[Android 5.15] BUG: scheduling while atomic in f2fs_register_inmem_page

syzbot

Mar 16, 2023, 12:05:48 AM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 5448b2fda85f Merge 5.15.94 into android13-5.15-lts
git tree: android13-5.15-lts
console+strace: https://syzkaller.appspot.com/x/log.txt?x=11f5de2ac80000
kernel config: https://syzkaller.appspot.com/x/.config?x=cb55b12f877ddc70
dashboard link: https://syzkaller.appspot.com/bug?extid=b9c67110e04430822b08
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15ef3a2cc80000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=111facdcc80000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/24924398a010/disk-5448b2fd.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/e244d5b44fff/vmlinux-5448b2fd.xz
kernel image: https://storage.googleapis.com/syzbot-assets/bc13eddc3000/bzImage-5448b2fd.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/11e08b13a215/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+b9c671...@syzkaller.appspotmail.com

BUG: scheduling while atomic: syz-executor186/325/0x00000002
Modules linked in:
Preemption disabled at:
[<ffffffff81a582cf>] spin_lock include/linux/spinlock.h:363 [inline]
[<ffffffff81a582cf>] zap_pte_range mm/memory.c:1377 [inline]
[<ffffffff81a582cf>] zap_pmd_range mm/memory.c:1540 [inline]
[<ffffffff81a582cf>] zap_pud_range mm/memory.c:1569 [inline]
[<ffffffff81a582cf>] zap_p4d_range mm/memory.c:1590 [inline]
[<ffffffff81a582cf>] unmap_page_range+0xa2f/0x1ca0 mm/memory.c:1611
CPU: 0 PID: 325 Comm: syz-executor186 Not tainted 5.15.94-syzkaller-03204-g5448b2fda85f #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x151/0x1b7 lib/dump_stack.c:106
dump_stack+0x15/0x17 lib/dump_stack.c:113
__schedule_bug+0x195/0x260 kernel/sched/core.c:5730
schedule_debug kernel/sched/core.c:5757 [inline]
__schedule+0xdd0/0x1620 kernel/sched/core.c:6425
schedule+0x11f/0x1e0 kernel/sched/core.c:6618
schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:6677
__mutex_lock_common kernel/locking/mutex.c:680 [inline]
__mutex_lock+0x86a/0x13f0 kernel/locking/mutex.c:743
__mutex_lock_slowpath+0xe/0x10 kernel/locking/mutex.c:994
mutex_lock+0x135/0x1e0 kernel/locking/mutex.c:288
f2fs_register_inmem_page+0x22c/0x4b0 fs/f2fs/segment.c:202
f2fs_set_data_page_dirty+0x591/0x730 fs/f2fs/data.c:3627
set_page_dirty+0x1a4/0x300 mm/page-writeback.c:2611
zap_pte_range mm/memory.c:1412 [inline]
zap_pmd_range mm/memory.c:1540 [inline]
zap_pud_range mm/memory.c:1569 [inline]
zap_p4d_range mm/memory.c:1590 [inline]
unmap_page_range+0xf33/0x1ca0 mm/memory.c:1611
unmap_single_vma mm/memory.c:1656 [inline]
unmap_vmas+0x389/0x560 mm/memory.c:1688
exit_mmap+0x3d8/0x6f0 mm/mmap.c:3209
__mmput+0x95/0x310 kernel/fork.c:1171
mmput+0x5b/0x170 kernel/fork.c:1194
exit_mm kernel/exit.c:551 [inline]
do_exit+0xbb4/0x2b60 kernel/exit.c:862
do_group_exit+0x141/0x310 kernel/exit.c:997
__do_sys_exit_group kernel/exit.c:1008 [inline]
__se_sys_exit_group kernel/exit.c:1006 [inline]
__x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1006
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7f76e319fbe9
Code: Unable to access opcode bytes at RIP 0x7f76e319fbbf.
RSP: 002b:00007ffd49cfdce8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 00007f76e32263d0 RCX: 00007f76e319fbe9
RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
RBP: 0000000000000000 R08: ffffffffffffffb8 R09: 0000000800000015
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f76e32263d0
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
</TASK>
------------[ cut here ]------------
DEBUG_LOCKS_WARN_ON(val > preempt_count())
WARNING: CPU: 0 PID: 325 at kernel/sched/core.c:5673 preempt_count_sub+0xa8/0x160 kernel/sched/core.c:5673
Modules linked in:
CPU: 0 PID: 325 Comm: syz-executor186 Tainted: G W 5.15.94-syzkaller-03204-g5448b2fda85f #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
RIP: 0010:preempt_count_sub+0xa8/0x160 kernel/sched/core.c:5673
Code: 03 42 0f b6 04 30 84 c0 0f 85 86 00 00 00 83 3d f5 ca 78 05 00 75 d1 48 c7 c7 20 91 08 85 48 c7 c6 c0 91 08 85 e8 48 66 f5 ff <0f> 0b eb ba e8 8f 9e 0d 01 85 c0 74 b1 48 c7 c0 28 3c c5 86 48 c1
RSP: 0018:ffffc900009a7828 EFLAGS: 00010246
RAX: 384aca67b5260b00 RBX: 0000000000000001 RCX: ffff88811b09bb40
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: ffffc900009a7838 R08: ffffffff8156a435 R09: ffffed103ee04e93
R10: 0000000000000000 R11: dffffc0000000001 R12: dffffc0000000000
R13: 0400000000000080 R14: dffffc0000000000 R15: 0000000020200000
FS: 0000000000000000(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f76e31ea3c8 CR3: 000000000640f000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
__raw_spin_unlock include/linux/spinlock_api_smp.h:152 [inline]
_raw_spin_unlock+0x4d/0x70 kernel/locking/spinlock.c:186
spin_unlock include/linux/spinlock.h:403 [inline]
zap_pte_range mm/memory.c:1481 [inline]
zap_pmd_range mm/memory.c:1540 [inline]
zap_pud_range mm/memory.c:1569 [inline]
zap_p4d_range mm/memory.c:1590 [inline]
unmap_page_range+0x1a8c/0x1ca0 mm/memory.c:1611
unmap_single_vma mm/memory.c:1656 [inline]
unmap_vmas+0x389/0x560 mm/memory.c:1688
exit_mmap+0x3d8/0x6f0 mm/mmap.c:3209
__mmput+0x95/0x310 kernel/fork.c:1171
mmput+0x5b/0x170 kernel/fork.c:1194
exit_mm kernel/exit.c:551 [inline]
do_exit+0xbb4/0x2b60 kernel/exit.c:862
do_group_exit+0x141/0x310 kernel/exit.c:997
__do_sys_exit_group kernel/exit.c:1008 [inline]
__se_sys_exit_group kernel/exit.c:1006 [inline]
__x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1006
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7f76e319fbe9
Code: Unable to access opcode bytes at RIP 0x7f76e319fbbf.
RSP: 002b:00007ffd49cfdce8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 00007f76e32263d0 RCX: 00007f76e319fbe9
RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
RBP: 0000000000000000 R08: ffffffffffffffb8 R09: 0000000800000015
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f76e32263d0
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
</TASK>
---[ end trace 700aae2420ec127c ]---


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches

syzbot

Mar 16, 2023, 12:27:53 AM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 416c4356f372 Merge 5.10.161 into android12-5.10-lts
git tree: android12-5.10-lts
console+strace: https://syzkaller.appspot.com/x/log.txt?x=112c4ffac80000
kernel config: https://syzkaller.appspot.com/x/.config?x=ba29236d2f217808
dashboard link: https://syzkaller.appspot.com/bug?extid=1797812e4d8839a03370
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=106b2b1ac80000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=161ff352c80000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/0149809cf436/disk-416c4356.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/2bf0b26aed77/vmlinux-416c4356.xz
kernel image: https://storage.googleapis.com/syzbot-assets/224b4978be5c/bzImage-416c4356.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/ebfcdf47d2e1/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+179781...@syzkaller.appspotmail.com

BUG: scheduling while atomic: syz-executor370/465/0x00000002
Modules linked in:
Preemption disabled at:
[<ffffffff819bc8c4>] spin_lock include/linux/spinlock.h:354 [inline]
[<ffffffff819bc8c4>] zap_pte_range mm/memory.c:1284 [inline]
[<ffffffff819bc8c4>] zap_pmd_range mm/memory.c:1444 [inline]
[<ffffffff819bc8c4>] zap_pud_range mm/memory.c:1473 [inline]
[<ffffffff819bc8c4>] zap_p4d_range mm/memory.c:1494 [inline]
[<ffffffff819bc8c4>] unmap_page_range+0xad4/0x2070 mm/memory.c:1516
CPU: 0 PID: 465 Comm: syz-executor370 Not tainted 5.10.161-syzkaller-00019-g416c4356f372 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack_lvl+0x1e2/0x24b lib/dump_stack.c:118
dump_stack+0x15/0x17 lib/dump_stack.c:135
__schedule_bug+0x1b1/0x2b0 kernel/sched/core.c:4535
schedule_debug+0x97/0x180 kernel/sched/core.c:4562
__schedule+0x106/0xc00 kernel/sched/core.c:4690
schedule+0x14b/0x1e0 kernel/sched/core.c:4874
schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:4933
__mutex_lock_common kernel/locking/mutex.c:1057 [inline]
__mutex_lock+0x8c2/0x1340 kernel/locking/mutex.c:1122
__mutex_lock_slowpath+0xe/0x10 kernel/locking/mutex.c:1385
mutex_lock+0x134/0x1e0 kernel/locking/mutex.c:301
f2fs_register_inmem_page+0x22a/0x480 fs/f2fs/segment.c:199
f2fs_set_data_page_dirty+0x5d0/0x750 fs/f2fs/data.c:3805
set_page_dirty+0x1c6/0x350 mm/page-writeback.c:2586
zap_pte_range mm/memory.c:1319 [inline]
zap_pmd_range mm/memory.c:1444 [inline]
zap_pud_range mm/memory.c:1473 [inline]
zap_p4d_range mm/memory.c:1494 [inline]
unmap_page_range+0xffa/0x2070 mm/memory.c:1516
unmap_single_vma mm/memory.c:1562 [inline]
unmap_vmas+0x3d4/0x5b0 mm/memory.c:1594
exit_mmap+0x2f9/0x5c0 mm/mmap.c:3341
__mmput+0x95/0x2c0 kernel/fork.c:1133
mmput+0x4b/0x50 kernel/fork.c:1154
exit_mm+0x5cd/0x790 kernel/exit.c:489
do_exit+0x5f2/0x2340 kernel/exit.c:800
do_group_exit+0x13a/0x300 kernel/exit.c:910
get_signal+0xe17/0x1440 kernel/signal.c:2780
arch_do_signal+0x8e/0x650 arch/x86/kernel/signal.c:805
exit_to_user_mode_loop+0xa3/0xe0 kernel/entry/common.c:161
exit_to_user_mode_prepare kernel/entry/common.c:191 [inline]
syscall_exit_to_user_mode+0x77/0xa0 kernel/entry/common.c:266
do_syscall_64+0x40/0x70 arch/x86/entry/common.c:56
entry_SYSCALL_64_after_hwframe+0x61/0xc6
RIP: 0033:0x7f86813636c9
Code: Unable to access opcode bytes at RIP 0x7f868136369f.
RSP: 002b:00007f868130f308 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
RAX: 0000000001179000 RBX: 00007f86813f07e8 RCX: 00007f86813636c9
RDX: 0000000000000000 RSI: 0000000000000005 RDI: 0000000000000004
RBP: 00007f86813f07e0 R08: 0000000000000000 R09: 0000000000000000
R10: 0001000000201005 R11: 0000000000000246 R12: 00007f86813f07ec
R13: 00007f86813bcf28 R14: 0032656c69662f2e R15: 0000000000022000
check_preemption_disabled: 4 callbacks suppressed
BUG: using __this_cpu_read() in preemptible [00000000] code: syz-executor370/465
caller is __this_cpu_preempt_check+0x13/0x20 lib/smp_processor_id.c:65
CPU: 0 PID: 465 Comm: syz-executor370 Tainted: G W 5.10.161-syzkaller-00019-g416c4356f372 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack_lvl+0x1e2/0x24b lib/dump_stack.c:118
dump_stack+0x15/0x17 lib/dump_stack.c:135
check_preemption_disabled+0xf7/0x100 lib/smp_processor_id.c:48
__this_cpu_preempt_check+0x13/0x20 lib/smp_processor_id.c:65
__mod_node_page_state+0x6d/0xf0 mm/vmstat.c:349
__mod_lruvec_state+0x48/0x70 mm/memcontrol.c:855
__mod_lruvec_page_state include/linux/memcontrol.h:873 [inline]
page_remove_file_rmap+0x65c/0x960 mm/rmap.c:1322
page_remove_rmap+0x158/0x6d0 mm/rmap.c:1395
zap_pte_range mm/memory.c:1326 [inline]
zap_pmd_range mm/memory.c:1444 [inline]
zap_pud_range mm/memory.c:1473 [inline]
zap_p4d_range mm/memory.c:1494 [inline]
unmap_page_range+0x119b/0x2070 mm/memory.c:1516
unmap_single_vma mm/memory.c:1562 [inline]
unmap_vmas+0x3d4/0x5b0 mm/memory.c:1594
exit_mmap+0x2f9/0x5c0 mm/mmap.c:3341
__mmput+0x95/0x2c0 kernel/fork.c:1133
mmput+0x4b/0x50 kernel/fork.c:1154
exit_mm+0x5cd/0x790 kernel/exit.c:489
do_exit+0x5f2/0x2340 kernel/exit.c:800
do_group_exit+0x13a/0x300 kernel/exit.c:910
get_signal+0xe17/0x1440 kernel/signal.c:2780
arch_do_signal+0x8e/0x650 arch/x86/kernel/signal.c:805
exit_to_user_mode_loop+0xa3/0xe0 kernel/entry/common.c:161
exit_to_user_mode_prepare kernel/entry/common.c:191 [inline]
syscall_exit_to_user_mode+0x77/0xa0 kernel/entry/common.c:266
do_syscall_64+0x40/0x70 arch/x86/entry/common.c:56
entry_SYSCALL_64_after_hwframe+0x61/0xc6
RIP: 0033:0x7f86813636c9
Code: Unable to access opcode bytes at RIP 0x7f868136369f.
RSP: 002b:00007f868130f308 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
RAX: 0000000001179000 RBX: 00007f86813f07e8 RCX: 00007f86813636c9
RDX: 0000000000000000 RSI: 0000000000000005 RDI: 0000000000000004
RBP: 00007f86813f07e0 R08: 0000000000000000 R09: 0000000000000000
R10: 0001000000201005 R11: 0000000000000246 R12: 00007f86813f07ec
R13: 00007f86813bcf28 R14: 0032656c69662f2e R15: 0000000000022000
BUG: using __this_cpu_read() in preemptible [00000000] code: syz-executor370/465
caller is __this_cpu_preempt_check+0x13/0x20 lib/smp_processor_id.c:65
CPU: 0 PID: 465 Comm: syz-executor370 Tainted: G W 5.10.161-syzkaller-00019-g416c4356f372 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack_lvl+0x1e2/0x24b lib/dump_stack.c:118
dump_stack+0x15/0x17 lib/dump_stack.c:135
check_preemption_disabled+0xf7/0x100 lib/smp_processor_id.c:48
__this_cpu_preempt_check+0x13/0x20 lib/smp_processor_id.c:65
__mod_node_page_state+0x89/0xf0 mm/vmstat.c:351
__mod_lruvec_state+0x48/0x70 mm/memcontrol.c:855
__mod_lruvec_page_state include/linux/memcontrol.h:873 [inline]
page_remove_file_rmap+0x65c/0x960 mm/rmap.c:1322
page_remove_rmap+0x158/0x6d0 mm/rmap.c:1395
zap_pte_range mm/memory.c:1326 [inline]
zap_pmd_range mm/memory.c:1444 [inline]
zap_pud_range mm/memory.c:1473 [inline]
zap_p4d_range mm/memory.c:1494 [inline]
unmap_page_range+0x119b/0x2070 mm/memory.c:1516
unmap_single_vma mm/memory.c:1562 [inline]
unmap_vmas+0x3d4/0x5b0 mm/memory.c:1594
exit_mmap+0x2f9/0x5c0 mm/mmap.c:3341
__mmput+0x95/0x2c0 kernel/fork.c:1133
mmput+0x4b/0x50 kernel/fork.c:1154
exit_mm+0x5cd/0x790 kernel/exit.c:489
do_exit+0x5f2/0x2340 kernel/exit.c:800
do_group_exit+0x13a/0x300 kernel/exit.c:910
get_signal+0xe17/0x1440 kernel/signal.c:2780
arch_do_signal+0x8e/0x650 arch/x86/kernel/signal.c:805
exit_to_user_mode_loop+0xa3/0xe0 kernel/entry/common.c:161
exit_to_user_mode_prepare kernel/entry/common.c:191 [inline]
syscall_exit_to_user_mode+0x77/0xa0 kernel/entry/common.c:266
do_syscall_64+0x40/0x70 arch/x86/entry/common.c:56
entry_SYSCALL_64_after_hwframe+0x61/0xc6
RIP: 0033:0x7f86813636c9
Code: Unable to access opcode bytes at RIP 0x7f868136369f.
RSP: 002b:00007f868130f308 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
RAX: 0000000001179000 RBX: 00007f86813f07e8 RCX: 00007f86813636c9
RDX: 0000000000000000 RSI: 0000000000000005 RDI: 0000000000000004
RBP: 00007f86813f07e0 R08: 0000000000000000 R09: 0000000000000000
R10: 0001000000201005 R11: 0000000000000246 R12: 00007f86813f07ec
R13: 00007f86813bcf28 R14: 0032656c69662f2e R15: 0000000000022000
BUG: using __this_cpu_write() in preemptible [00000000] code: syz-executor370/465
caller is __this_cpu_preempt_check+0x13/0x20 lib/smp_processor_id.c:65
CPU: 0 PID: 465 Comm: syz-executor370 Tainted: G W 5.10.161-syzkaller-00019-g416c4356f372 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack_lvl+0x1e2/0x24b lib/dump_stack.c:118
dump_stack+0x15/0x17 lib/dump_stack.c:135
check_preemption_disabled+0xf7/0x100 lib/smp_processor_id.c:48
__this_cpu_preempt_check+0x13/0x20 lib/smp_processor_id.c:65
__mod_node_page_state+0xac/0xf0 mm/vmstat.c:357
__mod_lruvec_state+0x48/0x70 mm/memcontrol.c:855
__mod_lruvec_page_state include/linux/memcontrol.h:873 [inline]
page_remove_file_rmap+0x65c/0x960 mm/rmap.c:1322
page_remove_rmap+0x158/0x6d0 mm/rmap.c:1395
zap_pte_range mm/memory.c:1326 [inline]
zap_pmd_range mm/memory.c:1444 [inline]
zap_pud_range mm/memory.c:1473 [inline]
zap_p4d_range mm/memory.c:1494 [inline]
unmap_page_range+0x119b/0x2070 mm/memory.c:1516
unmap_single_vma mm/memory.c:1562 [inline]
unmap_vmas+0x3d4/0x5b0 mm/memory.c:1594
exit_mmap+0x2f9/0x5c0 mm/mmap.c:3341
__mmput+0x95/0x2c0 kernel/fork.c:1133
mmput+0x4b/0x50 kernel/fork.c:1154
exit_mm+0x5cd/0x790 kernel/exit.c:489
do_exit+0x5f2/0x2340 kernel/exit.c:800
do_group_exit+0x13a/0x300 kernel/exit.c:910
get_signal+0xe17/0x1440 kernel/signal.c:2780
arch_do_signal+0x8e/0x650 arch/x86/kernel/signal.c:805
exit_to_user_mode_loop+0xa3/0xe0 kernel/entry/common.c:161
exit_to_user_mode_prepare kernel/entry/common.c:191 [inline]
syscall_exit_to_user_mode+0x77/0xa0 kernel/entry/common.c:266
do_syscall_64+0x40/0x70 arch/x86/entry/common.c:56
entry_SYSCALL_64_after_hwframe+0x61/0xc6
RIP: 0033:0x7f86813636c9
Code: Unable to access opcode bytes at RIP 0x7f868136369f.
RSP: 002b:00007f868130f308 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
RAX: 0000000001179000 RBX: 00007f86813f07e8 RCX: 00007f86813636c9
RDX: 0000000000000000 RSI: 0000000000000005 RDI: 0000000000000004
RBP: 00007f86813f07e0 R08: 0000000000000000 R09: 0000000000000000
R10: 0001000000201005 R11: 0000000000000246 R12: 00007f86813f07ec
R13: 00007f86813bcf28 R14: 0032656c69662f2e R15: 0000000000022000
BUG: using __this_cpu_read() in preemptible [00000000] code: syz-executor370/465
caller is __this_cpu_preempt_check+0x13/0x20 lib/smp_processor_id.c:65
CPU: 0 PID: 465 Comm: syz-executor370 Tainted: G W 5.10.161-syzkaller-00019-g416c4356f372 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack_lvl+0x1e2/0x24b lib/dump_stack.c:118
dump_stack+0x15/0x17 lib/dump_stack.c:135
check_preemption_disabled+0xf7/0x100 lib/smp_processor_id.c:48
__this_cpu_preempt_check+0x13/0x20 lib/smp_processor_id.c:65
__mod_memcg_state+0x51/0x230 mm/memcontrol.c:783
__mod_memcg_lruvec_state+0x50/0x310 mm/memcontrol.c:821
__mod_lruvec_state+0x5b/0x70 mm/memcontrol.c:859
__mod_lruvec_page_state include/linux/memcontrol.h:873 [inline]
page_remove_file_rmap+0x65c/0x960 mm/rmap.c:1322
page_remove_rmap+0x158/0x6d0 mm/rmap.c:1395
zap_pte_range mm/memory.c:1326 [inline]
zap_pmd_range mm/memory.c:1444 [inline]
zap_pud_range mm/memory.c:1473 [inline]
zap_p4d_range mm/memory.c:1494 [inline]
unmap_page_range+0x119b/0x2070 mm/memory.c:1516
unmap_single_vma mm/memory.c:1562 [inline]
unmap_vmas+0x3d4/0x5b0 mm/memory.c:1594
exit_mmap+0x2f9/0x5c0 mm/mmap.c:3341
__mmput+0x95/0x2c0 kernel/fork.c:1133
mmput+0x4b/0x50 kernel/fork.c:1154
exit_mm+0x5cd/0x790 kernel/exit.c:489
do_exit+0x5f2/0x2340 kernel/exit.c:800
do_group_exit+0x13a/0x300 kernel/exit.c:910
get_signal+0xe17/0x1440 kernel/signal.c:2780
arch_do_signal+0x8e/0x650 arch/x86/kernel/signal.c:805
exit_to_user_mode_loop+0xa3/0xe0 kernel/entry/common.c:161
exit_to_user_mode_prepare kernel/entry/common.c:191 [inline]
syscall_exit_to_user_mode+0x77/0xa0 kernel/entry/common.c:266
do_syscall_64+0x40/0x70 arch/x86/entry/common.c:56
entry_SYSCALL_64_after_hwframe+0x61/0xc6
RIP: 0033:0x7f86813636c9
Code: Unable to access opcode bytes at RIP 0x7f868136369f.
RSP: 002b:00007f868130f308 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
RAX: 0000000001179000 RBX: 00007f86813f07e8 RCX: 00007f86813636c9
RDX: 0000000000000000 RSI: 0000000000000005 RDI: 0000000000000004
RBP: 00007f86813f07e0 R08: 0000000000000000 R09: 0000000000000000
R10: 0001000000201005 R11: 0000000000000246 R12: 00007f86813f07ec
R13: 00007f86813bcf28 R14: 0032656c69662f2e R15: 0000000000022000
BUG: using __this_cpu_write() in preemptible [00000000] code: syz-executor370/465
caller is __this_cpu_preempt_check+0x13/0x20 lib/smp_processor_id.c:65
CPU: 0 PID: 465 Comm: syz-executor370 Tainted: G W 5.10.161-syzkaller-00019-g416c4356f372 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack_lvl+0x1e2/0x24b lib/dump_stack.c:118
dump_stack+0x15/0x17 lib/dump_stack.c:135
check_preemption_disabled+0xf7/0x100 lib/smp_processor_id.c:48
__this_cpu_preempt_check+0x13/0x20 lib/smp_processor_id.c:65
__mod_memcg_state+0xb4/0x230 mm/memcontrol.c:796
__mod_memcg_lruvec_state+0x50/0x310 mm/memcontrol.c:821
__mod_lruvec_state+0x5b/0x70 mm/memcontrol.c:859
__mod_lruvec_page_state include/linux/memcontrol.h:873 [inline]
page_remove_file_rmap+0x65c/0x960 mm/rmap.c:1322
page_remove_rmap+0x158/0x6d0 mm/rmap.c:1395
zap_pte_range mm/memory.c:1326 [inline]
zap_pmd_range mm/memory.c:1444 [inline]
zap_pud_range mm/memory.c:1473 [inline]
zap_p4d_range mm/memory.c:1494 [inline]
unmap_page_range+0x119b/0x2070 mm/memory.c:1516
unmap_single_vma mm/memory.c:1562 [inline]
unmap_vmas+0x3d4/0x5b0 mm/memory.c:1594
exit_mmap+0x2f9/0x5c0 mm/mmap.c:3341
__mmput+0x95/0x2c0 kernel/fork.c:1133
mmput+0x4b/0x50 kernel/fork.c:1154
exit_mm+0x5cd/0x790 kernel/exit.c:489
do_exit+0x5f2/0x2340 kernel/exit.c:800
do_group_exit+0x13a/0x300 kernel/exit.c:910
get_signal+0xe17/0x1440 kernel/signal.c:2780
arch_do_signal+0x8e/0x650 arch/x86/kernel/signal.c:805
exit_to_user_mode_loop+0xa3/0xe0 kernel/entry/common.c:161
exit_to_user_mode_prepare kernel/entry/common.c:191 [inline]
syscall_exit_to_user_mode+0x77/0xa0 kernel/entry/common.c:266
do_syscall_64+0x40/0x70 arch/x86/entry/common.c:56
entry_SYSCALL_64_after_hwframe+0x61/0xc6
RIP: 0033:0x7f86813636c9
Code: Unable to access opcode bytes at RIP 0x7f868136369f.
RSP: 002b:00007f868130f308 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
RAX: 0000000001179000 RBX: 00007f86813f07e8 RCX: 00007f86813636c9
RDX: 0000000000000000 RSI: 0000000000000005 RDI: 0000000000000004
RBP: 00007f86813f07e0 R08: 0000000000000000 R09: 0000000000000000
R10: 0001000000201005 R11: 0000000000000246 R12: 00007f86813f07ec
R13: 00007f86813bcf28 R14: 0032656c69662f2e R15: 0000000000022000
BUG: using __this_cpu_add() in preemptible [00000000] code: syz-executor370/465
caller is __this_cpu_preempt_check+0x13/0x20 lib/smp_processor_id.c:65
CPU: 0 PID: 465 Comm: syz-executor370 Tainted: G W 5.10.161-syzkaller-00019-g416c4356f372 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack_lvl+0x1e2/0x24b lib/dump_stack.c:118
dump_stack+0x15/0x17 lib/dump_stack.c:135
check_preemption_disabled+0xf7/0x100 lib/smp_processor_id.c:48
__this_cpu_preempt_check+0x13/0x20 lib/smp_processor_id.c:65
__mod_memcg_lruvec_state+0x5c/0x310 mm/memcontrol.c:824
__mod_lruvec_state+0x5b/0x70 mm/memcontrol.c:859
__mod_lruvec_page_state include/linux/memcontrol.h:873 [inline]
page_remove_file_rmap+0x65c/0x960 mm/rmap.c:1322
page_remove_rmap+0x158/0x6d0 mm/rmap.c:1395
zap_pte_range mm/memory.c:1326 [inline]
zap_pmd_range mm/memory.c:1444 [inline]
zap_pud_range mm/memory.c:1473 [inline]
zap_p4d_range mm/memory.c:1494 [inline]
unmap_page_range+0x119b/0x2070 mm/memory.c:1516
unmap_single_vma mm/memory.c:1562 [inline]
unmap_vmas+0x3d4/0x5b0 mm/memory.c:1594
exit_mmap+0x2f9/0x5c0 mm/mmap.c:3341
__mmput+0x95/0x2c0 kernel/fork.c:1133
mmput+0x4b/0x50 kernel/fork.c:1154
exit_mm+0x5cd/0x790 kernel/exit.c:489
do_exit+0x5f2/0x2340 kernel/exit.c:800
do_group_exit+0x13a/0x300 kernel/exit.c:910
get_signal+0xe17/0x1440 kernel/signal.c:2780
arch_do_signal+0x8e/0x650 arch/x86/kernel/signal.c:805
exit_to_user_mode_loop+0xa3/0xe0 kernel/entry/common.c:161
exit_to_user_mode_prepare kernel/entry/common.c:191 [inline]
syscall_exit_to_user_mode+0x77/0xa0 kernel/entry/common.c:266
do_syscall_64+0x40/0x70 arch/x86/entry/common.c:56
entry_SYSCALL_64_after_hwframe+0x61/0xc6
RIP: 0033:0x7f86813636c9
Code: Unable to access opcode bytes at RIP 0x7f868136369f.
RSP: 002b:00007f868130f308 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
RAX: 0000000001179000 RBX: 00007f86813f07e8 RCX: 00007f86813636c9
RDX: 0000000000000000 RSI: 0000000000000005 RDI: 0000000000000004
RBP: 00007f86813f07e0 R08: 0000000000000000 R09: 0000000000000000
R10: 0001000000201005 R11: 0000000000000246 R12: 00007f86813f07ec
R13: 00007f86813bcf28 R14: 0032656c69662f2e R15: 0000000000022000
BUG: using __this_cpu_read() in preemptible [00000000] code: syz-executor370/465
caller is __this_cpu_preempt_check+0x13/0x20 lib/smp_processor_id.c:65
CPU: 0 PID: 465 Comm: syz-executor370 Tainted: G W 5.10.161-syzkaller-00019-g416c4356f372 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack_lvl+0x1e2/0x24b lib/dump_stack.c:118
dump_stack+0x15/0x17 lib/dump_stack.c:135
check_preemption_disabled+0xf7/0x100 lib/smp_processor_id.c:48
__this_cpu_preempt_check+0x13/0x20 lib/smp_processor_id.c:65
__mod_memcg_lruvec_state+0xbf/0x310 mm/memcontrol.c:829
__mod_lruvec_state+0x5b/0x70 mm/memcontrol.c:859
__mod_lruvec_page_state include/linux/memcontrol.h:873 [inline]
page_remove_file_rmap+0x65c/0x960 mm/rmap.c:1322
page_remove_rmap+0x158/0x6d0 mm/rmap.c:1395
zap_pte_range mm/memory.c:1326 [inline]
zap_pmd_range mm/memory.c:1444 [inline]
zap_pud_range mm/memory.c:1473 [inline]
zap_p4d_range mm/memory.c:1494 [inline]
unmap_page_range+0x119b/0x2070 mm/memory.c:1516
unmap_single_vma mm/memory.c:1562 [inline]
unmap_vmas+0x3d4/0x5b0 mm/memory.c:1594
exit_mmap+0x2f9/0x5c0 mm/mmap.c:3341
__mmput+0x95/0x2c0 kernel/fork.c:1133
mmput+0x4b/0x50 kernel/fork.c:1154
exit_mm+0x5cd/0x790 kernel/exit.c:489
do_exit+0x5f2/0x2340 kernel/exit.c:800
do_group_exit+0x13a/0x300 kernel/exit.c:910
get_signal+0xe17/0x1440 kernel/signal.c:2780
arch_do_signal+0x8e/0x650 arch/x86/kernel/signal.c:805
exit_to_user_mode_loop+0xa3/0xe0 kernel/entry/common.c:161
exit_to_user_mode_prepare kernel/entry/common.c:191 [inline]
syscall_exit_to_user_mode+0x77/0xa0 kernel/entry/common.c:266
do_syscall_64+0x40/0x70 arch/x86/entry/common.c:56
entry_SYSCALL_64_after_hwframe+0x61/0xc6
RIP: 0033:0x7f86813636c9
Code: Unable to access opcode bytes at RIP 0x7f868136369f.
RSP: 002b:00007f868130f308 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
RAX: 0000000001179000 RBX: 00007f86813f07e8 RCX: 00007f86813636c9
RDX: 0000000000000000 RSI: 0000000000000005 RDI: 0000000000000004
RBP: 00007f86813f07e0 R08: 0000000000000000 R09: 0000000000000000
R10: 0001000000201005 R11: 0000000000000246 R12: 00007f86813f07ec
R13: 00007f86813bcf28 R14: 0032656c69662f2e R15: 0000000000022000
BUG: using __this_cpu_write() in preemptible [00000000] code: syz-executor370/465
caller is __this_cpu_preempt_check+0x13/0x20 lib/smp_processor_id.c:65
CPU: 0 PID: 465 Comm: syz-executor370 Tainted: G W 5.10.161-syzkaller-00019-g416c4356f372 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack_lvl+0x1e2/0x24b lib/dump_stack.c:118
dump_stack+0x15/0x17 lib/dump_stack.c:135
check_preemption_disabled+0xf7/0x100 lib/smp_processor_id.c:48
__this_cpu_preempt_check+0x13/0x20 lib/smp_processor_id.c:65
__mod_memcg_lruvec_state+0x136/0x310 mm/memcontrol.c:838
__mod_lruvec_state+0x5b/0x70 mm/memcontrol.c:859
__mod_lruvec_page_state include/linux/memcontrol.h:873 [inline]
page_remove_file_rmap+0x65c/0x960 mm/rmap.c:1322
page_remove_rmap+0x158/0x6d0 mm/rmap.c:1395
zap_pte_range mm/memory.c:1326 [inline]
zap_pmd_range mm/memory.c:1444 [inline]
zap_pud_range mm/memory.c:1473 [inline]
zap_p4d_range mm/memory.c:1494 [inline]
unmap_page_range+0x119b/0x2070 mm/memory.c:1516
unmap_single_vma mm/memory.c:1562 [inline]
unmap_vmas+0x3d4/0x5b0 mm/memory.c:1594
exit_mmap+0x2f9/0x5c0 mm/mmap.c:3341
__mmput+0x95/0x2c0 kernel/fork.c:1133
mmput+0x4b/0x50 kernel/fork.c:1154
exit_mm+0x5cd/0x790 kernel/exit.c:489
do_exit+0x5f2/0x2340 kernel/exit.c:800
do_group_exit+0x13a/0x300 kernel/exit.c:910
get_signal+0xe17/0x1440 kernel/signal.c:2780
arch_do_signal+0x8e/0x650 arch/x86/kernel/signal.c:805
exit_to_user_mode_loop+0xa3/0xe0 kernel/entry/common.c:161
exit_to_user_mode_prepare kernel/entry/common.c:191 [inline]
syscall_exit_to_user_mode+0x77/0xa0 kernel/entry/common.c:266
do_syscall_64+0x40/0x70 arch/x86/entry/common.c:56
entry_SYSCALL_64_after_hwframe+0x61/0xc6
RIP: 0033:0x7f86813636c9
Code: Unable to access opcode bytes at RIP 0x7f868136369f.
RSP: 002b:00007f868130f308 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
RAX: 0000000001179000 RBX: 00007f86813f07e8 RCX: 00007f86813636c9
RDX: 0000000000000000 RSI: 0000000000000005 RDI: 0000000000000004
RBP: 00007f86813f07e0 R08: 0000000000000000 R09: 0000000000000000
R10: 0001000000201005 R11: 0000000000000246 R12: 00007f86813f07ec
R13: 00007f86813bcf28 R14: 0032656c69662f2e R15: 0000000000022000
------------[ cut here ]------------
DEBUG_LOCKS_WARN_ON(val > preempt_count())
WARNING: CPU: 1 PID: 465 at kernel/sched/core.c:4477 preempt_count_sub+0xa8/0x160 kernel/sched/core.c:4477
Modules linked in:
CPU: 1 PID: 465 Comm: syz-executor370 Tainted: G W 5.10.161-syzkaller-00019-g416c4356f372 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
RIP: 0010:preempt_count_sub+0xa8/0x160 kernel/sched/core.c:4477
Code: 42 8a 04 30 84 c0 0f 85 89 00 00 00 83 3d 37 e6 54 05 00 75 d2 48 c7 c7 20 5d e9 84 48 c7 c6 c0 5d e9 84 31 c0 e8 58 f3 f4 ff <0f> 0b eb b9 e8 7f 2a 00 01 85 c0 74 b0 48 c7 c0 38 2b 9f 86 48 c1
RSP: 0018:ffffc90000df7528 EFLAGS: 00010246
RAX: 4430a681aca5f100 RBX: 0000000000000001 RCX: ffff88810c658000
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: ffffc90000df7538 R08: ffffffff81540db8 R09: ffffed103ee24e93
R10: ffffed103ee24e93 R11: 1ffff1103ee24e92 R12: 1ffff920001bef20
R13: dffffc0000000000 R14: dffffc0000000000 R15: ffffc90000df78e0
FS: 0000000000000000(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f8681310000 CR3: 000000011e6ea000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
__raw_spin_unlock include/linux/spinlock_api_smp.h:152 [inline]
_raw_spin_unlock+0x4d/0x70 kernel/locking/spinlock.c:183
spin_unlock include/linux/spinlock.h:394 [inline]
zap_pte_range mm/memory.c:1385 [inline]
zap_pmd_range mm/memory.c:1444 [inline]
zap_pud_range mm/memory.c:1473 [inline]
zap_p4d_range mm/memory.c:1494 [inline]
unmap_page_range+0x1dd8/0x2070 mm/memory.c:1516
unmap_single_vma mm/memory.c:1562 [inline]
unmap_vmas+0x3d4/0x5b0 mm/memory.c:1594
exit_mmap+0x2f9/0x5c0 mm/mmap.c:3341
__mmput+0x95/0x2c0 kernel/fork.c:1133
mmput+0x4b/0x50 kernel/fork.c:1154
exit_mm+0x5cd/0x790 kernel/exit.c:489
do_exit+0x5f2/0x2340 kernel/exit.c:800
do_group_exit+0x13a/0x300 kernel/exit.c:910
get_signal+0xe17/0x1440 kernel/signal.c:2780
arch_do_signal+0x8e/0x650 arch/x86/kernel/signal.c:805
exit_to_user_mode_loop+0xa3/0xe0 kernel/entry/common.c:161
exit_to_user_mode_prepare kernel/entry/common.c:191 [inline]
syscall_exit_to_user_mode+0x77/0xa0 kernel/entry/common.c:266
do_syscall_64+0x40/0x70 arch/x86/entry/common.c:56
entry_SYSCALL_64_after_hwframe+0x61/0xc6
RIP: 0033:0x7f86813636c9
Code: Unable to access opcode bytes at RIP 0x7f868136369f.
RSP: 002b:00007f868130f308 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
RAX: 0000000001179000 RBX: 00007f86813f07e8 RCX: 00007f86813636c9
RDX: 0000000000000000 RSI: 0000000000000005 RDI: 0000000000000004
RBP: 00007f86813f07e0 R08: 0000000000000000 R09: 0000000000000000
R10: 0001000000201005 R11: 0000000000000246 R12: 00007f86813f07ec
R13: 00007f86813bcf28 R14: 0032656c69662f2e R15: 0000000000022000
---[ end trace 76762afaf09b868f ]---

