On Tue, Mar 04, 2025 at 08:15:32AM -0800, syzbot wrote: > Hello, > > syzbot found the following issue on: > > HEAD commit: 99fa936e8e4f Merge tag 'affs-6.14-rc5-tag' of git://git.ke.. > git tree: upstream > console output: https://syzkaller.appspot.com/x/log.txt?x=111c9464580000 > kernel config: https://syzkaller.appspot.com/x/.config?x=2040405600e83619 > dashboard link: https://syzkaller.appspot.com/bug?extid=9f6d080dece587cfdd4c > compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=132f0078580000 > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1483fc54580000 > > Downloadable assets: > disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7feb34a89c2a/non_bootable_disk-99fa936e.raw.xz > vmlinux: https://storage.googleapis.com/syzbot-assets/ef04f83d96f6/vmlinux-99fa936e.xz > kernel image: https://storage.googleapis.com/syzbot-assets/583a7eea5c8e/bzImage-99fa936e.xz > mounted in repro: https://storage.googleapis.com/syzbot-assets/6232fcdbddfb/mount_1.gz > fsck result: failed (log: https://syzkaller.appspot.com/x/fsck.log?x=11d457a0580000) > > IMPORTANT: if you fix the issue, please add the following tag to the commit: > Reported-by: syzbot+9f6d080dece587cfdd4c@xxxxxxxxxxxxxxxxxxxxxxxxx > > ======================================================= > XFS (loop0): Mounting V5 Filesystem bfdc47fc-10d8-4eed-a562-11a831b3f791 > ================================================================== > BUG: KASAN: slab-out-of-bounds in crc32c_le_arch+0xc7/0x1b0 arch/x86/lib/crc32-glue.c:81 > Read of size 8 at addr ffff888040dfea00 by task syz-executor260/5304 > > CPU: 0 UID: 0 PID: 5304 Comm: syz-executor260 Not tainted 6.14.0-rc5-syzkaller-00013-g99fa936e8e4f #0 > Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 > Call Trace: > <TASK> > __dump_stack lib/dump_stack.c:94 [inline] > dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 > print_address_description mm/kasan/report.c:408 [inline] > print_report+0x16e/0x5b0 mm/kasan/report.c:521 > kasan_report+0x143/0x180 mm/kasan/report.c:634 > crc32c_le_arch+0xc7/0x1b0 arch/x86/lib/crc32-glue.c:81 > __crc32c_le include/linux/crc32.h:36 [inline] > crc32c include/linux/crc32c.h:9 [inline] > xlog_cksum+0x91/0xf0 fs/xfs/xfs_log.c:1588 > xlog_recover_process+0x78/0x1e0 fs/xfs/xfs_log_recover.c:2900 > xlog_do_recovery_pass+0xa01/0xdc0 fs/xfs/xfs_log_recover.c:3235 > xlog_verify_head+0x21f/0x5a0 fs/xfs/xfs_log_recover.c:1058 > xlog_find_tail+0xa04/0xdf0 fs/xfs/xfs_log_recover.c:1315 > xlog_recover+0xe1/0x540 fs/xfs/xfs_log_recover.c:3419 This got sent "To:" me because of crc32c in the call stack. The bug is in XFS, though; it's passing an invalid buffer to crc32c(). - Eric
