linux-fsdevel.vger.kernel.org archive mirror
From: Bagas Sanjaya <bagasdotme@gmail.com>
To: Pengfei Xu <pengfei.xu@intel.com>, djwong@kernel.org
Cc: linux-xfs@vger.kernel.org, linux-fsdevel@vger.kernel.org,
	heng.su@intel.com, dchinner@redhat.com, lkp@intel.com,
	Linux Regressions <regressions@lists.linux.dev>
Subject: Re: [Syzkaller & bisect] There is BUG: unable to handle kernel NULL pointer dereference in xfs_extent_free_diff_items in v6.4-rc3
Date: Mon, 22 May 2023 13:39:27 +0700	[thread overview]
Message-ID: <ZGsOH5D5vLTLWzoB@debian.me> (raw)
In-Reply-To: <ZGrOYDZf+k0i4jyM@xpf.sh.intel.com>


On Mon, May 22, 2023 at 10:07:28AM +0800, Pengfei Xu wrote:
> Hi Darrick,
> 
> Greeting!
> There is a BUG: unable to handle kernel NULL pointer dereference in
> xfs_extent_free_diff_items in v6.4-rc3:
> 
> The above issue could be reproduced in v6.4-rc3 and v6.4-rc2 kernel in guest.
> 
> Bisected this issue between v6.4-rc2 and v5.11; the problem commit is:
> "
> f6b384631e1e xfs: give xfs_extfree_intent its own perag reference
> "
> 
> report0, repro.stat and other detailed info: https://github.com/xupengfe/syzkaller_logs/tree/main/230521_043336_xfs_extent_free_diff_items
> Syzkaller reproduced code: https://github.com/xupengfe/syzkaller_logs/blob/main/230521_043336_xfs_extent_free_diff_items/repro.c
> Syzkaller reproduced prog: https://github.com/xupengfe/syzkaller_logs/blob/main/230521_043336_xfs_extent_free_diff_items/repro.prog
> Kconfig: https://github.com/xupengfe/syzkaller_logs/blob/main/230521_043336_xfs_extent_free_diff_items/kconfig_origin
> Bisect info: https://github.com/xupengfe/syzkaller_logs/blob/main/230521_043336_xfs_extent_free_diff_items/bisect_info.log
> Issue dmesg: https://github.com/xupengfe/syzkaller_logs/blob/main/230521_043336_xfs_extent_free_diff_items/v6.4-rc3_reproduce_dmesg.log
> 
> v6.4-rc3 reproduced info:
> "
> [   91.419498] loop0: detected capacity change from 0 to 65536
> [   91.420095] XFS: attr2 mount option is deprecated.
> [   91.420500] XFS: ikeep mount option is deprecated.
> [   91.422379] XFS (loop0): Deprecated V4 format (crc=0) will not be supported after September 2030.
> [   91.423468] XFS (loop0): Mounting V4 Filesystem d28317a9-9e04-4f2a-be27-e55b4c413ff6
> [   91.428169] XFS (loop0): Ending clean mount
> [   91.429120] XFS (loop0): Quotacheck needed: Please wait.
> [   91.432182] BUG: kernel NULL pointer dereference, address: 0000000000000008
> [   91.432770] #PF: supervisor read access in kernel mode
> [   91.433216] #PF: error_code(0x0000) - not-present page
> [   91.433640] PGD 0 P4D 0 
> [   91.433864] Oops: 0000 [#1] PREEMPT SMP NOPTI
> [   91.434232] CPU: 0 PID: 33 Comm: kworker/u4:2 Not tainted 6.4.0-rc3-kvm #2
> [   91.434793] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015
> [   91.435445] Workqueue: xfs_iwalk-393 xfs_pwork_work
> [   91.435855] RIP: 0010:xfs_extent_free_diff_items+0x27/0x40
> [   91.436312] Code: 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 55 48 89 e5 41 54 49 89 f4 53 48 89 d3 e8 05 73 7d ff 49 8b 44 24 28 48 8b 53 28 5b 41 5c <8b> 40 08 5d 2b 42 08 c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00
> [   91.437812] RSP: 0000:ffffc9000012b8c0 EFLAGS: 00010246
> [   91.438250] RAX: 0000000000000000 RBX: ffff8880015826c8 RCX: ffffffff81d71e41
> [   91.438840] RDX: 0000000000000000 RSI: ffff888001ca4800 RDI: 0000000000000002
> [   91.439430] RBP: ffffc9000012b8c0 R08: ffffc9000012b8e0 R09: 0000000000000000
> [   91.440019] R10: ffff88800613f290 R11: ffffffff83e426c0 R12: ffff888001582230
> [   91.440610] R13: ffff888001582428 R14: ffffffff81b042c0 R15: ffffc9000012b908
> [   91.441202] FS:  0000000000000000(0000) GS:ffff88807ec00000(0000) knlGS:0000000000000000
> [   91.441864] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [   91.442343] CR2: 0000000000000008 CR3: 000000000ed22006 CR4: 0000000000770ef0
> [   91.442941] PKRU: 55555554
> [   91.443178] Call Trace:
> [   91.443394]  <TASK>
> [   91.443585]  list_sort+0xb8/0x3a0
> [   91.443885]  xfs_extent_free_create_intent+0xb6/0xc0
> [   91.444312]  xfs_defer_create_intents+0xc3/0x220
> [   91.444711]  ? write_comp_data+0x2f/0x90
> [   91.445056]  xfs_defer_finish_noroll+0x9e/0xbc0
> [   91.445449]  ? list_sort+0x344/0x3a0
> [   91.445768]  __xfs_trans_commit+0x4be/0x630
> [   91.446135]  xfs_trans_commit+0x20/0x30
> [   91.446473]  xfs_dquot_disk_alloc+0x45d/0x4e0
> [   91.446860]  xfs_qm_dqread+0x2f7/0x310
> [   91.447192]  xfs_qm_dqget+0xd5/0x300
> [   91.447506]  xfs_qm_quotacheck_dqadjust+0x5a/0x230
> [   91.447921]  xfs_qm_dqusage_adjust+0x249/0x300
> [   91.448313]  xfs_iwalk_ag_recs+0x1bd/0x2e0
> [   91.448671]  xfs_iwalk_run_callbacks+0xc3/0x1c0
> [   91.449071]  xfs_iwalk_ag+0x32e/0x3f0
> [   91.449398]  xfs_iwalk_ag_work+0xbe/0xf0
> [   91.449744]  xfs_pwork_work+0x2c/0xc0
> [   91.450064]  process_one_work+0x3b1/0x860
> [   91.450416]  worker_thread+0x52/0x660
> [   91.450739]  ? __pfx_worker_thread+0x10/0x10
> [   91.451113]  kthread+0x16d/0x1c0
> [   91.451406]  ? __pfx_kthread+0x10/0x10
> [   91.451740]  ret_from_fork+0x29/0x50
> [   91.452064]  </TASK>
> [   91.452261] Modules linked in:
> [   91.452530] CR2: 0000000000000008
> [   91.452819] ---[ end trace 0000000000000000 ]---
> [   91.487979] RIP: 0010:xfs_extent_free_diff_items+0x27/0x40
> [   91.488463] Code: 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 55 48 89 e5 41 54 49 89 f4 53 48 89 d3 e8 05 73 7d ff 49 8b 44 24 28 48 8b 53 28 5b 41 5c <8b> 40 08 5d 2b 42 08 c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00
> [   91.490021] RSP: 0000:ffffc9000012b8c0 EFLAGS: 00010246
> [   91.490472] RAX: 0000000000000000 RBX: ffff8880015826c8 RCX: ffffffff81d71e41
> [   91.491080] RDX: 0000000000000000 RSI: ffff888001ca4800 RDI: 0000000000000002
> [   91.491689] RBP: ffffc9000012b8c0 R08: ffffc9000012b8e0 R09: 0000000000000000
> [   91.492298] R10: ffff88800613f290 R11: ffffffff83e426c0 R12: ffff888001582230
> [   91.492909] R13: ffff888001582428 R14: ffffffff81b042c0 R15: ffffc9000012b908
> [   91.493516] FS:  0000000000000000(0000) GS:ffff88807ec00000(0000) knlGS:0000000000000000
> [   91.494199] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [   91.494695] CR2: 0000000000000008 CR3: 000000000ed22006 CR4: 0000000000770ef0
> [   91.495306] PKRU: 55555554
> [   91.495549] note: kworker/u4:2[33] exited with irqs disabled
> "
> 

Thanks for the regression report. I'm adding it to regzbot:

#regzbot ^introduced: f6b384631e1e34
#regzbot title: unable to handle kernel NULL pointer dereference in xfs_extent_free_diff_items (due to xfs_extfree_intent perag change)
#regzbot link: https://bugzilla.kernel.org/show_bug.cgi?id=217470

-- 
An old man doll... just what I always wanted! - Clara
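As an added example (not part of this thread, and not the kernel's or regzbot's own tooling), here is a small Python triage helper that reads the oops fields quoted above (BUG address, RIP symbol and offset, the faulting instruction marked with `<..>` in the `Code:` line, the register dump, CR2 and the call trace) and checks whether they agree on a NULL-base-plus-offset read. The decoder only handles the `mov r, disp8(base)` form of the faulting instruction, which is what this report shows (`8b 40 08` is `mov 0x8(%rax),%eax`, and RAX is 0, hence CR2 = 8); the sample text is an excerpt of the dmesg quoted above, trimmed to the lines the triage uses.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Excerpt of the oops from the report above, trimmed to the lines used here.
OOPS = """\
[   91.432182] BUG: kernel NULL pointer dereference, address: 0000000000000008
[   91.432770] #PF: supervisor read access in kernel mode
[   91.435445] Workqueue: xfs_iwalk-393 xfs_pwork_work
[   91.435855] RIP: 0010:xfs_extent_free_diff_items+0x27/0x40
[   91.436312] Code: 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 55 48 89 e5 41 54 49 89 f4 53 48 89 d3 e8 05 73 7d ff 49 8b 44 24 28 48 8b 53 28 5b 41 5c <8b> 40 08 5d 2b 42 08 c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00
[   91.438250] RAX: 0000000000000000 RBX: ffff8880015826c8 RCX: ffffffff81d71e41
[   91.442343] CR2: 0000000000000008 CR3: 000000000ed22006 CR4: 0000000000770ef0
[   91.443178] Call Trace:
[   91.443394]  <TASK>
[   91.443585]  list_sort+0xb8/0x3a0
[   91.443885]  xfs_extent_free_create_intent+0xb6/0xc0
[   91.444312]  xfs_defer_create_intents+0xc3/0x220
[   91.444711]  ? write_comp_data+0x2f/0x90
[   91.445056]  xfs_defer_finish_noroll+0x9e/0xbc0
[   91.452064]  </TASK>
"""

TS_RE = re.compile(r"^\[\s*[\d.]+\]\s?")                       # dmesg timestamp
BUG_RE = re.compile(r"BUG: kernel NULL pointer dereference, address: ([0-9a-f]+)")
RIP_RE = re.compile(r"RIP: [0-9a-f]{4}:(\S+?)\+0x([0-9a-f]+)/0x([0-9a-f]+)")
CODE_RE = re.compile(r"^Code: (.*)$")
REG_RE = re.compile(r"\b(R[A-Z0-9]{2}|CR[234]): ([0-9a-f]{16})")
WQ_RE = re.compile(r"Workqueue: (\S+) (\S+)")
FRAME_RE = re.compile(r"^\s*(\?\s+)?(\S+?)\+0x[0-9a-f]+/0x[0-9a-f]+")

REGS64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]
REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def decode_faulting_load(code_field: str) -> Optional[dict]:
    """Decode the instruction at the <xx> marker of a 'Code:' line.

    Only `mov r32/r64, disp8(base)` (opcode 8b, optional REX.W, no SIB and no
    REX.R/REX.B extension) is handled; that is the usual shape of a struct
    field read through a NULL pointer. Anything else returns None rather than
    guessing."""
    m = re.search(r"<([0-9a-f]{2})>((?: [0-9a-f]{2})*)", code_field)
    if not m:
        return None
    b = [int(m.group(1), 16)] + [int(x, 16) for x in m.group(2).split()]
    i, rex_w = 0, False
    if 0x40 <= b[i] <= 0x4F:            # REX prefix
        if b[i] & 0x5:                  # REX.R or REX.B: registers beyond r7, not handled
            return None
        rex_w = bool(b[i] & 0x8)
        i += 1
    if i + 2 >= len(b) or b[i] != 0x8B:  # mov r, r/m
        return None
    modrm = b[i + 1]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod != 1 or rm == 4:             # only [base + disp8], no SIB
        return None
    disp = b[i + 2] - 0x100 if b[i + 2] >= 0x80 else b[i + 2]
    dst = (REGS64 if rex_w else REGS32)[reg]
    return {"base": REGS64[rm], "disp": disp, "dst": dst,
            "text": f"mov {disp:#x}(%{REGS64[rm]}),%{dst}"}


@dataclass
class Triage:
    fault_addr: Optional[int] = None
    rip_symbol: str = ""
    rip_offset: int = 0
    rip_size: int = 0
    workqueue: str = ""
    regs: Dict[str, int] = field(default_factory=dict)
    insn: Optional[dict] = None
    call_trace: List[str] = field(default_factory=list)   # reliable frames only

    @property
    def computed_ea(self) -> Optional[int]:
        """Effective address of the decoded load, from the dumped base register."""
        if not self.insn:
            return None
        base = self.regs.get(self.insn["base"].upper())
        return None if base is None else (base + self.insn["disp"]) & 0xFFFFFFFFFFFFFFFF

    @property
    def consistent(self) -> bool:
        """Decoded instruction, BUG address and CR2 all name the same address."""
        return self.computed_ea is not None and \
            self.computed_ea == self.fault_addr == self.regs.get("CR2")


def triage(oops_text: str) -> Triage:
    t = Triage()
    in_trace = False
    for raw in oops_text.splitlines():
        line = TS_RE.sub("", raw)
        if (m := BUG_RE.search(line)):
            t.fault_addr = int(m.group(1), 16)
        elif (m := RIP_RE.search(line)):
            t.rip_symbol = m.group(1)
            t.rip_offset, t.rip_size = int(m.group(2), 16), int(m.group(3), 16)
        elif (m := CODE_RE.match(line)):
            t.insn = decode_faulting_load(m.group(1))
        elif (m := WQ_RE.search(line)):
            t.workqueue = m.group(2)
        elif line.strip() == "<TASK>":
            in_trace = True
        elif line.strip() == "</TASK>":
            in_trace = False
        elif in_trace and (m := FRAME_RE.match(line)):
            if not m.group(1):          # '? ' frames are stale stack slots; skip them
                t.call_trace.append(m.group(2))
        else:
            for name, val in REG_RE.findall(line):
                t.regs[name] = int(val, 16)
    return t


def verdict(t: Triage) -> str:
    """'null_field_read' when a zero base register plus a small offset explains
    the fault and CR2 agrees; otherwise 'unverified' (needs manual look)."""
    if t.insn and t.consistent and t.regs.get(t.insn["base"].upper()) == 0 \
            and t.fault_addr is not None and t.fault_addr < 4096:
        return "null_field_read"
    return "unverified"


if __name__ == "__main__":
    t = triage(OOPS)
    print(f"{t.rip_symbol}+{t.rip_offset:#x}/{t.rip_size:#x}: {t.insn['text']}"
          f" -> ea {t.computed_ea:#x}, CR2 {t.regs['CR2']:#x}, {verdict(t)}")
    print("trace:", " <- ".join(t.call_trace), "| workqueue:", t.workqueue)
```

The useful check is the agreement between three independent fields: the base register in the dumped instruction is zero, the instruction's displacement equals the BUG address, and CR2 carries the same value, so the oops is a NULL struct pointer whose field at offset 8 was read, not a wild pointer. Frames prefixed with `?` are left out of the recorded trace because the unwinder could not confirm them.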


