timer.c:1799 [inline]
__run_timers kernel/time/timer.c:2373 [inline]
__run_timer_base+0x426/0x620 kernel/time/timer.c:2385
run_timer_base kernel/time/timer.c:2394 [inline]
run_timer_softirq+0x31/0x70 kernel/time/timer.c:2404
handle_softirqs+0xb9/0x2a0 kernel/softirq.c:622
__do_softirq kernel/softirq.c:656 [inline]
invoke_softirq kernel/softirq.c:496 [inline]
__irq_exit_rcu+0x39/0xc0 kernel/softirq.c:723
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1056 [inline]
sysvec_apic_timer_interrupt+0x74/0x80 arch/x86/kernel/apic/apic.c:1056
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
kcsan_setup_watchpoint+0x404/0x410 kernel/kcsan/core.c:705
try_to_unmap+0x8f/0x210 mm/rmap.c:2388
shrink_folio_list+0x12f7/0x2820 mm/vmscan.c:1375
reclaim_folio_list+0x9f/0x220 mm/vmscan.c:2205
reclaim_pages+0x21e/0x280 mm/vmscan.c:2242
madvise_cold_or_pageout_pte_range+0xd6a/0xdc0 mm/madvise.c:561
walk_pmd_range mm/pagewalk.c:149 [inline]
walk_pud_range mm/pagewalk.c:240 [inline]
walk_p4d_range mm/pagewalk.c:281 [inline]
walk_pgd_range+0xa76/0x1520 mm/pagewalk.c:322
__walk_page_range+0xdd/0x340 mm/pagewalk.c:430
walk_page_range_vma_unsafe+0x2cd/0x320 mm/pagewalk.c:734
walk_page_range_vma+0x56/0x70 mm/pagewalk.c:744
madvise_vma_behavior+0x1d11/0x20c0 mm/madvise.c:-1
madvise_walk_vmas mm/madvise.c:1719 [inline]
madvise_do_behavior+0x5de/0xa10 mm/madvise.c:1935
do_madvise+0x10e/0x190 mm/madvise.c:2028
__do_sys_madvise mm/madvise.c:2037 [inline]
__se_sys_madvise mm/madvise.c:2035 [inline]
__x64_sys_madvise+0x63/0x80 mm/madvise.c:2035
x64_sys_call+0x1eff/0x3020 arch/x86/include/generated/asm/syscalls_64.h:29
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x12c/0x370 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

write to 0xffff88813dd045f0 of 16 bytes by task 4942 on cpu 0:
memcpy_and_pad+0x5a/0x80 lib/string_helpers.c:1009
ext4_update_super+0x790/0xba0 fs/ext4/super.c:6259
ext4_commit_super+0x40/0x280 fs/ext4/super.c:6288
ext4_handle_error+0x452/0x550 fs/ext4/super.c:719
__ext4_error_inode+0x1bb/0x3f0 fs/ext4/super.c:865
__ext4_mark_inode_dirty+0xbd/0x400 fs/ext4/inode.c:6469
ext4_dirty_inode+0x92/0xc0 fs/ext4/inode.c:6495
__mark_inode_dirty+0x16f/0x7d0 fs/fs-writeback.c:2609
mark_inode_dirty_sync include/linux/fs.h:2217 [inline]
dquot_free_space include/linux/quotaops.h:380 [inline]
dquot_free_block include/linux/quotaops.h:390 [inline]
ext4_mb_clear_bb fs/ext4/mballoc.c:6668 [inline]
ext4_free_blocks+0xeba/0x14a0 fs/ext4/mballoc.c:6788
ext4_xattr_release_block+0x38d/0x550 fs/ext4/xattr.c:1317
ext4_xattr_delete_inode+0x6fd/0x7a0 fs/ext4/xattr.c:2992
ext4_evict_inode+0xac1/0xe40 fs/ext4/inode.c:282
evict+0x2af/0x510 fs/inode.c:846
iput_final fs/inode.c:1966 [inline]
iput+0x41a/0x580 fs/inode.c:2015
ext4_process_orphan+0x1a9/0x1c0 fs/ext4/orphan.c:358
ext4_orphan_cleanup+0x6a8/0xa00 fs/ext4/orphan.c:472
__ext4_fill_super fs/ext4/super.c:5693 [inline]
ext4_fill_super+0x3414/0x37c0 fs/ext4/super.c:5816
get_tree_bdev_flags+0x291/0x300 fs/super.c:1694
get_tree_bdev+0x1f/0x30 fs/super.c:1717
ext4_get_tree+0x1c/0x30 fs/ext4/super.c:5848
vfs_get_tree+0x57/0x1d0 fs/super.c:1754
fc_mount fs/namespace.c:1193 [inline]
do_new_mount_fc fs/namespace.c:3763 [inline]
do_new_mount+0x288/0x8d0 fs/namespace.c:3839
path_mount+0x4d0/0xbc0 fs/namespace.c:4159
do_mount fs/namespace.c:4172 [inline]
__do_sys_mount fs/namespace.c:4361 [inline]
__se_sys_mount+0x28c/0x2e0 fs/namespace.c:4338
__x64_sys_mount+0x67/0x80 fs/namespace.c:4338
x64_sys_call+0x2d61/0x3020 arch/x86/include/generated/asm/syscalls_64.h:166
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x12c/0x370 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Reported by Kernel Concurrency Sanitizer on:
CPU: 0 UID: 0 PID: 4942 Comm: syz.2.332 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
==================================================================
EXT4-fs error (device loop2): ext4_do_update_inode:5602: inode #15: comm syz.2.332: corrupted inode contents
loop2: lost file I/O error report for ino 15 type 5 pos 0x0 len 0x0 error -117
EXT4-fs error (device loop2): ext4_xattr_delete_inode:2999: inode #15: comm syz.2.332: mark_inode_dirty error
loop2: lost file I/O error report for ino 15 type 5 pos 0x0 len 0x0 error -117
EXT4-fs error (device loop2): ext4_xattr_delete_inode:3002: inode #15: comm syz.2.332: mark inode dirty (error -117)
loop2: lost file I/O error report for ino 15 type 5 pos 0x0 len 0x0 error -117
EXT4-fs warning (device loop2): ext4_evict_inode:285: xattr delete (err -117)
EXT4-fs (loop2): 1 orphan inode deleted
EXT4-fs (loop2): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: none.


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup