| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <TYSPR06MB7158A2235E4058D3E32818A5F68D2@TYSPR06MB7158.apcprd06.prod.outlook.com> Date: Fri, 2 May 2025 04:49:16 +0000 From: "huk23@...udan.edu.cn" <huk23@...udan.edu.cn> To: Dave Kleikamp <shaggy@...nel.org> CC: Jiaji Qin <jjtan24@...udan.edu.cn>, Shuoran Bai <baishuoran@...eu.edu.cn>, jfs-discussion <jfs-discussion@...ts.sourceforge.net>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, "syzkaller@...glegroups.com" <syzkaller@...glegroups.com> Subject: BUG:read_message failed in LogSyncRelease Dear Maintainers, When using our customized Syzkaller to fuzz the latest Linux kernel, the following crash (36th)was triggered. HEAD commit: 6537cfb395f352782918d8ee7b7f10ba2cc3cbf2 git tree: upstream Output:https://github.com/pghk13/Kernel-Bug/blob/main/0103_6.13rc5_%E6%9C%AA%E6%8A%A5%E5%91%8A/%E6%9C%89%E7%9B%B8%E4%BC%BC%E6%A3%80%E7%B4%A2%E8%AE%B0%E5%BD%95/36-kernel%20BUG%20in%20txAbort/36call_trace.txt Kernel config:https://github.com/pghk13/Kernel-Bug/blob/main/config.txt C reproducer:https://github.com/pghk13/Kernel-Bug/blob/main/0103_6.13rc5_%E6%9C%AA%E6%8A%A5%E5%91%8A/%E6%9C%89%E7%9B%B8%E4%BC%BC%E6%A3%80%E7%B4%A2%E8%AE%B0%E5%BD%95/36-kernel%20BUG%20in%20txAbort/36repro.c Syzlang reproducer: https://github.com/pghk13/Kernel-Bug/blob/main/0103_6.13rc5_%E6%9C%AA%E6%8A%A5%E5%91%8A/%E6%9C%89%E7%9B%B8%E4%BC%BC%E6%A3%80%E7%B4%A2%E8%AE%B0%E5%BD%95/36-kernel%20BUG%20in%20txAbort/36repro.txt This error is triggered in the transaction abort function txAbort, which is located in the JFS transaction manager code. The error occurs on line 2796 of the fs/jfs/jfs_txnmgr.c file, asserting that mp->nohomeok failed. This indicates that in the specified "metapage" (MP) object, the value of the nohomeok flag does not meet the expected condition (possibly 0 or false, while the assertion requires it to be non-zero or true). We have reproduced this issue several times on 6.15-rc1 again. If you fix this issue, please add the following tag to the commit: Reported-by: Kun Hu <huk23@...udan.edu.cn>, Jiaji Qin <jjtan24@...udan.edu.cn>, Shuoran Bai <baishuoran@...eu.edu.cn> ======================================================= read_mapping_page failed! BUG at fs/jfs/jfs_txnmgr.c:2796 assert(mp->nohomeok) ------------[ cut here ]------------ kernel BUG at fs/jfs/jfs_txnmgr.c:2796! Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI CPU: 1 UID: 0 PID: 9491 Comm: syz-executor237 Not tainted 6.15.0-rc1 #1 PREEMPT(full) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 RIP: 0010:txAbort+0x51e/0x570 Code: e9 96 fd ff ff e8 22 2c 73 fe 48 c7 c1 00 4f cd 8b ba ec 0a 00 00 48 c7 c6 e0 41 cd 8b 48 c7 c7 20 42 cd 8b e8 23 5d 52 fe 90 <0f> 0b e8 fb 2b 73 fe 48 c7 c1 40 4f cd 8b ba ed 0a 00 00 48 c7 c6 RSP: 0018:ffffc90014c7f4c0 EFLAGS: 00010286 RAX: 0000000000000034 RBX: dffffc0000000000 RCX: ffffffff819a5799 RDX: 0000000000000000 RSI: ffff888022bc0000 RDI: 0000000000000002 RBP: 0000000000000003 R08: fffffbfff1c4bb00 R09: ffffed100fdc47ba R10: ffffed100fdc47b9 R11: ffff88807ee23dcb R12: 0000000000000000 R13: ffffc90001b69110 R14: ffff8880548a2ba0 R15: ffff8880548a2c48 FS: 000055558797f880(0000) GS:ffff8880eb36b000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f5264200058 CR3: 0000000023ba8000 CR4: 0000000000750ef0 PKRU: 55555554 Call Trace: <TASK> txCommit+0x2149/0x4720 jfs_create+0x808/0xb40 lookup_open+0x11ba/0x15f0 path_openat+0xed3/0x2980 do_filp_open+0x1f9/0x2f0 do_sys_openat2+0x4e3/0x710 do_sys_open+0xc6/0x150 __x64_sys_openat+0x9d/0x110 do_syscall_64+0xcf/0x260 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fbeaee100bd Code: c3 e8 17 2c 00 00 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffebb56d188 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fbeaee100bd RDX: 000000000000275a RSI: 0000000020000040 RDI: 00000000ffffff9c RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000001 R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffebb56d19c R13: 00007ffebb56d1a0 R14: 0000000000000000 R15: 0000000000000000 </TASK> Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010:txAbort+0x51e/0x570 Code: e9 96 fd ff ff e8 22 2c 73 fe 48 c7 c1 00 4f cd 8b ba ec 0a 00 00 48 c7 c6 e0 41 cd 8b 48 c7 c7 20 42 cd 8b e8 23 5d 52 fe 90 <0f> 0b e8 fb 2b 73 fe 48 c7 c1 40 4f cd 8b ba ed 0a 00 00 48 c7 c6 RSP: 0018:ffffc90014c7f4c0 EFLAGS: 00010286 RAX: 0000000000000034 RBX: dffffc0000000000 RCX: ffffffff819a5799 RDX: 0000000000000000 RSI: ffff888022bc0000 RDI: 0000000000000002 RBP: 0000000000000003 R08: fffffbfff1c4bb00 R09: ffffed100fdc47ba R10: ffffed100fdc47b9 R11: ffff88807ee23dcb R12: 0000000000000000 R13: ffffc90001b69110 R14: ffff8880548a2ba0 R15: ffff8880548a2c48 FS: 000055558797f880(0000) GS:ffff8880eb36b000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f5264200058 CR3: 0000000023ba8000 CR4: 0000000000750ef0 PKRU: 55555554 2025/04/23 15:35:05 reproducing crash 'kernel BUG in txAbort': final repro crashed as (corrupted=false): ======================================================= thanks, Kun Hu
Powered by blists - more mailing lists