4.19 is not supported or maintained by the upstream XFS community. You're welcome to contribute to that effort. --D ________________________________________ From: Shuangpeng Bai <bb993561614@xxxxxxxxx> Sent: Thursday, September 21, 2023 12:23 To: syzkaller; Darrick Wong; linux-xfs@xxxxxxxxxxxxxxx Subject: BUG: KASAN: slab-out-of-bounds in xfs_iext_get_extent Hi Kernel Maintainers, Our tool found a new kernel bug: a KASAN slab-out-of-bounds read in xfs_iext_get_extent, reached via setxattr(2) on an XFS image mounted through loop0 (the log below also shows a metadata I/O error, EFSCORRUPTED/117, followed by a forced filesystem shutdown, so the image is likely corrupted or crafted). Please see the details below. Kernel commit: v4.19.294 (longterm) Kernel config: see attachment C/Syz reproducer: see attachment [ 75.486892] BUG: KASAN: slab-out-of-bounds in xfs_iext_get_extent (fs/xfs/libxfs/xfs_iext_tree.c:47 fs/xfs/libxfs/xfs_iext_tree.c:156 fs/xfs/libxfs/xfs_iext_tree.c:1018) [ 75.487761] 000000001c8ced51: 00 00 00 04 00 00 00 05 00 00 00 00 00 00 00 01 ................ [ 75.487862] Read of size 8 at addr ffff8882350b4d58 by task a.out/8319 [ 75.489112] 00000000fec1508e: 00 00 00 01 00 00 00 00 00 00 07 00 00 00 00 04 ................ [ 75.489991] [ 75.490001] CPU: 1 PID: 8319 Comm: a.out Not tainted 4.19.294 #2 [ 75.491203] 000000001e2fb696: 00 00 00 04 00 00 7f be 00 00 7f be 00 00 00 00 ................ [ 75.491423] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 [ 75.492261] 000000005b2b9690: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ [ 75.493434] Call Trace: [ 75.493445] dump_stack (lib/dump_stack.c:120) [ 75.494595] 000000008bfa4abe: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ [ 75.495768] print_address_description.cold (mm/kasan/report.c:256) [ 75.495778] kasan_report_error.cold (mm/kasan/report.c:354) [ 75.495786] ? xfs_iext_get_extent (fs/xfs/libxfs/xfs_iext_tree.c:47 fs/xfs/libxfs/xfs_iext_tree.c:156 fs/xfs/libxfs/xfs_iext_tree.c:1018) [ 75.495793] __asan_report_load8_noabort (mm/kasan/report.c:432) [ 75.495801] ?
xfs_iext_get_extent (fs/xfs/libxfs/xfs_iext_tree.c:47 fs/xfs/libxfs/xfs_iext_tree.c:156 fs/xfs/libxfs/xfs_iext_tree.c:1018) [ 75.495808] xfs_iext_get_extent (fs/xfs/libxfs/xfs_iext_tree.c:47 fs/xfs/libxfs/xfs_iext_tree.c:156 fs/xfs/libxfs/xfs_iext_tree.c:1018) [ 75.495816] xfs_iextents_copy (fs/xfs/libxfs/xfs_inode_fork.c:562 (discriminator 1)) [ 75.495826] ? xfs_iformat_fork (fs/xfs/libxfs/xfs_inode_fork.c:552) [ 75.495837] ? mark_held_locks (kernel/locking/lockdep.c:3275) [ 75.495848] xfs_inode_item_format_attr_fork (fs/xfs/xfs_inode_item.c:244) [ 75.495860] xfs_inode_item_format (fs/xfs/xfs_inode_item.c:429) [ 75.500673] 000000007e4099b5: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ [ 75.501050] ? xfs_inode_item_format_attr_fork (fs/xfs/xfs_inode_item.c:391) [ 75.501661] 00000000a3693a78: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ [ 75.502222] ? xfs_log_commit_cil (fs/xfs/xfs_log_cil.c:393 fs/xfs/xfs_log_cil.c:994) [ 75.502234] xfs_log_commit_cil (fs/xfs/xfs_log_cil.c:377 fs/xfs/xfs_log_cil.c:407 fs/xfs/xfs_log_cil.c:994) [ 75.502824] XFS (loop0): metadata I/O error in "xfs_trans_read_buf_map" at daddr 0x1 len 1 error 117 [ 75.503362] ? xfs_buf_item_log (fs/xfs/xfs_buf_item.c:890 (discriminator 2)) [ 75.504108] XFS (loop0): xfs_do_force_shutdown(0x1) called from line 300 of file fs/xfs/xfs_trans_buf.c. Return address = 00000002 [ 75.504731] ? xlog_cil_empty (fs/xfs/xfs_log_cil.c:979) [ 75.504739] ? xfs_trans_apply_dquot_deltas (fs/xfs/xfs_trans_dquot.c:326) [ 75.504753] ? xfs_defer_trans_roll (fs/xfs/libxfs/xfs_defer.c:277) [ 75.504759] __xfs_trans_commit (fs/xfs/xfs_trans.c:969) [ 75.504767] ? xfs_trans_free_items (fs/xfs/xfs_trans.c:923) [ 75.504775] ? kmem_zone_alloc (fs/xfs/kmem.c:96) [ 75.504786] ? xfs_defer_finish (fs/xfs/libxfs/xfs_defer.c:465) [ 75.509734] XFS (loop0): I/O Error Detected. Shutting down filesystem [ 75.510318] ? 
xfs_defer_trans_roll (fs/xfs/libxfs/xfs_defer.c:277) [ 75.510929] XFS (loop0): Please umount the filesystem and rectify the problem(s) [ 75.512597] xfs_trans_roll (fs/xfs/xfs_trans.c:1100) [ 75.512606] ? xfs_trans_alloc_empty (fs/xfs/xfs_trans.c:1077) [ 75.520389] ? xfs_defer_finish (fs/xfs/libxfs/xfs_defer.c:461) [ 75.520969] ? check_preemption_disabled (lib/smp_processor_id.c:52 (discriminator 1)) [ 75.521640] ? xfs_defer_finish (fs/xfs/libxfs/xfs_defer.c:465) [ 75.522208] xfs_defer_trans_roll (fs/xfs/libxfs/xfs_defer.c:277) [ 75.522811] ? xfs_defer_create_intents (fs/xfs/libxfs/xfs_defer.c:224) [ 75.523483] ? check_preemption_disabled (lib/smp_processor_id.c:52 (discriminator 1)) [ 75.524154] xfs_defer_finish (fs/xfs/libxfs/xfs_defer.c:465) [ 75.524700] xfs_attr_set_args (fs/xfs/libxfs/xfs_attr.c:271) [ 75.525274] ? xfs_attr_get (fs/xfs/libxfs/xfs_attr.c:228) [ 75.525809] ? rcu_is_watching (./include/linux/compiler.h:263 ./arch/x86/include/asm/atomic.h:31 ./include/asm-generic/atomic-instrumented.h:22 kernel/rcu/tree.c:350 kernel/rcu/tree.c:1025) [ 75.526353] ? xfs_trans_reserve_quota_nblks (fs/xfs/xfs_trans_dquot.c:833) [ 75.527080] ? xfs_trans_add_item (fs/xfs/xfs_trace.h:3345 fs/xfs/xfs_trans.c:753) [ 75.527683] xfs_attr_set (fs/xfs/libxfs/xfs_attr.c:377) [ 75.528193] ? xfs_attr_remove_args (fs/xfs/libxfs/xfs_attr.c:316) [ 75.528818] ? kernel_text_address (kernel/extable.c:161) [ 75.529425] xfs_xattr_set (fs/xfs/xfs_xattr.c:83) [ 75.529936] ? xfs_forget_acl (fs/xfs/xfs_xattr.c:68) [ 75.530469] __vfs_setxattr (fs/xattr.c:149) [ 75.531001] ? xattr_resolve_name (fs/xattr.c:139) [ 75.531618] ? evm_protect_xattr.constprop.0 (security/integrity/evm/evm_main.c:365) [ 75.532337] __vfs_setxattr_noperm (fs/xattr.c:181) [ 75.532957] __vfs_setxattr_locked (fs/xattr.c:238) [ 75.533571] vfs_setxattr (./include/linux/fs.h:753 fs/xattr.c:257) [ 75.534072] ? __vfs_setxattr_locked (fs/xattr.c:248) [ 75.534709] ? 
__might_fault (mm/memory.c:4811) [ 75.535256] setxattr (fs/xattr.c:524) [ 75.535721] ? vfs_setxattr (fs/xattr.c:485) [ 75.536260] ? __phys_addr (arch/x86/mm/physaddr.c:31 (discriminator 4)) [ 75.536769] ? __phys_addr_symbol (arch/x86/mm/physaddr.c:41 (discriminator 2)) [ 75.537355] ? check_preemption_disabled (lib/smp_processor_id.c:52 (discriminator 1)) [ 75.538024] ? check_preemption_disabled (lib/smp_processor_id.c:52 (discriminator 1)) [ 75.538698] ? preempt_count_add (./include/linux/ftrace.h:696 kernel/sched/core.c:3222 kernel/sched/core.c:3247) [ 75.539277] ? __mnt_want_write (fs/namespace.c:345 (discriminator 3)) [ 75.539857] path_setxattr (fs/xattr.c:540) [ 75.540379] ? __se_sys_fsetxattr (fs/xattr.c:530) [ 75.540986] ? task_work_run (kernel/task_work.c:108) [ 75.541533] __x64_sys_setxattr (fs/xattr.c:550) [ 75.542101] ? lockdep_hardirqs_on (kernel/locking/lockdep.c:2839 kernel/locking/lockdep.c:2884) [ 75.542714] do_syscall_64 (arch/x86/entry/common.c:293) [ 75.543227] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:244) [ 75.543919] RIP: 0033:0x7f026bfc773d [ 75.544417] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 48 Code starting with the faulting instruction =========================================== 0: 00 c3 add %al,%bl 2: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1) 9: 00 00 00 c: 90 nop d: f3 0f 1e fa endbr64 11: 48 89 f8 mov %rdi,%rax 14: 48 89 f7 mov %rsi,%rdi 17: 48 89 d6 mov %rdx,%rsi 1a: 48 89 ca mov %rcx,%rdx 1d: 4d 89 c2 mov %r8,%r10 20: 4d 89 c8 mov %r9,%r8 23: 4c rex.WR 24: 8b .byte 0x8b 25: 48 rex.W [ 75.546915] RSP: 002b:00007f026b6a9da8 EFLAGS: 00000297 ORIG_RAX: 00000000000000bc [ 75.547938] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f026bfc773d [ 75.548905] RDX: 0000000020000100 RSI: 00000000200000c0 RDI: 0000000020000080 [ 75.549867] RBP: 00007f026b6a9e00 R08: 0000000000000001 R09: 0000000000000000 [ 75.550831] R10: 0000000000000016 R11: 
0000000000000297 R12: 00007fff53e328de [ 75.551794] R13: 00007fff53e328df R14: 00007fff53e32980 R15: 00007f026b6a9f00 Best, Shuangpeng