syzbot


KASAN: slab-out-of-bounds Read in xlog_pack_data

Status: upstream: reported C repro on 2023/06/14 08:07
Bug presence: origin:upstream
Labels: missing-backport
Reported-by: syzbot+66f256de193ab682584f@syzkaller.appspotmail.com
First crash: 327d, last: 281d
Fix bisection: failed (error log, bisect log)
Bug presence (3)
Date        Name                Commit        Repro  Result
2023/07/30  linux-5.15.y (ToT)  09996673e313  C      [report] KASAN: slab-out-of-bounds Read in xlog_pack_data
2023/06/14  upstream (ToT)      b6dad5178cea  C      [report] KASAN: slab-out-of-bounds Read in xlog_pack_data
2023/07/29  upstream (ToT)      12214540ad87  C      Didn't crash
Similar bugs (2)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: slab-out-of-bounds Read in xlog_pack_data xfs C error done 4 327d 323d 23/26 fixed on 2023/10/12 12:48
linux-6.1 KASAN: slab-out-of-bounds Read in xlog_pack_data origin:upstream missing-backport C inconclusive 1 282d 327d 0/3 upstream: reported C repro on 2023/06/14 05:02
Fix bisection attempts (5)
Created           Duration  User           Patch  Repo          Result
2024/03/15 02:11  1m        fix candidate         upstream      error job log (0)
2024/02/10 23:30  0m        fix candidate         upstream      error job log (0)
2023/12/30 17:00  16m       fix candidate         upstream      error job log (0)
2023/10/25 05:21  0m        fix candidate         upstream      error job log (0)
2023/07/23 18:43  0m        bisect fix            linux-5.15.y  error job log (0)

Sample crash report:
XFS (loop0): Torn write (CRC failure) detected at log block 0x10. Truncating head block from 0x20.
XFS (loop0): Ending clean mount
XFS (loop0): Unmounting Filesystem
==================================================================
BUG: KASAN: slab-out-of-bounds in xlog_pack_data+0x2c8/0x444 fs/xfs/xfs_log.c:1760
Read of size 4 at addr ffff0000d4164e00 by task syz-executor146/3966

CPU: 0 PID: 3966 Comm: syz-executor146 Not tainted 5.15.116-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023
Call trace:
 dump_backtrace+0x0/0x530 arch/arm64/kernel/stacktrace.c:152
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:216
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
 print_address_description+0x7c/0x3f0 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:434 [inline]
 kasan_report+0x174/0x1e4 mm/kasan/report.c:451
 __asan_report_load4_noabort+0x44/0x50 mm/kasan/report_generic.c:308
 xlog_pack_data+0x2c8/0x444 fs/xfs/xfs_log.c:1760
 xlog_sync+0x3ec/0xe78 fs/xfs/xfs_log.c:2014
 xlog_state_release_iclog+0x554/0xaf0 fs/xfs/xfs_log.c:596
 xlog_force_iclog fs/xfs/xfs_log.c:864 [inline]
 xlog_force_and_check_iclog+0x12c/0x258 fs/xfs/xfs_log.c:3223
 xlog_force_lsn+0x690/0x7bc fs/xfs/xfs_log.c:3395
 xfs_log_force_seq+0x310/0x81c fs/xfs/xfs_log.c:3460
 __xfs_trans_commit+0x8cc/0xe98 fs/xfs/xfs_trans.c:890
 xfs_trans_commit+0x24/0x34 fs/xfs/xfs_trans.c:925
 xfs_sync_sb+0x144/0x1ac fs/xfs/libxfs/xfs_sb.c:1004
 xfs_log_cover fs/xfs/xfs_log.c:1235 [inline]
 xfs_log_quiesce+0x424/0x684 fs/xfs/xfs_log.c:1052
 xfs_log_clean+0xb4/0x9bc fs/xfs/xfs_log.c:1059
 xfs_log_unmount+0x30/0xbc fs/xfs/xfs_log.c:1074
 xfs_unmountfs+0x128/0x1c8 fs/xfs/xfs_mount.c:1040
 xfs_fs_put_super+0x70/0x250 fs/xfs/xfs_super.c:1090
 generic_shutdown_super+0x130/0x29c fs/super.c:475
 kill_block_super+0x70/0xdc fs/super.c:1405
 deactivate_locked_super+0xb8/0x13c fs/super.c:335
 deactivate_super+0x108/0x128 fs/super.c:366
 cleanup_mnt+0x3c0/0x474 fs/namespace.c:1143
 __cleanup_mnt+0x20/0x30 fs/namespace.c:1150
 task_work_run+0x130/0x1e4 kernel/task_work.c:164
 exit_task_work include/linux/task_work.h:32 [inline]
 do_exit+0x688/0x2134 kernel/exit.c:872
 do_group_exit+0x110/0x268 kernel/exit.c:994
 __do_sys_exit_group kernel/exit.c:1005 [inline]
 __se_sys_exit_group kernel/exit.c:1003 [inline]
 __wake_up_parent+0x0/0x60 kernel/exit.c:1003
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
 do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
 el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:596
 el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:614
 el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584

The buggy address belongs to the page:
page:00000000e62389df refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x114140
head:00000000e62389df order:6 compound_mapcount:0 compound_pincount:0
flags: 0x5ffc00000010000(head|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000010000 0000000000000000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff0000d4164d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff0000d4164d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff0000d4164e00: 01 fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
                   ^
 ffff0000d4164e80: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
 ffff0000d4164f00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
==================================================================
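
The "Memory state" rows above are generic-KASAN shadow bytes (the report comes from __asan_report_load4_noabort, i.e. generic mode): each byte covers an 8-byte granule, 00 means the whole granule is addressable, 01..07 means only that many leading bytes are, and values of 0x80 and above mark poisoned memory, the value naming the poison type. Read against "Read of size 4 at addr ffff0000d4164e00", the 01 under the caret says the buffer ends one byte into that granule, so the 4-byte read in xlog_pack_data overruns it by three bytes; the fe granules after it are KASAN_PAGE_REDZONE, the poison KASAN places after a page-backed (kmalloc_large) allocation, which fits the report listing a page but no slab object. The C program below is an added example, not part of the syzbot report or of the kernel tree: it re-implements the generic-KASAN byte rule (memory_is_poisoned_1() in mm/kasan/generic.c) in user space and runs it over the three shadow rows copied from the report. The poison codes and their names are assumed from mm/kasan/kasan.h as of 5.15.

```c
/* Added example: user-space replay of the generic-KASAN shadow check over the
 * shadow rows copied from the report above. Not kernel code; the poison codes
 * and names are assumed from mm/kasan/kasan.h (5.15). */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define KASAN_GRANULE_SIZE 8
#define KASAN_GRANULE_MASK (KASAN_GRANULE_SIZE - 1)
#define SHADOW_ROW_BYTES   16	/* one "Memory state" row: 16 shadow bytes = 128 bytes */

/* One row of the "Memory state around the buggy address" dump. */
struct shadow_row {
	uint64_t base;			/* first address the row describes */
	uint8_t shadow[SHADOW_ROW_BYTES];
};

/* Poison codes from mm/kasan/kasan.h, 5.15 names (assumed, not from the report). */
static const char *kasan_poison_name(uint8_t s)
{
	switch (s) {
	case 0xff: return "KASAN_FREE_PAGE (freed page)";
	case 0xfe: return "KASAN_PAGE_REDZONE (redzone after a kmalloc_large / page allocation)";
	case 0xfc: return "KASAN_KMALLOC_REDZONE (redzone inside a slab object)";
	case 0xfb: return "KASAN_KMALLOC_FREE (freed slab object)";
	default:   return "other poison";
	}
}

/* Shadow byte covering addr; false if the dump does not cover that address. */
static bool shadow_lookup(const struct shadow_row *rows, size_t nrows,
			  uint64_t addr, uint8_t *out)
{
	const uint64_t span = SHADOW_ROW_BYTES * KASAN_GRANULE_SIZE;

	for (size_t i = 0; i < nrows; i++) {
		if (addr >= rows[i].base && addr < rows[i].base + span) {
			*out = rows[i].shadow[(addr - rows[i].base) / KASAN_GRANULE_SIZE];
			return true;
		}
	}
	return false;
}

/* memory_is_poisoned_1() rule: 0 = whole granule addressable, 1..7 = only the
 * first N bytes of the granule, anything else = poisoned. */
static bool kasan_byte_ok(uint8_t shadow, uint64_t addr)
{
	if (shadow == 0)
		return true;
	if (shadow < KASAN_GRANULE_SIZE)
		return (addr & KASAN_GRANULE_MASK) < shadow;
	return false;
}

/* Check a size-byte access at addr: -1 if every byte is addressable, -2 if the
 * dump does not cover it, else the offset of the first bad byte (so
 * addr + result is where the allocation ends). */
static long kasan_first_bad_byte(const struct shadow_row *rows, size_t nrows,
				 uint64_t addr, size_t size)
{
	for (size_t off = 0; off < size; off++) {
		uint8_t s;

		if (!shadow_lookup(rows, nrows, addr + off, &s))
			return -2;
		if (!kasan_byte_ok(s, addr + off))
			return (long)off;
	}
	return -1;
}

/* The three rows around the access, copied from the report. */
static const struct shadow_row report_rows[] = {
	{ 0xffff0000d4164d80ULL, { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
				   0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 } },
	{ 0xffff0000d4164e00ULL, { 0x01,0xfe,0xfe,0xfe,0xfe,0xfe,0xfe,0xfe,
				   0xfe,0xfe,0xfe,0xfe,0xfe,0xfe,0xfe,0xfe } },
	{ 0xffff0000d4164e80ULL, { 0xfe,0xfe,0xfe,0xfe,0xfe,0xfe,0xfe,0xfe,
				   0xfe,0xfe,0xfe,0xfe,0xfe,0xfe,0xfe,0xfe } },
};
#define NROWS (sizeof(report_rows) / sizeof(report_rows[0]))

/* The reported access: "Read of size 4 at addr ffff0000d4164e00". */
#define REPORT_ADDR 0xffff0000d4164e00ULL
#define REPORT_SIZE 4

static long report_first_bad_byte(void)
{
	return kasan_first_bad_byte(report_rows, NROWS, REPORT_ADDR, REPORT_SIZE);
}

/* Shadow of the granule following the one that holds the buffer end. */
static uint8_t report_poison_after_buffer(void)
{
	uint8_t s = 0;

	shadow_lookup(report_rows, NROWS, REPORT_ADDR + KASAN_GRANULE_SIZE, &s);
	return s;
}

int main(void)
{
	long bad = report_first_bad_byte();

	if (bad < 0) {
		printf("access in bounds or not covered by the dump (%ld)\n", bad);
		return 0;
	}
	printf("read of %d at %#llx: byte %ld is the first out of bounds\n",
	       REPORT_SIZE, (unsigned long long)REPORT_ADDR, bad);
	printf("buffer ends at %#llx, overrun by %ld byte(s)\n",
	       (unsigned long long)(REPORT_ADDR + bad), (long)REPORT_SIZE - bad);
	printf("next granule: %s\n", kasan_poison_name(report_poison_after_buffer()));
	return 0;
}
```

The kernel's memory_is_poisoned_2_4_8() shortcut only inspects the shadow of the last byte (and of the first when the access straddles a granule); walking every byte as above gives the same verdict and additionally tells you which byte is the first one past the allocation, which is what you need when sizing the overrun from a report like this one.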

Crashes (1):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2023/06/14 08:07 linux-5.15.y 7349e40704a0 d2ee9228 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-5-15-kasan-arm64 KASAN: slab-out-of-bounds Read in xlog_pack_data