[v6.1] BUG: unable to handle kernel paging request in prepare_error_buf


syzbot

Aug 17, 2024, 1:42:32 PM
to syzkaller...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 117ac406ba90 Linux 6.1.105
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=177f8c5b980000
kernel config: https://syzkaller.appspot.com/x/.config?x=31819bebb872e117
dashboard link: https://syzkaller.appspot.com/bug?extid=99bf584fb5f18d82cba5
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/068c237a7ce9/disk-117ac406.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/3136d1147adb/vmlinux-117ac406.xz
kernel image: https://storage.googleapis.com/syzbot-assets/dfcdd2f95d78/Image-117ac406.gz.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+99bf58...@syzkaller.appspotmail.com

REISERFS warning (device loop4): vs-13060 reiserfs_update_sd_size: stat data of object [2 5 0x0 SD] (nlink == 1) not found (pos 1)
REISERFS warning (device loop4): vs-13060 reiserfs_update_sd_size: stat data of object [2 5 0x0 SD] (nlink == 1) not found (pos 1)
Unable to handle kernel paging request at virtual address 00000000ffffffff
Mem abort info:
ESR = 0x0000000096000005
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x05: level 1 translation fault
Data abort info:
ISV = 0, ISS = 0x00000005
CM = 0, WnR = 0
user pgtable: 4k pages, 48-bit VAs, pgdp=000000011a3a9000
[00000000ffffffff] pgd=0800000118a61003, p4d=0800000118a61003, pud=0000000000000000
Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 4471 Comm: syz.4.28 Not tainted 6.1.105-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : scnprintf_cpu_key fs/reiserfs/prints.c:95 [inline]
pc : prepare_error_buf+0x6dc/0x157c fs/reiserfs/prints.c:229
lr : prepare_error_buf+0x430/0x157c fs/reiserfs/prints.c:230
sp : ffff80001dbc7180
x29: ffff80001dbc7300 x28: ffff800019be39be x27: ffff800019be2abe
x26: ffff80001dbc73f8 x25: ffff80001dbc73e0 x24: ffff80001dbc7260
x23: ffff800019be2aa0 x22: 00000000ffffffff x21: ffffffffffffffe2
x20: 00000000000003e2 x19: dfff800000000000 x18: 1ffff00003c71205
x17: ffff8000159cd000 x16: ffff8000084fb4fc x15: 0000000000000002
x14: 000000000000007a x13: ffff0000ced28000 x12: 0000000000040000
x11: 000000000003ffff x10: ffff8000232ac000 x9 : ffff800008d90078
x8 : 0000000000000000 x7 : 20726f6620686372 x6 : 7261657320666f20
x5 : ffff800019be2abe x4 : ffff800019be39be x3 : ffff800012248294
x2 : 000000000000000f x1 : 00000000ffffffe0 x0 : 00000000ffffffff
Call trace:
scnprintf_cpu_key fs/reiserfs/prints.c:95 [inline]
prepare_error_buf+0x6dc/0x157c fs/reiserfs/prints.c:229
__reiserfs_error+0xe8/0x2ac fs/reiserfs/prints.c:396
reiserfs_do_truncate+0x2c0/0x11c8 fs/reiserfs/stree.c:1930
reiserfs_truncate_file+0x510/0xb1c fs/reiserfs/inode.c:2310
reiserfs_truncate_failed_write fs/reiserfs/inode.c:2743 [inline]
reiserfs_write_begin+0x544/0x71c fs/reiserfs/inode.c:2808
generic_perform_write+0x278/0x55c mm/filemap.c:3817
__generic_file_write_iter+0x168/0x388 mm/filemap.c:3945
generic_file_write_iter+0xb8/0x2b4 mm/filemap.c:3977
call_write_iter include/linux/fs.h:2265 [inline]
new_sync_write fs/read_write.c:491 [inline]
vfs_write+0x610/0x91c fs/read_write.c:584
ksys_write+0x15c/0x26c fs/read_write.c:637
__do_sys_write fs/read_write.c:649 [inline]
__se_sys_write fs/read_write.c:646 [inline]
__arm64_sys_write+0x7c/0x90 fs/read_write.c:646
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:140
do_el0_svc+0x64/0x218 arch/arm64/kernel/syscall.c:204
el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585
Code: d343fec8 38f36908 35005548 aa1603e0 (b8404418)
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
0: d343fec8 lsr x8, x22, #3
4: 38f36908 ldrsb w8, [x8, x19]
8: 35005548 cbnz w8, 0xab0
c: aa1603e0 mov x0, x22
* 10: b8404418 ldr w24, [x0], #4 <-- trapping instruction


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup