general protection fault in dqput
5 views
Skip to first unread message
syzbot
Dec 27, 2020, 7:50:20 PM12/27/20
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 3f2ecb86 Linux 4.14.212
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=11729447500000
kernel config: https://syzkaller.appspot.com/x/.config?x=80549830ca6ffbb2
dashboard link: https://syzkaller.appspot.com/bug?extid=78fc828363d71447725d
compiler: gcc (GCC) 10.1.0-syz 20200507
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14b5c4c0d00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1540afa7500000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+78fc82...@syzkaller.appspotmail.com
EXT4-fs error (device loop0): ext4_mb_generate_buddy:754: group 0, block bitmap and bg descriptor inconsistent: 32768 vs 25 free clusters
Quota error (device loop0): write_blk: dquota write failed
Quota error (device loop0): qtree_write_dquot: Error -28 occurred while creating quota
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 1 PID: 7997 Comm: syz-executor422 Not tainted 4.14.212-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8880b2928300 task.stack: ffff888095560000
RIP: 0010:dqput.part.0+0x198/0x750 fs/quota/dquot.c:775
RSP: 0018:ffff888095567980 EFLAGS: 00010a03
RAX: e8a8eb082444b60f RBX: ffffffff85874df4 RCX: 0000000000000000
RDX: 1d151d61048896c8 RSI: 0000000000000002 RDI: e8a8eb082444b647
RBP: dffffc0000000000 R08: ffffffff8b99a738 R09: 0000000000000001
R10: 0000000000000000 R11: ffff8880b2928300 R12: 0000000000000007
R13: fffffbfff0b0e9dd R14: ffffffff85874f0c R15: ffffffff85874eec
FS: 0000000001add880(0000) GS:ffff8880ba500000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000004c4008 CR3: 0000000008e6a000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
dqput fs/quota/dquot.c:748 [inline]
dqput_all fs/quota/dquot.c:391 [inline]
__dquot_drop+0x193/0x250 fs/quota/dquot.c:1564
dquot_drop fs/quota/dquot.c:1589 [inline]
dquot_drop+0x13e/0x190 fs/quota/dquot.c:1567
ext4_clear_inode+0x31/0x1d0 fs/ext4/super.c:1110
ext4_evict_inode+0x1f1/0x1500 fs/ext4/inode.c:347
evict+0x2c8/0x700 fs/inode.c:555
dispose_list+0x109/0x1e0 fs/inode.c:590
evict_inodes+0x2cd/0x3a0 fs/inode.c:640
generic_shutdown_super+0xb3/0x370 fs/super.c:438
kill_block_super+0x95/0xe0 fs/super.c:1161
deactivate_locked_super+0x6c/0xd0 fs/super.c:319
deactivate_super+0x7f/0xa0 fs/super.c:350
cleanup_mnt+0x186/0x2c0 fs/namespace.c:1183
task_work_run+0x11f/0x190 kernel/task_work.c:113
exit_task_work include/linux/task_work.h:22 [inline]
do_exit+0xa44/0x2850 kernel/exit.c:868
do_group_exit+0x100/0x2e0 kernel/exit.c:965
SYSC_exit_group kernel/exit.c:976 [inline]
SyS_exit_group+0x19/0x20 kernel/exit.c:974
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x443a28
RSP: 002b:00007fffb5d640a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000443a28
RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
RBP: 00000000004c3fd0 R08: 00000000000000e7 R09: ffffffffffffffd0
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
R13: 00000000006d6180 R14: 0000000000000000 R15: 0000000000000000
Code: 48 8d 83 00 01 00 00 48 89 04 24 48 c1 e8 03 80 3c 28 00 0f 85 54 04 00 00 48 8b 83 00 01 00 00 48 8d 78 38 48 89 fa 48 c1 ea 03 <80> 3c 2a 00 0f 85 24 04 00 00 48 8b 40 38 48 89 c2 48 c1 ea 03
RIP: dqput.part.0+0x198/0x750 fs/quota/dquot.c:775 RSP: ffff888095567980
---[ end trace 98b1817e42190939 ]---
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot found the following issue on:
HEAD commit: 3f2ecb86 Linux 4.14.212
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=11729447500000
kernel config: https://syzkaller.appspot.com/x/.config?x=80549830ca6ffbb2
dashboard link: https://syzkaller.appspot.com/bug?extid=78fc828363d71447725d
compiler: gcc (GCC) 10.1.0-syz 20200507
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14b5c4c0d00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1540afa7500000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+78fc82...@syzkaller.appspotmail.com
EXT4-fs error (device loop0): ext4_mb_generate_buddy:754: group 0, block bitmap and bg descriptor inconsistent: 32768 vs 25 free clusters
Quota error (device loop0): write_blk: dquota write failed
Quota error (device loop0): qtree_write_dquot: Error -28 occurred while creating quota
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 1 PID: 7997 Comm: syz-executor422 Not tainted 4.14.212-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8880b2928300 task.stack: ffff888095560000
RIP: 0010:dqput.part.0+0x198/0x750 fs/quota/dquot.c:775
RSP: 0018:ffff888095567980 EFLAGS: 00010a03
RAX: e8a8eb082444b60f RBX: ffffffff85874df4 RCX: 0000000000000000
RDX: 1d151d61048896c8 RSI: 0000000000000002 RDI: e8a8eb082444b647
RBP: dffffc0000000000 R08: ffffffff8b99a738 R09: 0000000000000001
R10: 0000000000000000 R11: ffff8880b2928300 R12: 0000000000000007
R13: fffffbfff0b0e9dd R14: ffffffff85874f0c R15: ffffffff85874eec
FS: 0000000001add880(0000) GS:ffff8880ba500000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000004c4008 CR3: 0000000008e6a000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
dqput fs/quota/dquot.c:748 [inline]
dqput_all fs/quota/dquot.c:391 [inline]
__dquot_drop+0x193/0x250 fs/quota/dquot.c:1564
dquot_drop fs/quota/dquot.c:1589 [inline]
dquot_drop+0x13e/0x190 fs/quota/dquot.c:1567
ext4_clear_inode+0x31/0x1d0 fs/ext4/super.c:1110
ext4_evict_inode+0x1f1/0x1500 fs/ext4/inode.c:347
evict+0x2c8/0x700 fs/inode.c:555
dispose_list+0x109/0x1e0 fs/inode.c:590
evict_inodes+0x2cd/0x3a0 fs/inode.c:640
generic_shutdown_super+0xb3/0x370 fs/super.c:438
kill_block_super+0x95/0xe0 fs/super.c:1161
deactivate_locked_super+0x6c/0xd0 fs/super.c:319
deactivate_super+0x7f/0xa0 fs/super.c:350
cleanup_mnt+0x186/0x2c0 fs/namespace.c:1183
task_work_run+0x11f/0x190 kernel/task_work.c:113
exit_task_work include/linux/task_work.h:22 [inline]
do_exit+0xa44/0x2850 kernel/exit.c:868
do_group_exit+0x100/0x2e0 kernel/exit.c:965
SYSC_exit_group kernel/exit.c:976 [inline]
SyS_exit_group+0x19/0x20 kernel/exit.c:974
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x443a28
RSP: 002b:00007fffb5d640a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000443a28
RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
RBP: 00000000004c3fd0 R08: 00000000000000e7 R09: ffffffffffffffd0
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
R13: 00000000006d6180 R14: 0000000000000000 R15: 0000000000000000
Code: 48 8d 83 00 01 00 00 48 89 04 24 48 c1 e8 03 80 3c 28 00 0f 85 54 04 00 00 48 8b 83 00 01 00 00 48 8d 78 38 48 89 fa 48 c1 ea 03 <80> 3c 2a 00 0f 85 24 04 00 00 48 8b 40 38 48 89 c2 48 c1 ea 03
RIP: dqput.part.0+0x198/0x750 fs/quota/dquot.c:775 RSP: ffff888095567980
---[ end trace 98b1817e42190939 ]---
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot
Jan 26, 2021, 11:42:08 PM1/26/21
to syzkaller...@googlegroups.com
syzbot suspects this issue was fixed by commit:
commit a9c625fcddc078624e1e7a673443b29c71be3431
Author: Jan Kara <ja...@suse.cz>
Date: Mon Nov 2 15:16:29 2020 +0000
quota: Sanity-check quota file headers on load
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=11729d44d00000
start commit: 3f2ecb86 Linux 4.14.212
git tree: linux-4.14.y
#syz fix: quota: Sanity-check quota file headers on load
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
commit a9c625fcddc078624e1e7a673443b29c71be3431
Author: Jan Kara <ja...@suse.cz>
Date: Mon Nov 2 15:16:29 2020 +0000
quota: Sanity-check quota file headers on load
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=11729d44d00000
start commit: 3f2ecb86 Linux 4.14.212
git tree: linux-4.14.y
kernel config: https://syzkaller.appspot.com/x/.config?x=80549830ca6ffbb2
dashboard link: https://syzkaller.appspot.com/bug?extid=78fc828363d71447725d
dashboard link: https://syzkaller.appspot.com/bug?extid=78fc828363d71447725d
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14b5c4c0d00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1540afa7500000
If the result looks correct, please mark the issue as fixed by replying with:
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1540afa7500000
#syz fix: quota: Sanity-check quota file headers on load
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
Reply all
Reply to author
Forward
0 new messages