Tudor Ambarus

Mar 20, 2023, 7:51:02 AM3/20/23
to syzbot+b9c671...@syzkaller.appspotmail.com, jone...@google.com, syzkaller-a...@googlegroups.com
#syz test: https://android.googlesource.com/kernel/common
5448b2fda85f2d90de03f053226f721ba2f7e731

syzbot

Mar 20, 2023, 8:00:23 AM3/20/23
to jone...@google.com, syzkaller-a...@googlegroups.com, tudor....@linaro.org
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

make: *** [Makefile:1960: clean] Error 123


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=10beb41cc80000


Tested on:

commit: 5448b2fd Merge 5.15.94 into android13-5.15-lts
git tree: https://android.googlesource.com/kernel/common
Note: no patches were applied.

Tudor Ambarus

Mar 20, 2023, 8:17:05 AM3/20/23
to syzbot, jone...@google.com, syzkaller-a...@googlegroups.com

syzbot

Mar 20, 2023, 8:18:20 AM3/20/23
to jone...@google.com, syzkaller-a...@googlegroups.com, tudor....@linaro.org
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

kernel clean failed: failed to run ["make" "-j" "32" "ARCH=x86_64" "distclean"]: exit status 2
make: *** [Makefile:1960: clean] Error 123



Tested on:

commit: 5448b2fd Merge 5.15.94 into android13-5.15-lts
git tree: android13-5.15-lts

Aleksandr Nogikh

Mar 20, 2023, 8:42:22 AM3/20/23
to syzbot, jone...@google.com, syzkaller-a...@googlegroups.com, tudor....@linaro.org
Let me fix the repository on the syz-ci instance. We've recently moved
Cuttlefish out of the ci2 instance, so it shouldn't be happening
anymore.

Aleksandr Nogikh

Mar 20, 2023, 8:47:13 AM3/20/23
to syzbot, jone...@google.com, syzkaller-a...@googlegroups.com, tudor....@linaro.org

syzbot

Mar 20, 2023, 9:12:26 AM3/20/23
to jone...@google.com, nog...@google.com, syzkaller-a...@googlegroups.com, tudor....@linaro.org
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: scheduling while atomic in f2fs_register_inmem_page

F2FS-fs (loop0): Found nat_bits in checkpoint
F2FS-fs (loop0): Try to recover 1th superblock, ret: 0
F2FS-fs (loop0): Mounted with checkpoint version = 753bd00b
BUG: scheduling while atomic: syz-executor.0/386/0x00000002
Modules linked in:
Preemption disabled at:
[<ffffffff81a56caf>] spin_lock include/linux/spinlock.h:363 [inline]
[<ffffffff81a56caf>] zap_pte_range mm/memory.c:1377 [inline]
[<ffffffff81a56caf>] zap_pmd_range mm/memory.c:1540 [inline]
[<ffffffff81a56caf>] zap_pud_range mm/memory.c:1569 [inline]
[<ffffffff81a56caf>] zap_p4d_range mm/memory.c:1590 [inline]
[<ffffffff81a56caf>] unmap_page_range+0xa2f/0x1ca0 mm/memory.c:1611
CPU: 0 PID: 386 Comm: syz-executor.0 Not tainted 5.15.94-syzkaller-g5448b2fda85f #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x151/0x1b7 lib/dump_stack.c:106
dump_stack+0x15/0x17 lib/dump_stack.c:113
__schedule_bug+0x195/0x260 kernel/sched/core.c:5730
schedule_debug kernel/sched/core.c:5757 [inline]
__schedule+0xdd0/0x1620 kernel/sched/core.c:6425
schedule+0x11f/0x1e0 kernel/sched/core.c:6618
schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:6677
mutex_optimistic_spin kernel/locking/mutex.c:511 [inline]
__mutex_lock_common kernel/locking/mutex.c:608 [inline]
__mutex_lock+0x51d/0x13f0 kernel/locking/mutex.c:743
__mutex_lock_slowpath+0xe/0x10 kernel/locking/mutex.c:994
mutex_lock+0x135/0x1e0 kernel/locking/mutex.c:288
f2fs_register_inmem_page+0x22c/0x4b0 fs/f2fs/segment.c:202
f2fs_set_data_page_dirty+0x591/0x730 fs/f2fs/data.c:3627
set_page_dirty+0x1a4/0x300 mm/page-writeback.c:2611
zap_pte_range mm/memory.c:1412 [inline]
zap_pmd_range mm/memory.c:1540 [inline]
zap_pud_range mm/memory.c:1569 [inline]
zap_p4d_range mm/memory.c:1590 [inline]
unmap_page_range+0xf33/0x1ca0 mm/memory.c:1611
unmap_single_vma mm/memory.c:1656 [inline]
unmap_vmas+0x389/0x560 mm/memory.c:1688
exit_mmap+0x3d8/0x6f0 mm/mmap.c:3209
__mmput+0x95/0x310 kernel/fork.c:1171
mmput+0x5b/0x170 kernel/fork.c:1194
exit_mm kernel/exit.c:551 [inline]
do_exit+0xbb4/0x2b60 kernel/exit.c:862
do_group_exit+0x141/0x310 kernel/exit.c:997
get_signal+0x7a3/0x1630 kernel/signal.c:2891
arch_do_signal_or_restart+0xbd/0x1680 arch/x86/kernel/signal.c:865
handle_signal_work kernel/entry/common.c:148 [inline]
exit_to_user_mode_loop+0xa0/0xe0 kernel/entry/common.c:172
exit_to_user_mode_prepare+0x5a/0xa0 kernel/entry/common.c:207
__syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline]
syscall_exit_to_user_mode+0x26/0x160 kernel/entry/common.c:300
do_syscall_64+0x49/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7fafe53f10f9
Code: Unable to access opcode bytes at RIP 0x7fafe53f10cf.
RSP: 002b:00007fafe4f64218 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007fafe5510f88 RCX: 00007fafe53f10f9
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007fafe5510f88
RBP: 00007fafe5510f80 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fafe5510f8c
R13: 00007ffe41c6363f R14: 00007fafe4f64300 R15: 0000000000022000
</TASK>
------------[ cut here ]------------
DEBUG_LOCKS_WARN_ON(val > preempt_count())
WARNING: CPU: 1 PID: 386 at kernel/sched/core.c:5673 preempt_count_sub+0xa8/0x160 kernel/sched/core.c:5673
Modules linked in:
CPU: 1 PID: 386 Comm: syz-executor.0 Tainted: G W 5.15.94-syzkaller-g5448b2fda85f #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
RIP: 0010:preempt_count_sub+0xa8/0x160 kernel/sched/core.c:5673
Code: 03 42 0f b6 04 30 84 c0 0f 85 86 00 00 00 83 3d f5 ca 38 05 00 75 d1 48 c7 c7 00 91 08 85 48 c7 c6 a0 91 08 85 e8 48 66 f5 ff <0f> 0b eb ba e8 6f 88 0d 01 85 c0 74 b1 48 c7 c0 28 3c 85 86 48 c1
RSP: 0018:ffffc90000d374c8 EFLAGS: 00010246
RAX: b0af714b6a4bbe00 RBX: 0000000000000001 RCX: ffff88810cf062c0
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: ffffc90000d374d8 R08: ffffffff8156a435 R09: ffffed103ee64e93
R10: 0000000000000000 R11: dffffc0000000001 R12: dffffc0000000000
R13: 0400000000000080 R14: dffffc0000000000 R15: 0000000020200000
FS: 0000000000000000(0000) GS:ffff8881f7300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020003700 CR3: 000000000600f000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
__raw_spin_unlock include/linux/spinlock_api_smp.h:152 [inline]
_raw_spin_unlock+0x4d/0x70 kernel/locking/spinlock.c:186
spin_unlock include/linux/spinlock.h:403 [inline]
zap_pte_range mm/memory.c:1481 [inline]
zap_pmd_range mm/memory.c:1540 [inline]
zap_pud_range mm/memory.c:1569 [inline]
zap_p4d_range mm/memory.c:1590 [inline]
unmap_page_range+0x1a8c/0x1ca0 mm/memory.c:1611
unmap_single_vma mm/memory.c:1656 [inline]
unmap_vmas+0x389/0x560 mm/memory.c:1688
exit_mmap+0x3d8/0x6f0 mm/mmap.c:3209
__mmput+0x95/0x310 kernel/fork.c:1171
mmput+0x5b/0x170 kernel/fork.c:1194
exit_mm kernel/exit.c:551 [inline]
do_exit+0xbb4/0x2b60 kernel/exit.c:862
do_group_exit+0x141/0x310 kernel/exit.c:997
get_signal+0x7a3/0x1630 kernel/signal.c:2891
arch_do_signal_or_restart+0xbd/0x1680 arch/x86/kernel/signal.c:865
handle_signal_work kernel/entry/common.c:148 [inline]
exit_to_user_mode_loop+0xa0/0xe0 kernel/entry/common.c:172
exit_to_user_mode_prepare+0x5a/0xa0 kernel/entry/common.c:207
__syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline]
syscall_exit_to_user_mode+0x26/0x160 kernel/entry/common.c:300
do_syscall_64+0x49/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7fafe53f10f9
Code: Unable to access opcode bytes at RIP 0x7fafe53f10cf.
RSP: 002b:00007fafe4f64218 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007fafe5510f88 RCX: 00007fafe53f10f9
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007fafe5510f88
RBP: 00007fafe5510f80 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fafe5510f8c
R13: 00007ffe41c6363f R14: 00007fafe4f64300 R15: 0000000000022000
</TASK>
---[ end trace 4940d84b1cbe92cd ]---


Tested on:

commit: 5448b2fd Merge 5.15.94 into android13-5.15-lts
git tree: android13-5.15-lts
console output: https://syzkaller.appspot.com/x/log.txt?x=14fe8f26c80000
kernel config: https://syzkaller.appspot.com/x/.config?x=2bc7633dee4d7ae2
dashboard link: https://syzkaller.appspot.com/bug?extid=b9c67110e04430822b08
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2

Tudor Ambarus

Mar 22, 2023, 7:58:33 AM3/22/23
to syzbot, jone...@google.com, nog...@google.com, syzkaller-a...@googlegroups.com

Tudor Ambarus

Mar 22, 2023, 8:01:57 AM3/22/23
to syzbot, jone...@google.com, nog...@google.com, syzkaller-a...@googlegroups.com

Tudor Ambarus

Mar 22, 2023, 8:14:31 AM3/22/23
to syzbot, Lee Jones, syzkaller-a...@googlegroups.com

Tudor Ambarus

Mar 22, 2023, 8:16:11 AM3/22/23
to syzbot+f61e8f...@syzkaller.appspotmail.com, Lee Jones, syzkaller-a...@googlegroups.com

syzbot

Mar 22, 2023, 8:16:13 AM3/22/23
to tudor....@linaro.org, jone...@google.com, syzkaller-a...@googlegroups.com, tudor....@linaro.org, syzkaller...@googlegroups.com
> #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux

This crash does not have a reproducer. I cannot test it.

> master

Tudor Ambarus

Mar 22, 2023, 8:17:43 AM3/22/23
to syzbot+19f255...@syzkaller.appspotmail.com, Lee Jones, syzkaller-a...@googlegroups.com

syzbot

Mar 22, 2023, 2:16:24 PM3/22/23
to jone...@google.com, nog...@google.com, syzkaller-a...@googlegroups.com, tudor....@linaro.org
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+b9c671...@syzkaller.appspotmail.com

Tested on:

commit: a1effab7 Merge tag 'vfio-v6.3-rc4' of https://github.c..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux master
console output: https://syzkaller.appspot.com/x/log.txt?x=136a0a4ec80000
kernel config: https://syzkaller.appspot.com/x/.config?x=39ca98d9e19a815e
dashboard link: https://syzkaller.appspot.com/bug?extid=b9c67110e04430822b08
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2

Note: no patches were applied.
Note: testing is done by a robot and is best-effort only.

syzbot

Mar 22, 2023, 2:27:25 PM3/22/23
to jone...@google.com, nog...@google.com, syzkaller-a...@googlegroups.com, tudor....@linaro.org
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+b9c671...@syzkaller.appspotmail.com

Tested on:

commit: 6b36cfa5 f2fs: apply zone capacity to all zone type
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs.git dev-test
console output: https://syzkaller.appspot.com/x/log.txt?x=12029c5ac80000
kernel config: https://syzkaller.appspot.com/x/.config?x=bf0df7a3e8ee3482

syzbot

Mar 22, 2023, 2:37:21 PM3/22/23
to jone...@google.com, syzkaller-a...@googlegroups.com, tudor....@linaro.org
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+b9c671...@syzkaller.appspotmail.com

Tested on:

commit: a1effab7 Merge tag 'vfio-v6.3-rc4' of https://github.c..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux master
console output: https://syzkaller.appspot.com/x/log.txt?x=10545991c80000
kernel config: https://syzkaller.appspot.com/x/.config?x=39ca98d9e19a815e

syzbot

Mar 22, 2023, 2:45:26 PM3/22/23
to jone...@google.com, syzkaller-a...@googlegroups.com, tudor....@linaro.org
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: soft lockup in smp_call_function

watchdog: BUG: soft lockup - CPU#1 stuck for 246s! [kworker/u4:0:8]
Modules linked in:
CPU: 1 PID: 8 Comm: kworker/u4:0 Not tainted 6.3.0-rc3-syzkaller-00021-ga1effab7a3a3 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Workqueue: events_unbound toggle_allocation_gate
RIP: 0010:csd_lock_wait kernel/smp.c:442 [inline]
RIP: 0010:smp_call_function_many_cond+0x9c3/0xad0 kernel/smp.c:987
Call Trace:
<TASK>
on_each_cpu_cond_mask+0x44/0x80 kernel/smp.c:1155
on_each_cpu include/linux/smp.h:71 [inline]
text_poke_sync arch/x86/kernel/alternative.c:1770 [inline]
text_poke_bp_batch+0x1ed/0x740 arch/x86/kernel/alternative.c:1970
text_poke_flush arch/x86/kernel/alternative.c:2161 [inline]
text_poke_finish+0x1e/0x30 arch/x86/kernel/alternative.c:2168
arch_jump_label_transform_apply+0x19/0x30 arch/x86/kernel/jump_label.c:146
__jump_label_update+0x36a/0x380 kernel/jump_label.c:483
jump_label_update+0x3af/0x450 kernel/jump_label.c:829
static_key_enable_cpuslocked+0x133/0x250 kernel/jump_label.c:205
static_key_enable+0x1e/0x30 kernel/jump_label.c:218
toggle_allocation_gate+0xb5/0x240 mm/kfence/core.c:799
process_one_work+0x6ab/0xc00 kernel/workqueue.c:2390
worker_thread+0xac7/0x12b0 kernel/workqueue.c:2537
kthread+0x271/0x310 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
</TASK>
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 PID: 2273 Comm: syz-executor.0 Not tainted 6.3.0-rc3-syzkaller-00021-ga1effab7a3a3 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
RIP: 0010:check_kcov_mode kernel/kcov.c:184 [inline]
RIP: 0010:write_comp_data kernel/kcov.c:236 [inline]
RIP: 0010:__sanitizer_cov_trace_const_cmp4+0x38/0x90 kernel/kcov.c:304
Call Trace:
<TASK>
__vga_put drivers/pci/vgaarb.c:379 [inline]
vga_put drivers/pci/vgaarb.c:540 [inline]
vga_arb_release+0x358/0x950 drivers/pci/vgaarb.c:1463
__fput+0x3fe/0x910 fs/file_table.c:321
____fput+0x19/0x20 fs/file_table.c:349
task_work_run+0x24a/0x2f0 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop+0x8b/0xa0 kernel/entry/common.c:171
exit_to_user_mode_prepare+0x5a/0xa0 kernel/entry/common.c:203
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x2a/0x140 kernel/entry/common.c:296
do_syscall_64+0x4d/0x90 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
</TASK>


Tested on:

commit: a1effab7 Merge tag 'vfio-v6.3-rc4' of https://github.c..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux master
console output: https://syzkaller.appspot.com/x/log.txt?x=13266c19c80000
kernel config: https://syzkaller.appspot.com/x/.config?x=39ca98d9e19a815e
dashboard link: https://syzkaller.appspot.com/bug?extid=19f2558f0b4ac07df383

