2020-09-25 09:51:47

by syzbot

Subject: general protection fault in gfs2_withdraw

Hello,

syzbot found the following issue on:

HEAD commit: ba4f184e Linux 5.9-rc6
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13a0ccad900000
kernel config: https://syzkaller.appspot.com/x/.config?x=6f192552d75898a1
dashboard link: https://syzkaller.appspot.com/bug?extid=50a8a9cf8127f2c6f5df
compiler: gcc (GCC) 10.1.0-syz 20200507

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: [email protected]

gfs2: fsid=syz:syz.0: fatal: invalid metadata block
bh = 2072 (magic number)
function = gfs2_meta_indirect_buffer, file = fs/gfs2/meta_io.c, line = 417
gfs2: fsid=syz:syz.0: about to withdraw this file system
general protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077]
CPU: 0 PID: 27118 Comm: syz-executor.0 Not tainted 5.9.0-rc6-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
RIP: 0010:signal_our_withdraw fs/gfs2/util.c:97 [inline]
RIP: 0010:gfs2_withdraw.cold+0xff/0xc0e fs/gfs2/util.c:294
Code: 00 48 c1 e0 2a 80 3c 02 00 0f 85 19 02 00 00 4c 8b bb a0 08 00 00 b8 ff ff 37 00 48 c1 e0 2a 49 8d 7f 70 48 89 fa 48 c1 ea 03 <80> 3c 02 00 74 05 e8 67 6d 68 fe 4d 8b 7f 70 b8 ff ff 37 00 48 c1
RSP: 0018:ffffc900018b73b8 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffff888059d70000 RCX: ffffc90002639000
RDX: 000000000000000e RSI: ffffffff834e9fdf RDI: 0000000000000070
RBP: ffff888059d7026d R08: 0000000000000038 R09: ffff88802ce318e7
R10: 0000000000000000 R11: 0000000000000000 R12: ffff888059d70050
R13: ffff888059d702f0 R14: ffffffff88cc1320 R15: 0000000000000000
FS: 00007f348fd73700(0000) GS:ffff88802ce00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000b60004 CR3: 000000004a089000 CR4: 0000000000350ef0
DR0: 0000000020000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
Call Trace:
gfs2_meta_check_ii+0x68/0xa0 fs/gfs2/util.c:450
gfs2_metatype_check_i fs/gfs2/util.h:126 [inline]
gfs2_meta_indirect_buffer+0x3a3/0x3f0 fs/gfs2/meta_io.c:417
gfs2_meta_inode_buffer fs/gfs2/meta_io.h:70 [inline]
gfs2_inode_refresh+0x95/0xdf0 fs/gfs2/glops.c:438
inode_go_lock+0x309/0x49f fs/gfs2/glops.c:468
do_promote+0x4a0/0xc10 fs/gfs2/glock.c:390
finish_xmote+0x4ed/0xf40 fs/gfs2/glock.c:560
do_xmote+0x812/0xba0 fs/gfs2/glock.c:686
run_queue+0x323/0x680 fs/gfs2/glock.c:751
gfs2_glock_nq+0x716/0x11b0 fs/gfs2/glock.c:1410
gfs2_glock_nq_init fs/gfs2/glock.h:238 [inline]
gfs2_lookupi+0x314/0x630 fs/gfs2/inode.c:317
gfs2_lookup_simple+0x99/0xe0 fs/gfs2/inode.c:268
init_journal fs/gfs2/ops_fstype.c:620 [inline]
init_inodes+0x367/0x1f40 fs/gfs2/ops_fstype.c:756
gfs2_fill_super+0x195e/0x254a fs/gfs2/ops_fstype.c:1125
get_tree_bdev+0x421/0x740 fs/super.c:1342
gfs2_get_tree+0x4a/0x270 fs/gfs2/ops_fstype.c:1201
vfs_get_tree+0x89/0x2f0 fs/super.c:1547
do_new_mount fs/namespace.c:2875 [inline]
path_mount+0x1387/0x20a0 fs/namespace.c:3192
do_mount fs/namespace.c:3205 [inline]
__do_sys_mount fs/namespace.c:3413 [inline]
__se_sys_mount fs/namespace.c:3390 [inline]
__x64_sys_mount+0x27f/0x300 fs/namespace.c:3390
do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x45e5ea
Code: b8 a6 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 6d 9e fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 4a 9e fb ff c3 66 0f 1f 84 00 00 00 00 00
RSP: 002b:00007f348fd72aa8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007f348fd72b40 RCX: 000000000045e5ea
RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007f348fd72b00
RBP: 00007f348fd72b00 R08: 00007f348fd72b40 R09: 0000000020000000
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000020000000
R13: 0000000020000100 R14: 0000000020000200 R15: 0000000020047a20
Modules linked in:
---[ end trace a1967e7d2c26629b ]---
RIP: 0010:signal_our_withdraw fs/gfs2/util.c:97 [inline]
RIP: 0010:gfs2_withdraw.cold+0xff/0xc0e fs/gfs2/util.c:294
Code: 00 48 c1 e0 2a 80 3c 02 00 0f 85 19 02 00 00 4c 8b bb a0 08 00 00 b8 ff ff 37 00 48 c1 e0 2a 49 8d 7f 70 48 89 fa 48 c1 ea 03 <80> 3c 02 00 74 05 e8 67 6d 68 fe 4d 8b 7f 70 b8 ff ff 37 00 48 c1
RSP: 0018:ffffc900018b73b8 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffff888059d70000 RCX: ffffc90002639000
RDX: 000000000000000e RSI: ffffffff834e9fdf RDI: 0000000000000070
RBP: ffff888059d7026d R08: 0000000000000038 R09: ffff88802ce318e7
R10: 0000000000000000 R11: 0000000000000000 R12: ffff888059d70050
R13: ffff888059d702f0 R14: ffffffff88cc1320 R15: 0000000000000000
FS: 00007f348fd73700(0000) GS:ffff88802cf00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000256f020 CR3: 000000004a089000 CR4: 0000000000350ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at [email protected].

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
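Added triage note, not part of the syzbot report: the fault address 0xdffffc000000000e in the report is not the pointer the code dereferenced but its KASAN shadow byte. The faulting instruction in the first trace (Code: ... <80> 3c 02 00 ...) is cmpb $0x0,(%rdx,%rax) with RAX = 0xdffffc0000000000 (the x86_64 KASAN shadow offset) and RDX = 0xe = 0x70 >> 3, i.e. the compiler-inserted check for an 8-byte read at NULL+0x70. That is what the kernel itself turns into the "KASAN: null-ptr-deref in range [0x70-0x77]" line. The helper below reproduces that decode so a reader can map any such GP fault back to the real access; it assumes the default x86_64 layout (one shadow byte per 8-byte granule, shadow offset 0xdffffc0000000000, 4 KiB pages, TASK_SIZE = 2^47 - PAGE_SIZE) and follows the classification logic of the kernel's kasan_non_canonical_hook().

```c
/*
 * Added example (not from the syzbot report or the gfs2 tree): decode the
 * KASAN shadow address printed in an x86_64 general protection fault back
 * into the data address the kernel was really accessing.
 *
 * Assumptions: x86_64 KASAN defaults. shadow = (addr >> 3) + KASAN_SHADOW_OFFSET,
 * KASAN_SHADOW_OFFSET = 0xdffffc0000000000, PAGE_SIZE = 4096,
 * TASK_SIZE = 2^47 - PAGE_SIZE.
 */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

#define KASAN_SHADOW_OFFSET      0xdffffc0000000000ULL
#define KASAN_SHADOW_SCALE_SHIFT 3
#define KASAN_GRANULE_MASK       ((1ULL << KASAN_SHADOW_SCALE_SHIFT) - 1)
/* Shadow for the whole 64-bit range ends here: offset + 2^64 / 8. */
#define KASAN_SHADOW_END         (KASAN_SHADOW_OFFSET + (1ULL << (64 - KASAN_SHADOW_SCALE_SHIFT)))
#define PAGE_SIZE                4096ULL
#define TASK_SIZE                ((1ULL << 47) - PAGE_SIZE)

enum kasan_bug_type {
    KASAN_NOT_SHADOW = 0,   /* fault address is outside the shadow region */
    KASAN_NULL_PTR_DEREF,   /* original access is inside the first page */
    KASAN_USER_MEM,         /* kernel prints "probably user-memory-access" */
    KASAN_WILD,             /* kernel prints "maybe wild-memory-access" */
};

/* Forward mapping: where the instrumented load looks for addr's shadow byte. */
uint64_t kasan_shadow_addr(uint64_t addr)
{
    return (addr >> KASAN_SHADOW_SCALE_SHIFT) + KASAN_SHADOW_OFFSET;
}

/* Inverse mapping: first byte of the 8-byte granule whose shadow byte was read. */
uint64_t kasan_orig_addr(uint64_t shadow)
{
    return (shadow - KASAN_SHADOW_OFFSET) << KASAN_SHADOW_SCALE_SHIFT;
}

/* Same decision tree as kasan_non_canonical_hook(), plus an upper-bound check. */
enum kasan_bug_type kasan_classify(uint64_t fault_addr)
{
    uint64_t orig;

    if (fault_addr < KASAN_SHADOW_OFFSET || fault_addr >= KASAN_SHADOW_END)
        return KASAN_NOT_SHADOW;

    orig = kasan_orig_addr(fault_addr);
    if (orig < PAGE_SIZE)
        return KASAN_NULL_PTR_DEREF;
    if (orig < TASK_SIZE)
        return KASAN_USER_MEM;
    return KASAN_WILD;
}

int main(void)
{
    /* The address from the "general protection fault" line of the report above. */
    uint64_t fault = 0xdffffc000000000eULL;
    uint64_t lo = kasan_orig_addr(fault);

    printf("shadow 0x%016" PRIx64 " -> access range [0x%016" PRIx64 "-0x%016" PRIx64 "], type %d\n",
           fault, lo, lo + KASAN_GRANULE_MASK, kasan_classify(fault));
    return 0;
}
```

For this report the decode gives [0x70-0x77] and type KASAN_NULL_PTR_DEREF, so the offending read is an 8-byte field at offset 0x70 of a NULL struct pointer, which is what the later replies in this thread identify as sdp->sd_jdesc->jd_inode. The second trace shows the same check with the operands swapped (cmpb $0x0,(%rax,%r15), RAX = 0xe, R15 = 0xdffffc0000000000).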


2020-09-26 17:22:36

by syzbot

Subject: Re: general protection fault in gfs2_withdraw

syzbot has found a reproducer for the following issue on:

HEAD commit: 7c7ec322 Merge tag 'for-linus' of git://git.kernel.org/pub..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=11f2ff27900000
kernel config: https://syzkaller.appspot.com/x/.config?x=6184b75aa6d48d66
dashboard link: https://syzkaller.appspot.com/bug?extid=50a8a9cf8127f2c6f5df
compiler: clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=160fb773900000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1104f109900000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: [email protected]

gfs2: fsid=syz:syz.0: fatal: invalid metadata block
bh = 2072 (magic number)
function = gfs2_meta_indirect_buffer, file = fs/gfs2/meta_io.c, line = 417
gfs2: fsid=syz:syz.0: about to withdraw this file system
general protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077]
CPU: 0 PID: 6842 Comm: syz-executor264 Not tainted 5.9.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:signal_our_withdraw fs/gfs2/util.c:97 [inline]
RIP: 0010:gfs2_withdraw+0x2b0/0xe20 fs/gfs2/util.c:294
Code: e8 03 48 89 44 24 38 42 80 3c 38 00 74 08 48 89 ef e8 34 f7 69 fe 48 89 6c 24 20 48 8b 6d 00 48 83 c5 70 48 89 e8 48 c1 e8 03 <42> 80 3c 38 00 74 08 48 89 ef e8 11 f7 69 fe 48 8b 45 00 48 89 44
RSP: 0018:ffffc900057474f0 EFLAGS: 00010202
RAX: 000000000000000e RBX: ffff8880a71e0000 RCX: 98268db4dfe86a00
RDX: ffff888092bb6100 RSI: 0000000000000000 RDI: ffff8880a71e0430
RBP: 0000000000000070 R08: ffffffff834ad50c R09: ffffed1015d041c3
R10: ffffed1015d041c3 R11: 0000000000000000 R12: 1ffff11014e3c04d
R13: ffff8880a71e0050 R14: ffff8880a71e026c R15: dffffc0000000000
FS: 000000000233b880(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f74f826d6c0 CR3: 00000000a04cc000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
gfs2_meta_check_ii+0x70/0x80 fs/gfs2/util.c:450
gfs2_metatype_check_i fs/gfs2/util.h:126 [inline]
gfs2_meta_indirect_buffer+0x29f/0x380 fs/gfs2/meta_io.c:417
gfs2_meta_inode_buffer fs/gfs2/meta_io.h:70 [inline]
gfs2_inode_refresh+0x65/0xc00 fs/gfs2/glops.c:438
inode_go_lock+0x12c/0x480 fs/gfs2/glops.c:468
do_promote+0x4db/0xcd0 fs/gfs2/glock.c:390
finish_xmote+0x907/0x1350 fs/gfs2/glock.c:560
do_xmote+0xadb/0x14c0 fs/gfs2/glock.c:686
gfs2_glock_nq+0xac3/0x14d0 fs/gfs2/glock.c:1410
gfs2_glock_nq_init fs/gfs2/glock.h:238 [inline]
gfs2_lookupi+0x36f/0x4f0 fs/gfs2/inode.c:317
gfs2_lookup_simple+0xa4/0x100 fs/gfs2/inode.c:268
init_journal+0x132/0x1970 fs/gfs2/ops_fstype.c:620
init_inodes fs/gfs2/ops_fstype.c:756 [inline]
gfs2_fill_super+0x2717/0x3fe0 fs/gfs2/ops_fstype.c:1125
get_tree_bdev+0x3e9/0x5f0 fs/super.c:1342
gfs2_get_tree+0x4c/0x1f0 fs/gfs2/ops_fstype.c:1201
vfs_get_tree+0x88/0x270 fs/super.c:1547
do_new_mount fs/namespace.c:2875 [inline]
path_mount+0x179d/0x29e0 fs/namespace.c:3192
do_mount fs/namespace.c:3205 [inline]
__do_sys_mount fs/namespace.c:3413 [inline]
__se_sys_mount+0x126/0x180 fs/namespace.c:3390
do_syscall_64+0x31/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x458e1a
Code: b8 08 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 fd ad fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 da ad fb ff c3 66 0f 1f 84 00 00 00 00 00
RSP: 002b:00007ffc76f65c88 EFLAGS: 00000293 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007ffc76f65ce0 RCX: 0000000000458e1a
RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffc76f65ca0
RBP: 00007ffc76f65ca0 R08: 00007ffc76f65ce0 R09: 00007ffc00000015
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000809
R13: 0000000000000004 R14: 0000000000000003 R15: 0000000000000003
Modules linked in:
---[ end trace 1e62174917573e95 ]---
RIP: 0010:signal_our_withdraw fs/gfs2/util.c:97 [inline]
RIP: 0010:gfs2_withdraw+0x2b0/0xe20 fs/gfs2/util.c:294
Code: e8 03 48 89 44 24 38 42 80 3c 38 00 74 08 48 89 ef e8 34 f7 69 fe 48 89 6c 24 20 48 8b 6d 00 48 83 c5 70 48 89 e8 48 c1 e8 03 <42> 80 3c 38 00 74 08 48 89 ef e8 11 f7 69 fe 48 8b 45 00 48 89 44
RSP: 0018:ffffc900057474f0 EFLAGS: 00010202
RAX: 000000000000000e RBX: ffff8880a71e0000 RCX: 98268db4dfe86a00
RDX: ffff888092bb6100 RSI: 0000000000000000 RDI: ffff8880a71e0430
RBP: 0000000000000070 R08: ffffffff834ad50c R09: ffffed1015d041c3
R10: ffffed1015d041c3 R11: 0000000000000000 R12: 1ffff11014e3c04d
R13: ffff8880a71e0050 R14: ffff8880a71e026c R15: dffffc0000000000
FS: 000000000233b880(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f74f826d6c0 CR3: 00000000a04cc000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

2020-09-28 13:41:15

by Andrew Price

Subject: Re: [Cluster-devel] general protection fault in gfs2_withdraw

On 26/09/2020 18:21, syzbot wrote:
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: 7c7ec322 Merge tag 'for-linus' of git://git.kernel.org/pub..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=11f2ff27900000
> kernel config: https://syzkaller.appspot.com/x/.config?x=6184b75aa6d48d66
> dashboard link: https://syzkaller.appspot.com/bug?extid=50a8a9cf8127f2c6f5df
> compiler: clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=160fb773900000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1104f109900000
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: [email protected]
>
> gfs2: fsid=syz:syz.0: fatal: invalid metadata block
> bh = 2072 (magic number)
> function = gfs2_meta_indirect_buffer, file = fs/gfs2/meta_io.c, line = 417
> gfs2: fsid=syz:syz.0: about to withdraw this file system
> general protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] PREEMPT SMP KASAN
> KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077]
> CPU: 0 PID: 6842 Comm: syz-executor264 Not tainted 5.9.0-rc6-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> RIP: 0010:signal_our_withdraw fs/gfs2/util.c:97 [inline]

Seems that it's withdrawing in the init_inodes() path early enough
(while looking up the jindex) that sdp->sd_jdesc is still NULL here:

static void signal_our_withdraw(struct gfs2_sbd *sdp)
{
struct gfs2_glock *gl = sdp->sd_live_gh.gh_gl;
struct inode *inode = sdp->sd_jdesc->jd_inode;

I'm undecided as to whether the bug is that we're withdrawing that early
at all, or that we're not checking for NULL there?

Probably introduced by:

601ef0d52e96 gfs2: Force withdraw to replay journals and wait for it to finish

Andy

> RIP: 0010:gfs2_withdraw+0x2b0/0xe20 fs/gfs2/util.c:294
> Code: e8 03 48 89 44 24 38 42 80 3c 38 00 74 08 48 89 ef e8 34 f7 69 fe 48 89 6c 24 20 48 8b 6d 00 48 83 c5 70 48 89 e8 48 c1 e8 03 <42> 80 3c 38 00 74 08 48 89 ef e8 11 f7 69 fe 48 8b 45 00 48 89 44
> RSP: 0018:ffffc900057474f0 EFLAGS: 00010202
> RAX: 000000000000000e RBX: ffff8880a71e0000 RCX: 98268db4dfe86a00
> RDX: ffff888092bb6100 RSI: 0000000000000000 RDI: ffff8880a71e0430
> RBP: 0000000000000070 R08: ffffffff834ad50c R09: ffffed1015d041c3
> R10: ffffed1015d041c3 R11: 0000000000000000 R12: 1ffff11014e3c04d
> R13: ffff8880a71e0050 R14: ffff8880a71e026c R15: dffffc0000000000
> FS: 000000000233b880(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007f74f826d6c0 CR3: 00000000a04cc000 CR4: 00000000001506f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
> gfs2_meta_check_ii+0x70/0x80 fs/gfs2/util.c:450
> gfs2_metatype_check_i fs/gfs2/util.h:126 [inline]
> gfs2_meta_indirect_buffer+0x29f/0x380 fs/gfs2/meta_io.c:417
> gfs2_meta_inode_buffer fs/gfs2/meta_io.h:70 [inline]
> gfs2_inode_refresh+0x65/0xc00 fs/gfs2/glops.c:438
> inode_go_lock+0x12c/0x480 fs/gfs2/glops.c:468
> do_promote+0x4db/0xcd0 fs/gfs2/glock.c:390
> finish_xmote+0x907/0x1350 fs/gfs2/glock.c:560
> do_xmote+0xadb/0x14c0 fs/gfs2/glock.c:686
> gfs2_glock_nq+0xac3/0x14d0 fs/gfs2/glock.c:1410
> gfs2_glock_nq_init fs/gfs2/glock.h:238 [inline]
> gfs2_lookupi+0x36f/0x4f0 fs/gfs2/inode.c:317
> gfs2_lookup_simple+0xa4/0x100 fs/gfs2/inode.c:268
> init_journal+0x132/0x1970 fs/gfs2/ops_fstype.c:620
> init_inodes fs/gfs2/ops_fstype.c:756 [inline]
> gfs2_fill_super+0x2717/0x3fe0 fs/gfs2/ops_fstype.c:1125
> get_tree_bdev+0x3e9/0x5f0 fs/super.c:1342
> gfs2_get_tree+0x4c/0x1f0 fs/gfs2/ops_fstype.c:1201
> vfs_get_tree+0x88/0x270 fs/super.c:1547
> do_new_mount fs/namespace.c:2875 [inline]
> path_mount+0x179d/0x29e0 fs/namespace.c:3192
> do_mount fs/namespace.c:3205 [inline]
> __do_sys_mount fs/namespace.c:3413 [inline]
> __se_sys_mount+0x126/0x180 fs/namespace.c:3390
> do_syscall_64+0x31/0x70 arch/x86/entry/common.c:46
> entry_SYSCALL_64_after_hwframe+0x44/0xa9
> RIP: 0033:0x458e1a
> Code: b8 08 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 fd ad fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 da ad fb ff c3 66 0f 1f 84 00 00 00 00 00
> RSP: 002b:00007ffc76f65c88 EFLAGS: 00000293 ORIG_RAX: 00000000000000a5
> RAX: ffffffffffffffda RBX: 00007ffc76f65ce0 RCX: 0000000000458e1a
> RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffc76f65ca0
> RBP: 00007ffc76f65ca0 R08: 00007ffc76f65ce0 R09: 00007ffc00000015
> R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000809
> R13: 0000000000000004 R14: 0000000000000003 R15: 0000000000000003
> Modules linked in:
> ---[ end trace 1e62174917573e95 ]---
> RIP: 0010:signal_our_withdraw fs/gfs2/util.c:97 [inline]
> RIP: 0010:gfs2_withdraw+0x2b0/0xe20 fs/gfs2/util.c:294
> Code: e8 03 48 89 44 24 38 42 80 3c 38 00 74 08 48 89 ef e8 34 f7 69 fe 48 89 6c 24 20 48 8b 6d 00 48 83 c5 70 48 89 e8 48 c1 e8 03 <42> 80 3c 38 00 74 08 48 89 ef e8 11 f7 69 fe 48 8b 45 00 48 89 44
> RSP: 0018:ffffc900057474f0 EFLAGS: 00010202
> RAX: 000000000000000e RBX: ffff8880a71e0000 RCX: 98268db4dfe86a00
> RDX: ffff888092bb6100 RSI: 0000000000000000 RDI: ffff8880a71e0430
> RBP: 0000000000000070 R08: ffffffff834ad50c R09: ffffed1015d041c3
> R10: ffffed1015d041c3 R11: 0000000000000000 R12: 1ffff11014e3c04d
> R13: ffff8880a71e0050 R14: ffff8880a71e026c R15: dffffc0000000000
> FS: 000000000233b880(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007f74f826d6c0 CR3: 00000000a04cc000 CR4: 00000000001506f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
>

2020-09-28 13:53:55

by Bob Peterson

Subject: Re: [Cluster-devel] general protection fault in gfs2_withdraw

----- Original Message -----
> On 26/09/2020 18:21, syzbot wrote:
> > syzbot has found a reproducer for the following issue on:
> >
> > HEAD commit: 7c7ec322 Merge tag 'for-linus' of
> > git://git.kernel.org/pub..
> > git tree: upstream
> > console output: https://syzkaller.appspot.com/x/log.txt?x=11f2ff27900000
> > kernel config: https://syzkaller.appspot.com/x/.config?x=6184b75aa6d48d66
> > dashboard link:
> > https://syzkaller.appspot.com/bug?extid=50a8a9cf8127f2c6f5df
> > compiler: clang version 10.0.0 (https://github.com/llvm/llvm-project/
> > c2443155a0fb245c8f17f2c1c72b6ea391e86e81)
> > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=160fb773900000
> > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1104f109900000
> >
> > IMPORTANT: if you fix the issue, please add the following tag to the
> > commit:
> > Reported-by: [email protected]
> >
> > gfs2: fsid=syz:syz.0: fatal: invalid metadata block
> > bh = 2072 (magic number)
> > function = gfs2_meta_indirect_buffer, file = fs/gfs2/meta_io.c, line =
> > 417
> > gfs2: fsid=syz:syz.0: about to withdraw this file system
> > general protection fault, probably for non-canonical address
> > 0xdffffc000000000e: 0000 [#1] PREEMPT SMP KASAN
> > KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077]
> > CPU: 0 PID: 6842 Comm: syz-executor264 Not tainted 5.9.0-rc6-syzkaller #0
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> > Google 01/01/2011
> > RIP: 0010:signal_our_withdraw fs/gfs2/util.c:97 [inline]
>
> Seems that it's withdrawing in the init_inodes() path early enough
> (while looking up the jindex) that sdp->sd_jdesc is still NULL here:
>
> static void signal_our_withdraw(struct gfs2_sbd *sdp)
> {
> struct gfs2_glock *gl = sdp->sd_live_gh.gh_gl;
> struct inode *inode = sdp->sd_jdesc->jd_inode;
>
> I'm undecided as to whether the bug is that we're withdrawing that early
> at all, or that we're not checking for NULL there?
>
> Probably introduced by:
>
> 601ef0d52e96 gfs2: Force withdraw to replay journals and wait for it to
> finish
>
> Andy

Hi Andy. Thanks for your analysis.

I suspect you're right.
It's probably another exception to the rule. We knew there would be a few of
those with 601ef0d52e96, such as the one we made for "withdrawing during withdraw".
We should probably just add a check for NULL and make it do the right thing.

Regards,

Bob Peterson
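Added model of the path discussed in the two replies above; it is not gfs2 source and is not the patch the maintainers wrote. The structs, flag bits and function bodies (names suffixed _m) are stand-ins for gfs2_sbd, gfs2_jdesc, gfs2_meta_check_ii() and signal_our_withdraw(); only GFS2_MAGIC and the big-endian magic field follow the on-disk format. It shows the chain from the report: a metadata block with a bad magic number (block 2072 in the trace, here a constructed zeroed buffer) forces a withdraw while init_journal() is still looking up the jindex, so sd_jdesc is NULL. The guarded stand-in checks for that before touching jd_inode, which is the NULL-check Andy and Bob discuss.

```c
/*
 * Added model, not gfs2 kernel code: a corrupt metadata block triggers a
 * withdraw before the journal descriptor exists, and the withdraw path
 * must not dereference sdp->sd_jdesc in that state.
 *
 * Stand-in names carry a _m suffix; their layouts are assumptions and do
 * not reproduce the kernel's struct offsets (the real jd_inode sat at
 * offset 0x70 in the reported build).
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define GFS2_MAGIC 0x01161970u                 /* on-disk magic of gfs2 metadata blocks */

#define SDF_WITHDRAWN          (1u << 0)
#define SDF_WITHDRAW_IN_PROG   (1u << 1)
#define SDF_RECOVERY_REQUESTED (1u << 2)       /* model-only: journal replay was signalled */

struct gfs2_jdesc_m {
    int   jd_jid;
    void *jd_inode;                            /* the field signal_our_withdraw() reads */
};

struct gfs2_sbd_m {
    unsigned int         sd_flags;
    struct gfs2_jdesc_m *sd_jdesc;             /* NULL until init_journal() found the jindex */
    const char          *sd_fsname;
};

static uint32_t be32_to_cpu_m(const uint8_t *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/*
 * Guarded stand-in for signal_our_withdraw(). In the traces above the real
 * function reads sdp->sd_jdesc->jd_inode unconditionally; here the
 * early-mount case is recognised and the replay request is skipped.
 */
static int signal_our_withdraw_m(struct gfs2_sbd_m *sdp)
{
    if (sdp->sd_jdesc == NULL) {
        fprintf(stderr, "gfs2: fsid=%s: withdrawn before journal setup, nothing to replay\n",
                sdp->sd_fsname);
        return -1;
    }
    (void)sdp->sd_jdesc->jd_inode;             /* normal case: this node's journal is known */
    sdp->sd_flags |= SDF_RECOVERY_REQUESTED;
    return 0;
}

static int gfs2_withdraw_m(struct gfs2_sbd_m *sdp)
{
    int rc;

    if (sdp->sd_flags & SDF_WITHDRAWN)         /* "withdrawing during withdraw": once is enough */
        return 0;
    fprintf(stderr, "gfs2: fsid=%s: about to withdraw this file system\n", sdp->sd_fsname);
    sdp->sd_flags |= SDF_WITHDRAWN | SDF_WITHDRAW_IN_PROG;
    rc = signal_our_withdraw_m(sdp);
    sdp->sd_flags &= ~SDF_WITHDRAW_IN_PROG;
    return rc;
}

/* Stand-in for gfs2_meta_check_ii(): every metadata block must start with GFS2_MAGIC. */
static int gfs2_meta_check_m(struct gfs2_sbd_m *sdp, const uint8_t *bh, uint64_t blkno)
{
    if (be32_to_cpu_m(bh) != GFS2_MAGIC) {
        fprintf(stderr, "gfs2: fsid=%s: fatal: invalid metadata block\n  bh = %llu (magic number)\n",
                sdp->sd_fsname, (unsigned long long)blkno);
        gfs2_withdraw_m(sdp);
        return -EIO;
    }
    return 0;
}

/* Scenario from the report: block 2072 is garbage while the jindex lookup is still running. */
unsigned int model_withdraw_during_mount(void)
{
    struct gfs2_sbd_m sdp = { .sd_flags = 0, .sd_jdesc = NULL, .sd_fsname = "syz:syz.0" };
    uint8_t bad_bh[16] = { 0 };                /* constructed: zeroed block, no magic */

    return gfs2_meta_check_m(&sdp, bad_bh, 2072) == -EIO ? sdp.sd_flags : 0xffffffffu;
}

/* Same corruption after mount, when sd_jdesc is populated and replay can be requested. */
unsigned int model_withdraw_after_mount(void)
{
    int fake_inode;
    struct gfs2_jdesc_m jd = { .jd_jid = 0, .jd_inode = &fake_inode };
    struct gfs2_sbd_m sdp = { .sd_flags = 0, .sd_jdesc = &jd, .sd_fsname = "syz:syz.0" };
    uint8_t bad_bh[16] = { 0 };

    return gfs2_meta_check_m(&sdp, bad_bh, 2072) == -EIO ? sdp.sd_flags : 0xffffffffu;
}

/* A well-formed header passes the check and no withdraw happens. */
int model_good_block(void)
{
    struct gfs2_sbd_m sdp = { .sd_flags = 0, .sd_jdesc = NULL, .sd_fsname = "syz:syz.0" };
    uint8_t good_bh[16] = { 0x01, 0x16, 0x19, 0x70 }; /* constructed: magic, rest zero */

    return gfs2_meta_check_m(&sdp, good_bh, 2072) == 0 && sdp.sd_flags == 0;
}

int main(void)
{
    printf("during mount: flags=0x%x\n", model_withdraw_during_mount());
    printf("after mount:  flags=0x%x\n", model_withdraw_after_mount());
    printf("good block:   %d\n", model_good_block());
    return 0;
}
```

The guard does not suppress the withdraw itself; the file system is still marked withdrawn and the mount still fails with -EIO. It only skips the journal-replay signalling, which cannot mean anything before the journal descriptor has been set up. The input here is the on-disk image, so anyone who can get a crafted block device mounted as gfs2 reaches this path at mount time.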

2020-09-29 05:38:41

by syzbot

Subject: Re: general protection fault in gfs2_withdraw

syzbot has bisected this issue to:

commit 601ef0d52e9617588fcff3df26953592f2eb44ac
Author: Bob Peterson <[email protected]>
Date: Tue Jan 28 19:23:45 2020 +0000

gfs2: Force withdraw to replay journals and wait for it to finish

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=151d25e3900000
start commit: 7c7ec322 Merge tag 'for-linus' of git://git.kernel.org/pub..
git tree: upstream
final oops: https://syzkaller.appspot.com/x/report.txt?x=171d25e3900000
console output: https://syzkaller.appspot.com/x/log.txt?x=131d25e3900000
kernel config: https://syzkaller.appspot.com/x/.config?x=6184b75aa6d48d66
dashboard link: https://syzkaller.appspot.com/bug?extid=50a8a9cf8127f2c6f5df
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13c6a109900000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15d45ed3900000

Reported-by: [email protected]
Fixes: 601ef0d52e96 ("gfs2: Force withdraw to replay journals and wait for it to finish")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection

2020-09-30 14:22:59

by Andrew Price

Subject: Re: general protection fault in gfs2_withdraw

On 29/09/2020 06:34, syzbot wrote:
> syzbot has bisected this issue to:
>
> commit 601ef0d52e9617588fcff3df26953592f2eb44ac
> Author: Bob Peterson <[email protected]>
> Date: Tue Jan 28 19:23:45 2020 +0000
>
> gfs2: Force withdraw to replay journals and wait for it to finish
>
> bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=151d25e3900000
> start commit: 7c7ec322 Merge tag 'for-linus' of git://git.kernel.org/pub..
> git tree: upstream
> final oops: https://syzkaller.appspot.com/x/report.txt?x=171d25e3900000
> console output: https://syzkaller.appspot.com/x/log.txt?x=131d25e3900000
> kernel config: https://syzkaller.appspot.com/x/.config?x=6184b75aa6d48d66
> dashboard link: https://syzkaller.appspot.com/bug?extid=50a8a9cf8127f2c6f5df
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13c6a109900000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15d45ed3900000
>
> Reported-by: [email protected]
> Fixes: 601ef0d52e96 ("gfs2: Force withdraw to replay journals and wait for it to finish")
>
> For information about bisection process see: https://goo.gl/tpsmEJ#bisection
>

Bug filed for this one:

https://bugzilla.redhat.com/show_bug.cgi?id=1883932

Andy