lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CAMVG2svM0G-=OZidTONdP6V7AjKiLLLYgwjZZC_fU7_pWa=zXQ@mail.gmail.com>
Date: Tue, 30 Dec 2025 15:32:39 +0800
From: Daniel J Blueman <daniel@...ra.org>
To: David Sterba <dsterba@...e.com>, Chris Mason <clm@...com>, 
	Linux BTRFS <linux-btrfs@...r.kernel.org>
Cc: linux-crypto@...r.kernel.org, Linux Kernel <linux-kernel@...r.kernel.org>
Subject: [6.19-rc3] xxhash invalid access during BTRFS mount

Hi Dave, Chris et al,

When mounting a BTRFS filesystem on 6.19-rc3 on ARM64 using xxhash
checksumming and KASAN, I see invalid access:

BTRFS info (device nvme0n1p5): first mount of filesystem
f99f2753-0283-4f93-8f5d-7a9f59f148cc
BTRFS info (device nvme0n1p5): using xxhash64 (xxhash64-generic)
checksum algorithm
==================================================================
BUG: KASAN: invalid-access in xxh64_update (lib/xxhash.c:143 lib/xxhash.c:283)
Read of size 8 at addr 21ff000802247000 by task kworker/u48:3/48
Pointer tag: [21], memory tag: [c0]

CPU: 1 UID: 0 PID: 48 Comm: kworker/u48:3 Tainted: G      E
6.19.0-rc3 #19 PREEMPTLAZY
Tainted: [E]=UNSIGNED_MODULE
Hardware name: LENOVO 83ED/LNVNB161216, BIOS NHCN60WW 09/11/2025
Workqueue: btrfs-endio-meta simple_end_io_work
Call trace:
show_stack (arch/arm64/kernel/stacktrace.c:501) (C)
dump_stack_lvl (lib/dump_stack.c:122)
print_address_description.isra.0 (mm/kasan/report.c:379)
print_report (mm/kasan/report.c:450 (discriminator 1)
mm/kasan/report.c:483 (discriminator 1))
kasan_report (mm/kasan/report.c:597)
kasan_check_range (mm/kasan/sw_tags.c:86 (discriminator 1))
__hwasan_loadN_noabort (mm/kasan/sw_tags.c:158)
xxh64_update (lib/xxhash.c:143 lib/xxhash.c:283)
xxhash64_update (crypto/xxhash_generic.c:49)
crypto_shash_finup (crypto/shash.c:123 (discriminator 1))
csum_tree_block (fs/btrfs/disk-io.c:110 (discriminator 3))
btrfs_validate_extent_buffer (fs/btrfs/disk-io.c:404)
end_bbio_meta_read (fs/btrfs/extent_io.c:3822 (discriminator 1))
btrfs_bio_end_io (fs/btrfs/bio.c:146)
simple_end_io_work (fs/btrfs/bio.c:382)
process_one_work (./arch/arm64/include/asm/jump_label.h:36
./include/trace/events/workqueue.h:110 kernel/workqueue.c:3262)
worker_thread (kernel/workqueue.c:3334 (discriminator 2)
kernel/workqueue.c:3421 (discriminator 2))
kthread (kernel/kthread.c:463)
ret_from_fork (arch/arm64/kernel/entry.S:861)

The buggy address belongs to the physical page:
page: refcount:2 mapcount:0 mapping:00000000973bd0ac index:0x9731 pfn:0x882247
memcg:aaff000800ae1b00
aops:btree_aops ino:1
flags: 0x47e400000004020(lru|private|node=0|zone=2|kasantag=0x3f)
raw: 047e400000004020 fffffdffe0089188 fffffdffe0089208 ccff000814148300
raw: 0000000000009731 10ff0008493322d0 00000002ffffffff aaff000800ae1b00
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff000802246e00: 21 21 21 21 21 21 21 21 21 21 21 21 21 21 21 21
ffff000802246f00: 21 21 21 21 21 21 21 21 21 21 21 21 21 21 21 21
>ffff000802247000: c0 c0 c0 c0 c0 c0 c0 c0 c0 c0 c0 c0 c0 c0 c0 c0
^
ffff000802247100: c0 c0 c0 c0 c0 c0 c0 c0 c0 c0 c0 c0 c0 c0 c0 c0
ffff000802247200: c0 c0 c0 c0 c0 c0 c0 c0 c0 c0 c0 c0 c0 c0 c0 c0

Let me know for any further testing or debug.

Thanks,
  Dan
--
Daniel J Blueman

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