[syzbot] [bcachefs?] UBSAN: shift-out-of-bounds in __bch2_bkey_invalid

From: syzbot
Date: Sun May 05 2024 - 14:26:54 EST


Hello,

syzbot found the following issue on:

HEAD commit: 78186bd77b47 Merge branch 'for-next/mm-ryan-staging' into ..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=1258e8a7180000
kernel config: https://syzkaller.appspot.com/x/.config?x=5ee4da92608aba71
dashboard link: https://syzkaller.appspot.com/bug?extid=ae4dc916da3ce51f284f
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1074b908980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=156cad60980000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/6645ec7d501b/disk-78186bd7.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/0d272001bc0f/vmlinux-78186bd7.xz
kernel image: https://storage.googleapis.com/syzbot-assets/95e2c70cba6e/Image-78186bd7.gz.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/56d58dd39151/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ae4dc916da3ce51f284f@xxxxxxxxxxxxxxxxxxxxxxxxx

loop0: detected capacity change from 0 to 32768
bcachefs (loop0): mounting version 1.7: mi_btree_bitmap opts=metadata_checksum=none,data_checksum=none,nojournal_transaction_names
------------[ cut here ]------------
UBSAN: shift-out-of-bounds in fs/bcachefs/bkey_methods.c:174:2
shift exponent 255 is too large for 64-bit type 'unsigned long long'
CPU: 1 PID: 6237 Comm: syz-executor106 Not tainted 6.9.0-rc6-syzkaller-g78186bd77b47 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call trace:
dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:317
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:324
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:114
dump_stack+0x1c/0x28 lib/dump_stack.c:123
ubsan_epilogue lib/ubsan.c:231 [inline]
__ubsan_handle_shift_out_of_bounds+0x2f4/0x36c lib/ubsan.c:468
__bch2_bkey_invalid+0x630/0x64c fs/bcachefs/bkey_methods.c:174
bch2_bkey_invalid+0x58/0x1d8 fs/bcachefs/bkey_methods.c:230
journal_validate_key+0x5ec/0xc08 fs/bcachefs/journal_io.c:344
journal_entry_btree_root_validate+0x130/0x3c8 fs/bcachefs/journal_io.c:440
bch2_journal_entry_validate+0xb8/0xec fs/bcachefs/journal_io.c:823
bch2_sb_clean_validate_late fs/bcachefs/sb-clean.c:40 [inline]
bch2_read_superblock_clean+0x188/0x414 fs/bcachefs/sb-clean.c:168
bch2_fs_recovery+0x1b0/0x4854 fs/bcachefs/recovery.c:573
bch2_fs_start+0x30c/0x53c fs/bcachefs/super.c:1043
bch2_fs_open+0x8b4/0xb64 fs/bcachefs/super.c:2102
bch2_mount+0x558/0xe10 fs/bcachefs/fs.c:1903
legacy_get_tree+0xd4/0x16c fs/fs_context.c:662
vfs_get_tree+0x90/0x288 fs/super.c:1779
do_new_mount+0x278/0x900 fs/namespace.c:3352
path_mount+0x590/0xe04 fs/namespace.c:3679
do_mount fs/namespace.c:3692 [inline]
__do_sys_mount fs/namespace.c:3898 [inline]
__se_sys_mount fs/namespace.c:3875 [inline]
__arm64_sys_mount+0x45c/0x594 fs/namespace.c:3875
__invoke_syscall arch/arm64/kernel/syscall.c:34 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:48
el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:133
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:152
el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712
el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730
el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598
---[ end trace ]---
invalid journal entry, version=1.7: mi_btree_bitmap type=btree_root in superblock:
