public inbox for linux-kernel@vger.kernel.org
* [syzbot] [bcachefs?] KMSAN: uninit-value in bch2_bkey_cmp_packed_inlined
@ 2024-09-09 14:34 syzbot
  0 siblings, 0 replies; 5+ messages in thread
From: syzbot @ 2024-09-09 14:34 UTC (permalink / raw)
  To: kent.overstreet, linux-bcachefs, linux-kernel, syzkaller-bugs

Hello,

syzbot found the following issue on:

HEAD commit:    d1f2d51b711a Merge tag 'clk-fixes-for-linus' of git://git...
git tree:       upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=11671f29980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=de85d75807a205cd
dashboard link: https://syzkaller.appspot.com/bug?extid=6f655a60d3244d0c6718
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=17f3589f980000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=100b589f980000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/df667fbbb2c1/disk-d1f2d51b.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/1574a134d7c4/vmlinux-d1f2d51b.xz
kernel image: https://storage.googleapis.com/syzbot-assets/a977c1daccb8/bzImage-d1f2d51b.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/db88b8b6831b/mount_3.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+6f655a60d3244d0c6718@syzkaller.appspotmail.com

bucket 0:127 gen 0 has wrong data_type: got free, should be sb, fixing
bucket 0:127 gen 0 data type sb has wrong dirty_sectors: got 0, should be 256, fixing
 done
bcachefs (loop0): going read-write
bcachefs (loop0): journal_replay...
=====================================================
BUG: KMSAN: uninit-value in bch2_bkey_cmp_packed_inlined+0x8d0/0xd50 fs/bcachefs/bkey_cmp.h:115
 bch2_bkey_cmp_packed_inlined+0x8d0/0xd50 fs/bcachefs/bkey_cmp.h:115
 bch2_sort_keys_keep_unwritten_whiteouts+0xf94/0x19d0 fs/bcachefs/bkey_sort.c:184
 __bch2_btree_node_write+0x3ae7/0x6830 fs/bcachefs/btree_io.c:2096
 bch2_btree_node_write+0xa5/0x2e0 fs/bcachefs/btree_io.c:2285
 btree_node_write_if_need fs/bcachefs/btree_io.h:151 [inline]
 __btree_node_flush+0x606/0x680 fs/bcachefs/btree_trans_commit.c:252
 bch2_btree_node_flush0+0x35/0x60 fs/bcachefs/btree_trans_commit.c:261
 journal_flush_pins+0xce6/0x1780 fs/bcachefs/journal_reclaim.c:565
 journal_flush_done+0x156/0x3f0 fs/bcachefs/journal_reclaim.c:821
 bch2_journal_flush_pins+0x1a1/0x3b0 fs/bcachefs/journal_reclaim.c:851
 bch2_journal_flush_all_pins fs/bcachefs/journal_reclaim.h:76 [inline]
 bch2_journal_replay+0x4923/0x4d20 fs/bcachefs/recovery.c:383
 bch2_run_recovery_pass fs/bcachefs/recovery_passes.c:183 [inline]
 bch2_run_recovery_passes+0x400/0xec0 fs/bcachefs/recovery_passes.c:230
 bch2_fs_recovery+0x42d2/0x5c60 fs/bcachefs/recovery.c:859
 bch2_fs_start+0x7b2/0xbd0 fs/bcachefs/super.c:1036
 bch2_fs_get_tree+0x13e8/0x22d0 fs/bcachefs/fs.c:1946
 vfs_get_tree+0xb1/0x5a0 fs/super.c:1800
 do_new_mount+0x71f/0x15e0 fs/namespace.c:3472
 path_mount+0x742/0x1f10 fs/namespace.c:3799
 do_mount fs/namespace.c:3812 [inline]
 __do_sys_mount fs/namespace.c:4020 [inline]
 __se_sys_mount+0x722/0x810 fs/namespace.c:3997
 __x64_sys_mount+0xe4/0x150 fs/namespace.c:3997
 x64_sys_call+0x255a/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:166
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was created at:
 ___kmalloc_large_node+0x22c/0x370 mm/slub.c:4117
 __kmalloc_large_node_noprof+0x3f/0x1e0 mm/slub.c:4134
 __do_kmalloc_node mm/slub.c:4150 [inline]
 __kmalloc_node_noprof+0x9d6/0xf50 mm/slub.c:4168
 __kvmalloc_node_noprof+0xc0/0x2d0 mm/util.c:650
 btree_bounce_alloc fs/bcachefs/btree_io.c:124 [inline]
 bch2_btree_node_read_done+0x52a9/0x7790 fs/bcachefs/btree_io.c:1192
 btree_node_read_work+0x973/0x1960 fs/bcachefs/btree_io.c:1323
 bch2_btree_node_read+0x2e6b/0x36e0
 __bch2_btree_root_read fs/bcachefs/btree_io.c:1749 [inline]
 bch2_btree_root_read+0xa81/0x13f0 fs/bcachefs/btree_io.c:1773
 read_btree_roots+0x51c/0x1250 fs/bcachefs/recovery.c:523
 bch2_fs_recovery+0x422c/0x5c60 fs/bcachefs/recovery.c:851
 bch2_fs_start+0x7b2/0xbd0 fs/bcachefs/super.c:1036
 bch2_fs_get_tree+0x13e8/0x22d0 fs/bcachefs/fs.c:1946
 vfs_get_tree+0xb1/0x5a0 fs/super.c:1800
 do_new_mount+0x71f/0x15e0 fs/namespace.c:3472
 path_mount+0x742/0x1f10 fs/namespace.c:3799
 do_mount fs/namespace.c:3812 [inline]
 __do_sys_mount fs/namespace.c:4020 [inline]
 __se_sys_mount+0x722/0x810 fs/namespace.c:3997
 __x64_sys_mount+0xe4/0x150 fs/namespace.c:3997
 x64_sys_call+0x255a/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:166
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

CPU: 1 UID: 0 PID: 5189 Comm: syz-executor350 Not tainted 6.11.0-rc6-syzkaller-00326-gd1f2d51b711a #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
=====================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup


* Re: [syzbot] [bcachefs?] KMSAN: uninit-value in bch2_bkey_cmp_packed_inlined
       [not found] <Vb6itTIqiK_hBcmPGWEcD1s6-FXS_btlvF1QhQYj6P33qEOyDUlGjdEAQz_lTPdXxCX09q4bEPzeE7mTrcy4R8mublQS8aUISzxZKCYeppQ=@pm.me>
@ 2024-09-14 12:15 ` syzbot
  2024-09-16 22:37   ` Piotr Zalewski
  0 siblings, 1 reply; 5+ messages in thread
From: syzbot @ 2024-09-14 12:15 UTC (permalink / raw)
  To: linux-kernel, pz010001011111, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
kernel panic: corrupted stack end in x64_sys_call

bucket 0:127 gen 0 has wrong data_type: got free, should be sb, fixing
bucket 0:127 gen 0 data type sb has wrong dirty_sectors: got 0, should be 256, fixing
 done
bcachefs (loop0): going read-write
bcachefs (loop0): journal_replay...
Kernel panic - not syncing: corrupted stack end detected inside scheduler
CPU: 0 UID: 0 PID: 5945 Comm: syz.0.15 Not tainted 6.11.0-rc7-syzkaller-g57719771a244-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:93 [inline]
 dump_stack_lvl+0x216/0x2d0 lib/dump_stack.c:119
 dump_stack+0x1e/0x30 lib/dump_stack.c:128
 panic+0x4e2/0xcd0 kernel/panic.c:354
 schedule_debug kernel/sched/core.c:5745 [inline]
 __schedule+0x660/0x6580 kernel/sched/core.c:6411
 __schedule_loop kernel/sched/core.c:6606 [inline]
 schedule+0x13d/0x380 kernel/sched/core.c:6621
 __closure_sync+0x163/0x1c0 lib/closure.c:146
 closure_sync include/linux/closure.h:195 [inline]
 bch2_journal_flush_pins+0x263/0x3b0 fs/bcachefs/journal_reclaim.c:851
 bch2_journal_flush_all_pins fs/bcachefs/journal_reclaim.h:76 [inline]
 bch2_journal_replay+0x4923/0x4d20 fs/bcachefs/recovery.c:383
 bch2_run_recovery_pass fs/bcachefs/recovery_passes.c:183 [inline]
 bch2_run_recovery_passes+0x400/0xec0 fs/bcachefs/recovery_passes.c:230
 bch2_fs_recovery+0x42d2/0x5c60 fs/bcachefs/recovery.c:859
 bch2_fs_start+0x7b2/0xbd0 fs/bcachefs/super.c:1036
 bch2_fs_get_tree+0x13e8/0x22d0 fs/bcachefs/fs.c:1954
 vfs_get_tree+0xb1/0x5a0 fs/super.c:1800
 do_new_mount+0x71f/0x15e0 fs/namespace.c:3472
 path_mount+0x742/0x1f10 fs/namespace.c:3799
 do_mount fs/namespace.c:3812 [inline]
 __do_sys_mount fs/namespace.c:4020 [inline]
 __se_sys_mount+0x722/0x810 fs/namespace.c:3997
 __x64_sys_mount+0xe4/0x150 fs/namespace.c:3997
 x64_sys_call+0x255a/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:166
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f6261f7e69a
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 1a 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f6262e37e68 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007f6262e37ef0 RCX: 00007f6261f7e69a
RDX: 00000000200058c0 RSI: 0000000020005900 RDI: 00007f6262e37eb0
RBP: 00000000200058c0 R08: 00007f6262e37ef0 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000020005900
R13: 00007f6262e37eb0 R14: 0000000000005905 R15: 00000000200001c0
 </TASK>
Kernel Offset: disabled
Rebooting in 86400 seconds..


Tested on:

commit:         57719771 Merge tag 'sound-6.11' of git://git.kernel.or..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=162ce900580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=ea008021530b2de3
dashboard link: https://syzkaller.appspot.com/bug?extid=6f655a60d3244d0c6718
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=11026200580000



* Re: [syzbot] [bcachefs?] KMSAN: uninit-value in bch2_bkey_cmp_packed_inlined
  2024-09-14 12:15 ` [syzbot] [bcachefs?] KMSAN: uninit-value in bch2_bkey_cmp_packed_inlined syzbot
@ 2024-09-16 22:37   ` Piotr Zalewski
  2024-09-17  6:27     ` Aleksandr Nogikh
  0 siblings, 1 reply; 5+ messages in thread
From: Piotr Zalewski @ 2024-09-16 22:37 UTC (permalink / raw)
  To: syzbot; +Cc: linux-kernel, syzkaller-bugs

Hello,

On Saturday, September 14th, 2024 at 2:15 PM, syzbot <syzbot+6f655a60d3244d0c6718@syzkaller.appspotmail.com> wrote:

> Hello,
> 
> syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> kernel panic: corrupted stack end in x64_sys_call
> 
> bucket 0:127 gen 0 has wrong data_type: got free, should be sb, fixing
> bucket 0:127 gen 0 data type sb has wrong dirty_sectors: got 0, should be 256, fixing
> done
> bcachefs (loop0): going read-write
> bcachefs (loop0): journal_replay...
> Kernel panic - not syncing: corrupted stack end detected inside scheduler
> CPU: 0 UID: 0 PID: 5945 Comm: syz.0.15 Not tainted 6.11.0-rc7-syzkaller-g57719771a244-dirty #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
> Call Trace:
> <TASK>
> 
> __dump_stack lib/dump_stack.c:93 [inline]
> dump_stack_lvl+0x216/0x2d0 lib/dump_stack.c:119
> dump_stack+0x1e/0x30 lib/dump_stack.c:128
> panic+0x4e2/0xcd0 kernel/panic.c:354
> schedule_debug kernel/sched/core.c:5745 [inline]

The place where the kernel task's stack magic number gets
smashed was found. The backtrace is presented below. It seems
like it is KMSAN's fault. Is this considered a bug?

```
Thread 1 hit Hardware watchpoint 15: *(unsigned long*)0xffff888112370000

Old value = 1470918301
New value = 18446744071600444244
kmsan_get_shadow_origin_ptr (address=<optimized out>, size=<optimized out>, store=<optimized out>) at mm/kmsan/shadow.c:83
83      {

(gdb) where

#0  kmsan_get_shadow_origin_ptr (address=<optimized out>, size=<optimized out>, store=<optimized out>) at mm/kmsan/shadow.c:83
#1  0xffffffff82499354 in get_shadow_origin_ptr (addr=0xffff888112370110, size=8, store=false) at mm/kmsan/instrumentation.c:38
#2  __msan_metadata_ptr_for_load_8 (addr=0xffff888112370110) at mm/kmsan/instrumentation.c:94
#3  0xffffffff8194dfc9 in filter_irq_stacks (entries=<optimized out>, nr_entries=4) at kernel/stacktrace.c:397
#4  0xffffffff866d79cb in stack_depot_save_flags (entries=0xffff888112370110, nr_entries=8, alloc_flags=0, depot_flags=1) at lib/stackdepot.c:609
#5  0xffffffff866d8062 in stack_depot_save (entries=0xffff888112370110, nr_entries=8, alloc_flags=0) at lib/stackdepot.c:678
#6  0xffffffff82499c92 in __msan_poison_alloca (address=0xffff888112370200, size=24, descr=<optimized out>) at mm/kmsan/instrumentation.c:286
#7  0xffffffff8fef8326 in sprintf (buf=0xffff8881123703b7 "", fmt=0xffffffff910e22a3 "+%#lx/%#lx") at lib/vsprintf.c:3024
#8  0xffffffff81a1e08e in __sprint_symbol (buffer=buffer@entry=0xffff8881123703a0 "bch2_bucket_alloc_trans", address=<optimized out>, address@entry=18446744071649627845, symbol_offset=symbol_offset@entry=0, add_offset=add_offset@entry=1, add_buildid=<optimized out>) at kernel/kallsyms.c:452
#9  0xffffffff81a1de7d in sprint_symbol (buffer=0xffff8881123703a0 "bch2_bucket_alloc_trans", address=18446744071649627845) at kernel/kallsyms.c:484
#10 0xffffffff8ff0130d in symbol_string (buf=buf@entry=0xffff888121efe436 "_MIN bch2", end=end@entry=0xffff888121efe440 "\006", ptr=ptr@entry=0xffffffff85380ec5 <bch2_bucket_alloc_trans+2085>, spec=spec@entry=..., fmt=fmt@entry=0xffffffff91194721 "S") at lib/vsprintf.c:1002
#11 0xffffffff8fef50b8 in pointer (fmt=fmt@entry=0xffffffff91194721 "S", buf=buf@entry=0xffff888121efe436 "_MIN bch2", end=end@entry=0xffff888121efe440 "\006", ptr=ptr@entry=0xffffffff85380ec5 <bch2_bucket_alloc_trans+2085>, spec=spec@entry=...) at lib/vsprintf.c:2422
#12 0xffffffff8fef1b70 in vsnprintf (buf=0xffff888121efe435 " _MIN bch2", size=11, fmt=0xffffffff91194721 "S", args=0xffff8881123708f0) at lib/vsprintf.c:2828
#13 0xffffffff8580676b in bch2_prt_printf (out=0xffff888112370b28, fmt=0xffffffff9119471e " %pS") at fs/bcachefs/printbuf.c:183
#14 0xffffffff8546d2c4 in bch2_btree_path_to_text_short (out=out@entry=0xffff888112370b28, trans=trans@entry=0xffff888121ef0000, path_idx=5) at fs/bcachefs/btree_iter.c:1485
#15 0xffffffff8ff58bf3 in __bch2_trans_paths_to_text (out=out@entry=0xffff888112370b28, trans=trans@entry=0xffff888121ef0000, nosort=<optimized out>) at fs/bcachefs/btree_iter.c:1540
#16 0xffffffff8ff58ae8 in bch2_trans_paths_to_text (out=0xffff888112370b28, trans=0xffff888121ef0000) at fs/bcachefs/btree_iter.c:1548
#17 0xffffffff8ff59245 in bch2_trans_update_max_paths (trans=trans@entry=0xffff888121ef0000) at fs/bcachefs/btree_iter.c:1576
#18 0xffffffff8546fea7 in btree_path_alloc (trans=trans@entry=0xffff888121ef0000, pos=0) at fs/bcachefs/btree_iter.c:1673
#19 0xffffffff8546f02e in bch2_path_get (trans=0xffff888121ef0000, btree_id=BTREE_ID_alloc, pos=..., locks_want=0, level=0, flags=24640, ip=18446744071650896280) at fs/bcachefs/btree_iter.c:1723
#20 0xffffffff85496915 in bch2_trans_iter_init_common (trans=0xffff888121ef0000, iter=0xffff888112370f08, btree_id=4, pos=..., locks_want=0, depth=0, flags=24640, ip=18446744071650896280) at fs/bcachefs/btree_iter.h:484
#21 bch2_trans_iter_init_outlined (trans=0xffff888121ef0000, iter=0xffff888112370f08, btree_id=BTREE_ID_alloc, pos=..., flags=24576) at fs/bcachefs/btree_iter.c:2876
#22 0xffffffff854b6998 in bch2_trans_iter_init (trans=0xffff888121ef0000, iter=0xffff888112370f08, btree_id=4, pos=..., flags=24576) at fs/bcachefs/btree_iter.h:502
#23 btree_key_cache_fill (trans=trans@entry=0xffff888121ef0000, ck_path=ck_path@entry=0xffff888121ef0420, flags=flags@entry=32) at fs/bcachefs/btree_key_cache.c:438
#24 0xffffffff854b634d in bch2_btree_path_traverse_cached (trans=0xffff888121ef0000, path=0xffff888121ef0420, flags=32) at fs/bcachefs/btree_key_cache.c:504
#25 0xffffffff8545ff9f in bch2_btree_path_traverse_one (trans=0xffff888121ef0000, path_idx=5, flags=32, trace_ip=18446744071649632148) at fs/bcachefs/btree_iter.c:1144
#26 0xffffffff8548e8bc in bch2_btree_path_traverse (trans=0xffff888121ef0000, path=5, flags=32) at fs/bcachefs/btree_iter.h:229
#27 bch2_btree_iter_peek_slot (iter=0xffff8881123718a8) at fs/bcachefs/btree_iter.c:2602
#28 0xffffffff85381f94 in __bch2_bkey_get_iter (trans=0xffff888121ef0000, iter=0xffff8881123718a8, btree_id=4, pos=..., flags=32, type=0) at fs/bcachefs/btree_iter.h:551
#29 bch2_bkey_get_iter (trans=0xffff888121ef0000, iter=0xffff8881123718a8, btree_id=4, pos=..., flags=32) at fs/bcachefs/btree_iter.h:565
#30 try_alloc_bucket (trans=0xffff888121ef0000, ca=0xffff888116aac000, watermark=BCH_WATERMARK_btree, free_entry=25, s=0xffff8881123717f0, freespace_k=..., cl=0x0 <fixed_percpu_data>) at fs/bcachefs/alloc_foreground.c:301
#31 bch2_bucket_alloc_freelist (trans=0xffff888121ef0000, ca=0xffff888116aac000, watermark=BCH_WATERMARK_btree, s=0xffff8881123717f0, cl=0x0 <fixed_percpu_data>) at fs/bcachefs/alloc_foreground.c:521
#32 bch2_bucket_alloc_trans (trans=trans@entry=0xffff888121ef0000, ca=ca@entry=0xffff888116aac000, watermark=BCH_WATERMARK_btree, data_type=BCH_DATA_btree, cl=0x0 <fixed_percpu_data>, usage=usage@entry=0xffff888112371b50) at fs/bcachefs/alloc_foreground.c:643
#33 0xffffffff85386492 in bch2_bucket_alloc_set_trans (trans=0xffff888121ef0000, ptrs=0xffff8881123722e8, stripe=0xffff88811698ec68, devs_may_alloc=0xffff8881123720d0, nr_replicas=1, nr_effective=0xffff888112372394, have_cache=0xffff88811237242f, flags=<optimized out>, data_type=BCH_DATA_btree, watermark=BCH_WATERMARK_btree, cl=0x0 <fixed_percpu_data>) at fs/bcachefs/alloc_foreground.c:804
#34 0xffffffff85399b83 in __open_bucket_add_buckets (trans=trans@entry=0xffff888121ef0000, ptrs=0xffff8881123722e8, wp=0xffff88811698ec00, devs_have=devs_have@entry=0xffff888112372497, target=target@entry=0, erasure_code=false, nr_replicas=1, nr_effective=0xffff888112372394, have_cache=0xffff88811237242f, watermark=BCH_WATERMARK_btree, flags=0, _cl=0x0 <fixed_percpu_data>) at fs/bcachefs/alloc_foreground.c:1052
#35 0xffffffff8538c939 in open_bucket_add_buckets (trans=trans@entry=0xffff888121ef0000, ptrs=ptrs@entry=0xffff8881123722e8, wp=wp@entry=0xffff88811698ec00, devs_have=devs_have@entry=0xffff888112372497, target=target@entry=0, erasure_code=erasure_code@entry=0, nr_replicas=1, nr_effective=0xffff888112372394, have_cache=0xffff88811237242f, watermark=BCH_WATERMARK_btree, flags=0, cl=0x0 <fixed_percpu_data>) at fs/bcachefs/alloc_foreground.c:1096
#36 0xffffffff8538b4c2 in bch2_alloc_sectors_start_trans (trans=0xffff888121ef0000, target=0, erasure_code=0, write_point=..., devs_have=0xffff888112372497, nr_replicas=1, nr_replicas_required=1, watermark=BCH_WATERMARK_btree, flags=0, cl=0x0 <fixed_percpu_data>, wp_ret=0xffff8881123725d0) at fs/bcachefs/alloc_foreground.c:1404
#37 0xffffffff8554cdd2 in __bch2_btree_node_alloc (trans=0xffff888121ef0000, cl=0x0 <fixed_percpu_data>, interior_node=false, res=<optimized out>, flags=<optimized out>) at fs/bcachefs/btree_update_interior.c:338
#38 bch2_btree_reserve_get (trans=trans@entry=0xffff888121ef0000, as=as@entry=0xffff88810e56e000, nr_nodes=nr_nodes@entry=0xffff888112372780, flags=flags@entry=435, cl=cl@entry=0x0 <fixed_percpu_data>) at fs/bcachefs/btree_update_interior.c:549
#39 0xffffffff8551d02a in bch2_btree_update_start (trans=trans@entry=0xffff888121ef0000, path=path@entry=0xffff888121ef0200, level_start=level_start@entry=0, split=<optimized out>, flags=<optimized out>, flags@entry=432) at fs/bcachefs/btree_update_interior.c:1247
#40 0xffffffff8551ac12 in bch2_btree_split_leaf (trans=0xffff888121ef0000, path=1, flags=432) at fs/bcachefs/btree_update_interior.c:1845
#41 0xffffffff854f660f in bch2_trans_commit_error (trans=0xffff888121ef0000, flags=flags@entry=432, i=i@entry=0xffff888121ef2400, ret=ret@entry=-2203, trace_ip=18446744071651609665) at fs/bcachefs/btree_trans_commit.c:903
#42 0xffffffff854f1713 in __bch2_trans_commit (trans=0xffff888121ef0000, flags=432) at fs/bcachefs/btree_trans_commit.c:1135
#43 0xffffffff85564c41 in bch2_trans_commit (trans=0xffff888121ef0000, disk_res=0x0 <fixed_percpu_data>, journal_seq=0x0 <fixed_percpu_data>, flags=432) at fs/bcachefs/btree_update.h:184
#44 wb_flush_one_slowpath (trans=0xffff888121ef0000, iter=iter@entry=0xffff888112372c88, wb=wb@entry=0xffffc900088004b0) at fs/bcachefs/btree_write_buffer.c:129
#45 0xffffffff8555a1fb in wb_flush_one (trans=0xffff888121ef0000, iter=0xffff888112372c88, wb=0xffffc900088004b0, write_locked=<optimized out>, accounting_accumulated=<optimized out>, fast=<optimized out>) at fs/bcachefs/btree_write_buffer.c:183
#46 bch2_btree_write_buffer_flush_locked (trans=trans@entry=0xffff888121ef0000) at fs/bcachefs/btree_write_buffer.c:375
#47 0xffffffff85555c86 in btree_write_buffer_flush_seq (trans=trans@entry=0xffff888121ef0000, seq=seq@entry=11) at fs/bcachefs/btree_write_buffer.c:510
#48 0xffffffff855600d1 in bch2_btree_write_buffer_journal_flush (j=<optimized out>, _pin=<optimized out>, seq=11) at fs/bcachefs/btree_write_buffer.c:525
#49 0xffffffff857c285c in journal_flush_pins (j=j@entry=0xffff8881169a6fc0, seq_to_flush=seq_to_flush@entry=18446744073709551615, allowed_below_seq=allowed_below_seq@entry=6, allowed_above_seq=0, min_any=0, min_key_cache=min_key_cache@entry=0) at fs/bcachefs/journal_reclaim.c:565
#50 0xffffffff857c0e1d in journal_flush_done (j=j@entry=0xffff8881169a6fc0, seq_to_flush=seq_to_flush@entry=18446744073709551615, did_work=did_work@entry=0xffff888112373327) at fs/bcachefs/journal_reclaim.c:818
#51 0xffffffff857c0c2d in bch2_journal_flush_pins (j=0xffff8881169a6fc0, seq_to_flush=18446744073709551615) at fs/bcachefs/journal_reclaim.c:851
#52 0xffffffff85826851 in bch2_journal_flush_all_pins (j=0xffff8881169a6fc0) at fs/bcachefs/journal_reclaim.h:76
#53 bch2_journal_replay (c=0xffff888116980000) at fs/bcachefs/recovery.c:383
#54 0xffffffff85836243 in bch2_run_recovery_pass (c=0xffff888116980000, pass=BCH_RECOVERY_PASS_journal_replay) at fs/bcachefs/recovery_passes.c:183
#55 bch2_run_recovery_passes (c=0xffff888116980000) at fs/bcachefs/recovery_passes.c:230
#56 0xffffffff8582c99a in bch2_fs_recovery (c=0xffff888116980000) at fs/bcachefs/recovery.c:859
#57 0xffffffff858b5f56 in bch2_fs_start (c=0xffff888116980000) at fs/bcachefs/super.c:1036
#58 0xffffffff8567507e in bch2_fs_get_tree (fc=0xffff88815d061600) at fs/bcachefs/fs.c:1946
#59 0xffffffff82632873 in vfs_get_tree (fc=0xffff88815d061600) at fs/super.c:1800
#60 0xffffffff8271cd6e in do_new_mount (path=path@entry=0xffff888112373d90, fstype=fstype@entry=0xffff888116ac8b00 "bcachefs", sb_flags=sb_flags@entry=0, mnt_flags=mnt_flags@entry=32, name=name@entry=0xffff888116ac8b10 "/dev/loop0", data=data@entry=0xffff88815d37b000) at fs/namespace.c:3472
#61 0xffffffff82719e93 in path_mount (dev_name=0xffff888116ac8b10 "/dev/loop0", path=0xffff888112373d90, type_page=0xffff888116ac8b00 "bcachefs", flags=<optimized out>, data_page=0xffff88815d37b000) at fs/namespace.c:3799
#62 0xffffffff827215d3 in do_mount (dev_name=0xffff888116ac8b10 "/dev/loop0", dir_name=0x20005900 "./file0", type_page=0xffff888116ac8b00 "bcachefs", flags=0, data_page=0xffff88815d37b000) at fs/namespace.c:3812
#63 __do_sys_mount (type=<optimized out>, dev_name=<optimized out>, dir_name=<optimized out>, flags=<optimized out>, data=<optimized out>) at fs/namespace.c:4020
#64 __se_sys_mount (dev_name=dev_name@entry=140734779799792, dir_name=dir_name@entry=536893696, type=type@entry=536893632, flags=flags@entry=0, data=data@entry=140734779799856) at fs/namespace.c:3997
#65 0xffffffff82720e24 in __x64_sys_mount (regs=0xffff888112373f58) at fs/namespace.c:3997
#66 0xffffffff81009251 in x64_sys_call (regs=0xffff888112373f58, nr=165) at ./arch/x86/include/generated/asm/syscalls_64.h:166
#67 0xffffffff8ff838d9 in do_syscall_x64 (regs=0xffff888112373f58, nr=165) at arch/x86/entry/common.c:52
#68 do_syscall_64 (regs=0xffff888112373f58, nr=165) at arch/x86/entry/common.c:83
#69 0xffffffff90000130 in entry_SYSCALL_64 () at arch/x86/entry/entry_64.S:121
#70 0x00007f7e7e0dca80 in ?? ()
#71 0x00005596cb52a242 in ?? ()
#72 0x00007fff5e8ebbc8 in ?? ()
#73 0x00007fff5e8ebbb8 in ?? ()
#74 0x00007fff5e8eba40 in ?? ()
#75 0x00005596cb531dd8 in ?? ()
#76 0x0000000000000202 in ?? ()
#77 0x0000000000000000 in ?? ()
```

Best Regards, Piotr Zalewski


* Re: [syzbot] [bcachefs?] KMSAN: uninit-value in bch2_bkey_cmp_packed_inlined
  2024-09-16 22:37   ` Piotr Zalewski
@ 2024-09-17  6:27     ` Aleksandr Nogikh
  2024-09-17 10:09       ` Alexander Potapenko
  0 siblings, 1 reply; 5+ messages in thread
From: Aleksandr Nogikh @ 2024-09-17  6:27 UTC (permalink / raw)
  To: Piotr Zalewski, Alexander Potapenko; +Cc: syzbot, linux-kernel, syzkaller-bugs

+Alexander Potapenko


On Tue, Sep 17, 2024 at 8:26 AM 'Piotr Zalewski' via syzkaller-bugs
<syzkaller-bugs@googlegroups.com> wrote:
>
> Hello,
>
> On Saturday, September 14th, 2024 at 2:15 PM, syzbot <syzbot+6f655a60d3244d0c6718@syzkaller.appspotmail.com> wrote:
>
> > Hello,
> >
> > syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> > kernel panic: corrupted stack end in x64_sys_call
> >
> > bucket 0:127 gen 0 has wrong data_type: got free, should be sb, fixing
> > bucket 0:127 gen 0 data type sb has wrong dirty_sectors: got 0, should be 256, fixing
> > done
> > bcachefs (loop0): going read-write
> > bcachefs (loop0): journal_replay...
> > Kernel panic - not syncing: corrupted stack end detected inside scheduler
> > CPU: 0 UID: 0 PID: 5945 Comm: syz.0.15 Not tainted 6.11.0-rc7-syzkaller-g57719771a244-dirty #0
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
> > Call Trace:
> > <TASK>
> >
> > __dump_stack lib/dump_stack.c:93 [inline]
> > dump_stack_lvl+0x216/0x2d0 lib/dump_stack.c:119
> > dump_stack+0x1e/0x30 lib/dump_stack.c:128
> > panic+0x4e2/0xcd0 kernel/panic.c:354
> > schedule_debug kernel/sched/core.c:5745 [inline]
>
> The place where kernel task's stack magic number gets
> smashed was found. Backtrace was presented below. Seems
> like it is KMSAN's fault. Is this considered a bug?
>
> ```
> Thread 1 hit Hardware watchpoint 15: *(unsigned long*)0xffff888112370000
>
> Old value = 1470918301
> New value = 18446744071600444244
> kmsan_get_shadow_origin_ptr (address=<optimized out>, size=<optimized out>, store=<optimized out>) at mm/kmsan/shadow.c:83
> 83      {
>
> (gdb) where
>
> #0  kmsan_get_shadow_origin_ptr (address=<optimized out>, size=<optimized out>, store=<optimized out>) at mm/kmsan/shadow.c:83
> #1  0xffffffff82499354 in get_shadow_origin_ptr (addr=0xffff888112370110, size=8, store=false) at mm/kmsan/instrumentation.c:38
> #2  __msan_metadata_ptr_for_load_8 (addr=0xffff888112370110) at mm/kmsan/instrumentation.c:94
> #3  0xffffffff8194dfc9 in filter_irq_stacks (entries=<optimized out>, nr_entries=4) at kernel/stacktrace.c:397
> #4  0xffffffff866d79cb in stack_depot_save_flags (entries=0xffff888112370110, nr_entries=8, alloc_flags=0, depot_flags=1) at lib/stackdepot.c:609
> #5  0xffffffff866d8062 in stack_depot_save (entries=0xffff888112370110, nr_entries=8, alloc_flags=0) at lib/stackdepot.c:678
> #6  0xffffffff82499c92 in __msan_poison_alloca (address=0xffff888112370200, size=24, descr=<optimized out>) at mm/kmsan/instrumentation.c:286
> #7  0xffffffff8fef8326 in sprintf (buf=0xffff8881123703b7 "", fmt=0xffffffff910e22a3 "+%#lx/%#lx") at lib/vsprintf.c:3024
> #8  0xffffffff81a1e08e in __sprint_symbol (buffer=buffer@entry=0xffff8881123703a0 "bch2_bucket_alloc_trans", address=<optimized out>, address@entry=18446744071649627845, symbol_offset=symbol_offset@entry=0, add_offset=add_offset@entry=1, add_buildid=<optimized out>) at kernel/kallsyms.c:452
> #9  0xffffffff81a1de7d in sprint_symbol (buffer=0xffff8881123703a0 "bch2_bucket_alloc_trans", address=18446744071649627845) at kernel/kallsyms.c:484
> #10 0xffffffff8ff0130d in symbol_string (buf=buf@entry=0xffff888121efe436 "_MIN bch2", end=end@entry=0xffff888121efe440 "\006", ptr=ptr@entry=0xffffffff85380ec5 <bch2_bucket_alloc_trans+2085>, spec=spec@entry=..., fmt=fmt@entry=0xffffffff91194721 "S") at lib/vsprintf.c:1002
> #11 0xffffffff8fef50b8 in pointer (fmt=fmt@entry=0xffffffff91194721 "S", buf=buf@entry=0xffff888121efe436 "_MIN bch2", end=end@entry=0xffff888121efe440 "\006", ptr=ptr@entry=0xffffffff85380ec5 <bch2_bucket_alloc_trans+2085>, spec=spec@entry=...) at lib/vsprintf.c:2422
> #12 0xffffffff8fef1b70 in vsnprintf (buf=0xffff888121efe435 " _MIN bch2", size=11, fmt=0xffffffff91194721 "S", args=0xffff8881123708f0) at lib/vsprintf.c:2828
> #13 0xffffffff8580676b in bch2_prt_printf (out=0xffff888112370b28, fmt=0xffffffff9119471e " %pS") at fs/bcachefs/printbuf.c:183
> #14 0xffffffff8546d2c4 in bch2_btree_path_to_text_short (out=out@entry=0xffff888112370b28, trans=trans@entry=0xffff888121ef0000, path_idx=5) at fs/bcachefs/btree_iter.c:1485
> #15 0xffffffff8ff58bf3 in __bch2_trans_paths_to_text (out=out@entry=0xffff888112370b28, trans=trans@entry=0xffff888121ef0000, nosort=<optimized out>) at fs/bcachefs/btree_iter.c:1540
> #16 0xffffffff8ff58ae8 in bch2_trans_paths_to_text (out=0xffff888112370b28, trans=0xffff888121ef0000) at fs/bcachefs/btree_iter.c:1548
> #17 0xffffffff8ff59245 in bch2_trans_update_max_paths (trans=trans@entry=0xffff888121ef0000) at fs/bcachefs/btree_iter.c:1576
> #18 0xffffffff8546fea7 in btree_path_alloc (trans=trans@entry=0xffff888121ef0000, pos=0) at fs/bcachefs/btree_iter.c:1673
> #19 0xffffffff8546f02e in bch2_path_get (trans=0xffff888121ef0000, btree_id=BTREE_ID_alloc, pos=..., locks_want=0, level=0, flags=24640, ip=18446744071650896280) at fs/bcachefs/btree_iter.c:1723
> #20 0xffffffff85496915 in bch2_trans_iter_init_common (trans=0xffff888121ef0000, iter=0xffff888112370f08, btree_id=4, pos=..., locks_want=0, depth=0, flags=24640, ip=18446744071650896280) at fs/bcachefs/btree_iter.h:484
> #21 bch2_trans_iter_init_outlined (trans=0xffff888121ef0000, iter=0xffff888112370f08, btree_id=BTREE_ID_alloc, pos=..., flags=24576) at fs/bcachefs/btree_iter.c:2876
> #22 0xffffffff854b6998 in bch2_trans_iter_init (trans=0xffff888121ef0000, iter=0xffff888112370f08, btree_id=4, pos=..., flags=24576) at fs/bcachefs/btree_iter.h:502
> #23 btree_key_cache_fill (trans=trans@entry=0xffff888121ef0000, ck_path=ck_path@entry=0xffff888121ef0420, flags=flags@entry=32) at fs/bcachefs/btree_key_cache.c:438
> #24 0xffffffff854b634d in bch2_btree_path_traverse_cached (trans=0xffff888121ef0000, path=0xffff888121ef0420, flags=32) at fs/bcachefs/btree_key_cache.c:504
> #25 0xffffffff8545ff9f in bch2_btree_path_traverse_one (trans=0xffff888121ef0000, path_idx=5, flags=32, trace_ip=18446744071649632148) at fs/bcachefs/btree_iter.c:1144
> #26 0xffffffff8548e8bc in bch2_btree_path_traverse (trans=0xffff888121ef0000, path=5, flags=32) at fs/bcachefs/btree_iter.h:229
> #27 bch2_btree_iter_peek_slot (iter=0xffff8881123718a8) at fs/bcachefs/btree_iter.c:2602
> #28 0xffffffff85381f94 in __bch2_bkey_get_iter (trans=0xffff888121ef0000, iter=0xffff8881123718a8, btree_id=4, pos=..., flags=32, type=0) at fs/bcachefs/btree_iter.h:551
> #29 bch2_bkey_get_iter (trans=0xffff888121ef0000, iter=0xffff8881123718a8, btree_id=4, pos=..., flags=32) at fs/bcachefs/btree_iter.h:565
> #30 try_alloc_bucket (trans=0xffff888121ef0000, ca=0xffff888116aac000, watermark=BCH_WATERMARK_btree, free_entry=25, s=0xffff8881123717f0, freespace_k=..., cl=0x0 <fixed_percpu_data>) at fs/bcachefs/alloc_foreground.c:301
> #31 bch2_bucket_alloc_freelist (trans=0xffff888121ef0000, ca=0xffff888116aac000, watermark=BCH_WATERMARK_btree, s=0xffff8881123717f0, cl=0x0 <fixed_percpu_data>) at fs/bcachefs/alloc_foreground.c:521
> #32 bch2_bucket_alloc_trans (trans=trans@entry=0xffff888121ef0000, ca=ca@entry=0xffff888116aac000, watermark=BCH_WATERMARK_btree, data_type=BCH_DATA_btree, cl=0x0 <fixed_percpu_data>, usage=usage@entry=0xffff888112371b50) at fs/bcachefs/alloc_foreground.c:643
> #33 0xffffffff85386492 in bch2_bucket_alloc_set_trans (trans=0xffff888121ef0000, ptrs=0xffff8881123722e8, stripe=0xffff88811698ec68, devs_may_alloc=0xffff8881123720d0, nr_replicas=1, nr_effective=0xffff888112372394, have_cache=0xffff88811237242f, flags=<optimized out>, data_type=BCH_DATA_btree, watermark=BCH_WATERMARK_btree, cl=0x0 <fixed_percpu_data>) at fs/bcachefs/alloc_foreground.c:804
> #34 0xffffffff85399b83 in __open_bucket_add_buckets (trans=trans@entry=0xffff888121ef0000, ptrs=0xffff8881123722e8, wp=0xffff88811698ec00, devs_have=devs_have@entry=0xffff888112372497, target=target@entry=0, erasure_code=false, nr_replicas=1, nr_effective=0xffff888112372394, have_cache=0xffff88811237242f, watermark=BCH_WATERMARK_btree, flags=0, _cl=0x0 <fixed_percpu_data>) at fs/bcachefs/alloc_foreground.c:1052
> #35 0xffffffff8538c939 in open_bucket_add_buckets (trans=trans@entry=0xffff888121ef0000, ptrs=ptrs@entry=0xffff8881123722e8, wp=wp@entry=0xffff88811698ec00, devs_have=devs_have@entry=0xffff888112372497, target=target@entry=0, erasure_code=erasure_code@entry=0, nr_replicas=1, nr_effective=0xffff888112372394, have_cache=0xffff88811237242f, watermark=BCH_WATERMARK_btree, flags=0, cl=0x0 <fixed_percpu_data>) at fs/bcachefs/alloc_foreground.c:1096
> #36 0xffffffff8538b4c2 in bch2_alloc_sectors_start_trans (trans=0xffff888121ef0000, target=0, erasure_code=0, write_point=..., devs_have=0xffff888112372497, nr_replicas=1, nr_replicas_required=1, watermark=BCH_WATERMARK_btree, flags=0, cl=0x0 <fixed_percpu_data>, wp_ret=0xffff8881123725d0) at fs/bcachefs/alloc_foreground.c:1404
> #37 0xffffffff8554cdd2 in __bch2_btree_node_alloc (trans=0xffff888121ef0000, cl=0x0 <fixed_percpu_data>, interior_node=false, res=<optimized out>, flags=<optimized out>) at fs/bcachefs/btree_update_interior.c:338
> #38 bch2_btree_reserve_get (trans=trans@entry=0xffff888121ef0000, as=as@entry=0xffff88810e56e000, nr_nodes=nr_nodes@entry=0xffff888112372780, flags=flags@entry=435, cl=cl@entry=0x0 <fixed_percpu_data>) at fs/bcachefs/btree_update_interior.c:549
> #39 0xffffffff8551d02a in bch2_btree_update_start (trans=trans@entry=0xffff888121ef0000, path=path@entry=0xffff888121ef0200, level_start=level_start@entry=0, split=<optimized out>, flags=<optimized out>, flags@entry=432) at fs/bcachefs/btree_update_interior.c:1247
> #40 0xffffffff8551ac12 in bch2_btree_split_leaf (trans=0xffff888121ef0000, path=1, flags=432) at fs/bcachefs/btree_update_interior.c:1845
> #41 0xffffffff854f660f in bch2_trans_commit_error (trans=0xffff888121ef0000, flags=flags@entry=432, i=i@entry=0xffff888121ef2400, ret=ret@entry=-2203, trace_ip=18446744071651609665) at fs/bcachefs/btree_trans_commit.c:903
> #42 0xffffffff854f1713 in __bch2_trans_commit (trans=0xffff888121ef0000, flags=432) at fs/bcachefs/btree_trans_commit.c:1135
> #43 0xffffffff85564c41 in bch2_trans_commit (trans=0xffff888121ef0000, disk_res=0x0 <fixed_percpu_data>, journal_seq=0x0 <fixed_percpu_data>, flags=432) at fs/bcachefs/btree_update.h:184
> #44 wb_flush_one_slowpath (trans=0xffff888121ef0000, iter=iter@entry=0xffff888112372c88, wb=wb@entry=0xffffc900088004b0) at fs/bcachefs/btree_write_buffer.c:129
> #45 0xffffffff8555a1fb in wb_flush_one (trans=0xffff888121ef0000, iter=0xffff888112372c88, wb=0xffffc900088004b0, write_locked=<optimized out>, accounting_accumulated=<optimized out>, fast=<optimized out>) at fs/bcachefs/btree_write_buffer.c:183
> #46 bch2_btree_write_buffer_flush_locked (trans=trans@entry=0xffff888121ef0000) at fs/bcachefs/btree_write_buffer.c:375
> #47 0xffffffff85555c86 in btree_write_buffer_flush_seq (trans=trans@entry=0xffff888121ef0000, seq=seq@entry=11) at fs/bcachefs/btree_write_buffer.c:510
> #48 0xffffffff855600d1 in bch2_btree_write_buffer_journal_flush (j=<optimized out>, _pin=<optimized out>, seq=11) at fs/bcachefs/btree_write_buffer.c:525
> #49 0xffffffff857c285c in journal_flush_pins (j=j@entry=0xffff8881169a6fc0, seq_to_flush=seq_to_flush@entry=18446744073709551615, allowed_below_seq=allowed_below_seq@entry=6, allowed_above_seq=0, min_any=0, min_key_cache=min_key_cache@entry=0) at fs/bcachefs/journal_reclaim.c:565
> #50 0xffffffff857c0e1d in journal_flush_done (j=j@entry=0xffff8881169a6fc0, seq_to_flush=seq_to_flush@entry=18446744073709551615, did_work=did_work@entry=0xffff888112373327) at fs/bcachefs/journal_reclaim.c:818
> #51 0xffffffff857c0c2d in bch2_journal_flush_pins (j=0xffff8881169a6fc0, seq_to_flush=18446744073709551615) at fs/bcachefs/journal_reclaim.c:851
> #52 0xffffffff85826851 in bch2_journal_flush_all_pins (j=0xffff8881169a6fc0) at fs/bcachefs/journal_reclaim.h:76
> #53 bch2_journal_replay (c=0xffff888116980000) at fs/bcachefs/recovery.c:383
> #54 0xffffffff85836243 in bch2_run_recovery_pass (c=0xffff888116980000, pass=BCH_RECOVERY_PASS_journal_replay) at fs/bcachefs/recovery_passes.c:183
> #55 bch2_run_recovery_passes (c=0xffff888116980000) at fs/bcachefs/recovery_passes.c:230
> #56 0xffffffff8582c99a in bch2_fs_recovery (c=0xffff888116980000) at fs/bcachefs/recovery.c:859
> #57 0xffffffff858b5f56 in bch2_fs_start (c=0xffff888116980000) at fs/bcachefs/super.c:1036
> #58 0xffffffff8567507e in bch2_fs_get_tree (fc=0xffff88815d061600) at fs/bcachefs/fs.c:1946
> #59 0xffffffff82632873 in vfs_get_tree (fc=0xffff88815d061600) at fs/super.c:1800
> #60 0xffffffff8271cd6e in do_new_mount (path=path@entry=0xffff888112373d90, fstype=fstype@entry=0xffff888116ac8b00 "bcachefs", sb_flags=sb_flags@entry=0, mnt_flags=mnt_flags@entry=32, name=name@entry=0xffff888116ac8b10 "/dev/loop0", data=data@entry=0xffff88815d37b000) at fs/namespace.c:3472
> #61 0xffffffff82719e93 in path_mount (dev_name=0xffff888116ac8b10 "/dev/loop0", path=0xffff888112373d90, type_page=0xffff888116ac8b00 "bcachefs", flags=<optimized out>, data_page=0xffff88815d37b000) at fs/namespace.c:3799
> #62 0xffffffff827215d3 in do_mount (dev_name=0xffff888116ac8b10 "/dev/loop0", dir_name=0x20005900 "./file0", type_page=0xffff888116ac8b00 "bcachefs", flags=0, data_page=0xffff88815d37b000) at fs/namespace.c:3812
> #63 __do_sys_mount (type=<optimized out>, dev_name=<optimized out>, dir_name=<optimized out>, flags=<optimized out>, data=<optimized out>) at fs/namespace.c:4020
> #64 __se_sys_mount (dev_name=dev_name@entry=140734779799792, dir_name=dir_name@entry=536893696, type=type@entry=536893632, flags=flags@entry=0, data=data@entry=140734779799856) at fs/namespace.c:3997
> #65 0xffffffff82720e24 in __x64_sys_mount (regs=0xffff888112373f58) at fs/namespace.c:3997
> #66 0xffffffff81009251 in x64_sys_call (regs=0xffff888112373f58, nr=165) at ./arch/x86/include/generated/asm/syscalls_64.h:166
> #67 0xffffffff8ff838d9 in do_syscall_x64 (regs=0xffff888112373f58, nr=165) at arch/x86/entry/common.c:52
> #68 do_syscall_64 (regs=0xffff888112373f58, nr=165) at arch/x86/entry/common.c:83
> #69 0xffffffff90000130 in entry_SYSCALL_64 () at arch/x86/entry/entry_64.S:121
> #70 0x00007f7e7e0dca80 in ?? ()
> #71 0x00005596cb52a242 in ?? ()
> #72 0x00007fff5e8ebbc8 in ?? ()
> #73 0x00007fff5e8ebbb8 in ?? ()
> #74 0x00007fff5e8eba40 in ?? ()
> #75 0x00005596cb531dd8 in ?? ()
> #76 0x0000000000000202 in ?? ()
> #77 0x0000000000000000 in ?? ()
> ```
>
> Best Regards, Piotr Zalewski
>
>


* Re: [syzbot] [bcachefs?] KMSAN: uninit-value in bch2_bkey_cmp_packed_inlined
  2024-09-17  6:27     ` Aleksandr Nogikh
@ 2024-09-17 10:09       ` Alexander Potapenko
  0 siblings, 0 replies; 5+ messages in thread
From: Alexander Potapenko @ 2024-09-17 10:09 UTC (permalink / raw)
  To: Aleksandr Nogikh; +Cc: Piotr Zalewski, syzbot, linux-kernel, syzkaller-bugs

On Tue, Sep 17, 2024 at 8:27 AM Aleksandr Nogikh <nogikh@google.com> wrote:
>
> +Alexander Potapenko
>
>
> On Tue, Sep 17, 2024 at 8:26 AM 'Piotr Zalewski' via syzkaller-bugs
> <syzkaller-bugs@googlegroups.com> wrote:
> >
> > Hello,
> >
> > On Saturday, September 14th, 2024 at 2:15 PM, syzbot <syzbot+6f655a60d3244d0c6718@syzkaller.appspotmail.com> wrote:
> >
> > > Hello,
> > >
> > > syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> > > kernel panic: corrupted stack end in x64_sys_call
> > >
> > > bucket 0:127 gen 0 has wrong data_type: got free, should be sb, fixing
> > > bucket 0:127 gen 0 data type sb has wrong dirty_sectors: got 0, should be 256, fixing
> > > done
> > > bcachefs (loop0): going read-write
> > > bcachefs (loop0): journal_replay...
> > > Kernel panic - not syncing: corrupted stack end detected inside scheduler
> > > CPU: 0 UID: 0 PID: 5945 Comm: syz.0.15 Not tainted 6.11.0-rc7-syzkaller-g57719771a244-dirty #0
> > > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
> > > Call Trace:
> > > <TASK>
> > >
> > > __dump_stack lib/dump_stack.c:93 [inline]
> > > dump_stack_lvl+0x216/0x2d0 lib/dump_stack.c:119
> > > dump_stack+0x1e/0x30 lib/dump_stack.c:128
> > > panic+0x4e2/0xcd0 kernel/panic.c:354
> > > schedule_debug kernel/sched/core.c:5745 [inline]
> >
> > The place where the kernel task's stack magic number gets
> > smashed was found. The backtrace is presented below. It seems
> > like it is KMSAN's fault. Is this considered a bug?

Interesting, 18446744071600444244 is 0xffffffff82499354, which is the
get_shadow_origin_ptr() return address.
So we're indeed seeing a stack overflow in the instrumentation code.

Looking at vmlinux-b7718454 from
https://storage.googleapis.com/syzbot-assets/094db88ff1c2/vmlinux-b7718454.xz
(I am assuming it was used to test this patch), I see that a number of
functions from the report have quite big stack frames:

symbol_string
ffffffff8fc9b801: 48 81 ec 00 03 00 00 sub    $0x300,%rsp
bch2_path_get
ffffffff853a7ad1: 48 81 ec 60 01 00 00 sub    $0x160,%rsp
bch2_btree_path_traverse_one
ffffffff85399741: 48 81 ec 70 02 00 00 sub    $0x270,%rsp
bch2_bucket_alloc_set_trans
ffffffff852bf441: 48 81 ec 98 03 00 00 sub    $0x398,%rsp
__open_bucket_add_buckets
ffffffff852d128d: 48 81 ec 70 02 00 00 sub    $0x270,%rsp
bch2_alloc_sectors_start_trans
ffffffff852c25d1: 48 81 ec b0 01 00 00 sub    $0x1b0,%rsp
bch2_btree_update_start
ffffffff85456c1d: 48 81 ec 20 01 00 00 sub    $0x120,%rsp
__bch2_trans_commit
ffffffff85424541: 48 81 ec a0 01 00 00 sub    $0x1a0,%rsp
btree_write_buffer_flush_seq
ffffffff8548dd6d: 48 81 ec 10 02 00 00 sub    $0x210,%rsp
journal_flush_pins
ffffffff856f6bad: 48 81 ec 38 01 00 00 sub    $0x138,%rsp
bch2_fs_recovery
ffffffff8575cff1: 48 81 ec 78 01 00 00 sub    $0x178,%rsp
bch2_fs_get_tree
ffffffff855ac5c1: 48 81 ec e8 01 00 00 sub    $0x1e8,%rsp

KASAN creates even bigger frames for these functions, but that's
because of redzones added around local variables.
For KASAN we increase the default kernel stack sizes to account for
that, but we do not for KMSAN, because its effect on stack frame sizes
was usually moderate.
But looking at the same stack sizes for a binary with CONFIG_KMSAN=n
now, I'm seeing much lower values for some of them:

symbol_string
ffffffff8fd6d6e1: 48 81 ec 10 03 00 00 sub    $0x310,%rsp
bch2_path_get
ffffffff853ec4e1: 48 81 ec 68 01 00 00 sub    $0x168,%rsp
bch2_btree_path_traverse_one
ffffffff853de5a1: 48 81 ec 58 02 00 00 sub    $0x258,%rsp
bch2_bucket_alloc_set_trans
ffffffff853051d1: 48 81 ec b0 03 00 00 sub    $0x3b0,%rsp
__open_bucket_add_buckets
ffffffff8531759d: 48 81 ec 68 02 00 00 sub    $0x268,%rsp
bch2_alloc_sectors_start_trans
ffffffff85308de1: 48 81 ec b8 01 00 00 sub    $0x1b8,%rsp
bch2_btree_update_start
ffffffff8549a63d: 48 81 ec 20 01 00 00 sub    $0x120,%rsp
__bch2_trans_commit
ffffffff85468b51: 48 81 ec 80 01 00 00 sub    $0x180,%rsp
btree_write_buffer_flush_seq
ffffffff854d17fd: 48 81 ec 10 02 00 00 sub    $0x210,%rsp
journal_flush_pins
ffffffff8573c36d: 48 81 ec 30 01 00 00 sub    $0x130,%rsp
bch2_fs_recovery
ffffffff857a27d1: 48 81 ec 68 01 00 00 sub    $0x168,%rsp
bch2_fs_get_tree
ffffffff855f04d1: 48 81 ec e8 01 00 00 sub    $0x1e8,%rsp

I'll probably need to recalculate the overall stack bloat for KMSAN
builds and land something along the lines of
https://github.com/google/kmsan/commit/060de96aa5de0a95b42589920b64e9aa95af2151,
if needed.
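As an added example (not code from the thread or from the kernel tree), a small script that pulls the `sub $N,%rsp` prologue sizes out of two objdump excerpts in the format pasted above and reports the per-function growth of the instrumented build and the totals along the call chain. The two excerpts are constructed from three of the functions listed in the message, and the 16 KiB stack size is assumed to be the x86_64 default THREAD_SIZE without KASAN; only the explicit subtraction is counted, so the return address and pushed callee-saved registers make the real frames somewhat larger.

```python
import re

# Constructed sample input, copied from the message above for three functions:
# a symbol name line followed by the prologue instruction objdump prints.
KMSAN_Y = """\
bch2_btree_path_traverse_one
ffffffff85399741: 48 81 ec 70 02 00 00 sub    $0x270,%rsp
bch2_bucket_alloc_set_trans
ffffffff852bf441: 48 81 ec 98 03 00 00 sub    $0x398,%rsp
__bch2_trans_commit
ffffffff85424541: 48 81 ec a0 01 00 00 sub    $0x1a0,%rsp
"""
KMSAN_N = """\
bch2_btree_path_traverse_one
ffffffff853de5a1: 48 81 ec 58 02 00 00 sub    $0x258,%rsp
bch2_bucket_alloc_set_trans
ffffffff853051d1: 48 81 ec b0 03 00 00 sub    $0x3b0,%rsp
__bch2_trans_commit
ffffffff85468b51: 48 81 ec 80 01 00 00 sub    $0x180,%rsp
"""
THREAD_SIZE = 16 * 1024  # assumed: x86_64 default kernel stack, no KASAN bump

SUB_RSP = re.compile(r"sub\s+\$0x([0-9a-f]+),%rsp")
SYMBOL = re.compile(r"[A-Za-z_][A-Za-z0-9_.]*")


def parse_frames(excerpt: str) -> dict:
    """Map symbol -> bytes reserved by its `sub $N,%rsp` (a lower bound on the frame)."""
    frames, symbol = {}, None
    for line in (l.strip() for l in excerpt.splitlines() if l.strip()):
        m = SUB_RSP.search(line)
        if m and symbol is not None:
            frames[symbol] = int(m.group(1), 16)
            symbol = None
        elif SYMBOL.fullmatch(line):
            symbol = line
    return frames


def frame_growth(instrumented: dict, baseline: dict):
    """Per-symbol delta (instrumented - baseline) and the two chain totals."""
    common = [s for s in instrumented if s in baseline]
    delta = {s: instrumented[s] - baseline[s] for s in common}
    return delta, sum(instrumented[s] for s in common), sum(baseline[s] for s in common)


if __name__ == "__main__":
    delta, total_y, total_n = frame_growth(parse_frames(KMSAN_Y), parse_frames(KMSAN_N))
    for sym, d in delta.items():
        print(f"{sym:32s} {d:+5d} bytes")
    print(f"chain: KMSAN=y {total_y} B, KMSAN=n {total_n} B, "
          f"{100 * total_y / THREAD_SIZE:.1f}% of THREAD_SIZE")
```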
