2023-02-16 21:45:21

by Sanan Hasanov

Subject: WARNING in udf_truncate_extents

Good day, dear maintainers,

We found a bug using a modified kernel configuration file used by syzbot.

We enhanced the coverage of the configuration file using our tool, klocalizer.

Kernel Branch: 6.2.0-rc6-next-20230203
Kernel config: https://drive.google.com/file/d/1jWHyzy2KABqlRawd3FO2V2ZVNoMWpkZu/view?usp=share_link
C Reproducer: https://drive.google.com/file/d/1zH4AtT1D3O-vqihwMy-kxrFW6Rni6bZ_/view?usp=share_link

Thank you!

Best regards,
Sanan Hasanov

------------[ cut here ]------------
WARNING: CPU: 6 PID: 10426 at fs/udf/truncate.c:208 udf_truncate_extents+0x8a9/0x9d0
Modules linked in:
CPU: 6 PID: 10426 Comm: syz-executor.3 Not tainted 6.2.0-rc6-next-20230203 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:udf_truncate_extents+0x8a9/0x9d0
Code: 84 d2 74 05 e8 e8 1e f9 fe 8b 44 24 20 be 07 00 00 00 48 89 df 89 83 cc fe ff ff e8 61 0b 13 ff e9 a5 fd ff ff e8 b7 23 aa fe <0f> 0b e9 1f fe ff ff e8 ab 23 aa fe 0f 0b 48 8b 7c 24 08 48 89 74
RSP: 0000:ffffc9000c6f7050 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffff888045252160 RCX: 0000000000000000
RDX: ffff888114e53900 RSI: ffffffff82d5b399 RDI: 0000000000000007
RBP: ffffc9000c6f7140 R08: 0000000000000007 R09: 0000000000000000
R10: 0000000000000350 R11: 0000000000000001 R12: ffff8880530de000
R13: 0000000000000350 R14: 00000000000000ff R15: ffffc9000c6f7100
FS: 00007f601837e700(0000) GS:ffff888119f00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000001ffffe40 CR3: 000000004c1b1000 CR4: 0000000000350ee0
Call Trace:
<TASK>
udf_write_failed.isra.0+0x173/0x1c0
udf_write_begin+0x2c5/0x370
generic_perform_write+0x259/0x580
__generic_file_write_iter+0x2ae/0x500
udf_file_write_iter+0x233/0x740
__kernel_write_iter+0x262/0x7a0
__kernel_write+0xc9/0x110
dump_emit+0x21d/0x340
elf_core_dump+0x215c/0x3720
do_coredump+0x2d30/0x3ce0
get_signal+0x1c11/0x25c0
arch_do_signal_or_restart+0x79/0x5a0
exit_to_user_mode_prepare+0x11f/0x240
irqentry_exit_to_user_mode+0x9/0x30
asm_exc_general_protection+0x26/0x30
RIP: 0033:0x7f601728edd5
Code: 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 48 3d 01 f0 ff ff 73 01 <c3> 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 84
RSP: 002b:0000000020000040 EFLAGS: 00010217
RAX: 0000000000000000 RBX: 00007f60173bc120 RCX: 00007f601728edcd
RDX: 0000000000000000 RSI: 0000000020000040 RDI: 0000000000000000
RBP: 00007f60172fc59c R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffc959cbaaf R14: 00007ffc959cbc50 R15: 00007f601837dd80
</TASK>
irq event stamp: 1369
hardirqs last enabled at (1379): [<ffffffff81643788>] __up_console_sem+0x78/0x80
hardirqs last disabled at (1388): [<ffffffff8164376d>] __up_console_sem+0x5d/0x80
softirqs last enabled at (490): [<ffffffff814b2d7d>] __irq_exit_rcu+0x11d/0x190
softirqs last disabled at (351): [<ffffffff814b2d7d>] __irq_exit_rcu+0x11d/0x190
---[ end trace 0000000000000000 ]---


2023-02-17 11:23:07

by Jan Kara

Subject: Re: WARNING in udf_truncate_extents

Hello!

