[syzbot] [kernfs?] [bcachefs?] general protection fault in kernfs_dop_revalidate


syzbot

Nov 26, 2024, 5:54:25 AM
to gre...@linuxfoundation.org, kent.ov...@linux.dev, linux-b...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, t...@kernel.org
Hello,

syzbot found the following issue on:

HEAD commit: 28eb75e178d3 Merge tag 'drm-next-2024-11-21' of https://gi..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=17955b78580000
kernel config: https://syzkaller.appspot.com/x/.config?x=402159daa216c89d
dashboard link: https://syzkaller.appspot.com/bug?extid=e37a1730d63d207fe403
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=163706e8580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/e3c9c97af7d9/disk-28eb75e1.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/1e22f3d29103/vmlinux-28eb75e1.xz
kernel image: https://storage.googleapis.com/syzbot-assets/8ff56ec30fa6/bzImage-28eb75e1.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/92ddc9fa5ec9/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+e37a17...@syzkaller.appspotmail.com

Oops: general protection fault, probably for non-canonical address 0xdffffc000000000a: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000050-0x0000000000000057]
CPU: 0 UID: 0 PID: 5210 Comm: udevd Not tainted 6.12.0-syzkaller-07749-g28eb75e178d3 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024
RIP: 0010:kernfs_root fs/kernfs/kernfs-internal.h:70 [inline]
RIP: 0010:kernfs_dop_revalidate+0x8e/0x560 fs/kernfs/dir.c:1158
Code: c5 80 04 00 00 48 89 e8 48 c1 e8 03 42 80 3c 30 00 74 08 48 89 ef e8 c1 9e c1 ff 4c 8b 7d 00 4d 8d 67 30 4c 89 e3 48 c1 eb 03 <42> 80 3c 33 00 74 08 4c 89 e7 e8 a3 9e c1 ff 49 8b 6f 30 48 85 ed
RSP: 0018:ffffc900033efa90 EFLAGS: 00010206
RAX: 1ffff1100c748639 RBX: 000000000000000a RCX: ffff88807deada00
RDX: ffff88807deada00 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffff888063a431c8 R08: ffffffff823b3da8 R09: 1ffffffff20391a6
R10: dffffc0000000000 R11: ffffffff823b3d80 R12: 0000000000000051
R13: ffff88807affb318 R14: dffffc0000000000 R15: 0000000000000021
FS: 00007fa024cb5c80(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fe48c1ff000 CR3: 000000007d586000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
lookup_fast+0x1f4/0x4a0
walk_component+0x57/0x410 fs/namei.c:2108
lookup_last fs/namei.c:2610 [inline]
path_lookupat+0x16f/0x450 fs/namei.c:2634
filename_lookup+0x2a3/0x670 fs/namei.c:2663
do_readlinkat+0xf0/0x3a0 fs/stat.c:562
__do_sys_readlink fs/stat.c:599 [inline]
__se_sys_readlink fs/stat.c:596 [inline]
__x64_sys_readlink+0x7f/0x90 fs/stat.c:596
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fa024917d47
Code: 73 01 c3 48 8b 0d e1 90 0d 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 59 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d b1 90 0d 00 f7 d8 64 89 01 48
RSP: 002b:00007ffdac68fa58 EFLAGS: 00000246 ORIG_RAX: 0000000000000059
RAX: ffffffffffffffda RBX: 00007ffdac68fa68 RCX: 00007fa024917d47
RDX: 0000000000000400 RSI: 00007ffdac68fa68 RDI: 00007ffdac68ff48
RBP: 0000000000000400 R08: 000055b53fcce374 R09: 0000000000000000
R10: 0000000000000812 R11: 0000000000000246 R12: 00007ffdac68ff48
R13: 00007ffdac68feb8 R14: 000055b53fcc3910 R15: 0000000000000000
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:kernfs_root fs/kernfs/kernfs-internal.h:70 [inline]
RIP: 0010:kernfs_dop_revalidate+0x8e/0x560 fs/kernfs/dir.c:1158
Code: c5 80 04 00 00 48 89 e8 48 c1 e8 03 42 80 3c 30 00 74 08 48 89 ef e8 c1 9e c1 ff 4c 8b 7d 00 4d 8d 67 30 4c 89 e3 48 c1 eb 03 <42> 80 3c 33 00 74 08 4c 89 e7 e8 a3 9e c1 ff 49 8b 6f 30 48 85 ed
RSP: 0018:ffffc900033efa90 EFLAGS: 00010206
RAX: 1ffff1100c748639 RBX: 000000000000000a RCX: ffff88807deada00
RDX: ffff88807deada00 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffff888063a431c8 R08: ffffffff823b3da8 R09: 1ffffffff20391a6
R10: dffffc0000000000 R11: ffffffff823b3d80 R12: 0000000000000051
R13: ffff88807affb318 R14: dffffc0000000000 R15: 0000000000000021
FS: 00007fa024cb5c80(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2ee5ffff CR3: 000000007d586000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess), 1 bytes skipped:
0: 80 04 00 00 addb $0x0,(%rax,%rax,1)
4: 48 89 e8 mov %rbp,%rax
7: 48 c1 e8 03 shr $0x3,%rax
b: 42 80 3c 30 00 cmpb $0x0,(%rax,%r14,1)
10: 74 08 je 0x1a
12: 48 89 ef mov %rbp,%rdi
15: e8 c1 9e c1 ff call 0xffc19edb
1a: 4c 8b 7d 00 mov 0x0(%rbp),%r15
1e: 4d 8d 67 30 lea 0x30(%r15),%r12
22: 4c 89 e3 mov %r12,%rbx
25: 48 c1 eb 03 shr $0x3,%rbx
* 29: 42 80 3c 33 00 cmpb $0x0,(%rbx,%r14,1) <-- trapping instruction
2e: 74 08 je 0x38
30: 4c 89 e7 mov %r12,%rdi
33: e8 a3 9e c1 ff call 0xffc19edb
38: 49 8b 6f 30 mov 0x30(%r15),%rbp
3c: 48 85 ed test %rbp,%rbp


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup
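The two lines "general protection fault, probably for non-canonical address 0xdffffc000000000a" and "KASAN: null-ptr-deref in range [0x50-0x57]" in the report above are the same fault described twice: the first is the raw #GP address, the second is the kernel's translation of it back from KASAN shadow space. The decoder below is an added example, written for this page and not part of the syzbot tooling or the kernel; it reproduces that translation and replays the instruction sequence from the "Code disassembly" section with the register values printed in the oops. It assumes the x86_64 generic-KASAN layout the syzbot config uses (shadow offset 0xdffffc0000000000, which also appears above as R10/R14; 8 bytes of memory per shadow byte; 4 KiB pages; a 47-bit user address space as the "user-memory-access" cut-off), and the classification thresholds are modelled on the kernel's kasan_non_canonical_hook() rather than copied from it.

```c
/*
 * Added example: decode a KASAN "non-canonical address" #GP from an x86_64
 * oops and replay the trapping instruction sequence from the disassembly.
 * Not kernel code. Constants below are assumptions matching the report's
 * config (generic KASAN, 4-level paging).
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define KASAN_SHADOW_OFFSET 0xdffffc0000000000ULL /* CONFIG_KASAN_SHADOW_OFFSET, = R14 in the oops */
#define KASAN_SCALE_SHIFT   3                      /* 8 bytes of memory per shadow byte */
#define KASAN_GRANULE       (1ULL << KASAN_SCALE_SHIFT)
#define PAGE_SIZE_X86       4096ULL
#define USER_TASK_SIZE      (1ULL << 47)           /* assumed upper bound of user addresses */

enum kasan_bug_type {
    KASAN_NOT_SHADOW,            /* fault address is not a shadow address at all */
    KASAN_NULL_PTR_DEREF,        /* original access was inside the zero page */
    KASAN_USER_MEMORY_ACCESS,    /* original access was a user-space address */
    KASAN_WILD_MEMORY_ACCESS     /* original access was some other kernel address */
};

/* Shadow byte that the compiler-inserted KASAN check reads for an access at addr.
 * This is exactly the "shr $0x3 ; cmpb $0x0,(%rbx,%r14,1)" pattern in the oops. */
uint64_t kasan_shadow_of(uint64_t addr)
{
    return (addr >> KASAN_SCALE_SHIFT) + KASAN_SHADOW_OFFSET;
}

/* x86_64 addresses are canonical when bits 63..47 all agree. The shadow of a
 * small (NULL-ish) pointer lands in 0xdffffc00..., which is not canonical, so the
 * CPU raises #GP rather than #PF: that is why the oops is a "general protection
 * fault" and not a page fault. */
bool is_canonical(uint64_t addr)
{
    uint64_t top = addr >> 47; /* 17 high bits */
    return top == 0 || top == 0x1ffff;
}

struct kasan_range {
    uint64_t start, end;
    enum kasan_bug_type type;
};

/* Inverse of kasan_shadow_of(): recover the 8-byte range whose shadow the
 * faulting instruction tried to read, and classify it the way the kernel's
 * "KASAN: ... in range [...]" line does. */
struct kasan_range kasan_decode_fault(uint64_t fault_addr)
{
    struct kasan_range r = { 0, 0, KASAN_NOT_SHADOW };

    if (is_canonical(fault_addr) || fault_addr < KASAN_SHADOW_OFFSET)
        return r;

    r.start = (fault_addr - KASAN_SHADOW_OFFSET) << KASAN_SCALE_SHIFT;
    r.end = r.start + KASAN_GRANULE - 1;
    if (r.start < PAGE_SIZE_X86)
        r.type = KASAN_NULL_PTR_DEREF;
    else if (r.start < USER_TASK_SIZE)
        r.type = KASAN_USER_MEMORY_ACCESS;
    else
        r.type = KASAN_WILD_MEMORY_ACCESS;
    return r;
}

struct deref {
    uint64_t base;          /* pointer value the mov loaded from memory (R15) */
    uint64_t field;         /* base + lea displacement (R12) */
    uint64_t shadow_probed; /* shadow byte the cmpb tried to read */
};

/* Replay "mov 0x0(%rbp),%r15 ; lea 0x30(%r15),%r12 ; shr $3 ; cmpb (%rbx,%r14,1)"
 * with the printed register values, to see which pointer was really dereferenced. */
struct deref replay_trap(uint64_t loaded_ptr, uint64_t field_off)
{
    struct deref d;
    d.base = loaded_ptr;
    d.field = loaded_ptr + field_off;
    d.shadow_probed = kasan_shadow_of(d.field);
    return d;
}

int main(void)
{
    /* Inputs copied from the report: #GP address, R15, and the lea displacement. */
    struct kasan_range r = kasan_decode_fault(0xdffffc000000000aULL);
    struct deref d = replay_trap(0x21, 0x30);

    printf("shadow fault 0x%016llx -> access [0x%llx-0x%llx], type %d\n",
           0xdffffc000000000aULL, (unsigned long long)r.start,
           (unsigned long long)r.end, (int)r.type);
    printf("loaded pointer 0x%llx + 0x30 = 0x%llx, probed shadow 0x%016llx\n",
           (unsigned long long)d.base, (unsigned long long)d.field,
           (unsigned long long)d.shadow_probed);
    return 0;
}
```

Run against the values in the oops, the decoder gives back the kernel's own range [0x50-0x57], and the replay shows where it came from: the mov at offset 0x1a loaded 0x21 (the R15 value printed in the report), the lea added 0x30 to get 0x51, and the shadow of 0x51 is 0xdffffc000000000a, the #GP address. The pointer that was dereferenced was therefore not NULL but a small garbage value read out of the structure at RBP, which is the kind of evidence that points at corrupted memory rather than at a missing NULL check, in line with the reading given later in this thread.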

syzbot

Jun 8, 2025, 11:11:04 PM
to bfo...@redhat.com, gre...@linuxfoundation.org, kent.ov...@linux.dev, linux-b...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, t...@kernel.org
syzbot has bisected this issue to:

commit f7643bc9749f270d487c32dc35b578575bf1adb0
Author: Kent Overstreet <kent.ov...@linux.dev>
Date: Wed Apr 17 05:26:02 2024 +0000

bcachefs: make btree read errors silent during scan

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=17abb20c580000
start commit: 28eb75e178d3 Merge tag 'drm-next-2024-11-21' of https://gi..
git tree: upstream
final oops: https://syzkaller.appspot.com/x/report.txt?x=146bb20c580000
console output: https://syzkaller.appspot.com/x/log.txt?x=106bb20c580000
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=163706e8580000

Reported-by: syzbot+e37a17...@syzkaller.appspotmail.com
Fixes: f7643bc9749f ("bcachefs: make btree read errors silent during scan")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection

Kent Overstreet

Jun 8, 2025, 11:14:10 PM
to syzbot, gre...@linuxfoundation.org, linux-b...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, t...@kernel.org
I'm not seeing anything connecting this to bcachefs.

Kent Overstreet

Jun 8, 2025, 11:19:01 PM
to syzbot, bfo...@redhat.com, gre...@linuxfoundation.org, linux-b...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, t...@kernel.org
On Sun, Jun 08, 2025 at 08:11:02PM -0700, syzbot wrote:
> syzbot has bisected this issue to:
>
> commit f7643bc9749f270d487c32dc35b578575bf1adb0
> Author: Kent Overstreet <kent.ov...@linux.dev>
> Date: Wed Apr 17 05:26:02 2024 +0000
>
> bcachefs: make btree read errors silent during scan

syzbot bisections have been looking _very_ unreliable

Aleksandr Nogikh

Jun 9, 2025, 3:03:36 AM
to Kent Overstreet, syzbot, bfo...@redhat.com, gre...@linuxfoundation.org, linux-b...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, t...@kernel.org, syzkaller
In the bisection log[1], syzbot has run the reproducer (that mounts a
bcachefs image) on the original commit 20 times and it has got lots of
very different crash titles. One of those was actually the original
crash:

run #1: crashed: general protection fault in kernfs_dop_revalidate

but the others were in quite different subsystems (net, block,
bcachefs). They look like different manifestations of some memory
corruption caused by the mount of a corrupted bcachefs image.

I don't see where the bisection could have derailed later during the
process - on the tested commits, the kernel either crashed 100% of
repro runs or none of them. So the result very likely is reasonable
w.r.t. to some bcachefs bug, which has apparently been fixed since
then. The reproducer no longer works on syzbot and the last "general
protection fault in kernfs_dop_revalidate" crash was recorded almost
100 days ago.

[1] https://syzkaller.appspot.com/x/bisect.txt?x=17abb20c580000

--
Aleksandr

syzbot

Jun 23, 2025, 3:05:15 AM
to syzkall...@googlegroups.com
Auto-closing this bug as obsolete.
No recent activity, existing reproducers are no longer triggering the issue.