 
Message-ID: <CANp29Y5LiryeHFtHtx2XPZkPitOW2NhQfwDbUGw6XxDQ0q-vRw@mail.gmail.com>
Date: Tue, 17 Sep 2024 08:27:22 +0200
From: Aleksandr Nogikh <nogikh@...gle.com>
To: Piotr Zalewski <pZ010001011111@...ton.me>, Alexander Potapenko <glider@...gle.com>
Cc: syzbot <syzbot+6f655a60d3244d0c6718@...kaller.appspotmail.com>, 
	linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [bcachefs?] KMSAN: uninit-value in bch2_bkey_cmp_packed_inlined

+Alexander Potapenko


On Tue, Sep 17, 2024 at 8:26 AM 'Piotr Zalewski' via syzkaller-bugs
<syzkaller-bugs@...glegroups.com> wrote:
>
> Hello,
>
> On Saturday, September 14th, 2024 at 2:15 PM, syzbot <syzbot+6f655a60d3244d0c6718@...kaller.appspotmail.com> wrote:
>
> > Hello,
> >
> > syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> > kernel panic: corrupted stack end in x64_sys_call
> >
> > bucket 0:127 gen 0 has wrong data_type: got free, should be sb, fixing
> > bucket 0:127 gen 0 data type sb has wrong dirty_sectors: got 0, should be 256, fixing
> > done
> > bcachefs (loop0): going read-write
> > bcachefs (loop0): journal_replay...
> > Kernel panic - not syncing: corrupted stack end detected inside scheduler
> > CPU: 0 UID: 0 PID: 5945 Comm: syz.0.15 Not tainted 6.11.0-rc7-syzkaller-g57719771a244-dirty #0
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
> > Call Trace:
> > <TASK>
> >
> > __dump_stack lib/dump_stack.c:93 [inline]
> > dump_stack_lvl+0x216/0x2d0 lib/dump_stack.c:119
> > dump_stack+0x1e/0x30 lib/dump_stack.c:128
> > panic+0x4e2/0xcd0 kernel/panic.c:354
> > schedule_debug kernel/sched/core.c:5745 [inline]
>
> The place where the kernel task's stack magic number gets
> smashed has been found; the backtrace is presented below. Note what
> the watchpoint shows: the old value 1470918301 is 0x57AC6E9D (the
> STACK_END_MAGIC canary at the bottom of the task stack), and the new
> value 18446744071600444244 is 0xffffffff82499354, which is exactly
> the return address into get_shadow_origin_ptr shown in frame #1. So
> the canary appears to be overwritten by a CALL pushing past the end
> of the stack, i.e. this looks like kernel stack exhaustion on the
> deep mount -> recovery -> journal replay -> allocation -> printbuf
> chain (frames #65 down to #7), with KMSAN's per-frame instrumentation
> adding to the depth, rather than a stray out-of-bounds write. Seems
> like it is KMSAN's fault. Is this considered a bug?
>
> ```
> Thread 1 hit Hardware watchpoint 15: *(unsigned long*)0xffff888112370000
>
> Old value = 1470918301
> New value = 18446744071600444244
> kmsan_get_shadow_origin_ptr (address=<optimized out>, size=<optimized out>, store=<optimized out>) at mm/kmsan/shadow.c:83
> 83      {
>
> (gdb) where
>
> #0  kmsan_get_shadow_origin_ptr (address=<optimized out>, size=<optimized out>, store=<optimized out>) at mm/kmsan/shadow.c:83
> #1  0xffffffff82499354 in get_shadow_origin_ptr (addr=0xffff888112370110, size=8, store=false) at mm/kmsan/instrumentation.c:38
> #2  __msan_metadata_ptr_for_load_8 (addr=0xffff888112370110) at mm/kmsan/instrumentation.c:94
> #3  0xffffffff8194dfc9 in filter_irq_stacks (entries=<optimized out>, nr_entries=4) at kernel/stacktrace.c:397
> #4  0xffffffff866d79cb in stack_depot_save_flags (entries=0xffff888112370110, nr_entries=8, alloc_flags=0, depot_flags=1) at lib/stackdepot.c:609
> #5  0xffffffff866d8062 in stack_depot_save (entries=0xffff888112370110, nr_entries=8, alloc_flags=0) at lib/stackdepot.c:678
> #6  0xffffffff82499c92 in __msan_poison_alloca (address=0xffff888112370200, size=24, descr=<optimized out>) at mm/kmsan/instrumentation.c:286
> #7  0xffffffff8fef8326 in sprintf (buf=0xffff8881123703b7 "", fmt=0xffffffff910e22a3 "+%#lx/%#lx") at lib/vsprintf.c:3024
> #8  0xffffffff81a1e08e in __sprint_symbol (buffer=buffer@...ry=0xffff8881123703a0 "bch2_bucket_alloc_trans", address=<optimized out>, address@...ry=18446744071649627845, symbol_offset=symbol_offset@...ry=0, add_offset=add_offset@...ry=1, add_buildid=<optimized out>) at kernel/kallsyms.c:452
> #9  0xffffffff81a1de7d in sprint_symbol (buffer=0xffff8881123703a0 "bch2_bucket_alloc_trans", address=18446744071649627845) at kernel/kallsyms.c:484
> #10 0xffffffff8ff0130d in symbol_string (buf=buf@...ry=0xffff888121efe436 "_MIN bch2", end=end@...ry=0xffff888121efe440 "\006", ptr=ptr@...ry=0xffffffff85380ec5 <bch2_bucket_alloc_trans+2085>, spec=spec@...ry=..., fmt=fmt@...ry=0xffffffff91194721 "S") at lib/vsprintf.c:1002
> #11 0xffffffff8fef50b8 in pointer (fmt=fmt@...ry=0xffffffff91194721 "S", buf=buf@...ry=0xffff888121efe436 "_MIN bch2", end=end@...ry=0xffff888121efe440 "\006", ptr=ptr@...ry=0xffffffff85380ec5 <bch2_bucket_alloc_trans+2085>, spec=spec@...ry=...) at lib/vsprintf.c:2422
> #12 0xffffffff8fef1b70 in vsnprintf (buf=0xffff888121efe435 " _MIN bch2", size=11, fmt=0xffffffff91194721 "S", args=0xffff8881123708f0) at lib/vsprintf.c:2828
> #13 0xffffffff8580676b in bch2_prt_printf (out=0xffff888112370b28, fmt=0xffffffff9119471e " %pS") at fs/bcachefs/printbuf.c:183
> #14 0xffffffff8546d2c4 in bch2_btree_path_to_text_short (out=out@...ry=0xffff888112370b28, trans=trans@...ry=0xffff888121ef0000, path_idx=5) at fs/bcachefs/btree_iter.c:1485
> #15 0xffffffff8ff58bf3 in __bch2_trans_paths_to_text (out=out@...ry=0xffff888112370b28, trans=trans@...ry=0xffff888121ef0000, nosort=<optimized out>) at fs/bcachefs/btree_iter.c:1540
> #16 0xffffffff8ff58ae8 in bch2_trans_paths_to_text (out=0xffff888112370b28, trans=0xffff888121ef0000) at fs/bcachefs/btree_iter.c:1548
> #17 0xffffffff8ff59245 in bch2_trans_update_max_paths (trans=trans@...ry=0xffff888121ef0000) at fs/bcachefs/btree_iter.c:1576
> #18 0xffffffff8546fea7 in btree_path_alloc (trans=trans@...ry=0xffff888121ef0000, pos=0) at fs/bcachefs/btree_iter.c:1673
> #19 0xffffffff8546f02e in bch2_path_get (trans=0xffff888121ef0000, btree_id=BTREE_ID_alloc, pos=..., locks_want=0, level=0, flags=24640, ip=18446744071650896280) at fs/bcachefs/btree_iter.c:1723
> #20 0xffffffff85496915 in bch2_trans_iter_init_common (trans=0xffff888121ef0000, iter=0xffff888112370f08, btree_id=4, pos=..., locks_want=0, depth=0, flags=24640, ip=18446744071650896280) at fs/bcachefs/btree_iter.h:484
