lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Tue, 30 Apr 2024 03:11:58 +0900
From: Ryusuke Konishi <konishi.ryusuke@...il.com>
To: syzbot <syzbot+32c3706ebf5d95046ea1@...kaller.appspotmail.com>
Cc: akpm@...ux-foundation.org, linux-fsdevel@...r.kernel.org, 
	linux-kernel@...r.kernel.org, linux-nilfs@...r.kernel.org, 
	syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [nilfs?] kernel BUG in nilfs_delete_entry

On Mon, Apr 29, 2024 at 10:18 PM syzbot wrote:
>
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit:    5eb4573ea63d Merge tag 'soc-fixes-6.9-2' of git://git.kern..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=1591a5e8980000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=3d46aa9d7a44f40d
> dashboard link: https://syzkaller.appspot.com/bug?extid=32c3706ebf5d95046ea1
> compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1213956b180000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=13ac32ef180000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/7e4c1378cbb1/disk-5eb4573e.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/8e4487ecdd86/vmlinux-5eb4573e.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/d84518ee028f/bzImage-5eb4573e.xz
> mounted in repro #1: https://storage.googleapis.com/syzbot-assets/350446baf90d/mount_0.gz
> mounted in repro #2: https://storage.googleapis.com/syzbot-assets/e66542e7352f/mount_2.gz
>
> The issue was bisected to:
>
> commit 602ce7b8e1343b19c0cf93a3dd1926838ac5a1cc
> Author: Ryusuke Konishi <konishi.ryusuke@...il.com>
> Date:   Fri Jan 27 13:22:02 2023 +0000
>
>     nilfs2: prevent WARNING in nilfs_dat_commit_end()
>
> bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=15d757d8980000
> final oops:     https://syzkaller.appspot.com/x/report.txt?x=17d757d8980000
> console output: https://syzkaller.appspot.com/x/log.txt?x=13d757d8980000
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+32c3706ebf5d95046ea1@...kaller.appspotmail.com
> Fixes: 602ce7b8e134 ("nilfs2: prevent WARNING in nilfs_dat_commit_end()")
>
> ------------[ cut here ]------------
> kernel BUG at fs/nilfs2/dir.c:545!
> invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
> CPU: 1 PID: 5115 Comm: syz-executor410 Not tainted 6.9.0-rc5-syzkaller-00296-g5eb4573ea63d #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
> RIP: 0010:nilfs_delete_entry+0x349/0x350 fs/nilfs2/dir.c:545
> Code: 8d fe e9 de fd ff ff 44 89 f9 80 e1 07 fe c1 38 c1 0f 8c 20 ff ff ff 4c 89 ff e8 f2 a6 8d fe e9 13 ff ff ff e8 68 56 2c fe 90 <0f> 0b 0f 1f 44 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
> RSP: 0018:ffffc900036078b8 EFLAGS: 00010293
> RAX: ffffffff8369aa08 RBX: 0000000000000050 RCX: ffff888018339e00
> RDX: 0000000000000000 RSI: 00000000fffffffb RDI: 0000000000000000
> RBP: 00000000fffffffb R08: ffffffff8369a8de R09: 1ffff1100806d722
> R10: dffffc0000000000 R11: ffffed100806d723 R12: ffffea00010fed80
> R13: ffff888043fb6038 R14: 0000000000000020 R15: ffff888043fb6020
> FS:  00007fa2992ee6c0(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007ffd3dbd8b98 CR3: 0000000024b86000 CR4: 00000000003506f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
>  <TASK>
>  nilfs_rename+0x57d/0xaf0 fs/nilfs2/namei.c:413
>  vfs_rename+0xbdb/0xf00 fs/namei.c:4880
>  do_renameat2+0xd94/0x13f0 fs/namei.c:5037
>  __do_sys_renameat2 fs/namei.c:5071 [inline]
>  __se_sys_renameat2 fs/namei.c:5068 [inline]
>  __x64_sys_renameat2+0xd2/0xf0 fs/namei.c:5068
>  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
>  do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83
>  entry_SYSCALL_64_after_hwframe+0x77/0x7f
> RIP: 0033:0x7fa299358f49
> Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007fa2992ee218 EFLAGS: 00000246 ORIG_RAX: 000000000000013c
> RAX: ffffffffffffffda RBX: 00007fa2993e16d8 RCX: 00007fa299358f49
> RDX: 0000000000000006 RSI: 0000000020000100 RDI: 0000000000000005
> RBP: 00007fa2993e16d0 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000020000580 R11: 0000000000000246 R12: 00007fa2993ade20
> R13: 00007fa2993adb68 R14: 0030656c69662f2e R15: 3e2efc42dc31fca1
>  </TASK>
> Modules linked in:
> ---[ end trace 0000000000000000 ]---
> RIP: 0010:nilfs_delete_entry+0x349/0x350 fs/nilfs2/dir.c:545
> Code: 8d fe e9 de fd ff ff 44 89 f9 80 e1 07 fe c1 38 c1 0f 8c 20 ff ff ff 4c 89 ff e8 f2 a6 8d fe e9 13 ff ff ff e8 68 56 2c fe 90 <0f> 0b 0f 1f 44 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
> RSP: 0018:ffffc900036078b8 EFLAGS: 00010293
>
> RAX: ffffffff8369aa08 RBX: 0000000000000050 RCX: ffff888018339e00
> RDX: 0000000000000000 RSI: 00000000fffffffb RDI: 0000000000000000
> RBP: 00000000fffffffb R08: ffffffff8369a8de R09: 1ffff1100806d722
> R10: dffffc0000000000 R11: ffffed100806d723 R12: ffffea00010fed80
> R13: ffff888043fb6038 R14: 0000000000000020 R15: ffff888043fb6020
> FS:  00007fa2992ee6c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007fa2993149f0 CR3: 0000000024b86000 CR4: 00000000003506f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

According to the stack trace, syzbot was hitting a legacy part that
uses BUG_ON() instead of returning errors in the directory code, so I
would like to fix it to cover this.

The bisected commit itself detects metadata corruption generated by
syzbot and handles it as an error, so it doesn't seem to be a problem.
  I'm guessing that the commit just affected reproducibility.

Ryusuke Konishi

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