Hello,
syzbot found the following issue on:
HEAD commit: 0dd2a6fb1e34 Merge tag 'tty-6.4-rc3' of git://git.kernel.o..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14343765280000
kernel config: https://syzkaller.appspot.com/x/.config?x=9afc9b1b9107cdcd
dashboard link: https://syzkaller.appspot.com/bug?extid=0ad741797f4565e7e2d2
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1746d572280000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/df4d9c4d67a3/disk-0dd2a6fb.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/76f164dda927/vmlinux-0dd2a6fb.xz
kernel image: https://storage.googleapis.com/syzbot-assets/3f4f63ee8d7e/bzImage-0dd2a6fb.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/420107162e49/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: [email protected]
NILFS (loop1): segctord starting. Construction interval = 5 seconds, CP frequency < 30 seconds
general protection fault, probably for non-canonical address 0xdffffc000000003d: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x00000000000001e8-0x00000000000001ef]
CPU: 0 PID: 5383 Comm: segctord Not tainted 6.4.0-rc2-syzkaller-00330-g0dd2a6fb1e34 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023
RIP: 0010:__lock_acquire+0xdce/0x5df0 kernel/locking/lockdep.c:4942
Code: 00 00 3b 05 04 82 59 0f 0f 87 42 0a 00 00 41 be 01 00 00 00 e9 83 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 da 48 c1 ea 03 <80> 3c 02 00 0f 85 19 32 00 00 48 81 3b 20 08 16 90 0f 84 06 f3 ff
RSP: 0018:ffffc9000549f618 EFLAGS: 00010012
RAX: dffffc0000000000 RBX: 00000000000001e8 RCX: 0000000000000000
RDX: 000000000000003d RSI: 0000000000000000 RDI: 00000000000001e8
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000001
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: ffff88802009bb80 R14: 0000000000000000 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 0000000016b15000 CR4: 0000000000350ef0
Call Trace:
<TASK>
lock_acquire kernel/locking/lockdep.c:5691 [inline]
lock_acquire+0x1b1/0x520 kernel/locking/lockdep.c:5656
__raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
_raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
spin_lock include/linux/spinlock.h:350 [inline]
folio_create_empty_buffers+0xb0/0x470 fs/buffer.c:1615
nilfs_lookup_dirty_data_buffers+0x580/0x6f0 fs/nilfs2/segment.c:730
nilfs_segctor_scan_file+0x1b1/0x6f0 fs/nilfs2/segment.c:1075
nilfs_segctor_collect_blocks fs/nilfs2/segment.c:1197 [inline]
nilfs_segctor_collect fs/nilfs2/segment.c:1524 [inline]
nilfs_segctor_do_construct+0x267f/0x7200 fs/nilfs2/segment.c:2070
nilfs_segctor_construct+0x8e3/0xb30 fs/nilfs2/segment.c:2404
nilfs_segctor_thread_construct fs/nilfs2/segment.c:2512 [inline]
nilfs_segctor_thread+0x3c7/0xf30 fs/nilfs2/segment.c:2595
kthread+0x344/0x440 kernel/kthread.c:379
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__lock_acquire+0xdce/0x5df0 kernel/locking/lockdep.c:4942
Code: 00 00 3b 05 04 82 59 0f 0f 87 42 0a 00 00 41 be 01 00 00 00 e9 83 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 da 48 c1 ea 03 <80> 3c 02 00 0f 85 19 32 00 00 48 81 3b 20 08 16 90 0f 84 06 f3 ff
RSP: 0018:ffffc9000549f618 EFLAGS: 00010012
RAX: dffffc0000000000 RBX: 00000000000001e8 RCX: 0000000000000000
RDX: 000000000000003d RSI: 0000000000000000 RDI: 00000000000001e8
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000001
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: ffff88802009bb80 R14: 0000000000000000 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 0000000016b15000 CR4: 0000000000350ef0
----------------
Code disassembly (best guess):
0: 00 00 add %al,(%rax)
2: 3b 05 04 82 59 0f cmp 0xf598204(%rip),%eax # 0xf59820c
8: 0f 87 42 0a 00 00 ja 0xa50
e: 41 be 01 00 00 00 mov $0x1,%r14d
14: e9 83 00 00 00 jmpq 0x9c
19: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
20: fc ff df
23: 48 89 da mov %rbx,%rdx
26: 48 c1 ea 03 shr $0x3,%rdx
* 2a: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) <-- trapping instruction
2e: 0f 85 19 32 00 00 jne 0x324d
34: 48 81 3b 20 08 16 90 cmpq $0xffffffff90160820,(%rbx)
3b: 0f .byte 0xf
3c: 84 06 test %al,(%rsi)
3e: f3 repz
3f: ff .byte 0xff
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at [email protected].
