[syzbot] [bcachefs?] KASAN: stack-out-of-bounds Read in do_encrypt
From: syzbot
Date: Mon Nov 18 2024 - 07:15:35 EST
Hello,
syzbot found the following issue on:
HEAD commit: 0a9b9d17f3a7 Merge tag 'pm-6.12-rc8' of git://git.kernel.o..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10f14b5f980000
kernel config: https://syzkaller.appspot.com/x/.config?x=d2aeec8c0b2e420c
dashboard link: https://syzkaller.appspot.com/bug?extid=1e42728e2fb48752d6f2
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7feb34a89c2a/non_bootable_disk-0a9b9d17.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/b80dd0292210/vmlinux-0a9b9d17.xz
kernel image: https://storage.googleapis.com/syzbot-assets/42a07c5c6678/bzImage-0a9b9d17.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+1e42728e2fb48752d6f2@xxxxxxxxxxxxxxxxxxxxxxxxx
loop0: detected capacity change from 0 to 32768
bcachefs (loop0): starting version 1.7: mi_btree_bitmap opts=metadata_checksum=none,data_checksum=none,compression=lz4,metadata_target=invalid device 255,noshard_inode_numbers,noinodes_use_key_cache,journal_flush_delay=1001,nojournal_transaction_names
bcachefs (loop0): recovering from clean shutdown, journal seq 13
bcachefs (loop0): Version upgrade required:
Version upgrade from 0.19: freespace to 1.7: mi_btree_bitmap incomplete
Doing incompatible version upgrade from 0.19: freespace to 1.13: inode_has_child_snapshots
running recovery passes: check_allocations,check_alloc_info,check_lrus,check_btree_backpointers,check_backpointers_to_extents,check_extents_to_backpointers,check_alloc_to_lru_refs,bucket_gens_init,check_snapshot_trees,check_snapshots,check_subvols,check_subvol_children,delete_dead_snapshots,check_inodes,check_extents,check_indirect_extents,check_dirents,check_xattrs,check_root,check_unreachable_inodes,check_subvolume_structure,check_directory_structure,check_nlinks,set_fs_needs_rebalance
==================================================================
BUG: KASAN: stack-out-of-bounds in sg_mark_end include/linux/scatterlist.h:258 [inline]
BUG: KASAN: stack-out-of-bounds in do_encrypt+0xa22/0xd70 fs/bcachefs/checksum.c:157
Read of size 8 at addr ffffc9000d3ce908 by task syz.0.0/5324
CPU: 0 UID: 0 PID: 5324 Comm: syz.0.0 Not tainted 6.12.0-rc7-syzkaller-00070-g0a9b9d17f3a7 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
sg_mark_end include/linux/scatterlist.h:258 [inline]
do_encrypt+0xa22/0xd70 fs/bcachefs/checksum.c:157
bset_encrypt fs/bcachefs/btree_io.h:118 [inline]
bch2_btree_node_read_done+0x1dfc/0x5e90 fs/bcachefs/btree_io.c:1074
btree_node_read_work+0x68b/0x1260 fs/bcachefs/btree_io.c:1327
bch2_btree_node_read+0x2433/0x2a10
__bch2_btree_root_read fs/bcachefs/btree_io.c:1753 [inline]
bch2_btree_root_read+0x617/0x7a0 fs/bcachefs/btree_io.c:1775
read_btree_roots+0x296/0x840 fs/bcachefs/recovery.c:523
bch2_fs_recovery+0x2585/0x39d0 fs/bcachefs/recovery.c:853
bch2_fs_start+0x356/0x5b0 fs/bcachefs/super.c:1036
bch2_fs_get_tree+0xd68/0x1710 fs/bcachefs/fs.c:2170
vfs_get_tree+0x90/0x2b0 fs/super.c:1814
do_new_mount+0x2be/0xb40 fs/namespace.c:3507
do_mount fs/namespace.c:3847 [inline]
__do_sys_mount fs/namespace.c:4057 [inline]
__se_sys_mount+0x2d6/0x3c0 fs/namespace.c:4034
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fb19557feba
