[moderation] [btrfs?] general protection fault in detach_extent_buffer_page (4)
6 views
Skip to first unread message
syzbot
Oct 22, 2023, 2:49:53 PM10/22/23
to syzkaller-upst...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: dd72f9c7e512 Merge tag 'spi-fix-v6-6-rc4' of git://git.ker..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=157b646d680000
kernel config: https://syzkaller.appspot.com/x/.config?x=3c2b0838e2a16cba
dashboard link: https://syzkaller.appspot.com/bug?extid=786888bb382bd81b4210
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: i386
CC: [c...@fb.com dst...@suse.com jo...@toxicpanda.com linux...@vger.kernel.org linux-...@vger.kernel.org linux-...@vger.kernel.org]
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7bc7510fe41f/non_bootable_disk-dd72f9c7.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/30abf5a47e29/vmlinux-dd72f9c7.xz
kernel image: https://storage.googleapis.com/syzbot-assets/a43cfd1fb052/bzImage-dd72f9c7.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+786888...@syzkaller.appspotmail.com
general protection fault, probably for non-canonical address 0xdffffc000000003d: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x00000000000001e8-0x00000000000001ef]
CPU: 2 PID: 108 Comm: kswapd0 Not tainted 6.6.0-rc6-syzkaller-00043-gdd72f9c7e512 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
RIP: 0010:__lock_acquire+0x109/0x5de0 kernel/locking/lockdep.c:5004
Code: 45 85 c9 0f 84 cc 0e 00 00 44 8b 05 01 2f 42 0b 45 85 c0 0f 84 be 0d 00 00 48 ba 00 00 00 00 00 fc ff df 4c 89 d1 48 c1 e9 03 <80> 3c 11 00 0f 85 e8 40 00 00 49 81 3a a0 69 62 90 0f 84 96 0d 00
RSP: 0000:ffffc90000e6eff8 EFLAGS: 00010002
RAX: ffff888018610000 RBX: 1ffff920001cde2f RCX: 000000000000003d
RDX: dffffc0000000000 RSI: 0000000000000000 RDI: 00000000000001e8
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000001
R10: 00000000000001e8 R11: 0000000000000273 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff88802c800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fcc0750ea90 CR3: 00000000226f1000 CR4: 0000000000350ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
lock_acquire kernel/locking/lockdep.c:5753 [inline]
lock_acquire+0x1ae/0x510 kernel/locking/lockdep.c:5718
__raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
_raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
spin_lock include/linux/spinlock.h:351 [inline]
detach_extent_buffer_page+0x792/0x1180 fs/btrfs/extent_io.c:3086
btrfs_release_extent_buffer_pages+0xe9/0x3c0 fs/btrfs/extent_io.c:3155
release_extent_buffer+0x23a/0x2b0 fs/btrfs/extent_io.c:3646
try_release_extent_buffer+0x602/0x810 fs/btrfs/extent_io.c:4613
btree_release_folio+0xbb/0xf0 fs/btrfs/disk-io.c:500
filemap_release_folio+0x1f1/0x270 mm/filemap.c:4127
shrink_folio_list+0x2917/0x3e30 mm/vmscan.c:2068
evict_folios+0x6bf/0x1940 mm/vmscan.c:5195
try_to_shrink_lruvec+0x769/0xb00 mm/vmscan.c:5371
shrink_one+0x45f/0x700 mm/vmscan.c:5415
shrink_many mm/vmscan.c:5469 [inline]
lru_gen_shrink_node mm/vmscan.c:5586 [inline]
shrink_node+0x20d4/0x37a0 mm/vmscan.c:6526
