syzbot has found a reproducer for the following crash on:
HEAD commit: 78778071 Linux 4.19.55
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1021f669a00000
kernel config: https://syzkaller.appspot.com/x/.config?x=3bb067df352bfe4b
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1603dfbea00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14bbbfe6a00000
audit: type=1804 audit(1561282951.109:1843): pid=9479 uid=0 auid=4294967295 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 op=invalid_pcr cause=ToMToU comm="syz-executor809" name="/root/bus" dev="sda1" ino=16485 res=1
audit: type=1804 audit(1561282951.109:1844): pid=9485 uid=0 auid=4294967295 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 op=invalid_pcr cause=open_writers comm="syz-executor809" name="/root/bus" dev="sda1" ino=16485 res=1
WARNING: CPU: 0 PID: 9514 at fs/ext4/inode.c:3898 ext4_set_page_dirty+0x30b/0x430 fs/ext4/inode.c:3898
audit: type=1804 audit(1561282951.109:1845): pid=9488 uid=0 auid=4294967295 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 op=invalid_pcr cause=open_writers comm="syz-executor809" name="/root/bus" dev="sda1" ino=16485 res=1
Kernel panic - not syncing: panic_on_warn set ...
CPU: 0 PID: 9514 Comm: syz-executor809 Not tainted 4.19.55 #27
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x172/0x1f0 lib/dump_stack.c:113
panic+0x263/0x507 kernel/panic.c:185
audit: type=1804 audit(1561282951.109:1846): pid=9483 uid=0 auid=4294967295 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 op=invalid_pcr cause=ToMToU comm="syz-executor809" name="/root/bus" dev="sda1" ino=16485 res=1
audit: type=1804 audit(1561282951.109:1847): pid=9486 uid=0 auid=4294967295 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 op=invalid_pcr cause=open_writers comm="syz-executor809" name="/root/bus" dev="sda1" ino=16485 res=1
__warn.cold+0x20/0x4a kernel/panic.c:540
report_bug+0x263/0x2b0 lib/bug.c:186
fixup_bug arch/x86/kernel/traps.c:178 [inline]
fixup_bug arch/x86/kernel/traps.c:173 [inline]
do_error_trap+0x204/0x360 arch/x86/kernel/traps.c:296
do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:316
invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:1013
RIP: 0010:ext4_set_page_dirty+0x30b/0x430 fs/ext4/inode.c:3898
Code: ff e8 d9 59 83 ff 49 8d 5f ff e9 e5 fd ff ff e8 cb 59 83 ff 48 c7 c6 60 9a 5a 87 4c 89 e7 e8 8c 59 ab ff 0f 0b e8 b5 59 83 ff <0f> 0b e9 56 ff ff ff e8 a9 59 83 ff 4c 89 ea 48 b8 00 00 00 00 00
RSP: 0018:ffff8880a14cf9e0 EFLAGS: 00010293
RAX: ffff8880973c8000 RBX: 0000000000000000 RCX: ffffffff81e7bc50
RDX: 0000000000000000 RSI: ffffffff81e7bcfb RDI: 0000000000000001
RBP: ffff8880a14cfa08 R08: ffff8880973c8000 R09: 0000000000000000
R10: ffffed10016795ff R11: ffff88800b3cafff R12: ffffea00002cf280
R13: ffffea00002cf288 R14: 0000000000000000 R15: ffffea0001e845c8
set_page_dirty+0x2e7/0x820 mm/page-writeback.c:2572
set_page_dirty_lock+0x88/0xc0 mm/page-writeback.c:2597
process_vm_rw_pages mm/process_vm_access.c:51 [inline]
process_vm_rw_single_vec mm/process_vm_access.c:124 [inline]
process_vm_rw_core.isra.0+0x527/0xb20 mm/process_vm_access.c:220
process_vm_rw+0x21f/0x240 mm/process_vm_access.c:288
__do_sys_process_vm_writev mm/process_vm_access.c:310 [inline]
__se_sys_process_vm_writev mm/process_vm_access.c:305 [inline]
__x64_sys_process_vm_writev+0xe3/0x1a0 mm/process_vm_access.c:305
do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4468d9
Code: e8 0c e8 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 07 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f8d03d5fda8 EFLAGS: 00000246 ORIG_RAX: 0000000000000137
RAX: ffffffffffffffda RBX: 00000000006dbc58 RCX: 00000000004468d9
RDX: 0000000000000001 RSI: 0000000020000540 RDI: 0000000000002520
RBP: 00000000006dbc50 R08: 0000000000000001 R09: 0000000000000000
R10: 00000000200003c0 R11: 0000000000000246 R12: 00000000006dbc5c
R13: 00007ffef9bdfbff R14: 00007f8d03d609c0 R15: 0000000000000001