(cc linux-bcachefs)

On Mon, 30 Dec 2024 at 07:28, Liebes Wang <wanghaichi0403@xxxxxxxxx> wrote:
>
> Dear Linux maintainers and reviewers:
>
> We are reporting a Linux kernel bug titled **KASAN: use-after-free Read in poly1305_core_blocks**, discovered using a modified version of Syzkaller.
> This looks like a bcachefs problem.
> Linux version: v6.12-rc6:59b723cd2adbac2a34fc8e12c74ae26ae45bf230 (the crash is also reproduced in the latest kernel version)
> The test case and kernel config are attached.
>
> The KASAN report (the full report is attached):
>
> BUG: KASAN: use-after-free in get_unaligned_le64 include/linux/unaligned.h:28 [inline]
> BUG: KASAN: use-after-free in poly1305_core_blocks lib/crypto/poly1305-donna64.c:64 [inline]
> BUG: KASAN: use-after-free in poly1305_core_blocks+0x404/0x480 lib/crypto/poly1305-donna64.c:32
> Read of size 8 at addr ff11000187440000 by task syz.0.5831/33784
>
> CPU: 0 UID: 0 PID: 33784 Comm: syz.0.5831 Not tainted 6.12.0-rc6 #1
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
> Call Trace:
>  <TASK>
>  __dump_stack lib/dump_stack.c:94 [inline]
>  dump_stack_lvl+0xca/0x120 lib/dump_stack.c:120
>  print_address_description mm/kasan/report.c:377 [inline]
>  print_report+0xcb/0x620 mm/kasan/report.c:488
>  kasan_report+0xbd/0xf0 mm/kasan/report.c:601
>  get_unaligned_le64 include/linux/unaligned.h:28 [inline]
>  poly1305_core_blocks lib/crypto/poly1305-donna64.c:64 [inline]
>  poly1305_core_blocks+0x404/0x480 lib/crypto/poly1305-donna64.c:32
>  crypto_poly1305_update+0x83/0x1e0 crypto/poly1305_generic.c:93
>  bch2_checksum+0x1da/0x2a0 fs/bcachefs/checksum.c:238
>  bch2_btree_node_read_done+0xfa4/0x4e70 fs/bcachefs/btree_io.c:1101
>  btree_node_read_work+0x63e/0xf70 fs/bcachefs/btree_io.c:1327
>  bch2_btree_node_read+0x76c/0xdf0 fs/bcachefs/btree_io.c:1712
>  __bch2_btree_root_read fs/bcachefs/btree_io.c:1753 [inline]
>  bch2_btree_root_read+0x2c5/0x460 fs/bcachefs/btree_io.c:1775
>  read_btree_roots fs/bcachefs/recovery.c:523 [inline]
>  bch2_fs_recovery+0x1db7/0x3c60 fs/bcachefs/recovery.c:853
>  bch2_fs_start+0x2d8/0x610 fs/bcachefs/super.c:1036
>  bch2_fs_get_tree+0xfda/0x15d0 fs/bcachefs/fs.c:2170
>  vfs_get_tree+0x94/0x380 fs/super.c:1814
>  do_new_mount fs/namespace.c:3507 [inline]
>  path_mount+0x6b2/0x1eb0 fs/namespace.c:3834
>  do_mount fs/namespace.c:3847 [inline]
>  __do_sys_mount fs/namespace.c:4057 [inline]
>  __se_sys_mount fs/namespace.c:4034 [inline]
>  __x64_sys_mount+0x283/0x300 fs/namespace.c:4034
>  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
>  do_syscall_64+0xc1/0x1d0 arch/x86/entry/common.c:83
>  entry_SYSCALL_64_after_hwframe+0x77/0x7f
>
> Feel free to reach out if additional information or clarifications are needed. We hope this report aids in identifying and fixing the bug.
>
> Best regards,
>
> Haichi Wang
>
> Tianjin University
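A small triage helper, added here as an example and not part of the report or of the kernel tree: it parses the KASAN report quoted above (a constructed, trimmed excerpt is embedded in the code) to pull out the bug class, the access, the innermost faulting frame and the first frame under fs/bcachefs/, which is the subsystem the report should be routed to.

```python
import re

# Constructed excerpt of the KASAN report quoted above, trimmed to the frames
# the triage needs; the frame text is copied from the report in the mail.
KASAN_REPORT = """\
BUG: KASAN: use-after-free in get_unaligned_le64 include/linux/unaligned.h:28 [inline]
BUG: KASAN: use-after-free in poly1305_core_blocks+0x404/0x480 lib/crypto/poly1305-donna64.c:32
Read of size 8 at addr ff11000187440000 by task syz.0.5831/33784
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0xca/0x120 lib/dump_stack.c:120
 kasan_report+0xbd/0xf0 mm/kasan/report.c:601
 get_unaligned_le64 include/linux/unaligned.h:28 [inline]
 poly1305_core_blocks lib/crypto/poly1305-donna64.c:64 [inline]
 poly1305_core_blocks+0x404/0x480 lib/crypto/poly1305-donna64.c:32
 crypto_poly1305_update+0x83/0x1e0 crypto/poly1305_generic.c:93
 bch2_checksum+0x1da/0x2a0 fs/bcachefs/checksum.c:238
"""

BUG_RE = re.compile(r"^BUG: KASAN: (?P<kind>[\w-]+) in ")
ACCESS_RE = re.compile(r"^(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<task>\S+)$")
FRAME_RE = re.compile(r"^\s*(?P<func>[\w.]+)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)? (?P<file>\S+):(?P<line>\d+)(?P<inline> \[inline\])?$")
SKIP_FILES = ("lib/dump_stack.c", "mm/kasan/")  # reporting machinery, never the bug site

def triage(report, subsystem_prefix):
    # Bug class, access details, innermost real frame, and the first frame under subsystem_prefix.
    out = dict(kind=None, op=None, size=None, addr=None, task=None, faulting_frame=None, subsystem_frame=None)
    in_trace = False
    for line in report.splitlines():
        m = BUG_RE.match(line)
        if m and out["kind"] is None:  # first BUG line names the class
            out["kind"] = m["kind"]
            continue
        m = ACCESS_RE.match(line)
        if m:
            out.update(op=m["op"], size=int(m["size"]), addr=m["addr"], task=m["task"])
            continue
        if line.startswith("Call Trace:"):
            in_trace = True
            continue
        m = FRAME_RE.match(line) if in_trace else None
        if not m or m["file"].startswith(SKIP_FILES):
            continue
        frame = (m["func"], f"{m['file']}:{m['line']}", bool(m["inline"]))
        if out["faulting_frame"] is None:
            out["faulting_frame"] = frame  # where the bad read happens
        if out["subsystem_frame"] is None and m["file"].startswith(subsystem_prefix):
            out["subsystem_frame"] = frame  # caller that owns the buffer
    return out
```

Running `triage(KASAN_REPORT, "fs/bcachefs/")` attributes the use-after-free to bch2_checksum at fs/bcachefs/checksum.c:238 rather than to the generic poly1305 code that merely touched the freed memory.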