[syzbot] [kernel?] KASAN: slab-use-after-free Read in reweight_entity

[syzbot] [kernel?] KASAN: slab-use-after-free Read in reweight_entity

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    9a3dad63edbe Merge tag '6.6-rc5-ksmbd-server-fixes' of git..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1413e691680000
kernel config:  https://syzkaller.appspot.com/x/.config?x=5d83dadac33c08b7
dashboard link: https://syzkaller.appspot.com/bug?extid=3908cdfd655fd839c82f
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=12a055f9680000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=103ef619680000

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7bc7510fe41f/non_bootable_disk-9a3dad63.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/98467f6633b7/vmlinux-9a3dad63.xz
kernel image: https://storage.googleapis.com/syzbot-assets/93b5cb4a26b0/bzImage-9a3dad63.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+3908cdfd655fd839c82f@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: slab-use-after-free in __update_min_deadline kernel/sched/fair.c:805 [inline]
BUG: KASAN: slab-use-after-free in min_deadline_update kernel/sched/fair.c:819 [inline]
BUG: KASAN: slab-use-after-free in min_deadline_cb_propagate kernel/sched/fair.c:825 [inline]
BUG: KASAN: slab-use-after-free in reweight_entity+0x8e3/0xa60 kernel/sched/fair.c:3660
Read of size 8 at addr ffff888022a59a70 by task syz-executor206/5331

CPU: 3 PID: 5331 Comm: syz-executor206 Not tainted 6.6.0-rc5-syzkaller-00267-g9a3dad63edbe #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:364 [inline]
 print_report+0xc4/0x620 mm/kasan/report.c:475
 kasan_report+0xda/0x110 mm/kasan/report.c:588
 __update_min_deadline kernel/sched/fair.c:805 [inline]
 min_deadline_update kernel/sched/fair.c:819 [inline]
 min_deadline_cb_propagate kernel/sched/fair.c:825 [inline]
 reweight_entity+0x8e3/0xa60 kernel/sched/fair.c:3660
 entity_tick kernel/sched/fair.c:5317 [inline]
 task_tick_fair+0xee/0xcd0 kernel/sched/fair.c:12392
 scheduler_tick+0x210/0x650 kernel/sched/core.c:5657
 update_process_times+0x19f/0x220 kernel/time/timer.c:2076
 tick_sched_handle+0x8e/0x170 kernel/time/tick-sched.c:254
 tick_sched_timer+0xe9/0x110 kernel/time/tick-sched.c:1492
 __run_hrtimer kernel/time/hrtimer.c:1688 [inline]
 __hrtimer_run_queues+0x647/0xc10 kernel/time/hrtimer.c:1752
 hrtimer_interrupt+0x31b/0x800 kernel/time/hrtimer.c:1814
 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1063 [inline]
 __sysvec_apic_timer_interrupt+0x105/0x3f0 arch/x86/kernel/apic/apic.c:1080
 sysvec_apic_timer_interrupt+0x8e/0xc0 arch/x86/kernel/apic/apic.c:1074
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:645
RIP: 0010:rcu_dynticks_curr_cpu_in_eqs include/linux/context_tracking.h:122 [inline]
RIP: 0010:rcu_is_watching+0x39/0xb0 kernel/rcu/tree.c:699
Code: a5 cf 08 48 c7 c3 e8 6d 03 00 83 f8 07 89 c5 77 7a 48 8d 3c ed 40 ba 5c 8c 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 75 54 48 03 1c ed 40 ba 5c 8c 48 b8 00 00 00 00 00 fc
RSP: 0018:ffffc90003cc73d8 EFLAGS: 00000a06
RAX: dffffc0000000000 RBX: 0000000000036de8 RCX: 1ffffffff1d9a7c0
RDX: 1ffffffff18b974b RSI: ffffffff8ae90aa0 RDI: ffffffff8c5cba58
RBP: 0000000000000003 R08: 0000000000000007 R09: ffffffffff600000
R10: 00007fcac0348000 R11: dffffc0000000000 R12: ffffc90003cc7488
R13: ffffffff81747dc0 R14: ffffc90003cc7500 R15: ffff88802787c780
 kernel_text_address kernel/extable.c:113 [inline]
 kernel_text_address+0x62/0xd0 kernel/extable.c:94
 __kernel_text_address+0xd/0x30 kernel/extable.c:79
 unwind_get_return_address+0x78/0xe0 arch/x86/kernel/unwind_orc.c:369
 arch_stack_walk+0xbe/0x170 arch/x86/kernel/stacktrace.c:26
 stack_trace_save+0x96/0xd0 kernel/stacktrace.c:122
 kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
 kasan_set_track+0x25/0x30 mm/kasan/common.c:52
 __kasan_slab_alloc+0x81/0x90 mm/kasan/common.c:328
 kasan_slab_alloc include/linux/kasan.h:188 [inline]
 slab_post_alloc_hook mm/slab.h:762 [inline]
 slab_alloc_node mm/slab.c:3237 [inline]
 slab_alloc mm/slab.c:3246 [inline]
 __kmem_cache_alloc_lru mm/slab.c:3423 [inline]
 kmem_cache_alloc+0x159/0x400 mm/slab.c:3432
 kmem_cache_zalloc include/linux/slab.h:710 [inline]
 alloc_buffer_head+0x21/0x140 fs/buffer.c:3023
 folio_alloc_buffers+0x2e7/0x7f0 fs/buffer.c:935
 folio_create_empty_buffers+0x36/0x470 fs/buffer.c:1648
 ext4_block_write_begin+0xcc4/0xf10 fs/ext4/inode.c:1024
 ext4_da_write_begin+0x40a/0x8c0 fs/ext4/inode.c:2890
 generic_perform_write+0x278/0x600 mm/filemap.c:3969
 ext4_buffered_write_iter+0x11f/0x3c0 fs/ext4/file.c:299
 ext4_file_write_iter+0x7f7/0x1860 fs/ext4/file.c:717
 call_write_iter include/linux/fs.h:1956 [inline]
 new_sync_write fs/read_write.c:491 [inline]
 vfs_write+0x650/0xe40 fs/read_write.c:584
 ksys_write+0x12f/0x250 fs/read_write.c:637
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fcac0348789
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff03860d58 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fcac0348789
RDX: 000000000208e24b RSI: 0000000020000100 RDI: 0000000000000005
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fff03860d7c
R13: 00007fff03860d90 R14: 00007fff03860dd0 R15: 0000000000000015
 </TASK>

Allocated by task 2:
 kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
 kasan_set_track+0x25/0x30 mm/kasan/common.c:52
 __kasan_slab_alloc+0x81/0x90 mm/kasan/common.c:328
 kasan_slab_alloc include/linux/kasan.h:188 [inline]
 slab_post_alloc_hook mm/slab.h:762 [inline]
 slab_alloc_node mm/slab.c:3237 [inline]
 kmem_cache_alloc_node+0x173/0x540 mm/slab.c:3509
 alloc_task_struct_node kernel/fork.c:173 [inline]
 dup_task_struct kernel/fork.c:1110 [inline]
 copy_process+0x41c/0x73f0 kernel/fork.c:2327
 kernel_clone+0xfd/0x920 kernel/fork.c:2909
 kernel_thread+0xc0/0x100 kernel/fork.c:2971
 create_kthread kernel/kthread.c:411 [inline]
 kthreadd+0x4fb/0x7d0 kernel/kthread.c:746
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304

Freed by task 21:
 kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
 kasan_set_track+0x25/0x30 mm/kasan/common.c:52
 kasan_save_free_info+0x28/0x40 mm/kasan/generic.c:522
 ____kasan_slab_free mm/kasan/common.c:236 [inline]
 ____kasan_slab_free+0x138/0x190 mm/kasan/common.c:200
 kasan_slab_free include/linux/kasan.h:164 [inline]
 __cache_free mm/slab.c:3370 [inline]
 __do_kmem_cache_free mm/slab.c:3557 [inline]
 kmem_cache_free+0x104/0x380 mm/slab.c:3582
 put_task_struct include/linux/sched/task.h:136 [inline]
 put_task_struct include/linux/sched/task.h:123 [inline]
 delayed_put_task_struct+0x21b/0x2b0 kernel/exit.c:226
 rcu_do_batch kernel/rcu/tree.c:2139 [inline]
 rcu_core+0x805/0x1bb0 kernel/rcu/tree.c:2403
 __do_softirq+0x218/0x965 kernel/softirq.c:553

Last potentially related work creation:
 kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
 __kasan_record_aux_stack+0x78/0x80 mm/kasan/generic.c:492
 __call_rcu_common.constprop.0+0x9a/0x790 kernel/rcu/tree.c:2653
 put_task_struct_rcu_user kernel/exit.c:232 [inline]
 put_task_struct_rcu_user+0x87/0xc0 kernel/exit.c:229
 context_switch kernel/sched/core.c:5385 [inline]
 __schedule+0xee9/0x5a10 kernel/sched/core.c:6695
 schedule+0xe7/0x1b0 kernel/sched/core.c:6771
 schedule_timeout+0x278/0x2c0 kernel/time/timer.c:2143
 do_wait_for_common kernel/sched/completion.c:95 [inline]
 __wait_for_common+0x3e0/0x5f0 kernel/sched/completion.c:116
 kthread_stop+0x18e/0x5f0 kernel/kthread.c:709
 kvm_mmu_pre_destroy_vm+0x44/0x60 arch/x86/kvm/mmu/mmu.c:7160
 kvm_destroy_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:1313 [inline]
 kvm_put_kvm+0x254/0xad0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1373
 kvm_vm_release+0x42/0x50 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1396
 __fput+0x3f7/0xa70 fs/file_table.c:384
 __fput_sync+0x47/0x50 fs/file_table.c:465
 __do_sys_close fs/open.c:1572 [inline]
 __se_sys_close fs/open.c:1557 [inline]
 __x64_sys_close+0x87/0xf0 fs/open.c:1557
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Second to last potentially related work creation:
 kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
 __kasan_record_aux_stack+0x78/0x80 mm/kasan/generic.c:492
 __call_rcu_common.constprop.0+0x9a/0x790 kernel/rcu/tree.c:2653
 put_task_struct_rcu_user kernel/exit.c:232 [inline]
 put_task_struct_rcu_user+0x87/0xc0 kernel/exit.c:229
 context_switch kernel/sched/core.c:5385 [inline]
 __schedule+0xee9/0x5a10 kernel/sched/core.c:6695
 schedule+0xe7/0x1b0 kernel/sched/core.c:6771
 schedule_timeout+0x278/0x2c0 kernel/time/timer.c:2143
 do_wait_for_common kernel/sched/completion.c:95 [inline]
 __wait_for_common+0x3e0/0x5f0 kernel/sched/completion.c:116
 kthread_stop+0x18e/0x5f0 kernel/kthread.c:709
 kvm_mmu_pre_destroy_vm+0x44/0x60 arch/x86/kvm/mmu/mmu.c:7160
 kvm_destroy_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:1313 [inline]
 kvm_put_kvm+0x254/0xad0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1373
 kvm_vm_release+0x42/0x50 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1396
 __fput+0x3f7/0xa70 fs/file_table.c:384
 __fput_sync+0x47/0x50 fs/file_table.c:465
 __do_sys_close fs/open.c:1572 [inline]
 __se_sys_close fs/open.c:1557 [inline]
 __x64_sys_close+0x87/0xf0 fs/open.c:1557
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

The buggy address belongs to the object at ffff888022a599c0
 which belongs to the cache task_struct of size 8960
The buggy address is located 176 bytes inside of
 freed 8960-byte region [ffff888022a599c0, ffff888022a5bcc0)

The buggy address belongs to the physical page:
page:ffffea00008a9600 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x22a58
head:ffffea00008a9600 order:2 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0x1()
raw: 00fff00000000840 ffff88810005a500 ffffea00009ffb10 ffffea0000bf6410
raw: 0000000000000000 ffff888022a599c0 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0x2420c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_COMP|__GFP_THISNODE), pid 4949, tgid 4949 (dhcpcd-run-hook), ts 26983961004, free_ts 23254563577
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x2cf/0x340 mm/page_alloc.c:1536
 prep_new_page mm/page_alloc.c:1543 [inline]
 get_page_from_freelist+0xee0/0x2f20 mm/page_alloc.c:3170
 __alloc_pages+0x1d0/0x4a0 mm/page_alloc.c:4426
 __alloc_pages_node include/linux/gfp.h:237 [inline]
 kmem_getpages mm/slab.c:1356 [inline]
 cache_grow_begin+0x99/0x3a0 mm/slab.c:2550
 cache_alloc_refill+0x294/0x3a0 mm/slab.c:2923
 ____cache_alloc mm/slab.c:2999 [inline]
 ____cache_alloc mm/slab.c:2982 [inline]
 __do_cache_alloc mm/slab.c:3182 [inline]
 slab_alloc_node mm/slab.c:3230 [inline]
 kmem_cache_alloc_node+0x481/0x540 mm/slab.c:3509
 alloc_task_struct_node kernel/fork.c:173 [inline]
 dup_task_struct kernel/fork.c:1110 [inline]
 copy_process+0x41c/0x73f0 kernel/fork.c:2327
 kernel_clone+0xfd/0x920 kernel/fork.c:2909
 __do_sys_clone+0xba/0x100 kernel/fork.c:3052
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1136 [inline]
 free_unref_page_prepare+0x476/0xa40 mm/page_alloc.c:2312
 free_unref_page+0x33/0x3b0 mm/page_alloc.c:2405
 slab_destroy mm/slab.c:1608 [inline]
 slabs_destroy+0x85/0xc0 mm/slab.c:1628
 cache_flusharray mm/slab.c:3341 [inline]
 ___cache_free+0x2b7/0x420 mm/slab.c:3404
 qlink_free mm/kasan/quarantine.c:166 [inline]
 qlist_free_all+0x4c/0x1b0 mm/kasan/quarantine.c:185
 kasan_quarantine_reduce+0x18e/0x1d0 mm/kasan/quarantine.c:292
 __kasan_slab_alloc+0x65/0x90 mm/kasan/common.c:305
 kasan_slab_alloc include/linux/kasan.h:188 [inline]
 slab_post_alloc_hook mm/slab.h:762 [inline]
 slab_alloc_node mm/slab.c:3237 [inline]
 kmem_cache_alloc_node+0x173/0x540 mm/slab.c:3509
 __alloc_skb+0x287/0x330 net/core/skbuff.c:640
 alloc_skb include/linux/skbuff.h:1286 [inline]
 alloc_skb_with_frags+0xe4/0x710 net/core/skbuff.c:6313
 sock_alloc_send_pskb+0x7e4/0x970 net/core/sock.c:2795
 unix_dgram_sendmsg+0x455/0x1c30 net/unix/af_unix.c:1953
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg+0xd5/0x180 net/socket.c:745
 sock_write_iter+0x29b/0x3d0 net/socket.c:1158
 call_write_iter include/linux/fs.h:1956 [inline]
 new_sync_write fs/read_write.c:491 [inline]
 vfs_write+0x650/0xe40 fs/read_write.c:584
 ksys_write+0x1f0/0x250 fs/read_write.c:637

Memory state around the buggy address:
 ffff888022a59900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888022a59980: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
>ffff888022a59a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                             ^
 ffff888022a59a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888022a59b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
----------------
Code disassembly (best guess), 3 bytes skipped:
   0:	48 c7 c3 e8 6d 03 00 	mov    $0x36de8,%rbx
   7:	83 f8 07             	cmp    $0x7,%eax
   a:	89 c5                	mov    %eax,%ebp
   c:	77 7a                	ja     0x88
   e:	48 8d 3c ed 40 ba 5c 	lea    -0x73a345c0(,%rbp,8),%rdi
  15:	8c
  16:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  1d:	fc ff df
  20:	48 89 fa             	mov    %rdi,%rdx
  23:	48 c1 ea 03          	shr    $0x3,%rdx
* 27:	80 3c 02 00          	cmpb   $0x0,(%rdx,%rax,1) <-- trapping instruction
  2b:	75 54                	jne    0x81
  2d:	48 03 1c ed 40 ba 5c 	add    -0x73a345c0(,%rbp,8),%rbx
  34:	8c
  35:	48                   	rex.W
  36:	b8 00 00 00 00       	mov    $0x0,%eax
  3b:	00 fc                	add    %bh,%ah


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Re: [syzbot] [kernel?] KASAN: slab-use-after-free Read in reweight_entity

[Dmitry Safonov]

FWIW,
Managed to locally reproduce it twice on 58720809f527 (tag: v6.6-rc6)
Linux 6.6-rc6 + TCP-AO patches on the top.
(but can't reproduce reliably at will)

[dima@Mindolluin linux-tcp-ao]$ ./scripts/faddr2line vmlinux
reweight_entity+0x3b0/0x490
reweight_entity+0x3b0/0x490:
__update_min_deadline at kernel/sched/fair.c:805
(inlined by) min_deadline_update at kernel/sched/fair.c:819
(inlined by) min_deadline_cb_propagate at kernel/sched/fair.c:825
(inlined by) reweight_entity at kernel/sched/fair.c:3660

[  258.450573] TCP: AO key not found for (10.0.1.1,
58651)->(10.0.254.1, 7018) S keyid: 100 L3index: 0
[  259.482680] ==================================================================
[  259.483732] BUG: KASAN: slab-use-after-free in reweight_entity+0x3b0/0x490
[  259.484564] Read of size 8 at addr ffff88800859dcf0 by task
unsigned-md5_ip/2535

