Message-ID: <rVaWgPULej8K7HqMPNIu8kVNyXNjjCiTB-QBtItLFBmk0alH6fV2tk4joVPk97Evnuv4ZRDd8HB5uDCkiFG6u81xKdzDj-KrtIMJSlF6Kt8=@proton.me>
Date: Mon, 16 Sep 2024 22:37:24 +0000
From: Piotr Zalewski <pZ010001011111@...ton.me>
To: syzbot <syzbot+6f655a60d3244d0c6718@...kaller.appspotmail.com>
Cc: linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [bcachefs?] KMSAN: uninit-value in bch2_bkey_cmp_packed_inlined

Hello,

On Saturday, September 14th, 2024 at 2:15 PM, syzbot <syzbot+6f655a60d3244d0c6718@...kaller.appspotmail.com> wrote:

> Hello,
> 
> syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> kernel panic: corrupted stack end in x64_sys_call
> 
> bucket 0:127 gen 0 has wrong data_type: got free, should be sb, fixing
> bucket 0:127 gen 0 data type sb has wrong dirty_sectors: got 0, should be 256, fixing
> done
> bcachefs (loop0): going read-write
> bcachefs (loop0): journal_replay...
> Kernel panic - not syncing: corrupted stack end detected inside scheduler
> CPU: 0 UID: 0 PID: 5945 Comm: syz.0.15 Not tainted 6.11.0-rc7-syzkaller-g57719771a244-dirty #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
> Call Trace:
> <TASK>
> 
> __dump_stack lib/dump_stack.c:93 [inline]
> dump_stack_lvl+0x216/0x2d0 lib/dump_stack.c:119
> dump_stack+0x1e/0x30 lib/dump_stack.c:128
> panic+0x4e2/0xcd0 kernel/panic.c:354
> schedule_debug kernel/sched/core.c:5745 [inline]

I found the place where the kernel task's stack-end magic value gets
smashed; the backtrace is below. Note that the watchpoint fired on
0xffff888112370000 while frames #0-#9 are working on stack addresses
only a few hundred bytes above it (0xffff888112370110, 0xffff888112370200,
0xffff8881123703a0), and the new value written there is a kernel text
address. That pattern looks like the task stack being exhausted (the
deep bcachefs -> vsprintf -> KMSAN -> stackdepot call chain, with
KMSAN's instrumentation inflating per-frame stack usage) rather than a
stray out-of-bounds write. Is this considered a bug, and if so is it a
KMSAN/stack-size issue or something bcachefs should address?

```
Thread 1 hit Hardware watchpoint 15: *(unsigned long*)0xffff888112370000

Old value = 1470918301
New value = 18446744071600444244
kmsan_get_shadow_origin_ptr (address=<optimized out>, size=<optimized out>, store=<optimized out>) at mm/kmsan/shadow.c:83
83      {

(gdb) where

#0  kmsan_get_shadow_origin_ptr (address=<optimized out>, size=<optimized out>, store=<optimized out>) at mm/kmsan/shadow.c:83
#1  0xffffffff82499354 in get_shadow_origin_ptr (addr=0xffff888112370110, size=8, store=false) at mm/kmsan/instrumentation.c:38
#2  __msan_metadata_ptr_for_load_8 (addr=0xffff888112370110) at mm/kmsan/instrumentation.c:94
#3  0xffffffff8194dfc9 in filter_irq_stacks (entries=<optimized out>, nr_entries=4) at kernel/stacktrace.c:397
#4  0xffffffff866d79cb in stack_depot_save_flags (entries=0xffff888112370110, nr_entries=8, alloc_flags=0, depot_flags=1) at lib/stackdepot.c:609
#5  0xffffffff866d8062 in stack_depot_save (entries=0xffff888112370110, nr_entries=8, alloc_flags=0) at lib/stackdepot.c:678
#6  0xffffffff82499c92 in __msan_poison_alloca (address=0xffff888112370200, size=24, descr=<optimized out>) at mm/kmsan/instrumentation.c:286
#7  0xffffffff8fef8326 in sprintf (buf=0xffff8881123703b7 "", fmt=0xffffffff910e22a3 "+%#lx/%#lx") at lib/vsprintf.c:3024
#8  0xffffffff81a1e08e in __sprint_symbol (buffer=buffer@...ry=0xffff8881123703a0 "bch2_bucket_alloc_trans", address=<optimized out>, address@...ry=18446744071649627845, symbol_offset=symbol_offset@...ry=0, add_offset=add_offset@...ry=1, add_buildid=<optimized out>) at kernel/kallsyms.c:452
#9  0xffffffff81a1de7d in sprint_symbol (buffer=0xffff8881123703a0 "bch2_bucket_alloc_trans", address=18446744071649627845) at kernel/kallsyms.c:484
#10 0xffffffff8ff0130d in symbol_string (buf=buf@...ry=0xffff888121efe436 "_MIN bch2", end=end@...ry=0xffff888121efe440 "\006", ptr=ptr@...ry=0xffffffff85380ec5 <bch2_bucket_alloc_trans+2085>, spec=spec@...ry=..., fmt=fmt@...ry=0xffffffff91194721 "S") at lib/vsprintf.c:1002
#11 0xffffffff8fef50b8 in pointer (fmt=fmt@...ry=0xffffffff91194721 "S", buf=buf@...ry=0xffff888121efe436 "_MIN bch2", end=end@...ry=0xffff888121efe440 "\006", ptr=ptr@...ry=0xffffffff85380ec5 <bch2_bucket_alloc_trans+2085>, spec=spec@...ry=...) at lib/vsprintf.c:2422
#12 0xffffffff8fef1b70 in vsnprintf (buf=0xffff888121efe435 " _MIN bch2", size=11, fmt=0xffffffff91194721 "S", args=0xffff8881123708f0) at lib/vsprintf.c:2828
#13 0xffffffff8580676b in bch2_prt_printf (out=0xffff888112370b28, fmt=0xffffffff9119471e " %pS") at fs/bcachefs/printbuf.c:183
#14 0xffffffff8546d2c4 in bch2_btree_path_to_text_short (out=out@...ry=0xffff888112370b28, trans=trans@...ry=0xffff888121ef0000, path_idx=5) at fs/bcachefs/btree_iter.c:1485
#15 0xffffffff8ff58bf3 in __bch2_trans_paths_to_text (out=out@...ry=0xffff888112370b28, trans=trans@...ry=0xffff888121ef0000, nosort=<optimized out>) at fs/bcachefs/btree_iter.c:1540
#16 0xffffffff8ff58ae8 in bch2_trans_paths_to_text (out=0xffff888112370b28, trans=0xffff888121ef0000) at fs/bcachefs/btree_iter.c:1548
#17 0xffffffff8ff59245 in bch2_trans_update_max_paths (trans=trans@...ry=0xffff888121ef0000) at fs/bcachefs/btree_iter.c:1576
#18 0xffffffff8546fea7 in btree_path_alloc (trans=trans@...ry=0xffff888121ef0000, pos=0) at fs/bcachefs/btree_iter.c:1673
#19 0xffffffff8546f02e in bch2_path_get (trans=0xffff888121ef0000, btree_id=BTREE_ID_alloc, pos=..., locks_want=0, level=0, flags=24640, ip=18446744071650896280) at fs/bcachefs/btree_iter.c:1723
#20 0xffffffff85496915 in bch2_trans_iter_init_common (trans=0xffff888121ef0000, iter=0xffff888112370f08, btree_id=4, pos=..., locks_want=0, depth=0, flags=24640, ip=18446744071650896280) at fs/bcachefs/btree_iter.h:484
#21 bch2_trans_iter_init_outlined (trans=0xffff888121ef0000, iter=0xffff888112370f08, btree_id=BTREE_ID_alloc, pos=..., flags=24576) at fs/bcachefs/btree_iter.c:2876
