node offset 16/40 bset u64s 30: checksum error, type chacha20_poly1305_128: got 29c49b2fdd8d9048e17ac38271cc7e07 should be d4669159f868458f2b4c55fc2a69f1aa, fixing
==================================================================
BUG: KASAN: use-after-free in poly1305_update_arch+0x2a0/0x3f0 arch/arm64/crypto/poly1305-glue.c:165
Read of size 8 at addr ffff0000e225b070 by task syz-executor418/6487

CPU: 0 UID: 0 PID: 6487 Comm: syz-executor418 Not tainted 6.15.0-rc5-syzkaller-gc32f8dc5aaf9 #0 PREEMPT
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Call trace:
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:466 (C)
 __dump_stack+0x30/0x40 lib/dump_stack.c:94
 dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120
 print_address_description+0xa8/0x254 mm/kasan/report.c:408
 print_report+0x68/0x84 mm/kasan/report.c:521
 kasan_report+0xb0/0x110 mm/kasan/report.c:634
 check_region_inline mm/kasan/generic.c:-1 [inline]
 kasan_check_range+0x264/0x2a4 mm/kasan/generic.c:189
 __asan_memcpy+0x3c/0x84 mm/kasan/shadow.c:105
 poly1305_update_arch+0x2a0/0x3f0 arch/arm64/crypto/poly1305-glue.c:165
 poly1305_update include/crypto/poly1305.h:83 [inline]
 bch2_checksum+0x1d4/0x4ac fs/bcachefs/checksum.c:157
 bch2_btree_node_read_done+0xd20/0x4328 fs/bcachefs/btree_io.c:1132
 btree_node_read_work+0x414/0xc64 fs/bcachefs/btree_io.c:1366
 bch2_btree_node_read+0x1c88/0x228c fs/bcachefs/btree_io.c:-1
 __bch2_btree_root_read fs/bcachefs/btree_io.c:1797 [inline]
 bch2_btree_root_read+0x274/0x3b0 fs/bcachefs/btree_io.c:1819
 read_btree_roots+0x220/0x6c0 fs/bcachefs/recovery.c:582
 bch2_fs_recovery+0x1a60/0x2d30 fs/bcachefs/recovery.c:929
 bch2_fs_start+0x5b0/0x908 fs/bcachefs/super.c:1091
 bch2_fs_get_tree+0xa0c/0xf30 fs/bcachefs/fs.c:2570
 vfs_get_tree+0x90/0x28c fs/super.c:1759
 do_new_mount+0x228/0x814 fs/namespace.c:3884
 path_mount+0x5b4/0xde0 fs/namespace.c:4211
 do_mount fs/namespace.c:4224 [inline]
 __do_sys_mount fs/namespace.c:4435 [inline]
 __se_sys_mount fs/namespace.c:4412 [inline]
 __arm64_sys_mount+0x3e8/0x468 fs/namespace.c:4412
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x58/0x17c arch/arm64/kernel/entry-common.c:767
 el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:786
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12225b
flags: 0x5ffc00000000000(node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000000000 0000000000000000 fffffdffc38896c8 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff0000e225af00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff0000e225af80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff0000e225b000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                             ^
 ffff0000e225b080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff0000e225b100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
bcachefs (loop0): bcachefs (loop0): error validating btree node on loop0 at btree alloc level 0/0 u64s 11 type btree_ptr_v2 SPOS_MAX len 0 ver 0: seq 1818ce08861e3527 written 40 min_key POS_MIN durability: 1 ptr: 0:26:0 gen 0 node offset 24/40 bset u64s 61450: checksum error, type chacha20_poly1305_128: got cc4708a18a79d18b0e29d148f3f534b5 should be eca0b87f8a1bd5d855d98c80b1d5305e, fixing
bcachefs (loop0): bcachefs (loop0): error validating btree node on loop0 at btree alloc level 0/0 u64s 11 type btree_ptr_v2 SPOS_MAX len 0 ver 0: seq 1818ce08861e3527 written 40 min_key POS_MIN durability: 1 ptr: 0:26:0 gen 0 node offset 24/40 bset u64s 61450: bset past end of btree node (offset 24 len 968 but written 40), fixing
