From: syzbot <syzbot+aafb3f37cfeb6534c4ac@syzkaller.appspotmail.com>
To: hdanton@sina.com, linux-kernel@vger.kernel.org,
syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] WARNING in rmqueue
Date: Tue, 29 Nov 2022 09:08:33 -0800 [thread overview]
Message-ID: <000000000000b2d21905ee9f0944@google.com> (raw)
In-Reply-To: <000000000000ec75b005ee97fbaa@google.com>
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: unable to handle kernel paging request in z_erofs_decompress_queue
BUG: unable to handle page fault for address: fffff5210193fffa
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 23ffed067 P4D 23ffed067 PUD 0
Oops: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 48 Comm: kworker/u5:0 Not tainted 6.1.0-rc7-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Workqueue: erofs_unzipd z_erofs_decompressqueue_work
RIP: 0010:z_erofs_do_decompressed_bvec fs/erofs/zdata.c:896 [inline]
RIP: 0010:z_erofs_parse_out_bvecs fs/erofs/zdata.c:969 [inline]
RIP: 0010:z_erofs_decompress_pcluster fs/erofs/zdata.c:1056 [inline]
RIP: 0010:z_erofs_decompress_queue+0xad1/0x2c30 fs/erofs/zdata.c:1155
Code: a8 00 00 00 42 80 3c 20 00 74 0a 48 8b 7c 24 70 e8 d4 1c f6 fd 89 db 48 c1 e3 03 48 03 9c 24 40 03 00 00 49 89 de 49 c1 ee 03 <43> 80 3c 26 00 74 08 48 89 df e8 b0 1c f6 fd 48 83 3b 00 0f 84 bd
RSP: 0018:ffffc90000b97780 EFLAGS: 00010a06
RAX: 1ffff92000172f58 RBX: ffffc9080c9fffd0 RCX: 0000000000000000
RDX: ffff888018b2d7c0 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90000b97b90 R08: ffffffff83e894a8 R09: fffff52001940000
R10: fffffbfff23bc68d R11: 1ffffffff23bc68c R12: dffffc0000000000
R13: 00000000ffff9f00 R14: 1ffff9210193fffa R15: ffff8880717b71f0
FS: 0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffff5210193fffa CR3: 00000000277fc000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
z_erofs_decompressqueue_work+0x95/0xe0 fs/erofs/zdata.c:1167
process_one_work+0x877/0xdb0 kernel/workqueue.c:2289
worker_thread+0xb14/0x1330 kernel/workqueue.c:2436
kthread+0x266/0x300 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
</TASK>
Modules linked in:
CR2: fffff5210193fffa
---[ end trace 0000000000000000 ]---
RIP: 0010:z_erofs_do_decompressed_bvec fs/erofs/zdata.c:896 [inline]
RIP: 0010:z_erofs_parse_out_bvecs fs/erofs/zdata.c:969 [inline]
RIP: 0010:z_erofs_decompress_pcluster fs/erofs/zdata.c:1056 [inline]
RIP: 0010:z_erofs_decompress_queue+0xad1/0x2c30 fs/erofs/zdata.c:1155
Code: a8 00 00 00 42 80 3c 20 00 74 0a 48 8b 7c 24 70 e8 d4 1c f6 fd 89 db 48 c1 e3 03 48 03 9c 24 40 03 00 00 49 89 de 49 c1 ee 03 <43> 80 3c 26 00 74 08 48 89 df e8 b0 1c f6 fd 48 83 3b 00 0f 84 bd
RSP: 0018:ffffc90000b97780 EFLAGS: 00010a06
RAX: 1ffff92000172f58 RBX: ffffc9080c9fffd0 RCX: 0000000000000000
RDX: ffff888018b2d7c0 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90000b97b90 R08: ffffffff83e894a8 R09: fffff52001940000
R10: fffffbfff23bc68d R11: 1ffffffff23bc68c R12: dffffc0000000000
R13: 00000000ffff9f00 R14: 1ffff9210193fffa R15: ffff8880717b71f0
FS: 0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffff5210193fffa CR3: 00000000277fc000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: a8 00 test $0x0,%al
2: 00 00 add %al,(%rax)
4: 42 80 3c 20 00 cmpb $0x0,(%rax,%r12,1)
9: 74 0a je 0x15
b: 48 8b 7c 24 70 mov 0x70(%rsp),%rdi
10: e8 d4 1c f6 fd callq 0xfdf61ce9
15: 89 db mov %ebx,%ebx
17: 48 c1 e3 03 shl $0x3,%rbx
1b: 48 03 9c 24 40 03 00 add 0x340(%rsp),%rbx
22: 00
23: 49 89 de mov %rbx,%r14
26: 49 c1 ee 03 shr $0x3,%r14
* 2a: 43 80 3c 26 00 cmpb $0x0,(%r14,%r12,1) <-- trapping instruction
2f: 74 08 je 0x39
31: 48 89 df mov %rbx,%rdi
34: e8 b0 1c f6 fd callq 0xfdf61ce9
39: 48 83 3b 00 cmpq $0x0,(%rbx)
3d: 0f .byte 0xf
3e: 84 .byte 0x84
3f: bd .byte 0xbd
Tested on:
commit: b7b275e6 Linux 6.1-rc7
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=15bd42a7880000
kernel config: https://syzkaller.appspot.com/x/.config?x=2325e409a9a893e1
dashboard link: https://syzkaller.appspot.com/bug?extid=aafb3f37cfeb6534c4ac
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=11028fed880000
next prev parent reply other threads:[~2022-11-29 17:08 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-11-29 8:43 [syzbot] WARNING in rmqueue syzbot
2022-11-29 17:08 ` syzbot [this message]
2023-04-10 9:03 ` Gao Xiang
2023-04-10 9:26 ` [syzbot] [erofs?] " syzbot
2023-04-11 7:43 ` Gao Xiang
2023-04-11 7:45 ` syzbot
2023-04-11 7:45 ` Gao Xiang
2023-04-11 8:13 ` syzbot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=000000000000b2d21905ee9f0944@google.com \
--to=syzbot+aafb3f37cfeb6534c4ac@syzkaller.appspotmail.com \
--cc=hdanton@sina.com \
--cc=linux-kernel@vger.kernel.org \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.