Hi, (+cc Chengyang Fan)

On Fri, Oct 29, 2021 at 07:55:27AM -0700, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit:    87066fdd2e30 Revert "mm/secretmem: use refcount_t instead ..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=10c2c88cb00000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=59f3ef2b4077575
> dashboard link: https://syzkaller.appspot.com/bug?extid=63d688f1d899c588fb71
> compiler:       Debian clang version 11.0.1-2, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=17032c4ab00000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=170f8c3cb00000
>
> The issue was bisected to:
>
> commit f86cf25a609107960cf05263e491463feaae1f99
> Author: Gao Xiang <gaoxiang25@xxxxxxxxxx>
> Date:   Tue Aug 28 03:39:48 2018 +0000
>
>     Revert "staging: erofs: disable compiling temporarile"
>
> bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=11de0328b00000
> final oops:     https://syzkaller.appspot.com/x/report.txt?x=13de0328b00000
> console output: https://syzkaller.appspot.com/x/log.txt?x=15de0328b00000
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+63d688f1d899c588fb71@xxxxxxxxxxxxxxxxxxxxxxxxx
> Fixes: f86cf25a6091 ("Revert "staging: erofs: disable compiling temporarile"")
>
> ==================================================================
> BUG: KASAN: use-after-free in get_unaligned_le16 include/asm-generic/unaligned.h:27 [inline]
> BUG: KASAN: use-after-free in LZ4_readLE16 lib/lz4/lz4defs.h:132 [inline]
> BUG: KASAN: use-after-free in LZ4_decompress_generic lib/lz4/lz4_decompress.c:285 [inline]
> BUG: KASAN: use-after-free in LZ4_decompress_safe_partial+0xff8/0x1580 lib/lz4/lz4_decompress.c:469
> Read of size 2 at addr ffff88806dd1f000 by task kworker/u5:0/150
>
> CPU: 1 PID: 150 Comm: kworker/u5:0 Not tainted 5.15.0-rc6-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> Workqueue: erofs_unzipd z_erofs_decompressqueue_work
> Call Trace:
>  __dump_stack lib/dump_stack.c:88 [inline]
>  dump_stack_lvl+0x1dc/0x2d8 lib/dump_stack.c:106
>  print_address_description+0x66/0x3e0 mm/kasan/report.c:256
>  __kasan_report mm/kasan/report.c:442 [inline]
>  kasan_report+0x19a/0x1f0 mm/kasan/report.c:459
>  get_unaligned_le16 include/asm-generic/unaligned.h:27 [inline]
>  LZ4_readLE16 lib/lz4/lz4defs.h:132 [inline]
>  LZ4_decompress_generic lib/lz4/lz4_decompress.c:285 [inline]
>  LZ4_decompress_safe_partial+0xff8/0x1580 lib/lz4/lz4_decompress.c:469
>  z_erofs_lz4_decompress+0x4c3/0x1100 fs/erofs/decompressor.c:226
>  z_erofs_decompress_generic fs/erofs/decompressor.c:354 [inline]
>  z_erofs_decompress+0xa8e/0xe30 fs/erofs/decompressor.c:407
>  z_erofs_decompress_pcluster+0x15e4/0x2550 fs/erofs/zdata.c:977
>  z_erofs_decompress_queue fs/erofs/zdata.c:1055 [inline]
>  z_erofs_decompressqueue_work+0x123/0x1a0 fs/erofs/zdata.c:1066
>  process_one_work+0x853/0x1140 kernel/workqueue.c:2297
>  worker_thread+0xac1/0x1320 kernel/workqueue.c:2444
>  kthread+0x453/0x480 kernel/kthread.c:319
>  ret_from_fork+0x1f/0x30

It's quite similar to
https://lore.kernel.org/r/CC666AE8-4CA4-4951-B6FB-A2EFDE3AC03B@xxxxxx

But I'm not sure if Chengyang Fan is still working on this stuff.

Anyway, it can only be reproduced by specifically crafted compressed data.

Thanks,
Gao Xiang