[syzbot] [jfs?] general protection fault in lbmStartIO


syzbot

Oct 7, 2023, 6:24:52 PM
to ax...@kernel.dk, bra...@kernel.org, dave.k...@oracle.com, ha...@suse.de, h...@lst.de, ja...@suse.cz, jfs-dis...@lists.sourceforge.net, johannes....@wdc.com, linux-...@vger.kernel.org, linux-...@vger.kernel.org, sha...@kernel.org, syzkall...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: c9f2baaa18b5 Add linux-next specific files for 20231003
git tree: linux-next
console+strace: https://syzkaller.appspot.com/x/log.txt?x=1319f981680000
kernel config: https://syzkaller.appspot.com/x/.config?x=3fe9c462fee1649f
dashboard link: https://syzkaller.appspot.com/bug?extid=23bc20037854bb335d59
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16204836680000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12b62ee6680000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/5361e41384fe/disk-c9f2baaa.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/7028b209124d/vmlinux-c9f2baaa.xz
kernel image: https://storage.googleapis.com/syzbot-assets/a167dc667ee5/bzImage-c9f2baaa.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/ef5dd9fc6a1b/mount_0.gz

The issue was bisected to:

commit bacfceeda53ea9ee9af714245e6c67aa70632b63
Author: Jan Kara <ja...@suse.cz>
Date: Wed Sep 27 09:34:30 2023 +0000

jfs: Convert to bdev_open_by_dev()

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=13a06d8a680000
final oops: https://syzkaller.appspot.com/x/report.txt?x=10606d8a680000
console output: https://syzkaller.appspot.com/x/log.txt?x=17a06d8a680000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+23bc20...@syzkaller.appspotmail.com
Fixes: bacfceeda53e ("jfs: Convert to bdev_open_by_dev()")

general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 1 PID: 5058 Comm: syz-executor352 Not tainted 6.6.0-rc4-next-20231003-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023
RIP: 0010:lbmStartIO+0xb7/0x3a0 fs/jfs/jfs_logmgr.c:2116
Code: fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 cf 02 00 00 48 b8 00 00 00 00 00 fc ff df 49 8b 5c 24 20 48 89 da 48 c1 ea 03 <80> 3c 02 00 0f 85 86 02 00 00 48 8b 3b ba 01 08 00 00 b9 40 0c 00
RSP: 0018:ffffc90003a5fa90 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff82fd8ed3
RDX: 0000000000000000 RSI: ffffffff82fd8ee1 RDI: ffff88807bb07020
RBP: ffff88801764d800 R08: 0000000000000005 R09: 0000000000000003
R10: 0000000000000002 R11: ffffffff910eb4a0 R12: ffff88807bb07000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000002
FS: 0000555555ed5380(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fffc6e0506c CR3: 000000007c5c6000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
lbmWrite+0x32e/0x470 fs/jfs/jfs_logmgr.c:2067
lmNextPage.isra.0+0x278/0x700 fs/jfs/jfs_logmgr.c:616
lmWriteRecord+0xb6d/0x12a0 fs/jfs/jfs_logmgr.c:529
lmLogSync+0x182/0x820 fs/jfs/jfs_logmgr.c:969
jfs_syncpt+0x89/0xa0 fs/jfs/jfs_logmgr.c:1041
jfs_sync_fs+0x83/0xa0 fs/jfs/super.c:685
sync_filesystem fs/sync.c:56 [inline]
sync_filesystem+0x109/0x280 fs/sync.c:30
generic_shutdown_super+0x7e/0x3c0 fs/super.c:669
kill_block_super+0x3b/0x90 fs/super.c:1652
deactivate_locked_super+0xbc/0x1a0 fs/super.c:484
deactivate_super+0xde/0x100 fs/super.c:517
cleanup_mnt+0x222/0x3d0 fs/namespace.c:1256
task_work_run+0x14d/0x240 kernel/task_work.c:180
ptrace_notify+0x10c/0x130 kernel/signal.c:2399
ptrace_report_syscall include/linux/ptrace.h:411 [inline]
ptrace_report_syscall_exit include/linux/ptrace.h:473 [inline]
syscall_exit_work kernel/entry/common.c:251 [inline]
syscall_exit_to_user_mode_prepare+0x120/0x220 kernel/entry/common.c:278
__syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline]
syscall_exit_to_user_mode+0xd/0x60 kernel/entry/common.c:296
do_syscall_64+0x44/0xb0 arch/x86/entry/common.c:87
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7ff1e4cd5547
Code: 07 00 48 83 c4 08 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 b8
RSP: 002b:00007fffc6e05058 EFLAGS: 00000202 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007ff1e4cd5547
RDX: 0000000000000000 RSI: 000000000000000a RDI: 00007fffc6e05110
RBP: 00007fffc6e05110 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000202 R12: 00007fffc6e06180
R13: 0000555555ed66c0 R14: 431bde82d7b634db R15: 00007fffc6e061a0
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:lbmStartIO+0xb7/0x3a0 fs/jfs/jfs_logmgr.c:2116
Code: fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 cf 02 00 00 48 b8 00 00 00 00 00 fc ff df 49 8b 5c 24 20 48 89 da 48 c1 ea 03 <80> 3c 02 00 0f 85 86 02 00 00 48 8b 3b ba 01 08 00 00 b9 40 0c 00
RSP: 0018:ffffc90003a5fa90 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff82fd8ed3
RDX: 0000000000000000 RSI: ffffffff82fd8ee1 RDI: ffff88807bb07020
RBP: ffff88801764d800 R08: 0000000000000005 R09: 0000000000000003
R10: 0000000000000002 R11: ffffffff910eb4a0 R12: ffff88807bb07000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000002
FS: 0000555555ed5380(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000555555ede6f8 CR3: 000000007c5c6000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess), 2 bytes skipped:
0: df 48 89 fisttps -0x77(%rax)
3: fa cli
4: 48 c1 ea 03 shr $0x3,%rdx
8: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1)
c: 0f 85 cf 02 00 00 jne 0x2e1
12: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
19: fc ff df
1c: 49 8b 5c 24 20 mov 0x20(%r12),%rbx
21: 48 89 da mov %rbx,%rdx
24: 48 c1 ea 03 shr $0x3,%rdx
* 28: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) <-- trapping instruction
2c: 0f 85 86 02 00 00 jne 0x2b8
32: 48 8b 3b mov (%rbx),%rdi
35: ba 01 08 00 00 mov $0x801,%edx
3a: b9 .byte 0xb9
3b: 40 0c 00 rex or $0x0,%al


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection

If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Lizhi Xu

Oct 8, 2023, 9:24:35 PM
to syzbot+23bc20...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git c9f2baaa18b5

diff --git a/fs/jfs/jfs_logmgr.c b/fs/jfs/jfs_logmgr.c
index c911d838b8ec..2a1cffc8e7be 100644
--- a/fs/jfs/jfs_logmgr.c
+++ b/fs/jfs/jfs_logmgr.c
@@ -1102,7 +1102,7 @@ int lmLogOpen(struct super_block *sb)

bdev_handle = bdev_open_by_dev(sbi->logdev,
BLK_OPEN_READ | BLK_OPEN_WRITE, log, NULL);
- if (IS_ERR(bdev_handle)) {
+ if (IS_ERR_OR_NULL(bdev_handle)) {
rc = PTR_ERR(bdev_handle);
goto free;
}
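Review bot: the `if (IS_ERR_OR_NULL(bdev_handle))` line cannot affect this oops. bdev_open_by_dev() signals failure with an ERR_PTR (see the `return ERR_PTR(-ENOMEM);` and `return ERR_CAST(bdev);` lines of block/bdev.c quoted later in this thread), so lmLogOpen() never receives a NULL here, and the faulting load is of log->bdev_handle inside lbmStartIO() (the `mov 0x20(%r12),%rbx` just before the trapping KASAN `cmpb`, with RBX == 0 in the register dump), not of the value returned by this call. Note also that if a NULL did arrive, `rc = PTR_ERR(bdev_handle);` would evaluate to 0 and lmLogOpen() would return success after `goto free`, so a NULL check would need an explicit error code such as `rc = -ENODEV;` rather than PTR_ERR().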

syzbot

Oct 8, 2023, 9:40:32 PM
to lizh...@windriver.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in lbmStartIO

general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 0 PID: 5411 Comm: syz-executor.0 Not tainted 6.6.0-rc4-next-20231003-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023
RIP: 0010:lbmStartIO+0xb7/0x3a0 fs/jfs/jfs_logmgr.c:2116
Code: fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 cf 02 00 00 48 b8 00 00 00 00 00 fc ff df 49 8b 5c 24 20 48 89 da 48 c1 ea 03 <80> 3c 02 00 0f 85 86 02 00 00 48 8b 3b ba 01 08 00 00 b9 40 0c 00
RSP: 0018:ffffc90004f87ab8 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff82fd8ed3
RDX: 0000000000000000 RSI: ffffffff82fd8ee1 RDI: ffff88807b192020
RBP: ffff888140accf00 R08: 0000000000000005 R09: 0000000000000003
R10: 0000000000000002 R11: ffffffff910d9a18 R12: ffff88807b192000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000002
FS: 0000555556f96480(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000555556f9f938 CR3: 000000007b52f000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
lbmWrite+0x32e/0x470 fs/jfs/jfs_logmgr.c:2067
lmNextPage.isra.0+0x278/0x700 fs/jfs/jfs_logmgr.c:616
lmWriteRecord+0xb6d/0x12a0 fs/jfs/jfs_logmgr.c:529
lmLogSync+0x182/0x820 fs/jfs/jfs_logmgr.c:969
jfs_syncpt+0x89/0xa0 fs/jfs/jfs_logmgr.c:1041
jfs_sync_fs+0x83/0xa0 fs/jfs/super.c:685
sync_filesystem fs/sync.c:56 [inline]
sync_filesystem+0x109/0x280 fs/sync.c:30
generic_shutdown_super+0x7e/0x3c0 fs/super.c:669
kill_block_super+0x3b/0x90 fs/super.c:1652
deactivate_locked_super+0xbc/0x1a0 fs/super.c:484
deactivate_super+0xde/0x100 fs/super.c:517
cleanup_mnt+0x222/0x3d0 fs/namespace.c:1256
task_work_run+0x14d/0x240 kernel/task_work.c:180
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
exit_to_user_mode_prepare+0x215/0x240 kernel/entry/common.c:204
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x1d/0x60 kernel/entry/common.c:296
do_syscall_64+0x44/0xb0 arch/x86/entry/common.c:87
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f8ded27de17
Code: b0 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 c7 c2 b0 ff ff ff f7 d8 64 89 02 b8
RSP: 002b:00007ffee20dbc08 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f8ded27de17
RDX: 0000000000000000 RSI: 000000000000000a RDI: 00007ffee20dbcc0
RBP: 00007ffee20dbcc0 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000246 R12: 00007ffee20dcd80
R13: 00007f8ded2c73b9 R14: 0000000000020fc9 R15: 0000000000000001
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:lbmStartIO+0xb7/0x3a0 fs/jfs/jfs_logmgr.c:2116
Code: fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 cf 02 00 00 48 b8 00 00 00 00 00 fc ff df 49 8b 5c 24 20 48 89 da 48 c1 ea 03 <80> 3c 02 00 0f 85 86 02 00 00 48 8b 3b ba 01 08 00 00 b9 40 0c 00
RSP: 0018:ffffc90004f87ab8 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff82fd8ed3
RDX: 0000000000000000 RSI: ffffffff82fd8ee1 RDI: ffff88807b192020
RBP: ffff888140accf00 R08: 0000000000000005 R09: 0000000000000003
R10: 0000000000000002 R11: ffffffff910d9a18 R12: ffff88807b192000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000002
FS: 0000555556f96480(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f8ded398000 CR3: 000000007b52f000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess), 2 bytes skipped:
0: df 48 89 fisttps -0x77(%rax)
3: fa cli
4: 48 c1 ea 03 shr $0x3,%rdx
8: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1)
c: 0f 85 cf 02 00 00 jne 0x2e1
12: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
19: fc ff df
1c: 49 8b 5c 24 20 mov 0x20(%r12),%rbx
21: 48 89 da mov %rbx,%rdx
24: 48 c1 ea 03 shr $0x3,%rdx
* 28: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) <-- trapping instruction
2c: 0f 85 86 02 00 00 jne 0x2b8
32: 48 8b 3b mov (%rbx),%rdi
35: ba 01 08 00 00 mov $0x801,%edx
3a: b9 .byte 0xb9
3b: 40 0c 00 rex or $0x0,%al


Tested on:

commit: c9f2baaa Add linux-next specific files for 20231003
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=179a2645680000
kernel config: https://syzkaller.appspot.com/x/.config?x=3fe9c462fee1649f
dashboard link: https://syzkaller.appspot.com/bug?extid=23bc20037854bb335d59
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=15fb7179680000

Lizhi Xu

Oct 8, 2023, 10:07:08 PM
to syzbot+23bc20...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
diff --git a/block/bdev.c b/block/bdev.c
index 4628dcb1da8a..8665657c28e7 100644
--- a/block/bdev.c
+++ b/block/bdev.c
@@ -840,7 +840,7 @@ struct bdev_handle *bdev_open_by_dev(dev_t dev, blk_mode_t mode, void *holder,
bdev = blkdev_get_by_dev(dev, mode, holder, hops);
if (IS_ERR(bdev)) {
kfree(handle);
- return ERR_CAST(bdev);
+ return NULL;
}
handle->bdev = bdev;
handle->holder = holder;
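Review bot: `return NULL;` in place of `return ERR_CAST(bdev);` changes the error contract of bdev_open_by_dev() for every caller in the tree: they test the result with IS_ERR(), so a failed open would now look like success and the NULL handle would be dereferenced, and the errno from blkdev_get_by_dev() is thrown away. Even as a pure experiment it only tells you something if jfs's open is the call that fails; syzbot's run of this patch (the next reply) trips the same `cmpb` in lbmStartIO() at the same source line, so the open is succeeding and the NULL reaches lbmStartIO() by another route.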

syzbot

Oct 8, 2023, 10:23:30 PM
to lizh...@windriver.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in lbmStartIO

general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 0 PID: 5414 Comm: syz-executor.0 Not tainted 6.6.0-rc4-next-20231003-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023
RIP: 0010:lbmStartIO+0xb7/0x3a0 fs/jfs/jfs_logmgr.c:2116
Code: fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 cf 02 00 00 48 b8 00 00 00 00 00 fc ff df 49 8b 5c 24 20 48 89 da 48 c1 ea 03 <80> 3c 02 00 0f 85 86 02 00 00 48 8b 3b ba 01 08 00 00 b9 40 0c 00
RSP: 0018:ffffc90004c87ab8 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff82fd8ed3
RDX: 0000000000000000 RSI: ffffffff82fd8ee1 RDI: ffff888021473820
RBP: ffff888020523800 R08: 0000000000000005 R09: 0000000000000003
R10: 0000000000000002 R11: ffffffff910d9a18 R12: ffff888021473800
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000002
FS: 00005555555ac480(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000c000161000 CR3: 000000001c24d000 CR4: 00000000003506f0
RIP: 0033:0x7f33bc67de17
Code: b0 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 c7 c2 b0 ff ff ff f7 d8 64 89 02 b8
RSP: 002b:00007ffed7521d48 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f33bc67de17
RDX: 0000000000000000 RSI: 000000000000000a RDI: 00007ffed7521e00
RBP: 00007ffed7521e00 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000246 R12: 00007ffed7522ec0
R13: 00007f33bc6c73b9 R14: 00000000000213c7 R15: 0000000000000001
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:lbmStartIO+0xb7/0x3a0 fs/jfs/jfs_logmgr.c:2116
Code: fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 cf 02 00 00 48 b8 00 00 00 00 00 fc ff df 49 8b 5c 24 20 48 89 da 48 c1 ea 03 <80> 3c 02 00 0f 85 86 02 00 00 48 8b 3b ba 01 08 00 00 b9 40 0c 00
RSP: 0018:ffffc90004c87ab8 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff82fd8ed3
RDX: 0000000000000000 RSI: ffffffff82fd8ee1 RDI: ffff888021473820
RBP: ffff888020523800 R08: 0000000000000005 R09: 0000000000000003
R10: 0000000000000002 R11: ffffffff910d9a18 R12: ffff888021473800
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000002
FS: 00005555555ac480(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000c000161000 CR3: 000000001c24d000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess), 2 bytes skipped:
0: df 48 89 fisttps -0x77(%rax)
3: fa cli
4: 48 c1 ea 03 shr $0x3,%rdx
8: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1)
c: 0f 85 cf 02 00 00 jne 0x2e1
12: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
19: fc ff df
1c: 49 8b 5c 24 20 mov 0x20(%r12),%rbx
21: 48 89 da mov %rbx,%rdx
24: 48 c1 ea 03 shr $0x3,%rdx
* 28: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) <-- trapping instruction
2c: 0f 85 86 02 00 00 jne 0x2b8
32: 48 8b 3b mov (%rbx),%rdi
35: ba 01 08 00 00 mov $0x801,%edx
3a: b9 .byte 0xb9
3b: 40 0c 00 rex or $0x0,%al


Tested on:

commit: c9f2baaa Add linux-next specific files for 20231003
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=1332bc45680000
kernel config: https://syzkaller.appspot.com/x/.config?x=3fe9c462fee1649f
dashboard link: https://syzkaller.appspot.com/bug?extid=23bc20037854bb335d59
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1017a911680000

Lizhi Xu

Oct 8, 2023, 11:19:40 PM
to syzbot+23bc20...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
diff --git a/block/bdev.c b/block/bdev.c
index 4628dcb1da8a..80ce9e10828e 100644
--- a/block/bdev.c
+++ b/block/bdev.c
@@ -839,8 +839,9 @@ struct bdev_handle *bdev_open_by_dev(dev_t dev, blk_mode_t mode, void *holder,
return ERR_PTR(-ENOMEM);
bdev = blkdev_get_by_dev(dev, mode, holder, hops);
if (IS_ERR(bdev)) {
+ printk("%p, %s\n", handle, __func__);
kfree(handle);
- return ERR_CAST(bdev);
+ return NULL;
}
handle->bdev = bdev;
handle->holder = holder;
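Review bot: same objection to the `return NULL;` line as in the previous patch; it must not survive into anything sent for review. The `printk("%p, %s\n", handle, __func__);` inserted before kfree(handle) prints a pointer that is about to be freed and says nothing about why blkdev_get_by_dev() failed; printing `PTR_ERR(bdev)` would. All of the printk() calls in this patch also lack a KERN_ level (pr_debug() or pr_err() would be the usual form).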
@@ -949,6 +950,7 @@ EXPORT_SYMBOL(blkdev_put);

void bdev_release(struct bdev_handle *handle)
{
+ printk("%p, %s\n", handle, __func__);
blkdev_put(handle->bdev, handle->holder);
kfree(handle);
}
diff --git a/fs/jfs/jfs_logmgr.c b/fs/jfs/jfs_logmgr.c
index c911d838b8ec..1507bab58549 100644
--- a/fs/jfs/jfs_logmgr.c
+++ b/fs/jfs/jfs_logmgr.c
@@ -1102,7 +1102,8 @@ int lmLogOpen(struct super_block *sb)

bdev_handle = bdev_open_by_dev(sbi->logdev,
BLK_OPEN_READ | BLK_OPEN_WRITE, log, NULL);
- if (IS_ERR(bdev_handle)) {
+ printk("%p, %s\n", bdev_handle, __func__);
+ if (IS_ERR_OR_NULL(bdev_handle)) {
rc = PTR_ERR(bdev_handle);
goto free;
}
@@ -2113,6 +2114,7 @@ static void lbmStartIO(struct lbuf * bp)

jfs_info("lbmStartIO");

+ printk("%p, %s\n", log->bdev_handle, __func__);
bio = bio_alloc(log->bdev_handle->bdev, 1, REQ_OP_WRITE | REQ_SYNC,
GFP_NOFS);
bio->bi_iter.bi_sector = bp->l_blkno << (log->l2bsize - 9);
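Review bot: this probe is the one that looks at the pointer the oops actually dereferences. `bio_alloc(log->bdev_handle->bdev, ...)` on the line below is the load that traps (the `mov 0x20(%r12),%rbx` feeding the KASAN `cmpb`, with RBX == 0), so printing log->bdev_handle immediately before it answers the question directly, and syzbot's run of this patch prints `0000000000000000, lbmStartIO`: the jfs_log reaches lbmStartIO() with a NULL bdev_handle. That rules out the value tested at the `IS_ERR_OR_NULL()` line in lmLogOpen(), since a NULL or ERR_PTR there takes `goto free` and the log is never used, and points at whichever lmLogOpen() path built this log without storing a handle, or at a release that cleared it; printing `log` and `log->flag` here as well would identify that path. For a debug patch, note that %p hashes non-NULL pointers, so %px is needed if the raw address is to be matched against other output.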

syzbot

Oct 8, 2023, 11:57:27 PM
to lizh...@windriver.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in lbmStartIO

0000000000000000, lbmStartIO
general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 0 PID: 5417 Comm: syz-executor.0 Not tainted 6.6.0-rc4-next-20231003-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023
RIP: 0010:lbmStartIO+0xea/0x3e0 fs/jfs/jfs_logmgr.c:2118
Code: 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 a9 02 00 00 48 b8 00 00 00 00 00 fc ff df 49 8b 5c 24 20 48 89 da 48 c1 ea 03 <80> 3c 02 00 0f 85 7c 02 00 00 48 8b 3b ba 01 08 00 00 b9 40 0c 00
RSP: 0018:ffffc9000523fab8 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff816b35d9
RDX: 0000000000000000 RSI: ffffffff816bc9e2 RDI: 0000000000000005
RBP: ffff88801d9d4300 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000000 R11: 0000000000000001 R12: ffff88807fb94000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000002
FS: 00005555567f8480(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffc239a7b88 CR3: 000000007673a000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
lbmWrite+0x32e/0x470 fs/jfs/jfs_logmgr.c:2068
lmNextPage.isra.0+0x278/0x700 fs/jfs/jfs_logmgr.c:616
lmWriteRecord+0xb6d/0x12a0 fs/jfs/jfs_logmgr.c:529
lmLogSync+0x182/0x820 fs/jfs/jfs_logmgr.c:969
jfs_syncpt+0x89/0xa0 fs/jfs/jfs_logmgr.c:1041
jfs_sync_fs+0x83/0xa0 fs/jfs/super.c:685
sync_filesystem fs/sync.c:56 [inline]
sync_filesystem+0x109/0x280 fs/sync.c:30
generic_shutdown_super+0x7e/0x3c0 fs/super.c:669
kill_block_super+0x3b/0x90 fs/super.c:1652
deactivate_locked_super+0xbc/0x1a0 fs/super.c:484
deactivate_super+0xde/0x100 fs/super.c:517
cleanup_mnt+0x222/0x3d0 fs/namespace.c:1256
task_work_run+0x14d/0x240 kernel/task_work.c:180
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
exit_to_user_mode_prepare+0x215/0x240 kernel/entry/common.c:204
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x1d/0x60 kernel/entry/common.c:296
do_syscall_64+0x44/0xb0 arch/x86/entry/common.c:87
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f0de167de17
Code: b0 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 c7 c2 b0 ff ff ff f7 d8 64 89 02 b8
RSP: 002b:00007ffc239a8338 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f0de167de17
RDX: 0000000000000000 RSI: 000000000000000a RDI: 00007ffc239a83f0
RBP: 00007ffc239a83f0 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000246 R12: 00007ffc239a94b0
R13: 00007f0de16c73b9 R14: 0000000000020ba2 R15: 0000000000000001
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:lbmStartIO+0xea/0x3e0 fs/jfs/jfs_logmgr.c:2118
Code: 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 a9 02 00 00 48 b8 00 00 00 00 00 fc ff df 49 8b 5c 24 20 48 89 da 48 c1 ea 03 <80> 3c 02 00 0f 85 7c 02 00 00 48 8b 3b ba 01 08 00 00 b9 40 0c 00
RSP: 0018:ffffc9000523fab8 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff816b35d9
RDX: 0000000000000000 RSI: ffffffff816bc9e2 RDI: 0000000000000005
RBP: ffff88801d9d4300 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000000 R11: 0000000000000001 R12: ffff88807fb94000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000002
FS: 00005555567f8480(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f0dd95fe000 CR3: 000000007673a000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess), 6 bytes skipped:
0: 48 c1 ea 03 shr $0x3,%rdx
4: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1)
8: 0f 85 a9 02 00 00 jne 0x2b7
e: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
15: fc ff df
18: 49 8b 5c 24 20 mov 0x20(%r12),%rbx
1d: 48 89 da mov %rbx,%rdx
20: 48 c1 ea 03 shr $0x3,%rdx
* 24: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) <-- trapping instruction
28: 0f 85 7c 02 00 00 jne 0x2aa
2e: 48 8b 3b mov (%rbx),%rdi
31: ba 01 08 00 00 mov $0x801,%edx
36: b9 .byte 0xb9
37: 40 0c 00 rex or $0x0,%al


Tested on:

commit: c9f2baaa Add linux-next specific files for 20231003
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=12b2bc45680000
kernel config: https://syzkaller.appspot.com/x/.config?x=3fe9c462fee1649f
dashboard link: https://syzkaller.appspot.com/bug?extid=23bc20037854bb335d59
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=10b6afa5680000

Lizhi Xu

Oct 9, 2023, 12:03:58 AM
to syzbot+23bc20...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git c9f2baaa18b5

diff --git a/block/bdev.c b/block/bdev.c
index 4628dcb1da8a..80ce9e10828e 100644
--- a/block/bdev.c
+++ b/block/bdev.c
@@ -839,8 +839,9 @@ struct bdev_handle *bdev_open_by_dev(dev_t dev, blk_mode_t mode, void *holder,
return ERR_PTR(-ENOMEM);
bdev = blkdev_get_by_dev(dev, mode, holder, hops);
if (IS_ERR(bdev)) {
+ printk("%p, %s\n", handle, __func__);
kfree(handle);
- return ERR_CAST(bdev);
+ return NULL;
}
handle->bdev = bdev;
handle->holder = holder;
@@ -949,6 +950,7 @@ EXPORT_SYMBOL(blkdev_put);

void bdev_release(struct bdev_handle *handle)
{
+ printk("%p, %s\n", handle, __func__);
blkdev_put(handle->bdev, handle->holder);
kfree(handle);
}
diff --git a/fs/jfs/jfs_logmgr.c b/fs/jfs/jfs_logmgr.c
index c911d838b8ec..1d9634c18532 100644
--- a/fs/jfs/jfs_logmgr.c
+++ b/fs/jfs/jfs_logmgr.c
@@ -1102,7 +1102,8 @@ int lmLogOpen(struct super_block *sb)

bdev_handle = bdev_open_by_dev(sbi->logdev,
BLK_OPEN_READ | BLK_OPEN_WRITE, log, NULL);
- if (IS_ERR(bdev_handle)) {
+ printk("%p, %s\n", bdev_handle, __func__);
+ if (IS_ERR_OR_NULL(bdev_handle)) {
rc = PTR_ERR(bdev_handle);
goto free;
}
@@ -1141,6 +1142,7 @@ int lmLogOpen(struct super_block *sb)
lbmLogShutdown(log);

close: /* close external log device */
+ printk("%p, %p, %s\n", log, bdev_handle, __func__);
bdev_release(bdev_handle);

free: /* free log descriptor */
@@ -1485,6 +1487,7 @@ int lmLogClose(struct super_block *sb)
bdev_handle = log->bdev_handle;
rc = lmLogShutdown(log);

+ printk("%p, %p, %s\n", log, bdev_handle, __func__);
bdev_release(bdev_handle);

kfree(log);
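Review bot: pairing these two `printk("%p, %p, %s\n", log, bdev_handle, __func__);` lines with the one in bdev_release() is a reasonable way to match opens with releases, but in the excerpt syzbot quotes from the run of this patch only `0000000000000000, lbmStartIO` precedes the oops, and the excerpt alone cannot show whether an lmLogOpen() line was printed at mount time, so the full console output linked in that reply needs to be checked for a matching open before concluding anything. Separately, the lmLogClose() hunk copies log->bdev_handle into bdev_handle before lmLogShutdown(); if the handle is NULL on this path, `bdev_release(bdev_handle)` faults on handle->bdev in the same way lbmStartIO() does, so a NULL check before the release would turn that into a clean error while the root cause is being tracked down.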
@@ -2113,6 +2116,7 @@ static void lbmStartIO(struct lbuf * bp)

syzbot

Oct 9, 2023, 12:57:27 AM
to lizh...@windriver.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in lbmStartIO

0000000000000000, lbmStartIO
general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 0 PID: 5411 Comm: syz-executor.0 Not tainted 6.6.0-rc4-next-20231003-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023
RIP: 0010:lbmStartIO+0xea/0x3e0 fs/jfs/jfs_logmgr.c:2120
Code: 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 a9 02 00 00 48 b8 00 00 00 00 00 fc ff df 49 8b 5c 24 20 48 89 da 48 c1 ea 03 <80> 3c 02 00 0f 85 7c 02 00 00 48 8b 3b ba 01 08 00 00 b9 40 0c 00
RSP: 0018:ffffc900050ffab8 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff816b35d9
RDX: 0000000000000000 RSI: ffffffff816bc9e2 RDI: 0000000000000005
RBP: ffff8880156e3700 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000000 R11: 0000000000000001 R12: ffff88807f28c800
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000002
FS: 0000555555bb8480(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000555555bc1938 CR3: 000000001ce2a000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
lbmWrite+0x32e/0x470 fs/jfs/jfs_logmgr.c:2070
lmNextPage.isra.0+0x278/0x700 fs/jfs/jfs_logmgr.c:616
lmWriteRecord+0xb6d/0x12a0 fs/jfs/jfs_logmgr.c:529
lmLogSync+0x182/0x820 fs/jfs/jfs_logmgr.c:969
jfs_syncpt+0x89/0xa0 fs/jfs/jfs_logmgr.c:1041
jfs_sync_fs+0x83/0xa0 fs/jfs/super.c:685
sync_filesystem fs/sync.c:56 [inline]
sync_filesystem+0x109/0x280 fs/sync.c:30
generic_shutdown_super+0x7e/0x3c0 fs/super.c:669
kill_block_super+0x3b/0x90 fs/super.c:1652
deactivate_locked_super+0xbc/0x1a0 fs/super.c:484
deactivate_super+0xde/0x100 fs/super.c:517
cleanup_mnt+0x222/0x3d0 fs/namespace.c:1256
task_work_run+0x14d/0x240 kernel/task_work.c:180
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
exit_to_user_mode_prepare+0x215/0x240 kernel/entry/common.c:204
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x1d/0x60 kernel/entry/common.c:296
do_syscall_64+0x44/0xb0 arch/x86/entry/common.c:87
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fdead47de17
Code: b0 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 c7 c2 b0 ff ff ff f7 d8 64 89 02 b8
RSP: 002b:00007ffc8860dfd8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007fdead47de17
RDX: 0000000000000000 RSI: 000000000000000a RDI: 00007ffc8860e090
RBP: 00007ffc8860e090 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000246 R12: 00007ffc8860f150
R13: 00007fdead4c73b9 R14: 0000000000020bef R15: 0000000000000001
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:lbmStartIO+0xea/0x3e0 fs/jfs/jfs_logmgr.c:2120
Code: 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 a9 02 00 00 48 b8 00 00 00 00 00 fc ff df 49 8b 5c 24 20 48 89 da 48 c1 ea 03 <80> 3c 02 00 0f 85 7c 02 00 00 48 8b 3b ba 01 08 00 00 b9 40 0c 00
RSP: 0018:ffffc900050ffab8 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff816b35d9
RDX: 0000000000000000 RSI: ffffffff816bc9e2 RDI: 0000000000000005
RBP: ffff8880156e3700 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000000 R11: 0000000000000001 R12: ffff88807f28c800
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000002
FS: 0000555555bb8480(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000555555bc1938 CR3: 000000001ce2a000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess), 6 bytes skipped:
0: 48 c1 ea 03 shr $0x3,%rdx
4: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1)
8: 0f 85 a9 02 00 00 jne 0x2b7
e: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
15: fc ff df
18: 49 8b 5c 24 20 mov 0x20(%r12),%rbx
1d: 48 89 da mov %rbx,%rdx
20: 48 c1 ea 03 shr $0x3,%rdx
* 24: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) <-- trapping instruction
28: 0f 85 7c 02 00 00 jne 0x2aa
2e: 48 8b 3b mov (%rbx),%rdi
31: ba 01 08 00 00 mov $0x801,%edx
36: b9 .byte 0xb9
37: 40 0c 00 rex or $0x0,%al


Tested on:

commit: c9f2baaa Add linux-next specific files for 20231003
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=10b81d36680000
kernel config: https://syzkaller.appspot.com/x/.config?x=3fe9c462fee1649f
dashboard link: https://syzkaller.appspot.com/bug?extid=23bc20037854bb335d59
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=164813ee680000

Lizhi Xu

Oct 9, 2023, 2:46:52 AM
to syzbot+23bc20...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git c9f2baaa18b5

diff --git a/block/bdev.c b/block/bdev.c
index 4628dcb1da8a..80ce9e10828e 100644
--- a/block/bdev.c
+++ b/block/bdev.c
@@ -839,8 +839,9 @@ struct bdev_handle *bdev_open_by_dev(dev_t dev, blk_mode_t mode, void *holder,
return ERR_PTR(-ENOMEM);
bdev = blkdev_get_by_dev(dev, mode, holder, hops);
if (IS_ERR(bdev)) {
+ printk("%p, %s\n", handle, __func__);
kfree(handle);
- return ERR_CAST(bdev);
+ return NULL;
}
handle->bdev = bdev;
handle->holder = holder;
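Review bot: changing `return ERR_CAST(bdev);` to `return NULL;` in the bdev_open_by_dev() error path discards the errno from blkdev_get_by_dev() and breaks every caller that checks the result with IS_ERR(); keep ERR_CAST(bdev) and confine the diagnostic to the printk. The printk itself has no log level (pr_debug() or KERN_DEBUG) and should not survive beyond this test build.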
@@ -949,6 +950,7 @@ EXPORT_SYMBOL(blkdev_put);

void bdev_release(struct bdev_handle *handle)
{
+ printk("%p, %s\n", handle, __func__);
blkdev_put(handle->bdev, handle->holder);
kfree(handle);
}
diff --git a/fs/jfs/jfs_logmgr.c b/fs/jfs/jfs_logmgr.c
index c911d838b8ec..098bf3330590 100644
--- a/fs/jfs/jfs_logmgr.c
+++ b/fs/jfs/jfs_logmgr.c
@@ -1062,12 +1062,14 @@ int lmLogOpen(struct super_block *sb)
struct jfs_log *log;
struct jfs_sb_info *sbi = JFS_SBI(sb);

+ printk("%p, %s\n", sb, __func__);
if (sbi->flag & JFS_NOINTEGRITY)
return open_dummy_log(sb);

if (sbi->mntflag & JFS_INLINELOG)
return open_inline_log(sb);

+ printk("%p, %s\n", sb, __func__);
mutex_lock(&jfs_log_mutex);
list_for_each_entry(log, &jfs_external_logs, journal_list) {
if (log->bdev_handle->bdev->bd_dev == sbi->logdev) {
@@ -1102,7 +1104,8 @@ int lmLogOpen(struct super_block *sb)

bdev_handle = bdev_open_by_dev(sbi->logdev,
BLK_OPEN_READ | BLK_OPEN_WRITE, log, NULL);
- if (IS_ERR(bdev_handle)) {
+ printk("%p, %s\n", bdev_handle, __func__);
+ if (IS_ERR_OR_NULL(bdev_handle)) {
rc = PTR_ERR(bdev_handle);
goto free;
}
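Review bot: with the NULL return introduced in block/bdev.c, `rc = PTR_ERR(bdev_handle)` evaluates to 0 on the IS_ERR_OR_NULL() path, so `goto free` makes lmLogOpen() report success after the log device failed to open; if NULL is kept as a failure value, rc needs an explicit negative errno before the jump.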
@@ -1141,6 +1144,7 @@ int lmLogOpen(struct super_block *sb)
lbmLogShutdown(log);

close: /* close external log device */
+ printk("%p, %p, %s\n", log, bdev_handle, __func__);
bdev_release(bdev_handle);

free: /* free log descriptor */
@@ -1163,6 +1167,7 @@ static int open_inline_log(struct super_block *sb)

set_bit(log_INLINELOG, &log->flag);
log->bdev_handle = sb->s_bdev_handle;
+ printk("%p, %s\n", log->bdev_handle, __func__);
log->base = addressPXD(&JFS_SBI(sb)->logpxd);
log->size = lengthPXD(&JFS_SBI(sb)->logpxd) >>
(L2LOGPSIZE - sb->s_blocksize_bits);
@@ -1485,6 +1490,7 @@ int lmLogClose(struct super_block *sb)
bdev_handle = log->bdev_handle;
rc = lmLogShutdown(log);

+ printk("%p, %p, %s\n", log, bdev_handle, __func__);
bdev_release(bdev_handle);

kfree(log);
@@ -2113,6 +2119,7 @@ static void lbmStartIO(struct lbuf * bp)

jfs_info("lbmStartIO");

+ printk("%p, %s\n", log->bdev_handle, __func__);
bio = bio_alloc(log->bdev_handle->bdev, 1, REQ_OP_WRITE | REQ_SYNC,
GFP_NOFS);
bio->bi_iter.bi_sector = bp->l_blkno << (log->l2bsize - 9);
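Review bot: the printk observes log->bdev_handle one line before the unguarded `log->bdev_handle->bdev` read inside the bio_alloc() call, so it will report the NULL handle (syzbot's re-test below prints `0000000000000000, lbmStartIO`) without preventing the fault; the read itself needs a guard for the dummy-log case.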
diff --git a/fs/super.c b/fs/super.c
index 79f8125da573..e157e260f9e4 100644
--- a/fs/super.c
+++ b/fs/super.c
@@ -1652,6 +1652,7 @@ void kill_block_super(struct super_block *sb)
generic_shutdown_super(sb);
if (bdev) {
sync_blockdev(bdev);
+ printk("%p, %s\n", sb->s_bdev_handle, __func__);
bdev_release(sb->s_bdev_handle);
}
}

syzbot

Oct 9, 2023, 3:09:35 AM
to lizh...@windriver.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in lbmStartIO

0000000000000000, lbmStartIO
general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 1 PID: 5418 Comm: syz-executor.0 Not tainted 6.6.0-rc4-next-20231003-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023
RIP: 0010:lbmStartIO+0xea/0x3e0 fs/jfs/jfs_logmgr.c:2123
Code: 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 a9 02 00 00 48 b8 00 00 00 00 00 fc ff df 49 8b 5c 24 20 48 89 da 48 c1 ea 03 <80> 3c 02 00 0f 85 7c 02 00 00 48 8b 3b ba 01 08 00 00 b9 40 0c 00
RSP: 0018:ffffc900048f7ab8 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff816b35d9
RDX: 0000000000000000 RSI: ffffffff816bc9e2 RDI: 0000000000000005
RBP: ffff88801c9c4000 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000000 R11: 0000000000000001 R12: ffff88801c8d6800
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000002
FS: 00005555574aa480(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005555574b3938 CR3: 0000000029b76000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
lbmWrite+0x32e/0x470 fs/jfs/jfs_logmgr.c:2073
lmNextPage.isra.0+0x278/0x700 fs/jfs/jfs_logmgr.c:616
lmWriteRecord+0xb6d/0x12a0 fs/jfs/jfs_logmgr.c:529
lmLogSync+0x182/0x820 fs/jfs/jfs_logmgr.c:969
jfs_syncpt+0x89/0xa0 fs/jfs/jfs_logmgr.c:1041
jfs_sync_fs+0x83/0xa0 fs/jfs/super.c:685
sync_filesystem fs/sync.c:56 [inline]
sync_filesystem+0x109/0x280 fs/sync.c:30
generic_shutdown_super+0x7e/0x3c0 fs/super.c:669
kill_block_super+0x3f/0xe0 fs/super.c:1652
deactivate_locked_super+0xbc/0x1a0 fs/super.c:484
deactivate_super+0xde/0x100 fs/super.c:517
cleanup_mnt+0x222/0x3d0 fs/namespace.c:1256
task_work_run+0x14d/0x240 kernel/task_work.c:180
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
exit_to_user_mode_prepare+0x215/0x240 kernel/entry/common.c:204
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x1d/0x60 kernel/entry/common.c:296
do_syscall_64+0x44/0xb0 arch/x86/entry/common.c:87
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fc637e7de17
Code: b0 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 c7 c2 b0 ff ff ff f7 d8 64 89 02 b8
RSP: 002b:00007ffcd9a8d058 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007fc637e7de17
RDX: 0000000000000000 RSI: 000000000000000a RDI: 00007ffcd9a8d110
RBP: 00007ffcd9a8d110 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000246 R12: 00007ffcd9a8e1d0
R13: 00007fc637ec73b9 R14: 000000000002d0c5 R15: 0000000000000001
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:lbmStartIO+0xea/0x3e0 fs/jfs/jfs_logmgr.c:2123
Code: 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 a9 02 00 00 48 b8 00 00 00 00 00 fc ff df 49 8b 5c 24 20 48 89 da 48 c1 ea 03 <80> 3c 02 00 0f 85 7c 02 00 00 48 8b 3b ba 01 08 00 00 b9 40 0c 00
RSP: 0018:ffffc900048f7ab8 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff816b35d9
RDX: 0000000000000000 RSI: ffffffff816bc9e2 RDI: 0000000000000005
RBP: ffff88801c9c4000 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000000 R11: 0000000000000001 R12: ffff88801c8d6800
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000002
FS: 00005555574aa480(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005555574b3938 CR3: 0000000029b76000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess), 6 bytes skipped:
0: 48 c1 ea 03 shr $0x3,%rdx
4: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1)
8: 0f 85 a9 02 00 00 jne 0x2b7
e: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
15: fc ff df
18: 49 8b 5c 24 20 mov 0x20(%r12),%rbx
1d: 48 89 da mov %rbx,%rdx
20: 48 c1 ea 03 shr $0x3,%rdx
* 24: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) <-- trapping instruction
28: 0f 85 7c 02 00 00 jne 0x2aa
2e: 48 8b 3b mov (%rbx),%rdi
31: ba 01 08 00 00 mov $0x801,%edx
36: b9 .byte 0xb9
37: 40 0c 00 rex or $0x0,%al


Tested on:

commit: c9f2baaa Add linux-next specific files for 20231003
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=14fb8741680000
kernel config: https://syzkaller.appspot.com/x/.config?x=3fe9c462fee1649f
dashboard link: https://syzkaller.appspot.com/bug?extid=23bc20037854bb335d59
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=10a33679680000

Lizhi Xu

Oct 9, 2023, 3:41:22 AM
to syzbot+23bc20...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
diff --git a/fs/jfs/jfs_logmgr.c b/fs/jfs/jfs_logmgr.c
index c911d838b8ec..cf73b5b06ac3 100644
@@ -2110,10 +2116,15 @@ static void lbmStartIO(struct lbuf * bp)
{
struct bio *bio;
struct jfs_log *log = bp->l_log;
+ struct block_device *bdev = NULL;

jfs_info("lbmStartIO");

- bio = bio_alloc(log->bdev_handle->bdev, 1, REQ_OP_WRITE | REQ_SYNC,
+ printk("%d, %p, %s\n", log->no_integrity, log->bdev_handle, __func__);
+ if (!log->no_integrity)
+ bdev = log->bdev_handle->bdev;
+
+ bio = bio_alloc(bdev, 1, REQ_OP_WRITE | REQ_SYNC,
GFP_NOFS);
bio->bi_iter.bi_sector = bp->l_blkno << (log->l2bsize - 9);
__bio_add_page(bio, bp->l_page, LOGPSIZE, bp->l_offset);
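Review bot: the `if (!log->no_integrity)` guard addresses the NULL dereference, but the hunk still carries the debug printk, and the patch is posted without `---`/`+++` file headers and against offsets from the earlier instrumented tree (`@@ -2110,10 +2116,15 @@`), so it will not apply cleanly with git am; drop the printk and resend as a complete diff.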

syzbot

Oct 9, 2023, 5:34:33 AM
to lizh...@windriver.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+23bc20...@syzkaller.appspotmail.com

Tested on:

commit: c9f2baaa Add linux-next specific files for 20231003
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=145df559680000
kernel config: https://syzkaller.appspot.com/x/.config?x=3fe9c462fee1649f
dashboard link: https://syzkaller.appspot.com/bug?extid=23bc20037854bb335d59
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=16405565680000

Note: testing is done by a robot and is best-effort only.

Lizhi Xu

Oct 9, 2023, 5:46:09 AM
to syzbot+23bc20...@syzkaller.appspotmail.com, ax...@kernel.dk, bra...@kernel.org, dave.k...@oracle.com, ha...@suse.de, h...@lst.de, ja...@suse.cz, jfs-dis...@lists.sourceforge.net, johannes....@wdc.com, linux-...@vger.kernel.org, linux-...@vger.kernel.org, sha...@kernel.org, syzkall...@googlegroups.com
When sbi->flag is JFS_NOINTEGRITY in lmLogOpen(), log->bdev_handle can't
be inited, so its value will be NULL.
Therefore, add the "log->no_integrity=1" judgment in lbmStartIO() to avoid such
problems.

Reported-and-tested-by: syzbot+23bc20...@syzkaller.appspotmail.com
Signed-off-by: Lizhi Xu <lizh...@windriver.com>
---
fs/jfs/jfs_logmgr.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/fs/jfs/jfs_logmgr.c b/fs/jfs/jfs_logmgr.c
index c911d838b8ec..c41a76164f84 100644
--- a/fs/jfs/jfs_logmgr.c
+++ b/fs/jfs/jfs_logmgr.c
@@ -2110,10 +2110,14 @@ static void lbmStartIO(struct lbuf * bp)
{
struct bio *bio;
struct jfs_log *log = bp->l_log;
+ struct block_device *bdev = NULL;

jfs_info("lbmStartIO");

- bio = bio_alloc(log->bdev_handle->bdev, 1, REQ_OP_WRITE | REQ_SYNC,
+ if (!log->no_integrity)
+ bdev = log->bdev_handle->bdev;
+
+ bio = bio_alloc(bdev, 1, REQ_OP_WRITE | REQ_SYNC,
GFP_NOFS);
bio->bi_iter.bi_sector = bp->l_blkno << (log->l2bsize - 9);
__bio_add_page(bio, bp->l_page, LOGPSIZE, bp->l_offset);
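Review bot: the guard is only correct because a bio whose bi_bdev is NULL is never handed to submit_bio() for a no-integrity log, and nothing in the hunk shows where that bio is completed instead; a short comment above `if (!log->no_integrity)` (for example `/* dummy log: no device, bio is completed without I/O */`) and a sentence in the commit message would make that invariant visible to the next reader.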
--
2.25.1
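
The patch above guards the dereference but leaves implicit why a bio without a device is acceptable for a no-integrity log. The user-space C model below is added here and is not kernel code or code from this thread: it walks the open and write paths with the flag on and off, and its struct layouts, the JFS_NOINTEGRITY value and the 4096 page size are simplified stand-ins for the kernel's.

```c
#include <stddef.h>
/* Model value for the kernel's JFS_NOINTEGRITY flag (assumed, not the real bit). */
#define JFS_NOINTEGRITY 0x1u

struct block_device { int dev; };                 /* stand-in for the kernel struct */
struct bdev_handle  { struct block_device *bdev; };
struct jfs_log {
    int no_integrity;                             /* set by open_dummy_log() */
    struct bdev_handle *bdev_handle;              /* stays NULL for a dummy log */
};
struct bio { struct block_device *bi_bdev; unsigned int bi_size; };

/* Mirrors the lmLogOpen() decision: a no-integrity mount gets a dummy log
 * that owns no block device; every other log gets a handle. */
static void lm_log_open(struct jfs_log *log, struct bdev_handle *h, unsigned int flag)
{
    log->no_integrity = (flag & JFS_NOINTEGRITY) != 0;
    log->bdev_handle = log->no_integrity ? NULL : h;
}

/* Mirrors the patched lbmStartIO(): take the device only when the log has one
 * and complete the bio inline when journaling is off. Returns 1 if the bio
 * was submitted, 0 if completed inline, -1 if a real log has no device. */
static int lbm_start_io(struct jfs_log *log, struct bio *bio)
{
    struct block_device *bdev = NULL;

    if (!log->no_integrity) {
        if (!log->bdev_handle)
            return -1;                            /* invariant the old code assumed */
        bdev = log->bdev_handle->bdev;            /* the read that faulted */
    }
    bio->bi_bdev = bdev;
    bio->bi_size = 4096;                          /* LOGPSIZE in the kernel */
    if (log->no_integrity) {
        bio->bi_size = 0;                         /* nothing to write */
        return 0;
    }
    return 1;                                     /* submit_bio() in the kernel */
}

/* Runs one mount flag through open + write; returns lbm_start_io()'s result,
 * or -2 if the bio ended up with a device the log should not have. */
static int scenario(unsigned int flag)
{
    struct block_device dev = { 8 };              /* constructed sample device */
    struct bdev_handle handle = { &dev };
    struct jfs_log log;
    struct bio bio = { NULL, 0 };
    int rc;

    lm_log_open(&log, &handle, flag);
    rc = lbm_start_io(&log, &bio);
    return bio.bi_bdev == (log.no_integrity ? NULL : &dev) ? rc : -2;
}
```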

Jan Kara

Oct 9, 2023, 6:08:29 AM
to Lizhi Xu, syzbot+23bc20...@syzkaller.appspotmail.com, ax...@kernel.dk, bra...@kernel.org, dave.k...@oracle.com, ha...@suse.de, h...@lst.de, ja...@suse.cz, jfs-dis...@lists.sourceforge.net, johannes....@wdc.com, linux-...@vger.kernel.org, linux-...@vger.kernel.org, sha...@kernel.org, syzkall...@googlegroups.com
On Mon 09-10-23 17:45:57, Lizhi Xu wrote:
> When sbi->flag is JFS_NOINTEGRITY in lmLogOpen(), log->bdev_handle can't
> be inited, so its value will be NULL.
> Therefore, add the "log->no_integrity=1" judgment in lbmStartIO() to avoid such
> problems.
>
> Reported-and-tested-by: syzbot+23bc20...@syzkaller.appspotmail.com
> Signed-off-by: Lizhi Xu <lizh...@windriver.com>

Ah, good catch. Who would think someone creates bios for NULL bdev only to
release them shortly afterwards ;). Anyway the fix looks good. Feel free to
add:

Reviewed-by: Jan Kara <ja...@suse.cz>

Christian, please pick up this fixup into your tree. Thanks!

Honza

> ---
> fs/jfs/jfs_logmgr.c | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/fs/jfs/jfs_logmgr.c b/fs/jfs/jfs_logmgr.c
> index c911d838b8ec..c41a76164f84 100644
> --- a/fs/jfs/jfs_logmgr.c
> +++ b/fs/jfs/jfs_logmgr.c
> @@ -2110,10 +2110,14 @@ static void lbmStartIO(struct lbuf * bp)
> {
> struct bio *bio;
> struct jfs_log *log = bp->l_log;
> + struct block_device *bdev = NULL;
>
> jfs_info("lbmStartIO");
>
> - bio = bio_alloc(log->bdev_handle->bdev, 1, REQ_OP_WRITE | REQ_SYNC,
> + if (!log->no_integrity)
> + bdev = log->bdev_handle->bdev;
> +
> + bio = bio_alloc(bdev, 1, REQ_OP_WRITE | REQ_SYNC,
> GFP_NOFS);
> bio->bi_iter.bi_sector = bp->l_blkno << (log->l2bsize - 9);
> __bio_add_page(bio, bp->l_page, LOGPSIZE, bp->l_offset);
> --
> 2.25.1
>
--
Jan Kara <ja...@suse.com>
SUSE Labs, CR

Christian Brauner

Oct 9, 2023, 9:54:47 AM
to ja...@suse.cz, syzbot+23bc20...@syzkaller.appspotmail.com, Lizhi Xu, Christian Brauner, ax...@kernel.dk, dave.k...@oracle.com, ha...@suse.de, h...@lst.de, jfs-dis...@lists.sourceforge.net, johannes....@wdc.com, linux-...@vger.kernel.org, linux-...@vger.kernel.org, sha...@kernel.org, syzkall...@googlegroups.com
On Mon, 09 Oct 2023 17:45:57 +0800, Lizhi Xu wrote:
> When sbi->flag is JFS_NOINTEGRITY in lmLogOpen(), log->bdev_handle can't
> be inited, so its value will be NULL.
> Therefore, add the "log->no_integrity=1" judgment in lbmStartIO() to avoid such
> problems.
>
>

Applied to the vfs.super branch of the vfs/vfs.git tree.
Patches in the vfs.super branch should appear in linux-next soon.

Please report any outstanding bugs that were missed during review in a
new review to the original patch series allowing us to drop it.

It's encouraged to provide Acked-bys and Reviewed-bys even though the
patch has now been applied. If possible patch trailers will be updated.

Note that commit hashes shown below are subject to change due to rebase,
trailer updates or similar. If in doubt, please check the listed branch.

tree: https://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs.git
branch: vfs.super

[1/1] jfs: fix log->bdev_handle null ptr deref in lbmStartIO
https://git.kernel.org/vfs/vfs/c/dc869ef84f26

Christian Brauner

Oct 9, 2023, 9:55:49 AM
to Jan Kara, Lizhi Xu, syzbot+23bc20...@syzkaller.appspotmail.com, ax...@kernel.dk, dave.k...@oracle.com, ha...@suse.de, h...@lst.de, jfs-dis...@lists.sourceforge.net, johannes....@wdc.com, linux-...@vger.kernel.org, linux-...@vger.kernel.org, sha...@kernel.org, syzkall...@googlegroups.com
> Christian, please pick up this fixup into your tree. Thanks!

Done!