kernel BUG in ext4_write_inline_data


syzbot

Nov 6, 2022, 3:16:42 AM11/6/22
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 0118fb827bc7 Merge branch 'android12-5.10' into branch 'an..
git tree: android12-5.10-lts
console+strace: https://syzkaller.appspot.com/x/log.txt?x=1399a066880000
kernel config: https://syzkaller.appspot.com/x/.config?x=585a67b78cadff5
dashboard link: https://syzkaller.appspot.com/bug?extid=00f9392c959181b8e1c6
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=169e50fa880000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=124327ee880000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/cc18609231c0/disk-0118fb82.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/1d1a695e1b6f/vmlinux-0118fb82.xz
kernel image: https://storage.googleapis.com/syzbot-assets/05f981b5731d/bzImage-0118fb82.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/bc49768f6176/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+00f939...@syzkaller.appspotmail.com

EXT4-fs (loop0): dirty_blocks=96
EXT4-fs (loop0): Block reservation details
EXT4-fs (loop0): i_reserved_data_blocks=1
------------[ cut here ]------------
kernel BUG at fs/ext4/inline.c:226!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 371 Comm: syz-executor104 Not tainted 5.10.149-syzkaller-01350-g0118fb827bc7 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
RIP: 0010:ext4_write_inline_data+0x382/0x390 fs/ext4/inline.c:226
Code: ff ff 89 d9 80 e1 07 fe c1 38 c1 0f 8c 35 ff ff ff 48 89 df e8 4f c5 cc ff e9 28 ff ff ff e8 05 a6 92 ff 0f 0b e8 fe a5 92 ff <0f> 0b 66 66 2e 0f 1f 84 00 00 00 00 00 90 55 48 89 e5 41 57 41 56
RSP: 0018:ffffc90000a0f638 EFLAGS: 00010293
RAX: ffffffff81da4482 RBX: 000000000000003c RCX: ffff8881067e13c0
RDX: 0000000000000000 RSI: 000000000000003c RDI: 000000000002004c
RBP: ffffc90000a0f690 R08: ffffffff81da424f R09: ffffed10209fae53
R10: ffffed10209fae53 R11: 1ffff110209fae52 R12: 0000000000020026
R13: ffffc90000a0f700 R14: 000000000002004c R15: ffff88811a58dd7c
FS: 0000555555947300(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000004571f0 CR3: 0000000106bd4000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
ext4_write_inline_data_end+0x258/0x4b0 fs/ext4/inline.c:772
ext4_write_end+0x1e5/0xde0 fs/ext4/inode.c:1304
ext4_da_write_end+0xb7/0xb40 fs/ext4/inode.c:3144
generic_perform_write+0x410/0x5b0 mm/filemap.c:3479
ext4_buffered_write_iter+0x47c/0x610 fs/ext4/file.c:272
ext4_file_write_iter+0x192/0x1cd0 fs/ext4/file.c:683
call_write_iter include/linux/fs.h:1952 [inline]
new_sync_write fs/read_write.c:518 [inline]
vfs_write+0xc4a/0xf80 fs/read_write.c:605
ksys_write+0x198/0x2c0 fs/read_write.c:658
__do_sys_write fs/read_write.c:670 [inline]
__se_sys_write fs/read_write.c:667 [inline]
__x64_sys_write+0x7b/0x90 fs/read_write.c:667
do_syscall_64+0x34/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x61/0xc6
RIP: 0033:0x7fe02542fa49
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff90bab7d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fe02542fa49
RDX: 0000000000000026 RSI: 0000000020000580 RDI: 0000000000000003
RBP: 00007fe0253ef210 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe0253ef2a0
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
Modules linked in:
---[ end trace f80412e140b121f6 ]---
RIP: 0010:ext4_write_inline_data+0x382/0x390 fs/ext4/inline.c:226
Code: ff ff 89 d9 80 e1 07 fe c1 38 c1 0f 8c 35 ff ff ff 48 89 df e8 4f c5 cc ff e9 28 ff ff ff e8 05 a6 92 ff 0f 0b e8 fe a5 92 ff <0f> 0b 66 66 2e 0f 1f 84 00 00 00 00 00 90 55 48 89 e5 41 57 41 56
RSP: 0018:ffffc90000a0f638 EFLAGS: 00010293
RAX: ffffffff81da4482 RBX: 000000000000003c RCX: ffff8881067e13c0
RDX: 0000000000000000 RSI: 000000000000003c RDI: 000000000002004c
RBP: ffffc90000a0f690 R08: ffffffff81da424f R09: ffffed10209fae53
R10: ffffed10209fae53 R11: 1ffff110209fae52 R12: 0000000000020026
R13: ffffc90000a0f700 R14: 000000000002004c R15: ffff88811a58dd7c
FS: 0000555555947300(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000004571f0 CR3: 0000000106bd4000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches

syzbot

Nov 6, 2022, 3:33:49 AM11/6/22
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: d87b38e6be0f UPSTREAM: random: restore O_NONBLOCK support
git tree: android12-5.4
console+strace: https://syzkaller.appspot.com/x/log.txt?x=10d2da51880000
kernel config: https://syzkaller.appspot.com/x/.config?x=587759e0bb2a632a
dashboard link: https://syzkaller.appspot.com/bug?extid=70cc467cf6a5d8999f4c
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16f911a9880000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=156894fe880000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/74c80a67b5fa/disk-d87b38e6.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/bb6e14c61b22/vmlinux-d87b38e6.xz
kernel image: https://storage.googleapis.com/syzbot-assets/4b17d7ae152e/bzImage-d87b38e6.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/26f53d7620c1/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+70cc46...@syzkaller.appspotmail.com

------------[ cut here ]------------
kernel BUG at fs/ext4/inline.c:223!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 304 Comm: syz-executor399 Not tainted 5.4.210-syzkaller-00073-gd87b38e6be0f #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
RIP: 0010:ext4_write_inline_data+0x36d/0x370 fs/ext4/inline.c:223
Code: 07 fe c1 38 c1 0f 8c 35 ff ff ff 48 89 ef 48 89 f3 e8 27 3f d4 ff 48 89 de e9 22 ff ff ff e8 0a cc a7 ff 0f 0b e8 03 cc a7 ff <0f> 0b 90 55 41 57 41 56 41 55 41 54 53 48 83 ec 70 49 89 d7 89 f5
RSP: 0018:ffff8881dcc67a08 EFLAGS: 00010293
RAX: ffffffff81b8ccfd RBX: 000000000000003c RCX: ffff8881dd115e80
RDX: 0000000000000000 RSI: 000000000000003c RDI: 000000000002004c
RBP: 0000000000000026 R08: ffffffff81b8cac1 R09: ffffed103c18704f
R10: ffffed103c18704f R11: 1ffff1103c18704e R12: 000000000002004c
R13: ffff8881dcc67a98 R14: ffff8881e5c80414 R15: 0000000000020026
FS: 00005555570a6300(0000) GS:ffff8881f6f00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000004571f0 CR3: 00000001dd226000 CR4: 00000000003406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
ext4_write_inline_data_end+0x214/0x430 fs/ext4/inline.c:769
ext4_write_end+0x1cd/0xe40 fs/ext4/inode.c:1446
generic_perform_write+0x395/0x510 mm/filemap.c:3322
__generic_file_write_iter+0x239/0x490 mm/filemap.c:3440
ext4_file_write_iter+0x46e/0x1040 fs/ext4/file.c:270
call_write_iter include/linux/fs.h:1976 [inline]
new_sync_write fs/read_write.c:483 [inline]
__vfs_write+0x4f9/0x6a0 fs/read_write.c:496
vfs_write+0x210/0x4f0 fs/read_write.c:558
ksys_write+0x158/0x260 fs/read_write.c:611
do_syscall_64+0xcb/0x1c0 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7fdb0f345a29
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffd05694b98 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fdb0f345a29
RDX: 0000000000000026 RSI: 0000000020000580 RDI: 0000000000000003
RBP: 00007fdb0f3051f0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fdb0f305280
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
Modules linked in:
---[ end trace ef252362d6b05493 ]---
RIP: 0010:ext4_write_inline_data+0x36d/0x370 fs/ext4/inline.c:223
Code: 07 fe c1 38 c1 0f 8c 35 ff ff ff 48 89 ef 48 89 f3 e8 27 3f d4 ff 48 89 de e9 22 ff ff ff e8 0a cc a7 ff 0f 0b e8 03 cc a7 ff <0f> 0b 90 55 41 57 41 56 41 55 41 54 53 48 83 ec 70 49 89 d7 89 f5
RSP: 0018:ffff8881dcc67a08 EFLAGS: 00010293
RAX: ffffffff81b8ccfd RBX: 000000000000003c RCX: ffff8881dd115e80
RDX: 0000000000000000 RSI: 000000000000003c RDI: 000000000002004c
RBP: 0000000000000026 R08: ffffffff81b8cac1 R09: ffffed103c18704f
R10: ffffed103c18704f R11: 1ffff1103c18704e R12: 000000000002004c
R13: ffff8881dcc67a98 R14: ffff8881e5c80414 R15: 0000000000020026
FS: 00005555570a6300(0000) GS:ffff8881f6f00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000004571f0 CR3: 00000001dd226000 CR4: 00000000003406e0

Jun Nie

Nov 22, 2022, 1:33:26 AM11/22/22
to syzkaller-android-bugs
The patch below fixes the bug. Waiting for it to be merged into mainline, then backported.

+++ b/fs/ext4/inode.c
@@ -1300,7 +1300,7 @@ static int ext4_write_end(struct file *file,
 
     trace_android_fs_datawrite_end(inode, pos, len);
     trace_ext4_write_end(inode, pos, len, copied);
-    if (inline_data) {
+    if (ext4_test_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA)) {
         ret = ext4_write_inline_data_end(inode, pos, len,
                          copied, page);
         if (ret < 0) {
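Review bot: the hunk replaces the `inline_data` local in the condition but does not touch where that local is assigned; if `int inline_data = ...` still exists earlier in ext4_write_end it is now dead and should be dropped in the same patch (or the hunk should show it being removed), otherwise the build will warn about an unused variable. The posted fragment also has only a `+++` line and no `---` header or commit message, so the rationale is not on record: the reports above show a BUG_ON firing in ext4_write_inline_data (fs/ext4/inline.c:226 on 5.10, :223 on 5.4) reached from ext4_write_inline_data_end, and the change switches ext4_write_end from the `inline_data` value to the EXT4_STATE_MAY_INLINE_DATA inode state so that the write_end path takes the inline route only when the state flag says the write was started inline. The commit message should state that the two tests can disagree and that the state flag is the one the write_begin side used, and should carry the `Reported-by: syzbot+00f939...@syzkaller.appspotmail.com` tag requested in the first report (and the `syzbot+70cc46...` tag for the 5.4 instance if the same patch is meant to cover it). Note also that the 5.10 trace enters through ext4_da_write_end -> ext4_write_end while the 5.4 trace enters ext4_write_end directly; the hunk is against the android tree (it carries `trace_android_fs_datawrite_end`), so the mainline version needs to be rebased without that context line.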