2023-05-01 17:23:51

by syzbot
Subject: [syzbot] [f2fs?] WARNING: lock held when returning to user space in f2fs_write_single_data_page

Hello,

syzbot found the following issue on:

HEAD commit: 58390c8ce1bd Merge tag 'iommu-updates-v6.4' of git://git.k..
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=136e6ef8280000
kernel config: https://syzkaller.appspot.com/x/.config?x=5eadbf0d3c2ece89
dashboard link: https://syzkaller.appspot.com/bug?extid=eb6201248f684e99b9f8
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16bbb03c280000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=140d36f8280000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/60130779f509/disk-58390c8c.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/d7f0cdd29b71/vmlinux-58390c8c.xz
kernel image: https://storage.googleapis.com/syzbot-assets/de415ad52ae4/bzImage-58390c8c.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/dc89d01cd6e9/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: [email protected]

syz-executor768: attempt to access beyond end of device
loop0: rw=2049, sector=77824, nr_sectors = 2048 limit=63271
syz-executor768: attempt to access beyond end of device
loop0: rw=2049, sector=79872, nr_sectors = 2048 limit=63271
================================================
WARNING: lock held when returning to user space!
6.3.0-syzkaller-12049-g58390c8ce1bd #0 Not tainted
------------------------------------------------
syz-executor768/4998 is leaving the kernel with locks still held!
1 lock held by syz-executor768/4998:
#0: ffff88807e800448 (&sbi->node_write){++++}-{3:3}, at: f2fs_down_read fs/f2fs/f2fs.h:2087 [inline]
#0: ffff88807e800448 (&sbi->node_write){++++}-{3:3}, at: f2fs_write_single_data_page+0xa10/0x1d50 fs/f2fs/data.c:2842


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at [email protected].

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to change bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup


2023-05-02 02:57:36

by syzbot
Subject: Re: [syzbot] [f2fs?] WARNING: lock held when returning to user space in f2fs_write_single_data_page

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
no output from test machine



Tested on:

commit: 58390c8c Merge tag 'iommu-updates-v6.4' of git://git.k..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=17fe6ef8280000
kernel config: https://syzkaller.appspot.com/x/.config?x=5eadbf0d3c2ece89
dashboard link: https://syzkaller.appspot.com/bug?extid=eb6201248f684e99b9f8
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=141e43c2280000

2023-05-03 15:34:43

by Chao Yu
Subject: Re: [syzbot] [f2fs?] WARNING: lock held when returning to user space in f2fs_write_single_data_page

On 2023/5/2 1:05, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 58390c8ce1bd Merge tag 'iommu-updates-v6.4' of git://git.k..
> git tree: upstream
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=136e6ef8280000
> kernel config: https://syzkaller.appspot.com/x/.config?x=5eadbf0d3c2ece89
> dashboard link: https://syzkaller.appspot.com/bug?extid=eb6201248f684e99b9f8
> compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16bbb03c280000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=140d36f8280000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/60130779f509/disk-58390c8c.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/d7f0cdd29b71/vmlinux-58390c8c.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/de415ad52ae4/bzImage-58390c8c.xz
> mounted in repro: https://storage.googleapis.com/syzbot-assets/dc89d01cd6e9/mount_0.gz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: [email protected]

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/chao/linux.git dev-test

>
> syz-executor768: attempt to access beyond end of device
> loop0: rw=2049, sector=77824, nr_sectors = 2048 limit=63271
> syz-executor768: attempt to access beyond end of device
> loop0: rw=2049, sector=79872, nr_sectors = 2048 limit=63271
> ================================================
> WARNING: lock held when returning to user space!
> 6.3.0-syzkaller-12049-g58390c8ce1bd #0 Not tainted
> ------------------------------------------------
> syz-executor768/4998 is leaving the kernel with locks still held!
> 1 lock held by syz-executor768/4998:
> #0: ffff88807e800448 (&sbi->node_write){++++}-{3:3}, at: f2fs_down_read fs/f2fs/f2fs.h:2087 [inline]
> #0: ffff88807e800448 (&sbi->node_write){++++}-{3:3}, at: f2fs_write_single_data_page+0xa10/0x1d50 fs/f2fs/data.c:2842

2023-05-03 16:11:25

by syzbot
Subject: Re: [syzbot] [f2fs?] WARNING: lock held when returning to user space in f2fs_write_single_data_page

