[syzbot] [mm?] BUG: unable to handle kernel paging request in list_lru_add


syzbot

Sep 4, 2023, 12:00:05 PM
to ak...@linux-foundation.org, linux-...@vger.kernel.org, linu...@kvack.org, syzkall...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 708283abf896 Merge tag 'dmaengine-6.6-rc1' of git://git.ke..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=17424cd0680000
kernel config: https://syzkaller.appspot.com/x/.config?x=15f37e053f1602f8
dashboard link: https://syzkaller.appspot.com/bug?extid=2403e3909382fbdeaf6c
compiler: aarch64-linux-gnu-gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/384ffdcca292/non_bootable_disk-708283ab.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/ae645c88b07f/vmlinux-708283ab.xz
kernel image: https://storage.googleapis.com/syzbot-assets/32d5997bb055/Image-708283ab.gz.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+2403e3...@syzkaller.appspotmail.com

Unable to handle kernel paging request at virtual address dfff800000000001
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
Mem abort info:
ESR = 0x0000000096000005
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x05: level 1 translation fault
Data abort info:
ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000
CM = 0, WnR = 0, TnD = 0, TagAccess = 0
GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[dfff800000000001] address between user and kernel address ranges
Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP
Modules linked in:
CPU: 1 PID: 2922 Comm: udevd Not tainted 6.5.0-syzkaller-11329-g708283abf896 #0
Hardware name: linux,dummy-virt (DT)
pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : list_add_tail include/linux/list.h:183 [inline]
pc : list_lru_add+0x174/0x464 mm/list_lru.c:129
lr : list_lru_from_memcg_idx mm/list_lru.c:56 [inline]
lr : list_lru_from_memcg_idx mm/list_lru.c:53 [inline]
lr : list_lru_from_kmem mm/list_lru.c:78 [inline]
lr : list_lru_add+0x354/0x464 mm/list_lru.c:128
sp : ffff80008dd57520
x29: ffff80008dd57520 x28: 0000000000000008 x27: ffff0000378c4000
x26: 0000000000000001 x25: 0000000000000000 x24: 0000000000000000
x23: 1fffe0000293550a x22: 0000000000000000 x21: ffff000012d1c7a0
x20: ffff0000149aa850 x19: ffff0000146f7a00 x18: 0000000000000000
x17: 0000000000000000 x16: 0000000000000000 x15: ffff800080915234
x14: ffff800080914c58 x13: ffff800080914c58 x12: 000000000000f1f1
x11: dfff800000000000 x10: 00000000f3000000 x9 : 00000000f3f3f3f3
x8 : ffff700011baae76 x7 : 00000000f1f1f1f1 x6 : dfff800000000000
x5 : ffff700011baae7a x4 : 00000000f204f1f1 x3 : 1fffe0000d51ff28
x2 : 0000000000000000 x1 : 0000000000000000 x0 : dfff800000000000
Call trace:
list_add_tail include/linux/list.h:183 [inline]
list_lru_add+0x174/0x464 mm/list_lru.c:129
d_lru_add+0x180/0x31c fs/dcache.c:431
retain_dentry fs/dcache.c:685 [inline]
dput+0x4ac/0x96c fs/dcache.c:908
handle_mounts fs/namei.c:1554 [inline]
step_into+0xc18/0x16c4 fs/namei.c:1839
walk_component+0xa8/0x484 fs/namei.c:2007
link_path_walk.part.0.constprop.0+0x4cc/0x970 fs/namei.c:2328
link_path_walk fs/namei.c:2253 [inline]
path_openat+0x1bc/0x2058 fs/namei.c:3792
do_filp_open+0x16c/0x330 fs/namei.c:3823
do_sys_openat2+0x12c/0x160 fs/open.c:1422
do_sys_open fs/open.c:1437 [inline]
__do_sys_openat fs/open.c:1453 [inline]
__se_sys_openat fs/open.c:1448 [inline]
__arm64_sys_openat+0x12c/0x1b8 fs/open.c:1448
__invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]
invoke_syscall+0x6c/0x258 arch/arm64/kernel/syscall.c:51
el0_svc_common.constprop.0+0xac/0x230 arch/arm64/kernel/syscall.c:136
do_el0_svc+0x40/0x58 arch/arm64/kernel/syscall.c:155
el0_svc+0x58/0x140 arch/arm64/kernel/entry-common.c:678
el0t_64_sync_handler+0x100/0x12c arch/arm64/kernel/entry-common.c:696
el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:591
Code: 9100231c d2d00000 f2fbffe0 d343ff9a (38e06b40)
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
0: 9100231c add x28, x24, #0x8
4: d2d00000 mov x0, #0x800000000000 // #140737488355328
8: f2fbffe0 movk x0, #0xdfff, lsl #48
c: d343ff9a lsr x26, x28, #3
* 10: 38e06b40 ldrsb w0, [x26, x0] <-- trapping instruction


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup
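
The report above pairs a fault address in KASAN shadow memory (0xdfff800000000001) with a decoded "null-ptr-deref in range [0x8-0xf]". The following is an added example written for this page, not code from syzbot or the kernel tree: it inverts the shadow mapping that the compiler-inserted check in the disassembly performs (`addr >> 3` plus the constant loaded into x0), and then maps the recovered offset onto the fields of struct list_lru_one that the call trace is touching. The shadow offsets are the constants visible in this thread's disassemblies and are specific to those builds.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not kernel code: decode a KASAN shadow fault address back
 * to the kernel address whose access was being checked.
 *
 * Generic KASAN keeps one shadow byte per 8 bytes of memory, so the
 * compiler-inserted check computes
 *     shadow = (addr >> 3) + KASAN_SHADOW_OFFSET
 * and a small offset from NULL lands just above KASAN_SHADOW_OFFSET.
 * Inverting that recovers the 8-byte granule the kernel prints as
 * "null-ptr-deref in range [...]".
 *
 * The offsets are the constants in the reports' own disassembly: the arm64
 * kernel loads 0xdfff800000000000 into x0 before the trapping ldrsb, and the
 * x86-64 kernel loads 0xdffffc0000000000 into %rax before the trapping cmpb.
 * KASAN_SHADOW_OFFSET depends on the kernel config, so these values are
 * specific to the builds in this thread.
 */
#define KASAN_SHADOW_SCALE_SHIFT        3
#define KASAN_SHADOW_OFFSET_ARM64_BUILD 0xdfff800000000000ULL
#define KASAN_SHADOW_OFFSET_X86_64      0xdffffc0000000000ULL

struct kasan_range {
	uint64_t start;   /* first byte of the checked granule */
	uint64_t end;     /* last byte of the checked granule */
	int valid;        /* 0 if the fault address is below the shadow offset */
};

struct kasan_range kasan_decode_shadow(uint64_t fault, uint64_t shadow_offset)
{
	struct kasan_range r = { 0, 0, 0 };

	if (fault < shadow_offset)
		return r;
	r.start = (fault - shadow_offset) << KASAN_SHADOW_SCALE_SHIFT;
	r.end = r.start + (1ULL << KASAN_SHADOW_SCALE_SHIFT) - 1;
	r.valid = 1;
	return r;
}

/*
 * Map the recovered offset onto struct list_lru_one as the traces use it:
 * the 16-byte list_head comes first (next at 0, prev at 8), nr_items after
 * it. list_add_tail() reads head->prev, the [0x8-0xf] range in the report
 * above; a fault at [0x10-0x17] in list_lru_del() is the nr_items update.
 */
const char *kasan_describe_list_lru_one(uint64_t start)
{
	switch (start) {
	case 0:  return "list.next";
	case 8:  return "list.prev";
	case 16: return "nr_items";
	default: return "past the fields used here";
	}
}

int main(void)
{
	/* Fault addresses taken from the oopses in this thread. */
	struct { const char *label; uint64_t fault, offset; } faults[] = {
		{ "arm64, first report",    0xdfff800000000001ULL, KASAN_SHADOW_OFFSET_ARM64_BUILD },
		{ "x86-64, C reproducer",   0xdffffc0000000001ULL, KASAN_SHADOW_OFFSET_X86_64 },
		{ "x86-64, add-only patch", 0xdffffc0000000002ULL, KASAN_SHADOW_OFFSET_X86_64 },
	};

	for (size_t i = 0; i < sizeof faults / sizeof faults[0]; i++) {
		struct kasan_range r = kasan_decode_shadow(faults[i].fault, faults[i].offset);

		printf("%-24s shadow 0x%016llx -> [0x%llx-0x%llx] (%s)\n",
		       faults[i].label,
		       (unsigned long long)faults[i].fault,
		       (unsigned long long)r.start, (unsigned long long)r.end,
		       kasan_describe_list_lru_one(r.start));
	}
	return 0;
}
```

Build with `gcc -std=c99 -Wall kasan_decode.c` and run it; the first line prints the [0x8-0xf] granule the report states, which is list_lru_one.list.prev, the field list_add_tail() reads first. The same inversion works for any KASAN "in range" line as long as the shadow offset of that build is taken from its disassembly rather than assumed.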

syzbot

Dec 27, 2023, 10:50:22 AM
to ak...@linux-foundation.org, linux-...@vger.kernel.org, linu...@kvack.org, syzkall...@googlegroups.com
syzbot has found a reproducer for the following issue on:

HEAD commit: fbafc3e621c3 Merge tag 'for_linus' of git://git.kernel.org..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10dc0065e80000
kernel config: https://syzkaller.appspot.com/x/.config?x=c29fe98c88e5c7ae
dashboard link: https://syzkaller.appspot.com/bug?extid=2403e3909382fbdeaf6c
compiler: aarch64-linux-gnu-gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1217a445e80000

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/384ffdcca292/non_bootable_disk-fbafc3e6.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/44afd70ba00e/vmlinux-fbafc3e6.xz
kernel image: https://storage.googleapis.com/syzbot-assets/2812e972b4b2/Image-fbafc3e6.gz.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+2403e3...@syzkaller.appspotmail.com

netdevsim netdevsim1 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
netdevsim netdevsim1 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
netdevsim netdevsim1 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008
Mem abort info:
ESR = 0x0000000097d88004
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x04: level 0 translation fault
Data abort info:
Access size = 8 byte(s)
SSE = 0, SRT = 24
SF = 1, AR = 0
CM = 0, WnR = 0, TnD = 0, TagAccess = 0
GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
user pgtable: 4k pages, 48-bit VAs, pgdp=0000000045d88000
[0000000000000008] pgd=0000000000000000, p4d=0000000000000000
Internal error: Oops: 0000000097d88004 [#1] PREEMPT SMP
Modules linked in:
CPU: 1 PID: 3148 Comm: syz-executor.1 Not tainted 6.7.0-rc7-syzkaller-00003-gfbafc3e621c3 #0
Hardware name: linux,dummy-virt (DT)
pstate: 61400009 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
pc : list_add_tail include/linux/list.h:183 [inline]
pc : list_lru_add+0xa4/0x188 mm/list_lru.c:129
lr : list_lru_from_memcg_idx mm/list_lru.c:56 [inline]
lr : list_lru_from_memcg_idx mm/list_lru.c:53 [inline]
lr : list_lru_from_kmem mm/list_lru.c:78 [inline]
lr : list_lru_add+0x16c/0x188 mm/list_lru.c:128
sp : ffff800082c23ce0
x29: ffff800082c23ce0 x28: f7ff0000034f2f40 x27: 0000000000000000
x26: 0000000000000000 x25: faff000004d30000 x24: f0ff000005702340
x23: 0000000000000000 x22: 0000000000000000 x21: f8ff000005e0ac58
x20: f0ff000005702340 x19: f4ff000005b05d40 x18: 0000000000000001
x17: 0000000000000000 x16: 0000000000000000 x15: ffff8000803180f8
x14: 0000000000000000 x13: 000000000000039c x12: 0000000000005800
x11: 0000000000000040 x10: 000000000000002e x9 : 0000000000000001
x8 : ffff800082c23af8 x7 : 00000000001fffff x6 : 0000000055555556
x5 : f1ff000002c38b00 x4 : 0000000000000001 x3 : 0000000000000000
x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000
Call trace:
list_lru_from_kmem mm/list_lru.c:68 [inline]
list_lru_add+0xa4/0x188 mm/list_lru.c:128
d_lru_add+0x98/0x14c fs/dcache.c:431
retain_dentry fs/dcache.c:685 [inline]
dput+0x194/0x31c fs/dcache.c:908
done_path_create fs/namei.c:3925 [inline]
do_mkdirat+0x90/0x16c fs/namei.c:4132
__do_sys_mkdirat fs/namei.c:4144 [inline]
__se_sys_mkdirat fs/namei.c:4142 [inline]
__arm64_sys_mkdirat+0x50/0x7c fs/namei.c:4142
__invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]
invoke_syscall+0x48/0x114 arch/arm64/kernel/syscall.c:51
el0_svc_common.constprop.0+0x40/0xe0 arch/arm64/kernel/syscall.c:136
do_el0_svc+0x1c/0x28 arch/arm64/kernel/syscall.c:155
el0_svc+0x34/0xd8 arch/arm64/kernel/entry-common.c:678
el0t_64_sync_handler+0x100/0x12c arch/arm64/kernel/entry-common.c:696
el0t_64_sync+0x19c/0x1a0 arch/arm64/kernel/entry.S:595
Code: 8b160316 d2800019 910022d6 aa1603fa (f94006d8)
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
0: 8b160316 add x22, x24, x22
4: d2800019 mov x25, #0x0 // #0
8: 910022d6 add x22, x22, #0x8
c: aa1603fa mov x26, x22
* 10: f94006d8 ldr x24, [x22, #8] <-- trapping instruction


---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

syzbot

Jul 12, 2024, 1:11:27 PM
to ak...@linux-foundation.org, linux-...@vger.kernel.org, linu...@kvack.org, syzkall...@googlegroups.com
syzbot has found a reproducer for the following issue on:

HEAD commit: 43db1e03c086 Merge tag 'for-6.10/dm-fixes-2' of git://git...
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=16f39ee1980000
kernel config: https://syzkaller.appspot.com/x/.config?x=42a432cfd0e579e0
dashboard link: https://syzkaller.appspot.com/bug?extid=2403e3909382fbdeaf6c
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=141c864e980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12b1da7e980000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/709e8f085073/disk-43db1e03.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/1ab1fd5e8c1c/vmlinux-43db1e03.xz
kernel image: https://storage.googleapis.com/syzbot-assets/dc7484cb3765/bzImage-43db1e03.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/40d14eae864b/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+2403e3...@syzkaller.appspotmail.com

Oops: general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
CPU: 1 PID: 5077 Comm: syz-executor294 Not tainted 6.10.0-rc7-syzkaller-00141-g43db1e03c086 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
RIP: 0010:list_add_tail include/linux/list.h:183 [inline]
RIP: 0010:list_lru_add+0x1b1/0x390 mm/list_lru.c:97
Code: 89 ef e8 e2 06 1c 00 48 8b 45 00 48 8b 4c 24 30 48 8d 6c 08 40 4c 8d 6d 08 4d 89 ec 49 c1 ec 03 48 b8 00 00 00 00 00 fc ff df <41> 80 3c 04 00 74 08 4c 89 ef e8 b0 06 1c 00 4c 8b 7d 08 4c 89 f7
RSP: 0018:ffffc90003bbfa78 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 1ffff1100fada037 RCX: 0000000000000000
RDX: 0000000000000003 RSI: ffffffff8bcaccc0 RDI: ffffffff8c1f54c0
RBP: 0000000000000000 R08: ffffffff8fac686f R09: 1ffffffff1f58d0d
R10: dffffc0000000000 R11: fffffbfff1f58d0e R12: 0000000000000001
R13: 0000000000000008 R14: ffff88807d6d01b8 R15: 0000000000000000
FS: 000055557a070380(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000045bdd0 CR3: 0000000023864000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
__inode_add_lru fs/inode.c:467 [inline]
iput_final fs/inode.c:1718 [inline]
iput+0x87a/0x930 fs/inode.c:1767
__dentry_kill+0x20d/0x630 fs/dcache.c:607
dput+0x19f/0x2b0 fs/dcache.c:849
shrink_dcache_for_umount+0x7d/0x130 fs/dcache.c:1559
generic_shutdown_super+0x6a/0x2d0 fs/super.c:620
bch2_kill_sb+0x41/0x50 fs/bcachefs/fs.c:2052
deactivate_locked_super+0xc4/0x130 fs/super.c:473
cleanup_mnt+0x41f/0x4b0 fs/namespace.c:1267
task_work_run+0x24f/0x310 kernel/task_work.c:180
ptrace_notify+0x2d2/0x380 kernel/signal.c:2402
ptrace_report_syscall include/linux/ptrace.h:415 [inline]
ptrace_report_syscall_exit include/linux/ptrace.h:477 [inline]
syscall_exit_work+0xc6/0x190 kernel/entry/common.c:173
syscall_exit_to_user_mode_prepare kernel/entry/common.c:200 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:205 [inline]
syscall_exit_to_user_mode+0x273/0x360 kernel/entry/common.c:218
do_syscall_64+0x100/0x230 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f232c4c5e77
Code: 00 00 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 b8
RSP: 002b:00007fffde2e9f38 EFLAGS: 00000202 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f232c4c5e77
RDX: 0000000000000000 RSI: 0000000000000009 RDI: 00007fffde2e9ff0
RBP: 00007fffde2e9ff0 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000202 R12: 00007fffde2eb060
R13: 000055557a0716c0 R14: 00007fffde2eb05c R15: 431bde82d7b634db
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:list_add_tail include/linux/list.h:183 [inline]
RIP: 0010:list_lru_add+0x1b1/0x390 mm/list_lru.c:97
Code: 89 ef e8 e2 06 1c 00 48 8b 45 00 48 8b 4c 24 30 48 8d 6c 08 40 4c 8d 6d 08 4d 89 ec 49 c1 ec 03 48 b8 00 00 00 00 00 fc ff df <41> 80 3c 04 00 74 08 4c 89 ef e8 b0 06 1c 00 4c 8b 7d 08 4c 89 f7
RSP: 0018:ffffc90003bbfa78 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 1ffff1100fada037 RCX: 0000000000000000
RDX: 0000000000000003 RSI: ffffffff8bcaccc0 RDI: ffffffff8c1f54c0
RBP: 0000000000000000 R08: ffffffff8fac686f R09: 1ffffffff1f58d0d
R10: dffffc0000000000 R11: fffffbfff1f58d0e R12: 0000000000000001
R13: 0000000000000008 R14: ffff88807d6d01b8 R15: 0000000000000000
FS: 000055557a070380(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000045bdd0 CR3: 0000000023864000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 89 ef mov %ebp,%edi
2: e8 e2 06 1c 00 call 0x1c06e9
7: 48 8b 45 00 mov 0x0(%rbp),%rax
b: 48 8b 4c 24 30 mov 0x30(%rsp),%rcx
10: 48 8d 6c 08 40 lea 0x40(%rax,%rcx,1),%rbp
15: 4c 8d 6d 08 lea 0x8(%rbp),%r13
19: 4d 89 ec mov %r13,%r12
1c: 49 c1 ec 03 shr $0x3,%r12
20: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
27: fc ff df
* 2a: 41 80 3c 04 00 cmpb $0x0,(%r12,%rax,1) <-- trapping instruction
2f: 74 08 je 0x39
31: 4c 89 ef mov %r13,%rdi
34: e8 b0 06 1c 00 call 0x1c06e9
39: 4c 8b 7d 08 mov 0x8(%rbp),%r15
3d: 4c 89 f7 mov %r14,%rdi

syzbot

Jul 12, 2024, 9:14:03 PM
to ak...@linux-foundation.org, kent.ov...@linux.dev, linux-...@vger.kernel.org, linu...@kvack.org, syzkall...@googlegroups.com, tangy...@kylinos.cn
syzbot has bisected this issue to:

commit 86d81ec5f5f05846c7c6e48ffb964b24cba2e669
Author: Youling Tang <tangy...@kylinos.cn>
Date: Wed Jul 3 07:09:55 2024 +0000

bcachefs: Mark bch_inode_info as SLAB_ACCOUNT

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=113f4bed980000
start commit: 43db1e03c086 Merge tag 'for-6.10/dm-fixes-2' of git://git...
git tree: upstream
final oops: https://syzkaller.appspot.com/x/report.txt?x=133f4bed980000
console output: https://syzkaller.appspot.com/x/log.txt?x=153f4bed980000
Reported-by: syzbot+2403e3...@syzkaller.appspotmail.com
Fixes: 86d81ec5f5f0 ("bcachefs: Mark bch_inode_info as SLAB_ACCOUNT")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection

Hillf Danton

Jul 12, 2024, 9:49:11 PM
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Fri, 12 Jul 2024 10:11:25 -0700
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: 43db1e03c086 Merge tag 'for-6.10/dm-fixes-2' of git://git...
> git tree: upstream
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12b1da7e980000

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 43db1e03c086

--- x/mm/list_lru.c
+++ y/mm/list_lru.c
@@ -94,6 +94,8 @@ bool list_lru_add(struct list_lru *lru,
spin_lock(&nlru->lock);
if (list_empty(item)) {
l = list_lru_from_memcg_idx(lru, nid, memcg_kmem_id(memcg));
+ if (NULL == l)
+ l = &lru->node[nid].lru;
list_add_tail(item, &l->list);
/* Set shrinker bit if the first element was added */
if (!l->nr_items++)
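Review bot: the guard covers only list_lru_add(); an item parked on lru->node[nid].lru by this fallback is later removed through list_lru_del(), which resolves the list with the same list_lru_from_memcg_idx() call and still gets NULL, so the dereference moves from the add side to the delete side rather than going away (the syzbot test result for this patch shows exactly that: a fault in list_lru_del at mm/list_lru.c:132, KASAN range [0x10-0x17], which is the nr_items field after the 16-byte list_head). Either add the same substitution on the delete path or put it in the helper so both callers agree on which list the item lives on. Minor: kernel style is `if (!l)` rather than `if (NULL == l)`.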
--

syzbot

Jul 12, 2024, 10:15:03 PM
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in list_lru_del

Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
CPU: 1 PID: 5638 Comm: syz-executor Not tainted 6.10.0-rc7-syzkaller-00141-g43db1e03c086-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
RIP: 0010:list_lru_del+0x247/0x310 mm/list_lru.c:132
Code: 1c 00 4d 89 3f 49 8d 7f 08 48 89 f8 48 c1 e8 03 80 3c 28 00 74 05 e8 88 02 1c 00 4d 89 7f 08 48 83 c3 10 48 89 d8 48 c1 e8 03 <80> 3c 28 00 74 08 48 89 df e8 7b 01 1c 00 48 ff 0b 48 8b 44 24 28
RSP: 0018:ffffc9000405fbd8 EFLAGS: 00010202
RAX: 0000000000000002 RBX: 0000000000000010 RCX: dffffc0000000000
RDX: 0000000000000000 RSI: ffffffff8bcaccc0 RDI: ffff88806ced81c0
RBP: dffffc0000000000 R08: ffffffff8fac686f R09: 1ffffffff1f58d0d
R10: dffffc0000000000 R11: fffffbfff1f58d0e R12: ffff88801fb75240
R13: ffff88801fb75200 R14: ffff88801fb75240 R15: ffff88806ced81b8
FS: 000055555b96b500(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055d5667df000 CR3: 000000007b826000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
inode_lru_list_del fs/inode.c:485 [inline]
evict_inodes+0x22d/0x690 fs/inode.c:732
generic_shutdown_super+0x9d/0x2d0 fs/super.c:627
bch2_kill_sb+0x41/0x50 fs/bcachefs/fs.c:2052
deactivate_locked_super+0xc4/0x130 fs/super.c:473
cleanup_mnt+0x41f/0x4b0 fs/namespace.c:1267
task_work_run+0x24f/0x310 kernel/task_work.c:180
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
exit_to_user_mode_loop kernel/entry/common.c:114 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0x168/0x360 kernel/entry/common.c:218
do_syscall_64+0x100/0x230 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f9fb9b76f07
Code: a8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 c7 c2 a8 ff ff ff f7 d8 64 89 02 b8
RSP: 002b:00007ffcfeb94e78 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f9fb9b76f07
RDX: 0000000000000000 RSI: 0000000000000009 RDI: 00007ffcfeb94f30
RBP: 00007ffcfeb94f30 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000246 R12: 00007ffcfeb95ff0
R13: 00007f9fb9be3515 R14: 000000000001ce83 R15: 000000000001cd13
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:list_lru_del+0x247/0x310 mm/list_lru.c:132
Code: 1c 00 4d 89 3f 49 8d 7f 08 48 89 f8 48 c1 e8 03 80 3c 28 00 74 05 e8 88 02 1c 00 4d 89 7f 08 48 83 c3 10 48 89 d8 48 c1 e8 03 <80> 3c 28 00 74 08 48 89 df e8 7b 01 1c 00 48 ff 0b 48 8b 44 24 28
RSP: 0018:ffffc9000405fbd8 EFLAGS: 00010202
RAX: 0000000000000002 RBX: 0000000000000010 RCX: dffffc0000000000
RDX: 0000000000000000 RSI: ffffffff8bcaccc0 RDI: ffff88806ced81c0
RBP: dffffc0000000000 R08: ffffffff8fac686f R09: 1ffffffff1f58d0d
R10: dffffc0000000000 R11: fffffbfff1f58d0e R12: ffff88801fb75240
R13: ffff88801fb75200 R14: ffff88801fb75240 R15: ffff88806ced81b8
FS: 000055555b96b500(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055d5667df000 CR3: 000000007b826000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 1c 00 sbb $0x0,%al
2: 4d 89 3f mov %r15,(%r15)
5: 49 8d 7f 08 lea 0x8(%r15),%rdi
9: 48 89 f8 mov %rdi,%rax
c: 48 c1 e8 03 shr $0x3,%rax
10: 80 3c 28 00 cmpb $0x0,(%rax,%rbp,1)
14: 74 05 je 0x1b
16: e8 88 02 1c 00 call 0x1c02a3
1b: 4d 89 7f 08 mov %r15,0x8(%r15)
1f: 48 83 c3 10 add $0x10,%rbx
23: 48 89 d8 mov %rbx,%rax
26: 48 c1 e8 03 shr $0x3,%rax
* 2a: 80 3c 28 00 cmpb $0x0,(%rax,%rbp,1) <-- trapping instruction
2e: 74 08 je 0x38
30: 48 89 df mov %rbx,%rdi
33: e8 7b 01 1c 00 call 0x1c01b3
38: 48 ff 0b decq (%rbx)
3b: 48 8b 44 24 28 mov 0x28(%rsp),%rax


Tested on:

commit: 43db1e03 Merge tag 'for-6.10/dm-fixes-2' of git://git...
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=1566ca21980000
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=16185766980000

Hillf Danton

Jul 13, 2024, 5:05:31 AM
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Fri, 12 Jul 2024 10:11:25 -0700
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: 43db1e03c086 Merge tag 'for-6.10/dm-fixes-2' of git://git...
> git tree: upstream
@@ -55,7 +55,8 @@ list_lru_from_memcg_idx(struct list_lru
if (list_lru_memcg_aware(lru) && idx >= 0) {
struct list_lru_memcg *mlru = xa_load(&lru->xa, idx);

- return mlru ? &mlru->node[nid] : NULL;
+ if (mlru)
+ return &mlru->node[nid];
}
return &lru->node[nid].lru;
}
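Review bot: falling through to the global per-node list when xa_load() finds no entry for idx makes add and delete consistent again, but it also silently accepts an object charged to a memcg for which this lru never had a per-memcg list allocated, which is the condition the bisection ties to "bcachefs: Mark bch_inode_info as SLAB_ACCOUNT". A WARN_ON_ONCE() on the fallback path would keep that allocation gap visible instead of masking it, and objects placed on the global list this way are no longer tracked under the memcg they were charged to. Any other caller of this helper that treats a NULL return as "no list for this memcg" should be checked before it starts being handed the global list.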
--

syzbot

Jul 13, 2024, 5:35:04 AM
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+2403e3...@syzkaller.appspotmail.com

Tested on:

commit: 43db1e03 Merge tag 'for-6.10/dm-fixes-2' of git://git...
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=1691e4f6980000
kernel config: https://syzkaller.appspot.com/x/.config?x=42a432cfd0e579e0
dashboard link: https://syzkaller.appspot.com/bug?extid=2403e3909382fbdeaf6c
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=11b022e9980000

Note: testing is done by a robot and is best-effort only.
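
The two patches in this thread differ only in where the missing-memcg case is handled, and syzbot's results show why that matters: guarding list_lru_add() alone moved the fault into list_lru_del(), while handling it inside list_lru_from_memcg_idx() made the reproducer pass. The following is an added illustration written for this page, not code from the kernel tree or from the thread. It models the lookup in userspace: the struct names mirror mm/list_lru.c, but the pointer table standing in for the xarray, the lookup_policy enum and the model_* functions are this example's own, and there is one node and no locking.

```c
#include <stddef.h>
#include <stdio.h>

/*
 * Added example, not kernel code: a userspace model of the list_lru lookup
 * both patches change. It keeps the one property that decides between them:
 * an item is added through list_lru_from_memcg_idx() and later deleted
 * through the same lookup, so a NULL result must be handled on both paths
 * or the fault just moves.
 */
struct list_head { struct list_head *next, *prev; };

static void INIT_LIST_HEAD(struct list_head *h) { h->next = h->prev = h; }
static int list_empty(const struct list_head *h) { return h->next == h; }
static void list_add_tail(struct list_head *n, struct list_head *h)
{
	n->prev = h->prev;   /* first access is h->prev: offset 8 of a NULL list */
	n->next = h;
	h->prev->next = n;
	h->prev = n;
}
static void list_del_init(struct list_head *n)
{
	n->prev->next = n->next;
	n->next->prev = n->prev;
	INIT_LIST_HEAD(n);
}

struct list_lru_one { struct list_head list; long nr_items; };

#define MODEL_MAX_MEMCG 4
struct list_lru_model {
	int memcg_aware;
	struct list_lru_one global;                   /* lru->node[nid].lru */
	struct list_lru_one *memcg[MODEL_MAX_MEMCG];  /* stands in for xa_load(&lru->xa, idx) */
};

/* Policy names are this example's own, not kernel identifiers. */
enum lookup_policy {
	LOOKUP_UPSTREAM,         /* helper returns NULL when the entry is missing */
	LOOKUP_GUARD_ADD_ONLY,   /* first patch: only list_lru_add() substitutes the global list */
	LOOKUP_HELPER_FALLBACK,  /* second patch: the helper itself falls back */
};
enum model_result { MODEL_OK = 0, MODEL_CRASH_IN_ADD = -1, MODEL_CRASH_IN_DEL = -2 };

static struct list_lru_one *
model_from_memcg_idx(struct list_lru_model *lru, int idx, enum lookup_policy p)
{
	if (lru->memcg_aware && idx >= 0) {
		struct list_lru_one *mlru = lru->memcg[idx];
		if (mlru || p != LOOKUP_HELPER_FALLBACK)
			return mlru;
	}
	return &lru->global;
}

static int model_add(struct list_lru_model *lru, struct list_head *item, int idx, enum lookup_policy p)
{
	struct list_lru_one *l = model_from_memcg_idx(lru, idx, p);

	if (!l && p == LOOKUP_GUARD_ADD_ONLY)
		l = &lru->global;
	if (!l)
		return MODEL_CRASH_IN_ADD;  /* kernel: list_add_tail(item, &l->list) faults on l->list.prev */
	if (list_empty(item)) {
		list_add_tail(item, &l->list);
		l->nr_items++;
	}
	return MODEL_OK;
}

static int model_del(struct list_lru_model *lru, struct list_head *item, int idx, enum lookup_policy p)
{
	struct list_lru_one *l = model_from_memcg_idx(lru, idx, p);

	if (!l)
		return MODEL_CRASH_IN_DEL;  /* kernel: l->nr_items-- faults at offset 0x10 */
	if (!list_empty(item)) {
		list_del_init(item);
		l->nr_items--;
	}
	return MODEL_OK;
}

/* Add one item for memcg index 1, whose per-memcg list is absent (the
 * xa_load() == NULL case), then delete it, as evict_inodes() does at umount. */
int model_run(enum lookup_policy p)
{
	struct list_lru_model lru = { .memcg_aware = 1 };
	struct list_head item;
	int rc;

	INIT_LIST_HEAD(&lru.global.list);
	INIT_LIST_HEAD(&item);
	rc = model_add(&lru, &item, 1, p);
	return rc != MODEL_OK ? rc : model_del(&lru, &item, 1, p);
}

int main(void)
{
	static const char *names[] = { "upstream", "guard add only", "fallback in helper" };

	for (int p = LOOKUP_UPSTREAM; p <= LOOKUP_HELPER_FALLBACK; p++) {
		int rc = model_run(p);
		printf("%-20s -> %s\n", names[p], rc == MODEL_OK ? "ok" :
		       rc == MODEL_CRASH_IN_ADD ? "fault in add" : "fault in del");
	}
	return 0;
}
```

The three policies reproduce the three outcomes in the thread in order: the unpatched lookup faults in the add path, the add-only guard faults in the delete path, and the fallback inside the helper completes both. The model does not say whether parking the object on the global list is the right fix, only that add and delete must resolve to the same list; the bisection result points at the allocation side as the place the missing per-memcg list originates.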