#22 0xffffffff854b6998 in bch2_trans_iter_init (trans=0xffff888121ef0000, iter=0xffff888112370f08, btree_id=4, pos=..., flags=24576) at fs/bcachefs/btree_iter.h:502
#23 btree_key_cache_fill (trans=trans@...ry=0xffff888121ef0000, ck_path=ck_path@...ry=0xffff888121ef0420, flags=flags@...ry=32) at fs/bcachefs/btree_key_cache.c:438
#24 0xffffffff854b634d in bch2_btree_path_traverse_cached (trans=0xffff888121ef0000, path=0xffff888121ef0420, flags=32) at fs/bcachefs/btree_key_cache.c:504
#25 0xffffffff8545ff9f in bch2_btree_path_traverse_one (trans=0xffff888121ef0000, path_idx=5, flags=32, trace_ip=18446744071649632148) at fs/bcachefs/btree_iter.c:1144
#26 0xffffffff8548e8bc in bch2_btree_path_traverse (trans=0xffff888121ef0000, path=5, flags=32) at fs/bcachefs/btree_iter.h:229
#27 bch2_btree_iter_peek_slot (iter=0xffff8881123718a8) at fs/bcachefs/btree_iter.c:2602
#28 0xffffffff85381f94 in __bch2_bkey_get_iter (trans=0xffff888121ef0000, iter=0xffff8881123718a8, btree_id=4, pos=..., flags=32, type=0) at fs/bcachefs/btree_iter.h:551
#29 bch2_bkey_get_iter (trans=0xffff888121ef0000, iter=0xffff8881123718a8, btree_id=4, pos=..., flags=32) at fs/bcachefs/btree_iter.h:565
#30 try_alloc_bucket (trans=0xffff888121ef0000, ca=0xffff888116aac000, watermark=BCH_WATERMARK_btree, free_entry=25, s=0xffff8881123717f0, freespace_k=..., cl=0x0 <fixed_percpu_data>) at fs/bcachefs/alloc_foreground.c:301
#31 bch2_bucket_alloc_freelist (trans=0xffff888121ef0000, ca=0xffff888116aac000, watermark=BCH_WATERMARK_btree, s=0xffff8881123717f0, cl=0x0 <fixed_percpu_data>) at fs/bcachefs/alloc_foreground.c:521
#32 bch2_bucket_alloc_trans (trans=trans@...ry=0xffff888121ef0000, ca=ca@...ry=0xffff888116aac000, watermark=BCH_WATERMARK_btree, data_type=BCH_DATA_btree, cl=0x0 <fixed_percpu_data>, usage=usage@...ry=0xffff888112371b50) at fs/bcachefs/alloc_foreground.c:643
#33 0xffffffff85386492 in bch2_bucket_alloc_set_trans (trans=0xffff888121ef0000, ptrs=0xffff8881123722e8, stripe=0xffff88811698ec68, devs_may_alloc=0xffff8881123720d0, nr_replicas=1, nr_effective=0xffff888112372394, have_cache=0xffff88811237242f, flags=<optimized out>, data_type=BCH_DATA_btree, watermark=BCH_WATERMARK_btree, cl=0x0 <fixed_percpu_data>) at fs/bcachefs/alloc_foreground.c:804
#34 0xffffffff85399b83 in __open_bucket_add_buckets (trans=trans@...ry=0xffff888121ef0000, ptrs=0xffff8881123722e8, wp=0xffff88811698ec00, devs_have=devs_have@...ry=0xffff888112372497, target=target@...ry=0, erasure_code=false, nr_replicas=1, nr_effective=0xffff888112372394, have_cache=0xffff88811237242f, watermark=BCH_WATERMARK_btree, flags=0, _cl=0x0 <fixed_percpu_data>) at fs/bcachefs/alloc_foreground.c:1052
#35 0xffffffff8538c939 in open_bucket_add_buckets (trans=trans@...ry=0xffff888121ef0000, ptrs=ptrs@...ry=0xffff8881123722e8, wp=wp@...ry=0xffff88811698ec00, devs_have=devs_have@...ry=0xffff888112372497, target=target@...ry=0, erasure_code=erasure_code@...ry=0, nr_replicas=1, nr_effective=0xffff888112372394, have_cache=0xffff88811237242f, watermark=BCH_WATERMARK_btree, flags=0, cl=0x0 <fixed_percpu_data>) at fs/bcachefs/alloc_foreground.c:1096
