[syzbot] [cluster?] general protection fault in gfs2_dump_glock (2)
16 views
Skip to first unread message
syzbot
Mar 6, 2023, 12:44:38 PM3/6/23
to agru...@redhat.com, cluste...@redhat.com, linux-...@vger.kernel.org, linux-...@vger.kernel.org, rpet...@redhat.com, syzkall...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: f915322fe014 Merge tag 'v6.3-p2' of git://git.kernel.org/p..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16f297b0c80000
kernel config: https://syzkaller.appspot.com/x/.config?x=dc0f7cfe5b32efe2
dashboard link: https://syzkaller.appspot.com/bug?extid=427fed3295e9a7e887f2
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11a8b9bcc80000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11955f54c80000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/ad716bf3cfc2/disk-f915322f.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/3dda0fefb7a2/vmlinux-f915322f.xz
kernel image: https://storage.googleapis.com/syzbot-assets/009b2977ab37/bzImage-f915322f.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/6c7bfd847dac/mount_2.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+427fed...@syzkaller.appspotmail.com
gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:6113 [syz-executor409] __gfs2_lookup+0xa4/0x270 fs/gfs2/inode.c:888
==================================================================
BUG: KASAN: vmalloc-out-of-bounds in gfs2_dump_glock+0x14b3/0x1ad0
Read of size 8 at addr ffffc90005957720 by task syz-executor409/6095
CPU: 0 PID: 6095 Comm: syz-executor409 Not tainted 6.2.0-syzkaller-13563-gf915322fe014 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:319 [inline]
print_report+0x163/0x540 mm/kasan/report.c:430
kasan_report+0x176/0x1b0 mm/kasan/report.c:536
gfs2_dump_glock+0x14b3/0x1ad0
gfs2_consist_inode_i+0xf5/0x110 fs/gfs2/util.c:465
gfs2_dirent_scan+0x512/0x640 fs/gfs2/dir.c:602
gfs2_dirent_search+0x30e/0x8c0 fs/gfs2/dir.c:850
gfs2_dir_search+0xb2/0x2f0 fs/gfs2/dir.c:1650
gfs2_lookupi+0x460/0x5d0 fs/gfs2/inode.c:332
__gfs2_lookup+0xa4/0x270 fs/gfs2/inode.c:888
gfs2_atomic_open+0x9e/0x230 fs/gfs2/inode.c:1292
atomic_open fs/namei.c:3279 [inline]
lookup_open fs/namei.c:3387 [inline]
open_last_lookups fs/namei.c:3484 [inline]
path_openat+0x103c/0x3170 fs/namei.c:3712
do_filp_open+0x234/0x490 fs/namei.c:3742
do_sys_openat2+0x13f/0x500 fs/open.c:1348
do_sys_open fs/open.c:1364 [inline]
__do_sys_open fs/open.c:1372 [inline]
__se_sys_open fs/open.c:1368 [inline]
__x64_sys_open+0x225/0x270 fs/open.c:1368
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7ff0f3f00b39
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 91 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ff0f3ea4208 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
RAX: ffffffffffffffda RBX: 00007ff0f3f90788 RCX: 00007ff0f3f00b39
RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280
RBP: 00007ff0f3f90780 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ff0f3f9078c
R13: 00007fffdfd2a3af R14: 00007ff0f3ea4300 R15: 0000000000022000
</TASK>
Memory state around the buggy address:
ffffc90005957600: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
ffffc90005957680: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
>ffffc90005957700: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
^
ffffc90005957780: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
ffffc90005957800: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot found the following issue on:
HEAD commit: f915322fe014 Merge tag 'v6.3-p2' of git://git.kernel.org/p..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16f297b0c80000
kernel config: https://syzkaller.appspot.com/x/.config?x=dc0f7cfe5b32efe2
dashboard link: https://syzkaller.appspot.com/bug?extid=427fed3295e9a7e887f2
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11a8b9bcc80000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11955f54c80000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/ad716bf3cfc2/disk-f915322f.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/3dda0fefb7a2/vmlinux-f915322f.xz
kernel image: https://storage.googleapis.com/syzbot-assets/009b2977ab37/bzImage-f915322f.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/6c7bfd847dac/mount_2.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+427fed...@syzkaller.appspotmail.com
gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:6113 [syz-executor409] __gfs2_lookup+0xa4/0x270 fs/gfs2/inode.c:888
==================================================================
BUG: KASAN: vmalloc-out-of-bounds in gfs2_dump_glock+0x14b3/0x1ad0
Read of size 8 at addr ffffc90005957720 by task syz-executor409/6095
CPU: 0 PID: 6095 Comm: syz-executor409 Not tainted 6.2.0-syzkaller-13563-gf915322fe014 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:319 [inline]
print_report+0x163/0x540 mm/kasan/report.c:430
kasan_report+0x176/0x1b0 mm/kasan/report.c:536
gfs2_dump_glock+0x14b3/0x1ad0
gfs2_consist_inode_i+0xf5/0x110 fs/gfs2/util.c:465
gfs2_dirent_scan+0x512/0x640 fs/gfs2/dir.c:602
gfs2_dirent_search+0x30e/0x8c0 fs/gfs2/dir.c:850
gfs2_dir_search+0xb2/0x2f0 fs/gfs2/dir.c:1650
gfs2_lookupi+0x460/0x5d0 fs/gfs2/inode.c:332
__gfs2_lookup+0xa4/0x270 fs/gfs2/inode.c:888
gfs2_atomic_open+0x9e/0x230 fs/gfs2/inode.c:1292
atomic_open fs/namei.c:3279 [inline]
lookup_open fs/namei.c:3387 [inline]
open_last_lookups fs/namei.c:3484 [inline]
path_openat+0x103c/0x3170 fs/namei.c:3712
do_filp_open+0x234/0x490 fs/namei.c:3742
do_sys_openat2+0x13f/0x500 fs/open.c:1348
do_sys_open fs/open.c:1364 [inline]
__do_sys_open fs/open.c:1372 [inline]
__se_sys_open fs/open.c:1368 [inline]
__x64_sys_open+0x225/0x270 fs/open.c:1368
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7ff0f3f00b39
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 91 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ff0f3ea4208 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
RAX: ffffffffffffffda RBX: 00007ff0f3f90788 RCX: 00007ff0f3f00b39
RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280
RBP: 00007ff0f3f90780 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ff0f3f9078c
R13: 00007fffdfd2a3af R14: 00007ff0f3ea4300 R15: 0000000000022000
</TASK>
Memory state around the buggy address:
ffffc90005957600: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
ffffc90005957680: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
>ffffc90005957700: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
^
ffffc90005957780: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
ffffc90005957800: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot
Sep 4, 2023, 9:55:33 PM9/4/23
to agru...@redhat.com, cluste...@redhat.com, el...@google.com, linux-...@vger.kernel.org, linux-...@vger.kernel.org, pet...@infradead.org, rpet...@redhat.com, syzkall...@googlegroups.com, valentin....@arm.com
syzbot has bisected this issue to:
commit a8b76910e465d718effce0cad306a21fa4f3526b
Author: Valentin Schneider <valentin....@arm.com>
Date: Wed Nov 10 20:24:44 2021 +0000
preempt: Restore preemption model selection configs
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=1633aaf0680000
start commit: 58390c8ce1bd Merge tag 'iommu-updates-v6.4' of git://git.k..
git tree: upstream
final oops: https://syzkaller.appspot.com/x/report.txt?x=1533aaf0680000
console output: https://syzkaller.appspot.com/x/log.txt?x=1133aaf0680000
kernel config: https://syzkaller.appspot.com/x/.config?x=5eadbf0d3c2ece89
dashboard link: https://syzkaller.appspot.com/bug?extid=427fed3295e9a7e887f2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=172bead8280000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14d01d08280000
Reported-by: syzbot+427fed...@syzkaller.appspotmail.com
Fixes: a8b76910e465 ("preempt: Restore preemption model selection configs")
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
commit a8b76910e465d718effce0cad306a21fa4f3526b
Author: Valentin Schneider <valentin....@arm.com>
Date: Wed Nov 10 20:24:44 2021 +0000
preempt: Restore preemption model selection configs
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=1633aaf0680000
start commit: 58390c8ce1bd Merge tag 'iommu-updates-v6.4' of git://git.k..
git tree: upstream
final oops: https://syzkaller.appspot.com/x/report.txt?x=1533aaf0680000
console output: https://syzkaller.appspot.com/x/log.txt?x=1133aaf0680000
kernel config: https://syzkaller.appspot.com/x/.config?x=5eadbf0d3c2ece89
dashboard link: https://syzkaller.appspot.com/bug?extid=427fed3295e9a7e887f2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=172bead8280000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14d01d08280000
Reported-by: syzbot+427fed...@syzkaller.appspotmail.com
Fixes: a8b76910e465 ("preempt: Restore preemption model selection configs")
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
syzbot
Sep 5, 2023, 5:30:28 AM9/5/23
to nog...@google.com, syzkall...@googlegroups.com
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
scripts/extract-cert.c:46:9: warning: 'ERR_get_error_line' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
scripts/extract-cert.c:59:9: warning: 'ERR_get_error_line' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
scripts/sign-file.c:89:9: warning: 'ERR_get_error_line' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
scripts/sign-file.c:102:9: warning: 'ERR_get_error_line' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
subcmd-util.h:56:23: error: pointer may be used after 'realloc' [-Werror=use-after-free]
subcmd-util.h:58:31: error: pointer may be used after 'realloc' [-Werror=use-after-free]
check.c:2836:58: error: '%d' directive output may be truncated writing between 1 and 10 bytes into a region of size 9 [-Werror=format-truncation=]
Tested on:
commit: a8b76910 preempt: Restore preemption model selection c..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel config: https://syzkaller.appspot.com/x/.config?x=1b32f62c755c3a9c
dashboard link: https://syzkaller.appspot.com/bug?extid=427fed3295e9a7e887f2
compiler: Debian clang version 15.0.6
Note: no patches were applied.
syzbot tried to test the proposed patch but the build/boot failed:
scripts/extract-cert.c:46:9: warning: 'ERR_get_error_line' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
scripts/extract-cert.c:59:9: warning: 'ERR_get_error_line' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
scripts/sign-file.c:89:9: warning: 'ERR_get_error_line' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
scripts/sign-file.c:102:9: warning: 'ERR_get_error_line' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
subcmd-util.h:56:23: error: pointer may be used after 'realloc' [-Werror=use-after-free]
subcmd-util.h:58:31: error: pointer may be used after 'realloc' [-Werror=use-after-free]
check.c:2836:58: error: '%d' directive output may be truncated writing between 1 and 10 bytes into a region of size 9 [-Werror=format-truncation=]
Tested on:
commit: a8b76910 preempt: Restore preemption model selection c..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel config: https://syzkaller.appspot.com/x/.config?x=1b32f62c755c3a9c
dashboard link: https://syzkaller.appspot.com/bug?extid=427fed3295e9a7e887f2
compiler: Debian clang version 15.0.6
Note: no patches were applied.
syzbot
Sep 5, 2023, 5:30:28 AM9/5/23
to nog...@google.com, syzkall...@googlegroups.com
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
scripts/extract-cert.c:46:9: warning: 'ERR_get_error_line' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
scripts/extract-cert.c:59:9: warning: 'ERR_get_error_line' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
scripts/sign-file.c:89:9: warning: 'ERR_get_error_line' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
scripts/sign-file.c:102:9: warning: 'ERR_get_error_line' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
subcmd-util.h:56:23: error: pointer may be used after 'realloc' [-Werror=use-after-free]
subcmd-util.h:58:31: error: pointer may be used after 'realloc' [-Werror=use-after-free]
check.c:2836:58: error: '%d' directive output may be truncated writing between 1 and 10 bytes into a region of size 9 [-Werror=format-truncation=]
Tested on:
commit: 4cc4cc28 arch_topology: Fix missing clear cluster_cpum..
syzbot tried to test the proposed patch but the build/boot failed:
scripts/extract-cert.c:46:9: warning: 'ERR_get_error_line' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
scripts/extract-cert.c:59:9: warning: 'ERR_get_error_line' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
scripts/sign-file.c:89:9: warning: 'ERR_get_error_line' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
scripts/sign-file.c:102:9: warning: 'ERR_get_error_line' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
subcmd-util.h:56:23: error: pointer may be used after 'realloc' [-Werror=use-after-free]
subcmd-util.h:58:31: error: pointer may be used after 'realloc' [-Werror=use-after-free]
check.c:2836:58: error: '%d' directive output may be truncated writing between 1 and 10 bytes into a region of size 9 [-Werror=format-truncation=]
Tested on:
Aleksandr Nogikh
Sep 5, 2023, 5:57:34 AM9/5/23
to syzbot, agru...@redhat.com, cluste...@redhat.com, el...@google.com, linux-...@vger.kernel.org, linux-...@vger.kernel.org, pet...@infradead.org, rpet...@redhat.com, syzkall...@googlegroups.com, valentin....@arm.com
Hmm, no, it might theoretically be that preemption affected bug
reproducibility, but this commit itself definitely has nothing to do
with the gfs2 problem.
reproducibility, but this commit itself definitely has nothing to do
with the gfs2 problem.
syzbot
Feb 19, 2024, 6:58:07 AMFeb 19
to agru...@redhat.com, ax...@kernel.dk, bra...@kernel.org, cluste...@redhat.com, el...@google.com, gf...@lists.linux.dev, ja...@suse.cz, linux-...@vger.kernel.org, linux-...@vger.kernel.org, nog...@google.com, pet...@infradead.org, rpet...@redhat.com, syzkall...@googlegroups.com, valentin....@arm.com
syzbot suspects this issue was fixed by commit:
commit 6f861765464f43a71462d52026fbddfc858239a5
Author: Jan Kara <ja...@suse.cz>
Date: Wed Nov 1 17:43:10 2023 +0000
fs: Block writes to mounted block devices
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=14238a3c180000
#syz fix: fs: Block writes to mounted block devices
commit 6f861765464f43a71462d52026fbddfc858239a5
Author: Jan Kara <ja...@suse.cz>
Date: Wed Nov 1 17:43:10 2023 +0000
fs: Block writes to mounted block devices
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=14238a3c180000
start commit: 58390c8ce1bd Merge tag 'iommu-updates-v6.4' of git://git.k..
git tree: upstream
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=5eadbf0d3c2ece89
dashboard link: https://syzkaller.appspot.com/bug?extid=427fed3295e9a7e887f2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=172bead8280000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14d01d08280000
If the result looks correct, please mark the issue as fixed by replying with:
dashboard link: https://syzkaller.appspot.com/bug?extid=427fed3295e9a7e887f2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=172bead8280000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14d01d08280000
#syz fix: fs: Block writes to mounted block devices
Jan Kara
Feb 19, 2024, 7:56:06 AMFeb 19
to syzbot, agru...@redhat.com, ax...@kernel.dk, bra...@kernel.org, cluste...@redhat.com, el...@google.com, gf...@lists.linux.dev, ja...@suse.cz, linux-...@vger.kernel.org, linux-...@vger.kernel.org, nog...@google.com, pet...@infradead.org, rpet...@redhat.com, syzkall...@googlegroups.com, valentin....@arm.com
working reproducer anymore. So I'm leaving this upto gfs2 maintainers to
decide.
Honza
--
Jan Kara <ja...@suse.com>
SUSE Labs, CR
syzbot
Apr 8, 2024, 12:28:10 AMApr 8
to syzkall...@googlegroups.com
Auto-closing this bug as obsolete.
No recent activity, existing reproducers are no longer triggering the issue.
No recent activity, existing reproducers are no longer triggering the issue.
Reply all
Reply to author
Forward
0 new messages