lists.openwall.net: Open Source and information security mailing list archives
Message-ID:
	<TYSPR06MB7158A2235E4058D3E32818A5F68D2@TYSPR06MB7158.apcprd06.prod.outlook.com>
Date: Fri, 2 May 2025 04:49:16 +0000
From: "huk23@...udan.edu.cn" <huk23@...udan.edu.cn>
To: Dave Kleikamp <shaggy@...nel.org>
CC: Jiaji Qin <jjtan24@...udan.edu.cn>, Shuoran Bai <baishuoran@...eu.edu.cn>,
	jfs-discussion <jfs-discussion@...ts.sourceforge.net>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
	"syzkaller@...glegroups.com" <syzkaller@...glegroups.com>
Subject: BUG:read_message failed in LogSyncRelease

Dear Maintainers,
When using our customized Syzkaller to fuzz the latest Linux kernel, the following crash (36th) was triggered.

HEAD commit: 6537cfb395f352782918d8ee7b7f10ba2cc3cbf2
git tree: upstream
Output: https://github.com/pghk13/Kernel-Bug/blob/main/0103_6.13rc5_%E6%9C%AA%E6%8A%A5%E5%91%8A/%E6%9C%89%E7%9B%B8%E4%BC%BC%E6%A3%80%E7%B4%A2%E8%AE%B0%E5%BD%95/36-kernel%20BUG%20in%20txAbort/36call_trace.txt
Kernel config: https://github.com/pghk13/Kernel-Bug/blob/main/config.txt
C reproducer: https://github.com/pghk13/Kernel-Bug/blob/main/0103_6.13rc5_%E6%9C%AA%E6%8A%A5%E5%91%8A/%E6%9C%89%E7%9B%B8%E4%BC%BC%E6%A3%80%E7%B4%A2%E8%AE%B0%E5%BD%95/36-kernel%20BUG%20in%20txAbort/36repro.c
Syzlang reproducer: https://github.com/pghk13/Kernel-Bug/blob/main/0103_6.13rc5_%E6%9C%AA%E6%8A%A5%E5%91%8A/%E6%9C%89%E7%9B%B8%E4%BC%BC%E6%A3%80%E7%B4%A2%E8%AE%B0%E5%BD%95/36-kernel%20BUG%20in%20txAbort/36repro.txt

This error is triggered in the transaction abort function txAbort, which is located in the JFS transaction manager code. The error occurs on line 2796 of the fs/jfs/jfs_txnmgr.c file, asserting that mp->nohomeok failed. This indicates that in the specified "metapage" (MP) object, the value of the nohomeok flag does not meet the expected condition (possibly 0 or false, while the assertion requires it to be non-zero or true).
We have reproduced this issue several times on 6.15-rc1 again.
If you fix this issue, please add the following tag to the commit:
Reported-by: Kun Hu <huk23@...udan.edu.cn>, Jiaji Qin <jjtan24@...udan.edu.cn>, Shuoran Bai <baishuoran@...eu.edu.cn>

=======================================================
read_mapping_page failed!
BUG at fs/jfs/jfs_txnmgr.c:2796 assert(mp->nohomeok)
------------[ cut here ]------------
kernel BUG at fs/jfs/jfs_txnmgr.c:2796!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
CPU: 1 UID: 0 PID: 9491 Comm: syz-executor237 Not tainted 6.15.0-rc1 #1 PREEMPT(full)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:txAbort+0x51e/0x570
Code: e9 96 fd ff ff e8 22 2c 73 fe 48 c7 c1 00 4f cd 8b ba ec 0a 00 00 48 c7 c6 e0 41 cd 8b 48 c7 c7 20 42 cd 8b e8 23 5d 52 fe 90 <0f> 0b e8 fb 2b 73 fe 48 c7 c1 40 4f cd 8b ba ed 0a 00 00 48 c7 c6
RSP: 0018:ffffc90014c7f4c0 EFLAGS: 00010286
RAX: 0000000000000034 RBX: dffffc0000000000 RCX: ffffffff819a5799
RDX: 0000000000000000 RSI: ffff888022bc0000 RDI: 0000000000000002
RBP: 0000000000000003 R08: fffffbfff1c4bb00 R09: ffffed100fdc47ba
R10: ffffed100fdc47b9 R11: ffff88807ee23dcb R12: 0000000000000000
R13: ffffc90001b69110 R14: ffff8880548a2ba0 R15: ffff8880548a2c48
FS:  000055558797f880(0000) GS:ffff8880eb36b000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f5264200058 CR3: 0000000023ba8000 CR4: 0000000000750ef0
PKRU: 55555554
Call Trace:
 <TASK>
 txCommit+0x2149/0x4720
 jfs_create+0x808/0xb40
 lookup_open+0x11ba/0x15f0
 path_openat+0xed3/0x2980
 do_filp_open+0x1f9/0x2f0
 do_sys_openat2+0x4e3/0x710
 do_sys_open+0xc6/0x150
 __x64_sys_openat+0x9d/0x110
 do_syscall_64+0xcf/0x260
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fbeaee100bd
Code: c3 e8 17 2c 00 00 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffebb56d188 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fbeaee100bd
RDX: 000000000000275a RSI: 0000000020000040 RDI: 00000000ffffff9c
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000001
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffebb56d19c
R13: 00007ffebb56d1a0 R14: 0000000000000000 R15: 0000000000000000
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:txAbort+0x51e/0x570
Code: e9 96 fd ff ff e8 22 2c 73 fe 48 c7 c1 00 4f cd 8b ba ec 0a 00 00 48 c7 c6 e0 41 cd 8b 48 c7 c7 20 42 cd 8b e8 23 5d 52 fe 90 <0f> 0b e8 fb 2b 73 fe 48 c7 c1 40 4f cd 8b ba ed 0a 00 00 48 c7 c6
RSP: 0018:ffffc90014c7f4c0 EFLAGS: 00010286
RAX: 0000000000000034 RBX: dffffc0000000000 RCX: ffffffff819a5799
RDX: 0000000000000000 RSI: ffff888022bc0000 RDI: 0000000000000002
RBP: 0000000000000003 R08: fffffbfff1c4bb00 R09: ffffed100fdc47ba
R10: ffffed100fdc47b9 R11: ffff88807ee23dcb R12: 0000000000000000
R13: ffffc90001b69110 R14: ffff8880548a2ba0 R15: ffff8880548a2c48
FS:  000055558797f880(0000) GS:ffff8880eb36b000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f5264200058 CR3: 0000000023ba8000 CR4: 0000000000750ef0
PKRU: 55555554
2025/04/23 15:35:05 reproducing crash 'kernel BUG in txAbort': final repro crashed as (corrupted=false):
=======================================================
thanks,
Kun Hu
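As an added illustration for readers triaging reports like this one (this is not code from the reporter, from syzkaller or from the kernel tree), the Python script below pulls out of an oops the fields a maintainer reads first: the BUG site, the expression from JFS's own assert() banner, the symbol at the kernel RIP, the syscall that entered the kernel, and the in-kernel call trace. The SAMPLE_OOPS string is an excerpt copied from the report's output above with the register and Code: lines dropped; the syzkaller-style title it derives, "kernel BUG in txAbort", is the same label the reporter's tooling printed.

```python
import re
from dataclasses import dataclass, field

# Constructed test input: an excerpt of the oops from the report above, trimmed
# to the lines this script reads (register dumps and Code: lines dropped).
SAMPLE_OOPS = """\
read_mapping_page failed!
BUG at fs/jfs/jfs_txnmgr.c:2796 assert(mp->nohomeok)
------------[ cut here ]------------
kernel BUG at fs/jfs/jfs_txnmgr.c:2796!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
CPU: 1 UID: 0 PID: 9491 Comm: syz-executor237 Not tainted 6.15.0-rc1 #1 PREEMPT(full)
RIP: 0010:txAbort+0x51e/0x570
Call Trace:
 <TASK>
 txCommit+0x2149/0x4720
 jfs_create+0x808/0xb40
 lookup_open+0x11ba/0x15f0
 path_openat+0xed3/0x2980
 do_filp_open+0x1f9/0x2f0
 do_sys_openat2+0x4e3/0x710
 do_sys_open+0xc6/0x150
 __x64_sys_openat+0x9d/0x110
 do_syscall_64+0xcf/0x260
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fbeaee100bd
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
"""


@dataclass
class OopsSummary:
    kind: str = ""            # "kernel BUG" as printed by the kernel
    file: str = ""            # source file named in the "kernel BUG at" line
    line: int = 0
    assertion: str = ""       # expression from JFS's assert() banner, if present
    function: str = ""        # symbol at the first kernel-mode RIP (0010:)
    kernel: str = ""          # version string from the CPU: line
    tainted: bool = False
    pid: int = 0
    comm: str = ""            # process name, here the syzkaller executor
    call_trace: list[str] = field(default_factory=list)  # in-kernel frames, innermost first
    syscall: str = ""         # entry syscall recovered from the __x64_sys_* frame


BUG_RE = re.compile(r"^kernel BUG at (?P<file>\S+):(?P<line>\d+)!")
ASSERT_RE = re.compile(r"^BUG at \S+:\d+ assert\((?P<expr>.*)\)\s*$")
RIP_RE = re.compile(r"^RIP: 0010:(?P<sym>[A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")
CPU_RE = re.compile(r"^CPU: \d+ .*?PID: (?P<pid>\d+) Comm: (?P<comm>\S+) "
                    r"(?P<taint>Not tainted|Tainted: \S+) (?P<kver>\S+)")
FRAME_RE = re.compile(r"^\s+(?P<sym>[A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+\s*$")
SYSCALL_RE = re.compile(r"^__(?:x64|ia32|do|se)_sys_(?P<name>\w+)$")


def summarize(text: str) -> OopsSummary:
    """Walk the oops line by line; frames are only collected inside <TASK>...</TASK>."""
    s = OopsSummary()
    in_task = False
    for raw in text.splitlines():
        line = raw.rstrip()
        stripped = line.strip()
        if stripped == "<TASK>":
            in_task = True
            continue
        if stripped == "</TASK>":
            in_task = False
            continue
        if m := BUG_RE.match(line):
            s.kind, s.file, s.line = "kernel BUG", m["file"], int(m["line"])
        elif m := ASSERT_RE.match(line):
            s.assertion = m["expr"]
        elif (m := RIP_RE.match(line)) and not s.function:
            s.function = m["sym"]          # keep the first (crashing) kernel RIP only
        elif m := CPU_RE.match(line):
            s.pid, s.comm = int(m["pid"]), m["comm"]
            s.tainted = m["taint"] != "Not tainted"
            s.kernel = m["kver"]
        elif in_task and (m := FRAME_RE.match(line)):
            s.call_trace.append(m["sym"])
            if sc := SYSCALL_RE.match(m["sym"]):
                s.syscall = sc["name"]
    return s


def title(s: OopsSummary) -> str:
    """Syzkaller-style one-line title used to bucket duplicate reports."""
    return f"{s.kind} in {s.function}" if s.function else s.kind


if __name__ == "__main__":
    summary = summarize(SAMPLE_OOPS)
    print(title(summary))
    print(f"{summary.file}:{summary.line}  assert({summary.assertion})")
    print(f"{summary.kernel}  pid={summary.pid} comm={summary.comm} syscall={summary.syscall}")
    print(" <- ".join(summary.call_trace))
```

The assertion field is filled from the "BUG at ... assert(...)" banner that JFS prints before calling BUG(); a plain kernel BUG() without that banner leaves it empty, so do not key de-duplication on it. The title is taken from the kernel-mode RIP symbol rather than the first call-trace frame, which matches how the report above was labelled.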