running recovery passes: check_allocations,check_extents_to_backpointers,check_snapshots,check_subvols,check_inodes,check_dirents,set_fs_needs_rebalance
==================================================================
BUG: KASAN: use-after-free in poly1305_update+0x138/0x188 lib/crypto/poly1305.c:44
Read of size 8 at addr ffff0000fd7b2a10 by task syz.4.38/6832

CPU: 1 UID: 0 PID: 6832 Comm: syz.4.38 Not tainted 6.16.0-rc2-syzkaller-g9aa9b43d689e #0 PREEMPT
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call trace:
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:501 (C)
 __dump_stack+0x30/0x40 lib/dump_stack.c:94
 dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120
 print_address_description+0xa8/0x254 mm/kasan/report.c:408
 print_report+0x68/0x84 mm/kasan/report.c:521
 kasan_report+0xb0/0x110 mm/kasan/report.c:634
 check_region_inline mm/kasan/generic.c:-1 [inline]
 kasan_check_range+0x264/0x2a4 mm/kasan/generic.c:189
 __asan_memcpy+0x3c/0x84 mm/kasan/shadow.c:105
 poly1305_update+0x138/0x188 lib/crypto/poly1305.c:44
 bch2_checksum+0x1d4/0x4ac fs/bcachefs/checksum.c:157
 bch2_btree_node_read_done+0xa2c/0x4320 fs/bcachefs/btree_io.c:1185
 btree_node_read_work+0x328/0xc1c fs/bcachefs/btree_io.c:1411
 bch2_btree_node_read+0x814/0x23f8 fs/bcachefs/btree_io.c:-1
 __bch2_btree_root_read fs/bcachefs/btree_io.c:1877 [inline]
 bch2_btree_root_read+0x280/0x3c8 fs/bcachefs/btree_io.c:1899
 read_btree_roots+0x218/0x6bc fs/bcachefs/recovery.c:604
 bch2_fs_recovery+0x1cbc/0x2fa8 fs/bcachefs/recovery.c:979
 bch2_fs_start+0x914/0xbc0 fs/bcachefs/super.c:1203
 bch2_fs_get_tree+0x890/0x1048 fs/bcachefs/fs.c:2489
 vfs_get_tree+0x90/0x28c fs/super.c:1802
 do_new_mount+0x228/0x814 fs/namespace.c:3885
 path_mount+0x5b4/0xde0 fs/namespace.c:4209
 do_mount fs/namespace.c:4222 [inline]
 __do_sys_mount fs/namespace.c:4433 [inline]
 __se_sys_mount fs/namespace.c:4410 [inline]
 __arm64_sys_mount+0x3e8/0x468 fs/namespace.c:4410
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x58/0x17c arch/arm64/kernel/entry-common.c:767
 el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:786
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x13d7b2
flags: 0x5ffc00000000000(node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000000000 fffffdffc3f5ec88 fffffdffc3f5ec88 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff0000fd7b2900: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff0000fd7b2980: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff0000fd7b2a00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                      ^
 ffff0000fd7b2a80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff0000fd7b2b00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
bcachefs (loop4): btree node read error at btree inodes level 0/0
  u64s 11 type btree_ptr_v2 SPOS_MAX len 0 ver 0: seq 2a20405ac3f40602 written 24 min_key POS_MIN durability: 1 ptr: 0:38:0 gen 0
  loop4 node offset 16/24 bset u64s 57662: checksum error, type chacha20_poly1305_128: got 44897596421f1d9d039b4de0af5b95b2 should be d1e256903dc89dd6436b0db8b45d2093
  flagging btree inodes lost data
  running recovery pass check_topology (2), currently at recovery_pass_empty (0)
  running recovery pass check_lrus (14), currently at recovery_pass_empty (0)
  running recovery pass check_backpointers_to_extents (16), currently at recovery_pass_empty (0)
  running recovery pass check_topology (2), currently at recovery_pass_empty (0)
  running recovery pass scan_for_btree_nodes (1), currently at recovery_pass_empty (0)
  ret fsck_errors_not_fixed
bcachefs (loop4): error reading btree root btree=inodes level=0: btree_node_read_error, fixing
bcachefs (loop4): btree node read error at btree dirents level 0/0
  u64s 11 type btree_ptr_v2 SPOS_MAX len 0 ver 0: seq 267fcf747c875937 written 24 min_key POS_MIN durability: 1 ptr: 0:41:0 gen 0
  loop4 node offset 8/24 bset u64s 6: checksum error, type chacha20_poly1305_128: got a4346e9064ab0d65c5cbd6c0b87edd28 should be abbf307d6f4195551a4398bf111cbb27
  flagging btree dirents lost data
  ret fsck_errors_not_fixed
bcachefs (loop4): error reading btree root btree=dirents level=0: btree_node_read_error, fixing
bcachefs (loop4): btree node read error at btree xattrs level 0/0
  u64s 11 type btree_ptr_v2 SPOS_MAX len 0 ver 0: seq 1b881868e2a6abe1 written 16 min_key POS_MIN durability: 1 ptr: 0:31:0 gen 0
  loop4 node offset 8/16 bset u64s 10: checksum error, type chacha20_poly1305_128: got 308f382c5ac21e8914cc710dac74a28b should be 1a1e92182bf9d380b4c7d201495bc585
  flagging btree xattrs lost data
  ret fsck_errors_not_fixed
bcachefs (loop4): error reading btree root btree=xattrs level=0: btree_node_read_error, fixing
bcachefs (loop4): btree node read error at btree alloc level 0/0
  u64s 11 type btree_ptr_v2 SPOS_MAX len 0 ver 0: seq 1818ce08861e3527 written 40 min_key POS_MIN durability: 1 ptr: 0:26:0 gen 0
  loop4 node offset 8/40 bset u64s 375: checksum error, type chacha20_poly1305_128: got 3c9a4269dade53214047db48ac9990c5 should be 61ec379a8789477e76ff1a5280fd6dbd
  flagging btree alloc lost data
  running recovery pass check_alloc_info (13), currently at recovery_pass_empty (0)
  ret fsck_errors_not_fixed
bcachefs (loop4): error reading btree root btree=alloc level=0: btree_node_read_error, fixing
bcachefs (loop4): btree node read error at btree snapshots level 0/0
  u64s 11 type btree_ptr_v2 SPOS_MAX len 0 ver 0: seq d771a06d670df06c written 16 min_key POS_MIN durability: 1 ptr: 0:32:0 gen 0
  loop4 node offset 8/16 bset u64s 6: checksum error, type chacha20_poly1305_128: got 15f9ee883f5acb7e2fcbf886da7072c6 should be 0176b982601c8c7be5dd888361fca1bb
  flagging btree snapshots lost data
  running recovery pass reconstruct_snapshots (21), currently at recovery_pass_empty (0)
  ret fsck_errors_not_fixed
bcachefs (loop4): error reading btree root btree=snapshots level=0: btree_node_read_error, fixing
bcachefs (loop4): btree node read error at btree freespace level 0/0
  u64s 11 type btree_ptr_v2 SPOS_MAX len 0 ver 0: seq b6c44d07df4e9bb7 written 48 min_key POS_MIN durability: 1 ptr: 0:29:0 gen 0
  loop4 node offset 24/48 bset u64s 8: checksum error, type chacha20_poly1305_128: got 25092e5850a3508323899be4f168d897 should be 87471a53d12495829bed93d84e7fbb87
  flagging btree freespace lost data
  ret fsck_errors_not_fixed
bcachefs (loop4): error reading btree root btree=freespace level=0: btree_node_read_error, fixing
bcachefs (loop4): btree node read error at btree backpointers level 0/0
  u64s 11 type btree_ptr_v2 SPOS_MAX len 0 ver 0: seq 3b468546fb27822d written 24 min_key POS_MIN durability: 1 ptr: 0:36:0 gen 0
  loop4 node offset 16/24 bset u64s 14: checksum error, type chacha20_poly1305_128: got f1b5cf4c0bbfc343e08c990e41f6f375 should be 6399ef4aeb6d8a4369c39b0b9ed27362
  flagging btree backpointers lost data
  running recovery pass check_btree_backpointers (15), currently at recovery_pass_empty (0)
  ret fsck_errors_not_fixed
bcachefs (loop4): error reading btree root btree=backpointers level=0: btree_node_read_error, fixing
bcachefs (loop4): check_topology...