kswapd_shrink_node mm/vmscan.c:7331 [inline]
balance_pgdat+0xa32/0x1b80 mm/vmscan.c:7521
kswapd+0x5be/0xbf0 mm/vmscan.c:7781
kthread+0x33c/0x440 kernel/kthread.c:388
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__lock_acquire+0x109/0x5de0 kernel/locking/lockdep.c:5004
Code: 45 85 c9 0f 84 cc 0e 00 00 44 8b 05 01 2f 42 0b 45 85 c0 0f 84 be 0d 00 00 48 ba 00 00 00 00 00 fc ff df 4c 89 d1 48 c1 e9 03 <80> 3c 11 00 0f 85 e8 40 00 00 49 81 3a a0 69 62 90 0f 84 96 0d 00
RSP: 0000:ffffc90000e6eff8 EFLAGS: 00010002
RAX: ffff888018610000 RBX: 1ffff920001cde2f RCX: 000000000000003d
RDX: dffffc0000000000 RSI: 0000000000000000 RDI: 00000000000001e8
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000001
R10: 00000000000001e8 R11: 0000000000000273 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff88802c800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fcc0750ea90 CR3: 00000000226f1000 CR4: 0000000000350ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 45 85 c9 test %r9d,%r9d
3: 0f 84 cc 0e 00 00 je 0xed5
9: 44 8b 05 01 2f 42 0b mov 0xb422f01(%rip),%r8d # 0xb422f11
10: 45 85 c0 test %r8d,%r8d
13: 0f 84 be 0d 00 00 je 0xdd7
19: 48 ba 00 00 00 00 00 movabs $0xdffffc0000000000,%rdx
20: fc ff df
23: 4c 89 d1 mov %r10,%rcx
26: 48 c1 e9 03 shr $0x3,%rcx
* 2a: 80 3c 11 00 cmpb $0x0,(%rcx,%rdx,1) <-- trapping instruction
2e: 0f 85 e8 40 00 00 jne 0x411c
34: 49 81 3a a0 69 62 90 cmpq $0xffffffff906269a0,(%r10)
3b: 0f .byte 0xf
3c: 84 .byte 0x84
3d: 96 xchg %eax,%esi
3e: 0d .byte 0xd
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: dd72f9c7e512 Merge tag 'spi-fix-v6-6-rc4' of git://git.ker..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=157b646d680000
kernel config: https://syzkaller.appspot.com/x/.config?x=3c2b0838e2a16cba
dashboard link: https://syzkaller.appspot.com/bug?extid=786888bb382bd81b4210
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: i386
CC: [c...@fb.com dst...@suse.com jo...@toxicpanda.com linux...@vger.kernel.org linux-...@vger.kernel.org linux-...@vger.kernel.org]
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7bc7510fe41f/non_bootable_disk-dd72f9c7.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/30abf5a47e29/vmlinux-dd72f9c7.xz
kernel image: https://storage.googleapis.com/syzbot-assets/a43cfd1fb052/bzImage-dd72f9c7.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+786888...@syzkaller.appspotmail.com
general protection fault, probably for non-canonical address 0xdffffc000000003d: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x00000000000001e8-0x00000000000001ef]
CPU: 2 PID: 108 Comm: kswapd0 Not tainted 6.6.0-rc6-syzkaller-00043-gdd72f9c7e512 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
RIP: 0010:__lock_acquire+0x109/0x5de0 kernel/locking/lockdep.c:5004
Code: 45 85 c9 0f 84 cc 0e 00 00 44 8b 05 01 2f 42 0b 45 85 c0 0f 84 be 0d 00 00 48 ba 00 00 00 00 00 fc ff df 4c 89 d1 48 c1 e9 03 <80> 3c 11 00 0f 85 e8 40 00 00 49 81 3a a0 69 62 90 0f 84 96 0d 00
RSP: 0000:ffffc90000e6eff8 EFLAGS: 00010002
RAX: ffff888018610000 RBX: 1ffff920001cde2f RCX: 000000000000003d
RDX: dffffc0000000000 RSI: 0000000000000000 RDI: 00000000000001e8
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000001
R10: 00000000000001e8 R11: 0000000000000273 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff88802c800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fcc0750ea90 CR3: 00000000226f1000 CR4: 0000000000350ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
lock_acquire kernel/locking/lockdep.c:5753 [inline]
lock_acquire+0x1ae/0x510 kernel/locking/lockdep.c:5718
__raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
_raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
spin_lock include/linux/spinlock.h:351 [inline]
detach_extent_buffer_page+0x792/0x1180 fs/btrfs/extent_io.c:3086
btrfs_release_extent_buffer_pages+0xe9/0x3c0 fs/btrfs/extent_io.c:3155
release_extent_buffer+0x23a/0x2b0 fs/btrfs/extent_io.c:3646
try_release_extent_buffer+0x602/0x810 fs/btrfs/extent_io.c:4613
btree_release_folio+0xbb/0xf0 fs/btrfs/disk-io.c:500
filemap_release_folio+0x1f1/0x270 mm/filemap.c:4127
shrink_folio_list+0x2917/0x3e30 mm/vmscan.c:2068
evict_folios+0x6bf/0x1940 mm/vmscan.c:5195
try_to_shrink_lruvec+0x769/0xb00 mm/vmscan.c:5371
shrink_one+0x45f/0x700 mm/vmscan.c:5415
shrink_many mm/vmscan.c:5469 [inline]
lru_gen_shrink_node mm/vmscan.c:5586 [inline]
shrink_node+0x20d4/0x37a0 mm/vmscan.c:6526
kswapd_shrink_node mm/vmscan.c:7331 [inline]
balance_pgdat+0xa32/0x1b80 mm/vmscan.c:7521
kswapd+0x5be/0xbf0 mm/vmscan.c:7781
kthread+0x33c/0x440 kernel/kthread.c:388
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__lock_acquire+0x109/0x5de0 kernel/locking/lockdep.c:5004
Code: 45 85 c9 0f 84 cc 0e 00 00 44 8b 05 01 2f 42 0b 45 85 c0 0f 84 be 0d 00 00 48 ba 00 00 00 00 00 fc ff df 4c 89 d1 48 c1 e9 03 <80> 3c 11 00 0f 85 e8 40 00 00 49 81 3a a0 69 62 90 0f 84 96 0d 00
RSP: 0000:ffffc90000e6eff8 EFLAGS: 00010002
RAX: ffff888018610000 RBX: 1ffff920001cde2f RCX: 000000000000003d
RDX: dffffc0000000000 RSI: 0000000000000000 RDI: 00000000000001e8
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000001
R10: 00000000000001e8 R11: 0000000000000273 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff88802c800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fcc0750ea90 CR3: 00000000226f1000 CR4: 0000000000350ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 45 85 c9 test %r9d,%r9d
3: 0f 84 cc 0e 00 00 je 0xed5
9: 44 8b 05 01 2f 42 0b mov 0xb422f01(%rip),%r8d # 0xb422f11
10: 45 85 c0 test %r8d,%r8d
13: 0f 84 be 0d 00 00 je 0xdd7
19: 48 ba 00 00 00 00 00 movabs $0xdffffc0000000000,%rdx
20: fc ff df
23: 4c 89 d1 mov %r10,%rcx
26: 48 c1 e9 03 shr $0x3,%rcx
* 2a: 80 3c 11 00 cmpb $0x0,(%rcx,%rdx,1) <-- trapping instruction
2e: 0f 85 e8 40 00 00 jne 0x411c
34: 49 81 3a a0 69 62 90 cmpq $0xffffffff906269a0,(%r10)
3b: 0f .byte 0xf
3c: 84 .byte 0x84
3d: 96 xchg %eax,%esi
3e: 0d .byte 0xd
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot
Jan 28, 2024, 12:32:14 AMJan 28
to syzkaller-upst...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.
Crashes did not happen for a while, no reproducer and no activity.
Reply all
Reply to author
Forward
0 new messages