[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20221129155631.GU5824@twin.jikos.cz>
Date: Tue, 29 Nov 2022 16:56:31 +0100
From: David Sterba <dsterba@...e.cz>
To: syzbot <syzbot+4376a9a073770c173269@...kaller.appspotmail.com>
Cc: clm@...com, dsterba@...e.com, josef@...icpanda.com,
linux-btrfs@...r.kernel.org, linux-kernel@...r.kernel.org,
syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] WARNING: kmalloc bug in btrfs_ioctl_send
On Tue, Nov 29, 2022 at 12:21:41AM -0800, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 6d464646530f Merge branch 'for-next/core' into for-kernelci
> git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
> console output: https://syzkaller.appspot.com/x/log.txt?x=176a733d880000
> kernel config: https://syzkaller.appspot.com/x/.config?x=54b747d981acc7b7
> dashboard link: https://syzkaller.appspot.com/bug?extid=4376a9a073770c173269
> compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
> userspace arch: arm64
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=134c3d03880000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13237ca1880000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/d75f5f77b3a3/disk-6d464646.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/9382f86e4d95/vmlinux-6d464646.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/cf2b5f0d51dd/Image-6d464646.gz.xz
> mounted in repro: https://storage.googleapis.com/syzbot-assets/aa0da055eccb/mount_0.gz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+4376a9a073770c173269@...kaller.appspotmail.com
>
> BTRFS info (device loop0): using free space tree
> BTRFS info (device loop0): enabling ssd optimizations
> BTRFS info (device loop0): checking UUID tree
> ------------[ cut here ]------------
> WARNING: CPU: 1 PID: 3072 at mm/util.c:596 kvmalloc_node+0x19c/0x1a4
594 /* Don't even allow crazy sizes */
595 if (unlikely(size > INT_MAX)) {
596 WARN_ON_ONCE(!(flags & __GFP_NOWARN));
597 return NULL;
598 }
> Modules linked in:
> CPU: 1 PID: 3072 Comm: syz-executor189 Not tainted 6.1.0-rc6-syzkaller-32662-g6d464646530f #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/30/2022
> pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
> pc : kvmalloc_node+0x19c/0x1a4
> lr : kvmalloc_node+0x198/0x1a4 mm/util.c:596
> sp : ffff800012f13c40
> x29: ffff800012f13c50 x28: ffff0000cbb01000 x27: 0000000000000000
> x26: 0000000000000000 x25: ffff0000c97a8a10 x24: ffff0000c6fa6400
> x23: 0000000000000000 x22: ffff8000091f72d8 x21: 000caf0ca5eccda0
> x20: 00000000ffffffff x19: 0000000000000dc0 x18: 0000000000000010
> x17: ffff80000c0f0b68 x16: ffff80000dbe6158 x15: ffff0000c43a1a40
> x14: 0000000000000000 x13: 00000000ffffffff x12: ffff0000c43a1a40
> x11: ff808000084361e8 x10: 0000000000000000 x9 : ffff8000084361e8
> x8 : ffff0000c43a1a40 x7 : ffff800008578874 x6 : 0000000000000000
> x5 : 00000000ffffffff x4 : 0000000000012dc0 x3 : 0010000000000000
> x2 : 000caf0ca5eccda0 x1 : 0000000000000000 x0 : 0000000000000000
> Call trace:
> kvmalloc_node+0x19c/0x1a4
> kvmalloc include/linux/slab.h:706 [inline]
> kvmalloc_array include/linux/slab.h:724 [inline]
> kvcalloc include/linux/slab.h:729 [inline]
> btrfs_ioctl_send+0x64c/0xed0 fs/btrfs/send.c:7915
7915 sctx->clone_roots = kvcalloc(sizeof(*sctx->clone_roots),
7916 arg->clone_sources_count + 1,
7917 GFP_KERNEL)
So we get some insane amount of clone_sources_count
> _btrfs_ioctl_send+0x188/0x218 fs/btrfs/ioctl.c:5233
> btrfs_ioctl+0x5c0/0xa64
> vfs_ioctl fs/ioctl.c:51 [inline]
Powered by blists - more mailing lists