From: syzbot <syzbot+1a8e2b31f2ac9bd3d148@syzkaller.appspotmail.com>
To: eadavis@qq.com, linux-kernel@vger.kernel.org,
syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [f2fs?] KASAN: null-ptr-deref Write in f2fs_stop_gc_thread
Date: Fri, 26 Jul 2024 22:13:02 -0700 [thread overview]
Message-ID: <000000000000a461e1061e33ae11@google.com> (raw)
In-Reply-To: <tencent_411BA74B731B5425C2BA5ABB2C33119EE808@qq.com>
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
INFO: task hung in f2fs_stop_gc_thread
INFO: task syz.1.294:8828 blocked for more than 143 seconds.
Not tainted 6.10.0-syzkaller-11185-g2c9b3512402e-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.1.294 state:D stack:23808 pid:8828 tgid:8827 ppid:5828 flags:0x00004004
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5188 [inline]
__schedule+0x17ae/0x4a10 kernel/sched/core.c:6529
__schedule_loop kernel/sched/core.c:6606 [inline]
schedule+0x14b/0x320 kernel/sched/core.c:6621
schedule_timeout+0xb0/0x310 kernel/time/timer.c:2557
do_wait_for_common kernel/sched/completion.c:95 [inline]
__wait_for_common kernel/sched/completion.c:116 [inline]
wait_for_common kernel/sched/completion.c:127 [inline]
wait_for_completion+0x355/0x620 kernel/sched/completion.c:148
kthread_stop+0x19e/0x630 kernel/kthread.c:710
f2fs_stop_gc_thread+0x65/0xb0 fs/f2fs/gc.c:210
f2fs_do_shutdown+0x258/0x550 fs/f2fs/file.c:2284
f2fs_ioc_shutdown fs/f2fs/file.c:2327 [inline]
__f2fs_ioctl+0x443a/0xbe60 fs/f2fs/file.c:4327
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f6582b75b59
RSP: 002b:00007f65825ff048 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f6582d05f60 RCX: 00007f6582b75b59
RDX: 0000000020000140 RSI: 000000008004587d RDI: 0000000000000005
RBP: 00007f6582be4e5d R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f6582d05f60 R15: 00007fff126c76c8
</TASK>
INFO: task syz.1.294:8849 blocked for more than 144 seconds.
Not tainted 6.10.0-syzkaller-11185-g2c9b3512402e-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.1.294 state:D stack:26464 pid:8849 tgid:8827 ppid:5828 flags:0x00000004
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5188 [inline]
__schedule+0x17ae/0x4a10 kernel/sched/core.c:6529
__schedule_loop kernel/sched/core.c:6606 [inline]
schedule+0x14b/0x320 kernel/sched/core.c:6621
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6678
rwsem_down_write_slowpath+0xeeb/0x13b0 kernel/locking/rwsem.c:1178
__down_write_common kernel/locking/rwsem.c:1306 [inline]
__down_write kernel/locking/rwsem.c:1315 [inline]
down_write+0x1d7/0x220 kernel/locking/rwsem.c:1580
vfs_cmd_reconfigure fs/fsopen.c:262 [inline]
vfs_fsconfig_locked fs/fsopen.c:292 [inline]
__do_sys_fsconfig fs/fsopen.c:473 [inline]
__se_sys_fsconfig+0xb64/0xf80 fs/fsopen.c:345
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f6582b75b59
RSP: 002b:00007f65825de048 EFLAGS: 00000246 ORIG_RAX: 00000000000001af
RAX: ffffffffffffffda RBX: 00007f6582d06038 RCX: 00007f6582b75b59
RDX: 0000000000000000 RSI: 0000000000000007 RDI: 0000000000000006
RBP: 00007f6582be4e5d R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f6582d06038 R15: 00007fff126c76c8
</TASK>
Showing all locks held in the system:
1 lock held by khungtaskd/30:
#0: ffffffff8e336e60 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:327 [inline]
#0: ffffffff8e336e60 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:839 [inline]
#0: ffffffff8e336e60 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x55/0x2a0 kernel/locking/lockdep.c:6620
3 locks held by kworker/u8:5/144:
2 locks held by getty/4844:
#0: ffff88802afe40a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x25/0x70 drivers/tty/tty_ldisc.c:243
#1: ffffc900031332f0 (&ldata->atomic_read_lock){+.+.}-{3:3}, at: n_tty_read+0x6b5/0x1e10 drivers/tty/n_tty.c:2211
2 locks held by syz.1.294/8828:
#0: ffff88801fb32420 (sb_writers#12){.+.+}-{0:0}, at: mnt_want_write_file+0x61/0x200 fs/namespace.c:559
#1: ffff88801fb320e0 (&type->s_umount_key#53){++++}-{3:3}, at: f2fs_do_shutdown+0x250/0x550 fs/f2fs/file.c:2283
2 locks held by syz.1.294/8849:
#0: ffff88807eccac70 (&fc->uapi_mutex){+.+.}-{3:3}, at: __do_sys_fsconfig fs/fsopen.c:471 [inline]
#0: ffff88807eccac70 (&fc->uapi_mutex){+.+.}-{3:3}, at: __se_sys_fsconfig+0x9a7/0xf80 fs/fsopen.c:345
#1: ffff88801fb320e0 (&type->s_umount_key#53){++++}-{3:3}, at: vfs_cmd_reconfigure fs/fsopen.c:262 [inline]
#1: ffff88801fb320e0 (&type->s_umount_key#53){++++}-{3:3}, at: vfs_fsconfig_locked fs/fsopen.c:292 [inline]
#1: ffff88801fb320e0 (&type->s_umount_key#53){++++}-{3:3}, at: __do_sys_fsconfig fs/fsopen.c:473 [inline]
#1: ffff88801fb320e0 (&type->s_umount_key#53){++++}-{3:3}, at: __se_sys_fsconfig+0xb64/0xf80 fs/fsopen.c:345
2 locks held by syz.4.517/10408:
#0: ffff88802a168420 (sb_writers#12){.+.+}-{0:0}, at: mnt_want_write_file+0x61/0x200 fs/namespace.c:559
#1: ffff88802a1680e0 (&type->s_umount_key#53){++++}-{3:3}, at: f2fs_do_shutdown+0x250/0x550 fs/f2fs/file.c:2283
2 locks held by syz.4.517/10432:
#0: ffff88801e248470 (&fc->uapi_mutex){+.+.}-{3:3}, at: __do_sys_fsconfig fs/fsopen.c:471 [inline]
#0: ffff88801e248470 (&fc->uapi_mutex){+.+.}-{3:3}, at: __se_sys_fsconfig+0x9a7/0xf80 fs/fsopen.c:345
#1: ffff88802a1680e0 (&type->s_umount_key#53){++++}-{3:3}, at: vfs_cmd_reconfigure fs/fsopen.c:262 [inline]
#1: ffff88802a1680e0 (&type->s_umount_key#53){++++}-{3:3}, at: vfs_fsconfig_locked fs/fsopen.c:292 [inline]
#1: ffff88802a1680e0 (&type->s_umount_key#53){++++}-{3:3}, at: __do_sys_fsconfig fs/fsopen.c:473 [inline]
#1: ffff88802a1680e0 (&type->s_umount_key#53){++++}-{3:3}, at: __se_sys_fsconfig+0xb64/0xf80 fs/fsopen.c:345
2 locks held by syz.2.560/10729:
#0: ffff88807866e420 (sb_writers#12){.+.+}-{0:0}, at: mnt_want_write_file+0x61/0x200 fs/namespace.c:559
#1: ffff88807866e0e0 (&type->s_umount_key#53){++++}-{3:3}, at: f2fs_do_shutdown+0x250/0x550 fs/f2fs/file.c:2283
2 locks held by syz.2.560/10730:
#0: ffff88801cfb5870 (&fc->uapi_mutex){+.+.}-{3:3}, at: __do_sys_fsconfig fs/fsopen.c:471 [inline]
#0: ffff88801cfb5870 (&fc->uapi_mutex){+.+.}-{3:3}, at: __se_sys_fsconfig+0x9a7/0xf80 fs/fsopen.c:345
#1: ffff88807866e0e0 (&type->s_umount_key#53){++++}-{3:3}, at: vfs_cmd_reconfigure fs/fsopen.c:262 [inline]
#1: ffff88807866e0e0 (&type->s_umount_key#53){++++}-{3:3}, at: vfs_fsconfig_locked fs/fsopen.c:292 [inline]
#1: ffff88807866e0e0 (&type->s_umount_key#53){++++}-{3:3}, at: __do_sys_fsconfig fs/fsopen.c:473 [inline]
#1: ffff88807866e0e0 (&type->s_umount_key#53){++++}-{3:3}, at: __se_sys_fsconfig+0xb64/0xf80 fs/fsopen.c:345
2 locks held by syz.3.637/11108:
2 locks held by syz.0.640/11110:
2 locks held by syz.2.643/11116:
=============================================
NMI backtrace for cpu 0
CPU: 0 PID: 30 Comm: khungtaskd Not tainted 6.10.0-syzkaller-11185-g2c9b3512402e-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
nmi_cpu_backtrace+0x49c/0x4d0 lib/nmi_backtrace.c:113
nmi_trigger_cpumask_backtrace+0x198/0x320 lib/nmi_backtrace.c:62
trigger_all_cpu_backtrace include/linux/nmi.h:162 [inline]
check_hung_uninterruptible_tasks kernel/hung_task.c:223 [inline]
watchdog+0xfde/0x1020 kernel/hung_task.c:379
kthread+0x2f0/0x390 kernel/kthread.c:389
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 PID: 12 Comm: kworker/u8:1 Not tainted 6.10.0-syzkaller-11185-g2c9b3512402e-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
Workqueue: events_unbound cfg80211_wiphy_work
RIP: 0010:get_current arch/x86/include/asm/current.h:49 [inline]
RIP: 0010:__sanitizer_cov_trace_pc+0x8/0x70 kernel/kcov.c:206
Code: 8b 3d 4c 70 4a 0c 48 89 de 5b e9 73 7c 57 00 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 48 8b 04 24 <65> 48 8b 0c 25 40 d5 03 00 65 8b 15 70 92 70 7e f7 c2 00 01 ff 00
RSP: 0018:ffffc90000117790 EFLAGS: 00000297
RAX: ffffffff8b03874a RBX: 0000000000000008 RCX: ffff8880172bda00
RDX: 0000000000000000 RSI: 0000000000000008 RDI: 0000000000000002
RBP: 0000000000000014 R08: ffffffff8b03873b R09: 1ffffffff1f5d135
R10: dffffc0000000000 R11: fffffbfff1f5d136 R12: dffffc0000000000
R13: 0000000000000008 R14: ffff88807e0c30d0 R15: 0000000000000002
FS: 0000000000000000(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f1c7a489000 CR3: 000000001f196000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<NMI>
</NMI>
<TASK>
ieee80211_sta_get_rates+0x20a/0x660 net/mac80211/util.c:1540
ieee80211_update_sta_info net/mac80211/ibss.c:989 [inline]
ieee80211_rx_bss_info net/mac80211/ibss.c:1098 [inline]
ieee80211_rx_mgmt_probe_beacon net/mac80211/ibss.c:1579 [inline]
ieee80211_ibss_rx_queued_mgmt+0x11e1/0x2d70 net/mac80211/ibss.c:1606
ieee80211_iface_process_skb net/mac80211/iface.c:1588 [inline]
ieee80211_iface_work+0x8a5/0xf20 net/mac80211/iface.c:1642
cfg80211_wiphy_work+0x2db/0x490 net/wireless/core.c:440
process_one_work kernel/workqueue.c:3231 [inline]
process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3312
worker_thread+0x86d/0xd40 kernel/workqueue.c:3390
kthread+0x2f0/0x390 kernel/kthread.c:389
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
Tested on:
commit: 2c9b3512 Merge tag 'for-linus' of git://git.kernel.org..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=14b2bea1980000
kernel config: https://syzkaller.appspot.com/x/.config?x=f4925140c45a2a50
dashboard link: https://syzkaller.appspot.com/bug?extid=1a8e2b31f2ac9bd3d148
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=146ecebd980000
next prev parent reply other threads:[~2024-07-27 5:13 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-07-24 19:20 [f2fs-dev] [syzbot] [f2fs?] KASAN: null-ptr-deref Write in f2fs_stop_gc_thread syzbot
2024-07-24 19:20 ` syzbot
2024-07-25 1:32 ` [syzbot] " syzbot
2024-07-25 2:21 ` syzbot
2024-07-25 5:08 ` syzbot
2024-07-25 7:27 ` syzbot
2024-07-25 8:08 ` syzbot
2024-07-25 12:49 ` syzbot
2024-07-25 13:19 ` syzbot
2024-07-25 13:53 ` syzbot
2024-07-26 11:08 ` Edward Adam Davis
2024-07-26 17:02 ` syzbot
2024-07-27 2:08 ` Edward Adam Davis
2024-07-27 2:48 ` syzbot
2024-07-27 3:38 ` Edward Adam Davis
2024-07-27 4:01 ` syzbot
2024-07-27 4:07 ` Edward Adam Davis
2024-07-27 5:13 ` syzbot [this message]
2024-07-27 5:56 ` [f2fs-dev] [PATCH] f2fs: Add mutex to prevent gc task from being accessed before initialization Edward Adam Davis via Linux-f2fs-devel
2024-07-27 5:56 ` Edward Adam Davis
[not found] <20240725013244.474343-1-lizhi.xu@windriver.com>
2024-07-25 1:54 ` [syzbot] [f2fs?] KASAN: null-ptr-deref Write in f2fs_stop_gc_thread syzbot
[not found] <20240725022132.965591-1-lizhi.xu@windriver.com>
2024-07-25 3:30 ` syzbot
[not found] <20240725050750.3007233-1-lizhi.xu@windriver.com>
2024-07-25 6:54 ` syzbot
[not found] <20240725072746.503703-1-lizhi.xu@windriver.com>
2024-07-25 8:04 ` syzbot
[not found] <20240725080829.841010-1-lizhi.xu@windriver.com>
2024-07-25 12:27 ` syzbot
[not found] <20240725124919.3618893-1-lizhi.xu@windriver.com>
2024-07-25 13:06 ` syzbot
[not found] <20240725131923.3802594-1-lizhi.xu@windriver.com>
2024-07-25 13:47 ` syzbot
[not found] <20240725135334.4018863-1-lizhi.xu@windriver.com>
2024-07-25 14:30 ` syzbot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=000000000000a461e1061e33ae11@google.com \
--to=syzbot+1a8e2b31f2ac9bd3d148@syzkaller.appspotmail.com \
--cc=eadavis@qq.com \
--cc=linux-kernel@vger.kernel.org \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.