Hello,
syzbot found the following issue on:
HEAD commit: 2ddbd0f967b3 Linux 5.15.102
git tree: linux-5.15.y
console output:
https://syzkaller.appspot.com/x/log.txt?x=1053950cc80000
kernel config:
https://syzkaller.appspot.com/x/.config?x=fec083380faceb1e
dashboard link:
https://syzkaller.appspot.com/bug?extid=c708d902646b38b761e8
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image:
https://storage.googleapis.com/syzbot-assets/156d2aa91f3c/disk-2ddbd0f9.raw.xz
vmlinux:
https://storage.googleapis.com/syzbot-assets/f0e97f5be5fb/vmlinux-2ddbd0f9.xz
kernel image:
https://storage.googleapis.com/syzbot-assets/20d0a55a041d/bzImage-2ddbd0f9.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by:
syzbot+c708d9...@syzkaller.appspotmail.com
general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
CPU: 1 PID: 3632 Comm: syz-executor.3 Not tainted 5.15.102-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
RIP: 0010:write_special_inodes fs/jfs/jfs_logmgr.c:208 [inline]
RIP: 0010:jfs_flush_journal+0x80d/0xec0 fs/jfs/jfs_logmgr.c:1581
Code: c1 fe 49 8d 5f f0 48 89 d8 48 c1 e8 03 42 80 3c 28 00 74 08 48 89 df e8 91 4b e4 fe 48 8b 1b 48 83 c3 30 48 89 d8 48 c1 e8 03 <42> 80 3c 28 00 74 08 48 89 df e8 74 4b e4 fe 48 8b 3b e8 2c ec c1
RSP: 0018:ffffc90002dcfbc0 EFLAGS: 00010206
RAX: 0000000000000006 RBX: 0000000000000030 RCX: 288cb886440c0300
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90002dcfcf0 R08: ffffffff81a7a1e6 R09: ffffc90002dcfb28
R10: 0000000000000000 R11: dffffc0000000001 R12: 1ffff920005b9f84
R13: dffffc0000000000 R14: ffff88807c202800 R15: ffff88814a755038
FS: 00005555564b0400(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffe15dbaef8 CR3: 00000000273f8000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
jfs_umount+0xf4/0x370 fs/jfs/jfs_umount.c:58
jfs_put_super+0x86/0x180 fs/jfs/super.c:194
generic_shutdown_super+0x136/0x2c0 fs/super.c:466
kill_block_super+0x7a/0xe0 fs/super.c:1396
deactivate_locked_super+0xa0/0x110 fs/super.c:335
cleanup_mnt+0x44e/0x500 fs/namespace.c:1143
task_work_run+0x129/0x1a0 kernel/task_work.c:164
tracehook_notify_resume include/linux/tracehook.h:189 [inline]
exit_to_user_mode_loop+0x106/0x130 kernel/entry/common.c:175
exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:207
__syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline]
syscall_exit_to_user_mode+0x5d/0x2b0 kernel/entry/common.c:300
do_syscall_64+0x49/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7f289a98b567
Code: ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffe15dbb638 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f289a98b567
RDX: 00007ffe15dbb70b RSI: 000000000000000a RDI: 00007ffe15dbb700
RBP: 00007ffe15dbb700 R08: 00000000ffffffff R09: 00007ffe15dbb4d0
R10: 00005555564b18b3 R11: 0000000000000246 R12: 00007f289a9e4b74
R13: 00007ffe15dbc7c0 R14: 00005555564b1810 R15: 00007ffe15dbc800
</TASK>
Modules linked in:
---[ end trace 4aa060bc7c896bac ]---
RIP: 0010:write_special_inodes fs/jfs/jfs_logmgr.c:208 [inline]
RIP: 0010:jfs_flush_journal+0x80d/0xec0 fs/jfs/jfs_logmgr.c:1581
Code: c1 fe 49 8d 5f f0 48 89 d8 48 c1 e8 03 42 80 3c 28 00 74 08 48 89 df e8 91 4b e4 fe 48 8b 1b 48 83 c3 30 48 89 d8 48 c1 e8 03 <42> 80 3c 28 00 74 08 48 89 df e8 74 4b e4 fe 48 8b 3b e8 2c ec c1
RSP: 0018:ffffc90002dcfbc0 EFLAGS: 00010206
RAX: 0000000000000006 RBX: 0000000000000030 RCX: 288cb886440c0300
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90002dcfcf0 R08: ffffffff81a7a1e6 R09: ffffc90002dcfb28
R10: 0000000000000000 R11: dffffc0000000001 R12: 1ffff920005b9f84
R13: dffffc0000000000 R14: ffff88807c202800 R15: ffff88814a755038
FS: 00005555564b0400(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f96723b9988 CR3: 00000000273f8000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: c1 fe 49 sar $0x49,%esi
3: 8d 5f f0 lea -0x10(%rdi),%ebx
6: 48 89 d8 mov %rbx,%rax
9: 48 c1 e8 03 shr $0x3,%rax
d: 42 80 3c 28 00 cmpb $0x0,(%rax,%r13,1)
12: 74 08 je 0x1c
14: 48 89 df mov %rbx,%rdi
17: e8 91 4b e4 fe callq 0xfee44bad
1c: 48 8b 1b mov (%rbx),%rbx
1f: 48 83 c3 30 add $0x30,%rbx
23: 48 89 d8 mov %rbx,%rax
26: 48 c1 e8 03 shr $0x3,%rax
* 2a: 42 80 3c 28 00 cmpb $0x0,(%rax,%r13,1) <-- trapping instruction
2f: 74 08 je 0x39
31: 48 89 df mov %rbx,%rdi
34: e8 74 4b e4 fe callq 0xfee44bad
39: 48 8b 3b mov (%rbx),%rdi
3c: e8 .byte 0xe8
3d: 2c ec sub $0xec,%al
3f: c1 .byte 0xc1
---
This report is generated by a bot. It may contain errors.
See
https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at
syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.