Tudor Ambarus

Mar 23, 2023, 2:44:23 AM
to syzbot, jone...@google.com, syzkaller-a...@googlegroups.com

syzbot

Mar 23, 2023, 3:24:22 AM
to jone...@google.com, syzkaller-a...@googlegroups.com, tudor....@linaro.org
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

[ 21.922591][ T17] ================================================================================
[ 21.931957][ T17] UBSAN: object-size-mismatch in ./include/linux/skbuff.h:2086:28
[ 21.939624][ T17] member access within address ffffc900001171c0 with insufficient space
[ 21.948000][ T17] for an object of type 'struct sk_buff'
[ 21.953659][ T17] CPU: 0 PID: 17 Comm: kworker/0:1 Not tainted 5.16.0-syzkaller #0
[ 21.961748][ T17] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
[ 21.971647][ T17] Workqueue: ipv6_addrconf addrconf_dad_work
[ 21.977460][ T17] Call Trace:
[ 21.981344][ T17] <TASK>
[ 21.984202][ T17] dump_stack_lvl+0x151/0x1b7
[ 21.989213][ T17] ? bfq_pos_tree_add_move+0x439/0x439
[ 21.994567][ T17] dump_stack+0x15/0x17
[ 21.998524][ T17] ubsan_type_mismatch_common+0x21b/0x3b0
[ 22.004054][ T17] __ubsan_handle_type_mismatch_v1+0x4d/0x60
[ 22.009985][ T17] wg_xmit+0x4e7/0xaa0
[ 22.013890][ T17] ? wg_stop+0x5c0/0x5c0
[ 22.018243][ T17] ? netif_skb_features+0x82b/0xbc0
[ 22.023236][ T17] netdev_start_xmit+0x8a/0x160
[ 22.027920][ T17] dev_hard_start_xmit+0x1aa/0x540
[ 22.032919][ T17] __dev_queue_xmit+0x11f7/0x21c0
[ 22.037988][ T17] ? dev_queue_xmit+0x20/0x20
[ 22.042506][ T17] ? __kasan_check_write+0x14/0x20
[ 22.047453][ T17] ? _raw_write_lock_bh+0xa4/0x170
[ 22.052405][ T17] ? _raw_write_lock_irq+0x170/0x170
[ 22.057604][ T17] ? ndisc_constructor+0x5ea/0x7d0
[ 22.062548][ T17] ? __local_bh_enable_ip+0x58/0x80
[ 22.067756][ T17] ? _raw_write_unlock_bh+0x32/0x48
[ 22.072963][ T17] ? dev_hard_header+0xdb/0xf0
[ 22.077577][ T17] dev_queue_xmit+0x17/0x20
[ 22.081918][ T17] neigh_connected_output+0x275/0x2a0
[ 22.089118][ T17] ip6_finish_output2+0xac7/0x10f0
[ 22.094497][ T17] ? worker_thread+0x6b4/0xa20
[ 22.099277][ T17] ? __ip6_finish_output+0x520/0x520
[ 22.104682][ T17] ? ip6_mtu+0xda/0x120
[ 22.108844][ T17] ? ip6_skb_dst_mtu+0xaf/0x260
[ 22.113528][ T17] __ip6_finish_output+0x3e2/0x520
[ 22.118656][ T17] ip6_finish_output+0x31/0x210
[ 22.123520][ T17] ? ip6_output+0x468/0x4a0
[ 22.127861][ T17] ip6_output+0x1db/0x4a0
[ 22.132015][ T17] ? ac6_get_next+0x290/0x290
[ 22.136617][ T17] ? ip6_dst_idev+0x40/0x40
[ 22.141565][ T17] ? selinux_ip_forward+0x800/0x800
[ 22.146692][ T17] ndisc_send_skb+0x752/0xcf0
[ 22.151407][ T17] ? ndisc_fill_addr_option+0x2e0/0x2e0
[ 22.157126][ T17] ? should_failslab+0x9/0x20
[ 22.161815][ T17] ? addrconf_addr_solict_mult+0xe0/0xe0
[ 22.167296][ T17] ? __kasan_check_write+0x14/0x20
[ 22.172590][ T17] ? skb_set_owner_w+0x1ad/0x310
[ 22.177477][ T17] ? skb_put+0x11e/0x210
[ 22.181550][ T17] ndisc_send_rs+0x268/0x360
[ 22.186086][ T17] addrconf_dad_completed+0x4d4/0x9f0
[ 22.191271][ T17] ? addrconf_dad_stop+0x410/0x410
[ 22.196217][ T17] addrconf_dad_work+0xbb9/0x1420
[ 22.201179][ T17] ? move_linked_works+0x10c/0x120
[ 22.206553][ T17] ? INIT_LIST_HEAD+0x60/0x60
[ 22.211060][ T17] ? __kasan_check_write+0x14/0x20
[ 22.216102][ T17] process_one_work+0x3c8/0x860
[ 22.220792][ T17] worker_thread+0x6b4/0xa20
[ 22.225297][ T17] ? __kthread_parkme+0x12d/0x180
[ 22.230164][ T17] kthread+0x376/0x450
[ 22.234145][ T17] ? pr_cont_work+0x110/0x110
[ 22.238761][ T17] ? __list_add+0xc0/0xc0
[ 22.243021][ T17] ret_from_fork+0x1f/0x30
[ 22.247302][ T17] </TASK>
[ 22.250295][ T17] ================================================================================
[ 22.259372][ T17] ================================================================================
[ 22.268801][ T17] UBSAN: object-size-mismatch in ./include/linux/skbuff.h:1979:2
[ 22.276391][ T17] member access within address ffffc900001171c0 with insufficient space
[ 22.284635][ T17] for an object of type 'struct sk_buff'
[ 22.290341][ T17] CPU: 0 PID: 17 Comm: kworker/0:1 Not tainted 5.16.0-syzkaller #0
[ 22.298145][ T17] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
[ 22.308146][ T17] Workqueue: ipv6_addrconf addrconf_dad_work
[ 22.313964][ T17] Call Trace:
[ 22.317161][ T17] <TASK>
[ 22.319928][ T17] dump_stack_lvl+0x151/0x1b7
[ 22.324444][ T17] ? bfq_pos_tree_add_move+0x439/0x439
[ 22.329840][ T17] dump_stack+0x15/0x17
[ 22.334165][ T17] ubsan_type_mismatch_common+0x21b/0x3b0
[ 22.339715][ T17] __ubsan_handle_type_mismatch_v1+0x4d/0x60
[ 22.345619][ T17] wg_xmit+0x558/0xaa0
[ 22.349611][ T17] ? wg_stop+0x5c0/0x5c0
[ 22.353776][ T17] ? netif_skb_features+0x82b/0xbc0
[ 22.358819][ T17] netdev_start_xmit+0x8a/0x160
[ 22.363973][ T17] dev_hard_start_xmit+0x1aa/0x540
[ 22.368917][ T17] __dev_queue_xmit+0x11f7/0x21c0
[ 22.373873][ T17] ? dev_queue_xmit+0x20/0x20
[ 22.378370][ T17] ? __kasan_check_write+0x14/0x20
[ 22.383317][ T17] ? _raw_write_lock_bh+0xa4/0x170
[ 22.388272][ T17] ? _raw_write_lock_irq+0x170/0x170
[ 22.393476][ T17] ? ndisc_constructor+0x5ea/0x7d0
[ 22.398473][ T17] ? __local_bh_enable_ip+0x58/0x80
[ 22.403461][ T17] ? _raw_write_unlock_bh+0x32/0x48
[ 22.408488][ T17] ? dev_hard_header+0xdb/0xf0
[ 22.413092][ T17] dev_queue_xmit+0x17/0x20
[ 22.417602][ T17] neigh_connected_output+0x275/0x2a0
[ 22.423169][ T17] ip6_finish_output2+0xac7/0x10f0
[ 22.428195][ T17] ? worker_thread+0x6b4/0xa20
[ 22.433061][ T17] ? __ip6_finish_output+0x520/0x520
[ 22.438169][ T17] ? ip6_mtu+0xda/0x120
[ 22.442162][ T17] ? ip6_skb_dst_mtu+0xaf/0x260
[ 22.446851][ T17] __ip6_finish_output+0x3e2/0x520
[ 22.451883][ T17] ip6_finish_output+0x31/0x210
[ 22.456568][ T17] ? ip6_output+0x468/0x4a0
[ 22.460918][ T17] ip6_output+0x1db/0x4a0
[ 22.465194][ T17] ? ac6_get_next+0x290/0x290
[ 22.469914][ T17] ? ip6_dst_idev+0x40/0x40
[ 22.474234][ T17] ? selinux_ip_forward+0x800/0x800
[ 22.479267][ T17] ndisc_send_skb+0x752/0xcf0
[ 22.483784][ T17] ? ndisc_fill_addr_option+0x2e0/0x2e0
[ 22.489169][ T17] ? should_failslab+0x9/0x20
[ 22.493850][ T17] ? addrconf_addr_solict_mult+0xe0/0xe0
[ 22.499328][ T17] ? __kasan_check_write+0x14/0x20
[ 22.504262][ T17] ? skb_set_owner_w+0x1ad/0x310
[ 22.509127][ T17] ? skb_put+0x11e/0x210
[ 22.513206][ T17] ndisc_send_rs+0x268/0x360
[ 22.517634][ T17] addrconf_dad_completed+0x4d4/0x9f0
[ 22.522850][ T17] ? addrconf_dad_stop+0x410/0x410
[ 22.527791][ T17] addrconf_dad_work+0xbb9/0x1420
[ 22.532648][ T17] ? move_linked_works+0x10c/0x120
[ 22.537811][ T17] ? INIT_LIST_HEAD+0x60/0x60
[ 22.542400][ T17] ? __kasan_check_write+0x14/0x20
[ 22.547338][ T17] process_one_work+0x3c8/0x860
[ 22.552255][ T17] worker_thread+0x6b4/0xa20
[ 22.556676][ T17] ? __kthread_parkme+0x12d/0x180
[ 22.561533][ T17] kthread+0x376/0x450
[ 22.565446][ T17] ? pr_cont_work+0x110/0x110
[ 22.569968][ T17] ? __list_add+0xc0/0xc0
[ 22.574304][ T17] ret_from_fork+0x1f/0x30
[ 22.578544][ T17] </TASK>
[ 22.581460][ T17] ================================================================================


syzkaller build log:

Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=17c8ca5ec80000


Tested on:

commit: df0cc57e Linux 5.16
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs.git v5.16
kernel config: https://syzkaller.appspot.com/x/.config?x=1e103a4965d55b7d

Tudor Ambarus

Mar 23, 2023, 4:01:15 AM
to syzbot, jone...@google.com, syzkaller-a...@googlegroups.com

syzbot

Mar 23, 2023, 4:18:24 AM
to jone...@google.com, syzkaller-a...@googlegroups.com, tudor....@linaro.org
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+b9c671...@syzkaller.appspotmail.com

Tested on:

commit: 3d7cb6b0 Linux 5.19
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs.git v5.19
console output: https://syzkaller.appspot.com/x/log.txt?x=12cbdf09c80000
kernel config: https://syzkaller.appspot.com/x/.config?x=1b17fd68a2ef145e
dashboard link: https://syzkaller.appspot.com/bug?extid=b9c67110e04430822b08
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2

Note: no patches were applied.

Tudor Ambarus

Mar 23, 2023, 6:15:52 AM
to syzbot, jone...@google.com, syzkaller-a...@googlegroups.com

syzbot

Mar 23, 2023, 6:39:23 AM
to jone...@google.com, syzkaller-a...@googlegroups.com, tudor....@linaro.org
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: scheduling while atomic in f2fs_register_inmem_page

F2FS-fs (loop0): Found nat_bits in checkpoint
F2FS-fs (loop0): Try to recover 1th superblock, ret: 0
F2FS-fs (loop0): Mounted with checkpoint version = 753bd00b
BUG: scheduling while atomic: syz-executor.0/487/0x00000002
Modules linked in:
Preemption disabled at:
[<ffffffff81a3ee87>] spin_lock include/linux/spinlock.h:349 [inline]
[<ffffffff81a3ee87>] zap_pte_range mm/memory.c:1346 [inline]
[<ffffffff81a3ee87>] zap_pmd_range mm/memory.c:1490 [inline]
[<ffffffff81a3ee87>] zap_pud_range mm/memory.c:1519 [inline]
[<ffffffff81a3ee87>] zap_p4d_range mm/memory.c:1540 [inline]
[<ffffffff81a3ee87>] unmap_page_range+0xa37/0x1c00 mm/memory.c:1561
CPU: 0 PID: 487 Comm: syz-executor.0 Not tainted 5.17.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x151/0x1b7 lib/dump_stack.c:106
dump_stack+0x15/0x17 lib/dump_stack.c:113
__schedule_bug+0x1a0/0x240 kernel/sched/core.c:5539
schedule_debug kernel/sched/core.c:5566 [inline]
__schedule+0xcef/0x1540 kernel/sched/core.c:6195
schedule+0x12a/0x1f0 kernel/sched/core.c:6377
schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:6436
mutex_optimistic_spin kernel/locking/mutex.c:507 [inline]
__mutex_lock_common kernel/locking/mutex.c:603 [inline]
__mutex_lock+0x4b2/0x1040 kernel/locking/mutex.c:733
__mutex_lock_slowpath+0xe/0x10 kernel/locking/mutex.c:1021
mutex_lock+0xeb/0x120 kernel/locking/mutex.c:283
f2fs_register_inmem_page+0x22c/0x4b0 fs/f2fs/segment.c:203
f2fs_set_data_page_dirty+0x508/0x6a0 fs/f2fs/data.c:3566
folio_mark_dirty+0xd0/0x150 mm/page-writeback.c:2643
set_page_dirty+0x5c/0x70 mm/folio-compat.c:83
zap_pte_range mm/memory.c:1373 [inline]
zap_pmd_range mm/memory.c:1490 [inline]
zap_pud_range mm/memory.c:1519 [inline]
zap_p4d_range mm/memory.c:1540 [inline]
unmap_page_range+0x1030/0x1c00 mm/memory.c:1561
unmap_single_vma mm/memory.c:1606 [inline]
unmap_vmas+0x389/0x560 mm/memory.c:1638
exit_mmap+0x3fb/0x6f0 mm/mmap.c:3178
__mmput+0x95/0x300 kernel/fork.c:1114
mmput+0x59/0x70 kernel/fork.c:1135
exit_mm kernel/exit.c:507 [inline]
do_exit+0xab3/0x2850 kernel/exit.c:793
do_group_exit+0x255/0x320 kernel/exit.c:935
get_signal+0x83c/0x17b0 kernel/signal.c:2863
arch_do_signal_or_restart+0xbd/0x16a0 arch/x86/kernel/signal.c:868
handle_signal_work kernel/entry/common.c:148 [inline]
exit_to_user_mode_loop+0xa0/0xe0 kernel/entry/common.c:172
exit_to_user_mode_prepare+0x5a/0xa0 kernel/entry/common.c:207
__syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline]
syscall_exit_to_user_mode+0x26/0x160 kernel/entry/common.c:300
do_syscall_64+0x50/0xd0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x44/0xae
</TASK>
------------[ cut here ]------------
DEBUG_LOCKS_WARN_ON(val > preempt_count())
WARNING: CPU: 0 PID: 487 at kernel/sched/core.c:5483 preempt_count_sub+0xa8/0x160 kernel/sched/core.c:5483
Modules linked in:
CPU: 0 PID: 487 Comm: syz-executor.0 Tainted: G W 5.17.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
RIP: 0010:preempt_count_sub+0xa8/0x160 kernel/sched/core.c:5483
Call Trace:
<TASK>
__raw_spin_unlock include/linux/spinlock_api_smp.h:143 [inline]
_raw_spin_unlock+0x4d/0x70 kernel/locking/spinlock.c:186
spin_unlock include/linux/spinlock.h:389 [inline]
zap_pte_range mm/memory.c:1431 [inline]
zap_pmd_range mm/memory.c:1490 [inline]
zap_pud_range mm/memory.c:1519 [inline]
zap_p4d_range mm/memory.c:1540 [inline]
unmap_page_range+0x19cf/0x1c00 mm/memory.c:1561
unmap_single_vma mm/memory.c:1606 [inline]
unmap_vmas+0x389/0x560 mm/memory.c:1638
exit_mmap+0x3fb/0x6f0 mm/mmap.c:3178
__mmput+0x95/0x300 kernel/fork.c:1114
mmput+0x59/0x70 kernel/fork.c:1135
exit_mm kernel/exit.c:507 [inline]
do_exit+0xab3/0x2850 kernel/exit.c:793
do_group_exit+0x255/0x320 kernel/exit.c:935
get_signal+0x83c/0x17b0 kernel/signal.c:2863
arch_do_signal_or_restart+0xbd/0x16a0 arch/x86/kernel/signal.c:868
handle_signal_work kernel/entry/common.c:148 [inline]
exit_to_user_mode_loop+0xa0/0xe0 kernel/entry/common.c:172
exit_to_user_mode_prepare+0x5a/0xa0 kernel/entry/common.c:207
__syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline]
syscall_exit_to_user_mode+0x26/0x160 kernel/entry/common.c:300
do_syscall_64+0x50/0xd0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x44/0xae
</TASK>
---[ end trace 0000000000000000 ]---


Tested on:

commit: f443e374 Linux 5.17
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs.git v5.17
console output: https://syzkaller.appspot.com/x/log.txt?x=12f95ccec80000
kernel config: https://syzkaller.appspot.com/x/.config?x=c150534b89b28d10

Tudor Ambarus

Mar 23, 2023, 6:40:45 AM
to syzbot, jone...@google.com, syzkaller-a...@googlegroups.com

syzbot

Mar 23, 2023, 7:14:19 AM
to jone...@google.com, syzkaller-a...@googlegroups.com, tudor....@linaro.org
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: scheduling while atomic in f2fs_register_inmem_page