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in f2fs_quota_on

general protection fault, probably for non-canonical address 0xdffffc00000000e6: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000730-0x0000000000000737]
CPU: 0 PID: 5450 Comm: syz-executor.0 Not tainted 6.3.0-syzkaller-05651-gfd78b242ba1b #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023
RIP: 0010:__lock_acquire+0x69/0x2000 kernel/locking/lockdep.c:4942
Code: df 0f b6 04 30 84 c0 0f 85 5a 16 00 00 83 3d c1 51 e9 0c 00 0f 84 02 11 00 00 83 3d f0 89 74 0b 00 74 2b 4c 89 f0 48 c1 e8 03 <80> 3c 30 00 74 12 4c 89 f7 e8 c9 54 76 00 48 be 00 00 00 00 00 fc
RSP: 0018:ffffc90005a1faf8 EFLAGS: 00010002
RAX: 00000000000000e6 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: dffffc0000000000 RDI: 0000000000000730
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: dffffc0000000001 R12: 0000000000000001
R13: 0000000000000000 R14: 0000000000000730 R15: ffff888077f13b80
FS: 00007fc1c2b17700(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055800180a000 CR3: 00000000706b1000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
lock_acquire+0x1e3/0x520 kernel/locking/lockdep.c:5691
down_write+0x3a/0x50 kernel/locking/rwsem.c:1573
f2fs_down_write fs/f2fs/f2fs.h:2125 [inline]
f2fs_quota_on+0x120/0x320 fs/f2fs/super.c:2916
__do_sys_quotactl fs/quota/quota.c:960 [inline]
__se_sys_quotactl+0x2b5/0x810 fs/quota/quota.c:916
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fc1c1e8c169
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fc1c2b17168 EFLAGS: 00000246 ORIG_RAX: 00000000000000b3
RAX: ffffffffffffffda RBX: 00007fc1c1fac050 RCX: 00007fc1c1e8c169
RDX: 0000000000000000 RSI: 0000000020000080 RDI: ffffffff80000202
RBP: 00007fc1c1ee7ca1 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000020008040 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffd3e2e112f R14: 00007fc1c2b17300 R15: 0000000000022000
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__lock_acquire+0x69/0x2000 kernel/locking/lockdep.c:4942
Code: df 0f b6 04 30 84 c0 0f 85 5a 16 00 00 83 3d c1 51 e9 0c 00 0f 84 02 11 00 00 83 3d f0 89 74 0b 00 74 2b 4c 89 f0 48 c1 e8 03 <80> 3c 30 00 74 12 4c 89 f7 e8 c9 54 76 00 48 be 00 00 00 00 00 fc
RSP: 0018:ffffc90005a1faf8 EFLAGS: 00010002
RAX: 00000000000000e6 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: dffffc0000000000 RDI: 0000000000000730
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: dffffc0000000001 R12: 0000000000000001
R13: 0000000000000000 R14: 0000000000000730 R15: ffff888077f13b80
FS: 00007fc1c2b17700(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055800180a000 CR3: 00000000706b1000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: df 0f fisttps (%rdi)
2: b6 04 mov $0x4,%dh
4: 30 84 c0 0f 85 5a 16 xor %al,0x165a850f(%rax,%rax,8)
b: 00 00 add %al,(%rax)
d: 83 3d c1 51 e9 0c 00 cmpl $0x0,0xce951c1(%rip) # 0xce951d5
14: 0f 84 02 11 00 00 je 0x111c
1a: 83 3d f0 89 74 0b 00 cmpl $0x0,0xb7489f0(%rip) # 0xb748a11
21: 74 2b je 0x4e
23: 4c 89 f0 mov %r14,%rax
26: 48 c1 e8 03 shr $0x3,%rax
* 2a: 80 3c 30 00 cmpb $0x0,(%rax,%rsi,1) <-- trapping instruction
2e: 74 12 je 0x42
30: 4c 89 f7 mov %r14,%rdi
33: e8 c9 54 76 00 callq 0x765501
38: 48 rex.W
39: be 00 00 00 00 mov $0x0,%esi
3e: 00 fc add %bh,%ah


Tested on:

commit: fd78b242 f2fs: fix potential deadlock due to unpaired ..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/chao/linux.git dev-test
console output: https://syzkaller.appspot.com/x/log.txt?x=11d46838280000
kernel config: https://syzkaller.appspot.com/x/.config?x=86e4eb913e90d4b2
dashboard link: https://syzkaller.appspot.com/bug?extid=eb6201248f684e99b9f8
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2

Note: no patches were applied.

2023-05-04 12:20:57

by Chao Yu
Subject: Re: [syzbot] [f2fs?] WARNING: lock held when returning to user space in f2fs_write_single_data_page

On 2023/5/2 1:05, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 58390c8ce1bd Merge tag 'iommu-updates-v6.4' of git://git.k..
> git tree: upstream
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=136e6ef8280000
> kernel config: https://syzkaller.appspot.com/x/.config?x=5eadbf0d3c2ece89
> dashboard link: https://syzkaller.appspot.com/bug?extid=eb6201248f684e99b9f8
> compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16bbb03c280000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=140d36f8280000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/60130779f509/disk-58390c8c.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/d7f0cdd29b71/vmlinux-58390c8c.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/de415ad52ae4/bzImage-58390c8c.xz
> mounted in repro: https://storage.googleapis.com/syzbot-assets/dc89d01cd6e9/mount_0.gz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: [email protected]

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/chao/linux.git dev-test

>
> syz-executor768: attempt to access beyond end of device
> loop0: rw=2049, sector=77824, nr_sectors = 2048 limit=63271
> syz-executor768: attempt to access beyond end of device
> loop0: rw=2049, sector=79872, nr_sectors = 2048 limit=63271
> ================================================
> WARNING: lock held when returning to user space!
> 6.3.0-syzkaller-12049-g58390c8ce1bd #0 Not tainted
> ------------------------------------------------
> syz-executor768/4998 is leaving the kernel with locks still held!
> 1 lock held by syz-executor768/4998:
> #0: ffff88807e800448 (&sbi->node_write){++++}-{3:3}, at: f2fs_down_read fs/f2fs/f2fs.h:2087 [inline]
> #0: ffff88807e800448 (&sbi->node_write){++++}-{3:3}, at: f2fs_write_single_data_page+0xa10/0x1d50 fs/f2fs/data.c:2842

2023-05-04 13:44:04

by syzbot
Subject: Re: [syzbot] [f2fs?] WARNING: lock held when returning to user space in f2fs_write_single_data_page

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
no output from test machine



Tested on:

commit: 2adb872d f2fs: fix potential deadlock due to unpaired ..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/chao/linux.git dev-test
console output: https://syzkaller.appspot.com/x/log.txt?x=114b5338280000
kernel config: https://syzkaller.appspot.com/x/.config?x=86e4eb913e90d4b2
dashboard link: https://syzkaller.appspot.com/bug?extid=eb6201248f684e99b9f8
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2

Note: no patches were applied.

2023-05-04 13:54:07

by Chao Yu
Subject: Re: [syzbot] [f2fs?] WARNING: lock held when returning to user space in f2fs_write_single_data_page

Hi,

On 2023/5/4 21:31, syzbot wrote:
> Hello,
>
> syzbot has tested the proposed patch but the reproducer is still triggering an issue:

It said the reproducer is still triggering an issue; however, there is
no error output from the test.

Could you please help check whether such a status is normal, or am I
missing something?

Thanks,

> no output from test machine
>
>
>
> Tested on:
>
> commit: 2adb872d f2fs: fix potential deadlock due to unpaired ..
> git tree: https://git.kernel.org/pub/scm/linux/kernel/git/chao/linux.git dev-test
> console output: https://syzkaller.appspot.com/x/log.txt?x=114b5338280000
> kernel config: https://syzkaller.appspot.com/x/.config?x=86e4eb913e90d4b2
> dashboard link: https://syzkaller.appspot.com/bug?extid=eb6201248f684e99b9f8
> compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
>
> Note: no patches were applied.

2023-05-04 14:21:51

by Aleksandr Nogikh
Subject: Re: [syzbot] [f2fs?] WARNING: lock held when returning to user space in f2fs_write_single_data_page

On Thu, May 4, 2023 at 3:48 PM Chao Yu <[email protected]> wrote:
>
> Hi,
>
> On 2023/5/4 21:31, syzbot wrote:
> > Hello,
> >
> > syzbot has tested the proposed patch but the reproducer is still triggering an issue:
>
> It said the reproducer is still triggering an issue, however, there is
> no error output from the test.
>
> Could you please help to check whether such status is normal or not, or
> am I missing something?

The status means that syzbot has not received a single byte from the
VM for 5 minutes in a row, i.e. the kernel likely just hung.

--
Aleksandr

>
> Thanks,
>
> > no output from test machine
> >
> >
> >
> > Tested on:
> >
> > commit: 2adb872d f2fs: fix potential deadlock due to unpaired ..
> > git tree: https://git.kernel.org/pub/scm/linux/kernel/git/chao/linux.git dev-test
> > console output: https://syzkaller.appspot.com/x/log.txt?x=114b5338280000
> > kernel config: https://syzkaller.appspot.com/x/.config?x=86e4eb913e90d4b2
> > dashboard link: https://syzkaller.appspot.com/bug?extid=eb6201248f684e99b9f8
> > compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
> >
> > Note: no patches were applied.

2023-09-15 05:52:49

by syzbot
Subject: Re: [syzbot] [f2fs?] WARNING: lock held when returning to user space in f2fs_write_single_data_page

syzbot suspects this issue was fixed by commit:

commit 5079e1c0c879311668b77075de3e701869804adf
Author: Chao Yu <[email protected]>
Date: Fri Jun 2 08:36:05 2023 +0000

f2fs: avoid dead loop in f2fs_issue_checkpoint()

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=15aae552680000
start commit: c8c655c34e33 Merge tag 'for-linus' of git://git.kernel.org..
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=5eadbf0d3c2ece89
dashboard link: https://syzkaller.appspot.com/bug?extid=eb6201248f684e99b9f8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13130a1c280000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13d919f8280000

If the result looks correct, please mark the issue as fixed by replying with:

#syz fix: f2fs: avoid dead loop in f2fs_issue_checkpoint()

For information about bisection process see: https://goo.gl/tpsmEJ#bisection