[v5.15] BUG: Bad page state


syzbot

Apr 16, 2023, 7:16:42 AM
to syzkaller...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 4fdad925aa1a Linux 5.15.107
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1272b4e7c80000
kernel config: https://syzkaller.appspot.com/x/.config?x=d67d6c9042bf5bb9
dashboard link: https://syzkaller.appspot.com/bug?extid=d0394eeeb4816974b389
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: arm64

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/a4ecac695096/disk-4fdad925.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/3362687e1660/vmlinux-4fdad925.xz
kernel image: https://storage.googleapis.com/syzbot-assets/3e588c974210/Image-4fdad925.gz.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d0394e...@syzkaller.appspotmail.com

BUG: Bad page state in process jfsCommit pfn:10a3c4
page:00000000eaae362d refcount:0 mapcount:0 mapping:0000000000000000 index:0x1c pfn:0x10a3c4
flags: 0x5ffc00000002005(locked|uptodate|private|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000002005 dead000000000100 dead000000000122 0000000000000000
raw: 000000000000001c ffff00013a944ba0 00000000ffffffff 0000000000000000
page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set
Modules linked in:
CPU: 0 PID: 239 Comm: jfsCommit Not tainted 5.15.107-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Call trace:
dump_backtrace+0x0/0x530 arch/arm64/kernel/stacktrace.c:152
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:216
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
dump_stack+0x1c/0x58 lib/dump_stack.c:113
bad_page+0x1a4/0x1c4 mm/page_alloc.c:652
check_free_page_bad mm/page_alloc.c:1199 [inline]
check_free_page mm/page_alloc.c:1209 [inline]
free_pages_prepare mm/page_alloc.c:1334 [inline]
free_pcp_prepare mm/page_alloc.c:1391 [inline]
free_unref_page_prepare+0x4ec/0xe30 mm/page_alloc.c:3317
free_unref_page+0x78/0x204 mm/page_alloc.c:3396
__put_single_page mm/swap.c:98 [inline]
__put_page+0xf8/0x134 mm/swap.c:129
put_page include/linux/mm.h:1247 [inline]
_metapage_homeok+0x138/0x288 fs/jfs/jfs_metapage.h:119
txUnlock+0x264/0xbb0 fs/jfs/jfs_txnmgr.c:927
txLazyCommit fs/jfs/jfs_txnmgr.c:2711 [inline]
jfs_lazycommit+0x4a0/0xa40 fs/jfs/jfs_txnmgr.c:2761
kthread+0x37c/0x45c kernel/kthread.c:319
ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:870
page:00000000eaae362d refcount:0 mapcount:0 mapping:0000000000000000 index:0x1c pfn:0x10a3c4
flags: 0x5ffc00000002005(locked|uptodate|private|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000002005 dead000000000100 dead000000000122 0000000000000000
raw: 000000000000001c ffff00013a944ba0 00000000ffffffff 0000000000000000
page dumped because: VM_BUG_ON_PAGE(((unsigned int) page_ref_count(page) + 127u <= 127u))
------------[ cut here ]------------
kernel BUG at include/linux/mm.h:1213!
Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 239 Comm: jfsCommit Tainted: G B 5.15.107-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : get_page include/linux/mm.h:1213 [inline]
pc : put_metapage+0x280/0x2e4 fs/jfs/jfs_metapage.c:722
lr : get_page include/linux/mm.h:1213 [inline]
lr : put_metapage+0x280/0x2e4 fs/jfs/jfs_metapage.c:722
sp : ffff80001ae67b80
x29: ffff80001ae67b80 x28: dfff800000000000 x27: 1fffe00027528979
x26: 1fffe00027528986 x25: dfff800000000000 x24: 000000000000007f
x23: fffffc000328f134 x22: fffffc000328f100 x21: ffff00013a944bc8
x20: ffff00013a944c30 x19: ffff00013a944ba0 x18: 1fffe000368ffd8e
x17: 1fffe000368ffd8e x16: ffff800011943d44 x15: ffff80001496eda0
x14: ffff0001b47fec80 x13: ffffffffffffffff x12: 0000000000000000
x11: ff808000087a2b90 x10: 0000000000000000 x9 : 563499313361d200
x8 : 563499313361d200 x7 : 0000000000000000 x6 : ffff80000826879c
x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffff80000854a4a4
x2 : 0000000000000001 x1 : 0000000100000000 x0 : 0000000000000059
Call trace:
get_page include/linux/mm.h:1213 [inline]
put_metapage+0x280/0x2e4 fs/jfs/jfs_metapage.c:722
txUnlock+0x3e4/0xbb0 fs/jfs/jfs_txnmgr.c:942
txLazyCommit fs/jfs/jfs_txnmgr.c:2711 [inline]
jfs_lazycommit+0x4a0/0xa40 fs/jfs/jfs_txnmgr.c:2761
kthread+0x37c/0x45c kernel/kthread.c:319
ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:870
Code: 900428c1 911c8021 aa1603e0 97bb8274 (d4210000)
---[ end trace a260d013d4cb88e6 ]---


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

May 25, 2023, 11:03:45 PM
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following issue on:

HEAD commit: 1fe619a7d252 Linux 5.15.113
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=165749fe280000
kernel config: https://syzkaller.appspot.com/x/.config?x=ab36330fd14820aa
dashboard link: https://syzkaller.appspot.com/bug?extid=d0394eeeb4816974b389
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15f4ab39280000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14d392fe280000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/2d1716ac5a07/disk-1fe619a7.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/9e9e3ef13603/vmlinux-1fe619a7.xz
kernel image: https://storage.googleapis.com/syzbot-assets/810a025eede3/bzImage-1fe619a7.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/5e8d20ec612b/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d0394e...@syzkaller.appspotmail.com

BUG: Bad page state in process jfsCommit pfn:744e8
page:ffffea0001d13a00 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1c pfn:0x744e8
flags: 0xfff00000002005(locked|uptodate|private|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000002005 dead000000000100 dead000000000122 0000000000000000
raw: 000000000000001c ffff888023abf9b0 00000000ffffffff 0000000000000000
page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0xc40(GFP_NOFS), pid 3499, ts 52705979334, free_ts 27796879468
prep_new_page mm/page_alloc.c:2426 [inline]
get_page_from_freelist+0x322a/0x33c0 mm/page_alloc.c:4159
__alloc_pages+0x272/0x700 mm/page_alloc.c:5421
__page_cache_alloc+0xd4/0x4a0 mm/filemap.c:1022
do_read_cache_page+0x1e5/0x1040 mm/filemap.c:3448
read_mapping_page include/linux/pagemap.h:515 [inline]
__get_metapage+0x398/0x1070 fs/jfs/jfs_metapage.c:621
diRead+0x5e9/0xad0 fs/jfs/jfs_imap.c:363
jfs_iget+0x88/0x3b0 fs/jfs/inode.c:35
jfs_fill_super+0x826/0xc70 fs/jfs/super.c:585
mount_bdev+0x26d/0x3a0 fs/super.c:1378
legacy_get_tree+0xeb/0x180 fs/fs_context.c:610
vfs_get_tree+0x88/0x270 fs/super.c:1508
do_new_mount+0x28b/0xad0 fs/namespace.c:2994
do_mount fs/namespace.c:3337 [inline]
__do_sys_mount fs/namespace.c:3545 [inline]
__se_sys_mount+0x2d5/0x3c0 fs/namespace.c:3522
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x61/0xcb
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1340 [inline]
free_pcp_prepare mm/page_alloc.c:1391 [inline]
free_unref_page_prepare+0xc34/0xcf0 mm/page_alloc.c:3317
free_unref_page+0x95/0x2d0 mm/page_alloc.c:3396
do_slab_free mm/slub.c:3487 [inline]
___cache_free+0xe3/0x100 mm/slub.c:3506
qlist_free_all+0x36/0x90 mm/kasan/quarantine.c:176
kasan_quarantine_reduce+0x162/0x180 mm/kasan/quarantine.c:283
__kasan_slab_alloc+0x2f/0xc0 mm/kasan/common.c:444
kasan_slab_alloc include/linux/kasan.h:254 [inline]
slab_post_alloc_hook+0x53/0x380 mm/slab.h:519
slab_alloc_node mm/slub.c:3220 [inline]
slab_alloc mm/slub.c:3228 [inline]
__kmalloc+0x120/0x300 mm/slub.c:4403
kmalloc include/linux/slab.h:596 [inline]
tomoyo_realpath_from_path+0xd8/0x5e0 security/tomoyo/realpath.c:254
tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
tomoyo_path_perm+0x273/0x6b0 security/tomoyo/file.c:822
security_inode_getattr+0xcf/0x120 security/security.c:1348
vfs_getattr+0x26/0x360 fs/stat.c:157
vfs_statx+0x18f/0x3b0 fs/stat.c:225
vfs_fstatat fs/stat.c:243 [inline]
__do_sys_newfstatat fs/stat.c:411 [inline]
__se_sys_newfstatat fs/stat.c:405 [inline]
__x64_sys_newfstatat+0x12c/0x1b0 fs/stat.c:405
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x61/0xcb
Modules linked in:
CPU: 1 PID: 277 Comm: jfsCommit Not tainted 5.15.113-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/16/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
bad_page+0x14b/0x170 mm/page_alloc.c:652
check_free_page_bad mm/page_alloc.c:1199 [inline]
check_free_page mm/page_alloc.c:1209 [inline]
free_pages_prepare mm/page_alloc.c:1334 [inline]
free_pcp_prepare mm/page_alloc.c:1391 [inline]
free_unref_page_prepare+0x48d/0xcf0 mm/page_alloc.c:3317
free_unref_page+0x95/0x2d0 mm/page_alloc.c:3396
txUnlock+0x282/0xca0 fs/jfs/jfs_txnmgr.c:927
txLazyCommit fs/jfs/jfs_txnmgr.c:2711 [inline]
jfs_lazycommit+0x5cd/0xc30 fs/jfs/jfs_txnmgr.c:2761
kthread+0x3f6/0x4f0 kernel/kthread.c:319
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298
</TASK>
page:ffffea0001d13a00 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1c pfn:0x744e8
flags: 0xfff00000002005(locked|uptodate|private|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000002005 dead000000000100 dead000000000122 0000000000000000
raw: 000000000000001c ffff888023abf9b0 00000000ffffffff 0000000000000000
page dumped because: VM_BUG_ON_PAGE(((unsigned int) page_ref_count(page) + 127u <= 127u))
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0xc40(GFP_NOFS), pid 3499, ts 52705979334, free_ts 27796879468
prep_new_page mm/page_alloc.c:2426 [inline]
get_page_from_freelist+0x322a/0x33c0 mm/page_alloc.c:4159
__alloc_pages+0x272/0x700 mm/page_alloc.c:5421
__page_cache_alloc+0xd4/0x4a0 mm/filemap.c:1022
do_read_cache_page+0x1e5/0x1040 mm/filemap.c:3448
read_mapping_page include/linux/pagemap.h:515 [inline]
__get_metapage+0x398/0x1070 fs/jfs/jfs_metapage.c:621
diRead+0x5e9/0xad0 fs/jfs/jfs_imap.c:363
jfs_iget+0x88/0x3b0 fs/jfs/inode.c:35
jfs_fill_super+0x826/0xc70 fs/jfs/super.c:585
mount_bdev+0x26d/0x3a0 fs/super.c:1378
legacy_get_tree+0xeb/0x180 fs/fs_context.c:610
vfs_get_tree+0x88/0x270 fs/super.c:1508
do_new_mount+0x28b/0xad0 fs/namespace.c:2994
do_mount fs/namespace.c:3337 [inline]
__do_sys_mount fs/namespace.c:3545 [inline]
__se_sys_mount+0x2d5/0x3c0 fs/namespace.c:3522
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x61/0xcb
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1340 [inline]
free_pcp_prepare mm/page_alloc.c:1391 [inline]
free_unref_page_prepare+0xc34/0xcf0 mm/page_alloc.c:3317
free_unref_page+0x95/0x2d0 mm/page_alloc.c:3396
do_slab_free mm/slub.c:3487 [inline]
___cache_free+0xe3/0x100 mm/slub.c:3506
qlist_free_all+0x36/0x90 mm/kasan/quarantine.c:176
kasan_quarantine_reduce+0x162/0x180 mm/kasan/quarantine.c:283
__kasan_slab_alloc+0x2f/0xc0 mm/kasan/common.c:444
kasan_slab_alloc include/linux/kasan.h:254 [inline]
slab_post_alloc_hook+0x53/0x380 mm/slab.h:519
slab_alloc_node mm/slub.c:3220 [inline]
slab_alloc mm/slub.c:3228 [inline]
__kmalloc+0x120/0x300 mm/slub.c:4403
kmalloc include/linux/slab.h:596 [inline]
tomoyo_realpath_from_path+0xd8/0x5e0 security/tomoyo/realpath.c:254
tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
tomoyo_path_perm+0x273/0x6b0 security/tomoyo/file.c:822
security_inode_getattr+0xcf/0x120 security/security.c:1348
vfs_getattr+0x26/0x360 fs/stat.c:157
vfs_statx+0x18f/0x3b0 fs/stat.c:225
vfs_fstatat fs/stat.c:243 [inline]
__do_sys_newfstatat fs/stat.c:411 [inline]
__se_sys_newfstatat fs/stat.c:405 [inline]
__x64_sys_newfstatat+0x12c/0x1b0 fs/stat.c:405
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x61/0xcb
------------[ cut here ]------------
kernel BUG at include/linux/mm.h:1213!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 277 Comm: jfsCommit Tainted: G B 5.15.113-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/16/2023
RIP: 0010:get_page include/linux/mm.h:1213 [inline]
RIP: 0010:put_metapage+0x283/0x290 fs/jfs/jfs_metapage.c:722
Code: 03 38 c1 0f 8c f8 fe ff ff 4c 89 ff e8 b6 04 e7 fe e9 eb fe ff ff e8 3c a9 9d fe 4c 89 e7 48 c7 c6 60 ce c0 8a e8 ad 7b d3 fe <0f> 0b 66 2e 0f 1f 84 00 00 00 00 00 90 55 41 57 41 56 41 55 41 54
RSP: 0018:ffffc90002abfcc0 EFLAGS: 00010246
RAX: cb8c42def2e72500 RBX: 000000000000007f RCX: ffff888018f23b80
RDX: 0000000000000000 RSI: 000000000000ffff RDI: 000000000000ffff
RBP: ffff888023abf9b0 R08: ffffffff81d00714 R09: fffff52000557e55
R10: 0000000000000000 R11: dffffc0000000001 R12: ffffea0001d13a00
R13: ffff888023abf9d8 R14: 1ffff11004757f3b R15: ffffea0001d13a34
FS: 0000000000000000(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f53c8be1828 CR3: 000000000c68e000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
txUnlock+0x42f/0xca0 fs/jfs/jfs_txnmgr.c:942
txLazyCommit fs/jfs/jfs_txnmgr.c:2711 [inline]
jfs_lazycommit+0x5cd/0xc30 fs/jfs/jfs_txnmgr.c:2761
kthread+0x3f6/0x4f0 kernel/kthread.c:319
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298
</TASK>
Modules linked in:
---[ end trace affe6937f7f2091a ]---
RIP: 0010:get_page include/linux/mm.h:1213 [inline]
RIP: 0010:put_metapage+0x283/0x290 fs/jfs/jfs_metapage.c:722
Code: 03 38 c1 0f 8c f8 fe ff ff 4c 89 ff e8 b6 04 e7 fe e9 eb fe ff ff e8 3c a9 9d fe 4c 89 e7 48 c7 c6 60 ce c0 8a e8 ad 7b d3 fe <0f> 0b 66 2e 0f 1f 84 00 00 00 00 00 90 55 41 57 41 56 41 55 41 54
RSP: 0018:ffffc90002abfcc0 EFLAGS: 00010246
RAX: cb8c42def2e72500 RBX: 000000000000007f RCX: ffff888018f23b80
RDX: 0000000000000000 RSI: 000000000000ffff RDI: 000000000000ffff
RBP: ffff888023abf9b0 R08: ffffffff81d00714 R09: fffff52000557e55
R10: 0000000000000000 R11: dffffc0000000001 R12: ffffea0001d13a00
R13: ffff888023abf9d8 R14: 1ffff11004757f3b R15: ffffea0001d13a34
FS: 0000000000000000(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f53c8be1828 CR3: 000000000c68e000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

syzbot

May 27, 2023, 6:10:48 AM
to syzkaller...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: a343b0dd87b4 Linux 6.1.30
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=14a4734d280000
kernel config: https://syzkaller.appspot.com/x/.config?x=8ec86bd749598dca
dashboard link: https://syzkaller.appspot.com/bug?extid=508dec8cb5e59afadfb2
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11bb7d1e280000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=173dc3fe280000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/aebc00d6f042/disk-a343b0dd.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/7ff0321ebb5a/vmlinux-a343b0dd.xz
kernel image: https://storage.googleapis.com/syzbot-assets/c928974a56d6/Image-a343b0dd.gz.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/5ca5cf7f804b/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+508dec...@syzkaller.appspotmail.com

BUG: Bad page state in process jfsCommit pfn:11804a
page:000000006f04fb8e refcount:0 mapcount:0 mapping:0000000000000000 index:0x1c pfn:0x11804a
flags: 0x5ffc00000002047(locked|referenced|uptodate|workingset|private|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000002047 dead000000000100 dead000000000122 0000000000000000
raw: 000000000000001c ffff0000cd3309b0 00000000ffffffff 0000000000000000
page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set
Modules linked in:
CPU: 1 PID: 91 Comm: jfsCommit Not tainted 6.1.30-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023
Call trace:
dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:158
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
dump_stack+0x1c/0x58 lib/dump_stack.c:113
bad_page+0x1a4/0x1c4 mm/page_alloc.c:719
free_page_is_bad_report mm/page_alloc.c:1297 [inline]
free_page_is_bad mm/page_alloc.c:1307 [inline]
free_pages_prepare mm/page_alloc.c:1453 [inline]
free_pcp_prepare mm/page_alloc.c:1510 [inline]
free_unref_page_prepare+0x348/0x1070 mm/page_alloc.c:3388
free_unref_page+0x80/0x444 mm/page_alloc.c:3484
__folio_put_small mm/swap.c:105 [inline]
__folio_put+0xd0/0x12c mm/swap.c:128
folio_put include/linux/mm.h:1165 [inline]
put_page include/linux/mm.h:1217 [inline]
_metapage_homeok+0x130/0x21c fs/jfs/jfs_metapage.h:119
txUnlock+0x264/0xbb0 fs/jfs/jfs_txnmgr.c:927
txLazyCommit fs/jfs/jfs_txnmgr.c:2677 [inline]
jfs_lazycommit+0x490/0x988 fs/jfs/jfs_txnmgr.c:2727
kthread+0x250/0x2d8 kernel/kthread.c:376
ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860
page:000000006f04fb8e refcount:0 mapcount:0 mapping:0000000000000000 index:0x1c pfn:0x11804a
flags: 0x5ffc00000002047(locked|referenced|uptodate|workingset|private|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000002047 dead000000000100 dead000000000122 0000000000000000
raw: 000000000000001c ffff0000cd3309b0 00000000ffffffff 0000000000000000
page dumped because: VM_BUG_ON_FOLIO(((unsigned int) folio_ref_count(folio) + 127u <= 127u))
------------[ cut here ]------------
kernel BUG at include/linux/mm.h:1129!
Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 91 Comm: jfsCommit Tainted: G B 6.1.30-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : folio_get include/linux/mm.h:1129 [inline]
pc : get_page include/linux/mm.h:1135 [inline]
pc : put_metapage+0x278/0x2c4 fs/jfs/jfs_metapage.c:721
lr : folio_get include/linux/mm.h:1129 [inline]
lr : get_page include/linux/mm.h:1135 [inline]
lr : put_metapage+0x278/0x2c4 fs/jfs/jfs_metapage.c:721
sp : ffff80001bfe7ba0
x29: ffff80001bfe7ba0 x28: dfff800000000000 x27: 1fffe00019a6613b
x26: 1fffe00019a66148 x25: dfff800000000000 x24: 000000000000007f
x23: fffffc00036012b4 x22: fffffc0003601280 x21: ffff0000cd3309d8
x20: ffff0000cd330a40 x19: ffff0000cd3309b0 x18: 1fffe000368b6176
x17: 635f6665725f6f69 x16: ffff80001204a9c0 x15: 0000000000000000
x14: 0000000000000000 x13: 0000000000000001 x12: 0000000000000001
x11: ff808000088305e0 x10: 0000000000000000 x9 : ffff8000088305e0
x8 : ffff0000c7431bc0 x7 : 0000000000000001 x6 : 0000000000000001
x5 : ffff80001bfe7418 x4 : ffff800015692ac0 x3 : ffff80000834e4d4
x2 : 0000000000000001 x1 : 0000000100000000 x0 : 000000000000005c
Call trace:
folio_get include/linux/mm.h:1129 [inline]
get_page include/linux/mm.h:1135 [inline]
put_metapage+0x278/0x2c4 fs/jfs/jfs_metapage.c:721
txUnlock+0x3e4/0xbb0 fs/jfs/jfs_txnmgr.c:942
txLazyCommit fs/jfs/jfs_txnmgr.c:2677 [inline]
jfs_lazycommit+0x490/0x988 fs/jfs/jfs_txnmgr.c:2727
kthread+0x250/0x2d8 kernel/kthread.c:376
ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860
Code: b0046001 912b8021 aa1603e0 97ba0cc2 (d4210000)
---[ end trace 0000000000000000 ]---


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to change bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup