From: syzbot <syzbot+cdee56dbcdf0096ef605@syzkaller.appspotmail.com>
To: adilger.kernel@dilger.ca, chandan.babu@oracle.com, jack@suse.com,
	 linux-ext4@vger.kernel.org, linux-fsdevel@vger.kernel.org,
	 linux-kernel@vger.kernel.org, linux-xfs@vger.kernel.org,
	 syzkaller-bugs@googlegroups.com, tytso@mit.edu
Subject: Re: [syzbot] [xfs?] [ext4?] general protection fault in jbd2__journal_start
Date: Tue, 30 Jan 2024 06:52:21 -0800	[thread overview]
Message-ID: <000000000000d6e06d06102ae80b@google.com> (raw)
In-Reply-To: <000000000000e98460060fd59831@google.com>

syzbot has found a reproducer for the following issue on:

HEAD commit:    861c0981648f Merge tag 'jfs-6.8-rc3' of github.com:kleikam..
git tree:       upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=13ca8d97e80000
kernel config:  https://syzkaller.appspot.com/x/.config?x=b0b9993d7d6d1990
dashboard link: https://syzkaller.appspot.com/bug?extid=cdee56dbcdf0096ef605
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=104393efe80000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1393b90fe80000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/7c6cc521298d/disk-861c0981.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/6203c94955db/vmlinux-861c0981.xz
kernel image: https://storage.googleapis.com/syzbot-assets/17e76e12b58c/bzImage-861c0981.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/d31d4eed2912/mount_3.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+cdee56dbcdf0096ef605@syzkaller.appspotmail.com

general protection fault, probably for non-canonical address 0xdffffc000a8a4829: 0000 [#1] PREEMPT SMP KASAN
KASAN: probably user-memory-access in range [0x0000000054524148-0x000000005452414f]
CPU: 1 PID: 5065 Comm: syz-executor260 Not tainted 6.8.0-rc2-syzkaller-00031-g861c0981648f #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
RIP: 0010:jbd2__journal_start+0x87/0x5d0 fs/jbd2/transaction.c:496
Code: 74 63 48 8b 1b 48 85 db 74 79 48 89 d8 48 c1 e8 03 42 80 3c 28 00 74 08 48 89 df e8 63 4d 8f ff 48 8b 2b 48 89 e8 48 c1 e8 03 <42> 80 3c 28 00 74 08 48 89 ef e8 4a 4d 8f ff 4c 39 65 00 0f 85 1a
RSP: 0018:ffffc900043265c8 EFLAGS: 00010203
RAX: 000000000a8a4829 RBX: ffff8880205fa3a8 RCX: ffff8880235dbb80
RDX: 0000000000000000 RSI: 0000000000000002 RDI: ffff88801c1a6000
RBP: 000000005452414e R08: 0000000000000c40 R09: 0000000000000001
R10: dffffc0000000000 R11: ffffed1003834871 R12: ffff88801c1a6000
R13: dffffc0000000000 R14: 0000000000000c40 R15: 0000000000000002
FS:  0000555556f90380(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020020000 CR3: 0000000021fed000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 __ext4_journal_start_sb+0x215/0x5b0 fs/ext4/ext4_jbd2.c:112
 __ext4_journal_start fs/ext4/ext4_jbd2.h:326 [inline]
 ext4_dirty_inode+0x92/0x110 fs/ext4/inode.c:5969
 __mark_inode_dirty+0x305/0xda0 fs/fs-writeback.c:2452
 generic_update_time fs/inode.c:1905 [inline]
 inode_update_time fs/inode.c:1918 [inline]
 __file_update_time fs/inode.c:2106 [inline]
 file_update_time+0x39b/0x3e0 fs/inode.c:2136
 ext4_page_mkwrite+0x207/0xdf0 fs/ext4/inode.c:6090
 do_page_mkwrite+0x197/0x470 mm/memory.c:2966
 wp_page_shared mm/memory.c:3353 [inline]
 do_wp_page+0x20e3/0x4c80 mm/memory.c:3493
 handle_pte_fault mm/memory.c:5160 [inline]
 __handle_mm_fault+0x26a3/0x72b0 mm/memory.c:5285
 handle_mm_fault+0x27e/0x770 mm/memory.c:5450
 do_user_addr_fault arch/x86/mm/fault.c:1415 [inline]
 handle_page_fault arch/x86/mm/fault.c:1507 [inline]
 exc_page_fault+0x2ad/0x870 arch/x86/mm/fault.c:1563
 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:570
RIP: 0010:rep_movs_alternative+0x4a/0x70 arch/x86/lib/copy_user_64.S:71
Code: 75 f1 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 8b 06 48 89 07 48 83 c6 08 48 83 c7 08 83 e9 08 74 df 83 f9 08 73 e8 eb c9 <f3> a4 c3 48 89 c8 48 c1 e9 03 83 e0 07 f3 48 a5 89 c1 85 c9 75 b3
RSP: 0018:ffffc900043270f8 EFLAGS: 00050202
RAX: ffffffff848cda01 RBX: 0000000020020040 RCX: 0000000000000040
RDX: 0000000000000000 RSI: ffff8880131873b0 RDI: 0000000020020000
RBP: 1ffff92000864f26 R08: ffff8880131873ef R09: 1ffff11002630e7d
R10: dffffc0000000000 R11: ffffed1002630e7e R12: 00000000000000c0
R13: dffffc0000000000 R14: 000000002001ff80 R15: ffff888013187330
 copy_user_generic arch/x86/include/asm/uaccess_64.h:112 [inline]
 raw_copy_to_user arch/x86/include/asm/uaccess_64.h:133 [inline]
 _copy_to_user+0x86/0xa0 lib/usercopy.c:41
 copy_to_user include/linux/uaccess.h:191 [inline]
 xfs_bulkstat_fmt+0x4f/0x120 fs/xfs/xfs_ioctl.c:744
 xfs_bulkstat_one_int+0xd8b/0x12e0 fs/xfs/xfs_itable.c:161
 xfs_bulkstat_iwalk+0x72/0xb0 fs/xfs/xfs_itable.c:239
 xfs_iwalk_ag_recs+0x4c3/0x820 fs/xfs/xfs_iwalk.c:220
 xfs_iwalk_run_callbacks+0x25b/0x490 fs/xfs/xfs_iwalk.c:376
 xfs_iwalk_ag+0xad6/0xbd0 fs/xfs/xfs_iwalk.c:482
 xfs_iwalk+0x360/0x6f0 fs/xfs/xfs_iwalk.c:584
 xfs_bulkstat+0x4f8/0x6c0 fs/xfs/xfs_itable.c:308
 xfs_ioc_bulkstat+0x3d0/0x450 fs/xfs/xfs_ioctl.c:867
 xfs_file_ioctl+0x6a5/0x1980 fs/xfs/xfs_ioctl.c:1994
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:871 [inline]
 __se_sys_ioctl+0xf8/0x170 fs/ioctl.c:857
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf5/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f02d4018b59
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffdbe0deb98 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0030656c69662f2e RCX: 00007f02d4018b59
RDX: 000000002001fc40 RSI: 000000008040587f RDI: 0000000000000004
RBP: 00000000000116e3 R08: 0000000000000000 R09: 0000555556f914c0
R10: 0000000020000300 R11: 0000000000000246 R12: 00007ffdbe0debc0
R13: 00007ffdbe0debac R14: 431bde82d7b634db R15: 00007f02d406103b
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:jbd2__journal_start+0x87/0x5d0 fs/jbd2/transaction.c:496
Code: 74 63 48 8b 1b 48 85 db 74 79 48 89 d8 48 c1 e8 03 42 80 3c 28 00 74 08 48 89 df e8 63 4d 8f ff 48 8b 2b 48 89 e8 48 c1 e8 03 <42> 80 3c 28 00 74 08 48 89 ef e8 4a 4d 8f ff 4c 39 65 00 0f 85 1a
RSP: 0018:ffffc900043265c8 EFLAGS: 00010203
RAX: 000000000a8a4829 RBX: ffff8880205fa3a8 RCX: ffff8880235dbb80
RDX: 0000000000000000 RSI: 0000000000000002 RDI: ffff88801c1a6000
RBP: 000000005452414e R08: 0000000000000c40 R09: 0000000000000001
R10: dffffc0000000000 R11: ffffed1003834871 R12: ffff88801c1a6000
R13: dffffc0000000000 R14: 0000000000000c40 R15: 0000000000000002
FS:  0000555556f90380(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020020000 CR3: 0000000021fed000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	74 63                	je     0x65
   2:	48 8b 1b             	mov    (%rbx),%rbx
   5:	48 85 db             	test   %rbx,%rbx
   8:	74 79                	je     0x83
   a:	48 89 d8             	mov    %rbx,%rax
   d:	48 c1 e8 03          	shr    $0x3,%rax
  11:	42 80 3c 28 00       	cmpb   $0x0,(%rax,%r13,1)
  16:	74 08                	je     0x20
  18:	48 89 df             	mov    %rbx,%rdi
  1b:	e8 63 4d 8f ff       	call   0xff8f4d83
  20:	48 8b 2b             	mov    (%rbx),%rbp
  23:	48 89 e8             	mov    %rbp,%rax
  26:	48 c1 e8 03          	shr    $0x3,%rax
* 2a:	42 80 3c 28 00       	cmpb   $0x0,(%rax,%r13,1) <-- trapping instruction
  2f:	74 08                	je     0x39
  31:	48 89 ef             	mov    %rbp,%rdi
  34:	e8 4a 4d 8f ff       	call   0xff8f4d83
  39:	4c 39 65 00          	cmp    %r12,0x0(%rbp)
  3d:	0f                   	.byte 0xf
  3e:	85 1a                	test   %ebx,(%rdx)


---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.


Thread overview: 14+ messages
2024-01-26  9:05 [syzbot] [ext4?] general protection fault in jbd2__journal_start syzbot
2024-01-30 14:52 ` syzbot [this message]
2024-01-30 23:37   ` current->journal_info got nested! (was Re: [syzbot] [xfs?] [ext4?] general protection fault in jbd2__journal_start) Dave Chinner
2024-01-31  3:46     ` Darrick J. Wong
2024-01-31  4:58     ` Theodore Ts'o
2024-01-31  5:20       ` Matthew Wilcox
2024-01-31  5:47         ` Christoph Hellwig
2024-01-31  6:02         ` Dave Chinner
2024-01-31  6:17           ` Christoph Hellwig
2024-01-31 12:02     ` Jan Kara
2024-01-31  7:40   ` [syzbot] [xfs?] [ext4?] general protection fault in jbd2__journal_start Edward Adam Davis
2024-01-31 11:17     ` syzbot
2024-01-31 12:04   ` [PATCH] jbd2: user-memory-access " Edward Adam Davis
2024-01-31 15:41     ` Jan Kara