bcachefs (loop4): btree root inodes unreadable, must recover from scan
bcachefs (loop4): no nodes found for btree inodes, continuing
bcachefs (loop4): btree root dirents unreadable, must recover from scan
bcachefs (loop4): no nodes found for btree dirents, continuing
bcachefs (loop4): btree root xattrs unreadable, must recover from scan
bcachefs (loop4): no nodes found for btree xattrs, continuing
bcachefs (loop4): btree root snapshots unreadable, must recover from scan
bcachefs (loop4): no nodes found for btree snapshots, continuing
done
bcachefs (loop4): accounting_read... done
bcachefs (loop4): alloc_read... done
bcachefs (loop4): snapshots_read... done
bcachefs (loop4): check_allocations...
bcachefs (loop4): bucket 0:34 data type user ptr gen 0 missing in alloc btree
  while marking u64s 8 type extent 4099:8:U32_MAX len 8 ver 1: durability: 1 crc: c_size 8 size 8 offset 0 nonce 0 csum chacha20_poly1305_80 e371:ac69b75b10c57971 compress incompressible ptr: 0:34:0 gen 0, fixing
bcachefs (loop4): bucket 0:27 data type btree ptr gen 0 missing in alloc btree
  while marking u64s 11 type btree_ptr_v2 SPOS_MAX len 0 ver 0: seq 4e0410879b0c2f04 written 16 min_key POS_MIN durability: 1 ptr: 0:27:0 gen 0, fixing
bcachefs (loop4): bucket 0:35 data type btree ptr gen 0 missing in alloc btree
  while marking u64s 11 type btree_ptr_v2 SPOS_MAX len 0 ver 0: seq d682cebdf2a7eb26 written 16 min_key POS_MIN durability: 1 ptr: 0:35:0 gen 0, fixing
bcachefs (loop4): bucket 0:28 data type btree ptr gen 0 missing in alloc btree
  while marking u64s 11 type btree_ptr_v2 SPOS_MAX len 0 ver 0: seq 93dda84068e88b3f written 16 min_key POS_MIN durability: 1 ptr: 0:28:0 gen 0, fixing
bcachefs (loop4): bucket 0:40 data type btree ptr gen 0 missing in alloc btree
  while marking u64s 11 type btree_ptr_v2 SPOS_MAX len 0 ver 0: seq 82036bda63714c10 written 8 min_key POS_MIN durability: 1 ptr: 0:40:0 gen 0, fixing
done
bcachefs (loop4): going read-write
bcachefs (loop4): journal_replay... done
bcachefs (loop4): check_alloc_info...
bcachefs (loop4): hole in alloc btree missing in freespace btree device 0 buckets 25-27, fixing
bcachefs (loop4): hole in alloc btree missing in freespace btree device 0 buckets 29-30, fixing
bcachefs (loop4): hole in alloc btree missing in freespace btree device 0 buckets 32-34, fixing
bcachefs (loop4): hole in alloc btree missing in freespace btree device 0 buckets 36-39, fixing
bcachefs (loop4): hole in alloc btree missing in freespace btree device 0 buckets 41-120, fixing
bcachefs (loop4): hole in alloc btree missing in freespace btree device 0 buckets 41-46, fixing
bcachefs (loop4): hole in alloc btree missing in freespace btree device 0 buckets 47-120, fixing
done
bcachefs (loop4): check_lrus... done
bcachefs (loop4): check_btree_backpointers... done
bcachefs (loop4): check_backpointers_to_extents... done
bcachefs (loop4): check_extents_to_backpointers...
bcachefs (loop4): scanning for missing backpointers in 6/128 buckets
done
bcachefs (loop4): reconstruct_snapshots...
bcachefs (loop4): snapshot node 4294967295 from tree 4294967295 missing, recreating
done
bcachefs (loop4): check_snapshots... done
bcachefs (loop4): check_subvols...
bcachefs (loop4): subvolume 1 points to missing subvolume root 4096:4294967295, shutting down
error not marked as autofix and not in fsck
run fsck, and forward to devs so error can be marked for self-healing
emergency read only at seq 21
bcachefs (loop4): bch2_check_subvols(): error fsck_errors_not_fixed
bcachefs (loop4): error in recovery: fsck_errors_not_fixed
bcachefs (loop4): bch2_fs_start(): error starting filesystem fsck_errors_not_fixed
bcachefs (loop4): shutting down
bcachefs (loop4): shutdown complete
bcachefs: bch2_fs_get_tree() error: fsck_errors_not_fixed