u64s 11 type 255 SPOS_MAX len 0 ver 0:
invalid key type for btree internal btree node ((unknown)), shutting down
bcachefs (loop0): inconsistency detected - emergency read only at journal seq 0
------------[ cut here ]------------
virt_to_phys used for non-linear address: fffffffffffff75e (0xfffffffffffff75e)
WARNING: CPU: 1 PID: 6237 at arch/arm64/mm/physaddr.c:15 __virt_to_phys+0xc4/0x138 arch/arm64/mm/physaddr.c:12
Modules linked in:
CPU: 1 PID: 6237 Comm: syz-executor106 Not tainted 6.9.0-rc6-syzkaller-g78186bd77b47 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : __virt_to_phys+0xc4/0x138 arch/arm64/mm/physaddr.c:12
lr : __virt_to_phys+0xc4/0x138 arch/arm64/mm/physaddr.c:12
sp : ffff80009ad06e00
x29: ffff80009ad06e00 x28: 1ffff000135a0e02 x27: fffffffffffff75e
x26: ffff80009ad07010 x25: ffff7000135a0df4 x24: dfff800000000000
x23: ffff0000df080000 x22: 000f600000000000 x21: 000000000000002d
x20: fffffffffffff75e x19: 000ffffffffff75e x18: 0000000000000008
x17: 6666783028206535 x16: ffff80008ae8863c x15: 0000000000000001
x14: 1fffe000367bd602 x13: 0000000000000000 x12: 0000000000000000
x11: 0000000000000002 x10: 0000000000ff0100 x9 : 6f3d61fbe7072c00
x8 : 6f3d61fbe7072c00 x7 : 0000000000000001 x6 : 0000000000000001
x5 : ffff80009ad06578 x4 : ffff80008ef850a0 x3 : ffff8000805e8270
x2 : 0000000000000001 x1 : 0000000100000000 x0 : 0000000000000000
Call trace:
__virt_to_phys+0xc4/0x138 arch/arm64/mm/physaddr.c:12
virt_to_phys arch/arm64/include/asm/memory.h:368 [inline]
virt_to_pfn arch/arm64/include/asm/memory.h:382 [inline]
virt_to_folio include/linux/mm.h:1306 [inline]
kfree+0xa4/0x3e8 mm/slub.c:4382
bch2_fs_recovery+0x32c/0x4854 fs/bcachefs/recovery.c:905
bch2_fs_start+0x30c/0x53c fs/bcachefs/super.c:1043
bch2_fs_open+0x8b4/0xb64 fs/bcachefs/super.c:2102
bch2_mount+0x558/0xe10 fs/bcachefs/fs.c:1903
legacy_get_tree+0xd4/0x16c fs/fs_context.c:662
vfs_get_tree+0x90/0x288 fs/super.c:1779
do_new_mount+0x278/0x900 fs/namespace.c:3352
path_mount+0x590/0xe04 fs/namespace.c:3679
do_mount fs/namespace.c:3692 [inline]
__do_sys_mount fs/namespace.c:3898 [inline]
__se_sys_mount fs/namespace.c:3875 [inline]
__arm64_sys_mount+0x45c/0x594 fs/namespace.c:3875
__invoke_syscall arch/arm64/kernel/syscall.c:34 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:48
el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:133
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:152
el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712
el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730
el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598
irq event stamp: 76314
hardirqs last enabled at (76313): [<ffff800080375438>] __up_console_sem kernel/printk/printk.c:341 [inline]
hardirqs last enabled at (76313): [<ffff800080375438>] __console_unlock kernel/printk/printk.c:2731 [inline]
hardirqs last enabled at (76313): [<ffff800080375438>] console_unlock+0x17c/0x3d4 kernel/printk/printk.c:3050
hardirqs last disabled at (76314): [<ffff80008ae83a88>] el1_dbg+0x24/0x80 arch/arm64/kernel/entry-common.c:470
softirqs last enabled at (76276): [<ffff8000800218e4>] softirq_handle_end kernel/softirq.c:400 [inline]
softirqs last enabled at (76276): [<ffff8000800218e4>] __do_softirq+0xb10/0xd2c kernel/softirq.c:583
softirqs last disabled at (76247): [<ffff80008002ad34>] ____do_softirq+0x14/0x20 arch/arm64/kernel/irq.c:81
