KASAN: user-memory-access Write in nilfs_bmap_lookup_at_level
4 views
Skip to first unread message
syzbot
Oct 3, 2022, 9:53:35 AM10/3/22
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 3f8a27f9e27b Linux 4.19.211
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=148cb7c0880000
kernel config: https://syzkaller.appspot.com/x/.config?x=9b9277b418617afe
dashboard link: https://syzkaller.appspot.com/bug?extid=2b9bdebf6a534556b7e1
compiler: gcc version 10.2.1 20210110 (Debian 10.2.1-6)
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/98c0bdb4abb3/disk-3f8a27f9.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/ea228ff02669/vmlinux-3f8a27f9.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+2b9bde...@syzkaller.appspotmail.com
NILFS (loop4): broken superblock, retrying with spare superblock (blocksize = 1024)
==================================================================
NILFS (loop4): segctord starting. Construction interval = 5 seconds, CP frequency < 30 seconds
BUG: KASAN: user-memory-access in atomic_inc include/asm-generic/atomic-instrumented.h:109 [inline]
BUG: KASAN: user-memory-access in __lock_acquire+0x251/0x3ff0 kernel/locking/lockdep.c:3308
Write of size 4 at addr 0000000100000137 by task syz-executor.4/19536
CPU: 1 PID: 19536 Comm: syz-executor.4 Not tainted 4.19.211-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
kasan_report_error.cold+0x15b/0x1b9 mm/kasan/report.c:352
kasan_report+0x8f/0xa0 mm/kasan/report.c:412
atomic_inc include/asm-generic/atomic-instrumented.h:109 [inline]
__lock_acquire+0x251/0x3ff0 kernel/locking/lockdep.c:3308
lock_acquire+0x170/0x3c0 kernel/locking/lockdep.c:3908
down_read+0x36/0x80 kernel/locking/rwsem.c:24
nilfs_bmap_lookup_at_level+0x7b/0x3e0 fs/nilfs2/bmap.c:68
nilfs_bmap_lookup fs/nilfs2/bmap.h:170 [inline]
nilfs_mdt_submit_block.constprop.0+0x1a5/0xaa0 fs/nilfs2/mdt.c:142
nilfs_mdt_read_block+0x96/0x3e0 fs/nilfs2/mdt.c:175
nilfs_mdt_get_block+0xe6/0xd40 fs/nilfs2/mdt.c:250
nilfs_palloc_get_block+0xc4/0x2b0 fs/nilfs2/alloc.c:216
nilfs_palloc_get_entry_block+0x17b/0x230 fs/nilfs2/alloc.c:318
nilfs_ifile_get_inode_block+0xbf/0x170 fs/nilfs2/ifile.c:143
__nilfs_read_inode fs/nilfs2/inode.c:483 [inline]
nilfs_iget+0x204/0x860 fs/nilfs2/inode.c:592
nilfs_get_root_dentry+0x26/0x250 fs/nilfs2/super.c:908
nilfs_fill_super fs/nilfs2/super.c:1082 [inline]
nilfs_mount+0xac8/0xe70 fs/nilfs2/super.c:1321
mount_fs+0xa3/0x310 fs/super.c:1261
vfs_kern_mount.part.0+0x68/0x470 fs/namespace.c:961
vfs_kern_mount fs/namespace.c:951 [inline]
do_new_mount fs/namespace.c:2492 [inline]
do_mount+0x115c/0x2f50 fs/namespace.c:2822
ksys_mount+0xcf/0x130 fs/namespace.c:3038
__do_sys_mount fs/namespace.c:3052 [inline]
__se_sys_mount fs/namespace.c:3049 [inline]
__x64_sys_mount+0xba/0x150 fs/namespace.c:3049
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f2d1a572ada
Code: 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 b8 04 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f2d18ee4f88 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 0000000020000200 RCX: 00007f2d1a572ada
RDX: 0000000020000000 RSI: 0000000020000080 RDI: 00007f2d18ee4fe0
RBP: 00007f2d18ee5020 R08: 00007f2d18ee5020 R09: 0000000020000000
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000020000000
R13: 0000000020000080 R14: 00007f2d18ee4fe0 R15: 00000000200131c0
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot found the following issue on:
HEAD commit: 3f8a27f9e27b Linux 4.19.211
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=148cb7c0880000
kernel config: https://syzkaller.appspot.com/x/.config?x=9b9277b418617afe
dashboard link: https://syzkaller.appspot.com/bug?extid=2b9bdebf6a534556b7e1
compiler: gcc version 10.2.1 20210110 (Debian 10.2.1-6)
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/98c0bdb4abb3/disk-3f8a27f9.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/ea228ff02669/vmlinux-3f8a27f9.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+2b9bde...@syzkaller.appspotmail.com
NILFS (loop4): broken superblock, retrying with spare superblock (blocksize = 1024)
==================================================================
NILFS (loop4): segctord starting. Construction interval = 5 seconds, CP frequency < 30 seconds
BUG: KASAN: user-memory-access in atomic_inc include/asm-generic/atomic-instrumented.h:109 [inline]
BUG: KASAN: user-memory-access in __lock_acquire+0x251/0x3ff0 kernel/locking/lockdep.c:3308
Write of size 4 at addr 0000000100000137 by task syz-executor.4/19536
CPU: 1 PID: 19536 Comm: syz-executor.4 Not tainted 4.19.211-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
kasan_report_error.cold+0x15b/0x1b9 mm/kasan/report.c:352
kasan_report+0x8f/0xa0 mm/kasan/report.c:412
atomic_inc include/asm-generic/atomic-instrumented.h:109 [inline]
__lock_acquire+0x251/0x3ff0 kernel/locking/lockdep.c:3308
lock_acquire+0x170/0x3c0 kernel/locking/lockdep.c:3908
down_read+0x36/0x80 kernel/locking/rwsem.c:24
nilfs_bmap_lookup_at_level+0x7b/0x3e0 fs/nilfs2/bmap.c:68
nilfs_bmap_lookup fs/nilfs2/bmap.h:170 [inline]
nilfs_mdt_submit_block.constprop.0+0x1a5/0xaa0 fs/nilfs2/mdt.c:142
nilfs_mdt_read_block+0x96/0x3e0 fs/nilfs2/mdt.c:175
nilfs_mdt_get_block+0xe6/0xd40 fs/nilfs2/mdt.c:250
nilfs_palloc_get_block+0xc4/0x2b0 fs/nilfs2/alloc.c:216
nilfs_palloc_get_entry_block+0x17b/0x230 fs/nilfs2/alloc.c:318
nilfs_ifile_get_inode_block+0xbf/0x170 fs/nilfs2/ifile.c:143
__nilfs_read_inode fs/nilfs2/inode.c:483 [inline]
nilfs_iget+0x204/0x860 fs/nilfs2/inode.c:592
nilfs_get_root_dentry+0x26/0x250 fs/nilfs2/super.c:908
nilfs_fill_super fs/nilfs2/super.c:1082 [inline]
nilfs_mount+0xac8/0xe70 fs/nilfs2/super.c:1321
mount_fs+0xa3/0x310 fs/super.c:1261
vfs_kern_mount.part.0+0x68/0x470 fs/namespace.c:961
vfs_kern_mount fs/namespace.c:951 [inline]
do_new_mount fs/namespace.c:2492 [inline]
do_mount+0x115c/0x2f50 fs/namespace.c:2822
ksys_mount+0xcf/0x130 fs/namespace.c:3038
__do_sys_mount fs/namespace.c:3052 [inline]
__se_sys_mount fs/namespace.c:3049 [inline]
__x64_sys_mount+0xba/0x150 fs/namespace.c:3049
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f2d1a572ada
Code: 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 b8 04 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f2d18ee4f88 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 0000000020000200 RCX: 00007f2d1a572ada
RDX: 0000000020000000 RSI: 0000000020000080 RDI: 00007f2d18ee4fe0
RBP: 00007f2d18ee5020 R08: 00007f2d18ee5020 R09: 0000000020000000
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000020000000
R13: 0000000020000080 R14: 00007f2d18ee4fe0 R15: 00000000200131c0
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot
Mar 11, 2023, 8:34:36 PM3/11/23
to syzkaller...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.
Crashes did not happen for a while, no reproducer and no activity.
Reply all
Reply to author
Forward
0 new messages