* Re: general protection fault in open_fs_devices
2018-06-06 13:17 general protection fault in open_fs_devices syzbot
@ 2018-06-06 14:41 ` David Sterba
2018-06-06 16:28 ` Anand Jain
` (3 subsequent siblings)
4 siblings, 0 replies; 10+ messages in thread
From: David Sterba @ 2018-06-06 14:41 UTC (permalink / raw)
To: syzbot; +Cc: clm, dsterba, jbacik, linux-btrfs, linux-kernel, syzkaller-bugs
On Wed, Jun 06, 2018 at 06:17:02AM -0700, syzbot wrote:
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: af6c5d5e01ad Merge branch 'for-4.18' of git://git.kernel.o..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=1732a6f7800000
> kernel config: https://syzkaller.appspot.com/x/.config?x=12ff770540994680
> dashboard link: https://syzkaller.appspot.com/bug?extid=909a5177749d7990ffa4
> compiler: gcc (GCC) 8.0.1 20180413 (experimental)
> syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=16ba31f7800000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16d4ac8f800000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+909a5177749d7990ffa4@syzkaller.appspotmail.com
>
> random: sshd: uninitialized urandom read (32 bytes read)
> BTRFS: device fsid ecf6f2a2-2997-48ae-b81e-1b00920efd9a devid 0 transid 0
> /dev/loop0
> print_req_error: I/O error, dev loop1, sector 128
> kasan: CONFIG_KASAN_INLINE enabled
> kasan: GPF could be caused by NULL-ptr deref or user memory access
> general protection fault: 0000 [#1] SMP KASAN
> CPU: 0 PID: 4540 Comm: syz-executor962 Not tainted 4.17.0+ #86
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> RIP: 0010:open_fs_devices+0x7e8/0xc60 fs/btrfs/volumes.c:1124
Strange that this got that far, the image reconstructed from the
reproducer misses a lot of structural information that should prevent
mount:
superblock: bytenr=65536, device=zimg
---------------------------------------------------------
csum_type 0 (crc32c)
csum_size 4
csum 0x8da4363a [DON'T MATCH]
bytenr 65536
flags 0x1
( WRITTEN )
magic _BHRfS_M [match]
fsid ecf6f2a2-2997-48ae-b81e-1b00920efd9a
label
generation 0
root 0
sys_array_size 0
chunk_root_generation 0
root_level 0
chunk_root 0
chunk_root_level 0
log_root 0
log_root_transid 0
log_root_level 0
total_bytes 0
bytes_used 0
sectorsize 0
nodesize 0
leafsize (deprecated) 0
stripesize 0
root_dir 0
num_devices 0
compat_flags 0x0
compat_ro_flags 0x0
incompat_flags 0x0
cache_generation 0
uuid_tree_generation 0
dev_item.uuid 00000000-0000-0000-0000-000000000000
dev_item.fsid 00000000-0000-0000-0000-000000000000 [DON'T MATCH]
dev_item.type 0
dev_item.total_bytes 0
dev_item.bytes_used 0
dev_item.io_align 0
dev_item.io_width 0
dev_item.sector_size 0
dev_item.devid 0
dev_item.dev_group 0
dev_item.seek_speed 0
dev_item.bandwidth 0
dev_item.generation 0
sys_chunk_array[2048]:
backup_roots[4]:
Possibly the ioctl (implementing device scan, triggered by udev) was called on
the loop device at some point. The checks there are not as strict as in the
mount path, but they also don't do anything other than associate the device id
and fsid.
The warning itself catches a state where the counter of devices has an
unexpected value, so that's probably worth further analysis.
We have pending patches to add more sanity checks to the scanning ioctl,
IIRC they were not in the state to be merged but could address the
warning (and also the one from the close_fs_devices).
I was not able to reproduce the warning on current master (that contains
the recent btrfs pull), will try on the exact commit reported.
* Re: general protection fault in open_fs_devices
2018-06-06 13:17 general protection fault in open_fs_devices syzbot
2018-06-06 14:41 ` David Sterba
@ 2018-06-06 16:28 ` Anand Jain
2018-06-07 17:03 ` Dmitry Vyukov
2018-06-19 18:05 ` David Sterba
` (2 subsequent siblings)
4 siblings, 1 reply; 10+ messages in thread
From: Anand Jain @ 2018-06-06 16:28 UTC (permalink / raw)
To: syzbot, clm, dsterba, jbacik, linux-btrfs, linux-kernel,
syzkaller-bugs
On 06/06/2018 09:17 PM, syzbot wrote:
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: af6c5d5e01ad Merge branch 'for-4.18' of
> git://git.kernel.o..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=1732a6f7800000
> kernel config: https://syzkaller.appspot.com/x/.config?x=12ff770540994680
> dashboard link:
> https://syzkaller.appspot.com/bug?extid=909a5177749d7990ffa4
> compiler: gcc (GCC) 8.0.1 20180413 (experimental)
> syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=16ba31f7800000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16d4ac8f800000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+909a5177749d7990ffa4@syzkaller.appspotmail.com
>
> random: sshd: uninitialized urandom read (32 bytes read)
> BTRFS: device fsid ecf6f2a2-2997-48ae-b81e-1b00920efd9a devid 0 transid
> 0 /dev/loop0
> print_req_error: I/O error, dev loop1, sector 128
> kasan: CONFIG_KASAN_INLINE enabled
> kasan: GPF could be caused by NULL-ptr deref or user memory access
> general protection fault: 0000 [#1] SMP KASAN
> CPU: 0 PID: 4540 Comm: syz-executor962 Not tainted 4.17.0+ #86
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> RIP: 0010:open_fs_devices+0x7e8/0xc60 fs/btrfs/volumes.c:1124
Which means there was some other thread which freed our %fs_devices.
