syzbot


linux-next boot error: KASAN: global-out-of-bounds Read in fs_validate_description

Status: auto-closed as invalid on 2021/01/23 14:36
Subsystems: fs
Reported-by: syzbot+37dba74686ae4898e969@syzkaller.appspotmail.com
First crash: 1193d, last: 1190d
Discussions (1)
Title Replies (including bot) Last reply
linux-next boot error: KASAN: global-out-of-bounds Read in fs_validate_description 0 (1) 2020/12/11 12:13

Sample crash report:
FS-Cache: Loaded
CacheFiles: Loaded
TOMOYO: 2.6.0
Mandatory Access Control activated.
AppArmor: AppArmor Filesystem Enabled
pnp: PnP ACPI init
pnp: PnP ACPI: found 7 devices
clocksource: acpi_pm: mask: 0xffffff max_cycles: 0xffffff, max_idle_ns: 2085701024 ns
NET: Registered protocol family 2
tcp_listen_portaddr_hash hash table entries: 4096 (order: 6, 327680 bytes, vmalloc)
TCP established hash table entries: 65536 (order: 7, 524288 bytes, vmalloc)
TCP bind hash table entries: 65536 (order: 10, 4718592 bytes, vmalloc)
TCP: Hash tables configured (established 65536 bind 65536)
MPTCP token hash table entries: 8192 (order: 7, 720896 bytes, vmalloc)
UDP hash table entries: 4096 (order: 7, 655360 bytes, vmalloc)
UDP-Lite hash table entries: 4096 (order: 7, 655360 bytes, vmalloc)
NET: Registered protocol family 1
RPC: Registered named UNIX socket transport module.
RPC: Registered udp transport module.
RPC: Registered tcp transport module.
RPC: Registered tcp NFSv4.1 backchannel transport module.
NET: Registered protocol family 44
pci_bus 0000:00: resource 4 [io  0x0000-0x0cf7 window]
pci_bus 0000:00: resource 5 [io  0x0d00-0xffff window]
pci_bus 0000:00: resource 6 [mem 0x000a0000-0x000bffff window]
pci_bus 0000:00: resource 7 [mem 0xc0000000-0xfebfefff window]
pci 0000:00:00.0: Limiting direct PCI/PCI transfers
pci 0000:00:05.0: Video device with shadowed ROM at [mem 0x000c0000-0x000dffff]
PCI: CLS 0 bytes, default 64
PCI-DMA: Using software bounce buffering for IO (SWIOTLB)
software IO TLB: mapped [mem 0x00000000b5c00000-0x00000000b9c00000] (64MB)
RAPL PMU: API unit is 2^-32 Joules, 0 fixed counters, 10737418240 ms ovfl timer
kvm: already loaded the other module
clocksource: tsc: mask: 0xffffffffffffffff max_cycles: 0x212735223b2, max_idle_ns: 440795277976 ns
clocksource: Switched to clocksource tsc
Initialise system trusted keyrings
workingset: timestamp_bits=40 max_order=21 bucket_order=0
zbud: loaded
DLM installed
squashfs: version 4.0 (2009/01/31) Phillip Lougher
FS-Cache: Netfs 'nfs' registered for caching
NFS: Registering the id_resolver key type
Key type id_resolver registered
Key type id_legacy registered
nfs4filelayout_init: NFSv4 File Layout Driver Registering...
Installing knfsd (copyright (C) 1996 okir@monad.swb.de).
FS-Cache: Netfs 'cifs' registered for caching
Key type cifs.spnego registered
Key type cifs.idmap registered
==================================================================
BUG: KASAN: global-out-of-bounds in fs_validate_description+0x1a5/0x1d0 fs/fs_parser.c:371
Read of size 8 at addr ffffffff899b8160 by task swapper/0/1

CPU: 1 PID: 1 Comm: swapper/0 Not tainted 5.10.0-rc7-next-20201214-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x107/0x163 lib/dump_stack.c:120
 print_address_description.constprop.0.cold+0x5/0x2f8 mm/kasan/report.c:230
 __kasan_report mm/kasan/report.c:396 [inline]
 kasan_report.cold+0x79/0xd5 mm/kasan/report.c:413
 fs_validate_description+0x1a5/0x1d0 fs/fs_parser.c:371
 register_filesystem+0x78/0x320 fs/filesystems.c:78
 init_cifs+0x7a4/0x8cf fs/cifs/cifsfs.c:1622
 do_one_initcall+0x103/0x690 init/main.c:1220
 do_initcall_level init/main.c:1293 [inline]
 do_initcalls init/main.c:1309 [inline]
 do_basic_setup init/main.c:1329 [inline]
 kernel_init_freeable+0x600/0x684 init/main.c:1535
 kernel_init+0xe/0x1e0 init/main.c:1418
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296

The buggy address belongs to the variable:
 smb3_fs_parameters+0xc80/0xf60

Memory state around the buggy address:
 ffffffff899b8000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffffff899b8080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffffff899b8100: 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9
                                                       ^
 ffffffff899b8180: 05 f9 f9 f9 f9 f9 f9 f9 06 f9 f9 f9 f9 f9 f9 f9
 ffffffff899b8200: 06 f9 f9 f9 f9 f9 f9 f9 00 01 f9 f9 f9 f9 f9 f9
==================================================================

Crashes (18):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2020/12/14 14:35 linux-next 7bba37a15913 97183ed7 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/12/14 14:35 linux-next 7bba37a15913 97183ed7 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/12/14 14:35 linux-next 7bba37a15913 97183ed7 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/12/14 14:15 linux-next 7bba37a15913 b22a7ec3 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/12/14 14:15 linux-next 7bba37a15913 b22a7ec3 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/12/14 14:15 linux-next 7bba37a15913 b22a7ec3 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/12/13 20:25 linux-next 3cc2bd440f21 b22a7ec3 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/12/13 20:25 linux-next 3cc2bd440f21 b22a7ec3 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/12/13 20:25 linux-next 3cc2bd440f21 b22a7ec3 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/12/12 06:57 linux-next 3cc2bd440f21 bca53db9 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/12/12 06:57 linux-next 3cc2bd440f21 bca53db9 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/12/12 06:57 linux-next 3cc2bd440f21 bca53db9 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/12/11 12:19 linux-next 3cc2bd440f21 ba24ffcd .config console log report ci-upstream-linux-next-kasan-gce-root
2020/12/11 12:19 linux-next 3cc2bd440f21 ba24ffcd .config console log report ci-upstream-linux-next-kasan-gce-root
2020/12/11 12:19 linux-next 3cc2bd440f21 ba24ffcd .config console log report ci-upstream-linux-next-kasan-gce-root
2020/12/11 12:01 linux-next 3cc2bd440f21 f900b48c .config console log report ci-upstream-linux-next-kasan-gce-root
2020/12/11 12:01 linux-next 3cc2bd440f21 f900b48c .config console log report ci-upstream-linux-next-kasan-gce-root
2020/12/11 12:01 linux-next 3cc2bd440f21 f900b48c .config console log report ci-upstream-linux-next-kasan-gce-root
* Struck through repros no longer work on HEAD.