kernel BUG at fs/ext4/inode.c:LINE!

syzbot

Apr 11, 2019, 4:44:38 AM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: e14d1a35 ANDROID: sdcardfs: Don't d_drop in d_revalidate
git tree: android-4.9
console output: https://syzkaller.appspot.com/x/log.txt?x=163a1337800000
kernel config: https://syzkaller.appspot.com/x/.config?x=6346e8b8cd10af20
dashboard link: https://syzkaller.appspot.com/bug?extid=e53139ff36812041e772
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16c09d57800000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1657a20f800000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+e53139...@syzkaller.appspotmail.com

------------[ cut here ]------------
kernel BUG at fs/ext4/inode.c:2630!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 4270 Comm: syz-executor172 Not tainted 4.9.100-ge14d1a3 #27
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8801d90dc800 task.stack: ffff8801b6350000
RIP: 0010:[<ffffffff8173cde8>] [<ffffffff8173cde8>] mpage_prepare_extent_to_map+0x7f8/0xa40 fs/ext4/inode.c:2630
RSP: 0018:ffff8801b63573c0 EFLAGS: 00010293
RAX: ffff8801d90dc800 RBX: ffffea0006f19a80 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff8173cde8 RDI: ffffea0006f19a88
RBP: ffff8801b6357588 R08: ffff8801d90dd138 R09: 0000000000000001
R10: 0000000000000000 R11: 1ffff1003b21ba22 R12: 0000000000000009
R13: 0000000000000000 R14: ffff8801b63576f0 R15: dffffc0000000000
FS: 0000000000000000(0000) GS:ffff8801db200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f9f07c21e78 CR3: 000000000461e000 CR4: 00000000001606f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
1ffff10036c6ae88 ffff8801b63576f8 ffff8801b6357460 ffff8801b6357700
00000000d90dd0c0 ffff8801b6f37538 000000010000000c 7fffffffffffffff
ffff8801b63574a0 ffff8801b6357708 ffffea0006f19a90 ffffed0036c6aedf
Call Trace:
[<ffffffff8174dcb9>] ext4_writepages+0xdb9/0x2e50 fs/ext4/inode.c:2792
[<ffffffff8145ca7f>] do_writepages+0xef/0x1d0 mm/page-writeback.c:2347
[<ffffffff8143aae3>] __filemap_fdatawrite_range+0x1b3/0x250 mm/filemap.c:390
[<ffffffff8143ad03>] __filemap_fdatawrite mm/filemap.c:398 [inline]
[<ffffffff8143ad03>] filemap_flush+0x23/0x30 mm/filemap.c:423
[<ffffffff817431b9>] ext4_alloc_da_blocks+0xd9/0x330 fs/ext4/inode.c:3169
[<ffffffff8172921f>] ext4_release_file+0x1ff/0x2e0 fs/ext4/file.c:42
[<ffffffff81575a33>] __fput+0x263/0x700 fs/file_table.c:208
[<ffffffff81575f55>] ____fput+0x15/0x20 fs/file_table.c:244
[<ffffffff8119603c>] task_work_run+0x10c/0x180 kernel/task_work.c:116
[<ffffffff8113ec91>] exit_task_work include/linux/task_work.h:21 [inline]
[<ffffffff8113ec91>] do_exit+0x9e1/0x27c0 kernel/exit.c:837
[<ffffffff81144d91>] do_group_exit+0x111/0x340 kernel/exit.c:941
[<ffffffff81167b8f>] get_signal+0x4cf/0x1450 kernel/signal.c:2317
[<ffffffff810524d7>] do_signal+0x87/0x19f0 arch/x86/kernel/signal.c:807
[<ffffffff81005581>] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:157
[<ffffffff810064d4>] prepare_exit_to_usermode arch/x86/entry/common.c:191 [inline]
[<ffffffff810064d4>] syscall_return_slowpath arch/x86/entry/common.c:260 [inline]
[<ffffffff810064d4>] do_syscall_64+0x364/0x490 arch/x86/entry/common.c:287
[<ffffffff839f4613>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
Code: ff 48 8b 75 d0 65 48 33 34 25 28 00 00 00 0f 85 50 02 00 00 48 81 c4 a0 01 00 00 5b 41 5c 41 5d 41 5e 41 5f 5d c3 e8 18 fc c1 ff <0f> 0b e8 11 fc c1 ff 8b 95 18 ff ff ff 85 d2 75 7a e8 02 fc c1
RIP [<ffffffff8173cde8>] mpage_prepare_extent_to_map+0x7f8/0xa40 fs/ext4/inode.c:2630
RSP <ffff8801b63573c0>
---[ end trace d5cdce8e0c2c007b ]---


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches

syzbot

Apr 11, 2019, 4:44:43 AM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 4f75c34f ANDROID: sdcardfs: Don't d_drop in d_revalidate
git tree: android-4.4
console output: https://syzkaller.appspot.com/x/log.txt?x=133c9057800000
kernel config: https://syzkaller.appspot.com/x/.config?x=69a973bb5ca1350a
dashboard link: https://syzkaller.appspot.com/bug?extid=35320e72780513e8f97c
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15842d57800000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12635c7b800000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+35320e...@syzkaller.appspotmail.com

------------[ cut here ]------------
kernel BUG at fs/ext4/inode.c:2474!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 3765 Comm: syz-executor170 Not tainted 4.4.132-g4f75c34 #43
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8801d95d8000 task.stack: ffff8801d9688000
RIP: 0010:[<ffffffff816d736f>] [<ffffffff816d736f>] mpage_prepare_extent_to_map+0x74f/0x970 fs/ext4/inode.c:2474
RSP: 0018:ffff8801d968f0a0 EFLAGS: 00010293
RAX: ffff8801d95d8000 RBX: ffffea00074304c0 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff816d736f RDI: ffffea00074304c8
RBP: ffff8801d968f268 R08: ffff8801d95d8978 R09: 0000000000000001
R10: 0000000000000000 R11: ffff8801d95d8000 R12: 0000000000000001
R13: 0000000000000000 R14: ffff8801d968f3b0 R15: dffffc0000000000
FS: 00007fd866234700(0000) GS:ffff8801db200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fd8661d0e78 CR3: 00000001cedba000 CR4: 00000000001606f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
ffff8801d968f1c8 1ffff1003b2d1e24 ffff8801d968f3b8 ffff8801d968f140
ffff8801d968f3c0 00000002b64da2e8 ffff8801cc0fc3d8 000000090000000c
7fffffffffffffff ffff8801d968f180 ffff8801d968f3c8 ffffea00074304d0
Call Trace:
[<ffffffff816e9250>] ext4_writepages+0xbb0/0x2c80 fs/ext4/inode.c:2629
[<ffffffff8143fdbf>] do_writepages+0xef/0x1d0 mm/page-writeback.c:2350
[<ffffffff814223c3>] __filemap_fdatawrite_range+0x1b3/0x250 mm/filemap.c:347
[<ffffffff81422689>] filemap_write_and_wait_range+0x59/0xb0 mm/filemap.c:535
[<ffffffff81423961>] generic_file_direct_write+0x131/0x4e0 mm/filemap.c:2425
[<ffffffff81423f64>] __generic_file_write_iter+0x254/0x550 mm/filemap.c:2630
[<ffffffff816c4ae1>] ext4_file_write_iter+0x601/0xc60 fs/ext4/file.c:171
[<ffffffff8151be6c>] vfs_iter_write+0x1cc/0x2d0 fs/read_write.c:364
[<ffffffff815b7e62>] iter_file_splice_write+0x622/0xb90 fs/splice.c:1024
[<ffffffff815b49b8>] do_splice_from fs/splice.c:1128 [inline]
[<ffffffff815b49b8>] direct_splice_actor+0x128/0x190 fs/splice.c:1294
[<ffffffff815b5a67>] splice_direct_to_actor+0x2c7/0x830 fs/splice.c:1247
[<ffffffff815b6173>] do_splice_direct+0x1a3/0x270 fs/splice.c:1337
[<ffffffff8151ff14>] do_sendfile+0x4e4/0xb80 fs/read_write.c:1227
[<ffffffff81521f03>] SYSC_sendfile64 fs/read_write.c:1282 [inline]
[<ffffffff81521f03>] SyS_sendfile64+0xc3/0x150 fs/read_write.c:1274
[<ffffffff838c0225>] entry_SYSCALL_64_fastpath+0x22/0x9e
Code: ff 48 8b 75 d0 65 48 33 34 25 28 00 00 00 0f 85 2e 02 00 00 48 81 c4 a0 01 00 00 5b 41 5c 41 5d 41 5e 41 5f 5d c3 e8 71 9e c7 ff <0f> 0b e8 6a 9e c7 ff 8b 95 18 ff ff ff 85 d2 75 7f e8 5b 9e c7
RIP [<ffffffff816d736f>] mpage_prepare_extent_to_map+0x74f/0x970 fs/ext4/inode.c:2474
RSP <ffff8801d968f0a0>
---[ end trace 4e161cc58efb0e6e ]---

syzbot

Apr 13, 2019, 8:02:25 PM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 4e76528b Merge 4.14.81 into android-4.14
git tree: android-4.14
console output: https://syzkaller.appspot.com/x/log.txt?x=17d52c5d400000
kernel config: https://syzkaller.appspot.com/x/.config?x=9e4a95e0186919ba
dashboard link: https://syzkaller.appspot.com/bug?extid=e9833787a48afa9d249d
compiler: gcc (GCC) 8.0.1 20180413 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+e98337...@syzkaller.appspotmail.com

------------[ cut here ]------------
kernel BUG at fs/ext4/inode.c:2199!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI
Modules linked in:
CPU: 1 PID: 8914 Comm: loop0 Not tainted 4.14.81+ #6
task: ffff8801ccc82f00 task.stack: ffff8801c3d50000
RIP: 0010:mpage_submit_page+0x1a3/0x220 fs/ext4/inode.c:2199
RSP: 0018:ffff8801c3d57358 EFLAGS: 00010297
RAX: ffff8801ccc82f00 RBX: ffff8801c3d576b0 RCX: ffff8801c3d57480
RDX: 0000000000000000 RSI: ffffea00063c5280 RDI: ffff8801c3d576b0
RBP: ffffea00063c5280 R08: 0000000000000001 R09: 0000000000000000
R10: ffff8801ccc83780 R11: 0000000000000001 R12: ffff8801c3d576c0
R13: ffffea00063c5290 R14: 0000000000000000 R15: ffff880194e91e70
FS: 0000000000000000(0000) GS:ffff8801db900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000001051338 CR3: 00000001a5c22002 CR4: 00000000001606a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
Call Trace:
mpage_map_and_submit_buffers+0x3f3/0x710 fs/ext4/inode.c:2416
mpage_map_and_submit_extent fs/ext4/inode.c:2554 [inline]
ext4_writepages+0x1736/0x3040 fs/ext4/inode.c:2885
do_writepages+0xe0/0x270 mm/page-writeback.c:2341
__filemap_fdatawrite_range+0x19e/0x270 mm/filemap.c:345
filemap_write_and_wait_range+0x58/0xd0 mm/filemap.c:556
__generic_file_write_iter+0x2bc/0x540 mm/filemap.c:3148
ext4_file_write_iter+0x4f6/0xe20 fs/ext4/file.c:264
call_write_iter include/linux/fs.h:1782 [inline]
lo_rw_aio+0x97b/0x1050 drivers/block/loop.c:540
do_req_filebacked drivers/block/loop.c:582 [inline]
loop_handle_cmd drivers/block/loop.c:1737 [inline]
loop_queue_work+0x14c9/0x1e9a drivers/block/loop.c:1751
kthread_worker_fn+0x27e/0x6a0 kernel/kthread.c:642
kthread+0x348/0x420 kernel/kthread.c:232
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:402
Code: 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 75 57 48 83 43 10 01 89 e8 5b 5d 41 5c 41 5d 41 5e 41 5f c3 e8 7d e7 bc ff <0f> 0b 4c 89 ef e8 23 e3 de ff e9 82 fe ff ff 4c 89 e7 e8 16 e3
RIP: mpage_submit_page+0x1a3/0x220 fs/ext4/inode.c:2199 RSP: ffff8801c3d57358
---[ end trace 2cddbd41b5b4dc86 ]---
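
The three dumps above hit an ext4 writeback BUG_ON at three different line numbers (2630, 2474 and 2199) on android-4.9, android-4.4 and android-4.14, in two trace formats (raw [<addr>] frames in the 4.4/4.9 dumps, bare frames in 4.14), which is why syzbot files them under one title with LINE in place of the number. The parser below is an added example, not code from the syzbot thread or from the syzkaller project: it extracts the BUG location, the RIP function and the non-inlined call chain from each report and regroups the reports by that normalised title. The names parse_report, CrashReport and group_by_title are this example's own, and the three sample reports are constructed, trimmed copies of the dumps above with the extraction line-wrapping undone.

```python
"""Parse syzbot-style kernel BUG reports and group them by the title syzbot
uses (LINE in place of the line number).  Added example, not syzbot's or
syzkaller's code; the samples are constructed, trimmed copies of the dumps."""
import re
from collections import namedtuple
from dataclasses import dataclass

REPORT_4_9 = """\
kernel BUG at fs/ext4/inode.c:2630!
CPU: 0 PID: 4270 Comm: syz-executor172 Not tainted 4.9.100-ge14d1a3 #27
RIP: 0010:[<ffffffff8173cde8>] [<ffffffff8173cde8>] mpage_prepare_extent_to_map+0x7f8/0xa40 fs/ext4/inode.c:2630
Call Trace:
[<ffffffff8174dcb9>] ext4_writepages+0xdb9/0x2e50 fs/ext4/inode.c:2792
[<ffffffff8143ad03>] filemap_flush+0x23/0x30 mm/filemap.c:423
[<ffffffff8172921f>] ext4_release_file+0x1ff/0x2e0 fs/ext4/file.c:42
"""
REPORT_4_4 = """\
kernel BUG at fs/ext4/inode.c:2474!
CPU: 0 PID: 3765 Comm: syz-executor170 Not tainted 4.4.132-g4f75c34 #43
RIP: 0010:[<ffffffff816d736f>] [<ffffffff816d736f>] mpage_prepare_extent_to_map+0x74f/0x970 fs/ext4/inode.c:2474
Call Trace:
[<ffffffff816e9250>] ext4_writepages+0xbb0/0x2c80 fs/ext4/inode.c:2629
[<ffffffff81423961>] generic_file_direct_write+0x131/0x4e0 mm/filemap.c:2425
[<ffffffff81521f03>] SyS_sendfile64+0xc3/0x150 fs/read_write.c:1274
[<ffffffff838c0225>] entry_SYSCALL_64_fastpath+0x22/0x9e
"""
REPORT_4_14 = """\
kernel BUG at fs/ext4/inode.c:2199!
CPU: 1 PID: 8914 Comm: loop0 Not tainted 4.14.81+ #6
RIP: 0010:mpage_submit_page+0x1a3/0x220 fs/ext4/inode.c:2199
Call Trace:
mpage_map_and_submit_buffers+0x3f3/0x710 fs/ext4/inode.c:2416
mpage_map_and_submit_extent fs/ext4/inode.c:2554 [inline]
ext4_writepages+0x1736/0x3040 fs/ext4/inode.c:2885
lo_rw_aio+0x97b/0x1050 drivers/block/loop.c:540
---[ end trace 2cddbd41b5b4dc86 ]---
"""

BUG_RE = re.compile(r"^kernel BUG at (\S+):(\d+)!$")
CPU_RE = re.compile(r"^CPU: \d+ PID: \d+ Comm: (\S+) (?:Not tainted|Tainted: \S+) (\S+)")
FRAME_RE = re.compile(
    r"^(?:\[<[0-9a-f]+>\]\s+)*"        # raw addresses (pre-4.14 trace format only)
    r"([A-Za-z_][\w.]*)"               # function name
    r"(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?"  # optional +offset/size
    r"\s+(\S+?):(\d+)"                 # source file:line
    r"(\s+\[inline\])?\s*$")           # marker for inlined frames
Frame = namedtuple("Frame", "function file line inline")


@dataclass
class CrashReport:
    bug_file: str
    bug_line: int
    function: str  # function on the RIP line, where the BUG_ON fired
    comm: str      # "loop0" in the third report: a kernel thread, not the fuzzer
    version: str
    frames: list

    def title(self) -> str:
        # syzbot replaces the line number with LINE, so one BUG_ON hit at
        # different lines on different kernel versions lands in one bug.
        return f"kernel BUG at {self.bug_file}:LINE!"

    def callers(self) -> list:
        # Non-inlined callers, innermost first: the path a triager compares.
        return [f.function for f in self.frames if not f.inline]


def _frame(text):
    m = FRAME_RE.match(text)
    return Frame(m[1], m[2], int(m[3]), m[4] is not None) if m else None


def parse_report(text: str) -> CrashReport:
    bug = cpu = rip = None
    frames, in_trace = [], False
    for line in (s.strip() for s in text.splitlines()):
        if in_trace:
            if line.startswith(("Code:", "---[ end trace")):
                break
            if f := _frame(line):  # frames without file:line are skipped
                frames.append(f)
        elif bug is None and (m := BUG_RE.match(line)):
            bug = m
        elif cpu is None and (m := CPU_RE.match(line)):
            cpu = m
        elif rip is None and line.startswith("RIP: "):
            rip = _frame(line.split(":", 2)[2].strip())  # drop "RIP: 0010:"
        elif line == "Call Trace:":
            in_trace = True
    if not (bug and cpu and rip):
        raise ValueError("not a complete kernel BUG report")
    return CrashReport(bug[1], int(bug[2]), rip.function, cpu[1], cpu[2], frames)


def group_by_title(reports) -> dict:
    groups = {}
    for r in reports:
        groups.setdefault(r.title(), []).append(r)
    return groups
```

Running parse_report over the three samples and comparing callers() shows what the shared title hides: the same ext4 writeback BUG_ON is reached from file release (ext4_release_file flushing delayed allocations via ext4_alloc_da_blocks in the 4.9 dump), from sendfile() in the 4.4 dump, and in the 4.14 dump from the loop device's worker kthread (comm is loop0 rather than a syz-executor process), which is also the one report syzbot had no reproducer for.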

syzbot

May 15, 2019, 9:37:03 AM
to syzkaller-a...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.