From: Christoph Hellwig <hch@infradead.org>
To: syzbot <syzbot+8a8170685a482c92e86a@syzkaller.appspotmail.com>
Cc: chandan.babu@oracle.com, djwong@kernel.org,
	linux-kernel@vger.kernel.org, linux-xfs@vger.kernel.org,
	syzkaller-bugs@googlegroups.com,
	Alexander Potapenko <glider@google.com>,
	Marco Elver <elver@google.com>,
	Dmitry Vyukov <dvyukov@google.com>,
	kasan-dev@googlegroups.com
Subject: Re: [syzbot] [xfs?] KFENCE: memory corruption in xfs_idata_realloc
Date: Wed, 9 Oct 2024 23:48:31 -0700	[thread overview]
Message-ID: <Zwd4vxcqoGi6Resh@infradead.org> (raw)
In-Reply-To: <6705c39b.050a0220.22840d.000a.GAE@google.com>

[adding the kfence maintainers]

On Tue, Oct 08, 2024 at 04:43:23PM -0700, syzbot wrote:
> dashboard link: https://syzkaller.appspot.com/bug?extid=8a8170685a482c92e86a

[...]

> XFS (loop2): Quotacheck: Done.
> ==================================================================
> BUG: KFENCE: memory corruption in krealloc_noprof+0x160/0x2e0
> 
> Corrupted memory at 0xffff88823bedafeb [ 0x03 0x00 0xd8 0x62 0x75 0x73 0x01 0x00 0x00 0x11 0x4c 0x00 0x00 0x00 0x00 0x00 ] (in kfence-#108):
>  krealloc_noprof+0x160/0x2e0
>  xfs_idata_realloc+0x116/0x1b0 fs/xfs/libxfs/xfs_inode_fork.c:523

I've tried to make sense of this report and failed.

Documentation/dev-tools/kfence.rst explains these messages as:

KFENCE also uses pattern-based redzones on the other side of an object's guard
page, to detect out-of-bounds writes on the unprotected side of the object.
These are reported on frees::

But doesn't explain what "the other side of an object's guard page" is.

Either way this is in the common krealloc code, which is a bit special
as it uses ksize to figure out what the actual underlying allocation
size of an object is to make use of that.  Without understanding the
actual error I wonder if that's something kfence can't cope with?
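As an added illustration (not code from this thread or from the kernel source), here is a small userspace C model of the pattern-based redzone the quoted kfence.rst text refers to: the object is placed at one end of its slot, next to the guard page, and the remainder of the slot on the other side is filled with an address-dependent byte pattern that is verified when the object is freed. SLOT_SIZE, the pattern formula and the function names are assumptions of this model.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of one KFENCE-style slot. The guard page itself is not
 * modelled; the object is simply placed at the left or right edge of the
 * slot, and the bytes on the far side of the object form the redzone. */
#define SLOT_SIZE 64

struct slot {
    uint8_t mem[SLOT_SIZE];
    size_t obj_size;
    int right_aligned; /* object at end of slot, redzone before it */
};

/* Address-dependent canary byte (assumed formula, never 0x00 or 'x'). */
static uint8_t pattern_byte(const uint8_t *p)
{
    return (uint8_t)(0xaa ^ ((uintptr_t)p & 0xf));
}

/* Hand out an object of `size` bytes and fill the redzone with the pattern. */
uint8_t *slot_alloc(struct slot *s, size_t size, int right_aligned)
{
    s->obj_size = size;
    s->right_aligned = right_aligned;
    uint8_t *obj = right_aligned ? s->mem + SLOT_SIZE - size : s->mem;
    uint8_t *rz = right_aligned ? s->mem : s->mem + size;
    for (size_t i = 0; i < SLOT_SIZE - size; i++)
        rz[i] = pattern_byte(rz + i);
    return obj;
}

/* Free-time check: returns the number of corrupted redzone bytes (0 = clean)
 * and reports the first corrupted address, much like the KFENCE message. */
size_t slot_free_check(struct slot *s)
{
    uint8_t *rz = s->right_aligned ? s->mem : s->mem + s->obj_size;
    size_t bad = 0;
    for (size_t i = 0; i < SLOT_SIZE - s->obj_size; i++) {
        if (rz[i] != pattern_byte(rz + i)) {
            if (bad == 0)
                printf("corrupted memory at %p (redzone byte %zu)\n",
                       (void *)(rz + i), i);
            bad++;
        }
    }
    return bad;
}
```

A write that runs past the object on the unguarded side corrupts the pattern and is caught only at free time, which is why such reports point at the free path rather than at the faulting write.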


Thread overview: 4+ messages
2024-10-08 23:43 [syzbot] [xfs?] KFENCE: memory corruption in xfs_idata_realloc syzbot
2024-10-10  6:48 ` Christoph Hellwig [this message]
2024-10-10  7:50   ` Marco Elver
2024-10-10  8:01     ` Christoph Hellwig