bcachefs (loop0): bcachefs (loop0): error validating btree node on loop0 at btree alloc level 0/0 u64s 11 type btree_ptr_v2 SPOS_MAX len 0 ver 0: seq 1818ce08861e3527 written 40 min_key POS_MIN durability: 1 ptr: 0:26:0 gen 0 node offset 24/40 bset u64s 0: empty bset, fixing
bcachefs (loop0): invalid bkey in btree_node btree=alloc level=0: u64s 11 type alloc_v4 0:22:0 len 0 ver 0: gen 0 oldest_gen 0 data_type sb journal_seq_nonempty 1 journal_seq_empty 0 need_discard 1 need_inc_gen 1 dirty_sectors 256 stripe_sectors 0 cached_sectors 0 stripe 0 stripe_redundancy 0 io_time[READ] 1 io_time[WRITE] 1 fragmentation 0 bp_start 8 bad val size (14 > 6), deleting
bcachefs (loop0): btree_node_read_work: rewriting btree node at due to error btree=alloc level=0 u64s 11 type btree_ptr_v2 SPOS_MAX len 0 ver 0: seq 1818ce08861e3527 written 40 min_key POS_MIN durability: 1 ptr: 0:26:0 gen 0
bcachefs (loop0): bcachefs (loop0): error validating btree node on loop0 at btree freespace level 0/0 u64s 11 type btree_ptr_v2 SPOS_MAX len 0 ver 0: seq b6c44d07df4e9bb7 written 48 min_key POS_MIN durability: 1 ptr: 0:29:0 gen 0 node offset 8/48 bset u64s 35: checksum error, type chacha20_poly1305_128: got 9a0c7e4fba9774736fd5fe399afe0fd4 should be 696606121d98d113a1b1dc69c6e72339, fixing
bcachefs (loop0): btree_node_read_work: rewriting btree node at due to error btree=freespace level=0 u64s 11 type btree_ptr_v2 SPOS_MAX len 0 ver 0: seq b6c44d07df4e9bb7 written 48 min_key POS_MIN durability: 1 ptr: 0:29:0 gen 0
bcachefs (loop0): accounting_read... done
bcachefs (loop0): alloc_read... done
bcachefs (loop0): snapshots_read... done
bcachefs (loop0): check_allocations...
bcachefs (loop0): bucket 0:28 data type btree ptr gen 0 missing in alloc btree while marking u64s 11 type btree_ptr_v2 SPOS_MAX len 0 ver 0: seq 93dda84068e88b3f written 16 min_key POS_MIN durability: 1 ptr: 0:28:0 gen 0, fixing
bcachefs (loop0): bucket 0:36 data type btree ptr gen 0 missing in alloc btree while marking u64s 11 type btree_ptr_v2 SPOS_MAX len 0 ver 0: seq 3b468546fb27822d written 24 min_key POS_MIN durability: 1 ptr: 0:36:0 gen 0, fixing
bcachefs (loop0): bucket 0:40 data type btree ptr gen 0 missing in alloc btree while marking u64s 11 type btree_ptr_v2 SPOS_MAX len 0 ver 0: seq 82036bda63714c10 written 8 min_key POS_MIN durability: 1 ptr: 0:40:0 gen 0, fixing
bcachefs (loop0): bucket 0:22 gen 0 has wrong data_type: got free, should be sb, fixing
bcachefs (loop0): bucket 0:22 gen 0 data type sb has wrong dirty_sectors: got 0, should be 256, fixing
bcachefs (loop0): bucket 0:28 gen 0 has wrong data_type: got free, should be btree, fixing
bcachefs (loop0): bucket 0:28 gen 0 data type btree has wrong dirty_sectors: got 0, should be 256, fixing
bcachefs (loop0): bucket 0:36 gen 0 has wrong data_type: got free, should be btree, fixing
bcachefs (loop0): bucket 0:36 gen 0 data type btree has wrong dirty_sectors: got 0, should be 256, fixing
bcachefs (loop0): bucket 0:40 gen 0 has wrong data_type: got free, should be btree, fixing
bcachefs (loop0): bucket 0:40 gen 0 data type btree has wrong dirty_sectors: got 0, should be 256, fixing
done
bcachefs (loop0): going read-write
bcachefs (loop0): journal_replay... done
bcachefs (loop0): check_extents_to_backpointers...