> #21 bch2_trans_iter_init_outlined (trans=0xffff888121ef0000, iter=0xffff888112370f08, btree_id=BTREE_ID_alloc, pos=..., flags=24576) at fs/bcachefs/btree_iter.c:2876
> #22 0xffffffff854b6998 in bch2_trans_iter_init (trans=0xffff888121ef0000, iter=0xffff888112370f08, btree_id=4, pos=..., flags=24576) at fs/bcachefs/btree_iter.h:502
> #23 btree_key_cache_fill (trans=trans@...ry=0xffff888121ef0000, ck_path=ck_path@...ry=0xffff888121ef0420, flags=flags@...ry=32) at fs/bcachefs/btree_key_cache.c:438
> #24 0xffffffff854b634d in bch2_btree_path_traverse_cached (trans=0xffff888121ef0000, path=0xffff888121ef0420, flags=32) at fs/bcachefs/btree_key_cache.c:504
> #25 0xffffffff8545ff9f in bch2_btree_path_traverse_one (trans=0xffff888121ef0000, path_idx=5, flags=32, trace_ip=18446744071649632148) at fs/bcachefs/btree_iter.c:1144
> #26 0xffffffff8548e8bc in bch2_btree_path_traverse (trans=0xffff888121ef0000, path=5, flags=32) at fs/bcachefs/btree_iter.h:229
> #27 bch2_btree_iter_peek_slot (iter=0xffff8881123718a8) at fs/bcachefs/btree_iter.c:2602
> #28 0xffffffff85381f94 in __bch2_bkey_get_iter (trans=0xffff888121ef0000, iter=0xffff8881123718a8, btree_id=4, pos=..., flags=32, type=0) at fs/bcachefs/btree_iter.h:551
> #29 bch2_bkey_get_iter (trans=0xffff888121ef0000, iter=0xffff8881123718a8, btree_id=4, pos=..., flags=32) at fs/bcachefs/btree_iter.h:565
> #30 try_alloc_bucket (trans=0xffff888121ef0000, ca=0xffff888116aac000, watermark=BCH_WATERMARK_btree, free_entry=25, s=0xffff8881123717f0, freespace_k=..., cl=0x0 <fixed_percpu_data>) at fs/bcachefs/alloc_foreground.c:301
> #31 bch2_bucket_alloc_freelist (trans=0xffff888121ef0000, ca=0xffff888116aac000, watermark=BCH_WATERMARK_btree, s=0xffff8881123717f0, cl=0x0 <fixed_percpu_data>) at fs/bcachefs/alloc_foreground.c:521
> #32 bch2_bucket_alloc_trans (trans=trans@...ry=0xffff888121ef0000, ca=ca@...ry=0xffff888116aac000, watermark=BCH_WATERMARK_btree, data_type=BCH_DATA_btree, cl=0x0 <fixed_percpu_data>, usage=usage@...ry=0xffff888112371b50) at fs/bcachefs/alloc_foreground.c:643
> #33 0xffffffff85386492 in bch2_bucket_alloc_set_trans (trans=0xffff888121ef0000, ptrs=0xffff8881123722e8, stripe=0xffff88811698ec68, devs_may_alloc=0xffff8881123720d0, nr_replicas=1, nr_effective=0xffff888112372394, have_cache=0xffff88811237242f, flags=<optimized out>, data_type=BCH_DATA_btree, watermark=BCH_WATERMARK_btree, cl=0x0 <fixed_percpu_data>) at fs/bcachefs/alloc_foreground.c:804
> #34 0xffffffff85399b83 in __open_bucket_add_buckets (trans=trans@...ry=0xffff888121ef0000, ptrs=0xffff8881123722e8, wp=0xffff88811698ec00, devs_have=devs_have@...ry=0xffff888112372497, target=target@...ry=0, erasure_code=false, nr_replicas=1, nr_effective=0xffff888112372394, have_cache=0xffff88811237242f, watermark=BCH_WATERMARK_btree, flags=0, _cl=0x0 <fixed_percpu_data>) at fs/bcachefs/alloc_foreground.c:1052