[  259.485593] CPU: 0 PID: 2535 Comm: unsigned-md5_ip Not tainted 6.6.0-rc6+ #7
[  259.486393] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009),
BIOS Arch Linux 1.16.2-2-2 04/01/2014
[  259.487445] Call Trace:
[  259.487783]  <TASK>
[  259.488057]  dump_stack_lvl+0x46/0x70
[  259.488578]  print_report+0xc5/0x610
[  259.489099]  ? lock_acquire+0x162/0x3d0
[  259.489641]  ? __virt_addr_valid+0xbe/0x130
[  259.490211]  kasan_report+0xbe/0xf0
[  259.490902]  ? reweight_entity+0x3b0/0x490
[  259.491683]  ? reweight_entity+0x3b0/0x490
[  259.492475]  reweight_entity+0x3b0/0x490
[  259.493319]  enqueue_task_fair+0x944/0xc90
[  259.494146]  activate_task+0x95/0x1b0
[  259.494932]  ttwu_do_activate+0x91/0x3c0
[  259.495645]  try_to_wake_up+0x423/0xd60
[  259.496425]  ? sched_ttwu_pending+0x260/0x260
[  259.497543]  ? _raw_spin_unlock+0x29/0x40
[  259.498301]  wake_up_q+0x6f/0xf0
[  259.498889]  __mutex_unlock_slowpath+0x19b/0x3e0
[  259.500191]  ? bit_wait_io_timeout+0xc0/0xc0
[  259.501691]  ? reacquire_held_locks+0x280/0x280
[  259.502634]  ? rcu_is_watching+0x34/0x50
[  259.503485]  __rtnl_unlock+0x3f/0x80
[  259.504089]  netdev_run_todo+0x1b7/0x840
[  259.504721]  ? generic_xdp_install+0x2a0/0x2a0
[  259.505394]  ? __kmem_cache_free+0x192/0x2b0
[  259.506021]  ? rtnl_newlink+0x59/0x70
[  259.506562]  rtnetlink_rcv_msg+0x200/0x650
[  259.507088]  ? rtnl_getlink+0x590/0x590
[  259.507600]  ? lockdep_hardirqs_on_prepare+0x220/0x220
[  259.508247]  ? find_held_lock+0x8a/0xa0
[  259.508750]  ? local_clock_noinstr+0x9/0xb0
[  259.509254]  netlink_rcv_skb+0xdd/0x210
[  259.509751]  ? rtnl_getlink+0x590/0x590
[  259.510214]  ? netlink_ack+0x840/0x840
[  259.511082]  ? lock_sync+0x100/0x100
[  259.511775]  ? __rcu_read_unlock+0x6b/0x2a0
[  259.512822]  ? netlink_deliver_tap+0xfe/0x620
[  259.513527]  netlink_unicast+0x2f3/0x480
[  259.514105]  ? netlink_attachskb+0x440/0x440
[  259.514642]  netlink_sendmsg+0x3c0/0x6e0
[  259.515108]  ? netlink_unicast+0x480/0x480
[  259.515572]  ? netlink_unicast+0x480/0x480
[  259.516030]  __sock_sendmsg+0x73/0xc0
[  259.516425]  __sys_sendto+0x18b/0x210
[  259.516878]  ? __ia32_sys_getpeername+0x50/0x50
[  259.517435]  ? mark_held_locks+0x1a/0x80
[  259.517949]  __x64_sys_sendto+0x72/0x80
[  259.518457]  do_syscall_64+0x35/0x80
[  259.518945]  entry_SYSCALL_64_after_hwframe+0x46/0xb0
[  259.519626] RIP: 0033:0x7f62cf55f9ec
[  259.520117] Code: 89 4c 24 1c e8 a5 63 f7 ff 44 8b 54 24 1c 8b 3c
24 45 31 c9 89 c5 48 8b 54 24 10 48 8b 74 24 08 45 31 c0 b8 2c 00 00
00 0f 05 <48> 3d 00 f0 ff ff 77 34 89 ef 48 89 04 24 e8 f1 63 f7 ff 48
8b 04
[  259.522762] RSP: 002b:00007ffddd3c4c90 EFLAGS: 00000246 ORIG_RAX:
000000000000002c
[  259.523854] RAX: ffffffffffffffda RBX: 00007ffddd3c4cd0 RCX: 00007f62cf55f9ec
[  259.524768] RDX: 0000000000000044 RSI: 00007ffddd3c4cd0 RDI: 0000000000000006
[  259.525679] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[  259.526585] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000038
[  259.528558] R13: 0000000000000006 R14: 00007ffddd3c4cfc R15: 00007ffddd3c4d08
[  259.529452]  </TASK>

[  259.529950] Allocated by task 31:
[  259.530390]  kasan_save_stack+0x21/0x40
[  259.530904]  kasan_set_track+0x21/0x30
[  259.531399]  __kasan_slab_alloc+0x62/0x70
[  259.531946]  kmem_cache_alloc_node+0x187/0x370
[  259.532551]  copy_process+0x2c4/0x3460
[  259.533080]  kernel_clone+0xf6/0x570
[  259.533553]  user_mode_thread+0xab/0xe0
[  259.534067]  call_usermodehelper_exec_work+0x78/0xb0
[  259.534713]  process_one_work+0x439/0x8d0
[  259.535240]  worker_thread+0x393/0x680
[  259.535733]  kthread+0x1ad/0x1f0
[  259.536192]  ret_from_fork+0x2d/0x50
[  259.536682]  ret_from_fork_asm+0x11/0x20

[  259.537439] Freed by task 21:
[  259.537837]  kasan_save_stack+0x21/0x40
[  259.538350]  kasan_set_track+0x21/0x30
[  259.538864]  kasan_save_free_info+0x27/0x40
[  259.539427]  __kasan_slab_free+0x106/0x180
[  259.539932]  kmem_cache_free+0x1d4/0x460
[  259.540437]  delayed_put_task_struct+0x131/0x170
[  259.541068]  rcu_core+0x63d/0x1470
[  259.541494]  __do_softirq+0x10f/0x51b

[  259.542145] Last potentially related work creation:
[  259.542746]  kasan_save_stack+0x21/0x40
[  259.544124]  __kasan_record_aux_stack+0x94/0xa0
[  259.545804]  __call_rcu_common.constprop.0+0x47/0x620
[  259.546507]  __schedule+0x74c/0x1490
[  259.547010]  schedule+0x81/0xe0
[  259.547458]  schedule_timeout+0x138/0x2a0
[  259.548006]  rcu_gp_fqs_loop+0x1c0/0x990
[  259.548522]  rcu_gp_kthread+0x307/0x3a0
[  259.549032]  kthread+0x1ad/0x1f0
[  259.549471]  ret_from_fork+0x2d/0x50
[  259.549965]  ret_from_fork_asm+0x11/0x20

[  259.550727] Second to last potentially related work creation:
[  259.551493]  kasan_save_stack+0x21/0x40
[  259.552017]  __kasan_record_aux_stack+0x94/0xa0
[  259.552609]  __call_rcu_common.constprop.0+0x47/0x620
[  259.553263]  wait_consider_task+0xad9/0x1a50
[  259.553868]  do_wait+0x3b7/0x530
[  259.554351]  kernel_wait4+0xf0/0x1c0
[  259.554841]  __do_sys_wait4+0xf5/0x100
[  259.555417]  do_syscall_64+0x35/0x80
[  259.555978]  entry_SYSCALL_64_after_hwframe+0x46/0xb0

[  259.556927] The buggy address belongs to the object at ffff88800859dc40
                which belongs to the cache task_struct of size 7616
[  259.558500] The buggy address is located 176 bytes inside of
                freed 7616-byte region [ffff88800859dc40, ffff88800859fa00)

[  259.560279] The buggy address belongs to the physical page:
[  259.561018] page:ffffea0000216600 refcount:1 mapcount:0
mapping:0000000000000000 index:0x0 pfn:0x8598
[  259.562223] head:ffffea0000216600 order:3 entire_mapcount:0
nr_pages_mapped:0 pincount:0
[  259.563253] memcg:ffff8880061adcc1
[  259.563701] flags: 0x100000000000840(slab|head|node=0|zone=1)
[  259.564489] page_type: 0xffffffff()
[  259.564968] raw: 0100000000000840 ffff888001270500 ffffea0000132000
dead000000000002
[  259.565986] raw: 0000000000000000 0000000080040004 00000001ffffffff
ffff8880061adcc1
[  259.566960] page dumped because: kasan: bad access detected

[  259.567919] Memory state around the buggy address:
[  259.568556]  ffff88800859db80: fc fc fc fc fc fc fc fc fc fc fc fc
fc fc fc fc
[  259.569494]  ffff88800859dc00: fc fc fc fc fc fc fc fc fa fb fb fb
fb fb fb fb
[  259.570401] >ffff88800859dc80: fb fb fb fb fb fb fb fb fb fb fb fb
fb fb fb fb
[  259.571290]                                                              ^
[  259.572200]  ffff88800859dd00: fb fb fb fb fb fb fb fb fb fb fb fb
fb fb fb fb
[  259.573044]  ffff88800859dd80: fb fb fb fb fb fb fb fb fb fb fb fb
fb fb fb fb
[  259.574019] ==================================================================
[  259.575110] Disabling lock debugging due to kernel taint

And the second hit:

[   36.796236] TCP: AO key not found for (10.0.1.1,
35779)->(10.0.254.1, 7018) S keyid: 100 L3index: 0
[   37.869018] ==================================================================
[   37.870095] BUG: KASAN: slab-use-after-free in reweight_entity+0x3b0/0x490
[   37.870728] Read of size 8 at addr ffff88800fd51f70 by task
unsigned-md5_ip/1488

