Hi Kent,

When using our customized Syzkaller to fuzz the latest Linux kernel, the following crash (the 82nd) was triggered.
HEAD commit: d082ecbc71e9e0bf49883ee4afd435a77a5101b6
git tree: upstream
Output: https://github.com/pghk13/Kernel-Bug/blob/main/0225_6.14rc2/82-KASAN_%20slab-out-of-bounds%20Read%20in%20mapping_try_invalidate/output_on_6.14rc4
Kernel config: https://github.com/pghk13/Kernel-Bug/blob/main/0225_6.14rc2/config_6.14rc4.txt
C reproducer: https://github.com/pghk13/Kernel-Bug/blob/main/0225_6.14rc2/82-KASAN_%20slab-out-of-bounds%20Read%20in%20mapping_try_invalidate/repro.c
Syzlang reproducer: https://github.com/pghk13/Kernel-Bug/blob/main/0225_6.14rc2/82-KASAN_%20slab-out-of-bounds%20Read%20in%20mapping_try_invalidate/repro.syz

The file images in the repro are randomly constructed by syzkaller.

According to the report, this issue points to line 999 in the validate_bset_keys function. Based on multiple reproductions of the issue, the problem appears to occur when parsing corrupted btree nodes (where k->u64s might be 0). The memmove_u64s_down operation attempts to shift subsequent data forward, but the calculation of vstruct_end(i) might be out of bounds when handling such invalid nodes. This could lead to heap memory corruption, potentially causing subsequently allocated memory to contain invalid pointers.

Our knowledge of the kernel is somewhat limited, and we'd appreciate it if you could determine if there is such an issue. If this issue doesn't have an impact, please ignore it ☺.

If you fix this issue, please add the following tag to the commit:
Reported-by: Kun Hu <[email protected]>, Jiaji Qin <[email protected]>, Shuoran Bai <[email protected]>

==================================================================
2025/02/26 11:21:55 reproducing crash 'KASAN: slab-out-of-bounds Read in mapping_try_invalidate': final repro crashed as (corrupted=false):
u64s 11 type btree_ptr_v2 SPOS_MAX len 0 ver 0: seq c6c25c03258c59c5 written 1032 min_key POS_MIN durability: 1 ptr: 0:27:0 gen 0 node offset 0/1032 bset u64s 33578 bset byte offset 160: bad k->u64s 0 (min 3 max 253), fixing
------------[ cut here ]------------
kernel BUG at arch/x86/mm/physaddr.c:28!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI
CPU: 3 UID: 0 PID: 57 Comm: kworker/3:1H Not tainted 6.14.0-rc4 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
Workqueue: bcachefs_btree_read_complete btree_node_read_work
RIP: 0010:__phys_addr+0xdc/0x150
Code: ff 48 d3 eb 48 89 de e8 22 76 4f 00 48 85 db 75 13 e8 d8 73 4f 00 4c 89 e0 5b 5d 41 5c 41 5d e9 e5 c0 a5 ff e8 c5 73 4f 00 90 <0f> 0b e8 bd 73 4f 00 48 c7 c0 10 a0 fa 8d 48 ba 00 00 00 00 00 fc
RSP: 0018:ffffc9000071efe8 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 000000000000000e RCX: ffffffff816a7fa2
RDX: 000077800000000e RSI: ffff8880412ac900 RDI: 0000000000000002
RBP: 000000008000000e R08: 0000000000000000 R09: fffffbfff2de6d9f
R10: fffffbfff2de6d9e R11: 0000000000000001 R12: 000077800000000e
R13: 0000000000000000 R14: ffffc9000071f048 R15: ffff888075c2a140
FS:  0000000000000000(0000) GS:ffff88807ef00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f955b82c15d CR3: 000000006f1e0000 CR4: 0000000000750ef0
PKRU: 55555554
Call Trace:
 <TASK>
 qlist_free_all+0x68/0x130
 kasan_quarantine_reduce+0x168/0x1c0
 __kasan_slab_alloc+0x67/0x90
 __kmalloc_node_track_caller_noprof+0x1c5/0x5f0
 krealloc_noprof+0x2a7/0x390
 bch2_printbuf_make_room+0x1be/0x2e0
 bch2_prt_printf+0x18b/0x4d0
 __btree_err+0x16c/0x950
 validate_bset_keys+0xd79/0x18d0
 bch2_btree_node_read_done+0x2223/0x5340
 btree_node_read_work+0xa7e/0x1cc0
 process_scheduled_works+0x5c0/0x1aa0
 worker_thread+0x59f/0xcf0
 kthread+0x42a/0x880
 ret_from_fork+0x48/0x80
 ret_from_fork_asm+0x1a/0x30
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__phys_addr+0xdc/0x150
Code: ff 48 d3 eb 48 89 de e8 22 76 4f 00 48 85 db 75 13 e8 d8 73 4f 00 4c 89 e0 5b 5d 41 5c 41 5d e9 e5 c0 a5 ff e8 c5 73 4f 00 90 <0f> 0b e8 bd 73 4f 00 48 c7 c0 10 a0 fa 8d 48 ba 00 00 00 00 00 fc
RSP: 0018:ffffc9000071efe8 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 000000000000000e RCX: ffffffff816a7fa2
RDX: 000077800000000e RSI: ffff8880412ac900 RDI: 0000000000000002
RBP: 000000008000000e R08: 0000000000000000 R09: fffffbfff2de6d9f
R10: fffffbfff2de6d9e R11: 0000000000000001 R12: 000077800000000e
R13: 0000000000000000 R14: ffffc9000071f048 R15: ffff888075c2a140
FS:  0000000000000000(0000) GS:ffff88807ef00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f955b82c15d CR3: 000000006f1e0000 CR4: 0000000000750ef0
PKRU: 55555554

---------------
thanks,
Kun Hu
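To make the failure mode the report describes concrete, here is a userspace model of walking a bset of length-prefixed keys. This is an added example, not bcachefs code and not the reporter's code: the names (mkey, mbset, mkey_check, validate_keys, mbset_put), the 16-word bset and the minimum key length of 3 words are assumptions modelled on the "bad k->u64s 0 (min 3 max 253)" message above. It shows why a key whose header says u64s == 0, or whose claimed length runs past the end of the bset, cannot be dropped by sliding the tail down over it (the walk does not advance, or the tail length end - next(k) is negative), and how truncating the bset at that key avoids both, while a key with a sane length and bad contents can still be compacted in place.

```c
/*
 * Userspace model of validating a bset of length-prefixed keys.
 * Added example: NOT bcachefs code. Layout, names and constants are
 * assumptions modelled on the report's "bad k->u64s 0 (min 3 max 253)".
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define BKEY_U64S_MIN 3u     /* assumption: the "min 3" in the report's message */
#define BSET_WORDS    16u    /* constructed: every bset in this model holds 16 words */

struct mkey {                /* hypothetical one-word key header */
	uint8_t u64s;        /* key length in 64-bit words, header included */
	uint8_t type;        /* 1 = valid; anything else = bad type (model only) */
	uint8_t pad[6];
};

struct mbset {
	uint16_t u64s;       /* words in use in data[] */
	uint64_t data[BSET_WORDS];
};

static size_t mkey_off(struct mbset *i, struct mkey *k) { return (size_t)((uint64_t *)k - i->data); }

enum bad { KEY_OK, KEY_TOO_SHORT, KEY_PAST_END, KEY_BAD_TYPE };

/* Length checks first, using offsets so no pointer is formed past the bset. */
static enum bad mkey_check(struct mbset *i, struct mkey *k)
{
	if (k->u64s < BKEY_U64S_MIN)              return KEY_TOO_SHORT; /* includes u64s == 0 */
	if (mkey_off(i, k) + k->u64s > i->u64s)   return KEY_PAST_END;
	if (k->type != 1)                         return KEY_BAD_TYPE;
	return KEY_OK;
}

/*
 * Validate keys in place; returns how many were kept.
 * Dropping a key by sliding the tail down over it is only safe when the
 * key's length is trustworthy: non-zero, so the walk advances, and within
 * the bset, so the tail length is not negative. Otherwise truncate at k.
 */
static int validate_keys(struct mbset *i)
{
	struct mkey *k = (struct mkey *)i->data;
	int kept = 0;

	while (mkey_off(i, k) < i->u64s) {
		switch (mkey_check(i, k)) {
		case KEY_OK:
			kept++;
			k = (struct mkey *)((uint64_t *)k + k->u64s);
			break;
		case KEY_BAD_TYPE: {
			uint8_t len  = k->u64s;                       /* save: memmove clobbers the header */
			size_t  tail = i->u64s - (mkey_off(i, k) + len); /* >= 0, length already validated */
			memmove(k, (uint64_t *)k + len, tail * sizeof(uint64_t));
			i->u64s -= len;
			break;                                        /* re-check the key now at k */
		}
		default:
			/* KEY_TOO_SHORT (possibly 0) or KEY_PAST_END: no trustworthy length. */
			i->u64s = (uint16_t)mkey_off(i, k);
			return kept;
		}
	}
	return kept;
}

/* Constructed-input helper: the key occupies `actual` words but its header
 * claims `claimed`, so corruption can be injected deliberately. */
static int mbset_put(struct mbset *i, uint8_t claimed, uint8_t actual, uint8_t type)
{
	if (actual == 0 || i->u64s + actual > BSET_WORDS)
		return 0;
	struct mkey *k = (struct mkey *)(i->data + i->u64s);
	memset(k, 0, actual * sizeof(uint64_t));
	k->u64s = claimed;
	k->type = type;
	i->u64s += actual;
	return 1;
}

/* Each scenario returns kept * 100 + resulting bset u64s. */
static int scenario_clean(void)          /* three good keys: 3 kept, 10 words */
{
	struct mbset i = { 0 };
	mbset_put(&i, 3, 3, 1); mbset_put(&i, 4, 4, 1); mbset_put(&i, 3, 3, 1);
	int kept = validate_keys(&i);
	return kept * 100 + i.u64s;
}

static int scenario_zero_len(void)       /* the report's case: k->u64s == 0 at word 3 */
{
	struct mbset i = { 0 };
	mbset_put(&i, 3, 3, 1); mbset_put(&i, 0, 3, 1); mbset_put(&i, 3, 3, 1);
	int kept = validate_keys(&i);
	return kept * 100 + i.u64s;          /* truncated at word 3 */
}

static int scenario_past_end(void)       /* header claims 12 words, bset has 9 */
{
	struct mbset i = { 0 };
	mbset_put(&i, 3, 3, 1); mbset_put(&i, 12, 3, 1); mbset_put(&i, 3, 3, 1);
	int kept = validate_keys(&i);
	return kept * 100 + i.u64s;
}

static int scenario_bad_type(void)       /* sane length, bad content: compacted */
{
	struct mbset i = { 0 };
	mbset_put(&i, 3, 3, 1); mbset_put(&i, 4, 4, 0); mbset_put(&i, 3, 3, 1);
	int kept = validate_keys(&i);
	return kept * 100 + i.u64s;
}

int main(void)
{
	printf("clean %d zero_len %d past_end %d bad_type %d\n",
	       scenario_clean(), scenario_zero_len(), scenario_past_end(), scenario_bad_type());
	return 0;
}
```

The point of the split in validate_keys is that the tail length used by the compaction memmove is only meaningful once the key's own length has passed both checks; computing it from an unvalidated u64s is exactly the step the report flags as suspicious.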