---[ end trace 0000000000000000 ]---
Unable to handle kernel paging request at virtual address ffffffffc37affc8
KASAN: maybe wild-memory-access in range [0x0003fffe1bd7fe40-0x0003fffe1bd7fe47]
Mem abort info:
ESR = 0x0000000096000006
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x06: level 2 translation fault
Data abort info:
ISV = 0, ISS = 0x00000006, ISS2 = 0x00000000
CM = 0, WnR = 0, TnD = 0, TagAccess = 0
GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
swapper pgtable: 4k pages, 48-bit VAs, pgdp=00000001ad5df000
[ffffffffc37affc8] pgd=0000000000000000, p4d=00000001b0db9003, pud=00000001b0dba003, pmd=0000000000000000
Internal error: Oops: 0000000096000006 [#1] PREEMPT SMP
Modules linked in:
CPU: 1 PID: 6237 Comm: syz-executor106 Tainted: G W 6.9.0-rc6-syzkaller-g78186bd77b47 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : _compound_head include/linux/page-flags.h:246 [inline]
pc : virt_to_folio include/linux/mm.h:1308 [inline]
pc : kfree+0xbc/0x3e8 mm/slub.c:4382
lr : virt_to_phys arch/arm64/include/asm/memory.h:368 [inline]
lr : virt_to_pfn arch/arm64/include/asm/memory.h:382 [inline]
lr : virt_to_folio include/linux/mm.h:1306 [inline]
lr : kfree+0xa4/0x3e8 mm/slub.c:4382
sp : ffff80009ad06e30
x29: ffff80009ad06e40 x28: 1ffff000135a0e02 x27: fffffffffffff75e
x26: ffff80009ad07010 x25: ffff7000135a0df4 x24: dfff800000000000
x23: ffff0000df080000 x22: 0000000000000001 x21: ffffffffc37affc0
x20: ffff80008294a5bc x19: fffffffffffff75e x18: 0000000000000008
x17: 6666783028206535 x16: ffff80008ae8863c x15: 0000000000000001
x14: 1fffe000367bd602 x13: 0000000000000000 x12: 0000000000000000
x11: 0000000000000002 x10: 0000000000ff0100 x9 : 00003e00037affc0
x8 : ffffc1ffc0000000 x7 : 0000000000000001 x6 : 0000000000000001
x5 : ffff80009ad06578 x4 : ffff80008ef850a0 x3 : ffff8000805e8270
x2 : 0000000000000001 x1 : 0000000100000000 x0 : 000080011ebff75e
Call trace:
virt_to_folio include/linux/mm.h:1306 [inline]
kfree+0xbc/0x3e8 mm/slub.c:4382
bch2_fs_recovery+0x32c/0x4854 fs/bcachefs/recovery.c:905
bch2_fs_start+0x30c/0x53c fs/bcachefs/super.c:1043
bch2_fs_open+0x8b4/0xb64 fs/bcachefs/super.c:2102
bch2_mount+0x558/0xe10 fs/bcachefs/fs.c:1903
legacy_get_tree+0xd4/0x16c fs/fs_context.c:662
vfs_get_tree+0x90/0x288 fs/super.c:1779
do_new_mount+0x278/0x900 fs/namespace.c:3352
path_mount+0x590/0xe04 fs/namespace.c:3679
do_mount fs/namespace.c:3692 [inline]
__do_sys_mount fs/namespace.c:3898 [inline]
__se_sys_mount fs/namespace.c:3875 [inline]
__arm64_sys_mount+0x45c/0x594 fs/namespace.c:3875
__invoke_syscall arch/arm64/kernel/syscall.c:34 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:48
el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:133
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:152
el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712
el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730
el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598
Code: 927acd29 f2d83fe8 cb151929 8b080135 (f94006a8)
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
0: 927acd29 and x9, x9, #0x3ffffffffffffc0
4: f2d83fe8 movk x8, #0xc1ff, lsl #32
8: cb151929 sub x9, x9, x21, lsl #6
c: 8b080135 add x21, x9, x8
* 10: f94006a8 ldr x8, [x21, #8] <-- trapping instruction


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@xxxxxxxxxxxxxxxx.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup