From: syzbot <syzbot+e5292b50f1957164a4b6@syzkaller.appspotmail.com>
To: bfoster@redhat.com, kent.overstreet@linux.dev,
linux-bcachefs@vger.kernel.org, linux-kernel@vger.kernel.org,
syzkaller-bugs@googlegroups.com
Subject: [syzbot] [bcachefs?] UBSAN: shift-out-of-bounds in bch2_bkey_format_invalid (2)
Date: Sun, 09 Jun 2024 22:39:26 -0700 [thread overview]
Message-ID: <00000000000089ded8061a829247@google.com> (raw)
Hello,
syzbot found the following issue on:
HEAD commit: 8867bbd4a056 mm: arm64: Fix the out-of-bounds issue in con..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=13fc4362980000
kernel config: https://syzkaller.appspot.com/x/.config?x=3b4350cf56c61c80
dashboard link: https://syzkaller.appspot.com/bug?extid=e5292b50f1957164a4b6
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15a262ce980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15dc0cba980000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/6ea21f50498b/disk-8867bbd4.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/e2fed09364aa/vmlinux-8867bbd4.xz
kernel image: https://storage.googleapis.com/syzbot-assets/4860173c7a18/Image-8867bbd4.gz.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/662edb25db9f/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+e5292b50f1957164a4b6@syzkaller.appspotmail.com
bcachefs (loop0): mounting version 1.7: mi_btree_bitmap opts=ro,metadata_checksum=none,data_checksum=xxhash,compression=zstd,nojournal_transaction_names,read_only
bcachefs (loop0): recovering from clean shutdown, journal seq 10
------------[ cut here ]------------
UBSAN: shift-out-of-bounds in fs/bcachefs/bkey.c:664:22
shift exponent 64 is too large for 64-bit type 'unsigned long long'
CPU: 0 PID: 6246 Comm: syz-executor702 Tainted: G W 6.10.0-rc2-syzkaller-g8867bbd4a056 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
Call trace:
dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:317
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:324
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:114
dump_stack+0x1c/0x28 lib/dump_stack.c:123
ubsan_epilogue lib/ubsan.c:231 [inline]
__ubsan_handle_shift_out_of_bounds+0x2f4/0x36c lib/ubsan.c:468
bch2_bkey_format_invalid+0x6a0/0x6e0 fs/bcachefs/bkey.c:664
validate_bset+0x10ec/0x1d24 fs/bcachefs/btree_io.c:822
bch2_btree_node_read_done+0x16f0/0x4ac8 fs/bcachefs/btree_io.c:1140
btree_node_read_work+0x50c/0xe04 fs/bcachefs/btree_io.c:1345
bch2_btree_node_read+0x1f4c/0x2818 fs/bcachefs/btree_io.c:1730
__bch2_btree_root_read fs/bcachefs/btree_io.c:1769 [inline]
bch2_btree_root_read+0x2a8/0x534 fs/bcachefs/btree_io.c:1793
read_btree_roots+0x21c/0x730 fs/bcachefs/recovery.c:475
bch2_fs_recovery+0x31c4/0x5488 fs/bcachefs/recovery.c:803
bch2_fs_start+0x30c/0x53c fs/bcachefs/super.c:1031
bch2_fs_open+0x8b4/0xb64 fs/bcachefs/super.c:2123
bch2_mount+0x4fc/0xe18 fs/bcachefs/fs.c:1917
legacy_get_tree+0xd4/0x16c fs/fs_context.c:662
vfs_get_tree+0x90/0x288 fs/super.c:1780
do_new_mount+0x278/0x900 fs/namespace.c:3352
path_mount+0x590/0xe04 fs/namespace.c:3679
do_mount fs/namespace.c:3692 [inline]
__do_sys_mount fs/namespace.c:3898 [inline]
__se_sys_mount fs/namespace.c:3875 [inline]
__arm64_sys_mount+0x45c/0x594 fs/namespace.c:3875
__invoke_syscall arch/arm64/kernel/syscall.c:34 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:48
el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:133
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:152
el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712
el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730
el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598
---[ end trace ]---
bcachefs (loop0): inconsistency detected - emergency read only at journal seq 10
bcachefs (loop0): flagging btree alloc lost data
error reading btree root alloc l=0: btree_node_read_error, shutting down
bcachefs (loop0): bch2_fs_recovery(): error fsck_errors_not_fixed
bcachefs (loop0): bch2_fs_start(): error starting filesystem fsck_errors_not_fixed
bcachefs (loop0): shutting down
bcachefs (loop0): shutdown complete
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
reply other threads:[~2024-06-10 5:39 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=00000000000089ded8061a829247@google.com \
--to=syzbot+e5292b50f1957164a4b6@syzkaller.appspotmail.com \
--cc=bfoster@redhat.com \
--cc=kent.overstreet@linux.dev \
--cc=linux-bcachefs@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.