[   37.871569] CPU: 1 PID: 1488 Comm: unsigned-md5_ip Not tainted 6.6.0-rc6+ #10
[   37.872272] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009),
BIOS Arch Linux 1.16.2-2-2 04/01/2014
[   37.873054] Call Trace:
[   37.873275]  <IRQ>
[   37.873455]  dump_stack_lvl+0x46/0x70
[   37.873780]  print_report+0xc5/0x610
[   37.874147]  ? __virt_addr_valid+0xbe/0x130
[   37.874544]  kasan_report+0xbe/0xf0
[   37.874870]  ? reweight_entity+0x3b0/0x490
[   37.875240]  ? reweight_entity+0x3b0/0x490
[   37.875588]  reweight_entity+0x3b0/0x490
[   37.875923]  task_tick_fair+0x8e/0x3e0
[   37.876257]  ? lock_is_held_type+0xbf/0x110
[   37.876621]  scheduler_tick+0xef/0x210
[   37.876944]  update_process_times+0xb9/0xd0
[   37.877314]  tick_sched_handle+0x37/0x90
[   37.877660]  tick_sched_timer+0x84/0xa0
[   37.877989]  ? tick_sched_do_timer+0x100/0x100
[   37.878437]  __hrtimer_run_queues+0x35e/0x600
[   37.878828]  ? enqueue_hrtimer+0x140/0x140
[   37.879254]  ? kvm_clock_get_cycles+0x14/0x30
[   37.879652]  ? ktime_get_update_offsets_now+0xd9/0x1d0
[   37.880146]  hrtimer_interrupt+0x1b4/0x360
[   37.880506]  __sysvec_apic_timer_interrupt+0xb7/0x280
[   37.880941]  sysvec_apic_timer_interrupt+0x85/0xb0
[   37.881379]  </IRQ>
[   37.881565]  <TASK>
[   37.881751]  asm_sysvec_apic_timer_interrupt+0x16/0x20
[   37.882204] RIP: 0010:insert_header+0x3cf/0x8a0
[   37.882600] Code: 8b 7c 24 20 e8 32 17 ec ff 49 c7 47 38 00 00 00
00 48 89 df e8 12 fa ff ff 48 83 c4 60 89 e8 5b 5d 41 5c 41 5d 41 5e
41 5f c3 <48> 8d 6b 10 e9 f4 fd ff ff 31 db 4c 89 ef e8 fe 16 ec ff 49
89 5d
[   37.884196] RSP: 0018:ffffc9000114f240 EFLAGS: 00000286
[   37.884656] RAX: 00000000ffffffff RBX: ffff88800fd72590 RCX: ffffffff8e5cb5f1
[   37.885266] RDX: 1ffffffff1db04b4 RSI: 0000000000000008 RDI: ffffffff8ed825a1
[   37.885857] RBP: 000000000000000d R08: 0000000000000000 R09: fffffbfff1db04b4
[   37.886475] R10: ffffffff8ed825a7 R11: 0000000000000001 R12: 0000000000000013
[   37.887087] R13: ffff88800fd72690 R14: ffffffff8ed827a0 R15: ffffffff8ed825a0
[   37.887681]  ? memcmp+0x41/0xa0
[   37.887972]  __register_sysctl_table+0x57d/0xac0
[   37.888378]  ? proc_sys_evict_inode+0xa0/0xa0
[   37.888751]  ? rcu_is_watching+0x34/0x50
[   37.889134]  ? register_net_sysctl_sz+0xef/0x200
[   37.889531]  __addrconf_sysctl_register+0x16f/0x270
[   37.889954]  ? inet6_netconf_notify_devconf+0x100/0x100
[   37.890408]  ? lockdep_init_map_type+0xe8/0x390
[   37.890798]  addrconf_sysctl_register+0xa5/0xd0
[   37.891213]  ipv6_add_dev+0x4d5/0x890
[   37.891537]  addrconf_notify+0x21a/0xad0
[   37.891876]  ? cfg80211_netdev_notifier_call+0x31/0x750
[   37.892336]  ? lockdep_rtnl_is_held+0x16/0x20
[   37.892732]  notifier_call_chain+0x56/0x180
[   37.893130]  register_netdevice+0x83d/0x960
[   37.893487]  ? unregister_netdevice_queue+0x1e0/0x1e0
[   37.893911]  ? alloc_netdev_mqs+0x78a/0x800
[   37.894318]  vrf_newlink+0x8b/0x4f0
[   37.894654]  __rtnl_newlink+0x7ea/0xc90
[   37.895011]  ? rtnl_setlink+0x250/0x250
[   37.895351]  ? reacquire_held_locks+0x280/0x280
[   37.895753]  ? kasan_unpoison+0x40/0x60
[   37.896112]  ? rtnl_newlink+0x36/0x70
[   37.896439]  rtnl_newlink+0x4f/0x70
[   37.896749]  rtnetlink_rcv_msg+0x1f8/0x650
[   37.897263]  ? rtnl_getlink+0x590/0x590
[   37.897616]  ? lockdep_hardirqs_on_prepare+0x220/0x220
[   37.898089]  ? find_held_lock+0x8a/0xa0
[   37.898462]  ? local_clock_noinstr+0x9/0xb0
[   37.898896]  netlink_rcv_skb+0xdd/0x210
[   37.899709]  ? rtnl_getlink+0x590/0x590
[   37.900112]  ? netlink_ack+0x840/0x840
[   37.900468]  ? lock_sync+0x100/0x100
[   37.900784]  ? __rcu_read_unlock+0x6b/0x2a0
[   37.901198]  ? netlink_deliver_tap+0xfe/0x620
[   37.901583]  netlink_unicast+0x2f3/0x480
[   37.901926]  ? netlink_attachskb+0x440/0x440
[   37.902318]  netlink_sendmsg+0x3c0/0x6e0
[   37.902662]  ? netlink_unicast+0x480/0x480
[   37.903037]  ? netlink_unicast+0x480/0x480
[   37.903396]  __sock_sendmsg+0x73/0xc0
[   37.903725]  __sys_sendto+0x18b/0x210
[   37.904084]  ? __ia32_sys_getpeername+0x50/0x50
[   37.904521]  ? mark_held_locks+0x1a/0x80
[   37.904892]  __x64_sys_sendto+0x72/0x80
[   37.905257]  do_syscall_64+0x35/0x80
[   37.905584]  entry_SYSCALL_64_after_hwframe+0x46/0xb0
[   37.906053] RIP: 0033:0x7fb3d69e69ec
[   37.906379] Code: 89 4c 24 1c e8 a5 63 f7 ff 44 8b 54 24 1c 8b 3c
24 45 31 c9 89 c5 48 8b 54 24 10 48 8b 74 24 08 45 31 c0 b8 2c 00 00
00 0f 05 <48> 3d 00 f0 ff ff 77 34 89 ef 48 89 04 24 e8 f1 63 f7 ff 48
8b 04
[   37.907987] RSP: 002b:00007fff52147f60 EFLAGS: 00000246 ORIG_RAX:
000000000000002c
[   37.908695] RAX: ffffffffffffffda RBX: 00007fff52147fa0 RCX: 00007fb3d69e69ec
[   37.909335] RDX: 0000000000000044 RSI: 00007fff52147fa0 RDI: 0000000000000006
[   37.909978] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   37.910597] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000038
[   37.911224] R13: 0000000000000006 R14: 00007fff52147fcc R15: 00007fff52147fd8
[   37.911894]  </TASK>

[   37.912609] Allocated by task 817:
[   37.913277]  kasan_save_stack+0x21/0x40
[   37.913712]  kasan_set_track+0x21/0x30
[   37.914070]  __kasan_slab_alloc+0x62/0x70
[   37.914436]  kmem_cache_alloc_node+0x187/0x370
[   37.914835]  copy_process+0x2c4/0x3460
[   37.915187]  kernel_clone+0xf6/0x570
[   37.915502]  user_mode_thread+0xab/0xe0
[   37.915837]  call_usermodehelper_exec_work+0x78/0xb0
[   37.916288]  process_one_work+0x439/0x8d0
[   37.916652]  worker_thread+0x393/0x680
[   37.917001]  kthread+0x1ad/0x1f0
[   37.917343]  ret_from_fork+0x2d/0x50
[   37.917673]  ret_from_fork_asm+0x11/0x20

[   37.918208] Freed by task 0:
[   37.918471]  kasan_save_stack+0x21/0x40
[   37.918833]  kasan_set_track+0x21/0x30
[   37.919192]  kasan_save_free_info+0x27/0x40
[   37.919576]  __kasan_slab_free+0x106/0x180
[   37.919967]  kmem_cache_free+0x1d4/0x460
[   37.920337]  delayed_put_task_struct+0x131/0x170
[   37.920762]  rcu_core+0x63d/0x1470
[   37.921113]  __do_softirq+0x10f/0x51b

[   37.921613] Last potentially related work creation:
[   37.922097]  kasan_save_stack+0x21/0x40
[   37.922460]  __kasan_record_aux_stack+0x94/0xa0
[   37.922875]  __call_rcu_common.constprop.0+0x47/0x620
[   37.923353]  __schedule+0x74c/0x1490
[   37.923685]  schedule+0x81/0xe0
[   37.923989]  schedule_timeout+0x138/0x2a0
[   37.924365]  rcu_gp_fqs_loop+0x1c0/0x990
[   37.924737]  rcu_gp_kthread+0x307/0x3a0
[   37.925112]  kthread+0x1ad/0x1f0
[   37.925416]  ret_from_fork+0x2d/0x50
[   37.925753]  ret_from_fork_asm+0x11/0x20

[   37.926280] The buggy address belongs to the object at ffff88800fd51ec0
                which belongs to the cache task_struct of size 7616
[   37.927547] The buggy address is located 176 bytes inside of
                freed 7616-byte region [ffff88800fd51ec0, ffff88800fd53c80)

[   37.928923] The buggy address belongs to the physical page:
[   37.929463] page:ffffea00003f5400 refcount:1 mapcount:0
mapping:0000000000000000 index:0x0 pfn:0xfd50
[   37.930370] head:ffffea00003f5400 order:3 entire_mapcount:0
nr_pages_mapped:0 pincount:0
[   37.931313] memcg:ffff888006cc0f41
[   37.931735] flags: 0x100000000000840(slab|head|node=0|zone=1)
[   37.932434] page_type: 0xffffffff()
[   37.932787] raw: 0100000000000840 ffff888001270500 dead000000000122
0000000000000000
[   37.933502] raw: 0000000000000000 0000000080040004 00000001ffffffff
ffff888006cc0f41
[   37.934220] page dumped because: kasan: bad access detected

[   37.934911] Memory state around the buggy address:
[   37.935377]  ffff88800fd51e00: fc fc fc fc fc fc fc fc fc fc fc fc
fc fc fc fc
[   37.936063]  ffff88800fd51e80: fc fc fc fc fc fc fc fc fa fb fb fb
fb fb fb fb
[   37.936729] >ffff88800fd51f00: fb fb fb fb fb fb fb fb fb fb fb fb
fb fb fb fb
[   37.937445]                                                              ^
[   37.938101]  ffff88800fd51f80: fb fb fb fb fb fb fb fb fb fb fb fb
fb fb fb fb
[   37.938817]  ffff88800fd52000: fb fb fb fb fb fb fb fb fb fb fb fb
fb fb fb fb
[   37.939655] ==================================================================
[   37.940196] Disabling lock debugging due to kernel taint


On Mon, 16 Oct 2023 at 08:41, syzbot
<syzbot+3908cdfd655fd839c82f@syzkaller.appspotmail.com> wrote:
>
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit:    9a3dad63edbe Merge tag '6.6-rc5-ksmbd-server-fixes' of git..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=1413e691680000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=5d83dadac33c08b7
> dashboard link: https://syzkaller.appspot.com/bug?extid=3908cdfd655fd839c82f
> compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=12a055f9680000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=103ef619680000
>
> Downloadable assets:
> disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7bc7510fe41f/non_bootable_disk-9a3dad63.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/98467f6633b7/vmlinux-9a3dad63.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/93b5cb4a26b0/bzImage-9a3dad63.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+3908cdfd655fd839c82f@syzkaller.appspotmail.com
>
> ==================================================================
> BUG: KASAN: slab-use-after-free in __update_min_deadline kernel/sched/fair.c:805 [inline]
> BUG: KASAN: slab-use-after-free in min_deadline_update kernel/sched/fair.c:819 [inline]
> BUG: KASAN: slab-use-after-free in min_deadline_cb_propagate kernel/sched/fair.c:825 [inline]
> BUG: KASAN: slab-use-after-free in reweight_entity+0x8e3/0xa60 kernel/sched/fair.c:3660
> Read of size 8 at addr ffff888022a59a70 by task syz-executor206/5331
>
> CPU: 3 PID: 5331 Comm: syz-executor206 Not tainted 6.6.0-rc5-syzkaller-00267-g9a3dad63edbe #0
> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
> Call Trace:
>  <IRQ>
>  __dump_stack lib/dump_stack.c:88 [inline]
>  dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
>  print_address_description mm/kasan/report.c:364 [inline]
>  print_report+0xc4/0x620 mm/kasan/report.c:475
>  kasan_report+0xda/0x110 mm/kasan/report.c:588
>  __update_min_deadline kernel/sched/fair.c:805 [inline]
>  min_deadline_update kernel/sched/fair.c:819 [inline]
>  min_deadline_cb_propagate kernel/sched/fair.c:825 [inline]
>  reweight_entity+0x8e3/0xa60 kernel/sched/fair.c:3660
>  entity_tick kernel/sched/fair.c:5317 [inline]
>  task_tick_fair+0xee/0xcd0 kernel/sched/fair.c:12392
>  scheduler_tick+0x210/0x650 kernel/sched/core.c:5657
>  update_process_times+0x19f/0x220 kernel/time/timer.c:2076
>  tick_sched_handle+0x8e/0x170 kernel/time/tick-sched.c:254
>  tick_sched_timer+0xe9/0x110 kernel/time/tick-sched.c:1492
>  __run_hrtimer kernel/time/hrtimer.c:1688 [inline]
>  __hrtimer_run_queues+0x647/0xc10 kernel/time/hrtimer.c:1752
>  hrtimer_interrupt+0x31b/0x800 kernel/time/hrtimer.c:1814
>  local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1063 [inline]
>  __sysvec_apic_timer_interrupt+0x105/0x3f0 arch/x86/kernel/apic/apic.c:1080
>  sysvec_apic_timer_interrupt+0x8e/0xc0 arch/x86/kernel/apic/apic.c:1074
>  </IRQ>
>  <TASK>
>  asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:645
> RIP: 0010:rcu_dynticks_curr_cpu_in_eqs include/linux/context_tracking.h:122 [inline]
> RIP: 0010:rcu_is_watching+0x39/0xb0 kernel/rcu/tree.c:699
> Code: a5 cf 08 48 c7 c3 e8 6d 03 00 83 f8 07 89 c5 77 7a 48 8d 3c ed 40 ba 5c 8c 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 75 54 48 03 1c ed 40 ba 5c 8c 48 b8 00 00 00 00 00 fc
> RSP: 0018:ffffc90003cc73d8 EFLAGS: 00000a06
> RAX: dffffc0000000000 RBX: 0000000000036de8 RCX: 1ffffffff1d9a7c0
> RDX: 1ffffffff18b974b RSI: ffffffff8ae90aa0 RDI: ffffffff8c5cba58
> RBP: 0000000000000003 R08: 0000000000000007 R09: ffffffffff600000
> R10: 00007fcac0348000 R11: dffffc0000000000 R12: ffffc90003cc7488
> R13: ffffffff81747dc0 R14: ffffc90003cc7500 R15: ffff88802787c780
>  kernel_text_address kernel/extable.c:113 [inline]
>  kernel_text_address+0x62/0xd0 kernel/extable.c:94
>  __kernel_text_address+0xd/0x30 kernel/extable.c:79
>  unwind_get_return_address+0x78/0xe0 arch/x86/kernel/unwind_orc.c:369
>  arch_stack_walk+0xbe/0x170 arch/x86/kernel/stacktrace.c:26
>  stack_trace_save+0x96/0xd0 kernel/stacktrace.c:122
>  kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
>  kasan_set_track+0x25/0x30 mm/kasan/common.c:52
>  __kasan_slab_alloc+0x81/0x90 mm/kasan/common.c:328
>  kasan_slab_alloc include/linux/kasan.h:188 [inline]
>  slab_post_alloc_hook mm/slab.h:762 [inline]
>  slab_alloc_node mm/slab.c:3237 [inline]
>  slab_alloc mm/slab.c:3246 [inline]
>  __kmem_cache_alloc_lru mm/slab.c:3423 [inline]
>  kmem_cache_alloc+0x159/0x400 mm/slab.c:3432
>  kmem_cache_zalloc include/linux/slab.h:710 [inline]
>  alloc_buffer_head+0x21/0x140 fs/buffer.c:3023
>  folio_alloc_buffers+0x2e7/0x7f0 fs/buffer.c:935
>  folio_create_empty_buffers+0x36/0x470 fs/buffer.c:1648
>  ext4_block_write_begin+0xcc4/0xf10 fs/ext4/inode.c:1024
>  ext4_da_write_begin+0x40a/0x8c0 fs/ext4/inode.c:2890
>  generic_perform_write+0x278/0x600 mm/filemap.c:3969
>  ext4_buffered_write_iter+0x11f/0x3c0 fs/ext4/file.c:299
>  ext4_file_write_iter+0x7f7/0x1860 fs/ext4/file.c:717
>  call_write_iter include/linux/fs.h:1956 [inline]
>  new_sync_write fs/read_write.c:491 [inline]
>  vfs_write+0x650/0xe40 fs/read_write.c:584
>  ksys_write+0x12f/0x250 fs/read_write.c:637
>  do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>  do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
>  entry_SYSCALL_64_after_hwframe+0x63/0xcd
> RIP: 0033:0x7fcac0348789
> Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007fff03860d58 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
> RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fcac0348789
> RDX: 000000000208e24b RSI: 0000000020000100 RDI: 0000000000000005
> RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 00007fff03860d7c
> R13: 00007fff03860d90 R14: 00007fff03860dd0 R15: 0000000000000015
>  </TASK>
>
> Allocated by task 2:
>  kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
>  kasan_set_track+0x25/0x30 mm/kasan/common.c:52
>  __kasan_slab_alloc+0x81/0x90 mm/kasan/common.c:328
>  kasan_slab_alloc include/linux/kasan.h:188 [inline]
>  slab_post_alloc_hook mm/slab.h:762 [inline]
>  slab_alloc_node mm/slab.c:3237 [inline]
>  kmem_cache_alloc_node+0x173/0x540 mm/slab.c:3509
>  alloc_task_struct_node kernel/fork.c:173 [inline]
>  dup_task_struct kernel/fork.c:1110 [inline]
>  copy_process+0x41c/0x73f0 kernel/fork.c:2327
>  kernel_clone+0xfd/0x920 kernel/fork.c:2909
>  kernel_thread+0xc0/0x100 kernel/fork.c:2971
>  create_kthread kernel/kthread.c:411 [inline]
>  kthreadd+0x4fb/0x7d0 kernel/kthread.c:746
>  ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
>  ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
>
> Freed by task 21:
>  kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
>  kasan_set_track+0x25/0x30 mm/kasan/common.c:52
>  kasan_save_free_info+0x28/0x40 mm/kasan/generic.c:522
>  ____kasan_slab_free mm/kasan/common.c:236 [inline]
>  ____kasan_slab_free+0x138/0x190 mm/kasan/common.c:200
>  kasan_slab_free include/linux/kasan.h:164 [inline]
>  __cache_free mm/slab.c:3370 [inline]
>  __do_kmem_cache_free mm/slab.c:3557 [inline]
>  kmem_cache_free+0x104/0x380 mm/slab.c:3582
>  put_task_struct include/linux/sched/task.h:136 [inline]
>  put_task_struct include/linux/sched/task.h:123 [inline]
>  delayed_put_task_struct+0x21b/0x2b0 kernel/exit.c:226
>  rcu_do_batch kernel/rcu/tree.c:2139 [inline]
>  rcu_core+0x805/0x1bb0 kernel/rcu/tree.c:2403
>  __do_softirq+0x218/0x965 kernel/softirq.c:553
>
> Last potentially related work creation:
>  kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
>  __kasan_record_aux_stack+0x78/0x80 mm/kasan/generic.c:492
>  __call_rcu_common.constprop.0+0x9a/0x790 kernel/rcu/tree.c:2653
>  put_task_struct_rcu_user kernel/exit.c:232 [inline]
>  put_task_struct_rcu_user+0x87/0xc0 kernel/exit.c:229
>  context_switch kernel/sched/core.c:5385 [inline]
>  __schedule+0xee9/0x5a10 kernel/sched/core.c:6695
>  schedule+0xe7/0x1b0 kernel/sched/core.c:6771
>  schedule_timeout+0x278/0x2c0 kernel/time/timer.c:2143
>  do_wait_for_common kernel/sched/completion.c:95 [inline]
>  __wait_for_common+0x3e0/0x5f0 kernel/sched/completion.c:116
>  kthread_stop+0x18e/0x5f0 kernel/kthread.c:709
>  kvm_mmu_pre_destroy_vm+0x44/0x60 arch/x86/kvm/mmu/mmu.c:7160
>  kvm_destroy_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:1313 [inline]
>  kvm_put_kvm+0x254/0xad0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1373
>  kvm_vm_release+0x42/0x50 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1396
>  __fput+0x3f7/0xa70 fs/file_table.c:384
>  __fput_sync+0x47/0x50 fs/file_table.c:465
>  __do_sys_close fs/open.c:1572 [inline]
>  __se_sys_close fs/open.c:1557 [inline]
>  __x64_sys_close+0x87/0xf0 fs/open.c:1557
>  do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>  do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
>  entry_SYSCALL_64_after_hwframe+0x63/0xcd
>
> Second to last potentially related work creation:
>  kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
>  __kasan_record_aux_stack+0x78/0x80 mm/kasan/generic.c:492
>  __call_rcu_common.constprop.0+0x9a/0x790 kernel/rcu/tree.c:2653
>  put_task_struct_rcu_user kernel/exit.c:232 [inline]
>  put_task_struct_rcu_user+0x87/0xc0 kernel/exit.c:229
>  context_switch kernel/sched/core.c:5385 [inline]
>  __schedule+0xee9/0x5a10 kernel/sched/core.c:6695
>  schedule+0xe7/0x1b0 kernel/sched/core.c:6771
>  schedule_timeout+0x278/0x2c0 kernel/time/timer.c:2143
>  do_wait_for_common kernel/sched/completion.c:95 [inline]
>  __wait_for_common+0x3e0/0x5f0 kernel/sched/completion.c:116
>  kthread_stop+0x18e/0x5f0 kernel/kthread.c:709
>  kvm_mmu_pre_destroy_vm+0x44/0x60 arch/x86/kvm/mmu/mmu.c:7160
>  kvm_destroy_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:1313 [inline]
>  kvm_put_kvm+0x254/0xad0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1373
>  kvm_vm_release+0x42/0x50 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1396
>  __fput+0x3f7/0xa70 fs/file_table.c:384
>  __fput_sync+0x47/0x50 fs/file_table.c:465
>  __do_sys_close fs/open.c:1572 [inline]
>  __se_sys_close fs/open.c:1557 [inline]
>  __x64_sys_close+0x87/0xf0 fs/open.c:1557
>  do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>  do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
>  entry_SYSCALL_64_after_hwframe+0x63/0xcd
>
> The buggy address belongs to the object at ffff888022a599c0
>  which belongs to the cache task_struct of size 8960
> The buggy address is located 176 bytes inside of
>  freed 8960-byte region [ffff888022a599c0, ffff888022a5bcc0)
>
> The buggy address belongs to the physical page:
> page:ffffea00008a9600 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x22a58
> head:ffffea00008a9600 order:2 entire_mapcount:0 nr_pages_mapped:0 pincount:0
> flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff)
> page_type: 0x1()
> raw: 00fff00000000840 ffff88810005a500 ffffea00009ffb10 ffffea0000bf6410
> raw: 0000000000000000 ffff888022a599c0 0000000100000001 0000000000000000
> page dumped because: kasan: bad access detected
> page_owner tracks the page as allocated
> page last allocated via order 2, migratetype Unmovable, gfp_mask 0x2420c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_COMP|__GFP_THISNODE), pid 4949, tgid 4949 (dhcpcd-run-hook), ts 26983961004, free_ts 23254563577
>  set_page_owner include/linux/page_owner.h:31 [inline]
>  post_alloc_hook+0x2cf/0x340 mm/page_alloc.c:1536
>  prep_new_page mm/page_alloc.c:1543 [inline]
>  get_page_from_freelist+0xee0/0x2f20 mm/page_alloc.c:3170
>  __alloc_pages+0x1d0/0x4a0 mm/page_alloc.c:4426
>  __alloc_pages_node include/linux/gfp.h:237 [inline]
>  kmem_getpages mm/slab.c:1356 [inline]
>  cache_grow_begin+0x99/0x3a0 mm/slab.c:2550
>  cache_alloc_refill+0x294/0x3a0 mm/slab.c:2923
>  ____cache_alloc mm/slab.c:2999 [inline]
>  ____cache_alloc mm/slab.c:2982 [inline]
>  __do_cache_alloc mm/slab.c:3182 [inline]
>  slab_alloc_node mm/slab.c:3230 [inline]
>  kmem_cache_alloc_node+0x481/0x540 mm/slab.c:3509
>  alloc_task_struct_node kernel/fork.c:173 [inline]
>  dup_task_struct kernel/fork.c:1110 [inline]
>  copy_process+0x41c/0x73f0 kernel/fork.c:2327
>  kernel_clone+0xfd/0x920 kernel/fork.c:2909
>  __do_sys_clone+0xba/0x100 kernel/fork.c:3052
>  do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>  do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
>  entry_SYSCALL_64_after_hwframe+0x63/0xcd
> page last free stack trace:
>  reset_page_owner include/linux/page_owner.h:24 [inline]
>  free_pages_prepare mm/page_alloc.c:1136 [inline]
>  free_unref_page_prepare+0x476/0xa40 mm/page_alloc.c:2312
>  free_unref_page+0x33/0x3b0 mm/page_alloc.c:2405
>  slab_destroy mm/slab.c:1608 [inline]
>  slabs_destroy+0x85/0xc0 mm/slab.c:1628
>  cache_flusharray mm/slab.c:3341 [inline]
>  ___cache_free+0x2b7/0x420 mm/slab.c:3404
>  qlink_free mm/kasan/quarantine.c:166 [inline]
>  qlist_free_all+0x4c/0x1b0 mm/kasan/quarantine.c:185
>  kasan_quarantine_reduce+0x18e/0x1d0 mm/kasan/quarantine.c:292
>  __kasan_slab_alloc+0x65/0x90 mm/kasan/common.c:305
>  kasan_slab_alloc include/linux/kasan.h:188 [inline]
>  slab_post_alloc_hook mm/slab.h:762 [inline]
>  slab_alloc_node mm/slab.c:3237 [inline]
>  kmem_cache_alloc_node+0x173/0x540 mm/slab.c:3509
>  __alloc_skb+0x287/0x330 net/core/skbuff.c:640
>  alloc_skb include/linux/skbuff.h:1286 [inline]
>  alloc_skb_with_frags+0xe4/0x710 net/core/skbuff.c:6313
>  sock_alloc_send_pskb+0x7e4/0x970 net/core/sock.c:2795
>  unix_dgram_sendmsg+0x455/0x1c30 net/unix/af_unix.c:1953
>  sock_sendmsg_nosec net/socket.c:730 [inline]
>  __sock_sendmsg+0xd5/0x180 net/socket.c:745
>  sock_write_iter+0x29b/0x3d0 net/socket.c:1158
>  call_write_iter include/linux/fs.h:1956 [inline]
>  new_sync_write fs/read_write.c:491 [inline]
>  vfs_write+0x650/0xe40 fs/read_write.c:584
>  ksys_write+0x1f0/0x250 fs/read_write.c:637
>
> Memory state around the buggy address:
>  ffff888022a59900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>  ffff888022a59980: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
> >ffff888022a59a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>                                                              ^
>  ffff888022a59a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>  ffff888022a59b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ==================================================================
> ----------------
> Code disassembly (best guess), 3 bytes skipped:
>    0:   48 c7 c3 e8 6d 03 00    mov    $0x36de8,%rbx
>    7:   83 f8 07                cmp    $0x7,%eax
>    a:   89 c5                   mov    %eax,%ebp
>    c:   77 7a                   ja     0x88
>    e:   48 8d 3c ed 40 ba 5c    lea    -0x73a345c0(,%rbp,8),%rdi
>   15:   8c
>   16:   48 b8 00 00 00 00 00    movabs $0xdffffc0000000000,%rax
>   1d:   fc ff df
>   20:   48 89 fa                mov    %rdi,%rdx
>   23:   48 c1 ea 03             shr    $0x3,%rdx
> * 27:   80 3c 02 00             cmpb   $0x0,(%rdx,%rax,1) <-- trapping instruction
>   2b:   75 54                   jne    0x81
>   2d:   48 03 1c ed 40 ba 5c    add    -0x73a345c0(,%rbp,8),%rbx
>   34:   8c
>   35:   48                      rex.W
>   36:   b8 00 00 00 00          mov    $0x0,%eax
>   3b:   00 fc                   add    %bh,%ah
>
>
> ---
> This report is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
>
> syzbot will keep track of this issue. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
>
> If the bug is already fixed, let syzbot know by replying with:
> #syz fix: exact-commit-title
>
> If you want syzbot to run the reproducer, reply with:
> #syz test: git://repo/address.git branch-or-commit-hash
> If you attach or paste a git patch, syzbot will apply it before testing.
>
> If you want to overwrite bug's subsystems, reply with:
> #syz set subsystems: new-subsystem
> (See the list of subsystem names on the web dashboard)
>
> If the bug is a duplicate of another bug, reply with:
> #syz dup: exact-subject-of-another-report
>
> If you want to undo deduplication, reply with:
> #syz undup



