From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-il1-f208.google.com (mail-il1-f208.google.com [209.85.166.208]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 0E41718C930 for ; Sun, 22 Dec 2024 13:38:23 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.166.208 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1734874705; cv=none; b=uwLivrnatxGAcAkv2ZH4ocuZ0UxXyLb2quHrH76Ei+th1xgQlKQFFSQykocwhu6cuEg1y/57xXamVChDSwrYwY7o7HQi1nkXrcR7gepHWa9FFUgVuVPsrZQSHgfJwV76v9JekJs0JASTZnmCVskj78SesjBwVYt9EAj6ppiOkrs= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1734874705; c=relaxed/simple; bh=HT8jrdxuwV5Zc1K5QY4gAi5MXU4M2tZglg8ytQaci4E=; h=MIME-Version:Date:In-Reply-To:Message-ID:Subject:From:To:Cc: Content-Type; b=MEiAJfrs/J4jW2TqDSr9+bQ+lE3Z7tJGsxZVQNdmaYa810bkLomdwpf09Ox5Kkc2p+fdf/gsJutEhv3Q9pb9/wgoRXi80lRj/2jM4dsBByvyfY+wvF3yGQS9TEgYttNTOFMJgJsBsqPFHNSkXdUn2+VJSAOHLTRGVj6vsWLBAyw= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=fail (p=none dis=none) header.from=syzkaller.appspotmail.com; spf=pass smtp.mailfrom=M3KW2WVRGUFZ5GODRSRYTGD7.apphosting.bounces.google.com; arc=none smtp.client-ip=209.85.166.208 Authentication-Results: smtp.subspace.kernel.org; dmarc=fail (p=none dis=none) header.from=syzkaller.appspotmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=M3KW2WVRGUFZ5GODRSRYTGD7.apphosting.bounces.google.com Received: by mail-il1-f208.google.com with SMTP id e9e14a558f8ab-3a9d3e48637so31982605ab.1 for ; Sun, 22 Dec 2024 05:38:23 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1734874703; x=1735479503; h=cc:to:from:subject:message-id:in-reply-to:date:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=mO1sE7RMSoufrcCGDj/kWmsZJJx0Xlm3ogCwiIQMVlw=; b=oPbFKxDesncd25C3ezrC6vgrI64FW7K7kOvnOYCp65mbhmd28cy1vtjG8DGECBJhi9 TNEm8VAizHO95sAX9aloh8kSw2u71LiH7OeO3CaozSbgBRyLps6QN2muTKIPOxhMU/PA 0HZvYtZQoI2SlNCpHeM2dBR//WlRWCVyuGt7vacdUjHc7vRJdo7cpQRdQUwO6MxcPqvk DBCsOoeYtvwQIGu3nkKx//nF8hZONFT7JeME32NXASW/gVeVQW1yWHKQF+RIhT3MCVPy Z+B4bHJto5OXXgmFqXqiVAbEHgIY5++t0wd0A+Mj1WnQURXqoxdCZUXwmfJ8ccXiI9Ue DY3A== X-Forwarded-Encrypted: i=1; AJvYcCU1njI/sylBRoPH9HhuFzdAoDSVksTNhdEK5XenpsKM0KDBmNBdE93xljJL/RyEAQwBBPMWtNk06fctpEI=@vger.kernel.org X-Gm-Message-State: AOJu0Yxm0dlW7B1xbPPhFdA5wPQIY3M1r0bFSZIHGcpG8dgufCF8Sqxi Iev0BvLB5yWe0XPfjX5T2p2V7tIgPrj9U+htK7w7zgu23zRVbkauK/GadqpfOpUPH5rWJKlNjfk aD7XupXJQoK1bcedgAPWb8GzRb88h2L/aYAa/yCS6V+QNOTi6dH8Mkcw= X-Google-Smtp-Source: AGHT+IEd8Y6ZGcCVQEun9Q9uRR7/XFm4MoXClH40B11p4TUJeaAqfVPGknY92+yY626a0zzbY7hEcmK9wQx5EyUfATEEwUY/niSo Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Received: by 2002:a05:6e02:b2e:b0:3a7:91a4:c752 with SMTP id e9e14a558f8ab-3c2d5919b63mr104703325ab.23.1734874703164; Sun, 22 Dec 2024 05:38:23 -0800 (PST) Date: Sun, 22 Dec 2024 05:38:23 -0800 In-Reply-To: <136d1e9b-cc8c-4c21-b7f9-abed5741d5e1@kernel.org> X-Google-Appengine-App-Id: s~syzkaller X-Google-Appengine-App-Id-Alias: syzkaller Message-ID: <6768164f.050a0220.25abdd.014a.GAE@google.com> Subject: Re: [syzbot] [f2fs?] UBSAN: array-index-out-of-bounds in inline_xattr_addr From: syzbot To: chao@kernel.org Cc: chao@kernel.org, jaegeuk@kernel.org, linux-f2fs-devel@lists.sourceforge.net, linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com Content-Type: text/plain; charset="UTF-8" > #syz test: https://https://git.kernel.org/pub/scm/linux/kernel/git/chao/linux.git wip "https://https://git.kernel.org/pub/scm/linux/kernel/git/chao/linux.git" does not look like a valid git repo address. > > On 2024/12/20 9:56, syzbot wrote: >> Hello, >> >> syzbot found the following issue on: >> >> HEAD commit: 2e7aff49b5da Merge branches 'for-next/core' and 'for-next/.. >> git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci >> console output: https://syzkaller.appspot.com/x/log.txt?x=11b77344580000 >> kernel config: https://syzkaller.appspot.com/x/.config?x=696fb014d05da3a3 >> dashboard link: https://syzkaller.appspot.com/bug?extid=e4876215632c2d23b481 >> compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 >> userspace arch: arm64 >> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1121d4f8580000 >> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13511730580000 >> >> Downloadable assets: >> disk image: https://storage.googleapis.com/syzbot-assets/ef408f67fde3/disk-2e7aff49.raw.xz >> vmlinux: https://storage.googleapis.com/syzbot-assets/414ac17a20dc/vmlinux-2e7aff49.xz >> kernel image: https://storage.googleapis.com/syzbot-assets/a93415d2a7e7/Image-2e7aff49.gz.xz >> mounted in repro: https://storage.googleapis.com/syzbot-assets/57bb66f25be5/mount_0.gz >> >> IMPORTANT: if you fix the issue, please add the following tag to the commit: >> Reported-by: syzbot+e4876215632c2d23b481@syzkaller.appspotmail.com >> >> F2FS-fs (loop0): Failed to enable quota tracking (type=1, err=-22). Please run fsck to fix. >> F2FS-fs (loop0): Cannot turn on quotas: error -22 >> F2FS-fs (loop0): Mounted with checkpoint version = 1b41e954 >> ------------[ cut here ]------------ >> UBSAN: array-index-out-of-bounds in fs/f2fs/f2fs.h:3292:19 >> index 18446744073709500059 is out of range for type '__le32[923]' (aka 'unsigned int[923]') >> CPU: 0 UID: 0 PID: 6410 Comm: syz-executor883 Not tainted 6.13.0-rc2-syzkaller-g2e7aff49b5da #0 >> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 >> Call trace: >> show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:484 (C) >> __dump_stack lib/dump_stack.c:94 [inline] >> dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:120 >> dump_stack+0x1c/0x28 lib/dump_stack.c:129 >> ubsan_epilogue lib/ubsan.c:231 [inline] >> __ubsan_handle_out_of_bounds+0xf8/0x148 lib/ubsan.c:429 >> inline_xattr_addr+0x524/0x530 fs/f2fs/f2fs.h:3292 >> read_inline_xattr fs/f2fs/xattr.c:289 [inline] >> lookup_all_xattrs fs/f2fs/xattr.c:341 [inline] >> f2fs_getxattr+0x5b4/0x1064 fs/f2fs/xattr.c:533 >> f2fs_xattr_generic_get+0x130/0x174 fs/f2fs/xattr.c:63 >> __vfs_getxattr+0x394/0x3c0 fs/xattr.c:423 >> smk_fetch+0xc8/0x150 security/smack/smack_lsm.c:306 >> smack_d_instantiate+0x594/0x880 security/smack/smack_lsm.c:3615 >> security_d_instantiate+0x100/0x204 security/security.c:4070 >> d_splice_alias+0x70/0x310 fs/dcache.c:3001 >> f2fs_lookup+0x4c8/0x948 fs/f2fs/namei.c:523 >> lookup_one_qstr_excl+0x108/0x230 fs/namei.c:1692 >> filename_create+0x230/0x468 fs/namei.c:4081 >> do_mkdirat+0xac/0x574 fs/namei.c:4326 >> __do_sys_mkdirat fs/namei.c:4349 [inline] >> __se_sys_mkdirat fs/namei.c:4347 [inline] >> __arm64_sys_mkdirat+0x8c/0xa4 fs/namei.c:4347 >> __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] >> invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49 >> el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132 >> do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151 >> el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744 >> el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762 >> el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600 >> ---[ end trace ]--- >> ================================================================== >> BUG: KASAN: slab-use-after-free in read_inline_xattr fs/f2fs/xattr.c:291 [inline] >> BUG: KASAN: slab-use-after-free in lookup_all_xattrs fs/f2fs/xattr.c:341 [inline] >> BUG: KASAN: slab-use-after-free in f2fs_getxattr+0x5c8/0x1064 fs/f2fs/xattr.c:533 >> Read of size 209920 at addr ffff0000d7f1ebd4 by task syz-executor883/6410 >> >> CPU: 0 UID: 0 PID: 6410 Comm: syz-executor883 Not tainted 6.13.0-rc2-syzkaller-g2e7aff49b5da #0 >> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 >> Call trace: >> show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:484 (C) >> __dump_stack lib/dump_stack.c:94 [inline] >> dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:120 >> print_address_description mm/kasan/report.c:378 [inline] >> print_report+0x198/0x538 mm/kasan/report.c:489 >> kasan_report+0xd8/0x138 mm/kasan/report.c:602 >> kasan_check_range+0x268/0x2a8 mm/kasan/generic.c:189 >> __asan_memcpy+0x3c/0x84 mm/kasan/shadow.c:105 >> read_inline_xattr fs/f2fs/xattr.c:291 [inline] >> lookup_all_xattrs fs/f2fs/xattr.c:341 [inline] >> f2fs_getxattr+0x5c8/0x1064 fs/f2fs/xattr.c:533 >> f2fs_xattr_generic_get+0x130/0x174 fs/f2fs/xattr.c:63 >> __vfs_getxattr+0x394/0x3c0 fs/xattr.c:423 >> smk_fetch+0xc8/0x150 security/smack/smack_lsm.c:306 >> smack_d_instantiate+0x594/0x880 security/smack/smack_lsm.c:3615 >> security_d_instantiate+0x100/0x204 security/security.c:4070 >> d_splice_alias+0x70/0x310 fs/dcache.c:3001 >> f2fs_lookup+0x4c8/0x948 fs/f2fs/namei.c:523 >> lookup_one_qstr_excl+0x108/0x230 fs/namei.c:1692 >> filename_create+0x230/0x468 fs/namei.c:4081 >> do_mkdirat+0xac/0x574 fs/namei.c:4326 >> __do_sys_mkdirat fs/namei.c:4349 [inline] >> __se_sys_mkdirat fs/namei.c:4347 [inline] >> __arm64_sys_mkdirat+0x8c/0xa4 fs/namei.c:4347 >> __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] >> invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49 >> el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132 >> do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151 >> el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744 >> el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762 >> el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600 >> >> Allocated by task 6343: >> kasan_save_stack mm/kasan/common.c:47 [inline] >> kasan_save_track+0x40/0x78 mm/kasan/common.c:68 >> kasan_save_alloc_info+0x40/0x50 mm/kasan/generic.c:568 >> unpoison_slab_object mm/kasan/common.c:319 [inline] >> __kasan_slab_alloc+0x74/0x8c mm/kasan/common.c:345 >> kasan_slab_alloc include/linux/kasan.h:250 [inline] >> slab_post_alloc_hook mm/slub.c:4104 [inline] >> slab_alloc_node mm/slub.c:4153 [inline] >> kmem_cache_alloc_noprof+0x254/0x410 mm/slub.c:4160 >> getname_flags+0xcc/0x4b4 fs/namei.c:139 >> getname+0x24/0x34 fs/namei.c:223 >> do_sys_openat2+0xd0/0x1b8 fs/open.c:1396 >> do_sys_open fs/open.c:1417 [inline] >> __do_sys_openat fs/open.c:1433 [inline] >> __se_sys_openat fs/open.c:1428 [inline] >> __arm64_sys_openat+0x1f0/0x240 fs/open.c:1428 >> __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] >> invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49 >> el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132 >> do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151 >> el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744 >> el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762 >> el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600 >> >> Freed by task 6343: >> kasan_save_stack mm/kasan/common.c:47 [inline] >> kasan_save_track+0x40/0x78 