[syzbot] [jfs?] KASAN: slab-out-of-bounds Write in diWrite


syzbot

Apr 25, 2024, 5:10:22 PM
to jfs-dis...@lists.sourceforge.net, linux-...@vger.kernel.org, linux-...@vger.kernel.org, sha...@kernel.org, syzkall...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 7b4f2bc91c15 Add linux-next specific files for 20240418
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=1181b910980000
kernel config: https://syzkaller.appspot.com/x/.config?x=ae644165a243bf62
dashboard link: https://syzkaller.appspot.com/bug?extid=aa6df9d3b383bf5f047f
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=108f21c7180000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=128532bb180000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/524a18e6c5be/disk-7b4f2bc9.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/029f1b84d653/vmlinux-7b4f2bc9.xz
kernel image: https://storage.googleapis.com/syzbot-assets/c02d1542e886/bzImage-7b4f2bc9.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/b09f946202a4/mount_0.gz

Bisection is inconclusive: the issue happens on the oldest tested release.

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=10dec06b180000
final oops: https://syzkaller.appspot.com/x/report.txt?x=12dec06b180000
console output: https://syzkaller.appspot.com/x/log.txt?x=14dec06b180000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+aa6df9...@syzkaller.appspotmail.com

loop0: detected capacity change from 0 to 32768
==================================================================
BUG: KASAN: use-after-free in diWrite+0xde3/0x19b0 fs/jfs/jfs_imap.c:750
Write of size 32 at addr ffff888076cee0c0 by task syz-executor949/5083

CPU: 1 PID: 5083 Comm: syz-executor949 Not tainted 6.9.0-rc4-next-20240418-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
__asan_memcpy+0x40/0x70 mm/kasan/shadow.c:106
diWrite+0xde3/0x19b0 fs/jfs/jfs_imap.c:750
txCommit+0xa1a/0x6a20 fs/jfs/jfs_txnmgr.c:1255
add_missing_indices fs/jfs/jfs_dtree.c:2661 [inline]
jfs_readdir+0x28e9/0x4660 fs/jfs/jfs_dtree.c:3009
wrap_directory_iterator+0x94/0xe0 fs/readdir.c:67
iterate_dir+0x65e/0x820 fs/readdir.c:110
__do_sys_getdents64 fs/readdir.c:409 [inline]
__se_sys_getdents64+0x20d/0x4f0 fs/readdir.c:394
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7ff57c567679
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fffddcb47e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 00007fffddcb49b8 RCX: 00007ff57c567679
RDX: 000000000000005d RSI: 00000000200002c0 RDI: 0000000000000005
RBP: 00007ff57c5e0610 R08: 0000000000000000 R09: 00007fffddcb49b8
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
R13: 00007fffddcb49a8 R14: 0000000000000001 R15: 0000000000000001
</TASK>

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x76cee
flags: 0xfff80000000000(node=0|zone=1|lastcpupid=0xfff)
raw: 00fff80000000000 ffffea0001db3bc8 ffffea0001dcea48 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x500cc2(GFP_HIGHUSER|__GFP_ACCOUNT), pid 5078, tgid 397447660 (sshd), ts 5078, free_ts 51945391130
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1476
prep_new_page mm/page_alloc.c:1484 [inline]
get_page_from_freelist+0x2ce2/0x2d90 mm/page_alloc.c:3446
__alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4704
alloc_pages_mpol_noprof+0x3e8/0x680 mm/mempolicy.c:2265
pipe_write+0x657/0x1a40 fs/pipe.c:513
new_sync_write fs/read_write.c:497 [inline]
vfs_write+0xa72/0xc90 fs/read_write.c:590
ksys_write+0x1a0/0x2c0 fs/read_write.c:643
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 5080 tgid 5080 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1096 [inline]
free_unref_page+0xd22/0xea0 mm/page_alloc.c:2609
__folio_put+0x3b9/0x620 mm/swap.c:129
pipe_buf_release include/linux/pipe_fs_i.h:219 [inline]
pipe_update_tail fs/pipe.c:224 [inline]
pipe_read+0x6f2/0x13e0 fs/pipe.c:344
new_sync_read fs/read_write.c:395 [inline]
vfs_read+0x9c4/0xbd0 fs/read_write.c:476
ksys_read+0x1a0/0x2c0 fs/read_write.c:619
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
ffff888076cedf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888076cee000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff888076cee080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff888076cee100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff888076cee180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Lizhi Xu

May 16, 2024, 8:53:05 PM
to syzbot+aa6df9...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git ed30a4a51bb1

diff --git a/fs/jfs/jfs_imap.c b/fs/jfs/jfs_imap.c
index 2ec35889ad24..84c9abb0fa71 100644
--- a/fs/jfs/jfs_imap.c
+++ b/fs/jfs/jfs_imap.c
@@ -746,7 +746,9 @@ int diWrite(tid_t tid, struct inode *ip)
p = (dtpage_t *) &jfs_ip->i_dtroot;
xp = (dtpage_t *) & dp->di_dtroot;
lv = ilinelock->lv;
- for (n = 0; n < ilinelock->index; n++, lv++) {
+ printk("sp ms: %d, dp ms: %d, %s\n", p->header.maxslot, xp->header.maxslot, __func__);
+ if (p->header.maxslot < DTPAGEMAXSLOT && xp->header.maxslot < DTPAGEMAXSLOT)
+ for (n = 0; n < ilinelock->index && lv->offset < DTPAGEMAXSLOT; n++, lv++) {
memcpy(&xp->slot[lv->offset], &p->slot[lv->offset],
lv->length << L2DTSLOTSIZE);
}
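Review bot: the new bound is the wrong constant and ignores lv->length. DTPAGEMAXSLOT is the slot count of a full dtree page, but this loop copies into dp->di_dtroot, the in-inode root, which holds far fewer slots (the later patch in this thread bounds it with DTROOTMAXSLOT, 9), so an entry such as offset 6 with a multi-slot length still passes `lv->offset < DTPAGEMAXSLOT` and runs past the root; the check should be on `lv->offset + lv->length` against the root's slot count. The `maxslot` guard on the line above has the same weakness, since a crafted image controls that header (the test run printed `sp ms: 103`, which passes it). Ending the loop silently also leaves the remaining linelock entries uncopied with no error returned to the caller; return an error instead of truncating the copy. The printk is debug output and should not survive into a final patch.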

syzbot

May 16, 2024, 9:05:06 PM
to linux-...@vger.kernel.org, lizh...@windriver.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-out-of-bounds Read in jfs_readdir

loop0: detected capacity change from 0 to 32768
sp ms: 103, dp ms: 2, diWrite
==================================================================
BUG: KASAN: slab-out-of-bounds in jfs_readdir+0x1b79/0x4660 fs/jfs/jfs_dtree.c:2894
Read of size 1 at addr ffff8880112dfdd5 by task syz-executor.0/5535

CPU: 1 PID: 5535 Comm: syz-executor.0 Not tainted 6.9.0-rc5-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
jfs_readdir+0x1b79/0x4660 fs/jfs/jfs_dtree.c:2894
wrap_directory_iterator+0x94/0xe0 fs/readdir.c:67
iterate_dir+0x539/0x6f0 fs/readdir.c:110
__do_sys_getdents64 fs/readdir.c:409 [inline]
__se_sys_getdents64+0x20d/0x4f0 fs/readdir.c:394
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f447227dea9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f4472f0a0c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 00007f44723abf80 RCX: 00007f447227dea9
RDX: 000000000000005d RSI: 00000000200002c0 RDI: 0000000000000005
RBP: 00007f44722ca4a4 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f44723abf80 R15: 00007ffff75dcee8
</TASK>

Allocated by task 5535:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
unpoison_slab_object mm/kasan/common.c:312 [inline]
__kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:338
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook mm/slub.c:3798 [inline]
slab_alloc_node mm/slub.c:3845 [inline]
kmem_cache_alloc_lru+0x178/0x350 mm/slub.c:3864
alloc_inode_sb include/linux/fs.h:3091 [inline]
jfs_alloc_inode+0x28/0x70 fs/jfs/super.c:105
alloc_inode fs/inode.c:261 [inline]
iget_locked+0x1ad/0x850 fs/inode.c:1280
jfs_iget+0x22/0x3b0 fs/jfs/inode.c:29
jfs_fill_super+0x808/0xc50 fs/jfs/super.c:580
mount_bdev+0x20a/0x2d0 fs/super.c:1658
legacy_get_tree+0xee/0x190 fs/fs_context.c:662
vfs_get_tree+0x90/0x2a0 fs/super.c:1779
do_new_mount+0x2be/0xb40 fs/namespace.c:3352
do_mount fs/namespace.c:3692 [inline]
__do_sys_mount fs/namespace.c:3898 [inline]
__se_sys_mount+0x2d9/0x3c0 fs/namespace.c:3875
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff8880112def00
which belongs to the cache jfs_ip of size 2240
The buggy address is located 1557 bytes to the right of
allocated 2240-byte region [ffff8880112def00, ffff8880112df7c0)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x112d8
head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
memcg:ffff888015bb6d01
flags: 0xfff80000000840(slab|head|node=0|zone=1|lastcpupid=0xfff)
page_type: 0xffffffff()
raw: 00fff80000000840 ffff888015be6dc0 dead000000000122 0000000000000000
raw: 0000000000000000 00000000000d000d 00000001ffffffff ffff888015bb6d01
head: 00fff80000000840 ffff888015be6dc0 dead000000000122 0000000000000000
head: 0000000000000000 00000000000d000d 00000001ffffffff ffff888015bb6d01
head: 00fff80000000003 ffffea000044b601 dead000000000122 00000000ffffffff
head: 0000000800000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Reclaimable, gfp_mask 0x1d2050(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL|__GFP_RECLAIMABLE), pid 5492, tgid 556946219 (syz-executor.0), ts 5494, free_ts 89804801893
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1ea/0x210 mm/page_alloc.c:1534
prep_new_page mm/page_alloc.c:1541 [inline]
get_page_from_freelist+0x3410/0x35b0 mm/page_alloc.c:3317
__alloc_pages+0x256/0x6c0 mm/page_alloc.c:4575
__alloc_pages_node include/linux/gfp.h:238 [inline]
alloc_pages_node include/linux/gfp.h:261 [inline]
alloc_slab_page+0x5f/0x160 mm/slub.c:2175
allocate_slab mm/slub.c:2338 [inline]
new_slab+0x84/0x2f0 mm/slub.c:2391
___slab_alloc+0xc73/0x1260 mm/slub.c:3525
__slab_alloc mm/slub.c:3610 [inline]
__slab_alloc_node mm/slub.c:3663 [inline]
slab_alloc_node mm/slub.c:3835 [inline]
kmem_cache_alloc_lru+0x253/0x350 mm/slub.c:3864
alloc_inode_sb include/linux/fs.h:3091 [inline]
jfs_alloc_inode+0x28/0x70 fs/jfs/super.c:105
alloc_inode fs/inode.c:261 [inline]
new_inode_pseudo+0x69/0x1e0 fs/inode.c:1007
new_inode+0x22/0x1d0 fs/inode.c:1033
jfs_fill_super+0x408/0xc50 fs/jfs/super.c:544
mount_bdev+0x20a/0x2d0 fs/super.c:1658
legacy_get_tree+0xee/0x190 fs/fs_context.c:662
vfs_get_tree+0x90/0x2a0 fs/super.c:1779
do_new_mount+0x2be/0xb40 fs/namespace.c:3352
do_mount fs/namespace.c:3692 [inline]
__do_sys_mount fs/namespace.c:3898 [inline]
__se_sys_mount+0x2d9/0x3c0 fs/namespace.c:3875
page last free pid 5473 tgid 5473 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1141 [inline]
free_unref_page_prepare+0x97b/0xaa0 mm/page_alloc.c:2347
free_unref_page+0x37/0x3f0 mm/page_alloc.c:2487
discard_slab mm/slub.c:2437 [inline]
__put_partials+0xeb/0x130 mm/slub.c:2906
put_cpu_partial+0x17c/0x250 mm/slub.c:2981
__slab_free+0x2ea/0x3d0 mm/slub.c:4151
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x5e/0xc0 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x14f/0x170 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x23/0x80 mm/kasan/common.c:322
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook mm/slub.c:3798 [inline]
slab_alloc_node mm/slub.c:3845 [inline]
kmem_cache_alloc+0x174/0x340 mm/slub.c:3852
getname_flags+0xbd/0x4f0 fs/namei.c:139
do_sys_openat2+0xd2/0x1d0 fs/open.c:1400
do_sys_open fs/open.c:1421 [inline]
__do_sys_openat fs/open.c:1437 [inline]
__se_sys_openat fs/open.c:1432 [inline]
__x64_sys_openat+0x247/0x2a0 fs/open.c:1432
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
ffff8880112dfc80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8880112dfd00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8880112dfd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff8880112dfe00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8880112dfe80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================


Tested on:

commit: ed30a4a5 Linux 6.9-rc5
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=15266ae0980000
kernel config: https://syzkaller.appspot.com/x/.config?x=5a05c230e142f2bc
dashboard link: https://syzkaller.appspot.com/bug?extid=aa6df9d3b383bf5f047f
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=11605ed0980000

Lizhi Xu

May 16, 2024, 10:03:43 PM
to syzbot+aa6df9...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git ed30a4a51bb1

diff --git a/fs/jfs/jfs_imap.c b/fs/jfs/jfs_imap.c
index 2ec35889ad24..d9b302938ed2 100644
--- a/fs/jfs/jfs_imap.c
+++ b/fs/jfs/jfs_imap.c
@@ -747,6 +747,8 @@ int diWrite(tid_t tid, struct inode *ip)
xp = (dtpage_t *) & dp->di_dtroot;
lv = ilinelock->lv;
for (n = 0; n < ilinelock->index; n++, lv++) {
+ printk("lv: %p offset:%d %s\n", lv, lv->offset, __func__);
+ if (lv->offset < DTPAGEMAXSLOT)
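Review bot: `lv->offset < DTPAGEMAXSLOT` still ignores lv->length and compares against the full-page slot count rather than the in-inode root's (DTROOTMAXSLOT in the later patch), so an entry that starts inside the root can still copy past its end; bound `lv->offset + lv->length` instead. The hunk is also cut off in the quoted text, with no statement following the `if`, so what it guards cannot be reviewed here. The printk is debug-only; the offsets it produced (0, 6, 0, 0) are useful, but note the reproducer then failed in jfs_readdir (jfs_dtree.c:2894), a read that no check in this copy loop can address.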

syzbot

May 16, 2024, 10:19:05 PM
to linux-...@vger.kernel.org, lizh...@windriver.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-out-of-bounds Read in jfs_readdir

loop0: detected capacity change from 0 to 32768
lv: ffffc900028520b0 offset:0 diWrite
lv: ffffc900028520b2 offset:6 diWrite
lv: ffffc900028520b4 offset:0 diWrite
lv: ffffc900028520b6 offset:0 diWrite
==================================================================
BUG: KASAN: slab-out-of-bounds in jfs_readdir+0x1b79/0x4660 fs/jfs/jfs_dtree.c:2894
Read of size 1 at addr ffff888076df3d15 by task syz-executor.0/5492

CPU: 0 PID: 5492 Comm: syz-executor.0 Not tainted 6.9.0-rc5-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
jfs_readdir+0x1b79/0x4660 fs/jfs/jfs_dtree.c:2894
wrap_directory_iterator+0x94/0xe0 fs/readdir.c:67
iterate_dir+0x539/0x6f0 fs/readdir.c:110
__do_sys_getdents64 fs/readdir.c:409 [inline]
__se_sys_getdents64+0x20d/0x4f0 fs/readdir.c:394
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f8966e7dea9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f89669ff0c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 00007f8966fabf80 RCX: 00007f8966e7dea9
RDX: 000000000000005d RSI: 00000000200002c0 RDI: 0000000000000005
RBP: 00007f8966eca4a4 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f8966fabf80 R15: 00007ffe3b2048e8
</TASK>

The buggy address belongs to the object at ffff888076df3780
which belongs to the cache jfs_ip of size 2240
The buggy address is located 1429 bytes inside of
allocated 2240-byte region [ffff888076df3780, ffff888076df4040)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x76df0
head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
memcg:ffff88802aef9f01
flags: 0xfff80000000840(slab|head|node=0|zone=1|lastcpupid=0xfff)
page_type: 0xffffffff()
raw: 00fff80000000840 ffff8880197418c0 dead000000000122 0000000000000000
raw: 0000000000000000 00000000800d000d 00000001ffffffff ffff88802aef9f01
head: 00fff80000000840 ffff8880197418c0 dead000000000122 0000000000000000
head: 0000000000000000 00000000800d000d 00000001ffffffff ffff88802aef9f01
head: 00fff80000000003 ffffea0001db7c01 dead000000000122 00000000ffffffff
head: 0000000800000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Reclaimable, gfp_mask 0x1d2050(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL|__GFP_RECLAIMABLE), pid 5490, tgid 1905245577 (syz-executor.0), ts 5492, free_ts 87323640300
page last free pid 4525 tgid 4525 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1141 [inline]
free_unref_page_prepare+0x97b/0xaa0 mm/page_alloc.c:2347
free_unref_page+0x37/0x3f0 mm/page_alloc.c:2487
discard_slab mm/slub.c:2437 [inline]
__put_partials+0xeb/0x130 mm/slub.c:2906
put_cpu_partial+0x17c/0x250 mm/slub.c:2981
__slab_free+0x2ea/0x3d0 mm/slub.c:4151
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x5e/0xc0 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x14f/0x170 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x23/0x80 mm/kasan/common.c:322
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook mm/slub.c:3798 [inline]
slab_alloc_node mm/slub.c:3845 [inline]
kmem_cache_alloc+0x174/0x340 mm/slub.c:3852
kmem_cache_zalloc include/linux/slab.h:739 [inline]
lsm_file_alloc security/security.c:649 [inline]
security_file_alloc+0x28/0x130 security/security.c:2709
init_file+0x99/0x200 fs/file_table.c:152
alloc_empty_file+0xb8/0x1d0 fs/file_table.c:206
path_openat+0xfb/0x3240 fs/namei.c:3785
do_filp_open+0x235/0x490 fs/namei.c:3826
do_sys_openat2+0x13e/0x1d0 fs/open.c:1406
do_sys_open fs/open.c:1421 [inline]
__do_sys_openat fs/open.c:1437 [inline]
__se_sys_openat fs/open.c:1432 [inline]
__x64_sys_openat+0x247/0x2a0 fs/open.c:1432

Memory state around the buggy address:
ffff888076df3c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888076df3c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888076df3d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff888076df3d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888076df3e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================


Tested on:

commit: ed30a4a5 Linux 6.9-rc5
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=12ba37b8980000
kernel config: https://syzkaller.appspot.com/x/.config?x=5a05c230e142f2bc
dashboard link: https://syzkaller.appspot.com/bug?extid=aa6df9d3b383bf5f047f
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=12a532e0980000

syzbot

Apr 30, 2026, 7:04:16 PM
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: Re: [syz] KASAN: slab-out-of-bounds Write in diWrite
Author: tri...@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

From b49fd6df859312590dfffd12e3dad87914f88c9c Mon Sep 17 00:00:00 2001
From: Tristan Madani <tri...@talencesecurity.com>
Date: Thu, 30 Apr 2026 23:01:32 +0000
Subject: [PATCH] jfs: validate lv bounds in diWrite to prevent
slab-out-of-bounds

diWrite() copies btree root data from the in-memory inode to the
on-disk dinode using lv->offset and lv->length from the transaction
lock without bounds checking. When a corrupted JFS filesystem image
provides inconsistent dtree or xtree metadata, the transaction log
entries can reference slots beyond the root node boundaries
(DTROOTMAXSLOT or XTROOTMAXSLOT), causing a slab-out-of-bounds write
in the subsequent memcpy.

For example, with a crafted directory inode where the dtree metadata
produces lv->offset + lv->length > DTROOTMAXSLOT (9), the memcpy in
the dtree copy loop writes 32 bytes past the dinode boundary into
adjacent slab memory.

Add bounds validation before each memcpy in both the xtree and dtree
copy loops to ensure lv->offset + lv->length does not exceed
XTROOTMAXSLOT (18) or DTROOTMAXSLOT (9) respectively.

Reported-by: syzbot+aa6df9...@syzkaller.appspotmail.com
Fixes: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 ("Linux-2.6.12-rc2")
Cc: sta...@vger.kernel.org
Signed-off-by: Tristan Madani <tri...@talencesecurity.com>
---
fs/jfs/jfs_imap.c | 10 ++++++++++
1 file changed, 10 insertions(+)

diff --git a/fs/jfs/jfs_imap.c b/fs/jfs/jfs_imap.c
index b84ba4d7dfb44..70d6a33597273 100644
--- a/fs/jfs/jfs_imap.c
+++ b/fs/jfs/jfs_imap.c
@@ -726,6 +726,11 @@ int diWrite(tid_t tid, struct inode *ip)
xp = &dp->di_xtroot;
lv = ilinelock->lv;
for (n = 0; n < ilinelock->index; n++, lv++) {
+ if (lv->offset + lv->length > XTROOTMAXSLOT) {
+ jfs_err("diWrite: xtree lv out of bounds");
+ release_metapage(mp);
+ return -EIO;
+ }
memcpy(&xp->xad[lv->offset], &p->xad[lv->offset],
lv->length << L2XTSLOTSIZE);
}
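Review bot: the early return needs checking against the transaction state diWrite has already set up for this tlock before the copy loop (the hunk's context starts at the copy itself), since returning -EIO after release_metapage(mp) must not leave the tlock referencing a released metapage for the caller to act on later; the report shows diWrite being called from txCommit at jfs_txnmgr.c:1255, so confirm that path propagates the error and aborts rather than continuing the commit. Minor: include lv->offset and lv->length in the jfs_err so a bad image is diagnosable, and if these are the u8 fields of struct lv the sum cannot overflow, which is worth a one-line comment so nobody later "fixes" it.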
@@ -750,6 +755,11 @@ int diWrite(tid_t tid, struct inode *ip)
xp = (dtpage_t *) & dp->di_dtroot;
lv = ilinelock->lv;
for (n = 0; n < ilinelock->index; n++, lv++) {
+ if (lv->offset + lv->length > DTROOTMAXSLOT) {
+ jfs_err("diWrite: dtree lv out of bounds");
+ release_metapage(mp);
+ return -EIO;
+ }
memcpy(&xp->slot[lv->offset], &p->slot[lv->offset],
lv->length << L2DTSLOTSIZE);
}
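Review bot: the two checks are identical apart from the constant; a small static helper taking the slot limit would remove the duplication and keep the messages consistent. This dtree case is the one the original report hit: the 32-byte write at jfs_imap.c:750 is one slot (`lv->length << L2DTSLOTSIZE` with a length of 1) landing just past di_dtroot, consistent with the commit message's example. Both earlier test runs in this thread moved the failure to an out-of-bounds read in jfs_readdir (jfs_dtree.c:2894) once the copy was bounded, so the #syz test result should be read with that in mind; the patch does not claim to address that read, and the cover text should say so.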
--
2.47.3
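The mechanism the patch description names (a linelock entry whose offset plus length runs past the in-inode root, so the memcpy lands in whatever follows it), as an added userspace model in C. This is example code written for this page, not kernel code and not part of any patch in the thread. It keeps the JFS slot geometry (a 32-byte directory slot, a 9-slot dtree root), but the inode image, the "neighbour" region after the root and the lv lengths are constructed assumptions; the offsets follow the sequence the instrumented test kernel printed. The unchecked path is the loop as it stands; the checked path applies the offset + length bound the last patch proposes.

```c
/*
 * Userspace model of the root-copy loop in diWrite(): an added example,
 * not kernel code. Slot geometry matches JFS (L2DTSLOTSIZE = 5, so one
 * directory slot is 32 bytes; DTROOTMAXSLOT = 9 slots in the in-inode
 * dtree root). The inode image and the linelock entries are constructed;
 * the lv lengths in particular are assumptions, chosen so that the entry
 * at offset 6 reaches one slot past the root.
 */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define L2DTSLOTSIZE    5
#define DTSLOTSIZE      (1 << L2DTSLOTSIZE)    /* 32 bytes per slot */
#define DTROOTMAXSLOT   9                      /* slots in di_dtroot */
#define ROOT_BYTES      (DTROOTMAXSLOT * DTSLOTSIZE)
#define NEIGHBOUR_BYTES 64                     /* constructed: bytes after the root */
#define IMAGE_BYTES     (ROOT_BYTES + NEIGHBOUR_BYTES)

/* One linelock entry: a run of modified root slots (offset, length in slots). */
struct lv { uint8_t offset; uint8_t length; };

/*
 * Copy the locked slot ranges of the in-memory root `src` into the
 * on-disk image `dst`. checked == 0 mirrors the unpatched loop, which
 * trusts lv; checked != 0 rejects an lv that does not fit in the root
 * before touching memory, as the proposed fix does. Returns 0 or -EIO.
 */
static int copy_root_slots(unsigned char *dst, const unsigned char *src,
                           const struct lv *lv, int index, int checked)
{
    for (int n = 0; n < index; n++, lv++) {
        if (checked && lv->offset + lv->length > DTROOTMAXSLOT)
            return -EIO;
        /* Unchecked, an lv ending past slot 9 writes into whatever follows
         * the root; the model image is padded so that stays inside `dst`. */
        memcpy(dst + ((size_t)lv->offset << L2DTSLOTSIZE),
               src + ((size_t)lv->offset << L2DTSLOTSIZE),
               (size_t)lv->length << L2DTSLOTSIZE);
    }
    return 0;
}

/* Run the model; returns the copy's rc and stores in *clobbered the number
 * of bytes changed beyond the end of the root. */
static int run_model(int checked, int *clobbered)
{
    unsigned char src[IMAGE_BYTES], dst[IMAGE_BYTES];
    memset(src, 0xAB, sizeof src);  /* constructed in-memory root contents */
    memset(dst, 0x00, sizeof dst);  /* constructed on-disk image, zeroed */

    /* Offsets follow the sequence the instrumented test kernel printed
     * (0, 6, 0, 0); lengths are assumed. 6 + 4 = 10 > DTROOTMAXSLOT. */
    const struct lv lvs[] = { {0, 1}, {6, 4}, {0, 1}, {0, 1} };
    int rc = copy_root_slots(dst, src, lvs, 4, checked);

    *clobbered = 0;
    for (int i = ROOT_BYTES; i < IMAGE_BYTES; i++)
        if (dst[i] != 0)
            (*clobbered)++;
    return rc;
}

static int model_rc(int checked)        { int c; return run_model(checked, &c); }
static int model_clobbered(int checked) { int c; run_model(checked, &c); return c; }

int main(void)
{
    printf("unchecked: rc=%d, bytes written past the root=%d\n",
           model_rc(0), model_clobbered(0));
    printf("checked:   rc=%d, bytes written past the root=%d\n",
           model_rc(1), model_clobbered(1));
    return 0;
}
```

Unchecked, the model reports 32 bytes written past the root, the same size as the write in the original KASAN report (one slot of the constructed four-slot entry spills over); checked, the copy stops at that entry with -EIO and nothing lands past the root. The lengths are chosen to produce that one-slot spill; a real image can supply any offset and length, which is why the check must be on the sum rather than on the offset alone.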