[Android 5.15] general protection fault in ext4_acquire_dquot

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit: 19c0ed55a470 Merge 5.15.106 into android13-5.15-lts
git tree: android13-5.15-lts
console+strace: https://syzkaller.appspot.com/x/log.txt?x=135e4b72280000
kernel config: https://syzkaller.appspot.com/x/.config?x=e8bc8779358f24fb
dashboard link: https://syzkaller.appspot.com/bug?extid=eeb3feb44c9a5a30c748
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=112f7591280000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1275bd91280000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/8ade0e897782/disk-19c0ed55.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/203011b1fd4d/vmlinux-19c0ed55.xz
kernel image: https://storage.googleapis.com/syzbot-assets/7f39bb0b7ba9/bzImage-19c0ed55.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/1892c23cf3a5/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+eeb3fe...@syzkaller.appspotmail.com

general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
CPU: 0 PID: 528 Comm: syz-executor261 Tainted: G W 5.15.106-syzkaller-00249-g19c0ed55a470 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023
RIP: 0010:ext4_acquire_dquot+0x22e/0x3f0 fs/ext4/super.c:6161
Code: 9c d8 80 01 00 00 48 89 d8 48 c1 e8 03 42 80 3c 38 00 74 08 48 89 df e8 b0 fa ba ff 4c 8b 33 49 83 c6 28 4c 89 f0 48 c1 e8 03 <42> 80 3c 38 00 74 08 4c 89 f7 e8 93 fa ba ff bb c8 03 00 00 49 03
RSP: 0018:ffffc900012f7498 EFLAGS: 00010206
RAX: 0000000000000005 RBX: ffff8881063d9180 RCX: ffff888110b9e2c0
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
RBP: ffffc900012f74e8 R08: ffffffff81f637df R09: ffffed10238be5cb
R10: 0000000000000000 R11: dffffc0000000001 R12: 0000000000000162
R13: 0000000000000049 R14: 0000000000000028 R15: dffffc0000000000
FS: 00007f3c04737700(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffee9b537c0 CR3: 0000000104fe3000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
dqget+0x9d4/0xde0 fs/quota/dquot.c:914
__dquot_initialize+0x2d9/0xe10 fs/quota/dquot.c:1492
dquot_initialize fs/quota/dquot.c:1550 [inline]
dquot_file_open+0x83/0xb0 fs/quota/dquot.c:2174
ext4_file_open+0x2cf/0x700 fs/ext4/file.c:883
do_dentry_open+0x81c/0xfd0 fs/open.c:828
vfs_open+0x73/0x80 fs/open.c:958
do_open fs/namei.c:3538 [inline]
path_openat+0x26f0/0x2f40 fs/namei.c:3672
do_filp_open+0x21c/0x460 fs/namei.c:3699
do_sys_openat2+0x13b/0x500 fs/open.c:1234
do_sys_open fs/open.c:1250 [inline]
__do_sys_openat fs/open.c:1266 [inline]
__se_sys_openat fs/open.c:1261 [inline]
__x64_sys_openat+0x243/0x290 fs/open.c:1261
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7f3c0cb8d679
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f3c047372f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007f3c0cc127c0 RCX: 00007f3c0cb8d679
RDX: 000000000000275a RSI: 0000000020000040 RDI: 00000000ffffff9c
RBP: 00007f3c0cbdf58c R08: 00007f3c04737700 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f3c0cbdf0c0
R13: 0000000020000ec0 R14: 0030656c69662f2e R15: 00007f3c0cc127c8
</TASK>
Modules linked in:
---[ end trace ae5e43b253dd7532 ]---
RIP: 0010:ext4_acquire_dquot+0x22e/0x3f0 fs/ext4/super.c:6161
Code: 9c d8 80 01 00 00 48 89 d8 48 c1 e8 03 42 80 3c 38 00 74 08 48 89 df e8 b0 fa ba ff 4c 8b 33 49 83 c6 28 4c 89 f0 48 c1 e8 03 <42> 80 3c 38 00 74 08 4c 89 f7 e8 93 fa ba ff bb c8 03 00 00 49 03
RSP: 0018:ffffc900012f7498 EFLAGS: 00010206
RAX: 0000000000000005 RBX: ffff8881063d9180 RCX: ffff888110b9e2c0
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
RBP: ffffc900012f74e8 R08: ffffffff81f637df R09: ffffed10238be5cb
R10: 0000000000000000 R11: dffffc0000000001 R12: 0000000000000162
R13: 0000000000000049 R14: 0000000000000028 R15: dffffc0000000000
FS: 00007f3c04737700(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffee9b537c0 CR3: 0000000104fe3000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 9c pushfq
1: d8 80 01 00 00 48 fadds 0x48000001(%rax)
7: 89 d8 mov %ebx,%eax
9: 48 c1 e8 03 shr $0x3,%rax
d: 42 80 3c 38 00 cmpb $0x0,(%rax,%r15,1)
12: 74 08 je 0x1c
14: 48 89 df mov %rbx,%rdi
17: e8 b0 fa ba ff callq 0xffbafacc
1c: 4c 8b 33 mov (%rbx),%r14
1f: 49 83 c6 28 add $0x28,%r14
23: 4c 89 f0 mov %r14,%rax
26: 48 c1 e8 03 shr $0x3,%rax
* 2a: 42 80 3c 38 00 cmpb $0x0,(%rax,%r15,1) <-- trapping instruction
2f: 74 08 je 0x39
31: 4c 89 f7 mov %r14,%rdi
34: e8 93 fa ba ff callq 0xffbafacc
39: bb c8 03 00 00 mov $0x3c8,%ebx
3e: 49 rex.WB
3f: 03 .byte 0x3


