From: syzbot <syzbot+1a8e2b31f2ac9bd3d148@syzkaller.appspotmail.com>
To: linux-kernel@vger.kernel.org, lizhi.xu@windriver.com,
	 syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [f2fs?] KASAN: null-ptr-deref Write in f2fs_stop_gc_thread
Date: Wed, 24 Jul 2024 23:54:03 -0700	[thread overview]
Message-ID: <000000000000349950061e0cdcdd@google.com> (raw)
In-Reply-To: <20240725050750.3007233-1-lizhi.xu@windriver.com>

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in f2fs_start_gc_thread

F2FS-fs (loop0): Stopped filesystem due to reason: 0
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 1 PID: 7528 Comm: syz.0.131 Not tainted 6.10.0-syzkaller-11185-g2c9b3512402e-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
RIP: 0010:f2fs_start_gc_thread+0x33a/0x570 fs/f2fs/gc.c:191
Code: 00 00 e8 39 21 a5 fd 4c 89 f7 e8 01 9a 74 fd 43 80 7c 3d 00 00 74 08 4c 89 e7 e8 61 16 08 fe 49 8b 1c 24 48 89 d8 48 c1 e8 03 <42> 80 3c 38 00 74 08 48 89 df e8 37 17 08 fe 4c 89 33 48 89 e8 48
RSP: 0018:ffffc9000b0a79d0 EFLAGS: 00010246

RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000001
RDX: dffffc0000000000 RSI: ffffffff8bcacd20 RDI: 0000000000000001
RBP: ffff8880233dfd00 R08: ffffffff92fd071f R09: 1ffffffff25fa0e3
R10: dffffc0000000000 R11: fffffbfff25fa0e4 R12: ffff88807ed6d2c8
R13: 1ffff1100fdada59 R14: ffff88801a3bda00 R15: dffffc0000000000
FS:  00007f8ea496c6c0(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000c003b37000 CR3: 000000002cdaa000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 f2fs_remount+0x14eb/0x1c20 fs/f2fs/super.c:2440
 reconfigure_super+0x445/0x880 fs/super.c:1072
 vfs_cmd_reconfigure fs/fsopen.c:263 [inline]
 vfs_fsconfig_locked fs/fsopen.c:292 [inline]
 __do_sys_fsconfig fs/fsopen.c:473 [inline]
 __se_sys_fsconfig+0xb6e/0xf80 fs/fsopen.c:345
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f8ea3b75b59
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f8ea496c048 EFLAGS: 00000246
 ORIG_RAX: 00000000000001af
RAX: ffffffffffffffda RBX: 00007f8ea3d05f60 RCX: 00007f8ea3b75b59
RDX: 0000000000000000 RSI: 0000000000000007 RDI: 0000000000000006
RBP: 00007f8ea3be4e5d R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f8ea3d05f60 R15: 00007fffaa6511a8
 </TASK>
Modules linked in:
----------------
Code disassembly (best guess):
   0:	00 00                	add    %al,(%rax)
   2:	e8 39 21 a5 fd       	call   0xfda52140
   7:	4c 89 f7             	mov    %r14,%rdi
   a:	e8 01 9a 74 fd       	call   0xfd749a10
   f:	43 80 7c 3d 00 00    	cmpb   $0x0,0x0(%r13,%r15,1)
  15:	74 08                	je     0x1f
  17:	4c 89 e7             	mov    %r12,%rdi
  1a:	e8 61 16 08 fe       	call   0xfe081680
  1f:	49 8b 1c 24          	mov    (%r12),%rbx
  23:	48 89 d8             	mov    %rbx,%rax
  26:	48 c1 e8 03          	shr    $0x3,%rax
* 2a:	42 80 3c 38 00       	cmpb   $0x0,(%rax,%r15,1) <-- trapping instruction
  2f:	74 08                	je     0x39
  31:	48 89 df             	mov    %rbx,%rdi
  34:	e8 37 17 08 fe       	call   0xfe081770
  39:	4c 89 33             	mov    %r14,(%rbx)
  3c:	48 89 e8             	mov    %rbp,%rax
  3f:	48                   	rex.W


Tested on:

commit:         2c9b3512 Merge tag 'for-linus' of git://git.kernel.org..
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=15fbadb1980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f4925140c45a2a50
dashboard link: https://syzkaller.appspot.com/bug?extid=1a8e2b31f2ac9bd3d148
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=16adb055980000

