From: syzbot <syzbot+2b2046c73fcb7e6a0e4e@syzkaller.appspotmail.com>
To: kent.overstreet@linux.dev, linux-bcachefs@vger.kernel.org,
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [bcachefs?] KMSAN: uninit-value in bch2_btree_node_get
Date: Wed, 26 Feb 2025 07:14:26 -0800
Message-ID: <67bf2fd2.050a0220.1ebef.0023.GAE@google.com>
In-Reply-To: <674c2f0c.050a0220.ad585.0034.GAE@google.com>

syzbot has found a reproducer for the following issue on:

HEAD commit: ac9c34d1e45a Merge tag 'for-linus' of git://git.kernel.org..
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=17a4f7a4580000
kernel config: https://syzkaller.appspot.com/x/.config?x=d66f6f82ee090382
dashboard link: https://syzkaller.appspot.com/bug?extid=2b2046c73fcb7e6a0e4e
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11da9c98580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=177a003f980000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/c756243ff2fa/disk-ac9c34d1.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/47bd399bb287/vmlinux-ac9c34d1.xz
kernel image: https://storage.googleapis.com/syzbot-assets/b6c5db9fcba1/bzImage-ac9c34d1.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/039e65b899b2/mount_2.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+2b2046c73fcb7e6a0e4e@syzkaller.appspotmail.com