F2FS-fs (loop0): Found nat_bits in checkpoint
F2FS-fs (loop0): Try to recover 1th superblock, ret: 0
F2FS-fs (loop0): Mounted with checkpoint version = 753bd00b
BUG: scheduling while atomic: syz-executor.0/471/0x00000002
Modules linked in:
Preemption disabled at:
[<ffffffff81a48a42>] spin_lock include/linux/spinlock.h:349 [inline]
[<ffffffff81a48a42>] zap_pte_range mm/memory.c:1355 [inline]
[<ffffffff81a48a42>] zap_pmd_range mm/memory.c:1497 [inline]
[<ffffffff81a48a42>] zap_pud_range mm/memory.c:1526 [inline]
[<ffffffff81a48a42>] zap_p4d_range mm/memory.c:1547 [inline]
[<ffffffff81a48a42>] unmap_page_range+0xa82/0x1ed0 mm/memory.c:1568
CPU: 0 PID: 471 Comm: syz-executor.0 Not tainted 5.18.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x151/0x1b7 lib/dump_stack.c:106
dump_stack+0x15/0x17 lib/dump_stack.c:113
__schedule_bug+0x1a0/0x240 kernel/sched/core.c:5617
schedule_debug kernel/sched/core.c:5644 [inline]
__schedule+0xd0a/0x1560 kernel/sched/core.c:6279
schedule+0xeb/0x1a0 kernel/sched/core.c:6460
schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:6519
mutex_optimistic_spin kernel/locking/mutex.c:507 [inline]
__mutex_lock_common kernel/locking/mutex.c:603 [inline]
__mutex_lock+0x4b1/0x1040 kernel/locking/mutex.c:733
__mutex_lock_slowpath+0xe/0x10 kernel/locking/mutex.c:1021
mutex_lock+0xeb/0x120 kernel/locking/mutex.c:283
f2fs_register_inmem_page+0x22c/0x4b0 fs/f2fs/segment.c:203
f2fs_dirty_data_folio+0x31d/0x440 fs/f2fs/data.c:3568
folio_mark_dirty+0xd3/0xf0 mm/page-writeback.c:2630
set_page_dirty+0x5c/0x70 mm/folio-compat.c:84
zap_pte_range mm/memory.c:1382 [inline]
zap_pmd_range mm/memory.c:1497 [inline]
zap_pud_range mm/memory.c:1526 [inline]
zap_p4d_range mm/memory.c:1547 [inline]
unmap_page_range+0x12e4/0x1ed0 mm/memory.c:1568
unmap_single_vma mm/memory.c:1613 [inline]
unmap_vmas+0x389/0x560 mm/memory.c:1645
exit_mmap+0x1cc/0x4c0 mm/mmap.c:3140
__mmput+0x95/0x300 kernel/fork.c:1184
mmput+0x59/0x70 kernel/fork.c:1205
exit_mm kernel/exit.c:510 [inline]
do_exit+0xa5b/0x27d0 kernel/exit.c:782
do_group_exit+0x255/0x320 kernel/exit.c:925
get_signal+0x170e/0x1870 kernel/signal.c:2864
arch_do_signal_or_restart+0xb0/0x12a0 arch/x86/kernel/signal.c:867
exit_to_user_mode_loop+0x6b/0xa0 kernel/entry/common.c:166
exit_to_user_mode_prepare+0x5a/0xa0 kernel/entry/common.c:201
__syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline]
syscall_exit_to_user_mode+0x26/0x130 kernel/entry/common.c:294
do_syscall_64+0x49/0x80 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f2ce468c0f9
Code: Unable to access opcode bytes at RIP 0x7f2ce468c0cf.
RSP: 002b:00007f2ce5335218 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007f2ce47abf88 RCX: 00007f2ce468c0f9
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f2ce47abf88
RBP: 00007f2ce47abf80 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f2ce47abf8c
R13: 00007ffd046a06ef R14: 00007f2ce5335300 R15: 0000000000022000
</TASK>
------------[ cut here ]------------
DEBUG_LOCKS_WARN_ON(val > preempt_count())
WARNING: CPU: 0 PID: 471 at kernel/sched/core.c:5561 preempt_count_sub+0xa8/0x160 kernel/sched/core.c:5561
Modules linked in:
CPU: 0 PID: 471 Comm: syz-executor.0 Tainted: G W 5.18.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
RIP: 0010:preempt_count_sub+0xa8/0x160 kernel/sched/core.c:5561
Code: 03 42 0f b6 04 30 84 c0 0f 85 86 00 00 00 83 3d b5 b3 35 05 00 75 d1 48 c7 c7 40 dc 08 85 48 c7 c6 e0 dc 08 85 e8 a8 bb f5 ff <0f> 0b eb ba e8 af 1e 08 01 85 c0 74 b1 48 c7 c0 98 0c 83 86 48 c1
RSP: 0018:ffffc90002b2f488 EFLAGS: 00010246
RAX: a46c710448cf8800 RBX: 0000000000000001 RCX: ffff88810dc10000
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: ffffc90002b2f498 R08: ffffffff815697c8 R09: ffffed103ee44e8b
R10: 0000000000000000 R11: dffffc0000000001 R12: 0400000000000080
R13: 0000000020200000 R14: dffffc0000000000 R15: dffffc0000000000
FS: 0000000000000000(0000) GS:ffff8881f7300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020003700 CR3: 000000010b04d000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
__raw_spin_unlock include/linux/spinlock_api_smp.h:143 [inline]
_raw_spin_unlock+0x4c/0x70 kernel/locking/spinlock.c:186
spin_unlock include/linux/spinlock.h:389 [inline]
zap_pte_range mm/memory.c:1438 [inline]
zap_pmd_range mm/memory.c:1497 [inline]
zap_pud_range mm/memory.c:1526 [inline]
zap_p4d_range mm/memory.c:1547 [inline]
unmap_page_range+0x1c84/0x1ed0 mm/memory.c:1568
unmap_single_vma mm/memory.c:1613 [inline]
unmap_vmas+0x389/0x560 mm/memory.c:1645
exit_mmap+0x1cc/0x4c0 mm/mmap.c:3140
__mmput+0x95/0x300 kernel/fork.c:1184
mmput+0x59/0x70 kernel/fork.c:1205
exit_mm kernel/exit.c:510 [inline]
do_exit+0xa5b/0x27d0 kernel/exit.c:782
do_group_exit+0x255/0x320 kernel/exit.c:925
get_signal+0x170e/0x1870 kernel/signal.c:2864
arch_do_signal_or_restart+0xb0/0x12a0 arch/x86/kernel/signal.c:867
exit_to_user_mode_loop+0x6b/0xa0 kernel/entry/common.c:166
exit_to_user_mode_prepare+0x5a/0xa0 kernel/entry/common.c:201
__syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline]
syscall_exit_to_user_mode+0x26/0x130 kernel/entry/common.c:294
do_syscall_64+0x49/0x80 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f2ce468c0f9
Code: Unable to access opcode bytes at RIP 0x7f2ce468c0cf.
RSP: 002b:00007f2ce5335218 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007f2ce47abf88 RCX: 00007f2ce468c0f9
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f2ce47abf88
RBP: 00007f2ce47abf80 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f2ce47abf8c
R13: 00007ffd046a06ef R14: 00007f2ce5335300 R15: 0000000000022000
</TASK>
---[ end trace 0000000000000000 ]---


Tested on:

commit: 4b0986a3 Linux 5.18
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs.git v5.18
console output: https://syzkaller.appspot.com/x/log.txt?x=1516cb7ec80000
kernel config: https://syzkaller.appspot.com/x/.config?x=dfe3cbf74b48289a

Tudor Ambarus

Mar 23, 2023, 8:07:45 AM3/23/23
to syzbot, jone...@google.com, syzkaller-a...@googlegroups.com
#syz test:
git://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs.git
c011dd537ffe47462051930413fed07dbdc80313

syzbot

Mar 23, 2023, 8:16:21 AM3/23/23
to jone...@google.com, syzkaller-a...@googlegroups.com, tudor....@linaro.org
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: scheduling while atomic in f2fs_register_inmem_page

F2FS-fs (loop0): Found nat_bits in checkpoint
F2FS-fs (loop0): Try to recover 1th superblock, ret: 0
F2FS-fs (loop0): Mounted with checkpoint version = 753bd00b
BUG: scheduling while atomic: syz-executor.0/495/0x00000002
Modules linked in:
Preemption disabled at:
[<ffffffff81a5f422>] spin_lock include/linux/spinlock.h:349 [inline]
[<ffffffff81a5f422>] zap_pte_range mm/memory.c:1355 [inline]
[<ffffffff81a5f422>] zap_pmd_range mm/memory.c:1497 [inline]
[<ffffffff81a5f422>] zap_pud_range mm/memory.c:1526 [inline]
[<ffffffff81a5f422>] zap_p4d_range mm/memory.c:1547 [inline]
[<ffffffff81a5f422>] unmap_page_range+0xa82/0x1ed0 mm/memory.c:1568
CPU: 0 PID: 495 Comm: syz-executor.0 Not tainted 5.18.0-syzkaller-07905-gc011dd537ffe #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x151/0x1b7 lib/dump_stack.c:106
dump_stack+0x15/0x17 lib/dump_stack.c:113
__schedule_bug+0x1a0/0x240 kernel/sched/core.c:5620
schedule_debug kernel/sched/core.c:5647 [inline]
__schedule+0xd04/0x1560 kernel/sched/core.c:6282
schedule+0xeb/0x1a0 kernel/sched/core.c:6463
schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:6522
mutex_optimistic_spin kernel/locking/mutex.c:510 [inline]
__mutex_lock_common kernel/locking/mutex.c:607 [inline]
__mutex_lock+0x4fa/0x1500 kernel/locking/mutex.c:747
__mutex_lock_slowpath+0xe/0x10 kernel/locking/mutex.c:1035
mutex_lock+0xeb/0x120 kernel/locking/mutex.c:286
f2fs_register_inmem_page+0x22c/0x4b0 fs/f2fs/segment.c:203
f2fs_dirty_data_folio+0x31d/0x440 fs/f2fs/data.c:3570
folio_mark_dirty+0xd3/0xf0 mm/page-writeback.c:2632
set_page_dirty+0x5c/0x70 mm/folio-compat.c:84
zap_pte_range mm/memory.c:1382 [inline]
zap_pmd_range mm/memory.c:1497 [inline]
zap_pud_range mm/memory.c:1526 [inline]
zap_p4d_range mm/memory.c:1547 [inline]
unmap_page_range+0x12e4/0x1ed0 mm/memory.c:1568
unmap_single_vma mm/memory.c:1613 [inline]
unmap_vmas+0x389/0x560 mm/memory.c:1645
exit_mmap+0x1cc/0x4c0 mm/mmap.c:3140
__mmput+0x95/0x300 kernel/fork.c:1189
mmput+0x59/0x70 kernel/fork.c:1210
exit_mm kernel/exit.c:510 [inline]
do_exit+0xa5b/0x27d0 kernel/exit.c:782
do_group_exit+0x255/0x320 kernel/exit.c:925
get_signal+0x170e/0x1870 kernel/signal.c:2875
arch_do_signal_or_restart+0xb0/0x12a0 arch/x86/kernel/signal.c:869
exit_to_user_mode_loop+0x6b/0xa0 kernel/entry/common.c:166
exit_to_user_mode_prepare+0x5a/0xa0 kernel/entry/common.c:201
__syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline]
syscall_exit_to_user_mode+0x26/0x130 kernel/entry/common.c:294
do_syscall_64+0x49/0x80 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7f774da8c0f9
Code: Unable to access opcode bytes at RIP 0x7f774da8c0cf.
RSP: 002b:00007f774e8c1218 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007f774dbabf88 RCX: 00007f774da8c0f9
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f774dbabf88
RBP: 00007f774dbabf80 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f774dbabf8c
R13: 00007ffd77cead6f R14: 00007f774e8c1300 R15: 0000000000022000
</TASK>
------------[ cut here ]------------
DEBUG_LOCKS_WARN_ON(val > preempt_count())
WARNING: CPU: 0 PID: 495 at kernel/sched/core.c:5564 preempt_count_sub+0xa8/0x160 kernel/sched/core.c:5564
Modules linked in:
CPU: 0 PID: 495 Comm: syz-executor.0 Tainted: G W 5.18.0-syzkaller-07905-gc011dd537ffe #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
RIP: 0010:preempt_count_sub+0xa8/0x160 kernel/sched/core.c:5564
Code: 03 42 0f b6 04 30 84 c0 0f 85 86 00 00 00 83 3d a5 b7 35 05 00 75 d1 48 c7 c7 40 e8 08 85 48 c7 c6 e0 e8 08 85 e8 68 c4 f5 ff <0f> 0b eb ba e8 5f fc 09 01 85 c0 74 b1 48 c7 c0 e8 11 83 86 48 c1
RSP: 0018:ffffc90002c17488 EFLAGS: 00010246
RAX: f5c0ae69df6c5e00 RBX: 0000000000000001 RCX: ffff88810cf590c0
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: ffffc90002c17498 R08: ffffffff8156da95 R09: ffffed103ee44e83
R10: 0000000000000000 R11: dffffc0000000001 R12: 0400000000000080
R13: 0000000020200000 R14: dffffc0000000000 R15: dffffc0000000000
FS: 0000000000000000(0000) GS:ffff8881f7200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020003700 CR3: 000000011c88c000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
__raw_spin_unlock include/linux/spinlock_api_smp.h:143 [inline]
_raw_spin_unlock+0x4c/0x70 kernel/locking/spinlock.c:186
spin_unlock include/linux/spinlock.h:389 [inline]
zap_pte_range mm/memory.c:1438 [inline]
zap_pmd_range mm/memory.c:1497 [inline]
zap_pud_range mm/memory.c:1526 [inline]
zap_p4d_range mm/memory.c:1547 [inline]
unmap_page_range+0x1c84/0x1ed0 mm/memory.c:1568
unmap_single_vma mm/memory.c:1613 [inline]
unmap_vmas+0x389/0x560 mm/memory.c:1645
exit_mmap+0x1cc/0x4c0 mm/mmap.c:3140
__mmput+0x95/0x300 kernel/fork.c:1189
mmput+0x59/0x70 kernel/fork.c:1210
exit_mm kernel/exit.c:510 [inline]
do_exit+0xa5b/0x27d0 kernel/exit.c:782
do_group_exit+0x255/0x320 kernel/exit.c:925
get_signal+0x170e/0x1870 kernel/signal.c:2875
arch_do_signal_or_restart+0xb0/0x12a0 arch/x86/kernel/signal.c:869
exit_to_user_mode_loop+0x6b/0xa0 kernel/entry/common.c:166
exit_to_user_mode_prepare+0x5a/0xa0 kernel/entry/common.c:201
__syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline]
syscall_exit_to_user_mode+0x26/0x130 kernel/entry/common.c:294
do_syscall_64+0x49/0x80 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7f774da8c0f9
Code: Unable to access opcode bytes at RIP 0x7f774da8c0cf.
RSP: 002b:00007f774e8c1218 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007f774dbabf88 RCX: 00007f774da8c0f9
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f774dbabf88
RBP: 00007f774dbabf80 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f774dbabf8c
R13: 00007ffd77cead6f R14: 00007f774e8c1300 R15: 0000000000022000
</TASK>
---[ end trace 0000000000000000 ]---


Tested on:

commit: c011dd53 Merge tag 'arm-soc-5.19' of git://git.kernel...
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs.git
console output: https://syzkaller.appspot.com/x/log.txt?x=153fea36c80000
kernel config: https://syzkaller.appspot.com/x/.config?x=7662480b9b0c9752

Tudor Ambarus

Mar 23, 2023, 8:18:24 AM3/23/23
to syzbot, jone...@google.com, syzkaller-a...@googlegroups.com
#syz test:
git://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs.git
5d4af9c1f04ab0411ba5818baad9a68e87f33099

syzbot

Mar 23, 2023, 8:37:23 AM3/23/23
to jone...@google.com, syzkaller-a...@googlegroups.com, tudor....@linaro.org
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+b9c671...@syzkaller.appspotmail.com

Tested on:

commit: 5d4af9c1 Merge branch 'mv88e6xxx-fixes-for-reading-ser..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs.git
console output: https://syzkaller.appspot.com/x/log.txt?x=12bbfda1c80000
kernel config: https://syzkaller.appspot.com/x/.config?x=1f5ad8716741b91d
dashboard link: https://syzkaller.appspot.com/bug?extid=b9c67110e04430822b08
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2

Note: no patches were applied.

Tudor Ambarus

Mar 23, 2023, 8:43:09 AM3/23/23
to syzbot, jone...@google.com, syzkaller-a...@googlegroups.com
#syz test:
git://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs.git
7e284070abe53d448517b80493863595af4ab5f0

syzbot

Mar 23, 2023, 9:14:17 AM3/23/23
to jone...@google.com, syzkaller-a...@googlegroups.com, tudor....@linaro.org
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: scheduling while atomic in f2fs_register_inmem_page

