[v5.15] BUG: unable to handle kernel paging request in __xfs_free_extent
0 views
Skip to first unread message
syzbot
May 28, 2023, 4:56:58 AM5/28/23
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 1fe619a7d252 Linux 5.15.113
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=110a823e280000
kernel config: https://syzkaller.appspot.com/x/.config?x=8f10ee30ae29b021
dashboard link: https://syzkaller.appspot.com/bug?extid=ab7fe58a24a6451d7ca7
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: arm64
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/1b707a1e1816/disk-1fe619a7.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/19cc598a8bbe/vmlinux-1fe619a7.xz
kernel image: https://storage.googleapis.com/syzbot-assets/a6cf7269bae5/Image-1fe619a7.gz.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ab7fe5...@syzkaller.appspotmail.com
loop3: detected capacity change from 0 to 32768
XFS (loop3): Mounting V5 Filesystem
XFS (loop3): Ending clean mount
XFS (loop3): Quotacheck needed: Please wait.
XFS (loop3): Quotacheck: Done.
Unable to handle kernel paging request at virtual address dfff800000000001
Mem abort info:
ESR = 0x0000000096000006
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x06: level 2 translation fault
Data abort info:
ISV = 0, ISS = 0x00000006
CM = 0, WnR = 0
[dfff800000000001] address between user and kernel address ranges
Internal error: Oops: 96000006 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 9346 Comm: syz-executor.3 Not tainted 5.15.113-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023
pstate: 40400005 (nZcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : xfs_free_extent_fix_freelist fs/xfs/libxfs/xfs_alloc.c:3304 [inline]
pc : __xfs_free_extent+0x180/0x500 fs/xfs/libxfs/xfs_alloc.c:3353
lr : xfs_free_extent_fix_freelist fs/xfs/libxfs/xfs_alloc.c:3301 [inline]
lr : __xfs_free_extent+0x12c/0x500 fs/xfs/libxfs/xfs_alloc.c:3353
sp : ffff800021a77220
x29: ffff800021a77380 x28: 000000000000000c x27: 0000000000000001
x26: dfff800000000000 x25: 0000000000000000 x24: ffff000124f2e000
x23: ffff000124f2e000 x22: ffff800021a77290 x21: ffff800021a77280
x20: 0000000000000008 x19: ffff70000434ee4c x18: ffff800021a76b60
x17: 1fffe000368ff78e x16: ffff800011950fac x15: ffff8000089ba408
x14: 1ffff0000291c06a x13: ffffffffffffffff x12: 0000000000000010
x11: 1ffff0000434ee52 x10: 0000000000000000 x9 : 0000000000000000
x8 : 0000000000000001 x7 : 0000000000000000 x6 : 000000000000003f
x5 : 0000000000000040 x4 : fffffffffffffff0 x3 : 0000000000000010
x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff800021a77288
Call trace:
xfs_free_extent_fix_freelist fs/xfs/libxfs/xfs_alloc.c:3304 [inline]
__xfs_free_extent+0x180/0x500 fs/xfs/libxfs/xfs_alloc.c:3353
xfs_free_extent fs/xfs/libxfs/xfs_alloc.h:186 [inline]
xfs_ag_extend_space+0x304/0x490 fs/xfs/libxfs/xfs_ag.c:931
xfs_resizefs_init_new_ags+0x29c/0x328 fs/xfs/xfs_fsops.c:75
xfs_growfs_data_private fs/xfs/xfs_fsops.c:148 [inline]
xfs_growfs_data+0x7e8/0xe3c fs/xfs/xfs_fsops.c:295
xfs_file_ioctl+0x1b98/0x297c fs/xfs/xfs_ioctl.c:2131
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:874 [inline]
__se_sys_ioctl fs/ioctl.c:860 [inline]
__arm64_sys_ioctl+0x14c/0x1c8 fs/ioctl.c:860
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:596
el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:614
el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584
Code: 97bd8f4e 91002334 f90037f7 d343fe88 (38fa6908)
---[ end trace d10c996d75577c16 ]---
----------------
Code disassembly (best guess):
0: 97bd8f4e bl 0xfffffffffef63d38
4: 91002334 add x20, x25, #0x8
8: f90037f7 str x23, [sp, #104]
c: d343fe88 lsr x8, x20, #3
* 10: 38fa6908 ldrsb w8, [x8, x26] <-- trapping instruction
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to change bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: 1fe619a7d252 Linux 5.15.113
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=110a823e280000
kernel config: https://syzkaller.appspot.com/x/.config?x=8f10ee30ae29b021
dashboard link: https://syzkaller.appspot.com/bug?extid=ab7fe58a24a6451d7ca7
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: arm64
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/1b707a1e1816/disk-1fe619a7.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/19cc598a8bbe/vmlinux-1fe619a7.xz
kernel image: https://storage.googleapis.com/syzbot-assets/a6cf7269bae5/Image-1fe619a7.gz.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ab7fe5...@syzkaller.appspotmail.com
loop3: detected capacity change from 0 to 32768
XFS (loop3): Mounting V5 Filesystem
XFS (loop3): Ending clean mount
XFS (loop3): Quotacheck needed: Please wait.
