From: syzbot <syzbot+ef054c4d3f64cd7f7cec@syzkaller.appspotmail.com>
To: dvyukov@google.com, ebiederm@xmission.com, ktkhai@virtuozzo.com,
linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
miklos@szeredi.hu, mszeredi@redhat.com,
syzkaller-bugs@googlegroups.com
Subject: Re: WARNING in request_end
Date: Sat, 23 Mar 2019 13:16:00 -0700
Message-ID: <000000000000d9f9ac0584c8a309@google.com>
In-Reply-To: <CAOssrKcsXPqH-s-YLYdao3REpD=iQAeX9UvasB3n6RK84PuP=Q@mail.gmail.com>
Hello,
syzbot has tested the proposed patch, but the reproducer still triggered a
crash:
WARNING in request_end
WARNING: CPU: 0 PID: 16992 at fs/fuse/dev.c:390 request_end+0x836/0xac0
fs/fuse/dev.c:390
kobject: '0:49' (000000001562c524): kobject_uevent_env
Kernel panic - not syncing: panic_on_warn set ...
CPU: 0 PID: 16992 Comm: syz-executor3 Not tainted 4.19.0-rc5+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1db/0x2ce lib/dump_stack.c:113
panic+0x263/0x51a kernel/panic.c:184
kobject: 'loop5' (0000000073db98f3): kobject_uevent_env
__warn.cold+0x13b/0x1ba kernel/panic.c:536
report_bug+0x263/0x2b0 lib/bug.c:186
kobject: 'loop5' (0000000073db98f3): fill_kobj_path: path
= '/devices/virtual/block/loop5'
fixup_bug arch/x86/kernel/traps.c:178 [inline]
fixup_bug arch/x86/kernel/traps.c:173 [inline]
do_error_trap+0x200/0x4e0 arch/x86/kernel/traps.c:296
kobject: '0:49' (000000001562c524): fill_kobj_path: path
= '/devices/virtual/bdi/0:49'
do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:316
invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:993
kobject: '0:49' (000000001562c524): kobject_cleanup, parent (null)
RIP: 0010:request_end+0x836/0xac0 fs/fuse/dev.c:390
Code: 3c 03 0f 8f 7d fe ff ff 48 8b bd 30 ff ff ff e8 b0 b4 3b ff e9 6c fe
ff ff e8 a6 ad f8 fe 0f 0b e9 be fa ff ff e8 9a ad f8 fe <0f> 0b e9 fc fa
ff ff e8 4e c7 c2 fe e8 a9 b4 3b ff e9 6a fb ff ff
RSP: 0018:ffff8801c099f5a8 EFLAGS: 00010293
RAX: ffff8801be90e040 RBX: 1ffff10038133eba RCX: ffffffff82858ce9
RDX: 0000000000000000 RSI: ffffffff828591f6 RDI: 0000000000000007
RBP: ffff8801c099f698 R08: ffff8801be90e040 R09: ffffed0037bc2c18
R10: ffffed0037bc2c17 R11: ffff8801bde160bb R12: ffff8801a5ca9800
R13: ffff8801bde16040 R14: ffff8801c099f670 R15: ffff8801a5ca9830
kobject: '0:49' (000000001562c524): calling ktype release
fuse_dev_do_write+0x1888/0x3730 fs/fuse/dev.c:1917
kobject: '0:49': free name
kobject: '0:49' (000000005b47baa2): kobject_add_internal: parent: 'bdi',
set: 'devices'
kobject: '0:49' (000000005b47baa2): kobject_uevent_env
fuse_dev_write+0x191/0x240 fs/fuse/dev.c:1941
kobject: '0:49' (000000005b47baa2): fill_kobj_path: path
= '/devices/virtual/bdi/0:49'
call_write_iter include/linux/fs.h:1808 [inline]
new_sync_write fs/read_write.c:474 [inline]
__vfs_write+0x6e5/0xa80 fs/read_write.c:487
kobject: '0:56' (00000000a2a816b6): kobject_add_internal: parent: 'bdi',
set: 'devices'
kobject: '0:56' (00000000a2a816b6): kobject_uevent_env
vfs_write+0x20c/0x560 fs/read_write.c:549
ksys_write+0x105/0x260 fs/read_write.c:598
kobject: '0:56' (00000000a2a816b6): fill_kobj_path: path
= '/devices/virtual/bdi/0:56'
__do_sys_write fs/read_write.c:610 [inline]
__se_sys_write fs/read_write.c:607 [inline]
__ia32_sys_write+0x71/0xb0 fs/read_write.c:607
do_syscall_32_irqs_on arch/x86/entry/common.c:326 [inline]
do_fast_syscall_32+0x333/0xf98 arch/x86/entry/common.c:397
kobject: '0:57' (000000002c3163ad): kobject_add_internal: parent: 'bdi',
set: 'devices'
kobject: '0:57' (000000002c3163ad): kobject_uevent_env
entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139
RIP: 0023:0xf7fa0cb9
Code: 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 0c 24 c3 8b 1c 24 c3 90 90
90 90 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90
90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
RSP: 002b:00000000f7f5a0cc EFLAGS: 00000296 ORIG_RAX: 0000000000000004
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000200002c0
RDX: 0000000000000050 RSI: 0000000000000000 RDI: 0000000000000000
kobject: '0:57' (000000002c3163ad): fill_kobj_path: path
= '/devices/virtual/bdi/0:57'
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
Kernel Offset: disabled
Rebooting in 86400 seconds..
Tested on:
commit: bc78abbd fuse: Fix use-after-free in fuse_dev_do_read()
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=175a556d200000
kernel config: https://syzkaller.appspot.com/x/.config?x=eb49a17588446b34
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
userspace arch: i386