As this thread is still in open_ctree(), the contending thread can't
be the ioctl(). So btrfs_free_stale_devices() is the only thread which
can free our %fs_devices in this case.
This is fixed in [1] in the mailing list.
[1] [PATCH 3/3] btrfs: fix race between mkfs and mount
Thanks, Anand
> Code: 48 8b 85 e0 fe ff ff 41 c7 87 14 01 00 00 01 00 00 00 48 8d b8 a0
> 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02
> 00 0f 85 01 04 00 00 48 8b 85 e0 fe ff ff 49 8d 7f 50 48
> RSP: 0018:ffff8801d06971d8 EFLAGS: 00010206
> RAX: dffffc0000000000 RBX: 0000000000000001 RCX: ffffffff82c386af
> RDX: 0000000000000014 RSI: ffffffff82c386bd RDI: 00000000000000a0
> RBP: ffff8801d0697348 R08: ffff8801ad4fc580 R09: ffff8801d0697240
> R10: ffffed003a0d2e5c R11: ffff8801d06972e7 R12: ffff8801ad4f8158
> R13: ffff8801ad4f80d8 R14: dffffc0000000000 R15: ffff8801ad4f8080
> FS: 00000000017dd880(0000) GS:ffff8801dae00000(0000)
> knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000000ede000 CR3: 00000001adaac000 CR4: 00000000001406f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
> btrfs_open_devices+0xc0/0xd0 fs/btrfs/volumes.c:1155
> btrfs_mount_root+0x91f/0x1e70 fs/btrfs/super.c:1568
> mount_fs+0xae/0x328 fs/super.c:1277
> vfs_kern_mount.part.34+0xd4/0x4d0 fs/namespace.c:1037
> vfs_kern_mount+0x40/0x60 fs/namespace.c:1027
> btrfs_mount+0x4a1/0x213e fs/btrfs/super.c:1661
> mount_fs+0xae/0x328 fs/super.c:1277
> vfs_kern_mount.part.34+0xd4/0x4d0 fs/namespace.c:1037
> vfs_kern_mount fs/namespace.c:1027 [inline]
> do_new_mount fs/namespace.c:2518 [inline]
> do_mount+0x564/0x30b0 fs/namespace.c:2848
> ksys_mount+0x12d/0x140 fs/namespace.c:3064
> __do_sys_mount fs/namespace.c:3078 [inline]
> __se_sys_mount fs/namespace.c:3075 [inline]
> __x64_sys_mount+0xbe/0x150 fs/namespace.c:3075
> do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
> entry_SYSCALL_64_after_hwframe+0x49/0xbe
> RIP: 0033:0x4431fa
> Code: b8 08 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 fd e5 fb ff c3 66 2e
> 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01
> f0 ff ff 0f 83 da e5 fb ff c3 66 0f 1f 84 00 00 00 00 00
> RSP: 002b:00007ffc2d953358 EFLAGS: 00000297 ORIG_RAX: 00000000000000a5
> RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000004431fa
> RDX: 0000000020000080 RSI: 0000000020000040 RDI: 00007ffc2d953370
> RBP: 0000000000000004 R08: 00000000200000c0 R09: 000000000000000a
> R10: 0000000000000000 R11: 0000000000000297 R12: 000000000000000d
> R13: 0000000008100000 R14: 0030656c69662f2e R15: fe03f80fe03f80ff
> Modules linked in:
> Dumping ftrace buffer:
> (ftrace buffer empty)
> ---[ end trace d8b96c29a3ffd356 ]---
> RIP: 0010:open_fs_devices+0x7e8/0xc60 fs/btrfs/volumes.c:1124
> Code: 48 8b 85 e0 fe ff ff 41 c7 87 14 01 00 00 01 00 00 00 48 8d b8 a0
> 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02
> 00 0f 85 01 04 00 00 48 8b 85 e0 fe ff ff 49 8d 7f 50 48
> RSP: 0018:ffff8801d06971d8 EFLAGS: 00010206
> RAX: dffffc0000000000 RBX: 0000000000000001 RCX: ffffffff82c386af
> RDX: 0000000000000014 RSI: ffffffff82c386bd RDI: 00000000000000a0
> RBP: ffff8801d0697348 R08: ffff8801ad4fc580 R09: ffff8801d0697240
> R10: ffffed003a0d2e5c R11: ffff8801d06972e7 R12: ffff8801ad4f8158
> R13: ffff8801ad4f80d8 R14: dffffc0000000000 R15: ffff8801ad4f8080
> FS: 00000000017dd880(0000) GS:ffff8801dae00000(0000)
> knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000000ede000 CR3: 00000001adaac000 CR4: 00000000001406f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
>
>
> ---
> This bug is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
>
> syzbot will keep track of this bug report. See:
> https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
> syzbot.
> syzbot can test patches for this bug, for details see:
> https://goo.gl/tpsmEJ#testing-patches
> --
> To unsubscribe from this list: send the line "unsubscribe linux-btrfs" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
* Re: general protection fault in open_fs_devices
2018-06-06 16:28 ` Anand Jain
@ 2018-06-07 17:03 ` Dmitry Vyukov
0 siblings, 0 replies; 10+ messages in thread
From: Dmitry Vyukov @ 2018-06-07 17:03 UTC (permalink / raw)
To: Anand Jain
Cc: syzbot, clm, dsterba, Josef Bacik, linux-btrfs, LKML,
syzkaller-bugs
On Wed, Jun 6, 2018 at 6:28 PM, Anand Jain <anand.jain@oracle.com> wrote:
>
>
> On 06/06/2018 09:17 PM, syzbot wrote:
>
>
>
> Which means there was some other thread which freed our %fs_devices.
> As this thread is still in open_ctree() so the contending thread can't
> be the ioctl(). So btrfs_free_stale_devices() is the only thread which
> can free our %fs_devices in this case.
>
> This is fixed in [1] in the mailing list.
>
> [1]
> [PATCH 3/3] btrfs: fix race between mkfs and mount
Let's tell syzbot about this:
#syz fix: btrfs: fix race between mkfs and mount
* Re: general protection fault in open_fs_devices
2018-06-06 13:17 general protection fault in open_fs_devices syzbot
2018-06-06 14:41 ` David Sterba
2018-06-06 16:28 ` Anand Jain
@ 2018-06-19 18:05 ` David Sterba
2018-06-19 18:27 ` syzbot
2018-07-10 18:43 ` Anand Jain
2018-07-10 18:48 ` Anand Jain
4 siblings, 1 reply; 10+ messages in thread
From: David Sterba @ 2018-06-19 18:05 UTC (permalink / raw)
To: syzbot; +Cc: clm, dsterba, jbacik, linux-btrfs, linux-kernel, syzkaller-bugs
On Wed, Jun 06, 2018 at 06:17:02AM -0700, syzbot wrote:
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: af6c5d5e01ad Merge branch 'for-4.18' of git://git.kernel.o..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=1732a6f7800000
> kernel config: https://syzkaller.appspot.com/x/.config?x=12ff770540994680
> dashboard link: https://syzkaller.appspot.com/bug?extid=909a5177749d7990ffa4
> compiler: gcc (GCC) 8.0.1 20180413 (experimental)
> syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=16ba31f7800000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16d4ac8f800000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+909a5177749d7990ffa4@syzkaller.appspotmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux.git test-syzbot-fs-devices
* Re: general protection fault in open_fs_devices
2018-06-06 13:17 general protection fault in open_fs_devices syzbot
` (2 preceding siblings ...)
2018-06-19 18:05 ` David Sterba
@ 2018-07-10 18:43 ` Anand Jain
2018-07-10 18:40 ` syzbot
2018-07-10 18:48 ` Anand Jain
4 siblings, 1 reply; 10+ messages in thread
From: Anand Jain @ 2018-07-10 18:43 UTC (permalink / raw)
To: syzbot; +Cc: dsterba, linux-btrfs, syzkaller-bugs
#syz test: git://git@github.com:asj/btrfs-devel.git misc-next
* Re: Re: general protection fault in open_fs_devices
2018-07-10 18:43 ` Anand Jain
@ 2018-07-10 18:40 ` syzbot
0 siblings, 0 replies; 10+ messages in thread
From: syzbot @ 2018-07-10 18:40 UTC (permalink / raw)
To: Anand Jain; +Cc: anand.jain, dsterba, linux-btrfs, syzkaller-bugs
> #syz test: git://git@github.com:asj/btrfs-devel.git misc-next
"git://git@github.com:asj/btrfs-devel.git" does not look like a valid git
repo address.
* Re: general protection fault in open_fs_devices
2018-06-06 13:17 general protection fault in open_fs_devices syzbot
` (3 preceding siblings ...)
2018-07-10 18:43 ` Anand Jain
@ 2018-07-10 18:48 ` Anand Jain
2018-07-10 19:08 ` syzbot
4 siblings, 1 reply; 10+ messages in thread
From: Anand Jain @ 2018-07-10 18:48 UTC (permalink / raw)
To: syzbot; +Cc: linux-btrfs, syzkaller-bugs
#syz test: https://github.com/asj/btrfs-devel.git misc-next