From: bugzilla-daemon@kernel.org
To: linux-f2fs-devel@lists.sourceforge.net
Subject: [f2fs-dev] [Bug 215905] New: BUG: KASAN: slab-out-of-bounds in f2fs_allocate_data_block+0x23d0/0x31f0
Date: Wed, 27 Apr 2022 15:29:48 +0000 [thread overview]
Message-ID: <bug-215905-202145@https.bugzilla.kernel.org/> (raw)
https://bugzilla.kernel.org/show_bug.cgi?id=215905
Bug ID: 215905
Summary: BUG: KASAN: slab-out-of-bounds in f2fs_allocate_data_block+0x23d0/0x31f0
Product: File System
Version: 2.5
Kernel Version: 5.17
Hardware: All
OS: Linux
Tree: Mainline
Status: NEW
Severity: normal
Priority: P1
Component: f2fs
Assignee: filesystem_f2fs@kernel-bugs.kernel.org
Reporter: yanming@tju.edu.cn
Regression: No
Created attachment 300829
--> https://bugzilla.kernel.org/attachment.cgi?id=300829&action=edit
case.c
I have encountered a KASAN bug in the F2FS file system in kernel v5.17.

I have uploaded the system call sequence as case.c, and a fuzzed image can be
found on Google net disk
(https://drive.google.com/file/d/1PKPI0AojESKJLWKaWeBg-nRPNlEPELFb/view?usp=sharing).

The kernel should enable CONFIG_KASAN=y and CONFIG_KASAN_INLINE=y. You can
reproduce the bug by running the following commands:

gcc -o case case.c
losetup /dev/loop0 case.img
mount -o "background_gc=sync,discard,no_heap,nouser_xattr,active_logs=2,inline_data,fastboot,data_flush,checkpoint=disable,noquota,fsync_mode=strict,test_dummy_encryption" -t f2fs /dev/loop0 /root/mnt
./case
The kernel log is shown below:
==================================================================
BUG: KASAN: slab-out-of-bounds in f2fs_allocate_data_block+0x23d0/0x31f0
Read of size 4 at addr ffff88810ae96bc4 by task case/2167

CPU: 1 PID: 2167 Comm: case Not tainted 5.17.0 #4
Hardware name: Dell Inc. OptiPlex 9020/03CPWF, BIOS A14 09/14/2015
Call Trace:
 <TASK>
 dump_stack_lvl+0x34/0x44
 print_address_description.constprop.0+0x21/0x150
 ? f2fs_allocate_data_block+0x23d0/0x31f0
 ? f2fs_allocate_data_block+0x23d0/0x31f0
 kasan_report.cold+0x7f/0x11b
 ? f2fs_allocate_data_block+0x23d0/0x31f0
 f2fs_allocate_data_block+0x23d0/0x31f0
 ? _raw_read_lock_bh+0x40/0x40
 ? _raw_spin_lock_irqsave+0x88/0xe0
 do_write_page+0x18d/0x710
 f2fs_outplace_write_data+0x151/0x250
 ? f2fs_do_write_node_page+0x110/0x110
 f2fs_convert_inline_page+0x6f7/0x1300
 ? f2fs_read_inline_data+0x5c0/0x5c0
 ? __get_node_page+0x13c/0xd30
 f2fs_convert_inline_inode+0x99c/0xf40
 ? f2fs_convert_inline_page+0x1300/0x1300
 ? selinux_mount+0x220/0x220
 ? setattr_prepare+0xd5/0x640
 f2fs_setattr+0xb28/0x12e0
 notify_change+0x5a5/0xcc0
 ? down_write_killable+0x120/0x120
 ? do_truncate+0xeb/0x190
 do_truncate+0xeb/0x190
 ? __x64_sys_openat2+0x2a0/0x2a0
 ? __fget_light+0x52/0x500
 ? ksys_read+0xe8/0x1c0
 ? vfs_write+0x7b0/0x7b0
 do_sys_ftruncate+0x2b2/0x4b0
 do_syscall_64+0x3b/0x90
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7fd670d5976d
Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d f3 36 0d 00 f7 d8 64 89 01 48
RSP: 002b:00007fff4da961a8 EFLAGS: 00000203 ORIG_RAX: 000000000000004d
RAX: ffffffffffffffda RBX: 000055b2f5995b60 RCX: 00007fd670d5976d
RDX: 00007fd670d5976d RSI: 0000000000073460 RDI: 0000000000000003
RBP: 00007fff4de963e0 R08: 00007fff4de964d8 R09: 00007fff4de964d8
R10: 00007fff4de964d8 R11: 0000000000000203 R12: 000055b2f59950a0
R13: 00007fff4de964d0 R14: 0000000000000000 R15: 0000000000000000
 </TASK>

Allocated by task 2157:
 kasan_save_stack+0x1e/0x40
 __kasan_kmalloc+0x81/0xa0
 f2fs_fill_super+0xea/0x64f0
 mount_bdev+0x2c0/0x3a0
 legacy_get_tree+0xea/0x1d0
 vfs_get_tree+0x7f/0x2b0
 path_mount+0x47e/0x19b0
 do_mount+0xc5/0xe0
 __x64_sys_mount+0x127/0x190
 do_syscall_64+0x3b/0x90
 entry_SYSCALL_64_after_hwframe+0x44/0xae

The buggy address belongs to the object at ffff88810ae96000
 which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 3012 bytes inside of
 4096-byte region [ffff88810ae96000, ffff88810ae97000)
The buggy address belongs to the page:
page:00000000d3f90f20 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10ae90
head:00000000d3f90f20 order:3 compound_mapcount:0 compound_pincount:0
flags: 0x200000000010200(slab|head|node=0|zone=2)
raw: 0200000000010200 dead000000000100 dead000000000122 ffff888100043040
raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88810ae96a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88810ae96b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88810ae96b80: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
                                           ^
 ffff88810ae96c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88810ae96c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
--
You may reply to this email to add a comment.
You are receiving this mail because:
You are watching the assignee of the bug.
_______________________________________________
Linux-f2fs-devel mailing list
Linux-f2fs-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel
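The reproduction steps and the kernel log above, as an added example that is not part of the bug report or of f2fs: a POSIX sh script that wraps the reporter's commands with the checks a triager wants (root, a KASAN kernel, a free loop device instead of assuming /dev/loop0 is unused, cleanup on exit), and a small parser that reduces a /dev/kmsg-format capture (the "prio,seq,usec,flags;message" form the report's log is in, with newlines escaped as "\x0a") or plain dmesg output to the KASAN report and the fields worth filing: bug class, faulting function, access kind/size/address/task and the first non-KASAN frame of the allocation stack. It generalizes slightly beyond this report by also picking up a "Freed by task" stack when a use-after-free has one. The sample records are constructed from the report's own lines; the config path /boot/config-$(uname -r), the mount point and the image name are assumptions. One caveat the parser cannot infer for you: the "3012 bytes inside of 4096-byte region" line describes the kmalloc-4k slab slot, while the shadow row (00 00 00 fc ...) shows the allocated object ends before the faulting address, which is why KASAN classifies the read as out-of-bounds.

```shell
#!/bin/sh
# Added example, not code from the bug report or from f2fs. Assumes POSIX sh,
# awk, util-linux losetup/mount and a kernel config at /boot/config-$(uname -r);
# image name and mount point are placeholders.

# Mount options exactly as given in the report.
mount_opts() {
    echo "background_gc=sync,discard,no_heap,nouser_xattr,active_logs=2,inline_data,fastboot,data_flush,checkpoint=disable,noquota,fsync_mode=strict,test_dummy_encryption"
}

# /dev/kmsg records look like "prio,seq,usec,flags;message", with newlines
# inside one record escaped as the four characters "\x0a"; dmesg prints
# "[  seconds] message" instead. Reduce both to the bare message text.
kmsg_to_text() {
    awk '{
        sub(/^[0-9]+,[0-9]+,[0-9]+,[^;]*;/, "")
        sub(/^\[ *[0-9]+\.[0-9]+\] /, "")
        gsub(/\\x0a/, "\n")
        print
    }'
}

# Cut the first KASAN report out of a cleaned log: from the "BUG: KASAN:"
# header up to and including the closing line of '=' characters.
kasan_report() {
    awk '
        /^BUG: KASAN:/ { inrep = 1 }
        inrep { print }
        inrep && /^=+$/ { exit }
    '
}

# One line per field of interest: bug class and faulting function, the access
# (kind, size, address, task), and the first non-KASAN frame of the allocation
# stack (and of the free stack when the report has one).
kasan_summary() {
    kasan_report | awk '
        /^BUG: KASAN: / { printf "type=%s func=%s\n", $3, $5 }
        /^(Read|Write) of size / {
            printf "access=%s size=%s addr=%s task=%s\n", $1, $4, $7, $10
        }
        /^Allocated by task/ { want = "alloc_site"; next }
        /^Freed by task/     { want = "free_site";  next }
        want != "" && /^ / && !/kasan_/ {
            sub(/^ +/, ""); printf "%s=%s\n", want, $0; want = ""
        }
    '
}

# Records constructed from the report above, in /dev/kmsg format, so the parser
# can be exercised without a KASAN kernel at hand.
sample_log() {
    cat <<'EOF'
3,904,146667379,-;==================================================================
3,905,146667387,-;BUG: KASAN: slab-out-of-bounds in f2fs_allocate_data_block+0x23d0/0x31f0
3,906,146667396,-;Read of size 4 at addr ffff88810ae96bc4 by task case/2167
3,907,146667399,-;
3,953,146667558,-;Allocated by task 2157:
4,954,146667572,-; kasan_save_stack+0x1e/0x40
4,955,146667575,-; __kasan_kmalloc+0x81/0xa0
4,956,146667577,-; f2fs_fill_super+0xea/0x64f0
3,966,146667625,-;The buggy address belongs to the object at ffff88810ae96000\x0a which belongs to the cache kmalloc-4k of size 4096
3,983,146667664,-;==================================================================
EOF
}

# The reporter's steps with root and CONFIG_KASAN checked, a free loop device
# taken instead of assuming /dev/loop0, cleanup on exit, and the kernel log
# scanned afterwards. Usage: sh repro.sh run case.img [./case] [mountpoint]
reproduce() {
    img=$1; prog=${2:-./case}; mnt=${3:-/tmp/f2fs-215905}
    [ "$(id -u)" -eq 0 ] || { echo "reproduce: must run as root" >&2; return 1; }
    grep -q '^CONFIG_KASAN=y' "/boot/config-$(uname -r)" 2>/dev/null ||
        echo "reproduce: cannot confirm CONFIG_KASAN=y for $(uname -r)" >&2
    dev=$(losetup --find --show "$img") || return 1
    trap 'umount "$mnt" 2>/dev/null; losetup -d "$dev"' EXIT
    mkdir -p "$mnt"
    mount -o "$(mount_opts)" -t f2fs "$dev" "$mnt" || return 1
    "$prog"
    dmesg | kmsg_to_text | kasan_summary
}

if [ "${1:-}" = run ]; then
    reproduce "$2" "$3" "$4"
fi
```

Run `sh repro.sh run case.img` on the KASAN kernel; on any machine, `sample_log | kmsg_to_text | kasan_summary` shows the three summary lines the report yields. Note that dmesg is scanned from the start, so clear it (`dmesg -C`) before a run if an older report is still in the buffer.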
Thread overview: 4+ messages
2022-04-27 15:29 bugzilla-daemon [this message]
2022-04-30 15:01 ` [f2fs-dev] [Bug 215905] BUG: KASAN: slab-out-of-bounds in f2fs_allocate_data_block+0x23d0/0x31f0 bugzilla-daemon
2022-05-01 3:17 ` bugzilla-daemon
2022-05-03 0:56 ` bugzilla-daemon