Hello,
syzbot found the following crash on:
HEAD commit: 8fe42840 Merge 4.9.141 into android-4.9
git tree: android-4.9
console output: https://syzkaller.appspot.com/x/log.txt?x=156793ee600000
kernel config: https://syzkaller.appspot.com/x/.config?x=22a5ba9f73b6da1d
dashboard link: https://syzkaller.appspot.com/bug?extid=043e9abba0e249556578
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
userspace arch: i386
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+043e9a...@syzkaller.appspotmail.com
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 1 PID: 3145 Comm: syz-executor.3 Not tainted 4.9.141+ #23
task: ffff88019de30000 task.stack: ffff88019de38000
RIP: 0010:[<ffffffff815cf7b0>] [<ffffffff815cf7b0>] __read_once_size include/linux/compiler.h:243 [inline]
RIP: 0010:[<ffffffff815cf7b0>] [<ffffffff815cf7b0>] compound_head include/linux/page-flags.h:143 [inline]
RIP: 0010:[<ffffffff815cf7b0>] [<ffffffff815cf7b0>] get_page include/linux/mm.h:768 [inline]
RIP: 0010:[<ffffffff815cf7b0>] [<ffffffff815cf7b0>] submit_page_section fs/direct-io.c:825 [inline]
RIP: 0010:[<ffffffff815cf7b0>] [<ffffffff815cf7b0>] do_direct_IO fs/direct-io.c:1045 [inline]
RIP: 0010:[<ffffffff815cf7b0>] [<ffffffff815cf7b0>] do_blockdev_direct_IO fs/direct-io.c:1274 [inline]
RIP: 0010:[<ffffffff815cf7b0>] [<ffffffff815cf7b0>] __blockdev_direct_IO+0x1b20/0xbd10 fs/direct-io.c:1360
RSP: 0018:ffff88019de3f330 EFLAGS: 00010202
RAX: 0000000000000004 RBX: dffffc0000000000 RCX: ffffc9000432c000
RDX: 0000000000000969 RSI: ffffffff815cf79d RDI: 0000000000000020
RBP: ffff88019de3f650 R08: ffffed003965d82e R09: ffff8801cb2ec100
R10: ffffed003965d82d R11: ffff8801cb2ec16f R12: 0000000000000000
R13: ffffea000677981c R14: ffffea0006779800 R15: ffff8801c99370c0
FS: 0000000000000000(0000) GS:ffff8801db700000(0063) knlGS:00000000f5559b40
CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: 000000002da23000 CR3: 00000001cfdec000 CR4: 00000000001606b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
0000000000000000 fffffbfff0604a02 ffff88019de3f440 ffff8801c9937158
0005080000000000 0000000000001000 000000000002660d ffff8801c9937139
ffff88019de3f540 9547e25400000000 ffff88019de3f4a0 0000000000000fff
Call Trace:
[<ffffffff816de318>] ext4_direct_IO_write fs/ext4/inode.c:3507 [inline]
[<ffffffff816de318>] ext4_direct_IO+0x978/0x29c0 fs/ext4/inode.c:3663
[<ffffffff81411f64>] generic_file_direct_write+0x284/0x510 mm/filemap.c:2655
[<ffffffff8141240f>] __generic_file_write_iter+0x21f/0x540 mm/filemap.c:2835
[<ffffffff816b328d>] ext4_file_write_iter+0x63d/0xd70 fs/ext4/file.c:165
[<ffffffff815071c7>] vfs_iter_write+0x2d7/0x450 fs/read_write.c:390
[<ffffffff815ae4fb>] iter_file_splice_write+0x5fb/0xb30 fs/splice.c:768
[<ffffffff815b066d>] do_splice_from fs/splice.c:870 [inline]
[<ffffffff815b066d>] do_splice fs/splice.c:1166 [inline]
[<ffffffff815b066d>] SYSC_splice fs/splice.c:1416 [inline]
[<ffffffff815b066d>] SyS_splice+0xe4d/0x14d0 fs/splice.c:1399
[<ffffffff81006311>] do_syscall_32_irqs_on arch/x86/entry/common.c:328 [inline]
[<ffffffff81006311>] do_fast_syscall_32+0x2f1/0xa10 arch/x86/entry/common.c:390
[<ffffffff82818de0>] entry_SYSENTER_compat+0x90/0xa2 arch/x86/entry/entry_64_compat.S:137
Code: ff e8 d5 c2 d4 ff 4c 89 ef e8 8d c1 e6 ff e9 39 ff ff ff e8 c3 c2 d4 ff 48 8b 84 24 c8 00 00 00 48 8d 78 20 48 89 f8 48 c1 e8 03 <80> 3c 18 00 0f 85 06 83 00 00 48 8b 84 24 c8 00 00 00 4c 8b 68
RIP [<ffffffff815cf7b0>] __read_once_size include/linux/compiler.h:243 [inline]
RIP [<ffffffff815cf7b0>] compound_head include/linux/page-flags.h:143 [inline]
RIP [<ffffffff815cf7b0>] get_page include/linux/mm.h:768 [inline]
RIP [<ffffffff815cf7b0>] submit_page_section fs/direct-io.c:825 [inline]
RIP [<ffffffff815cf7b0>] do_direct_IO fs/direct-io.c:1045 [inline]
RIP [<ffffffff815cf7b0>] do_blockdev_direct_IO fs/direct-io.c:1274 [inline]
RIP [<ffffffff815cf7b0>] __blockdev_direct_IO+0x1b20/0xbd10 fs/direct-io.c:1360
RSP <ffff88019de3f330>
---[ end trace 6f1d92e22be773c7 ]---
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
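Editor's note on reading the dump, with an added example that is not part of the syzbot report or of the kernel source. The "Code:" bytes around the trap marker decode as `lea rdi,[rax+0x20]; mov rax,rdi; shr rax,3; cmp byte ptr [rax+rbx],0`, i.e. the inline KASAN check of the 8-byte access at RDI = 0x20 (so the base pointer in RAX before the `lea` was 0, a NULL struct page pointer going into compound_head()). The `cmp` reads the shadow byte at (RDI >> 3) + RBX = 0x4 + 0xdffffc0000000000, and that address is non-canonical, which is why the CPU raises #GP rather than #PF and why the report carries the "GPF could be caused by NULL-ptr deref or user memory access" hint. The program below reproduces that arithmetic for the register values in the dump; it assumes the x86-64 KASAN layout (shadow = (addr >> 3) + 0xdffffc0000000000, the value in RBX) and 48-bit canonical addresses. It says nothing about which variable was NULL or why; there is no reproducer on this page.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed example: redo the address arithmetic of the inline KASAN
 * instrumentation for the faulting instruction in the report above.
 *
 * Assumptions (not taken from the report): x86-64 KASAN shadow mapping
 * shadow = (addr >> 3) + KASAN_SHADOW_OFFSET with the offset 0xdffffc0000000000
 * (the value held in RBX in the dump), and 48-bit canonical addressing.
 */
#define KASAN_SHADOW_SCALE_SHIFT 3
#define KASAN_SHADOW_OFFSET      0xdffffc0000000000ULL

/* Address of the shadow byte covering `addr`. This is the memory operand of
 * the trapping `cmp byte ptr [rax+rbx], 0`, with rax = addr >> 3 and
 * rbx = KASAN_SHADOW_OFFSET. */
uint64_t kasan_shadow_addr(uint64_t addr)
{
    return (addr >> KASAN_SHADOW_SCALE_SHIFT) + KASAN_SHADOW_OFFSET;
}

/* 48-bit canonical form: bits 63..47 all zero or all one. A memory operand
 * outside that form raises #GP, not #PF, so no CR2 is recorded for it. */
bool is_canonical48(uint64_t addr)
{
    uint64_t top17 = addr >> 47;
    return top17 == 0 || top17 == 0x1ffff;
}

enum kasan_gpf_cause {
    KASAN_GPF_SHADOW_NONCANONICAL, /* the shadow lookup itself faulted */
    KASAN_GPF_NOT_FROM_SHADOW,     /* shadow address is fine; look elsewhere */
};

/* Classify a GPF taken on a KASAN shadow check of access address `addr`. */
enum kasan_gpf_cause classify_kasan_gpf(uint64_t addr)
{
    return is_canonical48(kasan_shadow_addr(addr))
        ? KASAN_GPF_NOT_FROM_SHADOW
        : KASAN_GPF_SHADOW_NONCANONICAL;
}

/* Recover the base register from `lea rdi, [base+disp]` given the resulting RDI. */
uint64_t lea_base(uint64_t rdi, uint64_t disp)
{
    return rdi - disp;
}

int main(void)
{
    /* Register values taken from the dump above. */
    const uint64_t rdi = 0x20;                          /* address being checked */
    const uint64_t rbx = 0xdffffc0000000000ULL;         /* shadow offset */
    const uint64_t rax = rdi >> KASAN_SHADOW_SCALE_SHIFT; /* 0x4, as in the dump */

    printf("access %#llx -> shadow %#llx (rax+rbx = %#llx), canonical: %s\n",
           (unsigned long long)rdi,
           (unsigned long long)kasan_shadow_addr(rdi),
           (unsigned long long)(rax + rbx),
           is_canonical48(kasan_shadow_addr(rdi)) ? "yes" : "no");
    printf("base pointer before `lea rdi,[rax+0x20]`: %#llx\n",
           (unsigned long long)lea_base(rdi, 0x20));

    /* Same arithmetic for a user address (CR2 in the dump, stale but a valid
     * sample) and a kernel pointer (the task pointer in the dump): user
     * memory also has a non-canonical shadow, a kernel pointer does not. */
    const uint64_t samples[] = { 0x2da23000ULL, 0xffff88019de30000ULL };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("access %#llx -> shadow %#llx, canonical: %s\n",
               (unsigned long long)samples[i],
               (unsigned long long)kasan_shadow_addr(samples[i]),
               is_canonical48(kasan_shadow_addr(samples[i])) ? "yes" : "no");
    return 0;
}
```

The practical use when triaging a KASAN-inline "general protection fault" with no reproducer is to run the faulting operand through this check first: if the shadow address is non-canonical, the GPF is the instrumentation tripping on a NULL or user pointer, and the real question is where that pointer came from (here, the page handed to get_page() in submit_page_section()), not a wild kernel write.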