[moderation] [bcachefs?] BUG: unable to handle kernel paging request in srcu_check_nmi_safety
1 view
Skip to first unread message
syzbot
May 7, 2024, 10:23:22 PMMay 7
to syzkaller-upst...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 78186bd77b47 Merge branch 'for-next/mm-ryan-staging' into ..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=14c94b1f180000
kernel config: https://syzkaller.appspot.com/x/.config?x=5ee4da92608aba71
dashboard link: https://syzkaller.appspot.com/bug?extid=1742065186fdadeb56ec
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
CC: [bfo...@redhat.com kent.ov...@linux.dev linux-b...@vger.kernel.org linux-...@vger.kernel.org]
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/6645ec7d501b/disk-78186bd7.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/0d272001bc0f/vmlinux-78186bd7.xz
kernel image: https://storage.googleapis.com/syzbot-assets/95e2c70cba6e/Image-78186bd7.gz.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+174206...@syzkaller.appspotmail.com
Unable to handle kernel paging request at virtual address ffff7000249ff204
KASAN: probably wild-memory-access in range [0xffff800124ff9020-0xffff800124ff9027]
Mem abort info:
ESR = 0x0000000096000006
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x06: level 2 translation fault
Data abort info:
ISV = 0, ISS = 0x00000006, ISS2 = 0x00000000
CM = 0, WnR = 0, TnD = 0, TagAccess = 0
GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
swapper pgtable: 4k pages, 48-bit VAs, pgdp=00000001ad5df000
[ffff7000249ff204] pgd=0000000000000000, p4d=000000023e882003, pud=000000023e880003, pmd=0000000000000000
Internal error: Oops: 0000000096000006 [#1] PREEMPT SMP
Modules linked in:
CPU: 1 PID: 6452 Comm: syz-executor.0 Not tainted 6.9.0-rc6-syzkaller-g78186bd77b47 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
pstate: 40400005 (nZcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : srcu_check_nmi_safety+0x94/0x1b0 kernel/rcu/srcutree.c:697
lr : srcu_read_lock include/linux/srcu.h:213 [inline]
lr : bch2_btree_key_cache_scan+0x9c/0x1144 fs/bcachefs/btree_key_cache.c:838
sp : ffff800098546f50
x29: ffff800098546f60 x28: 000000000000002e x27: 000000000000002e
x26: 1fffe0001a30d001 x25: dfff800000000000 x24: ffff8000985472b0
x23: 000000000000002e x22: 0000000000000001 x21: 0000000000000000
x20: dfff800000000000 x19: ffff800124ff9020 x18: 1fffe000367bd596
x17: ffff80008ee9d000 x16: ffff800080334a70 x15: 0000000000000001
x14: 1fffe000367c0190 x13: 0000000000000000 x12: 0000000000000003
x11: 0000000000000003 x10: 0000000000000003 x9 : 1ffff000249ff204
x8 : ffff800124ff9000 x7 : ffff8000802aa3b4 x6 : 0000000000000000
x5 : 0000000000000001 x4 : 0000000000000001 x3 : 0000000000000001
x2 : 0000000000000006 x1 : 0000000000000000 x0 : ffff0000f2484240
Call trace:
srcu_check_nmi_safety+0x94/0x1b0 kernel/rcu/srcutree.c:697
srcu_read_lock include/linux/srcu.h:213 [inline]
bch2_btree_key_cache_scan+0x9c/0x1144 fs/bcachefs/btree_key_cache.c:838
do_shrink_slab+0x650/0x129c mm/shrinker.c:435
shrink_slab+0xe9c/0x124c mm/shrinker.c:662
drop_slab_node mm/vmscan.c:393 [inline]
drop_slab+0x124/0x26c mm/vmscan.c:411
drop_caches_sysctl_handler+0x17c/0x398 fs/drop_caches.c:68
proc_sys_call_handler+0x4cc/0x7cc fs/proc/proc_sysctl.c:595
proc_sys_write+0x2c/0x3c fs/proc/proc_sysctl.c:621
call_write_iter include/linux/fs.h:2110 [inline]
iter_file_splice_write+0x894/0xfc0 fs/splice.c:743
do_splice_from fs/splice.c:941 [inline]
direct_splice_actor+0xec/0x1d8 fs/splice.c:1164
splice_direct_to_actor+0x438/0xa0c fs/splice.c:1108
do_splice_direct_actor fs/splice.c:1207 [inline]
do_splice_direct+0x1e4/0x304 fs/splice.c:1233
do_sendfile+0x460/0xb3c fs/read_write.c:1295
__do_sys_sendfile64 fs/read_write.c:1356 [inline]
__se_sys_sendfile64 fs/read_write.c:1348 [inline]
__arm64_sys_sendfile64+0x23c/0x3b4 fs/read_write.c:1348
__invoke_syscall arch/arm64/kernel/syscall.c:34 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:48
el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:133
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:152
el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712
el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730
el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598
Code: 91008113 d343fe69 12000a6b 11000d6b (38f4692a)
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
0: 91008113 add x19, x8, #0x20
4: d343fe69 lsr x9, x19, #3
8: 12000a6b and w11, w19, #0x7
c: 11000d6b add w11, w11, #0x3
* 10: 38f4692a ldrsb w10, [x9, x20] <-- trapping instruction
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: 78186bd77b47 Merge branch 'for-next/mm-ryan-staging' into ..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=14c94b1f180000
kernel config: https://syzkaller.appspot.com/x/.config?x=5ee4da92608aba71
dashboard link: https://syzkaller.appspot.com/bug?extid=1742065186fdadeb56ec
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
CC: [bfo...@redhat.com kent.ov...@linux.dev linux-b...@vger.kernel.org linux-...@vger.kernel.org]
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/6645ec7d501b/disk-78186bd7.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/0d272001bc0f/vmlinux-78186bd7.xz
kernel image: https://storage.googleapis.com/syzbot-assets/95e2c70cba6e/Image-78186bd7.gz.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+174206...@syzkaller.appspotmail.com
Unable to handle kernel paging request at virtual address ffff7000249ff204
KASAN: probably wild-memory-access in range [0xffff800124ff9020-0xffff800124ff9027]
Mem abort info:
ESR = 0x0000000096000006
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x06: level 2 translation fault
Data abort info:
ISV = 0, ISS = 0x00000006, ISS2 = 0x00000000
CM = 0, WnR = 0, TnD = 0, TagAccess = 0
GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
swapper pgtable: 4k pages, 48-bit VAs, pgdp=00000001ad5df000
[ffff7000249ff204] pgd=0000000000000000, p4d=000000023e882003, pud=000000023e880003, pmd=0000000000000000
Internal error: Oops: 0000000096000006 [#1] PREEMPT SMP
Modules linked in:
CPU: 1 PID: 6452 Comm: syz-executor.0 Not tainted 6.9.0-rc6-syzkaller-g78186bd77b47 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
pstate: 40400005 (nZcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : srcu_check_nmi_safety+0x94/0x1b0 kernel/rcu/srcutree.c:697
lr : srcu_read_lock include/linux/srcu.h:213 [inline]
lr : bch2_btree_key_cache_scan+0x9c/0x1144 fs/bcachefs/btree_key_cache.c:838
sp : ffff800098546f50
x29: ffff800098546f60 x28: 000000000000002e x27: 000000000000002e
x26: 1fffe0001a30d001 x25: dfff800000000000 x24: ffff8000985472b0
x23: 000000000000002e x22: 0000000000000001 x21: 0000000000000000
x20: dfff800000000000 x19: ffff800124ff9020 x18: 1fffe000367bd596
x17: ffff80008ee9d000 x16: ffff800080334a70 x15: 0000000000000001
x14: 1fffe000367c0190 x13: 0000000000000000 x12: 0000000000000003
x11: 0000000000000003 x10: 0000000000000003 x9 : 1ffff000249ff204
x8 : ffff800124ff9000 x7 : ffff8000802aa3b4 x6 : 0000000000000000
x5 : 0000000000000001 x4 : 0000000000000001 x3 : 0000000000000001
x2 : 0000000000000006 x1 : 0000000000000000 x0 : ffff0000f2484240
Call trace:
srcu_check_nmi_safety+0x94/0x1b0 kernel/rcu/srcutree.c:697
srcu_read_lock include/linux/srcu.h:213 [inline]
bch2_btree_key_cache_scan+0x9c/0x1144 fs/bcachefs/btree_key_cache.c:838
do_shrink_slab+0x650/0x129c mm/shrinker.c:435
shrink_slab+0xe9c/0x124c mm/shrinker.c:662
drop_slab_node mm/vmscan.c:393 [inline]
drop_slab+0x124/0x26c mm/vmscan.c:411
drop_caches_sysctl_handler+0x17c/0x398 fs/drop_caches.c:68
proc_sys_call_handler+0x4cc/0x7cc fs/proc/proc_sysctl.c:595
proc_sys_write+0x2c/0x3c fs/proc/proc_sysctl.c:621
call_write_iter include/linux/fs.h:2110 [inline]
iter_file_splice_write+0x894/0xfc0 fs/splice.c:743
do_splice_from fs/splice.c:941 [inline]
direct_splice_actor+0xec/0x1d8 fs/splice.c:1164
splice_direct_to_actor+0x438/0xa0c fs/splice.c:1108
do_splice_direct_actor fs/splice.c:1207 [inline]
do_splice_direct+0x1e4/0x304 fs/splice.c:1233
do_sendfile+0x460/0xb3c fs/read_write.c:1295
__do_sys_sendfile64 fs/read_write.c:1356 [inline]
__se_sys_sendfile64 fs/read_write.c:1348 [inline]
__arm64_sys_sendfile64+0x23c/0x3b4 fs/read_write.c:1348
__invoke_syscall arch/arm64/kernel/syscall.c:34 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:48
el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:133
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:152
el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712
el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730
el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598
Code: 91008113 d343fe69 12000a6b 11000d6b (38f4692a)
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
0: 91008113 add x19, x8, #0x20
4: d343fe69 lsr x9, x19, #3
8: 12000a6b and w11, w19, #0x7
c: 11000d6b add w11, w11, #0x3
* 10: 38f4692a ldrsb w10, [x9, x20] <-- trapping instruction
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
Reply all
Reply to author
Forward
0 new messages