BUG: corrupted list in dquot_disable
4 views
Skip to first unread message
syzbot
Dec 8, 2020, 9:01:11 PM12/8/20
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 47cbf4cc Linux 4.14.211
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=111bdcbd500000
kernel config: https://syzkaller.appspot.com/x/.config?x=fdd708417c3f7d5b
dashboard link: https://syzkaller.appspot.com/bug?extid=a32b97fee7676905ca03
compiler: gcc (GCC) 10.1.0-syz 20200507
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16a612cb500000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=137aaf9b500000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+a32b97...@syzkaller.appspotmail.com
EXT4-fs error (device loop0): ext4_mb_generate_buddy:754: group 0, block bitmap and bg descriptor inconsistent: 32768 vs 25 free clusters
Quota error (device loop0): write_blk: dquota write failed
Quota error (device loop0): qtree_write_dquot: Error -28 occurred while creating quota
list_del corruption. prev->next should be ffff88808dfc4e20, but was ffffffff8903d2e0
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:51!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 0 PID: 7991 Comm: syz-executor330 Not tainted 4.14.211-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8880b335e540 task.stack: ffff8880b2978000
RIP: 0010:__list_del_entry_valid.cold+0xf/0x55 lib/list_debug.c:51
RSP: 0018:ffff8880b297fb30 EFLAGS: 00010282
RAX: 0000000000000054 RBX: ffff88808dfc4c40 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff878bbac0 RDI: ffffed101652ff5c
RBP: ffff88808dfc4e20 R08: 0000000000000054 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffffffff8995316f
R13: ffff88808dfc4c60 R14: ffff88808dfc4e20 R15: dffffc0000000000
FS: 0000000002628880(0000) GS:ffff8880ba400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000026318b8 CR3: 0000000098fdb000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
__list_del_entry include/linux/list.h:117 [inline]
list_del_init include/linux/list.h:159 [inline]
remove_free_dquot fs/quota/dquot.c:307 [inline]
invalidate_dquots fs/quota/dquot.c:566 [inline]
dquot_disable+0xd72/0x1810 fs/quota/dquot.c:2217
ext4_quota_off+0xd8/0x3a0 fs/ext4/super.c:5780
ext4_quota_off_umount fs/ext4/super.c:880 [inline]
ext4_put_super+0x86/0xf00 fs/ext4/super.c:910
generic_shutdown_super+0x144/0x370 fs/super.c:446
kill_block_super+0x95/0xe0 fs/super.c:1161
deactivate_locked_super+0x6c/0xd0 fs/super.c:319
deactivate_super+0x7f/0xa0 fs/super.c:350
cleanup_mnt+0x186/0x2c0 fs/namespace.c:1183
task_work_run+0x11f/0x190 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:191 [inline]
exit_to_usermode_loop+0x1ad/0x200 arch/x86/entry/common.c:164
prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
do_syscall_64+0x4a3/0x640 arch/x86/entry/common.c:297
entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x4481f7
RSP: 002b:00007ffdd042bca8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 00007ffdd042ce20 RCX: 00000000004481f7
RDX: 0000000000400bb0 RSI: 0000000000000002 RDI: 00007ffdd042bd50
RBP: 0000000000009595 R08: 0000000000000000 R09: 0000000000000009
R10: 0000000000000005 R11: 0000000000000202 R12: 00007ffdd042cdc0
R13: 0000000002629880 R14: 0000000000000000 R15: 0000000000000000
Code: 87 e8 9c f8 23 fe 0f 0b 48 89 f1 48 c7 c7 e0 d1 cc 87 4c 89 e6 e8 88 f8 23 fe 0f 0b 48 89 ee 48 c7 c7 80 d3 cc 87 e8 77 f8 23 fe <0f> 0b 4c 89 ea 48 89 ee 48 c7 c7 c0 d2 cc 87 e8 63 f8 23 fe 0f
RIP: __list_del_entry_valid.cold+0xf/0x55 lib/list_debug.c:51 RSP: ffff8880b297fb30
---[ end trace 3584cc6ac8feaf23 ]---
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot found the following issue on:
HEAD commit: 47cbf4cc Linux 4.14.211
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=111bdcbd500000
kernel config: https://syzkaller.appspot.com/x/.config?x=fdd708417c3f7d5b
dashboard link: https://syzkaller.appspot.com/bug?extid=a32b97fee7676905ca03
compiler: gcc (GCC) 10.1.0-syz 20200507
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16a612cb500000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=137aaf9b500000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+a32b97...@syzkaller.appspotmail.com
EXT4-fs error (device loop0): ext4_mb_generate_buddy:754: group 0, block bitmap and bg descriptor inconsistent: 32768 vs 25 free clusters
