Hello,
syzbot found the following crash on:
HEAD commit: e1f7d50a Linux 4.14.160
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=17f896c1e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=46599517442ad9fb
dashboard link: https://syzkaller.appspot.com/bug?extid=f3c6a35e3859372ab734
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+f3c6a3...@syzkaller.appspotmail.com
------------[ cut here ]------------
kernel BUG at arch/x86/mm/physaddr.c:27!
EXT4-fs (loop1): ext4_check_descriptors: Block bitmap for group 0 overlaps
block group descriptors
proc: unrecognized mount option "appraise" or missing value
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 1 PID: 13685 Comm: blkid Not tainted 4.14.160-syzkaller #0
proc: unrecognized mount option "appraise" or missing value
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
task: ffff888091f363c0 task.stack: ffff888045f38000
RIP: 0010:__phys_addr+0x87/0xe0 arch/x86/mm/physaddr.c:27
RSP: 0018:ffff888045f3f798 EFLAGS: 00010297
RAX: ffff888091f363c0 RBX: 0808080808080808 RCX: 1ffff110123e6d8c
RDX: 0000000000000000 RSI: 0808080808080808 RDI: 0808080808080808
RBP: ffff888045f3f7b0 R08: ffff888091f363c0 R09: ffff888091f36c60
R10: 0000000000000000 R11: 0000000000000000 R12: 08087f8808080808
R13: 0808080888080808 R14: ffff888045f3f800 R15: 0000000000000000
FS: 00007f448392e7a0(0000) GS:ffff8880aed00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fff8a952918 CR3: 000000007b924000 CR4: 00000000001426e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
virt_to_head_page include/linux/mm.h:600 [inline]
qlink_to_cache mm/kasan/quarantine.c:127 [inline]
qlist_free_all+0xc7/0x150 mm/kasan/quarantine.c:163
quarantine_reduce+0x147/0x180 mm/kasan/quarantine.c:259
kasan_kmalloc+0xa0/0xf0 mm/kasan/kasan.c:536
kasan_slab_alloc+0xf/0x20 mm/kasan/kasan.c:489
slab_post_alloc_hook mm/slab.h:442 [inline]
slab_alloc mm/slab.c:3390 [inline]
kmem_cache_alloc+0x11b/0x780 mm/slab.c:3550
ptlock_alloc mm/memory.c:4741 [inline]
ptlock_init include/linux/mm.h:1752 [inline]
pgtable_pmd_page_ctor include/linux/mm.h:1844 [inline]
pmd_alloc_one arch/x86/include/asm/pgalloc.h:105 [inline]
__pmd_alloc+0xbd/0x410 mm/memory.c:4229
pmd_alloc include/linux/mm.h:1702 [inline]
alloc_new_pmd mm/mremap.c:75 [inline]
move_page_tables+0xffc/0x1740 mm/mremap.c:223
shift_arg_pages+0x1a6/0x460 fs/exec.c:647
setup_arg_pages+0x5b2/0x740 fs/exec.c:759
load_elf_binary+0xa68/0x4d60 fs/binfmt_elf.c:873
search_binary_handler fs/exec.c:1638 [inline]
search_binary_handler+0x149/0x6f0 fs/exec.c:1616
exec_binprm fs/exec.c:1680 [inline]
do_execveat_common.isra.0+0x1000/0x1dd0 fs/exec.c:1802
do_execve fs/exec.c:1847 [inline]
SYSC_execve fs/exec.c:1928 [inline]
SyS_execve+0x39/0x50 fs/exec.c:1923
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x7f4483012207
RSP: 002b:00007ffdb45be598 EFLAGS: 00000202 ORIG_RAX: 000000000000003b
RAX: ffffffffffffffda RBX: 00000000ffffffff RCX: 00007f4483012207
RDX: 00000000024bbe90 RSI: 00007ffdb45be690 RDI: 00007ffdb45bf6a0
RBP: 0000000000625500 R08: 0000000000003464 R09: 0000000000003464
R10: 0000000000000000 R11: 0000000000000202 R12: 00000000024bbe90
R13: 0000000000000007 R14: 0000000002472030 R15: 0000000000000005
Code: 04 84 d2 75 28 0f b6 0d d1 41 87 07 4c 89 e0 48 d3 e8 48 85 c0 75 0f
e8 a8 61 32 00 4c 89 e0 5b 41 5c 41 5d 5d c3 e8 99 61 32 00 <0f> 0b 48 c7
c7 89 2f b2 88 e8 ab ee 5c 00 eb ca e8 84 61 32 00
RIP: __phys_addr+0x87/0xe0 arch/x86/mm/physaddr.c:27 RSP: ffff888045f3f798
------------[ cut here ]------------
kernel BUG at arch/x86/mm/physaddr.c:27!
EXT4-fs (loop1): ext4_check_descriptors: Inode table for group 0 overlaps
superblock
invalid opcode: 0000 [#2] PREEMPT SMP KASAN
Modules linked in:
CPU: 0 PID: 3610 Comm: udevd Tainted: G D 4.14.160-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
task: ffff88809677e6c0 task.stack: ffff888096780000
RIP: 0010:__phys_addr+0x87/0xe0 arch/x86/mm/physaddr.c:27
RSP: 0018:ffff888096787bd0 EFLAGS: 00010297
kobject: 'loop1' (ffff88808e5c0dc8): kobject_add_internal: parent: 'ext4',
set: 'ext4'
RAX: ffff88809677e6c0 RBX: 0808080808080808 RCX: 1ffffffff1066fb0
RDX: 0000000000000000 RSI: 0808080808080808 RDI: 0808080808080808
RBP: ffff888096787be8 R08: ffff88809677e6c0 R09: 0000000000000000
R10: 0000000000000000 R11: ffff88809677e6c0 R12: 08087f8808080808
R13: 0808080888080808 R14: ffff888096787c38 R15: 0000000000000000
FS: 00007f448392e7a0(0000) GS:ffff8880aec00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2e929000 CR3: 00000000966d7000 CR4: 00000000001426f0
EXT4-fs (loop1): mounted filesystem without journal. Opts: ,errors=continue
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
virt_to_head_page include/linux/mm.h:600 [inline]
qlink_to_cache mm/kasan/quarantine.c:127 [inline]
qlist_free_all+0xc7/0x150 mm/kasan/quarantine.c:163
quarantine_reduce+0x147/0x180 mm/kasan/quarantine.c:259
kasan_kmalloc+0xa0/0xf0 mm/kasan/kasan.c:536
kasan_slab_alloc+0xf/0x20 mm/kasan/kasan.c:489
slab_post_alloc_hook mm/slab.h:442 [inline]
slab_alloc mm/slab.c:3390 [inline]
kmem_cache_alloc_trace+0x13b/0x790 mm/slab.c:3616
kmalloc include/linux/slab.h:488 [inline]
kzalloc include/linux/slab.h:661 [inline]
kernfs_iop_get_link fs/kernfs/symlink.c:127 [inline]
kernfs_iop_get_link+0x6a/0x650 fs/kernfs/symlink.c:118
generic_readlink fs/namei.c:4727 [inline]
vfs_readlink+0x1ac/0x410 fs/namei.c:4762
audit: type=1804 audit(1577325651.483:145): pid=13698 uid=0 auid=4294967295
ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
op="invalid_pcr" cause="open_writers" comm="syz-executor.2"
name="/root/syzkaller-testdir249924112/syzkaller.NZ54Wt/19/bus" dev="sda1"
ino=16657 res=1
SYSC_readlinkat fs/stat.c:406 [inline]
SyS_readlinkat fs/stat.c:382 [inline]
SYSC_readlink fs/stat.c:421 [inline]
SyS_readlink+0x218/0x290 fs/stat.c:418
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x7f4483037577
RSP: 002b:00007ffdb45c4088 EFLAGS: 00000246 ORIG_RAX: 0000000000000059
RAX: ffffffffffffffda RBX: 0000000002472030 RCX: 00007f4483037577
RDX: 0000000000000400 RSI: 00007ffdb45c4090 RDI: 00007ffdb45c4570
RBP: 00007ffdb45c4dd0 R08: 00007ffdb45c4dd0 R09: 00007f448308bde0
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffdb45c4570
audit: type=1804 audit(1577325651.483:146): pid=13698 uid=0 auid=4294967295
ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
op="invalid_pcr" cause="open_writers" comm="syz-executor.2"
name="/root/syzkaller-testdir249924112/syzkaller.NZ54Wt/19/bus" dev="sda1"
ino=16657 res=1
R13: 0000000000000400 R14: 00000000024c6100 R15: 0000000002472030
Code: 04 84 d2 75 28 0f b6 0d d1 41 87 07 4c 89 e0 48 d3 e8 48 85 c0 75 0f
e8 a8 61 32 00 4c 89 e0 5b 41 5c 41 5d 5d c3 e8 99 61 32 00 <0f> 0b 48 c7
c7 89 2f b2 88 e8 ab ee 5c 00 eb ca e8 84 61 32 00
RIP: __phys_addr+0x87/0xe0 arch/x86/mm/physaddr.c:27 RSP: ffff888096787bd0
---[ end trace d7390c370cfc5df7 ]---