-- 
             Dmitry

Re: [syzbot] [kernel?] KASAN: slab-use-after-free Read in reweight_entity

[Peter Zijlstra]

On Tue, Oct 17, 2023 at 07:58:56PM +0100, Dmitry Safonov wrote:
> FWIW,
> Managed to locally reproduce it twice on 58720809f527 (tag: v6.6-rc6)
> Linux 6.6-rc6 + TCP-AO patches on the top.
> (but can't reproduce reliably at will)
> 
> [dima@Mindolluin linux-tcp-ao]$ ./scripts/faddr2line vmlinux
> reweight_entity+0x3b0/0x490
> reweight_entity+0x3b0/0x490:

Could you please try:

  https://git.kernel.org/pub/scm/linux/kernel/git/peterz/queue.git/commit/?h=sched/urgent&id=a3b75dce9d9ae4510ea75b655567f50622f48706


---
Subject: sched/eevdf: Fix heap corruption more
From: Peter Zijlstra <peterz@infradead.org>
Date: Tue Oct 17 16:59:47 CEST 2023

Because someone is a flaming idiot... :/

Fixes: 8dafa9d0eb1a ("sched/eevdf: Fix min_deadline heap integrity")
Reported-by: 0599jiangyc@gmail.com
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://bugzilla.kernel.org/show_bug.cgi?id=218020
---
 kernel/sched/fair.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/kernel/sched/fair.c
+++ b/kernel/sched/fair.c
@@ -3699,7 +3699,8 @@ static void reweight_entity(struct cfs_r
 		 */
 		deadline = div_s64(deadline * old_weight, weight);
 		se->deadline = se->vruntime + deadline;
-		min_deadline_cb_propagate(&se->run_node, NULL);
+		if (se != cfs_rq->curr)
+			min_deadline_cb_propagate(&se->run_node, NULL);
 	}
 
 #ifdef CONFIG_SMP

Re: [syzbot] [kernel?] KASAN: slab-use-after-free Read in reweight_entity

[Dmitry Safonov]

On 10/17/23 20:07, Peter Zijlstra wrote:
> On Tue, Oct 17, 2023 at 07:58:56PM +0100, Dmitry Safonov wrote:
>> FWIW,
>> Managed to locally reproduce it twice on 58720809f527 (tag: v6.6-rc6)
>> Linux 6.6-rc6 + TCP-AO patches on the top.
>> (but can't reproduce reliably at will)
>>
>> [dima@Mindolluin linux-tcp-ao]$ ./scripts/faddr2line vmlinux
>> reweight_entity+0x3b0/0x490
>> reweight_entity+0x3b0/0x490:
> 
> Could you please try:
> 
>   https://git.kernel.org/pub/scm/linux/kernel/git/peterz/queue.git/commit/?h=sched/urgent&id=a3b75dce9d9ae4510ea75b655567f50622f48706

I've run a hundred times the test that previously hit it twice, no
reproductions.

> ---
> Subject: sched/eevdf: Fix heap corruption more
> From: Peter Zijlstra <peterz@infradead.org>
> Date: Tue Oct 17 16:59:47 CEST 2023
> 
> Because someone is a flaming idiot... :/
> 
> Fixes: 8dafa9d0eb1a ("sched/eevdf: Fix min_deadline heap integrity")
> Reported-by: 0599jiangyc@gmail.com
> Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
> Link: https://bugzilla.kernel.org/show_bug.cgi?id=218020
> ---
>  kernel/sched/fair.c |    3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> --- a/kernel/sched/fair.c
> +++ b/kernel/sched/fair.c
> @@ -3699,7 +3699,8 @@ static void reweight_entity(struct cfs_r
>  		 */
>  		deadline = div_s64(deadline * old_weight, weight);
>  		se->deadline = se->vruntime + deadline;
> -		min_deadline_cb_propagate(&se->run_node, NULL);
> +		if (se != cfs_rq->curr)
> +			min_deadline_cb_propagate(&se->run_node, NULL);
>  	}
>  
>  #ifdef CONFIG_SMP

Thanks,
         Dmitry

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: yuran.pereira@hotmail.com

#syz test: https://kernel.googlesource.com/pub/scm/linux/kernel/git/torvalds/linux.git master

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: mazinalhaddad05@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
master

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: mazinalhaddad05@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
master

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: nogikh@google.com

The issue has not been happening for >1800 days.

#syz invalid

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: mazin@getstate.dev

#syz test

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: nogikh@google.com

#syz invalid

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: 
Author: bottaawesome633@gmail.com

#syz test

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: almaz.alexandrovich@paragon-software.com

#syz test: https://github.com/Paragon-Software-Group/linux-ntfs3.git 
d57431c6f511bf020e474026d9f3123d7bfbea8c

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: axboe@kernel.dk

#syz invalid

-- 
Jens Axboe

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: nogikh@google.com

#syz invalid

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: nogikh@google.com

#syz invalid

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: nogikh@google.com

The reproducer now hits

WARNING: CPU: 0 PID: 5640 at net/bluetooth/hci_conn.c:565
hci_conn_timeout+0xfb/0x290 net/bluetooth/hci_conn.c:565

for which we have a separate bug.