Quota error (device loop0): write_blk: dquota write failed
Quota error (device loop0): qtree_write_dquot: Error -28 occurred while creating quota
list_del corruption. prev->next should be ffff88808dfc4e20, but was ffffffff8903d2e0
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:51!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 0 PID: 7991 Comm: syz-executor330 Not tainted 4.14.211-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8880b335e540 task.stack: ffff8880b2978000
RIP: 0010:__list_del_entry_valid.cold+0xf/0x55 lib/list_debug.c:51
RSP: 0018:ffff8880b297fb30 EFLAGS: 00010282
RAX: 0000000000000054 RBX: ffff88808dfc4c40 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff878bbac0 RDI: ffffed101652ff5c
RBP: ffff88808dfc4e20 R08: 0000000000000054 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffffffff8995316f
R13: ffff88808dfc4c60 R14: ffff88808dfc4e20 R15: dffffc0000000000
FS: 0000000002628880(0000) GS:ffff8880ba400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000026318b8 CR3: 0000000098fdb000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
__list_del_entry include/linux/list.h:117 [inline]
list_del_init include/linux/list.h:159 [inline]
remove_free_dquot fs/quota/dquot.c:307 [inline]
invalidate_dquots fs/quota/dquot.c:566 [inline]
dquot_disable+0xd72/0x1810 fs/quota/dquot.c:2217
ext4_quota_off+0xd8/0x3a0 fs/ext4/super.c:5780
ext4_quota_off_umount fs/ext4/super.c:880 [inline]
ext4_put_super+0x86/0xf00 fs/ext4/super.c:910
generic_shutdown_super+0x144/0x370 fs/super.c:446
kill_block_super+0x95/0xe0 fs/super.c:1161
deactivate_locked_super+0x6c/0xd0 fs/super.c:319
deactivate_super+0x7f/0xa0 fs/super.c:350
cleanup_mnt+0x186/0x2c0 fs/namespace.c:1183
task_work_run+0x11f/0x190 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:191 [inline]
exit_to_usermode_loop+0x1ad/0x200 arch/x86/entry/common.c:164
prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
do_syscall_64+0x4a3/0x640 arch/x86/entry/common.c:297
entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x4481f7
RSP: 002b:00007ffdd042bca8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 00007ffdd042ce20 RCX: 00000000004481f7
RDX: 0000000000400bb0 RSI: 0000000000000002 RDI: 00007ffdd042bd50
RBP: 0000000000009595 R08: 0000000000000000 R09: 0000000000000009
R10: 0000000000000005 R11: 0000000000000202 R12: 00007ffdd042cdc0
R13: 0000000002629880 R14: 0000000000000000 R15: 0000000000000000
Code: 87 e8 9c f8 23 fe 0f 0b 48 89 f1 48 c7 c7 e0 d1 cc 87 4c 89 e6 e8 88 f8 23 fe 0f 0b 48 89 ee 48 c7 c7 80 d3 cc 87 e8 77 f8 23 fe <0f> 0b 4c 89 ea 48 89 ee 48 c7 c7 c0 d2 cc 87 e8 63 f8 23 fe 0f
RIP: __list_del_entry_valid.cold+0xf/0x55 lib/list_debug.c:51 RSP: ffff8880b297fb30
---[ end trace 3584cc6ac8feaf23 ]---
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot
Jan 7, 2021, 11:32:14 PM1/7/21
to syzkaller...@googlegroups.com
syzbot suspects this issue was fixed by commit:
commit a9c625fcddc078624e1e7a673443b29c71be3431
Author: Jan Kara <ja...@suse.cz>
Date: Mon Nov 2 15:16:29 2020 +0000
quota: Sanity-check quota file headers on load
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=150480af500000
start commit: 47cbf4cc Linux 4.14.211
git tree: linux-4.14.y
#syz fix: quota: Sanity-check quota file headers on load
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
commit a9c625fcddc078624e1e7a673443b29c71be3431
Author: Jan Kara <ja...@suse.cz>
Date: Mon Nov 2 15:16:29 2020 +0000
quota: Sanity-check quota file headers on load
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=150480af500000
start commit: 47cbf4cc Linux 4.14.211
git tree: linux-4.14.y
kernel config: https://syzkaller.appspot.com/x/.config?x=fdd708417c3f7d5b
dashboard link: https://syzkaller.appspot.com/bug?extid=a32b97fee7676905ca03
dashboard link: https://syzkaller.appspot.com/bug?extid=a32b97fee7676905ca03
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16a612cb500000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=137aaf9b500000
If the result looks correct, please mark the issue as fixed by replying with:
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=137aaf9b500000
#syz fix: quota: Sanity-check quota file headers on load
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
Reply all
Reply to author
Forward
0 new messages