BUG: unable to handle kernel paging request in dquot_add_space
7 views
Skip to first unread message
syzbot
Sep 30, 2020, 8:21:21 AM9/30/20
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: cbfa1702 Linux 4.14.198
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=134c7af3900000
kernel config: https://syzkaller.appspot.com/x/.config?x=3990958d85b55e59
dashboard link: https://syzkaller.appspot.com/bug?extid=1085dec0e2097c537d0b
compiler: gcc (GCC) 10.1.0-syz 20200507
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10cb639d900000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17762af3900000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+1085de...@syzkaller.appspotmail.com
audit: type=1400 audit(1601468350.152:8): avc: denied { execmem } for pid=6365 comm="syz-executor918" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
EXT4-fs (loop0): mounted filesystem without journal. Opts: ,errors=continue
Quota error (device loop0): qtree_write_dquot: Error -927940090 occurred while creating quota
BUG: unable to handle kernel paging request at fffffbfff9161860
IP: dquot_add_space+0x45/0xfb0 fs/quota/dquot.c:1303
PGD 21ffec067 P4D 21ffec067 PUD 21ffeb067 PMD 0
Oops: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 1 PID: 6365 Comm: syz-executor918 Not tainted 4.14.198-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8880899b4080 task.stack: ffff8880985e0000
RIP: 0010:dquot_add_space+0x45/0xfb0 fs/quota/dquot.c:1303
RSP: 0018:ffff8880985e7318 EFLAGS: 00010a07
RAX: dffffc0000000000 RBX: ffff8880985e7428 RCX: 0000000000000001
RDX: 1ffffffff9161860 RSI: 0000000000000400 RDI: ffffffffc8b0c206
RBP: 0000000000000000 R08: ffff8880985e7428 R09: 0000000000000000
R10: 0000000000000002 R11: ffff8880899b4080 R12: ffff888082670998
R13: ffffffffc8b0c206 R14: ffffffffc8b0c206 R15: ffff8880985e7428
FS: 0000000001851880(0000) GS:ffff8880aeb00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffffbfff9161860 CR3: 00000000a5478000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
__dquot_alloc_space+0x461/0x7b0 fs/quota/dquot.c:1668
dquot_alloc_space_nodirty include/linux/quotaops.h:295 [inline]
dquot_alloc_space include/linux/quotaops.h:308 [inline]
dquot_alloc_block include/linux/quotaops.h:332 [inline]
ext4_mb_new_blocks+0x4ac/0x3db0 fs/ext4/mballoc.c:4561
ext4_new_meta_blocks+0x197/0x2e0 fs/ext4/balloc.c:677
ext4_xattr_block_set+0xd2b/0x2af0 fs/ext4/xattr.c:2074
ext4_xattr_set_handle+0x839/0xd20 fs/ext4/xattr.c:2410
ext4_xattr_set+0x118/0x230 fs/ext4/xattr.c:2510
__vfs_setxattr+0xdc/0x130 fs/xattr.c:150
__vfs_setxattr_noperm+0xfd/0x3d0 fs/xattr.c:181
__vfs_setxattr_locked+0x14d/0x250 fs/xattr.c:239
vfs_setxattr+0xcf/0x230 fs/xattr.c:256
setxattr+0x1a9/0x300 fs/xattr.c:523
path_setxattr+0x118/0x130 fs/xattr.c:542
SYSC_setxattr fs/xattr.c:557 [inline]
SyS_setxattr+0x36/0x50 fs/xattr.c:553
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x444709
RSP: 002b:00007ffc70d13908 EFLAGS: 00000246 ORIG_RAX: 00000000000000bc
RAX: ffffffffffffffda RBX: 0030656c69662f2e RCX: 0000000000444709
RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000020000040
RBP: 00000000006cf018 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004022f0
R13: 0000000000402380 R14: 0000000000000000 R15: 0000000000000000
Code: 89 4c 24 3c 4c 89 44 24 28 e8 58 e2 b6 ff 49 8d 85 00 01 00 00 48 89 c2 48 89 44 24 30 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 c6 0b 00 00 4d 8d a5 c0 00 00 00 49 8b 9d 00
RIP: dquot_add_space+0x45/0xfb0 fs/quota/dquot.c:1303 RSP: ffff8880985e7318
CR2: fffffbfff9161860
---[ end trace c419967b1cda59f7 ]---
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot found the following issue on:
HEAD commit: cbfa1702 Linux 4.14.198
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=134c7af3900000
kernel config: https://syzkaller.appspot.com/x/.config?x=3990958d85b55e59
dashboard link: https://syzkaller.appspot.com/bug?extid=1085dec0e2097c537d0b
compiler: gcc (GCC) 10.1.0-syz 20200507
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10cb639d900000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17762af3900000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+1085de...@syzkaller.appspotmail.com
audit: type=1400 audit(1601468350.152:8): avc: denied { execmem } for pid=6365 comm="syz-executor918" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
EXT4-fs (loop0): mounted filesystem without journal. Opts: ,errors=continue
Quota error (device loop0): qtree_write_dquot: Error -927940090 occurred while creating quota
BUG: unable to handle kernel paging request at fffffbfff9161860
IP: dquot_add_space+0x45/0xfb0 fs/quota/dquot.c:1303
PGD 21ffec067 P4D 21ffec067 PUD 21ffeb067 PMD 0
Oops: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 1 PID: 6365 Comm: syz-executor918 Not tainted 4.14.198-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8880899b4080 task.stack: ffff8880985e0000
RIP: 0010:dquot_add_space+0x45/0xfb0 fs/quota/dquot.c:1303
RSP: 0018:ffff8880985e7318 EFLAGS: 00010a07
RAX: dffffc0000000000 RBX: ffff8880985e7428 RCX: 0000000000000001
RDX: 1ffffffff9161860 RSI: 0000000000000400 RDI: ffffffffc8b0c206
RBP: 0000000000000000 R08: ffff8880985e7428 R09: 0000000000000000
R10: 0000000000000002 R11: ffff8880899b4080 R12: ffff888082670998
R13: ffffffffc8b0c206 R14: ffffffffc8b0c206 R15: ffff8880985e7428
FS: 0000000001851880(0000) GS:ffff8880aeb00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffffbfff9161860 CR3: 00000000a5478000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
__dquot_alloc_space+0x461/0x7b0 fs/quota/dquot.c:1668
dquot_alloc_space_nodirty include/linux/quotaops.h:295 [inline]
dquot_alloc_space include/linux/quotaops.h:308 [inline]
dquot_alloc_block include/linux/quotaops.h:332 [inline]
ext4_mb_new_blocks+0x4ac/0x3db0 fs/ext4/mballoc.c:4561
ext4_new_meta_blocks+0x197/0x2e0 fs/ext4/balloc.c:677
ext4_xattr_block_set+0xd2b/0x2af0 fs/ext4/xattr.c:2074
ext4_xattr_set_handle+0x839/0xd20 fs/ext4/xattr.c:2410
ext4_xattr_set+0x118/0x230 fs/ext4/xattr.c:2510
__vfs_setxattr+0xdc/0x130 fs/xattr.c:150
__vfs_setxattr_noperm+0xfd/0x3d0 fs/xattr.c:181
__vfs_setxattr_locked+0x14d/0x250 fs/xattr.c:239
vfs_setxattr+0xcf/0x230 fs/xattr.c:256
setxattr+0x1a9/0x300 fs/xattr.c:523
path_setxattr+0x118/0x130 fs/xattr.c:542
SYSC_setxattr fs/xattr.c:557 [inline]
SyS_setxattr+0x36/0x50 fs/xattr.c:553
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x444709
RSP: 002b:00007ffc70d13908 EFLAGS: 00000246 ORIG_RAX: 00000000000000bc
RAX: ffffffffffffffda RBX: 0030656c69662f2e RCX: 0000000000444709
RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000020000040
RBP: 00000000006cf018 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004022f0
R13: 0000000000402380 R14: 0000000000000000 R15: 0000000000000000
Code: 89 4c 24 3c 4c 89 44 24 28 e8 58 e2 b6 ff 49 8d 85 00 01 00 00 48 89 c2 48 89 44 24 30 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 c6 0b 00 00 4d 8d a5 c0 00 00 00 49 8b 9d 00
RIP: dquot_add_space+0x45/0xfb0 fs/quota/dquot.c:1303 RSP: ffff8880985e7318
CR2: fffffbfff9161860
---[ end trace c419967b1cda59f7 ]---
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot
Dec 29, 2020, 6:24:06 PM12/29/20
to syzkaller...@googlegroups.com
syzbot suspects this issue was fixed by commit:
commit a9c625fcddc078624e1e7a673443b29c71be3431
Author: Jan Kara <ja...@suse.cz>
Date: Mon Nov 2 15:16:29 2020 +0000
quota: Sanity-check quota file headers on load
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=10f0cc47500000
start commit: cbfa1702 Linux 4.14.198
git tree: linux-4.14.y
#syz fix: quota: Sanity-check quota file headers on load
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
commit a9c625fcddc078624e1e7a673443b29c71be3431
Author: Jan Kara <ja...@suse.cz>
Date: Mon Nov 2 15:16:29 2020 +0000
quota: Sanity-check quota file headers on load
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=10f0cc47500000
start commit: cbfa1702 Linux 4.14.198
git tree: linux-4.14.y
kernel config: https://syzkaller.appspot.com/x/.config?x=3990958d85b55e59
dashboard link: https://syzkaller.appspot.com/bug?extid=1085dec0e2097c537d0b
dashboard link: https://syzkaller.appspot.com/bug?extid=1085dec0e2097c537d0b
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10cb639d900000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17762af3900000
If the result looks correct, please mark the issue as fixed by replying with:
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17762af3900000
#syz fix: quota: Sanity-check quota file headers on load
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
Reply all
Reply to author
Forward
0 new messages