XFS (loop3): Quotacheck: Done.
Unable to handle kernel paging request at virtual address dfff800000000001
Mem abort info:
ESR = 0x0000000096000006
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x06: level 2 translation fault
Data abort info:
ISV = 0, ISS = 0x00000006
CM = 0, WnR = 0
[dfff800000000001] address between user and kernel address ranges
Internal error: Oops: 96000006 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 9346 Comm: syz-executor.3 Not tainted 5.15.113-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023
pstate: 40400005 (nZcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : xfs_free_extent_fix_freelist fs/xfs/libxfs/xfs_alloc.c:3304 [inline]
pc : __xfs_free_extent+0x180/0x500 fs/xfs/libxfs/xfs_alloc.c:3353
lr : xfs_free_extent_fix_freelist fs/xfs/libxfs/xfs_alloc.c:3301 [inline]
lr : __xfs_free_extent+0x12c/0x500 fs/xfs/libxfs/xfs_alloc.c:3353
sp : ffff800021a77220
x29: ffff800021a77380 x28: 000000000000000c x27: 0000000000000001
x26: dfff800000000000 x25: 0000000000000000 x24: ffff000124f2e000
x23: ffff000124f2e000 x22: ffff800021a77290 x21: ffff800021a77280
x20: 0000000000000008 x19: ffff70000434ee4c x18: ffff800021a76b60
x17: 1fffe000368ff78e x16: ffff800011950fac x15: ffff8000089ba408
x14: 1ffff0000291c06a x13: ffffffffffffffff x12: 0000000000000010
x11: 1ffff0000434ee52 x10: 0000000000000000 x9 : 0000000000000000
x8 : 0000000000000001 x7 : 0000000000000000 x6 : 000000000000003f
x5 : 0000000000000040 x4 : fffffffffffffff0 x3 : 0000000000000010
x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff800021a77288
Call trace:
xfs_free_extent_fix_freelist fs/xfs/libxfs/xfs_alloc.c:3304 [inline]
__xfs_free_extent+0x180/0x500 fs/xfs/libxfs/xfs_alloc.c:3353
xfs_free_extent fs/xfs/libxfs/xfs_alloc.h:186 [inline]
xfs_ag_extend_space+0x304/0x490 fs/xfs/libxfs/xfs_ag.c:931
xfs_resizefs_init_new_ags+0x29c/0x328 fs/xfs/xfs_fsops.c:75
xfs_growfs_data_private fs/xfs/xfs_fsops.c:148 [inline]
xfs_growfs_data+0x7e8/0xe3c fs/xfs/xfs_fsops.c:295
xfs_file_ioctl+0x1b98/0x297c fs/xfs/xfs_ioctl.c:2131
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:874 [inline]
__se_sys_ioctl fs/ioctl.c:860 [inline]
__arm64_sys_ioctl+0x14c/0x1c8 fs/ioctl.c:860
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:596
el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:614
el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584
Code: 97bd8f4e 91002334 f90037f7 d343fe88 (38fa6908)
---[ end trace d10c996d75577c16 ]---
----------------
Code disassembly (best guess):
0: 97bd8f4e bl 0xfffffffffef63d38
4: 91002334 add x20, x25, #0x8
8: f90037f7 str x23, [sp, #104]
c: d343fe88 lsr x8, x20, #3
* 10: 38fa6908 ldrsb w8, [x8, x26] <-- trapping instruction
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to change bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot
May 28, 2023, 5:14:54 AM5/28/23
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following issue on:
HEAD commit: 1fe619a7d252 Linux 5.15.113
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=13683536280000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=162ce536280000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/1b707a1e1816/disk-1fe619a7.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/19cc598a8bbe/vmlinux-1fe619a7.xz
kernel image: https://storage.googleapis.com/syzbot-assets/a6cf7269bae5/Image-1fe619a7.gz.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/78d118f35e8c/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ab7fe5...@syzkaller.appspotmail.com
loop0: detected capacity change from 0 to 32768
XFS (loop0): Mounting V5 Filesystem
XFS (loop0): Ending clean mount
XFS (loop0): Quotacheck needed: Please wait.
