Re: [syzbot] [f2fs?] KASAN: null-ptr-deref Write in f2fs_stop_gc_thread

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: syzbot <syzbot+1a8e2b31f2ac9bd3d148@syzkaller.appspotmail.com>
To: linux-kernel@vger.kernel.org, lizhi.xu@windriver.com,
	 syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [f2fs?] KASAN: null-ptr-deref Write in f2fs_stop_gc_thread
Date: Wed, 24 Jul 2024 23:54:03 -0700	[thread overview]
Message-ID: <000000000000349950061e0cdcdd@google.com> (raw)
In-Reply-To: <20240725050750.3007233-1-lizhi.xu@windriver.com>

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in f2fs_start_gc_thread

F2FS-fs (loop0): Stopped filesystem due to reason: 0
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 1 PID: 7528 Comm: syz.0.131 Not tainted 6.10.0-syzkaller-11185-g2c9b3512402e-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
RIP: 0010:f2fs_start_gc_thread+0x33a/0x570 fs/f2fs/gc.c:191
Code: 00 00 e8 39 21 a5 fd 4c 89 f7 e8 01 9a 74 fd 43 80 7c 3d 00 00 74 08 4c 89 e7 e8 61 16 08 fe 49 8b 1c 24 48 89 d8 48 c1 e8 03 <42> 80 3c 38 00 74 08 48 89 df e8 37 17 08 fe 4c 89 33 48 89 e8 48
RSP: 0018:ffffc9000b0a79d0 EFLAGS: 00010246

RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000001
RDX: dffffc0000000000 RSI: ffffffff8bcacd20 RDI: 0000000000000001
RBP: ffff8880233dfd00 R08: ffffffff92fd071f R09: 1ffffffff25fa0e3
R10: dffffc0000000000 R11: fffffbfff25fa0e4 R12: ffff88807ed6d2c8
R13: 1ffff1100fdada59 R14: ffff88801a3bda00 R15: dffffc0000000000
FS:  00007f8ea496c6c0(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000c003b37000 CR3: 000000002cdaa000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 f2fs_remount+0x14eb/0x1c20 fs/f2fs/super.c:2440
 reconfigure_super+0x445/0x880 fs/super.c:1072
 vfs_cmd_reconfigure fs/fsopen.c:263 [inline]
 vfs_fsconfig_locked fs/fsopen.c:292 [inline]
 __do_sys_fsconfig fs/fsopen.c:473 [inline]
 __se_sys_fsconfig+0xb6e/0xf80 fs/fsopen.c:345
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f8ea3b75b59
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f8ea496c048 EFLAGS: 00000246
 ORIG_RAX: 00000000000001af
RAX: ffffffffffffffda RBX: 00007f8ea3d05f60 RCX: 00007f8ea3b75b59
RDX: 0000000000000000 RSI: 0000000000000007 RDI: 0000000000000006
RBP: 00007f8ea3be4e5d R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f8ea3d05f60 R15: 00007fffaa6511a8
 </TASK>
Modules linked in:
----------------
Code disassembly (best guess):
   0:	00 00                	add    %al,(%rax)
   2:	e8 39 21 a5 fd       	call   0xfda52140
   7:	4c 89 f7             	mov    %r14,%rdi
   a:	e8 01 9a 74 fd       	call   0xfd749a10
   f:	43 80 7c 3d 00 00    	cmpb   $0x0,0x0(%r13,%r15,1)
  15:	74 08                	je     0x1f
  17:	4c 89 e7             	mov    %r12,%rdi
  1a:	e8 61 16 08 fe       	call   0xfe081680
  1f:	49 8b 1c 24          	mov    (%r12),%rbx
  23:	48 89 d8             	mov    %rbx,%rax
  26:	48 c1 e8 03          	shr    $0x3,%rax
* 2a:	42 80 3c 38 00       	cmpb   $0x0,(%rax,%r15,1) <-- trapping instruction
  2f:	74 08                	je     0x39
  31:	48 89 df             	mov    %rbx,%rdi
  34:	e8 37 17 08 fe       	call   0xfe081770
  39:	4c 89 33             	mov    %r14,(%rbx)
  3c:	48 89 e8             	mov    %rbp,%rax
  3f:	48                   	rex.W


Tested on:

commit:         2c9b3512 Merge tag 'for-linus' of git://git.kernel.org..
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=15fbadb1980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f4925140c45a2a50
dashboard link: https://syzkaller.appspot.com/bug?extid=1a8e2b31f2ac9bd3d148
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=16adb055980000

next      parent reply	other threads:[~2024-07-25  6:54 UTC|newest]

Thread overview: 17+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <20240725050750.3007233-1-lizhi.xu@windriver.com>
2024-07-25  6:54 ` syzbot [this message]
     [not found] <20240725135334.4018863-1-lizhi.xu@windriver.com>
2024-07-25 14:30 ` [syzbot] [f2fs?] KASAN: null-ptr-deref Write in f2fs_stop_gc_thread syzbot
     [not found] <20240725131923.3802594-1-lizhi.xu@windriver.com>
2024-07-25 13:47 ` syzbot
     [not found] <20240725124919.3618893-1-lizhi.xu@windriver.com>
2024-07-25 13:06 ` syzbot
     [not found] <20240725080829.841010-1-lizhi.xu@windriver.com>
2024-07-25 12:27 ` syzbot
     [not found] <20240725072746.503703-1-lizhi.xu@windriver.com>
2024-07-25  8:04 ` syzbot
     [not found] <20240725022132.965591-1-lizhi.xu@windriver.com>
2024-07-25  3:30 ` syzbot
     [not found] <20240725013244.474343-1-lizhi.xu@windriver.com>
2024-07-25  1:54 ` syzbot
2024-07-24 19:20 syzbot
2024-07-26 11:08 ` Edward Adam Davis
2024-07-26 17:02   ` syzbot
2024-07-27  2:08 ` Edward Adam Davis
2024-07-27  2:48   ` syzbot
2024-07-27  3:38 ` Edward Adam Davis
2024-07-27  4:01   ` syzbot
2024-07-27  4:07 ` Edward Adam Davis
2024-07-27  5:13   ` syzbot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=000000000000349950061e0cdcdd@google.com \
    --to=syzbot+1a8e2b31f2ac9bd3d148@syzkaller.appspotmail.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=lizhi.xu@windriver.com \
    --cc=syzkaller-bugs@googlegroups.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox