[syzbot] [mm?] general protection fault in shmem_get_next_id
19 views
Skip to first unread message
syzbot
Apr 2, 2024, 2:58:22 AMApr 2
to ak...@linux-foundation.org, linux-...@vger.kernel.org, linu...@kvack.org, syzkall...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: fe46a7dd189e Merge tag 'sound-6.9-rc1' of git://git.kernel..
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=10c90795180000
kernel config: https://syzkaller.appspot.com/x/.config?x=fe78468a74fdc3b7
dashboard link: https://syzkaller.appspot.com/bug?extid=05e63c0981a31f35f3fa
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17f51129180000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=150d3cee180000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/0f7abe4afac7/disk-fe46a7dd.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/82598d09246c/vmlinux-fe46a7dd.xz
kernel image: https://storage.googleapis.com/syzbot-assets/efa23788c875/bzImage-fe46a7dd.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+05e63c...@syzkaller.appspotmail.com
general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 0 PID: 5070 Comm: syz-executor253 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
RIP: 0010:shmem_get_next_id+0x92/0x5c0 mm/shmem_quota.c:119
Code: 04 db 49 8d 9c c6 90 02 00 00 48 89 d8 48 c1 e8 03 42 80 3c 38 00 74 08 48 89 df e8 f8 66 1b 00 48 8b 1b 48 89 d8 48 c1 e8 03 <42> 80 3c 38 00 74 08 48 89 df e8 df 66 1b 00 4c 8b 23 48 8d 5d 07
RSP: 0018:ffffc900043a7be0 EFLAGS: 00010256
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff8880266c8000
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000004
RBP: ffffc900043a7d00 R08: ffffffff81dcdd47 R09: ffffffff822e7d5a
R10: 0000000000000003 R11: ffffffff81dcdcf0 R12: 1ffff92000874fa0
R13: ffff888022110000 R14: ffff888022110000 R15: dffffc0000000000
FS: 0000555578677380(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020001000 CR3: 000000007a384000 CR4: 0000000000350ef0
Call Trace:
<TASK>
dquot_get_next_dqblk+0x75/0x3a0 fs/quota/dquot.c:2705
quota_getnextquota+0x2c7/0x6c0 fs/quota/quota.c:250
__do_sys_quotactl_fd fs/quota/quota.c:1002 [inline]
__se_sys_quotactl_fd+0x2a1/0x440 fs/quota/quota.c:973
do_syscall_64+0xfd/0x240
entry_SYSCALL_64_after_hwframe+0x6d/0x75
RIP: 0033:0x7f5c0349b329
Code: 48 83 c4 28 c3 e8 37 17 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffc39d71138 EFLAGS: 00000246 ORIG_RAX: 00000000000001bb
RAX: ffffffffffffffda RBX: 0031656c69662f2e RCX: 00007f5c0349b329
RDX: 0000000000000000 RSI: ffffffff80000901 RDI: 0000000000000003
RBP: 00007f5c0350e610 R08: 0000000000000000 R09: 00007ffc39d71308
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
R13: 00007ffc39d712f8 R14: 0000000000000001 R15: 0000000000000001
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:shmem_get_next_id+0x92/0x5c0 mm/shmem_quota.c:119
Code: 04 db 49 8d 9c c6 90 02 00 00 48 89 d8 48 c1 e8 03 42 80 3c 38 00 74 08 48 89 df e8 f8 66 1b 00 48 8b 1b 48 89 d8 48 c1 e8 03 <42> 80 3c 38 00 74 08 48 89 df e8 df 66 1b 00 4c 8b 23 48 8d 5d 07
RSP: 0018:ffffc900043a7be0 EFLAGS: 00010256
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff8880266c8000
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000004
RBP: ffffc900043a7d00 R08: ffffffff81dcdd47 R09: ffffffff822e7d5a
R10: 0000000000000003 R11: ffffffff81dcdcf0 R12: 1ffff92000874fa0
R13: ffff888022110000 R14: ffff888022110000 R15: dffffc0000000000
FS: 0000555578677380(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020001000 CR3: 000000007a384000 CR4: 0000000000350ef0
----------------
Code disassembly (best guess):
0: 04 db add $0xdb,%al
2: 49 8d 9c c6 90 02 00 lea 0x290(%r14,%rax,8),%rbx
9: 00
a: 48 89 d8 mov %rbx,%rax
d: 48 c1 e8 03 shr $0x3,%rax
11: 42 80 3c 38 00 cmpb $0x0,(%rax,%r15,1)
16: 74 08 je 0x20
18: 48 89 df mov %rbx,%rdi
1b: e8 f8 66 1b 00 call 0x1b6718
20: 48 8b 1b mov (%rbx),%rbx
23: 48 89 d8 mov %rbx,%rax
26: 48 c1 e8 03 shr $0x3,%rax
* 2a: 42 80 3c 38 00 cmpb $0x0,(%rax,%r15,1) <-- trapping instruction
2f: 74 08 je 0x39
31: 48 89 df mov %rbx,%rdi
34: e8 df 66 1b 00 call 0x1b6718
39: 4c 8b 23 mov (%rbx),%r12
3c: 48 8d 5d 07 lea 0x7(%rbp),%rbx
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: fe46a7dd189e Merge tag 'sound-6.9-rc1' of git://git.kernel..
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=10c90795180000
kernel config: https://syzkaller.appspot.com/x/.config?x=fe78468a74fdc3b7
dashboard link: https://syzkaller.appspot.com/bug?extid=05e63c0981a31f35f3fa
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17f51129180000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=150d3cee180000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/0f7abe4afac7/disk-fe46a7dd.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/82598d09246c/vmlinux-fe46a7dd.xz
kernel image: https://storage.googleapis.com/syzbot-assets/efa23788c875/bzImage-fe46a7dd.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+05e63c...@syzkaller.appspotmail.com
general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 0 PID: 5070 Comm: syz-executor253 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
RIP: 0010:shmem_get_next_id+0x92/0x5c0 mm/shmem_quota.c:119
Code: 04 db 49 8d 9c c6 90 02 00 00 48 89 d8 48 c1 e8 03 42 80 3c 38 00 74 08 48 89 df e8 f8 66 1b 00 48 8b 1b 48 89 d8 48 c1 e8 03 <42> 80 3c 38 00 74 08 48 89 df e8 df 66 1b 00 4c 8b 23 48 8d 5d 07
RSP: 0018:ffffc900043a7be0 EFLAGS: 00010256
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff8880266c8000
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000004
RBP: ffffc900043a7d00 R08: ffffffff81dcdd47 R09: ffffffff822e7d5a
R10: 0000000000000003 R11: ffffffff81dcdcf0 R12: 1ffff92000874fa0
R13: ffff888022110000 R14: ffff888022110000 R15: dffffc0000000000
FS: 0000555578677380(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020001000 CR3: 000000007a384000 CR4: 0000000000350ef0
Call Trace:
<TASK>
dquot_get_next_dqblk+0x75/0x3a0 fs/quota/dquot.c:2705
quota_getnextquota+0x2c7/0x6c0 fs/quota/quota.c:250
__do_sys_quotactl_fd fs/quota/quota.c:1002 [inline]
__se_sys_quotactl_fd+0x2a1/0x440 fs/quota/quota.c:973
do_syscall_64+0xfd/0x240
entry_SYSCALL_64_after_hwframe+0x6d/0x75
RIP: 0033:0x7f5c0349b329
Code: 48 83 c4 28 c3 e8 37 17 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffc39d71138 EFLAGS: 00000246 ORIG_RAX: 00000000000001bb
RAX: ffffffffffffffda RBX: 0031656c69662f2e RCX: 00007f5c0349b329
RDX: 0000000000000000 RSI: ffffffff80000901 RDI: 0000000000000003
RBP: 00007f5c0350e610 R08: 0000000000000000 R09: 00007ffc39d71308
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
R13: 00007ffc39d712f8 R14: 0000000000000001 R15: 0000000000000001
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:shmem_get_next_id+0x92/0x5c0 mm/shmem_quota.c:119
Code: 04 db 49 8d 9c c6 90 02 00 00 48 89 d8 48 c1 e8 03 42 80 3c 38 00 74 08 48 89 df e8 f8 66 1b 00 48 8b 1b 48 89 d8 48 c1 e8 03 <42> 80 3c 38 00 74 08 48 89 df e8 df 66 1b 00 4c 8b 23 48 8d 5d 07
RSP: 0018:ffffc900043a7be0 EFLAGS: 00010256
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff8880266c8000
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000004
RBP: ffffc900043a7d00 R08: ffffffff81dcdd47 R09: ffffffff822e7d5a
R10: 0000000000000003 R11: ffffffff81dcdcf0 R12: 1ffff92000874fa0
R13: ffff888022110000 R14: ffff888022110000 R15: dffffc0000000000
FS: 0000555578677380(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020001000 CR3: 000000007a384000 CR4: 0000000000350ef0
----------------
Code disassembly (best guess):
0: 04 db add $0xdb,%al
2: 49 8d 9c c6 90 02 00 lea 0x290(%r14,%rax,8),%rbx
9: 00
a: 48 89 d8 mov %rbx,%rax
d: 48 c1 e8 03 shr $0x3,%rax
11: 42 80 3c 38 00 cmpb $0x0,(%rax,%r15,1)
16: 74 08 je 0x20
18: 48 89 df mov %rbx,%rdi
1b: e8 f8 66 1b 00 call 0x1b6718
20: 48 8b 1b mov (%rbx),%rbx
23: 48 89 d8 mov %rbx,%rax
26: 48 c1 e8 03 shr $0x3,%rax
* 2a: 42 80 3c 38 00 cmpb $0x0,(%rax,%r15,1) <-- trapping instruction
2f: 74 08 je 0x39
31: 48 89 df mov %rbx,%rdi
34: e8 df 66 1b 00 call 0x1b6718
39: 4c 8b 23 mov (%rbx),%r12
3c: 48 8d 5d 07 lea 0x7(%rbp),%rbx
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
Hillf Danton
Apr 2, 2024, 9:01:02 AMApr 2
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Mon, 01 Apr 2024 23:58:20 -0700
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git fe46a7dd189e
--- x/mm/shmem_quota.c
+++ y/mm/shmem_quota.c
@@ -116,7 +116,7 @@ static int shmem_free_file_info(struct s
static int shmem_get_next_id(struct super_block *sb, struct kqid *qid)
{
struct mem_dqinfo *info = sb_dqinfo(sb, qid->type);
- struct rb_node *node = ((struct rb_root *)info->dqi_priv)->rb_node;
+ struct rb_node *node;
qid_t id = from_kqid(&init_user_ns, *qid);
struct quota_info *dqopt = sb_dqopt(sb);
struct quota_id *entry = NULL;
@@ -126,6 +126,11 @@ static int shmem_get_next_id(struct supe
return -ESRCH;
down_read(&dqopt->dqio_sem);
+ if (!info->dqi_priv) {
+ ret = -ENOENT;
+ goto out_unlock;
+ }
+ node = ((struct rb_root *)info->dqi_priv)->rb_node;
while (node) {
entry = rb_entry(node, struct quota_id, node);
--
> syzbot found the following issue on:
>
> HEAD commit: fe46a7dd189e Merge tag 'sound-6.9-rc1' of git://git.kernel..
> git tree: upstream
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=150d3cee180000
>
> HEAD commit: fe46a7dd189e Merge tag 'sound-6.9-rc1' of git://git.kernel..
> git tree: upstream
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git fe46a7dd189e
--- x/mm/shmem_quota.c
+++ y/mm/shmem_quota.c
@@ -116,7 +116,7 @@ static int shmem_free_file_info(struct s
static int shmem_get_next_id(struct super_block *sb, struct kqid *qid)
{
struct mem_dqinfo *info = sb_dqinfo(sb, qid->type);
- struct rb_node *node = ((struct rb_root *)info->dqi_priv)->rb_node;
+ struct rb_node *node;
qid_t id = from_kqid(&init_user_ns, *qid);
struct quota_info *dqopt = sb_dqopt(sb);
struct quota_id *entry = NULL;
@@ -126,6 +126,11 @@ static int shmem_get_next_id(struct supe
return -ESRCH;
down_read(&dqopt->dqio_sem);
+ if (!info->dqi_priv) {
+ ret = -ENOENT;
+ goto out_unlock;
+ }
+ node = ((struct rb_root *)info->dqi_priv)->rb_node;
while (node) {
entry = rb_entry(node, struct quota_id, node);
--
syzbot
Apr 3, 2024, 6:16:04 AMApr 3
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: syzbot+05e63c...@syzkaller.appspotmail.com
Tested on:
commit: fe46a7dd Merge tag 'sound-6.9-rc1' of git://git.kernel..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=12cb9d29180000
Note: testing is done by a robot and is best-effort only.
