Re: kernel BUG at fs/inode.c:LINE!

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Al Viro <viro@zeniv.linux.org.uk>
To: syzbot <syzbot+5399ed0832693e29f392@syzkaller.appspotmail.com>
Cc: akpm@linux-foundation.org, amir73il@gmail.com,
	dvyukov@google.com, linux-fsdevel@vger.kernel.org,
	linux-kernel@vger.kernel.org, penguin-kernel@i-love.sakura.ne.jp,
	raven@themaw.net, syzkaller-bugs@googlegroups.com
Subject: Re: kernel BUG at fs/inode.c:LINE!
Date: Wed, 10 Apr 2019 01:26:03 +0100	[thread overview]
Message-ID: <20190410002603.GS2217@ZenIV.linux.org.uk> (raw)
In-Reply-To: <00000000000036a4a9058619dff3@google.com>

On Tue, Apr 09, 2019 at 07:36:00AM -0700, syzbot wrote:
> Bisection is inconclusive: the first bad commit could be any of:

[snip the useless pile]

> bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=15e1fc2b200000
> start commit:   [unknown
> git tree:       linux-next
> dashboard link: https://syzkaller.appspot.com/bug?extid=5399ed0832693e29f392
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=101032b3400000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=16534063400000
> 
> For information about bisection process see: https://goo.gl/tpsmEJ#bisection

If I'm not misreading the "crash report" there, it has injected an allocation
failure in dentry allocation in d_make_root() from autofs_fill_super() (
        root_inode = autofs_get_inode(s, S_IFDIR | 0755);
        root = d_make_root(root_inode);
) which has triggered iput() on the inode passed to d_make_root() (as it ought
to).  At which point it stepped into some BUG_ON() in fs/inode.c, but I've
no idea which one it is - line numbers do not match anything in linux-next
or in mainline.  Reported line 1566 is
                if (inode->i_nlink && (inode->i_state & I_DIRTY_TIME)) {   
in all of them; as the matter of fact, the diff in fs/inode.c between
-next and mainline is empty.

There is a BUG_ON() several lines prior, and in 4.20 it used to be line 1566,
so _probably_ that's what it is.  With that assumption, it's
	BUG_ON(inode->i_state & I_CLEAR);
IOW, we'd got I_CLEAR in the inode passed to d_make_root() there.  Which
should not happen - the inode must have come from new_inode(), which
gets it from new_inode_pseudo(), which zeroes ->i_state.  And I_CLEAR
is set only in clear_inode().  For autofs inodes that can come only
from autofs_evict_inode(), called as ->evict() from evict_inode().
Which should never ever be called for inode with positive ->i_count...

It might be memory corruption; it might be a dangling inode pointer
somewhere, it might be something else.

To get any further we really need a confirmation of the identity of
triggered BUG_ON().

As an aside, your "sample crash reports" would've been much more useful if
they went with commit SHA1 in question, especially when they contain line
numbers.

next prev parent reply	other threads:[~2019-04-10  0:26 UTC|newest]

Thread overview: 33+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-12-17  6:11 kernel BUG at fs/inode.c:LINE! syzbot
2018-12-17  7:21 ` Al Viro
2018-12-17 10:08   ` Dmitry Vyukov
2018-12-18 10:40     ` Tetsuo Handa
2018-12-18 10:42   ` Ian Kent
2018-12-18 11:01     ` Amir Goldstein
2018-12-18 11:52       ` Ian Kent
2018-12-18 11:34     ` Ian Kent
2018-12-18 12:27       ` Dmitry Vyukov
2018-12-18 12:42         ` Ian Kent
2018-12-18 13:19           ` Dmitry Vyukov
2018-12-18 14:40             ` Ian Kent
2018-12-18 21:09       ` Andrew Morton
2018-12-19  0:05         ` Ian Kent
2018-12-18 13:51     ` Al Viro
2019-04-09 14:36 ` syzbot
2019-04-10  0:26   ` Al Viro [this message]
2019-04-10  8:27     ` Dmitry Vyukov
2019-04-10 10:35       ` Ian Kent
2019-04-10 11:40         ` Dmitry Vyukov
2019-04-10 11:57           ` Ian Kent
2019-04-10 12:02             ` Dmitry Vyukov
2019-04-10 12:03               ` Dmitry Vyukov
2019-04-10 12:07             ` Ian Kent
2019-04-10 12:11               ` Al Viro
2019-04-10 12:41                 ` Dmitry Vyukov
2019-04-11  0:50                   ` Ian Kent
2019-04-11  2:22                     ` Al Viro
2019-04-12 11:04                       ` Dmitry Vyukov
2019-04-12 19:46                         ` Eric Biggers
2019-04-12 10:59                     ` Dmitry Vyukov
2019-04-12 19:19                       ` Al Viro
2019-04-10 12:39               ` Dmitry Vyukov

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20190410002603.GS2217@ZenIV.linux.org.uk \
    --to=viro@zeniv.linux.org.uk \
    --cc=akpm@linux-foundation.org \
    --cc=amir73il@gmail.com \
    --cc=dvyukov@google.com \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=penguin-kernel@i-love.sakura.ne.jp \
    --cc=raven@themaw.net \
    --cc=syzbot+5399ed0832693e29f392@syzkaller.appspotmail.com \
    --cc=syzkaller-bugs@googlegroups.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.