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 1a 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fb19629be68 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007fb19629bef0 RCX: 00007fb19557feba
RDX: 0000000020000040 RSI: 000000002000f680 RDI: 00007fb19629beb0
RBP: 0000000020000040 R08: 00007fb19629bef0 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000002000f680
R13: 00007fb19629beb0 R14: 000000000000f629 R15: 0000000020000000
</TASK>
The buggy address belongs to stack of task syz.0.0/5324
and is located at offset 1768 in frame:
do_encrypt+0x0/0xd70
This frame has 8 objects:
[32, 48) 'nonce.i242'
[64, 528) '__req_desc.i243'
[592, 608) 'nonce.i224'
[624, 1088) '__req_desc.i225'
[1152, 1168) 'nonce.i'
[1184, 1648) '__req_desc.i'
[1712, 1744) 'sg'
[1776, 1928) 'sgl'
The buggy address belongs to the virtual mapping at
[ffffc9000d3c8000, ffffc9000d3d1000) created by:
copy_process+0x5d1/0x3d50 kernel/fork.c:2204
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88804272e9b0 pfn:0x4272e
flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
raw: 04fff00000000000 0000000000000000 dead000000000122 0000000000000000
raw: ffff88804272e9b0 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2dc2(GFP_KERNEL|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_ZERO), pid 5322, tgid 5322 (syz.0.0), ts 57859057176, free_ts 57840341861
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1556
prep_new_page mm/page_alloc.c:1564 [inline]
get_page_from_freelist+0x3649/0x3790 mm/page_alloc.c:3474
__alloc_pages_noprof+0x292/0x710 mm/page_alloc.c:4750
alloc_pages_mpol_noprof+0x3e8/0x680 mm/mempolicy.c:2265
vm_area_alloc_pages mm/vmalloc.c:3568 [inline]
__vmalloc_area_node mm/vmalloc.c:3646 [inline]
__vmalloc_node_range_noprof+0xa2b/0x13f0 mm/vmalloc.c:3828
alloc_thread_stack_node kernel/fork.c:315 [inline]
dup_task_struct+0x444/0x8c0 kernel/fork.c:1116
copy_process+0x5d1/0x3d50 kernel/fork.c:2204
kernel_clone+0x226/0x8f0 kernel/fork.c:2786
__do_sys_clone3 kernel/fork.c:3090 [inline]
__se_sys_clone3+0x2d8/0x360 kernel/fork.c:3069
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 4733 tgid 4733 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1127 [inline]
free_unref_page+0xdf9/0x1140 mm/page_alloc.c:2657
__slab_free+0x31b/0x3d0 mm/slub.c:4490
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x9a/0x140 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x14f/0x170 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x23/0x80 mm/kasan/common.c:329
kasan_slab_alloc include/linux/kasan.h:247 [inline]
slab_post_alloc_hook mm/slub.c:4085 [inline]
slab_alloc_node mm/slub.c:4134 [inline]
kmem_cache_alloc_noprof+0x135/0x2a0 mm/slub.c:4141
getname_flags+0xb7/0x540 fs/namei.c:139
do_sys_openat2+0xd2/0x1d0 fs/open.c:1409
do_sys_open fs/open.c:1430 [inline]
__do_sys_openat fs/open.c:1446 [inline]
__se_sys_openat fs/open.c:1441 [inline]
__x64_sys_openat+0x247/0x2a0 fs/open.c:1441
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Memory state around the buggy address:
ffffc9000d3ce800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffffc9000d3ce880: 00 00 f2 f2 f2 f2 f2 f2 f2 f2 00 00 00 00 f2 f2
>ffffc9000d3ce900: f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00
^
ffffc9000d3ce980: 00 00 00 00 00 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3
ffffc9000d3cea00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@xxxxxxxxxxxxxxxx.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup