syzbot


KASAN: slab-out-of-bounds Read in f2fs_build_segment_manager

Status: upstream: reported C repro on 2020/10/17 08:54
Reported-by: syzbot+c4113d7fde34d9da20de@syzkaller.appspotmail.com
First crash: 1512d, last: 756d
Fix bisection: failed (error log, bisect log)
  
Similar bugs (2)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-54 KASAN: slab-out-of-bounds Read in f2fs_build_segment_manager C 5 1515d 1534d 0/2 auto-obsoleted due to no activity on 2023/04/17 07:54
upstream KASAN: slab-out-of-bounds Read in f2fs_build_segment_manager f2fs C error 2 1534d 1533d 15/28 fixed on 2020/11/16 12:12
Fix bisection attempts (7)
Created Duration User Patch Repo Result
2021/11/08 14:17 17m bisect fix linux-4.19.y error job log
2021/07/21 23:43 28m bisect fix linux-4.19.y OK (0) job log log
2021/06/21 23:08 34m bisect fix linux-4.19.y OK (0) job log log
2021/05/22 06:24 31m bisect fix linux-4.19.y OK (0) job log log
2021/04/06 09:28 24m bisect fix linux-4.19.y OK (0) job log log
2021/02/14 00:00 0m bisect fix linux-4.19.y error job log
2021/01/08 13:17 25m bisect fix linux-4.19.y OK (0) job log log

Sample crash report:
F2FS-fs (loop0): invalid crc value
==================================================================
BUG: KASAN: slab-out-of-bounds in build_sit_entries fs/f2fs/segment.c:3961 [inline]
BUG: KASAN: slab-out-of-bounds in f2fs_build_segment_manager+0xa926/0xad90 fs/f2fs/segment.c:4230
Read of size 4 at addr ffff88809c700068 by task syz-executor241/8076

CPU: 0 PID: 8076 Comm: syz-executor241 Not tainted 4.19.211-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
 print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
 kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354
 kasan_report mm/kasan/report.c:412 [inline]
 __asan_report_load4_noabort+0x88/0x90 mm/kasan/report.c:432
 build_sit_entries fs/f2fs/segment.c:3961 [inline]
 f2fs_build_segment_manager+0xa926/0xad90 fs/f2fs/segment.c:4230
 f2fs_fill_super+0x31d9/0x7050 fs/f2fs/super.c:3016
 mount_bdev+0x2fc/0x3b0 fs/super.c:1158
 mount_fs+0xa3/0x310 fs/super.c:1261
 vfs_kern_mount.part.0+0x68/0x470 fs/namespace.c:961
 vfs_kern_mount fs/namespace.c:951 [inline]
 do_new_mount fs/namespace.c:2492 [inline]
 do_mount+0x115c/0x2f50 fs/namespace.c:2822
 ksys_mount+0xcf/0x130 fs/namespace.c:3038
 __do_sys_mount fs/namespace.c:3052 [inline]
 __se_sys_mount fs/namespace.c:3049 [inline]
 __x64_sys_mount+0xba/0x150 fs/namespace.c:3049
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f84913adefa
Code: 83 c4 08 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff86b22c78 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f84913adefa
RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007fff86b22c90
RBP: 00007fff86b22c90 R08: 00007fff86b22cd0 R09: 00005555567302c0
R10: 0000000000000000 R11: 0000000000000286 R12: 0000000000000004
R13: 00007fff86b22cd0 R14: 0000000000000027 R15: 00000000200005a8

Allocated by task 8076:
 __do_kmalloc_node mm/slab.c:3689 [inline]
 __kmalloc_node+0x4c/0x70 mm/slab.c:3696
 kmalloc_node include/linux/slab.h:557 [inline]
 kvmalloc_node+0x61/0xf0 mm/util.c:423
 kvmalloc include/linux/mm.h:577 [inline]
 f2fs_kvmalloc fs/f2fs/f2fs.h:2687 [inline]
 f2fs_kvzalloc fs/f2fs/f2fs.h:2693 [inline]
 build_sit_info fs/f2fs/segment.c:3809 [inline]
 f2fs_build_segment_manager+0x213d/0xad90 fs/f2fs/segment.c:4219
 f2fs_fill_super+0x31d9/0x7050 fs/f2fs/super.c:3016
 mount_bdev+0x2fc/0x3b0 fs/super.c:1158
 mount_fs+0xa3/0x310 fs/super.c:1261
 vfs_kern_mount.part.0+0x68/0x470 fs/namespace.c:961
 vfs_kern_mount fs/namespace.c:951 [inline]
 do_new_mount fs/namespace.c:2492 [inline]
 do_mount+0x115c/0x2f50 fs/namespace.c:2822
 ksys_mount+0xcf/0x130 fs/namespace.c:3038
 __do_sys_mount fs/namespace.c:3052 [inline]
 __se_sys_mount fs/namespace.c:3049 [inline]
 __x64_sys_mount+0xba/0x150 fs/namespace.c:3049
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 18:
 __cache_free mm/slab.c:3503 [inline]
 kfree+0xcc/0x210 mm/slab.c:3822
 __rcu_reclaim kernel/rcu/rcu.h:231 [inline]
 rcu_do_batch kernel/rcu/tree.c:2584 [inline]
 invoke_rcu_callbacks kernel/rcu/tree.c:2897 [inline]
 __rcu_process_callbacks kernel/rcu/tree.c:2864 [inline]
 rcu_process_callbacks+0xa0d/0x18b0 kernel/rcu/tree.c:2881
 __do_softirq+0x265/0x980 kernel/softirq.c:292

The buggy address belongs to the object at ffff88809c700000
 which belongs to the cache kmalloc-128 of size 128
The buggy address is located 104 bytes inside of
 128-byte region [ffff88809c700000, ffff88809c700080)
The buggy address belongs to the page:
page:ffffea000271c000 count:1 mapcount:0 mapping:ffff88813bff0640 index:0xffff88809c700480
flags: 0xfff00000000100(slab)
raw: 00fff00000000100 ffffea0002a94948 ffffea0002d37e48 ffff88813bff0640
raw: ffff88809c700480 ffff88809c700000 0000000100000011 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88809c6fff00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc
 ffff88809c6fff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88809c700000: 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc
                                                          ^
 ffff88809c700080: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
 ffff88809c700100: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
==================================================================

Crashes (24):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2022/11/11 17:18 linux-4.19.y 3f8a27f9e27b f42ee5d8 .config console log report syz C [disk image] [vmlinux] [mounted in repro] ci2-linux-4-19 KASAN: slab-out-of-bounds Read in f2fs_build_segment_manager
2022/07/28 22:09 linux-4.19.y 3f8a27f9e27b fb95c74d .config console log report syz C ci2-linux-4-19 KASAN: slab-out-of-bounds Read in f2fs_build_segment_manager
2020/10/17 09:27 linux-4.19.y a1b977b49b66 6e262c73 .config console log report syz C ci2-linux-4-19
2020/10/17 08:53 linux-4.19.y a1b977b49b66 6e262c73 .config console log report syz C ci2-linux-4-19
2022/11/11 17:09 linux-4.19.y 3f8a27f9e27b f42ee5d8 .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: slab-out-of-bounds Read in f2fs_build_segment_manager
2022/09/22 17:46 linux-4.19.y 3f8a27f9e27b 0042f2b4 .config console log report info ci2-linux-4-19 KASAN: slab-out-of-bounds Read in f2fs_build_segment_manager
2022/09/08 18:04 linux-4.19.y 3f8a27f9e27b f3027468 .config console log report info ci2-linux-4-19 KASAN: slab-out-of-bounds Read in f2fs_build_segment_manager
2022/08/17 13:15 linux-4.19.y 3f8a27f9e27b 4e72d229 .config console log report info ci2-linux-4-19 KASAN: slab-out-of-bounds Read in f2fs_build_segment_manager
2022/08/17 01:34 linux-4.19.y 3f8a27f9e27b 9e4b39c2 .config console log report info ci2-linux-4-19 KASAN: slab-out-of-bounds Read in f2fs_build_segment_manager
2022/08/07 14:13 linux-4.19.y 3f8a27f9e27b 88e3a122 .config console log report info ci2-linux-4-19 KASAN: slab-out-of-bounds Read in f2fs_build_segment_manager
2022/07/28 21:48 linux-4.19.y 3f8a27f9e27b fb95c74d .config console log report info ci2-linux-4-19 KASAN: slab-out-of-bounds Read in f2fs_build_segment_manager
2022/04/13 12:03 linux-4.19.y 3f8a27f9e27b b17b2923 .config console log report info ci2-linux-4-19 KASAN: slab-out-of-bounds Read in f2fs_build_segment_manager
2022/04/02 06:10 linux-4.19.y 3f8a27f9e27b 79a2a8fc .config console log report info ci2-linux-4-19 KASAN: slab-out-of-bounds Read in f2fs_build_segment_manager
2021/11/20 13:12 linux-4.19.y 3f8a27f9e27b 4eb20a4e .config console log report info ci2-linux-4-19 KASAN: slab-out-of-bounds Read in f2fs_build_segment_manager
2021/10/09 14:17 linux-4.19.y e34184f53363 838e7e2c .config console log report info ci2-linux-4-19 KASAN: slab-out-of-bounds Read in f2fs_build_segment_manager
2021/09/23 14:09 linux-4.19.y 2950c9c5e0df 8cac236e .config console log report info ci2-linux-4-19 KASAN: slab-out-of-bounds Read in f2fs_build_segment_manager
2021/08/29 00:39 linux-4.19.y e23d55af0e1f be2c130d .config console log report info ci2-linux-4-19 KASAN: slab-out-of-bounds Read in f2fs_build_segment_manager
2021/08/16 07:39 linux-4.19.y 59456c9cc40c 2489ab88 .config console log report info ci2-linux-4-19 KASAN: slab-out-of-bounds Read in f2fs_build_segment_manager
2021/04/22 06:24 linux-4.19.y 2965db2e004c 2bc8999a .config console log report info ci2-linux-4-19 KASAN: slab-out-of-bounds Read in f2fs_build_segment_manager
2021/03/07 09:28 linux-4.19.y dfb571610ba3 c599ed12 .config console log report info ci2-linux-4-19 KASAN: slab-out-of-bounds Read in f2fs_build_segment_manager
2021/02/17 08:57 linux-4.19.y 811218eceeaa 052f8d9f .config console log report info ci2-linux-4-19 KASAN: slab-out-of-bounds Read in f2fs_build_segment_manager
2021/01/15 00:00 linux-4.19.y 675cc038067f 468dbb55 .config console log report info ci2-linux-4-19
2020/12/09 13:16 linux-4.19.y 4abf26854aad 99917735 .config console log report info ci2-linux-4-19
2020/11/15 16:58 linux-4.19.y 31acccdc8774 1bf9a662 .config console log report info ci2-linux-4-19
* Struck through repros no longer work on HEAD.