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to change bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit: 86a6bbdc8ffe ANDROID: ABI: Update oplus symbol list
git tree: android14-6.1
console+strace: https://syzkaller.appspot.com/x/log.txt?x=113a5786280000
kernel config: https://syzkaller.appspot.com/x/.config?x=772a621c45fe488b
dashboard link: https://syzkaller.appspot.com/bug?extid=c0cc0a5cb98ffbf49add

compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2

syz repro: https://syzkaller.appspot.com/x/repro.syz?x=130ef119280000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14b1cf09280000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/e552959a3488/disk-86a6bbdc.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/7b5b3ed9e5d6/vmlinux-86a6bbdc.xz
kernel image: https://storage.googleapis.com/syzbot-assets/ee3a6868ab68/bzImage-86a6bbdc.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/0812e83108f8/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:

Reported-by: syzbot+c0cc0a...@syzkaller.appspotmail.com

general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]

CPU: 0 PID: 394 Comm: syz-executor375 Tainted: G W 6.1.25-syzkaller-00265-g86a6bbdc8ffe #0

Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023

RIP: 0010:ext4_acquire_dquot+0x22b/0x3f0 fs/ext4/super.c:6740
Code: 9c d8 60 01 00 00 48 89 d8 48 c1 e8 03 42 80 3c 38 00 74 08 48 89 df e8 93 49 b9 ff 4c 8b 33 49 83 c6 28 4c 89 f0 48 c1 e8 03 <42> 80 3c 38 00 74 08 4c 89 f7 e8 76 49 b9 ff bb a8 03 00 00 49 03
RSP: 0018:ffffc90000f874b8 EFLAGS: 00010206
RAX: 0000000000000005 RBX: ffff888109aee160 RCX: ffff88811c0d5f00

RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003

RBP: ffffc90000f87508 R08: ffffffff81ffcafc R09: ffffed1024319039

R10: 0000000000000000 R11: dffffc0000000001 R12: 0000000000000162
R13: 0000000000000049 R14: 0000000000000028 R15: dffffc0000000000

FS: 00007fdac2c64700(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000

CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033

CR2: 00007fdaba883000 CR3: 000000010fe73000 CR4: 00000000003506b0

DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>

dqget+0x9bc/0xdc0 fs/quota/dquot.c:914

__dquot_initialize+0x2d9/0xe10 fs/quota/dquot.c:1492
dquot_initialize fs/quota/dquot.c:1550 [inline]

dquot_file_open+0x83/0xb0 fs/quota/dquot.c:2181
ext4_file_open+0x308/0x750 fs/ext4/file.c:893
do_dentry_open+0x891/0x1250 fs/open.c:884
vfs_open+0x73/0x80 fs/open.c:1015
do_open fs/namei.c:3557 [inline]
path_openat+0x2532/0x2d60 fs/namei.c:3714
do_filp_open+0x230/0x480 fs/namei.c:3741
do_sys_openat2+0x13f/0x850 fs/open.c:1333
do_sys_open fs/open.c:1349 [inline]
__do_sys_openat fs/open.c:1365 [inline]
__se_sys_openat fs/open.c:1360 [inline]
__x64_sys_openat+0x243/0x290 fs/open.c:1360

do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80

entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fdac2cb88e9

Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48

RSP: 002b:00007fdac2c64208 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007fdac2d3d7a8 RCX: 00007fdac2cb88e9

RDX: 000000000000275a RSI: 0000000020000040 RDI: 00000000ffffff9c

RBP: 00007fdac2d3d7a0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fdac2d3d7ac
R13: 00007fffc02c93ff R14: 00007fdac2c64300 R15: 0000000000022000
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:ext4_acquire_dquot+0x22b/0x3f0 fs/ext4/super.c:6740
Code: 9c d8 60 01 00 00 48 89 d8 48 c1 e8 03 42 80 3c 38 00 74 08 48 89 df e8 93 49 b9 ff 4c 8b 33 49 83 c6 28 4c 89 f0 48 c1 e8 03 <42> 80 3c 38 00 74 08 4c 89 f7 e8 76 49 b9 ff bb a8 03 00 00 49 03
RSP: 0018:ffffc90000f874b8 EFLAGS: 00010206
RAX: 0000000000000005 RBX: ffff888109aee160 RCX: ffff88811c0d5f00

RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003

RBP: ffffc90000f87508 R08: ffffffff81ffcafc R09: ffffed1024319039

R10: 0000000000000000 R11: dffffc0000000001 R12: 0000000000000162
R13: 0000000000000049 R14: 0000000000000028 R15: dffffc0000000000

FS: 00007fdac2c64700(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000

CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033

CR2: 00007fffc02c839c CR3: 000000010fe73000 CR4: 00000000003506a0

DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 9c pushfq

1: d8 60 01 fsubs 0x1(%rax)
4: 00 00 add %al,(%rax)
6: 48 89 d8 mov %rbx,%rax

9: 48 c1 e8 03 shr $0x3,%rax
d: 42 80 3c 38 00 cmpb $0x0,(%rax,%r15,1)
12: 74 08 je 0x1c
14: 48 89 df mov %rbx,%rdi

17: e8 93 49 b9 ff callq 0xffb949af

1c: 4c 8b 33 mov (%rbx),%r14
1f: 49 83 c6 28 add $0x28,%r14
23: 4c 89 f0 mov %r14,%rax
26: 48 c1 e8 03 shr $0x3,%rax
* 2a: 42 80 3c 38 00 cmpb $0x0,(%rax,%r15,1) <-- trapping instruction
2f: 74 08 je 0x39
31: 4c 89 f7 mov %r14,%rdi