> #35 0xffffffff8538c939 in open_bucket_add_buckets (trans=trans@...ry=0xffff888121ef0000, ptrs=ptrs@...ry=0xffff8881123722e8, wp=wp@...ry=0xffff88811698ec00, devs_have=devs_have@...ry=0xffff888112372497, target=target@...ry=0, erasure_code=erasure_code@...ry=0, nr_replicas=1, nr_effective=0xffff888112372394, have_cache=0xffff88811237242f, watermark=BCH_WATERMARK_btree, flags=0, cl=0x0 <fixed_percpu_data>) at fs/bcachefs/alloc_foreground.c:1096
> #36 0xffffffff8538b4c2 in bch2_alloc_sectors_start_trans (trans=0xffff888121ef0000, target=0, erasure_code=0, write_point=..., devs_have=0xffff888112372497, nr_replicas=1, nr_replicas_required=1, watermark=BCH_WATERMARK_btree, flags=0, cl=0x0 <fixed_percpu_data>, wp_ret=0xffff8881123725d0) at fs/bcachefs/alloc_foreground.c:1404
> #37 0xffffffff8554cdd2 in __bch2_btree_node_alloc (trans=0xffff888121ef0000, cl=0x0 <fixed_percpu_data>, interior_node=false, res=<optimized out>, flags=<optimized out>) at fs/bcachefs/btree_update_interior.c:338
> #38 bch2_btree_reserve_get (trans=trans@...ry=0xffff888121ef0000, as=as@...ry=0xffff88810e56e000, nr_nodes=nr_nodes@...ry=0xffff888112372780, flags=flags@...ry=435, cl=cl@...ry=0x0 <fixed_percpu_data>) at fs/bcachefs/btree_update_interior.c:549
> #39 0xffffffff8551d02a in bch2_btree_update_start (trans=trans@...ry=0xffff888121ef0000, path=path@...ry=0xffff888121ef0200, level_start=level_start@...ry=0, split=<optimized out>, flags=<optimized out>, flags@...ry=432) at fs/bcachefs/btree_update_interior.c:1247
> #40 0xffffffff8551ac12 in bch2_btree_split_leaf (trans=0xffff888121ef0000, path=1, flags=432) at fs/bcachefs/btree_update_interior.c:1845
> #41 0xffffffff854f660f in bch2_trans_commit_error (trans=0xffff888121ef0000, flags=flags@...ry=432, i=i@...ry=0xffff888121ef2400, ret=ret@...ry=-2203, trace_ip=18446744071651609665) at fs/bcachefs/btree_trans_commit.c:903
> #42 0xffffffff854f1713 in __bch2_trans_commit (trans=0xffff888121ef0000, flags=432) at fs/bcachefs/btree_trans_commit.c:1135
> #43 0xffffffff85564c41 in bch2_trans_commit (trans=0xffff888121ef0000, disk_res=0x0 <fixed_percpu_data>, journal_seq=0x0 <fixed_percpu_data>, flags=432) at fs/bcachefs/btree_update.h:184
> #44 wb_flush_one_slowpath (trans=0xffff888121ef0000, iter=iter@...ry=0xffff888112372c88, wb=wb@...ry=0xffffc900088004b0) at fs/bcachefs/btree_write_buffer.c:129
> #45 0xffffffff8555a1fb in wb_flush_one (trans=0xffff888121ef0000, iter=0xffff888112372c88, wb=0xffffc900088004b0, write_locked=<optimized out>, accounting_accumulated=<optimized out>, fast=<optimized out>) at fs/bcachefs/btree_write_buffer.c:183
> #46 bch2_btree_write_buffer_flush_locked (trans=trans@...ry=0xffff888121ef0000) at fs/bcachefs/btree_write_buffer.c:375
> #47 0xffffffff85555c86 in btree_write_buffer_flush_seq (trans=trans@...ry=0xffff888121ef0000, seq=seq@...ry=11) at fs/bcachefs/btree_write_buffer.c:510
> #48 0xffffffff855600d1 in bch2_btree_write_buffer_journal_flush (j=<optimized out>, _pin=<optimized out>, seq=11) at fs/bcachefs/btree_write_buffer.c:525
> #49 0xffffffff857c285c in journal_flush_pins (j=j@...ry=0xffff8881169a6fc0, seq_to_flush=seq_to_flush@...ry=18446744073709551615, allowed_below_seq=allowed_below_seq@...ry=6, allowed_above_seq=0, min_any=0, min_key_cache=min_key_cache@...ry=0) at fs/bcachefs/journal_reclaim.c:565
