2023-12-27 12:31:38

by syzbot

Subject: [syzbot] [erofs?] KMSAN: uninit-value in z_erofs_lz4_decompress (2)

Hello,

syzbot found the following issue on:

HEAD commit: fbafc3e621c3 Merge tag 'for_linus' of git://git.kernel.org..
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=11b0a595e80000
kernel config: https://syzkaller.appspot.com/x/.config?x=e0c7078a6b901aa3
dashboard link: https://syzkaller.appspot.com/bug?extid=6c746eea496f34b3161d
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=169fac19e80000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14aafc81e80000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/1520f7b6daa4/disk-fbafc3e6.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/8b490af009d5/vmlinux-fbafc3e6.xz
kernel image: https://storage.googleapis.com/syzbot-assets/202ca200f4a4/bzImage-fbafc3e6.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/fcf70b38bafb/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: [email protected]

loop0: detected capacity change from 0 to 16
erofs: (device loop0): mounted with root inode @ nid 36.
erofs: (device loop0): z_erofs_lz4_decompress_mem: failed to decompress -12 in[46, 4050] out[917]
=====================================================
BUG: KMSAN: uninit-value in hex_dump_to_buffer+0xae9/0x10f0 lib/hexdump.c:194
hex_dump_to_buffer+0xae9/0x10f0 lib/hexdump.c:194
print_hex_dump+0x13d/0x3e0 lib/hexdump.c:276
z_erofs_lz4_decompress_mem fs/erofs/decompressor.c:252 [inline]
z_erofs_lz4_decompress+0x257e/0x2a70 fs/erofs/decompressor.c:311
z_erofs_decompress_pcluster fs/erofs/zdata.c:1290 [inline]
z_erofs_decompress_queue+0x338c/0x6460 fs/erofs/zdata.c:1372
z_erofs_runqueue+0x36cd/0x3830
z_erofs_read_folio+0x435/0x810 fs/erofs/zdata.c:1843
filemap_read_folio+0xce/0x370 mm/filemap.c:2323
do_read_cache_folio+0x3b4/0x11e0 mm/filemap.c:3691
read_cache_folio+0x60/0x80 mm/filemap.c:3723
erofs_bread+0x286/0x6f0 fs/erofs/data.c:46
erofs_find_target_block fs/erofs/namei.c:103 [inline]
erofs_namei+0x2fe/0x1790 fs/erofs/namei.c:177
erofs_lookup+0x100/0x3c0 fs/erofs/namei.c:206
lookup_one_qstr_excl+0x233/0x520 fs/namei.c:1609
filename_create+0x2fc/0x6d0 fs/namei.c:3876
do_mkdirat+0x69/0x800 fs/namei.c:4121
__do_sys_mkdirat fs/namei.c:4144 [inline]
__se_sys_mkdirat fs/namei.c:4142 [inline]
__x64_sys_mkdirat+0xc8/0x120 fs/namei.c:4142
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b

Uninit was created at:
__alloc_pages+0x9a4/0xe00 mm/page_alloc.c:4591
alloc_pages_mpol+0x62b/0x9d0 mm/mempolicy.c:2133
alloc_pages mm/mempolicy.c:2204 [inline]
folio_alloc+0x1da/0x380 mm/mempolicy.c:2211
filemap_alloc_folio+0xa5/0x430 mm/filemap.c:974
do_read_cache_folio+0x163/0x11e0 mm/filemap.c:3655
read_cache_folio+0x60/0x80 mm/filemap.c:3723
erofs_bread+0x286/0x6f0 fs/erofs/data.c:46
erofs_find_target_block fs/erofs/namei.c:103 [inline]
erofs_namei+0x2fe/0x1790 fs/erofs/namei.c:177
erofs_lookup+0x100/0x3c0 fs/erofs/namei.c:206
lookup_one_qstr_excl+0x233/0x520 fs/namei.c:1609
filename_create+0x2fc/0x6d0 fs/namei.c:3876
do_mkdirat+0x69/0x800 fs/namei.c:4121
__do_sys_mkdirat fs/namei.c:4144 [inline]
__se_sys_mkdirat fs/namei.c:4142 [inline]
__x64_sys_mkdirat+0xc8/0x120 fs/namei.c:4142
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b

CPU: 1 PID: 5006 Comm: syz-executor342 Not tainted 6.7.0-rc7-syzkaller-00003-gfbafc3e621c3 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
=====================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at [email protected].

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup


2023-12-27 15:20:02

by Gao Xiang

Subject: [PATCH] erofs: avoid debugging output for (de)compressed data

Syzbot reported a KMSAN warning,
erofs: (device loop0): z_erofs_lz4_decompress_mem: failed to decompress -12 in[46, 4050] out[917]
=====================================================
BUG: KMSAN: uninit-value in hex_dump_to_buffer+0xae9/0x10f0 lib/hexdump.c:194
..
print_hex_dump+0x13d/0x3e0 lib/hexdump.c:276
z_erofs_lz4_decompress_mem fs/erofs/decompressor.c:252 [inline]
z_erofs_lz4_decompress+0x257e/0x2a70 fs/erofs/decompressor.c:311
z_erofs_decompress_pcluster fs/erofs/zdata.c:1290 [inline]
z_erofs_decompress_queue+0x338c/0x6460 fs/erofs/zdata.c:1372
z_erofs_runqueue+0x36cd/0x3830
z_erofs_read_folio+0x435/0x810 fs/erofs/zdata.c:1843

The root cause is that the printed decompressed buffer may be filled
incompletely due to decompression failure. Since they were once only
used for debugging, get rid of them now.

Reported-by: [email protected]
Closes: https://lore.kernel.org/r/[email protected]
Signed-off-by: Gao Xiang <[email protected]>
---
fs/erofs/decompressor.c | 8 +-------
1 file changed, 1 insertion(+), 7 deletions(-)

diff --git a/fs/erofs/decompressor.c b/fs/erofs/decompressor.c
index af98e88908ee..923afef7997a 100644
--- a/fs/erofs/decompressor.c
+++ b/fs/erofs/decompressor.c
@@ -246,15 +246,9 @@ static int z_erofs_lz4_decompress_mem(struct z_erofs_lz4_decompress_ctx *ctx,
if (ret != rq->outputsize) {
erofs_err(rq->sb, "failed to decompress %d in[%u, %u] out[%u]",
ret, rq->inputsize, inputmargin, rq->outputsize);
-
- print_hex_dump(KERN_DEBUG, "[ in]: ", DUMP_PREFIX_OFFSET,
- 16, 1, src + inputmargin, rq->inputsize, true);
- print_hex_dump(KERN_DEBUG, "[out]: ", DUMP_PREFIX_OFFSET,
- 16, 1, out, rq->outputsize, true);
-
if (ret >= 0)
memset(out + ret, 0, rq->outputsize - ret);
- ret = -EIO;
+ ret = -EFSCORRUPTED;
} else {
ret = 0;
}
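Review bot: the last two lines of the hunk change the failure return from -EIO to -EFSCORRUPTED, which the commit message (it only says the debugging output is removed) does not mention; either split that into its own patch or add a sentence explaining why a short or failed LZ4 decode is now reported as filesystem corruption, since callers and userspace see a different errno. The removal of the two print_hex_dump() calls is the right fix for the KMSAN report itself: on a failed decode `ret` is negative, `out` has no known initialised prefix, and dumping rq->outputsize bytes of it reads uninitialised page-cache memory straight into the log.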
--
2.39.3


2023-12-28 01:11:46

by syzbot

Subject: Re: [syzbot] [erofs?] KMSAN: uninit-value in z_erofs_lz4_decompress (2)

For archival purposes, forwarding an incoming command email to
[email protected].

***

Subject: [erofs?] KMSAN: uninit-value in z_erofs_lz4_decompress (2)
Author: [email protected]

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git fbafc3e621c3

diff --git a/lib/hexdump.c b/lib/hexdump.c
index 06833d404398..68b30bf6c6a3 100644
--- a/lib/hexdump.c
+++ b/lib/hexdump.c
@@ -263,12 +263,14 @@ void print_hex_dump(const char *level, const char *prefix_str, int prefix_type,
const void *buf, size_t len, bool ascii)
{
const u8 *ptr = buf;
- int i, linelen, remaining = len;
+ int i, linelen, remaining;
unsigned char linebuf[32 * 3 + 2 + 32 + 1];

if (rowsize != 16 && rowsize != 32)
rowsize = 16;

+ len = len > sizeof(linebuf) ? sizeof(linebuf) : len;
+ remaining = len;
for (i = 0; i < len; i += rowsize) {
linelen = min(remaining, rowsize);
remaining -= rowsize;
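Review bot: clamping `len` to sizeof(linebuf) (131 bytes) inside the generic print_hex_dump() silently truncates every caller in the kernel and still does not address the report, because the uninitialised bytes live in the source buffer `buf`, which hex_dump_to_buffer() reads at lib/hexdump.c:194 however short the dump is; the fix belongs at the erofs call site, which is the only place that could know how much of `out` was written. Also, `len` is size_t while `remaining` is int, so `remaining = len` now mixes signedness one line later; if a clamp were kept, `remaining` should become size_t too.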

2023-12-28 01:30:16

by Yue Hu

Subject: Re: [PATCH] erofs: avoid debugging output for (de)compressed data

On Wed, 27 Dec 2023 23:19:03 +0800
Gao Xiang <[email protected]> wrote:

> Syzbot reported a KMSAN warning,
> erofs: (device loop0): z_erofs_lz4_decompress_mem: failed to decompress -12 in[46, 4050] out[917]
> =====================================================
> BUG: KMSAN: uninit-value in hex_dump_to_buffer+0xae9/0x10f0 lib/hexdump.c:194
> ..
> print_hex_dump+0x13d/0x3e0 lib/hexdump.c:276
> z_erofs_lz4_decompress_mem fs/erofs/decompressor.c:252 [inline]
> z_erofs_lz4_decompress+0x257e/0x2a70 fs/erofs/decompressor.c:311
> z_erofs_decompress_pcluster fs/erofs/zdata.c:1290 [inline]
> z_erofs_decompress_queue+0x338c/0x6460 fs/erofs/zdata.c:1372
> z_erofs_runqueue+0x36cd/0x3830
> z_erofs_read_folio+0x435/0x810 fs/erofs/zdata.c:1843
>
> The root cause is that the printed decompressed buffer may be filled
> incompletely due to decompression failure. Since they were once only
> used for debugging, get rid of them now.
>
> Reported-by: [email protected]
> Closes: https://lore.kernel.org/r/[email protected]
> Signed-off-by: Gao Xiang <[email protected]>

Reviewed-by: Yue Hu <[email protected]>

2023-12-28 03:36:27

by Gao Xiang

Subject: Re: [syzbot] [erofs?] KMSAN: uninit-value in z_erofs_lz4_decompress (2)

#syz test git://git.kernel.org/pub/scm/linux/kernel/git/xiang/erofs.git dev-test

2023-12-28 03:46:05

by syzbot

Subject: Re: [syzbot] [erofs?] KMSAN: uninit-value in z_erofs_lz4_decompress (2)

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KMSAN: uninit-value in z_erofs_lz4_decompress

erofs: (device loop0): mounted with root inode @ nid 36.
erofs: (device loop0): z_erofs_lz4_decompress_mem: failed to decompress -12 in[46, 4050] out[917]
=====================================================
BUG: KMSAN: uninit-value in hex_dump_to_buffer+0xae9/0x10f0 lib/hexdump.c:194
hex_dump_to_buffer+0xae9/0x10f0 lib/hexdump.c:194
print_hex_dump+0x14c/0x3d0 lib/hexdump.c:278
z_erofs_lz4_decompress_mem fs/erofs/decompressor.c:252 [inline]
z_erofs_lz4_decompress+0x257e/0x2a70 fs/erofs/decompressor.c:311
z_erofs_decompress_pcluster fs/erofs/zdata.c:1290 [inline]
z_erofs_decompress_queue+0x338c/0x6460 fs/erofs/zdata.c:1372
z_erofs_runqueue+0x36cd/0x3830
z_erofs_read_folio+0x435/0x810 fs/erofs/zdata.c:1843
filemap_read_folio+0xce/0x370 mm/filemap.c:2323
do_read_cache_folio+0x3b4/0x11e0 mm/filemap.c:3691
read_cache_folio+0x60/0x80 mm/filemap.c:3723
erofs_bread+0x286/0x6f0 fs/erofs/data.c:46
erofs_find_target_block fs/erofs/namei.c:103 [inline]
erofs_namei+0x2fe/0x1790 fs/erofs/namei.c:177
erofs_lookup+0x100/0x3c0 fs/erofs/namei.c:206
lookup_one_qstr_excl+0x233/0x520 fs/namei.c:1609
filename_create+0x2fc/0x6d0 fs/namei.c:3876
do_mkdirat+0x69/0x800 fs/namei.c:4121
__do_sys_mkdirat fs/namei.c:4144 [inline]
__se_sys_mkdirat fs/namei.c:4142 [inline]
__x64_sys_mkdirat+0xc8/0x120 fs/namei.c:4142
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b

Uninit was created at:
__alloc_pages+0x9a4/0xe00 mm/page_alloc.c:4591
alloc_pages_mpol+0x62b/0x9d0 mm/mempolicy.c:2133
alloc_pages mm/mempolicy.c:2204 [inline]
folio_alloc+0x1da/0x380 mm/mempolicy.c:2211
filemap_alloc_folio+0xa5/0x430 mm/filemap.c:974
do_read_cache_folio+0x163/0x11e0 mm/filemap.c:3655
read_cache_folio+0x60/0x80 mm/filemap.c:3723
erofs_bread+0x286/0x6f0 fs/erofs/data.c:46
erofs_find_target_block fs/erofs/namei.c:103 [inline]
erofs_namei+0x2fe/0x1790 fs/erofs/namei.c:177
erofs_lookup+0x100/0x3c0 fs/erofs/namei.c:206
lookup_one_qstr_excl+0x233/0x520 fs/namei.c:1609
filename_create+0x2fc/0x6d0 fs/namei.c:3876
do_mkdirat+0x69/0x800 fs/namei.c:4121
__do_sys_mkdirat fs/namei.c:4144 [inline]
__se_sys_mkdirat fs/namei.c:4142 [inline]
__x64_sys_mkdirat+0xc8/0x120 fs/namei.c:4142
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b

CPU: 1 PID: 5483 Comm: syz-executor.0 Not tainted 6.7.0-rc7-syzkaller-00003-gfbafc3e621c3-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
=====================================================


Tested on:

commit: fbafc3e6 Merge tag 'for_linus' of git://git.kernel.org..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=167c416ee80000
kernel config: https://syzkaller.appspot.com/x/.config?x=e0c7078a6b901aa3
dashboard link: https://syzkaller.appspot.com/bug?extid=6c746eea496f34b3161d
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1576ce6ee80000


2023-12-28 04:23:20

by syzbot

Subject: Re: [syzbot] [erofs?] KMSAN: uninit-value in z_erofs_lz4_decompress (2)

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: [email protected]

Tested on:

commit: 94da00a0 erofs: avoid debugging output for (de)compres..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/xiang/erofs.git dev-test
console output: https://syzkaller.appspot.com/x/log.txt?x=13715b95e80000
kernel config: https://syzkaller.appspot.com/x/.config?x=f711bc2a7eb1db25
dashboard link: https://syzkaller.appspot.com/bug?extid=6c746eea496f34b3161d
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40

Note: no patches were applied.
Note: testing is done by a robot and is best-effort only.

2023-12-28 05:57:00

by syzbot

Subject: Re: [syzbot] [erofs?] KMSAN: uninit-value in z_erofs_lz4_decompress (2)

For archival purposes, forwarding an incoming command email to
[email protected].

***

Subject: [erofs?] KMSAN: uninit-value in z_erofs_lz4_decompress (2)
Author: [email protected]

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git fbafc3e621c3

diff --git a/lib/hexdump.c b/lib/hexdump.c
index 06833d404398..e146b1bf73dc 100644
--- a/lib/hexdump.c
+++ b/lib/hexdump.c
@@ -264,7 +264,7 @@ void print_hex_dump(const char *level, const char *prefix_str, int prefix_type,
{
const u8 *ptr = buf;
int i, linelen, remaining = len;
- unsigned char linebuf[32 * 3 + 2 + 32 + 1];
+ unsigned char linebuf[32 * 3 + 2 + 32 + 1] = "";

if (rowsize != 16 && rowsize != 32)
rowsize = 16;
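Review bot: initialising `linebuf` to "" zeroes only the scratch buffer that hex_dump_to_buffer() writes into, not the input `buf` it reads from, so KMSAN will still flag the uninitialised source bytes at lib/hexdump.c:194, the very frame the report points at. This is a no-op for the bug; the dump length, or the dump itself, has to be fixed on the erofs side.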

2023-12-28 06:17:14

by syzbot

Subject: Re: [syzbot] [erofs?] KMSAN: uninit-value in z_erofs_lz4_decompress (2)

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KMSAN: uninit-value in z_erofs_lz4_decompress

loop0: detected capacity change from 0 to 16
erofs: (device loop0): mounted with root inode @ nid 36.
erofs: (device loop0): z_erofs_lz4_decompress_mem: failed to decompress -12 in[46, 4050] out[917]
=====================================================
BUG: KMSAN: uninit-value in hex_dump_to_buffer+0xae9/0x10f0 lib/hexdump.c:194
hex_dump_to_buffer+0xae9/0x10f0 lib/hexdump.c:194
print_hex_dump+0x14f/0x3f0 lib/hexdump.c:276
z_erofs_lz4_decompress_mem fs/erofs/decompressor.c:252 [inline]
z_erofs_lz4_decompress+0x257e/0x2a70 fs/erofs/decompressor.c:311
z_erofs_decompress_pcluster fs/erofs/zdata.c:1290 [inline]
z_erofs_decompress_queue+0x338c/0x6460 fs/erofs/zdata.c:1372
z_erofs_runqueue+0x36cd/0x3830
z_erofs_read_folio+0x435/0x810 fs/erofs/zdata.c:1843
filemap_read_folio+0xce/0x370 mm/filemap.c:2323
do_read_cache_folio+0x3b4/0x11e0 mm/filemap.c:3691
read_cache_folio+0x60/0x80 mm/filemap.c:3723
erofs_bread+0x286/0x6f0 fs/erofs/data.c:46
erofs_find_target_block fs/erofs/namei.c:103 [inline]
erofs_namei+0x2fe/0x1790 fs/erofs/namei.c:177
erofs_lookup+0x100/0x3c0 fs/erofs/namei.c:206
lookup_one_qstr_excl+0x233/0x520 fs/namei.c:1609
filename_create+0x2fc/0x6d0 fs/namei.c:3876
do_mkdirat+0x69/0x800 fs/namei.c:4121
__do_sys_mkdirat fs/namei.c:4144 [inline]
__se_sys_mkdirat fs/namei.c:4142 [inline]
__x64_sys_mkdirat+0xc8/0x120 fs/namei.c:4142
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b

Uninit was created at:
__alloc_pages+0x9a4/0xe00 mm/page_alloc.c:4591
alloc_pages_mpol+0x62b/0x9d0 mm/mempolicy.c:2133
alloc_pages mm/mempolicy.c:2204 [inline]
folio_alloc+0x1da/0x380 mm/mempolicy.c:2211
filemap_alloc_folio+0xa5/0x430 mm/filemap.c:974
do_read_cache_folio+0x163/0x11e0 mm/filemap.c:3655
read_cache_folio+0x60/0x80 mm/filemap.c:3723
erofs_bread+0x286/0x6f0 fs/erofs/data.c:46
erofs_find_target_block fs/erofs/namei.c:103 [inline]
erofs_namei+0x2fe/0x1790 fs/erofs/namei.c:177
erofs_lookup+0x100/0x3c0 fs/erofs/namei.c:206
lookup_one_qstr_excl+0x233/0x520 fs/namei.c:1609
filename_create+0x2fc/0x6d0 fs/namei.c:3876
do_mkdirat+0x69/0x800 fs/namei.c:4121
__do_sys_mkdirat fs/namei.c:4144 [inline]
__se_sys_mkdirat fs/namei.c:4142 [inline]
__x64_sys_mkdirat+0xc8/0x120 fs/namei.c:4142
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b

CPU: 1 PID: 5491 Comm: syz-executor.0 Not tainted 6.7.0-rc7-syzkaller-00003-gfbafc3e621c3-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
=====================================================


Tested on:

commit: fbafc3e6 Merge tag 'for_linus' of git://git.kernel.org..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=1101d8f6e80000
kernel config: https://syzkaller.appspot.com/x/.config?x=e0c7078a6b901aa3
dashboard link: https://syzkaller.appspot.com/bug?extid=6c746eea496f34b3161d
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=118f5f9ee80000


2023-12-28 13:54:15

by syzbot

Subject: Re: [syzbot] Re: [syzbot] [erofs?] KMSAN: uninit-value in z_erofs_lz4_decompress (2)

For archival purposes, forwarding an incoming command email to
[email protected].

***

Subject: Re: [syzbot] [erofs?] KMSAN: uninit-value in z_erofs_lz4_decompress (2)
Author: [email protected]

please test uninit-value in z_erofs_lz4_decompress (2)

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git fbafc3e621c3

diff --git a/fs/erofs/decompressor.c b/fs/erofs/decompressor.c
index 021be5feb1bc..1c19731c8fc6 100644
--- a/fs/erofs/decompressor.c
+++ b/fs/erofs/decompressor.c
@@ -250,7 +250,7 @@ static int z_erofs_lz4_decompress_mem(struct z_erofs_lz4_decompress_ctx *ctx,
print_hex_dump(KERN_DEBUG, "[ in]: ", DUMP_PREFIX_OFFSET,
16, 1, src + inputmargin, rq->inputsize, true);
print_hex_dump(KERN_DEBUG, "[out]: ", DUMP_PREFIX_OFFSET,
- 16, 1, out, rq->outputsize, true);
+ 16, 1, out, ret > 0 ? ret : rq->outputsize, true);

if (ret >= 0)
memset(out + ret, 0, rq->outputsize - ret);
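Review bot: `ret > 0 ? ret : rq->outputsize` leaves the failure path unchanged: the report shows ret == -12, so the condition is false and the full rq->outputsize (917) bytes of `out` are still dumped. The expression only shortens the dump for a short-but-successful decode (0 < ret < outputsize), which is not the case KMSAN hit. On failure there is no count of bytes written to `out`, so the safe choice is to dump the input only, or nothing at all.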


2023-12-28 14:08:57

by syzbot

Subject: Re: [syzbot] Re: [syzbot] [erofs?] KMSAN: uninit-value in z_erofs_lz4_decompress (2)

For archival purposes, forwarding an incoming command email to
[email protected].

***

Subject: Re: [syzbot] [erofs?] KMSAN: uninit-value in z_erofs_lz4_decompress (2)
Author: [email protected]

please test uninit-value in z_erofs_lz4_decompress (2)

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git fbafc3e621c3

diff --git a/fs/erofs/decompressor.c b/fs/erofs/decompressor.c
index 021be5feb1bc..c0983c3db77f 100644
--- a/fs/erofs/decompressor.c
+++ b/fs/erofs/decompressor.c
@@ -250,7 +250,8 @@ static int z_erofs_lz4_decompress_mem(struct z_erofs_lz4_decompress_ctx *ctx,
print_hex_dump(KERN_DEBUG, "[ in]: ", DUMP_PREFIX_OFFSET,
16, 1, src + inputmargin, rq->inputsize, true);
print_hex_dump(KERN_DEBUG, "[out]: ", DUMP_PREFIX_OFFSET,
- 16, 1, out, rq->outputsize, true);
+ 16, 1, out, ret < 0 ? min_t(unsigned int,
+ rq->outputsize, rq->inputsize) : rq->outputsize, true);

if (ret >= 0)
memset(out + ret, 0, rq->outputsize - ret);
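Review bot: `min_t(unsigned int, rq->outputsize, rq->inputsize)` picks 46 bytes for the reported request (in[46], out[917]), but the number of bytes the LZ4 decoder wrote to `out` before failing is not bounded by rq->inputsize: a decoder can fail before producing anything, and once it has produced output the output normally expands, so the first 46 bytes of `out` may be entirely uninitialised or all initialised with no way to tell. The length has to come from what the decoder actually produced, which the negative return value does not provide.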


2023-12-28 14:32:20

by syzbot

Subject: Re: [syzbot] [erofs?] KMSAN: uninit-value in z_erofs_lz4_decompress (2)

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KMSAN: uninit-value in z_erofs_lz4_decompress

loop0: detected capacity change from 0 to 16
erofs: (device loop0): mounted with root inode @ nid 36.
erofs: (device loop0): z_erofs_lz4_decompress_mem: failed to decompress -12 in[46, 4050] out[917]
=====================================================
BUG: KMSAN: uninit-value in hex_dump_to_buffer+0xae9/0x10f0 lib/hexdump.c:194
hex_dump_to_buffer+0xae9/0x10f0 lib/hexdump.c:194
print_hex_dump+0x13d/0x3e0 lib/hexdump.c:276
z_erofs_lz4_decompress_mem fs/erofs/decompressor.c:252 [inline]
z_erofs_lz4_decompress+0x2624/0x2b30 fs/erofs/decompressor.c:311
z_erofs_decompress_pcluster fs/erofs/zdata.c:1290 [inline]
z_erofs_decompress_queue+0x338c/0x6460 fs/erofs/zdata.c:1372
z_erofs_runqueue+0x36cd/0x3830
z_erofs_read_folio+0x435/0x810 fs/erofs/zdata.c:1843
filemap_read_folio+0xce/0x370 mm/filemap.c:2323
do_read_cache_folio+0x3b4/0x11e0 mm/filemap.c:3691
read_cache_folio+0x60/0x80 mm/filemap.c:3723
erofs_bread+0x286/0x6f0 fs/erofs/data.c:46
erofs_find_target_block fs/erofs/namei.c:103 [inline]
erofs_namei+0x2fe/0x1790 fs/erofs/namei.c:177
erofs_lookup+0x100/0x3c0 fs/erofs/namei.c:206
lookup_one_qstr_excl+0x233/0x520 fs/namei.c:1609
filename_create+0x2fc/0x6d0 fs/namei.c:3876
do_mkdirat+0x69/0x800 fs/namei.c:4121
__do_sys_mkdirat fs/namei.c:4144 [inline]
__se_sys_mkdirat fs/namei.c:4142 [inline]
__x64_sys_mkdirat+0xc8/0x120 fs/namei.c:4142
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b

Uninit was created at:
__alloc_pages+0x9a4/0xe00 mm/page_alloc.c:4591
alloc_pages_mpol+0x62b/0x9d0 mm/mempolicy.c:2133
alloc_pages mm/mempolicy.c:2204 [inline]
folio_alloc+0x1da/0x380 mm/mempolicy.c:2211
filemap_alloc_folio+0xa5/0x430 mm/filemap.c:974
do_read_cache_folio+0x163/0x11e0 mm/filemap.c:3655
read_cache_folio+0x60/0x80 mm/filemap.c:3723
erofs_bread+0x286/0x6f0 fs/erofs/data.c:46
erofs_find_target_block fs/erofs/namei.c:103 [inline]
erofs_namei+0x2fe/0x1790 fs/erofs/namei.c:177
erofs_lookup+0x100/0x3c0 fs/erofs/namei.c:206
lookup_one_qstr_excl+0x233/0x520 fs/namei.c:1609
filename_create+0x2fc/0x6d0 fs/namei.c:3876
do_mkdirat+0x69/0x800 fs/namei.c:4121
__do_sys_mkdirat fs/namei.c:4144 [inline]
__se_sys_mkdirat fs/namei.c:4142 [inline]
__x64_sys_mkdirat+0xc8/0x120 fs/namei.c:4142
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b

CPU: 0 PID: 5477 Comm: syz-executor.0 Not tainted 6.7.0-rc7-syzkaller-00003-gfbafc3e621c3-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
=====================================================


Tested on:

commit: fbafc3e6 Merge tag 'for_linus' of git://git.kernel.org..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=14751455e80000
kernel config: https://syzkaller.appspot.com/x/.config?x=e0c7078a6b901aa3
dashboard link: https://syzkaller.appspot.com/bug?extid=6c746eea496f34b3161d
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=128ea2a1e80000


2023-12-28 15:10:37

by syzbot

Subject: Re: [syzbot] [erofs?] KMSAN: uninit-value in z_erofs_lz4_decompress (2)

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KMSAN: uninit-value in z_erofs_lz4_decompress

loop0: detected capacity change from 0 to 16
erofs: (device loop0): mounted with root inode @ nid 36.
erofs: (device loop0): z_erofs_lz4_decompress_mem: failed to decompress -12 in[46, 4050] out[917]
=====================================================
BUG: KMSAN: uninit-value in hex_dump_to_buffer+0xae9/0x10f0 lib/hexdump.c:194
hex_dump_to_buffer+0xae9/0x10f0 lib/hexdump.c:194
print_hex_dump+0x13d/0x3e0 lib/hexdump.c:276
z_erofs_lz4_decompress_mem fs/erofs/decompressor.c:252 [inline]
z_erofs_lz4_decompress+0x28d0/0x2ae0 fs/erofs/decompressor.c:312
z_erofs_decompress_pcluster fs/erofs/zdata.c:1290 [inline]
z_erofs_decompress_queue+0x338c/0x6460 fs/erofs/zdata.c:1372
z_erofs_runqueue+0x36cd/0x3830
z_erofs_read_folio+0x435/0x810 fs/erofs/zdata.c:1843
filemap_read_folio+0xce/0x370 mm/filemap.c:2323
do_read_cache_folio+0x3b4/0x11e0 mm/filemap.c:3691
read_cache_folio+0x60/0x80 mm/filemap.c:3723
erofs_bread+0x286/0x6f0 fs/erofs/data.c:46
erofs_find_target_block fs/erofs/namei.c:103 [inline]
erofs_namei+0x2fe/0x1790 fs/erofs/namei.c:177
erofs_lookup+0x100/0x3c0 fs/erofs/namei.c:206
lookup_one_qstr_excl+0x233/0x520 fs/namei.c:1609
filename_create+0x2fc/0x6d0 fs/namei.c:3876
do_mkdirat+0x69/0x800 fs/namei.c:4121
__do_sys_mkdirat fs/namei.c:4144 [inline]
__se_sys_mkdirat fs/namei.c:4142 [inline]
__x64_sys_mkdirat+0xc8/0x120 fs/namei.c:4142
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b

Uninit was created at:
__alloc_pages+0x9a4/0xe00 mm/page_alloc.c:4591
alloc_pages_mpol+0x62b/0x9d0 mm/mempolicy.c:2133
alloc_pages mm/mempolicy.c:2204 [inline]
folio_alloc+0x1da/0x380 mm/mempolicy.c:2211
filemap_alloc_folio+0xa5/0x430 mm/filemap.c:974
do_read_cache_folio+0x163/0x11e0 mm/filemap.c:3655
read_cache_folio+0x60/0x80 mm/filemap.c:3723
erofs_bread+0x286/0x6f0 fs/erofs/data.c:46
erofs_find_target_block fs/erofs/namei.c:103 [inline]
erofs_namei+0x2fe/0x1790 fs/erofs/namei.c:177
erofs_lookup+0x100/0x3c0 fs/erofs/namei.c:206
lookup_one_qstr_excl+0x233/0x520 fs/namei.c:1609
filename_create+0x2fc/0x6d0 fs/namei.c:3876
do_mkdirat+0x69/0x800 fs/namei.c:4121
__do_sys_mkdirat fs/namei.c:4144 [inline]
__se_sys_mkdirat fs/namei.c:4142 [inline]
__x64_sys_mkdirat+0xc8/0x120 fs/namei.c:4142
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b

CPU: 1 PID: 5487 Comm: syz-executor.0 Not tainted 6.7.0-rc7-syzkaller-00003-gfbafc3e621c3-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
=====================================================


Tested on:

commit: fbafc3e6 Merge tag 'for_linus' of git://git.kernel.org..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=12bcb509e80000
kernel config: https://syzkaller.appspot.com/x/.config?x=e0c7078a6b901aa3
dashboard link: https://syzkaller.appspot.com/bug?extid=6c746eea496f34b3161d
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=16888cb5e80000


2023-12-28 22:12:35

by syzbot

Subject: Re: [syzbot] Re: [syzbot] [erofs?] KMSAN: uninit-value in z_erofs_lz4_decompress (2)

For archival purposes, forwarding an incoming command email to
[email protected].

***

Subject: Re: [syzbot] [erofs?] KMSAN: uninit-value in z_erofs_lz4_decompress (2)
Author: [email protected]

please test uninit-value in z_erofs_lz4_decompress (2)

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git fbafc3e621c3

diff --git a/fs/erofs/decompressor.c b/fs/erofs/decompressor.c
index 021be5feb1bc..f4cc77e3255f 100644
--- a/fs/erofs/decompressor.c
+++ b/fs/erofs/decompressor.c
@@ -250,7 +250,8 @@ static int z_erofs_lz4_decompress_mem(struct z_erofs_lz4_decompress_ctx *ctx,
print_hex_dump(KERN_DEBUG, "[ in]: ", DUMP_PREFIX_OFFSET,
16, 1, src + inputmargin, rq->inputsize, true);
print_hex_dump(KERN_DEBUG, "[out]: ", DUMP_PREFIX_OFFSET,
- 16, 1, out, rq->outputsize, true);
+ 16, 1, out, ret < 0 ? (ret + rq->inputsize) :
+ rq->outputsize, true);

if (ret >= 0)
memset(out + ret, 0, rq->outputsize - ret);
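Review bot: `ret + rq->inputsize` is `int + unsigned int`, so the sum is evaluated unsigned; should the decoder ever report a failure offset larger than rq->inputsize the expression wraps to a value near UINT_MAX and print_hex_dump() walks far past `out`. For the reported request it evaluates to -12 + 46 = 34, but LZ4's negative return is derived from the input pointer (the `ip - src` formula quoted later in this thread) and says where the decoder stopped reading, not how many bytes it wrote to `out`; that those 34 bytes happen to be initialised for this reproducer is a coincidence, not a property of the format. Drop the dump on failure rather than relying on it.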


2023-12-29 00:33:13

by syzbot

Subject: Re: [syzbot] [erofs?] KMSAN: uninit-value in z_erofs_lz4_decompress (2)

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: [email protected]

Tested on:

commit: fbafc3e6 Merge tag 'for_linus' of git://git.kernel.org..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=132559bee80000
kernel config: https://syzkaller.appspot.com/x/.config?x=e0c7078a6b901aa3
dashboard link: https://syzkaller.appspot.com/bug?extid=6c746eea496f34b3161d
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=12db5255e80000

Note: testing is done by a robot and is best-effort only.

2023-12-29 11:14:57

by Edward Adam Davis

Subject: [PATCH] erofs: fix uninit-value in z_erofs_lz4_decompress

When LZ4 decompression fails, the number of bytes read from out should be
inputsize plus the returned overflow value ret.

Reported-and-tested-by: [email protected]
Signed-off-by: Edward Adam Davis <[email protected]>
---
fs/erofs/decompressor.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/fs/erofs/decompressor.c b/fs/erofs/decompressor.c
index 021be5feb1bc..8ac3f96676c4 100644
--- a/fs/erofs/decompressor.c
+++ b/fs/erofs/decompressor.c
@@ -250,7 +250,8 @@ static int z_erofs_lz4_decompress_mem(struct z_erofs_lz4_decompress_ctx *ctx,
print_hex_dump(KERN_DEBUG, "[ in]: ", DUMP_PREFIX_OFFSET,
16, 1, src + inputmargin, rq->inputsize, true);
print_hex_dump(KERN_DEBUG, "[out]: ", DUMP_PREFIX_OFFSET,
- 16, 1, out, rq->outputsize, true);
+ 16, 1, out, (ret < 0 && rq->inputsize > 0) ?
+ (ret + rq->inputsize) : rq->outputsize, true);

if (ret >= 0)
memset(out + ret, 0, rq->outputsize - ret);
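Review bot: the added `rq->inputsize > 0` guard does not keep `ret + rq->inputsize` from going below zero; when `-ret` exceeds rq->inputsize the `int + unsigned int` arithmetic wraps and print_hex_dump() is handed a length near UINT_MAX, reading far beyond `out`. The commit message's premise is also off: LZ4's negative return is computed from the input pointer (`ip - src`), so it records where the decoder stopped reading, not how many bytes it wrote to `out`, and the two are unrelated once a sequence has been partially expanded. Since the debugging dumps were already removed by the earlier patch in this thread, which syzbot tested clean, this change should be dropped rather than reworked.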
--
2.43.0


2023-12-31 01:14:34

by Gao Xiang

Subject: Re: [PATCH] erofs: fix uninit-value in z_erofs_lz4_decompress



On 2023/12/29 19:09, Edward Adam Davis wrote:
> When LZ4 decompression fails, the number of bytes read from out should be
> inputsize plus the returned overflow value ret.
>
> Reported-and-tested-by: [email protected]
> Signed-off-by: Edward Adam Davis <[email protected]>
> ---
> fs/erofs/decompressor.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/fs/erofs/decompressor.c b/fs/erofs/decompressor.c
> index 021be5feb1bc..8ac3f96676c4 100644
> --- a/fs/erofs/decompressor.c
> +++ b/fs/erofs/decompressor.c
> @@ -250,7 +250,8 @@ static int z_erofs_lz4_decompress_mem(struct z_erofs_lz4_decompress_ctx *ctx,
> print_hex_dump(KERN_DEBUG, "[ in]: ", DUMP_PREFIX_OFFSET,
> 16, 1, src + inputmargin, rq->inputsize, true);
> print_hex_dump(KERN_DEBUG, "[out]: ", DUMP_PREFIX_OFFSET,
> - 16, 1, out, rq->outputsize, true);
> + 16, 1, out, (ret < 0 && rq->inputsize > 0) ?
> + (ret + rq->inputsize) : rq->outputsize, true);

It's incorrect since the output decompressed buffer has no relationship
with `rq->inputsize`, and `ret + rq->inputsize` is meaningless too.

Also, the issue was already fixed by avoiding debugging messages as
https://lore.kernel.org/r/[email protected]

Thanks,
Gao Xiang

2023-12-31 02:32:44

by Edward Adam Davis

Subject: Re: [PATCH] erofs: fix uninit-value in z_erofs_lz4_decompress

On Sun, 31 Dec 2023 09:14:11 +0800, Gao Xiang wrote:
> > When LZ4 decompression fails, the number of bytes read from out should be
> > inputsize plus the returned overflow value ret.
> >
> > Reported-and-tested-by: [email protected]
> > Signed-off-by: Edward Adam Davis <[email protected]>
> > ---
> > fs/erofs/decompressor.c | 3 ++-
> > 1 file changed, 2 insertions(+), 1 deletion(-)
> >
> > diff --git a/fs/erofs/decompressor.c b/fs/erofs/decompressor.c
> > index 021be5feb1bc..8ac3f96676c4 100644
> > --- a/fs/erofs/decompressor.c
> > +++ b/fs/erofs/decompressor.c
> > @@ -250,7 +250,8 @@ static int z_erofs_lz4_decompress_mem(struct z_erofs_lz4_decompress_ctx *ctx,
> > print_hex_dump(KERN_DEBUG, "[ in]: ", DUMP_PREFIX_OFFSET,
> > 16, 1, src + inputmargin, rq->inputsize, true);
> > print_hex_dump(KERN_DEBUG, "[out]: ", DUMP_PREFIX_OFFSET,
> > - 16, 1, out, rq->outputsize, true);
> > + 16, 1, out, (ret < 0 && rq->inputsize > 0) ?
> > + (ret + rq->inputsize) : rq->outputsize, true);
>
> It's incorrect since the output decompressed buffer has no relationship
> with `rq->inputsize`, and `ret + rq->inputsize` is meaningless too.
In this case, the value of ret is -12.
When LZ4_decompress_generic() fails, it will return "return (int) (- ((const char *) ip) - src) -1;"

Therefore, it can be clearly stated that the decompression has been carried out
to the 11 bytes of src, so reading the value of the first 11 bytes of out is
effective. Therefore, my patch should be more accurate as follows:
- 16, 1, out, rq->outputsize, true);
+ 16, 1, out, (ret < 0 && rq->inputsize > 0) ?
+ (0 - ret) : rq->outputsize, true);
>
> Also, the issue was already fixed by avoiding debugging messages as
> https://lore.kernel.org/r/[email protected]
This just deleted the output.

BR,
Edward
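The thread argues over which length, if any, is safe to hand to print_hex_dump() for the output buffer once the decoder has failed. The following is an added example, not kernel code and not from any of the posters: a constructed toy "literal run" decoder that copies the input-relative error convention quoted above for LZ4_decompress_generic() (failure returns -(input offset) - 1) while separately tracking how many output bytes it really wrote, which is exactly the number the kernel caller does not have. The struct `toy_req`, the functions and the sample inputs are hypothetical; only the four candidate length expressions are taken from the patches in the thread. Sizes 46 and 917 in `page_request_len()` come from the syzbot log line.

```c
/*
 * Added example (not kernel code): how many uninitialised bytes of `out`
 * each dump length proposed in this thread would read after a failed decode.
 */
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the erofs request fields the patches refer to. */
struct toy_req {
	unsigned int inputsize;
	unsigned int outputsize;
};

/*
 * Constructed format: runs of [count][count literal bytes]. A zero count, a run
 * past the end of the input or a run past the end of the output is corruption.
 * Like the LZ4 convention quoted in the thread, failure returns -(ip) - 1, an
 * *input* offset; the bytes actually produced are reported through *written.
 */
static int toy_decompress(const uint8_t *src, unsigned int inputsize,
			  uint8_t *out, unsigned int outputsize,
			  unsigned int *written)
{
	unsigned int ip = 0, op = 0;

	while (ip < inputsize) {
		unsigned int n = src[ip];

		if (n == 0 || ip + 1 + n > inputsize || op + n > outputsize)
			break;
		memcpy(out + op, src + ip + 1, n);
		op += n;
		ip += 1 + n;
	}
	*written = op;
	if (ip < inputsize)
		return -(int)ip - 1;	/* failure: input position, not output count */
	return (int)op;			/* success: bytes written */
}

/* The dump lengths proposed for the failure path in this thread. */
enum proposal {
	DUMP_OUTPUTSIZE,	/* original code: rq->outputsize */
	DUMP_MIN_IN_OUT,	/* min_t(unsigned int, outputsize, inputsize) */
	DUMP_RET_PLUS_IN,	/* ret + rq->inputsize */
	DUMP_NEG_RET,		/* 0 - ret */
};

static size_t proposed_len(enum proposal p, int ret, const struct toy_req *rq)
{
	if (ret >= 0)
		return rq->outputsize;	/* every proposal keeps the success path */
	switch (p) {
	case DUMP_MIN_IN_OUT:
		return rq->inputsize < rq->outputsize ? rq->inputsize : rq->outputsize;
	case DUMP_RET_PLUS_IN:
		/* int + unsigned int is evaluated unsigned: a failure offset
		 * larger than inputsize wraps to a value near UINT_MAX. */
		return rq->inputsize > 0 ? (size_t)(ret + rq->inputsize) : rq->outputsize;
	case DUMP_NEG_RET:
		return rq->inputsize > 0 ? (size_t)(0 - ret) : rq->outputsize;
	case DUMP_OUTPUTSIZE:
	default:
		return rq->outputsize;
	}
}

/* Bytes a dump of the proposed length would read beyond what the decoder wrote. */
static size_t uninit_bytes_dumped(enum proposal p, const uint8_t *src,
				  unsigned int inputsize, unsigned int outputsize)
{
	uint8_t out[64];	/* deliberately not initialised, like the page-cache folio */
	struct toy_req rq = { inputsize, outputsize };
	unsigned int written = 0;
	size_t len;
	int ret;

	if (outputsize > sizeof(out))
		outputsize = rq.outputsize = sizeof(out);
	ret = toy_decompress(src, inputsize, out, outputsize, &written);
	len = proposed_len(p, ret, &rq);
	return len > written ? len - written : 0;
}

/* Evaluates a proposal for the in[46]/out[917] request from the syzbot log. */
static size_t page_request_len(enum proposal p, int ret)
{
	struct toy_req rq = { 46, 917 };
	return proposed_len(p, ret, &rq);
}

/* Constructed inputs: the first run decodes, the second token is corrupt. */
static const uint8_t sample_a[] = { 3, 'A', 'B', 'C', 9, 'D', 'E', 'F', 'G', 'H', 'I', 'J' };
static const uint8_t sample_b[] = { 2, 'A', 'B', 9, 'C' };

int main(void)
{
	static const char *names[] = { "outputsize", "min(in,out)", "ret+inputsize", "-ret" };
	enum proposal p;

	for (p = DUMP_OUTPUTSIZE; p <= DUMP_NEG_RET; p++)
		printf("%-14s sample_a: %zu uninit bytes, sample_b: %zu uninit bytes\n",
		       names[p],
		       uninit_bytes_dumped(p, sample_a, sizeof(sample_a), 32),
		       uninit_bytes_dumped(p, sample_b, sizeof(sample_b), 32));
	/* Hypothetical failure offset past the input end: the unsigned wrap. */
	printf("ret=-50 on in[46]: ret+inputsize -> %zu bytes\n",
	       page_request_len(DUMP_RET_PLUS_IN, -50));
	return 0;
}
```

For sample_a every proposal over-reads (29, 9, 4 and 2 uninitialised bytes respectively); for sample_b `ret + inputsize` happens to land below the written count while `-ret` still over-reads, which is the coincidence the reviewers point at: an input offset carries no information about the output prefix. Bytes nobody wrote are whatever the folio held before, so logging them is an information leak on top of the KMSAN report, which is why dropping the dump, as the merged patch does, is the sound fix.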