bucket 0:127 gen 0 has wrong data_type: got free, should be sb, fixing
bucket 0:127 gen 0 data type sb has wrong dirty_sectors: got 0, should be 256, fixing
done
bcachefs (loop0): going read-write
bcachefs (loop0): journal_replay...
=====================================================
BUG: KMSAN: uninit-value in bch2_btree_node_get+0x5ed/0x1970 fs/bcachefs/btree_cache.c:1180
bch2_btree_node_get+0x5ed/0x1970 fs/bcachefs/btree_cache.c:1180
btree_path_down fs/bcachefs/btree_iter.c:976 [inline]
bch2_btree_path_traverse_one+0x283d/0x4790 fs/bcachefs/btree_iter.c:1202
bch2_btree_path_traverse fs/bcachefs/btree_iter.h:249 [inline]
bch2_btree_iter_traverse+0xbb8/0x1110 fs/bcachefs/btree_iter.c:1913
bch2_journal_replay_key+0x28a/0x13f0 fs/bcachefs/recovery.c:264
bch2_journal_replay+0x301d/0x4e20 fs/bcachefs/recovery.c:373
bch2_run_recovery_pass fs/bcachefs/recovery_passes.c:226 [inline]
bch2_run_recovery_passes+0x5a2/0x1160 fs/bcachefs/recovery_passes.c:291
bch2_fs_recovery+0x489c/0x6230 fs/bcachefs/recovery.c:936
bch2_fs_start+0x7ca/0xc20 fs/bcachefs/super.c:1041
bch2_fs_get_tree+0x1564/0x24e0 fs/bcachefs/fs.c:2203
vfs_get_tree+0xb1/0x5a0 fs/super.c:1814
do_new_mount+0x71f/0x15e0 fs/namespace.c:3560
path_mount+0x742/0x1f10 fs/namespace.c:3887
do_mount fs/namespace.c:3900 [inline]
__do_sys_mount fs/namespace.c:4111 [inline]
__se_sys_mount+0x71f/0x800 fs/namespace.c:4088
__x64_sys_mount+0xe4/0x150 fs/namespace.c:4088
x64_sys_call+0x39bf/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:166
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was stored to memory at:
memcpy_u64s_small fs/bcachefs/util.h:416 [inline]
bkey_reassemble fs/bcachefs/bkey.h:506 [inline]
bch2_bkey_buf_reassemble fs/bcachefs/bkey_buf.h:28 [inline]
btree_node_iter_and_journal_peek+0x889/0x2560 fs/bcachefs/btree_iter.c:918
btree_path_down fs/bcachefs/btree_iter.c:947 [inline]
bch2_btree_path_traverse_one+0x2131/0x4790 fs/bcachefs/btree_iter.c:1202
bch2_btree_path_traverse fs/bcachefs/btree_iter.h:249 [inline]
bch2_btree_iter_traverse+0xbb8/0x1110 fs/bcachefs/btree_iter.c:1913
bch2_journal_replay_key+0x28a/0x13f0 fs/bcachefs/recovery.c:264
bch2_journal_replay+0x301d/0x4e20 fs/bcachefs/recovery.c:373
bch2_run_recovery_pass fs/bcachefs/recovery_passes.c:226 [inline]
bch2_run_recovery_passes+0x5a2/0x1160 fs/bcachefs/recovery_passes.c:291
bch2_fs_recovery+0x489c/0x6230 fs/bcachefs/recovery.c:936
bch2_fs_start+0x7ca/0xc20 fs/bcachefs/super.c:1041
bch2_fs_get_tree+0x1564/0x24e0 fs/bcachefs/fs.c:2203
vfs_get_tree+0xb1/0x5a0 fs/super.c:1814
do_new_mount+0x71f/0x15e0 fs/namespace.c:3560
path_mount+0x742/0x1f10 fs/namespace.c:3887
do_mount fs/namespace.c:3900 [inline]
__do_sys_mount fs/namespace.c:4111 [inline]
__se_sys_mount+0x71f/0x800 fs/namespace.c:4088
__x64_sys_mount+0xe4/0x150 fs/namespace.c:4088
x64_sys_call+0x39bf/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:166
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was created at:
___kmalloc_large_node+0x22c/0x370 mm/slub.c:4249
__kmalloc_large_node_noprof+0x3f/0x1e0 mm/slub.c:4266
__do_kmalloc_node mm/slub.c:4282 [inline]
__kmalloc_node_noprof+0xc96/0x1250 mm/slub.c:4300
__kvmalloc_node_noprof+0xc0/0x2d0 mm/util.c:662
btree_node_data_alloc fs/bcachefs/btree_cache.c:156 [inline]
bch2_btree_node_mem_alloc+0xa72/0x2ee0 fs/bcachefs/btree_cache.c:834
__bch2_btree_node_alloc fs/bcachefs/btree_update_interior.c:304 [inline]
bch2_btree_reserve_get+0x37f/0x2290 fs/bcachefs/btree_update_interior.c:532
bch2_btree_update_start+0x2b0e/0x2d60 fs/bcachefs/btree_update_interior.c:1251
bch2_btree_split_leaf+0x120/0xc90 fs/bcachefs/btree_update_interior.c:1853
bch2_trans_commit_error+0x1c0/0x1d60 fs/bcachefs/btree_trans_commit.c:908
__bch2_trans_commit+0x1d5f/0xd310 fs/bcachefs/btree_trans_commit.c:1089
bch2_trans_commit fs/bcachefs/btree_update.h:183 [inline]
bch2_journal_replay+0x3125/0x4e20 fs/bcachefs/recovery.c:373
bch2_run_recovery_pass fs/bcachefs/recovery_passes.c:226 [inline]
bch2_run_recovery_passes+0x5a2/0x1160 fs/bcachefs/recovery_passes.c:291
bch2_fs_recovery+0x489c/0x6230 fs/bcachefs/recovery.c:936
bch2_fs_start+0x7ca/0xc20 fs/bcachefs/super.c:1041
bch2_fs_get_tree+0x1564/0x24e0 fs/bcachefs/fs.c:2203
vfs_get_tree+0xb1/0x5a0 fs/super.c:1814
do_new_mount+0x71f/0x15e0 fs/namespace.c:3560
path_mount+0x742/0x1f10 fs/namespace.c:3887
do_mount fs/namespace.c:3900 [inline]
__do_sys_mount fs/namespace.c:4111 [inline]
__se_sys_mount+0x71f/0x800 fs/namespace.c:4088
__x64_sys_mount+0xe4/0x150 fs/namespace.c:4088
x64_sys_call+0x39bf/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:166
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

CPU: 0 UID: 0 PID: 5784 Comm: syz-executor148 Not tainted 6.14.0-rc4-syzkaller-00052-gac9c34d1e45a #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
=====================================================
---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.