#36 0xffffffff8538b4c2 in bch2_alloc_sectors_start_trans (trans=0xffff888121ef0000, target=0, erasure_code=0, write_point=..., devs_have=0xffff888112372497, nr_replicas=1, nr_replicas_required=1, watermark=BCH_WATERMARK_btree, flags=0, cl=0x0 <fixed_percpu_data>, wp_ret=0xffff8881123725d0) at fs/bcachefs/alloc_foreground.c:1404
#37 0xffffffff8554cdd2 in __bch2_btree_node_alloc (trans=0xffff888121ef0000, cl=0x0 <fixed_percpu_data>, interior_node=false, res=<optimized out>, flags=<optimized out>) at fs/bcachefs/btree_update_interior.c:338
#38 bch2_btree_reserve_get (trans=trans@...ry=0xffff888121ef0000, as=as@...ry=0xffff88810e56e000, nr_nodes=nr_nodes@...ry=0xffff888112372780, flags=flags@...ry=435, cl=cl@...ry=0x0 <fixed_percpu_data>) at fs/bcachefs/btree_update_interior.c:549
#39 0xffffffff8551d02a in bch2_btree_update_start (trans=trans@...ry=0xffff888121ef0000, path=path@...ry=0xffff888121ef0200, level_start=level_start@...ry=0, split=<optimized out>, flags=<optimized out>, flags@...ry=432) at fs/bcachefs/btree_update_interior.c:1247
#40 0xffffffff8551ac12 in bch2_btree_split_leaf (trans=0xffff888121ef0000, path=1, flags=432) at fs/bcachefs/btree_update_interior.c:1845
#41 0xffffffff854f660f in bch2_trans_commit_error (trans=0xffff888121ef0000, flags=flags@...ry=432, i=i@...ry=0xffff888121ef2400, ret=ret@...ry=-2203, trace_ip=18446744071651609665) at fs/bcachefs/btree_trans_commit.c:903
#42 0xffffffff854f1713 in __bch2_trans_commit (trans=0xffff888121ef0000, flags=432) at fs/bcachefs/btree_trans_commit.c:1135
#43 0xffffffff85564c41 in bch2_trans_commit (trans=0xffff888121ef0000, disk_res=0x0 <fixed_percpu_data>, journal_seq=0x0 <fixed_percpu_data>, flags=432) at fs/bcachefs/btree_update.h:184
#44 wb_flush_one_slowpath (trans=0xffff888121ef0000, iter=iter@...ry=0xffff888112372c88, wb=wb@...ry=0xffffc900088004b0) at fs/bcachefs/btree_write_buffer.c:129
#45 0xffffffff8555a1fb in wb_flush_one (trans=0xffff888121ef0000, iter=0xffff888112372c88, wb=0xffffc900088004b0, write_locked=<optimized out>, accounting_accumulated=<optimized out>, fast=<optimized out>) at fs/bcachefs/btree_write_buffer.c:183
#46 bch2_btree_write_buffer_flush_locked (trans=trans@...ry=0xffff888121ef0000) at fs/bcachefs/btree_write_buffer.c:375
#47 0xffffffff85555c86 in btree_write_buffer_flush_seq (trans=trans@...ry=0xffff888121ef0000, seq=seq@...ry=11) at fs/bcachefs/btree_write_buffer.c:510
#48 0xffffffff855600d1 in bch2_btree_write_buffer_journal_flush (j=<optimized out>, _pin=<optimized out>, seq=11) at fs/bcachefs/btree_write_buffer.c:525
#49 0xffffffff857c285c in journal_flush_pins (j=j@...ry=0xffff8881169a6fc0, seq_to_flush=seq_to_flush@...ry=18446744073709551615, allowed_below_seq=allowed_below_seq@...ry=6, allowed_above_seq=0, min_any=0, min_key_cache=min_key_cache@...ry=0) at fs/bcachefs/journal_reclaim.c:565