BUG: scheduling while atomic: syz-executor.0/459/0x00000002
Modules linked in:
Preemption disabled at:
[<ffffffff81a6546d>] spin_lock include/linux/spinlock.h:349 [inline]
[<ffffffff81a6546d>] zap_pte_range mm/memory.c:1410 [inline]
[<ffffffff81a6546d>] zap_pmd_range mm/memory.c:1566 [inline]
[<ffffffff81a6546d>] zap_pud_range mm/memory.c:1595 [inline]
[<ffffffff81a6546d>] zap_p4d_range mm/memory.c:1616 [inline]
[<ffffffff81a6546d>] unmap_page_range+0xaad/0x24c0 mm/memory.c:1637
CPU: 0 PID: 459 Comm: syz-executor.0 Not tainted 5.18.0-syzkaller-10037-g7e284070abe5 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x151/0x1b7 lib/dump_stack.c:106
dump_stack+0x15/0x17 lib/dump_stack.c:113
__schedule_bug+0x1a0/0x240 kernel/sched/core.c:5660
schedule_debug kernel/sched/core.c:5687 [inline]
__schedule+0xd04/0x1560 kernel/sched/core.c:6322
schedule+0xeb/0x1a0 kernel/sched/core.c:6503
schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:6562
mutex_optimistic_spin kernel/locking/mutex.c:510 [inline]
__mutex_lock_common kernel/locking/mutex.c:607 [inline]
__mutex_lock+0x4fa/0x1500 kernel/locking/mutex.c:747
__mutex_lock_slowpath+0xe/0x10 kernel/locking/mutex.c:1035
mutex_lock+0xeb/0x120 kernel/locking/mutex.c:286
f2fs_register_inmem_page+0x22c/0x4b0 fs/f2fs/segment.c:203
f2fs_dirty_data_folio+0x31d/0x440 fs/f2fs/data.c:3570
folio_mark_dirty+0xd3/0xf0 mm/page-writeback.c:2723
set_page_dirty+0x5c/0x70 mm/folio-compat.c:84
zap_pte_range mm/memory.c:1439 [inline]
zap_pmd_range mm/memory.c:1566 [inline]
zap_pud_range mm/memory.c:1595 [inline]
zap_p4d_range mm/memory.c:1616 [inline]
unmap_page_range+0x113a/0x24c0 mm/memory.c:1637
unmap_single_vma mm/memory.c:1685 [inline]
unmap_vmas+0x3ac/0x580 mm/memory.c:1722
exit_mmap+0x1cc/0x4c0 mm/mmap.c:3145
__mmput+0x95/0x300 kernel/fork.c:1187
mmput+0x59/0x70 kernel/fork.c:1208
exit_mm kernel/exit.c:510 [inline]
do_exit+0xa5b/0x27d0 kernel/exit.c:782
do_group_exit+0x255/0x320 kernel/exit.c:925
get_signal+0x170e/0x1870 kernel/signal.c:2875
arch_do_signal_or_restart+0xb0/0x12a0 arch/x86/kernel/signal.c:869
exit_to_user_mode_loop+0x6b/0xa0 kernel/entry/common.c:166
exit_to_user_mode_prepare+0x5a/0xa0 kernel/entry/common.c:201
__syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline]
syscall_exit_to_user_mode+0x26/0x130 kernel/entry/common.c:294
do_syscall_64+0x49/0x80 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7f2001e8c0f9
Code: Unable to access opcode bytes at RIP 0x7f2001e8c0cf.
RSP: 002b:00007f2002bd3218 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007f2001fabf88 RCX: 00007f2001e8c0f9
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f2001fabf88
RBP: 00007f2001fabf80 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f2001fabf8c
R13: 00007fff80169c5f R14: 00007f2002bd3300 R15: 0000000000022000
</TASK>
------------[ cut here ]------------
DEBUG_LOCKS_WARN_ON(val > preempt_count())
WARNING: CPU: 1 PID: 459 at kernel/sched/core.c:5604 preempt_count_sub+0xa8/0x160 kernel/sched/core.c:5604
Modules linked in:
CPU: 1 PID: 459 Comm: syz-executor.0 Tainted: G W 5.18.0-syzkaller-10037-g7e284070abe5 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
RIP: 0010:preempt_count_sub+0xa8/0x160 kernel/sched/core.c:5604
Code: 03 42 0f b6 04 30 84 c0 0f 85 86 00 00 00 83 3d 75 c2 35 05 00 75 d1 48 c7 c7 a0 e8 08 85 48 c7 c6 40 e9 08 85 e8 68 c4 f5 ff <0f> 0b eb ba e8 5f bd 0a 01 85 c0 74 b1 48 c7 c0 d8 49 83 86 48 c1
RSP: 0018:ffffc90002b37408 EFLAGS: 00010246
RAX: a66e1d8c58d8a100 RBX: 0000000000000001 RCX: ffff88810e5d2180
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: ffffc90002b37418 R08: ffffffff815701f5 R09: ffffed103ee64e83
R10: 0000000000000000 R11: dffffc0000000001 R12: ffffc90002b37750
R13: dffffc0000000000 R14: dffffc0000000000 R15: 0000000020200000
FS: 0000000000000000(0000) GS:ffff8881f7300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000562ca9ec0128 CR3: 000000011c8f5000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
__raw_spin_unlock include/linux/spinlock_api_smp.h:143 [inline]
_raw_spin_unlock+0x4c/0x70 kernel/locking/spinlock.c:186
spin_unlock include/linux/spinlock.h:389 [inline]
zap_pte_range mm/memory.c:1507 [inline]
zap_pmd_range mm/memory.c:1566 [inline]
zap_pud_range mm/memory.c:1595 [inline]
zap_p4d_range mm/memory.c:1616 [inline]
unmap_page_range+0x2295/0x24c0 mm/memory.c:1637
unmap_single_vma mm/memory.c:1685 [inline]
unmap_vmas+0x3ac/0x580 mm/memory.c:1722
exit_mmap+0x1cc/0x4c0 mm/mmap.c:3145
__mmput+0x95/0x300 kernel/fork.c:1187
mmput+0x59/0x70 kernel/fork.c:1208
exit_mm kernel/exit.c:510 [inline]
do_exit+0xa5b/0x27d0 kernel/exit.c:782
do_group_exit+0x255/0x320 kernel/exit.c:925
get_signal+0x170e/0x1870 kernel/signal.c:2875
arch_do_signal_or_restart+0xb0/0x12a0 arch/x86/kernel/signal.c:869
exit_to_user_mode_loop+0x6b/0xa0 kernel/entry/common.c:166
exit_to_user_mode_prepare+0x5a/0xa0 kernel/entry/common.c:201
__syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline]
syscall_exit_to_user_mode+0x26/0x130 kernel/entry/common.c:294
do_syscall_64+0x49/0x80 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7f2001e8c0f9
Code: Unable to access opcode bytes at RIP 0x7f2001e8c0cf.
RSP: 002b:00007f2002bd3218 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007f2001fabf88 RCX: 00007f2001e8c0f9
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f2001fabf88
RBP: 00007f2001fabf80 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f2001fabf8c
R13: 00007fff80169c5f R14: 00007f2002bd3300 R15: 0000000000022000
</TASK>
---[ end trace 0000000000000000 ]---


Tested on:

commit: 7e284070 Merge tag 'for-5.19/dm-changes' of git://git...
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs.git
console output: https://syzkaller.appspot.com/x/log.txt?x=15bfea7ac80000
kernel config: https://syzkaller.appspot.com/x/.config?x=acd1727c446ef459

Tudor Ambarus

Mar 23, 2023, 9:18:58 AM3/23/23
to syzbot, jone...@google.com, syzkaller-a...@googlegroups.com
#syz test:
git://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs.git
664a393a2663a0f62fc1b18157ccae33dcdbb8c8

syzbot

Mar 23, 2023, 9:48:24 AM3/23/23
to jone...@google.com, syzkaller-a...@googlegroups.com, tudor....@linaro.org
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: scheduling while atomic in f2fs_register_inmem_page

F2FS-fs (loop0): Found nat_bits in checkpoint
F2FS-fs (loop0): Try to recover 1th superblock, ret: 0
F2FS-fs (loop0): Mounted with checkpoint version = 753bd00b
BUG: scheduling while atomic: syz-executor.0/496/0x00000002
Modules linked in:
Preemption disabled at:
[<ffffffff81a65fb4>] spin_lock include/linux/spinlock.h:349 [inline]
[<ffffffff81a65fb4>] zap_pte_range mm/memory.c:1410 [inline]
[<ffffffff81a65fb4>] zap_pmd_range mm/memory.c:1567 [inline]
[<ffffffff81a65fb4>] zap_pud_range mm/memory.c:1596 [inline]
[<ffffffff81a65fb4>] zap_p4d_range mm/memory.c:1617 [inline]
[<ffffffff81a65fb4>] unmap_page_range+0xa64/0x2670 mm/memory.c:1638
CPU: 0 PID: 496 Comm: syz-executor.0 Not tainted 5.18.0-syzkaller-11080-g664a393a2663 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x151/0x1b7 lib/dump_stack.c:106
dump_stack+0x15/0x17 lib/dump_stack.c:113
__schedule_bug+0x1a0/0x240 kernel/sched/core.c:5660
schedule_debug kernel/sched/core.c:5687 [inline]
__schedule+0xd04/0x1560 kernel/sched/core.c:6322
schedule+0xeb/0x1a0 kernel/sched/core.c:6503
schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:6562
mutex_optimistic_spin kernel/locking/mutex.c:510 [inline]
__mutex_lock_common kernel/locking/mutex.c:607 [inline]
__mutex_lock+0x4fa/0x1500 kernel/locking/mutex.c:747
__mutex_lock_slowpath+0xe/0x10 kernel/locking/mutex.c:1035
mutex_lock+0xeb/0x120 kernel/locking/mutex.c:286
f2fs_register_inmem_page+0x22c/0x4b0 fs/f2fs/segment.c:203
f2fs_dirty_data_folio+0x31d/0x440 fs/f2fs/data.c:3570
folio_mark_dirty+0xd3/0xf0 mm/page-writeback.c:2723
set_page_dirty+0x5c/0x70 mm/folio-compat.c:84
zap_pte_range mm/memory.c:1439 [inline]
zap_pmd_range mm/memory.c:1567 [inline]
zap_pud_range mm/memory.c:1596 [inline]
zap_p4d_range mm/memory.c:1617 [inline]
unmap_page_range+0x1379/0x2670 mm/memory.c:1638
unmap_single_vma mm/memory.c:1686 [inline]
unmap_vmas+0x3ac/0x580 mm/memory.c:1723
exit_mmap+0x1cc/0x4c0 mm/mmap.c:3162
__mmput+0x95/0x300 kernel/fork.c:1187
mmput+0x59/0x70 kernel/fork.c:1208
exit_mm kernel/exit.c:510 [inline]
do_exit+0xa5b/0x27d0 kernel/exit.c:782
do_group_exit+0x255/0x320 kernel/exit.c:925
get_signal+0x170e/0x1870 kernel/signal.c:2875
arch_do_signal_or_restart+0xb0/0x12a0 arch/x86/kernel/signal.c:869
exit_to_user_mode_loop+0x6b/0xa0 kernel/entry/common.c:166
exit_to_user_mode_prepare+0x5a/0xa0 kernel/entry/common.c:201
__syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline]
syscall_exit_to_user_mode+0x26/0x130 kernel/entry/common.c:294
do_syscall_64+0x49/0x80 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7f273ee8c0f9
Code: Unable to access opcode bytes at RIP 0x7f273ee8c0cf.
RSP: 002b:00007f273fc89218 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007f273efabf88 RCX: 00007f273ee8c0f9
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f273efabf88
RBP: 00007f273efabf80 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f273efabf8c
R13: 00007ffe24fe785f R14: 00007f273fc89300 R15: 0000000000022000
</TASK>
------------[ cut here ]------------
DEBUG_LOCKS_WARN_ON(val > preempt_count())
WARNING: CPU: 0 PID: 496 at kernel/sched/core.c:5604 preempt_count_sub+0xa8/0x160 kernel/sched/core.c:5604
Modules linked in:
CPU: 0 PID: 496 Comm: syz-executor.0 Tainted: G W 5.18.0-syzkaller-11080-g664a393a2663 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
RIP: 0010:preempt_count_sub+0xa8/0x160 kernel/sched/core.c:5604
Code: 03 42 0f b6 04 30 84 c0 0f 85 86 00 00 00 83 3d 85 c6 35 05 00 75 d1 48 c7 c7 e0 e9 08 85 48 c7 c6 80 ea 08 85 e8 68 c4 f5 ff <0f> 0b eb ba e8 cf dc 0a 01 85 c0 74 b1 48 c7 c0 08 52 83 86 48 c1
RSP: 0018:ffffc90002ba7408 EFLAGS: 00010246
RAX: da304f47cb4c9300 RBX: 0000000000000001 RCX: ffff88810f006480
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: ffffc90002ba7418 R08: ffffffff81570615 R09: ffffed103ee44e83
R10: 0000000000000000 R11: dffffc0000000001 R12: 1ffff92000574f08
R13: 00000000201ff000 R14: dffffc0000000000 R15: 0000000020200000
FS: 0000000000000000(0000) GS:ffff8881f7200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f273fc8a000 CR3: 00000001225d4000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
__raw_spin_unlock include/linux/spinlock_api_smp.h:143 [inline]
_raw_spin_unlock+0x4c/0x70 kernel/locking/spinlock.c:186
spin_unlock include/linux/spinlock.h:389 [inline]
zap_pte_range mm/memory.c:1508 [inline]
zap_pmd_range mm/memory.c:1567 [inline]
zap_pud_range mm/memory.c:1596 [inline]
zap_p4d_range mm/memory.c:1617 [inline]
unmap_page_range+0x2379/0x2670 mm/memory.c:1638
unmap_single_vma mm/memory.c:1686 [inline]
unmap_vmas+0x3ac/0x580 mm/memory.c:1723
exit_mmap+0x1cc/0x4c0 mm/mmap.c:3162
__mmput+0x95/0x300 kernel/fork.c:1187
mmput+0x59/0x70 kernel/fork.c:1208
exit_mm kernel/exit.c:510 [inline]
do_exit+0xa5b/0x27d0 kernel/exit.c:782
do_group_exit+0x255/0x320 kernel/exit.c:925
get_signal+0x170e/0x1870 kernel/signal.c:2875
arch_do_signal_or_restart+0xb0/0x12a0 arch/x86/kernel/signal.c:869
exit_to_user_mode_loop+0x6b/0xa0 kernel/entry/common.c:166
exit_to_user_mode_prepare+0x5a/0xa0 kernel/entry/common.c:201
__syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline]
syscall_exit_to_user_mode+0x26/0x130 kernel/entry/common.c:294
do_syscall_64+0x49/0x80 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7f273ee8c0f9
Code: Unable to access opcode bytes at RIP 0x7f273ee8c0cf.
RSP: 002b:00007f273fc89218 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007f273efabf88 RCX: 00007f273ee8c0f9
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f273efabf88
RBP: 00007f273efabf80 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f273efabf8c
R13: 00007ffe24fe785f R14: 00007f273fc89300 R15: 0000000000022000
</TASK>
---[ end trace 0000000000000000 ]---


Tested on:

commit: 664a393a Merge tag 'input-for-v5.19-rc0' of git://git...
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs.git
console output: https://syzkaller.appspot.com/x/log.txt?x=1752a196c80000
kernel config: https://syzkaller.appspot.com/x/.config?x=b324a3dfde71e74a

Tudor Ambarus

Mar 23, 2023, 10:56:28 AM3/23/23
to syzbot, jone...@google.com, syzkaller-a...@googlegroups.com
#syz test:
git://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs.git
f8a52af9d00d59fd887d8ad1fa0c2c88a5d775b9

syzbot

Mar 23, 2023, 11:18:25 AM3/23/23
to jone...@google.com, syzkaller-a...@googlegroups.com, tudor....@linaro.org
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: scheduling while atomic in f2fs_register_inmem_page

F2FS-fs (loop0): Found nat_bits in checkpoint
F2FS-fs (loop0): Try to recover 1th superblock, ret: 0
F2FS-fs (loop0): Mounted with checkpoint version = 753bd00b
BUG: scheduling while atomic: syz-executor.0/501/0x00000002
Modules linked in:
Preemption disabled at:
[<ffffffff81a67074>] spin_lock include/linux/spinlock.h:349 [inline]
[<ffffffff81a67074>] zap_pte_range mm/memory.c:1410 [inline]
[<ffffffff81a67074>] zap_pmd_range mm/memory.c:1567 [inline]
[<ffffffff81a67074>] zap_pud_range mm/memory.c:1596 [inline]
[<ffffffff81a67074>] zap_p4d_range mm/memory.c:1617 [inline]
[<ffffffff81a67074>] unmap_page_range+0xa64/0x2670 mm/memory.c:1638
CPU: 1 PID: 501 Comm: syz-executor.0 Not tainted 5.18.0-syzkaller-11630-gf8a52af9d00d #0
RIP: 0033:0x7f169328c0f9
Code: Unable to access opcode bytes at RIP 0x7f169328c0cf.
RSP: 002b:00007f1693fe1218 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007f16933abf88 RCX: 00007f169328c0f9
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f16933abf88
RBP: 00007f16933abf80 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f16933abf8c
R13: 00007ffc1a13908f R14: 00007f1693fe1300 R15: 0000000000022000
</TASK>
------------[ cut here ]------------
DEBUG_LOCKS_WARN_ON(val > preempt_count())
WARNING: CPU: 1 PID: 501 at kernel/sched/core.c:5604 preempt_count_sub+0xa8/0x160 kernel/sched/core.c:5604
Modules linked in:
CPU: 0 PID: 501 Comm: syz-executor.0 Tainted: G W 5.18.0-syzkaller-11630-gf8a52af9d00d #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
RIP: 0010:preempt_count_sub+0xa8/0x160 kernel/sched/core.c:5604
Code: 03 42 0f b6 04 30 84 c0 0f 85 86 00 00 00 83 3d 65 b8 35 05 00 75 d1 48 c7 c7 e0 e9 08 85 48 c7 c6 80 ea 08 85 e8 e8 b1 f5 ff <0f> 0b eb ba e8 ef 2d 0b 01 85 c0 74 b1 48 c7 c0 48 56 83 86 48 c1
RSP: 0018:ffffc90002c0f408 EFLAGS: 00010246
RAX: fbbb40b4b3dd4f00 RBX: 0000000000000001 RCX: ffff88810d4f4300
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: ffffc90002c0f418 R08: ffffffff81571875 R09: ffffed103ee64e83
R10: 0000000000000000 R11: dffffc0000000001 R12: 1ffff92000581f08
R13: 00000000201ff000 R14: dffffc0000000000 R15: 0000000020200000
FS: 0000000000000000(0000) GS:ffff8881f7200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020003700 CR3: 0000000121d14000 CR4: 00000000003506b0
RIP: 0033:0x7f169328c0f9
Code: Unable to access opcode bytes at RIP 0x7f169328c0cf.
RSP: 002b:00007f1693fe1218 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007f16933abf88 RCX: 00007f169328c0f9
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f16933abf88
RBP: 00007f16933abf80 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f16933abf8c
R13: 00007ffc1a13908f R14: 00007f1693fe1300 R15: 0000000000022000
</TASK>
---[ end trace 0000000000000000 ]---
syz-executor.0 (501) used greatest stack depth: 21416 bytes left


Tested on:

commit: f8a52af9 Merge tag 'i2c-for-5.19' of git://git.kernel...
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs.git
console output: https://syzkaller.appspot.com/x/log.txt?x=1774857ac80000
kernel config: https://syzkaller.appspot.com/x/.config?x=bb4d5d80a036040a

Tudor Ambarus

Mar 23, 2023, 11:30:24 AM3/23/23
to syzbot, jone...@google.com, syzkaller-a...@googlegroups.com
#syz test:
git://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs.git
96752be4d7b443e6f1e322428d61f777d7d8bd4d

syzbot

Mar 23, 2023, 11:47:21 AM3/23/23
to jone...@google.com, syzkaller-a...@googlegroups.com, tudor....@linaro.org
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+b9c671...@syzkaller.appspotmail.com

Tested on:

commit: 96752be4 Merge tag 'linux-watchdog-5.19-rc1' of git://..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs.git
console output: https://syzkaller.appspot.com/x/log.txt?x=171c8deec80000
kernel config: https://syzkaller.appspot.com/x/.config?x=1f5ad8716741b91d
dashboard link: https://syzkaller.appspot.com/bug?extid=b9c67110e04430822b08
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2

Note: no patches were applied.