mm/kasan/common.c:68 >> kasan_save_free_info+0x54/0x6c mm/kasan/generic.c:582 >> poison_slab_object mm/kasan/common.c:247 [inline] >> __kasan_slab_free+0x64/0x8c mm/kasan/common.c:264 >> kasan_slab_free include/linux/kasan.h:233 [inline] >> slab_free_hook mm/slub.c:2338 [inline] >> slab_free mm/slub.c:4598 [inline] >> kmem_cache_free+0x198/0x554 mm/slub.c:4700 >> putname+0x130/0x184 fs/namei.c:296 >> do_sys_openat2+0x164/0x1b8 fs/open.c:1410 >> do_sys_open fs/open.c:1417 [inline] >> __do_sys_openat fs/open.c:1433 [inline] >> __se_sys_openat fs/open.c:1428 [inline] >> __arm64_sys_openat+0x1f0/0x240 fs/open.c:1428 >> __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] >> invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49 >> el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132 >> do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151 >> el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744 >> el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762 >> el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600 >> >> The buggy address belongs to the object at ffff0000d7f1e600 >> which belongs to the cache names_cache of size 4096 >> The buggy address is located 1492 bytes inside of >> freed 4096-byte region [ffff0000d7f1e600, ffff0000d7f1f600) >> >> The buggy address belongs to the physical page: >> page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x117f18 >> head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 >> flags: 0x5ffc00000000040(head|node=0|zone=2|lastcpupid=0x7ff) >> page_type: f5(slab) >> raw: 05ffc00000000040 ffff0000c18958c0 dead000000000122 0000000000000000 >> raw: 0000000000000000 0000000000070007 00000001f5000000 0000000000000000 >> head: 05ffc00000000040 ffff0000c18958c0 dead000000000122 0000000000000000 >> head: 0000000000000000 0000000000070007 00000001f5000000 0000000000000000 >> head: 05ffc00000000003 fffffdffc35fc601 ffffffffffffffff 0000000000000000 >> head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000 >> page dumped because: kasan: bad access detected >> >> Memory state around the buggy address: >> ffff0000d7f1ea80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >> ffff0000d7f1eb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >>> ffff0000d7f1eb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >> ^ >> ffff0000d7f1ec00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >> ffff0000d7f1ec80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >> ================================================================== >> >> >> --- >> This report is generated by a bot. It may contain errors. >> See https://goo.gl/tpsmEJ for more information about syzbot. >> syzbot engineers can be reached at syzkaller@googlegroups.com. >> >> syzbot will keep track of this issue. See: >> https://goo.gl/tpsmEJ#status for how to communicate with syzbot. >> >> If the report is already addressed, let syzbot know by replying with: >> #syz fix: exact-commit-title >> >> If you want syzbot to run the reproducer, reply with: >> #syz test: git://repo/address.git branch-or-commit-hash >> If you attach or paste a git patch, syzbot will apply it before testing. >> >> If you want to overwrite report's subsystems, reply with: >> #syz set subsystems: new-subsystem >> (See the list of subsystem names on the web dashboard) >> >> If the report is a duplicate of another one, reply with: >> #syz dup: exact-subject-of-another-report >> >> If you want to undo deduplication, reply with: >> #syz undup >