#50 0xffffffff857c0e1d in journal_flush_done (j=j@...ry=0xffff8881169a6fc0, seq_to_flush=seq_to_flush@...ry=18446744073709551615, did_work=did_work@...ry=0xffff888112373327) at fs/bcachefs/journal_reclaim.c:818
#51 0xffffffff857c0c2d in bch2_journal_flush_pins (j=0xffff8881169a6fc0, seq_to_flush=18446744073709551615) at fs/bcachefs/journal_reclaim.c:851
#52 0xffffffff85826851 in bch2_journal_flush_all_pins (j=0xffff8881169a6fc0) at fs/bcachefs/journal_reclaim.h:76
#53 bch2_journal_replay (c=0xffff888116980000) at fs/bcachefs/recovery.c:383
#54 0xffffffff85836243 in bch2_run_recovery_pass (c=0xffff888116980000, pass=BCH_RECOVERY_PASS_journal_replay) at fs/bcachefs/recovery_passes.c:183
#55 bch2_run_recovery_passes (c=0xffff888116980000) at fs/bcachefs/recovery_passes.c:230
#56 0xffffffff8582c99a in bch2_fs_recovery (c=0xffff888116980000) at fs/bcachefs/recovery.c:859
#57 0xffffffff858b5f56 in bch2_fs_start (c=0xffff888116980000) at fs/bcachefs/super.c:1036
#58 0xffffffff8567507e in bch2_fs_get_tree (fc=0xffff88815d061600) at fs/bcachefs/fs.c:1946
#59 0xffffffff82632873 in vfs_get_tree (fc=0xffff88815d061600) at fs/super.c:1800
#60 0xffffffff8271cd6e in do_new_mount (path=path@...ry=0xffff888112373d90, fstype=fstype@...ry=0xffff888116ac8b00 "bcachefs", sb_flags=sb_flags@...ry=0, mnt_flags=mnt_flags@...ry=32, name=name@...ry=0xffff888116ac8b10 "/dev/loop0", data=data@...ry=0xffff88815d37b000) at fs/namespace.c:3472
#61 0xffffffff82719e93 in path_mount (dev_name=0xffff888116ac8b10 "/dev/loop0", path=0xffff888112373d90, type_page=0xffff888116ac8b00 "bcachefs", flags=<optimized out>, data_page=0xffff88815d37b000) at fs/namespace.c:3799
#62 0xffffffff827215d3 in do_mount (dev_name=0xffff888116ac8b10 "/dev/loop0", dir_name=0x20005900 "./file0", type_page=0xffff888116ac8b00 "bcachefs", flags=0, data_page=0xffff88815d37b000) at fs/namespace.c:3812
#63 __do_sys_mount (type=<optimized out>, dev_name=<optimized out>, dir_name=<optimized out>, flags=<optimized out>, data=<optimized out>) at fs/namespace.c:4020
#64 __se_sys_mount (dev_name=dev_name@...ry=140734779799792, dir_name=dir_name@...ry=536893696, type=type@...ry=536893632, flags=flags@...ry=0, data=data@...ry=140734779799856) at fs/namespace.c:3997
#65 0xffffffff82720e24 in __x64_sys_mount (regs=0xffff888112373f58) at fs/namespace.c:3997
#66 0xffffffff81009251 in x64_sys_call (regs=0xffff888112373f58, nr=165) at ./arch/x86/include/generated/asm/syscalls_64.h:166
#67 0xffffffff8ff838d9 in do_syscall_x64 (regs=0xffff888112373f58, nr=165) at arch/x86/entry/common.c:52
#68 do_syscall_64 (regs=0xffff888112373f58, nr=165) at arch/x86/entry/common.c:83
#69 0xffffffff90000130 in entry_SYSCALL_64 () at arch/x86/entry/entry_64.S:121
#70 0x00007f7e7e0dca80 in ?? ()
#71 0x00005596cb52a242 in ?? ()
#72 0x00007fff5e8ebbc8 in ?? ()
#73 0x00007fff5e8ebbb8 in ?? ()
#74 0x00007fff5e8eba40 in ?? ()
#75 0x00005596cb531dd8 in ?? ()
#76 0x0000000000000202 in ?? ()
#77 0x0000000000000000 in ?? ()
```

Best Regards, Piotr Zalewski