34: e8 76 49 b9 ff callq 0xffb949af
39: bb a8 03 00 00 mov $0x3a8,%ebx

[syzbot]

syzbot has bisected this issue to:

commit 214194610a18477146588eeb2c8e120fdea21150
Author: Jan Kara <ja...@suse.cz>
Date: Thu Sep 8 09:21:27 2022 +0000

ext4: use locality group preallocation for small closed files

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=145bf7d9280000
start commit: 19c0ed55a470 Merge 5.15.106 into android13-5.15-lts
git tree: android13-5.15-lts
final oops: https://syzkaller.appspot.com/x/report.txt?x=165bf7d9280000
console output: https://syzkaller.appspot.com/x/log.txt?x=125bf7d9280000

kernel config: https://syzkaller.appspot.com/x/.config?x=e8bc8779358f24fb
dashboard link: https://syzkaller.appspot.com/bug?extid=eeb3feb44c9a5a30c748

syz repro: https://syzkaller.appspot.com/x/repro.syz?x=112f7591280000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1275bd91280000

Reported-by: syzbot+eeb3fe...@syzkaller.appspotmail.com
Fixes: 214194610a18 ("ext4: use locality group preallocation for small closed files")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection

[syzbot]

syzbot has bisected this issue to:

commit a9f2a2931d0e197ab28c6007966053fdababd53f

Author: Jan Kara <ja...@suse.cz>
Date: Thu Sep 8 09:21:27 2022 +0000

ext4: use locality group preallocation for small closed files

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=13652869280000
start commit: 86a6bbdc8ffe ANDROID: ABI: Update oplus symbol list
git tree: android14-6.1
final oops: https://syzkaller.appspot.com/x/report.txt?x=10e52869280000
console output: https://syzkaller.appspot.com/x/log.txt?x=17652869280000

kernel config: https://syzkaller.appspot.com/x/.config?x=772a621c45fe488b
dashboard link: https://syzkaller.appspot.com/bug?extid=c0cc0a5cb98ffbf49add

syz repro: https://syzkaller.appspot.com/x/repro.syz?x=130ef119280000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14b1cf09280000

Reported-by: syzbot+c0cc0a...@syzkaller.appspotmail.com
Fixes: a9f2a2931d0e ("ext4: use locality group preallocation for small closed files")

[syzbot]

syzbot suspects this issue was fixed by commit:

commit d55e76e11592a1d18a179c7fd34ca1b52632beb3
Author: Ye Bin <yeb...@huawei.com>
Date: Mon Jan 16 02:00:15 2023 +0000

ext4: fix WARNING in mb_find_extent

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=1571f614680000
start commit: 19c0ed55a470 Merge 5.15.106 into android13-5.15-lts
git tree: android13-5.15-lts

kernel config: https://syzkaller.appspot.com/x/.config?x=e8bc8779358f24fb
dashboard link: https://syzkaller.appspot.com/bug?extid=eeb3feb44c9a5a30c748

syz repro: https://syzkaller.appspot.com/x/repro.syz?x=112f7591280000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1275bd91280000

If the result looks correct, please mark the issue as fixed by replying with:

#syz fix: ext4: fix WARNING in mb_find_extent

[Aleksandr Nogikh]

Not exactly. The repro was triggering two problems, so bisection got confused.

#syz fix: quota: Properly disable quotas when add_dquot_ref() fails

> --
> You received this message because you are subscribed to the Google Groups "syzkaller-android-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-android...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-android-bugs/000000000000f70014060496a612%40google.com.

[syzbot]

syzbot suspects this issue was fixed by commit:

commit dba62fa84a8eac44a53a2862de8a40e5bdfa0ae3

Author: Ye Bin <yeb...@huawei.com>
Date: Mon Jan 16 02:00:15 2023 +0000

ext4: fix WARNING in mb_find_extent

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=112cf473680000
start commit: 86a6bbdc8ffe ANDROID: ABI: Update oplus symbol list
git tree: android14-6.1

kernel config: https://syzkaller.appspot.com/x/.config?x=772a621c45fe488b
dashboard link: https://syzkaller.appspot.com/bug?extid=c0cc0a5cb98ffbf49add

syz repro: https://syzkaller.appspot.com/x/repro.syz?x=130ef119280000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14b1cf09280000

[syzbot]

Auto-closing this bug as obsolete.
No recent activity, existing reproducers are no longer triggering the issue.