Tudor Ambarus

Mar 23, 2023, 11:55:21 AM3/23/23
to syzbot, jone...@google.com, syzkaller-a...@googlegroups.com
#syz test:
git://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs.git
68e6134bb70ab20e9f7c36c1ae7dc96b8ed778ae

On 3/23/23 15:47, syzbot wrote:

syzbot

Mar 23, 2023, 12:37:25 PM3/23/23
to jone...@google.com, syzkaller-a...@googlegroups.com, tudor....@linaro.org
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+b9c671...@syzkaller.appspotmail.com

Tested on:

commit: 68e6134b Merge tag 'rpmsg-v5.19' of git://git.kernel.o..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs.git
console output: https://syzkaller.appspot.com/x/log.txt?x=148d6191c80000

Tudor Ambarus

Mar 23, 2023, 1:40:06 PM3/23/23
to syzbot, jone...@google.com, syzkaller-a...@googlegroups.com
#syz test:
git://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs.git
1501f707d2b24316b41d45bdc95a73bc8cc8dd49

syzbot

Mar 23, 2023, 5:43:26 PM3/23/23
to jone...@google.com, syzkaller-a...@googlegroups.com, tudor....@linaro.org
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+b9c671...@syzkaller.appspotmail.com

Tested on:

commit: 1501f707 Merge tag 'f2fs-for-5.19-rc1' of git://git.ke..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs.git
console output: https://syzkaller.appspot.com/x/log.txt?x=17e3accec80000
kernel config: https://syzkaller.appspot.com/x/.config?x=404d7ac5c626b4e6

Tudor Ambarus

Mar 24, 2023, 1:49:33 AM
to syzbot, jone...@google.com, syzkaller-a...@googlegroups.com
#syz test:
git://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs.git
c81d5bae404abc6b257667e84d39b9b50c7063d4

syzbot

Mar 24, 2023, 2:06:33 AM
to jone...@google.com, syzkaller-a...@googlegroups.com, tudor....@linaro.org
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+b9c671...@syzkaller.appspotmail.com

Tested on:

commit: c81d5bae f2fs: do not stop GC when requiring a free se..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs.git
console output: https://syzkaller.appspot.com/x/log.txt?x=1699a051c80000
kernel config: https://syzkaller.appspot.com/x/.config?x=6cadb319a249e88e

Tudor Ambarus

Mar 24, 2023, 2:26:04 AM
to syzbot, jone...@google.com, syzkaller-a...@googlegroups.com
#syz test:
git://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs.git
f2db71053dc0409fae785096ad19cce4c8a95af7

syzbot

Mar 24, 2023, 2:34:23 AM
to jone...@google.com, syzkaller-a...@googlegroups.com, tudor....@linaro.org
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: scheduling while atomic in f2fs_register_inmem_page

F2FS-fs (loop0): Found nat_bits in checkpoint
F2FS-fs (loop0): Try to recover 1th superblock, ret: 0
F2FS-fs (loop0): Mounted with checkpoint version = 753bd00b
BUG: scheduling while atomic: syz-executor.0/493/0x00000002
Modules linked in:
Preemption disabled at:
[<ffffffff81a47902>] spin_lock include/linux/spinlock.h:349 [inline]
[<ffffffff81a47902>] zap_pte_range mm/memory.c:1355 [inline]
[<ffffffff81a47902>] zap_pmd_range mm/memory.c:1497 [inline]
[<ffffffff81a47902>] zap_pud_range mm/memory.c:1526 [inline]
[<ffffffff81a47902>] zap_p4d_range mm/memory.c:1547 [inline]
[<ffffffff81a47902>] unmap_page_range+0xa82/0x1ed0 mm/memory.c:1568
CPU: 0 PID: 493 Comm: syz-executor.0 Not tainted 5.18.0-rc4-syzkaller-00021-gf2db71053dc0 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x151/0x1b7 lib/dump_stack.c:106
dump_stack+0x15/0x17 lib/dump_stack.c:113
__schedule_bug+0x1a0/0x240 kernel/sched/core.c:5617
schedule_debug kernel/sched/core.c:5644 [inline]
__schedule+0xd0a/0x1560 kernel/sched/core.c:6279
schedule+0xeb/0x1a0 kernel/sched/core.c:6460
schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:6519
__mutex_lock_common kernel/locking/mutex.c:673 [inline]
__mutex_lock+0x8b8/0x1040 kernel/locking/mutex.c:733
__mutex_lock_slowpath+0xe/0x10 kernel/locking/mutex.c:1021
mutex_lock+0xeb/0x120 kernel/locking/mutex.c:283
f2fs_register_inmem_page+0x22c/0x4b0 fs/f2fs/segment.c:203
f2fs_dirty_data_folio+0x31d/0x440 fs/f2fs/data.c:3568
folio_mark_dirty+0xd3/0xf0 mm/page-writeback.c:2630
set_page_dirty+0x5c/0x70 mm/folio-compat.c:84
zap_pte_range mm/memory.c:1382 [inline]
zap_pmd_range mm/memory.c:1497 [inline]
zap_pud_range mm/memory.c:1526 [inline]
zap_p4d_range mm/memory.c:1547 [inline]
unmap_page_range+0x12e4/0x1ed0 mm/memory.c:1568
unmap_single_vma mm/memory.c:1613 [inline]
unmap_vmas+0x389/0x560 mm/memory.c:1645
exit_mmap+0x1cc/0x4c0 mm/mmap.c:3140
__mmput+0x95/0x300 kernel/fork.c:1183
mmput+0x59/0x70 kernel/fork.c:1205
exit_mm kernel/exit.c:510 [inline]
do_exit+0xa5b/0x27d0 kernel/exit.c:782
do_group_exit+0x255/0x320 kernel/exit.c:925
get_signal+0x170e/0x1870 kernel/signal.c:2864
arch_do_signal_or_restart+0xb0/0x12a0 arch/x86/kernel/signal.c:867
exit_to_user_mode_loop+0x6b/0xa0 kernel/entry/common.c:166
exit_to_user_mode_prepare+0x5a/0xa0 kernel/entry/common.c:201
__syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline]
syscall_exit_to_user_mode+0x26/0x130 kernel/entry/common.c:294
do_syscall_64+0x49/0x80 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x44/0xae
</TASK>
------------[ cut here ]------------
DEBUG_LOCKS_WARN_ON(val > preempt_count())
WARNING: CPU: 0 PID: 493 at kernel/sched/core.c:5561 preempt_count_sub+0xa8/0x160 kernel/sched/core.c:5561
Modules linked in:
CPU: 0 PID: 493 Comm: syz-executor.0 Tainted: G W 5.18.0-rc4-syzkaller-00021-gf2db71053dc0 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Call Trace:
<TASK>
__raw_spin_unlock include/linux/spinlock_api_smp.h:143 [inline]
_raw_spin_unlock+0x4c/0x70 kernel/locking/spinlock.c:186
spin_unlock include/linux/spinlock.h:389 [inline]
zap_pte_range mm/memory.c:1438 [inline]
zap_pmd_range mm/memory.c:1497 [inline]
zap_pud_range mm/memory.c:1526 [inline]
zap_p4d_range mm/memory.c:1547 [inline]
unmap_page_range+0x1c84/0x1ed0 mm/memory.c:1568
unmap_single_vma mm/memory.c:1613 [inline]
unmap_vmas+0x389/0x560 mm/memory.c:1645
exit_mmap+0x1cc/0x4c0 mm/mmap.c:3140
__mmput+0x95/0x300 kernel/fork.c:1183
mmput+0x59/0x70 kernel/fork.c:1205
exit_mm kernel/exit.c:510 [inline]
do_exit+0xa5b/0x27d0 kernel/exit.c:782
do_group_exit+0x255/0x320 kernel/exit.c:925
get_signal+0x170e/0x1870 kernel/signal.c:2864
arch_do_signal_or_restart+0xb0/0x12a0 arch/x86/kernel/signal.c:867
exit_to_user_mode_loop+0x6b/0xa0 kernel/entry/common.c:166
exit_to_user_mode_prepare+0x5a/0xa0 kernel/entry/common.c:201
__syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline]
syscall_exit_to_user_mode+0x26/0x130 kernel/entry/common.c:294
do_syscall_64+0x49/0x80 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x44/0xae
</TASK>
---[ end trace 0000000000000000 ]---


Tested on:

commit: f2db7105 f2fs: fix to clear dirty inode in f2fs_evict_..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs.git
console output: https://syzkaller.appspot.com/x/log.txt?x=174c0c29c80000

Tudor Ambarus

Mar 24, 2023, 3:06:50 AM
to syzbot, jone...@google.com, syzkaller-a...@googlegroups.com
#syz test:
git://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs.git
2880f47b949f1f49e2d861ffbba91d57416be7d9

syzbot

Mar 24, 2023, 3:15:27 AM
to jone...@google.com, syzkaller-a...@googlegroups.com, tudor....@linaro.org
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: scheduling while atomic in f2fs_register_inmem_page

F2FS-fs (loop0): Found nat_bits in checkpoint
F2FS-fs (loop0): Try to recover 1th superblock, ret: 0
F2FS-fs (loop0): Mounted with checkpoint version = 753bd00b
BUG: scheduling while atomic: syz-executor.0/471/0x00000002
Modules linked in:
Preemption disabled at:
[<ffffffff81a47902>] spin_lock include/linux/spinlock.h:349 [inline]
[<ffffffff81a47902>] zap_pte_range mm/memory.c:1355 [inline]
[<ffffffff81a47902>] zap_pmd_range mm/memory.c:1497 [inline]
[<ffffffff81a47902>] zap_pud_range mm/memory.c:1526 [inline]
[<ffffffff81a47902>] zap_p4d_range mm/memory.c:1547 [inline]
[<ffffffff81a47902>] unmap_page_range+0xa82/0x1ed0 mm/memory.c:1568
CPU: 1 PID: 471 Comm: syz-executor.0 Not tainted 5.18.0-rc4-syzkaller-00028-g2880f47b949f #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x151/0x1b7 lib/dump_stack.c:106
dump_stack+0x15/0x17 lib/dump_stack.c:113
__schedule_bug+0x1a0/0x240 kernel/sched/core.c:5617
schedule_debug kernel/sched/core.c:5644 [inline]
__schedule+0xd0a/0x1560 kernel/sched/core.c:6279
schedule+0xeb/0x1a0 kernel/sched/core.c:6460
schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:6519
mutex_optimistic_spin kernel/locking/mutex.c:507 [inline]
__mutex_lock_common kernel/locking/mutex.c:603 [inline]
__mutex_lock+0x4b1/0x1040 kernel/locking/mutex.c:733
</TASK>
------------[ cut here ]------------
DEBUG_LOCKS_WARN_ON(val > preempt_count())
WARNING: CPU: 1 PID: 471 at kernel/sched/core.c:5561 preempt_count_sub+0xa8/0x160 kernel/sched/core.c:5561
Modules linked in:
CPU: 1 PID: 471 Comm: syz-executor.0 Tainted: G W 5.18.0-rc4-syzkaller-00028-g2880f47b949f #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
</TASK>
---[ end trace 0000000000000000 ]---


Tested on:

commit: 2880f47b f2fs: skip GC if possible when checkpoint dis..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs.git
console output: https://syzkaller.appspot.com/x/log.txt?x=11cd3fbec80000

Tudor Ambarus

Mar 24, 2023, 3:50:51 AM
to syzbot, jone...@google.com, syzkaller-a...@googlegroups.com
#syz test:
git://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs.git
7bc155fec5b371dbb57256e84a49c78692a09060

On 3/24/23 07:15, syzbot wrote:

syzbot

Mar 24, 2023, 4:07:21 AM
to jone...@google.com, syzkaller-a...@googlegroups.com, tudor....@linaro.org
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+b9c671...@syzkaller.appspotmail.com

Tested on:

commit: 7bc155fe f2fs: kill volatile write support
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs.git
console output: https://syzkaller.appspot.com/x/log.txt?x=141f4091c80000
kernel config: https://syzkaller.appspot.com/x/.config?x=6cadb319a249e88e
dashboard link: https://syzkaller.appspot.com/bug?extid=b9c67110e04430822b08
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2

Note: no patches were applied.

Tudor Ambarus

Mar 24, 2023, 4:10:46 AM
to syzbot, jone...@google.com, syzkaller-a...@googlegroups.com
#syz test:
git://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs.git
6213f5d4d23c50d393a31dc8e351e63a1fd10dbe

syzbot

Mar 24, 2023, 4:21:23 AM
to jone...@google.com, syzkaller-a...@googlegroups.com, tudor....@linaro.org
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: scheduling while atomic in f2fs_register_inmem_page

F2FS-fs (loop0): Found nat_bits in checkpoint
F2FS-fs (loop0): Try to recover 1th superblock, ret: 0
F2FS-fs (loop0): Mounted with checkpoint version = 753bd00b
BUG: scheduling while atomic: syz-executor.0/494/0x00000002
Modules linked in:
Preemption disabled at:
[<ffffffff81a47902>] spin_lock include/linux/spinlock.h:349 [inline]
[<ffffffff81a47902>] zap_pte_range mm/memory.c:1355 [inline]
[<ffffffff81a47902>] zap_pmd_range mm/memory.c:1497 [inline]
[<ffffffff81a47902>] zap_pud_range mm/memory.c:1526 [inline]
[<ffffffff81a47902>] zap_p4d_range mm/memory.c:1547 [inline]
[<ffffffff81a47902>] unmap_page_range+0xa82/0x1ed0 mm/memory.c:1568
CPU: 1 PID: 494 Comm: syz-executor.0 Not tainted 5.18.0-rc4-syzkaller-00030-g6213f5d4d23c #0
</TASK>
------------[ cut here ]------------
DEBUG_LOCKS_WARN_ON(val > preempt_count())
WARNING: CPU: 1 PID: 494 at kernel/sched/core.c:5561 preempt_count_sub+0xa8/0x160 kernel/sched/core.c:5561
Modules linked in:
CPU: 1 PID: 494 Comm: syz-executor.0 Tainted: G W 5.18.0-rc4-syzkaller-00030-g6213f5d4d23c #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
</TASK>
---[ end trace 0000000000000000 ]---


Tested on:

commit: 6213f5d4 f2fs: don't need inode lock for system hidden..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs.git
console output: https://syzkaller.appspot.com/x/log.txt?x=129736eec80000

Tudor Ambarus

Mar 24, 2023, 4:22:31 AM
to syzbot, jone...@google.com, syzkaller-a...@googlegroups.com
#syz test:
git://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs.git
3db1de0e582c358dd013f3703cd55b5fe4076436

syzbot

Mar 24, 2023, 4:39:21 AM
to jone...@google.com, syzkaller-a...@googlegroups.com, tudor....@linaro.org
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+b9c671...@syzkaller.appspotmail.com

Tested on:

commit: 3db1de0e f2fs: change the current atomic write way
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs.git
console output: https://syzkaller.appspot.com/x/log.txt?x=1784fd19c80000
kernel config: https://syzkaller.appspot.com/x/.config?x=6cadb319a249e88e
dashboard link: https://syzkaller.appspot.com/bug?extid=b9c67110e04430822b08
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2

Note: no patches were applied.

Tudor Ambarus

Mar 24, 2023, 4:40:51 AM
to syzbot, jone...@google.com, syzkaller-a...@googlegroups.com
For readers:

3db1de0e582c358dd013f3703cd55b5fe4076436 is the first fixed commit
commit 3db1de0e582c358dd013f3703cd55b5fe4076436
Author: Daeho Jeong <daeho...@google.com>
Date: Thu Apr 28 11:18:09 2022 -0700

f2fs: change the current atomic write way

Current atomic write has three major issues like below.
- keeps the updates in non-reclaimable memory space and they are even
hard to be migrated, which is not good for contiguous memory
allocation.
- disk spaces used for atomic files cannot be garbage collected, so
this makes it difficult for the filesystem to be defragmented.
- If atomic write operations hit the threshold of either memory usage
or garbage collection failure count, all the atomic write operations
will fail immediately.

To resolve the issues, I will keep a COW inode internally for all the
updates to be flushed from memory, when we need to flush them out in a
situation like high memory pressure. These COW inodes will be tagged
as orphan inodes to be reclaimed in case of sudden power-cut or system
failure during atomic writes.

Signed-off-by: Daeho Jeong <daeho...@google.com>
Signed-off-by: Jaegeuk Kim <jae...@kernel.org>

fs/f2fs/data.c | 180 +++++++++++++--------
fs/f2fs/debug.c | 12 +-
fs/f2fs/f2fs.h | 33 +---
fs/f2fs/file.c | 49 +++---
fs/f2fs/gc.c | 27 +---
fs/f2fs/inode.c | 3 +-
fs/f2fs/namei.c | 28 ++--
fs/f2fs/node.c | 4 -
fs/f2fs/node.h | 1 -
fs/f2fs/segment.c | 380 +++++++++++++++-----------------------------
fs/f2fs/segment.h | 4 +-
fs/f2fs/super.c | 6 +-
include/trace/events/f2fs.h | 22 ---
13 files changed, 303 insertions(+), 446 deletions(-)

Tudor Ambarus

May 11, 2023, 4:26:25 AM
to syzbot+b9c671...@syzkaller.appspotmail.com, jone...@google.com, syzkaller-a...@googlegroups.com
#syz test: https://android.googlesource.com/kernel/common
5448b2fda85f2d90de03f053226f721ba2f7e731

On 3/20/23 11:50, Tudor Ambarus wrote:
> #syz test: https://android.googlesource.com/kernel/common
> 5448b2fda85f2d90de03f053226f721ba2f7e731

Tudor Ambarus

May 11, 2023, 5:00:42 AM
to syzbot+179781...@syzkaller.appspotmail.com, syzkaller-a...@googlegroups.com, Lee Jones
#syz test: https://android.googlesource.com/kernel/common
416c4356f37295d6da2d7b290069f9adb349dc9f

syzbot

May 11, 2023, 5:05:39 AM
to jone...@google.com, syzkaller-a...@googlegroups.com, tudor....@linaro.org
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: scheduling while atomic in f2fs_register_inmem_page

F2FS-fs (loop0): Found nat_bits in checkpoint
F2FS-fs (loop0): Try to recover 1th superblock, ret: 0
F2FS-fs (loop0): Mounted with checkpoint version = 753bd00b
BUG: scheduling while atomic: syz-executor.0/388/0x00000002
Modules linked in:
Preemption disabled at:
[<ffffffff81a56caf>] spin_lock include/linux/spinlock.h:363 [inline]
[<ffffffff81a56caf>] zap_pte_range mm/memory.c:1377 [inline]
[<ffffffff81a56caf>] zap_pmd_range mm/memory.c:1540 [inline]
[<ffffffff81a56caf>] zap_pud_range mm/memory.c:1569 [inline]
[<ffffffff81a56caf>] zap_p4d_range mm/memory.c:1590 [inline]
[<ffffffff81a56caf>] unmap_page_range+0xa2f/0x1ca0 mm/memory.c:1611
CPU: 0 PID: 388 Comm: syz-executor.0 Not tainted 5.15.94-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x151/0x1b7 lib/dump_stack.c:106
dump_stack+0x15/0x17 lib/dump_stack.c:113
__schedule_bug+0x195/0x260 kernel/sched/core.c:5730
schedule_debug kernel/sched/core.c:5757 [inline]
__schedule+0xdd0/0x1620 kernel/sched/core.c:6425
schedule+0x11f/0x1e0 kernel/sched/core.c:6618
schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:6677
mutex_optimistic_spin kernel/locking/mutex.c:511 [inline]
__mutex_lock_common kernel/locking/mutex.c:608 [inline]
__mutex_lock+0x51d/0x13f0 kernel/locking/mutex.c:743
__mutex_lock_slowpath+0xe/0x10 kernel/locking/mutex.c:994
mutex_lock+0x135/0x1e0 kernel/locking/mutex.c:288
f2fs_register_inmem_page+0x22c/0x4b0 fs/f2fs/segment.c:202
f2fs_set_data_page_dirty+0x591/0x730 fs/f2fs/data.c:3627
set_page_dirty+0x1a4/0x300 mm/page-writeback.c:2611
zap_pte_range mm/memory.c:1412 [inline]
zap_pmd_range mm/memory.c:1540 [inline]
zap_pud_range mm/memory.c:1569 [inline]
zap_p4d_range mm/memory.c:1590 [inline]
unmap_page_range+0xf33/0x1ca0 mm/memory.c:1611
unmap_single_vma mm/memory.c:1656 [inline]
unmap_vmas+0x389/0x560 mm/memory.c:1688
exit_mmap+0x3d8/0x6f0 mm/mmap.c:3209
__mmput+0x95/0x310 kernel/fork.c:1171
mmput+0x5b/0x170 kernel/fork.c:1194
exit_mm kernel/exit.c:551 [inline]
do_exit+0xbb4/0x2b60 kernel/exit.c:862
do_group_exit+0x141/0x310 kernel/exit.c:997
get_signal+0x7a3/0x1630 kernel/signal.c:2891
arch_do_signal_or_restart+0xbd/0x1680 arch/x86/kernel/signal.c:865
handle_signal_work kernel/entry/common.c:148 [inline]
exit_to_user_mode_loop+0xa0/0xe0 kernel/entry/common.c:172
exit_to_user_mode_prepare+0x5a/0xa0 kernel/entry/common.c:207
__syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline]
syscall_exit_to_user_mode+0x26/0x160 kernel/entry/common.c:300
do_syscall_64+0x49/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x61/0xcb
</TASK>
------------[ cut here ]------------
DEBUG_LOCKS_WARN_ON(val > preempt_count())
WARNING: CPU: 0 PID: 388 at kernel/sched/core.c:5673 preempt_count_sub+0xa8/0x160 kernel/sched/core.c:5673
Modules linked in:
CPU: 0 PID: 388 Comm: syz-executor.0 Tainted: G W 5.15.94-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023
Call Trace:
<TASK>
__raw_spin_unlock include/linux/spinlock_api_smp.h:152 [inline]
_raw_spin_unlock+0x4d/0x70 kernel/locking/spinlock.c:186
spin_unlock include/linux/spinlock.h:403 [inline]
zap_pte_range mm/memory.c:1481 [inline]
zap_pmd_range mm/memory.c:1540 [inline]
zap_pud_range mm/memory.c:1569 [inline]
zap_p4d_range mm/memory.c:1590 [inline]
unmap_page_range+0x1a8c/0x1ca0 mm/memory.c:1611
unmap_single_vma mm/memory.c:1656 [inline]
unmap_vmas+0x389/0x560 mm/memory.c:1688
exit_mmap+0x3d8/0x6f0 mm/mmap.c:3209
__mmput+0x95/0x310 kernel/fork.c:1171
mmput+0x5b/0x170 kernel/fork.c:1194
exit_mm kernel/exit.c:551 [inline]
do_exit+0xbb4/0x2b60 kernel/exit.c:862
do_group_exit+0x141/0x310 kernel/exit.c:997
get_signal+0x7a3/0x1630 kernel/signal.c:2891
arch_do_signal_or_restart+0xbd/0x1680 arch/x86/kernel/signal.c:865
handle_signal_work kernel/entry/common.c:148 [inline]
exit_to_user_mode_loop+0xa0/0xe0 kernel/entry/common.c:172
exit_to_user_mode_prepare+0x5a/0xa0 kernel/entry/common.c:207
__syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline]
syscall_exit_to_user_mode+0x26/0x160 kernel/entry/common.c:300
do_syscall_64+0x49/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x61/0xcb
</TASK>
---[ end trace 495fe82a2bfbfb9a ]---


Tested on:

commit: 5448b2fd Merge 5.15.94 into android13-5.15-lts
git tree: https://android.googlesource.com/kernel/common
console output: https://syzkaller.appspot.com/x/log.txt?x=16a91942280000
kernel config: https://syzkaller.appspot.com/x/.config?x=2bc7633dee4d7ae2

Tudor Ambarus

May 11, 2023, 5:09:57 AM
to syzbot+b9c671...@syzkaller.appspotmail.com, jone...@google.com, syzkaller-a...@googlegroups.com
#syz test:
git://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs.git
3db1de0e582c358dd013f3703cd55b5fe4076436

syzbot

May 11, 2023, 5:20:26 AM
to jone...@google.com, syzkaller-a...@googlegroups.com, tudor....@linaro.org
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: scheduling while atomic in f2fs_register_inmem_page

F2FS-fs (loop0): Found nat_bits in checkpoint
F2FS-fs (loop0): Try to recover 1th superblock, ret: 0
F2FS-fs (loop0): Mounted with checkpoint version = 753bd00b
BUG: scheduling while atomic: syz-executor.0/385/0x00000002
Modules linked in:
Preemption disabled at:
[<ffffffff81981bb5>] spin_lock include/linux/spinlock.h:354 [inline]
[<ffffffff81981bb5>] zap_pte_range mm/memory.c:1284 [inline]
[<ffffffff81981bb5>] zap_pmd_range mm/memory.c:1444 [inline]
[<ffffffff81981bb5>] zap_pud_range mm/memory.c:1473 [inline]
[<ffffffff81981bb5>] zap_p4d_range mm/memory.c:1494 [inline]
[<ffffffff81981bb5>] unmap_page_range+0xb05/0x2840 mm/memory.c:1516
CPU: 1 PID: 385 Comm: syz-executor.0 Not tainted 5.10.161-syzkaller-00019-g416c4356f372 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack_lvl+0x1e2/0x24b lib/dump_stack.c:118
dump_stack+0x15/0x17 lib/dump_stack.c:135
__schedule_bug+0x1ad/0x2a0 kernel/sched/core.c:4535
schedule_debug kernel/sched/core.c:4562 [inline]
__schedule+0xc5a/0x1330 kernel/sched/core.c:4690
schedule+0x13d/0x1d0 kernel/sched/core.c:4874
schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:4933
mutex_optimistic_spin kernel/locking/mutex.c:724 [inline]
__mutex_lock_common kernel/locking/mutex.c:979 [inline]
__mutex_lock+0x389/0x10b0 kernel/locking/mutex.c:1122
__mutex_lock_slowpath+0xe/0x10 kernel/locking/mutex.c:1385
mutex_lock+0x133/0x1e0 kernel/locking/mutex.c:301
f2fs_register_inmem_page+0x220/0x4a0 fs/f2fs/segment.c:199
f2fs_set_data_page_dirty+0x57d/0x720 fs/f2fs/data.c:3805
set_page_dirty+0x196/0x300 mm/page-writeback.c:2586
zap_pte_range mm/memory.c:1319 [inline]
zap_pmd_range mm/memory.c:1444 [inline]
zap_pud_range mm/memory.c:1473 [inline]
zap_p4d_range mm/memory.c:1494 [inline]
unmap_page_range+0xfd0/0x2840 mm/memory.c:1516
unmap_single_vma mm/memory.c:1562 [inline]
unmap_vmas+0x3ad/0x560 mm/memory.c:1594
exit_mmap+0x2f6/0x5c0 mm/mmap.c:3341
__mmput+0x95/0x2d0 kernel/fork.c:1133
mmput+0x54/0x70 kernel/fork.c:1154
exit_mm kernel/exit.c:489 [inline]
do_exit+0xb91/0x2a00 kernel/exit.c:800
do_group_exit+0x141/0x310 kernel/exit.c:910
get_signal+0xdef/0x1430 kernel/signal.c:2780
arch_do_signal+0xb3/0x1800 arch/x86/kernel/signal.c:805
exit_to_user_mode_loop+0x63/0x90 kernel/entry/common.c:161
exit_to_user_mode_prepare kernel/entry/common.c:191 [inline]
syscall_exit_to_user_mode+0xbc/0x1d0 kernel/entry/common.c:266
do_syscall_64+0x40/0x70 arch/x86/entry/common.c:56
entry_SYSCALL_64_after_hwframe+0x61/0xc6
------------[ cut here ]------------
DEBUG_LOCKS_WARN_ON(val > preempt_count())
WARNING: CPU: 1 PID: 385 at kernel/sched/core.c:4477 preempt_count_sub+0xa8/0x160 kernel/sched/core.c:4477
Modules linked in:
CPU: 0 PID: 385 Comm: syz-executor.0 Tainted: G W 5.10.161-syzkaller-00019-g416c4356f372 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023
Call Trace:
__raw_spin_unlock include/linux/spinlock_api_smp.h:152 [inline]
_raw_spin_unlock+0x4d/0x70 kernel/locking/spinlock.c:183
spin_unlock include/linux/spinlock.h:394 [inline]
zap_pte_range mm/memory.c:1385 [inline]
zap_pmd_range mm/memory.c:1444 [inline]
zap_pud_range mm/memory.c:1473 [inline]
zap_p4d_range mm/memory.c:1494 [inline]
unmap_page_range+0x205e/0x2840 mm/memory.c:1516
unmap_single_vma mm/memory.c:1562 [inline]
unmap_vmas+0x3ad/0x560 mm/memory.c:1594
exit_mmap+0x2f6/0x5c0 mm/mmap.c:3341
__mmput+0x95/0x2d0 kernel/fork.c:1133
mmput+0x54/0x70 kernel/fork.c:1154
exit_mm kernel/exit.c:489 [inline]
do_exit+0xb91/0x2a00 kernel/exit.c:800
do_group_exit+0x141/0x310 kernel/exit.c:910
get_signal+0xdef/0x1430 kernel/signal.c:2780
arch_do_signal+0xb3/0x1800 arch/x86/kernel/signal.c:805
exit_to_user_mode_loop+0x63/0x90 kernel/entry/common.c:161
exit_to_user_mode_prepare kernel/entry/common.c:191 [inline]
syscall_exit_to_user_mode+0xbc/0x1d0 kernel/entry/common.c:266
do_syscall_64+0x40/0x70 arch/x86/entry/common.c:56
entry_SYSCALL_64_after_hwframe+0x61/0xc6
RIP: 0033:0x7f1a7c25d0f9
Code: Unable to access opcode bytes at RIP 0x7f1a7c25d0cf.
RSP: 002b:00007f1a7bdd0218 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007f1a7c37cf88 RCX: 00007f1a7c25d0f9
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f1a7c37cf88
RBP: 00007f1a7c37cf80 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f1a7c37cf8c
R13: 00007ffcd506998f R14: 00007f1a7bdd0300 R15: 0000000000022000
---[ end trace e0f2559e766c6c8d ]---


Tested on:

commit: 416c4356 Merge 5.10.161 into android12-5.10-lts
git tree: https://android.googlesource.com/kernel/common
console output: https://syzkaller.appspot.com/x/log.txt?x=15040e32280000
kernel config: https://syzkaller.appspot.com/x/.config?x=cf75f4dec7b1c0ec
dashboard link: https://syzkaller.appspot.com/bug?extid=1797812e4d8839a03370

syzbot

May 11, 2023, 5:44:23 AM
to jone...@google.com, syzkaller-a...@googlegroups.com, tudor....@linaro.org
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+b9c671...@syzkaller.appspotmail.com

Tested on:

commit: 3db1de0e f2fs: change the current atomic write way
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs.git
console output: https://syzkaller.appspot.com/x/log.txt?x=12ca0d4c280000
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2

Note: no patches were applied.

Tudor Ambarus

May 11, 2023, 5:47:56 AM
to syzbot, jone...@google.com, syzkaller-a...@googlegroups.com
#syz test:
git://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs.git
6213f5d4d23c50d393a31dc8e351e63a1fd10dbe

syzbot

May 11, 2023, 6:19:22 AM
to jone...@google.com, syzkaller-a...@googlegroups.com, tudor....@linaro.org
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: scheduling while atomic in f2fs_register_inmem_page

BUG: scheduling while atomic: syz-executor.0/429/0x00000002
Modules linked in:
Preemption disabled at:
[<ffffffff81a47902>] spin_lock include/linux/spinlock.h:349 [inline]
[<ffffffff81a47902>] zap_pte_range mm/memory.c:1355 [inline]
[<ffffffff81a47902>] zap_pmd_range mm/memory.c:1497 [inline]
[<ffffffff81a47902>] zap_pud_range mm/memory.c:1526 [inline]
[<ffffffff81a47902>] zap_p4d_range mm/memory.c:1547 [inline]
[<ffffffff81a47902>] unmap_page_range+0xa82/0x1ed0 mm/memory.c:1568
CPU: 0 PID: 429 Comm: syz-executor.0 Not tainted 5.18.0-rc4-syzkaller-00030-g6213f5d4d23c #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x151/0x1b7 lib/dump_stack.c:106
dump_stack+0x15/0x17 lib/dump_stack.c:113
RIP: 0033:0x7fc35f08c0f9
Code: Unable to access opcode bytes at RIP 0x7fc35f08c0cf.
RSP: 002b:00007fc35fd87218 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007fc35f1abf88 RCX: 00007fc35f08c0f9
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007fc35f1abf88
RBP: 00007fc35f1abf80 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fc35f1abf8c
R13: 00007ffdece9190f R14: 00007fc35fd87300 R15: 0000000000022000
</TASK>
------------[ cut here ]------------
DEBUG_LOCKS_WARN_ON(val > preempt_count())
WARNING: CPU: 1 PID: 429 at kernel/sched/core.c:5561 preempt_count_sub+0xa8/0x160 kernel/sched/core.c:5561
Modules linked in:
CPU: 1 PID: 429 Comm: syz-executor.0 Tainted: G W 5.18.0-rc4-syzkaller-00030-g6213f5d4d23c #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023
RIP: 0010:preempt_count_sub+0xa8/0x160 kernel/sched/core.c:5561
Code: 03 42 0f b6 04 30 84 c0 0f 85 86 00 00 00 83 3d 95 cd 35 05 00 75 d1 48 c7 c7 60 dc 08 85 48 c7 c6 00 dd 08 85 e8 a8 bb f5 ff <0f> 0b eb ba e8 4f 2b 08 01 85 c0 74 b1 48 c7 c0 d8 18 83 86 48 c1
RSP: 0018:ffffc90002b5f488 EFLAGS: 00010246
RAX: e7cb13d80388d000 RBX: 0000000000000001 RCX: ffff88810d0f90c0
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: ffffc90002b5f498 R08: ffffffff81568a28 R09: fffff5200056bdb1
R10: 0000000000000000 R11: dffffc0000000001 R12: 0400000000000080
R13: 0000000020200000 R14: dffffc0000000000 R15: dffffc0000000000
FS: 0000000000000000(0000) GS:ffff8881f7300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020003700 CR3: 000000000600f000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
RIP: 0033:0x7fc35f08c0f9
Code: Unable to access opcode bytes at RIP 0x7fc35f08c0cf.
RSP: 002b:00007fc35fd87218 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007fc35f1abf88 RCX: 00007fc35f08c0f9
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007fc35f1abf88
RBP: 00007fc35f1abf80 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fc35f1abf8c
R13: 00007ffdece9190f R14: 00007fc35fd87300 R15: 0000000000022000
</TASK>
---[ end trace 0000000000000000 ]---


Tested on:

commit: 6213f5d4 f2fs: don't need inode lock for system hidden..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs.git
console output: https://syzkaller.appspot.com/x/log.txt?x=123b8076280000

Tudor Ambarus

May 11, 2023, 6:34:40 AM
to syzbot, jone...@google.com, syzkaller-a...@googlegroups.com
Ok, so the results are consistent on successive runs. 3db1de0e582c358dd013f3703cd55b5fe4076436 seems to be the first patch that fixes the bug.

Tudor Ambarus

May 12, 2023, 6:22:28 AM
to syzbot+179781...@syzkaller.appspotmail.com, syzkaller-a...@googlegroups.com, Lee Jones, jae...@kernel.org
Bisected mainline and the patch that fixes the bug is:
3db1de0e582c358dd013f3703cd55b5fe4076436 "f2fs: change the current atomic write way".
Backporting the fix to older kernels up to 5.10 is too risky; close this as invalid (won't fix):

#syz invalid

Tudor Ambarus

May 12, 2023, 6:24:04 AM
to syzbot+96e77b...@syzkaller.appspotmail.com, syzkaller-a...@googlegroups.com, Lee Jones, jae...@kernel.org

syzbot

Dec 25, 2023, 5:43:05 PM
to dae...@gmail.com, daeho...@google.com, jae...@kernel.org, jone...@google.com, kerne...@android.com, linux-f2...@lists.sourceforge.net, linux-...@vger.kernel.org, nog...@google.com, syzkaller-a...@googlegroups.com, tudor....@linaro.org
syzbot suspects this issue was fixed by commit:

commit 76ca4a07659a31cc62977664bcf638d6a24af068
Author: Daeho Jeong <daeho...@google.com>
Date: Thu Apr 28 18:18:09 2022 +0000

BACKPORT: f2fs: change the current atomic write way

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=11287ba5e80000
start commit: 61cfd264993d Revert "ipv4/fib: send notify when delete sou..
git tree: android13-5.15-lts
kernel config: https://syzkaller.appspot.com/x/.config?x=86febd5cba631f80
dashboard link: https://syzkaller.appspot.com/bug?extid=b9c67110e04430822b08
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=135fe388e80000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=171ba588e80000

If the result looks correct, please mark the issue as fixed by replying with:

#syz fix: BACKPORT: f2fs: change the current atomic write way

For information about bisection process see: https://goo.gl/tpsmEJ#bisection

syzbot

Mar 4, 2024, 5:27:13 AM
to syzkaller-a...@googlegroups.com
Auto-closing this bug as obsolete.
No recent activity, existing reproducers are no longer triggering the issue.