From: syzbot <syzbot+cdee56dbcdf0096ef605@syzkaller.appspotmail.com>
To: adilger.kernel@dilger.ca, jack@suse.com,
	linux-ext4@vger.kernel.org,  linux-fsdevel@vger.kernel.org,
	linux-kernel@vger.kernel.org,  syzkaller-bugs@googlegroups.com,
	tytso@mit.edu
Subject: [syzbot] [ext4?] general protection fault in jbd2__journal_start
Date: Fri, 26 Jan 2024 01:05:28 -0800
Message-ID: <000000000000e98460060fd59831@google.com>

Hello,

syzbot found the following issue on:

HEAD commit:    7a396820222d Merge tag 'v6.8-rc-part2-smb-client' of git:/..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15fca78fe80000
kernel config:  https://syzkaller.appspot.com/x/.config?x=7059b09d0488022
dashboard link: https://syzkaller.appspot.com/bug?extid=cdee56dbcdf0096ef605
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/da73c2c8f5fe/disk-7a396820.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/10d2d2be8831/vmlinux-7a396820.xz
kernel image: https://storage.googleapis.com/syzbot-assets/939406fd4919/bzImage-7a396820.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+cdee56dbcdf0096ef605@syzkaller.appspotmail.com

general protection fault, probably for non-canonical address 0xdffffc000a8a4829: 0000 [#1] PREEMPT SMP KASAN
KASAN: probably user-memory-access in range [0x0000000054524148-0x000000005452414f]
CPU: 0 PID: 3394 Comm: syz-executor.5 Not tainted 6.7.0-syzkaller-12991-g7a396820222d #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
RIP: 0010:jbd2__journal_start+0x87/0x5d0 fs/jbd2/transaction.c:496
Code: 74 63 48 8b 1b 48 85 db 74 79 48 89 d8 48 c1 e8 03 42 80 3c 28 00 74 08 48 89 df e8 23 46 8f ff 48 8b 2b 48 89 e8 48 c1 e8 03 <42> 80 3c 28 00 74 08 48 89 ef e8 0a 46 8f ff 4c 39 65 00 0f 85 1a
RSP: 0018:ffffc900154d65c8 EFLAGS: 00010203
RAX: 000000000a8a4829 RBX: ffff8880234e7618 RCX: 0000000000040000
RDX: ffffc9000a3a1000 RSI: 000000000000195c RDI: 000000000000195d
RBP: 000000005452414e R08: 0000000000000c40 R09: 0000000000000001
R10: dffffc0000000000 R11: ffffed1005541071 R12: ffff88802aa0a000
R13: dffffc0000000000 R14: 0000000000000c40 R15: 0000000000000002
FS:  00007fbf47a2a6c0(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020020000 CR3: 0000000030c1a000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 __ext4_journal_start_sb+0x215/0x5b0 fs/ext4/ext4_jbd2.c:112
 __ext4_journal_start fs/ext4/ext4_jbd2.h:326 [inline]
 ext4_dirty_inode+0x92/0x110 fs/ext4/inode.c:5969
 __mark_inode_dirty+0x305/0xda0 fs/fs-writeback.c:2452
 generic_update_time fs/inode.c:1905 [inline]
 inode_update_time fs/inode.c:1918 [inline]
 __file_update_time fs/inode.c:2106 [inline]
 file_update_time+0x39b/0x3e0 fs/inode.c:2136
 ext4_page_mkwrite+0x207/0xdf0 fs/ext4/inode.c:6090
 do_page_mkwrite+0x197/0x470 mm/memory.c:2966
 wp_page_shared mm/memory.c:3353 [inline]
 do_wp_page+0x20e3/0x4c80 mm/memory.c:3493
 handle_pte_fault mm/memory.c:5160 [inline]
 __handle_mm_fault+0x26a3/0x72b0 mm/memory.c:5285
 handle_mm_fault+0x27e/0x770 mm/memory.c:5450
 do_user_addr_fault arch/x86/mm/fault.c:1415 [inline]
 handle_page_fault arch/x86/mm/fault.c:1507 [inline]
 exc_page_fault+0x2ad/0x870 arch/x86/mm/fault.c:1563
 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:570
RIP: 0010:rep_movs_alternative+0x4a/0x70 arch/x86/lib/copy_user_64.S:71
Code: 75 f1 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 8b 06 48 89 07 48 83 c6 08 48 83 c7 08 83 e9 08 74 df 83 f9 08 73 e8 eb c9 <f3> a4 c3 48 89 c8 48 c1 e9 03 83 e0 07 f3 48 a5 89 c1 85 c9 75 b3
RSP: 0018:ffffc900154d70f8 EFLAGS: 00050202
RAX: ffffffff848bfd01 RBX: 0000000020020040 RCX: 0000000000000040
RDX: 0000000000000000 RSI: ffff88802cded190 RDI: 0000000020020000
RBP: 1ffff92002a9af26 R08: ffff88802cded1cf R09: 1ffff110059bda39
R10: dffffc0000000000 R11: ffffed10059bda3a R12: 00000000000000c0
R13: dffffc0000000000 R14: 000000002001ff80 R15: ffff88802cded110
 copy_user_generic arch/x86/include/asm/uaccess_64.h:112 [inline]
 raw_copy_to_user arch/x86/include/asm/uaccess_64.h:133 [inline]
 _copy_to_user+0x86/0xa0 lib/usercopy.c:41
 copy_to_user include/linux/uaccess.h:191 [inline]
 xfs_bulkstat_fmt+0x4f/0x120 fs/xfs/xfs_ioctl.c:744
 xfs_bulkstat_one_int+0xd8b/0x12e0 fs/xfs/xfs_itable.c:161
 xfs_bulkstat_iwalk+0x72/0xb0 fs/xfs/xfs_itable.c:239
 xfs_iwalk_ag_recs+0x4c3/0x820 fs/xfs/xfs_iwalk.c:220
 xfs_iwalk_run_callbacks+0x25b/0x490 fs/xfs/xfs_iwalk.c:376
 xfs_iwalk_ag+0xad6/0xbd0 fs/xfs/xfs_iwalk.c:482
 xfs_iwalk+0x360/0x6f0 fs/xfs/xfs_iwalk.c:584
 xfs_bulkstat+0x4f8/0x6c0 fs/xfs/xfs_itable.c:308
 xfs_ioc_bulkstat+0x3d0/0x450 fs/xfs/xfs_ioctl.c:867
 xfs_file_ioctl+0x6a5/0x1980 fs/xfs/xfs_ioctl.c:1994
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:871 [inline]
 __se_sys_ioctl+0xf8/0x170 fs/ioctl.c:857
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf5/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7fbf46c7cda9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fbf47a2a0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fbf46dabf80 RCX: 00007fbf46c7cda9
RDX: 000000002001fc40 RSI: 000000008040587f RDI: 0000000000000006
RBP: 00007fbf46cc947a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007fbf46dabf80 R15: 00007ffee39fcd08
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:jbd2__journal_start+0x87/0x5d0 fs/jbd2/transaction.c:496
Code: 74 63 48 8b 1b 48 85 db 74 79 48 89 d8 48 c1 e8 03 42 80 3c 28 00 74 08 48 89 df e8 23 46 8f ff 48 8b 2b 48 89 e8 48 c1 e8 03 <42> 80 3c 28 00 74 08 48 89 ef e8 0a 46 8f ff 4c 39 65 00 0f 85 1a
RSP: 0018:ffffc900154d65c8 EFLAGS: 00010203
RAX: 000000000a8a4829 RBX: ffff8880234e7618 RCX: 0000000000040000
RDX: ffffc9000a3a1000 RSI: 000000000000195c RDI: 000000000000195d
RBP: 000000005452414e R08: 0000000000000c40 R09: 0000000000000001
R10: dffffc0000000000 R11: ffffed1005541071 R12: ffff88802aa0a000
R13: dffffc0000000000 R14: 0000000000000c40 R15: 0000000000000002
FS:  00007fbf47a2a6c0(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020020000 CR3: 0000000030c1a000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	74 63                	je     0x65
   2:	48 8b 1b             	mov    (%rbx),%rbx
   5:	48 85 db             	test   %rbx,%rbx
   8:	74 79                	je     0x83
   a:	48 89 d8             	mov    %rbx,%rax
   d:	48 c1 e8 03          	shr    $0x3,%rax
  11:	42 80 3c 28 00       	cmpb   $0x0,(%rax,%r13,1)
  16:	74 08                	je     0x20
  18:	48 89 df             	mov    %rbx,%rdi
  1b:	e8 23 46 8f ff       	call   0xff8f4643
  20:	48 8b 2b             	mov    (%rbx),%rbp
  23:	48 89 e8             	mov    %rbp,%rax
  26:	48 c1 e8 03          	shr    $0x3,%rax
* 2a:	42 80 3c 28 00       	cmpb   $0x0,(%rax,%r13,1) <-- trapping instruction
  2f:	74 08                	je     0x39
  31:	48 89 ef             	mov    %rbp,%rdi
  34:	e8 0a 46 8f ff       	call   0xff8f4643
  39:	4c 39 65 00          	cmp    %r12,0x0(%rbp)
  3d:	0f                   	.byte 0xf
  3e:	85 1a                	test   %ebx,(%rdx)


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite the report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup
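A user-space C decode of the fault shown in the register dump above, added here as a worked example; it is not part of the syzbot report and is not kernel, ext4, jbd2 or XFS code. In the "Code disassembly" the trapping instruction, cmpb $0x0,(%rax,%r13,1), is KASAN's shadow probe of the value just loaded into %rbp by mov (%rbx),%rbp, i.e. handle->h_transaction, the first member of jbd2's handle_t; %rbp holds 0x5452414e. The example checks that this value maps exactly to the reported shadow address 0xdffffc000a8a4829 and the reported range [0x54524148-0x5452414f], and that its low 32 bits spell "TRAN", the value of XFS_TRANS_HEADER_MAGIC that sits at offset 0 of struct xfs_trans, which is what jbd2 reads when current->journal_info holds an XFS transaction rather than a jbd2 handle (the follow-up in this thread, "current->journal_info got nested!", names that condition). Assumptions, labelled in the code: the x86-64 generic-KASAN constants (shadow offset 0xdffffc0000000000, 8-byte granules), little-endian layout, a zero t_log_res matching the zero upper half of %rbp, and the model_-prefixed structs, which are stand-ins for the kernel's and not its definitions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* x86-64 generic-mode KASAN constants (assumed from the kernel, not stated in the report). */
#define KASAN_SHADOW_OFFSET      0xdffffc0000000000ULL
#define KASAN_SHADOW_SCALE_SHIFT 3

/* XFS_TRANS_HEADER_MAGIC from fs/xfs/libxfs/xfs_log_format.h: ASCII "TRAN". */
#define XFS_TRANS_HEADER_MAGIC   0x5452414eU

/* Forward mapping performed by the trapping instruction: shadow = (addr >> 3) + %r13. */
static uint64_t kasan_mem_to_shadow(uint64_t addr)
{
    return (addr >> KASAN_SHADOW_SCALE_SHIFT) + KASAN_SHADOW_OFFSET;
}

/* Inverse mapping: recovers the 8-byte granule whose shadow byte was probed. */
static uint64_t kasan_shadow_to_mem(uint64_t shadow)
{
    return (shadow - KASAN_SHADOW_OFFSET) << KASAN_SHADOW_SCALE_SHIFT;
}

/* Stand-in for struct xfs_trans: t_magic is its first member, t_log_res its second. */
struct model_xfs_trans {
    uint32_t t_magic;
    uint32_t t_log_res;
};

/* Stand-in for the per-task slot that both journals use: current->journal_info. */
struct model_task {
    void *journal_info;
};

/*
 * What jbd2__journal_start() does on a re-entrant call: it takes the handle_t
 * it expects at current->journal_info and reads h_transaction, the first
 * member of handle_t. memcpy keeps the reinterpretation well-defined here;
 * the kernel dereferences the pointer directly.
 */
static uint64_t jbd2_reads_h_transaction(const struct model_task *current)
{
    uint64_t h_transaction;
    memcpy(&h_transaction, current->journal_info, sizeof h_transaction);
    return h_transaction;
}

/*
 * Models the nesting: XFS parks its transaction in journal_info (t_log_res == 0
 * is an assumption matching the zero upper half of %rbp), then an ext4
 * page_mkwrite on the same task asks jbd2 for a handle. Little-endian
 * (x86-64) layout is assumed for the 64-bit read.
 */
static uint64_t nested_journal_info_value(void)
{
    struct model_xfs_trans tp = { .t_magic = XFS_TRANS_HEADER_MAGIC, .t_log_res = 0 };
    struct model_task task = { .journal_info = &tp };
    return jbd2_reads_h_transaction(&task);
}

/* Spells a 32-bit magic as the four ASCII bytes it encodes, most significant byte first. */
static void magic_to_ascii(uint32_t magic, char out[5])
{
    for (int i = 0; i < 4; i++)
        out[i] = (char)((magic >> (8 * (3 - i))) & 0xff);
    out[4] = '\0';
}

static int magic_spells(uint32_t magic, const char *word)
{
    char buf[5];
    magic_to_ascii(magic, buf);
    return strcmp(buf, word) == 0;
}

int main(void)
{
    const uint64_t fault_shadow = 0xdffffc000a8a4829ULL; /* from the GPF line above */
    const uint64_t rbp = 0x000000005452414eULL;          /* from the register dump above */
    char word[5];

    printf("shadow %#llx -> granule %#llx\n", (unsigned long long)fault_shadow,
           (unsigned long long)kasan_shadow_to_mem(fault_shadow));
    printf("rbp %#llx -> shadow %#llx\n", (unsigned long long)rbp,
           (unsigned long long)kasan_mem_to_shadow(rbp));
    magic_to_ascii((uint32_t)rbp, word);
    printf("rbp low word spells \"%s\"\n", word);
    printf("modelled journal_info confusion yields %#llx\n",
           (unsigned long long)nested_journal_info_value());
    return 0;
}
```

The same arithmetic applies to any generic-KASAN "non-canonical address 0xdffffc00..." report: subtract the shadow offset, shift left by 3, and the result is the granule the faulting load was about to touch; comparing it against the registers then identifies which pointer was bogus, and rendering it as ASCII is a quick way to spot a structure magic that has been mistaken for a pointer.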


Thread overview: 14+ messages
2024-01-26  9:05 syzbot [this message]
2024-01-30 14:52 ` [syzbot] [xfs?] [ext4?] general protection fault in jbd2__journal_start syzbot
2024-01-30 23:37   ` current->journal_info got nested! (was Re: [syzbot] [xfs?] [ext4?] general protection fault in jbd2__journal_start) Dave Chinner
2024-01-31  3:46     ` Darrick J. Wong
2024-01-31  4:58     ` Theodore Ts'o
2024-01-31  5:20       ` Matthew Wilcox
2024-01-31  5:47         ` Christoph Hellwig
2024-01-31  6:02         ` Dave Chinner
2024-01-31  6:17           ` Christoph Hellwig
2024-01-31 12:02     ` Jan Kara
2024-01-31  7:40   ` [syzbot] [xfs?] [ext4?] general protection fault in jbd2__journal_start Edward Adam Davis
2024-01-31 11:17     ` syzbot
2024-01-31 12:04   ` [PATCH] jbd2: user-memory-access " Edward Adam Davis
2024-01-31 15:41     ` Jan Kara