On Thu 16-02-23 21:44:45, Sanan Hasanov wrote:
> We found a bug using a modified kernel configuration file used by syzbot.
>
> We enhanced the coverage of the configuration file using our tool, klocalizer.
>
> Kernel Branch: 6.2.0-rc6-next-20230203
> Kernel config: https://drive.google.com/file/d/1jWHyzy2KABqlRawd3FO2V2ZVNoMWpkZu/view?usp=share_link
> C Reproducer: https://drive.google.com/file/d/1zH4AtT1D3O-vqihwMy-kxrFW6Rni6bZ_/view?usp=share_link

Hum, so looking into the reproducer I don't see how it could trigger the
warning below because the reproducer just mounts UDF image and then forks
64 processes. In particular there is no write happening to the UDF
filesystem shown in the stacktrace. Are you sure this reproducer indeed
triggers this warning for you?

Honza

> ------------[ cut here ]------------
> WARNING: CPU: 6 PID: 10426 at fs/udf/truncate.c:208 udf_truncate_extents+0x8a9/0x9d0
> Modules linked in:
> CPU: 6 PID: 10426 Comm: syz-executor.3 Not tainted 6.2.0-rc6-next-20230203 #1
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
> RIP: 0010:udf_truncate_extents+0x8a9/0x9d0
> Code: 84 d2 74 05 e8 e8 1e f9 fe 8b 44 24 20 be 07 00 00 00 48 89 df 89 83 cc fe ff ff e8 61 0b 13 ff e9 a5 fd ff ff e8 b7 23 aa fe <0f> 0b e9 1f fe ff ff e8 ab 23 aa fe 0f 0b 48 8b 7c 24 08 48 89 74
> RSP: 0000:ffffc9000c6f7050 EFLAGS: 00010293
> RAX: 0000000000000000 RBX: ffff888045252160 RCX: 0000000000000000
> RDX: ffff888114e53900 RSI: ffffffff82d5b399 RDI: 0000000000000007
> RBP: ffffc9000c6f7140 R08: 0000000000000007 R09: 0000000000000000
> R10: 0000000000000350 R11: 0000000000000001 R12: ffff8880530de000
> R13: 0000000000000350 R14: 00000000000000ff R15: ffffc9000c6f7100
> FS: 00007f601837e700(0000) GS:ffff888119f00000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 000000001ffffe40 CR3: 000000004c1b1000 CR4: 0000000000350ee0
> Call Trace:
> <TASK>
> udf_write_failed.isra.0+0x173/0x1c0
> udf_write_begin+0x2c5/0x370
> generic_perform_write+0x259/0x580
> __generic_file_write_iter+0x2ae/0x500
> udf_file_write_iter+0x233/0x740
> __kernel_write_iter+0x262/0x7a0
> __kernel_write+0xc9/0x110
> dump_emit+0x21d/0x340
> elf_core_dump+0x215c/0x3720
> do_coredump+0x2d30/0x3ce0
> get_signal+0x1c11/0x25c0
> arch_do_signal_or_restart+0x79/0x5a0
> exit_to_user_mode_prepare+0x11f/0x240
> irqentry_exit_to_user_mode+0x9/0x30
> asm_exc_general_protection+0x26/0x30
> RIP: 0033:0x7f601728edd5
> Code: 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 48 3d 01 f0 ff ff 73 01 <c3> 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 84
> RSP: 002b:0000000020000040 EFLAGS: 00010217
> RAX: 0000000000000000 RBX: 00007f60173bc120 RCX: 00007f601728edcd
> RDX: 0000000000000000 RSI: 0000000020000040 RDI: 0000000000000000
> RBP: 00007f60172fc59c R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
> R13: 00007ffc959cbaaf R14: 00007ffc959cbc50 R15: 00007f601837dd80
> </TASK>
> irq event stamp: 1369
> hardirqs last enabled at (1379): [<ffffffff81643788>] __up_console_sem+0x78/0x80
> hardirqs last disabled at (1388): [<ffffffff8164376d>] __up_console_sem+0x5d/0x80
> softirqs last enabled at (490): [<ffffffff814b2d7d>] __irq_exit_rcu+0x11d/0x190
> softirqs last disabled at (351): [<ffffffff814b2d7d>] __irq_exit_rcu+0x11d/0x190
> ---[ end trace 0000000000000000 ]---
--
Jan Kara <[email protected]>
SUSE Labs, CR