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to change bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot has found a reproducer for the following issue on:
HEAD commit: bdffb18b5dd8 Add linux-next specific files for 20230804
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=1625c47da80000
kernel config: https://syzkaller.appspot.com/x/.config?x=4edf5fc5e1e5446f
dashboard link: https://syzkaller.appspot.com/bug?extid=0ad741797f4565e7e2d2
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14b893bea80000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16764a71a80000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/9d65b99a07c2/disk-bdffb18b.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/8b9623d8bd2e/vmlinux-bdffb18b.xz
kernel image: https://storage.googleapis.com/syzbot-assets/3e6c96c97edb/bzImage-bdffb18b.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/17c4ca724160/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: [email protected]
general protection fault, probably for non-canonical address 0xdffffc000000003a: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x00000000000001d0-0x00000000000001d7]
CPU: 0 PID: 5323 Comm: segctord Not tainted 6.5.0-rc4-next-20230804-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2023
RIP: 0010:debug_spin_lock_before kernel/locking/spinlock_debug.c:85 [inline]
RIP: 0010:do_raw_spin_lock+0x6e/0x2b0 kernel/locking/spinlock_debug.c:114
Code: 81 48 8d 54 05 00 c7 02 f1 f1 f1 f1 c7 42 04 04 f3 f3 f3 65 48 8b 14 25 28 00 00 00 48 89 54 24 60 31 d2 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 e3
RSP: 0018:ffffc9000507f6e8 EFLAGS: 00010207
RAX: dffffc0000000000 RBX: 00000000000001d0 RCX: 0000000000000000
RDX: 000000000000003a RSI: ffffffff8ac889a0 RDI: 00000000000001d4
RBP: 1ffff92000a0fede R08: 0000000000000000 R09: fffffbfff1d598ca
R10: ffffffff8eacc657 R11: 000000000000004e R12: 0000000000000000
R13: ffffea0001ca6bc0 R14: ffff888072088d98 R15: ffffea0001ca6bd8
FS: 0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000480 CR3: 0000000027f80000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
spin_lock include/linux/spinlock.h:351 [inline]
folio_create_empty_buffers+0xb0/0x470 fs/buffer.c:1657
nilfs_lookup_dirty_data_buffers+0x5a1/0x720 fs/nilfs2/segment.c:730
nilfs_segctor_scan_file+0x1b1/0x6f0 fs/nilfs2/segment.c:1080
nilfs_segctor_collect_blocks fs/nilfs2/segment.c:1202 [inline]
nilfs_segctor_collect fs/nilfs2/segment.c:1529 [inline]
nilfs_segctor_do_construct+0x2f11/0x8bf0 fs/nilfs2/segment.c:2077
nilfs_segctor_construct+0x924/0xb50 fs/nilfs2/segment.c:2411
nilfs_segctor_thread_construct fs/nilfs2/segment.c:2519 [inline]
nilfs_segctor_thread+0x38f/0xe90 fs/nilfs2/segment.c:2602
kthread+0x33a/0x430 kernel/kthread.c:389
ret_from_fork+0x2c/0x70 arch/x86/kernel/process.c:145
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:debug_spin_lock_before kernel/locking/spinlock_debug.c:85 [inline]
RIP: 0010:do_raw_spin_lock+0x6e/0x2b0 kernel/locking/spinlock_debug.c:114
Code: 81 48 8d 54 05 00 c7 02 f1 f1 f1 f1 c7 42 04 04 f3 f3 f3 65 48 8b 14 25 28 00 00 00 48 89 54 24 60 31 d2 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 e3
RSP: 0018:ffffc9000507f6e8 EFLAGS: 00010207
RAX: dffffc0000000000 RBX: 00000000000001d0 RCX: 0000000000000000
RDX: 000000000000003a RSI: ffffffff8ac889a0 RDI: 00000000000001d4
RBP: 1ffff92000a0fede R08: 0000000000000000 R09: fffffbfff1d598ca
R10: ffffffff8eacc657 R11: 000000000000004e R12: 0000000000000000
R13: ffffea0001ca6bc0 R14: ffff888072088d98 R15: ffffea0001ca6bd8
FS: 0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000480 CR3: 0000000027f80000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 81 48 8d 54 05 00 c7 orl $0xc7000554,-0x73(%rax)
7: 02 f1 add %cl,%dh
9: f1 int1
a: f1 int1
b: f1 int1
c: c7 42 04 04 f3 f3 f3 movl $0xf3f3f304,0x4(%rdx)
13: 65 48 8b 14 25 28 00 mov %gs:0x28,%rdx
1a: 00 00
1c: 48 89 54 24 60 mov %rdx,0x60(%rsp)
21: 31 d2 xor %edx,%edx
23: 48 89 fa mov %rdi,%rdx
26: 48 c1 ea 03 shr $0x3,%rdx
* 2a: 0f b6 14 02 movzbl (%rdx,%rax,1),%edx <-- trapping instruction
2e: 48 89 f8 mov %rdi,%rax
31: 83 e0 07 and $0x7,%eax
34: 83 c0 03 add $0x3,%eax
37: 38 d0 cmp %dl,%al
39: 7c 08 jl 0x43
3b: 84 d2 test %dl,%dl
3d: 0f .byte 0xf
3e: 85 e3 test %esp,%ebx
---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
A syzbot stress test reported that create_empty_buffers() called from
nilfs_lookup_dirty_data_buffers() can cause a general protection fault.
Analysis using its reproducer revealed that the back reference "mapping"
from a page/folio has been changed to NULL after dirty page/folio gang
lookup in nilfs_lookup_dirty_data_buffers().
Fix this issue by excluding pages/folios from being collected if, after
acquiring a lock on each page/folio, its back reference "mapping"
differs from the pointer to the address space struct that held the
page/folio.
Signed-off-by: Ryusuke Konishi <[email protected]>
Reported-by: [email protected]
Closes: https://lkml.kernel.org/r/[email protected]
Tested-by: Ryusuke Konishi <[email protected]>
Cc: <[email protected]>
---
fs/nilfs2/segment.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/fs/nilfs2/segment.c b/fs/nilfs2/segment.c
index 581691e4be49..7ec16879756e 100644
--- a/fs/nilfs2/segment.c
+++ b/fs/nilfs2/segment.c
@@ -725,6 +725,11 @@ static size_t nilfs_lookup_dirty_data_buffers(struct inode *inode,
struct folio *folio = fbatch.folios[i];
folio_lock(folio);
+ if (unlikely(folio->mapping != mapping)) {
+ /* Exclude folios removed from the address space */
+ folio_unlock(folio);
+ continue;
+ }
head = folio_buffers(folio);
if (!head) {
create_empty_buffers(&folio->page, i_blocksize(inode), 0);
--
2.34.1