[reiserfs?] [fat?] general protection fault in prepare_for_delete_or_cut

syzbot

Dec 30, 2022, 1:10:40 AM
to syzkaller...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: c4215ee4771b Linux 4.14.302
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=15e8ea88480000
kernel config: https://syzkaller.appspot.com/x/.config?x=4a9988fe055c9527
dashboard link: https://syzkaller.appspot.com/bug?extid=ed64b374d2cdc63e247e
compiler: gcc version 10.2.1 20210110 (Debian 10.2.1-6)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1235d4f4480000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=136b3d9c480000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/c93ba055d204/disk-c4215ee4.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/bfbc929a33c1/vmlinux-c4215ee4.xz
kernel image: https://storage.googleapis.com/syzbot-assets/444658051770/bzImage-c4215ee4.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/d9cd4a065d17/mount_1.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ed64b3...@syzkaller.appspotmail.com

REISERFS error (device loop0): vs-13050 reiserfs_update_sd_size: i/o failure occurred trying to update [2 2 0x0 SD] stat data
REISERFS warning: reiserfs-5093 is_leaf: item entry count seems wrong *3.5*[2 1 0(1) DIR], item_len 35, item_location 4029, free_space(entry_count) 2
REISERFS error (device loop0): vs-5150 search_by_key: invalid format found in block 532. Fsck?
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 0 PID: 7969 Comm: syz-executor399 Not tainted 4.14.302-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
task: ffff8880b38741c0 task.stack: ffff88808d090000
RIP: 0010:reiserfs_node_data fs/reiserfs/reiserfs.h:2186 [inline]
RIP: 0010:item_head fs/reiserfs/reiserfs.h:2202 [inline]
RIP: 0010:tp_item_head fs/reiserfs/reiserfs.h:2228 [inline]
RIP: 0010:prepare_for_delete_or_cut+0x115/0x18c0 fs/reiserfs/stree.c:1060
RSP: 0018:ffff88808d0973f0 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: ffff88808d0975b0 RCX: ffff88808d097a10
RDX: 0000000000000005 RSI: ffff88808df0b788 RDI: 0000000000000028
RBP: 0000000000000000 R08: ffff88808d0975c0 R09: ffff88808d0975b0
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000002 R14: 1ffff11011a12f4a R15: ffff88808d0975c0
FS: 000055555582a300(0000) GS:ffff8880ba400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f0fdb7c0ec8 CR3: 00000000a1ce4000 CR4: 00000000003406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
reiserfs_cut_from_item+0x1ca/0x1570 fs/reiserfs/stree.c:1692
reiserfs_do_truncate+0x53f/0xf50 fs/reiserfs/stree.c:1983
reiserfs_truncate_file+0x17e/0xdb0 fs/reiserfs/inode.c:2319
reiserfs_file_release+0x758/0xaf0 fs/reiserfs/file.c:115
__fput+0x25f/0x7a0 fs/file_table.c:210
task_work_run+0x11f/0x190 kernel/task_work.c:113
exit_task_work include/linux/task_work.h:22 [inline]
do_exit+0xa44/0x2850 kernel/exit.c:868
do_group_exit+0x100/0x2e0 kernel/exit.c:965
SYSC_exit_group kernel/exit.c:976 [inline]
SyS_exit_group+0x19/0x20 kernel/exit.c:974
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x5e/0xd3
RIP: 0033:0x7f0fdb77ccd9
RSP: 002b:00007ffee90522c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 00007f0fdb7f2430 RCX: 00007f0fdb77ccd9
RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f0fdb7f2430
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
Code: 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 1a 17 00 00 48 b8 00 00 00 00 00 fc ff df 48 8b 6d 00 48 8d 7d 28 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 ed 16 00 00 4c 8b 6d 28 49 63 c4 48 8d 44 40
RIP: reiserfs_node_data fs/reiserfs/reiserfs.h:2186 [inline] RSP: ffff88808d0973f0
RIP: item_head fs/reiserfs/reiserfs.h:2202 [inline] RSP: ffff88808d0973f0
RIP: tp_item_head fs/reiserfs/reiserfs.h:2228 [inline] RSP: ffff88808d0973f0
RIP: prepare_for_delete_or_cut+0x115/0x18c0 fs/reiserfs/stree.c:1060 RSP: ffff88808d0973f0
---[ end trace 8ee71140481a2388 ]---
----------------
Code disassembly (best guess), 4 bytes skipped:
0: 48 c1 ea 03 shr $0x3,%rdx
4: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1)
8: 0f 85 1a 17 00 00 jne 0x1728
e: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
15: fc ff df
18: 48 8b 6d 00 mov 0x0(%rbp),%rbp
1c: 48 8d 7d 28 lea 0x28(%rbp),%rdi
20: 48 89 fa mov %rdi,%rdx
23: 48 c1 ea 03 shr $0x3,%rdx
* 27: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) <-- trapping instruction
2b: 0f 85 ed 16 00 00 jne 0x171e
31: 4c 8b 6d 28 mov 0x28(%rbp),%r13
35: 49 63 c4 movslq %r12d,%rax
38: 48 rex.W
39: 8d .byte 0x8d
3a: 44 rex.R
3b: 40 rex


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches

syzbot

Jan 1, 2023, 4:41:48 PM
to syzkaller...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 3f8a27f9e27b Linux 4.19.211
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=13d38fb0480000
kernel config: https://syzkaller.appspot.com/x/.config?x=9b9277b418617afe
dashboard link: https://syzkaller.appspot.com/bug?extid=9eac28cc0c86d33be42f
compiler: gcc version 10.2.1 20210110 (Debian 10.2.1-6)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16298dac480000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17c0ee98480000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/98c0bdb4abb3/disk-3f8a27f9.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/ea228ff02669/vmlinux-3f8a27f9.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/30f175b54130/mount_1.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+9eac28...@syzkaller.appspotmail.com

REISERFS error (device loop0): vs-13050 reiserfs_update_sd_size: i/o failure occurred trying to update [2 2 0x0 SD] stat data
REISERFS warning: reiserfs-5093 is_leaf: item entry count seems wrong *3.5*[2 1 0(1) DIR], item_len 35, item_location 4029, free_space(entry_count) 2
REISERFS error (device loop0): vs-5150 search_by_key: invalid format found in block 532. Fsck?
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 8097 Comm: syz-executor303 Not tainted 4.19.211-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
RIP: 0010:reiserfs_node_data fs/reiserfs/reiserfs.h:2186 [inline]
RIP: 0010:item_head fs/reiserfs/reiserfs.h:2202 [inline]
RIP: 0010:tp_item_head fs/reiserfs/reiserfs.h:2228 [inline]
RIP: 0010:prepare_for_delete_or_cut+0x12a/0x1b00 fs/reiserfs/stree.c:1060
Code: 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 57 19 00 00 48 b8 00 00 00 00 00 fc ff df 48 8b 1b 48 8d 7b 28 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 69 18 00 00 48 8b 4b 28 49 63 c4 48 8d 44 40 03
RSP: 0018:ffff8880aeec7318 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffff8880aeec7998
RDX: 0000000000000005 RSI: ffffffff81d4eb6f RDI: 0000000000000028
RBP: ffff8880aeec7518 R08: ffff8880aeec7528 R09: ffff8880aeec7518
R10: 0000000000000005 R11: 0000000000000000 R12: 0000000000000000
R13: ffff88808ac47780 R14: 1ffff11015dd8f3b R15: ffff8880aeec7528
FS: 0000555556e61300(0000) GS:ffff8880ba100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f2280a96ec8 CR3: 0000000009e6d000 CR4: 00000000003406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
reiserfs_cut_from_item+0x1ef/0x1960 fs/reiserfs/stree.c:1692
reiserfs_do_truncate+0x64a/0x10c0 fs/reiserfs/stree.c:1983
reiserfs_truncate_file+0x1b1/0x1030 fs/reiserfs/inode.c:2320
reiserfs_file_release+0x982/0xd90 fs/reiserfs/file.c:115
__fput+0x2ce/0x890 fs/file_table.c:278
task_work_run+0x148/0x1c0 kernel/task_work.c:113
exit_task_work include/linux/task_work.h:22 [inline]
do_exit+0xbf3/0x2be0 kernel/exit.c:870
do_group_exit+0x125/0x310 kernel/exit.c:967
__do_sys_exit_group kernel/exit.c:978 [inline]
__se_sys_exit_group kernel/exit.c:976 [inline]
__x64_sys_exit_group+0x3a/0x50 kernel/exit.c:976
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f2280a52cd9
Code: Bad RIP value.
RSP: 002b:00007fffd563e1c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 00007f2280ac8430 RCX: 00007f2280a52cd9
RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f2280ac8430
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
Modules linked in:
---[ end trace 40c03b297533e20e ]---
RIP: 0010:reiserfs_node_data fs/reiserfs/reiserfs.h:2186 [inline]
RIP: 0010:item_head fs/reiserfs/reiserfs.h:2202 [inline]
RIP: 0010:tp_item_head fs/reiserfs/reiserfs.h:2228 [inline]
RIP: 0010:prepare_for_delete_or_cut+0x12a/0x1b00 fs/reiserfs/stree.c:1060
Code: 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 57 19 00 00 48 b8 00 00 00 00 00 fc ff df 48 8b 1b 48 8d 7b 28 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 69 18 00 00 48 8b 4b 28 49 63 c4 48 8d 44 40 03
RSP: 0018:ffff8880aeec7318 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffff8880aeec7998
RDX: 0000000000000005 RSI: ffffffff81d4eb6f RDI: 0000000000000028
RBP: ffff8880aeec7518 R08: ffff8880aeec7528 R09: ffff8880aeec7518
R10: 0000000000000005 R11: 0000000000000000 R12: 0000000000000000
R13: ffff88808ac47780 R14: 1ffff11015dd8f3b R15: ffff8880aeec7528
FS: 0000555556e61300(0000) GS:ffff8880ba100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f2280a52caf CR3: 0000000009e6d000 CR4: 00000000003406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess), 4 bytes skipped:
0: 48 c1 ea 03 shr $0x3,%rdx
4: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1)
8: 0f 85 57 19 00 00 jne 0x1965
e: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
15: fc ff df
18: 48 8b 1b mov (%rbx),%rbx
1b: 48 8d 7b 28 lea 0x28(%rbx),%rdi
1f: 48 89 fa mov %rdi,%rdx
22: 48 c1 ea 03 shr $0x3,%rdx
* 26: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) <-- trapping instruction
2a: 0f 85 69 18 00 00 jne 0x1899
30: 48 8b 4b 28 mov 0x28(%rbx),%rcx
34: 49 63 c4 movslq %r12d,%rax
37: 48 8d 44 40 03 lea 0x3(%rax,%rax,2),%rax