Re: [syzbot] [f2fs?] KASAN: null-ptr-deref Write in f2fs_stop_gc_thread

All of lore.kernel.org
 help / color / mirror / Atom feed

From: syzbot <syzbot+1a8e2b31f2ac9bd3d148@syzkaller.appspotmail.com>
To: linux-kernel@vger.kernel.org, lizhi.xu@windriver.com,
	 syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [f2fs?] KASAN: null-ptr-deref Write in f2fs_stop_gc_thread
Date: Wed, 24 Jul 2024 18:54:04 -0700	[thread overview]
Message-ID: <00000000000069b574061e08abd8@google.com> (raw)
In-Reply-To: <20240725013244.474343-1-lizhi.xu@windriver.com>

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
INFO: task hung in f2fs_stop_gc_thread

INFO: task syz.3.52:6722 blocked for more than 143 seconds.
      Not tainted 6.10.0-syzkaller-11185-g2c9b3512402e-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.3.52        state:D stack:26464 pid:6722  tgid:6680  ppid:5910   flags:0x00004004
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5188 [inline]
 __schedule+0x17ae/0x4a10 kernel/sched/core.c:6529
 __schedule_loop kernel/sched/core.c:6606 [inline]
 schedule+0x14b/0x320 kernel/sched/core.c:6621
 schedule_timeout+0xb0/0x310 kernel/time/timer.c:2557
 do_wait_for_common kernel/sched/completion.c:95 [inline]
 __wait_for_common kernel/sched/completion.c:116 [inline]
 wait_for_common kernel/sched/completion.c:127 [inline]
 wait_for_completion+0x355/0x620 kernel/sched/completion.c:148
 kthread_stop+0x19e/0x630 kernel/kthread.c:710
 f2fs_stop_gc_thread+0x65/0xb0 fs/f2fs/gc.c:210
 f2fs_do_shutdown+0x250/0x550 fs/f2fs/file.c:2285
 f2fs_ioc_shutdown fs/f2fs/file.c:2327 [inline]
 __f2fs_ioctl+0x443a/0xbe60 fs/f2fs/file.c:4327
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:907 [inline]
 __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f24e1d75b59
RSP: 002b:00007f24e17ff048 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f24e1f06038 RCX: 00007f24e1d75b59
RDX: 0000000020000140 RSI: 000000008004587d RDI: 0000000000000005
RBP: 00007f24e1de4e5d R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f24e1f06038 R15: 00007ffdd92ac938
 </TASK>

Showing all locks held in the system:
1 lock held by khungtaskd/30:
 #0: ffffffff8e336e60 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:327 [inline]
 #0: ffffffff8e336e60 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:839 [inline]
 #0: ffffffff8e336e60 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x55/0x2a0 kernel/locking/lockdep.c:6620
3 locks held by kworker/u8:2/35:
5 locks held by kworker/u8:8/1113:
2 locks held by getty/4843:
 #0: ffff88802aa340a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x25/0x70 drivers/tty/tty_ldisc.c:243
 #1: ffffc90002f062f0 (&ldata->atomic_read_lock){+.+.}-{3:3}, at: n_tty_read+0x6b5/0x1e10 drivers/tty/n_tty.c:2211
1 lock held by syz.3.52/6722:
 #0: ffff88807c804420 (sb_writers#12){.+.+}-{0:0}, at: mnt_want_write_file+0x61/0x200 fs/namespace.c:559
1 lock held by syz.4.98/7235:
 #0: ffff88807d5a2420 (sb_writers#12){.+.+}-{0:0}, at: mnt_want_write_file+0x61/0x200 fs/namespace.c:559
1 lock held by syz.1.241/8092:
 #0: ffff88802c114420 (sb_writers#12){.+.+}-{0:0}, at: mnt_want_write_file+0x61/0x200 fs/namespace.c:559
1 lock held by syz.2.274/8239:
 #0: ffff88807b344420 (sb_writers#12){.+.+}-{0:0}, at: mnt_want_write_file+0x61/0x200 fs/namespace.c:559
1 lock held by syz.4.422/8825:
2 locks held by syz.1.423/8831:

=============================================

NMI backtrace for cpu 1
CPU: 1 PID: 30 Comm: khungtaskd Not tainted 6.10.0-syzkaller-11185-g2c9b3512402e-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
 nmi_cpu_backtrace+0x49c/0x4d0 lib/nmi_backtrace.c:113
 nmi_trigger_cpumask_backtrace+0x198/0x320 lib/nmi_backtrace.c:62
 trigger_all_cpu_backtrace include/linux/nmi.h:162 [inline]
 check_hung_uninterruptible_tasks kernel/hung_task.c:223 [inline]
 watchdog+0xfde/0x1020 kernel/hung_task.c:379
 kthread+0x2f0/0x390 kernel/kthread.c:389
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 PID: 35 Comm: kworker/u8:2 Not tainted 6.10.0-syzkaller-11185-g2c9b3512402e-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
Workqueue: events_unbound cfg80211_wiphy_work
RIP: 0010:__sanitizer_cov_trace_const_cmp4+0x0/0x90 kernel/kcov.c:303
Code: 10 48 89 74 0a 18 4c 89 44 0a 20 c3 cc cc cc cc 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 <f3> 0f 1e fa 4c 8b 04 24 65 48 8b 14 25 40 d5 03 00 65 8b 05 30 8e
RSP: 0018:ffffc90000ab7838 EFLAGS: 00000246
RAX: 0000000000000000 RBX: 000000000000004c RCX: ffff88801b293c00
RDX: 0000000000000000 RSI: 000000000000004c RDI: 0000000000000024
RBP: ffffc90000ab7ae8 R08: 0000000000000005 R09: ffffffff8af5c942
R10: 0000000000000006 R11: ffff88801b293c00 R12: dffffc0000000000
R13: ffff8880428fccc0 R14: ffff88802b095e50 R15: 1ffff92000156f20
FS:  0000000000000000(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f834aa06000 CR3: 000000000e134000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <NMI>
 </NMI>
 <TASK>
 ieee80211_rx_mgmt_probe_beacon net/mac80211/ibss.c:1572 [inline]
 ieee80211_ibss_rx_queued_mgmt+0x3f3/0x2d70 net/mac80211/ibss.c:1606
 ieee80211_iface_process_skb net/mac80211/iface.c:1588 [inline]
 ieee80211_iface_work+0x8a5/0xf20 net/mac80211/iface.c:1642
 cfg80211_wiphy_work+0x2db/0x490 net/wireless/core.c:440
 process_one_work kernel/workqueue.c:3231 [inline]
 process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3312
 worker_thread+0x86d/0xd40 kernel/workqueue.c:3390
 kthread+0x2f0/0x390 kernel/kthread.c:389
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>


Tested on:

commit:         2c9b3512 Merge tag 'for-linus' of git://git.kernel.org..
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=101229f1980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f4925140c45a2a50
dashboard link: https://syzkaller.appspot.com/bug?extid=1a8e2b31f2ac9bd3d148
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1204adad980000

next      parent reply	other threads:[~2024-07-25  1:54 UTC|newest]

Thread overview: 17+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <20240725013244.474343-1-lizhi.xu@windriver.com>
2024-07-25  1:54 ` syzbot [this message]
     [not found] <20240725135334.4018863-1-lizhi.xu@windriver.com>
2024-07-25 14:30 ` [syzbot] [f2fs?] KASAN: null-ptr-deref Write in f2fs_stop_gc_thread syzbot
     [not found] <20240725131923.3802594-1-lizhi.xu@windriver.com>
2024-07-25 13:47 ` syzbot
     [not found] <20240725124919.3618893-1-lizhi.xu@windriver.com>
2024-07-25 13:06 ` syzbot
     [not found] <20240725080829.841010-1-lizhi.xu@windriver.com>
2024-07-25 12:27 ` syzbot
     [not found] <20240725072746.503703-1-lizhi.xu@windriver.com>
2024-07-25  8:04 ` syzbot
     [not found] <20240725050750.3007233-1-lizhi.xu@windriver.com>
2024-07-25  6:54 ` syzbot
     [not found] <20240725022132.965591-1-lizhi.xu@windriver.com>
2024-07-25  3:30 ` syzbot
2024-07-24 19:20 syzbot
2024-07-26 11:08 ` Edward Adam Davis
2024-07-26 17:02   ` syzbot
2024-07-27  2:08 ` Edward Adam Davis
2024-07-27  2:48   ` syzbot
2024-07-27  3:38 ` Edward Adam Davis
2024-07-27  4:01   ` syzbot
2024-07-27  4:07 ` Edward Adam Davis
2024-07-27  5:13   ` syzbot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=00000000000069b574061e08abd8@google.com \
    --to=syzbot+1a8e2b31f2ac9bd3d148@syzkaller.appspotmail.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=lizhi.xu@windriver.com \
    --cc=syzkaller-bugs@googlegroups.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.