[syzbot] kernel BUG in ext4_get_group_info


syzbot

Aug 19, 2021, 4:21:25 AM8/19/21
to adilger...@dilger.ca, linux...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, ty...@mit.edu
Hello,

syzbot found the following issue on:

HEAD commit: 614cb2751d31 Merge tag 'trace-v5.14-rc6' of git://git.kern..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=128cfb31300000
kernel config: https://syzkaller.appspot.com/x/.config?x=f61012d0b1cd846f
dashboard link: https://syzkaller.appspot.com/bug?extid=e2efa3efc15a1c9e95c3
compiler: Debian clang version 11.0.1-2, GNU ld (GNU Binutils for Debian) 2.35.1
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=122a0161300000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+e2efa3...@syzkaller.appspotmail.com

EXT4-fs error (device loop1): ext4_map_blocks:718: inode #17: block 424: comm syz-executor.1: lblock 296 mapped to illegal pblock 424 (length 1)
------------[ cut here ]------------
kernel BUG at fs/ext4/ext4.h:3295!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 10426 Comm: syz-executor.1 Not tainted 5.14.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:ext4_get_group_info+0x34d/0x350 fs/ext4/ext4.h:3295
Code: 5c ff 8b 74 24 04 48 c7 c7 40 77 88 8c 4c 89 f2 e8 08 9f 05 02 43 80 3c 2c 00 0f 85 6d fd ff ff e9 70 fd ff ff e8 a3 46 5c ff <0f> 0b 90 55 41 57 41 56 41 55 41 54 53 48 83 ec 20 41 89 d5 89 f5
RSP: 0018:ffffc9000c49f320 EFLAGS: 00010293
RAX: ffffffff8223f12d RBX: 00000000fffff95a RCX: ffff88802d923880
RDX: 0000000000000000 RSI: 00000000fffff95a RDI: 0000000000000001
RBP: 0000000000000001 R08: ffffffff8223ee48 R09: ffffed1008f9ac2c
R10: ffffed1008f9ac2c R11: 0000000000000000 R12: 1ffff110073d74cf
R13: dffffc0000000000 R14: ffff8880328dc000 R15: ffff888039eba678
FS: 00007fe3035a4700(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000002112848 CR3: 0000000033f2d000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
ext4_mb_load_buddy_gfp+0xc7/0x1370 fs/ext4/mballoc.c:1490
ext4_discard_preallocations+0x811/0x16a0 fs/ext4/mballoc.c:4940
ext4_truncate+0xa1a/0xec0 fs/ext4/inode.c:4259
ext4_truncate_failed_write fs/ext4/truncate.h:20 [inline]
ext4_write_begin+0xa7b/0x1350 fs/ext4/inode.c:1234
ext4_da_write_begin+0x384/0x10c0 fs/ext4/inode.c:2960
generic_perform_write+0x262/0x580 mm/filemap.c:3656
ext4_buffered_write_iter+0x41c/0x590 fs/ext4/file.c:269
ext4_file_write_iter+0x8f7/0x1b90 fs/ext4/file.c:519
call_write_iter include/linux/fs.h:2114 [inline]
new_sync_write fs/read_write.c:518 [inline]
vfs_write+0xa39/0xc90 fs/read_write.c:605
ksys_write+0x171/0x2a0 fs/read_write.c:658
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x4665e9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fe3035a4188 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 000000000056bf80 RCX: 00000000004665e9
RDX: 000000000d4ba0ff RSI: 00000000200009c0 RDI: 0000000000000007
RBP: 00000000004bfcc4 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf80
R13: 00007ffd1a1dd7ef R14: 00007fe3035a4300 R15: 0000000000022000
Modules linked in:
---[ end trace 6608a809acf19a79 ]---
RIP: 0010:ext4_get_group_info+0x34d/0x350 fs/ext4/ext4.h:3295
Code: 5c ff 8b 74 24 04 48 c7 c7 40 77 88 8c 4c 89 f2 e8 08 9f 05 02 43 80 3c 2c 00 0f 85 6d fd ff ff e9 70 fd ff ff e8 a3 46 5c ff <0f> 0b 90 55 41 57 41 56 41 55 41 54 53 48 83 ec 20 41 89 d5 89 f5
RSP: 0018:ffffc9000c49f320 EFLAGS: 00010293
RAX: ffffffff8223f12d RBX: 00000000fffff95a RCX: ffff88802d923880
RDX: 0000000000000000 RSI: 00000000fffff95a RDI: 0000000000000001
RBP: 0000000000000001 R08: ffffffff8223ee48 R09: ffffed1008f9ac2c
R10: ffffed1008f9ac2c R11: 0000000000000000 R12: 1ffff110073d74cf
R13: dffffc0000000000 R14: ffff8880328dc000 R15: ffff888039eba678
FS: 00007fe3035a4700(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 0000000033f2d000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 5c pop %rsp
1: ff 8b 74 24 04 48 decl 0x48042474(%rbx)
7: c7 c7 40 77 88 8c mov $0x8c887740,%edi
d: 4c 89 f2 mov %r14,%rdx
10: e8 08 9f 05 02 callq 0x2059f1d
15: 43 80 3c 2c 00 cmpb $0x0,(%r12,%r13,1)
1a: 0f 85 6d fd ff ff jne 0xfffffd8d
20: e9 70 fd ff ff jmpq 0xfffffd95
25: e8 a3 46 5c ff callq 0xff5c46cd
2a: 0f 0b ud2 <-- trapping instruction
2c: 90 nop
2d: 55 push %rbp
2e: 41 57 push %r15
30: 41 56 push %r14
32: 41 55 push %r13
34: 41 54 push %r12
36: 53 push %rbx
37: 48 83 ec 20 sub $0x20,%rsp
3b: 41 89 d5 mov %edx,%r13d
3e: 89 f5 mov %esi,%ebp


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches

syzbot

Aug 5, 2022, 7:46:33 AM8/5/22
to adilger...@dilger.ca, linux...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, ty...@mit.edu
syzbot has found a reproducer for the following issue on:

HEAD commit: 200e340f2196 Merge tag 'pull-work.dcache' of git://git.ker..
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=15a655b6080000
kernel config: https://syzkaller.appspot.com/x/.config?x=a3f4d6985d3164cd
dashboard link: https://syzkaller.appspot.com/bug?extid=e2efa3efc15a1c9e95c3
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13b248e1080000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11ba3e3e080000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+e2efa3...@syzkaller.appspotmail.com

EXT4-fs (loop0): ext4_check_descriptors: Checksum for group 0 failed (14603!=0)
EXT4-fs (loop0): orphan cleanup on readonly fs
EXT4-fs error (device loop0): ext4_mb_clear_bb:5962: comm syz-executor137: Freeing blocks in system zone - Block = 16, count = 16
EXT4-fs (loop0): Remounting filesystem read-only
------------[ cut here ]------------
kernel BUG at fs/ext4/ext4.h:3319!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 3607 Comm: syz-executor137 Not tainted 5.19.0-syzkaller-02972-g200e340f2196 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022
RIP: 0010:ext4_get_group_info+0x36e/0x3d0 fs/ext4/ext4.h:3319
Code: ff 48 c7 c2 a0 b5 e2 89 be c3 02 00 00 48 c7 c7 00 b6 e2 89 c6 05 39 e3 89 0b 01 e8 fc 1d 16 07 e9 d9 fd ff ff e8 22 af 5d ff <0f> 0b e8 9b 76 aa ff e9 ea fc ff ff e8 91 76 aa ff e9 24 fd ff ff
RSP: 0018:ffffc90002fcf210 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 00000000ffffffff RCX: 0000000000000000
RDX: ffff888024b99d80 RSI: ffffffff821d2a9e RDI: 0000000000000004
RBP: ffff888021e86000 R08: 0000000000000004 R09: 0000000000000001
R10: 00000000ffffffff R11: 0000000000000001 R12: ffff888021ee2000
R13: ffff888021ee2678 R14: 0000000000000001 R15: dffffc0000000000
FS: 00005555570a1300(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000005ded08 CR3: 0000000025559000 CR4: 0000000000350ee0
Call Trace:
<TASK>
ext4_mb_clear_bb fs/ext4/mballoc.c:5935 [inline]
ext4_free_blocks+0x4a2/0x2060 fs/ext4/mballoc.c:6185
ext4_clear_blocks+0x329/0x430 fs/ext4/indirect.c:880
ext4_free_data+0x1a3/0x3e0 fs/ext4/indirect.c:954
ext4_ind_truncate+0x6a2/0x950 fs/ext4/indirect.c:1146
ext4_truncate+0x696/0x1440 fs/ext4/inode.c:4244
ext4_evict_inode+0xa5f/0x1970 fs/ext4/inode.c:284
evict+0x2ed/0x6b0 fs/inode.c:664
iput_final fs/inode.c:1744 [inline]
iput.part.0+0x562/0x820 fs/inode.c:1770
iput+0x58/0x70 fs/inode.c:1760
ext4_quota_enable fs/ext4/super.c:6781 [inline]
ext4_enable_quotas+0x5c4/0xb70 fs/ext4/super.c:6804
ext4_orphan_cleanup+0xde1/0x10f0 fs/ext4/orphan.c:432
__ext4_fill_super fs/ext4/super.c:5368 [inline]
ext4_fill_super+0xac9a/0xe830 fs/ext4/super.c:5507
get_tree_bdev+0x440/0x760 fs/super.c:1292
vfs_get_tree+0x89/0x2f0 fs/super.c:1497
do_new_mount fs/namespace.c:3040 [inline]
path_mount+0x1320/0x1fa0 fs/namespace.c:3370
do_mount fs/namespace.c:3383 [inline]
__do_sys_mount fs/namespace.c:3591 [inline]
__se_sys_mount fs/namespace.c:3568 [inline]
__x64_sys_mount+0x27f/0x300 fs/namespace.c:3568
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fa6cfe974da
Code: 83 c4 08 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffc803cf6f8 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007ffc803cf750 RCX: 00007fa6cfe974da
RDX: 0000000020000000 RSI: 0000000020000040 RDI: 00007ffc803cf710
RBP: 00007ffc803cf710 R08: 00007ffc803cf750 R09: 0000000800000015
R10: 0000000000000081 R11: 0000000000000206 R12: 0000000000000004
R13: 0000000000000003 R14: 0000000000000003 R15: 0000000000000010
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:ext4_get_group_info+0x36e/0x3d0 fs/ext4/ext4.h:3319
Code: ff 48 c7 c2 a0 b5 e2 89 be c3 02 00 00 48 c7 c7 00 b6 e2 89 c6 05 39 e3 89 0b 01 e8 fc 1d 16 07 e9 d9 fd ff ff e8 22 af 5d ff <0f> 0b e8 9b 76 aa ff e9 ea fc ff ff e8 91 76 aa ff e9 24 fd ff ff
RSP: 0018:ffffc90002fcf210 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 00000000ffffffff RCX: 0000000000000000
RDX: ffff888024b99d80 RSI: ffffffff821d2a9e RDI: 0000000000000004
RBP: ffff888021e86000 R08: 0000000000000004 R09: 0000000000000001
R10: 00000000ffffffff R11: 0000000000000001 R12: ffff888021ee2000
R13: ffff888021ee2678 R14: 0000000000000001 R15: dffffc0000000000
FS: 00005555570a1300(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffc803d0000 CR3: 0000000025559000 CR4: 0000000000350ef0

Theodore Ts'o

Apr 29, 2023, 12:12:02 AM4/29/23
to syzkaller-bugs

Theodore Ts'o

Apr 29, 2023, 12:17:24 AM4/29/23
to syzbot, ty...@mit.edu, syzkall...@googlegroups.com
Let's see if this actually gets to the syzbot....

syzbot

Apr 29, 2023, 12:39:31 AM4/29/23
to syzkall...@googlegroups.com, ty...@mit.edu
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
kernel BUG in ext4_get_group_info

EXT4-fs warning (device loop1): ext4_discard_preallocations:5230: pa_pstart 224 invalid max 2989446808 group 4294960881
------------[ cut here ]------------
kernel BUG at fs/ext4/ext4.h:3241!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 5634 Comm: syz-executor.1 Not tainted 6.3.0-rc3-syzkaller-00112-gb8df5bf2ef81 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023
RIP: 0010:ext4_get_group_info+0x399/0x3a0 fs/ext4/ext4.h:3241
Code: 4f ff 8b 74 24 04 48 c7 c7 c0 aa 0b 8d 4c 89 f2 e8 bc d3 2d 02 43 80 3c 2c 00 0f 85 23 fd ff ff e9 26 fd ff ff e8 b7 55 4f ff <0f> 0b 0f 1f 44 00 00 55 41 57 41 56 41 54 53 48 89 fb 49 bf 00 00
RSP: 0018:ffffc9000509f3b8 EFLAGS: 00010293
RAX: ffffffff823b1769 RBX: 00000000ffffe6f1 RCX: ffff88801dec57c0
RDX: 0000000000000000 RSI: 00000000ffffe6f1 RDI: 0000000000000001
RBP: 0000000000000001 R08: ffffffff823b1439 R09: fffff52000a13e21
R10: 0000000000000000 R11: dffffc0000000001 R12: 1ffff1100d8b84cf
R13: dffffc0000000000 R14: ffff88806c5c4000 R15: ffff88806c5c2678
FS: 00007f53d0758700(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000562317cfa131 CR3: 0000000023695000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
ext4_mb_load_buddy_gfp+0xc6/0x850 fs/ext4/mballoc.c:1446
ext4_discard_preallocations+0x925/0x12e0 fs/ext4/mballoc.c:5233
ext4_truncate+0x98b/0x1150 fs/ext4/inode.c:4148
ext4_truncate_failed_write fs/ext4/truncate.h:22 [inline]
ext4_write_begin+0xa14/0x10a0 fs/ext4/inode.c:1231
ext4_da_write_begin+0x300/0xa40 fs/ext4/inode.c:2891
generic_perform_write+0x300/0x5e0 mm/filemap.c:3926
ext4_buffered_write_iter+0x122/0x3a0 fs/ext4/file.c:289
ext4_file_write_iter+0x1d6/0x1930
call_write_iter include/linux/fs.h:1851 [inline]
new_sync_write fs/read_write.c:491 [inline]
vfs_write+0x7b2/0xbb0 fs/read_write.c:584
ksys_write+0x1a0/0x2c0 fs/read_write.c:637
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f53cfa8c0f9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f53d0758168 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f53cfbabf80 RCX: 00007f53cfa8c0f9
RDX: 000000000208e24b RSI: 0000000020000000 RDI: 0000000000000006
RBP: 00007f53cfae7b39 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffdc1d0e74f R14: 00007f53d0758300 R15: 0000000000022000
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:ext4_get_group_info+0x399/0x3a0 fs/ext4/ext4.h:3241
Code: 4f ff 8b 74 24 04 48 c7 c7 c0 aa 0b 8d 4c 89 f2 e8 bc d3 2d 02 43 80 3c 2c 00 0f 85 23 fd ff ff e9 26 fd ff ff e8 b7 55 4f ff <0f> 0b 0f 1f 44 00 00 55 41 57 41 56 41 54 53 48 89 fb 49 bf 00 00
RSP: 0018:ffffc9000509f3b8 EFLAGS: 00010293
RAX: ffffffff823b1769 RBX: 00000000ffffe6f1 RCX: ffff88801dec57c0
RDX: 0000000000000000 RSI: 00000000ffffe6f1 RDI: 0000000000000001
RBP: 0000000000000001 R08: ffffffff823b1439 R09: fffff52000a13e21
R10: 0000000000000000 R11: dffffc0000000001 R12: 1ffff1100d8b84cf
R13: dffffc0000000000 R14: ffff88806c5c4000 R15: ffff88806c5c2678
FS: 00007f53d0758700(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f153d6403b0 CR3: 0000000023695000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


Tested on:

commit: b8df5bf2 ext4: DO NOT MERGE
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git test
console output: https://syzkaller.appspot.com/x/log.txt?x=123c4610280000
kernel config: https://syzkaller.appspot.com/x/.config?x=acdb62bf488a8fe5
dashboard link: https://syzkaller.appspot.com/bug?extid=e2efa3efc15a1c9e95c3
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2

Note: no patches were applied.

Theodore Ts'o

Apr 29, 2023, 1:14:58 AM4/29/23
to syzbot, syzkall...@googlegroups.com
For the record, this doesn't reproduce under KVM; it only reproduces
via the syzbot's own testing (or presumably, in GCE, but I'm lazy and
it's easier just to use #syz test :-).

syzbot

Apr 29, 2023, 1:38:17 AM4/29/23
to syzkall...@googlegroups.com, ty...@mit.edu
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
kernel BUG in ext4_get_group_info

EXT4-fs warning (device loop1): ext4_discard_preallocations:5231: pa_pstart 224 invalid max 2989446808 first_data_block 3363080518 group 4294960881
------------[ cut here ]------------
kernel BUG at fs/ext4/ext4.h:3241!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 5588 Comm: syz-executor.1 Not tainted 6.3.0-rc3-syzkaller-00112-gf27e371f2ea8 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023
RIP: 0010:ext4_get_group_info+0x399/0x3a0 fs/ext4/ext4.h:3241
Code: 4f ff 8b 74 24 04 48 c7 c7 c0 aa 0b 8d 4c 89 f2 e8 3c d4 2d 02 43 80 3c 2c 00 0f 85 23 fd ff ff e9 26 fd ff ff e8 b7 55 4f ff <0f> 0b 0f 1f 44 00 00 55 41 57 41 56 41 54 53 48 89 fb 49 bf 00 00
RSP: 0018:ffffc900060273b8 EFLAGS: 00010293
RAX: ffffffff823b1769 RBX: 00000000ffffe6f1 RCX: ffff888024491d40
RDX: 0000000000000000 RSI: 00000000ffffe6f1 RDI: 0000000000000001
RBP: 0000000000000001 R08: ffffffff823b1439 R09: fffffbfff205c04c
R10: 0000000000000000 R11: dffffc0000000001 R12: 1ffff1100e1bdccf
R13: dffffc0000000000 R14: ffff888070d38000 R15: ffff888070dee678
FS: 00007fbab93cf700(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f568ca290a0 CR3: 000000007d138000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
ext4_mb_load_buddy_gfp+0xc6/0x850 fs/ext4/mballoc.c:1446
ext4_discard_preallocations+0x94d/0x1330 fs/ext4/mballoc.c:5234
ext4_truncate+0x98b/0x1150 fs/ext4/inode.c:4148
ext4_truncate_failed_write fs/ext4/truncate.h:22 [inline]
ext4_write_begin+0xa14/0x10a0 fs/ext4/inode.c:1231
ext4_da_write_begin+0x300/0xa40 fs/ext4/inode.c:2891
generic_perform_write+0x300/0x5e0 mm/filemap.c:3926
ext4_buffered_write_iter+0x122/0x3a0 fs/ext4/file.c:289
ext4_file_write_iter+0x1d6/0x1930
call_write_iter include/linux/fs.h:1851 [inline]
new_sync_write fs/read_write.c:491 [inline]
vfs_write+0x7b2/0xbb0 fs/read_write.c:584
ksys_write+0x1a0/0x2c0 fs/read_write.c:637
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fbab868c0f9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fbab93cf168 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007fbab87ac050 RCX: 00007fbab868c0f9
RDX: 000000000208e24b RSI: 0000000020000000 RDI: 0000000000000006
RBP: 00007fbab86e7b39 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fff00177e4f R14: 00007fbab93cf300 R15: 0000000000022000
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:ext4_get_group_info+0x399/0x3a0 fs/ext4/ext4.h:3241
Code: 4f ff 8b 74 24 04 48 c7 c7 c0 aa 0b 8d 4c 89 f2 e8 3c d4 2d 02 43 80 3c 2c 00 0f 85 23 fd ff ff e9 26 fd ff ff e8 b7 55 4f ff <0f> 0b 0f 1f 44 00 00 55 41 57 41 56 41 54 53 48 89 fb 49 bf 00 00
RSP: 0018:ffffc900060273b8 EFLAGS: 00010293
RAX: ffffffff823b1769 RBX: 00000000ffffe6f1 RCX: ffff888024491d40
RDX: 0000000000000000 RSI: 00000000ffffe6f1 RDI: 0000000000000001
RBP: 0000000000000001 R08: ffffffff823b1439 R09: fffffbfff205c04c
R10: 0000000000000000 R11: dffffc0000000001 R12: 1ffff1100e1bdccf
R13: dffffc0000000000 R14: ffff888070d38000 R15: ffff888070dee678
FS: 00007fbab93cf700(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f568ca290a0 CR3: 000000007d138000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


Tested on:

commit: f27e371f ext4: DO NOT MERGE
console output: https://syzkaller.appspot.com/x/log.txt?x=10c7a594280000

Theodore Ts'o

Apr 29, 2023, 12:37:42 PM4/29/23
to syzbot, syzkall...@googlegroups.com
OK, I think I've figured out what is going on. The reproducer is
writing garbage into the ext4 superblock via the loop device while the
file system is mounted, and when s_first_data_block gets set to a
large number, this can result in a group number which is out of range,
and this trips the BUG() in ext4_get_group_info().

If you are actively modifying a mounted file system, you will get to
keep both pieces, and in general, this will require root access, or at
least write access to the block device.

We can try to add some sanity checks to prevent this particular
problem, but in general, if you can write to the block device, you can
set the setuid bit on /bin/bash, or do any number of "interesting"
things to the file system. Doctor, doctor, it hurts when I do that...
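The diagnosis above, worked through as an added example. This is constructed model code written for this page, not ext4's source: it copies only the arithmetic shape of the group-number calculation (64-bit block number minus s_first_data_block, divided by blocks per group, truncated to 32 bits) and the two possible shapes of the range check, a BUG_ON() versus an error return. The block number 224 and first_data_block 3363080518 are taken from the "pa_pstart 224 invalid ... first_data_block 3363080518 group 4294960881" warning in the syzbot test log earlier in the thread; blocks_per_group = 524288 and groups_count = 1 are assumptions (524288 is the blocks-per-group value for which that subtraction reproduces the logged group number 4294960881, which is also the 0xffffe6f1 sitting in RBX in the register dumps).

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#ifndef EUCLEAN
#define EUCLEAN 117           /* the kernel's EFSCORRUPTED is EUCLEAN */
#endif

/*
 * Constructed model of the three superblock-derived values that feed the
 * group-number calculation. Not ext4's real structures.
 */
struct fs_geometry {
    uint32_t first_data_block;  /* es->s_first_data_block, read from disk */
    uint32_t blocks_per_group;  /* sbi->s_blocks_per_group */
    uint32_t groups_count;      /* sbi->s_groups_count */
};

/*
 * Same arithmetic shape as the group/offset split in ext4: subtract the
 * first data block from a 64-bit block number, divide by blocks per
 * group, keep the low 32 bits as the group number. When a scribbled
 * superblock makes first_data_block larger than blocknr, the subtraction
 * wraps and the resulting group lands far beyond groups_count.
 */
static uint32_t group_of_block(const struct fs_geometry *g, uint64_t blocknr)
{
    uint64_t rel = blocknr - g->first_data_block;   /* wraps on underflow */
    return (uint32_t)(rel / g->blocks_per_group);
}

/* Shape of the original check: a BUG_ON() that takes the whole kernel down. */
static int would_bug_on(const struct fs_geometry *g, uint32_t group)
{
    return group >= g->groups_count;   /* BUG_ON(group >= groups_count) */
}

/*
 * Hardened shape: treat an out-of-range group as on-disk corruption, log
 * it, and let the caller fail the operation (and remount read-only)
 * instead of crashing the machine.
 */
static int checked_group_lookup(const struct fs_geometry *g, uint32_t group)
{
    if (group >= g->groups_count) {
        fprintf(stderr,
                "ext4 model: group %u >= groups_count %u, corrupted superblock?\n",
                group, g->groups_count);
        return -EUCLEAN;
    }
    return 0;   /* caller may now index the group-info array safely */
}

int main(void)
{
    /* first_data_block and block 224 come from the warning line in the log;
     * blocks_per_group and groups_count are assumed (see lead-in). */
    struct fs_geometry scribbled = {
        .first_data_block = 3363080518u,
        .blocks_per_group = 524288u,
        .groups_count = 1u,
    };
    struct fs_geometry sane = {
        .first_data_block = 0u,
        .blocks_per_group = 524288u,
        .groups_count = 1u,
    };

    uint32_t ok  = group_of_block(&sane, 224);
    uint32_t bad = group_of_block(&scribbled, 224);

    printf("sane:      block 224 -> group %u, BUG_ON would fire: %d\n",
           ok, would_bug_on(&sane, ok));
    printf("scribbled: block 224 -> group %u, BUG_ON would fire: %d\n",
           bad, would_bug_on(&scribbled, bad));
    printf("hardened lookup returns %d for the scribbled case\n",
           checked_group_lookup(&scribbled, bad));
    return 0;
}
```

The model reproduces the logged number exactly: 224 minus 3363080518 wraps to 2^64 - 3363080294, dividing by 524288 gives 2^45 - 6415, and the low 32 bits of that are 4294960881. Turning the BUG_ON into an error return is the shape of fix the last tested commit's subject line points at, and it only hardens this one consumer of the group number; as the message above says, the real boundary is write access to the block device, and an ext4_error()-style failure with a read-only remount is the most the file system can sensibly do once that boundary has been crossed.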



syzbot

Apr 29, 2023, 1:14:23 PM4/29/23
to syzkall...@googlegroups.com, ty...@mit.edu
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
kernel BUG in ext4_mb_release_group_pa

------------[ cut here ]------------
kernel BUG at fs/ext4/mballoc.c:5050!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 11423 Comm: syz-executor.3 Not tainted 6.3.0-rc3-syzkaller-00112-gb9d6ed27a284 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023
RIP: 0010:ext4_mb_release_group_pa+0x5ff/0x660 fs/ext4/mballoc.c:5050
Code: 89 df e8 14 11 a2 ff 48 8b 3b 48 8b 74 24 18 4c 89 ea e8 14 7c 04 00 eb 22 e8 6d 5f 4c ff 0f 0b e8 86 2e 62 08 e8 61 5f 4c ff <0f> 0b e8 5a 5f 4c ff e9 71 fb ff ff e8 50 5f 4c ff 31 db 65 ff 0d
RSP: 0018:ffffc900045ceac0 EFLAGS: 00010293
RAX: ffffffff823e0dbf RBX: 0000000000000003 RCX: ffff8880784f1d40
RDX: 0000000000000000 RSI: 0000000000000003 RDI: 0000000000000000
RBP: ffffc900045ceb90 R08: ffffffff823e0a0e R09: fffffbfff1ca6fbe
R10: 0000000000000000 R11: dffffc0000000001 R12: ffffc900045ceb20
R13: ffff88806aac4ae0 R14: dffffc0000000000 R15: 00000000ffffe6f1
FS: 00007f99bc010700(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f99bbfef718 CR3: 000000001e4f1000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
ext4_mb_discard_group_preallocations+0xd79/0x1080 fs/ext4/mballoc.c:5151
ext4_mb_discard_preallocations fs/ext4/mballoc.c:5706 [inline]
ext4_mb_discard_preallocations_should_retry+0x245/0x940 fs/ext4/mballoc.c:5727
ext4_mb_new_blocks+0x3163/0x44a0 fs/ext4/mballoc.c:5861
ext4_ext_map_blocks+0x1973/0x7210 fs/ext4/extents.c:4286
ext4_map_blocks+0xa4c/0x1cf0 fs/ext4/inode.c:623
_ext4_get_block+0x238/0x6a0 fs/ext4/inode.c:779
ext4_block_write_begin+0x53e/0x15a0 fs/ext4/inode.c:1059
ext4_write_begin+0x60a/0x10a0
ext4_da_write_begin+0x300/0xa40 fs/ext4/inode.c:2891
generic_perform_write+0x300/0x5e0 mm/filemap.c:3926
ext4_buffered_write_iter+0x122/0x3a0 fs/ext4/file.c:289
ext4_file_write_iter+0x1d6/0x1930
call_write_iter include/linux/fs.h:1851 [inline]
new_sync_write fs/read_write.c:491 [inline]
vfs_write+0x7b2/0xbb0 fs/read_write.c:584
ksys_write+0x1a0/0x2c0 fs/read_write.c:637
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f99bb28c0f9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f99bc010168 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f99bb3abf80 RCX: 00007f99bb28c0f9
RDX: 000000000208e24b RSI: 0000000020000000 RDI: 0000000000000006
RBP: 00007f99bb2e7b39 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffcd038143f R14: 00007f99bc010300 R15: 0000000000022000
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:ext4_mb_release_group_pa+0x5ff/0x660 fs/ext4/mballoc.c:5050
Code: 89 df e8 14 11 a2 ff 48 8b 3b 48 8b 74 24 18 4c 89 ea e8 14 7c 04 00 eb 22 e8 6d 5f 4c ff 0f 0b e8 86 2e 62 08 e8 61 5f 4c ff <0f> 0b e8 5a 5f 4c ff e9 71 fb ff ff e8 50 5f 4c ff 31 db 65 ff 0d
RSP: 0018:ffffc900045ceac0 EFLAGS: 00010293
RAX: ffffffff823e0dbf RBX: 0000000000000003 RCX: ffff8880784f1d40
RDX: 0000000000000000 RSI: 0000000000000003 RDI: 0000000000000000
RBP: ffffc900045ceb90 R08: ffffffff823e0a0e R09: fffffbfff1ca6fbe
R10: 0000000000000000 R11: dffffc0000000001 R12: ffffc900045ceb20
R13: ffff88806aac4ae0 R14: dffffc0000000000 R15: 00000000ffffe6f1
FS: 00007f99bc010700(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f99bbfef718 CR3: 000000001e4f1000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


Tested on:

commit: b9d6ed27 ext4: DO NOT MERGE: allow ext4_get_group_info..
console output: https://syzkaller.appspot.com/x/log.txt?x=140e93b4280000

Theodore Ts'o

Apr 29, 2023, 4:26:37 PM4/29/23
to syzbot, syzkall...@googlegroups.com
Found another BUG_ON when you scribble on a mounted file system via
the block device....

syzbot

Apr 29, 2023, 5:41:27 PM4/29/23
to syzkall...@googlegroups.com, ty...@mit.edu
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+e2efa3...@syzkaller.appspotmail.com

Tested on:

commit: 493cc71f ext4: DO NOT MERGE: replace BUG_ON with an ex..
console output: https://syzkaller.appspot.com/x/log.txt?x=16bc7508280000
kernel config: https://syzkaller.appspot.com/x/.config?x=acdb62bf488a8fe5
dashboard link: https://syzkaller.appspot.com/bug?extid=e2efa3efc15a1c9e95c3
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2

Note: no patches were applied.
Note: testing is done by a robot and is best-effort only.