> #50 0xffffffff857c0e1d in journal_flush_done (j=j@...ry=0xffff8881169a6fc0, seq_to_flush=seq_to_flush@...ry=18446744073709551615, did_work=did_work@...ry=0xffff888112373327) at fs/bcachefs/journal_reclaim.c:818
> #51 0xffffffff857c0c2d in bch2_journal_flush_pins (j=0xffff8881169a6fc0, seq_to_flush=18446744073709551615) at fs/bcachefs/journal_reclaim.c:851
> #52 0xffffffff85826851 in bch2_journal_flush_all_pins (j=0xffff8881169a6fc0) at fs/bcachefs/journal_reclaim.h:76
> #53 bch2_journal_replay (c=0xffff888116980000) at fs/bcachefs/recovery.c:383
> #54 0xffffffff85836243 in bch2_run_recovery_pass (c=0xffff888116980000, pass=BCH_RECOVERY_PASS_journal_replay) at fs/bcachefs/recovery_passes.c:183
> #55 bch2_run_recovery_passes (c=0xffff888116980000) at fs/bcachefs/recovery_passes.c:230
> #56 0xffffffff8582c99a in bch2_fs_recovery (c=0xffff888116980000) at fs/bcachefs/recovery.c:859
> #57 0xffffffff858b5f56 in bch2_fs_start (c=0xffff888116980000) at fs/bcachefs/super.c:1036
> #58 0xffffffff8567507e in bch2_fs_get_tree (fc=0xffff88815d061600) at fs/bcachefs/fs.c:1946
> #59 0xffffffff82632873 in vfs_get_tree (fc=0xffff88815d061600) at fs/super.c:1800
> #60 0xffffffff8271cd6e in do_new_mount (path=path@...ry=0xffff888112373d90, fstype=fstype@...ry=0xffff888116ac8b00 "bcachefs", sb_flags=sb_flags@...ry=0, mnt_flags=mnt_flags@...ry=32, name=name@...ry=0xffff888116ac8b10 "/dev/loop0", data=data@...ry=0xffff88815d37b000) at fs/namespace.c:3472
> #61 0xffffffff82719e93 in path_mount (dev_name=0xffff888116ac8b10 "/dev/loop0", path=0xffff888112373d90, type_page=0xffff888116ac8b00 "bcachefs", flags=<optimized out>, data_page=0xffff88815d37b000) at fs/namespace.c:3799
> #62 0xffffffff827215d3 in do_mount (dev_name=0xffff888116ac8b10 "/dev/loop0", dir_name=0x20005900 "./file0", type_page=0xffff888116ac8b00 "bcachefs", flags=0, data_page=0xffff88815d37b000) at fs/namespace.c:3812
> #63 __do_sys_mount (type=<optimized out>, dev_name=<optimized out>, dir_name=<optimized out>, flags=<optimized out>, data=<optimized out>) at fs/namespace.c:4020
> #64 __se_sys_mount (dev_name=dev_name@...ry=140734779799792, dir_name=dir_name@...ry=536893696, type=type@...ry=536893632, flags=flags@...ry=0, data=data@...ry=140734779799856) at fs/namespace.c:3997
> #65 0xffffffff82720e24 in __x64_sys_mount (regs=0xffff888112373f58) at fs/namespace.c:3997
> #66 0xffffffff81009251 in x64_sys_call (regs=0xffff888112373f58, nr=165) at ./arch/x86/include/generated/asm/syscalls_64.h:166
> #67 0xffffffff8ff838d9 in do_syscall_x64 (regs=0xffff888112373f58, nr=165) at arch/x86/entry/common.c:52
> #68 do_syscall_64 (regs=0xffff888112373f58, nr=165) at arch/x86/entry/common.c:83
> #69 0xffffffff90000130 in entry_SYSCALL_64 () at arch/x86/entry/entry_64.S:121
> #70 0x00007f7e7e0dca80 in ?? ()
> #71 0x00005596cb52a242 in ?? ()
> #72 0x00007fff5e8ebbc8 in ?? ()
> #73 0x00007fff5e8ebbb8 in ?? ()
> #74 0x00007fff5e8eba40 in ?? ()
> #75 0x00005596cb531dd8 in ?? ()
> #76 0x0000000000000202 in ?? ()
> #77 0x0000000000000000 in ?? ()
> ```
>
> Best Regards, Piotr Zalewski
>
>