#syz invalid

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: nogikh@google.com

#syz invalid

Repro now triggers a different kind of problem

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: nogikh@google.com

#syz invalid

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: nogikh@google.com

#syz invalid

Repro triggers a different kind of an issue

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: nogikh@google.com

#syz invalid

Repro triggers a different problem

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: nogikh@google.com

#syz invalid

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: nogikh@google.com

#syz invalid

Repro triggers a different kind of problem

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix bcachefs: Fix lockdep splat in bch2_accounting_read

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix bcachefs: fix shift oob in alloc_lru_idx_fragmentation

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix bcachefs: Fix invalid shift in validate_sb_layout()

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: nogikh@google.com

#syz invalid

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix: bcachefs: -o norecovery now bails out of recovery earlier

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix: bcachefs: Ancient versions with bad bkey_formats are no longer supported

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix: bcachefs: Change OPT_STR max to be 1 less than the size of choices array

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix: bcachefs: bch2_btree_write_buffer_flush_going_ro()

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix: bcachefs: Fix missing validation for bch_backpointer.level

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix: bcachefs: bch2_btree_write_buffer_flush_going_ro()

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix: bcachefs: Fix bch_member.btree_bitmap_shift validation

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix: bcachefs: Fix validate_bset() repair path

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix: bcachefs: Fix validate_bset() repair path

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix: bcachefs: Fix assertion pop in topology repair

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix: bcachefs: Fix missing validation for bch_backpointer.level

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix: bcachefs: Allow for unknown key types in backpointers fsck

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix: bcachefs: bch2_btree_write_buffer_flush_going_ro()

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix: bcachefs: Fix journal_entry_dev_usage_to_text() overrun

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix: bcachefs: Fix assertion pop in bch2_ptr_swab()

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: nogikh@google.com

There will be no such crash title under the new report extraction rules

#syz invalid

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix: bcachefs: Fix btree node scan when unknown btree IDs are present

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix: bcachefs: Fix dup/misordered check in btree node read

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix: bcachefs: Kill bch2_bucket_alloc_new_fs()

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix: bcachefs: Kill bch2_bucket_alloc_new_fs()

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix: bcachefs: Don't try to en/decrypt when encryption not available

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix: bcachefs: Ignore empty btree root journal entries

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix: bcachefs: Guard against journal seq overflow

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix: bcachefs: Issue a transaction restart after commit in repair

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix: bcachefs: Guard against journal seq overflow

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix: bcachefs: Guard against journal seq overflow

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix: bcachefs: Fix btree node scan when unknown btree IDs are present

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix: bcachefs: Fix journal_iter list corruption

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix: bcachefs: struct bkey_validate_context

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix: bcachefs: Check for bucket journal sequence numbers from the future

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix: bcachefs: Check for inode journal seq in the future

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix: bcachefs: cryptographic MACs on superblock are not (yet?) supported

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix: bcachefs: bch2_trans_relock() is trylock for lockdep

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix: bcachefs: Check for extent crc uncompressed/compressed size mismatch

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix: bcachefs: Don't recurse in check_discard_freespace_key

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix: bcachefs: Kill bch2_get_next_backpointer()

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: mazin@getstate.dev

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: mazin@getstate.dev

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: mazin@getstate.dev

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: mazin@getstate.dev

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: mazin@getstate.dev

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: qasdev00@gmail.com

#syz test

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: mazin@getstate.dev

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: qasdev00@gmail.com

#syz test

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: qasdev00@gmail.com

#syz test

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: nogikh@google.com

#syz set subsystems: mm, fs

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: qasdev00@gmail.com

#syz test

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: qasdev00@gmail.com

#syz test

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: qasdev00@gmail.com

#syz test

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: nogikh@google.com

All the previous reasons for build breakages are no longer relevant.

#syz invalid

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: qasdev00@gmail.com

#syz test

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: qasdev00@gmail.com

#syz test

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: qasdev00@gmail.com

#syz test

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: purvayeshi550@gmail.com

#syz test

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: purvayeshi550@gmail.com

#syz test

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: purvayeshi550@gmail.com

#syz test

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: purvayeshi550@gmail.com

#syz test

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: purvayeshi550@gmail.com

#syz test

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: purvayeshi550@gmail.com

#syz test

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: purvayeshi550@gmail.com

#syz test

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: qasdev00@gmail.com

#syz test

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: qasdev00@gmail.com

#syz test

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix bcachefs: Fix kmsan warnings in bch2_extent_crc_pack()

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix bcachefs: Disable asm memcpys when kmsan enabled

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix  bcachefs: Fix a KMSAN splat in btree_update_nodes_written()

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix bcachefs: Disable asm memcpys when kmsan enabled

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix bcachefs: Disable asm memcpys when kmsan enabled

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix bcachefs: Disable asm memcpys when kmsan enabled

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix bcachefs: Disable asm memcpys when kmsan enabled

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix bcachefs: Disable asm memcpys when kmsan enabled

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix bcachefs: Disable asm memcpys when kmsan enabled

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix bcachefs: Disable asm memcpys when kmsan enabled

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix bcachefs: Disable asm memcpys when kmsan enabled

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix bcachefs: Disable asm memcpys when kmsan enabled

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix bcachefs: Disable asm memcpys when kmsan enabled

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix bcachefs: Disable asm memcpys when kmsan enabled

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix bcachefs: Disable asm memcpys when kmsan enabled

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix bcachefs: Disable asm memcpys when kmsan enabled

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix bcachefs: Disable asm memcpys when kmsan enabled

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix bcachefs: Disable asm memcpys when kmsan enabled

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix bcachefs: Disable asm memcpys when kmsan enabled

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix bcachefs: Disable asm memcpys when kmsan enabled

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix bcachefs: Disable asm memcpys when kmsan enabled

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix bcachefs: Disable asm memcpys when kmsan enabled

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix bcachefs: Disable asm memcpys when kmsan enabled

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix bcachefs: Disable asm memcpys when kmsan enabled

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix bcachefs: Disable asm memcpys when kmsan enabled

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix bcachefs: Eliminate padding in move_bucket_key

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: qasdev00@gmail.com

#syz test

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: qasdev00@gmail.com

#syz test

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: qasdev00@gmail.com

#syz test

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: nogikh@google.com

#syz invalid

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: nogikh@google.com

#syz invalid

Re: [syzbot]

[Arnaud Lecomte]

#syz test: https://github.com/ArnaudLcm/linux bounds-checking-txmung

Re: [syzbot]

[Arnaud Lecomte]

Author: contact@arnaud-lcm.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

diff --git a/drivers/net/ppp/ppp_synctty.c b/drivers/net/ppp/ppp_synctty.c
index 644e99fc3623..520d895acc60 100644
--- a/drivers/net/ppp/ppp_synctty.c
+++ b/drivers/net/ppp/ppp_synctty.c
@@ -506,6 +506,11 @@ ppp_sync_txmunge(struct syncppp *ap, struct sk_buff *skb)
 	unsigned char *data;
 	int islcp;
 
+	/* Ensure we can safely access protocol field and LCP code */
+	if (!skb || !pskb_may_pull(skb, 3)) {
+		kfree_skb(skb);
+		return NULL;
+	}
 	data  = skb->data;
 	proto = get_unaligned_be16(data);

Re: [syzbot]

[syzbot]

> Author: contact@arnaud-lcm.com
>
> #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

want either no args or 2 args (repo, branch), got 5

>
> diff --git a/drivers/net/ppp/ppp_synctty.c b/drivers/net/ppp/ppp_synctty.c
> index 644e99fc3623..520d895acc60 100644
> --- a/drivers/net/ppp/ppp_synctty.c
> +++ b/drivers/net/ppp/ppp_synctty.c
> @@ -506,6 +506,11 @@ ppp_sync_txmunge(struct syncppp *ap, struct sk_buff *skb)
>  	unsigned char *data;
>  	int islcp;
>  
> +	/* Ensure we can safely access protocol field and LCP code */
> +	if (!skb || !pskb_may_pull(skb, 3)) {
> +		kfree_skb(skb);
> +		return NULL;
> +	}
>  	data  = skb->data;
>  	proto = get_unaligned_be16(data);

Re: [syzbot]

[Arnaud Lecomte]

Author: contact@arnaud-lcm.com

#syz test

diff --git a/drivers/net/ppp/ppp_synctty.c b/drivers/net/ppp/ppp_synctty.c
index 644e99fc3623..520d895acc60 100644
--- a/drivers/net/ppp/ppp_synctty.c
+++ b/drivers/net/ppp/ppp_synctty.c
@@ -506,6 +506,11 @@ ppp_sync_txmunge(struct syncppp *ap, struct sk_buff *skb)
 	unsigned char *data;
 	int islcp;
 
+	/* Ensure we can safely access protocol field and LCP code */
+	if (!skb || !pskb_may_pull(skb, 3)) {
+		kfree_skb(skb);
+		return NULL;
+	}
 	data  = skb->data;
 	proto = get_unaligned_be16(data);

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: qasdev00@gmail.com

#syz test

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: nogikh@google.com

The bug was fixed with a different commit than the recorded [PATCH] discussion.
Close it so that it may be reopened the next time we face a linux next
build problem.

#syz invalid

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix: bcachefs: Prevent granting write refs when filesystem is read-only

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix: bcachefs: Don't trust sb->nr_devices in members_to_text()

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix: bcachefs: Don't put rhashtable on stack

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix: bcachefs: Fix downgrade_table_extra()

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix: bcachefs: Fix possible console lock involved deadlock

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix: bcachefs: Don't put rhashtable on stack

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix: bcachefs: Don't put rhashtable on stack

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix: bcachefs: Call bch2_fs_start before getting vfs superblock

Re: [syzbot]

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix: bcachefs: Don't trust sb->nr_devices in members_to_text()