kernel BUG at fs/buffer.c:LINE!


syzbot

Apr 27, 2019, 3:47:07 PM
to syzkaller...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: fa5941f4 Linux 4.14.114
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=148dd75ca00000
kernel config: https://syzkaller.appspot.com/x/.config?x=d7780000df8e070e
dashboard link: https://syzkaller.appspot.com/bug?extid=f7cb69e1859d0347797f
compiler: gcc (GCC) 9.0.0 20181231 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+f7cb69...@syzkaller.appspotmail.com

protocol 88fb is buggy, dev hsr_slave_0
protocol 88fb is buggy, dev hsr_slave_1
------------[ cut here ]------------
kernel BUG at fs/buffer.c:605!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
Modules linked in:
CPU: 1 PID: 5242 Comm: syz-executor.3 Not tainted 4.14.114 #4
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
task: ffff88805b05e480 task.stack: ffff888061088000
CPU: 0 PID: 5260 Comm: syz-executor.4 Not tainted 4.14.114 #4
RIP: 0010:mark_buffer_dirty_inode fs/buffer.c:605 [inline]
RIP: 0010:mark_buffer_dirty_inode+0x2ea/0x3e0 fs/buffer.c:596
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RSP: 0018:ffff88806108f678 EFLAGS: 00010216
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x138/0x19c lib/dump_stack.c:53
RAX: 0000000000040000 RBX: ffff88805e2992a0 RCX: ffffc90007c4c000
fail_dump lib/fault-inject.c:51 [inline]
should_fail.cold+0x10f/0x159 lib/fault-inject.c:149
RDX: 00000000000308fa RSI: ffffffff8199673a RDI: ffff88805e3949b8
should_failslab+0xdb/0x130 mm/failslab.c:32
RBP: ffff88806108f6b0 R08: ffff88805b05e480 R09: 0000000000000004
slab_pre_alloc_hook mm/slab.h:421 [inline]
slab_alloc mm/slab.c:3376 [inline]
kmem_cache_alloc_trace+0x2ec/0x790 mm/slab.c:3616
R10: 0000000000000000 R11: ffff88805b05e480 R12: ffff88805e394858
kmalloc include/linux/slab.h:488 [inline]
perf_event_mmap_event kernel/events/core.c:7010 [inline]
perf_event_mmap+0x413/0xbb0 kernel/events/core.c:7204
R13: 0000000000000000 R14: ffff8880a77c44a0 R15: 0000000000000aee
FS: 00007effc455e700(0000) GS:ffff8880aef00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000004e65e0 CR3: 00000000a90c3000 CR4: 00000000001426e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
mmap_region+0x29b/0x1030 mm/mmap.c:1754
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
do_mmap+0x5b8/0xcd0 mm/mmap.c:1501
Call Trace:
do_mmap_pgoff include/linux/mm.h:2165 [inline]
vm_mmap_pgoff+0x17a/0x1d0 mm/util.c:333
fat16_ent_put+0xc5/0x100 fs/fat/fatent.c:181
fat_free_clusters+0x36f/0x810 fs/fat/fatent.c:593
SYSC_mmap_pgoff mm/mmap.c:1551 [inline]
SyS_mmap_pgoff+0x3ca/0x520 mm/mmap.c:1509
fat_free fs/fat/file.c:346 [inline]
fat_truncate_blocks+0x693/0xae0 fs/fat/file.c:364
SYSC_mmap arch/x86/kernel/sys_x86_64.c:100 [inline]
SyS_mmap+0x16/0x20 arch/x86/kernel/sys_x86_64.c:91
do_syscall_64+0x1eb/0x630 arch/x86/entry/common.c:289
entry_SYSCALL_64_after_hwframe+0x42/0xb7
fat_setattr+0x6c1/0xae0 fs/fat/file.c:508
RIP: 0033:0x458da9
RSP: 002b:00007f4878713c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
RAX: ffffffffffffffda RBX: 00007f4878713c90 RCX: 0000000000458da9
notify_change+0x8d4/0xd10 fs/attr.c:313
RDX: 0000000000000000 RSI: 0000000000002000 RDI: 0000000020ffe000
do_truncate+0x124/0x1c0 fs/open.c:63
RBP: 000000000073bf00 R08: 0000000000000003 R09: 0000000000000000
R10: 0440000000202011 R11: 0000000000000246 R12: 00007f48787146d4
handle_truncate fs/namei.c:3009 [inline]
do_last fs/namei.c:3434 [inline]
path_openat+0x2788/0x3f70 fs/namei.c:3566
R13: 00000000004c4ced R14: 00000000004d8900 R15: 0000000000000005
kobject: 'loop5' (ffff8880a4b032e0): kobject_uevent_env
do_filp_open+0x18e/0x250 fs/namei.c:3600
do_sys_open+0x2c5/0x430 fs/open.c:1065
SYSC_open fs/open.c:1083 [inline]
SyS_open fs/open.c:1078 [inline]
SYSC_creat fs/open.c:1123 [inline]
SyS_creat+0x27/0x30 fs/open.c:1121
kobject: 'loop5' (ffff8880a4b032e0): fill_kobj_path: path
= '/devices/virtual/block/loop5'
do_syscall_64+0x1eb/0x630 arch/x86/entry/common.c:289
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x458da9
RSP: 002b:00007effc455dc78 EFLAGS: 00000246
kobject: 'loop4' (ffff8880a4a889e0): kobject_uevent_env
ORIG_RAX: 0000000000000055
kobject: 'loop4' (ffff8880a4a889e0): fill_kobj_path: path
= '/devices/virtual/block/loop4'
RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 0000000000458da9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000080
RBP: 000000000073c040 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007effc455e6d4
R13: 00000000004bf304 R14: 00000000004d0488 R15: 00000000ffffffff
Code: fa 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 75 4d 4c 89
63 58 4c 89 ef e8 10 a8 81 04 e9 13 fe ff ff e8 76 81 c3 ff <0f> 0b 4c 89
ff e8 dc 26 ed ff e9 f8 fd ff ff e8 d2 26 ed ff e9
RIP: mark_buffer_dirty_inode fs/buffer.c:605 [inline] RSP: ffff88806108f678
RIP: mark_buffer_dirty_inode+0x2ea/0x3e0 fs/buffer.c:596 RSP:
ffff88806108f678
---[ end trace 68da6acde5c2e573 ]---


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

May 6, 2019, 2:56:07 PM
to syzkaller...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 1656b145 Linux 4.19.40
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=16fd0410a00000
kernel config: https://syzkaller.appspot.com/x/.config?x=9d87ef9272ca3a1
dashboard link: https://syzkaller.appspot.com/bug?extid=0b3fae6fc3c4feb104a4
compiler: gcc (GCC) 9.0.0 20181231 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+0b3fae...@syzkaller.appspotmail.com

------------[ cut here ]------------
kernel BUG at fs/buffer.c:553!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 13013 Comm: syz-executor.0 Not tainted 4.19.40 #8
kobject: 'loop4' (0000000096f9265d): kobject_uevent_env
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RIP: 0010:mark_buffer_dirty_inode fs/buffer.c:553 [inline]
RIP: 0010:mark_buffer_dirty_inode+0x30f/0x410 fs/buffer.c:544
Code: 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 75 4d 4c 89 63
58 4c 89 ef e8 8b 03 38 05 e9 ee fd ff ff e8 91 ab b2 ff <0f> 0b 4c 89 ff
e8 f7 21 e9 ff e9 d3 fd ff ff e8 ed 21 e9 ff e9 5b
loop_reread_partitions: partition scan of loop0 (p ��|��' $� �>B�� � T� ՜�)
failed (rc=-16)
RSP: 0018:ffff888055266d28 EFLAGS: 00010246
RAX: 0000000000040000 RBX: ffff88805d27b7e0 RCX: ffffc90005e77000
RDX: 0000000000040000 RSI: ffffffff81b8d50f RDI: ffff88805d1a3ee0
RBP: ffff888055266d68 R08: ffff888056422100 R09: 0000000000000003
R10: ffffed1015d24732 R11: ffff8880ae923993 R12: ffff88805d1a3d80
R13: 0000000000000000 R14: ffff8880a6cc73d8 R15: ffff888055267010
FS: 00007f5fcc6d9700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b32d23000 CR3: 00000000a0ad5000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
kobject: 'loop4' (0000000096f9265d): fill_kobj_path: path
= '/devices/virtual/block/loop4'
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
fat16_ent_put+0xd2/0x110 fs/fat/fatent.c:182
fat_alloc_clusters+0x63e/0xf40 fs/fat/fatent.c:500
fat_add_cluster+0x6f/0x100 fs/fat/inode.c:101
kobject: 'loop1' (0000000046e97258): kobject_uevent_env
kobject: 'loop1' (0000000046e97258): fill_kobj_path: path
= '/devices/virtual/block/loop1'
__fat_get_block fs/fat/inode.c:148 [inline]
fat_get_block+0x344/0x970 fs/fat/inode.c:183
__block_write_begin_int+0x4e0/0x1920 fs/buffer.c:1967
kobject: 'loop3' (00000000f349b21d): kobject_uevent_env
kobject: 'loop3' (00000000f349b21d): fill_kobj_path: path
= '/devices/virtual/block/loop3'
__block_write_begin fs/buffer.c:2017 [inline]
block_write_begin+0x5f/0x1e0 fs/buffer.c:2076
cont_write_begin+0x4fa/0x8c0 fs/buffer.c:2429
fat_write_begin+0x8d/0x120 fs/fat/inode.c:229
generic_perform_write+0x231/0x530 mm/filemap.c:3139
__generic_file_write_iter+0x25e/0x630 mm/filemap.c:3264
generic_file_write_iter+0x383/0x730 mm/filemap.c:3292
call_write_iter include/linux/fs.h:1817 [inline]
new_sync_write fs/read_write.c:474 [inline]
__vfs_write+0x58e/0x820 fs/read_write.c:487
__kernel_write+0x110/0x390 fs/read_write.c:506
write_pipe_buf+0x15d/0x1f0 fs/splice.c:798
splice_from_pipe_feed fs/splice.c:503 [inline]
__splice_from_pipe+0x39a/0x7e0 fs/splice.c:627
splice_from_pipe+0x108/0x170 fs/splice.c:662
default_file_splice_write+0x3c/0x90 fs/splice.c:810
do_splice_from fs/splice.c:852 [inline]
direct_splice_actor+0x126/0x1a0 fs/splice.c:1019
splice_direct_to_actor+0x2ea/0x890 fs/splice.c:974
do_splice_direct+0x1da/0x2a0 fs/splice.c:1062
do_sendfile+0x597/0xce0 fs/read_write.c:1446
__do_sys_sendfile64 fs/read_write.c:1501 [inline]
__se_sys_sendfile64 fs/read_write.c:1493 [inline]
__x64_sys_sendfile64+0x15a/0x220 fs/read_write.c:1493
do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x458da9
Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f5fcc6d8c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 0000000000458da9
RDX: 0000000020000000 RSI: 0000000000000004 RDI: 0000000000000004
RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 00008080fffffffe R11: 0000000000000246 R12: 00007f5fcc6d96d4
R13: 00000000004c5fa3 R14: 00000000004da748 R15: 00000000ffffffff
Modules linked in:
---[ end trace 61665b5cc1d41589 ]---
RIP: 0010:mark_buffer_dirty_inode fs/buffer.c:553 [inline]
RIP: 0010:mark_buffer_dirty_inode+0x30f/0x410 fs/buffer.c:544
Code: 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 75 4d 4c 89 63
58 4c 89 ef e8 8b 03 38 05 e9 ee fd ff ff e8 91 ab b2 ff <0f> 0b 4c 89 ff
e8 f7 21 e9 ff e9 d3 fd ff ff e8 ed 21 e9 ff e9 5b
RSP: 0018:ffff888055266d28 EFLAGS: 00010246
RAX: 0000000000040000 RBX: ffff88805d27b7e0 RCX: ffffc90005e77000
RDX: 0000000000040000 RSI: ffffffff81b8d50f RDI: ffff88805d1a3ee0
kobject: 'loop2' (00000000631dce8b): kobject_uevent_env
print_req_error: I/O error, dev loop0, sector 0
print_req_error: I/O error, dev loop0, sector 0
kobject: 'loop2' (00000000631dce8b): fill_kobj_path: path
= '/devices/virtual/block/loop2'
Buffer I/O error on dev loop0, logical block 0, async page read
print_req_error: I/O error, dev loop0, sector 0
Buffer I/O error on dev loop0, logical block 0, async page read
print_req_error: I/O error, dev loop0, sector 0
Buffer I/O error on dev loop0, logical block 0, async page read
print_req_error: I/O error, dev loop0, sector 0
Buffer I/O error on dev loop0, logical block 0, async page read
kobject: 'loop1' (0000000046e97258): kobject_uevent_env
print_req_error: I/O error, dev loop0, sector 0
Buffer I/O error on dev loop0, logical block 0, async page read
print_req_error: I/O error, dev loop0, sector 0
Buffer I/O error on dev loop0, logical block 0, async page read
kobject: 'loop1' (0000000046e97258): fill_kobj_path: path
= '/devices/virtual/block/loop1'
print_req_error: I/O error, dev loop0, sector 0
Buffer I/O error on dev loop0, logical block 0, async page read
print_req_error: I/O error, dev loop0, sector 0
Buffer I/O error on dev loop0, logical block 0, async page read
print_req_error: I/O error, dev loop0, sector 0
Buffer I/O error on dev loop0, logical block 0, async page read
RBP: ffff888055266d68 R08: ffff888056422100 R09: 0000000000000003
Buffer I/O error on dev loop0, logical block 0, async page read
R10: ffffed1015d24732 R11: ffff8880ae923993 R12: ffff88805d1a3d80
R13: 0000000000000000 R14: ffff8880a6cc73d8 R15: ffff888055267010
kobject: 'loop5' (000000006040a904): kobject_uevent_env
FS: 00007f5fcc6d9700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
kobject: 'loop5' (000000006040a904): fill_kobj_path: path
= '/devices/virtual/block/loop5'
CR2: 000000000070d158 CR3: 00000000a0ad5000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


syzbot

Dec 18, 2019, 3:45:11 AM
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following crash on:

HEAD commit: 7d120bf2 Linux 4.19.90
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=11e3ca8ee00000
kernel config: https://syzkaller.appspot.com/x/.config?x=2e1b6005f88478d9
dashboard link: https://syzkaller.appspot.com/bug?extid=0b3fae6fc3c4feb104a4
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13961f2ee00000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+0b3fae...@syzkaller.appspotmail.com

8021q: adding VLAN 0 to HW filter on device batadv0
IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
8021q: adding VLAN 0 to HW filter on device batadv0
------------[ cut here ]------------
kernel BUG at fs/buffer.c:3054!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 7574 Comm: syz-executor.0 Not tainted 4.19.90-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RIP: 0010:submit_bh_wbc+0x61d/0x790 fs/buffer.c:3054
Code: 45 d0 48 8d 43 10 48 89 45 c0 e9 1b fc ff ff e8 c9 09 b0 ff f0 80 63
01 f7 e9 1f fb ff ff e8 ba 09 b0 ff 0f 0b e8 b3 09 b0 ff <0f> 0b e8 ac 09
b0 ff 0f 0b e8 a5 09 b0 ff 0f 0b e8 9e 09 b0 ff 0f
RSP: 0018:ffff88808d80fc28 EFLAGS: 00010293
RAX: ffff8880a0298500 RBX: ffff888093713a80 RCX: ffffffff81bb34e8
RDX: 0000000000000000 RSI: ffffffff81bb3a8d RDI: 0000000000000001
RBP: ffff88808d80fc70 R08: ffff8880a0298500 R09: ffffed10126e275d
R10: ffffed10126e275c R11: ffff888093713ae3 R12: 0000000000000000
R13: 0000000000000800 R14: 0000000000000000 R15: 0000000000000001
FS: 0000000002592940(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000625208 CR3: 00000000a63e9000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
submit_bh fs/buffer.c:3101 [inline]
__sync_dirty_buffer+0x111/0x2e0 fs/buffer.c:3187
sync_dirty_buffer+0x1b/0x20 fs/buffer.c:3200
fat_set_state+0x242/0x330 fs/fat/inode.c:702
fat_put_super+0x46/0xd0 fs/fat/inode.c:728
generic_shutdown_super+0x14c/0x370 fs/super.c:456
kill_block_super+0xa0/0x100 fs/super.c:1185
deactivate_locked_super+0x95/0x100 fs/super.c:329
deactivate_super fs/super.c:360 [inline]
deactivate_super+0x1bd/0x1e0 fs/super.c:356
cleanup_mnt+0xbf/0x150 fs/namespace.c:1098
__cleanup_mnt+0x16/0x20 fs/namespace.c:1105
task_work_run+0x145/0x1c0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:193 [inline]
exit_to_usermode_loop+0x273/0x2c0 arch/x86/entry/common.c:167
prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
do_syscall_64+0x53d/0x620 arch/x86/entry/common.c:296
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45d347
Code: 64 89 04 25 d0 02 00 00 58 5f ff d0 48 89 c7 e8 2f be ff ff 66 2e 0f
1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff
ff 0f 83 4d 8c fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffc16ae6728 EFLAGS: 00000206 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000000045d347
RDX: 0000000000403720 RSI: 0000000000000002 RDI: 00007ffc16ae67d0
RBP: 0000000000000010 R08: 0000000000000000 R09: 0000000000000009
R10: 0000000000000005 R11: 0000000000000206 R12: 00007ffc16ae7860
R13: 0000000002593940 R14: 0000000000000000 R15: 00007ffc16ae7860
Modules linked in:
---[ end trace b48e53607f982495 ]---
RIP: 0010:submit_bh_wbc+0x61d/0x790 fs/buffer.c:3054
Code: 45 d0 48 8d 43 10 48 89 45 c0 e9 1b fc ff ff e8 c9 09 b0 ff f0 80 63
01 f7 e9 1f fb ff ff e8 ba 09 b0 ff 0f 0b e8 b3 09 b0 ff <0f> 0b e8 ac 09
b0 ff 0f 0b e8 a5 09 b0 ff 0f 0b e8 9e 09 b0 ff 0f
RSP: 0018:ffff88808d80fc28 EFLAGS: 00010293
RAX: ffff8880a0298500 RBX: ffff888093713a80 RCX: ffffffff81bb34e8
RDX: 0000000000000000 RSI: ffffffff81bb3a8d RDI: 0000000000000001
kobject: 'loop4' (00000000c06a4345): kobject_uevent_env
RBP: ffff88808d80fc70 R08: ffff8880a0298500 R09: ffffed10126e275d
kobject: 'loop4' (00000000c06a4345): fill_kobj_path: path
= '/devices/virtual/block/loop4'
R10: ffffed10126e275c R11: ffff888093713ae3 R12: 0000000000000000
R13: 0000000000000800 R14: 0000000000000000 R15: 0000000000000001
FS: 0000000002592940(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
kobject: 'loop2' (00000000bff69909): kobject_uevent_env
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
kobject: 'loop2' (00000000bff69909): fill_kobj_path: path
= '/devices/virtual/block/loop2'
CR2: 00000000011a6188 CR3: 00000000a63e9000 CR4: 00000000001406e0

syzbot

Dec 18, 2019, 3:46:09 AM
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following crash on:

HEAD commit: bfb9e5c0 Linux 4.14.159
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=16f47c71e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=d21836ba19f34914
dashboard link: https://syzkaller.appspot.com/bug?extid=f7cb69e1859d0347797f
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=175b98b9e00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=102052fee00000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+f7cb69...@syzkaller.appspotmail.com

------------[ cut here ]------------
kernel BUG at fs/buffer.c:3111!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
kobject: 'loop5' (ffff8880a4200ee0): fill_kobj_path: path
= '/devices/virtual/block/loop5'
Modules linked in:
CPU: 1 PID: 7099 Comm: syz-executor073 Not tainted 4.14.159-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
task: ffff88809bed6640 task.stack: ffff888099b58000
RIP: 0010:submit_bh_wbc+0x5a0/0x720 fs/buffer.c:3111
RSP: 0018:ffff888099b5fa38 EFLAGS: 00010297
RAX: ffff88809bed6640 RBX: ffff88808ff60930 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000800 RDI: 0000000000000001
RBP: ffff888099b5fa80 R08: 0000000000000000 R09: 0000000000000001
R10: 0000000000000000 R11: ffff88809bed6640 R12: ffff88808ff60930
R13: 0000000000000800 R14: 0000000000000000 R15: 0000000000000001
FS: 0000000001e39940(0000) GS:ffff8880aed00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000001f8d008 CR3: 00000000a9b9f000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
submit_bh fs/buffer.c:3158 [inline]
__sync_dirty_buffer fs/buffer.c:3244 [inline]
__sync_dirty_buffer+0xcf/0x260 fs/buffer.c:3235
sync_dirty_buffer+0x1b/0x20 fs/buffer.c:3257
fat_set_state+0x1f5/0x2e0 fs/fat/inode.c:695
fat_fill_super+0x1e90/0x3560 fs/fat/inode.c:1861
vfat_fill_super+0x32/0x40 fs/fat/namei_vfat.c:1059
mount_bdev+0x2be/0x370 fs/super.c:1134
vfat_mount+0x35/0x40 fs/fat/namei_vfat.c:1066
mount_fs+0x97/0x2a1 fs/super.c:1237
vfs_kern_mount.part.0+0x5e/0x3d0 fs/namespace.c:1046
vfs_kern_mount fs/namespace.c:1036 [inline]
do_new_mount fs/namespace.c:2549 [inline]
do_mount+0x417/0x27d0 fs/namespace.c:2879
SYSC_mount fs/namespace.c:3095 [inline]
SyS_mount+0xab/0x120 fs/namespace.c:3072
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x4487aa
RSP: 002b:00007ffe2d6cff58 EFLAGS: 00000293 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004487aa
RDX: 00007ffe2d6cffa0 RSI: 00000000200002c0 RDI: 00007ffe2d6cffc0
RBP: 0000000000000000 R08: 00007ffe2d6d0000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000402f60
R13: 0000000000402ff0 R14: 0000000000000000 R15: 0000000000000000
Code: f0 80 63 01 f7 e9 3d fb ff ff 48 8d 43 20 48 89 45 d0 48 8d 43 10 48
89 45 c0 e9 34 fc ff ff e8 87 3a c1 ff 0f 0b e8 80 3a c1 ff <0f> 0b e8 79
3a c1 ff 0f 0b e8 72 3a c1 ff 0f 0b e8 6b 3a c1 ff
RIP: submit_bh_wbc+0x5a0/0x720 fs/buffer.c:3111 RSP: ffff888099b5fa38
---[ end trace eb01e1d9005bc5c1 ]---

syzbot

Sep 1, 2020, 1:35:06 AM
to syzkaller...@googlegroups.com
syzbot suspects this issue was fixed by commit:

commit 954fc7da99a9513d5e6b3ccf38f6f7c9af5a276d
Author: Eric Biggers <ebig...@google.com>
Date: Wed Aug 12 01:35:30 2020 +0000

fs/minix: reject too-large maximum file size

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=156756c1900000
start commit: 399849e4 Linux 4.19.131
git tree: linux-4.19.y
kernel config: https://syzkaller.appspot.com/x/.config?x=eada6d424d8bae1d
dashboard link: https://syzkaller.appspot.com/bug?extid=0b3fae6fc3c4feb104a4
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1018969d100000

If the result looks correct, please mark the issue as fixed by replying with:

#syz fix: fs/minix: reject too-large maximum file size

For information about bisection process see: https://goo.gl/tpsmEJ#bisection