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: syzbot+05e63c...@syzkaller.appspotmail.com
Tested on:
commit: fe46a7dd Merge tag 'sound-6.9-rc1' of git://git.kernel..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=12cb9d29180000
kernel config: https://syzkaller.appspot.com/x/.config?x=fe78468a74fdc3b7
dashboard link: https://syzkaller.appspot.com/bug?extid=05e63c0981a31f35f3fa
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1156321d180000
dashboard link: https://syzkaller.appspot.com/bug?extid=05e63c0981a31f35f3fa
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Note: testing is done by a robot and is best-effort only.
Andrew Morton
Apr 3, 2024, 9:33:44 PMApr 3
to syzbot, linux-...@vger.kernel.org, linu...@kvack.org, syzkall...@googlegroups.com, Carlos Maiolino, Christian Brauner
On Mon, 01 Apr 2024 23:58:20 -0700 syzbot <syzbot+05e63c...@syzkaller.appspotmail.com> wrote:
> Hello,
Hello.
Seems that the new TMPFS_QUOTA code has blown up. Cc's added, thanks
for the report and the reproducer!
> Hello,
Hello.
Seems that the new TMPFS_QUOTA code has blown up. Cc's added, thanks
for the report and the reproducer!
Carlos Maiolino
Apr 8, 2024, 5:19:28 AMApr 8
to Andrew Morton, syzbot, linux-...@vger.kernel.org, linu...@kvack.org, syzkall...@googlegroups.com, Christian Brauner
On Wed, Apr 03, 2024 at 06:33:39PM -0700, Andrew Morton wrote:
> On Mon, 01 Apr 2024 23:58:20 -0700 syzbot <syzbot+05e63c...@syzkaller.appspotmail.com> wrote:
>
> > Hello,
>
> Hello.
>
> Seems that the new TMPFS_QUOTA code has blown up. Cc's added, thanks
> for the report and the reproducer!
Thanks Andrew,
> On Mon, 01 Apr 2024 23:58:20 -0700 syzbot <syzbot+05e63c...@syzkaller.appspotmail.com> wrote:
>
> > Hello,
>
> Hello.
>
> Seems that the new TMPFS_QUOTA code has blown up. Cc's added, thanks
> for the report and the reproducer!
I'm adding it to my todo list, and will take a look on it ASAP.
Carlos
Carlos Maiolino
Apr 12, 2024, 9:21:22 AMApr 12
to Andrew Morton, syzbot, linux-...@vger.kernel.org, linu...@kvack.org, syzkall...@googlegroups.com, Christian Brauner
On Wed, Apr 03, 2024 at 06:33:39PM -0700, Andrew Morton wrote:
> On Mon, 01 Apr 2024 23:58:20 -0700 syzbot <syzbot+05e63c...@syzkaller.appspotmail.com> wrote:
>
> > Hello,
>
> Hello.
>
> Seems that the new TMPFS_QUOTA code has blown up. Cc's added, thanks
> for the report and the reproducer!
This seem to just have been hit the same race I fixed before, the HEAD commit described here didn't
>
> > Hello,
>
> Hello.
>
> Seems that the new TMPFS_QUOTA code has blown up. Cc's added, thanks
> for the report and the reproducer!
have the fix applied yet, I'll try to reproduce it locally just to confirm.
Carlos
Carlos Maiolino
Apr 12, 2024, 12:24:05 PMApr 12
to Andrew Morton, syzbot, linux-...@vger.kernel.org, linu...@kvack.org, syzkall...@googlegroups.com, Christian Brauner
On Wed, Apr 03, 2024 at 06:33:39PM -0700, Andrew Morton wrote:
> On Mon, 01 Apr 2024 23:58:20 -0700 syzbot <syzbot+05e63c...@syzkaller.appspotmail.com> wrote:
>
> > Hello,
>
> Hello.
>
> Seems that the new TMPFS_QUOTA code has blown up. Cc's added, thanks
> for the report and the reproducer!
Yes, this is easily reproducible here. I can't reproduce it with my earlier fix of the RB tree race.
>
> > Hello,
>
> Hello.
>
> Seems that the new TMPFS_QUOTA code has blown up. Cc's added, thanks
> for the report and the reproducer!
We can ignore this report, this has been reproduced before the race fix has been applied to the main
tree.
Carlos
Reply all
Reply to author
Forward
0 new messages