Date: Fri, 14 Feb 2025 20:34:44 +0000
From: Matthew Wilcox <willy@infradead.org>
To: syzbot
Cc: akpm@linux-foundation.org, hughd@google.com, kent.overstreet@linux.dev, linux-bcachefs@vger.kernel.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [mm?] [bcachefs?]
 KASAN: slab-out-of-bounds Read in folio_try_get
References: <67afa09f.050a0220.21dd3.0053.GAE@google.com>
In-Reply-To: <67afa09f.050a0220.21dd3.0053.GAE@google.com>

On Fri, Feb 14, 2025 at 11:59:27AM -0800, syzbot wrote:
> BUG: KASAN: slab-out-of-bounds in instrument_atomic_read include/linux/instrumented.h:68 [inline]
> BUG: KASAN: slab-out-of-bounds in atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline]
> BUG: KASAN: slab-out-of-bounds in page_ref_count include/linux/page_ref.h:67 [inline]
> BUG: KASAN: slab-out-of-bounds in page_ref_add_unless include/linux/page_ref.h:237 [inline]
> BUG: KASAN: slab-out-of-bounds in folio_ref_add_unless include/linux/page_ref.h:248 [inline]
> BUG: KASAN: slab-out-of-bounds in folio_try_get+0xde/0x350 include/linux/page_ref.h:264
> Read of size 4 at addr ffff88804f904b34 by task syz-executor127/5388
>
> CPU: 0 UID: 0 PID: 5388 Comm: syz-executor127 Not tainted 6.14.0-rc2-syzkaller-00056-gab68d7eb7b1a #0
> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
> Call Trace:
>
> __dump_stack lib/dump_stack.c:94 [inline]
> dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
> print_address_description mm/kasan/report.c:378 [inline]
> print_report+0x169/0x550 mm/kasan/report.c:489
> kasan_report+0x143/0x180 mm/kasan/report.c:602
> kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
> instrument_atomic_read include/linux/instrumented.h:68 [inline]
> atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline]
> page_ref_count include/linux/page_ref.h:67 [inline]
> page_ref_add_unless include/linux/page_ref.h:237 [inline]
> folio_ref_add_unless include/linux/page_ref.h:248 [inline]
> folio_try_get+0xde/0x350 include/linux/page_ref.h:264
> filemap_get_entry+0x240/0x3b0 mm/filemap.c:1870
> shmem_get_folio_gfp+0x285/0x1840 mm/shmem.c:2446
> shmem_get_folio mm/shmem.c:2628 [inline]
> shmem_write_begin+0x165/0x350 mm/shmem.c:3278
> generic_perform_write+0x346/0x990 mm/filemap.c:4189
> shmem_file_write_iter+0xf9/0x120 mm/shmem.c:3454
> new_sync_write fs/read_write.c:586 [inline]
> vfs_write+0xacf/0xd10 fs/read_write.c:679
> ksys_write+0x18f/0x2b0 fs/read_write.c:731
> do_syscall_x64 arch/x86/entry/common.c:52 [inline]
> do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
> entry_SYSCALL_64_after_hwframe+0x77/0x7f
> RIP: 0033:0x7fb60d00ef1f
> Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 19 81 02 00 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 6c 81 02 00 48
> RSP: 002b:00007fb60c7b9fb0 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
> RAX: ffffffffffffffda RBX: 00007fb60c7b9ff0 RCX: 00007fb60d00ef1f
> RDX: 0000000001000000 RSI: 00007fb604200000 RDI: 0000000000000003
> RBP: 00007fb60d0976e0 R08: 0000000000000000 R09: 000000000000590c
> R10: 0000000000000002 R11: 0000000000000293 R12: 00007fb60d0976ec
> R13: 00007fb60c7ba030 R14: 0000000000000003 R15: 00007ffe9f1d73d8
>
>
> The buggy address belongs to the object at ffff88804f904b00
>  which belongs to the cache radix_tree_node of size 576
> The buggy address is located 52 bytes inside of
>  allocated 576-byte region [ffff88804f904b00, ffff88804f904d40)

Wait, what? We're calling folio_try_get() on a pointer which isn't a pointer to a folio, but a pointer to somewhere in a radix_tree_node?

This fits a pattern we're seeing a lot of recently. Bugs:

https://syzkaller.appspot.com/bug?extid=b581c7106aa616bb522c
https://syzkaller.appspot.com/bug?extid=8ae0902c29b15a27a4ee
https://syzkaller.appspot.com/bug?extid=07392c132f11b1758ac3
https://syzkaller.appspot.com/bug?extid=fe375f77ba1a6ab944b6
https://syzkaller.appspot.com/bug?extid=a0ae55e3dde11d2d790c

They all fit the form of syzbot mounts a (potentially fuzzed?) bcachefs file system and later we have a corruption in the radix tree.

I have two suspicions (feel free to assign your own probabilities to which is correct).

The first is that a bunch of tweaky little cleanups went into the xarray code in the last merge window. I really wish we could stop doing that kind of bullshit. Can we just agree that the xarray code is good enough and not keep pissing with it? Obviously if there's a bug, then we should fix it (and that should come with test cases!), but otherwise just leave it alone. Please. It would make finding this kind of problem much easier.

The second is that bcachefs has a random memory stomper. That would suck.

Kent, you said you had some automated tooling to feed syzbot reproducers into?
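The reasoning in the mail above (the faulting address sits 52 bytes into a radix_tree_node slab object, so the pointer handed to folio_try_get() cannot have been a folio) is the kind of check worth mechanising when a batch of similar syzbot reports arrives. The following Python is an added example, not code from the mail, from syzbot or from the kernel tree: it parses the KASAN lines quoted above (embedded as constructed sample input, trimmed to the lines the parser consumes), computes the offset of the access inside the reported slab object, and flags reports in which a helper that only operates on struct page / folio faulted inside a slab cache. The PAGE_ONLY_FRAMES set, the KasanReport class and the function names are this example's own assumptions, not kernel or syzkaller identifiers.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the KASAN report quoted in the mail, reduced to
# the lines this parser consumes.
SAMPLE_REPORT = """\
BUG: KASAN: slab-out-of-bounds in page_ref_add_unless include/linux/page_ref.h:237 [inline]
BUG: KASAN: slab-out-of-bounds in folio_ref_add_unless include/linux/page_ref.h:248 [inline]
BUG: KASAN: slab-out-of-bounds in folio_try_get+0xde/0x350 include/linux/page_ref.h:264
Read of size 4 at addr ffff88804f904b34 by task syz-executor127/5388

The buggy address belongs to the object at ffff88804f904b00
 which belongs to the cache radix_tree_node of size 576
The buggy address is located 52 bytes inside of
 allocated 576-byte region [ffff88804f904b00, ffff88804f904d40)
"""

# Assumption of this example: helpers that only make sense on a struct page
# or folio, which live in the vmemmap and are never slab objects.  The names
# are the "[inline]" frames from the report above.
PAGE_ONLY_FRAMES = {"folio_try_get", "folio_ref_add_unless",
                    "page_ref_add_unless", "page_ref_count"}

_BUG_RE = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\w+)")
_ACCESS_RE = re.compile(r"(?P<rw>Read|Write) of size (?P<size>\d+) at addr "
                        r"(?P<addr>[0-9a-f]+) by task (?P<task>\S+)")
_OBJECT_RE = re.compile(r"belongs to the object at (?P<obj>[0-9a-f]+)")
_CACHE_RE = re.compile(r"belongs to the cache (?P<cache>\S+) of size (?P<csize>\d+)")
_REGION_RE = re.compile(r"allocated \d+-byte region "
                        r"\[(?P<start>[0-9a-f]+), (?P<end>[0-9a-f]+)\)")


@dataclass
class KasanReport:
    kind: str            # e.g. "slab-out-of-bounds"
    func: str            # outermost non-inline frame named by KASAN
    rw: str              # "Read" or "Write"
    size: int            # access width in bytes
    addr: int            # faulting address
    task: str
    object_addr: Optional[int] = None
    cache: Optional[str] = None
    cache_size: Optional[int] = None
    region: Optional[tuple] = None   # (start, end), end exclusive

    @property
    def offset(self) -> Optional[int]:
        """Byte offset of the faulting access from the start of the slab object."""
        if self.object_addr is None:
            return None
        return self.addr - self.object_addr

    def inside_region(self) -> Optional[bool]:
        """Whether the whole access lies inside the allocated region KASAN printed."""
        if self.region is None:
            return None
        start, end = self.region
        return start <= self.addr and self.addr + self.size <= end

    def looks_like_type_confusion(self) -> bool:
        """A page/folio-only helper faulting inside a slab object means the
        pointer it was handed was never a folio: suspect the caller's data."""
        return self.func in PAGE_ONLY_FRAMES and self.cache is not None


def parse_kasan_report(text: str) -> KasanReport:
    bugs = _BUG_RE.findall(text)          # list of (kind, func) pairs
    if not bugs:
        raise ValueError("not a KASAN report")
    kind, func = bugs[-1]                 # last BUG: line names the real frame
    m = _ACCESS_RE.search(text)
    if m is None:
        raise ValueError("missing access line")
    rep = KasanReport(kind=kind, func=func, rw=m["rw"], size=int(m["size"]),
                      addr=int(m["addr"], 16), task=m["task"])
    if (o := _OBJECT_RE.search(text)):
        rep.object_addr = int(o["obj"], 16)
    if (c := _CACHE_RE.search(text)):
        rep.cache, rep.cache_size = c["cache"], int(c["csize"])
    if (r := _REGION_RE.search(text)):
        rep.region = (int(r["start"], 16), int(r["end"], 16))
    return rep


def triage(text: str) -> dict:
    """One-line summary suitable for sorting a pile of reports by cache."""
    rep = parse_kasan_report(text)
    return {"kind": rep.kind, "func": rep.func, "cache": rep.cache,
            "offset": rep.offset, "inside_region": rep.inside_region(),
            "type_confusion": rep.looks_like_type_confusion()}


def group_by_cache(reports) -> dict:
    """Bucket reports by the slab cache the bad address landed in, so a
    recurring cache (radix_tree_node here) stands out across many reports."""
    groups = {}
    for text in reports:
        rep = parse_kasan_report(text)
        groups.setdefault(rep.cache, []).append(rep.func)
    return groups


if __name__ == "__main__":
    print(triage(SAMPLE_REPORT))
    print(group_by_cache([SAMPLE_REPORT]))
```

Running the block on the sample prints a triage record with offset 52, inside_region True and type_confusion True; feeding several syzbot reports to group_by_cache() shows whether they cluster on one cache the way the mail describes.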