Hello,
syzbot found the following crash on:
HEAD commit: b850307b Linux 4.14.184
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=15ed7d13100000
kernel config: https://syzkaller.appspot.com/x/.config?x=ddc0f08dd6b981c5
dashboard link: https://syzkaller.appspot.com/bug?extid=dc04ddf2778b6d7e38a3
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+dc04dd...@syzkaller.appspotmail.com
MINIX-fs: mounting unchecked file system, running fsck is recommended
rtc_cmos 00:00: Alarms can be up to one day in the future
rtc_cmos 00:00: Alarms can be up to one day in the future
Process accounting resumed
==================================================================
BUG: KASAN: slab-out-of-bounds in add_chain fs/minix/itree_common.c:14 [inline]
BUG: KASAN: slab-out-of-bounds in get_branch fs/minix/itree_common.c:52 [inline]
BUG: KASAN: slab-out-of-bounds in get_block+0xe06/0x1100 fs/minix/itree_common.c:160
Read of size 2 at addr ffff8880957ab18a by task syz-executor.2/2261
CPU: 0 PID: 2261 Comm: syz-executor.2 Not tainted 4.14.184-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x1b2/0x283 lib/dump_stack.c:58
print_address_description.cold+0x54/0x1dc mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xa9/0x2b9 mm/kasan/report.c:393
add_chain fs/minix/itree_common.c:14 [inline]
get_branch fs/minix/itree_common.c:52 [inline]
get_block+0xe06/0x1100 fs/minix/itree_common.c:160
minix_get_block+0xd6/0x100 fs/minix/inode.c:379
__block_write_begin_int+0x33a/0x1000 fs/buffer.c:2038
__block_write_begin fs/buffer.c:2088 [inline]
block_write_begin+0x58/0x260 fs/buffer.c:2147
minix_write_begin+0x35/0xc0 fs/minix/inode.c:415
generic_perform_write+0x1c9/0x420 mm/filemap.c:3047
__generic_file_write_iter+0x227/0x590 mm/filemap.c:3172
generic_file_write_iter+0x36f/0x650 mm/filemap.c:3200
call_write_iter include/linux/fs.h:1778 [inline]
new_sync_write fs/read_write.c:469 [inline]
__vfs_write+0x44e/0x630 fs/read_write.c:482
__kernel_write+0xf5/0x330 fs/read_write.c:501
do_acct_process+0xb49/0xf60 kernel/acct.c:520
acct_pin_kill+0x28/0xe0 kernel/acct.c:174
pin_kill+0x147/0x650 fs/fs_pin.c:50
mnt_pin_kill+0x62/0x170 fs/fs_pin.c:87
cleanup_mnt+0x110/0x140 fs/namespace.c:1180
task_work_run+0x113/0x190 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:191 [inline]
exit_to_usermode_loop+0x1ad/0x200 arch/x86/entry/common.c:164
prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
do_syscall_64+0x4a3/0x640 arch/x86/entry/common.c:297
entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x45cba9
RSP: 002b:00007f4fabb83c78 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 000000000050ca80 RCX: 000000000045cba9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000500
RBP: 000000000078bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 0000000000000cb6 R14: 00000000004cf091 R15: 00007f4fabb846d4
Allocated by task 1564:
save_stack mm/kasan/kasan.c:447 [inline]
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc.part.0+0x4f/0xd0 mm/kasan/kasan.c:551
kmem_cache_alloc+0x124/0x3c0 mm/slab.c:3552
__sigqueue_alloc+0x1b8/0x3e0 kernel/signal.c:400
__send_signal+0x193/0x1280 kernel/signal.c:1097
specific_send_sig_info kernel/signal.c:1208 [inline]
force_sig_info+0x240/0x340 kernel/signal.c:1260
force_sig_info_fault.constprop.0+0x185/0x260 arch/x86/mm/fault.c:225
__bad_area_nosemaphore+0x1d6/0x2c0 arch/x86/mm/fault.c:940
__do_page_fault+0x842/0xb50 arch/x86/mm/fault.c:1412
page_fault+0x45/0x50 arch/x86/entry/entry_64.S:1123
Freed by task 1564:
save_stack mm/kasan/kasan.c:447 [inline]
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0xaf/0x190 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3496 [inline]
kmem_cache_free+0x7c/0x2b0 mm/slab.c:3758
__sigqueue_free kernel/signal.c:419 [inline]
dequeue_synchronous_signal kernel/signal.c:727 [inline]
get_signal+0xba1/0x1c90 kernel/signal.c:2313
do_signal+0x7c/0x15d0 arch/x86/kernel/signal.c:814
exit_to_usermode_loop+0x160/0x200 arch/x86/entry/common.c:160
prepare_exit_to_usermode+0x1af/0x210 arch/x86/entry/common.c:199
retint_user+0x8/0x18
The buggy address belongs to the object at ffff8880957ab0e0
which belongs to the cache sigqueue of size 160
The buggy address is located 10 bytes to the right of
160-byte region [ffff8880957ab0e0, ffff8880957ab180)
The buggy address belongs to the page:
page:ffffea000255eac0 count:1 mapcount:0 mapping:ffff8880957ab000 index:0x0
flags: 0xfffe0000000100(slab)
raw: 00fffe0000000100 ffff8880957ab000 0000000000000000 0000000100000012
raw: ffffea0001520020 ffffea000286a020 ffff8880aa9da6c0 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880957ab080: fb fb fb fb fc fc fc fc fc fc fc fc fb fb fb fb
ffff8880957ab100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880957ab180: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
^
ffff8880957ab200: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
ffff8880957ab280: fc fc fc fc fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
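Added example (not part of the syzbot report and not kernel code): a small Python triage helper that decodes the "Memory state around the buggy address" block above the way a reader of a KASAN report does. It maps the faulting address to its 8-byte shadow granule, classifies the shadow value (0xfc is a kmalloc redzone, 0xfb a freed slab object, 0x00 addressable, 0x01..0x07 a partially addressable granule), and checks the shadow of the object KASAN named. The shadow-value table is the one defined in mm/kasan/kasan.h for generic KASAN on 4.14; the dump lines and addresses are copied from this report, and the function names are the example's own.

```python
import re

SHADOW_SCALE = 8  # one KASAN shadow byte describes 8 bytes of kernel memory

# Generic-KASAN shadow values from mm/kasan/kasan.h (4.14). Values 0x01..0x07
# mean "only the first N bytes of this 8-byte granule are addressable".
SHADOW_MEANING = {
    0x00: "addressable",
    0xfa: "global redzone",
    0xfb: "freed kmalloc/slab object (use-after-free if accessed)",
    0xfc: "kmalloc/slab redzone (out-of-bounds if accessed)",
    0xfe: "page redzone",
    0xff: "free page",
    0xf1: "stack left redzone",
    0xf2: "stack mid redzone",
    0xf3: "stack right redzone",
    0xf4: "stack partial redzone",
    0xf8: "use-after-scope",
}

# Memory-state block copied from the report above (the ">" marks the line
# holding the faulting address).
MEMORY_STATE = """\
 ffff8880957ab080: fb fb fb fb fc fc fc fc fc fc fc fc fb fb fb fb
 ffff8880957ab100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880957ab180: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
 ffff8880957ab200: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
 ffff8880957ab280: fc fc fc fc fb fb fb fb fb fb fb fb fb fb fb fb
"""

LINE_RE = re.compile(r"^[ >]?([0-9a-f]{16}):((?: [0-9a-f]{2})+)$")


def parse_memory_state(text):
    """Return {granule_start_address: shadow_value} for every granule in the dump."""
    shadow = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if not m:
            continue
        base = int(m.group(1), 16)
        for i, byte in enumerate(m.group(2).split()):
            shadow[base + i * SHADOW_SCALE] = int(byte, 16)
    return shadow


def shadow_of(shadow, addr):
    """Shadow value covering addr (addr rounded down to its 8-byte granule)."""
    return shadow.get(addr & ~(SHADOW_SCALE - 1))


def describe(shadow, addr, size):
    """Classify every granule touched by a `size`-byte access at `addr`."""
    results = []
    for a in range(addr & ~(SHADOW_SCALE - 1), addr + size, SHADOW_SCALE):
        v = shadow_of(shadow, a)
        if v is None:
            meaning = "not covered by the dump"
        elif 1 <= v <= 7:
            # Partial granule: only bytes [a, a+v) are valid; compare against
            # the part of the access that falls inside this granule.
            last = min(addr + size, a + SHADOW_SCALE)
            meaning = "addressable" if last <= a + v else "out-of-bounds past byte %d of granule" % v
        else:
            meaning = SHADOW_MEANING.get(v, "unknown shadow 0x%02x" % v)
        results.append((a, v, meaning))
    return results


def object_state(shadow, start, end):
    """Set of shadow values across an object's [start, end); {0xfb} means wholly freed."""
    return {shadow_of(shadow, a) for a in range(start, end, SHADOW_SCALE)}


def triage(text, addr, size, obj_start, obj_end):
    """Summarise a KASAN access against the named object, as the report header does."""
    shadow = parse_memory_state(text)
    return {
        "access": describe(shadow, addr, size),
        "offset_from_object_end": addr - obj_end,
        "object_shadow": object_state(shadow, obj_start, obj_end),
    }


if __name__ == "__main__":
    # Numbers from the report: read of size 2 at ...18a, object [...0e0, ...180)
    r = triage(MEMORY_STATE, 0xffff8880957ab18a, 2,
               0xffff8880957ab0e0, 0xffff8880957ab180)
    for a, v, meaning in r["access"]:
        print("granule %#x: shadow 0x%02x -> %s" % (a, v, meaning))
    print("access is %d bytes past the end of the object" % r["offset_from_object_end"])
    print("object shadow values:", sorted("0x%02x" % v for v in r["object_shadow"]))
```

Run against the dump above it lands on shadow 0xfc, ten bytes past the 160-byte sigqueue object, and shows that object itself is entirely 0xfb (already freed, matching the "Freed by task 1564" stack), which is why KASAN classifies the access as slab-out-of-bounds into a redzone rather than a use-after-free of the sigqueue: the address reached by get_block is not a live sigqueue at all, the sigqueue slab merely happens to own that memory.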
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.