XFS (loop0): Quotacheck: Done.
x29: ffff80001a267380 x28: 000000000000000c x27: 0000000000000001
x26: dfff800000000000 x25: 0000000000000000 x24: ffff0000c9842000
x23: ffff0000c9842000 x22: ffff80001a267290 x21: ffff80001a267280
x20: 0000000000000008 x19: ffff70000344ce4c x18: ffff80001a266e60
x17: ff80800009a58930 x16: ffff800011950fac x15: ffff8000089ba408
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
HEAD commit: 1fe619a7d252 Linux 5.15.113
git tree: linux-5.15.y
kernel config: https://syzkaller.appspot.com/x/.config?x=8f10ee30ae29b021
dashboard link: https://syzkaller.appspot.com/bug?extid=ab7fe58a24a6451d7ca7
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=179293d5280000
dashboard link: https://syzkaller.appspot.com/bug?extid=ab7fe58a24a6451d7ca7
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: arm64
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=162ce536280000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/1b707a1e1816/disk-1fe619a7.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/19cc598a8bbe/vmlinux-1fe619a7.xz
kernel image: https://storage.googleapis.com/syzbot-assets/a6cf7269bae5/Image-1fe619a7.gz.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ab7fe5...@syzkaller.appspotmail.com
XFS (loop0): Mounting V5 Filesystem
XFS (loop0): Ending clean mount
XFS (loop0): Quotacheck needed: Please wait.
XFS (loop0): Quotacheck: Done.
Unable to handle kernel paging request at virtual address dfff800000000001
Mem abort info:
ESR = 0x0000000096000006
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x06: level 2 translation fault
Data abort info:
ISV = 0, ISS = 0x00000006
CM = 0, WnR = 0
[dfff800000000001] address between user and kernel address ranges
Internal error: Oops: 96000006 [#1] PREEMPT SMP
Modules linked in:
CPU: 1 PID: 3961 Comm: syz-executor352 Not tainted 5.15.113-syzkaller #0
Mem abort info:
ESR = 0x0000000096000006
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x06: level 2 translation fault
Data abort info:
ISV = 0, ISS = 0x00000006
CM = 0, WnR = 0
[dfff800000000001] address between user and kernel address ranges
Internal error: Oops: 96000006 [#1] PREEMPT SMP
Modules linked in:
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023
pstate: 40400005 (nZcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : xfs_free_extent_fix_freelist fs/xfs/libxfs/xfs_alloc.c:3304 [inline]
pc : __xfs_free_extent+0x180/0x500 fs/xfs/libxfs/xfs_alloc.c:3353
lr : xfs_free_extent_fix_freelist fs/xfs/libxfs/xfs_alloc.c:3301 [inline]
lr : __xfs_free_extent+0x12c/0x500 fs/xfs/libxfs/xfs_alloc.c:3353
sp : ffff80001a267220
pstate: 40400005 (nZcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : xfs_free_extent_fix_freelist fs/xfs/libxfs/xfs_alloc.c:3304 [inline]
pc : __xfs_free_extent+0x180/0x500 fs/xfs/libxfs/xfs_alloc.c:3353
lr : xfs_free_extent_fix_freelist fs/xfs/libxfs/xfs_alloc.c:3301 [inline]
lr : __xfs_free_extent+0x12c/0x500 fs/xfs/libxfs/xfs_alloc.c:3353
x29: ffff80001a267380 x28: 000000000000000c x27: 0000000000000001
x26: dfff800000000000 x25: 0000000000000000 x24: ffff0000c9842000
x23: ffff0000c9842000 x22: ffff80001a267290 x21: ffff80001a267280
x20: 0000000000000008 x19: ffff70000344ce4c x18: ffff80001a266e60
x17: ff80800009a58930 x16: ffff800011950fac x15: ffff8000089ba408
x14: 1ffff0000291c06a x13: ffffffffffffffff x12: 0000000000000010
x11: 1ffff0000344ce52 x10: 0000000000000000 x9 : 0000000000000000
x8 : 0000000000000001 x7 : 0000000000000000 x6 : 000000000000003f
x5 : 0000000000000040 x4 : fffffffffffffff0 x3 : 0000000000000010
x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff80001a267288
x5 : 0000000000000040 x4 : fffffffffffffff0 x3 : 0000000000000010
Call trace:
xfs_free_extent_fix_freelist fs/xfs/libxfs/xfs_alloc.c:3304 [inline]
__xfs_free_extent+0x180/0x500 fs/xfs/libxfs/xfs_alloc.c:3353
xfs_free_extent fs/xfs/libxfs/xfs_alloc.h:186 [inline]
xfs_ag_extend_space+0x304/0x490 fs/xfs/libxfs/xfs_ag.c:931
xfs_resizefs_init_new_ags+0x29c/0x328 fs/xfs/xfs_fsops.c:75
xfs_growfs_data_private fs/xfs/xfs_fsops.c:148 [inline]
xfs_growfs_data+0x7e8/0xe3c fs/xfs/xfs_fsops.c:295
xfs_file_ioctl+0x1b98/0x297c fs/xfs/xfs_ioctl.c:2131
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:874 [inline]
__se_sys_ioctl fs/ioctl.c:860 [inline]
__arm64_sys_ioctl+0x14c/0x1c8 fs/ioctl.c:860
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:596
el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:614
el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584
Code: 97bd8f4e 91002334 f90037f7 d343fe88 (38fa6908)
---[ end trace 6a48da83e83df586 ]---
xfs_free_extent_fix_freelist fs/xfs/libxfs/xfs_alloc.c:3304 [inline]
__xfs_free_extent+0x180/0x500 fs/xfs/libxfs/xfs_alloc.c:3353
xfs_free_extent fs/xfs/libxfs/xfs_alloc.h:186 [inline]
xfs_ag_extend_space+0x304/0x490 fs/xfs/libxfs/xfs_ag.c:931
xfs_resizefs_init_new_ags+0x29c/0x328 fs/xfs/xfs_fsops.c:75
xfs_growfs_data_private fs/xfs/xfs_fsops.c:148 [inline]
xfs_growfs_data+0x7e8/0xe3c fs/xfs/xfs_fsops.c:295
xfs_file_ioctl+0x1b98/0x297c fs/xfs/xfs_ioctl.c:2131
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:874 [inline]
__se_sys_ioctl fs/ioctl.c:860 [inline]
__arm64_sys_ioctl+0x14c/0x1c8 fs/ioctl.c:860
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:596
el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:614
el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584
Code: 97bd8f4e 91002334 f90037f7 d343fe88 (38fa6908)
----------------
Code disassembly (best guess):
0: 97bd8f4e bl 0xfffffffffef63d38
4: 91002334 add x20, x25, #0x8
8: f90037f7 str x23, [sp, #104]
c: d343fe88 lsr x8, x20, #3
* 10: 38fa6908 ldrsb w8, [x8, x26] <-- trapping instruction
---
If you want syzbot to run the reproducer, reply with:
Code disassembly (best guess):
0: 97bd8f4e bl 0xfffffffffef63d38
4: 91002334 add x20, x25, #0x8
8: f90037f7 str x23, [sp, #104]
c: d343fe88 lsr x8, x20, #3
* 10: 38fa6908 ldrsb w8, [x8, x26] <-- trapping instruction
---
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
Reply all
Reply to author
Forward
0 new messages