bcachefs (loop0): scanning for missing backpointers in 2/128 buckets
done
bcachefs (loop0): check_snapshots...
bcachefs (loop0): snapshot points to missing/incorrect tree: u64s 8 type snapshot 0:4294967295:0 len 0 ver 0: is_subvol 1 deleted 0 parent 0 children 0 0 subvol 1 tree 0, fixing
done
bcachefs (loop0): check_subvols... done
bcachefs (loop0): check_inodes...
bcachefs (loop0): inode points to missing dirent inum: 4099:4294967295 mode=100755 flags=(15300000) journal_seq=5 hash_seed=ab878b4c5ab7c89e hash_type=siphash bi_size=1050 bi_sectors=8 bi_version=0 bi_atime=1997793410 bi_ctime=1997793410 bi_mtime=1997793410 bi_otime=1997793410 bi_uid=0 bi_gid=0 bi_nlink=0 bi_generation=0 bi_dev=0 bi_data_checksum=0 bi_compression=0 bi_project=0 bi_background_compression=0 bi_data_replicas=0 bi_promote_target=0 bi_foreground_target=0 bi_background_target=0 bi_erasure_code=0 bi_fields_set=0 bi_dir=4098 bi_dir_offset=2566586984702133180 bi_subvol=0 bi_parent_subvol=0 bi_nocow=0 bi_depth=0 bi_inodes_32bit=0 bi_casefold=0, fixing
bcachefs (loop0): inode journal seq in future (currently at 21) inum: 1073741825:4294967295 mode=100755 flags=(15300000) journal_seq=10300415144517173253 hash_seed=259b6b0d0abf3ed4 hash_type=siphash bi_size=9000 bi_sectors=24 bi_version=0 bi_atime=2007793514 bi_ctime=2007793514 bi_mtime=2007793514 bi_otime=2007793514 bi_uid=0 bi_gid=0 bi_nlink=1 bi_generation=0 bi_dev=0 bi_data_checksum=0 bi_compression=0 bi_project=0 bi_background_compression=0 bi_data_replicas=0 bi_promote_target=0 bi_foreground_target=0 bi_background_target=0 bi_erasure_code=0 bi_fields_set=0 bi_dir=4096 bi_dir_offset=3784119180373593407 bi_subvol=0 bi_parent_subvol=0 bi_nocow=0 bi_depth=0 bi_inodes_32bit=0 bi_casefold=0, fixing
done
bcachefs (loop0): check_dirents...
bcachefs (loop0): dirent points to missing inode: u64s 8 type dirent 4096:1859603997870691834:U32_MAX len 0 ver 0: lost+found -> 4097 type dir, fixing
bcachefs (loop0): key in missing snapshot dirents u64s 7 type dirent 4098:2566587684781802388:1895552767 len 0 ver 0: file0 -> 4099 type reg, deleting
bcachefs (loop0): dirent points to missing inode: u64s 7 type dirent 4098:4600437421902197670:U32_MAX len 0 ver 0: file1 -> 4100 type lnk, fixing
done
bcachefs (loop0): resume_logged_ops... done
bcachefs (loop0): delete_dead_inodes... done
bcachefs (loop0): set_fs_needs_rebalance... done
bcachefs (loop0): Fixed errors, running fsck a second time to verify fs is clean
bcachefs (loop0): check_extents_to_backpointers... done
bcachefs (loop0): check_snapshots... done
bcachefs (loop0): check_subvols... done
bcachefs (loop0): check_inodes... done
bcachefs (loop0): check_dirents...
bcachefs (loop0): key in missing snapshot dirents u64s 7 type dirent 4098:2566587684781802388:1895552767 len 0 ver 0: file0 -> 4099 type reg, deleting
bcachefs (loop0): directory 4096:4294967295 with wrong i_nlink: got 2, should be 1, fixing
done
bcachefs (loop0): resume_logged_ops... done
bcachefs (loop0): delete_dead_inodes... done
bcachefs (loop0): set_fs_needs_rebalance... done
bcachefs (loop0): Second fsck run was not clean
bcachefs (loop0): reading quotas
bcachefs (loop0): quotas done
bcachefs (loop0): done starting filesystem