[moderation] [btrfs?] general protection fault in put_pwq_unlocked
0 views
Skip to first unread message
syzbot
May 13, 2024, 5:43:40 PMMay 13
to syzkaller-upst...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: a38297e3fb01 Linux 6.9
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1124d884980000
kernel config: https://syzkaller.appspot.com/x/.config?x=df13071aee1d0001
dashboard link: https://syzkaller.appspot.com/bug?extid=ff37e7c5fdff6b91d821
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
CC: [c...@fb.com dst...@suse.com jo...@toxicpanda.com linux...@vger.kernel.org linux-...@vger.kernel.org]
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/173cd7583182/disk-a38297e3.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/8eb1d49910fb/vmlinux-a38297e3.xz
kernel image: https://storage.googleapis.com/syzbot-assets/9c0fd2f11af0/bzImage-a38297e3.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ff37e7...@syzkaller.appspotmail.com
BTRFS info (device loop4): last unmount of filesystem c9fe44da-de57-406a-8241-57ec7d4412cf
general protection fault, probably for non-canonical address 0xfff10c049e1d0022: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: maybe wild-memory-access in range [0xff888024f0e80110-0xff888024f0e80117]
CPU: 0 PID: 11956 Comm: syz-executor.4 Not tainted 6.9.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
RIP: 0010:__lock_acquire+0x6a/0x1fd0 kernel/locking/lockdep.c:5005
Code: df 0f b6 04 30 84 c0 0f 85 4b 16 00 00 83 3d a8 75 35 0e 00 0f 84 1c 11 00 00 83 3d 4f 8c ad 0c 00 74 2c 4c 89 e0 48 c1 e8 03 <80> 3c 30 00 74 12 4c 89 e7 e8 c8 d9 84 00 48 be 00 00 00 00 00 fc
RSP: 0018:ffffc900043df7d0 EFLAGS: 00010807
RAX: 1ff110049e1d0022 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: dffffc0000000000 RDI: ff888024f0e80117
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000001
R10: dffffc0000000000 R11: fffffbfff1f4f99e R12: ff888024f0e80117
R13: 0000000000000001 R14: ffff88804d6c5a00 R15: 0000000000000000
FS: 0000555582289480(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000005762e000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5754
__raw_spin_lock_irq include/linux/spinlock_api_smp.h:119 [inline]
_raw_spin_lock_irq+0xd3/0x120 kernel/locking/spinlock.c:170
put_pwq_unlocked+0x42/0x190 kernel/workqueue.c:1671
destroy_workqueue+0x9a4/0xc40 kernel/workqueue.c:5739
btrfs_stop_all_workers+0xbb/0x2a0 fs/btrfs/disk-io.c:1788
close_ctree+0x664/0xd40 fs/btrfs/disk-io.c:4371
generic_shutdown_super+0x136/0x2d0 fs/super.c:641
kill_anon_super+0x3b/0x70 fs/super.c:1225
btrfs_kill_super+0x41/0x50 fs/btrfs/super.c:2091
deactivate_locked_super+0xc4/0x130 fs/super.c:472
cleanup_mnt+0x426/0x4c0 fs/namespace.c:1267
task_work_run+0x24f/0x310 kernel/task_work.c:180
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
exit_to_user_mode_loop kernel/entry/common.c:114 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0x168/0x370 kernel/entry/common.c:218
do_syscall_64+0x102/0x240 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f6d26a7f097
Code: b0 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 c7 c2 b0 ff ff ff f7 d8 64 89 02 b8
RSP: 002b:00007ffee0025398 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f6d26a7f097
RDX: 0000000000000000 RSI: 0000000000000009 RDI: 00007ffee0025450
RBP: 00007ffee0025450 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000246 R12: 00007ffee0026510
R13: 00007f6d26ac9336 R14: 0000000000097675 R15: 0000000000000005
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__lock_acquire+0x6a/0x1fd0 kernel/locking/lockdep.c:5005
Code: df 0f b6 04 30 84 c0 0f 85 4b 16 00 00 83 3d a8 75 35 0e 00 0f 84 1c 11 00 00 83 3d 4f 8c ad 0c 00 74 2c 4c 89 e0 48 c1 e8 03 <80> 3c 30 00 74 12 4c 89 e7 e8 c8 d9 84 00 48 be 00 00 00 00 00 fc
RSP: 0018:ffffc900043df7d0 EFLAGS: 00010807
RAX: 1ff110049e1d0022 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: dffffc0000000000 RDI: ff888024f0e80117
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000001
R10: dffffc0000000000 R11: fffffbfff1f4f99e R12: ff888024f0e80117
R13: 0000000000000001 R14: ffff88804d6c5a00 R15: 0000000000000000
FS: 0000555582289480(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000005762e000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: df 0f fisttps (%rdi)
2: b6 04 mov $0x4,%dh
4: 30 84 c0 0f 85 4b 16 xor %al,0x164b850f(%rax,%rax,8)
b: 00 00 add %al,(%rax)
d: 83 3d a8 75 35 0e 00 cmpl $0x0,0xe3575a8(%rip) # 0xe3575bc
14: 0f 84 1c 11 00 00 je 0x1136
1a: 83 3d 4f 8c ad 0c 00 cmpl $0x0,0xcad8c4f(%rip) # 0xcad8c70
21: 74 2c je 0x4f
23: 4c 89 e0 mov %r12,%rax
26: 48 c1 e8 03 shr $0x3,%rax
* 2a: 80 3c 30 00 cmpb $0x0,(%rax,%rsi,1) <-- trapping instruction
2e: 74 12 je 0x42
30: 4c 89 e7 mov %r12,%rdi
33: e8 c8 d9 84 00 call 0x84da00
38: 48 rex.W
39: be 00 00 00 00 mov $0x0,%esi
3e: 00 fc add %bh,%ah
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: a38297e3fb01 Linux 6.9
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1124d884980000
kernel config: https://syzkaller.appspot.com/x/.config?x=df13071aee1d0001
dashboard link: https://syzkaller.appspot.com/bug?extid=ff37e7c5fdff6b91d821
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
CC: [c...@fb.com dst...@suse.com jo...@toxicpanda.com linux...@vger.kernel.org linux-...@vger.kernel.org]
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/173cd7583182/disk-a38297e3.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/8eb1d49910fb/vmlinux-a38297e3.xz
kernel image: https://storage.googleapis.com/syzbot-assets/9c0fd2f11af0/bzImage-a38297e3.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ff37e7...@syzkaller.appspotmail.com
BTRFS info (device loop4): last unmount of filesystem c9fe44da-de57-406a-8241-57ec7d4412cf
general protection fault, probably for non-canonical address 0xfff10c049e1d0022: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: maybe wild-memory-access in range [0xff888024f0e80110-0xff888024f0e80117]
CPU: 0 PID: 11956 Comm: syz-executor.4 Not tainted 6.9.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
RIP: 0010:__lock_acquire+0x6a/0x1fd0 kernel/locking/lockdep.c:5005
Code: df 0f b6 04 30 84 c0 0f 85 4b 16 00 00 83 3d a8 75 35 0e 00 0f 84 1c 11 00 00 83 3d 4f 8c ad 0c 00 74 2c 4c 89 e0 48 c1 e8 03 <80> 3c 30 00 74 12 4c 89 e7 e8 c8 d9 84 00 48 be 00 00 00 00 00 fc
RSP: 0018:ffffc900043df7d0 EFLAGS: 00010807
RAX: 1ff110049e1d0022 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: dffffc0000000000 RDI: ff888024f0e80117
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000001
R10: dffffc0000000000 R11: fffffbfff1f4f99e R12: ff888024f0e80117
R13: 0000000000000001 R14: ffff88804d6c5a00 R15: 0000000000000000
FS: 0000555582289480(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000005762e000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5754
__raw_spin_lock_irq include/linux/spinlock_api_smp.h:119 [inline]
_raw_spin_lock_irq+0xd3/0x120 kernel/locking/spinlock.c:170
put_pwq_unlocked+0x42/0x190 kernel/workqueue.c:1671
destroy_workqueue+0x9a4/0xc40 kernel/workqueue.c:5739
btrfs_stop_all_workers+0xbb/0x2a0 fs/btrfs/disk-io.c:1788
close_ctree+0x664/0xd40 fs/btrfs/disk-io.c:4371
generic_shutdown_super+0x136/0x2d0 fs/super.c:641
kill_anon_super+0x3b/0x70 fs/super.c:1225
btrfs_kill_super+0x41/0x50 fs/btrfs/super.c:2091
deactivate_locked_super+0xc4/0x130 fs/super.c:472
cleanup_mnt+0x426/0x4c0 fs/namespace.c:1267
task_work_run+0x24f/0x310 kernel/task_work.c:180
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
exit_to_user_mode_loop kernel/entry/common.c:114 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0x168/0x370 kernel/entry/common.c:218
do_syscall_64+0x102/0x240 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f6d26a7f097
Code: b0 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 c7 c2 b0 ff ff ff f7 d8 64 89 02 b8
RSP: 002b:00007ffee0025398 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f6d26a7f097
RDX: 0000000000000000 RSI: 0000000000000009 RDI: 00007ffee0025450
RBP: 00007ffee0025450 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000246 R12: 00007ffee0026510
R13: 00007f6d26ac9336 R14: 0000000000097675 R15: 0000000000000005
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__lock_acquire+0x6a/0x1fd0 kernel/locking/lockdep.c:5005
Code: df 0f b6 04 30 84 c0 0f 85 4b 16 00 00 83 3d a8 75 35 0e 00 0f 84 1c 11 00 00 83 3d 4f 8c ad 0c 00 74 2c 4c 89 e0 48 c1 e8 03 <80> 3c 30 00 74 12 4c 89 e7 e8 c8 d9 84 00 48 be 00 00 00 00 00 fc
RSP: 0018:ffffc900043df7d0 EFLAGS: 00010807
RAX: 1ff110049e1d0022 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: dffffc0000000000 RDI: ff888024f0e80117
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000001
R10: dffffc0000000000 R11: fffffbfff1f4f99e R12: ff888024f0e80117
R13: 0000000000000001 R14: ffff88804d6c5a00 R15: 0000000000000000
FS: 0000555582289480(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000005762e000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: df 0f fisttps (%rdi)
2: b6 04 mov $0x4,%dh
4: 30 84 c0 0f 85 4b 16 xor %al,0x164b850f(%rax,%rax,8)
b: 00 00 add %al,(%rax)
d: 83 3d a8 75 35 0e 00 cmpl $0x0,0xe3575a8(%rip) # 0xe3575bc
14: 0f 84 1c 11 00 00 je 0x1136
1a: 83 3d 4f 8c ad 0c 00 cmpl $0x0,0xcad8c4f(%rip) # 0xcad8c70
21: 74 2c je 0x4f
23: 4c 89 e0 mov %r12,%rax
26: 48 c1 e8 03 shr $0x3,%rax
* 2a: 80 3c 30 00 cmpb $0x0,(%rax,%rsi,1) <-- trapping instruction
2e: 74 12 je 0x42
30: 4c 89 e7 mov %r12,%rdi
33: e8 c8 d9 84 00 call 0x84da00
38: 48 rex.W
39: be 00 00 00 00 mov $0x0,%esi
3e: 00 fc add %bh,%ah
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot
May 21, 2024, 8:02:41 AM (8 days ago) May 21
to syzkaller-upst...@googlegroups.com
Sending this report to the next reporting stage.
Reply all
Reply to author
Forward
0 new messages