kernel BUG at fs/ext4/fsync.c:LINE!


syzbot

Apr 14, 2019, 4:51:27 AM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 9f23a833 Merge 4.9.148 into android-4.9
git tree: android-4.9
console output: https://syzkaller.appspot.com/x/log.txt?x=17c97880c00000
kernel config: https://syzkaller.appspot.com/x/.config?x=55dc746adbeac1dd
dashboard link: https://syzkaller.appspot.com/bug?extid=43f100a7b0d7527cc7e0
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15d23dfd400000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=109bd46f400000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+43f100...@syzkaller.appspotmail.com

random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: crng init done
------------[ cut here ]------------
kernel BUG at fs/ext4/fsync.c:103!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 1 PID: 2080 Comm: syz-executor138 Not tainted 4.9.148+ #1
task: ffff8801cf2b2f80 task.stack: ffff8801cef58000
RIP: 0010:[<ffffffff816b8b98>] [<ffffffff816b8b98>]
ext4_sync_file+0x7f8/0x10a0 fs/ext4/fsync.c:103
RSP: 0018:ffff8801db707af0 EFLAGS: 00010206
RAX: ffff8801cf2b2f80 RBX: ffff8801ca73ca80 RCX: dffffc0000000000
RDX: 0000000000000100 RSI: ffffffff816b8b98 RDI: ffff8801cf2b3fb8
RBP: ffff8801db707b38 R08: 0000000000000000 R09: ffff8801cf2b3878
R10: 0000000000000000 R11: 0000000000000000 R12: ffff8801cf1f5800
R13: ffff8801ca73caa8 R14: ffff8801d5cdd500 R15: 0000000000000000
FS: 0000000001b63880(0000) GS:ffff8801db700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000021000000 CR3: 00000001cf358000 CR4: 00000000001606b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
ffff8801ca73cb58 000000000000ffff 0000000000000000 ffff880100000001
ffffffff816b83a0 ffff8801cf1f5800 0000000000000001 0000000000000000
000000000000ffff ffff8801db707b88 ffffffff815b37f1 e9e627954b055420
Call Trace:
<IRQ>
[<ffffffff815b37f1>] vfs_fsync_range+0x111/0x260 fs/sync.c:195
[<ffffffff815cf916>] generic_write_sync include/linux/fs.h:2609 [inline]
[<ffffffff815cf916>] dio_complete+0x376/0x6e0 fs/direct-io.c:282
[<ffffffff815cfda4>] dio_bio_end_aio+0x124/0x390 fs/direct-io.c:323
[<ffffffff81ab817d>] bio_endio+0x1ad/0x200 block/bio.c:1781
[<ffffffff81ad869e>] req_bio_endio block/blk-core.c:157 [inline]
[<ffffffff81ad869e>] blk_update_request+0x24e/0x9d0 block/blk-core.c:2628
[<ffffffff81e1cbcc>] scsi_end_request+0x9c/0x5c0
drivers/scsi/scsi_lib.c:606
[<ffffffff81e25bc5>] scsi_io_completion+0x275/0x17e0
drivers/scsi/scsi_lib.c:829
[<ffffffff81e0878d>] scsi_finish_command+0x3ad/0x520
drivers/scsi/scsi.c:607
[<ffffffff81e240f9>] scsi_softirq_done+0x259/0x370
drivers/scsi/scsi_lib.c:1567
[<ffffffff81af672e>] blk_done_softirq+0x27e/0x3e0 block/blk-softirq.c:35
[<ffffffff82817d7d>] __do_softirq+0x22d/0x964 kernel/softirq.c:288
[<ffffffff810eeae9>] invoke_softirq kernel/softirq.c:368 [inline]
[<ffffffff810eeae9>] irq_exit+0x119/0x160 kernel/softirq.c:409
[<ffffffff82814ca1>] exiting_irq arch/x86/include/asm/apic.h:669 [inline]
[<ffffffff82814ca1>] do_IRQ+0x111/0x1d0 arch/x86/kernel/irq.c:252
[<ffffffff8281329d>] common_interrupt+0x9d/0x9d
arch/x86/entry/entry_64.S:461
<EOI>
[<ffffffff8280c841>] down_write+0x41/0xa0 kernel/locking/rwsem.c:52
[<ffffffff816cc1ba>] ext4_map_blocks+0x77a/0x1710 fs/ext4/inode.c:605
[<ffffffff816d937e>] mpage_map_one_extent fs/ext4/inode.c:2387 [inline]
[<ffffffff816d937e>] mpage_map_and_submit_extent fs/ext4/inode.c:2443
[inline]
[<ffffffff816d937e>] ext4_writepages+0x155e/0x2d20 fs/ext4/inode.c:2783
[<ffffffff814344ac>] do_writepages+0xfc/0x1e0 mm/page-writeback.c:2331
[<ffffffff814121bd>] __filemap_fdatawrite_range+0x1ad/0x260
mm/filemap.c:390
[<ffffffff814122c4>] __filemap_fdatawrite mm/filemap.c:398 [inline]
[<ffffffff814122c4>] filemap_flush+0x24/0x30 mm/filemap.c:423
[<ffffffff816cf976>] ext4_alloc_da_blocks+0xd6/0x340 fs/ext4/inode.c:3157
[<ffffffff816b5abf>] ext4_release_file+0x1ff/0x2e0 fs/ext4/file.c:42
[<ffffffff81511ad4>] __fput+0x274/0x720 fs/file_table.c:208
[<ffffffff81512006>] ____fput+0x16/0x20 fs/file_table.c:244
[<ffffffff8113cd98>] task_work_run+0x108/0x180 kernel/task_work.c:116
[<ffffffff81003deb>] tracehook_notify_resume include/linux/tracehook.h:191
[inline]
[<ffffffff81003deb>] exit_to_usermode_loop+0x13b/0x160
arch/x86/entry/common.c:162
[<ffffffff81005907>] prepare_exit_to_usermode arch/x86/entry/common.c:194
[inline]
[<ffffffff81005907>] syscall_return_slowpath arch/x86/entry/common.c:263
[inline]
[<ffffffff81005907>] do_syscall_64+0x3f7/0x570 arch/x86/entry/common.c:290
[<ffffffff82812993>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
Code: 00 0f 85 03 08 00 00 49 8b bd 28 01 00 00 31 d2 be c0 00 40 02 e8 89
d5 42 00 45 85 e4 44 0f 44 e0 e9 ef fa ff ff e8 98 27 c6 ff <0f> 0b e8 91
27 c6 ff 65 8b 15 8a d5 95 7e 89 d2 48 0f a3 15 c8
RIP [<ffffffff816b8b98>] ext4_sync_file+0x7f8/0x10a0 fs/ext4/fsync.c:103
RSP <ffff8801db707af0>
---[ end trace 6b6bb05cdaf8665d ]---


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches