* INFO: task can't die in shrink_inactive_list (2)
From: syzbot @ 2020-11-21 1:55 UTC
To: akpm, linux-kernel, linux-mm, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 03430750 Add linux-next specific files for 20201116
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=13f80e5e500000
kernel config: https://syzkaller.appspot.com/x/.config?x=a1c4c3f27041fdb8
dashboard link: https://syzkaller.appspot.com/bug?extid=e5a33e700b1dd0da20a2
compiler: gcc (GCC) 10.1.0-syz 20200507
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12f7bc5a500000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10934cf2500000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+e5a33e700b1dd0da20a2@syzkaller.appspotmail.com
INFO: task syz-executor880:8534 can't die for more than 143 seconds.
task:syz-executor880 state:R running task stack:25304 pid: 8534 ppid: 8504 flags:0x00004006
Call Trace:
context_switch kernel/sched/core.c:4269 [inline]
__schedule+0x890/0x2030 kernel/sched/core.c:5019
preempt_schedule_common+0x45/0xc0 kernel/sched/core.c:5179
preempt_schedule_thunk+0x16/0x18 arch/x86/entry/thunk_64.S:40
__raw_spin_unlock_irq include/linux/spinlock_api_smp.h:169 [inline]
_raw_spin_unlock_irq+0x3c/0x40 kernel/locking/spinlock.c:199
spin_unlock_irq include/linux/spinlock.h:404 [inline]
shrink_inactive_list+0x4b1/0xce0 mm/vmscan.c:1974
shrink_list mm/vmscan.c:2167 [inline]
shrink_lruvec+0x61b/0x11b0 mm/vmscan.c:2462
shrink_node_memcgs mm/vmscan.c:2650 [inline]
shrink_node+0x839/0x1d60 mm/vmscan.c:2767
shrink_zones mm/vmscan.c:2970 [inline]
do_try_to_free_pages+0x38b/0x1440 mm/vmscan.c:3025
try_to_free_pages+0x29f/0x720 mm/vmscan.c:3264
__perform_reclaim mm/page_alloc.c:4360 [inline]
__alloc_pages_direct_reclaim mm/page_alloc.c:4381 [inline]
__alloc_pages_slowpath.constprop.0+0x917/0x2510 mm/page_alloc.c:4785
__alloc_pages_nodemask+0x5f0/0x730 mm/page_alloc.c:4995
alloc_pages_current+0x191/0x2a0 mm/mempolicy.c:2271
alloc_pages include/linux/gfp.h:547 [inline]
__page_cache_alloc mm/filemap.c:977 [inline]
__page_cache_alloc+0x2ce/0x360 mm/filemap.c:962
page_cache_ra_unbounded+0x3a1/0x920 mm/readahead.c:216
do_page_cache_ra+0xf9/0x140 mm/readahead.c:267
do_sync_mmap_readahead mm/filemap.c:2721 [inline]
filemap_fault+0x19d0/0x2940 mm/filemap.c:2809
__do_fault+0x10d/0x4d0 mm/memory.c:3623
do_shared_fault mm/memory.c:4071 [inline]
do_fault mm/memory.c:4149 [inline]
handle_pte_fault mm/memory.c:4385 [inline]
__handle_mm_fault mm/memory.c:4520 [inline]
handle_mm_fault+0x3033/0x55d0 mm/memory.c:4618
do_user_addr_fault+0x55b/0xba0 arch/x86/mm/fault.c:1377
handle_page_fault arch/x86/mm/fault.c:1434 [inline]
exc_page_fault+0x9e/0x180 arch/x86/mm/fault.c:1490
asm_exc_page_fault+0x1e/0x30 arch/x86/include/asm/idtentry.h:580
RIP: 0033:0x400e71
Code: Unable to access opcode bytes at RIP 0x400e47.
RSP: 002b:00007f8a5353fdc0 EFLAGS: 00010246
RAX: 6c756e2f7665642f RBX: 00000000006dbc38 RCX: 0000000000402824
RDX: 928195da81441750 RSI: 0000000000000000 RDI: 00000000006dbc30
RBP: 00000000006dbc30 R08: 0000000000000000 R09: 00007f8a53540700
R10: 00007f8a535409d0 R11: 0000000000000202 R12: 00000000006dbc3c
R13: 00007ffe80747a5f R14: 00007f8a535409c0 R15: 0000000000000001
Showing all locks held in the system:
1 lock held by khungtaskd/1659:
#0: ffffffff8b339ce0 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x53/0x260 kernel/locking/lockdep.c:6252
1 lock held by kswapd0/2195:
1 lock held by kswapd1/2196:
1 lock held by in:imklog/8191:
#0: ffff8880125b1270 (&f->f_pos_lock){+.+.}-{3:3}, at: __fdget_pos+0xe9/0x100 fs/file.c:932
1 lock held by cron/8189:
2 locks held by syz-executor880/8502:
2 locks held by syz-executor880/8505:
2 locks held by syz-executor880/8507:
2 locks held by syz-executor880/11706:
2 locks held by syz-executor880/11709:
3 locks held by syz-executor880/12008:
2 locks held by syz-executor880/12015:
=============================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
* Re: INFO: task can't die in shrink_inactive_list (2)
From: Andrew Morton @ 2020-11-24 3:54 UTC
To: syzbot; +Cc: linux-kernel, linux-mm, syzkaller-bugs, Alex Shi
On Fri, 20 Nov 2020 17:55:22 -0800 syzbot <syzbot+e5a33e700b1dd0da20a2@syzkaller.appspotmail.com> wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 03430750 Add linux-next specific files for 20201116
> git tree: linux-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=13f80e5e500000
> kernel config: https://syzkaller.appspot.com/x/.config?x=a1c4c3f27041fdb8
> dashboard link: https://syzkaller.appspot.com/bug?extid=e5a33e700b1dd0da20a2
> compiler: gcc (GCC) 10.1.0-syz 20200507
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12f7bc5a500000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10934cf2500000
Alex, your series "per memcg lru lock" changed the vmscan code rather a
lot. Could you please take a look at that reproducer?
* Re: INFO: task can't die in shrink_inactive_list (2)
From: Alex Shi @ 2020-11-24 5:20 UTC
To: Andrew Morton, syzbot
Cc: linux-kernel, linux-mm, syzkaller-bugs, Hugh Dickins, Johannes Weiner
CC: Hugh Dickins & Johannes,
On 2020/11/24 11:54 AM, Andrew Morton wrote:
> On Fri, 20 Nov 2020 17:55:22 -0800 syzbot <syzbot+e5a33e700b1dd0da20a2@syzkaller.appspotmail.com> wrote:
>
>> Hello,
>>
>> syzbot found the following issue on:
>>
>> HEAD commit: 03430750 Add linux-next specific files for 20201116
>> git tree: linux-next
>> console output: https://syzkaller.appspot.com/x/log.txt?x=13f80e5e500000
>> kernel config: https://syzkaller.appspot.com/x/.config?x=a1c4c3f27041fdb8
>> dashboard link: https://syzkaller.appspot.com/bug?extid=e5a33e700b1dd0da20a2
>> compiler: gcc (GCC) 10.1.0-syz 20200507
>> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12f7bc5a500000
>> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10934cf2500000
>
> Alex, your series "per memcg lru lock" changed the vmscan code rather a
> lot. Could you please take a look at that reproducer?
>
Sure, I will try to reproduce and look into it.
Thanks!
Alex
* Re: INFO: task can't die in shrink_inactive_list (2)
From: Alex Shi @ 2020-11-24 12:00 UTC
To: Andrew Morton, syzbot
Cc: linux-kernel, linux-mm, syzkaller-bugs, Hugh Dickins, Johannes Weiner, peterz
On 2020/11/24 11:54 AM, Andrew Morton wrote:
> On Fri, 20 Nov 2020 17:55:22 -0800 syzbot <syzbot+e5a33e700b1dd0da20a2@syzkaller.appspotmail.com> wrote:
>
>> Hello,
>>
>> syzbot found the following issue on:
>>
>> HEAD commit: 03430750 Add linux-next specific files for 20201116
>> git tree: linux-next
>> console output: https://syzkaller.appspot.com/x/log.txt?x=13f80e5e500000
>> kernel config: https://syzkaller.appspot.com/x/.config?x=a1c4c3f27041fdb8
>> dashboard link: https://syzkaller.appspot.com/bug?extid=e5a33e700b1dd0da20a2
>> compiler: gcc (GCC) 10.1.0-syz 20200507
>> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12f7bc5a500000
>> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10934cf2500000
CC Peter Zijlstra.
I found next-20200821 had a very, very similar oops to this one.
https://groups.google.com/g/syzkaller-upstream-moderation/c/S0pyqK1dZv8/m/dxMoEhGdAQAJ
So does this mean the bug has existed for a long time, since 5.9-rc1?
The reproducer works randomly on a cpu=2, mem=1600M x86 VM. It could cause a hang again
on both kernels, but each with a different kernel stack.
Maybe the system is just too busy? I will try older kernels with the reproducer.
Thanks
Alex
BTW, I removed the drm and wireless config in my testing.
[ 1861.939128][ T1586] INFO: task systemd-udevd:8999 blocked for more than 143 seconds.
[ 1861.939969][ T1586] Not tainted 5.9.0-rc1-next-20200821 #5
[ 1861.940553][ T1586] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
[ 1861.941369][ T1586] task:systemd-udevd state:D stack:21192 pid: 8999 ppid: 4717 flags:0x00004080
[ 1861.942245][ T1586] Call Trace:
[ 1861.942581][ T1586] __schedule+0xaab/0x1f20
[ 1861.943014][ T1586] ? __sched_text_start+0x8/0x8
[ 1861.943482][ T1586] schedule+0xc4/0x2b0
[ 1861.943872][ T1586] schedule_preempt_disabled+0xf/0x20
[ 1861.944390][ T1586] __mutex_lock+0x8a0/0x13e0
[ 1861.944831][ T1586] ? __blkdev_get+0x4bc/0x1a00
[ 1861.945286][ T1586] ? mutex_lock_io_nested+0x12c0/0x12c0
[ 1861.945818][ T1586] ? up_read+0x1a5/0x740
[ 1861.946224][ T1586] ? down_read+0x10a/0x420
[ 1861.946653][ T1586] ? kobj_lookup+0x37a/0x480
[ 1861.947095][ T1586] ? __blkdev_get+0x4bc/0x1a00
[ 1861.947545][ T1586] __blkdev_get+0x4bc/0x1a00
[ 1861.947997][ T1586] ? lock_release+0x730/0x730
[ 1861.948464][ T1586] ? __blkdev_put+0x720/0x720
[ 1861.962189][T15367] systemd-journald[15367]: Sent WATCHDOG=1 notification.
[ 1861.991663][ T1586] blkdev_get+0x20/0x80
[ 1861.992088][ T1586] blkdev_open+0x20a/0x290
[ 1861.992514][ T1586] do_dentry_open+0x69a/0x1240
[ 1861.992975][ T1586] ? bd_acquire+0x2c0/0x2c0
[ 1861.993414][ T1586] path_openat+0xdd2/0x26f0
[ 1861.993846][ T1586] ? path_lookupat.isra.41+0x520/0x520
[ 1861.994368][ T1586] ? lockdep_hardirqs_on_prepare+0x4d0/0x4d0
[ 1861.994937][ T1586] ? lockdep_hardirqs_on_prepare+0x4d0/0x4d0
[ 1861.995502][ T1586] ? ___sys_sendmsg+0x11c/0x180
[ 1861.995954][ T1586] ? find_held_lock+0x33/0x1c0
[ 1861.996405][ T1586] ? __might_fault+0x11f/0x1d0
[ 1861.996850][ T1586] do_filp_open+0x192/0x260
[ 1861.997268][ T1586] ? may_open_dev+0xf0/0xf0
[ 1861.997699][ T1586] ? rwlock_bug.part.1+0x90/0x90
[ 1861.998161][ T1586] ? do_raw_spin_unlock+0x4f/0x260
[ 1861.998650][ T1586] ? __alloc_fd+0x282/0x600
[ 1862.002012][ T1586] ? lock_downgrade+0x6f0/0x6f0
[ 1862.007607][ T1586] do_sys_openat2+0x573/0x850
[ 1862.008112][ T1586] ? file_open_root+0x3f0/0x3f0
[ 1862.008570][ T1586] ? trace_hardirqs_on+0x5f/0x220
[ 1862.028918][ T1586] do_sys_open+0xca/0x140
[ 1862.028932][ T1586] ? filp_open+0x70/0x70
[ 1862.028945][ T1586] do_syscall_64+0x2d/0x70
[ 1862.028954][ T1586] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 1862.028966][ T1586] RIP: 0033:0x7fc04686eea0
[ 1862.028969][ T1586] Code: Bad RIP value.
[ 1862.028974][ T1586] RSP: 002b:00007ffd2c78ae68 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
[ 1862.028983][ T1586] RAX: ffffffffffffffda RBX: 000055785498f3c0 RCX: 00007fc04686eea0
[ 1862.028988][ T1586] RDX: 000055785498fcd0 RSI: 00000000000a0800 RDI: 000055785498fcd0
[ 1862.028992][ T1586] RBP: 0000000000000000 R08: 00007ffd2c7ad090 R09: 0000000000051dc0
[ 1862.028997][ T1586] R10: 0000000000051dc0 R11: 0000000000000246 R12: 0000557854990340
[ 1862.029002][ T1586] R13: 0000557854984010 R14: 0000557854990200 R15: 000000000000000c
[ 1862.029024][ T1586] INFO: task repro:17514 can't die for more than 143 seconds.
[ 1862.036603][ T1586] task:repro state:R running task stack:25520 pid:17514 ppid: 8947 flags:0x00004086
[ 1862.037596][ T1586] Call Trace:
[ 1862.037909][ T1586] __schedule+0xaab/0x1f20
[ 1862.038322][ T1586] ? __sched_text_start+0x8/0x8
[ 1862.038776][ T1586] ? preempt_schedule_irq+0x30/0x90
[ 1862.070004][ T1586] ? bdev_evict_inode+0x420/0x420
[ 1862.070497][ T1586] ? _raw_spin_unlock_irqrestore+0x47/0x60
[ 1862.071036][ T1586] ? blkdev_write_begin+0x40/0x40
[ 1862.071504][ T1586] ? read_pages+0x1ee/0x1170
[ 1862.071933][ T1586] ? _raw_spin_unlock_irqrestore+0x34/0x60
[ 1862.072484][ T1586] ? debug_check_no_obj_freed+0x205/0x45a
[ 1862.073013][ T1586] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 1862.073532][ T1586] ? read_cache_pages+0x6e0/0x6e0
[ 1862.074002][ T1586] ? page_cache_readahead_unbounded+0x57b/0x800
[ 1862.074591][ T1586] ? read_pages+0x1170/0x1170
[ 1862.075028][ T1586] ? down_read_non_owner+0x470/0x470
[ 1862.075522][ T1586] ? __do_page_cache_readahead+0xc2/0xf0
[ 1862.076044][ T1586] ? filemap_fault+0x16df/0x24d0
[ 1862.076507][ T1586] ? lockdep_init_map_waits+0x267/0x7c0
[ 1862.077021][ T1586] ? __do_fault+0x10d/0x530
[ 1862.077442][ T1586] ? handle_mm_fault+0x36af/0x4800
[ 1862.077920][ T1586] ? copy_page_range+0x2ea0/0x2ea0
[ 1862.078400][ T1586] ? vmacache_update+0xce/0x140
[ 1862.078851][ T1586] ? do_user_addr_fault+0x564/0xb40
[ 1862.088905][ T1586] ? exc_page_fault+0xa1/0x170
[ 1862.089363][ T1586] ? asm_exc_page_fault+0x8/0x30
[ 1862.089828][ T1586] ? asm_exc_page_fault+0x1e/0x30
[ 1862.090314][ T1586] INFO: task repro:17545 can't die for more than 143 seconds.
[ 1862.090990][ T1586] task:repro state:R running task stack:25312 pid:17545 ppid: 8946 flags:0x00004086
[ 1862.091978][ T1586] Call Trace:
[ 1862.092282][ T1586] __schedule+0xaab/0x1f20
[ 1862.092696][ T1586] ? __sched_text_start+0x8/0x8
[ 1862.093141][ T1586] ? trace_hardirqs_on+0x5f/0x220
[ 1862.093613][ T1586] ? asm_sysvec_apic_timer_interrupt+0x12/0x20
[ 1862.094182][ T1586] ? preempt_schedule_thunk+0x16/0x18
[ 1862.094681][ T1586] preempt_schedule_common+0x1a/0xc0
[ 1862.095167][ T1586] preempt_schedule_thunk+0x16/0x18
[ 1862.095653][ T1586] kernel_init_free_pages+0xf0/0x110
[ 1862.096145][ T1586] prep_new_page+0x12e/0x1f0
[ 1862.096578][ T1586] get_page_from_freelist+0x1202/0x56c0
[ 1862.097097][ T1586] ? lockdep_hardirqs_on_prepare+0x4d0/0x4d0
[ 1862.097659][ T1586] ? __isolate_free_page+0x600/0x600
[ 1862.098147][ T1586] __alloc_pages_nodemask+0x2d7/0x7d0
[ 1862.098645][ T1586] ? __alloc_pages_slowpath.constprop.108+0x2380/0x2380
[ 1862.121238][ T1586] ? add_to_page_cache_lru+0x1a3/0x700
[ 1862.121773][ T1586] ? add_to_page_cache_locked+0x40/0x40
[ 1862.122285][ T1586] alloc_pages_current+0x108/0x200
[ 1862.122766][ T1586] __page_cache_alloc+0xfc/0x300
[ 1862.123229][ T1586] page_cache_readahead_unbounded+0x47f/0x800
[ 1862.123795][ T1586] ? rcu_read_lock_sched_held+0xd0/0xd0
[ 1862.124307][ T1586] ? read_pages+0x1170/0x1170
[ 1862.124740][ T1586] ? find_held_lock+0x33/0x1c0
[ 1862.125182][ T1586] ? inode_congested+0x256/0x4e0
[ 1862.125647][ T1586] ? page_cache_async_readahead+0x3e5/0x7c0
[ 1862.126199][ T1586] __do_page_cache_readahead+0xc2/0xf0
[ 1862.126708][ T1586] ondemand_readahead+0x579/0xd20
[ 1862.127175][ T1586] page_cache_async_readahead+0x43b/0x7c0
[ 1862.127703][ T1586] filemap_fault+0xde9/0x24d0
[ 1862.128143][ T1586] __do_fault+0x10d/0x530
[ 1862.128550][ T1586] handle_mm_fault+0x36af/0x4800
[ 1862.148903][ T1586] ? copy_page_range+0x2ea0/0x2ea0
[ 1862.149413][ T1586] ? vmacache_update+0xce/0x140
[ 1862.149866][ T1586] do_user_addr_fault+0x564/0xb40
[ 1862.150336][ T1586] exc_page_fault+0xa1/0x170
[ 1862.150767][ T1586] ? asm_exc_page_fault+0x8/0x30
[ 1862.151222][ T1586] asm_exc_page_fault+0x1e/0x30
[ 1862.151671][ T1586] RIP: 0033:0x428dd7
[ 1862.152033][ T1586] Code: Bad RIP value.
[ 1862.152416][ T1586] RSP: 002b:00007f8995966d78 EFLAGS: 00010202
[ 1862.152980][ T1586] RAX: 0000000020000080 RBX: 0000000000000000 RCX: 000000007665642f
[ 1862.153711][ T1586] RDX: 000000000000000c RSI: 00000000004b2370 RDI: 0000000020000080
[ 1862.154444][ T1586] RBP: 00007f8995966da0 R08: 00007f8995967700 R09: 00007f8995967700
[ 1862.155173][ T1586] R10: 00007f89959679d0 R11: 0000000000000202 R12: 0000000000000000
[ 1862.155901][ T1586] R13: 0000000000021000 R14: 0000000000000000 R15: 00007f8995967700
[ 1862.156630][ T1586] INFO: task repro:17769 can't die for more than 143 seconds.
[ 1862.157309][ T1586] task:repro state:D stack:28536 pid:17769 ppid: 8950 flags:0x00000084
[ 1862.158153][ T1586] Call Trace:
[ 1862.158467][ T1586] __schedule+0xaab/0x1f20
[ 1862.178902][ T1586] ? __sched_text_start+0x8/0x8
[ 1862.179370][ T1586] schedule+0xc4/0x2b0
[ 1862.179750][ T1586] schedule_preempt_disabled+0xf/0x20
[ 1862.180247][ T1586] __mutex_lock+0x8a0/0x13e0
[ 1862.180681][ T1586] ? __blkdev_get+0x4bc/0x1a00
[ 1862.181121][ T1586] ? mutex_lock_io_nested+0x12c0/0x12c0
[ 1862.181643][ T1586] ? up_read+0x1a5/0x740
[ 1862.182035][ T1586] ? down_read+0x10a/0x420
[ 1862.182449][ T1586] ? kobj_lookup+0x37a/0x480
[ 1862.182879][ T1586] ? __blkdev_get+0x4bc/0x1a00
[ 1862.183317][ T1586] __blkdev_get+0x4bc/0x1a00
[ 1862.183747][ T1586] ? lock_release+0x730/0x730
[ 1862.184182][ T1586] ? __blkdev_put+0x720/0x720
[ 1862.184623][ T1586] blkdev_get+0x20/0x80
[ 1862.185006][ T1586] blkdev_open+0x20a/0x290
[ 1862.185420][ T1586] do_dentry_open+0x69a/0x1240
[ 1862.185856][ T1586] ? bd_acquire+0x2c0/0x2c0
[ 1862.186278][ T1586] path_openat+0xdd2/0x26f0
[ 1862.186710][ T1586] ? path_lookupat.isra.41+0x520/0x520
[ 1862.187209][ T1586] ? lockdep_hardirqs_on_prepare+0x4d0/0x4d0
[ 1862.187769][ T1586] ? lockdep_hardirqs_on_prepare+0x4d0/0x4d0
[ 1862.188317][ T1586] ? find_held_lock+0x33/0x1c0
[ 1862.188755][ T1586] ? __might_fault+0x11f/0x1d0
[ 1862.208898][ T1586] do_filp_open+0x192/0x260
[ 1862.209341][ T1586] ? may_open_dev+0xf0/0xf0
[ 1862.209774][ T1586] ? rwlock_bug.part.1+0x90/0x90
[ 1862.210230][ T1586] ? do_raw_spin_unlock+0x4f/0x260
[ 1862.210712][ T1586] ? __alloc_fd+0x282/0x600
[ 1862.211134][ T1586] ? lock_downgrade+0x6f0/0x6f0
[ 1862.211585][ T1586] do_sys_openat2+0x573/0x850
[ 1862.212022][ T1586] ? file_open_root+0x3f0/0x3f0
[ 1862.212478][ T1586] ? trace_hardirqs_on+0x5f/0x220
[ 1862.212942][ T1586] do_sys_open+0xca/0x140
[ 1862.213346][ T1586] ? filp_open+0x70/0x70
[ 1862.213752][ T1586] do_syscall_64+0x2d/0x70
[ 1862.214162][ T1586] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 1862.214713][ T1586] RIP: 0033:0x437419
[ 1862.215071][ T1586] Code: Bad RIP value.
[ 1862.215450][ T1586] RSP: 002b:00007f8995966d78 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
[ 1862.216222][ T1586] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000437419
[ 1862.216961][ T1586] RDX: 0004000000004002 RSI: 0000000020000080 RDI: ffffffffffffff9c
[ 1862.217687][ T1586] RBP: 00007f8995966da0 R08: 00007f8995967700 R09: 0000000000000000
[ 1862.218419][ T1586] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 1862.248893][ T1586] R13: 0000000000021000 R14: 0000000000000000 R15: 00007f8995967700
or
[ 2005.496484][ T1626] INFO: task repro:10028 blocked for more than 143 seconds.
[ 2005.497214][ T1626] Not tainted 5.10.0-rc3-next-20201116 #2
[ 2005.497841][ T1626] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
[ 2005.498710][ T1626] task:repro state:D stack:28080 pid:10028 ppid: 9078 flags:0x00004082
[ 2005.499641][ T1626] Call Trace:
[ 2005.499977][ T1626] __schedule+0xaaa/0x1f70
[ 2005.500436][ T1626] ? __sched_text_start+0x8/0x8
[ 2005.500930][ T1626] schedule+0xc3/0x270
[ 2005.501347][ T1626] schedule_preempt_disabled+0xf/0x20
[ 2005.501884][ T1626] __mutex_lock+0x856/0x1420
[ 2005.502358][ T1626] ? blkdev_put+0x31/0x530
[ 2005.513908][ T1626] ? mutex_lock_io_nested+0x12c0/0x12c0
[ 2005.514486][ T1626] ? lock_release+0x690/0x690
[ 2005.514962][ T1626] ? do_raw_spin_lock+0x121/0x2d0
[ 2005.515468][ T1626] ? rwlock_bug.part.1+0x90/0x90
[ 2005.515965][ T1626] ? locks_check_ctx_file_list+0x1d/0x110
[ 2005.516551][ T1626] ? __fsnotify_parent+0x4fc/0xab0
[ 2005.517076][ T1626] ? _raw_spin_unlock+0x24/0x40
[ 2005.517572][ T1626] ? locks_remove_file+0x319/0x570
[ 2005.518086][ T1626] ? blkdev_put+0x530/0x530
[ 2005.518538][ T1626] ? blkdev_put+0x31/0x530
[ 2005.518981][ T1626] blkdev_put+0x31/0x530
[ 2005.519418][ T1626] ? blkdev_put+0x530/0x530
[ 2005.519872][ T1626] blkdev_close+0x8c/0xb0
[ 2005.520315][ T1626] __fput+0x270/0x8e0
[ 2005.520719][ T1626] task_work_run+0xe0/0x1a0
[ 2005.521178][ T1626] do_exit+0xb80/0x2eb0
[ 2005.521612][ T1626] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 2005.522173][ T1626] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 2005.547613][ T1626] ? mm_update_next_owner+0x7d0/0x7d0
[ 2005.548173][ T1626] ? get_signal+0x325/0x2350
[ 2005.548643][ T1626] ? lock_downgrade+0x6a0/0x6a0
[ 2005.549135][ T1626] do_group_exit+0x125/0x340
[ 2005.549606][ T1626] get_signal+0x3f8/0x2350
[ 2005.550050][ T1626] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 2005.550602][ T1626] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 2005.551127][ T1626] ? find_held_lock+0x33/0x1c0
[ 2005.551610][ T1626] arch_do_signal_or_restart+0x1ea/0x1d40
[ 2005.552181][ T1626] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 2005.562694][ T1626] ? copy_siginfo_to_user32+0xa0/0xa0
[ 2005.563262][ T1626] ? __x64_sys_futex+0x3f3/0x5b0
[ 2005.563758][ T1626] ? __x64_sys_futex+0x3fc/0x5b0
[ 2005.564262][ T1626] ? kfree+0x528/0x5b0
[ 2005.564683][ T1626] ? dput.part.30+0x16/0xbc0
[ 2005.565152][ T1626] ? unroll_tree_refs+0x2ae/0x410
[ 2005.565672][ T1626] exit_to_user_mode_prepare+0x108/0x200
[ 2005.566247][ T1626] syscall_exit_to_user_mode+0x38/0x260
[ 2005.566801][ T1626] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 2005.567402][ T1626] RIP: 0033:0x437419
[ 2005.567796][ T1626] Code: Unable to access opcode bytes at RIP 0x4373ef.
[ 2005.568487][ T1626] RSP: 002b:00007f0f27ecfd88 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[ 2005.569325][ T1626] RAX: 0000000000000001 RBX: 0000000000000000 RCX: 0000000000437419
[ 2005.570109][ T1626] RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00000000006e385c
[ 2005.570900][ T1626] RBP: 00007f0f27ecfda0 R08: 0000000000000000 R09: 0000000000000000
[ 2005.571697][ T1626] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 2005.572503][ T1626] R13: 0000000000021000 R14: 0000000000000000 R15: 00007f0f27ed0700
>
> Alex, your series "per memcg lru lock" changed the vmscan code rather a
> lot. Could you please take a look at that reproducer?
>
>> syzbot engineers can be reached at syzkaller@googlegroups.com.
>>
>> syzbot will keep track of this issue. See:
>> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
>> syzbot can test patches for this issue, for details see:
>> https://goo.gl/tpsmEJ#testing-patches
* Re: INFO: task can't die in shrink_inactive_list (2)
2020-11-24 12:00 ` Alex Shi
@ 2020-11-24 13:53 ` Alex Shi
2020-11-24 14:35 ` Alex Shi
1 sibling, 0 replies; 141+ messages in thread
From: Alex Shi @ 2020-11-24 13:53 UTC (permalink / raw)
To: Andrew Morton, syzbot
Cc: linux-kernel, linux-mm, syzkaller-bugs, Hugh Dickins,
Johannes Weiner, peterz
On 2020/11/24 8:00 PM, Alex Shi wrote:
>>>
>>> syzbot found the following issue on:
>>>
>>> HEAD commit: 03430750 Add linux-next specific files for 20201116
>>> git tree: linux-next
>>> console output: https://syzkaller.appspot.com/x/log.txt?x=13f80e5e500000
>>> kernel config: https://syzkaller.appspot.com/x/.config?x=a1c4c3f27041fdb8
>>> dashboard link: https://syzkaller.appspot.com/bug?extid=e5a33e700b1dd0da20a2
>>> compiler: gcc (GCC) 10.1.0-syz 20200507
>>> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12f7bc5a500000
>>> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10934cf2500000
> CC Peter Zijlstra.
>
> I found next-20200821 had a very very similar ops as this.
> https://groups.google.com/g/syzkaller-upstream-moderation/c/S0pyqK1dZv8/m/dxMoEhGdAQAJ
> So does this mean the bug has existed for a long time, since 5.9-rc1?
The 5.8 kernel sometimes also failed on this test on my 2-CPU VM guest with 2 GB of memory:
Thanks
Alex
[ 5875.750929][ T946] INFO: task repro:31866 blocked for more than 143 seconds.
[ 5875.751618][ T946] Not tainted 5.8.0 #6
[ 5875.752046][ T946] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables th.
[ 5875.752845][ T946] repro D12088 31866 1 0x80004086
[ 5875.753436][ T946] Call Trace:
[ 5875.753747][ T946] __schedule+0x394/0x950
[ 5875.774033][ T946] ? __mutex_lock+0x46f/0x9c0
[ 5875.774481][ T946] ? blkdev_put+0x18/0x120
[ 5875.774894][ T946] schedule+0x37/0xe0
[ 5875.775260][ T946] schedule_preempt_disabled+0xf/0x20
[ 5875.775753][ T946] __mutex_lock+0x474/0x9c0
[ 5875.776174][ T946] ? lock_acquire+0xa7/0x390
[ 5875.776602][ T946] ? locks_remove_file+0x1e7/0x2d0
[ 5875.777079][ T946] ? blkdev_put+0x18/0x120
[ 5875.777485][ T946] blkdev_put+0x18/0x120
[ 5875.777880][ T946] blkdev_close+0x1f/0x30
[ 5875.778281][ T946] __fput+0xf0/0x260
[ 5875.778639][ T946] task_work_run+0x68/0xb0
[ 5875.779054][ T946] do_exit+0x3df/0xce0
[ 5875.779430][ T946] ? get_signal+0x11d/0xca0
[ 5875.779846][ T946] do_group_exit+0x42/0xb0
[ 5875.780261][ T946] get_signal+0x16a/0xca0
[ 5875.780662][ T946] ? handle_mm_fault+0xc8f/0x19c0
[ 5875.781134][ T946] do_signal+0x2b/0x8e0
[ 5875.781521][ T946] ? trace_hardirqs_off+0xe/0xf0
[ 5875.781989][ T946] __prepare_exit_to_usermode+0xef/0x1f0
[ 5875.782512][ T946] ? asm_exc_page_fault+0x8/0x30
[ 5875.782979][ T946] prepare_exit_to_usermode+0x5/0x30
[ 5875.783461][ T946] asm_exc_page_fault+0x1e/0x30
[ 5875.783909][ T946] RIP: 0033:0x428dd7
[ 5875.794899][ T946] Code: Bad RIP value.
[ 5875.795290][ T946] RSP: 002b:00007f37c99e0d78 EFLAGS: 00010202
[ 5875.795858][ T946] RAX: 0000000020000080 RBX: 0000000000000000 RCX: 0000000076656f
[ 5875.796588][ T946] RDX: 000000000000000c RSI: 00000000004b2370 RDI: 00000000200000
[ 5875.797326][ T946] RBP: 00007f37c99e0da0 R08: 00007f37c99e1700 R09: 00007f37c99e10
[ 5875.798063][ T946] R10: 00007f37c99e19d0 R11: 0000000000000202 R12: 00000000000000
[ 5875.798802][ T946] R13: 0000000000021000 R14: 0000000000000000 R15: 00007f37c99e10
* Re: INFO: task can't die in shrink_inactive_list (2)
2020-11-24 12:00 ` Alex Shi
2020-11-24 13:53 ` Alex Shi
@ 2020-11-24 14:35 ` Alex Shi
1 sibling, 0 replies; 141+ messages in thread
From: Alex Shi @ 2020-11-24 14:35 UTC (permalink / raw)
To: Andrew Morton, syzbot
Cc: linux-kernel, linux-mm, syzkaller-bugs, Hugh Dickins,
Johannes Weiner, peterz
On 2020/11/24 8:00 PM, Alex Shi wrote:
>>> syzbot found the following issue on:
>>>
>>> HEAD commit: 03430750 Add linux-next specific files for 20201116
>>> git tree: linux-next
>>> console output: https://syzkaller.appspot.com/x/log.txt?x=13f80e5e500000
>>> kernel config: https://syzkaller.appspot.com/x/.config?x=a1c4c3f27041fdb8
>>> dashboard link: https://syzkaller.appspot.com/bug?extid=e5a33e700b1dd0da20a2
>>> compiler: gcc (GCC) 10.1.0-syz 20200507
>>> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12f7bc5a500000
>>> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10934cf2500000
> CC Peter Zijlstra.
>
> I found next-20200821 had a very very similar ops as this.
> https://groups.google.com/g/syzkaller-upstream-moderation/c/S0pyqK1dZv8/m/dxMoEhGdAQAJ
> So does this mean the bug has existed for a long time, since 5.9-rc1?
>
> The reproducer works randomly on a cpu=2, mem=1600M x86 VM. It could cause a hang again
> on both kernels, but with different kernel stacks.
>
> Maybe the system is just too busy? I will try older kernels with the reproducer.
The 5.8 kernel sometimes also failed on this test on my 2-CPU VM guest with 2 GB of memory:
Any comments for this issue?
Thanks
Alex
[ 5875.750929][ T946] INFO: task repro:31866 blocked for more than 143 seconds.
[ 5875.751618][ T946] Not tainted 5.8.0 #6
[ 5875.752046][ T946] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables th.
[ 5875.752845][ T946] repro D12088 31866 1 0x80004086
[ 5875.753436][ T946] Call Trace:
[ 5875.753747][ T946] __schedule+0x394/0x950
[ 5875.774033][ T946] ? __mutex_lock+0x46f/0x9c0
[ 5875.774481][ T946] ? blkdev_put+0x18/0x120
[ 5875.774894][ T946] schedule+0x37/0xe0
[ 5875.775260][ T946] schedule_preempt_disabled+0xf/0x20
[ 5875.775753][ T946] __mutex_lock+0x474/0x9c0
[ 5875.776174][ T946] ? lock_acquire+0xa7/0x390
[ 5875.776602][ T946] ? locks_remove_file+0x1e7/0x2d0
[ 5875.777079][ T946] ? blkdev_put+0x18/0x120
[ 5875.777485][ T946] blkdev_put+0x18/0x120
[ 5875.777880][ T946] blkdev_close+0x1f/0x30
[ 5875.778281][ T946] __fput+0xf0/0x260
[ 5875.778639][ T946] task_work_run+0x68/0xb0
[ 5875.779054][ T946] do_exit+0x3df/0xce0
[ 5875.779430][ T946] ? get_signal+0x11d/0xca0
[ 5875.779846][ T946] do_group_exit+0x42/0xb0
[ 5875.780261][ T946] get_signal+0x16a/0xca0
[ 5875.780662][ T946] ? handle_mm_fault+0xc8f/0x19c0
[ 5875.781134][ T946] do_signal+0x2b/0x8e0
[ 5875.781521][ T946] ? trace_hardirqs_off+0xe/0xf0
[ 5875.781989][ T946] __prepare_exit_to_usermode+0xef/0x1f0
[ 5875.782512][ T946] ? asm_exc_page_fault+0x8/0x30
[ 5875.782979][ T946] prepare_exit_to_usermode+0x5/0x30
[ 5875.783461][ T946] asm_exc_page_fault+0x1e/0x30
[ 5875.783909][ T946] RIP: 0033:0x428dd7
[ 5875.794899][ T946] Code: Bad RIP value.
[ 5875.795290][ T946] RSP: 002b:00007f37c99e0d78 EFLAGS: 00010202
[ 5875.795858][ T946] RAX: 0000000020000080 RBX: 0000000000000000 RCX: 0000000076656f
[ 5875.796588][ T946] RDX: 000000000000000c RSI: 00000000004b2370 RDI: 00000000200000
[ 5875.797326][ T946] RBP: 00007f37c99e0da0 R08: 00007f37c99e1700 R09: 00007f37c99e10
[ 5875.798063][ T946] R10: 00007f37c99e19d0 R11: 0000000000000202 R12: 00000000000000
[ 5875.798802][ T946] R13: 0000000000021000 R14: 0000000000000000 R15: 00007f37c99e10
* Re: INFO: task can't die in shrink_inactive_list (2)
2020-11-24 3:54 ` Andrew Morton
2020-11-24 5:20 ` Alex Shi
2020-11-24 12:00 ` Alex Shi
@ 2020-12-21 19:56 ` Hugh Dickins
2020-12-21 20:33 ` Matthew Wilcox
2 siblings, 1 reply; 141+ messages in thread
From: Hugh Dickins @ 2020-12-21 19:56 UTC (permalink / raw)
To: Andrew Morton
Cc: syzbot, linux-kernel, linux-mm, syzkaller-bugs, Alex Shi,
Matthew Wilcox
On Mon, 23 Nov 2020, Andrew Morton wrote:
> On Fri, 20 Nov 2020 17:55:22 -0800 syzbot <syzbot+e5a33e700b1dd0da20a2@syzkaller.appspotmail.com> wrote:
>
> > Hello,
> >
> > syzbot found the following issue on:
> >
> > HEAD commit: 03430750 Add linux-next specific files for 20201116
> > git tree: linux-next
> > console output: https://syzkaller.appspot.com/x/log.txt?x=13f80e5e500000
> > kernel config: https://syzkaller.appspot.com/x/.config?x=a1c4c3f27041fdb8
> > dashboard link: https://syzkaller.appspot.com/bug?extid=e5a33e700b1dd0da20a2
> > compiler: gcc (GCC) 10.1.0-syz 20200507
> > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12f7bc5a500000
> > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10934cf2500000
>
> Alex, your series "per memcg lru lock" changed the vmscan code rather a
> lot. Could you please take a look at that reproducer?
Andrew, I promised I'd take a look at this syzreport too (though I think
we're agreed by now that it has nothing to do with per-memcg lru_lock).
I did try, but (unlike Alex) did not manage to get the reproducer to
reproduce it. No doubt I did not try hard enough: I did rather lose
interest after seeing that it appears to involve someone with
CAP_SYS_ADMIN doing an absurdly large ioctl(BLKFRASET) on /dev/nullb0
("Null test block driver" enabled via CONFIG_BLK_DEV_NULL_BLK=y: that I
did enable) and faulting from it: presumably triggering an absurd amount
of readahead.
Cc'ing Matthew since he has a particular interest in readahead, and
might be inspired to make some small safe change that would fix this,
and benefit realistic cases too; but on the whole it didn't look worth
worrying about - or at least not by me.
Hugh
> > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > Reported-by: syzbot+e5a33e700b1dd0da20a2@syzkaller.appspotmail.com
> >
> > INFO: task syz-executor880:8534 can't die for more than 143 seconds.
> > task:syz-executor880 state:R running task stack:25304 pid: 8534 ppid: 8504 flags:0x00004006
> > Call Trace:
> > context_switch kernel/sched/core.c:4269 [inline]
> > __schedule+0x890/0x2030 kernel/sched/core.c:5019
> > preempt_schedule_common+0x45/0xc0 kernel/sched/core.c:5179
> > preempt_schedule_thunk+0x16/0x18 arch/x86/entry/thunk_64.S:40
> > __raw_spin_unlock_irq include/linux/spinlock_api_smp.h:169 [inline]
> > _raw_spin_unlock_irq+0x3c/0x40 kernel/locking/spinlock.c:199
> > spin_unlock_irq include/linux/spinlock.h:404 [inline]
> > shrink_inactive_list+0x4b1/0xce0 mm/vmscan.c:1974
> > shrink_list mm/vmscan.c:2167 [inline]
> > shrink_lruvec+0x61b/0x11b0 mm/vmscan.c:2462
> > shrink_node_memcgs mm/vmscan.c:2650 [inline]
> > shrink_node+0x839/0x1d60 mm/vmscan.c:2767
> > shrink_zones mm/vmscan.c:2970 [inline]
> > do_try_to_free_pages+0x38b/0x1440 mm/vmscan.c:3025
> > try_to_free_pages+0x29f/0x720 mm/vmscan.c:3264
> > __perform_reclaim mm/page_alloc.c:4360 [inline]
> > __alloc_pages_direct_reclaim mm/page_alloc.c:4381 [inline]
> > __alloc_pages_slowpath.constprop.0+0x917/0x2510 mm/page_alloc.c:4785
> > __alloc_pages_nodemask+0x5f0/0x730 mm/page_alloc.c:4995
> > alloc_pages_current+0x191/0x2a0 mm/mempolicy.c:2271
> > alloc_pages include/linux/gfp.h:547 [inline]
> > __page_cache_alloc mm/filemap.c:977 [inline]
> > __page_cache_alloc+0x2ce/0x360 mm/filemap.c:962
> > page_cache_ra_unbounded+0x3a1/0x920 mm/readahead.c:216
> > do_page_cache_ra+0xf9/0x140 mm/readahead.c:267
> > do_sync_mmap_readahead mm/filemap.c:2721 [inline]
> > filemap_fault+0x19d0/0x2940 mm/filemap.c:2809
> > __do_fault+0x10d/0x4d0 mm/memory.c:3623
> > do_shared_fault mm/memory.c:4071 [inline]
> > do_fault mm/memory.c:4149 [inline]
> > handle_pte_fault mm/memory.c:4385 [inline]
> > __handle_mm_fault mm/memory.c:4520 [inline]
> > handle_mm_fault+0x3033/0x55d0 mm/memory.c:4618
> > do_user_addr_fault+0x55b/0xba0 arch/x86/mm/fault.c:1377
> > handle_page_fault arch/x86/mm/fault.c:1434 [inline]
> > exc_page_fault+0x9e/0x180 arch/x86/mm/fault.c:1490
> > asm_exc_page_fault+0x1e/0x30 arch/x86/include/asm/idtentry.h:580
> > RIP: 0033:0x400e71
> > Code: Unable to access opcode bytes at RIP 0x400e47.
> > RSP: 002b:00007f8a5353fdc0 EFLAGS: 00010246
> > RAX: 6c756e2f7665642f RBX: 00000000006dbc38 RCX: 0000000000402824
> > RDX: 928195da81441750 RSI: 0000000000000000 RDI: 00000000006dbc30
> > RBP: 00000000006dbc30 R08: 0000000000000000 R09: 00007f8a53540700
> > R10: 00007f8a535409d0 R11: 0000000000000202 R12: 00000000006dbc3c
> > R13: 00007ffe80747a5f R14: 00007f8a535409c0 R15: 0000000000000001
> >
> > Showing all locks held in the system:
> > 1 lock held by khungtaskd/1659:
> > #0: ffffffff8b339ce0 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x53/0x260 kernel/locking/lockdep.c:6252
> > 1 lock held by kswapd0/2195:
> > 1 lock held by kswapd1/2196:
> > 1 lock held by in:imklog/8191:
> > #0: ffff8880125b1270 (&f->f_pos_lock){+.+.}-{3:3}, at: __fdget_pos+0xe9/0x100 fs/file.c:932
> > 1 lock held by cron/8189:
> > 2 locks held by syz-executor880/8502:
> > 2 locks held by syz-executor880/8505:
> > 2 locks held by syz-executor880/8507:
> > 2 locks held by syz-executor880/11706:
> > 2 locks held by syz-executor880/11709:
> > 3 locks held by syz-executor880/12008:
> > 2 locks held by syz-executor880/12015:
> >
> > =============================================
> >
> >
> >
> > ---
> > This report is generated by a bot. It may contain errors.
> > See https://goo.gl/tpsmEJ for more information about syzbot.
> > syzbot engineers can be reached at syzkaller@googlegroups.com.
> >
> > syzbot will keep track of this issue. See:
> > https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> > syzbot can test patches for this issue, for details see:
> > https://goo.gl/tpsmEJ#testing-patches
* Re: INFO: task can't die in shrink_inactive_list (2)
2020-12-21 19:56 ` Hugh Dickins
@ 2020-12-21 20:33 ` Matthew Wilcox
2020-12-21 21:25 ` Roman Gushchin
2021-02-05 17:44 ` Matthew Wilcox
0 siblings, 2 replies; 141+ messages in thread
From: Matthew Wilcox @ 2020-12-21 20:33 UTC (permalink / raw)
To: Hugh Dickins
Cc: Andrew Morton, syzbot, linux-kernel, linux-mm, syzkaller-bugs,
Alex Shi, Roman Gushchin, Wu Fengguang
On Mon, Dec 21, 2020 at 11:56:36AM -0800, Hugh Dickins wrote:
> On Mon, 23 Nov 2020, Andrew Morton wrote:
> > On Fri, 20 Nov 2020 17:55:22 -0800 syzbot <syzbot+e5a33e700b1dd0da20a2@syzkaller.appspotmail.com> wrote:
> >
> > > Hello,
> > >
> > > syzbot found the following issue on:
> > >
> > > HEAD commit: 03430750 Add linux-next specific files for 20201116
> > > git tree: linux-next
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=13f80e5e500000
> > > kernel config: https://syzkaller.appspot.com/x/.config?x=a1c4c3f27041fdb8
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=e5a33e700b1dd0da20a2
> > > compiler: gcc (GCC) 10.1.0-syz 20200507
> > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12f7bc5a500000
> > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10934cf2500000
> >
> > Alex, your series "per memcg lru lock" changed the vmscan code rather a
> > lot. Could you please take a look at that reproducer?
>
> Andrew, I promised I'd take a look at this syzreport too (though I think
> we're agreed by now that it has nothing to do with per-memcg lru_lock).
>
> I did try, but (unlike Alex) did not manage to get the reproducer to
> reproduce it. No doubt I did not try hard enough: I did rather lose
> interest after seeing that it appears to involve someone with
> CAP_SYS_ADMIN doing an absurdly large ioctl(BLKFRASET) on /dev/nullb0
> ("Null test block driver" enabled via CONFIG_BLK_DEV_NULL_BLK=y: that I
> did enable) and faulting from it: presumably triggering an absurd amount
> of readahead.
>
> Cc'ing Matthew since he has a particular interest in readahead, and
> might be inspired to make some small safe change that would fix this,
> and benefit realistic cases too; but on the whole it didn't look worth
> worrying about - or at least not by me.
Oh, interesting. Thanks for looping me in, I hadn't looked at this one
at all. Building on the debugging you did, this is the interesting
part of the backtrace to me:
> > > try_to_free_pages+0x29f/0x720 mm/vmscan.c:3264
> > > __perform_reclaim mm/page_alloc.c:4360 [inline]
> > > __alloc_pages_direct_reclaim mm/page_alloc.c:4381 [inline]
> > > __alloc_pages_slowpath.constprop.0+0x917/0x2510 mm/page_alloc.c:4785
> > > __alloc_pages_nodemask+0x5f0/0x730 mm/page_alloc.c:4995
> > > alloc_pages_current+0x191/0x2a0 mm/mempolicy.c:2271
> > > alloc_pages include/linux/gfp.h:547 [inline]
> > > __page_cache_alloc mm/filemap.c:977 [inline]
> > > __page_cache_alloc+0x2ce/0x360 mm/filemap.c:962
> > > page_cache_ra_unbounded+0x3a1/0x920 mm/readahead.c:216
> > > do_page_cache_ra+0xf9/0x140 mm/readahead.c:267
> > > do_sync_mmap_readahead mm/filemap.c:2721 [inline]
> > > filemap_fault+0x19d0/0x2940 mm/filemap.c:2809
So ra_pages has been set to something ridiculously large, and as
a result, we call do_page_cache_ra() asking to read more memory than
is available in the machine. Funny thing, we actually have a function
to prevent this kind of situation, and it's force_page_cache_ra().
So this might fix the problem. I only tested that it compiles. I'll
be happy to write up a proper changelog and sign-off for it if it works ...
it'd be good to get it some soak testing on a variety of different
workloads; changing this stuff is enormously subtle.
As a testament to that, I think Fengguang got it wrong in commit
2cbea1d3ab11 -- async_size should have been 3 * ra_pages / 4, not ra_pages
/ 4 (because we read-behind by half the range, so we're looking for a
page fault to happen a quarter of the way behind this fault ...)
This is partially Roman's fault, see commit 600e19afc5f8.
diff --git a/mm/filemap.c b/mm/filemap.c
index d5e7c2029d16..43fe0f0ae3bb 100644
--- a/mm/filemap.c
+++ b/mm/filemap.c
@@ -2632,7 +2632,7 @@ static struct file *do_sync_mmap_readahead(struct vm_fault *vmf)
ra->size = ra->ra_pages;
ra->async_size = ra->ra_pages / 4;
ractl._index = ra->start;
- do_page_cache_ra(&ractl, ra->size, ra->async_size);
+ force_page_cache_ra(&ractl, ra, ra->size);
return fpin;
}
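Review bot: with the call switched to force_page_cache_ra(&ractl, ra, ra->size), the assignment `ra->async_size = ra->ra_pages / 4;` two lines above is no longer consumed by anything in this hunk (the old call passed it as lookahead_size; the new callee takes only nr), so either it is now dead or the async-readahead marker for this fault path is no longer being placed. Please confirm which, and either drop the assignment or document why the synchronous mmap path intentionally loses its lookahead marker; the changelog promised above should state that behaviour change explicitly.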
diff --git a/mm/internal.h b/mm/internal.h
index c43ccdddb0f6..5664b4b91340 100644
--- a/mm/internal.h
+++ b/mm/internal.h
@@ -49,8 +49,6 @@ void unmap_page_range(struct mmu_gather *tlb,
unsigned long addr, unsigned long end,
struct zap_details *details);
-void do_page_cache_ra(struct readahead_control *, unsigned long nr_to_read,
- unsigned long lookahead_size);
void force_page_cache_ra(struct readahead_control *, struct file_ra_state *,
unsigned long nr);
static inline void force_page_cache_readahead(struct address_space *mapping,
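Review bot: removing the do_page_cache_ra() prototype from mm/internal.h turns any remaining caller outside mm/readahead.c into a build error, while this patch only removes the one caller visible in mm/filemap.c; the changelog should record that the symbol was grepped for across the tree so reviewers can see it is now referenced only from mm/readahead.c.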
diff --git a/mm/readahead.c b/mm/readahead.c
index c5b0457415be..f344c894c26a 100644
--- a/mm/readahead.c
+++ b/mm/readahead.c
@@ -246,7 +246,7 @@ EXPORT_SYMBOL_GPL(page_cache_ra_unbounded);
* behaviour which would occur if page allocations are causing VM writeback.
* We really don't want to intermingle reads and writes like that.
*/
-void do_page_cache_ra(struct readahead_control *ractl,
+static void do_page_cache_ra(struct readahead_control *ractl,
unsigned long nr_to_read, unsigned long lookahead_size)
{
struct inode *inode = ractl->mapping->host;
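Review bot: making do_page_cache_ra() static is consistent with the header hunk, but the comment block above it (the visible tail ends "We really don't want to intermingle reads and writes like that. */") still reads as if the function were a general entry point; consider adding a sentence that callers outside this file should go through force_page_cache_ra(), the bounded entry point described in the message above, so the reason for the visibility change is recorded next to the function.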
* Re: INFO: task can't die in shrink_inactive_list (2)
2020-12-21 20:33 ` Matthew Wilcox
@ 2020-12-21 21:25 ` Roman Gushchin
2021-02-05 17:44 ` Matthew Wilcox
1 sibling, 0 replies; 141+ messages in thread
From: Roman Gushchin @ 2020-12-21 21:25 UTC (permalink / raw)
To: Matthew Wilcox
Cc: Hugh Dickins, Andrew Morton, syzbot, linux-kernel, linux-mm,
syzkaller-bugs, Alex Shi, Wu Fengguang
On Mon, Dec 21, 2020 at 08:33:44PM +0000, Matthew Wilcox wrote:
> On Mon, Dec 21, 2020 at 11:56:36AM -0800, Hugh Dickins wrote:
> > On Mon, 23 Nov 2020, Andrew Morton wrote:
> > > On Fri, 20 Nov 2020 17:55:22 -0800 syzbot <syzbot+e5a33e700b1dd0da20a2@syzkaller.appspotmail.com> wrote:
> > >
> > > > Hello,
> > > >
> > > > syzbot found the following issue on:
> > > >
> > > > HEAD commit: 03430750 Add linux-next specific files for 20201116
> > > > git tree: linux-next
> > > > console output: https://syzkaller.appspot.com/x/log.txt?x=13f80e5e500000
> > > > kernel config: https://syzkaller.appspot.com/x/.config?x=a1c4c3f27041fdb8
> > > > dashboard link: https://syzkaller.appspot.com/bug?extid=e5a33e700b1dd0da20a2
> > > > compiler: gcc (GCC) 10.1.0-syz 20200507
> > > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12f7bc5a500000
> > > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10934cf2500000
> > >
> > > Alex, your series "per memcg lru lock" changed the vmscan code rather a
> > > lot. Could you please take a look at that reproducer?
> >
> > Andrew, I promised I'd take a look at this syzreport too (though I think
> > we're agreed by now that it has nothing to do with per-memcg lru_lock).
> >
> > I did try, but (unlike Alex) did not manage to get the reproducer to
> > reproduce it. No doubt I did not try hard enough: I did rather lose
> > interest after seeing that it appears to involve someone with
> > CAP_SYS_ADMIN doing an absurdly large ioctl(BLKFRASET) on /dev/nullb0
> > ("Null test block driver" enabled via CONFIG_BLK_DEV_NULL_BLK=y: that I
> > did enable) and faulting from it: presumably triggering an absurd amount
> > of readahead.
> >
> > Cc'ing Matthew since he has a particular interest in readahead, and
> > might be inspired to make some small safe change that would fix this,
> > and benefit realistic cases too; but on the whole it didn't look worth
> > worrying about - or at least not by me.
>
> Oh, interesting. Thanks for looping me in, I hadn't looked at this one
> at all. Building on the debugging you did, this is the interesting
> part of the backtrace to me:
>
> > > > try_to_free_pages+0x29f/0x720 mm/vmscan.c:3264
> > > > __perform_reclaim mm/page_alloc.c:4360 [inline]
> > > > __alloc_pages_direct_reclaim mm/page_alloc.c:4381 [inline]
> > > > __alloc_pages_slowpath.constprop.0+0x917/0x2510 mm/page_alloc.c:4785
> > > > __alloc_pages_nodemask+0x5f0/0x730 mm/page_alloc.c:4995
> > > > alloc_pages_current+0x191/0x2a0 mm/mempolicy.c:2271
> > > > alloc_pages include/linux/gfp.h:547 [inline]
> > > > __page_cache_alloc mm/filemap.c:977 [inline]
> > > > __page_cache_alloc+0x2ce/0x360 mm/filemap.c:962
> > > > page_cache_ra_unbounded+0x3a1/0x920 mm/readahead.c:216
> > > > do_page_cache_ra+0xf9/0x140 mm/readahead.c:267
> > > > do_sync_mmap_readahead mm/filemap.c:2721 [inline]
> > > > filemap_fault+0x19d0/0x2940 mm/filemap.c:2809
>
> So ra_pages has been set to something ridiculously large, and as
> a result, we call do_page_cache_ra() asking to read more memory than
> is available in the machine. Funny thing, we actually have a function
> to prevent this kind of situation, and it's force_page_cache_ra().
>
> So this might fix the problem. I only tested that it compiles. I'll
> be happy to write up a proper changelog and sign-off for it if it works ...
> it'd be good to get it some soak testing on a variety of different
> workloads; changing this stuff is enormously subtle.
>
> As a testament to that, I think Fengguang got it wrong in commit
> 2cbea1d3ab11 -- async_size should have been 3 * ra_pages / 4, not ra_pages
> / 4 (because we read-behind by half the range, so we're looking for a
> page fault to happen a quarter of the way behind this fault ...)
>
> This is partially Roman's fault, see commit 600e19afc5f8.
Hi Matthew,
Lol, I had a hard time imagining how I managed to break the readahead
with my recent changes before looking into the commit: it's from 2015 :)
I wonder how a __GFP_NORETRY allocation is causing a 143 seconds stall.
The loop in page_cache_ra_unbounded() should in theory be easily broken
on the first allocation failure. So it could be that (partially) because of
the unrealistically high ra limit the memory is becoming completely depleted
and the memory pressure is insane.
Anyway, your change looks good to me. I'll ack the full version.
Thanks!
* Re: INFO: task can't die in shrink_inactive_list (2)
2020-12-21 20:33 ` Matthew Wilcox
2020-12-21 21:25 ` Roman Gushchin
@ 2021-02-05 17:44 ` Matthew Wilcox
2021-02-05 17:57 ` Hugh Dickins
1 sibling, 1 reply; 141+ messages in thread
From: Matthew Wilcox @ 2021-02-05 17:44 UTC (permalink / raw)
To: Hugh Dickins
Cc: Andrew Morton, syzbot, linux-kernel, linux-mm, syzkaller-bugs,
Alex Shi, Roman Gushchin, Wu Fengguang
Hugh, did you get a chance to test this?
On Mon, Dec 21, 2020 at 08:33:44PM +0000, Matthew Wilcox wrote:
> On Mon, Dec 21, 2020 at 11:56:36AM -0800, Hugh Dickins wrote:
> > On Mon, 23 Nov 2020, Andrew Morton wrote:
> > > On Fri, 20 Nov 2020 17:55:22 -0800 syzbot <syzbot+e5a33e700b1dd0da20a2@syzkaller.appspotmail.com> wrote:
> > >
> > > > Hello,
> > > >
> > > > syzbot found the following issue on:
> > > >
> > > > HEAD commit: 03430750 Add linux-next specific files for 20201116
> > > > git tree: linux-next
> > > > console output: https://syzkaller.appspot.com/x/log.txt?x=13f80e5e500000
> > > > kernel config: https://syzkaller.appspot.com/x/.config?x=a1c4c3f27041fdb8
> > > > dashboard link: https://syzkaller.appspot.com/bug?extid=e5a33e700b1dd0da20a2
> > > > compiler: gcc (GCC) 10.1.0-syz 20200507
> > > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12f7bc5a500000
> > > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10934cf2500000
> > >
> > > Alex, your series "per memcg lru lock" changed the vmscan code rather a
> > > lot. Could you please take a look at that reproducer?
> >
> > Andrew, I promised I'd take a look at this syzreport too (though I think
> > we're agreed by now that it has nothing to do with per-memcg lru_lock).
> >
> > I did try, but (unlike Alex) did not manage to get the reproducer to
> > reproduce it. No doubt I did not try hard enough: I did rather lose
> > interest after seeing that it appears to involve someone with
> > CAP_SYS_ADMIN doing an absurdly large ioctl(BLKFRASET) on /dev/nullb0
> > ("Null test block driver" enabled via CONFIG_BLK_DEV_NULL_BLK=y: that I
> > did enable) and faulting from it: presumably triggering an absurd amount
> > of readahead.
> >
> > Cc'ing Matthew since he has a particular interest in readahead, and
> > might be inspired to make some small safe change that would fix this,
> > and benefit realistic cases too; but on the whole it didn't look worth
> > worrying about - or at least not by me.
>
> Oh, interesting. Thanks for looping me in, I hadn't looked at this one
> at all. Building on the debugging you did, this is the interesting
> part of the backtrace to me:
>
> > > > try_to_free_pages+0x29f/0x720 mm/vmscan.c:3264
> > > > __perform_reclaim mm/page_alloc.c:4360 [inline]
> > > > __alloc_pages_direct_reclaim mm/page_alloc.c:4381 [inline]
> > > > __alloc_pages_slowpath.constprop.0+0x917/0x2510 mm/page_alloc.c:4785
> > > > __alloc_pages_nodemask+0x5f0/0x730 mm/page_alloc.c:4995
> > > > alloc_pages_current+0x191/0x2a0 mm/mempolicy.c:2271
> > > > alloc_pages include/linux/gfp.h:547 [inline]
> > > > __page_cache_alloc mm/filemap.c:977 [inline]
> > > > __page_cache_alloc+0x2ce/0x360 mm/filemap.c:962
> > > > page_cache_ra_unbounded+0x3a1/0x920 mm/readahead.c:216
> > > > do_page_cache_ra+0xf9/0x140 mm/readahead.c:267
> > > > do_sync_mmap_readahead mm/filemap.c:2721 [inline]
> > > > filemap_fault+0x19d0/0x2940 mm/filemap.c:2809
>
> So ra_pages has been set to something ridiculously large, and as
> a result, we call do_page_cache_ra() asking to read more memory than
> is available in the machine. Funny thing, we actually have a function
> to prevent this kind of situation, and it's force_page_cache_ra().
>
> So this might fix the problem. I only tested that it compiles. I'll
> be happy to write up a proper changelog and sign-off for it if it works ...
> it'd be good to get it some soak testing on a variety of different
> workloads; changing this stuff is enormously subtle.
>
> As a testament to that, I think Fengguang got it wrong in commit
> 2cbea1d3ab11 -- async_size should have been 3 * ra_pages / 4, not ra_pages
> / 4 (because we read-behind by half the range, so we're looking for a
> page fault to happen a quarter of the way behind this fault ...)
>
> This is partially Roman's fault, see commit 600e19afc5f8.
>
> diff --git a/mm/filemap.c b/mm/filemap.c
> index d5e7c2029d16..43fe0f0ae3bb 100644
> --- a/mm/filemap.c
> +++ b/mm/filemap.c
> @@ -2632,7 +2632,7 @@ static struct file *do_sync_mmap_readahead(struct vm_fault *vmf)
> ra->size = ra->ra_pages;
> ra->async_size = ra->ra_pages / 4;
> ractl._index = ra->start;
> - do_page_cache_ra(&ractl, ra->size, ra->async_size);
> + force_page_cache_ra(&ractl, ra, ra->size);
> return fpin;
> }
>
> diff --git a/mm/internal.h b/mm/internal.h
> index c43ccdddb0f6..5664b4b91340 100644
> --- a/mm/internal.h
> +++ b/mm/internal.h
> @@ -49,8 +49,6 @@ void unmap_page_range(struct mmu_gather *tlb,
> unsigned long addr, unsigned long end,
> struct zap_details *details);
>
> -void do_page_cache_ra(struct readahead_control *, unsigned long nr_to_read,
> - unsigned long lookahead_size);
> void force_page_cache_ra(struct readahead_control *, struct file_ra_state *,
> unsigned long nr);
> static inline void force_page_cache_readahead(struct address_space *mapping,
> diff --git a/mm/readahead.c b/mm/readahead.c
> index c5b0457415be..f344c894c26a 100644
> --- a/mm/readahead.c
> +++ b/mm/readahead.c
> @@ -246,7 +246,7 @@ EXPORT_SYMBOL_GPL(page_cache_ra_unbounded);
> * behaviour which would occur if page allocations are causing VM writeback.
> * We really don't want to intermingle reads and writes like that.
> */
> -void do_page_cache_ra(struct readahead_control *ractl,
> +static void do_page_cache_ra(struct readahead_control *ractl,
> unsigned long nr_to_read, unsigned long lookahead_size)
> {
> struct inode *inode = ractl->mapping->host;
>
* Re: INFO: task can't die in shrink_inactive_list (2)
2021-02-05 17:44 ` Matthew Wilcox
@ 2021-02-05 17:57 ` Hugh Dickins
0 siblings, 0 replies; 141+ messages in thread
From: Hugh Dickins @ 2021-02-05 17:57 UTC (permalink / raw)
To: Matthew Wilcox
Cc: Hugh Dickins, Andrew Morton, syzbot, linux-kernel, linux-mm,
syzkaller-bugs, Alex Shi, Roman Gushchin, Wu Fengguang
On Fri, 5 Feb 2021, Matthew Wilcox wrote:
>
> Hugh, did you get a chance to test this?
'fraid not: since I was unable to reproduce the problem,
I did not try running with your suggested fix at all:
hoped someone who could reproduce the problem might.
Hugh
>
> On Mon, Dec 21, 2020 at 08:33:44PM +0000, Matthew Wilcox wrote:
> > On Mon, Dec 21, 2020 at 11:56:36AM -0800, Hugh Dickins wrote:
> > > On Mon, 23 Nov 2020, Andrew Morton wrote:
> > > > On Fri, 20 Nov 2020 17:55:22 -0800 syzbot <syzbot+e5a33e700b1dd0da20a2@syzkaller.appspotmail.com> wrote:
> > > >
> > > > > Hello,
> > > > >
> > > > > syzbot found the following issue on:
> > > > >
> > > > > HEAD commit: 03430750 Add linux-next specific files for 20201116
> > > > > git tree: linux-next
> > > > > console output: https://syzkaller.appspot.com/x/log.txt?x=13f80e5e500000
> > > > > kernel config: https://syzkaller.appspot.com/x/.config?x=a1c4c3f27041fdb8
> > > > > dashboard link: https://syzkaller.appspot.com/bug?extid=e5a33e700b1dd0da20a2
> > > > > compiler: gcc (GCC) 10.1.0-syz 20200507
> > > > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12f7bc5a500000
> > > > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10934cf2500000
> > > >
> > > > Alex, your series "per memcg lru lock" changed the vmscan code rather a
> > > > lot. Could you please take a look at that reproducer?
> > >
> > > Andrew, I promised I'd take a look at this syzreport too (though I think
> > > we're agreed by now that it has nothing to do with per-memcg lru_lock).
> > >
> > > I did try, but (unlike Alex) did not manage to get the reproducer to
> > > reproduce it. No doubt I did not try hard enough: I did rather lose
> > > interest after seeing that it appears to involve someone with
> > > CAP_SYS_ADMIN doing an absurdly large ioctl(BLKFRASET) on /dev/nullb0
> > > ("Null test block driver" enabled via CONFIG_BLK_DEV_NULL_BLK=y: that I
> > > did enable) and faulting from it: presumably triggering an absurd amount
> > > of readahead.
> > >
> > > Cc'ing Matthew since he has a particular interest in readahead, and
> > > might be inspired to make some small safe change that would fix this,
> > > and benefit realistic cases too; but on the whole it didn't look worth
> > > worrying about - or at least not by me.
> >
> > Oh, interesting. Thanks for looping me in, I hadn't looked at this one
> > at all. Building on the debugging you did, this is the interesting
> > part of the backtrace to me:
> >
> > > > > try_to_free_pages+0x29f/0x720 mm/vmscan.c:3264
> > > > > __perform_reclaim mm/page_alloc.c:4360 [inline]
> > > > > __alloc_pages_direct_reclaim mm/page_alloc.c:4381 [inline]
> > > > > __alloc_pages_slowpath.constprop.0+0x917/0x2510 mm/page_alloc.c:4785
> > > > > __alloc_pages_nodemask+0x5f0/0x730 mm/page_alloc.c:4995
> > > > > alloc_pages_current+0x191/0x2a0 mm/mempolicy.c:2271
> > > > > alloc_pages include/linux/gfp.h:547 [inline]
> > > > > __page_cache_alloc mm/filemap.c:977 [inline]
> > > > > __page_cache_alloc+0x2ce/0x360 mm/filemap.c:962
> > > > > page_cache_ra_unbounded+0x3a1/0x920 mm/readahead.c:216
> > > > > do_page_cache_ra+0xf9/0x140 mm/readahead.c:267
> > > > > do_sync_mmap_readahead mm/filemap.c:2721 [inline]
> > > > > filemap_fault+0x19d0/0x2940 mm/filemap.c:2809
> >
> > So ra_pages has been set to something ridiculously large, and as
> > a result, we call do_page_cache_ra() asking to read more memory than
> > is available in the machine. Funny thing, we actually have a function
> > to prevent this kind of situation, and it's force_page_cache_ra().
> >
> > So this might fix the problem. I only tested that it compiles. I'll
> > be happy to write up a proper changelog and sign-off for it if it works ...
> > it'd be good to get it some soak testing on a variety of different
> > workloads; changing this stuff is enormously subtle.
> >
> > As a testament to that, I think Fengguang got it wrong in commit
> > 2cbea1d3ab11 -- async_size should have been 3 * ra_pages / 4, not ra_pages
> > / 4 (because we read-behind by half the range, so we're looking for a
> > page fault to happen a quarter of the way behind this fault ...)
> >
> > This is partially Roman's fault, see commit 600e19afc5f8.
> >
> > diff --git a/mm/filemap.c b/mm/filemap.c
> > index d5e7c2029d16..43fe0f0ae3bb 100644
> > --- a/mm/filemap.c
> > +++ b/mm/filemap.c
> > @@ -2632,7 +2632,7 @@ static struct file *do_sync_mmap_readahead(struct vm_fault *vmf)
> > ra->size = ra->ra_pages;
> > ra->async_size = ra->ra_pages / 4;
> > ractl._index = ra->start;
> > - do_page_cache_ra(&ractl, ra->size, ra->async_size);
> > + force_page_cache_ra(&ractl, ra, ra->size);
> > return fpin;
> > }
> >
> > diff --git a/mm/internal.h b/mm/internal.h
> > index c43ccdddb0f6..5664b4b91340 100644
> > --- a/mm/internal.h
> > +++ b/mm/internal.h
> > @@ -49,8 +49,6 @@ void unmap_page_range(struct mmu_gather *tlb,
> > unsigned long addr, unsigned long end,
> > struct zap_details *details);
> >
> > -void do_page_cache_ra(struct readahead_control *, unsigned long nr_to_read,
> > - unsigned long lookahead_size);
> > void force_page_cache_ra(struct readahead_control *, struct file_ra_state *,
> > unsigned long nr);
> > static inline void force_page_cache_readahead(struct address_space *mapping,
> > diff --git a/mm/readahead.c b/mm/readahead.c
> > index c5b0457415be..f344c894c26a 100644
> > --- a/mm/readahead.c
> > +++ b/mm/readahead.c
> > @@ -246,7 +246,7 @@ EXPORT_SYMBOL_GPL(page_cache_ra_unbounded);
> > * behaviour which would occur if page allocations are causing VM writeback.
> > * We really don't want to intermingle reads and writes like that.
> > */
> > -void do_page_cache_ra(struct readahead_control *ractl,
> > +static void do_page_cache_ra(struct readahead_control *ractl,
> > unsigned long nr_to_read, unsigned long lookahead_size)
> > {
> > struct inode *inode = ractl->mapping->host;
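To make the window arithmetic in Matthew's message concrete, here is a small C model of the read-around window that do_sync_mmap_readahead() builds around a faulting page, using the thread's own symbols (ra_pages, size, async_size). It is an added example for this archive page, not code from the kernel or from anyone in the thread. Two things it relies on are not shown on the page and are taken from the kernel's mm/filemap.c and mm/readahead.c: the window starts ra_pages/2 before the fault (clamped at index 0), and the PG_readahead marker is placed on the page async_size pages before the end of the window. It also goes one step past the thread by including the bound the report is missing: a readahead request larger than a caller-supplied page budget is clamped instead of being fed to the allocator page by page until direct reclaim stalls. The function names and the budget clamp are this example's own, not kernel API.

```c
#include <stdbool.h>
#include <stdio.h>

/*
 * Model of the read-around window that do_sync_mmap_readahead() builds for a
 * page fault at index pgoff.  Added example, not kernel code.
 *
 * Assumptions taken from mm/filemap.c and mm/readahead.c (not on the page):
 *   - the window starts ra_pages/2 before the fault, clamped at index 0;
 *   - page_cache_ra_unbounded() sets PG_readahead on the page at offset
 *     nr_to_read - lookahead_size from the window start, i.e. async_size
 *     pages before the window end.
 */
struct ra_window {
	unsigned long start;      /* first page index in the window */
	unsigned long size;       /* pages requested (nr_to_read) */
	unsigned long async_size; /* lookahead_size handed to the readahead code */
	unsigned long marker;     /* index of the page that receives PG_readahead */
};

/* async_size under the current formula (ra_pages / 4) or under the
 * 3 * ra_pages / 4 Matthew argues for; the latter is written as
 * ra_pages - ra_pages / 4 so an absurdly large ra_pages cannot overflow. */
static unsigned long ra_async_size(unsigned long ra_pages, bool proposed)
{
	return proposed ? ra_pages - ra_pages / 4 : ra_pages / 4;
}

struct ra_window ra_window_for_fault(unsigned long pgoff, unsigned long ra_pages,
				     bool proposed)
{
	struct ra_window w;
	unsigned long behind = ra_pages / 2;

	w.start = pgoff > behind ? pgoff - behind : 0;   /* read-behind by half the range */
	w.size = ra_pages;                                /* ra->size = ra->ra_pages */
	w.async_size = ra_async_size(ra_pages, proposed);
	w.marker = w.start + (w.size - w.async_size);     /* assumed marker placement */
	return w;
}

/* Where the PG_readahead marker lands relative to the faulting page:
 * positive means ahead of the fault, negative means behind it. */
long ra_marker_offset(unsigned long pgoff, unsigned long ra_pages, bool proposed)
{
	struct ra_window w = ra_window_for_fault(pgoff, ra_pages, proposed);

	return (long)w.marker - (long)pgoff;
}

/* The bound the report is missing: a request for more pages than the caller
 * is willing to spend is cut down instead of being pushed into the allocator
 * one page at a time.  Hypothetical helper, not a kernel function. */
unsigned long ra_clamp_window(unsigned long nr_to_read, unsigned long budget_pages)
{
	return nr_to_read < budget_pages ? nr_to_read : budget_pages;
}

int main(void)
{
	/* constructed: a fault at page 1000 with the usual 128 KiB window on 4 KiB pages */
	unsigned long pgoff = 1000, ra_pages = 32;
	struct ra_window cur = ra_window_for_fault(pgoff, ra_pages, false);
	struct ra_window prop = ra_window_for_fault(pgoff, ra_pages, true);

	printf("fault at %lu, ra_pages %lu\n", pgoff, ra_pages);
	printf("  ra_pages/4:   window [%lu, %lu) marker %lu (%+ld pages from fault)\n",
	       cur.start, cur.start + cur.size, cur.marker,
	       ra_marker_offset(pgoff, ra_pages, false));
	printf("  3*ra_pages/4: window [%lu, %lu) marker %lu (%+ld pages from fault)\n",
	       prop.start, prop.start + prop.size, prop.marker,
	       ra_marker_offset(pgoff, ra_pages, true));

	/* constructed: ra_pages raised to 2^40 pages on a box with 2^20 pages of RAM */
	unsigned long huge = 1UL << 40, budget = 1UL << 20;
	printf("oversized request of %lu pages clamped to %lu\n",
	       huge, ra_clamp_window(ra_window_for_fault(0, huge, false).size, budget));
	return 0;
}
```

With ra_pages = 32 the current ra_pages/4 puts the marker 8 pages ahead of the fault, while 3*ra_pages/4 puts it 8 pages behind it, which is the "a quarter of the way behind this fault" Matthew describes. The clamp is the shape of check a reviewer would want to see stated for force_page_cache_ra(): whatever the window size, the number of pages actually requested must be tied to something the machine can satisfy.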
* Re: [syzbot]
2020-11-21 1:55 INFO: task can't die in shrink_inactive_list (2) syzbot
2020-11-24 3:54 ` Andrew Morton
@ 2024-09-06 10:39 ` syzbot
1 sibling, 0 replies; 141+ messages in thread
From: syzbot @ 2024-09-06 10:39 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: nogikh@google.com
#syz invalid
* [syzbot] [bcachefs?] WARNING in __init_work (2)
@ 2025-06-12 7:52 syzbot
2025-06-19 20:54 ` [syzbot] syzbot
0 siblings, 1 reply; 141+ messages in thread
From: syzbot @ 2025-06-12 7:52 UTC (permalink / raw)
To: kent.overstreet, linux-bcachefs, linux-kernel, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 19272b37aa4f Linux 6.16-rc1
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=174ea10c580000
kernel config: https://syzkaller.appspot.com/x/.config?x=8409c4d4e51ac27
dashboard link: https://syzkaller.appspot.com/bug?extid=011218db4fea20179df3
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17096d70580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10976e0c580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/92d22b0c6493/disk-19272b37.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/3fb0142bb63a/vmlinux-19272b37.xz
kernel image: https://storage.googleapis.com/syzbot-assets/3d5f3836ae42/Image-19272b37.gz.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/e49d008f1550/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+011218db4fea20179df3@syzkaller.appspotmail.com
ODEBUG: object 000000004394caab is on stack 0000000077db2857, but NOT annotated.
------------[ cut here ]------------
WARNING: CPU: 0 PID: 6533 at lib/debugobjects.c:655 debug_object_is_on_stack lib/debugobjects.c:-1 [inline]
WARNING: CPU: 0 PID: 6533 at lib/debugobjects.c:655 lookup_object_or_alloc lib/debugobjects.c:688 [inline]
WARNING: CPU: 0 PID: 6533 at lib/debugobjects.c:655 __debug_object_init+0x364/0x40c lib/debugobjects.c:743
Modules linked in:
CPU: 0 UID: 0 PID: 6533 Comm: bch-copygc/loop Not tainted 6.16.0-rc1-syzkaller-g19272b37aa4f #0 PREEMPT
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
pstate: 604000c5 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : debug_object_is_on_stack lib/debugobjects.c:-1 [inline]
pc : lookup_object_or_alloc lib/debugobjects.c:688 [inline]
pc : __debug_object_init+0x364/0x40c lib/debugobjects.c:743
lr : debug_object_is_on_stack lib/debugobjects.c:-1 [inline]
lr : lookup_object_or_alloc lib/debugobjects.c:688 [inline]
lr : __debug_object_init+0x364/0x40c lib/debugobjects.c:743
sp : ffff80009bd57700
x29: ffff80009bd57700 x28: 0000000000000000 x27: dfff800000000000
x26: ffff800097589000 x25: ffff0000cb6c9ea0 x24: 0000000000000000
x23: ffff0000cc399428 x22: 0000000000000000 x21: ffff800097467ee8
x20: ffff80008af00de0 x19: ffff80009bd57bb0 x18: 00000000ffffffff
x17: ffff800093215000 x16: ffff80008ae5617c x15: 0000000000000001
x14: 1ffff000137aae58 x13: 0000000000000000 x12: 0000000000000000
x11: ffff7000137aae59 x10: 0000000000ff0100 x9 : c1ad3b4b6b986d00
x8 : c1ad3b4b6b986d00 x7 : 0000000000000001 x6 : 0000000000000001
x5 : ffff80009bd57098 x4 : ffff80008f657060 x3 : ffff8000807bb744
x2 : 0000000000000001 x1 : 0000000100000001 x0 : 0000000000000050
Call trace:
debug_object_is_on_stack lib/debugobjects.c:-1 [inline] (P)
lookup_object_or_alloc lib/debugobjects.c:688 [inline] (P)
__debug_object_init+0x364/0x40c lib/debugobjects.c:743 (P)
debug_object_init+0x20/0x2c lib/debugobjects.c:779
__init_work+0x58/0x68 kernel/workqueue.c:677
rhashtable_init_noprof+0x734/0xa10 lib/rhashtable.c:1085
bch2_copygc_thread+0xec/0xd40 fs/bcachefs/movinggc.c:353
kthread+0x5fc/0x75c kernel/kthread.c:464
ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:847
irq event stamp: 18
hardirqs last enabled at (17): [<ffff800083e501f4>] get_random_u32+0x2d4/0x540 drivers/char/random.c:554
hardirqs last disabled at (18): [<ffff80008ae77604>] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline]
hardirqs last disabled at (18): [<ffff80008ae77604>] _raw_spin_lock_irqsave+0x2c/0x7c kernel/locking/spinlock.c:162
softirqs last enabled at (0): [<ffff8000803aab44>] copy_process+0x1134/0x31ec kernel/fork.c:2114
softirqs last disabled at (0): [<0000000000000000>] 0x0
---[ end trace 0000000000000000 ]---
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
* [syzbot] [bcachefs?] divide error in bch2_sb_members_v2_to_text
@ 2025-06-10 19:15 syzbot
2025-06-19 21:00 ` [syzbot] syzbot
0 siblings, 1 reply; 141+ messages in thread
From: syzbot @ 2025-06-10 19:15 UTC (permalink / raw)
To: kent.overstreet, linux-bcachefs, linux-kernel, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: b27cc623e01b Add linux-next specific files for 20250610
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=169ac60c580000
kernel config: https://syzkaller.appspot.com/x/.config?x=846e731334efc0f8
dashboard link: https://syzkaller.appspot.com/bug?extid=7c8101d4d0ba2eb511d7
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/1c0c417339c8/disk-b27cc623.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/fa29c0f3a1fa/vmlinux-b27cc623.xz
kernel image: https://storage.googleapis.com/syzbot-assets/b902a80b6e7e/bzImage-b27cc623.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+7c8101d4d0ba2eb511d7@syzkaller.appspotmail.com
loop2: detected capacity change from 0 to 32768
Oops: divide error: 0000 [#1] SMP KASAN PTI
CPU: 0 UID: 0 PID: 6339 Comm: syz.2.181 Not tainted 6.16.0-rc1-next-20250610-syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
RIP: 0010:bch2_sb_members_v2_to_text+0x10a/0x3c0 fs/bcachefs/sb-members.c:347
Code: 49 89 f4 49 c1 ec 03 43 0f b6 0c 34 84 c9 48 89 b4 24 a0 00 00 00 0f 85 67 02 00 00 0f b7 0e 48 89 c2 48 c1 ea 20 74 07 48 99 <48> f7 f9 eb 04 31 d2 f7 f1 48 89 84 24 b0 00 00 00 48 8b 84 24 c8
RSP: 0000:ffffc90003e5ed40 EFLAGS: 00010a02
RAX: ffff888029b58368 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffffffffffffffff RSI: ffff888029b58338 RDI: 0000000000001de6
RBP: ffffc90003e5ef70 R08: 000000000000003a R09: 000000000000003a
R10: dffffc0000000000 R11: ffffffff844fcfb0 R12: 1ffff1100536b067
R13: 000000000000000b R14: dffffc0000000000 R15: 1ffff920007cbdc4
FS: 00007f61376166c0(0000) GS:ffff888125c4b000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f5581bb5f78 CR3: 000000007e792000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
bch2_sb_field_validate+0x1c6/0x280 fs/bcachefs/super-io.c:1380
bch2_sb_validate+0x14bd/0x1980 fs/bcachefs/super-io.c:552
__bch2_read_super+0xba4/0x1040 fs/bcachefs/super-io.c:925
bch2_fs_open+0x1fe/0x2570 fs/bcachefs/super.c:2382
bch2_fs_get_tree+0x437/0x14f0 fs/bcachefs/fs.c:2473
vfs_get_tree+0x8f/0x2b0 fs/super.c:1802
do_new_mount+0x24a/0xa40 fs/namespace.c:3885
do_mount fs/namespace.c:4222 [inline]
__do_sys_mount fs/namespace.c:4433 [inline]
__se_sys_mount+0x317/0x410 fs/namespace.c:4410
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f61367900ca
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 1a 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f6137615e68 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007f6137615ef0 RCX: 00007f61367900ca
RDX: 0000200000000000 RSI: 0000200000011a40 RDI: 00007f6137615eb0
RBP: 0000200000000000 R08: 00007f6137615ef0 R09: 00000000028080c9
R10: 00000000028080c9 R11: 0000000000000246 R12: 0000200000011a40
R13: 00007f6137615eb0 R14: 00000000000119f9 R15: 0000200000013d00
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:bch2_sb_members_v2_to_text+0x10a/0x3c0 fs/bcachefs/sb-members.c:347
Code: 49 89 f4 49 c1 ec 03 43 0f b6 0c 34 84 c9 48 89 b4 24 a0 00 00 00 0f 85 67 02 00 00 0f b7 0e 48 89 c2 48 c1 ea 20 74 07 48 99 <48> f7 f9 eb 04 31 d2 f7 f1 48 89 84 24 b0 00 00 00 48 8b 84 24 c8
RSP: 0000:ffffc90003e5ed40 EFLAGS: 00010a02
RAX: ffff888029b58368 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffffffffffffffff RSI: ffff888029b58338 RDI: 0000000000001de6
RBP: ffffc90003e5ef70 R08: 000000000000003a R09: 000000000000003a
R10: dffffc0000000000 R11: ffffffff844fcfb0 R12: 1ffff1100536b067
R13: 000000000000000b R14: dffffc0000000000 R15: 1ffff920007cbdc4
FS: 00007f61376166c0(0000) GS:ffff888125c4b000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f961d79c000 CR3: 000000007e792000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 49 89 f4 mov %rsi,%r12
3: 49 c1 ec 03 shr $0x3,%r12
7: 43 0f b6 0c 34 movzbl (%r12,%r14,1),%ecx
c: 84 c9 test %cl,%cl
e: 48 89 b4 24 a0 00 00 mov %rsi,0xa0(%rsp)
15: 00
16: 0f 85 67 02 00 00 jne 0x283
1c: 0f b7 0e movzwl (%rsi),%ecx
1f: 48 89 c2 mov %rax,%rdx
22: 48 c1 ea 20 shr $0x20,%rdx
26: 74 07 je 0x2f
28: 48 99 cqto
* 2a: 48 f7 f9 idiv %rcx <-- trapping instruction
2d: eb 04 jmp 0x33
2f: 31 d2 xor %edx,%edx
31: f7 f1 div %ecx
33: 48 89 84 24 b0 00 00 mov %rax,0xb0(%rsp)
3a: 00
3b: 48 rex.W
3c: 8b .byte 0x8b
3d: 84 24 c8 test %ah,(%rax,%rcx,8)
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
* [syzbot] [bcachefs?] kernel BUG in vfs_get_tree (2)
@ 2025-06-08 5:52 syzbot
2025-06-19 20:57 ` [syzbot] syzbot
0 siblings, 1 reply; 141+ messages in thread
From: syzbot @ 2025-06-08 5:52 UTC (permalink / raw)
To: brauner, jack, kent.overstreet, linux-bcachefs, linux-fsdevel,
linux-kernel, syzkaller-bugs, viro
Hello,
syzbot found the following issue on:
HEAD commit: 911483b25612 Add linux-next specific files for 20250604
git tree: linux-next
console+strace: https://syzkaller.appspot.com/x/log.txt?x=161761d4580000
kernel config: https://syzkaller.appspot.com/x/.config?x=28859360c84ac63d
dashboard link: https://syzkaller.appspot.com/bug?extid=10a214d962941493d1dd
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1106940c580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10ce7c82580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/1067df4a0ae9/disk-911483b2.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/1ec468cccc74/vmlinux-911483b2.xz
kernel image: https://storage.googleapis.com/syzbot-assets/02250b138a0f/bzImage-911483b2.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/ac45824a405f/mount_0.gz
The issue was bisected to:
commit ad7a2ae339342ce4721993e637ecd9f7dc654f3b
Author: Kent Overstreet <kent.overstreet@linux.dev>
Date: Mon Jun 2 00:22:17 2025 +0000
bcachefs: Add missing restart handling to check_topology()
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=162c2c0c580000
final oops: https://syzkaller.appspot.com/x/report.txt?x=152c2c0c580000
console output: https://syzkaller.appspot.com/x/log.txt?x=112c2c0c580000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+10a214d962941493d1dd@syzkaller.appspotmail.com
Fixes: ad7a2ae33934 ("bcachefs: Add missing restart handling to check_topology()")
bcachefs (loop0): error in recovery: ENOMEMemergency read only at seq 10
bcachefs (loop0): bch2_fs_start(): error starting filesystem ENOMEM
bcachefs (loop0): shutting down
bcachefs (loop0): shutdown complete
bcachefs: bch2_fs_get_tree() error: ENOMEM
Filesystem bcachefs get_tree() didn't set fc->root, returned 12
------------[ cut here ]------------
kernel BUG at fs/super.c:1812!
Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
CPU: 0 UID: 0 PID: 5842 Comm: syz-executor187 Not tainted 6.15.0-next-20250604-syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
RIP: 0010:vfs_get_tree+0x29f/0x2b0 fs/super.c:1812
Code: 1b 48 89 d8 48 c1 e8 03 42 80 3c 28 00 74 08 48 89 df e8 14 8b ee ff 48 8b 33 48 c7 c7 00 31 99 8b 44 89 f2 e8 d2 42 f2 fe 90 <0f> 0b 66 66 66 66 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90
RSP: 0018:ffffc9000437fd58 EFLAGS: 00010246
RAX: 000000000000003f RBX: ffffffff8e7829a0 RCX: ad6f5de195933e00
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000003 R09: 0000000000000004
R10: dffffc0000000000 R11: fffffbfff1bfa9ec R12: 1ffff1100ea3c216
R13: dffffc0000000000 R14: 000000000000000c R15: 0000000000000000
FS: 000055558ea4c380(0000) GS:ffff888125c4d000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005620027d9f60 CR3: 0000000075234000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
do_new_mount+0x24a/0xa40 fs/namespace.c:3874
do_mount fs/namespace.c:4211 [inline]
__do_sys_mount fs/namespace.c:4422 [inline]
__se_sys_mount+0x317/0x410 fs/namespace.c:4399
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7ff57623fe2a
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 5e 04 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffda26af7f8 EFLAGS: 00000282 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007ffda26af810 RCX: 00007ff57623fe2a
RDX: 00002000000000c0 RSI: 0000200000000000 RDI: 00007ffda26af810
RBP: 0000200000000000 R08: 00007ffda26af850 R09: 0000000000005972
R10: 0000000000800000 R11: 0000000000000282 R12: 00002000000000c0
R13: 00007ffda26af850 R14: 0000000000000003 R15: 0000000000800000
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:vfs_get_tree+0x29f/0x2b0 fs/super.c:1812
Code: 1b 48 89 d8 48 c1 e8 03 42 80 3c 28 00 74 08 48 89 df e8 14 8b ee ff 48 8b 33 48 c7 c7 00 31 99 8b 44 89 f2 e8 d2 42 f2 fe 90 <0f> 0b 66 66 66 66 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90
RSP: 0018:ffffc9000437fd58 EFLAGS: 00010246
RAX: 000000000000003f RBX: ffffffff8e7829a0 RCX: ad6f5de195933e00
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000003 R09: 0000000000000004
R10: dffffc0000000000 R11: fffffbfff1bfa9ec R12: 1ffff1100ea3c216
R13: dffffc0000000000 R14: 000000000000000c R15: 0000000000000000
FS: 000055558ea4c380(0000) GS:ffff888125c4d000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffe40667f19 CR3: 0000000075234000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
* [syzbot] [bcachefs?] WARNING in lookup_object_or_alloc
@ 2025-05-31 15:09 syzbot
2025-06-19 20:54 ` [syzbot] syzbot
0 siblings, 1 reply; 141+ messages in thread
From: syzbot @ 2025-05-31 15:09 UTC (permalink / raw)
To: kent.overstreet, linux-bcachefs, linux-kernel, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 015a99fa7665 Merge tag 'nolibc-20250526-for-6.16-1' of git..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16fcedf4580000
kernel config: https://syzkaller.appspot.com/x/.config?x=231a962e5fdb804b
dashboard link: https://syzkaller.appspot.com/bug?extid=88e6a26b68fb670364e1
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/f68bd0ec2940/disk-015a99fa.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/8c78735943b8/vmlinux-015a99fa.xz
kernel image: https://storage.googleapis.com/syzbot-assets/7d9332085f01/bzImage-015a99fa.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+88e6a26b68fb670364e1@syzkaller.appspotmail.com
ODEBUG: object ffffc9000d537a98 is on stack ffffc9000d530000, but NOT annotated.
------------[ cut here ]------------
WARNING: CPU: 1 PID: 16496 at lib/debugobjects.c:655 debug_object_is_on_stack lib/debugobjects.c:655 [inline]
WARNING: CPU: 1 PID: 16496 at lib/debugobjects.c:655 lookup_object_or_alloc.part.0+0x2b1/0x590 lib/debugobjects.c:688
Modules linked in:
CPU: 1 UID: 0 PID: 16496 Comm: bch-copygc/loop Not tainted 6.15.0-syzkaller-02443-g015a99fa7665 #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
RIP: 0010:debug_object_is_on_stack lib/debugobjects.c:655 [inline]
RIP: 0010:lookup_object_or_alloc.part.0+0x2b1/0x590 lib/debugobjects.c:688
Code: 0e 48 8d 7d 20 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 58 02 00 00 48 8b 55 20 4c 89 e6 48 c7 c7 c0 07 f5 8b e8 60 ff bf fc 90 <0f> 0b 90 48 83 c4 18 48 89 d8 5b 5d 41 5c 41 5d 41 5e 41 5f e9 b1
RSP: 0018:ffffc9000d5377b0 EFLAGS: 00010086
RAX: 0000000000000050 RBX: ffff8880347347a8 RCX: ffffffff819a71b9
RDX: 0000000000000000 RSI: ffffffff819af046 RDI: 0000000000000005
RBP: ffff88801f7e3c00 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000001 R11: 0000000000002be0 R12: ffffc9000d537a98
R13: ffff88801f7e3c00 R14: 0000000000000000 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff888124aaa000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fdb0980f000 CR3: 0000000030dfd000 CR4: 0000000000350ef0
Call Trace:
<TASK>
lookup_object_or_alloc lib/debugobjects.c:665 [inline]
__debug_object_init+0x2a9/0x3d0 lib/debugobjects.c:743
__init_work+0x4c/0x60 kernel/workqueue.c:677
rhashtable_init_noprof+0x49f/0x7e0 lib/rhashtable.c:1085
bch2_copygc_thread+0xf6/0xdd0 fs/bcachefs/movinggc.c:355
kthread+0x3c5/0x780 kernel/kthread.c:464
ret_from_fork+0x5d7/0x6f0 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
* [syzbot] [bcachefs?] KASAN: slab-out-of-bounds Read in bch2_sb_members_v2_to_text
@ 2025-05-26 10:41 syzbot
2025-06-08 15:33 ` [syzbot] syzbot
0 siblings, 1 reply; 141+ messages in thread
From: syzbot @ 2025-05-26 10:41 UTC (permalink / raw)
To: kent.overstreet, linux-bcachefs, linux-kernel, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 176e917e010c Add linux-next specific files for 20250523
git tree: linux-next
console+strace: https://syzkaller.appspot.com/x/log.txt?x=1159c5f4580000
kernel config: https://syzkaller.appspot.com/x/.config?x=e7902c752bef748
dashboard link: https://syzkaller.appspot.com/bug?extid=5138f00559ffb3cb3610
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14a759f4580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14e065f4580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/5f7692c642fa/disk-176e917e.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/057a442d42d0/vmlinux-176e917e.xz
kernel image: https://storage.googleapis.com/syzbot-assets/8f8ebdb4dd96/bzImage-176e917e.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/9032c3d09738/mount_0.gz
The issue was bisected to:
commit 1c8dfd7ba50dbbb72113caf4fa7868512cdad2f4
Author: Kent Overstreet <kent.overstreet@linux.dev>
Date: Wed Apr 16 03:35:48 2025 +0000
bcachefs: sb_validate() no longer requires members_v1
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=11d21ad4580000
final oops: https://syzkaller.appspot.com/x/report.txt?x=13d21ad4580000
console output: https://syzkaller.appspot.com/x/log.txt?x=15d21ad4580000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+5138f00559ffb3cb3610@syzkaller.appspotmail.com
Fixes: 1c8dfd7ba50d ("bcachefs: sb_validate() no longer requires members_v1")
loop0: detected capacity change from 0 to 32768
==================================================================
BUG: KASAN: slab-out-of-bounds in members_v2_get fs/bcachefs/sb-members.c:68 [inline]
BUG: KASAN: slab-out-of-bounds in bch2_sb_members_v2_to_text+0x1ae/0x310 fs/bcachefs/sb-members.c:347
Read of size 136 at addr ffff88807716dfb8 by task syz-executor118/5842
CPU: 0 UID: 0 PID: 5842 Comm: syz-executor118 Not tainted 6.15.0-rc7-next-20250523-syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:408 [inline]
print_report+0xd2/0x2b0 mm/kasan/report.c:521
kasan_report+0x118/0x150 mm/kasan/report.c:634
check_region_inline mm/kasan/generic.c:-1 [inline]
kasan_check_range+0x2b0/0x2c0 mm/kasan/generic.c:189
__asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105
members_v2_get fs/bcachefs/sb-members.c:68 [inline]
bch2_sb_members_v2_to_text+0x1ae/0x310 fs/bcachefs/sb-members.c:347
bch2_sb_field_validate+0x1c6/0x280 fs/bcachefs/super-io.c:1380
bch2_sb_validate+0x14bd/0x1980 fs/bcachefs/super-io.c:552
__bch2_read_super+0xba4/0x1040 fs/bcachefs/super-io.c:925
bch2_fs_open+0x1fe/0x25c0 fs/bcachefs/super.c:2371
bch2_fs_get_tree+0x44d/0x15f0 fs/bcachefs/fs.c:2463
vfs_get_tree+0x92/0x2b0 fs/super.c:1802
do_new_mount+0x24a/0xa40 fs/namespace.c:3869
do_mount fs/namespace.c:4206 [inline]
__do_sys_mount fs/namespace.c:4417 [inline]
__se_sys_mount+0x317/0x410 fs/namespace.c:4394
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f813c8a7dfa
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 5e 04 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffeafb83b88 EFLAGS: 00000282 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007ffeafb83ba0 RCX: 00007f813c8a7dfa
RDX: 00002000000000c0 RSI: 0000200000000300 RDI: 00007ffeafb83ba0
RBP: 0000000000000010 R08: 00007ffeafb83be0 R09: 00ffffffffffffff
R10: 0000000000000010 R11: 0000000000000282 R12: 00002000000000c0
R13: 0000200000000300 R14: 00007ffeafb83be0 R15: 0000000000000003
</TASK>
Allocated by task 5842:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:260 [inline]
__do_kmalloc_node mm/slub.c:4327 [inline]
__kmalloc_node_track_caller_noprof+0x271/0x4e0 mm/slub.c:4346
__do_krealloc mm/slub.c:4904 [inline]
krealloc_noprof+0x124/0x340 mm/slub.c:4957
bch2_sb_realloc+0x348/0x630 fs/bcachefs/super-io.c:222
read_one_super+0x3a3/0x850 fs/bcachefs/super-io.c:759
__bch2_read_super+0x6c6/0x1040 fs/bcachefs/super-io.c:851
bch2_fs_open+0x1fe/0x25c0 fs/bcachefs/super.c:2371
bch2_fs_get_tree+0x44d/0x15f0 fs/bcachefs/fs.c:2463
vfs_get_tree+0x92/0x2b0 fs/super.c:1802
do_new_mount+0x24a/0xa40 fs/namespace.c:3869
do_mount fs/namespace.c:4206 [inline]
__do_sys_mount fs/namespace.c:4417 [inline]
__se_sys_mount+0x317/0x410 fs/namespace.c:4394
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff88807716c000
which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 8120 bytes inside of
allocated 8192-byte region [ffff88807716c000, ffff88807716e000)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x77168
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88801a442280 dead000000000122 0000000000000000
raw: 0000000000000000 0000000080020002 00000000f5000000 0000000000000000
head: 00fff00000000040 ffff88801a442280 dead000000000122 0000000000000000
head: 0000000000000000 0000000080020002 00000000f5000000 0000000000000000
head: 00fff00000000003 ffffea0001dc5a01 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd28c0(GFP_NOWAIT|__GFP_IO|__GFP_FS|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5759, tgid 5759 (sshd-session), ts 67004973254, free_ts 66925363852
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1704
prep_new_page mm/page_alloc.c:1712 [inline]
get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3669
__alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:4959
alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2419
alloc_slab_page mm/slub.c:2450 [inline]
allocate_slab+0x8a/0x3b0 mm/slub.c:2618
new_slab mm/slub.c:2672 [inline]
___slab_alloc+0xbfc/0x1480 mm/slub.c:3858
__slab_alloc mm/slub.c:3948 [inline]
__slab_alloc_node mm/slub.c:4023 [inline]
slab_alloc_node mm/slub.c:4184 [inline]
__do_kmalloc_node mm/slub.c:4326 [inline]
__kmalloc_node_track_caller_noprof+0x2f8/0x4e0 mm/slub.c:4346
kmalloc_reserve+0x136/0x290 net/core/skbuff.c:601
__alloc_skb+0x142/0x2d0 net/core/skbuff.c:670
alloc_skb include/linux/skbuff.h:1336 [inline]
netlink_dump+0x1c7/0xe20 net/netlink/af_netlink.c:2275
netlink_recvmsg+0x67b/0xe00 net/netlink/af_netlink.c:1965
sock_recvmsg_nosec net/socket.c:1017 [inline]
sock_recvmsg+0x229/0x270 net/socket.c:1039
____sys_recvmsg+0x1c9/0x460 net/socket.c:2786
___sys_recvmsg+0x1b5/0x510 net/socket.c:2828
__sys_recvmsg net/socket.c:2861 [inline]
__do_sys_recvmsg net/socket.c:2867 [inline]
__se_sys_recvmsg net/socket.c:2864 [inline]
__x64_sys_recvmsg+0x198/0x260 net/socket.c:2864
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
page last free pid 5758 tgid 5758 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1248 [inline]
__free_frozen_pages+0xc71/0xe70 mm/page_alloc.c:2706
discard_slab mm/slub.c:2716 [inline]
__put_partials+0x161/0x1c0 mm/slub.c:3185
put_cpu_partial+0x17c/0x250 mm/slub.c:3260
__slab_free+0x2f7/0x400 mm/slub.c:4512
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x97/0x140 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:329
kasan_slab_alloc include/linux/kasan.h:250 [inline]
slab_post_alloc_hook mm/slub.c:4147 [inline]
slab_alloc_node mm/slub.c:4196 [inline]
kmem_cache_alloc_noprof+0x1c1/0x3c0 mm/slub.c:4203
getname_flags+0xb8/0x540 fs/namei.c:146
getname include/linux/fs.h:2903 [inline]
__do_sys_unlink fs/namei.c:4696 [inline]
__se_sys_unlink fs/namei.c:4694 [inline]
__x64_sys_unlink+0x3a/0x50 fs/namei.c:4694
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Memory state around the buggy address:
ffff88807716df00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88807716df80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88807716e000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff88807716e080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88807716e100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
^ permalink raw reply [flat|nested] 141+ messages in thread
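The read KASAN flags is 136 bytes starting 8120 bytes into an 8192-byte superblock buffer, so it runs 64 bytes past the allocation while the validator prints a members_v2 entry of a mounted image. As an added illustration, not bcachefs code and not the on-disk layout of bch_sb_field_members_v2, the userspace C below models a variable-length superblock field and validates the entry count and entry size against the bytes actually remaining in the buffer before any entry is copied. The header struct, its field names, ENTRY_BYTES_MAX (taken from the report's read size) and the 8 KiB buffer are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/*
 * Hypothetical model of a variable-length superblock field: a header giving
 * the field size in 8-byte words, the on-disk size of one entry and the entry
 * count, followed by the entries. This is NOT bcachefs's real layout; it only
 * shows the checks that keep an accessor inside the buffer it was given.
 */
struct sb_field_hdr {
	uint32_t u64s;        /* whole field, header included, in 8-byte words */
	uint16_t entry_bytes; /* on-disk size of one entry */
	uint16_t nr_entries;
};

#define ENTRY_BYTES_MAX 136 /* in-memory entry the accessor copies into */
struct entry { uint8_t raw[ENTRY_BYTES_MAX]; };

/*
 * Validate the header against the bytes that remain in the superblock
 * buffer. Every bound comes from the buffer we own, never from the untrusted
 * field alone. Returns 0 and fills *out on success, -1 otherwise.
 */
int sb_field_validate(const uint8_t *field, size_t remaining, struct sb_field_hdr *out)
{
	struct sb_field_hdr h;

	if (remaining < sizeof(h))
		return -1;                       /* not even room for a header */
	memcpy(&h, field, sizeof(h));
	size_t field_bytes = (size_t)h.u64s * 8;
	if (field_bytes < sizeof(h) || field_bytes > remaining)
		return -1;                       /* field claims more than the buffer holds */
	if (h.entry_bytes == 0)
		return -1;                       /* every index would alias entry 0 */
	size_t need = (size_t)h.entry_bytes * h.nr_entries; /* 16x16 bits cannot overflow size_t */
	if (need > field_bytes - sizeof(h))
		return -1;                       /* entries overrun the field */
	*out = h;
	return 0;
}

/* Bounds-checked accessor: copies min(entry_bytes, ENTRY_BYTES_MAX), zero-fills the rest. */
int sb_field_entry_get(const uint8_t *field, size_t remaining, unsigned i, struct entry *e)
{
	struct sb_field_hdr h;

	if (sb_field_validate(field, remaining, &h) || i >= h.nr_entries)
		return -1;
	size_t n = h.entry_bytes < ENTRY_BYTES_MAX ? h.entry_bytes : ENTRY_BYTES_MAX;
	memset(e, 0, sizeof(*e));
	memcpy(e->raw, field + sizeof(h) + (size_t)i * h.entry_bytes, n);
	return 0;
}

/* Constructed 8 KiB buffer mirroring the report: entry 0 would begin 8120 bytes
 * in and be read for 136 bytes, i.e. 64 bytes past the end of the allocation. */
static uint8_t sb[8192];

static void put_hdr(size_t off, uint32_t u64s, uint16_t entry_bytes, uint16_t nr)
{
	struct sb_field_hdr h = { u64s, entry_bytes, nr };

	memset(sb, 0xAA, sizeof(sb));
	memcpy(sb + off, &h, sizeof(h));
}

int crafted_field_rejected(void)
{
	struct entry e;

	put_hdr(8112, 18, 136, 1);            /* 144-byte field, only 80 bytes remain */
	return sb_field_entry_get(sb + 8112, sizeof(sb) - 8112, 0, &e) == -1;
}

int oversized_entries_rejected(void)
{
	struct entry e;

	put_hdr(8112, 10, 136, 1);            /* 80-byte field fits, its 136-byte entry does not */
	return sb_field_entry_get(sb + 8112, sizeof(sb) - 8112, 0, &e) == -1;
}

int wellformed_field_accepted(void)
{
	struct entry e;

	put_hdr(0, 18, 136, 1);               /* 8 + 136 = 144 bytes, all inside the buffer */
	return sb_field_entry_get(sb, sizeof(sb), 0, &e) == 0 && e.raw[0] == 0xAA
	       && sb_field_entry_get(sb, sizeof(sb), 1, &e) == -1;
}
```

The point of the two rejecting cases is that each check needs a bound the attacker does not control: the first case declares a field larger than the buffer that holds it, the second declares a field that fits but entries that do not, and only the buffer length and sizeof(h) are trusted when deciding either.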
* [syzbot] [bcachefs?] WARNING in rhashtable_init_noprof
@ 2025-05-26 8:50 syzbot
2025-06-08 15:41 ` [syzbot] syzbot
0 siblings, 1 reply; 141+ messages in thread
From: syzbot @ 2025-05-26 8:50 UTC (permalink / raw)
To: kent.overstreet, linux-bcachefs, linux-kernel, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 176e917e010c Add linux-next specific files for 20250523
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=13d555f4580000
kernel config: https://syzkaller.appspot.com/x/.config?x=e7902c752bef748
dashboard link: https://syzkaller.appspot.com/bug?extid=bcc38a9556d0324c2ec2
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=145948e8580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13d6a170580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/5f7692c642fa/disk-176e917e.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/057a442d42d0/vmlinux-176e917e.xz
kernel image: https://storage.googleapis.com/syzbot-assets/8f8ebdb4dd96/bzImage-176e917e.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/d3d310848021/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+bcc38a9556d0324c2ec2@syzkaller.appspotmail.com
ODEBUG: object ffffc9000469fb90 is on stack ffffc90004698000, but NOT annotated.
------------[ cut here ]------------
WARNING: CPU: 1 PID: 5924 at lib/debugobjects.c:655 debug_object_is_on_stack lib/debugobjects.c:655 [inline]
WARNING: CPU: 1 PID: 5924 at lib/debugobjects.c:655 lookup_object_or_alloc lib/debugobjects.c:688 [inline]
WARNING: CPU: 1 PID: 5924 at lib/debugobjects.c:655 __debug_object_init+0x2c9/0x3c0 lib/debugobjects.c:743
Modules linked in:
CPU: 1 UID: 0 PID: 5924 Comm: bch-copygc/loop Not tainted 6.15.0-rc7-next-20250523-syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
RIP: 0010:debug_object_is_on_stack lib/debugobjects.c:655 [inline]
RIP: 0010:lookup_object_or_alloc lib/debugobjects.c:688 [inline]
RIP: 0010:__debug_object_init+0x2c9/0x3c0 lib/debugobjects.c:743
Code: cc cc cc 41 ff c7 44 89 3d a4 18 14 15 48 c7 c1 80 9b e2 8b 48 c7 c7 e0 9b e2 8b 84 c0 48 0f 45 f9 48 89 de e8 48 2b 61 fc 90 <0f> 0b 90 e9 c0 fe ff ff e8 3a 1c 00 00 8b 05 1c 9c c6 09 3b 05 1a
RSP: 0018:ffffc9000469f6e0 EFLAGS: 00010046
RAX: 0000000000000050 RBX: ffffc9000469fb90 RCX: 0aa01120dfd08500
RDX: 0000000000000000 RSI: 0000000080000001 RDI: 0000000000000000
RBP: ffff88802f5c9e20 R08: ffffc9000469f3c7 R09: 1ffff920008d3e78
R10: dffffc0000000000 R11: fffff520008d3e79 R12: 0000000000000040
R13: ffff8880771e5d20 R14: dffffc0000000000 R15: 0000000000000001
FS: 0000000000000000(0000) GS:ffff888125d56000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f1c5ee80000 CR3: 0000000077540000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
rhashtable_init_noprof+0x7c0/0xbb0 lib/rhashtable.c:1085
bch2_copygc_thread+0x116/0xdc0 fs/bcachefs/movinggc.c:355
kthread+0x711/0x8a0 kernel/kthread.c:464
ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
* [syzbot] [bcachefs?] UBSAN: array-index-out-of-bounds in bch2_sb_downgrade_update
@ 2025-04-28 17:04 syzbot
2025-06-08 16:01 ` [syzbot] syzbot
0 siblings, 1 reply; 141+ messages in thread
From: syzbot @ 2025-04-28 17:04 UTC (permalink / raw)
To: kent.overstreet, linux-bcachefs, linux-kernel, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: e72e9e693307 Merge tag 'net-6.15-rc4' of git://git.kernel...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=11ef21b3980000
kernel config: https://syzkaller.appspot.com/x/.config?x=4f9c44a22d09fd53
dashboard link: https://syzkaller.appspot.com/bug?extid=14c52d86ddbd89bea13e
compiler: Debian clang version 20.1.2 (++20250402124445+58df0ef89dd6-1~exp1~20250402004600.97), Debian LLD 20.1.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11777d9b980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15ef21b3980000
Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7feb34a89c2a/non_bootable_disk-e72e9e69.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/2bee8b8591c3/vmlinux-e72e9e69.xz
kernel image: https://storage.googleapis.com/syzbot-assets/97a6564905c3/bzImage-e72e9e69.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/067449ccbbaf/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+14c52d86ddbd89bea13e@syzkaller.appspotmail.com
bcachefs (loop0): bucket 0:26 gen 0 data type btree sector count overflow: 0 + -256 > U32_MAX
while marking u64s 11 type btree_ptr_v2 SPOS_MAX len 0 ver 0: seq ac62141f8dc7e261 written 24 min_key POS_MIN durability: 1 ptr: 0:26:0 gen 0
------------[ cut here ]------------
UBSAN: array-index-out-of-bounds in fs/bcachefs/sb-downgrade.c:268:4
index 0 is out of range for type '__le16[] __counted_by(nr_errors)' (aka 'unsigned short[]')
CPU: 0 UID: 0 PID: 1037 Comm: kworker/u4:6 Not tainted 6.15.0-rc3-syzkaller-00076-ge72e9e693307 #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: btree_update btree_interior_update_work
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
ubsan_epilogue+0xa/0x40 lib/ubsan.c:231
__ubsan_handle_out_of_bounds+0xe9/0xf0 lib/ubsan.c:453
downgrade_table_extra fs/bcachefs/sb-downgrade.c:268 [inline]
bch2_sb_downgrade_update+0xb10/0xcc0 fs/bcachefs/sb-downgrade.c:388
bch2_write_super+0xbf4/0x2cc0 fs/bcachefs/super-io.c:1071
btree_update_new_nodes_mark_sb fs/bcachefs/btree_update_interior.c:608 [inline]
btree_update_nodes_written fs/bcachefs/btree_update_interior.c:678 [inline]
btree_interior_update_work+0x441/0x25e0 fs/bcachefs/btree_update_interior.c:843
process_one_work kernel/workqueue.c:3238 [inline]
process_scheduled_works+0xadb/0x17a0 kernel/workqueue.c:3319
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3400
kthread+0x70e/0x8a0 kernel/kthread.c:464
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:153
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
---[ end trace ]---
Kernel panic - not syncing: UBSAN: panic_on_warn set ...
CPU: 0 UID: 0 PID: 1037 Comm: kworker/u4:6 Not tainted 6.15.0-rc3-syzkaller-00076-ge72e9e693307 #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: btree_update btree_interior_update_work
Call Trace:
<TASK>
dump_stack_lvl+0x99/0x250 lib/dump_stack.c:120
panic+0x2db/0x790 kernel/panic.c:354
check_panic_on_warn+0x89/0xb0 kernel/panic.c:243
__ubsan_handle_out_of_bounds+0xe9/0xf0 lib/ubsan.c:453
downgrade_table_extra fs/bcachefs/sb-downgrade.c:268 [inline]
bch2_sb_downgrade_update+0xb10/0xcc0 fs/bcachefs/sb-downgrade.c:388
bch2_write_super+0xbf4/0x2cc0 fs/bcachefs/super-io.c:1071
btree_update_new_nodes_mark_sb fs/bcachefs/btree_update_interior.c:608 [inline]
btree_update_nodes_written fs/bcachefs/btree_update_interior.c:678 [inline]
btree_interior_update_work+0x441/0x25e0 fs/bcachefs/btree_update_interior.c:843
process_one_work kernel/workqueue.c:3238 [inline]
process_scheduled_works+0xadb/0x17a0 kernel/workqueue.c:3319
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3400
kthread+0x70e/0x8a0 kernel/kthread.c:464
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:153
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
Kernel Offset: disabled
Rebooting in 86400 seconds..
* [syzbot] [bcachefs?] WARNING in bch2_dev_free
@ 2025-04-08 11:53 syzbot
2025-04-18 0:37 ` [syzbot] syzbot
0 siblings, 1 reply; 141+ messages in thread
From: syzbot @ 2025-04-08 11:53 UTC (permalink / raw)
To: kent.overstreet, linux-bcachefs, linux-kernel, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: a4cda136f021 Add linux-next specific files for 20250404
git tree: linux-next
console+strace: https://syzkaller.appspot.com/x/log.txt?x=12c3db4c580000
kernel config: https://syzkaller.appspot.com/x/.config?x=8a257c454bb1afb7
dashboard link: https://syzkaller.appspot.com/bug?extid=aec9606169fbc3a12ca6
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17ca0c04580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11c3db4c580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/59048bc9c206/disk-a4cda136.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/ad2ba7306f20/vmlinux-a4cda136.xz
kernel image: https://storage.googleapis.com/syzbot-assets/b3bef7acbf10/bzImage-a4cda136.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/110624be1513/mount_0.gz
The issue was bisected to:
commit dcffc3b1ae3251d796a25c673f614e3099ca83d3
Author: Kent Overstreet <kent.overstreet@linux.dev>
Date: Sun Mar 30 03:11:08 2025 +0000
bcachefs: Split up bch_dev.io_ref
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=13948c04580000
final oops: https://syzkaller.appspot.com/x/report.txt?x=10548c04580000
console output: https://syzkaller.appspot.com/x/log.txt?x=17948c04580000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+aec9606169fbc3a12ca6@syzkaller.appspotmail.com
Fixes: dcffc3b1ae32 ("bcachefs: Split up bch_dev.io_ref")
bcachefs (loop0): shutting down
------------[ cut here ]------------
WARNING: CPU: 0 PID: 5844 at fs/bcachefs/super.c:1229 bch2_dev_free+0x228/0x290 fs/bcachefs/super.c:1229
Modules linked in:
CPU: 0 UID: 0 PID: 5844 Comm: syz-executor121 Not tainted 6.14.0-next-20250404-syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
RIP: 0010:bch2_dev_free+0x228/0x290 fs/bcachefs/super.c:1229
Code: ff e8 4c cf 74 00 4c 89 ef e8 44 cf 74 00 48 89 df 48 83 c4 10 5b 41 5c 41 5d 41 5e 41 5f 5d e9 ee 53 96 07 e8 59 e9 32 fd 90 <0f> 0b 90 e9 09 fe ff ff e8 4b e9 32 fd 90 0f 0b 90 e9 15 fe ff ff
RSP: 0018:ffffc9000406fb88 EFLAGS: 00010293
RAX: ffffffff849073d7 RBX: ffff888035282000 RCX: ffff888034af9e00
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffff8880352820c0 R08: ffffffff850552f7 R09: 0000000000000000
R10: ffff888035282208 R11: ffffed1006a5044a R12: ffff888075e003f0
R13: ffff8880352820b0 R14: ffff888075e00000 R15: ffff888075e007b2
FS: 000055558bb20380(0000) GS:ffff888124f8f000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000045bdd0 CR3: 00000000122a0000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
bch2_fs_free+0x2b0/0x400 fs/bcachefs/super.c:688
deactivate_locked_super+0xc4/0x130 fs/super.c:473
cleanup_mnt+0x422/0x4c0 fs/namespace.c:1435
task_work_run+0x251/0x310 kernel/task_work.c:227
ptrace_notify+0x2dc/0x390 kernel/signal.c:2520
ptrace_report_syscall include/linux/ptrace.h:415 [inline]
ptrace_report_syscall_exit include/linux/ptrace.h:477 [inline]
syscall_exit_work+0xc7/0x1d0 kernel/entry/common.c:173
syscall_exit_to_user_mode_prepare kernel/entry/common.c:200 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:205 [inline]
syscall_exit_to_user_mode+0x24a/0x340 kernel/entry/common.c:218
do_syscall_64+0x100/0x230 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f49b0cec447
Code: 07 00 48 83 c4 08 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 b8
RSP: 002b:00007ffd94723978 EFLAGS: 00000206 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f49b0cec447
RDX: 0000000000000000 RSI: 0000000000000009 RDI: 00007ffd94723a30
RBP: 00007ffd94723a30 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000206 R12: 00007ffd94724aa0
R13: 000055558bb216c0 R14: 0000000000000001 R15: 431bde82d7b634db
</TASK>
* [syzbot] [bcachefs?] KMSAN: uninit-value in bch2_copygc (2)
@ 2025-03-31 14:06 syzbot
2025-04-01 4:10 ` [syzbot] syzbot
0 siblings, 1 reply; 141+ messages in thread
From: syzbot @ 2025-03-31 14:06 UTC (permalink / raw)
To: kent.overstreet, linux-bcachefs, linux-kernel, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 1e1ba8d23dae Merge tag 'timers-clocksource-2025-03-26' of ..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15a8ede4580000
kernel config: https://syzkaller.appspot.com/x/.config?x=887673359f1a92bf
dashboard link: https://syzkaller.appspot.com/bug?extid=cebfe3f22eeaff4ddd7c
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/97b3a10186d9/disk-1e1ba8d2.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/de4a9446d205/vmlinux-1e1ba8d2.xz
kernel image: https://storage.googleapis.com/syzbot-assets/529352453703/bzImage-1e1ba8d2.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+cebfe3f22eeaff4ddd7c@syzkaller.appspotmail.com
=====================================================
BUG: KMSAN: uninit-value in rht_ptr_rcu include/linux/rhashtable.h:376 [inline]
BUG: KMSAN: uninit-value in __rhashtable_lookup include/linux/rhashtable.h:607 [inline]
BUG: KMSAN: uninit-value in rhashtable_lookup include/linux/rhashtable.h:646 [inline]
BUG: KMSAN: uninit-value in rhashtable_lookup_fast include/linux/rhashtable.h:672 [inline]
BUG: KMSAN: uninit-value in bucket_in_flight fs/bcachefs/movinggc.c:143 [inline]
BUG: KMSAN: uninit-value in bch2_copygc_get_buckets fs/bcachefs/movinggc.c:169 [inline]
BUG: KMSAN: uninit-value in bch2_copygc+0x1d5c/0x5e00 fs/bcachefs/movinggc.c:221
rht_ptr_rcu include/linux/rhashtable.h:376 [inline]
__rhashtable_lookup include/linux/rhashtable.h:607 [inline]
rhashtable_lookup include/linux/rhashtable.h:646 [inline]
rhashtable_lookup_fast include/linux/rhashtable.h:672 [inline]
bucket_in_flight fs/bcachefs/movinggc.c:143 [inline]
bch2_copygc_get_buckets fs/bcachefs/movinggc.c:169 [inline]
bch2_copygc+0x1d5c/0x5e00 fs/bcachefs/movinggc.c:221
bch2_copygc_thread+0x7d2/0xf80 fs/bcachefs/movinggc.c:383
kthread+0x6b9/0xef0 kernel/kthread.c:464
ret_from_fork+0x6d/0x90 arch/x86/kernel/process.c:153
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
Local variable b214.i created at:
bucket_in_flight fs/bcachefs/movinggc.c:-1 [inline]
bch2_copygc_get_buckets fs/bcachefs/movinggc.c:169 [inline]
bch2_copygc+0x159e/0x5e00 fs/bcachefs/movinggc.c:221
bch2_copygc_thread+0x7d2/0xf80 fs/bcachefs/movinggc.c:383
CPU: 1 UID: 0 PID: 5998 Comm: bch-copygc/loop Not tainted 6.14.0-syzkaller-03576-g1e1ba8d23dae #0 PREEMPT(undef)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
=====================================================
Kernel panic - not syncing: kmsan.panic set ...
CPU: 1 UID: 0 PID: 5998 Comm: bch-copygc/loop Tainted: G B 6.14.0-syzkaller-03576-g1e1ba8d23dae #0 PREEMPT(undef)
Tainted: [B]=BAD_PAGE
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x216/0x2d0 lib/dump_stack.c:120
dump_stack+0x1e/0x24 lib/dump_stack.c:129
panic+0x4e5/0xcf0 kernel/panic.c:354
kmsan_report+0x2ca/0x2d0 mm/kmsan/report.c:218
__msan_warning+0x95/0x120 mm/kmsan/instrumentation.c:318
rht_ptr_rcu include/linux/rhashtable.h:376 [inline]
__rhashtable_lookup include/linux/rhashtable.h:607 [inline]
rhashtable_lookup include/linux/rhashtable.h:646 [inline]
rhashtable_lookup_fast include/linux/rhashtable.h:672 [inline]
bucket_in_flight fs/bcachefs/movinggc.c:143 [inline]
bch2_copygc_get_buckets fs/bcachefs/movinggc.c:169 [inline]
bch2_copygc+0x1d5c/0x5e00 fs/bcachefs/movinggc.c:221
bch2_copygc_thread+0x7d2/0xf80 fs/bcachefs/movinggc.c:383
kthread+0x6b9/0xef0 kernel/kthread.c:464
ret_from_fork+0x6d/0x90 arch/x86/kernel/process.c:153
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
Kernel Offset: disabled
Rebooting in 86400 seconds..
* [syzbot] [input?] [usb?] UBSAN: shift-out-of-bounds in __kfifo_alloc
@ 2025-03-31 2:14 syzbot
2025-04-01 10:18 ` [syzbot] syzbot
` (2 more replies)
0 siblings, 3 replies; 141+ messages in thread
From: syzbot @ 2025-03-31 2:14 UTC (permalink / raw)
To: bentiss, jikos, linux-input, linux-kernel, linux-usb, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: f6e0150b2003 Merge tag 'mtd/for-6.15' of git://git.kernel...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14ebabb0580000
kernel config: https://syzkaller.appspot.com/x/.config?x=a15c3c5deef99cef
dashboard link: https://syzkaller.appspot.com/bug?extid=d5204cbbdd921f1f7cad
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=146e4a4c580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17d1d804580000
Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7feb34a89c2a/non_bootable_disk-f6e0150b.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/416c28ebba43/vmlinux-f6e0150b.xz
kernel image: https://storage.googleapis.com/syzbot-assets/df554d24e7cb/bzImage-f6e0150b.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d5204cbbdd921f1f7cad@syzkaller.appspotmail.com
usb 5-1: New USB device found, idVendor=056a, idProduct=00f8, bcdDevice= 0.00
usb 5-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
usb 5-1: config 0 descriptor??
------------[ cut here ]------------
UBSAN: shift-out-of-bounds in ./include/linux/log2.h:57:13
shift exponent 64 is too large for 64-bit type 'long unsigned int'
CPU: 0 UID: 0 PID: 835 Comm: kworker/0:2 Not tainted 6.14.0-syzkaller-03565-gf6e0150b2003 #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: usb_hub_wq hub_event
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120
ubsan_epilogue lib/ubsan.c:231 [inline]
__ubsan_handle_shift_out_of_bounds+0x27f/0x420 lib/ubsan.c:492
__roundup_pow_of_two include/linux/log2.h:57 [inline]
__kfifo_alloc.cold+0x18/0x1d lib/kfifo.c:32
wacom_devm_kfifo_alloc drivers/hid/wacom_sys.c:1308 [inline]
wacom_parse_and_register+0x28e/0x5d10 drivers/hid/wacom_sys.c:2368
wacom_probe+0xa1c/0xe10 drivers/hid/wacom_sys.c:2867
__hid_device_probe drivers/hid/hid-core.c:2717 [inline]
hid_device_probe+0x354/0x710 drivers/hid/hid-core.c:2754
call_driver_probe drivers/base/dd.c:579 [inline]
really_probe+0x23e/0xa90 drivers/base/dd.c:658
__driver_probe_device+0x1de/0x440 drivers/base/dd.c:800
driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:830
__device_attach_driver+0x1df/0x310 drivers/base/dd.c:958
bus_for_each_drv+0x156/0x1e0 drivers/base/bus.c:462
__device_attach+0x1e4/0x4b0 drivers/base/dd.c:1030
bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:537
device_add+0x1148/0x1a70 drivers/base/core.c:3666
hid_add_device+0x373/0xa60 drivers/hid/hid-core.c:2900
usbhid_probe+0xd38/0x13f0 drivers/hid/usbhid/hid-core.c:1432
usb_probe_interface+0x300/0x9c0 drivers/usb/core/driver.c:396
call_driver_probe drivers/base/dd.c:579 [inline]
really_probe+0x23e/0xa90 drivers/base/dd.c:658
__driver_probe_device+0x1de/0x440 drivers/base/dd.c:800
driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:830
__device_attach_driver+0x1df/0x310 drivers/base/dd.c:958
bus_for_each_drv+0x156/0x1e0 drivers/base/bus.c:462
__device_attach+0x1e4/0x4b0 drivers/base/dd.c:1030
bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:537
device_add+0x1148/0x1a70 drivers/base/core.c:3666
usb_set_configuration+0x1187/0x1e20 drivers/usb/core/message.c:2210
usb_generic_driver_probe+0xb1/0x110 drivers/usb/core/generic.c:250
usb_probe_device+0xec/0x3e0 drivers/usb/core/driver.c:291
call_driver_probe drivers/base/dd.c:579 [inline]
really_probe+0x23e/0xa90 drivers/base/dd.c:658
__driver_probe_device+0x1de/0x440 drivers/base/dd.c:800
driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:830
__device_attach_driver+0x1df/0x310 drivers/base/dd.c:958
bus_for_each_drv+0x156/0x1e0 drivers/base/bus.c:462
__device_attach+0x1e4/0x4b0 drivers/base/dd.c:1030
bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:537
device_add+0x1148/0x1a70 drivers/base/core.c:3666
usb_new_device+0xd07/0x1a20 drivers/usb/core/hub.c:2663
hub_port_connect drivers/usb/core/hub.c:5533 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5673 [inline]
port_event drivers/usb/core/hub.c:5833 [inline]
hub_event+0x2eb7/0x4fa0 drivers/usb/core/hub.c:5915
process_one_work+0x9cc/0x1b70 kernel/workqueue.c:3238
process_scheduled_works kernel/workqueue.c:3319 [inline]
worker_thread+0x6c1/0xef0 kernel/workqueue.c:3400
kthread+0x3a4/0x760 kernel/kthread.c:464
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:153
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
---[ end trace ]---
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
^ permalink raw reply [flat|nested] 141+ messages in thread
* Re: [syzbot]
2025-03-31 2:14 [syzbot] [input?] [usb?] UBSAN: shift-out-of-bounds in __kfifo_alloc syzbot
@ 2025-04-01 10:18 ` syzbot
2025-04-01 10:24 ` [syzbot] syzbot
2025-04-01 11:04 ` [syzbot] syzbot
2 siblings, 0 replies; 141+ messages in thread
From: syzbot @ 2025-04-01 10:18 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: qasdev00@gmail.com
#syz test
* Re: [syzbot]
2025-03-31 2:14 [syzbot] [input?] [usb?] UBSAN: shift-out-of-bounds in __kfifo_alloc syzbot
2025-04-01 10:18 ` [syzbot] syzbot
@ 2025-04-01 10:24 ` syzbot
2025-04-01 11:04 ` [syzbot] syzbot
2 siblings, 0 replies; 141+ messages in thread
From: syzbot @ 2025-04-01 10:24 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: qasdev00@gmail.com
#syz test
* Re: [syzbot]
2025-03-31 2:14 [syzbot] [input?] [usb?] UBSAN: shift-out-of-bounds in __kfifo_alloc syzbot
2025-04-01 10:18 ` [syzbot] syzbot
2025-04-01 10:24 ` [syzbot] syzbot
@ 2025-04-01 11:04 ` syzbot
2 siblings, 0 replies; 141+ messages in thread
From: syzbot @ 2025-04-01 11:04 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: qasdev00@gmail.com
#syz test
* [syzbot] [pci?] upstream test error: BUG: unable to handle kernel NULL pointer dereference in msix_prepare_msi_desc
@ 2025-03-30 16:49 syzbot
2025-04-03 7:06 ` [syzbot] syzbot
0 siblings, 1 reply; 141+ messages in thread
From: syzbot @ 2025-03-30 16:49 UTC (permalink / raw)
To: bhelgaas, linux-kernel, linux-pci, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: f6e0150b2003 Merge tag 'mtd/for-6.15' of git://git.kernel...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=161dd43f980000
kernel config: https://syzkaller.appspot.com/x/.config?x=5484680e4cf4b356
dashboard link: https://syzkaller.appspot.com/bug?extid=9c23146ed23f4a1be6d1
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/b6dd1dc395cb/disk-f6e0150b.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/d374849a451e/vmlinux-f6e0150b.xz
kernel image: https://storage.googleapis.com/syzbot-assets/1cae448b43cd/bzImage-f6e0150b.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+9c23146ed23f4a1be6d1@syzkaller.appspotmail.com
ntfs3: Enabled Linux POSIX ACLs support
ntfs3: Read-only LZX/Xpress compression included
efs: 1.0a - http://aeschi.ch.eu.org/efs/
jffs2: version 2.2. (NAND) (SUMMARY) © 2001-2006 Red Hat, Inc.
romfs: ROMFS MTD (C) 2007 Red Hat, Inc.
QNX4 filesystem 0.2.3 registered.
qnx6: QNX6 filesystem 1.0.0 registered.
fuse: init (API version 7.42)
orangefs_debugfs_init: called with debug mask: :none: :0:
orangefs_init: module version upstream loaded
JFS: nTxBlock = 8192, nTxLock = 65536
SGI XFS with ACLs, security attributes, realtime, quota, no debug enabled
9p: Installing v9fs 9p2000 file system support
NILFS version 2 loaded
befs: version: 0.9.3
ocfs2: Registered cluster interface o2cb
ocfs2: Registered cluster interface user
OCFS2 User DLM kernel interface loaded
gfs2: GFS2 installed
ceph: loaded (mds proto 32)
NET: Registered PF_ALG protocol family
xor: automatically using best checksumming function avx
async_tx: api initialized (async)
Key type asymmetric registered
Asymmetric key parser 'x509' registered
Asymmetric key parser 'pkcs8' registered
Key type pkcs7_test registered
Block layer SCSI generic (bsg) driver version 0.4 loaded (major 238)
io scheduler mq-deadline registered
io scheduler kyber registered
io scheduler bfq registered
input: Power Button as /devices/LNXSYSTM:00/LNXPWRBN:00/input/input0
ACPI: button: Power Button [PWRF]
input: Sleep Button as /devices/LNXSYSTM:00/LNXSLPBN:00/input/input1
ACPI: button: Sleep Button [SLPF]
ioatdma: Intel(R) QuickData Technology Driver 5.00
ACPI: \_SB_.LNKC: Enabled at IRQ 11
virtio-pci 0000:00:03.0: virtio_pci: leaving for legacy driver
ACPI: \_SB_.LNKD: Enabled at IRQ 10
virtio-pci 0000:00:04.0: virtio_pci: leaving for legacy driver
ACPI: \_SB_.LNKB: Enabled at IRQ 10
virtio-pci 0000:00:06.0: virtio_pci: leaving for legacy driver
virtio-pci 0000:00:07.0: virtio_pci: leaving for legacy driver
N_HDLC line discipline registered with maxframe=4096
Serial: 8250/16550 driver, 4 ports, IRQ sharing enabled
00:03: ttyS0 at I/O 0x3f8 (irq = 4, base_baud = 115200) is a 16550A
00:04: ttyS1 at I/O 0x2f8 (irq = 3, base_baud = 115200) is a 16550A
00:05: ttyS2 at I/O 0x3e8 (irq = 6, base_baud = 115200) is a 16550A
00:06: ttyS3 at I/O 0x2e8 (irq = 7, base_baud = 115200) is a 16550A
Non-volatile memory driver v1.3
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: Oops: 0000 [#1] SMP PTI
CPU: 1 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.14.0-syzkaller-03565-gf6e0150b2003 #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
RIP: 0010:msix_prepare_msi_desc+0x46/0xc0 drivers/pci/msi/msi.c:615
Code: 02 00 00 31 ff 48 8b 40 20 66 81 4b 54 01 01 c7 43 04 01 00 00 00 8b 95 ac 03 00 00 89 53 58 4c 8b a5 a0 09 00 00 4c 89 63 60 <8b> 28 81 e5 00 00 40 00 89 ee e8 1b 62 9f fe 85 ed 75 1c e8 c2 69
RSP: 0000:ffffc9000005b988 EFLAGS: 00010202
RAX: 0000000000000000 RBX: ffffc9000005b9d0 RCX: ffffffff82c27691
RDX: 000000000000000b RSI: ffffffff82c27508 RDI: 0000000000000000
RBP: ffff88814047a000 R08: 0000000000000004 R09: 0000000000000000
R10: 0000000000000002 R11: ffffffff83293622 R12: ffffc90000085008
R13: 0000000000000000 R14: ffffc9000005b9d0 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff8881b26e8000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 0000000006c62000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
msix_setup_msi_descs+0xf3/0x190 drivers/pci/msi/msi.c:639
__msix_setup_interrupts drivers/pci/msi/msi.c:672 [inline]
msix_setup_interrupts drivers/pci/msi/msi.c:701 [inline]
msix_capability_init drivers/pci/msi/msi.c:743 [inline]
__pci_enable_msix_range+0x55a/0x9b0 drivers/pci/msi/msi.c:851
pci_alloc_irq_vectors_affinity+0x18b/0x1f0 drivers/pci/msi/api.c:268
vp_request_msix_vectors drivers/virtio/virtio_pci_common.c:160 [inline]
vp_find_vqs_msix+0x28e/0x710 drivers/virtio/virtio_pci_common.c:417
vp_find_vqs+0x4a/0x3c0 drivers/virtio/virtio_pci_common.c:525
virtio_find_vqs include/linux/virtio_config.h:226 [inline]
virtio_find_single_vq include/linux/virtio_config.h:237 [inline]
probe_common+0x12e/0x2b0 drivers/char/hw_random/virtio-rng.c:155
virtio_dev_probe+0x305/0x430 drivers/virtio/virtio.c:341
call_driver_probe drivers/base/dd.c:579 [inline]
really_probe+0x12c/0x430 drivers/base/dd.c:658
__driver_probe_device+0xc3/0x1a0 drivers/base/dd.c:800
driver_probe_device+0x2a/0x120 drivers/base/dd.c:830
__driver_attach drivers/base/dd.c:1216 [inline]
__driver_attach+0x10e/0x200 drivers/base/dd.c:1156
bus_for_each_dev+0xb2/0x110 drivers/base/bus.c:370
bus_add_driver+0x122/0x2e0 drivers/base/bus.c:678
driver_register+0x85/0x180 drivers/base/driver.c:249
do_one_initcall+0x74/0x480 init/main.c:1257
do_initcall_level init/main.c:1319 [inline]
do_initcalls init/main.c:1335 [inline]
do_basic_setup init/main.c:1354 [inline]
kernel_init_freeable+0x251/0x450 init/main.c:1567
kernel_init+0x1b/0x2a0 init/main.c:1457
ret_from_fork+0x45/0x60 arch/x86/kernel/process.c:153
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
Modules linked in:
CR2: 0000000000000000
---[ end trace 0000000000000000 ]---
RIP: 0010:msix_prepare_msi_desc+0x46/0xc0 drivers/pci/msi/msi.c:615
Code: 02 00 00 31 ff 48 8b 40 20 66 81 4b 54 01 01 c7 43 04 01 00 00 00 8b 95 ac 03 00 00 89 53 58 4c 8b a5 a0 09 00 00 4c 89 63 60 <8b> 28 81 e5 00 00 40 00 89 ee e8 1b 62 9f fe 85 ed 75 1c e8 c2 69
RSP: 0000:ffffc9000005b988 EFLAGS: 00010202
RAX: 0000000000000000 RBX: ffffc9000005b9d0 RCX: ffffffff82c27691
RDX: 000000000000000b RSI: ffffffff82c27508 RDI: 0000000000000000
RBP: ffff88814047a000 R08: 0000000000000004 R09: 0000000000000000
R10: 0000000000000002 R11: ffffffff83293622 R12: ffffc90000085008
R13: 0000000000000000 R14: ffffc9000005b9d0 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff8881b26e8000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 0000000006c62000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 02 00 add (%rax),%al
2: 00 31 add %dh,(%rcx)
4: ff 48 8b decl -0x75(%rax)
7: 40 20 66 81 and %spl,-0x7f(%rsi)
b: 4b 54 rex.WXB push %r12
d: 01 01 add %eax,(%rcx)
f: c7 43 04 01 00 00 00 movl $0x1,0x4(%rbx)
16: 8b 95 ac 03 00 00 mov 0x3ac(%rbp),%edx
1c: 89 53 58 mov %edx,0x58(%rbx)
1f: 4c 8b a5 a0 09 00 00 mov 0x9a0(%rbp),%r12
26: 4c 89 63 60 mov %r12,0x60(%rbx)
* 2a: 8b 28 mov (%rax),%ebp <-- trapping instruction
2c: 81 e5 00 00 40 00 and $0x400000,%ebp
32: 89 ee mov %ebp,%esi
34: e8 1b 62 9f fe call 0xfe9f6254
39: 85 ed test %ebp,%ebp
3b: 75 1c jne 0x59
3d: e8 .byte 0xe8
3e: c2 .byte 0xc2
3f: 69 .byte 0x69
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
* [syzbot] [pci?] upstream test error: general protection fault in msix_prepare_msi_desc
@ 2025-03-30 10:15 syzbot
2025-04-03 7:06 ` [syzbot] syzbot
0 siblings, 1 reply; 141+ messages in thread
From: syzbot @ 2025-03-30 10:15 UTC (permalink / raw)
To: bhelgaas, linux-kernel, linux-pci, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: f6e0150b2003 Merge tag 'mtd/for-6.15' of git://git.kernel...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12bf5804580000
kernel config: https://syzkaller.appspot.com/x/.config?x=4444a7da3861fcf5
dashboard link: https://syzkaller.appspot.com/bug?extid=8423775fd52d4cc7e5c9
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/9113c1eac62e/disk-f6e0150b.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/f1dd0f2f5338/vmlinux-f6e0150b.xz
kernel image: https://storage.googleapis.com/syzbot-assets/b275479ad610/bzImage-f6e0150b.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+8423775fd52d4cc7e5c9@syzkaller.appspotmail.com
ntfs3: Enabled Linux POSIX ACLs support
ntfs3: Read-only LZX/Xpress compression included
efs: 1.0a - http://aeschi.ch.eu.org/efs/
jffs2: version 2.2. (NAND) (SUMMARY) © 2001-2006 Red Hat, Inc.
romfs: ROMFS MTD (C) 2007 Red Hat, Inc.
QNX4 filesystem 0.2.3 registered.
qnx6: QNX6 filesystem 1.0.0 registered.
fuse: init (API version 7.42)
orangefs_debugfs_init: called with debug mask: :none: :0:
orangefs_init: module version upstream loaded
JFS: nTxBlock = 8192, nTxLock = 65536
SGI XFS with ACLs, security attributes, realtime, quota, no debug enabled
9p: Installing v9fs 9p2000 file system support
NILFS version 2 loaded
befs: version: 0.9.3
ocfs2: Registered cluster interface o2cb
ocfs2: Registered cluster interface user
OCFS2 User DLM kernel interface loaded
gfs2: GFS2 installed
ceph: loaded (mds proto 32)
NET: Registered PF_ALG protocol family
xor: automatically using best checksumming function avx
async_tx: api initialized (async)
Key type asymmetric registered
Asymmetric key parser 'x509' registered
Asymmetric key parser 'pkcs8' registered
Key type pkcs7_test registered
Block layer SCSI generic (bsg) driver version 0.4 loaded (major 238)
io scheduler mq-deadline registered
io scheduler kyber registered
io scheduler bfq registered
input: Power Button as /devices/LNXSYSTM:00/LNXPWRBN:00/input/input0
ACPI: button: Power Button [PWRF]
input: Sleep Button as /devices/LNXSYSTM:00/LNXSLPBN:00/input/input1
ACPI: button: Sleep Button [SLPF]
ioatdma: Intel(R) QuickData Technology Driver 5.00
ACPI: \_SB_.LNKC: Enabled at IRQ 11
virtio-pci 0000:00:03.0: virtio_pci: leaving for legacy driver
ACPI: \_SB_.LNKD: Enabled at IRQ 10
virtio-pci 0000:00:04.0: virtio_pci: leaving for legacy driver
ACPI: \_SB_.LNKB: Enabled at IRQ 10
virtio-pci 0000:00:06.0: virtio_pci: leaving for legacy driver
virtio-pci 0000:00:07.0: virtio_pci: leaving for legacy driver
N_HDLC line discipline registered with maxframe=4096
Serial: 8250/16550 driver, 4 ports, IRQ sharing enabled
00:03: ttyS0 at I/O 0x3f8 (irq = 4, base_baud = 115200) is a 16550A
00:04: ttyS1 at I/O 0x2f8 (irq = 3, base_baud = 115200) is a 16550A
00:05: ttyS2 at I/O 0x3e8 (irq = 6, base_baud = 115200) is a 16550A
00:06: ttyS3 at I/O 0x2e8 (irq = 7, base_baud = 115200) is a 16550A
Non-volatile memory driver v1.3
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.14.0-syzkaller-03565-gf6e0150b2003 #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
RIP: 0010:msix_prepare_msi_desc+0x18a/0x310 drivers/pci/msi/msi.c:615
Code: 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 7f 01 00 00 4c 89 ea 4c 89 63 60 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e fd 00 00 00 41 8b 6d 00 31 ff
RSP: 0000:ffffc900000674f8 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: ffffc90000067588 RCX: ffffffff8501ef7f
RDX: 0000000000000000 RSI: ffffffff8501eb05 RDI: ffffc900000675e8
RBP: ffff888021efe000 R08: 0000000000000004 R09: 0000000000000000
R10: 0000000000000002 R11: 0000000000002ba3 R12: ffffc9000008e008
R13: 0000000000000000 R14: 0000000000000002 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff888124e5a000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff88823ffff000 CR3: 000000000df82000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
msix_setup_msi_descs+0x19c/0x260 drivers/pci/msi/msi.c:639
__msix_setup_interrupts drivers/pci/msi/msi.c:672 [inline]
msix_setup_interrupts drivers/pci/msi/msi.c:701 [inline]
msix_capability_init drivers/pci/msi/msi.c:743 [inline]
__pci_enable_msix_range+0x90f/0x1150 drivers/pci/msi/msi.c:851
pci_alloc_irq_vectors_affinity+0x238/0x2a0 drivers/pci/msi/api.c:268
vp_request_msix_vectors drivers/virtio/virtio_pci_common.c:160 [inline]
vp_find_vqs_msix+0x423/0xea0 drivers/virtio/virtio_pci_common.c:417
vp_find_vqs+0x96/0x7a0 drivers/virtio/virtio_pci_common.c:525
virtio_find_vqs include/linux/virtio_config.h:226 [inline]
virtio_find_single_vq include/linux/virtio_config.h:237 [inline]
probe_common+0x324/0x700 drivers/char/hw_random/virtio-rng.c:155
virtio_dev_probe+0x586/0x8a0 drivers/virtio/virtio.c:341
call_driver_probe drivers/base/dd.c:579 [inline]
really_probe+0x23e/0xa90 drivers/base/dd.c:658
__driver_probe_device+0x1de/0x440 drivers/base/dd.c:800
driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:830
__driver_attach+0x283/0x580 drivers/base/dd.c:1216
bus_for_each_dev+0x13b/0x1d0 drivers/base/bus.c:370
bus_add_driver+0x2e9/0x690 drivers/base/bus.c:678
driver_register+0x15c/0x4b0 drivers/base/driver.c:249
do_one_initcall+0x120/0x6e0 init/main.c:1257
do_initcall_level init/main.c:1319 [inline]
do_initcalls init/main.c:1335 [inline]
do_basic_setup init/main.c:1354 [inline]
kernel_init_freeable+0x5c2/0x900 init/main.c:1567
kernel_init+0x1c/0x2b0 init/main.c:1457
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:153
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:msix_prepare_msi_desc+0x18a/0x310 drivers/pci/msi/msi.c:615
Code: 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 7f 01 00 00 4c 89 ea 4c 89 63 60 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e fd 00 00 00 41 8b 6d 00 31 ff
RSP: 0000:ffffc900000674f8 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: ffffc90000067588 RCX: ffffffff8501ef7f
RDX: 0000000000000000 RSI: ffffffff8501eb05 RDI: ffffc900000675e8
RBP: ffff888021efe000 R08: 0000000000000004 R09: 0000000000000000
R10: 0000000000000002 R11: 0000000000002ba3 R12: ffffc9000008e008
R13: 0000000000000000 R14: 0000000000000002 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff888124f5a000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000000df82000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess), 3 bytes skipped:
0: df 48 89 fisttps -0x77(%rax)
3: fa cli
4: 48 c1 ea 03 shr $0x3,%rdx
8: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1)
c: 0f 85 7f 01 00 00 jne 0x191
12: 4c 89 ea mov %r13,%rdx
15: 4c 89 63 60 mov %r12,0x60(%rbx)
19: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
20: fc ff df
23: 48 c1 ea 03 shr $0x3,%rdx
* 27: 0f b6 04 02 movzbl (%rdx,%rax,1),%eax <-- trapping instruction
2b: 84 c0 test %al,%al
2d: 74 08 je 0x37
2f: 3c 03 cmp $0x3,%al
31: 0f 8e fd 00 00 00 jle 0x134
37: 41 8b 6d 00 mov 0x0(%r13),%ebp
3b: 31 ff xor %edi,%edi
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
* [syzbot] [bcachefs?] KMSAN: uninit-value in bch2_extent_crc_append (2)
@ 2025-03-09 4:20 syzbot
2025-04-01 3:55 ` [syzbot] syzbot
0 siblings, 1 reply; 141+ messages in thread
From: syzbot @ 2025-03-09 4:20 UTC (permalink / raw)
To: kent.overstreet, linux-bcachefs, linux-kernel, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 48a5eed9ad58 Merge tag 'devicetree-fixes-for-6.14-2' of gi..
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=10a275a8580000
kernel config: https://syzkaller.appspot.com/x/.config?x=1d47ea4b9912d894
dashboard link: https://syzkaller.appspot.com/bug?extid=79e4e34c2a37d5a9c1f7
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=134ed7a0580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16630254580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/0f1f7744db24/disk-48a5eed9.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/0abefd13fceb/vmlinux-48a5eed9.xz
kernel image: https://storage.googleapis.com/syzbot-assets/a1858ec33bb8/bzImage-48a5eed9.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/f81e1c2bd91c/mount_2.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+79e4e34c2a37d5a9c1f7@syzkaller.appspotmail.com
bcachefs (loop0): check_allocations... done
bcachefs (loop0): going read-write
bcachefs (loop0): done starting filesystem
=====================================================
BUG: KMSAN: uninit-value in variable__ffs arch/x86/include/asm/bitops.h:251 [inline]
BUG: KMSAN: uninit-value in extent_entry_type fs/bcachefs/extents.h:59 [inline]
BUG: KMSAN: uninit-value in extent_entry_bytes fs/bcachefs/extents.h:68 [inline]
BUG: KMSAN: uninit-value in extent_entry_u64s fs/bcachefs/extents.h:81 [inline]
BUG: KMSAN: uninit-value in bch2_extent_crc_append+0x7c2/0x830 fs/bcachefs/extents.c:593
variable__ffs arch/x86/include/asm/bitops.h:251 [inline]
extent_entry_type fs/bcachefs/extents.h:59 [inline]
extent_entry_bytes fs/bcachefs/extents.h:68 [inline]
extent_entry_u64s fs/bcachefs/extents.h:81 [inline]
bch2_extent_crc_append+0x7c2/0x830 fs/bcachefs/extents.c:593
init_append_extent+0x466/0x1050 fs/bcachefs/io_write.c:729
bch2_write_extent fs/bcachefs/io_write.c:1073 [inline]
__bch2_write+0x54a9/0x8490 fs/bcachefs/io_write.c:1487
bch2_write+0xc98/0x1af0 fs/bcachefs/io_write.c:1659
closure_queue include/linux/closure.h:270 [inline]
closure_call include/linux/closure.h:432 [inline]
bch2_writepage_do_io fs/bcachefs/fs-io-buffered.c:469 [inline]
bch2_writepages+0x24a/0x3c0 fs/bcachefs/fs-io-buffered.c:652
do_writepages+0x427/0xc30 mm/page-writeback.c:2687
filemap_fdatawrite_wbc mm/filemap.c:389 [inline]
__filemap_fdatawrite_range mm/filemap.c:422 [inline]
file_write_and_wait_range+0x6f2/0x7b0 mm/filemap.c:797
bch2_fsync+0xb6/0x510 fs/bcachefs/fs-io.c:228
vfs_fsync_range+0x1f9/0x260 fs/sync.c:187
generic_write_sync include/linux/fs.h:2970 [inline]
bch2_write_iter+0x4dce/0x50f0 fs/bcachefs/fs-io-buffered.c:1072
new_sync_write fs/read_write.c:586 [inline]
vfs_write+0xb34/0x1540 fs/read_write.c:679
ksys_write+0x240/0x4b0 fs/read_write.c:731
__do_sys_write fs/read_write.c:742 [inline]
__se_sys_write fs/read_write.c:739 [inline]
__x64_sys_write+0x93/0xe0 fs/read_write.c:739
x64_sys_call+0x3161/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:2
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Uninit was stored to memory at:
bch2_extent_crc_pack+0x686/0x6b0 fs/bcachefs/extents.c:549
bch2_extent_crc_append+0x645/0x830 fs/bcachefs/extents.c:591
init_append_extent+0x466/0x1050 fs/bcachefs/io_write.c:729
bch2_write_extent fs/bcachefs/io_write.c:1073 [inline]
__bch2_write+0x54a9/0x8490 fs/bcachefs/io_write.c:1487
bch2_write+0xc98/0x1af0 fs/bcachefs/io_write.c:1659
closure_queue include/linux/closure.h:270 [inline]
closure_call include/linux/closure.h:432 [inline]
bch2_writepage_do_io fs/bcachefs/fs-io-buffered.c:469 [inline]
bch2_writepages+0x24a/0x3c0 fs/bcachefs/fs-io-buffered.c:652
do_writepages+0x427/0xc30 mm/page-writeback.c:2687
filemap_fdatawrite_wbc mm/filemap.c:389 [inline]
__filemap_fdatawrite_range mm/filemap.c:422 [inline]
file_write_and_wait_range+0x6f2/0x7b0 mm/filemap.c:797
bch2_fsync+0xb6/0x510 fs/bcachefs/fs-io.c:228
vfs_fsync_range+0x1f9/0x260 fs/sync.c:187
generic_write_sync include/linux/fs.h:2970 [inline]
bch2_write_iter+0x4dce/0x50f0 fs/bcachefs/fs-io-buffered.c:1072
new_sync_write fs/read_write.c:586 [inline]
vfs_write+0xb34/0x1540 fs/read_write.c:679
ksys_write+0x240/0x4b0 fs/read_write.c:731
__do_sys_write fs/read_write.c:742 [inline]
__se_sys_write fs/read_write.c:739 [inline]
__x64_sys_write+0x93/0xe0 fs/read_write.c:739
x64_sys_call+0x3161/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:2
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Uninit was created at:
__alloc_frozen_pages_noprof+0x9a7/0xe00 mm/page_alloc.c:4762
alloc_pages_mpol+0x4cd/0x890 mm/mempolicy.c:2270
alloc_frozen_pages_noprof+0x1bf/0x1e0 mm/mempolicy.c:2341
alloc_slab_page mm/slub.c:2423 [inline]
allocate_slab+0x23a/0x1110 mm/slub.c:2587
new_slab mm/slub.c:2640 [inline]
___slab_alloc+0x1287/0x3540 mm/slub.c:3826
__slab_alloc mm/slub.c:3916 [inline]
__slab_alloc_node mm/slub.c:3991 [inline]
slab_alloc_node mm/slub.c:4152 [inline]
kmem_cache_alloc_noprof+0x84e/0xe10 mm/slub.c:4171
mempool_alloc_slab+0x36/0x50 mm/mempool.c:559
mempool_init_node+0x202/0x4d0 mm/mempool.c:217
mempool_init_noprof+0x57/0x70 mm/mempool.c:246
bioset_init+0x279/0xb30 block/bio.c:1707
bch2_fs_fs_io_buffered_init+0x4a/0xc0 fs/bcachefs/fs-io-buffered.c:1084
bch2_fs_alloc fs/bcachefs/super.c:934 [inline]
bch2_fs_open+0x5654/0x5ba0 fs/bcachefs/super.c:2064
bch2_fs_get_tree+0x98a/0x24e0 fs/bcachefs/fs.c:2190
vfs_get_tree+0xb1/0x5a0 fs/super.c:1814
do_new_mount+0x71f/0x15e0 fs/namespace.c:3560
path_mount+0x742/0x1f10 fs/namespace.c:3887
do_mount fs/namespace.c:3900 [inline]
__do_sys_mount fs/namespace.c:4111 [inline]
__se_sys_mount+0x71f/0x800 fs/namespace.c:4088
__x64_sys_mount+0xe4/0x150 fs/namespace.c:4088
x64_sys_call+0x39bf/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:166
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
CPU: 0 UID: 0 PID: 5782 Comm: syz-executor407 Not tainted 6.14.0-rc5-syzkaller-00016-g48a5eed9ad58 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
=====================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
* [syzbot] linux-next build error (20)
@ 2025-02-23 6:02 syzbot
2025-04-14 14:48 ` [syzbot] syzbot
0 siblings, 1 reply; 141+ messages in thread
From: syzbot @ 2025-02-23 6:02 UTC (permalink / raw)
To: linux-kernel, linux-next, sfr, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: d4b0fd87ff0d Add linux-next specific files for 20250221
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=17a5bae4580000
kernel config: https://syzkaller.appspot.com/x/.config?x=76d7299d72819017
dashboard link: https://syzkaller.appspot.com/bug?extid=06fd1a3613c50d36129e
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+06fd1a3613c50d36129e@syzkaller.appspotmail.com
<stdin>:4:15: error: use of undeclared identifier '__ref_stack_chk_guard'
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
* [syzbot] [can?] WARNING in ucan_probe
@ 2025-02-17 11:55 syzbot
2025-02-17 17:59 ` [syzbot] syzbot
0 siblings, 1 reply; 141+ messages in thread
From: syzbot @ 2025-02-17 11:55 UTC (permalink / raw)
To: davem, edumazet, gregkh, kuba, linux-can, linux-kernel, mailhol.vincent, mkl, netdev, oneukum, pabeni, stern, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 496659003dac Merge tag 'i2c-for-6.14-rc3' of git://git.ker..
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=11012bf8580000
kernel config: https://syzkaller.appspot.com/x/.config?x=c776e555cfbdb82d
dashboard link: https://syzkaller.appspot.com/bug?extid=d7d8c418e8317899e88c
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14f7b9b0580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=155602e4580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/c1675d5fc116/disk-49665900.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/0342ce7d0bc9/vmlinux-49665900.xz
kernel image: https://storage.googleapis.com/syzbot-assets/5ce5b4978fc4/bzImage-49665900.xz
The issue was bisected to:
commit b3e40fc85735b787ce65909619fcd173107113c2
Author: Oliver Neukum <oneukum@suse.com>
Date: Thu May 2 11:51:40 2024 +0000
USB: usb_parse_endpoint: ignore reserved bits
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=11c65bf8580000
final oops: https://syzkaller.appspot.com/x/report.txt?x=13c65bf8580000
console output: https://syzkaller.appspot.com/x/log.txt?x=15c65bf8580000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d7d8c418e8317899e88c@syzkaller.appspotmail.com
Fixes: b3e40fc85735 ("USB: usb_parse_endpoint: ignore reserved bits")
------------[ cut here ]------------
strnlen: detected buffer overflow: 129 byte read of buffer size 128
WARNING: CPU: 0 PID: 9 at lib/string_helpers.c:1033 __fortify_report+0x9d/0xb0 lib/string_helpers.c:1032
Modules linked in:
CPU: 0 UID: 0 PID: 9 Comm: kworker/0:1 Not tainted 6.14.0-rc2-syzkaller-00281-g496659003dac #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
Workqueue: usb_hub_wq hub_event
RIP: 0010:__fortify_report+0x9d/0xb0 lib/string_helpers.c:1032
Code: 84 ed 48 8b 33 48 c7 c0 a0 ae 80 8c 48 c7 c1 c0 ae 80 8c 48 0f 44 c8 48 c7 c7 20 ac 80 8c 4c 89 fa 4d 89 f0 e8 04 dd 8b fc 90 <0f> 0b 90 90 5b 41 5e 41 5f 5d c3 cc cc cc cc 0f 1f 40 00 90 90 90
RSP: 0018:ffffc900000e6b50 EFLAGS: 00010246
RAX: e8edca93825f5800 RBX: ffffffff8c80ab68 RCX: ffff88801c2f8000
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
RBP: 0000000000000000 R08: ffffffff81817e32 R09: fffffbfff1d3a614
R10: dffffc0000000000 R11: fffffbfff1d3a614 R12: dffffc0000000000
R13: 1ffff9200001cd84 R14: 0000000000000080 R15: 0000000000000081
FS: 0000000000000000(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055d6c3b85e50 CR3: 0000000078508000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
__fortify_panic+0x9/0x10 lib/string_helpers.c:1039
_Z7strnlenPKcU25pass_dynamic_object_size1m include/linux/fortify-string.h:235 [inline]
_Z13sized_strscpyPcU25pass_dynamic_object_size1PKcU25pass_dynamic_object_size1m include/linux/fortify-string.h:309 [inline]
ucan_probe+0x195e/0x1980 drivers/net/can/usb/ucan.c:1535
usb_probe_interface+0x641/0xbb0 drivers/usb/core/driver.c:396
really_probe+0x2b9/0xad0 drivers/base/dd.c:658
__driver_probe_device+0x1a2/0x390 drivers/base/dd.c:800
driver_probe_device+0x50/0x430 drivers/base/dd.c:830
__device_attach_driver+0x2d6/0x530 drivers/base/dd.c:958
bus_for_each_drv+0x24e/0x2e0 drivers/base/bus.c:462
__device_attach+0x333/0x520 drivers/base/dd.c:1030
bus_probe_device+0x189/0x260 drivers/base/bus.c:537
device_add+0x856/0xbf0 drivers/base/core.c:3665
usb_set_configuration+0x1976/0x1fb0 drivers/usb/core/message.c:2210
usb_generic_driver_probe+0x88/0x140 drivers/usb/core/generic.c:250
usb_probe_device+0x1b8/0x380 drivers/usb/core/driver.c:291
really_probe+0x2b9/0xad0 drivers/base/dd.c:658
__driver_probe_device+0x1a2/0x390 drivers/base/dd.c:800
driver_probe_device+0x50/0x430 drivers/base/dd.c:830
__device_attach_driver+0x2d6/0x530 drivers/base/dd.c:958
bus_for_each_drv+0x24e/0x2e0 drivers/base/bus.c:462
__device_attach+0x333/0x520 drivers/base/dd.c:1030
bus_probe_device+0x189/0x260 drivers/base/bus.c:537
device_add+0x856/0xbf0 drivers/base/core.c:3665
usb_new_device+0x104a/0x19a0 drivers/usb/core/hub.c:2652
hub_port_connect drivers/usb/core/hub.c:5523 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5663 [inline]
port_event drivers/usb/core/hub.c:5823 [inline]
hub_event+0x2d6d/0x5150 drivers/usb/core/hub.c:5905
process_one_work kernel/workqueue.c:3236 [inline]
process_scheduled_works+0xabe/0x18e0 kernel/workqueue.c:3317
worker_thread+0x870/0xd30 kernel/workqueue.c:3398
kthread+0x7a9/0x920 kernel/kthread.c:464
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
* [syzbot] [usb?] KMSAN: uninit-value in mii_nway_restart (2)
@ 2025-02-17 11:55 syzbot
2025-02-17 20:59 ` [syzbot] syzbot
2025-04-11 12:15 ` [syzbot] syzbot
0 siblings, 2 replies; 141+ messages in thread
From: syzbot @ 2025-02-17 11:55 UTC (permalink / raw)
To: andrew+netdev, davem, edumazet, kuba, linux-kernel, linux-usb,
netdev, pabeni, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 128c8f96eb86 Merge tag 'drm-fixes-2025-02-14' of https://g..
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=11546098580000
kernel config: https://syzkaller.appspot.com/x/.config?x=264db44f1897cdc3
dashboard link: https://syzkaller.appspot.com/bug?extid=3361c2d6f78a3e0892f9
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17d9d9b0580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1039d9b0580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/7aa6f3aa12c5/disk-128c8f96.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/7ca2c0dbfd2f/vmlinux-128c8f96.xz
kernel image: https://storage.googleapis.com/syzbot-assets/aa690978a38e/bzImage-128c8f96.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+3361c2d6f78a3e0892f9@syzkaller.appspotmail.com
=====================================================
BUG: KMSAN: uninit-value in mii_nway_restart+0x119/0x1e0 drivers/net/mii.c:468
mii_nway_restart+0x119/0x1e0 drivers/net/mii.c:468
ch9200_bind+0x238/0xeb0 drivers/net/usb/ch9200.c:354
usbnet_probe+0xdb0/0x3eb0 drivers/net/usb/usbnet.c:1761
usb_probe_interface+0xd33/0x12e0 drivers/usb/core/driver.c:396
really_probe+0x4dc/0xd90 drivers/base/dd.c:658
__driver_probe_device+0x2ab/0x5d0 drivers/base/dd.c:800
driver_probe_device+0x72/0x890 drivers/base/dd.c:830
__device_attach_driver+0x568/0x9e0 drivers/base/dd.c:958
bus_for_each_drv+0x403/0x620 drivers/base/bus.c:462
__device_attach+0x3c1/0x650 drivers/base/dd.c:1030
device_initial_probe+0x32/0x40 drivers/base/dd.c:1079
bus_probe_device+0x3dc/0x5c0 drivers/base/bus.c:537
device_add+0x13aa/0x1ba0 drivers/base/core.c:3665
usb_set_configuration+0x31c9/0x38d0 drivers/usb/core/message.c:2210
usb_generic_driver_probe+0x109/0x2a0 drivers/usb/core/generic.c:250
usb_probe_device+0x3a7/0x690 drivers/usb/core/driver.c:291
really_probe+0x4dc/0xd90 drivers/base/dd.c:658
__driver_probe_device+0x2ab/0x5d0 drivers/base/dd.c:800
driver_probe_device+0x72/0x890 drivers/base/dd.c:830
__device_attach_driver+0x568/0x9e0 drivers/base/dd.c:958
bus_for_each_drv+0x403/0x620 drivers/base/bus.c:462
__device_attach+0x3c1/0x650 drivers/base/dd.c:1030
device_initial_probe+0x32/0x40 drivers/base/dd.c:1079
bus_probe_device+0x3dc/0x5c0 drivers/base/bus.c:537
device_add+0x13aa/0x1ba0 drivers/base/core.c:3665
usb_new_device+0x15f0/0x2470 drivers/usb/core/hub.c:2652
hub_port_connect drivers/usb/core/hub.c:5523 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5663 [inline]
port_event drivers/usb/core/hub.c:5823 [inline]
hub_event+0x4ffb/0x72d0 drivers/usb/core/hub.c:5905
process_one_work kernel/workqueue.c:3236 [inline]
process_scheduled_works+0xc1a/0x1e80 kernel/workqueue.c:3317
worker_thread+0xea7/0x14f0 kernel/workqueue.c:3398
kthread+0x6b9/0xef0 kernel/kthread.c:464
ret_from_fork+0x6d/0x90 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
Local variable buff created at:
ch9200_mdio_read+0x3c/0x100 drivers/net/usb/ch9200.c:180
mii_nway_restart+0x8a/0x1e0 drivers/net/mii.c:466
CPU: 1 UID: 0 PID: 3067 Comm: kworker/1:2 Not tainted 6.14.0-rc2-syzkaller-00185-g128c8f96eb86 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
Workqueue: usb_hub_wq hub_event
=====================================================
* [syzbot] [ppp?] KMSAN: uninit-value in ppp_sync_send (2)
@ 2025-02-13 18:25 syzbot
2025-02-15 7:58 ` [syzbot] syzbot
` (7 more replies)
0 siblings, 8 replies; 141+ messages in thread
From: syzbot @ 2025-02-13 18:25 UTC (permalink / raw)
To: andrew+netdev, davem, edumazet, kuba, linux-kernel, linux-ppp,
netdev, pabeni, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 9946eaf552b1 Merge tag 'hardening-v6.14-rc2' of git://git...
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=131dabdf980000
kernel config: https://syzkaller.appspot.com/x/.config?x=f20bce78db15972a
dashboard link: https://syzkaller.appspot.com/bug?extid=29fc8991b0ecb186cf40
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17b142a4580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14167df8580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/955ec208b383/disk-9946eaf5.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/ccb7613686d1/vmlinux-9946eaf5.xz
kernel image: https://storage.googleapis.com/syzbot-assets/10b92522362a/bzImage-9946eaf5.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+29fc8991b0ecb186cf40@syzkaller.appspotmail.com
=====================================================
BUG: KMSAN: uninit-value in ppp_sync_txmunge drivers/net/ppp/ppp_synctty.c:516 [inline]
BUG: KMSAN: uninit-value in ppp_sync_send+0x21c/0xb00 drivers/net/ppp/ppp_synctty.c:568
ppp_sync_txmunge drivers/net/ppp/ppp_synctty.c:516 [inline]
ppp_sync_send+0x21c/0xb00 drivers/net/ppp/ppp_synctty.c:568
ppp_channel_bridge_input drivers/net/ppp/ppp_generic.c:2280 [inline]
ppp_input+0x1f1/0xe60 drivers/net/ppp/ppp_generic.c:2304
pppoe_rcv_core+0x1d3/0x720 drivers/net/ppp/pppoe.c:379
sk_backlog_rcv+0x13b/0x420 include/net/sock.h:1122
__release_sock+0x1da/0x330 net/core/sock.c:3106
release_sock+0x6b/0x250 net/core/sock.c:3660
pppoe_sendmsg+0xb35/0xc50 drivers/net/ppp/pppoe.c:903
sock_sendmsg_nosec net/socket.c:718 [inline]
__sock_sendmsg+0x30f/0x380 net/socket.c:733
____sys_sendmsg+0x903/0xb60 net/socket.c:2573
___sys_sendmsg+0x28d/0x3c0 net/socket.c:2627
__sys_sendmmsg+0x2ff/0x880 net/socket.c:2716
__do_sys_sendmmsg net/socket.c:2743 [inline]
__se_sys_sendmmsg net/socket.c:2740 [inline]
__x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2740
x64_sys_call+0x33c2/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:308
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Uninit was created at:
slab_post_alloc_hook mm/slub.c:4121 [inline]
slab_alloc_node mm/slub.c:4164 [inline]
kmem_cache_alloc_node_noprof+0x907/0xe00 mm/slub.c:4216
kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:587
__alloc_skb+0x363/0x7b0 net/core/skbuff.c:678
alloc_skb include/linux/skbuff.h:1331 [inline]
sock_wmalloc+0xfe/0x1a0 net/core/sock.c:2746
pppoe_sendmsg+0x385/0xc50 drivers/net/ppp/pppoe.c:867
sock_sendmsg_nosec net/socket.c:718 [inline]
__sock_sendmsg+0x30f/0x380 net/socket.c:733
____sys_sendmsg+0x903/0xb60 net/socket.c:2573
___sys_sendmsg+0x28d/0x3c0 net/socket.c:2627
__sys_sendmmsg+0x2ff/0x880 net/socket.c:2716
__do_sys_sendmmsg net/socket.c:2743 [inline]
__se_sys_sendmmsg net/socket.c:2740 [inline]
__x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2740
x64_sys_call+0x33c2/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:308
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
CPU: 1 UID: 0 PID: 5806 Comm: syz-executor201 Not tainted 6.14.0-rc1-syzkaller-00235-g9946eaf552b1 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
=====================================================
* Re: [syzbot]
2025-02-13 18:25 [syzbot] [ppp?] KMSAN: uninit-value in ppp_sync_send (2) syzbot
@ 2025-02-15 7:58 ` syzbot
2025-02-15 12:33 ` [syzbot] syzbot
` (6 subsequent siblings)
7 siblings, 0 replies; 141+ messages in thread
From: syzbot @ 2025-02-15 7:58 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: purvayeshi550@gmail.com
#syz test
* Re: [syzbot]
2025-02-13 18:25 [syzbot] [ppp?] KMSAN: uninit-value in ppp_sync_send (2) syzbot
2025-02-15 7:58 ` [syzbot] syzbot
@ 2025-02-15 12:33 ` syzbot
2025-02-15 14:31 ` [syzbot] syzbot
` (5 subsequent siblings)
7 siblings, 0 replies; 141+ messages in thread
From: syzbot @ 2025-02-15 12:33 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: purvayeshi550@gmail.com
#syz test
* Re: [syzbot]
2025-02-13 18:25 [syzbot] [ppp?] KMSAN: uninit-value in ppp_sync_send (2) syzbot
2025-02-15 7:58 ` [syzbot] syzbot
2025-02-15 12:33 ` [syzbot] syzbot
@ 2025-02-15 14:31 ` syzbot
2025-02-15 18:42 ` [syzbot] syzbot
` (4 subsequent siblings)
7 siblings, 0 replies; 141+ messages in thread
From: syzbot @ 2025-02-15 14:31 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: purvayeshi550@gmail.com
#syz test
* Re: [syzbot]
2025-02-13 18:25 [syzbot] [ppp?] KMSAN: uninit-value in ppp_sync_send (2) syzbot
` (2 preceding siblings ...)
2025-02-15 14:31 ` [syzbot] syzbot
@ 2025-02-15 18:42 ` syzbot
2025-02-15 19:35 ` [syzbot] syzbot
` (3 subsequent siblings)
7 siblings, 0 replies; 141+ messages in thread
From: syzbot @ 2025-02-15 18:42 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: purvayeshi550@gmail.com
#syz test
* Re: [syzbot]
2025-02-13 18:25 [syzbot] [ppp?] KMSAN: uninit-value in ppp_sync_send (2) syzbot
` (3 preceding siblings ...)
2025-02-15 18:42 ` [syzbot] syzbot
@ 2025-02-15 19:35 ` syzbot
2025-04-07 14:06 ` [syzbot] Arnaud Lecomte
` (2 subsequent siblings)
7 siblings, 0 replies; 141+ messages in thread
From: syzbot @ 2025-02-15 19:35 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: purvayeshi550@gmail.com
#syz test
* Re: [syzbot]
2025-02-13 18:25 [syzbot] [ppp?] KMSAN: uninit-value in ppp_sync_send (2) syzbot
` (4 preceding siblings ...)
2025-02-15 19:35 ` [syzbot] syzbot
@ 2025-04-07 14:06 ` Arnaud Lecomte
2025-04-07 14:17 ` [syzbot] Arnaud Lecomte
2025-04-07 14:17 ` [syzbot] Arnaud Lecomte
7 siblings, 0 replies; 141+ messages in thread
From: Arnaud Lecomte @ 2025-04-07 14:06 UTC (permalink / raw)
To: syzbot+29fc8991b0ecb186cf40
Cc: andrew+netdev, davem, edumazet, kuba, linux-kernel, linux-ppp,
netdev, pabeni, syzkaller-bugs
#syz test: https://github.com/ArnaudLcm/linux bounds-checking-txmung
* Re: [syzbot]
2025-02-13 18:25 [syzbot] [ppp?] KMSAN: uninit-value in ppp_sync_send (2) syzbot
` (5 preceding siblings ...)
2025-04-07 14:06 ` [syzbot] Arnaud Lecomte
@ 2025-04-07 14:17 ` Arnaud Lecomte
2025-04-07 14:17 ` [syzbot] syzbot
2025-04-07 14:17 ` [syzbot] Arnaud Lecomte
7 siblings, 1 reply; 141+ messages in thread
From: Arnaud Lecomte @ 2025-04-07 14:17 UTC (permalink / raw)
To: syzbot+29fc8991b0ecb186cf40
Cc: andrew+netdev, davem, edumazet, kuba, linux-kernel, linux-ppp,
netdev, pabeni, syzkaller-bugs
Author: contact@arnaud-lcm.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
diff --git a/drivers/net/ppp/ppp_synctty.c b/drivers/net/ppp/ppp_synctty.c
index 644e99fc3623..520d895acc60 100644
--- a/drivers/net/ppp/ppp_synctty.c
+++ b/drivers/net/ppp/ppp_synctty.c
@@ -506,6 +506,11 @@ ppp_sync_txmunge(struct syncppp *ap, struct sk_buff *skb)
unsigned char *data;
int islcp;
+ /* Ensure we can safely access protocol field and LCP code */
+ if (!skb || !pskb_may_pull(skb, 3)) {
+ kfree_skb(skb);
+ return NULL;
+ }
data = skb->data;
proto = get_unaligned_be16(data);
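Review bot: the new `pskb_may_pull(skb, 3)` rejects every frame shorter than three bytes, but the only unconditional read that follows is the two-byte protocol field on `proto = get_unaligned_be16(data);`; the third byte is needed only for the LCP code test, so a frame that is exactly two bytes long (protocol field with no payload) is now freed instead of forwarded. Consider pulling 2 bytes here and gating the LCP code read on `skb->len >= 3` so that non-LCP frames keep their current behaviour. The `!skb` test also introduces behaviour the hunk does not motivate: the existing body dereferences `skb->data` unconditionally, so a NULL skb was never a supported input; either drop the test or state in the comment which caller can pass NULL. Finally there is no commit message: it should say that the bot's trace shows the short skb arriving through ppp_channel_bridge_input (ppp_generic.c:2280) straight into ppp_sync_send, that KMSAN flagged an uninitialised read (the bytes past the written length of an skb allocated in pppoe_sendmsg), and why the length check belongs in the synctty munge routine rather than at the bridge input, where it would cover other channel types as well.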
* Re: [syzbot]
2025-04-07 14:17 ` [syzbot] Arnaud Lecomte
@ 2025-04-07 14:17 ` syzbot
0 siblings, 0 replies; 141+ messages in thread
From: syzbot @ 2025-04-07 14:17 UTC (permalink / raw)
To: contact
Cc: andrew, contact, davem, edumazet, kuba, linux-kernel, linux-ppp,
netdev, pabeni, syzkaller-bugs
> Author: contact@arnaud-lcm.com
>
> #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
want either no args or 2 args (repo, branch), got 5
>
> diff --git a/drivers/net/ppp/ppp_synctty.c b/drivers/net/ppp/ppp_synctty.c
> index 644e99fc3623..520d895acc60 100644
> --- a/drivers/net/ppp/ppp_synctty.c
> +++ b/drivers/net/ppp/ppp_synctty.c
> @@ -506,6 +506,11 @@ ppp_sync_txmunge(struct syncppp *ap, struct sk_buff *skb)
> unsigned char *data;
> int islcp;
>
> + /* Ensure we can safely access protocol field and LCP code */
> + if (!skb || !pskb_may_pull(skb, 3)) {
> + kfree_skb(skb);
> + return NULL;
> + }
> data = skb->data;
> proto = get_unaligned_be16(data);
* Re: [syzbot]
2025-02-13 18:25 [syzbot] [ppp?] KMSAN: uninit-value in ppp_sync_send (2) syzbot
` (6 preceding siblings ...)
2025-04-07 14:17 ` [syzbot] Arnaud Lecomte
@ 2025-04-07 14:17 ` Arnaud Lecomte
7 siblings, 0 replies; 141+ messages in thread
From: Arnaud Lecomte @ 2025-04-07 14:17 UTC (permalink / raw)
To: syzbot+29fc8991b0ecb186cf40
Cc: andrew+netdev, davem, edumazet, kuba, linux-kernel, linux-ppp,
netdev, pabeni, syzkaller-bugs
Author: contact@arnaud-lcm.com
#syz test
diff --git a/drivers/net/ppp/ppp_synctty.c b/drivers/net/ppp/ppp_synctty.c
index 644e99fc3623..520d895acc60 100644
--- a/drivers/net/ppp/ppp_synctty.c
+++ b/drivers/net/ppp/ppp_synctty.c
@@ -506,6 +506,11 @@ ppp_sync_txmunge(struct syncppp *ap, struct sk_buff *skb)
unsigned char *data;
int islcp;
+ /* Ensure we can safely access protocol field and LCP code */
+ if (!skb || !pskb_may_pull(skb, 3)) {
+ kfree_skb(skb);
+ return NULL;
+ }
data = skb->data;
proto = get_unaligned_be16(data);
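Review bot: this resend carries the same hunk as the earlier attempt, so the same concern stands: requiring three linear bytes for every frame is stricter than the code below needs, since `proto = get_unaligned_be16(data);` reads only two bytes and the third byte matters only when the frame is LCP. A two-byte non-LCP frame, which the visible lines give no reason to treat as invalid, is now dropped. A `pskb_may_pull(skb, 2)` before the protocol read plus a `skb->len >= 3` condition around the LCP code check would close the uninitialised read without changing behaviour for short non-LCP frames. The `!skb` guard should either go or be justified, because the unchanged code already dereferences `skb->data` without such a check, and the submission still lacks a commit message explaining the path in the bot's trace (ppp_channel_bridge_input handing the skb to ppp_sync_send) and the Reported-by tag the report asks for.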
* [syzbot] [modules?] KMSAN: uninit-value in __request_module (6)
@ 2025-02-12 13:41 syzbot
2025-02-13 14:21 ` [syzbot] syzbot
2025-02-13 18:22 ` [syzbot] syzbot
0 siblings, 2 replies; 141+ messages in thread
From: syzbot @ 2025-02-12 13:41 UTC (permalink / raw)
To: da.gomez, linux-kernel, linux-modules, mcgrof, petr.pavlu,
samitolvanen, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: febbc555cf0f Merge tag 'nfsd-6.14-1' of git://git.kernel.o..
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=137a78e4580000
kernel config: https://syzkaller.appspot.com/x/.config?x=48f90cac5eea091a
dashboard link: https://syzkaller.appspot.com/bug?extid=1fcd957a82e3a1baa94d
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=177a78e4580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16adc3f8580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/f90f94285615/disk-febbc555.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/b8a8bb66806c/vmlinux-febbc555.xz
kernel image: https://storage.googleapis.com/syzbot-assets/c8af6c511559/bzImage-febbc555.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+1fcd957a82e3a1baa94d@syzkaller.appspotmail.com
=====================================================
BUG: KMSAN: uninit-value in string_nocheck lib/vsprintf.c:633 [inline]
BUG: KMSAN: uninit-value in string+0x3ec/0x5f0 lib/vsprintf.c:714
string_nocheck lib/vsprintf.c:633 [inline]
string+0x3ec/0x5f0 lib/vsprintf.c:714
vsnprintf+0xa5d/0x1960 lib/vsprintf.c:2843
__request_module+0x252/0x9f0 kernel/module/kmod.c:149
team_mode_get drivers/net/team/team_core.c:480 [inline]
team_change_mode drivers/net/team/team_core.c:607 [inline]
team_mode_option_set+0x437/0x970 drivers/net/team/team_core.c:1401
team_option_set drivers/net/team/team_core.c:375 [inline]
team_nl_options_set_doit+0x1339/0x1f90 drivers/net/team/team_core.c:2661
genl_family_rcv_msg_doit net/netlink/genetlink.c:1115 [inline]
genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
genl_rcv_msg+0x1214/0x12c0 net/netlink/genetlink.c:1210
netlink_rcv_skb+0x375/0x650 net/netlink/af_netlink.c:2543
genl_rcv+0x40/0x60 net/netlink/genetlink.c:1219
netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline]
netlink_unicast+0xf52/0x1260 net/netlink/af_netlink.c:1348
netlink_sendmsg+0x10da/0x11e0 net/netlink/af_netlink.c:1892
sock_sendmsg_nosec net/socket.c:718 [inline]
__sock_sendmsg+0x30f/0x380 net/socket.c:733
____sys_sendmsg+0x877/0xb60 net/socket.c:2573
___sys_sendmsg+0x28d/0x3c0 net/socket.c:2627
__sys_sendmsg net/socket.c:2659 [inline]
__do_sys_sendmsg net/socket.c:2664 [inline]
__se_sys_sendmsg net/socket.c:2662 [inline]
__x64_sys_sendmsg+0x212/0x3c0 net/socket.c:2662
x64_sys_call+0x2ed6/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:47
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Uninit was created at:
slab_post_alloc_hook mm/slub.c:4121 [inline]
slab_alloc_node mm/slub.c:4164 [inline]
kmem_cache_alloc_node_noprof+0x907/0xe00 mm/slub.c:4216
kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:587
__alloc_skb+0x363/0x7b0 net/core/skbuff.c:678
alloc_skb include/linux/skbuff.h:1331 [inline]
netlink_alloc_large_skb+0x1b4/0x280 net/netlink/af_netlink.c:1196
netlink_sendmsg+0xa96/0x11e0 net/netlink/af_netlink.c:1867
sock_sendmsg_nosec net/socket.c:718 [inline]
__sock_sendmsg+0x30f/0x380 net/socket.c:733
____sys_sendmsg+0x877/0xb60 net/socket.c:2573
___sys_sendmsg+0x28d/0x3c0 net/socket.c:2627
__sys_sendmsg net/socket.c:2659 [inline]
__do_sys_sendmsg net/socket.c:2664 [inline]
__se_sys_sendmsg net/socket.c:2662 [inline]
__x64_sys_sendmsg+0x212/0x3c0 net/socket.c:2662
x64_sys_call+0x2ed6/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:47
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
CPU: 0 UID: 0 PID: 5814 Comm: syz-executor989 Not tainted 6.14.0-rc2-syzkaller-00034-gfebbc555cf0f #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
=====================================================
* [syzbot] [jfs?] KASAN: slab-out-of-bounds Read in ea_get (4)
@ 2025-02-12 10:57 syzbot
2025-02-12 22:56 ` [syzbot] syzbot
0 siblings, 1 reply; 141+ messages in thread
From: syzbot @ 2025-02-12 10:57 UTC (permalink / raw)
To: jfs-discussion, linux-kernel, shaggy, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 7ee983c850b4 Merge tag 'drm-fixes-2025-02-08' of https://g..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14a8dca4580000
kernel config: https://syzkaller.appspot.com/x/.config?x=1909f2f0d8e641ce
dashboard link: https://syzkaller.appspot.com/bug?extid=4e6e7e4279d046613bc5
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11bf61b0580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12a8dca4580000
Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7feb34a89c2a/non_bootable_disk-7ee983c8.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/f2f78699fc41/vmlinux-7ee983c8.xz
kernel image: https://storage.googleapis.com/syzbot-assets/ca55e6e8dd01/bzImage-7ee983c8.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/b234819f8863/mount_0.gz
fsck result: failed (log: https://syzkaller.appspot.com/x/fsck.log?x=10a8dca4580000)
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+4e6e7e4279d046613bc5@syzkaller.appspotmail.com
ffff88804566b698: 90 b6 66 45 80 88 ff ff 00 00 00 00 00 00 00 00 ..fE............
ffff88804566b6a8: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
ffff88804566b6b8: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
==================================================================
BUG: KASAN: slab-out-of-bounds in hex_dump_to_buffer+0x731/0xba0 lib/hexdump.c:193
Read of size 1 at addr ffff88804566b6d0 by task syz-executor271/5307
CPU: 0 UID: 0 PID: 5307 Comm: syz-executor271 Not tainted 6.14.0-rc1-syzkaller-00181-g7ee983c850b4 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0x169/0x550 mm/kasan/report.c:489
kasan_report+0x143/0x180 mm/kasan/report.c:602
hex_dump_to_buffer+0x731/0xba0 lib/hexdump.c:193
print_hex_dump+0x13f/0x250 lib/hexdump.c:276
ea_get+0xd30/0x12e0 fs/jfs/xattr.c:565
__jfs_setxattr+0xfc/0x1190 fs/jfs/xattr.c:675
__jfs_xattr_set+0xf9/0x180 fs/jfs/xattr.c:936
__vfs_setxattr+0x468/0x4a0 fs/xattr.c:200
__vfs_setxattr_noperm+0x12e/0x660 fs/xattr.c:234
vfs_setxattr+0x221/0x430 fs/xattr.c:321
do_setxattr fs/xattr.c:636 [inline]
filename_setxattr+0x2af/0x430 fs/xattr.c:665
path_setxattrat+0x440/0x510 fs/xattr.c:713
__do_sys_lsetxattr fs/xattr.c:754 [inline]
__se_sys_lsetxattr fs/xattr.c:750 [inline]
__x64_sys_lsetxattr+0xbf/0xe0 fs/xattr.c:750
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fee5a1fde19
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff6b319538 EFLAGS: 00000246 ORIG_RAX: 00000000000000bd
RAX: ffffffffffffffda RBX: 00007fee5a247095 RCX: 00007fee5a1fde19
RDX: 0000000000000000 RSI: 0000400000002580 RDI: 0000400000000080
RBP: 00007fee5a27a5f0 R08: 0000000000000001 R09: 00005555596ac4c0
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fff6b319560
R13: 00007fff6b319788 R14: 431bde82d7b634db R15: 00007fee5a24703b
</TASK>
Allocated by task 5307:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
unpoison_slab_object mm/kasan/common.c:319 [inline]
__kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:345
kasan_slab_alloc include/linux/kasan.h:250 [inline]
slab_post_alloc_hook mm/slub.c:4115 [inline]
slab_alloc_node mm/slub.c:4164 [inline]
kmem_cache_alloc_lru_noprof+0x1dd/0x390 mm/slub.c:4183
jfs_alloc_inode+0x28/0x70 fs/jfs/super.c:105
alloc_inode+0x65/0x1a0 fs/inode.c:336
iget_locked+0xf1/0x5a0 fs/inode.c:1487
jfs_iget+0x23/0x3e0 fs/jfs/inode.c:29
jfs_lookup+0x226/0x410 fs/jfs/namei.c:1469
__lookup_slow+0x296/0x400 fs/namei.c:1793
lookup_slow+0x53/0x70 fs/namei.c:1810
walk_component+0x2e1/0x410 fs/namei.c:2114
lookup_last fs/namei.c:2612 [inline]
path_lookupat+0x16f/0x450 fs/namei.c:2636
filename_lookup+0x2a3/0x670 fs/namei.c:2665
filename_setxattr+0xb9/0x430 fs/xattr.c:660
path_setxattrat+0x440/0x510 fs/xattr.c:713
__do_sys_lsetxattr fs/xattr.c:754 [inline]
__se_sys_lsetxattr fs/xattr.c:750 [inline]
__x64_sys_lsetxattr+0xbf/0xe0 fs/xattr.c:750
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff88804566ae18
which belongs to the cache jfs_ip of size 2232
The buggy address is located 0 bytes to the right of
allocated 2232-byte region [ffff88804566ae18, ffff88804566b6d0)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x45668
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x4fff00000000040(head|node=1|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 04fff00000000040 ffff88801f64b780 dead000000000122 0000000000000000
raw: 0000000000000000 00000000800d000d 00000000f5000000 0000000000000000
head: 04fff00000000040 ffff88801f64b780 dead000000000122 0000000000000000
head: 0000000000000000 00000000800d000d 00000000f5000000 0000000000000000
head: 04fff00000000003 ffffea0001159a01 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Reclaimable, gfp_mask 0xd2050(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_RECLAIMABLE), pid 5307, tgid 5307 (syz-executor271), ts 63066622694, free_ts 0
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1f4/0x240 mm/page_alloc.c:1551
prep_new_page mm/page_alloc.c:1559 [inline]
get_page_from_freelist+0x365c/0x37a0 mm/page_alloc.c:3477
__alloc_frozen_pages_noprof+0x292/0x710 mm/page_alloc.c:4739
alloc_pages_mpol+0x311/0x660 mm/mempolicy.c:2270
alloc_slab_page mm/slub.c:2423 [inline]
allocate_slab+0x8f/0x3a0 mm/slub.c:2587
new_slab mm/slub.c:2640 [inline]
___slab_alloc+0xc27/0x14a0 mm/slub.c:3826
__slab_alloc+0x58/0xa0 mm/slub.c:3916
__slab_alloc_node mm/slub.c:3991 [inline]
slab_alloc_node mm/slub.c:4152 [inline]
kmem_cache_alloc_lru_noprof+0x26c/0x390 mm/slub.c:4183
jfs_alloc_inode+0x28/0x70 fs/jfs/super.c:105
alloc_inode+0x65/0x1a0 fs/inode.c:336
new_inode_pseudo fs/inode.c:1174 [inline]
new_inode+0x22/0x1d0 fs/inode.c:1193
jfs_fill_super+0x570/0xd90 fs/jfs/super.c:511
get_tree_bdev_flags+0x48c/0x5c0 fs/super.c:1636
vfs_get_tree+0x90/0x2b0 fs/super.c:1814
do_new_mount+0x2be/0xb40 fs/namespace.c:3560
do_mount fs/namespace.c:3900 [inline]
__do_sys_mount fs/namespace.c:4111 [inline]
__se_sys_mount+0x2d6/0x3c0 fs/namespace.c:4088
page_owner free stack trace missing
Memory state around the buggy address:
ffff88804566b580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88804566b600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88804566b680: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
^
ffff88804566b700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88804566b780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
* [syzbot] [isofs?] KMSAN: uninit-value in isofs_readdir
From: syzbot @ 2025-02-09 5:48 UTC
To: jack, linux-fsdevel, linux-kernel, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 5c8c229261f1 Merge tag 'kthreads-fixes-2025-02-04' of git:..
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=13a8beb0580000
kernel config: https://syzkaller.appspot.com/x/.config?x=f20bce78db15972a
dashboard link: https://syzkaller.appspot.com/bug?extid=812641c6c3d7586a1613
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12042df8580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17ff93df980000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/63aa4d99d73d/disk-5c8c2292.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/104150a76e91/vmlinux-5c8c2292.xz
kernel image: https://storage.googleapis.com/syzbot-assets/c4622f8c58f4/bzImage-5c8c2292.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/24fb8c942e20/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+812641c6c3d7586a1613@syzkaller.appspotmail.com
loop0: detected capacity change from 1764 to 1763
=====================================================
BUG: KMSAN: uninit-value in do_isofs_readdir fs/isofs/dir.c:150 [inline]
BUG: KMSAN: uninit-value in isofs_readdir+0xa33/0x2610 fs/isofs/dir.c:262
do_isofs_readdir fs/isofs/dir.c:150 [inline]
isofs_readdir+0xa33/0x2610 fs/isofs/dir.c:262
iterate_dir+0x740/0x930 fs/readdir.c:108
__do_sys_getdents64 fs/readdir.c:403 [inline]
__se_sys_getdents64+0x170/0x540 fs/readdir.c:389
__x64_sys_getdents64+0x96/0xe0 fs/readdir.c:389
x64_sys_call+0x3b0f/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:218
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Uninit was created at:
__alloc_frozen_pages_noprof+0x9a7/0xe00 mm/page_alloc.c:4762
alloc_pages_mpol+0x4cd/0x890 mm/mempolicy.c:2270
alloc_frozen_pages_noprof mm/mempolicy.c:2341 [inline]
alloc_pages_noprof+0x1b5/0x250 mm/mempolicy.c:2361
get_free_pages_noprof+0x34/0xc0 mm/page_alloc.c:4798
isofs_readdir+0x74/0x2610 fs/isofs/dir.c:256
iterate_dir+0x740/0x930 fs/readdir.c:108
__do_sys_getdents64 fs/readdir.c:403 [inline]
__se_sys_getdents64+0x170/0x540 fs/readdir.c:389
__x64_sys_getdents64+0x96/0xe0 fs/readdir.c:389
x64_sys_call+0x3b0f/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:218
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
CPU: 0 UID: 0 PID: 5784 Comm: syz-executor207 Not tainted 6.14.0-rc1-syzkaller-00028-g5c8c229261f1 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
=====================================================
* [syzbot] [bcachefs?] KMSAN: uninit-value in bch2_btree_ptr_v2_validate
From: syzbot @ 2025-02-04 15:33 UTC
To: kent.overstreet, linux-bcachefs, linux-kernel, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 0de63bb7d919 Merge tag 'pull-fix' of git://git.kernel.org/..
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=110078a4580000
kernel config: https://syzkaller.appspot.com/x/.config?x=f20bce78db15972a
dashboard link: https://syzkaller.appspot.com/bug?extid=655143dc5f99972b52e6
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11c74f64580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15c74f64580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/b06dbcd0bfdc/disk-0de63bb7.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/bc7060cef2b6/vmlinux-0de63bb7.xz
kernel image: https://storage.googleapis.com/syzbot-assets/3578d0574f33/bzImage-0de63bb7.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/eec1bd50a821/mount_2.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+655143dc5f99972b52e6@syzkaller.appspotmail.com
bucket incorrectly unset in freespace btree
u64s 5 type deleted 0:29:0 len 0 ver 0, , continuing
=====================================================
BUG: KMSAN: uninit-value in bpos_le fs/bcachefs/bkey.h:113 [inline]
BUG: KMSAN: uninit-value in bpos_ge fs/bcachefs/bkey.h:125 [inline]
BUG: KMSAN: uninit-value in bch2_btree_ptr_v2_validate+0x51c/0xb20 fs/bcachefs/extents.c:211
bpos_le fs/bcachefs/bkey.h:113 [inline]
bpos_ge fs/bcachefs/bkey.h:125 [inline]
bch2_btree_ptr_v2_validate+0x51c/0xb20 fs/bcachefs/extents.c:211
bch2_bkey_val_validate+0x357/0x530 fs/bcachefs/bkey_methods.c:143
btree_node_bkey_val_validate fs/bcachefs/btree_io.c:838 [inline]
bset_key_validate fs/bcachefs/btree_io.c:859 [inline]
validate_bset_keys+0x20e3/0x2350 fs/bcachefs/btree_io.c:942
validate_bset_for_write+0x2b3/0x410 fs/bcachefs/btree_io.c:1987
__bch2_btree_node_write+0x53df/0x6830 fs/bcachefs/btree_io.c:2197
bch2_btree_node_write_trans+0xd7/0x890 fs/bcachefs/btree_io.c:2357
btree_node_write_if_need fs/bcachefs/btree_io.h:153 [inline]
btree_update_nodes_written fs/bcachefs/btree_update_interior.c:816 [inline]
btree_interior_update_work+0x3e3f/0x4820 fs/bcachefs/btree_update_interior.c:844
process_one_work kernel/workqueue.c:3236 [inline]
process_scheduled_works+0xae0/0x1c40 kernel/workqueue.c:3317
worker_thread+0xea7/0x14f0 kernel/workqueue.c:3398
kthread+0x6b9/0xef0 kernel/kthread.c:464
ret_from_fork+0x6d/0x90 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
Uninit was stored to memory at:
memcpy_u64s_small fs/bcachefs/util.h:416 [inline]
bkey_p_copy fs/bcachefs/bkey.h:40 [inline]
bch2_sort_keys_keep_unwritten_whiteouts+0x17d1/0x19d0 fs/bcachefs/bkey_sort.c:187
__bch2_btree_node_write+0x3ae8/0x6830 fs/bcachefs/btree_io.c:2140
bch2_btree_node_write_trans+0xd7/0x890 fs/bcachefs/btree_io.c:2357
btree_node_write_if_need fs/bcachefs/btree_io.h:153 [inline]
btree_update_nodes_written fs/bcachefs/btree_update_interior.c:816 [inline]
btree_interior_update_work+0x3e3f/0x4820 fs/bcachefs/btree_update_interior.c:844
process_one_work kernel/workqueue.c:3236 [inline]
process_scheduled_works+0xae0/0x1c40 kernel/workqueue.c:3317
worker_thread+0xea7/0x14f0 kernel/workqueue.c:3398
kthread+0x6b9/0xef0 kernel/kthread.c:464
ret_from_fork+0x6d/0x90 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
Uninit was created at:
___kmalloc_large_node+0x22c/0x370 mm/slub.c:4249
__kmalloc_large_node_noprof+0x3f/0x1e0 mm/slub.c:4266
__do_kmalloc_node mm/slub.c:4282 [inline]
__kmalloc_node_noprof+0xc96/0x1250 mm/slub.c:4300
__kvmalloc_node_noprof+0xc0/0x2d0 mm/util.c:662
btree_node_data_alloc fs/bcachefs/btree_cache.c:156 [inline]
bch2_btree_node_mem_alloc+0xa72/0x2ee0 fs/bcachefs/btree_cache.c:834
__bch2_btree_node_alloc fs/bcachefs/btree_update_interior.c:304 [inline]
bch2_btree_reserve_get+0x37f/0x2290 fs/bcachefs/btree_update_interior.c:532
bch2_btree_update_start+0x1af9/0x2d60 fs/bcachefs/btree_update_interior.c:1230
bch2_btree_split_leaf+0x120/0xc90 fs/bcachefs/btree_update_interior.c:1851
bch2_trans_commit_error+0x1c0/0x1d60 fs/bcachefs/btree_trans_commit.c:908
__bch2_trans_commit+0x1d60/0xd310 fs/bcachefs/btree_trans_commit.c:1085
bch2_trans_commit fs/bcachefs/btree_update.h:183 [inline]
bch2_journal_replay+0x3082/0x4d30 fs/bcachefs/recovery.c:373
bch2_run_recovery_pass fs/bcachefs/recovery_passes.c:226 [inline]
bch2_run_recovery_passes+0x5a2/0x1160 fs/bcachefs/recovery_passes.c:291
bch2_fs_recovery+0x489c/0x6230 fs/bcachefs/recovery.c:936
bch2_fs_start+0x7ca/0xc20 fs/bcachefs/super.c:1030
bch2_fs_get_tree+0x143a/0x2330 fs/bcachefs/fs.c:2203
vfs_get_tree+0xb1/0x5a0 fs/super.c:1814
do_new_mount+0x71f/0x15e0 fs/namespace.c:3560
path_mount+0x742/0x1f10 fs/namespace.c:3887
do_mount fs/namespace.c:3900 [inline]
__do_sys_mount fs/namespace.c:4111 [inline]
__se_sys_mount+0x71f/0x800 fs/namespace.c:4088
__x64_sys_mount+0xe4/0x150 fs/namespace.c:4088
x64_sys_call+0x39bf/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:166
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
CPU: 1 UID: 0 PID: 1092 Comm: kworker/u8:7 Not tainted 6.14.0-rc1-syzkaller-00020-g0de63bb7d919 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
Workqueue: btree_update btree_interior_update_work
=====================================================
* [syzbot] [bcachefs?] KMSAN: uninit-value in btree_interior_update_work
From: syzbot @ 2025-01-29 9:17 UTC
To: kent.overstreet, linux-bcachefs, linux-kernel, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: ab18b8fff124 Merge tag 'auxdisplay-v6.14-1' of git://git.k..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13a47564580000
kernel config: https://syzkaller.appspot.com/x/.config?x=ac8df499d47c7efd
dashboard link: https://syzkaller.appspot.com/bug?extid=de02219c78c082fe2f21
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/366f413714ce/disk-ab18b8ff.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/5270d59ecedc/vmlinux-ab18b8ff.xz
kernel image: https://storage.googleapis.com/syzbot-assets/43d7aec7a24c/bzImage-ab18b8ff.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+de02219c78c082fe2f21@syzkaller.appspotmail.com
=====================================================
BUG: KMSAN: uninit-value in btree_update_nodes_written fs/bcachefs/btree_update_interior.c:688 [inline]
BUG: KMSAN: uninit-value in btree_interior_update_work+0xcef/0x4820 fs/bcachefs/btree_update_interior.c:844
btree_update_nodes_written fs/bcachefs/btree_update_interior.c:688 [inline]
btree_interior_update_work+0xcef/0x4820 fs/bcachefs/btree_update_interior.c:844
process_one_work kernel/workqueue.c:3236 [inline]
process_scheduled_works+0xae0/0x1c40 kernel/workqueue.c:3317
worker_thread+0xea7/0x14f0 kernel/workqueue.c:3398
kthread+0x6b9/0xef0 kernel/kthread.c:464
ret_from_fork+0x6d/0x90 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
Uninit was created at:
___kmalloc_large_node+0x22c/0x370 mm/slub.c:4253
__kmalloc_large_node_noprof+0x3f/0x1e0 mm/slub.c:4270
__do_kmalloc_node mm/slub.c:4286 [inline]
__kmalloc_node_noprof+0xc96/0x1250 mm/slub.c:4304
__kvmalloc_node_noprof+0xc0/0x2d0 mm/util.c:645
btree_node_data_alloc fs/bcachefs/btree_cache.c:153 [inline]
__bch2_btree_node_mem_alloc+0x2be/0xa80 fs/bcachefs/btree_cache.c:198
bch2_fs_btree_cache_init+0x4f0/0xb60 fs/bcachefs/btree_cache.c:652
bch2_fs_alloc fs/bcachefs/super.c:908 [inline]
bch2_fs_open+0x4b24/0x59c0 fs/bcachefs/super.c:2053
bch2_fs_get_tree+0x986/0x2330 fs/bcachefs/fs.c:2190
vfs_get_tree+0xb1/0x5a0 fs/super.c:1814
do_new_mount+0x71f/0x15e0 fs/namespace.c:3560
path_mount+0x742/0x1f10 fs/namespace.c:3887
do_mount fs/namespace.c:3900 [inline]
__do_sys_mount fs/namespace.c:4111 [inline]
__se_sys_mount+0x71f/0x800 fs/namespace.c:4088
__x64_sys_mount+0xe4/0x150 fs/namespace.c:4088
x64_sys_call+0x39bf/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:166
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
CPU: 0 UID: 0 PID: 5856 Comm: kworker/u8:4 Not tainted 6.13.0-syzkaller-06077-gab18b8fff124 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
Workqueue: btree_update btree_interior_update_work
=====================================================
* [syzbot] [usb?] general protection fault in status_show
From: syzbot @ 2025-01-17 6:14 UTC
To: gregkh, i, linux-kernel, linux-usb, shuah, syzkaller-bugs, valentina.manea.m
Hello,
syzbot found the following issue on:
HEAD commit: be548645527a Merge tag 'for-linus' of git://git.kernel.org..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=105adbc4580000
kernel config: https://syzkaller.appspot.com/x/.config?x=ad08f7f48e13abcd
dashboard link: https://syzkaller.appspot.com/bug?extid=83976e47ec1ef91e66f1
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=179bbef8580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12d51cb0580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/68edb33a6611/disk-be548645.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/9c748ff58068/vmlinux-be548645.xz
kernel image: https://storage.googleapis.com/syzbot-assets/6ae2859fc0e3/bzImage-be548645.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+83976e47ec1ef91e66f1@syzkaller.appspotmail.com
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000081: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000408-0x000000000000040f]
CPU: 0 UID: 0 PID: 5830 Comm: syz-executor351 Not tainted 6.13.0-rc6-syzkaller-00290-gbe548645527a #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
RIP: 0010:status_show_vhci drivers/usb/usbip/vhci_sysfs.c:80 [inline]
RIP: 0010:status_show+0x306/0x5a0 drivers/usb/usbip/vhci_sysfs.c:160
Code: 03 80 3c 02 00 0f 85 9c 02 00 00 48 8b 9b 88 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 8d bb 08 04 00 00 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 7d 02 00 00 4c 8b ab 08 04 00 00 c1 e5 04 41 bf
RSP: 0018:ffffc90003cbfad8 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff87534bb9
RDX: 0000000000000081 RSI: ffffffff87534d75 RDI: 0000000000000408
RBP: 000000000000000f R08: 0000000000000005 R09: 0000000000000000
R10: 000000000000000f R11: 64666b636f732020 R12: ffffc90003cbfb28
R13: ffff888034b8c02d R14: ffffffff87534ab0 R15: ffff888034b8c000
FS: 0000555582a4a380(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000000 CR3: 0000000035336000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
dev_attr_show+0x53/0xe0 drivers/base/core.c:2423
sysfs_kf_seq_show+0x223/0x3e0 fs/sysfs/file.c:59
seq_read_iter+0x4f4/0x12b0 fs/seq_file.c:230
kernfs_fop_read_iter+0x414/0x580 fs/kernfs/file.c:279
new_sync_read fs/read_write.c:484 [inline]
vfs_read+0x87f/0xbe0 fs/read_write.c:565
ksys_read+0x12b/0x250 fs/read_write.c:708
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f5c749f72e9
Code: 48 83 c4 28 c3 e8 37 17 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fffd7fbd308 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 00007fffd7fbd4d8 RCX: 00007f5c749f72e9
RDX: 0000000000000062 RSI: 0000000020001080 RDI: 0000000000000003
RBP: 00007f5c74a6a610 R08: 0000000000000000 R09: 00007fffd7fbd4d8
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
R13: 00007fffd7fbd4c8 R14: 0000000000000001 R15: 0000000000000001
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:status_show_vhci drivers/usb/usbip/vhci_sysfs.c:80 [inline]
RIP: 0010:status_show+0x306/0x5a0 drivers/usb/usbip/vhci_sysfs.c:160
Code: 03 80 3c 02 00 0f 85 9c 02 00 00 48 8b 9b 88 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 8d bb 08 04 00 00 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 7d 02 00 00 4c 8b ab 08 04 00 00 c1 e5 04 41 bf
RSP: 0018:ffffc90003cbfad8 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff87534bb9
RDX: 0000000000000081 RSI: ffffffff87534d75 RDI: 0000000000000408
RBP: 000000000000000f R08: 0000000000000005 R09: 0000000000000000
R10: 000000000000000f R11: 64666b636f732020 R12: ffffc90003cbfb28
R13: ffff888034b8c02d R14: ffffffff87534ab0 R15: ffff888034b8c000
FS: 0000555582a4a380(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000000 CR3: 0000000035336000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 03 80 3c 02 00 0f add 0xf00023c(%rax),%eax
6: 85 9c 02 00 00 48 8b test %ebx,-0x74b80000(%rdx,%rax,1)
d: 9b fwait
e: 88 00 mov %al,(%rax)
10: 00 00 add %al,(%rax)
12: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
19: fc ff df
1c: 48 8d bb 08 04 00 00 lea 0x408(%rbx),%rdi
23: 48 89 fa mov %rdi,%rdx
26: 48 c1 ea 03 shr $0x3,%rdx
* 2a: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) <-- trapping instruction
2e: 0f 85 7d 02 00 00 jne 0x2b1
34: 4c 8b ab 08 04 00 00 mov 0x408(%rbx),%r13
3b: c1 e5 04 shl $0x4,%ebp
3e: 41 rex.B
3f: bf .byte 0xbf
* [syzbot] [iommu?] UBSAN: shift-out-of-bounds in iova_bitmap_alloc
From: syzbot @ 2025-01-12 6:45 UTC
To: iommu, jgg, jgg, joao.m.martins, joro, kevin.tian, linux-kernel, robin.murphy, syzkaller-bugs, will
Hello,
syzbot found the following issue on:
HEAD commit: 09a0fa92e5b4 Merge tag 'selinux-pr-20250107' of git://git...
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=16e35b0f980000
kernel config: https://syzkaller.appspot.com/x/.config?x=4ef22c4fce5135b4
dashboard link: https://syzkaller.appspot.com/bug?extid=85992ace37d5b7b51635
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=121fbedf980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=159e8ef8580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/c59c19cd5728/disk-09a0fa92.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/27a8ecc530b5/vmlinux-09a0fa92.xz
kernel image: https://storage.googleapis.com/syzbot-assets/6ed4573ed205/bzImage-09a0fa92.xz
The issue was bisected to:
commit 266ce58989ba05e2a24460fdbf402d766c2e3870
Author: Joao Martins <joao.m.martins@oracle.com>
Date: Tue Oct 24 13:51:05 2023 +0000
iommufd/selftest: Test IOMMU_HWPT_ALLOC_DIRTY_TRACKING
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=11f3b218580000
final oops: https://syzkaller.appspot.com/x/report.txt?x=13f3b218580000
console output: https://syzkaller.appspot.com/x/log.txt?x=15f3b218580000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+85992ace37d5b7b51635@syzkaller.appspotmail.com
Fixes: 266ce58989ba ("iommufd/selftest: Test IOMMU_HWPT_ALLOC_DIRTY_TRACKING")
iommufd_mock iommufd_mock0: Adding to iommu group 0
------------[ cut here ]------------
UBSAN: shift-out-of-bounds in drivers/iommu/iommufd/iova_bitmap.c:133:27
shift exponent 63 is too large for 32-bit type 'int'
CPU: 1 UID: 0 PID: 5829 Comm: syz-executor365 Not tainted 6.13.0-rc6-syzkaller-00038-g09a0fa92e5b4 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
ubsan_epilogue lib/ubsan.c:231 [inline]
__ubsan_handle_shift_out_of_bounds+0x3c8/0x420 lib/ubsan.c:468
iova_bitmap_offset_to_index drivers/iommu/iommufd/iova_bitmap.c:133 [inline]
iova_bitmap_alloc+0x2bd/0x2d0 drivers/iommu/iommufd/iova_bitmap.c:259
iommu_read_and_clear_dirty drivers/iommu/iommufd/io_pagetable.c:534 [inline]
iopt_read_and_clear_dirty_data+0x35a/0x6c0 drivers/iommu/iommufd/io_pagetable.c:594
iommufd_hwpt_get_dirty_bitmap+0x17c/0x2e0 drivers/iommu/iommufd/hw_pagetable.c:470
iommufd_fops_ioctl+0x4d6/0x5a0 drivers/iommu/iommufd/main.c:409
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:906 [inline]
__se_sys_ioctl+0xf5/0x170 fs/ioctl.c:892
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fa2fda974a9
Code: 48 83 c4 28 c3 e8 37 17 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffc593f2558 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007ffc593f2728 RCX: 00007fa2fda974a9
RDX: 0000000020000300 RSI: 0000000000003b8c RDI: 0000000000000003
RBP: 00007fa2fdb0a610 R08: 00007ffc593f2728 R09: 00007ffc593f2728
R10: 00007ffc593f2728 R11: 0000000000000246 R12: 0000000000000001
R13: 00007ffc593f2718 R14: 0000000000000001 R15: 0000000000000001
</TASK>
---[ end trace ]---
* [syzbot] [bcachefs?] KMSAN: uninit-value in bch2_readdir (2)
From: syzbot @ 2025-01-11 13:37 UTC
To: kent.overstreet, linux-bcachefs, linux-kernel, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: fbfd64d25c7a Merge tag 'vfs-6.13-rc7.fixes' of git://git.k..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=125755c4580000
kernel config: https://syzkaller.appspot.com/x/.config?x=93fafdd434f3247d
dashboard link: https://syzkaller.appspot.com/bug?extid=a7b475122da841580575
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/be5f7d21fc6d/disk-fbfd64d2.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/18656986c542/vmlinux-fbfd64d2.xz
kernel image: https://storage.googleapis.com/syzbot-assets/23240d42568c/bzImage-fbfd64d2.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+a7b475122da841580575@syzkaller.appspotmail.com
=====================================================
BUG: KMSAN: uninit-value in bch2_dirent_read_target fs/bcachefs/dirent.c:259 [inline]
BUG: KMSAN: uninit-value in bch2_readdir+0x1a45/0x2470 fs/bcachefs/dirent.c:551
bch2_dirent_read_target fs/bcachefs/dirent.c:259 [inline]
bch2_readdir+0x1a45/0x2470 fs/bcachefs/dirent.c:551
bch2_vfs_readdir+0x347/0x7c0 fs/bcachefs/fs.c:1377
iterate_dir+0x5b3/0x9e0 fs/readdir.c:108
__do_sys_getdents fs/readdir.c:322 [inline]
__se_sys_getdents+0x170/0x550 fs/readdir.c:308
__x64_sys_getdents+0x96/0xe0 fs/readdir.c:308
x64_sys_call+0x38d8/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:79
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Uninit was stored to memory at:
memcpy_u64s_small fs/bcachefs/util.h:393 [inline]
bkey_reassemble fs/bcachefs/bkey.h:513 [inline]
bch2_bkey_buf_reassemble fs/bcachefs/bkey_buf.h:28 [inline]
bch2_readdir+0x14f7/0x2470 fs/bcachefs/dirent.c:551
bch2_vfs_readdir+0x347/0x7c0 fs/bcachefs/fs.c:1377
iterate_dir+0x5b3/0x9e0 fs/readdir.c:108
__do_sys_getdents fs/readdir.c:322 [inline]
__se_sys_getdents+0x170/0x550 fs/readdir.c:308
__x64_sys_getdents+0x96/0xe0 fs/readdir.c:308
x64_sys_call+0x38d8/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:79
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Uninit was created at:
___kmalloc_large_node+0x22c/0x370 mm/slub.c:4253
__kmalloc_large_node_noprof+0x3f/0x1e0 mm/slub.c:4270
__do_kmalloc_node mm/slub.c:4286 [inline]
__kmalloc_node_noprof+0xc96/0x1250 mm/slub.c:4304
__kvmalloc_node_noprof+0xc0/0x2d0 mm/util.c:645
btree_bounce_alloc fs/bcachefs/btree_io.c:124 [inline]
btree_node_sort+0x78a/0x1d30 fs/bcachefs/btree_io.c:323
bch2_btree_post_write_cleanup+0x1b0/0xf20 fs/bcachefs/btree_io.c:2248
bch2_btree_node_write+0x21c/0x2e0 fs/bcachefs/btree_io.c:2289
btree_node_write_if_need fs/bcachefs/btree_io.h:151 [inline]
__btree_node_flush+0x606/0x680 fs/bcachefs/btree_trans_commit.c:252
bch2_btree_node_flush0+0x35/0x60 fs/bcachefs/btree_trans_commit.c:261
journal_flush_pins+0xce6/0x1780 fs/bcachefs/journal_reclaim.c:565
__bch2_journal_reclaim+0xda8/0x1670 fs/bcachefs/journal_reclaim.c:698
bch2_journal_reclaim_thread+0x18e/0x760 fs/bcachefs/journal_reclaim.c:740
kthread+0x3e2/0x540 kernel/kthread.c:389
ret_from_fork+0x6d/0x90 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
CPU: 0 UID: 0 PID: 9169 Comm: syz.7.774 Not tainted 6.13.0-rc6-syzkaller-00036-gfbfd64d25c7a #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
=====================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
^ permalink raw reply [flat|nested] 141+ messages in thread
* [syzbot] [usb?] general protection fault in qt2_read_bulk_callback
@ 2025-01-11 0:40 syzbot
2025-01-11 17:19 ` [syzbot] syzbot
0 siblings, 1 reply; 141+ messages in thread
From: syzbot @ 2025-01-11 0:40 UTC (permalink / raw)
To: gregkh, johan, linux-kernel, linux-usb, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 5428dc1906dd Merge tag 'exfat-for-6.13-rc7' of git://git.k..
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=1469f9c4580000
kernel config: https://syzkaller.appspot.com/x/.config?x=4ef22c4fce5135b4
dashboard link: https://syzkaller.appspot.com/bug?extid=506479ebf12fe435d01a
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17597418580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1269f9c4580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/02ab71af0937/disk-5428dc19.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/55b33cfb5bd7/vmlinux-5428dc19.xz
kernel image: https://storage.googleapis.com/syzbot-assets/a3aa8c69a577/bzImage-5428dc19.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+506479ebf12fe435d01a@syzkaller.appspotmail.com
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000024: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000120-0x0000000000000127]
CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Not tainted 6.13.0-rc6-syzkaller-00006-g5428dc1906dd #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
RIP: 0010:tty_insert_flip_char include/linux/tty_flip.h:67 [inline]
RIP: 0010:qt2_process_read_urb drivers/usb/serial/quatech2.c:538 [inline]
RIP: 0010:qt2_read_bulk_callback+0x3b2/0x1160 drivers/usb/serial/quatech2.c:574
Code: 00 00 42 0f b6 04 28 84 c0 0f 85 e0 08 00 00 c6 84 24 d0 00 00 00 00 48 8b 44 24 08 48 8d 98 20 01 00 00 48 89 d8 48 c1 e8 03 <42> 80 3c 28 00 74 08 48 89 df e8 0f 1b 81 fa 4c 8b 3b 4d 8d 67 08
RSP: 0018:ffffc90000a18720 EFLAGS: 00010006
RAX: 0000000000000024 RBX: 0000000000000120 RCX: ffffc90000a18700
RDX: 0000000000000100 RSI: 0000000000000000 RDI: 000000000000001b
RBP: ffffc90000a18870 R08: ffffffff8784cba6 R09: 1ffffffff203303e
R10: dffffc0000000000 R11: fffffbfff203303f R12: ffff888032352c13
R13: dffffc0000000000 R14: 00000000000000a5 R15: ffff888033680800
FS: 0000000000000000(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000556bc64d0d60 CR3: 0000000035e4e000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<IRQ>
__usb_hcd_giveback_urb+0x42c/0x6e0 drivers/usb/core/hcd.c:1650
dummy_timer+0x856/0x4620 drivers/usb/gadget/udc/dummy_hcd.c:1993
__run_hrtimer kernel/time/hrtimer.c:1739 [inline]
__hrtimer_run_queues+0x59b/0xd30 kernel/time/hrtimer.c:1803
hrtimer_run_softirq+0x19a/0x2c0 kernel/time/hrtimer.c:1820
handle_softirqs+0x2d4/0x9b0 kernel/softirq.c:561
__do_softirq kernel/softirq.c:595 [inline]
invoke_softirq kernel/softirq.c:435 [inline]
__irq_exit_rcu+0xf7/0x220 kernel/softirq.c:662
irq_exit_rcu+0x9/0x30 kernel/softirq.c:678
common_interrupt+0xb9/0xd0 arch/x86/kernel/irq.c:278
</IRQ>
<TASK>
asm_common_interrupt+0x26/0x40 arch/x86/include/asm/idtentry.h:693
RIP: 0010:finish_task_switch+0x1ea/0x870 kernel/sched/core.c:5243
Code: c9 50 e8 49 0c 0c 00 48 83 c4 08 4c 89 f7 e8 ed 39 00 00 0f 1f 44 00 00 4c 89 f7 e8 e0 d9 5c 0a e8 0b 8c 38 00 fb 48 8b 5d c0 <48> 8d bb f8 15 00 00 48 89 f8 48 c1 e8 03 49 be 00 00 00 00 00 fc
RSP: 0018:ffffc900001a7b48 EFLAGS: 00000286
RAX: 1d3ab2024a67fb00 RBX: ffff88801d2e8000 RCX: ffffffff9a3ab903
RDX: dffffc0000000000 RSI: ffffffff8c0a98e0 RDI: ffffffff8c5fb020
RBP: ffffc900001a7b90 R08: ffffffff901981f7 R09: 1ffffffff203303e
R10: dffffc0000000000 R11: fffffbfff203303f R12: 1ffff110170e7edc
R13: dffffc0000000000 R14: ffff8880b873e8c0 R15: ffff8880b873f6e0
context_switch kernel/sched/core.c:5372 [inline]
__schedule+0x1858/0x4c30 kernel/sched/core.c:6756
schedule_idle+0x56/0x90 kernel/sched/core.c:6874
do_idle+0x567/0x5c0 kernel/sched/idle.c:353
cpu_startup_entry+0x42/0x60 kernel/sched/idle.c:423
start_secondary+0x102/0x110 arch/x86/kernel/smpboot.c:314
common_startup_64+0x13e/0x147
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:tty_insert_flip_char include/linux/tty_flip.h:67 [inline]
RIP: 0010:qt2_process_read_urb drivers/usb/serial/quatech2.c:538 [inline]
RIP: 0010:qt2_read_bulk_callback+0x3b2/0x1160 drivers/usb/serial/quatech2.c:574
Code: 00 00 42 0f b6 04 28 84 c0 0f 85 e0 08 00 00 c6 84 24 d0 00 00 00 00 48 8b 44 24 08 48 8d 98 20 01 00 00 48 89 d8 48 c1 e8 03 <42> 80 3c 28 00 74 08 48 89 df e8 0f 1b 81 fa 4c 8b 3b 4d 8d 67 08
RSP: 0018:ffffc90000a18720 EFLAGS: 00010006
RAX: 0000000000000024 RBX: 0000000000000120 RCX: ffffc90000a18700
RDX: 0000000000000100 RSI: 0000000000000000 RDI: 000000000000001b
RBP: ffffc90000a18870 R08: ffffffff8784cba6 R09: 1ffffffff203303e
R10: dffffc0000000000 R11: fffffbfff203303f R12: ffff888032352c13
R13: dffffc0000000000 R14: 00000000000000a5 R15: ffff888033680800
FS: 0000000000000000(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000556bc64d0d60 CR3: 0000000035e4e000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 00 00 add %al,(%rax)
2: 42 0f b6 04 28 movzbl (%rax,%r13,1),%eax
7: 84 c0 test %al,%al
9: 0f 85 e0 08 00 00 jne 0x8ef
f: c6 84 24 d0 00 00 00 movb $0x0,0xd0(%rsp)
16: 00
17: 48 8b 44 24 08 mov 0x8(%rsp),%rax
1c: 48 8d 98 20 01 00 00 lea 0x120(%rax),%rbx
23: 48 89 d8 mov %rbx,%rax
26: 48 c1 e8 03 shr $0x3,%rax
* 2a: 42 80 3c 28 00 cmpb $0x0,(%rax,%r13,1) <-- trapping instruction
2f: 74 08 je 0x39
31: 48 89 df mov %rbx,%rdi
34: e8 0f 1b 81 fa call 0xfa811b48
39: 4c 8b 3b mov (%rbx),%r15
3c: 4d 8d 67 08 lea 0x8(%r15),%r12
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
* [syzbot] [bcachefs?] KMSAN: uninit-value in bch2_trans_start_alloc_update_noupdate
@ 2025-01-03 1:56 syzbot
2025-04-01 3:58 ` [syzbot] syzbot
0 siblings, 1 reply; 141+ messages in thread
From: syzbot @ 2025-01-03 1:56 UTC (permalink / raw)
To: kent.overstreet, linux-bcachefs, linux-kernel, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 4099a71718b0 Merge tag 'sched-urgent-2024-12-29' of git://..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=103e70b0580000
kernel config: https://syzkaller.appspot.com/x/.config?x=f9048090d7bb0d06
dashboard link: https://syzkaller.appspot.com/bug?extid=3304ecaea706d3a6524c
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/62835b60de83/disk-4099a717.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/9262b999e6be/vmlinux-4099a717.xz
kernel image: https://storage.googleapis.com/syzbot-assets/3fc8cec4d596/bzImage-4099a717.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+3304ecaea706d3a6524c@syzkaller.appspotmail.com
bcachefs (loop3): starting version 1.7: mi_btree_bitmap opts=errors=continue,metadata_checksum=none,data_checksum=none,compression=lz4,nojournal_transaction_names
bcachefs (loop3): initializing new filesystem
bcachefs (loop3): going read-write
bcachefs (loop3): marking superblocks
=====================================================
BUG: KMSAN: uninit-value in bch2_alloc_to_v4_mut_inlined fs/bcachefs/alloc_background.c:447 [inline]
BUG: KMSAN: uninit-value in bch2_trans_start_alloc_update_noupdate+0x61b/0x12f0 fs/bcachefs/alloc_background.c:472
bch2_alloc_to_v4_mut_inlined fs/bcachefs/alloc_background.c:447 [inline]
bch2_trans_start_alloc_update_noupdate+0x61b/0x12f0 fs/bcachefs/alloc_background.c:472
__bch2_trans_mark_metadata_bucket fs/bcachefs/buckets.c:958 [inline]
bch2_trans_mark_metadata_bucket+0x2e6/0x2430 fs/bcachefs/buckets.c:1048
__bch2_trans_mark_dev_sb fs/bcachefs/buckets.c:1120 [inline]
bch2_trans_mark_dev_sb+0xcf7/0x10e0 fs/bcachefs/buckets.c:1133
bch2_trans_mark_dev_sbs_flags+0x3e5/0x9f0 fs/bcachefs/buckets.c:1143
bch2_trans_mark_dev_sbs+0x32/0x40 fs/bcachefs/buckets.c:1155
bch2_fs_initialize+0x19bd/0x35d0 fs/bcachefs/recovery.c:1074
bch2_fs_start+0x77d/0xbd0 fs/bcachefs/super.c:1038
bch2_fs_get_tree+0x13ea/0x22d0 fs/bcachefs/fs.c:2170
vfs_get_tree+0xb1/0x5a0 fs/super.c:1814
do_new_mount+0x71f/0x15e0 fs/namespace.c:3507
path_mount+0x742/0x1f10 fs/namespace.c:3834
do_mount fs/namespace.c:3847 [inline]
__do_sys_mount fs/namespace.c:4057 [inline]
__se_sys_mount+0x722/0x810 fs/namespace.c:4034
__x64_sys_mount+0xe4/0x150 fs/namespace.c:4034
x64_sys_call+0x39bf/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:166
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Uninit was stored to memory at:
memcpy_u64s_small fs/bcachefs/util.h:393 [inline]
bkey_reassemble fs/bcachefs/bkey.h:513 [inline]
btree_key_cache_create fs/bcachefs/btree_key_cache.c:259 [inline]
btree_key_cache_fill+0x13da/0x3d60 fs/bcachefs/btree_key_cache.c:309
bch2_btree_path_traverse_cached+0x988/0xe20 fs/bcachefs/btree_key_cache.c:361
bch2_btree_path_traverse_one+0x749/0x47b0 fs/bcachefs/btree_iter.c:1159
bch2_btree_path_traverse fs/bcachefs/btree_iter.h:247 [inline]
bch2_btree_iter_peek_slot+0x10b7/0x3950 fs/bcachefs/btree_iter.c:2629
__bch2_bkey_get_iter fs/bcachefs/btree_iter.h:575 [inline]
bch2_bkey_get_iter fs/bcachefs/btree_iter.h:589 [inline]
bch2_trans_start_alloc_update_noupdate+0x390/0x12f0 fs/bcachefs/alloc_background.c:464
__bch2_trans_mark_metadata_bucket fs/bcachefs/buckets.c:958 [inline]
bch2_trans_mark_metadata_bucket+0x2e6/0x2430 fs/bcachefs/buckets.c:1048
__bch2_trans_mark_dev_sb fs/bcachefs/buckets.c:1120 [inline]
bch2_trans_mark_dev_sb+0xcf7/0x10e0 fs/bcachefs/buckets.c:1133
bch2_trans_mark_dev_sbs_flags+0x3e5/0x9f0 fs/bcachefs/buckets.c:1143
bch2_trans_mark_dev_sbs+0x32/0x40 fs/bcachefs/buckets.c:1155
bch2_fs_initialize+0x19bd/0x35d0 fs/bcachefs/recovery.c:1074
bch2_fs_start+0x77d/0xbd0 fs/bcachefs/super.c:1038
bch2_fs_get_tree+0x13ea/0x22d0 fs/bcachefs/fs.c:2170
vfs_get_tree+0xb1/0x5a0 fs/super.c:1814
do_new_mount+0x71f/0x15e0 fs/namespace.c:3507
path_mount+0x742/0x1f10 fs/namespace.c:3834
do_mount fs/namespace.c:3847 [inline]
__do_sys_mount fs/namespace.c:4057 [inline]
__se_sys_mount+0x722/0x810 fs/namespace.c:4034
__x64_sys_mount+0xe4/0x150 fs/namespace.c:4034
x64_sys_call+0x39bf/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:166
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Uninit was created at:
___kmalloc_large_node+0x22c/0x370 mm/slub.c:4253
__kmalloc_large_node_noprof+0x3f/0x1e0 mm/slub.c:4270
__do_kmalloc_node mm/slub.c:4286 [inline]
__kmalloc_node_noprof+0xc96/0x1250 mm/slub.c:4304
__kvmalloc_node_noprof+0xc0/0x2d0 mm/util.c:650
btree_node_data_alloc fs/bcachefs/btree_cache.c:153 [inline]
__bch2_btree_node_mem_alloc+0x2be/0xa80 fs/bcachefs/btree_cache.c:198
bch2_fs_btree_cache_init+0x4e4/0xb50 fs/bcachefs/btree_cache.c:653
bch2_fs_alloc fs/bcachefs/super.c:917 [inline]
bch2_fs_open+0x4d3a/0x5b40 fs/bcachefs/super.c:2065
bch2_fs_get_tree+0x983/0x22d0 fs/bcachefs/fs.c:2157
vfs_get_tree+0xb1/0x5a0 fs/super.c:1814
do_new_mount+0x71f/0x15e0 fs/namespace.c:3507
path_mount+0x742/0x1f10 fs/namespace.c:3834
do_mount fs/namespace.c:3847 [inline]
__do_sys_mount fs/namespace.c:4057 [inline]
__se_sys_mount+0x722/0x810 fs/namespace.c:4034
__x64_sys_mount+0xe4/0x150 fs/namespace.c:4034
x64_sys_call+0x39bf/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:166
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
CPU: 0 UID: 0 PID: 10842 Comm: syz.3.1345 Not tainted 6.13.0-rc4-syzkaller-00110-g4099a71718b0 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
=====================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
* [syzbot] [f2fs?] KASAN: slab-out-of-bounds Read in f2fs_getxattr
@ 2025-01-02 14:45 syzbot
2025-01-07 22:19 ` [syzbot] syzbot
2025-01-08 14:13 ` [syzbot] syzbot
0 siblings, 2 replies; 141+ messages in thread
From: syzbot @ 2025-01-02 14:45 UTC (permalink / raw)
To: chao, jaegeuk, linux-f2fs-devel, linux-kernel, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 573067a5a685 Merge branch 'for-next/core' into for-kernelci
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=108aa818580000
kernel config: https://syzkaller.appspot.com/x/.config?x=cd7202b56d469648
dashboard link: https://syzkaller.appspot.com/bug?extid=f5e74075e096e757bdbf
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10b9cac4580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=178bb0b0580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/9d3b5c855aa0/disk-573067a5.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/0c06fc1ead83/vmlinux-573067a5.xz
kernel image: https://storage.googleapis.com/syzbot-assets/3390e59b9e4b/Image-573067a5.gz.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/eddf26185633/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+f5e74075e096e757bdbf@syzkaller.appspotmail.com
F2FS-fs (loop0): invalid crc value
F2FS-fs (loop0): Found nat_bits in checkpoint
F2FS-fs (loop0): Mounted with checkpoint version = 1b41e954
==================================================================
BUG: KASAN: slab-out-of-bounds in __find_xattr fs/f2fs/xattr.c:235 [inline]
BUG: KASAN: slab-out-of-bounds in __find_inline_xattr fs/f2fs/xattr.c:261 [inline]
BUG: KASAN: slab-out-of-bounds in lookup_all_xattrs fs/f2fs/xattr.c:345 [inline]
BUG: KASAN: slab-out-of-bounds in f2fs_getxattr+0xf5c/0x1064 fs/f2fs/xattr.c:533
Read of size 4 at addr ffff0000cc09b278 by task syz-executor773/6410
CPU: 0 UID: 0 PID: 6410 Comm: syz-executor773 Not tainted 6.13.0-rc3-syzkaller-g573067a5a685 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call trace:
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:466 (C)
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0x198/0x538 mm/kasan/report.c:489
kasan_report+0xd8/0x138 mm/kasan/report.c:602
__asan_report_load4_noabort+0x20/0x2c mm/kasan/report_generic.c:380
__find_xattr fs/f2fs/xattr.c:235 [inline]
__find_inline_xattr fs/f2fs/xattr.c:261 [inline]
lookup_all_xattrs fs/f2fs/xattr.c:345 [inline]
f2fs_getxattr+0xf5c/0x1064 fs/f2fs/xattr.c:533
f2fs_xattr_generic_get+0x130/0x174 fs/f2fs/xattr.c:63
__vfs_getxattr+0x394/0x3c0 fs/xattr.c:423
smk_fetch+0xc8/0x150 security/smack/smack_lsm.c:306
smack_d_instantiate+0x594/0x880 security/smack/smack_lsm.c:3615
security_d_instantiate+0x100/0x204 security/security.c:4070
d_splice_alias+0x70/0x310 fs/dcache.c:3001
f2fs_lookup+0x4c8/0x948 fs/f2fs/namei.c:523
lookup_open fs/namei.c:3627 [inline]
open_last_lookups fs/namei.c:3748 [inline]
path_openat+0xf7c/0x2b14 fs/namei.c:3984
do_filp_open+0x1e8/0x404 fs/namei.c:4014
do_sys_openat2+0x124/0x1b8 fs/open.c:1402
do_sys_open fs/open.c:1417 [inline]
__do_sys_openat fs/open.c:1433 [inline]
__se_sys_openat fs/open.c:1428 [inline]
__arm64_sys_openat+0x1f0/0x240 fs/open.c:1428
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744
el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600
Allocated by task 6410:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x40/0x78 mm/kasan/common.c:68
kasan_save_alloc_info+0x40/0x50 mm/kasan/generic.c:568
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0xac/0xc4 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:260 [inline]
__do_kmalloc_node mm/slub.c:4298 [inline]
__kmalloc_noprof+0x32c/0x54c mm/slub.c:4310
kmalloc_noprof include/linux/slab.h:905 [inline]
f2fs_kmalloc fs/f2fs/f2fs.h:3428 [inline]
f2fs_kzalloc+0x124/0x254 fs/f2fs/f2fs.h:3447
xattr_alloc fs/f2fs/xattr.c:34 [inline]
lookup_all_xattrs fs/f2fs/xattr.c:333 [inline]
f2fs_getxattr+0xc60/0x1064 fs/f2fs/xattr.c:533
f2fs_xattr_generic_get+0x130/0x174 fs/f2fs/xattr.c:63
__vfs_getxattr+0x394/0x3c0 fs/xattr.c:423
smk_fetch+0xc8/0x150 security/smack/smack_lsm.c:306
smack_d_instantiate+0x594/0x880 security/smack/smack_lsm.c:3615
security_d_instantiate+0x100/0x204 security/security.c:4070
d_splice_alias+0x70/0x310 fs/dcache.c:3001
f2fs_lookup+0x4c8/0x948 fs/f2fs/namei.c:523
lookup_open fs/namei.c:3627 [inline]
open_last_lookups fs/namei.c:3748 [inline]
path_openat+0xf7c/0x2b14 fs/namei.c:3984
do_filp_open+0x1e8/0x404 fs/namei.c:4014
do_sys_openat2+0x124/0x1b8 fs/open.c:1402
do_sys_open fs/open.c:1417 [inline]
__do_sys_openat fs/open.c:1433 [inline]
__se_sys_openat fs/open.c:1428 [inline]
__arm64_sys_openat+0x1f0/0x240 fs/open.c:1428
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744
el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600
The buggy address belongs to the object at ffff0000cc09b260
which belongs to the cache kmalloc-16 of size 16
The buggy address is located 12 bytes to the right of
allocated 12-byte region [ffff0000cc09b260, ffff0000cc09b26c)
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10c09b
flags: 0x5ffc00000000000(node=0|zone=2|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 05ffc00000000000 ffff0000c0001640 dead000000000100 dead000000000122
raw: 0000000000000000 0000000080800080 00000001f5000000 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff0000cc09b100: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
ffff0000cc09b180: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
>ffff0000cc09b200: fa fb fc fc fa fb fc fc fa fb fc fc 00 04 fc fc
^
ffff0000cc09b280: 00 06 fc fc fa fb fc fc fa fb fc fc fa fb fc fc
ffff0000cc09b300: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
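Added worked example (not part of any syzbot report above, and not kernel code): two of the reports in this thread can be cross-checked by hand from the numbers they print, and the helpers below do that arithmetic. In the quatech2 report the trapping instruction is the inlined generic-KASAN shadow check (shr $0x3 then cmpb against r13, where r13 and r10 hold dffffc0000000000), so the "non-canonical address 0xdffffc0000000024" is a shadow address; mapping it back gives 0x120, which matches RBX and the reported null-ptr-deref range [0x120-0x127]. In the f2fs report the "Memory state around the buggy address" row encodes the object layout; walking it recovers the 12-byte allocation in the 16-byte kmalloc-16 slot and shows the 4-byte read at ffff0000cc09b278 landing in slab redzone (0xfc), 12 bytes past the end of the region, as the report states. Assumptions: the x86_64 shadow offset 0xdffffc0000000000 (taken from the register dump; the arm64 f2fs kernel uses a different offset, so kasan_shadow_to_mem applies only to the x86_64 report), 8-byte granules and the 0xfc redzone value of generic KASAN, and the shadow row copied from the f2fs report as sample input. The function names are mine.

```c
#include <assert.h>
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Generic KASAN on x86_64: shadow = (addr >> 3) + KASAN_SHADOW_OFFSET.
 * Offset taken from R10/R13 in the quatech2 register dump (assumption:
 * this is the upstream x86_64 default; arm64 uses a different value). */
#define KASAN_SHADOW_OFFSET      0xdffffc0000000000ULL
#define KASAN_SHADOW_SCALE_SHIFT 3
#define KASAN_GRANULE            (1u << KASAN_SHADOW_SCALE_SHIFT)
#define KASAN_SLAB_REDZONE       0xfc   /* shadow value for kmalloc redzone */

/* Shadow byte address for a kernel address (what the inlined check computes). */
static uint64_t kasan_mem_to_shadow(uint64_t mem)
{
    return (mem >> KASAN_SHADOW_SCALE_SHIFT) + KASAN_SHADOW_OFFSET;
}

/* Inverse: first byte of the 8-byte granule a faulting shadow address guards.
 * For a GPF on a shadow address this recovers the pointer actually dereferenced. */
static uint64_t kasan_shadow_to_mem(uint64_t shadow)
{
    return (shadow - KASAN_SHADOW_OFFSET) << KASAN_SHADOW_SCALE_SHIFT;
}

/* One "Memory state around the buggy address" row: 16 shadow bytes, each
 * describing 8 bytes of memory starting at base. */
struct shadow_row {
    uint64_t base;
    uint8_t  bytes[16];
};

/* Constructed sample input: the ">ffff0000cc09b200:" row of the f2fs report. */
static const struct shadow_row f2fs_row = {
    .base  = 0xffff0000cc09b200ULL,
    .bytes = { 0xfa, 0xfb, 0xfc, 0xfc, 0xfa, 0xfb, 0xfc, 0xfc,
               0xfa, 0xfb, 0xfc, 0xfc, 0x00, 0x04, 0xfc, 0xfc },
};

/* Shadow byte covering addr; 0xff (poisoned) if addr lies outside the row. */
static uint8_t kasan_shadow_byte(const struct shadow_row *row, uint64_t addr)
{
    if (addr < row->base)
        return 0xff;
    uint64_t idx = (addr - row->base) / KASAN_GRANULE;
    return idx >= sizeof row->bytes ? 0xff : row->bytes[idx];
}

/* Walk accessible granules from an object's start to recover its allocated
 * size: 0x00 = all 8 bytes valid, 1..7 = only that many leading bytes valid,
 * anything else = poisoned (redzone, freed, or outside the row). */
static size_t kasan_alloc_size(const struct shadow_row *row, uint64_t obj)
{
    size_t size = 0;
    for (uint64_t a = obj;; a += KASAN_GRANULE) {
        uint8_t s = kasan_shadow_byte(row, a);
        if (s == 0) { size += KASAN_GRANULE; continue; }
        if (s < KASAN_GRANULE) size += s;
        return size;
    }
}

/* Byte-by-byte validity of an access of `size` bytes at addr, i.e. what the
 * instrumentation enforces. Returns 1 if every byte is addressable. */
static int kasan_access_ok(const struct shadow_row *row, uint64_t addr, size_t size)
{
    for (uint64_t a = addr; a < addr + size; a++) {
        uint8_t s = kasan_shadow_byte(row, a);
        if (s == 0) continue;
        if (s >= KASAN_GRANULE || (a % KASAN_GRANULE) >= s) return 0;
    }
    return 1;
}

/* Distance of addr past the end of [obj, obj+size); 0 if not to the right. */
static uint64_t kasan_bytes_right_of(uint64_t addr, uint64_t obj, size_t size)
{
    return addr >= obj + size ? addr - (obj + size) : 0;
}

int main(void)
{
    /* quatech2: GPF on non-canonical 0xdffffc0000000024 while RBX held 0x120 */
    uint64_t gpf = 0xdffffc0000000024ULL;
    printf("shadow %#" PRIx64 " guards mem %#" PRIx64 " (NULL + 0x120)\n",
           gpf, kasan_shadow_to_mem(gpf));

    /* f2fs: 4-byte read at ffff0000cc09b278, object starts at ffff0000cc09b260 */
    uint64_t obj = 0xffff0000cc09b260ULL, bad = 0xffff0000cc09b278ULL;
    size_t sz = kasan_alloc_size(&f2fs_row, obj);
    printf("object %#" PRIx64 ": %zu bytes allocated, shadow at fault %#x, "
           "access ok %d, %" PRIu64 " bytes to the right of the region\n",
           obj, sz, kasan_shadow_byte(&f2fs_row, bad),
           kasan_access_ok(&f2fs_row, bad, 4), kasan_bytes_right_of(bad, obj, sz));
    return 0;
}
```

The row decoding works for any generic-KASAN "Memory state" dump on any architecture; only kasan_shadow_to_mem depends on the per-architecture shadow offset, which on x86_64 is recognizable in the register dump as the dffffc0000000000 constant used as the index base of the faulting cmpb.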
* [syzbot] [bcachefs?] KMSAN: uninit-value in bch2_inode_unpack (2)
@ 2025-01-01 20:55 syzbot
2025-04-01 3:58 ` [syzbot] syzbot
0 siblings, 1 reply; 141+ messages in thread
From: syzbot @ 2025-01-01 20:55 UTC (permalink / raw)
To: kent.overstreet, linux-bcachefs, linux-kernel, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: ccb98ccef0e5 Merge tag 'platform-drivers-x86-v6.13-4' of g..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13493818580000
kernel config: https://syzkaller.appspot.com/x/.config?x=31c2647cf06aa81e
dashboard link: https://syzkaller.appspot.com/bug?extid=9b79c816ed3895539cf4
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/da86466e08c0/disk-ccb98cce.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/673316cfa30c/vmlinux-ccb98cce.xz
kernel image: https://storage.googleapis.com/syzbot-assets/4d50a89ed2d4/bzImage-ccb98cce.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+9b79c816ed3895539cf4@syzkaller.appspotmail.com
=====================================================
BUG: KMSAN: uninit-value in bch2_inode_unpack_v3 fs/bcachefs/inode.c:274 [inline]
BUG: KMSAN: uninit-value in bch2_inode_unpack+0x9fb/0x4ca0 fs/bcachefs/inode.c:331
bch2_inode_unpack_v3 fs/bcachefs/inode.c:274 [inline]
bch2_inode_unpack+0x9fb/0x4ca0 fs/bcachefs/inode.c:331
bch2_inode_rm+0xdbc/0x1260 fs/bcachefs/inode.c:1042
bch2_evict_inode+0x2d5/0x6a0 fs/bcachefs/fs.c:1836
evict+0x723/0xd10 fs/inode.c:796
iput_final fs/inode.c:1946 [inline]
iput+0x97b/0xdb0 fs/inode.c:1972
bch2_symlink+0x49f/0x540 fs/bcachefs/fs.c:821
vfs_symlink+0x1ed/0x460 fs/namei.c:4669
do_symlinkat+0x253/0x8b0 fs/namei.c:4695
__do_sys_symlink fs/namei.c:4716 [inline]
__se_sys_symlink fs/namei.c:4714 [inline]
__x64_sys_symlink+0xe0/0x140 fs/namei.c:4714
x64_sys_call+0x31ca/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:89
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Uninit was stored to memory at:
memcpy_u64s_small fs/bcachefs/util.h:393 [inline]
bkey_reassemble fs/bcachefs/bkey.h:513 [inline]
btree_key_cache_create fs/bcachefs/btree_key_cache.c:259 [inline]
btree_key_cache_fill+0xd1a/0x3d60 fs/bcachefs/btree_key_cache.c:309
bch2_btree_path_traverse_cached+0x988/0xe20 fs/bcachefs/btree_key_cache.c:361
bch2_btree_path_traverse_one+0x749/0x47b0 fs/bcachefs/btree_iter.c:1159
bch2_btree_path_traverse fs/bcachefs/btree_iter.h:247 [inline]
bch2_btree_iter_peek_slot+0x10b7/0x3950 fs/bcachefs/btree_iter.c:2629
__bch2_bkey_get_iter fs/bcachefs/btree_iter.h:575 [inline]
bch2_bkey_get_iter fs/bcachefs/btree_iter.h:589 [inline]
bch2_inode_rm+0x95d/0x1260 fs/bcachefs/inode.c:1027
bch2_evict_inode+0x2d5/0x6a0 fs/bcachefs/fs.c:1836
evict+0x723/0xd10 fs/inode.c:796
iput_final fs/inode.c:1946 [inline]
iput+0x97b/0xdb0 fs/inode.c:1972
bch2_symlink+0x49f/0x540 fs/bcachefs/fs.c:821
vfs_symlink+0x1ed/0x460 fs/namei.c:4669
do_symlinkat+0x253/0x8b0 fs/namei.c:4695
__do_sys_symlink fs/namei.c:4716 [inline]
__se_sys_symlink fs/namei.c:4714 [inline]
__x64_sys_symlink+0xe0/0x140 fs/namei.c:4714
x64_sys_call+0x31ca/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:89
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Uninit was created at:
___kmalloc_large_node+0x22c/0x370 mm/slub.c:4253
__kmalloc_large_node_noprof+0x3f/0x1e0 mm/slub.c:4270
__do_kmalloc_node mm/slub.c:4286 [inline]
__kmalloc_node_noprof+0xc96/0x1250 mm/slub.c:4304
__kvmalloc_node_noprof+0xc0/0x2d0 mm/util.c:650
btree_bounce_alloc fs/bcachefs/btree_io.c:124 [inline]
btree_node_sort+0x78a/0x1d30 fs/bcachefs/btree_io.c:323
bch2_btree_post_write_cleanup+0x1b0/0xf20 fs/bcachefs/btree_io.c:2248
bch2_btree_node_write+0x21c/0x2e0 fs/bcachefs/btree_io.c:2289
btree_node_write_if_need fs/bcachefs/btree_io.h:151 [inline]
__btree_node_flush+0x606/0x680 fs/bcachefs/btree_trans_commit.c:252
bch2_btree_node_flush0+0x35/0x60 fs/bcachefs/btree_trans_commit.c:261
journal_flush_pins+0xce6/0x1780 fs/bcachefs/journal_reclaim.c:565
__bch2_journal_reclaim+0xda8/0x1670 fs/bcachefs/journal_reclaim.c:698
bch2_journal_reclaim_thread+0x18e/0x760 fs/bcachefs/journal_reclaim.c:740
kthread+0x3e2/0x540 kernel/kthread.c:389
ret_from_fork+0x6d/0x90 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
CPU: 0 UID: 0 PID: 6027 Comm: syz.1.13 Not tainted 6.13.0-rc5-syzkaller-00004-gccb98ccef0e5 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
=====================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
* [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in force_devcd_write
@ 2024-12-25 2:26 syzbot
2024-12-26 3:43 ` [syzbot] syzbot
0 siblings, 1 reply; 141+ messages in thread
From: syzbot @ 2024-12-25 2:26 UTC (permalink / raw)
To: linux-bluetooth, linux-kernel, luiz.dentz, marcel, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 48f506ad0b68 Merge tag 'soc-fixes-6.13-2' of git://git.ker..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13f19f30580000
kernel config: https://syzkaller.appspot.com/x/.config?x=c22efbd20f8da769
dashboard link: https://syzkaller.appspot.com/bug?extid=bc71245e56f06e3127b7
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17df9fe8580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/f42f936a7d8d/disk-48f506ad.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/5f5d9512f350/vmlinux-48f506ad.xz
kernel image: https://storage.googleapis.com/syzbot-assets/08855819fbb0/bzImage-48f506ad.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+bc71245e56f06e3127b7@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: slab-use-after-free in force_devcd_write+0x31f/0x350 drivers/bluetooth/hci_vhci.c:327
Read of size 8 at addr ffff88805dfd8800 by task syz.0.616/6633
CPU: 1 UID: 0 PID: 6633 Comm: syz.0.616 Not tainted 6.13.0-rc3-syzkaller-00289-g48f506ad0b68 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xc3/0x620 mm/kasan/report.c:489
kasan_report+0xd9/0x110 mm/kasan/report.c:602
force_devcd_write+0x31f/0x350 drivers/bluetooth/hci_vhci.c:327
full_proxy_write+0xfb/0x1b0 fs/debugfs/file.c:356
vfs_write+0x24c/0x1150 fs/read_write.c:677
ksys_write+0x12b/0x250 fs/read_write.c:731
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f4c25785d29
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fffacf7c428 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f4c25975fa0 RCX: 00007f4c25785d29
RDX: 000000000000000e RSI: 0000000000000000 RDI: 0000000000000003
RBP: 00007f4c25801aa8 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f4c25975fa0 R14: 00007f4c25975fa0 R15: 00000000000018c5
</TASK>
Allocated by task 5945:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394
kmalloc_noprof include/linux/slab.h:901 [inline]
kzalloc_noprof include/linux/slab.h:1037 [inline]
vhci_open+0x4c/0x430 drivers/bluetooth/hci_vhci.c:634
misc_open+0x35a/0x420 drivers/char/misc.c:165
chrdev_open+0x237/0x6a0 fs/char_dev.c:414
do_dentry_open+0xf59/0x1ea0 fs/open.c:945
vfs_open+0x82/0x3f0 fs/open.c:1075
do_open fs/namei.c:3828 [inline]
path_openat+0x1e6a/0x2d60 fs/namei.c:3987
do_filp_open+0x20c/0x470 fs/namei.c:4014
do_sys_openat2+0x17a/0x1e0 fs/open.c:1402
do_sys_open fs/open.c:1417 [inline]
__do_sys_openat fs/open.c:1433 [inline]
__se_sys_openat fs/open.c:1428 [inline]
__x64_sys_openat+0x175/0x210 fs/open.c:1428
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 5945:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:582
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x51/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:233 [inline]
slab_free_hook mm/slub.c:2353 [inline]
slab_free mm/slub.c:4613 [inline]
kfree+0x14f/0x4b0 mm/slub.c:4761
vhci_release+0xbb/0xf0 drivers/bluetooth/hci_vhci.c:670
__fput+0x3f8/0xb60 fs/file_table.c:450
task_work_run+0x14e/0x250 kernel/task_work.c:239
exit_task_work include/linux/task_work.h:43 [inline]
do_exit+0xad8/0x2d70 kernel/exit.c:938
do_group_exit+0xd3/0x2a0 kernel/exit.c:1087
get_signal+0x2576/0x2610 kernel/signal.c:3017
arch_do_signal_or_restart+0x90/0x7e0 arch/x86/kernel/signal.c:337
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0x150/0x2a0 kernel/entry/common.c:218
do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff88805dfd8800
which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 0 bytes inside of
freed 1024-byte region [ffff88805dfd8800, ffff88805dfd8c00)
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5dfd8
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88801ac41dc0 dead000000000100 dead000000000122
raw: 0000000000000000 0000000000100010 00000001f5000000 0000000000000000
head: 00fff00000000040 ffff88801ac41dc0 dead000000000100 dead000000000122
head: 0000000000000000 0000000000100010 00000001f5000000 0000000000000000
head: 00fff00000000003 ffffea000177f601 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5606, tgid 5606 (dhcpcd), ts 41765829328, free_ts 41751365215
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1558
prep_new_page mm/page_alloc.c:1566 [inline]
get_page_from_freelist+0xfce/0x2f80 mm/page_alloc.c:3476
__alloc_pages_noprof+0x223/0x25b0 mm/page_alloc.c:4753
alloc_pages_mpol_noprof+0x2c9/0x610 mm/mempolicy.c:2269
alloc_slab_page mm/slub.c:2423 [inline]
allocate_slab mm/slub.c:2589 [inline]
new_slab+0x2c9/0x410 mm/slub.c:2642
___slab_alloc+0xce2/0x1650 mm/slub.c:3830
__slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3920
__slab_alloc_node mm/slub.c:3995 [inline]
slab_alloc_node mm/slub.c:4156 [inline]
__do_kmalloc_node mm/slub.c:4297 [inline]
__kmalloc_noprof+0x2de/0x4f0 mm/slub.c:4310
kmalloc_noprof include/linux/slab.h:905 [inline]
load_elf_phdrs+0x103/0x210 fs/binfmt_elf.c:532
load_elf_binary+0x14c6/0x4ed0 fs/binfmt_elf.c:961
search_binary_handler fs/exec.c:1748 [inline]
exec_binprm fs/exec.c:1790 [inline]
bprm_execve fs/exec.c:1842 [inline]
bprm_execve+0x703/0x19b0 fs/exec.c:1818
do_execveat_common.isra.0+0x4f1/0x630 fs/exec.c:1949
do_execve fs/exec.c:2023 [inline]
__do_sys_execve fs/exec.c:2099 [inline]
__se_sys_execve fs/exec.c:2094 [inline]
__x64_sys_execve+0x8c/0xb0 fs/exec.c:2094
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 5498 tgid 5498 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1127 [inline]
free_unref_page+0x661/0x1080 mm/page_alloc.c:2659
__put_partials+0x14c/0x170 mm/slub.c:3157
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x4e/0x120 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x195/0x1e0 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:329
kasan_slab_alloc include/linux/kasan.h:250 [inline]
slab_post_alloc_hook mm/slub.c:4119 [inline]
slab_alloc_node mm/slub.c:4168 [inline]
kmem_cache_alloc_node_noprof+0x1ca/0x3b0 mm/slub.c:4220
__alloc_skb+0x2b3/0x380 net/core/skbuff.c:668
alloc_skb include/linux/skbuff.h:1323 [inline]
netlink_alloc_large_skb+0x69/0x130 net/netlink/af_netlink.c:1196
netlink_sendmsg+0x689/0xd70 net/netlink/af_netlink.c:1866
sock_sendmsg_nosec net/socket.c:711 [inline]
__sock_sendmsg net/socket.c:726 [inline]
__sys_sendto+0x488/0x4f0 net/socket.c:2197
__do_sys_sendto net/socket.c:2204 [inline]
__se_sys_sendto net/socket.c:2200 [inline]
__x64_sys_sendto+0xe0/0x1c0 net/socket.c:2200
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Memory state around the buggy address:
ffff88805dfd8700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88805dfd8780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88805dfd8800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88805dfd8880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88805dfd8900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
* [syzbot] [bcachefs?] KMSAN: uninit-value in __bch2_bkey_cmp_left_packed
@ 2024-12-24 14:42 syzbot
2025-04-01 4:02 ` [syzbot] syzbot
From: syzbot @ 2024-12-24 14:42 UTC (permalink / raw)
To: kent.overstreet, linux-bcachefs, linux-kernel, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 8faabc041a00 Merge tag 'net-6.13-rc4' of git://git.kernel...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10099cf8580000
kernel config: https://syzkaller.appspot.com/x/.config?x=caeefc00e8b4dc9f
dashboard link: https://syzkaller.appspot.com/bug?extid=ed0bdc5b29ea2e281a83
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=131100c4580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/d3426cd3c012/disk-8faabc04.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/c05067e0c579/vmlinux-8faabc04.xz
kernel image: https://storage.googleapis.com/syzbot-assets/4788f870d98f/bzImage-8faabc04.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/71ea5ea439f5/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ed0bdc5b29ea2e281a83@syzkaller.appspotmail.com
done
bcachefs (loop3): going read-write
bcachefs (loop3): journal_replay...
=====================================================
BUG: KMSAN: uninit-value in packed_to_bkey_c fs/bcachefs/bkey.h:251 [inline]
BUG: KMSAN: uninit-value in __bch2_bkey_cmp_left_packed+0x256/0x770 fs/bcachefs/bkey.c:1046
packed_to_bkey_c fs/bcachefs/bkey.h:251 [inline]
__bch2_bkey_cmp_left_packed+0x256/0x770 fs/bcachefs/bkey.c:1046
bkey_cmp_left_packed fs/bcachefs/bkey.h:88 [inline]
bkey_iter_pos_cmp fs/bcachefs/bset.h:391 [inline]
btree_path_advance_to_pos fs/bcachefs/btree_iter.c:599 [inline]
__bch2_btree_path_set_pos+0x1a9b/0x1ec0 fs/bcachefs/btree_iter.c:1301
bch2_btree_path_set_pos fs/bcachefs/btree_iter.h:229 [inline]
bch2_btree_iter_traverse+0x8d0/0x1020 fs/bcachefs/btree_iter.c:1875
wb_flush_one fs/bcachefs/btree_write_buffer.c:149 [inline]
bch2_btree_write_buffer_flush_locked+0x28d3/0x7090 fs/bcachefs/btree_write_buffer.c:379
btree_write_buffer_flush_seq+0x2ec7/0x30b0 fs/bcachefs/btree_write_buffer.c:517
bch2_btree_write_buffer_journal_flush+0x103/0x1f0 fs/bcachefs/btree_write_buffer.c:533
journal_flush_pins+0xce6/0x1780 fs/bcachefs/journal_reclaim.c:565
journal_flush_done+0xe1/0x3f0 fs/bcachefs/journal_reclaim.c:819
bch2_journal_flush_pins+0x2a9/0x3b0 fs/bcachefs/journal_reclaim.c:852
bch2_journal_flush_all_pins fs/bcachefs/journal_reclaim.h:76 [inline]
bch2_journal_replay+0x4937/0x4d30 fs/bcachefs/recovery.c:383
bch2_run_recovery_pass fs/bcachefs/recovery_passes.c:191 [inline]
bch2_run_recovery_passes+0xaf9/0xf80 fs/bcachefs/recovery_passes.c:244
bch2_fs_recovery+0x447b/0x5b00 fs/bcachefs/recovery.c:861
bch2_fs_start+0x7b2/0xbd0 fs/bcachefs/super.c:1037
bch2_fs_get_tree+0x13ea/0x22d0 fs/bcachefs/fs.c:2170
vfs_get_tree+0xb1/0x5a0 fs/super.c:1814
do_new_mount+0x71f/0x15e0 fs/namespace.c:3507
path_mount+0x742/0x1f10 fs/namespace.c:3834
do_mount fs/namespace.c:3847 [inline]
__do_sys_mount fs/namespace.c:4057 [inline]
__se_sys_mount+0x722/0x810 fs/namespace.c:4034
__x64_sys_mount+0xe4/0x150 fs/namespace.c:4034
x64_sys_call+0x39bf/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:166
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Uninit was created at:
___kmalloc_large_node+0x22c/0x370 mm/slub.c:4253
__kmalloc_large_node_noprof+0x3f/0x1e0 mm/slub.c:4270
__do_kmalloc_node mm/slub.c:4286 [inline]
__kmalloc_node_noprof+0xc96/0x1250 mm/slub.c:4304
__kvmalloc_node_noprof+0xc0/0x2d0 mm/util.c:650
btree_node_data_alloc fs/bcachefs/btree_cache.c:153 [inline]
__bch2_btree_node_mem_alloc+0x2be/0xa80 fs/bcachefs/btree_cache.c:198
bch2_fs_btree_cache_init+0x4e4/0xb50 fs/bcachefs/btree_cache.c:653
bch2_fs_alloc fs/bcachefs/super.c:917 [inline]
bch2_fs_open+0x4d3a/0x5b40 fs/bcachefs/super.c:2065
bch2_fs_get_tree+0x983/0x22d0 fs/bcachefs/fs.c:2157
vfs_get_tree+0xb1/0x5a0 fs/super.c:1814
do_new_mount+0x71f/0x15e0 fs/namespace.c:3507
path_mount+0x742/0x1f10 fs/namespace.c:3834
do_mount fs/namespace.c:3847 [inline]
__do_sys_mount fs/namespace.c:4057 [inline]
__se_sys_mount+0x722/0x810 fs/namespace.c:4034
__x64_sys_mount+0xe4/0x150 fs/namespace.c:4034
x64_sys_call+0x39bf/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:166
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
CPU: 0 UID: 0 PID: 6246 Comm: syz.3.37 Not tainted 6.13.0-rc3-syzkaller-00136-g8faabc041a00 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/25/2024
=====================================================
---
* [syzbot] [input?] KASAN: null-ptr-deref Write in input_ff_create
@ 2024-12-24 6:38 syzbot
2024-12-25 16:44 ` [syzbot] syzbot
From: syzbot @ 2024-12-24 6:38 UTC (permalink / raw)
To: appsforartists, dmitry.torokhov, linux-input, linux-kernel, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 8155b4ef3466 Add linux-next specific files for 20241220
git tree: linux-next
console+strace: https://syzkaller.appspot.com/x/log.txt?x=111cafe8580000
kernel config: https://syzkaller.appspot.com/x/.config?x=9c90bb7161a56c88
dashboard link: https://syzkaller.appspot.com/bug?extid=dd5f8d6456680e55eb0a
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12ea52df980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=111600c4580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/98a974fc662d/disk-8155b4ef.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/2dea9b72f624/vmlinux-8155b4ef.xz
kernel image: https://storage.googleapis.com/syzbot-assets/593a42b9eb34/bzImage-8155b4ef.xz
The issue was bisected to:
commit 5203b3a18c1bbf50ec5fff27489da8e9bce48ddb
Author: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Date: Thu Nov 7 07:15:29 2024 +0000
Input: ff-core - make use of __free() cleanup facility
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=14ffd2df980000
final oops: https://syzkaller.appspot.com/x/report.txt?x=16ffd2df980000
console output: https://syzkaller.appspot.com/x/log.txt?x=12ffd2df980000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+dd5f8d6456680e55eb0a@syzkaller.appspotmail.com
Fixes: 5203b3a18c1b ("Input: ff-core - make use of __free() cleanup facility")
usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
usb 1-1: Product: syz
usb 1-1: Manufacturer: syz
usb 1-1: SerialNumber: syz
usb 1-1: config 0 descriptor??
==================================================================
BUG: KASAN: null-ptr-deref in instrument_write include/linux/instrumented.h:40 [inline]
BUG: KASAN: null-ptr-deref in ___set_bit include/asm-generic/bitops/instrumented-non-atomic.h:28 [inline]
BUG: KASAN: null-ptr-deref in input_ff_create+0x1aa/0x2f0 drivers/input/ff-core.c:325
Write of size 8 at addr 0000000000000040 by task kworker/0:2/975
CPU: 0 UID: 0 PID: 975 Comm: kworker/0:2 Not tainted 6.13.0-rc3-next-20241220-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/25/2024
Workqueue: usb_hub_wq hub_event
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_report+0xe8/0x550 mm/kasan/report.c:492
kasan_report+0x143/0x180 mm/kasan/report.c:602
kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
instrument_write include/linux/instrumented.h:40 [inline]
___set_bit include/asm-generic/bitops/instrumented-non-atomic.h:28 [inline]
input_ff_create+0x1aa/0x2f0 drivers/input/ff-core.c:325
input_ff_create_memless+0x133/0x630 drivers/input/ff-memless.c:522
xpad_init_ff drivers/input/joystick/xpad.c:1562 [inline]
xpad_init_input+0xcef/0x1440 drivers/input/joystick/xpad.c:1960
xpad_probe+0x1427/0x1b90 drivers/input/joystick/xpad.c:2143
usb_probe_interface+0x641/0xbb0 drivers/usb/core/driver.c:396
really_probe+0x2b9/0xad0 drivers/base/dd.c:658
__driver_probe_device+0x1a2/0x390 drivers/base/dd.c:800
driver_probe_device+0x50/0x430 drivers/base/dd.c:830
__device_attach_driver+0x2d6/0x530 drivers/base/dd.c:958
bus_for_each_drv+0x24e/0x2e0 drivers/base/bus.c:459
__device_attach+0x333/0x520 drivers/base/dd.c:1030
bus_probe_device+0x189/0x260 drivers/base/bus.c:534
device_add+0x856/0xbf0 drivers/base/core.c:3665
usb_set_configuration+0x1976/0x1fb0 drivers/usb/core/message.c:2210
usb_generic_driver_probe+0x88/0x140 drivers/usb/core/generic.c:254
usb_probe_device+0x1b8/0x380 drivers/usb/core/driver.c:291
really_probe+0x2b9/0xad0 drivers/base/dd.c:658
__driver_probe_device+0x1a2/0x390 drivers/base/dd.c:800
driver_probe_device+0x50/0x430 drivers/base/dd.c:830
__device_attach_driver+0x2d6/0x530 drivers/base/dd.c:958
bus_for_each_drv+0x24e/0x2e0 drivers/base/bus.c:459
__device_attach+0x333/0x520 drivers/base/dd.c:1030
bus_probe_device+0x189/0x260 drivers/base/bus.c:534
device_add+0x856/0xbf0 drivers/base/core.c:3665
usb_new_device+0x104a/0x19a0 drivers/usb/core/hub.c:2651
hub_port_connect drivers/usb/core/hub.c:5521 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5661 [inline]
port_event drivers/usb/core/hub.c:5821 [inline]
hub_event+0x2d6d/0x5150 drivers/usb/core/hub.c:5903
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3310
worker_thread+0x870/0xd30 kernel/workqueue.c:3391
kthread+0x7a9/0x920 kernel/kthread.c:464
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
==================================================================
---
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
* [syzbot] [bcachefs?] KMSAN: uninit-value in bch2_dirent_rename (2)
@ 2024-12-19 10:14 syzbot
2025-04-01 4:04 ` [syzbot] syzbot
From: syzbot @ 2024-12-19 10:14 UTC (permalink / raw)
To: kent.overstreet, linux-bcachefs, linux-kernel, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: a0e3919a2df2 Merge tag 'usb-6.13-rc3' of git://git.kernel...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=105407e8580000
kernel config: https://syzkaller.appspot.com/x/.config?x=95d0bb0535bcaca0
dashboard link: https://syzkaller.appspot.com/bug?extid=af2db1cea2ed7231e15b
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/458b3e5de594/disk-a0e3919a.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/35b6151a9024/vmlinux-a0e3919a.xz
kernel image: https://storage.googleapis.com/syzbot-assets/5d6ac5e24841/bzImage-a0e3919a.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+af2db1cea2ed7231e15b@syzkaller.appspotmail.com
bcachefs (loop3): check_allocations... done
bcachefs (loop3): going read-write
bcachefs (loop3): done starting filesystem
=====================================================
BUG: KMSAN: uninit-value in dirent_is_visible fs/bcachefs/dirent.c:88 [inline]
BUG: KMSAN: uninit-value in is_visible_key fs/bcachefs/str_hash.h:148 [inline]
BUG: KMSAN: uninit-value in bch2_hash_lookup_in_snapshot fs/bcachefs/str_hash.h:167 [inline]
BUG: KMSAN: uninit-value in bch2_hash_lookup fs/bcachefs/str_hash.h:195 [inline]
BUG: KMSAN: uninit-value in bch2_dirent_rename+0xa9c/0x5e30 fs/bcachefs/dirent.c:298
dirent_is_visible fs/bcachefs/dirent.c:88 [inline]
is_visible_key fs/bcachefs/str_hash.h:148 [inline]
bch2_hash_lookup_in_snapshot fs/bcachefs/str_hash.h:167 [inline]
bch2_hash_lookup fs/bcachefs/str_hash.h:195 [inline]
bch2_dirent_rename+0xa9c/0x5e30 fs/bcachefs/dirent.c:298
bch2_rename_trans+0xb47/0x26f0 fs/bcachefs/fs-common.c:417
bch2_rename2+0x1863/0x3600 fs/bcachefs/fs.c:895
vfs_rename+0x1d9d/0x2280 fs/namei.c:5067
do_renameat2+0x18d0/0x1d50 fs/namei.c:5224
__do_sys_rename fs/namei.c:5271 [inline]
__se_sys_rename fs/namei.c:5269 [inline]
__x64_sys_rename+0xe8/0x140 fs/namei.c:5269
x64_sys_call+0x36cb/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:83
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Uninit was created at:
___kmalloc_large_node+0x22c/0x370 mm/slub.c:4253
__kmalloc_large_node_noprof+0x3f/0x1e0 mm/slub.c:4270
__do_kmalloc_node mm/slub.c:4286 [inline]
__kmalloc_node_noprof+0xc96/0x1250 mm/slub.c:4304
__kvmalloc_node_noprof+0xc0/0x2d0 mm/util.c:650
btree_bounce_alloc fs/bcachefs/btree_io.c:124 [inline]
btree_node_sort+0x78a/0x1d30 fs/bcachefs/btree_io.c:323
bch2_btree_post_write_cleanup+0x1b0/0xf20 fs/bcachefs/btree_io.c:2248
bch2_btree_node_prep_for_write+0x494/0x720 fs/bcachefs/btree_trans_commit.c:93
bch2_trans_lock_write+0x7ef/0xc00 fs/bcachefs/btree_trans_commit.c:129
do_bch2_trans_commit fs/bcachefs/btree_trans_commit.c:896 [inline]
__bch2_trans_commit+0x31c4/0xd190 fs/bcachefs/btree_trans_commit.c:1121
bch2_trans_commit fs/bcachefs/btree_update.h:184 [inline]
__bch2_create+0xfd8/0x1700 fs/bcachefs/fs.c:540
bch2_mknod fs/bcachefs/fs.c:673 [inline]
bch2_create+0xc0/0x1d0 fs/bcachefs/fs.c:687
lookup_open fs/namei.c:3649 [inline]
open_last_lookups fs/namei.c:3748 [inline]
path_openat+0x2e9e/0x6200 fs/namei.c:3984
do_filp_open+0x268/0x600 fs/namei.c:4014
do_sys_openat2+0x1bf/0x2f0 fs/open.c:1402
do_sys_open fs/open.c:1417 [inline]
__do_sys_creat fs/open.c:1495 [inline]
__se_sys_creat fs/open.c:1489 [inline]
__x64_sys_creat+0xe6/0x140 fs/open.c:1489
x64_sys_call+0x12e3/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:86
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
CPU: 0 UID: 0 PID: 25892 Comm: syz.3.5499 Not tainted 6.13.0-rc2-syzkaller-00333-ga0e3919a2df2 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/25/2024
=====================================================
---
* [syzbot] [bcachefs?] KMSAN: uninit-value in bch2_checksum_update (2)
@ 2024-12-15 8:10 syzbot
2025-04-01 4:06 ` [syzbot] syzbot
From: syzbot @ 2024-12-15 8:10 UTC (permalink / raw)
To: kent.overstreet, linux-bcachefs, linux-kernel, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: f92f4749861b Merge tag 'clk-fixes-for-linus' of git://git...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=129b3544580000
kernel config: https://syzkaller.appspot.com/x/.config?x=95d0bb0535bcaca0
dashboard link: https://syzkaller.appspot.com/bug?extid=60ea31958b52b09e04af
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/71d71ad0e41a/disk-f92f4749.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/3c061489bceb/vmlinux-f92f4749.xz
kernel image: https://storage.googleapis.com/syzbot-assets/30c84208490c/bzImage-f92f4749.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+60ea31958b52b09e04af@syzkaller.appspotmail.com
bcachefs (loop9): shutting down
bcachefs (loop9): going read-only
bcachefs (loop9): finished waiting for writes to stop
bcachefs (loop9): flushing journal and stopping allocators, journal seq 11
=====================================================
BUG: KMSAN: uninit-value in crc64_be+0x202/0x310 lib/crc64.c:59
crc64_be+0x202/0x310 lib/crc64.c:59
bch2_checksum_update+0x15e/0x1d0 fs/bcachefs/checksum.c:88
bch2_checksum+0x3ca/0x800 fs/bcachefs/checksum.c:225
__bch2_btree_node_write+0x52e3/0x6830 fs/bcachefs/btree_io.c:2148
bch2_btree_node_write+0xa5/0x2e0 fs/bcachefs/btree_io.c:2284
btree_node_write_if_need fs/bcachefs/btree_io.h:151 [inline]
__btree_node_flush+0x606/0x680 fs/bcachefs/btree_trans_commit.c:252
bch2_btree_node_flush1+0x38/0x60 fs/bcachefs/btree_trans_commit.c:266
journal_flush_pins+0xce6/0x1780 fs/bcachefs/journal_reclaim.c:565
journal_flush_done+0x156/0x3f0 fs/bcachefs/journal_reclaim.c:822
bch2_journal_flush_pins+0xdb/0x3b0 fs/bcachefs/journal_reclaim.c:852
bch2_journal_flush_all_pins fs/bcachefs/journal_reclaim.h:76 [inline]
__bch2_fs_read_only+0x210/0xb40 fs/bcachefs/super.c:276
bch2_fs_read_only+0xd2c/0x15d0 fs/bcachefs/super.c:356
__bch2_fs_stop+0xf0/0xf10 fs/bcachefs/super.c:621
bch2_put_super+0x3c/0x50 fs/bcachefs/fs.c:2050
generic_shutdown_super+0x197/0x4c0 fs/super.c:642
bch2_kill_sb+0x3d/0x70 fs/bcachefs/fs.c:2278
deactivate_locked_super+0xe0/0x3f0 fs/super.c:473
deactivate_super+0x14f/0x160 fs/super.c:506
cleanup_mnt+0x6bb/0x730 fs/namespace.c:1373
__cleanup_mnt+0x22/0x30 fs/namespace.c:1380
task_work_run+0x268/0x310 kernel/task_work.c:239
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
exit_to_user_mode_loop kernel/entry/common.c:114 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0xbf/0x160 kernel/entry/common.c:218
do_syscall_64+0xda/0x1e0 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Uninit was stored to memory at:
memcpy_u64s_small fs/bcachefs/util.h:393 [inline]
bkey_p_copy fs/bcachefs/bkey.h:47 [inline]
bch2_sort_keys_keep_unwritten_whiteouts+0x12d5/0x19d0 fs/bcachefs/bkey_sort.c:187
__bch2_btree_node_write+0x3ae8/0x6830 fs/bcachefs/btree_io.c:2095
bch2_btree_node_write+0xa5/0x2e0 fs/bcachefs/btree_io.c:2284
btree_node_write_if_need fs/bcachefs/btree_io.h:151 [inline]
__btree_node_flush+0x606/0x680 fs/bcachefs/btree_trans_commit.c:252
bch2_btree_node_flush1+0x38/0x60 fs/bcachefs/btree_trans_commit.c:266
journal_flush_pins+0xce6/0x1780 fs/bcachefs/journal_reclaim.c:565
journal_flush_done+0x156/0x3f0 fs/bcachefs/journal_reclaim.c:822
bch2_journal_flush_pins+0xdb/0x3b0 fs/bcachefs/journal_reclaim.c:852
bch2_journal_flush_all_pins fs/bcachefs/journal_reclaim.h:76 [inline]
__bch2_fs_read_only+0x210/0xb40 fs/bcachefs/super.c:276
bch2_fs_read_only+0xd2c/0x15d0 fs/bcachefs/super.c:356
__bch2_fs_stop+0xf0/0xf10 fs/bcachefs/super.c:621
bch2_put_super+0x3c/0x50 fs/bcachefs/fs.c:2050
generic_shutdown_super+0x197/0x4c0 fs/super.c:642
bch2_kill_sb+0x3d/0x70 fs/bcachefs/fs.c:2278
deactivate_locked_super+0xe0/0x3f0 fs/super.c:473
deactivate_super+0x14f/0x160 fs/super.c:506
cleanup_mnt+0x6bb/0x730 fs/namespace.c:1373
__cleanup_mnt+0x22/0x30 fs/namespace.c:1380
task_work_run+0x268/0x310 kernel/task_work.c:239
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
exit_to_user_mode_loop kernel/entry/common.c:114 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0xbf/0x160 kernel/entry/common.c:218
do_syscall_64+0xda/0x1e0 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Uninit was created at:
___kmalloc_large_node+0x22c/0x370 mm/slub.c:4238
__kmalloc_large_node_noprof+0x3f/0x1e0 mm/slub.c:4255
__do_kmalloc_node mm/slub.c:4271 [inline]
__kmalloc_node_noprof+0xc96/0x1250 mm/slub.c:4289
__kvmalloc_node_noprof+0xc0/0x2d0 mm/util.c:650
btree_bounce_alloc fs/bcachefs/btree_io.c:124 [inline]
btree_node_sort+0x78a/0x1d30 fs/bcachefs/btree_io.c:323
bch2_btree_post_write_cleanup+0x1b0/0xf20 fs/bcachefs/btree_io.c:2248
bch2_btree_node_write+0x21c/0x2e0 fs/bcachefs/btree_io.c:2289
btree_node_write_if_need fs/bcachefs/btree_io.h:151 [inline]
__btree_node_flush+0x606/0x680 fs/bcachefs/btree_trans_commit.c:252
bch2_btree_node_flush0+0x35/0x60 fs/bcachefs/btree_trans_commit.c:261
journal_flush_pins+0xce6/0x1780 fs/bcachefs/journal_reclaim.c:565
__bch2_journal_reclaim+0xda8/0x1670 fs/bcachefs/journal_reclaim.c:698
bch2_journal_reclaim_thread+0x18e/0x760 fs/bcachefs/journal_reclaim.c:740
kthread+0x3e2/0x540 kernel/kthread.c:389
ret_from_fork+0x6d/0x90 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
CPU: 0 UID: 0 PID: 13300 Comm: syz-executor Tainted: G W 6.13.0-rc2-syzkaller-00031-gf92f4749861b #0
Tainted: [W]=WARN
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
=====================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
* [syzbot] [bcachefs?] KMSAN: uninit-value in __build_ro_aux_tree
@ 2024-12-13 19:13 syzbot
From: syzbot @ 2024-12-13 19:13 UTC
To: kent.overstreet, linux-bcachefs, linux-kernel, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: fac04efc5c79 Linux 6.13-rc2
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15eeab30580000
kernel config: https://syzkaller.appspot.com/x/.config?x=95d0bb0535bcaca0
dashboard link: https://syzkaller.appspot.com/bug?extid=ac254bd3bcde20072a0a
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: i386
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/9d6e1c34e8de/disk-fac04efc.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/3e1de71b47f9/vmlinux-fac04efc.xz
kernel image: https://storage.googleapis.com/syzbot-assets/915cb3b3a8e7/bzImage-fac04efc.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ac254bd3bcde20072a0a@syzkaller.appspotmail.com
bcachefs (loop3): journal_replay...
=====================================================
BUG: KMSAN: uninit-value in __build_ro_aux_tree+0x61f/0x21a0 fs/bcachefs/bset.c:715
__build_ro_aux_tree+0x61f/0x21a0 fs/bcachefs/bset.c:715
bch2_bset_build_aux_tree+0x6e6/0x850 fs/bcachefs/bset.c:779
bch2_btree_build_aux_trees fs/bcachefs/btree_io.c:448 [inline]
bch2_btree_init_next+0xdda/0x11e0 fs/bcachefs/btree_io.c:508
bch2_btree_node_prep_for_write+0x6c8/0x720 fs/bcachefs/btree_trans_commit.c:101
bch2_trans_lock_write+0x7ef/0xc00 fs/bcachefs/btree_trans_commit.c:129
do_bch2_trans_commit fs/bcachefs/btree_trans_commit.c:896 [inline]
__bch2_trans_commit+0x31c4/0xd190 fs/bcachefs/btree_trans_commit.c:1121
bch2_trans_commit fs/bcachefs/btree_update.h:184 [inline]
btree_key_cache_flush_pos fs/bcachefs/btree_key_cache.c:432 [inline]
bch2_btree_key_cache_journal_flush+0x1076/0x1900 fs/bcachefs/btree_key_cache.c:512
journal_flush_pins+0xce6/0x1780 fs/bcachefs/journal_reclaim.c:565
journal_flush_done+0xe1/0x3f0 fs/bcachefs/journal_reclaim.c:819
bch2_journal_flush_pins+0xdb/0x3b0 fs/bcachefs/journal_reclaim.c:852
bch2_journal_flush_all_pins fs/bcachefs/journal_reclaim.h:76 [inline]
bch2_journal_replay+0x4937/0x4d30 fs/bcachefs/recovery.c:383
bch2_run_recovery_pass fs/bcachefs/recovery_passes.c:191 [inline]
bch2_run_recovery_passes+0xaf9/0xf80 fs/bcachefs/recovery_passes.c:244
bch2_fs_recovery+0x447b/0x5b00 fs/bcachefs/recovery.c:861
bch2_fs_start+0x7b2/0xbd0 fs/bcachefs/super.c:1037
bch2_fs_get_tree+0x13ea/0x22d0 fs/bcachefs/fs.c:2170
vfs_get_tree+0xb1/0x5a0 fs/super.c:1814
do_new_mount+0x71f/0x15e0 fs/namespace.c:3507
path_mount+0x742/0x1f10 fs/namespace.c:3834
do_mount fs/namespace.c:3847 [inline]
__do_sys_mount fs/namespace.c:4057 [inline]
__se_sys_mount+0x722/0x810 fs/namespace.c:4034
__ia32_sys_mount+0xe3/0x150 fs/namespace.c:4034
ia32_sys_call+0x260e/0x4180 arch/x86/include/generated/asm/syscalls_32.h:22
do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline]
__do_fast_syscall_32+0xb0/0x110 arch/x86/entry/common.c:386
do_fast_syscall_32+0x38/0x80 arch/x86/entry/common.c:411
do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:449
entry_SYSENTER_compat_after_hwframe+0x84/0x8e
Uninit was created at:
___kmalloc_large_node+0x22c/0x370 mm/slub.c:4238
__kmalloc_large_node_noprof+0x3f/0x1e0 mm/slub.c:4255
__do_kmalloc_node mm/slub.c:4271 [inline]
__kmalloc_node_noprof+0xc96/0x1250 mm/slub.c:4289
__kvmalloc_node_noprof+0xc0/0x2d0 mm/util.c:650
btree_node_data_alloc fs/bcachefs/btree_cache.c:153 [inline]
__bch2_btree_node_mem_alloc+0x2be/0xa80 fs/bcachefs/btree_cache.c:198
bch2_fs_btree_cache_init+0x4e4/0xb50 fs/bcachefs/btree_cache.c:653
bch2_fs_alloc fs/bcachefs/super.c:917 [inline]
bch2_fs_open+0x4d3a/0x5b40 fs/bcachefs/super.c:2065
bch2_fs_get_tree+0x983/0x22d0 fs/bcachefs/fs.c:2157
vfs_get_tree+0xb1/0x5a0 fs/super.c:1814
do_new_mount+0x71f/0x15e0 fs/namespace.c:3507
path_mount+0x742/0x1f10 fs/namespace.c:3834
do_mount fs/namespace.c:3847 [inline]
__do_sys_mount fs/namespace.c:4057 [inline]
__se_sys_mount+0x722/0x810 fs/namespace.c:4034
__ia32_sys_mount+0xe3/0x150 fs/namespace.c:4034
ia32_sys_call+0x260e/0x4180 arch/x86/include/generated/asm/syscalls_32.h:22
do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline]
__do_fast_syscall_32+0xb0/0x110 arch/x86/entry/common.c:386
do_fast_syscall_32+0x38/0x80 arch/x86/entry/common.c:411
do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:449
entry_SYSENTER_compat_after_hwframe+0x84/0x8e
CPU: 1 UID: 0 PID: 6069 Comm: syz.3.35 Not tainted 6.13.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
=====================================================
* [syzbot] [bcachefs?] KMSAN: uninit-value in bch2_xattr_validate
@ 2024-12-13 7:56 syzbot
From: syzbot @ 2024-12-13 7:56 UTC
To: kent.overstreet, linux-bcachefs, linux-kernel, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 62b5a46999c7 Merge tag '6.13-rc1-smb3-client-fixes' of git..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15a42b30580000
kernel config: https://syzkaller.appspot.com/x/.config?x=dcc2c6db74766fbc
dashboard link: https://syzkaller.appspot.com/bug?extid=983249082bd062b1c4ef
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: i386
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/60049925b49e/disk-62b5a469.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/b4566aa70779/vmlinux-62b5a469.xz
kernel image: https://storage.googleapis.com/syzbot-assets/6ba7b00a199e/bzImage-62b5a469.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+983249082bd062b1c4ef@syzkaller.appspotmail.com
=====================================================
BUG: KMSAN: uninit-value in bch2_xattr_validate+0x3bb/0x720 fs/bcachefs/xattr.c:81
bch2_xattr_validate+0x3bb/0x720 fs/bcachefs/xattr.c:81
bch2_bkey_val_validate+0x2b5/0x440 fs/bcachefs/bkey_methods.c:143
bset_key_validate fs/bcachefs/btree_io.c:841 [inline]
validate_bset_keys+0x1531/0x2080 fs/bcachefs/btree_io.c:910
validate_bset_for_write+0x142/0x290 fs/bcachefs/btree_io.c:1942
__bch2_btree_node_write+0x53df/0x6830 fs/bcachefs/btree_io.c:2152
bch2_btree_node_write+0xa5/0x2e0 fs/bcachefs/btree_io.c:2284
btree_node_write_if_need fs/bcachefs/btree_io.h:151 [inline]
__btree_node_flush+0x606/0x680 fs/bcachefs/btree_trans_commit.c:252
bch2_btree_node_flush1+0x38/0x60 fs/bcachefs/btree_trans_commit.c:266
journal_flush_pins+0xce6/0x1780 fs/bcachefs/journal_reclaim.c:565
__bch2_journal_reclaim+0xda8/0x1670 fs/bcachefs/journal_reclaim.c:698
bch2_journal_reclaim_thread+0x18e/0x760 fs/bcachefs/journal_reclaim.c:740
kthread+0x3e2/0x540 kernel/kthread.c:389
ret_from_fork+0x6d/0x90 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
Uninit was stored to memory at:
memcpy_u64s_small fs/bcachefs/util.h:393 [inline]
bkey_p_copy fs/bcachefs/bkey.h:47 [inline]
bch2_sort_keys_keep_unwritten_whiteouts+0x12d5/0x19d0 fs/bcachefs/bkey_sort.c:187
__bch2_btree_node_write+0x3ae8/0x6830 fs/bcachefs/btree_io.c:2095
bch2_btree_node_write+0xa5/0x2e0 fs/bcachefs/btree_io.c:2284
btree_node_write_if_need fs/bcachefs/btree_io.h:151 [inline]
__btree_node_flush+0x606/0x680 fs/bcachefs/btree_trans_commit.c:252
bch2_btree_node_flush1+0x38/0x60 fs/bcachefs/btree_trans_commit.c:266
journal_flush_pins+0xce6/0x1780 fs/bcachefs/journal_reclaim.c:565
__bch2_journal_reclaim+0xda8/0x1670 fs/bcachefs/journal_reclaim.c:698
bch2_journal_reclaim_thread+0x18e/0x760 fs/bcachefs/journal_reclaim.c:740
kthread+0x3e2/0x540 kernel/kthread.c:389
ret_from_fork+0x6d/0x90 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
Uninit was created at:
___kmalloc_large_node+0x22c/0x370 mm/slub.c:4238
__kmalloc_large_node_noprof+0x3f/0x1e0 mm/slub.c:4255
__do_kmalloc_node mm/slub.c:4271 [inline]
__kmalloc_node_noprof+0xc96/0x1250 mm/slub.c:4289
__kvmalloc_node_noprof+0xc0/0x2d0 mm/util.c:650
btree_bounce_alloc fs/bcachefs/btree_io.c:124 [inline]
btree_node_sort+0x78a/0x1d30 fs/bcachefs/btree_io.c:323
bch2_btree_post_write_cleanup+0x1b0/0xf20 fs/bcachefs/btree_io.c:2248
bch2_btree_node_write+0x21c/0x2e0 fs/bcachefs/btree_io.c:2289
btree_node_write_if_need fs/bcachefs/btree_io.h:151 [inline]
__btree_node_flush+0x606/0x680 fs/bcachefs/btree_trans_commit.c:252
bch2_btree_node_flush0+0x35/0x60 fs/bcachefs/btree_trans_commit.c:261
journal_flush_pins+0xce6/0x1780 fs/bcachefs/journal_reclaim.c:565
__bch2_journal_reclaim+0xda8/0x1670 fs/bcachefs/journal_reclaim.c:698
bch2_journal_reclaim_thread+0x18e/0x760 fs/bcachefs/journal_reclaim.c:740
kthread+0x3e2/0x540 kernel/kthread.c:389
ret_from_fork+0x6d/0x90 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
CPU: 0 UID: 0 PID: 6046 Comm: bch-reclaim/loo Not tainted 6.13.0-rc1-syzkaller-00378-g62b5a46999c7 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
=====================================================
* [syzbot] [bcachefs?] KMSAN: uninit-value in bch2_dev_freespace_init
@ 2024-12-04 17:36 syzbot
From: syzbot @ 2024-12-04 17:36 UTC
To: kent.overstreet, linux-bcachefs, linux-kernel, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 2ba9f676d0a2 Merge tag 'drm-next-2024-11-29' of https://gi..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=127f3bc0580000
kernel config: https://syzkaller.appspot.com/x/.config?x=b131ba4658863ffa
dashboard link: https://syzkaller.appspot.com/bug?extid=aa2232cb0e5de0c0b56f
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: i386
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/43bff3f0073a/disk-2ba9f676.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/0683b9881a99/vmlinux-2ba9f676.xz
kernel image: https://storage.googleapis.com/syzbot-assets/37c30742afb0/bzImage-2ba9f676.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+aa2232cb0e5de0c0b56f@syzkaller.appspotmail.com
bcachefs (loop4): marking superblocks
bcachefs (loop4): initializing freespace
=====================================================
BUG: KMSAN: uninit-value in bch2_alloc_to_v4 fs/bcachefs/alloc_background.h:235 [inline]
BUG: KMSAN: uninit-value in bch2_dev_freespace_init+0x1044/0x1eb0 fs/bcachefs/alloc_background.c:2232
bch2_alloc_to_v4 fs/bcachefs/alloc_background.h:235 [inline]
bch2_dev_freespace_init+0x1044/0x1eb0 fs/bcachefs/alloc_background.c:2232
bch2_fs_freespace_init+0x599/0xb30 fs/bcachefs/alloc_background.c:2304
bch2_fs_initialize+0x2140/0x35d0 fs/bcachefs/recovery.c:1082
bch2_fs_start+0x77d/0xbd0 fs/bcachefs/super.c:1038
bch2_fs_get_tree+0x13ea/0x22d0 fs/bcachefs/fs.c:2170
vfs_get_tree+0xb1/0x5a0 fs/super.c:1814
do_new_mount+0x71f/0x15e0 fs/namespace.c:3507
path_mount+0x742/0x1f10 fs/namespace.c:3834
do_mount fs/namespace.c:3847 [inline]
__do_sys_mount fs/namespace.c:4057 [inline]
__se_sys_mount+0x722/0x810 fs/namespace.c:4034
__ia32_sys_mount+0xe3/0x150 fs/namespace.c:4034
ia32_sys_call+0x260e/0x4180 arch/x86/include/generated/asm/syscalls_32.h:22
do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline]
__do_fast_syscall_32+0xb0/0x110 arch/x86/entry/common.c:386
do_fast_syscall_32+0x38/0x80 arch/x86/entry/common.c:411
do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:449
entry_SYSENTER_compat_after_hwframe+0x84/0x8e
Uninit was created at:
___kmalloc_large_node+0x22c/0x370 mm/slub.c:4238
__kmalloc_large_node_noprof+0x3f/0x1e0 mm/slub.c:4255
__do_kmalloc_node mm/slub.c:4271 [inline]
__kmalloc_node_noprof+0xc96/0x1250 mm/slub.c:4289
__kvmalloc_node_noprof+0xc0/0x2d0 mm/util.c:650
btree_node_data_alloc fs/bcachefs/btree_cache.c:153 [inline]
__bch2_btree_node_mem_alloc+0x2be/0xa80 fs/bcachefs/btree_cache.c:198
bch2_fs_btree_cache_init+0x4e4/0xb50 fs/bcachefs/btree_cache.c:653
bch2_fs_alloc fs/bcachefs/super.c:917 [inline]
bch2_fs_open+0x4d3a/0x5b40 fs/bcachefs/super.c:2065
bch2_fs_get_tree+0x983/0x22d0 fs/bcachefs/fs.c:2157
vfs_get_tree+0xb1/0x5a0 fs/super.c:1814
do_new_mount+0x71f/0x15e0 fs/namespace.c:3507
path_mount+0x742/0x1f10 fs/namespace.c:3834
do_mount fs/namespace.c:3847 [inline]
__do_sys_mount fs/namespace.c:4057 [inline]
__se_sys_mount+0x722/0x810 fs/namespace.c:4034
__ia32_sys_mount+0xe3/0x150 fs/namespace.c:4034
ia32_sys_call+0x260e/0x4180 arch/x86/include/generated/asm/syscalls_32.h:22
do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline]
__do_fast_syscall_32+0xb0/0x110 arch/x86/entry/common.c:386
do_fast_syscall_32+0x38/0x80 arch/x86/entry/common.c:411
do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:449
entry_SYSENTER_compat_after_hwframe+0x84/0x8e
CPU: 0 UID: 0 PID: 6020 Comm: syz.4.18 Not tainted 6.12.0-syzkaller-11677-g2ba9f676d0a2 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
=====================================================
* [syzbot] [bcachefs?] KMSAN: uninit-value in bch2_btree_node_get
@ 2024-12-01 9:40 syzbot
From: syzbot @ 2024-12-01 9:40 UTC
To: kent.overstreet, linux-bcachefs, linux-kernel, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 445d9f05fa14 Merge tag 'nfsd-6.13' of git://git.kernel.org..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=112afff7980000
kernel config: https://syzkaller.appspot.com/x/.config?x=c5486b9d7cc64830
dashboard link: https://syzkaller.appspot.com/bug?extid=2b2046c73fcb7e6a0e4e
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: i386
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/7024ceac9339/disk-445d9f05.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/ebf50afbcd15/vmlinux-445d9f05.xz
kernel image: https://storage.googleapis.com/syzbot-assets/9e60e080ed9e/bzImage-445d9f05.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+2b2046c73fcb7e6a0e4e@syzkaller.appspotmail.com
=====================================================
BUG: KMSAN: uninit-value in bch2_btree_node_get+0x605/0x18b0 fs/bcachefs/btree_cache.c:1180
bch2_btree_node_get+0x605/0x18b0 fs/bcachefs/btree_cache.c:1180
btree_path_down fs/bcachefs/btree_iter.c:956 [inline]
bch2_btree_path_traverse_one+0x2c34/0x47b0 fs/bcachefs/btree_iter.c:1182
bch2_btree_path_traverse fs/bcachefs/btree_iter.h:247 [inline]
bch2_btree_iter_peek_node+0x2c5/0x15d0 fs/bcachefs/btree_iter.c:1901
async_btree_node_rewrite_trans fs/bcachefs/btree_update_interior.c:2218 [inline]
async_btree_node_rewrite_work+0x29d/0x1710 fs/bcachefs/btree_update_interior.c:2249
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xae0/0x1c40 kernel/workqueue.c:3310
worker_thread+0xea7/0x14f0 kernel/workqueue.c:3391
kthread+0x3e2/0x540 kernel/kthread.c:389
ret_from_fork+0x6d/0x90 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
Uninit was stored to memory at:
memcpy_u64s_small fs/bcachefs/util.h:393 [inline]
bkey_reassemble fs/bcachefs/bkey.h:513 [inline]
bch2_bkey_buf_reassemble fs/bcachefs/bkey_buf.h:28 [inline]
btree_node_iter_and_journal_peek+0x866/0x2520 fs/bcachefs/btree_iter.c:898
btree_path_down fs/bcachefs/btree_iter.c:927 [inline]
bch2_btree_path_traverse_one+0x254c/0x47b0 fs/bcachefs/btree_iter.c:1182
bch2_btree_path_traverse fs/bcachefs/btree_iter.h:247 [inline]
bch2_btree_iter_peek_node+0x2c5/0x15d0 fs/bcachefs/btree_iter.c:1901
async_btree_node_rewrite_trans fs/bcachefs/btree_update_interior.c:2218 [inline]
async_btree_node_rewrite_work+0x29d/0x1710 fs/bcachefs/btree_update_interior.c:2249
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xae0/0x1c40 kernel/workqueue.c:3310
worker_thread+0xea7/0x14f0 kernel/workqueue.c:3391
kthread+0x3e2/0x540 kernel/kthread.c:389
ret_from_fork+0x6d/0x90 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
Uninit was created at:
___kmalloc_large_node+0x22c/0x370 mm/slub.c:4238
__kmalloc_large_node_noprof+0x3f/0x1e0 mm/slub.c:4255
__do_kmalloc_node mm/slub.c:4271 [inline]
__kmalloc_node_noprof+0xc96/0x1250 mm/slub.c:4289
__kvmalloc_node_noprof+0xc0/0x2d0 mm/util.c:650
btree_node_data_alloc fs/bcachefs/btree_cache.c:153 [inline]
bch2_btree_node_mem_alloc+0xa72/0x2ee0 fs/bcachefs/btree_cache.c:832
__bch2_btree_node_alloc fs/bcachefs/btree_update_interior.c:321 [inline]
bch2_btree_reserve_get+0x37f/0x2290 fs/bcachefs/btree_update_interior.c:549
bch2_btree_update_start+0x1af9/0x2d60 fs/bcachefs/btree_update_interior.c:1247
bch2_btree_split_leaf+0x120/0xc00 fs/bcachefs/btree_update_interior.c:1856
bch2_trans_commit_error+0x1c0/0x1d60 fs/bcachefs/btree_trans_commit.c:942
__bch2_trans_commit+0x210f/0xd190 fs/bcachefs/btree_trans_commit.c:1140
bch2_trans_commit fs/bcachefs/btree_update.h:184 [inline]
bch2_journal_replay+0x2e3d/0x4d30 fs/bcachefs/recovery.c:317
bch2_run_recovery_pass fs/bcachefs/recovery_passes.c:191 [inline]
bch2_run_recovery_passes+0xaf9/0xf80 fs/bcachefs/recovery_passes.c:244
bch2_fs_recovery+0x447b/0x5b00 fs/bcachefs/recovery.c:861
bch2_fs_start+0x7b2/0xbd0 fs/bcachefs/super.c:1037
bch2_fs_get_tree+0x13ea/0x22d0 fs/bcachefs/fs.c:2170
vfs_get_tree+0xb1/0x5a0 fs/super.c:1814
do_new_mount+0x71f/0x15e0 fs/namespace.c:3507
path_mount+0x742/0x1f10 fs/namespace.c:3834
do_mount fs/namespace.c:3847 [inline]
__do_sys_mount fs/namespace.c:4057 [inline]
__se_sys_mount+0x722/0x810 fs/namespace.c:4034
__ia32_sys_mount+0xe3/0x150 fs/namespace.c:4034
ia32_sys_call+0x260e/0x4180 arch/x86/include/generated/asm/syscalls_32.h:22
do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline]
__do_fast_syscall_32+0xb0/0x110 arch/x86/entry/common.c:386
do_fast_syscall_32+0x38/0x80 arch/x86/entry/common.c:411
do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:449
entry_SYSENTER_compat_after_hwframe+0x84/0x8e
CPU: 0 UID: 0 PID: 7199 Comm: kworker/u8:2 Tainted: G W 6.12.0-syzkaller-09734-g445d9f05fa14 #0
Tainted: [W]=WARN
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: btree_node_rewrite async_btree_node_rewrite_work
=====================================================
* [syzbot] [bcachefs?] KMSAN: uninit-value in bch2_bkey_ptrs_validate
@ 2024-12-01 8:34 syzbot
From: syzbot @ 2024-12-01 8:34 UTC
To: kent.overstreet, linux-bcachefs, linux-kernel, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 445d9f05fa14 Merge tag 'nfsd-6.13' of git://git.kernel.org..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=150f83c0580000
kernel config: https://syzkaller.appspot.com/x/.config?x=c5486b9d7cc64830
dashboard link: https://syzkaller.appspot.com/bug?extid=5d8a06a9e86672d9f71f
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: i386
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/7024ceac9339/disk-445d9f05.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/ebf50afbcd15/vmlinux-445d9f05.xz
kernel image: https://storage.googleapis.com/syzbot-assets/9e60e080ed9e/bzImage-445d9f05.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+5d8a06a9e86672d9f71f@syzkaller.appspotmail.com
=====================================================
BUG: KMSAN: uninit-value in __extent_entry_type fs/bcachefs/extents.h:54 [inline]
BUG: KMSAN: uninit-value in bch2_bkey_ptrs_validate+0x589/0x2df0 fs/bcachefs/extents.c:1239
__extent_entry_type fs/bcachefs/extents.h:54 [inline]
bch2_bkey_ptrs_validate+0x589/0x2df0 fs/bcachefs/extents.c:1239
bch2_bkey_val_validate+0x2b5/0x440 fs/bcachefs/bkey_methods.c:143
bset_key_validate fs/bcachefs/btree_io.c:841 [inline]
validate_bset_keys+0x1531/0x2080 fs/bcachefs/btree_io.c:910
validate_bset_for_write+0x142/0x290 fs/bcachefs/btree_io.c:1942
__bch2_btree_node_write+0x53df/0x6830 fs/bcachefs/btree_io.c:2152
bch2_btree_node_write+0xa5/0x2e0 fs/bcachefs/btree_io.c:2284
bch2_btree_node_rewrite+0x1442/0x1930 fs/bcachefs/btree_update_interior.c:2179
async_btree_node_rewrite_trans fs/bcachefs/btree_update_interior.c:2236 [inline]
async_btree_node_rewrite_work+0x485/0x1710 fs/bcachefs/btree_update_interior.c:2249
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xae0/0x1c40 kernel/workqueue.c:3310
worker_thread+0xea7/0x14f0 kernel/workqueue.c:3391
kthread+0x3e2/0x540 kernel/kthread.c:389
ret_from_fork+0x6d/0x90 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
Uninit was stored to memory at:
memcpy_u64s_small fs/bcachefs/util.h:393 [inline]
bkey_p_copy fs/bcachefs/bkey.h:47 [inline]
bch2_sort_keys_keep_unwritten_whiteouts+0x12d5/0x19d0 fs/bcachefs/bkey_sort.c:187
__bch2_btree_node_write+0x3ae8/0x6830 fs/bcachefs/btree_io.c:2095
bch2_btree_node_write+0xa5/0x2e0 fs/bcachefs/btree_io.c:2284
bch2_btree_node_rewrite+0x1442/0x1930 fs/bcachefs/btree_update_interior.c:2179
async_btree_node_rewrite_trans fs/bcachefs/btree_update_interior.c:2236 [inline]
async_btree_node_rewrite_work+0x485/0x1710 fs/bcachefs/btree_update_interior.c:2249
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xae0/0x1c40 kernel/workqueue.c:3310
worker_thread+0xea7/0x14f0 kernel/workqueue.c:3391
kthread+0x3e2/0x540 kernel/kthread.c:389
ret_from_fork+0x6d/0x90 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
Uninit was created at:
___kmalloc_large_node+0x22c/0x370 mm/slub.c:4238
__kmalloc_large_node_noprof+0x3f/0x1e0 mm/slub.c:4255
__do_kmalloc_node mm/slub.c:4271 [inline]
__kmalloc_node_noprof+0xc96/0x1250 mm/slub.c:4289
__kvmalloc_node_noprof+0xc0/0x2d0 mm/util.c:650
btree_node_data_alloc fs/bcachefs/btree_cache.c:153 [inline]
__bch2_btree_node_mem_alloc+0x2be/0xa80 fs/bcachefs/btree_cache.c:198
bch2_fs_btree_cache_init+0x4e4/0xb50 fs/bcachefs/btree_cache.c:653
bch2_fs_alloc fs/bcachefs/super.c:917 [inline]
bch2_fs_open+0x4d3a/0x5b40 fs/bcachefs/super.c:2065
bch2_fs_get_tree+0x983/0x22d0 fs/bcachefs/fs.c:2157
vfs_get_tree+0xb1/0x5a0 fs/super.c:1814
do_new_mount+0x71f/0x15e0 fs/namespace.c:3507
path_mount+0x742/0x1f10 fs/namespace.c:3834
do_mount fs/namespace.c:3847 [inline]
__do_sys_mount fs/namespace.c:4057 [inline]
__se_sys_mount+0x722/0x810 fs/namespace.c:4034
__ia32_sys_mount+0xe3/0x150 fs/namespace.c:4034
ia32_sys_call+0x260e/0x4180 arch/x86/include/generated/asm/syscalls_32.h:22
do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline]
__do_fast_syscall_32+0xb0/0x110 arch/x86/entry/common.c:386
do_fast_syscall_32+0x38/0x80 arch/x86/entry/common.c:411
do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:449
entry_SYSENTER_compat_after_hwframe+0x84/0x8e
CPU: 0 UID: 0 PID: 3613 Comm: kworker/u8:11 Tainted: G W 6.12.0-syzkaller-09734-g445d9f05fa14 #0
Tainted: [W]=WARN
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: btree_node_rewrite async_btree_node_rewrite_work
=====================================================
* [syzbot] [bcachefs?] KMSAN: uninit-value in bch2_dirent_validate
@ 2024-11-30 19:55 syzbot
From: syzbot @ 2024-11-30 19:55 UTC
To: kent.overstreet, linux-bcachefs, linux-kernel, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 7af08b57bcb9 Merge tag 'trace-v6.13-2' of git://git.kernel..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=167b4d30580000
kernel config: https://syzkaller.appspot.com/x/.config?x=d66c9f9a88c492bd
dashboard link: https://syzkaller.appspot.com/bug?extid=652199d534e8c0a1c0ac
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/9c3165413ea6/disk-7af08b57.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/bdc591e3d285/vmlinux-7af08b57.xz
kernel image: https://storage.googleapis.com/syzbot-assets/bef82d827bd2/bzImage-7af08b57.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+652199d534e8c0a1c0ac@syzkaller.appspotmail.com
=====================================================
BUG: KMSAN: uninit-value in bch2_dirent_name_bytes fs/bcachefs/dirent.c:27 [inline]
BUG: KMSAN: uninit-value in bch2_dirent_get_name fs/bcachefs/dirent.c:37 [inline]
BUG: KMSAN: uninit-value in bch2_dirent_validate+0x5ee/0xc30 fs/bcachefs/dirent.c:107
bch2_dirent_name_bytes fs/bcachefs/dirent.c:27 [inline]
bch2_dirent_get_name fs/bcachefs/dirent.c:37 [inline]
bch2_dirent_validate+0x5ee/0xc30 fs/bcachefs/dirent.c:107
bch2_bkey_val_validate+0x2b5/0x440 fs/bcachefs/bkey_methods.c:143
bset_key_validate fs/bcachefs/btree_io.c:841 [inline]
validate_bset_keys+0x1531/0x2080 fs/bcachefs/btree_io.c:910
validate_bset_for_write+0x142/0x290 fs/bcachefs/btree_io.c:1942
__bch2_btree_node_write+0x53df/0x6830 fs/bcachefs/btree_io.c:2152
bch2_btree_node_write+0xa5/0x2e0 fs/bcachefs/btree_io.c:2284
btree_node_write_if_need fs/bcachefs/btree_io.h:151 [inline]
__btree_node_flush+0x606/0x680 fs/bcachefs/btree_trans_commit.c:252
bch2_btree_node_flush1+0x38/0x60 fs/bcachefs/btree_trans_commit.c:266
journal_flush_pins+0xce6/0x1780 fs/bcachefs/journal_reclaim.c:565
__bch2_journal_reclaim+0xda8/0x1670 fs/bcachefs/journal_reclaim.c:698
bch2_journal_reclaim_thread+0x18e/0x760 fs/bcachefs/journal_reclaim.c:740
kthread+0x3e2/0x540 kernel/kthread.c:389
ret_from_fork+0x6d/0x90 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
Uninit was stored to memory at:
memcpy_u64s_small fs/bcachefs/util.h:393 [inline]
bkey_p_copy fs/bcachefs/bkey.h:47 [inline]
bch2_sort_keys_keep_unwritten_whiteouts+0x12d5/0x19d0 fs/bcachefs/bkey_sort.c:187
__bch2_btree_node_write+0x3ae8/0x6830 fs/bcachefs/btree_io.c:2095
bch2_btree_node_write+0xa5/0x2e0 fs/bcachefs/btree_io.c:2284
btree_node_write_if_need fs/bcachefs/btree_io.h:151 [inline]
__btree_node_flush+0x606/0x680 fs/bcachefs/btree_trans_commit.c:252
bch2_btree_node_flush1+0x38/0x60 fs/bcachefs/btree_trans_commit.c:266
journal_flush_pins+0xce6/0x1780 fs/bcachefs/journal_reclaim.c:565
__bch2_journal_reclaim+0xda8/0x1670 fs/bcachefs/journal_reclaim.c:698
bch2_journal_reclaim_thread+0x18e/0x760 fs/bcachefs/journal_reclaim.c:740
kthread+0x3e2/0x540 kernel/kthread.c:389
ret_from_fork+0x6d/0x90 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
Uninit was created at:
___kmalloc_large_node+0x22c/0x370 mm/slub.c:4238
__kmalloc_large_node_noprof+0x3f/0x1e0 mm/slub.c:4255
__do_kmalloc_node mm/slub.c:4271 [inline]
__kmalloc_node_noprof+0xc96/0x1250 mm/slub.c:4289
__kvmalloc_node_noprof+0xc0/0x2d0 mm/util.c:650
btree_bounce_alloc fs/bcachefs/btree_io.c:124 [inline]
btree_node_sort+0x78a/0x1d30 fs/bcachefs/btree_io.c:323
bch2_btree_post_write_cleanup+0x1b0/0xf20 fs/bcachefs/btree_io.c:2248
bch2_btree_node_write+0x21c/0x2e0 fs/bcachefs/btree_io.c:2289
btree_node_write_if_need fs/bcachefs/btree_io.h:151 [inline]
__btree_node_flush+0x606/0x680 fs/bcachefs/btree_trans_commit.c:252
bch2_btree_node_flush0+0x35/0x60 fs/bcachefs/btree_trans_commit.c:261
journal_flush_pins+0xce6/0x1780 fs/bcachefs/journal_reclaim.c:565
__bch2_journal_reclaim+0xda8/0x1670 fs/bcachefs/journal_reclaim.c:698
bch2_journal_reclaim_thread+0x18e/0x760 fs/bcachefs/journal_reclaim.c:740
kthread+0x3e2/0x540 kernel/kthread.c:389
ret_from_fork+0x6d/0x90 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
CPU: 0 UID: 0 PID: 6699 Comm: bch-reclaim/loo Not tainted 6.12.0-syzkaller-10689-g7af08b57bcb9 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
=====================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
* [syzbot] [bcachefs?] KMSAN: uninit-value in bch2_bkey_val_validate
@ 2024-11-29 16:59 syzbot
2025-04-01 4:02 ` [syzbot] syzbot
0 siblings, 1 reply; 141+ messages in thread
From: syzbot @ 2024-11-29 16:59 UTC (permalink / raw)
To: kent.overstreet, linux-bcachefs, linux-kernel, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 9f16d5e6f220 Merge tag 'for-linus' of git://git.kernel.org..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1465dee8580000
kernel config: https://syzkaller.appspot.com/x/.config?x=ce1e2eda2213557
dashboard link: https://syzkaller.appspot.com/bug?extid=09c915024af5057b77da
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/2fcdec73c0f3/disk-9f16d5e6.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/d4dc8d1847e1/vmlinux-9f16d5e6.xz
kernel image: https://storage.googleapis.com/syzbot-assets/db0e04822d2c/bzImage-9f16d5e6.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+09c915024af5057b77da@syzkaller.appspotmail.com
done
bcachefs (loop2): going read-write
bcachefs (loop2): journal_replay...
=====================================================
BUG: KMSAN: uninit-value in bch2_backpointer_validate+0x63a/0x8f0 fs/bcachefs/backpointers.c:57
bch2_backpointer_validate+0x63a/0x8f0 fs/bcachefs/backpointers.c:57
bch2_bkey_val_validate+0x2b5/0x440 fs/bcachefs/bkey_methods.c:143
bset_key_validate fs/bcachefs/btree_io.c:841 [inline]
validate_bset_keys+0x1531/0x2080 fs/bcachefs/btree_io.c:910
validate_bset_for_write+0x142/0x290 fs/bcachefs/btree_io.c:1942
__bch2_btree_node_write+0x53df/0x6830 fs/bcachefs/btree_io.c:2152
bch2_btree_node_write+0xa5/0x2e0 fs/bcachefs/btree_io.c:2284
btree_node_write_if_need fs/bcachefs/btree_io.h:151 [inline]
__btree_node_flush+0x606/0x680 fs/bcachefs/btree_trans_commit.c:252
bch2_btree_node_flush1+0x38/0x60 fs/bcachefs/btree_trans_commit.c:266
journal_flush_pins+0xce6/0x1780 fs/bcachefs/journal_reclaim.c:565
journal_flush_done+0x156/0x3f0 fs/bcachefs/journal_reclaim.c:822
bch2_journal_flush_pins+0x2a9/0x3b0 fs/bcachefs/journal_reclaim.c:852
bch2_journal_flush_all_pins fs/bcachefs/journal_reclaim.h:76 [inline]
bch2_journal_replay+0x4937/0x4d30 fs/bcachefs/recovery.c:383
bch2_run_recovery_pass fs/bcachefs/recovery_passes.c:191 [inline]
bch2_run_recovery_passes+0xaf9/0xf80 fs/bcachefs/recovery_passes.c:244
bch2_fs_recovery+0x447b/0x5b00 fs/bcachefs/recovery.c:861
bch2_fs_start+0x7b2/0xbd0 fs/bcachefs/super.c:1037
bch2_fs_get_tree+0x13ea/0x22d0 fs/bcachefs/fs.c:2170
vfs_get_tree+0xb1/0x5a0 fs/super.c:1814
do_new_mount+0x71f/0x15e0 fs/namespace.c:3507
path_mount+0x742/0x1f10 fs/namespace.c:3834
do_mount fs/namespace.c:3847 [inline]
__do_sys_mount fs/namespace.c:4057 [inline]
__se_sys_mount+0x722/0x810 fs/namespace.c:4034
__x64_sys_mount+0xe4/0x150 fs/namespace.c:4034
x64_sys_call+0x39bf/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:166
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Uninit was stored to memory at:
memcpy_u64s_small fs/bcachefs/util.h:393 [inline]
bkey_p_copy fs/bcachefs/bkey.h:47 [inline]
bch2_sort_keys_keep_unwritten_whiteouts+0x12d5/0x19d0 fs/bcachefs/bkey_sort.c:187
__bch2_btree_node_write+0x3ae8/0x6830 fs/bcachefs/btree_io.c:2095
bch2_btree_node_write+0xa5/0x2e0 fs/bcachefs/btree_io.c:2284
btree_node_write_if_need fs/bcachefs/btree_io.h:151 [inline]
__btree_node_flush+0x606/0x680 fs/bcachefs/btree_trans_commit.c:252
bch2_btree_node_flush1+0x38/0x60 fs/bcachefs/btree_trans_commit.c:266
journal_flush_pins+0xce6/0x1780 fs/bcachefs/journal_reclaim.c:565
journal_flush_done+0x156/0x3f0 fs/bcachefs/journal_reclaim.c:822
bch2_journal_flush_pins+0x2a9/0x3b0 fs/bcachefs/journal_reclaim.c:852
bch2_journal_flush_all_pins fs/bcachefs/journal_reclaim.h:76 [inline]
bch2_journal_replay+0x4937/0x4d30 fs/bcachefs/recovery.c:383
bch2_run_recovery_pass fs/bcachefs/recovery_passes.c:191 [inline]
bch2_run_recovery_passes+0xaf9/0xf80 fs/bcachefs/recovery_passes.c:244
bch2_fs_recovery+0x447b/0x5b00 fs/bcachefs/recovery.c:861
bch2_fs_start+0x7b2/0xbd0 fs/bcachefs/super.c:1037
bch2_fs_get_tree+0x13ea/0x22d0 fs/bcachefs/fs.c:2170
vfs_get_tree+0xb1/0x5a0 fs/super.c:1814
do_new_mount+0x71f/0x15e0 fs/namespace.c:3507
path_mount+0x742/0x1f10 fs/namespace.c:3834
do_mount fs/namespace.c:3847 [inline]
__do_sys_mount fs/namespace.c:4057 [inline]
__se_sys_mount+0x722/0x810 fs/namespace.c:4034
__x64_sys_mount+0xe4/0x150 fs/namespace.c:4034
x64_sys_call+0x39bf/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:166
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Uninit was created at:
___kmalloc_large_node+0x22c/0x370 mm/slub.c:4219
__kmalloc_large_node_noprof+0x3f/0x1e0 mm/slub.c:4236
__do_kmalloc_node mm/slub.c:4252 [inline]
__kmalloc_node_noprof+0x9d6/0xf50 mm/slub.c:4270
__kvmalloc_node_noprof+0xc0/0x2d0 mm/util.c:658
btree_bounce_alloc fs/bcachefs/btree_io.c:124 [inline]
btree_node_sort+0x78a/0x1d30 fs/bcachefs/btree_io.c:323
bch2_btree_post_write_cleanup+0x1b0/0xf20 fs/bcachefs/btree_io.c:2248
bch2_btree_node_write+0x21c/0x2e0 fs/bcachefs/btree_io.c:2289
btree_node_write_if_need fs/bcachefs/btree_io.h:151 [inline]
__btree_node_flush+0x606/0x680 fs/bcachefs/btree_trans_commit.c:252
bch2_btree_node_flush0+0x35/0x60 fs/bcachefs/btree_trans_commit.c:261
journal_flush_pins+0xce6/0x1780 fs/bcachefs/journal_reclaim.c:565
journal_flush_done+0x156/0x3f0 fs/bcachefs/journal_reclaim.c:822
bch2_journal_flush_pins+0x2a9/0x3b0 fs/bcachefs/journal_reclaim.c:852
bch2_journal_flush_all_pins fs/bcachefs/journal_reclaim.h:76 [inline]
bch2_journal_replay+0x4937/0x4d30 fs/bcachefs/recovery.c:383
bch2_run_recovery_pass fs/bcachefs/recovery_passes.c:191 [inline]
bch2_run_recovery_passes+0xaf9/0xf80 fs/bcachefs/recovery_passes.c:244
bch2_fs_recovery+0x447b/0x5b00 fs/bcachefs/recovery.c:861
bch2_fs_start+0x7b2/0xbd0 fs/bcachefs/super.c:1037
bch2_fs_get_tree+0x13ea/0x22d0 fs/bcachefs/fs.c:2170
vfs_get_tree+0xb1/0x5a0 fs/super.c:1814
do_new_mount+0x71f/0x15e0 fs/namespace.c:3507
path_mount+0x742/0x1f10 fs/namespace.c:3834
do_mount fs/namespace.c:3847 [inline]
__do_sys_mount fs/namespace.c:4057 [inline]
__se_sys_mount+0x722/0x810 fs/namespace.c:4034
__x64_sys_mount+0xe4/0x150 fs/namespace.c:4034
x64_sys_call+0x39bf/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:166
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
CPU: 1 UID: 0 PID: 6059 Comm: syz.2.30 Not tainted 6.12.0-syzkaller-09073-g9f16d5e6f220 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
=====================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
* [syzbot] [bcachefs?] kernel BUG in bch2_get_scanned_nodes
@ 2024-11-28 9:49 syzbot
2024-11-28 20:31 ` [syzbot] syzbot
0 siblings, 1 reply; 141+ messages in thread
From: syzbot @ 2024-11-28 9:49 UTC (permalink / raw)
To: kent.overstreet, linux-bcachefs, linux-kernel, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: f486c8aa16b8 Add linux-next specific files for 20241128
git tree: linux-next
console+strace: https://syzkaller.appspot.com/x/log.txt?x=1432a3c0580000
kernel config: https://syzkaller.appspot.com/x/.config?x=e348a4873516af92
dashboard link: https://syzkaller.appspot.com/bug?extid=64e6509c7f777aec3a24
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1389ef5f980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=164a8f78580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/beb58ebb63cf/disk-f486c8aa.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/b241b5609e64/vmlinux-f486c8aa.xz
kernel image: https://storage.googleapis.com/syzbot-assets/c9d817f665f2/bzImage-f486c8aa.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/ee49d5c23880/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+64e6509c7f777aec3a24@syzkaller.appspotmail.com
bcachefs (loop0): bch2_get_scanned_nodes(): recovery btree=xattrs level=0 POS_MIN - SPOS_MAX
bcachefs (loop0): bch2_get_scanned_nodes(): recovering u64s 11 type btree_ptr_v2 SPOS_MAX len 0 ver 0: seq 22000000ba0abe32 written 8 min_key POS_MIN durability: 1 ptr: 0:31:0 gen 0
invalid bkey in btree_node btree=xattrs level=0: u64s 11 type btree_ptr_v2 SPOS_MAX len 0 ver 0: seq 22000000ba0abe32 written 8 min_key POS_MIN durability: 1 ptr: 0:31:0 gen 0
key at POS_MAX: delete?, fixing
------------[ cut here ]------------
kernel BUG at fs/bcachefs/btree_node_scan.c:546!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 0 UID: 0 PID: 5831 Comm: syz-executor341 Not tainted 6.12.0-next-20241128-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
RIP: 0010:bch2_get_scanned_nodes+0x1e23/0x1e30 fs/bcachefs/btree_node_scan.c:541
Code: 24 18 48 8d b4 24 f0 03 00 00 48 8b 94 24 00 01 00 00 e9 17 e8 ff ff e8 4b de a7 07 e8 f6 74 73 fd 90 0f 0b e8 ee 74 73 fd 90 <0f> 0b 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90
RSP: 0018:ffffc90003e36cc0 EFLAGS: 00010293
RAX: ffffffff842c0012 RBX: ffff888074b80000 RCX: ffff888035983c00
RDX: 0000000000000000 RSI: 00000000fffff75b RDI: 0000000000000000
RBP: ffffc90003e37160 R08: ffffffff842bf611 R09: 1ffffffff285892b
R10: dffffc0000000000 R11: fffffbfff285892c R12: 1ffff920007c6dcc
R13: ffffc90003e37020 R14: 00000000fffff75b R15: dffffc0000000000
FS: 0000555584e7a380(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005590e5ed3c28 CR3: 0000000074aca000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
bch2_check_topology+0x597/0xbb0 fs/bcachefs/btree_gc.c:543
bch2_run_recovery_pass+0xf0/0x1e0 fs/bcachefs/recovery_passes.c:222
bch2_run_recovery_passes+0x290/0x9f0 fs/bcachefs/recovery_passes.c:285
bch2_fs_recovery+0x2660/0x3ab0 fs/bcachefs/recovery.c:917
bch2_fs_start+0x37c/0x610 fs/bcachefs/super.c:1037
bch2_fs_get_tree+0xd8d/0x1740 fs/bcachefs/fs.c:2201
vfs_get_tree+0x90/0x2b0 fs/super.c:1814
do_new_mount+0x2be/0xb40 fs/namespace.c:3507
do_mount fs/namespace.c:3847 [inline]
__do_sys_mount fs/namespace.c:4057 [inline]
__se_sys_mount+0x2d6/0x3c0 fs/namespace.c:4034
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f8b2490497a
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 5e 04 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fffe3bd4ff8 EFLAGS: 00000282 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007fffe3bd5010 RCX: 00007f8b2490497a
RDX: 00000000200000c0 RSI: 0000000020000040 RDI: 00007fffe3bd5010
RBP: 0000000000000004 R08: 00007fffe3bd5050 R09: 000000000000595a
R10: 0000000000800000 R11: 0000000000000282 R12: 0000000000800000
R13: 00007fffe3bd5050 R14: 0000000000000003 R15: 0000000001000000
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:bch2_get_scanned_nodes+0x1e23/0x1e30 fs/bcachefs/btree_node_scan.c:541
Code: 24 18 48 8d b4 24 f0 03 00 00 48 8b 94 24 00 01 00 00 e9 17 e8 ff ff e8 4b de a7 07 e8 f6 74 73 fd 90 0f 0b e8 ee 74 73 fd 90 <0f> 0b 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90
RSP: 0018:ffffc90003e36cc0 EFLAGS: 00010293
RAX: ffffffff842c0012 RBX: ffff888074b80000 RCX: ffff888035983c00
RDX: 0000000000000000 RSI: 00000000fffff75b RDI: 0000000000000000
RBP: ffffc90003e37160 R08: ffffffff842bf611 R09: 1ffffffff285892b
R10: dffffc0000000000 R11: fffffbfff285892c R12: 1ffff920007c6dcc
R13: ffffc90003e37020 R14: 00000000fffff75b R15: dffffc0000000000
FS: 0000555584e7a380(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005590e5ed3c28 CR3: 0000000074aca000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
* [syzbot] [bcachefs?] KMSAN: uninit-value in bch2_bkey_cmp_packed_inlined (2)
@ 2024-11-27 18:59 syzbot
2025-04-01 4:01 ` [syzbot] syzbot
0 siblings, 1 reply; 141+ messages in thread
From: syzbot @ 2024-11-27 18:59 UTC (permalink / raw)
To: kent.overstreet, linux-bcachefs, linux-kernel, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 7eef7e306d3c Merge tag 'for-6.13/dm-changes' of git://git...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=131543c0580000
kernel config: https://syzkaller.appspot.com/x/.config?x=c5486b9d7cc64830
dashboard link: https://syzkaller.appspot.com/bug?extid=65b594f491e4023728b0
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12eb2f5f980000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/2331c33a914b/disk-7eef7e30.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/8e50ed828391/vmlinux-7eef7e30.xz
kernel image: https://storage.googleapis.com/syzbot-assets/a942e199e781/bzImage-7eef7e30.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/94dbb977c302/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+65b594f491e4023728b0@syzkaller.appspotmail.com
=====================================================
BUG: KMSAN: uninit-value in bch2_bkey_cmp_packed_inlined+0x8d0/0xd50 fs/bcachefs/bkey_cmp.h:115
bch2_bkey_cmp_packed_inlined+0x8d0/0xd50 fs/bcachefs/bkey_cmp.h:115
bch2_sort_keys_keep_unwritten_whiteouts+0xf94/0x19d0 fs/bcachefs/bkey_sort.c:184
__bch2_btree_node_write+0x3ae8/0x6830 fs/bcachefs/btree_io.c:2095
bch2_btree_node_write+0xa5/0x2e0 fs/bcachefs/btree_io.c:2284
btree_node_write_if_need fs/bcachefs/btree_io.h:151 [inline]
btree_update_nodes_written fs/bcachefs/btree_update_interior.c:833 [inline]
btree_interior_update_work+0x3c24/0x4870 fs/bcachefs/btree_update_interior.c:861
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xae0/0x1c40 kernel/workqueue.c:3310
worker_thread+0xea7/0x14f0 kernel/workqueue.c:3391
kthread+0x3e2/0x540 kernel/kthread.c:389
ret_from_fork+0x6d/0x90 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
Uninit was created at:
___kmalloc_large_node+0x22c/0x370 mm/slub.c:4238
__kmalloc_large_node_noprof+0x3f/0x1e0 mm/slub.c:4255
__do_kmalloc_node mm/slub.c:4271 [inline]
__kmalloc_node_noprof+0xc96/0x1250 mm/slub.c:4289
__kvmalloc_node_noprof+0xc0/0x2d0 mm/util.c:650
btree_node_data_alloc fs/bcachefs/btree_cache.c:153 [inline]
__bch2_btree_node_mem_alloc+0x2be/0xa80 fs/bcachefs/btree_cache.c:198
bch2_fs_btree_cache_init+0x4e4/0xb50 fs/bcachefs/btree_cache.c:653
bch2_fs_alloc fs/bcachefs/super.c:917 [inline]
bch2_fs_open+0x4d3a/0x5b40 fs/bcachefs/super.c:2065
bch2_fs_get_tree+0x983/0x22d0 fs/bcachefs/fs.c:2157
vfs_get_tree+0xb1/0x5a0 fs/super.c:1814
do_new_mount+0x71f/0x15e0 fs/namespace.c:3507
path_mount+0x742/0x1f10 fs/namespace.c:3834
do_mount fs/namespace.c:3847 [inline]
__do_sys_mount fs/namespace.c:4057 [inline]
__se_sys_mount+0x722/0x810 fs/namespace.c:4034
__x64_sys_mount+0xe4/0x150 fs/namespace.c:4034
x64_sys_call+0x39bf/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:166
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
CPU: 1 UID: 0 PID: 13 Comm: kworker/u8:1 Not tainted 6.12.0-syzkaller-09567-g7eef7e306d3c #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: btree_update btree_interior_update_work
=====================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
* [syzbot] upstream build error (22)
@ 2024-11-27 0:00 syzbot
2025-02-03 12:55 ` [syzbot] syzbot
0 siblings, 1 reply; 141+ messages in thread
From: syzbot @ 2024-11-27 0:00 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 9f16d5e6f220 Merge tag 'for-linus' of git://git.kernel.org..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12cd69c0580000
kernel config: https://syzkaller.appspot.com/x/.config?x=604eacde21ba24e2
dashboard link: https://syzkaller.appspot.com/bug?extid=f6c113186405efe2140e
compiler: aarch64-linux-gnu-gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+f6c113186405efe2140e@syzkaller.appspotmail.com
failed to run ["make" "-j" "16" "ARCH=arm64" "CROSS_COMPILE=aarch64-linux-gnu-" "Image.gz"]: exit status 2
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
* [syzbot] [bcachefs?] KMSAN: uninit-value in bch2_trans_start_alloc_update
@ 2024-11-26 0:00 syzbot
2025-04-01 4:08 ` [syzbot] syzbot
0 siblings, 1 reply; 141+ messages in thread
From: syzbot @ 2024-11-26 0:00 UTC (permalink / raw)
To: kent.overstreet, linux-bcachefs, linux-kernel, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 06afb0f36106 Merge tag 'trace-v6.13' of git://git.kernel.o..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=124736e8580000
kernel config: https://syzkaller.appspot.com/x/.config?x=ef9abe59471e0aee
dashboard link: https://syzkaller.appspot.com/bug?extid=f02ee424846cc4e04e04
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=164736e8580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12347b78580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/25d599464308/disk-06afb0f3.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/0846a79f5c2a/vmlinux-06afb0f3.xz
kernel image: https://storage.googleapis.com/syzbot-assets/a69b15a49da1/bzImage-06afb0f3.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/da403496381c/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+f02ee424846cc4e04e04@syzkaller.appspotmail.com
=====================================================
BUG: KMSAN: uninit-value in bch2_alloc_to_v4_mut_inlined fs/bcachefs/alloc_background.c:447 [inline]
BUG: KMSAN: uninit-value in bch2_trans_start_alloc_update_noupdate fs/bcachefs/alloc_background.c:472 [inline]
BUG: KMSAN: uninit-value in bch2_trans_start_alloc_update+0x674/0x14b0 fs/bcachefs/alloc_background.c:487
bch2_alloc_to_v4_mut_inlined fs/bcachefs/alloc_background.c:447 [inline]
bch2_trans_start_alloc_update_noupdate fs/bcachefs/alloc_background.c:472 [inline]
bch2_trans_start_alloc_update+0x674/0x14b0 fs/bcachefs/alloc_background.c:487
bch2_trigger_pointer fs/bcachefs/buckets.c:588 [inline]
__trigger_extent+0x2425/0x6810 fs/bcachefs/buckets.c:740
bch2_trigger_extent+0x90e/0x11a0 fs/bcachefs/buckets.c:869
bch2_key_trigger fs/bcachefs/bkey_methods.h:87 [inline]
bch2_key_trigger_old fs/bcachefs/bkey_methods.h:101 [inline]
btree_update_nodes_written_trans fs/bcachefs/btree_update_interior.c:651 [inline]
btree_update_nodes_written fs/bcachefs/btree_update_interior.c:723 [inline]
btree_interior_update_work+0x1661/0x4870 fs/bcachefs/btree_update_interior.c:861
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xae0/0x1c40 kernel/workqueue.c:3310
worker_thread+0xea7/0x14f0 kernel/workqueue.c:3391
kthread+0x3e2/0x540 kernel/kthread.c:389
ret_from_fork+0x6d/0x90 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
Uninit was stored to memory at:
memcpy_u64s_small fs/bcachefs/util.h:393 [inline]
bkey_reassemble fs/bcachefs/bkey.h:513 [inline]
btree_key_cache_create fs/bcachefs/btree_key_cache.c:259 [inline]
btree_key_cache_fill+0x13da/0x3d60 fs/bcachefs/btree_key_cache.c:309
bch2_btree_path_traverse_cached+0x988/0xe20 fs/bcachefs/btree_key_cache.c:361
bch2_btree_path_traverse_one+0x749/0x47b0 fs/bcachefs/btree_iter.c:1159
bch2_btree_path_traverse fs/bcachefs/btree_iter.h:247 [inline]
bch2_btree_iter_peek_slot+0x10b7/0x3950 fs/bcachefs/btree_iter.c:2629
__bch2_bkey_get_iter fs/bcachefs/btree_iter.h:575 [inline]
bch2_bkey_get_iter fs/bcachefs/btree_iter.h:589 [inline]
bch2_trans_start_alloc_update_noupdate fs/bcachefs/alloc_background.c:464 [inline]
bch2_trans_start_alloc_update+0x3d8/0x14b0 fs/bcachefs/alloc_background.c:487
bch2_trigger_pointer fs/bcachefs/buckets.c:588 [inline]
__trigger_extent+0x2425/0x6810 fs/bcachefs/buckets.c:740
bch2_trigger_extent+0x90e/0x11a0 fs/bcachefs/buckets.c:869
bch2_key_trigger fs/bcachefs/bkey_methods.h:87 [inline]
bch2_key_trigger_old fs/bcachefs/bkey_methods.h:101 [inline]
btree_update_nodes_written_trans fs/bcachefs/btree_update_interior.c:651 [inline]
btree_update_nodes_written fs/bcachefs/btree_update_interior.c:723 [inline]
btree_interior_update_work+0x1661/0x4870 fs/bcachefs/btree_update_interior.c:861
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xae0/0x1c40 kernel/workqueue.c:3310
worker_thread+0xea7/0x14f0 kernel/workqueue.c:3391
kthread+0x3e2/0x540 kernel/kthread.c:389
ret_from_fork+0x6d/0x90 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
Uninit was created at:
___kmalloc_large_node+0x22c/0x370 mm/slub.c:4219
__kmalloc_large_node_noprof+0x3f/0x1e0 mm/slub.c:4236
__do_kmalloc_node mm/slub.c:4252 [inline]
__kmalloc_node_noprof+0x9d6/0xf50 mm/slub.c:4270
__kvmalloc_node_noprof+0xc0/0x2d0 mm/util.c:658
btree_node_data_alloc fs/bcachefs/btree_cache.c:153 [inline]
__bch2_btree_node_mem_alloc+0x2be/0xa80 fs/bcachefs/btree_cache.c:198
bch2_fs_btree_cache_init+0x4e4/0xb50 fs/bcachefs/btree_cache.c:653
bch2_fs_alloc fs/bcachefs/super.c:917 [inline]
bch2_fs_open+0x4d3a/0x5b40 fs/bcachefs/super.c:2065
bch2_fs_get_tree+0x983/0x22d0 fs/bcachefs/fs.c:2157
vfs_get_tree+0xb1/0x5a0 fs/super.c:1814
do_new_mount+0x71f/0x15e0 fs/namespace.c:3507
path_mount+0x742/0x1f10 fs/namespace.c:3834
do_mount fs/namespace.c:3847 [inline]
__do_sys_mount fs/namespace.c:4057 [inline]
__se_sys_mount+0x722/0x810 fs/namespace.c:4034
__x64_sys_mount+0xe4/0x150 fs/namespace.c:4034
x64_sys_call+0x39bf/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:166
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
CPU: 1 UID: 0 PID: 75 Comm: kworker/u8:5 Not tainted 6.12.0-syzkaller-07834-g06afb0f36106 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: btree_update btree_interior_update_work
=====================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
* [syzbot] [bcachefs?] BUG: corrupted list in bch2_btree_and_journal_iter_exit
@ 2024-11-25 13:28 syzbot
2024-11-28 20:12 ` [syzbot] syzbot
0 siblings, 1 reply; 141+ messages in thread
From: syzbot @ 2024-11-25 13:28 UTC (permalink / raw)
To: kent.overstreet, linux-bcachefs, linux-kernel, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 9f16d5e6f220 Merge tag 'for-linus' of git://git.kernel.org..
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=1238e9c0580000
kernel config: https://syzkaller.appspot.com/x/.config?x=e92fc420ca55fe33
dashboard link: https://syzkaller.appspot.com/bug?extid=2f7c2225ed8a5cb24af1
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16cf575f980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14be0530580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/c9f905470542/disk-9f16d5e6.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/5b4c9cc530ec/vmlinux-9f16d5e6.xz
kernel image: https://storage.googleapis.com/syzbot-assets/e0f262e4c35e/bzImage-9f16d5e6.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/f54c993ed1c0/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+2f7c2225ed8a5cb24af1@syzkaller.appspotmail.com
bcachefs (loop0): stripes_read... done
bcachefs (loop0): snapshots_read... done
bcachefs (loop0): check_allocations...
btree root with incorrect max_key: 18446744073707239423:U64_MAX:U32_MAX, continuing
list_del corruption, ffffc90003f06588->next is NULL
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:53!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 1 UID: 0 PID: 5836 Comm: syz-executor268 Not tainted 6.12.0-syzkaller-09073-g9f16d5e6f220 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
RIP: 0010:__list_del_entry_valid_or_report+0xd0/0x140 lib/list_debug.c:52
Code: 56 fe 49 fd 48 8b 13 4c 39 fa 75 6b b0 01 5b 41 5c 41 5e 41 5f c3 cc cc cc cc 48 c7 c7 00 ad 5f 8c 4c 89 fe e8 51 50 08 07 90 <0f> 0b 48 c7 c7 60 ad 5f 8c 4c 89 fe e8 3f 50 08 07 90 0f 0b 48 c7
RSP: 0018:ffffc90003f06400 EFLAGS: 00010246
RAX: 0000000000000033 RBX: 0000000000000000 RCX: bdc83a46e3ff8100
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: ffffc90003f06790 R08: ffffffff8175714c R09: 1ffff920007e0c1c
R10: dffffc0000000000 R11: fffff520007e0c1d R12: dffffc0000000000
R13: dffffc0000000000 R14: 0000000000000000 R15: ffffc90003f06588
FS: 0000555585f8b380(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055a3fcc540f0 CR3: 00000000746f0000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
__list_del_entry_valid include/linux/list.h:124 [inline]
__list_del_entry include/linux/list.h:215 [inline]
list_del include/linux/list.h:229 [inline]
bch2_journal_iter_exit fs/bcachefs/btree_journal_iter.c:339 [inline]
bch2_btree_and_journal_iter_exit+0x2c/0x100 fs/bcachefs/btree_journal_iter.c:443
bch2_btree_node_check_topology+0x13dd/0x2b00 fs/bcachefs/btree_update_interior.c:144
bch2_gc_mark_key+0x1dc/0x10e0 fs/bcachefs/btree_gc.c:588
bch2_gc_btree fs/bcachefs/btree_gc.c:670 [inline]
bch2_gc_btrees fs/bcachefs/btree_gc.c:729 [inline]
bch2_check_allocations+0x1c3e/0x7070 fs/bcachefs/btree_gc.c:1133
bch2_run_recovery_pass+0xf0/0x1e0 fs/bcachefs/recovery_passes.c:191
bch2_run_recovery_passes+0x3a7/0x880 fs/bcachefs/recovery_passes.c:244
bch2_fs_recovery+0x25cc/0x39d0 fs/bcachefs/recovery.c:861
bch2_fs_start+0x356/0x5b0 fs/bcachefs/super.c:1037
bch2_fs_get_tree+0xd68/0x1710 fs/bcachefs/fs.c:2170
vfs_get_tree+0x90/0x2b0 fs/super.c:1814
do_new_mount+0x2be/0xb40 fs/namespace.c:3507
do_mount fs/namespace.c:3847 [inline]
__do_sys_mount fs/namespace.c:4057 [inline]
__se_sys_mount+0x2d6/0x3c0 fs/namespace.c:4034
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fa7105e0a7a
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 5e 04 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffe1b2a6168 EFLAGS: 00000282 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007ffe1b2a6180 RCX: 00007fa7105e0a7a
RDX: 0000000020000040 RSI: 0000000020000000 RDI: 00007ffe1b2a6180
RBP: 0000000000000004 R08: 00007ffe1b2a61c0 R09: 0000000000005993
R10: 0000000000800000 R11: 0000000000000282 R12: 0000000000800000
R13: 00007ffe1b2a61c0 R14: 0000000000000003 R15: 0000000001000000
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__list_del_entry_valid_or_report+0xd0/0x140 lib/list_debug.c:52
Code: 56 fe 49 fd 48 8b 13 4c 39 fa 75 6b b0 01 5b 41 5c 41 5e 41 5f c3 cc cc cc cc 48 c7 c7 00 ad 5f 8c 4c 89 fe e8 51 50 08 07 90 <0f> 0b 48 c7 c7 60 ad 5f 8c 4c 89 fe e8 3f 50 08 07 90 0f 0b 48 c7
RSP: 0018:ffffc90003f06400 EFLAGS: 00010246
RAX: 0000000000000033 RBX: 0000000000000000 RCX: bdc83a46e3ff8100
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: ffffc90003f06790 R08: ffffffff8175714c R09: 1ffff920007e0c1c
R10: dffffc0000000000 R11: fffff520007e0c1d R12: dffffc0000000000
R13: dffffc0000000000 R14: 0000000000000000 R15: ffffc90003f06588
FS: 0000555585f8b380(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055a3fcc540f0 CR3: 00000000746f0000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite the report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
* [syzbot] [bcachefs?] kernel BUG in bch2_journal_pin_set
@ 2024-11-25 13:28 syzbot
2024-11-28 3:23 ` [syzbot] syzbot
0 siblings, 1 reply; 141+ messages in thread
From: syzbot @ 2024-11-25 13:28 UTC (permalink / raw)
To: kent.overstreet, linux-bcachefs, linux-kernel, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 9f16d5e6f220 Merge tag 'for-linus' of git://git.kernel.org..
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=1411a530580000
kernel config: https://syzkaller.appspot.com/x/.config?x=e92fc420ca55fe33
dashboard link: https://syzkaller.appspot.com/bug?extid=3bd0834534ada7200422
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=162325c0580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=112325c0580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/c9f905470542/disk-9f16d5e6.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/5b4c9cc530ec/vmlinux-9f16d5e6.xz
kernel image: https://storage.googleapis.com/syzbot-assets/e0f262e4c35e/bzImage-9f16d5e6.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/68d3db7c217d/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+3bd0834534ada7200422@syzkaller.appspotmail.com
bucket 0:42 gen 0 data type btree has wrong dirty_sectors: got 0, should be 256, fixing
done
bcachefs (loop0): going read-write
bcachefs (loop0): journal_replay...
------------[ cut here ]------------
kernel BUG at fs/bcachefs/journal_reclaim.h:30!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 1 UID: 0 PID: 5839 Comm: syz-executor780 Not tainted 6.12.0-syzkaller-09073-g9f16d5e6f220 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
RIP: 0010:journal_seq_pin fs/bcachefs/journal_reclaim.h:30 [inline]
RIP: 0010:bch2_journal_pin_set_locked fs/bcachefs/journal_reclaim.c:389 [inline]
RIP: 0010:bch2_journal_pin_set+0x766/0x780 fs/bcachefs/journal_reclaim.c:449
Code: c1 0f 8c fe f9 ff ff 48 89 df e8 c5 28 c8 fd e9 f1 f9 ff ff e8 5b 71 60 fd 90 0f 0b e8 53 71 60 fd 90 0f 0b e8 4b 71 60 fd 90 <0f> 0b e8 43 71 60 fd 90 0f 0b e8 3b 71 60 fd 90 0f 0b e8 33 71 60
RSP: 0018:ffffc9000394ee50 EFLAGS: 00010293
RAX: ffffffff84356e75 RBX: 0000000000000000 RCX: ffff88802c313c00
RDX: 0000000000000000 RSI: ffffffffffffffff RDI: 0000000000000000
RBP: 0000000000000000 R08: ffffffff84356bc2 R09: fffff52000729db8
R10: dffffc0000000000 R11: fffff52000729db8 R12: ffff88802766c901
R13: ffff8880789ca500 R14: ffff88802766c940 R15: ffffffffffffffff
FS: 00005555718ec380(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000557704c1da48 CR3: 000000007a91c000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
bch2_journal_pin_add fs/bcachefs/journal_reclaim.h:48 [inline]
bch2_btree_add_journal_pin fs/bcachefs/btree_trans_commit.c:274 [inline]
bch2_btree_insert_key_leaf+0x800/0xa90 fs/bcachefs/btree_trans_commit.c:306
bch2_trans_commit_write_locked fs/bcachefs/btree_trans_commit.c:820 [inline]
do_bch2_trans_commit fs/bcachefs/btree_trans_commit.c:900 [inline]
__bch2_trans_commit+0x7163/0x93c0 fs/bcachefs/btree_trans_commit.c:1121
bch2_trans_commit fs/bcachefs/btree_update.h:184 [inline]
bch2_journal_replay+0x1a3a/0x2a40 fs/bcachefs/recovery.c:317
bch2_run_recovery_pass+0xf0/0x1e0 fs/bcachefs/recovery_passes.c:191
bch2_run_recovery_passes+0x3a7/0x880 fs/bcachefs/recovery_passes.c:244
bch2_fs_recovery+0x25cc/0x39d0 fs/bcachefs/recovery.c:861
bch2_fs_start+0x356/0x5b0 fs/bcachefs/super.c:1037
bch2_fs_get_tree+0xd68/0x1710 fs/bcachefs/fs.c:2170
vfs_get_tree+0x90/0x2b0 fs/super.c:1814
do_new_mount+0x2be/0xb40 fs/namespace.c:3507
do_mount fs/namespace.c:3847 [inline]
__do_sys_mount fs/namespace.c:4057 [inline]
__se_sys_mount+0x2d6/0x3c0 fs/namespace.c:4034
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fc6f34c6dea
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 5e 04 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffc6a712b88 EFLAGS: 00000282 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007ffc6a712ba0 RCX: 00007fc6f34c6dea
RDX: 0000000020000000 RSI: 0000000020000080 RDI: 00007ffc6a712ba0
RBP: 0000000000000004 R08: 00007ffc6a712be0 R09: 0000000000005983
R10: 0000000000000000 R11: 0000000000000282 R12: 0000000000000000
R13: 00007ffc6a712be0 R14: 0000000000000003 R15: 0000000001000000
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:journal_seq_pin fs/bcachefs/journal_reclaim.h:30 [inline]
RIP: 0010:bch2_journal_pin_set_locked fs/bcachefs/journal_reclaim.c:389 [inline]
RIP: 0010:bch2_journal_pin_set+0x766/0x780 fs/bcachefs/journal_reclaim.c:449
Code: c1 0f 8c fe f9 ff ff 48 89 df e8 c5 28 c8 fd e9 f1 f9 ff ff e8 5b 71 60 fd 90 0f 0b e8 53 71 60 fd 90 0f 0b e8 4b 71 60 fd 90 <0f> 0b e8 43 71 60 fd 90 0f 0b e8 3b 71 60 fd 90 0f 0b e8 33 71 60
RSP: 0018:ffffc9000394ee50 EFLAGS: 00010293
RAX: ffffffff84356e75 RBX: 0000000000000000 RCX: ffff88802c313c00
RDX: 0000000000000000 RSI: ffffffffffffffff RDI: 0000000000000000
RBP: 0000000000000000 R08: ffffffff84356bc2 R09: fffff52000729db8
R10: dffffc0000000000 R11: fffff52000729db8 R12: ffff88802766c901
R13: ffff8880789ca500 R14: ffff88802766c940 R15: ffffffffffffffff
FS: 00005555718ec380(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000557704c1da48 CR3: 000000007a91c000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite the report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
* [syzbot] [bcachefs?] kernel BUG in bch2_evacuate_bucket
@ 2024-11-25 13:05 syzbot
2024-11-29 0:39 ` [syzbot] syzbot
0 siblings, 1 reply; 141+ messages in thread
From: syzbot @ 2024-11-25 13:05 UTC (permalink / raw)
To: kent.overstreet, linux-bcachefs, linux-kernel, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 9f16d5e6f220 Merge tag 'for-linus' of git://git.kernel.org..
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=13260ee8580000
kernel config: https://syzkaller.appspot.com/x/.config?x=e92fc420ca55fe33
dashboard link: https://syzkaller.appspot.com/bug?extid=bd56952613b5dae47ca4
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=124c25c0580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=164c25c0580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/c9f905470542/disk-9f16d5e6.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/5b4c9cc530ec/vmlinux-9f16d5e6.xz
kernel image: https://storage.googleapis.com/syzbot-assets/e0f262e4c35e/bzImage-9f16d5e6.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/8b2fe0894685/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+bd56952613b5dae47ca4@syzkaller.appspotmail.com
------------[ cut here ]------------
kernel BUG at fs/bcachefs/bkey_types.h:210!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 1 UID: 0 PID: 5847 Comm: bch-copygc/loop Not tainted 6.12.0-syzkaller-09073-g9f16d5e6f220 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
RIP: 0010:bkey_s_c_to_backpointer fs/bcachefs/bkey_types.h:210 [inline]
RIP: 0010:bch2_get_next_backpointer+0x1316/0x1320 fs/bcachefs/backpointers.c:257
Code: f9 fd e9 56 f9 ff ff e8 78 58 91 fd 90 0f 0b e8 d0 5a ba 07 e8 6b 58 91 fd 90 0f 0b e8 63 58 91 fd 90 0f 0b e8 5b 58 91 fd 90 <0f> 0b 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90
RSP: 0018:ffffc90003dd6c80 EFLAGS: 00010293
RAX: ffffffff84048765 RBX: 00000000000000b3 RCX: ffff888033fc5a00
RDX: 0000000000000000 RSI: 00000000000000b3 RDI: 000000000000001c
RBP: ffffc90003dd6ff8 R08: ffffffff840480a8 R09: 0000000000000000
R10: 0000000000880000 R11: 0000000000000000 R12: ffff88807dae4000
R13: 1ffff920007bad9c R14: ffffc90003dd6ed0 R15: ffff88806f8c0160
FS: 0000000000000000(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055f337ebb000 CR3: 000000007db9a000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
bch2_evacuate_bucket+0x113c/0x3620 fs/bcachefs/move.c:708
bch2_copygc+0x42c9/0x4ca0 fs/bcachefs/movinggc.c:240
bch2_copygc_thread+0x737/0xc20 fs/bcachefs/movinggc.c:381
kthread+0x2f0/0x390 kernel/kthread.c:389
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:bkey_s_c_to_backpointer fs/bcachefs/bkey_types.h:210 [inline]
RIP: 0010:bch2_get_next_backpointer+0x1316/0x1320 fs/bcachefs/backpointers.c:257
Code: f9 fd e9 56 f9 ff ff e8 78 58 91 fd 90 0f 0b e8 d0 5a ba 07 e8 6b 58 91 fd 90 0f 0b e8 63 58 91 fd 90 0f 0b e8 5b 58 91 fd 90 <0f> 0b 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90
RSP: 0018:ffffc90003dd6c80 EFLAGS: 00010293
RAX: ffffffff84048765 RBX: 00000000000000b3 RCX: ffff888033fc5a00
RDX: 0000000000000000 RSI: 00000000000000b3 RDI: 000000000000001c
RBP: ffffc90003dd6ff8 R08: ffffffff840480a8 R09: 0000000000000000
R10: 0000000000880000 R11: 0000000000000000 R12: ffff88807dae4000
R13: 1ffff920007bad9c R14: ffffc90003dd6ed0 R15: ffff88806f8c0160
FS: 0000000000000000(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055f337c9a518 CR3: 000000007ce96000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite the report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
* [syzbot] [bcachefs?] kernel BUG in __bch2_journal_pin_put
@ 2024-11-25 3:10 syzbot
2024-11-28 3:00 ` [syzbot] syzbot
0 siblings, 1 reply; 141+ messages in thread
From: syzbot @ 2024-11-25 3:10 UTC (permalink / raw)
To: kent.overstreet, linux-bcachefs, linux-kernel, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 8f7c8b88bda4 Merge tag 'sched_ext-for-6.13' of git://git.k..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=116f1930580000
kernel config: https://syzkaller.appspot.com/x/.config?x=48190c1cdf985419
dashboard link: https://syzkaller.appspot.com/bug?extid=73ed43fbe826227bd4e0
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7feb34a89c2a/non_bootable_disk-8f7c8b88.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/c5e6fdef85e9/vmlinux-8f7c8b88.xz
kernel image: https://storage.googleapis.com/syzbot-assets/67596a080582/bzImage-8f7c8b88.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+73ed43fbe826227bd4e0@syzkaller.appspotmail.com
Bluetooth: hci0: command tx timeout
------------[ cut here ]------------
kernel BUG at fs/bcachefs/journal_reclaim.h:30!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 5345 Comm: kworker/u5:3 Not tainted 6.12.0-syzkaller-01892-g8f7c8b88bda4 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: bcachefs_journal journal_write_work
RIP: 0010:journal_seq_pin fs/bcachefs/journal_reclaim.h:30 [inline]
RIP: 0010:__bch2_journal_pin_put+0x121/0x130 fs/bcachefs/journal_reclaim.c:327
Code: 62 53 fd 31 ff 89 de e8 6d 62 53 fd 89 d8 5b 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc e8 58 5f 53 fd 90 0f 0b e8 50 5f 53 fd 90 <0f> 0b 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 90 90 90 90 90 90 90
RSP: 0018:ffffc9000d2efa10 EFLAGS: 00010293
RAX: ffffffff84417ee0 RBX: 0000000000000000 RCX: ffff888000de8000
RDX: 0000000000000000 RSI: ffffffffffffffff RDI: 0000000000000000
RBP: ffffc9000d2efb78 R08: ffffffff84417e41 R09: ffffffff843ef148
R10: 0000000000000004 R11: ffff888000de8000 R12: dffffc0000000000
R13: ffff888052e4a500 R14: ffffffffffffffff R15: ffff888052e4a500
FS: 0000000000000000(0000) GS:ffff88801fc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055edf841c118 CR3: 000000004316a000 CR4: 0000000000352ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
bch2_journal_buf_put_final fs/bcachefs/journal.c:217 [inline]
__bch2_journal_buf_put fs/bcachefs/journal.h:276 [inline]
__journal_entry_close+0x80a/0xe30 fs/bcachefs/journal.c:301
journal_write_work+0x129/0x140 fs/bcachefs/journal.c:487
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310
worker_thread+0x870/0xd30 kernel/workqueue.c:3391
kthread+0x2f0/0x390 kernel/kthread.c:389
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:journal_seq_pin fs/bcachefs/journal_reclaim.h:30 [inline]
RIP: 0010:__bch2_journal_pin_put+0x121/0x130 fs/bcachefs/journal_reclaim.c:327
Code: 62 53 fd 31 ff 89 de e8 6d 62 53 fd 89 d8 5b 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc e8 58 5f 53 fd 90 0f 0b e8 50 5f 53 fd 90 <0f> 0b 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 90 90 90 90 90 90 90
RSP: 0018:ffffc9000d2efa10 EFLAGS: 00010293
RAX: ffffffff84417ee0 RBX: 0000000000000000 RCX: ffff888000de8000
RDX: 0000000000000000 RSI: ffffffffffffffff RDI: 0000000000000000
RBP: ffffc9000d2efb78 R08: ffffffff84417e41 R09: ffffffff843ef148
R10: 0000000000000004 R11: ffff888000de8000 R12: dffffc0000000000
R13: ffff888052e4a500 R14: ffffffffffffffff R15: ffff888052e4a500
FS: 0000000000000000(0000) GS:ffff88801fc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055edf841c118 CR3: 000000004316a000 CR4: 0000000000352ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite the report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
* [syzbot] [bcachefs?] kernel BUG in bch2_btree_pos_to_text (2)
@ 2024-11-22 18:44 syzbot
2024-11-25 3:59 ` [syzbot] syzbot
0 siblings, 1 reply; 141+ messages in thread
From: syzbot @ 2024-11-22 18:44 UTC (permalink / raw)
To: kent.overstreet, linux-bcachefs, linux-kernel, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 158f238aa69d Merge tag 'for-linus-6.13-rc1-tag' of git://g..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13798b78580000
kernel config: https://syzkaller.appspot.com/x/.config?x=6e547da255e4eefa
dashboard link: https://syzkaller.appspot.com/bug?extid=1f202d4da221ec6ebf8e
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12e386c0580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1105875f980000
Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7feb34a89c2a/non_bootable_disk-158f238a.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/0a823971fc99/vmlinux-158f238a.xz
kernel image: https://storage.googleapis.com/syzbot-assets/e215e05844b2/bzImage-158f238a.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/b0994925a8f6/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+1f202d4da221ec6ebf8e@syzkaller.appspotmail.com
invalid bkey u64s 5 type set 18446462598867058688:34:0 len 3072 ver 0
size != 0: delete?, fixing
------------[ cut here ]------------
kernel BUG at fs/bcachefs/btree_cache.h:131!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 5321 Comm: read_btree_node Not tainted 6.12.0-syzkaller-00971-g158f238aa69d #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:bch2_btree_id_root fs/bcachefs/btree_cache.h:131 [inline]
RIP: 0010:bch2_btree_pos_to_text+0x1ee/0x1f0 fs/bcachefs/btree_cache.c:1403
Code: 00 00 fc ff df e9 70 ff ff ff 89 d9 80 e1 07 38 c1 0f 8c 7a ff ff ff 48 89 df e8 fd 89 e9 fd e9 6d ff ff ff e8 c3 a1 7f fd 90 <0f> 0b 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa
RSP: 0018:ffffc9000d14f448 EFLAGS: 00010293
RAX: ffffffff8415501d RBX: 000000000000001e RCX: ffff888000c04880
RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000000
RBP: 0000000000000000 R08: ffffffff84154f0a R09: 0000000000000000
R10: ffffc9000d14f5e0 R11: fffff52001a29ec1 R12: ffff888040420800
R13: ffff888044700000 R14: ffff888044700000 R15: ffffc9000d14f5e0
FS: 0000000000000000(0000) GS:ffff88801fc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000562b097d2fd0 CR3: 0000000011e62000 CR4: 0000000000352ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
btree_node_read_work+0x486/0x1260 fs/bcachefs/btree_io.c:1308
bch2_btree_node_read+0x2433/0x2a10
bch2_btree_node_fill+0xc75/0x12f0 fs/bcachefs/btree_cache.c:991
bch2_btree_node_get_noiter+0x9d5/0xf70 fs/bcachefs/btree_cache.c:1260
found_btree_node_is_readable fs/bcachefs/btree_node_scan.c:85 [inline]
try_read_btree_node fs/bcachefs/btree_node_scan.c:193 [inline]
read_btree_nodes_worker+0x13c5/0x2220 fs/bcachefs/btree_node_scan.c:242
kthread+0x2f0/0x390 kernel/kthread.c:389
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:bch2_btree_id_root fs/bcachefs/btree_cache.h:131 [inline]
RIP: 0010:bch2_btree_pos_to_text+0x1ee/0x1f0 fs/bcachefs/btree_cache.c:1403
Code: 00 00 fc ff df e9 70 ff ff ff 89 d9 80 e1 07 38 c1 0f 8c 7a ff ff ff 48 89 df e8 fd 89 e9 fd e9 6d ff ff ff e8 c3 a1 7f fd 90 <0f> 0b 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa
RSP: 0018:ffffc9000d14f448 EFLAGS: 00010293
RAX: ffffffff8415501d RBX: 000000000000001e RCX: ffff888000c04880
RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000000
RBP: 0000000000000000 R08: ffffffff84154f0a R09: 0000000000000000
R10: ffffc9000d14f5e0 R11: fffff52001a29ec1 R12: ffff888040420800
R13: ffff888044700000 R14: ffff888044700000 R15: ffffc9000d14f5e0
FS: 0000000000000000(0000) GS:ffff88801fc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055b6646f3018 CR3: 0000000011e62000 CR4: 0000000000352ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite the report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
* [syzbot] [bcachefs?] KMSAN: uninit-value in rw_aux_tree_set (2)
@ 2024-11-22 18:44 syzbot
2025-04-01 4:09 ` [syzbot] syzbot
0 siblings, 1 reply; 141+ messages in thread
From: syzbot @ 2024-11-22 18:44 UTC (permalink / raw)
To: kent.overstreet, linux-bcachefs, linux-kernel, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: fc39fb56917b Merge tag 'jfs-6.13' of github.com:kleikamp/l..
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=1346bec0580000
kernel config: https://syzkaller.appspot.com/x/.config?x=1a5c320d506b5745
dashboard link: https://syzkaller.appspot.com/bug?extid=ed52fb987e4b52cbfad9
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16565b78580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1746bec0580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/c35bd17a0dc5/disk-fc39fb56.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/900f3f8ce653/vmlinux-fc39fb56.xz
kernel image: https://storage.googleapis.com/syzbot-assets/fae5edad1eaf/bzImage-fc39fb56.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/989b3cf7acff/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ed52fb987e4b52cbfad9@syzkaller.appspotmail.com
=====================================================
BUG: KMSAN: uninit-value in bkey_unpack_pos fs/bcachefs/bkey.h:463 [inline]
BUG: KMSAN: uninit-value in rw_aux_tree_set+0x4d2/0x580 fs/bcachefs/bset.c:494
bkey_unpack_pos fs/bcachefs/bkey.h:463 [inline]
rw_aux_tree_set+0x4d2/0x580 fs/bcachefs/bset.c:494
rw_aux_tree_insert_entry+0x6c3/0x970 fs/bcachefs/bset.c:913
bch2_bset_fix_lookup_table+0xecc/0x13e0
bch2_bset_insert+0x1621/0x19f0 fs/bcachefs/bset.c:1015
bch2_btree_bset_insert_key+0xf4e/0x2b60 fs/bcachefs/btree_trans_commit.c:217
bch2_btree_insert_key_leaf+0x276/0x1050 fs/bcachefs/btree_trans_commit.c:300
bch2_trans_commit_write_locked fs/bcachefs/btree_trans_commit.c:820 [inline]
do_bch2_trans_commit fs/bcachefs/btree_trans_commit.c:900 [inline]
__bch2_trans_commit+0xaf5e/0xd190 fs/bcachefs/btree_trans_commit.c:1121
bch2_trans_commit fs/bcachefs/btree_update.h:184 [inline]
btree_update_nodes_written fs/bcachefs/btree_update_interior.c:723 [inline]
btree_interior_update_work+0x2080/0x4870 fs/bcachefs/btree_update_interior.c:861
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xae0/0x1c40 kernel/workqueue.c:3310
worker_thread+0xea7/0x14f0 kernel/workqueue.c:3391
kthread+0x3e2/0x540 kernel/kthread.c:389
ret_from_fork+0x6d/0x90 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
Uninit was created at:
___kmalloc_large_node+0x22c/0x370 mm/slub.c:4219
__kmalloc_large_node_noprof+0x3f/0x1e0 mm/slub.c:4236
__do_kmalloc_node mm/slub.c:4252 [inline]
__kmalloc_node_noprof+0x9d6/0xf50 mm/slub.c:4270
__kvmalloc_node_noprof+0xc0/0x2d0 mm/util.c:658
btree_node_data_alloc fs/bcachefs/btree_cache.c:153 [inline]
__bch2_btree_node_mem_alloc+0x2be/0xa80 fs/bcachefs/btree_cache.c:198
bch2_fs_btree_cache_init+0x4e4/0xb50 fs/bcachefs/btree_cache.c:653
bch2_fs_alloc fs/bcachefs/super.c:917 [inline]
bch2_fs_open+0x4d3a/0x5b40 fs/bcachefs/super.c:2065
bch2_fs_get_tree+0x983/0x22d0 fs/bcachefs/fs.c:2157
vfs_get_tree+0xb1/0x5a0 fs/super.c:1814
do_new_mount+0x71f/0x15e0 fs/namespace.c:3507
path_mount+0x742/0x1f10 fs/namespace.c:3834
do_mount fs/namespace.c:3847 [inline]
__do_sys_mount fs/namespace.c:4057 [inline]
__se_sys_mount+0x722/0x810 fs/namespace.c:4034
__x64_sys_mount+0xe4/0x150 fs/namespace.c:4034
x64_sys_call+0x39bf/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:166
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
CPU: 0 UID: 0 PID: 13 Comm: kworker/u8:1 Not tainted 6.12.0-syzkaller-05676-gfc39fb56917b #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024
Workqueue: btree_update btree_interior_update_work
=====================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite the report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
* [syzbot] [bcachefs?] kernel BUG in bch2_btree_root_read
From: syzbot @ 2024-11-22 15:15 UTC
To: kent.overstreet, linux-bcachefs, linux-kernel, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 43fb83c17ba2 Merge tag 'soc-arm-6.13' of git://git.kernel...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=150afae8580000
kernel config: https://syzkaller.appspot.com/x/.config?x=aabf8d2f67b7072a
dashboard link: https://syzkaller.appspot.com/bug?extid=c4b76ec6c2d45b06ec1e
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1692a75f980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15965930580000
Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7feb34a89c2a/non_bootable_disk-43fb83c1.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/8ce8ef813dfe/vmlinux-43fb83c1.xz
kernel image: https://storage.googleapis.com/syzbot-assets/dbfeb37f6bfa/bzImage-43fb83c1.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/bc470092719b/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+c4b76ec6c2d45b06ec1e@syzkaller.appspotmail.com
bcachefs (loop0): will run btree node scan
invalid bkey u64s 7 type xattr 536870912:3798421620223919902:U32_MAX len 0 ver 0: user.\x06:
xattr name has invalid characters: delete?, fixing
------------[ cut here ]------------
kernel BUG at fs/bcachefs/btree_io.c:1743!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 5326 Comm: syz-executor408 Not tainted 6.12.0-syzkaller-03657-g43fb83c17ba2 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:__bch2_btree_root_read fs/bcachefs/btree_io.c:1743 [inline]
RIP: 0010:bch2_btree_root_read+0x78d/0x7a0 fs/bcachefs/btree_io.c:1771
Code: ff 44 89 f1 80 e1 07 38 c1 0f 8c 98 fa ff ff 4c 89 f7 e8 b6 87 e6 fd e9 8b fa ff ff e8 6c 73 7c fd 90 0f 0b e8 64 73 7c fd 90 <0f> 0b e8 ec ab b2 07 66 2e 0f 1f 84 00 00 00 00 00 66 90 90 90 90
RSP: 0018:ffffc9000ceaf3a0 EFLAGS: 00010293
RAX: ffffffff8418856c RBX: 00000000ffffffef RCX: ffff888000728000
RDX: 0000000000000000 RSI: 00000000ffffffef RDI: 0000000000000000
RBP: ffffc9000ceaf4e0 R08: ffffffff841883b1 R09: 1ffff920019d5e5c
R10: dffffc0000000000 R11: fffff520019d5e5d R12: ffff88804384f000
R13: 0000000000023001 R14: ffff888044a01a80 R15: 0000000000000000
FS: 000055558b9ee380(0000) GS:ffff88801fc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fff9e053fe8 CR3: 0000000042fb4000 CR4: 0000000000352ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
read_btree_roots+0x296/0x840 fs/bcachefs/recovery.c:523
bch2_fs_recovery+0x2585/0x39d0 fs/bcachefs/recovery.c:853
bch2_fs_start+0x356/0x5b0 fs/bcachefs/super.c:1037
bch2_fs_get_tree+0xd68/0x1710 fs/bcachefs/fs.c:2170
vfs_get_tree+0x90/0x2b0 fs/super.c:1814
do_new_mount+0x2be/0xb40 fs/namespace.c:3507
do_mount fs/namespace.c:3847 [inline]
__do_sys_mount fs/namespace.c:4057 [inline]
__se_sys_mount+0x2d6/0x3c0 fs/namespace.c:4034
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fd48bf0c9ba
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 5e 04 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffdbfdd4698 EFLAGS: 00000282 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007ffdbfdd46b0 RCX: 00007fd48bf0c9ba
RDX: 00000000200058c0 RSI: 0000000020000000 RDI: 00007ffdbfdd46b0
RBP: 0000000000000004 R08: 00007ffdbfdd46f0 R09: 000000000000596c
R10: 0000000000210008 R11: 0000000000000282 R12: 0000000000210008
R13: 00007ffdbfdd46f0 R14: 0000000000000003 R15: 0000000001000000
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__bch2_btree_root_read fs/bcachefs/btree_io.c:1743 [inline]
RIP: 0010:bch2_btree_root_read+0x78d/0x7a0 fs/bcachefs/btree_io.c:1771
Code: ff 44 89 f1 80 e1 07 38 c1 0f 8c 98 fa ff ff 4c 89 f7 e8 b6 87 e6 fd e9 8b fa ff ff e8 6c 73 7c fd 90 0f 0b e8 64 73 7c fd 90 <0f> 0b e8 ec ab b2 07 66 2e 0f 1f 84 00 00 00 00 00 66 90 90 90 90
RSP: 0018:ffffc9000ceaf3a0 EFLAGS: 00010293
RAX: ffffffff8418856c RBX: 00000000ffffffef RCX: ffff888000728000
RDX: 0000000000000000 RSI: 00000000ffffffef RDI: 0000000000000000
RBP: ffffc9000ceaf4e0 R08: ffffffff841883b1 R09: 1ffff920019d5e5c
R10: dffffc0000000000 R11: fffff520019d5e5d R12: ffff88804384f000
R13: 0000000000023001 R14: ffff888044a01a80 R15: 0000000000000000
FS: 000055558b9ee380(0000) GS:ffff88801fc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fff9e053fe8 CR3: 0000000042fb4000 CR4: 0000000000352ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
* [syzbot] [netfilter?] KMSAN: uninit-value in ip6table_mangle_hook (3)
From: syzbot @ 2024-11-22 14:42 UTC
To: coreteam, davem, dsahern, edumazet, horms, kadlec, kuba, linux-kernel, netdev, netfilter-devel, pabeni, pablo, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 2e1b3cc9d7f7 Merge tag 'arm-fixes-6.12-2' of git://git.ker..
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=105e0d87980000
kernel config: https://syzkaller.appspot.com/x/.config?x=6fdf74cce377223b
dashboard link: https://syzkaller.appspot.com/bug?extid=6023ea32e206eef7920a
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=165d5d5f980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=145e0d87980000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/08456e37db58/disk-2e1b3cc9.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/cc957f7ba80b/vmlinux-2e1b3cc9.xz
kernel image: https://storage.googleapis.com/syzbot-assets/7579fe72ed89/bzImage-2e1b3cc9.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+6023ea32e206eef7920a@syzkaller.appspotmail.com
=====================================================
BUG: KMSAN: uninit-value in ip6t_mangle_out net/ipv6/netfilter/ip6table_mangle.c:56 [inline]
BUG: KMSAN: uninit-value in ip6table_mangle_hook+0x97d/0x9c0 net/ipv6/netfilter/ip6table_mangle.c:72
ip6t_mangle_out net/ipv6/netfilter/ip6table_mangle.c:56 [inline]
ip6table_mangle_hook+0x97d/0x9c0 net/ipv6/netfilter/ip6table_mangle.c:72
nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626
nf_hook include/linux/netfilter.h:269 [inline]
__ip6_local_out+0x5ac/0x640 net/ipv6/output_core.c:143
ip6_local_out+0x4c/0x210 net/ipv6/output_core.c:153
ip6tunnel_xmit+0x129/0x460 include/net/ip6_tunnel.h:161
ip6_tnl_xmit+0x341a/0x3860 net/ipv6/ip6_tunnel.c:1281
__gre6_xmit+0x14b9/0x1550 net/ipv6/ip6_gre.c:815
ip6gre_xmit_ipv4 net/ipv6/ip6_gre.c:839 [inline]
ip6gre_tunnel_xmit+0x18f7/0x2030 net/ipv6/ip6_gre.c:922
__netdev_start_xmit include/linux/netdevice.h:4928 [inline]
netdev_start_xmit include/linux/netdevice.h:4937 [inline]
xmit_one net/core/dev.c:3588 [inline]
dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3604
sch_direct_xmit+0x399/0xd40 net/sched/sch_generic.c:343
__dev_xmit_skb net/core/dev.c:3825 [inline]
__dev_queue_xmit+0x2fcf/0x56d0 net/core/dev.c:4398
dev_queue_xmit include/linux/netdevice.h:3094 [inline]
packet_xmit+0x9c/0x6c0 net/packet/af_packet.c:276
packet_snd net/packet/af_packet.c:3145 [inline]
packet_sendmsg+0x908b/0xa370 net/packet/af_packet.c:3177
sock_sendmsg_nosec net/socket.c:729 [inline]
__sock_sendmsg+0x30f/0x380 net/socket.c:744
__sys_sendto+0x645/0x7f0 net/socket.c:2214
__do_sys_sendto net/socket.c:2226 [inline]
__se_sys_sendto net/socket.c:2222 [inline]
__x64_sys_sendto+0x125/0x1d0 net/socket.c:2222
x64_sys_call+0x3373/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:45
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Uninit was stored to memory at:
ip6_tnl_xmit+0x34f7/0x3860 net/ipv6/ip6_tunnel.c:1277
__gre6_xmit+0x14b9/0x1550 net/ipv6/ip6_gre.c:815
ip6gre_xmit_ipv4 net/ipv6/ip6_gre.c:839 [inline]
ip6gre_tunnel_xmit+0x18f7/0x2030 net/ipv6/ip6_gre.c:922
__netdev_start_xmit include/linux/netdevice.h:4928 [inline]
netdev_start_xmit include/linux/netdevice.h:4937 [inline]
xmit_one net/core/dev.c:3588 [inline]
dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3604
sch_direct_xmit+0x399/0xd40 net/sched/sch_generic.c:343
__dev_xmit_skb net/core/dev.c:3825 [inline]
__dev_queue_xmit+0x2fcf/0x56d0 net/core/dev.c:4398
dev_queue_xmit include/linux/netdevice.h:3094 [inline]
packet_xmit+0x9c/0x6c0 net/packet/af_packet.c:276
packet_snd net/packet/af_packet.c:3145 [inline]
packet_sendmsg+0x908b/0xa370 net/packet/af_packet.c:3177
sock_sendmsg_nosec net/socket.c:729 [inline]
__sock_sendmsg+0x30f/0x380 net/socket.c:744
__sys_sendto+0x645/0x7f0 net/socket.c:2214
__do_sys_sendto net/socket.c:2226 [inline]
__se_sys_sendto net/socket.c:2222 [inline]
__x64_sys_sendto+0x125/0x1d0 net/socket.c:2222
x64_sys_call+0x3373/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:45
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Uninit was created at:
slab_post_alloc_hook mm/slub.c:4091 [inline]
slab_alloc_node mm/slub.c:4134 [inline]
__do_kmalloc_node mm/slub.c:4263 [inline]
__kmalloc_node_track_caller_noprof+0x6c7/0xf90 mm/slub.c:4283
kmalloc_reserve+0x23e/0x4a0 net/core/skbuff.c:609
pskb_expand_head+0x226/0x1a60 net/core/skbuff.c:2275
skb_realloc_headroom+0x140/0x2b0 net/core/skbuff.c:2355
ip6_tnl_xmit+0x2106/0x3860 net/ipv6/ip6_tunnel.c:1227
__gre6_xmit+0x14b9/0x1550 net/ipv6/ip6_gre.c:815
ip6gre_xmit_ipv4 net/ipv6/ip6_gre.c:839 [inline]
ip6gre_tunnel_xmit+0x18f7/0x2030 net/ipv6/ip6_gre.c:922
__netdev_start_xmit include/linux/netdevice.h:4928 [inline]
netdev_start_xmit include/linux/netdevice.h:4937 [inline]
xmit_one net/core/dev.c:3588 [inline]
dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3604
sch_direct_xmit+0x399/0xd40 net/sched/sch_generic.c:343
__dev_xmit_skb net/core/dev.c:3825 [inline]
__dev_queue_xmit+0x2fcf/0x56d0 net/core/dev.c:4398
dev_queue_xmit include/linux/netdevice.h:3094 [inline]
packet_xmit+0x9c/0x6c0 net/packet/af_packet.c:276
packet_snd net/packet/af_packet.c:3145 [inline]
packet_sendmsg+0x908b/0xa370 net/packet/af_packet.c:3177
sock_sendmsg_nosec net/socket.c:729 [inline]
__sock_sendmsg+0x30f/0x380 net/socket.c:744
__sys_sendto+0x645/0x7f0 net/socket.c:2214
__do_sys_sendto net/socket.c:2226 [inline]
__se_sys_sendto net/socket.c:2222 [inline]
__x64_sys_sendto+0x125/0x1d0 net/socket.c:2222
x64_sys_call+0x3373/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:45
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
CPU: 1 UID: 0 PID: 5819 Comm: syz-executor359 Not tainted 6.12.0-rc6-syzkaller-00077-g2e1b3cc9d7f7 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
=====================================================
* Re: [syzbot]
From: syzbot @ 2024-12-14 22:16 UTC
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: mazin@getstate.dev
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
* Re: [syzbot]
From: syzbot @ 2024-12-14 22:21 UTC
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: mazin@getstate.dev
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
* Re: [syzbot]
From: syzbot @ 2024-12-15 2:34 UTC
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: mazin@getstate.dev
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
* [syzbot] [bcachefs?] kernel BUG in bch2_btree_node_lock_write
From: syzbot @ 2024-11-21 12:40 UTC
To: kent.overstreet, linux-bcachefs, linux-kernel, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: ac24e26aa08f Add linux-next specific files for 20241120
git tree: linux-next
console+strace: https://syzkaller.appspot.com/x/log.txt?x=1471bae8580000
kernel config: https://syzkaller.appspot.com/x/.config?x=45719eec4c74e6ba
dashboard link: https://syzkaller.appspot.com/bug?extid=78d82470c16a49702682
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17e61930580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13e126c0580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/9c6bcf3605c7/disk-ac24e26a.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/4ce96eb398a9/vmlinux-ac24e26a.xz
kernel image: https://storage.googleapis.com/syzbot-assets/9a22aac22c90/bzImage-ac24e26a.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/6a6e3ddf526a/mount_0.gz
The issue was bisected to:
commit feb21a9b4c1a8527e0a61c85eec4c078c558aee9
Author: Kent Overstreet <kent.overstreet@linux.dev>
Date: Sun Oct 27 04:40:43 2024 +0000
bcachefs: try_alloc_bucket() now uses bch2_check_discard_freespace_key()
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=17b79930580000
final oops: https://syzkaller.appspot.com/x/report.txt?x=14779930580000
console output: https://syzkaller.appspot.com/x/log.txt?x=10779930580000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+78d82470c16a49702682@syzkaller.appspotmail.com
Fixes: feb21a9b4c1a ("bcachefs: try_alloc_bucket() now uses bch2_check_discard_freespace_key()")
stripe 0
stripe_redundancy 0
io_time[READ] 0
io_time[WRITE] 0
fragmentation 0
bp_start 8
incorrectly set at freespace:0:24:0 (free 0, genbits 0 should be 0), fixing
------------[ cut here ]------------
kernel BUG at fs/bcachefs/btree_locking.h:306!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 1 UID: 0 PID: 11 Comm: kworker/u8:0 Not tainted 6.12.0-next-20241120-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024
Workqueue: btree_node_rewrite async_btree_node_rewrite_work
RIP: 0010:__btree_node_lock_write fs/bcachefs/btree_locking.h:306 [inline]
RIP: 0010:bch2_btree_node_lock_write+0x400/0x430 fs/bcachefs/btree_locking.h:327
Code: 06 be 03 00 00 00 48 c7 c7 80 97 f2 8e 48 89 da e8 a5 c3 d4 00 49 bf 00 00 00 00 00 fc ff df e9 f2 fd ff ff e8 b1 69 79 fd 90 <0f> 0b e8 a9 69 79 fd 90 0f 0b e8 a1 69 79 fd 90 0f 0b 48 8b 4c 24
RSP: 0018:ffffc90000107778 EFLAGS: 00010293
RAX: ffffffff8426110f RBX: ffff88803485c288 RCX: ffff88801befbc00
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004
RBP: ffff88803485c000 R08: ffffffff84260d65 R09: 1ffffffff2030b7e
R10: dffffc0000000000 R11: fffffbfff2030b7f R12: ffff88803485c268
R13: 1ffff110061a4b13 R14: ffff888030d25800 R15: dffffc0000000000
FS: 0000000000000000(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055976c6126b8 CR3: 000000007b348000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
bch2_btree_set_root+0x1d8/0xd10 fs/bcachefs/btree_update_interior.c:1323
bch2_btree_node_rewrite+0x69d/0x1280 fs/bcachefs/btree_update_interior.c:2172
async_btree_node_rewrite_trans fs/bcachefs/btree_update_interior.c:2236 [inline]
async_btree_node_rewrite_work+0x31e/0xdf0 fs/bcachefs/btree_update_interior.c:2249
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310
worker_thread+0x870/0xd30 kernel/workqueue.c:3391
kthread+0x2f0/0x390 kernel/kthread.c:389
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__btree_node_lock_write fs/bcachefs/btree_locking.h:306 [inline]
RIP: 0010:bch2_btree_node_lock_write+0x400/0x430 fs/bcachefs/btree_locking.h:327
Code: 06 be 03 00 00 00 48 c7 c7 80 97 f2 8e 48 89 da e8 a5 c3 d4 00 49 bf 00 00 00 00 00 fc ff df e9 f2 fd ff ff e8 b1 69 79 fd 90 <0f> 0b e8 a9 69 79 fd 90 0f 0b e8 a1 69 79 fd 90 0f 0b 48 8b 4c 24
RSP: 0018:ffffc90000107778 EFLAGS: 00010293
RAX: ffffffff8426110f RBX: ffff88803485c288 RCX: ffff88801befbc00
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004
RBP: ffff88803485c000 R08: ffffffff84260d65 R09: 1ffffffff2030b7e
R10: dffffc0000000000 R11: fffffbfff2030b7f R12: ffff88803485c268
R13: 1ffff110061a4b13 R14: ffff888030d25800 R15: dffffc0000000000
FS: 0000000000000000(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055976c6126b8 CR3: 000000000e736000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
* [syzbot] [bcachefs?] KMSAN: uninit-value in bch2_inode_v3_validate
From: syzbot @ 2024-11-19 7:33 UTC
To: kent.overstreet, linux-bcachefs, linux-kernel, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: cfaaa7d010d1 Merge tag 'net-6.12-rc8' of git://git.kernel...
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=11eb6b5f980000
kernel config: https://syzkaller.appspot.com/x/.config?x=dcca673786a14715
dashboard link: https://syzkaller.appspot.com/bug?extid=3cd97352d16f0e6066d9
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1469b1a7980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=110bdcc0580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/1c694b6090aa/disk-cfaaa7d0.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/981b31e0fb3c/vmlinux-cfaaa7d0.xz
kernel image: https://storage.googleapis.com/syzbot-assets/a4df6af9c5c6/bzImage-cfaaa7d0.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/f8181b3bb66a/mount_4.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+3cd97352d16f0e6066d9@syzkaller.appspotmail.com
=====================================================
BUG: KMSAN: uninit-value in bch2_inode_v3_validate+0x481/0x5a0 fs/bcachefs/inode.c:508
bch2_inode_v3_validate+0x481/0x5a0 fs/bcachefs/inode.c:508
bch2_bkey_val_validate+0x2b5/0x440 fs/bcachefs/bkey_methods.c:143
bset_key_validate fs/bcachefs/btree_io.c:841 [inline]
validate_bset_keys+0x1531/0x2080 fs/bcachefs/btree_io.c:910
validate_bset_for_write+0x142/0x290 fs/bcachefs/btree_io.c:1942
__bch2_btree_node_write+0x53df/0x6830 fs/bcachefs/btree_io.c:2152
bch2_btree_node_write+0xa5/0x2e0 fs/bcachefs/btree_io.c:2284
btree_node_write_if_need fs/bcachefs/btree_io.h:151 [inline]
__btree_node_flush+0x606/0x680 fs/bcachefs/btree_trans_commit.c:252
bch2_btree_node_flush1+0x38/0x60 fs/bcachefs/btree_trans_commit.c:266
journal_flush_pins+0xce6/0x1780 fs/bcachefs/journal_reclaim.c:565
__bch2_journal_reclaim+0xda8/0x1670 fs/bcachefs/journal_reclaim.c:698
bch2_journal_reclaim_thread+0x18e/0x760 fs/bcachefs/journal_reclaim.c:740
kthread+0x3e2/0x540 kernel/kthread.c:389
ret_from_fork+0x6d/0x90 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
Uninit was stored to memory at:
memcpy_u64s_small fs/bcachefs/util.h:393 [inline]
bkey_p_copy fs/bcachefs/bkey.h:47 [inline]
bch2_sort_keys_keep_unwritten_whiteouts+0x1797/0x19d0 fs/bcachefs/bkey_sort.c:187
__bch2_btree_node_write+0x3ae8/0x6830 fs/bcachefs/btree_io.c:2095
bch2_btree_node_write+0xa5/0x2e0 fs/bcachefs/btree_io.c:2284
btree_node_write_if_need fs/bcachefs/btree_io.h:151 [inline]
__btree_node_flush+0x606/0x680 fs/bcachefs/btree_trans_commit.c:252
bch2_btree_node_flush1+0x38/0x60 fs/bcachefs/btree_trans_commit.c:266
journal_flush_pins+0xce6/0x1780 fs/bcachefs/journal_reclaim.c:565
__bch2_journal_reclaim+0xda8/0x1670 fs/bcachefs/journal_reclaim.c:698
bch2_journal_reclaim_thread+0x18e/0x760 fs/bcachefs/journal_reclaim.c:740
kthread+0x3e2/0x540 kernel/kthread.c:389
ret_from_fork+0x6d/0x90 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
Uninit was created at:
___kmalloc_large_node+0x22c/0x370 mm/slub.c:4219
__kmalloc_large_node_noprof+0x3f/0x1e0 mm/slub.c:4236
__do_kmalloc_node mm/slub.c:4252 [inline]
__kmalloc_node_noprof+0x9d6/0xf50 mm/slub.c:4270
__kvmalloc_node_noprof+0xc0/0x2d0 mm/util.c:658
btree_bounce_alloc fs/bcachefs/btree_io.c:124 [inline]
btree_node_sort+0x78a/0x1d30 fs/bcachefs/btree_io.c:323
bch2_btree_post_write_cleanup+0x1b0/0xf20 fs/bcachefs/btree_io.c:2248
bch2_btree_node_write+0x21c/0x2e0 fs/bcachefs/btree_io.c:2289
btree_node_write_if_need fs/bcachefs/btree_io.h:151 [inline]
__btree_node_flush+0x606/0x680 fs/bcachefs/btree_trans_commit.c:252
bch2_btree_node_flush0+0x35/0x60 fs/bcachefs/btree_trans_commit.c:261
journal_flush_pins+0xce6/0x1780 fs/bcachefs/journal_reclaim.c:565
__bch2_journal_reclaim+0xda8/0x1670 fs/bcachefs/journal_reclaim.c:698
bch2_journal_reclaim_thread+0x18e/0x760 fs/bcachefs/journal_reclaim.c:740
kthread+0x3e2/0x540 kernel/kthread.c:389
ret_from_fork+0x6d/0x90 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
CPU: 0 UID: 0 PID: 5854 Comm: bch-reclaim/loo Not tainted 6.12.0-rc7-syzkaller-00125-gcfaaa7d010d1 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024
=====================================================
* [syzbot] [bcachefs?] kernel BUG in bch2_bucket_alloc_trans (3)
From: syzbot @ 2024-11-18 21:41 UTC
To: kent.overstreet, linux-bcachefs, linux-kernel, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: cfaaa7d010d1 Merge tag 'net-6.12-rc8' of git://git.kernel...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13649cc0580000
kernel config: https://syzkaller.appspot.com/x/.config?x=d2aeec8c0b2e420c
dashboard link: https://syzkaller.appspot.com/bug?extid=592425844580a6598410
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1437e130580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=163802e8580000
Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7feb34a89c2a/non_bootable_disk-cfaaa7d0.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/63eae0d3e67f/vmlinux-cfaaa7d0.xz
kernel image: https://storage.googleapis.com/syzbot-assets/6495d9e4ddee/bzImage-cfaaa7d0.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/902320cb2e25/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+592425844580a6598410@syzkaller.appspotmail.com
------------[ cut here ]------------
kernel BUG at fs/bcachefs/alloc_foreground.c:493!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 2975 Comm: kworker/u4:10 Not tainted 6.12.0-rc7-syzkaller-00125-gcfaaa7d010d1 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: btree_node_rewrite async_btree_node_rewrite_work
RIP: 0010:bch2_bucket_alloc_freelist fs/bcachefs/alloc_foreground.c:493 [inline]
RIP: 0010:bch2_bucket_alloc_trans+0x39ec/0x3a50 fs/bcachefs/alloc_foreground.c:648
Code: e8 a9 3a f0 fd e9 f0 c7 ff ff 89 d9 80 e1 07 38 c1 0f 8c f3 fd ff ff 48 89 df e8 3f 39 f0 fd e9 e6 fd ff ff e8 65 5d 86 fd 90 <0f> 0b e8 5d 5d 86 fd 90 0f 0b e8 45 4a b9 07 f3 0f 1e fa e8 4c 5d
RSP: 0018:ffffc9000d8fe140 EFLAGS: 00010293
RAX: ffffffff840e8cab RBX: 0000000000000019 RCX: ffff888040104880
RDX: 0000000000000000 RSI: 0000000000000019 RDI: 0000000000000000
RBP: ffffc9000d8fe868 R08: ffffffff840e5f79 R09: 0000000000000000
R10: ffffc9000d8fe728 R11: fffff52001b1fcea R12: dffffc0000000000
R13: ffff8880438ec000 R14: 0000000000000000 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff88801fc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005596e117f4e8 CR3: 0000000011cf8000 CR4: 0000000000352ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
bch2_bucket_alloc_set_trans+0x517/0xd30 fs/bcachefs/alloc_foreground.c:808
__open_bucket_add_buckets+0x13d0/0x1ec0 fs/bcachefs/alloc_foreground.c:1057
open_bucket_add_buckets+0x33a/0x410 fs/bcachefs/alloc_foreground.c:1101
bch2_alloc_sectors_start_trans+0xce9/0x2030
__bch2_btree_node_alloc fs/bcachefs/btree_update_interior.c:339 [inline]
bch2_btree_reserve_get+0x612/0x1890 fs/bcachefs/btree_update_interior.c:549
bch2_btree_update_start+0xe56/0x14e0 fs/bcachefs/btree_update_interior.c:1247
bch2_btree_node_rewrite+0x1c0/0x1280 fs/bcachefs/btree_update_interior.c:2148
async_btree_node_rewrite_trans fs/bcachefs/btree_update_interior.c:2236 [inline]
async_btree_node_rewrite_work+0x31e/0xda0 fs/bcachefs/btree_update_interior.c:2249
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310
worker_thread+0x870/0xd30 kernel/workqueue.c:3391
kthread+0x2f0/0x390 kernel/kthread.c:389
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:bch2_bucket_alloc_freelist fs/bcachefs/alloc_foreground.c:493 [inline]
RIP: 0010:bch2_bucket_alloc_trans+0x39ec/0x3a50 fs/bcachefs/alloc_foreground.c:648
Code: e8 a9 3a f0 fd e9 f0 c7 ff ff 89 d9 80 e1 07 38 c1 0f 8c f3 fd ff ff 48 89 df e8 3f 39 f0 fd e9 e6 fd ff ff e8 65 5d 86 fd 90 <0f> 0b e8 5d 5d 86 fd 90 0f 0b e8 45 4a b9 07 f3 0f 1e fa e8 4c 5d
RSP: 0018:ffffc9000d8fe140 EFLAGS: 00010293
RAX: ffffffff840e8cab RBX: 0000000000000019 RCX: ffff888040104880
RDX: 0000000000000000 RSI: 0000000000000019 RDI: 0000000000000000
RBP: ffffc9000d8fe868 R08: ffffffff840e5f79 R09: 0000000000000000
R10: ffffc9000d8fe728 R11: fffff52001b1fcea R12: dffffc0000000000
R13: ffff8880438ec000 R14: 0000000000000000 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff88801fc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fd30c9ff000 CR3: 000000004399a000 CR4: 0000000000352ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
* [syzbot] [bcachefs?] KMSAN: uninit-value in bch2_alloc_v4_validate (2)
@ 2024-11-17 8:54 syzbot
2025-04-01 4:00 ` [syzbot] syzbot
0 siblings, 1 reply; 141+ messages in thread
From: syzbot @ 2024-11-17 8:54 UTC (permalink / raw)
To: kent.overstreet, linux-bcachefs, linux-kernel, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 3022e9d00ebe Merge tag 'sched_ext-for-6.12-rc7-fixes' of g..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=175f0df7980000
kernel config: https://syzkaller.appspot.com/x/.config?x=dcca673786a14715
dashboard link: https://syzkaller.appspot.com/bug?extid=8dd95f470e7cd0ff4b66
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: i386
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/937339c4ba17/disk-3022e9d0.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/23acd73c301b/vmlinux-3022e9d0.xz
kernel image: https://storage.googleapis.com/syzbot-assets/66d14471611f/bzImage-3022e9d0.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+8dd95f470e7cd0ff4b66@syzkaller.appspotmail.com
=====================================================
BUG: KMSAN: uninit-value in bch2_alloc_v4_validate+0x739/0x19a0 fs/bcachefs/alloc_background.c:249
bch2_alloc_v4_validate+0x739/0x19a0 fs/bcachefs/alloc_background.c:249
bch2_bkey_val_validate+0x2b5/0x440 fs/bcachefs/bkey_methods.c:143
bset_key_validate fs/bcachefs/btree_io.c:845 [inline]
validate_bset_keys+0x1531/0x2080 fs/bcachefs/btree_io.c:914
validate_bset_for_write+0x142/0x290 fs/bcachefs/btree_io.c:1946
__bch2_btree_node_write+0x53df/0x6830 fs/bcachefs/btree_io.c:2156
bch2_btree_node_write+0x256/0x2e0 fs/bcachefs/btree_io.c:2300
btree_node_write_if_need fs/bcachefs/btree_io.h:151 [inline]
__btree_node_flush+0x606/0x680 fs/bcachefs/btree_trans_commit.c:252
bch2_btree_node_flush1+0x38/0x60 fs/bcachefs/btree_trans_commit.c:266
journal_flush_pins+0xce6/0x1780 fs/bcachefs/journal_reclaim.c:565
__bch2_journal_reclaim+0xda8/0x1670 fs/bcachefs/journal_reclaim.c:698
bch2_journal_reclaim_thread+0x18e/0x760 fs/bcachefs/journal_reclaim.c:740
kthread+0x3e2/0x540 kernel/kthread.c:389
ret_from_fork+0x6d/0x90 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
Uninit was stored to memory at:
bch2_alloc_v4_validate+0x27f/0x19a0 fs/bcachefs/alloc_background.c:247
bch2_bkey_val_validate+0x2b5/0x440 fs/bcachefs/bkey_methods.c:143
bset_key_validate fs/bcachefs/btree_io.c:845 [inline]
validate_bset_keys+0x1531/0x2080 fs/bcachefs/btree_io.c:914
validate_bset_for_write+0x142/0x290 fs/bcachefs/btree_io.c:1946
__bch2_btree_node_write+0x53df/0x6830 fs/bcachefs/btree_io.c:2156
bch2_btree_node_write+0x256/0x2e0 fs/bcachefs/btree_io.c:2300
btree_node_write_if_need fs/bcachefs/btree_io.h:151 [inline]
__btree_node_flush+0x606/0x680 fs/bcachefs/btree_trans_commit.c:252
bch2_btree_node_flush1+0x38/0x60 fs/bcachefs/btree_trans_commit.c:266
journal_flush_pins+0xce6/0x1780 fs/bcachefs/journal_reclaim.c:565
__bch2_journal_reclaim+0xda8/0x1670 fs/bcachefs/journal_reclaim.c:698
bch2_journal_reclaim_thread+0x18e/0x760 fs/bcachefs/journal_reclaim.c:740
kthread+0x3e2/0x540 kernel/kthread.c:389
ret_from_fork+0x6d/0x90 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
Uninit was stored to memory at:
memcpy_u64s_small fs/bcachefs/util.h:393 [inline]
bkey_p_copy fs/bcachefs/bkey.h:47 [inline]
bch2_sort_keys_keep_unwritten_whiteouts+0x16af/0x19d0 fs/bcachefs/bkey_sort.c:187
__bch2_btree_node_write+0x3ae8/0x6830 fs/bcachefs/btree_io.c:2099
bch2_btree_node_write+0x256/0x2e0 fs/bcachefs/btree_io.c:2300
btree_node_write_if_need fs/bcachefs/btree_io.h:151 [inline]
__btree_node_flush+0x606/0x680 fs/bcachefs/btree_trans_commit.c:252
bch2_btree_node_flush1+0x38/0x60 fs/bcachefs/btree_trans_commit.c:266
journal_flush_pins+0xce6/0x1780 fs/bcachefs/journal_reclaim.c:565
__bch2_journal_reclaim+0xda8/0x1670 fs/bcachefs/journal_reclaim.c:698
bch2_journal_reclaim_thread+0x18e/0x760 fs/bcachefs/journal_reclaim.c:740
kthread+0x3e2/0x540 kernel/kthread.c:389
ret_from_fork+0x6d/0x90 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
Uninit was created at:
___kmalloc_large_node+0x22c/0x370 mm/slub.c:4219
__kmalloc_large_node_noprof+0x3f/0x1e0 mm/slub.c:4236
__do_kmalloc_node mm/slub.c:4252 [inline]
__kmalloc_node_noprof+0x9d6/0xf50 mm/slub.c:4270
__kvmalloc_node_noprof+0xc0/0x2d0 mm/util.c:658
btree_bounce_alloc fs/bcachefs/btree_io.c:124 [inline]
btree_node_sort+0x78a/0x1d30 fs/bcachefs/btree_io.c:323
bch2_btree_post_write_cleanup+0x1b0/0xf20 fs/bcachefs/btree_io.c:2252
bch2_btree_node_prep_for_write+0x494/0x720 fs/bcachefs/btree_trans_commit.c:93
bch2_trans_lock_write+0x7ef/0xc00 fs/bcachefs/btree_trans_commit.c:129
do_bch2_trans_commit fs/bcachefs/btree_trans_commit.c:896 [inline]
__bch2_trans_commit+0x31c4/0xd190 fs/bcachefs/btree_trans_commit.c:1121
bch2_trans_commit fs/bcachefs/btree_update.h:184 [inline]
bch2_journal_replay+0x2e3d/0x4d30 fs/bcachefs/recovery.c:317
bch2_run_recovery_pass fs/bcachefs/recovery_passes.c:185 [inline]
bch2_run_recovery_passes+0xaf9/0xf80 fs/bcachefs/recovery_passes.c:238
bch2_fs_recovery+0x447b/0x5b00 fs/bcachefs/recovery.c:861
bch2_fs_start+0x7b2/0xbd0 fs/bcachefs/super.c:1036
bch2_fs_get_tree+0x13ea/0x22d0 fs/bcachefs/fs.c:2170
vfs_get_tree+0xb1/0x5a0 fs/super.c:1814
do_new_mount+0x71f/0x15e0 fs/namespace.c:3507
path_mount+0x742/0x1f10 fs/namespace.c:3834
do_mount fs/namespace.c:3847 [inline]
__do_sys_mount fs/namespace.c:4057 [inline]
__se_sys_mount+0x722/0x810 fs/namespace.c:4034
__ia32_sys_mount+0xe3/0x150 fs/namespace.c:4034
ia32_sys_call+0x2530/0x40d0 arch/x86/include/generated/asm/syscalls_32.h:22
do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline]
__do_fast_syscall_32+0xb0/0x110 arch/x86/entry/common.c:386
do_fast_syscall_32+0x38/0x80 arch/x86/entry/common.c:411
do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:449
entry_SYSENTER_compat_after_hwframe+0x84/0x8e
CPU: 0 UID: 0 PID: 12680 Comm: bch-reclaim/loo Not tainted 6.12.0-rc7-syzkaller-00012-g3022e9d00ebe #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024
=====================================================
* [syzbot] [bcachefs?] KMSAN: uninit-value in bch2_btree_node_iter_init (2)
@ 2024-11-17 8:54 syzbot
2025-04-01 4:07 ` [syzbot] syzbot
0 siblings, 1 reply; 141+ messages in thread
From: syzbot @ 2024-11-17 8:54 UTC (permalink / raw)
To: kent.overstreet, linux-bcachefs, linux-kernel, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 3022e9d00ebe Merge tag 'sched_ext-for-6.12-rc7-fixes' of g..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=162341a7980000
kernel config: https://syzkaller.appspot.com/x/.config?x=dcca673786a14715
dashboard link: https://syzkaller.appspot.com/bug?extid=62f5ae3a10a9e97accd4
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: i386
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/937339c4ba17/disk-3022e9d0.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/23acd73c301b/vmlinux-3022e9d0.xz
kernel image: https://storage.googleapis.com/syzbot-assets/66d14471611f/bzImage-3022e9d0.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+62f5ae3a10a9e97accd4@syzkaller.appspotmail.com
=====================================================
BUG: KMSAN: uninit-value in bkey_cmp_p_or_unp fs/bcachefs/bset.h:287 [inline]
BUG: KMSAN: uninit-value in bkey_iter_cmp_p_or_unp fs/bcachefs/bset.h:400 [inline]
BUG: KMSAN: uninit-value in bch2_bset_search_linear fs/bcachefs/bset.c:1189 [inline]
BUG: KMSAN: uninit-value in bch2_btree_node_iter_init+0x319a/0x51a0 fs/bcachefs/bset.c:1334
bkey_cmp_p_or_unp fs/bcachefs/bset.h:287 [inline]
bkey_iter_cmp_p_or_unp fs/bcachefs/bset.h:400 [inline]
bch2_bset_search_linear fs/bcachefs/bset.c:1189 [inline]
bch2_btree_node_iter_init+0x319a/0x51a0 fs/bcachefs/bset.c:1334
__btree_path_level_init fs/bcachefs/btree_iter.c:615 [inline]
bch2_btree_path_level_init+0x821/0xc80 fs/bcachefs/btree_iter.c:635
btree_path_lock_root fs/bcachefs/btree_iter.c:769 [inline]
bch2_btree_path_traverse_one+0x379d/0x47b0 fs/bcachefs/btree_iter.c:1183
bch2_btree_path_traverse fs/bcachefs/btree_iter.h:247 [inline]
bch2_btree_iter_traverse+0xaf9/0x1020 fs/bcachefs/btree_iter.c:1880
bch2_btree_node_update_key_get_iter+0x15c/0x9e0 fs/bcachefs/btree_update_interior.c:2481
btree_node_write_work+0xb37/0x15a0 fs/bcachefs/btree_io.c:1874
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xae0/0x1c40 kernel/workqueue.c:3310
worker_thread+0xea7/0x14f0 kernel/workqueue.c:3391
kthread+0x3e2/0x540 kernel/kthread.c:389
ret_from_fork+0x6d/0x90 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
Uninit was created at:
___kmalloc_large_node+0x22c/0x370 mm/slub.c:4219
__kmalloc_large_node_noprof+0x3f/0x1e0 mm/slub.c:4236
__do_kmalloc_node mm/slub.c:4252 [inline]
__kmalloc_node_noprof+0x9d6/0xf50 mm/slub.c:4270
__kvmalloc_node_noprof+0xc0/0x2d0 mm/util.c:658
btree_bounce_alloc fs/bcachefs/btree_io.c:124 [inline]
btree_node_sort+0x78a/0x1d30 fs/bcachefs/btree_io.c:323
bch2_btree_post_write_cleanup+0x1b0/0xf20 fs/bcachefs/btree_io.c:2252
bch2_btree_node_prep_for_write+0x494/0x720 fs/bcachefs/btree_trans_commit.c:93
bch2_trans_lock_write+0x7ef/0xc00 fs/bcachefs/btree_trans_commit.c:129
do_bch2_trans_commit fs/bcachefs/btree_trans_commit.c:896 [inline]
__bch2_trans_commit+0x31c4/0xd190 fs/bcachefs/btree_trans_commit.c:1121
bch2_trans_commit fs/bcachefs/btree_update.h:184 [inline]
bch2_journal_replay+0x2e3d/0x4d30 fs/bcachefs/recovery.c:317
bch2_run_recovery_pass fs/bcachefs/recovery_passes.c:185 [inline]
bch2_run_recovery_passes+0xaf9/0xf80 fs/bcachefs/recovery_passes.c:238
bch2_fs_recovery+0x447b/0x5b00 fs/bcachefs/recovery.c:861
bch2_fs_start+0x7b2/0xbd0 fs/bcachefs/super.c:1036
bch2_fs_get_tree+0x13ea/0x22d0 fs/bcachefs/fs.c:2170
vfs_get_tree+0xb1/0x5a0 fs/super.c:1814
do_new_mount+0x71f/0x15e0 fs/namespace.c:3507
path_mount+0x742/0x1f10 fs/namespace.c:3834
do_mount fs/namespace.c:3847 [inline]
__do_sys_mount fs/namespace.c:4057 [inline]
__se_sys_mount+0x722/0x810 fs/namespace.c:4034
__ia32_sys_mount+0xe3/0x150 fs/namespace.c:4034
ia32_sys_call+0x2530/0x40d0 arch/x86/include/generated/asm/syscalls_32.h:22
do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline]
__do_fast_syscall_32+0xb0/0x110 arch/x86/entry/common.c:386
do_fast_syscall_32+0x38/0x80 arch/x86/entry/common.c:411
do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:449
entry_SYSENTER_compat_after_hwframe+0x84/0x8e
CPU: 0 UID: 0 PID: 43 Comm: kworker/0:1H Not tainted 6.12.0-rc7-syzkaller-00012-g3022e9d00ebe #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024
Workqueue: bcachefs_btree_io btree_node_write_work
=====================================================
* [syzbot] [bcachefs?] possible deadlock in bch2_alloc_sectors_start_trans
@ 2024-11-12 3:25 syzbot
2024-11-29 0:34 ` [syzbot] syzbot
0 siblings, 1 reply; 141+ messages in thread
From: syzbot @ 2024-11-12 3:25 UTC (permalink / raw)
To: kent.overstreet, linux-bcachefs, linux-kernel, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 74741a050b79 Add linux-next specific files for 20241107
git tree: linux-next
console+strace: https://syzkaller.appspot.com/x/log.txt?x=11fd5d87980000
kernel config: https://syzkaller.appspot.com/x/.config?x=d3ef0574c9dc8b00
dashboard link: https://syzkaller.appspot.com/bug?extid=d4b38c802ea425ccf857
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15fd5d87980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16bbbf40580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/8993ea1d09da/disk-74741a05.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/dab7bc3c6e88/vmlinux-74741a05.xz
kernel image: https://storage.googleapis.com/syzbot-assets/fda543ad532f/bzImage-74741a05.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/8f1af4532ebc/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d4b38c802ea425ccf857@syzkaller.appspotmail.com
io_time[WRITE] 256
fragmentation 0
bp_start 8
incorrectly set at freespace:0:27:0 (free 0, genbits 0 should be 0), fixing
============================================
WARNING: possible recursive locking detected
6.12.0-rc6-next-20241107-syzkaller #0 Not tainted
--------------------------------------------
kworker/1:2/58 is trying to acquire lock:
ffff88807871dc38 (&wp->lock){+.+.}-{4:4}, at: bch2_trans_mutex_lock_norelock fs/bcachefs/alloc_foreground.c:43 [inline]
ffff88807871dc38 (&wp->lock){+.+.}-{4:4}, at: writepoint_find fs/bcachefs/alloc_foreground.c:1249 [inline]
ffff88807871dc38 (&wp->lock){+.+.}-{4:4}, at: bch2_alloc_sectors_start_trans+0x956/0x2030 fs/bcachefs/alloc_foreground.c:1355
but task is already holding lock:
ffff88807871dc38 (&wp->lock){+.+.}-{4:4}, at: bch2_trans_mutex_lock_norelock fs/bcachefs/alloc_foreground.c:41 [inline]
ffff88807871dc38 (&wp->lock){+.+.}-{4:4}, at: writepoint_find fs/bcachefs/alloc_foreground.c:1249 [inline]
ffff88807871dc38 (&wp->lock){+.+.}-{4:4}, at: bch2_alloc_sectors_start_trans+0x2e8/0x2030 fs/bcachefs/alloc_foreground.c:1355
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0
----
lock(&wp->lock);
lock(&wp->lock);
*** DEADLOCK ***
May be due to missing lock nesting notation
7 locks held by kworker/1:2/58:
#0: ffff88802070fd48 ((wq_completion)bcachefs_write_ref){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3204 [inline]
#0: ffff88802070fd48 ((wq_completion)bcachefs_write_ref){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1850 kernel/workqueue.c:3310
#1: ffffc9000133fd00 ((work_completion)(&ca->invalidate_work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3205 [inline]
#1: ffffc9000133fd00 ((work_completion)(&ca->invalidate_work)){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1850 kernel/workqueue.c:3310
#2: ffff888078704750 (&wb->flushing.lock){+.+.}-{4:4}, at: bch2_btree_write_buffer_flush_nocheck_rw fs/bcachefs/btree_write_buffer.c:543 [inline]
#2: ffff888078704750 (&wb->flushing.lock){+.+.}-{4:4}, at: bch2_btree_write_buffer_tryflush+0x14b/0x1c0 fs/bcachefs/btree_write_buffer.c:558
#3: ffff8880787043a8 (&c->btree_trans_barrier){.+.+}-{0:0}, at: srcu_lock_acquire include/linux/srcu.h:158 [inline]
#3: ffff8880787043a8 (&c->btree_trans_barrier){.+.+}-{0:0}, at: srcu_read_lock include/linux/srcu.h:255 [inline]
#3: ffff8880787043a8 (&c->btree_trans_barrier){.+.+}-{0:0}, at: bch2_trans_srcu_lock+0x9a/0x1a0 fs/bcachefs/btree_iter.c:3195
#4: ffff888078726710 (&c->gc_lock){++++}-{4:4}, at: bch2_btree_update_start+0x682/0x14e0 fs/bcachefs/btree_update_interior.c:1191
#5: ffff88807871dc38 (&wp->lock){+.+.}-{4:4}, at: bch2_trans_mutex_lock_norelock fs/bcachefs/alloc_foreground.c:41 [inline]
#5: ffff88807871dc38 (&wp->lock){+.+.}-{4:4}, at: writepoint_find fs/bcachefs/alloc_foreground.c:1249 [inline]
#5: ffff88807871dc38 (&wp->lock){+.+.}-{4:4}, at: bch2_alloc_sectors_start_trans+0x2e8/0x2030 fs/bcachefs/alloc_foreground.c:1355
#6: ffff888078726710 (&c->gc_lock){++++}-{4:4}, at: bch2_btree_update_start+0x682/0x14e0 fs/bcachefs/btree_update_interior.c:1191
stack backtrace:
CPU: 1 UID: 0 PID: 58 Comm: kworker/1:2 Not tainted 6.12.0-rc6-next-20241107-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024
Workqueue: bcachefs_write_ref bch2_do_invalidates_work
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_deadlock_bug+0x483/0x620 kernel/locking/lockdep.c:3037
check_deadlock kernel/locking/lockdep.c:3089 [inline]
validate_chain+0x15e2/0x5920 kernel/locking/lockdep.c:3891
__lock_acquire+0x1397/0x2100 kernel/locking/lockdep.c:5226
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5849
__mutex_lock_common kernel/locking/mutex.c:585 [inline]
__mutex_lock+0x1ac/0xee0 kernel/locking/mutex.c:735
bch2_trans_mutex_lock_norelock fs/bcachefs/alloc_foreground.c:43 [inline]
writepoint_find fs/bcachefs/alloc_foreground.c:1249 [inline]
bch2_alloc_sectors_start_trans+0x956/0x2030 fs/bcachefs/alloc_foreground.c:1355
__bch2_btree_node_alloc fs/bcachefs/btree_update_interior.c:333 [inline]
bch2_btree_reserve_get+0x612/0x1890 fs/bcachefs/btree_update_interior.c:543
bch2_btree_update_start+0xe56/0x14e0 fs/bcachefs/btree_update_interior.c:1241
bch2_btree_split_leaf+0x121/0x880 fs/bcachefs/btree_update_interior.c:1857
bch2_trans_commit_error+0x212/0x1390 fs/bcachefs/btree_trans_commit.c:918
__bch2_trans_commit+0x8069/0x9610 fs/bcachefs/btree_trans_commit.c:1099
bch2_trans_commit fs/bcachefs/btree_update.h:182 [inline]
bch2_check_discard_freespace_key+0xba7/0x1120 fs/bcachefs/alloc_background.c:1393
try_alloc_bucket fs/bcachefs/alloc_foreground.c:287 [inline]
bch2_bucket_alloc_freelist fs/bcachefs/alloc_foreground.c:463 [inline]
bch2_bucket_alloc_trans+0x1526/0x31a0 fs/bcachefs/alloc_foreground.c:590
bch2_bucket_alloc_set_trans+0x517/0xd30 fs/bcachefs/alloc_foreground.c:750
__open_bucket_add_buckets+0x13d0/0x1ec0 fs/bcachefs/alloc_foreground.c:999
open_bucket_add_buckets+0x33a/0x410 fs/bcachefs/alloc_foreground.c:1043
bch2_alloc_sectors_start_trans+0xce9/0x2030
__bch2_btree_node_alloc fs/bcachefs/btree_update_interior.c:333 [inline]
bch2_btree_reserve_get+0x612/0x1890 fs/bcachefs/btree_update_interior.c:543
bch2_btree_update_start+0xe56/0x14e0 fs/bcachefs/btree_update_interior.c:1241
bch2_btree_split_leaf+0x121/0x880 fs/bcachefs/btree_update_interior.c:1857
bch2_trans_commit_error+0x212/0x1390 fs/bcachefs/btree_trans_commit.c:918
__bch2_trans_commit+0x8069/0x9610 fs/bcachefs/btree_trans_commit.c:1099
wb_flush_one fs/bcachefs/btree_write_buffer.c:183 [inline]
bch2_btree_write_buffer_flush_locked+0x2b23/0x5a40 fs/bcachefs/btree_write_buffer.c:375
bch2_btree_write_buffer_flush_nocheck_rw fs/bcachefs/btree_write_buffer.c:544 [inline]
bch2_btree_write_buffer_tryflush+0x16a/0x1c0 fs/bcachefs/btree_write_buffer.c:558
bch2_do_invalidates_work+0x131/0x2400 fs/bcachefs/alloc_background.c:2078
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310
worker_thread+0x870/0xd30 kernel/workqueue.c:3391
kthread+0x2f0/0x390 kernel/kthread.c:389
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
* [syzbot] [bcachefs?] KMSAN: uninit-value in bch2_btree_node_check_topology
@ 2024-11-11 0:28 syzbot
2025-04-01 4:10 ` [syzbot] syzbot
0 siblings, 1 reply; 141+ messages in thread
From: syzbot @ 2024-11-11 0:28 UTC (permalink / raw)
To: kent.overstreet, linux-bcachefs, linux-kernel, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 7758b206117d Merge tag 'tracefs-v6.12-rc6' of git://git.ke..
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=13e72e30580000
kernel config: https://syzkaller.appspot.com/x/.config?x=6fdf74cce377223b
dashboard link: https://syzkaller.appspot.com/bug?extid=494bcd3631a9f6759f91
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13a0df40580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15e1f6a7980000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/cff7adedd889/disk-7758b206.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/c3babec78429/vmlinux-7758b206.xz
kernel image: https://storage.googleapis.com/syzbot-assets/9de747183951/bzImage-7758b206.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/c2654a9124db/mount_1.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+494bcd3631a9f6759f91@syzkaller.appspotmail.com
BUG: KMSAN: uninit-value in bch2_btree_node_check_topology+0x12cc/0x2e40 fs/bcachefs/btree_update_interior.c:96
bch2_btree_node_check_topology+0x12cc/0x2e40 fs/bcachefs/btree_update_interior.c:96
btree_split_insert_keys+0x4fd/0x630 fs/bcachefs/btree_update_interior.c:1573
btree_split+0xdc4/0x98e0 fs/bcachefs/btree_update_interior.c:1664
bch2_btree_insert_node+0xaba/0x2810 fs/bcachefs/btree_update_interior.c:1837
bch2_btree_node_rewrite+0x10f8/0x1930 fs/bcachefs/btree_update_interior.c:2164
async_btree_node_rewrite_trans fs/bcachefs/btree_update_interior.c:2230 [inline]
async_btree_node_rewrite_work+0x485/0x1710 fs/bcachefs/btree_update_interior.c:2243
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xae0/0x1c40 kernel/workqueue.c:3310
worker_thread+0xea7/0x14f0 kernel/workqueue.c:3391
kthread+0x3e2/0x540 kernel/kthread.c:389
ret_from_fork+0x6d/0x90 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
Uninit was created at:
___kmalloc_large_node+0x22c/0x370 mm/slub.c:4219
__kmalloc_large_node_noprof+0x3f/0x1e0 mm/slub.c:4236
__do_kmalloc_node mm/slub.c:4252 [inline]
__kmalloc_node_noprof+0x9d6/0xf50 mm/slub.c:4270
__kvmalloc_node_noprof+0xc0/0x2d0 mm/util.c:658
btree_node_data_alloc fs/bcachefs/btree_cache.c:125 [inline]
bch2_btree_node_mem_alloc+0xa68/0x2e30 fs/bcachefs/btree_cache.c:807
__bch2_btree_node_alloc fs/bcachefs/btree_update_interior.c:325 [inline]
bch2_btree_reserve_get+0x37f/0x2290 fs/bcachefs/btree_update_interior.c:554
bch2_btree_update_start+0x1af9/0x2d60 fs/bcachefs/btree_update_interior.c:1252
bch2_btree_node_rewrite+0x1da/0x1930 fs/bcachefs/btree_update_interior.c:2142
async_btree_node_rewrite_trans fs/bcachefs/btree_update_interior.c:2230 [inline]
async_btree_node_rewrite_work+0x485/0x1710 fs/bcachefs/btree_update_interior.c:2243
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xae0/0x1c40 kernel/workqueue.c:3310
worker_thread+0xea7/0x14f0 kernel/workqueue.c:3391
kthread+0x3e2/0x540 kernel/kthread.c:389
ret_from_fork+0x6d/0x90 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
CPU: 0 UID: 0 PID: 3761 Comm: kworker/u8:13 Not tainted 6.12.0-rc6-syzkaller-00099-g7758b206117d #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: btree_node_rewrite async_btree_node_rewrite_work
=====================================================
* [syzbot] [bcachefs?] kernel BUG in __bch2_btree_node_hash_insert
@ 2024-11-09 15:43 syzbot
2024-11-11 3:13 ` [syzbot] syzbot
0 siblings, 1 reply; 141+ messages in thread
From: syzbot @ 2024-11-09 15:43 UTC (permalink / raw)
To: kent.overstreet, linux-bcachefs, linux-kernel, syzkaller-bugs, terrelln
Hello,
syzbot found the following issue on:
HEAD commit: 850f22c42f4b Add linux-next specific files for 20241105
git tree: linux-next
console+strace: https://syzkaller.appspot.com/x/log.txt?x=16d656a7980000
kernel config: https://syzkaller.appspot.com/x/.config?x=20c0926a86d94a8
dashboard link: https://syzkaller.appspot.com/bug?extid=19c1a30221401d741bc2
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10198e30580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12fdb587980000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/2f4977b60e81/disk-850f22c4.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/5574d3bf40f3/vmlinux-850f22c4.xz
kernel image: https://storage.googleapis.com/syzbot-assets/013dbea598ca/bzImage-850f22c4.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/442d7ae00d08/mount_0.gz
The issue was bisected to:
commit bf4baaa087e2be0279991f1dbf9acaa7a4c9148c
Author: Kent Overstreet <kent.overstreet@linux.dev>
Date: Sat Oct 5 21:37:02 2024 +0000
bcachefs: Fix lockdep splat in bch2_accounting_read
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=122c36a7980000
final oops: https://syzkaller.appspot.com/x/report.txt?x=112c36a7980000
console output: https://syzkaller.appspot.com/x/log.txt?x=162c36a7980000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+19c1a30221401d741bc2@syzkaller.appspotmail.com
Fixes: bf4baaa087e2 ("bcachefs: Fix lockdep splat in bch2_accounting_read")
parent: u64s 5 type btree_ptr SPOS_MAX len 0 ver 0
child: u64s 11 type btree_ptr_v2 U64_MAX:18374686479671623680:50331647 len 0 ver 0: seq 2285c34bed0abe32 written 16 min_key POS_MIN durability: 1 ptr: 0:31:0 gen 0, fixing
bcachefs (loop0): bch2_get_scanned_nodes(): recovery btree=xattrs level=0 U64_MAX:18374686479671623680:50331648 - SPOS_MAX
bcachefs (loop0): set_node_max(): u64s 11 type btree_ptr_v2 U64_MAX:18374686479671623680:50331647 len 0 ver 0: seq 2285c34bed0abe32 written 16 min_key POS_MIN durability: 1 ptr: 0:31:0 gen 0 -> SPOS_MAX
------------[ cut here ]------------
kernel BUG at fs/bcachefs/btree_cache.c:280!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 1 UID: 0 PID: 5854 Comm: syz-executor700 Not tainted 6.12.0-rc6-next-20241105-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
RIP: 0010:__bch2_btree_node_hash_insert+0x12ed/0x1310 fs/bcachefs/btree_cache.c:280
Code: f6 fd e9 9d f5 ff ff 89 d9 80 e1 07 80 c1 03 38 c1 0f 8c f2 f7 ff ff 48 89 df e8 2e d5 f6 fd e9 e5 f7 ff ff e8 04 74 8c fd 90 <0f> 0b e8 fc 73 8c fd 90 0f 0b e8 f4 73 8c fd 90 0f 0b e8 1c 6c bc
RSP: 0018:ffffc90003d36640 EFLAGS: 00010293
RAX: ffffffff840963bc RBX: ffff8880282a0228 RCX: ffff888034390000
RDX: 0000000000000000 RSI: ffff8880282a0000 RDI: ffff888075b81a90
RBP: ffffc90003d36770 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 000000000001f001 R12: 1ffff11005054045
R13: dffffc0000000000 R14: ffff888075b81a90 R15: ffff8880282a0000
FS: 0000555559c71380(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055792096e558 CR3: 00000000758cc000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
set_node_max+0x542/0x710 fs/bcachefs/btree_gc.c:188
btree_repair_node_end fs/bcachefs/btree_gc.c:301 [inline]
bch2_btree_repair_topology_recurse+0x5a7c/0x6c10 fs/bcachefs/btree_gc.c:427
bch2_check_topology+0x6d4/0xba0 fs/bcachefs/btree_gc.c:554
bch2_run_recovery_pass+0xf0/0x1e0 fs/bcachefs/recovery_passes.c:216
bch2_run_recovery_passes+0x290/0x9f0 fs/bcachefs/recovery_passes.c:286
bch2_fs_recovery+0x25cc/0x39b0 fs/bcachefs/recovery.c:893
bch2_fs_start+0x37c/0x610 fs/bcachefs/super.c:1037
bch2_fs_get_tree+0xd68/0x1710 fs/bcachefs/fs.c:2186
vfs_get_tree+0x90/0x2b0 fs/super.c:1814
do_new_mount+0x2be/0xb40 fs/namespace.c:3507
do_mount fs/namespace.c:3847 [inline]
__do_sys_mount fs/namespace.c:4057 [inline]
__se_sys_mount+0x2d6/0x3c0 fs/namespace.c:4034
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fa63b34497a
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 5e 04 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff4e112dd8 EFLAGS: 00000282 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007fff4e112df0 RCX: 00007fa63b34497a
RDX: 0000000020000180 RSI: 0000000020000000 RDI: 00007fff4e112df0
RBP: 0000000000000004 R08: 00007fff4e112e30 R09: 00000000000059b6
R10: 0000000000800008 R11: 0000000000000282 R12: 0000000000800008
R13: 00007fff4e112e30 R14: 0000000000000003 R15: 0000000001000000
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite the report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
* [syzbot] [bcachefs?] kernel BUG in bch2_rechecksum_bio
@ 2024-11-08 15:57 syzbot
2024-11-29 0:32 ` [syzbot] syzbot
From: syzbot @ 2024-11-08 15:57 UTC (permalink / raw)
To: kent.overstreet, linux-bcachefs, linux-kernel, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 59b723cd2adb Linux 6.12-rc6
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1693f630580000
kernel config: https://syzkaller.appspot.com/x/.config?x=11254d3590b16717
dashboard link: https://syzkaller.appspot.com/bug?extid=50d3544c9b8db9c99fd2
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1391ad5f980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12e546a7980000
Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7feb34a89c2a/non_bootable_disk-59b723cd.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/6b98f620edf1/vmlinux-59b723cd.xz
kernel image: https://storage.googleapis.com/syzbot-assets/b5d1377ba568/bzImage-59b723cd.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/4854d6cc2b6a/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+50d3544c9b8db9c99fd2@syzkaller.appspotmail.com
------------[ cut here ]------------
kernel BUG at fs/bcachefs/checksum.c:424!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 5323 Comm: bch-rebalance/l Not tainted 6.12.0-rc6-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:bch2_rechecksum_bio+0x148c/0x14b0 fs/bcachefs/checksum.c:424
Code: 48 89 df e8 76 b9 d7 fd e9 4d f9 ff ff 89 f9 80 e1 07 38 c1 0f 8c 1c fd ff ff e8 4f ba d7 fd e9 12 fd ff ff e8 e5 f3 6d fd 90 <0f> 0b e8 dd f3 6d fd 90 0f 0b e8 d5 f3 6d fd 90 0f 0b e8 1d 50 a0
RSP: 0018:ffffc9000d186b20 EFLAGS: 00010293
RAX: ffffffff8426e67b RBX: 0000000000000007 RCX: ffff88801e00c880
RDX: 0000000000000000 RSI: 0000000000000018 RDI: 0000000000000008
RBP: ffffc9000d186e70 R08: ffffffff8426d688 R09: 0000000000000000
R10: ffffc9000d186d40 R11: fffff52001a30dae R12: 0000000000000018
R13: dffffc0000000000 R14: 0000000000000008 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff88801fc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055bb8ac5e0b8 CR3: 0000000011c00000 CR4: 0000000000352ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
bch2_write_rechecksum fs/bcachefs/io_write.c:776 [inline]
bch2_write_prep_encoded_data fs/bcachefs/io_write.c:877 [inline]
bch2_write_extent fs/bcachefs/io_write.c:909 [inline]
__bch2_write+0x2f7b/0x5dd0 fs/bcachefs/io_write.c:1461
bch2_write+0x9b5/0x1760 fs/bcachefs/io_write.c:1634
closure_queue include/linux/closure.h:270 [inline]
closure_call include/linux/closure.h:432 [inline]
bch2_data_update_read_done+0x22e/0x330 fs/bcachefs/data_update.c:426
move_write fs/bcachefs/move.c:133 [inline]
bch2_moving_ctxt_do_pending_writes+0x44c/0x8d0 fs/bcachefs/move.c:164
bch2_moving_ctxt_flush_all+0x1c3/0x2f0 fs/bcachefs/move.c:179
do_rebalance fs/bcachefs/rebalance.c:379 [inline]
bch2_rebalance_thread+0x1a87/0x1fc0 fs/bcachefs/rebalance.c:401
kthread+0x2f0/0x390 kernel/kthread.c:389
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
---
* [syzbot] [bcachefs?] KMSAN: uninit-value in bch2_bucket_alloc_early
@ 2024-11-06 13:58 syzbot
2025-04-01 4:05 ` [syzbot] syzbot
From: syzbot @ 2024-11-06 13:58 UTC (permalink / raw)
To: kent.overstreet, linux-bcachefs, linux-kernel, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 11066801dd4b Merge tag 'linux_kselftest-fixes-6.12-rc6' of..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1586755f980000
kernel config: https://syzkaller.appspot.com/x/.config?x=1edd801cefd6ca3e
dashboard link: https://syzkaller.appspot.com/bug?extid=07d7911319bd613ba885
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: i386
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/cc31a4a3feaf/disk-11066801.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/864b7b8a0366/vmlinux-11066801.xz
kernel image: https://storage.googleapis.com/syzbot-assets/1d3aafe2185a/bzImage-11066801.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+07d7911319bd613ba885@syzkaller.appspotmail.com
=====================================================
BUG: KMSAN: uninit-value in bch2_alloc_to_v4 fs/bcachefs/alloc_background.h:235 [inline]
BUG: KMSAN: uninit-value in bch2_bucket_alloc_early+0x11c0/0x2520 fs/bcachefs/alloc_foreground.c:439
bch2_alloc_to_v4 fs/bcachefs/alloc_background.h:235 [inline]
bch2_bucket_alloc_early+0x11c0/0x2520 fs/bcachefs/alloc_foreground.c:439
bch2_bucket_alloc_trans+0x8e6/0x3fb0 fs/bcachefs/alloc_foreground.c:649
bch2_bucket_alloc_set_trans+0x959/0x1650 fs/bcachefs/alloc_foreground.c:808
__open_bucket_add_buckets+0x1dec/0x3070 fs/bcachefs/alloc_foreground.c:1057
open_bucket_add_buckets+0x328/0x530 fs/bcachefs/alloc_foreground.c:1101
bch2_alloc_sectors_start_trans+0x1833/0x32b0
__bch2_btree_node_alloc fs/bcachefs/btree_update_interior.c:343 [inline]
bch2_btree_reserve_get+0x9d6/0x2290 fs/bcachefs/btree_update_interior.c:554
bch2_btree_update_start+0x1af9/0x2d60 fs/bcachefs/btree_update_interior.c:1252
bch2_btree_split_leaf+0x120/0xc00 fs/bcachefs/btree_update_interior.c:1850
bch2_trans_commit_error+0x1c0/0x1d60 fs/bcachefs/btree_trans_commit.c:942
__bch2_trans_commit+0x210f/0xd190 fs/bcachefs/btree_trans_commit.c:1140
bch2_trans_commit fs/bcachefs/btree_update.h:184 [inline]
btree_update_nodes_written fs/bcachefs/btree_update_interior.c:728 [inline]
btree_interior_update_work+0x2080/0x4870 fs/bcachefs/btree_update_interior.c:866
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xae0/0x1c40 kernel/workqueue.c:3310
worker_thread+0xea7/0x14f0 kernel/workqueue.c:3391
kthread+0x3e2/0x540 kernel/kthread.c:389
ret_from_fork+0x6d/0x90 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
Uninit was created at:
___kmalloc_large_node+0x22c/0x370 mm/slub.c:4219
__kmalloc_large_node_noprof+0x3f/0x1e0 mm/slub.c:4236
__do_kmalloc_node mm/slub.c:4252 [inline]
__kmalloc_node_noprof+0x9d6/0xf50 mm/slub.c:4270
__kvmalloc_node_noprof+0xc0/0x2d0 mm/util.c:658
btree_node_data_alloc fs/bcachefs/btree_cache.c:125 [inline]
__bch2_btree_node_mem_alloc+0x2c8/0x9d0 fs/bcachefs/btree_cache.c:170
bch2_fs_btree_cache_init+0x4e4/0xb50 fs/bcachefs/btree_cache.c:633
bch2_fs_alloc fs/bcachefs/super.c:916 [inline]
bch2_fs_open+0x4d35/0x5b30 fs/bcachefs/super.c:2064
bch2_fs_get_tree+0x983/0x22d0 fs/bcachefs/fs.c:2157
vfs_get_tree+0xb1/0x5a0 fs/super.c:1814
do_new_mount+0x71f/0x15e0 fs/namespace.c:3507
path_mount+0x742/0x1f10 fs/namespace.c:3834
do_mount fs/namespace.c:3847 [inline]
__do_sys_mount fs/namespace.c:4057 [inline]
__se_sys_mount+0x722/0x810 fs/namespace.c:4034
__ia32_sys_mount+0xe3/0x150 fs/namespace.c:4034
ia32_sys_call+0x2530/0x40d0 arch/x86/include/generated/asm/syscalls_32.h:22
do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline]
__do_fast_syscall_32+0xb0/0x110 arch/x86/entry/common.c:386
do_fast_syscall_32+0x38/0x80 arch/x86/entry/common.c:411
do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:449
entry_SYSENTER_compat_after_hwframe+0x84/0x8e
CPU: 1 UID: 0 PID: 1882 Comm: kworker/u8:7 Not tainted 6.12.0-rc5-syzkaller-00299-g11066801dd4b #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: btree_update btree_interior_update_work
=====================================================
---
* [syzbot] [bcachefs?] kernel BUG in bch2_btree_path_traverse_one
@ 2024-11-06 13:24 syzbot
2024-11-28 3:27 ` [syzbot] syzbot
From: syzbot @ 2024-11-06 13:24 UTC (permalink / raw)
To: kent.overstreet, linux-bcachefs, linux-kernel, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 11066801dd4b Merge tag 'linux_kselftest-fixes-6.12-rc6' of..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=123e755f980000
kernel config: https://syzkaller.appspot.com/x/.config?x=672325e7ab17fdf7
dashboard link: https://syzkaller.appspot.com/bug?extid=997f0573004dcb964555
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=156b2987980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=163e755f980000
Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7feb34a89c2a/non_bootable_disk-11066801.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/b062b193560b/vmlinux-11066801.xz
kernel image: https://storage.googleapis.com/syzbot-assets/5b6da4ee7c42/bzImage-11066801.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/8becb7eaabe7/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+997f0573004dcb964555@syzkaller.appspotmail.com
bcachefs (loop0): check_btree_backpointers... done
bcachefs (loop0): check_backpointers_to_extents... done
bcachefs (loop0): check_extents_to_backpointers...
------------[ cut here ]------------
kernel BUG at fs/bcachefs/btree_cache.h:129!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 5320 Comm: syz-executor345 Not tainted 6.12.0-rc5-syzkaller-00299-g11066801dd4b #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:bch2_btree_id_root fs/bcachefs/btree_cache.h:129 [inline]
RIP: 0010:btree_path_lock_root fs/bcachefs/btree_iter.c:723 [inline]
RIP: 0010:bch2_btree_path_traverse_one+0x28de/0x2940 fs/bcachefs/btree_iter.c:1183
Code: f4 8e 48 89 de e8 92 da dc 00 e9 78 f8 ff ff e8 38 e1 7b fd 90 0f 0b e8 c0 2d ae 07 e8 2b e1 7b fd 90 0f 0b e8 23 e1 7b fd 90 <0f> 0b e8 1b e1 7b fd 90 0f 0b e8 13 e1 7b fd 90 0f 0b 48 8b 4c 24
RSP: 0018:ffffc9000d0d5de0 EFLAGS: 00010293
RAX: ffffffff8418f8fd RBX: ffff888044480000 RCX: ffff88801f084880
RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000000
RBP: ffffc9000d0d60d0 R08: ffffffff8418e949 R09: ffffffff8418b9a9
R10: 0000000000000002 R11: ffff88801f084880 R12: dffffc0000000000
R13: 0000000000000004 R14: ffff8880414cc380 R15: 0000000000000000
FS: 0000555593398380(0000) GS:ffff88801fc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000056431d273820 CR3: 0000000044502000 CR4: 0000000000352ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
bch2_btree_path_traverse fs/bcachefs/btree_iter.h:247 [inline]
bch2_btree_iter_peek_slot+0x84f/0x2550 fs/bcachefs/btree_iter.c:2629
bch2_backpointer_get_key+0x2bc/0x970 fs/bcachefs/backpointers.c:322
check_bp_exists fs/bcachefs/backpointers.c:579 [inline]
check_extent_to_backpointers+0x21f9/0x46b0 fs/bcachefs/backpointers.c:683
bch2_check_extents_to_backpointers_pass fs/bcachefs/backpointers.c:879 [inline]
bch2_check_extents_to_backpointers+0x1190/0x1bf0 fs/bcachefs/backpointers.c:932
bch2_run_recovery_pass+0xf0/0x1e0 fs/bcachefs/recovery_passes.c:185
bch2_run_recovery_passes+0x387/0x870 fs/bcachefs/recovery_passes.c:232
bch2_fs_recovery+0x25cc/0x39c0 fs/bcachefs/recovery.c:861
bch2_fs_start+0x356/0x5b0 fs/bcachefs/super.c:1036
bch2_fs_get_tree+0xd68/0x1710 fs/bcachefs/fs.c:2170
vfs_get_tree+0x90/0x2b0 fs/super.c:1814
do_new_mount+0x2be/0xb40 fs/namespace.c:3507
do_mount fs/namespace.c:3847 [inline]
__do_sys_mount fs/namespace.c:4057 [inline]
__se_sys_mount+0x2d6/0x3c0 fs/namespace.c:4034
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f31be2970aa
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 5e 04 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffd6f7edc68 EFLAGS: 00000282 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007ffd6f7edc70 RCX: 00007f31be2970aa
RDX: 00000000200058c0 RSI: 0000000020005900 RDI: 00007ffd6f7edc70
RBP: 0000000000000004 R08: 00007ffd6f7edcb0 R09: 00000000000058cb
R10: 0000000000000001 R11: 0000000000000282 R12: 00007ffd6f7edcb0
R13: 0000000000000003 R14: 0000000001000000 R15: 00007f31be2de03b
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
---
* [syzbot] [bcachefs?] kernel BUG in __bkey_unpack_pos
@ 2024-10-30 16:39 syzbot
2024-11-08 5:02 ` [syzbot] syzbot
From: syzbot @ 2024-10-30 16:39 UTC (permalink / raw)
To: kent.overstreet, linux-bcachefs, linux-kernel, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 850925a8133c Merge tag '9p-for-6.12-rc5' of https://github..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13772a87980000
kernel config: https://syzkaller.appspot.com/x/.config?x=309bb816d40abc28
dashboard link: https://syzkaller.appspot.com/bug?extid=4d722d3c539d77c7bc82
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=160c44a7980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=120e7e40580000
Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7feb34a89c2a/non_bootable_disk-850925a8.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/c831c931f29c/vmlinux-850925a8.xz
kernel image: https://storage.googleapis.com/syzbot-assets/85f584e52a7f/bzImage-850925a8.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/b2e9e371ca38/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+4d722d3c539d77c7bc82@syzkaller.appspotmail.com
bcachefs (loop0): accounting_read... done
bcachefs (loop0): alloc_read... done
bcachefs (loop0): stripes_read... done
bcachefs (loop0): snapshots_read...
------------[ cut here ]------------
kernel BUG at fs/bcachefs/bkey.c:297!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 5311 Comm: syz-executor213 Not tainted 6.12.0-rc4-syzkaller-00261-g850925a8133c #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:__bkey_unpack_pos+0x779/0x790 fs/bcachefs/bkey.c:297
Code: b6 e4 00 e9 ad fb ff ff e8 24 ea 83 fd 48 c7 c7 40 b1 f3 8e 4c 89 e6 48 89 da e8 f2 b5 e4 00 e9 f4 fc ff ff e8 08 ea 83 fd 90 <0f> 0b e8 00 ea 83 fd 90 0f 0b e8 f8 e9 83 fd 90 0f 0b 0f 1f 44 00
RSP: 0018:ffffc9000cdfe360 EFLAGS: 00010293
RAX: ffffffff84110068 RBX: 0000000000000001 RCX: ffff888000d4a440
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000006
RBP: 0000000000000000 R08: ffffffff8410f998 R09: 0000000000000000
R10: ffffc9000cdfe400 R11: fffff520019bfc82 R12: ffffc9000cdfe400
R13: dffffc0000000000 R14: 0000000000000001 R15: ffffc9000cdfe840
FS: 0000555574f49380(0000) GS:ffff88801fc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffc52831f40 CR3: 000000004475a000 CR4: 0000000000352ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
bkey_unpack_pos_format_checked fs/bcachefs/bkey.h:456 [inline]
__bch2_bkey_cmp_left_packed_format_checked fs/bcachefs/bkey.c:1029 [inline]
__bch2_bkey_cmp_left_packed+0xed/0x790 fs/bcachefs/bkey.c:1049
bkey_cmp_left_packed fs/bcachefs/bkey.h:88 [inline]
bch2_bkey_pack_pos_lossy+0xa08/0x1990 fs/bcachefs/bkey.c:532
bch2_btree_node_iter_init+0x894/0x4280 fs/bcachefs/bset.c:1313
__btree_path_level_init fs/bcachefs/btree_iter.c:615 [inline]
bch2_btree_path_level_init+0x4d2/0x9f0 fs/bcachefs/btree_iter.c:635
btree_path_lock_root fs/bcachefs/btree_iter.c:769 [inline]
bch2_btree_path_traverse_one+0x10de/0x2940 fs/bcachefs/btree_iter.c:1170
bch2_btree_path_traverse fs/bcachefs/btree_iter.h:247 [inline]
__bch2_btree_iter_peek fs/bcachefs/btree_iter.c:2197 [inline]
bch2_btree_iter_peek_upto+0xb58/0x70e0 fs/bcachefs/btree_iter.c:2297
bch2_btree_iter_peek_upto_type fs/bcachefs/btree_iter.h:685 [inline]
bch2_snapshots_read+0x4ac/0x15f0 fs/bcachefs/snapshot.c:1785
bch2_run_recovery_pass+0xf0/0x1e0 fs/bcachefs/recovery_passes.c:185
bch2_run_recovery_passes+0x387/0x870 fs/bcachefs/recovery_passes.c:232
bch2_fs_recovery+0x25cc/0x39c0 fs/bcachefs/recovery.c:862
bch2_fs_start+0x356/0x5b0 fs/bcachefs/super.c:1036
bch2_fs_get_tree+0xd68/0x1710 fs/bcachefs/fs.c:2170
vfs_get_tree+0x90/0x2b0 fs/super.c:1800
do_new_mount+0x2be/0xb40 fs/namespace.c:3507
do_mount fs/namespace.c:3847 [inline]
__do_sys_mount fs/namespace.c:4057 [inline]
__se_sys_mount+0x2d6/0x3c0 fs/namespace.c:4034
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fe43d8e1cba
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 5e 04 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff67207cf8 EFLAGS: 00000282 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007fff67207d10 RCX: 00007fe43d8e1cba
RDX: 00000000200058c0 RSI: 0000000020005900 RDI: 00007fff67207d10
RBP: 0000000000000004 R08: 00007fff67207d50 R09: 0000000000005946
R10: 0000000001000000 R11: 0000000000000282 R12: 0000000001000000
R13: 00007fff67207d50 R14: 0000000000000003 R15: 0000000001000000
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
---
* [syzbot] [bcachefs?] kernel BUG in bch2_btree_write_buffer_flush_locked
@ 2024-10-28 15:49 syzbot
2024-11-28 3:21 ` [syzbot] syzbot
From: syzbot @ 2024-10-28 15:49 UTC (permalink / raw)
To: kent.overstreet, linux-bcachefs, linux-kernel, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 850925a8133c Merge tag '9p-for-6.12-rc5' of https://github..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=126f1230580000
kernel config: https://syzkaller.appspot.com/x/.config?x=309bb816d40abc28
dashboard link: https://syzkaller.appspot.com/bug?extid=4aff7bdaa254c1d9f008
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13ddaa87980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=166f1230580000
Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7feb34a89c2a/non_bootable_disk-850925a8.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/c831c931f29c/vmlinux-850925a8.xz
kernel image: https://storage.googleapis.com/syzbot-assets/85f584e52a7f/bzImage-850925a8.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/c55dd771077b/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+4aff7bdaa254c1d9f008@syzkaller.appspotmail.com
bucket 0:127 gen 0 data type sb has wrong dirty_sectors: got 0, should be 256, fixing
done
bcachefs (loop0): going read-write
bcachefs (loop0): journal_replay...
------------[ cut here ]------------
kernel BUG at fs/bcachefs/btree_write_buffer.c:147!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 5308 Comm: syz-executor416 Not tainted 6.12.0-rc4-syzkaller-00261-g850925a8133c #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:wb_flush_one fs/bcachefs/btree_write_buffer.c:147 [inline]
RIP: 0010:bch2_btree_write_buffer_flush_locked+0x5695/0x59f0 fs/bcachefs/btree_write_buffer.c:375
Code: 31 05 f5 ff e8 8c b8 70 fd 90 0f 0b e8 84 b8 70 fd 90 0f 0b e8 7c b8 70 fd 90 0f 0b e8 74 b8 70 fd 90 0f 0b e8 6c b8 70 fd 90 <0f> 0b e8 64 b8 70 fd 90 0f 0b e8 5c b8 70 fd 90 0f 0b e8 54 b8 70
RSP: 0018:ffffc9000d0de820 EFLAGS: 00010293
RAX: ffffffff84243204 RBX: 010000000000000b RCX: ffff88801f6ca440
RDX: 0000000000000000 RSI: 000000000000000b RDI: 010000000000000b
RBP: ffffc9000d0dec70 R08: ffffffff8423f47f R09: 0000000000000000
R10: ffffc9000d0de300 R11: fffff52001a1bc61 R12: 0000000000000000
R13: ffff888044468000 R14: 000000000000000b R15: ffffc9000e600000
FS: 0000555592722380(0000) GS:ffff88801fc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffe145a6dd8 CR3: 0000000042f12000 CR4: 0000000000352ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
btree_write_buffer_flush_seq+0x1a43/0x1bc0 fs/bcachefs/btree_write_buffer.c:510
bch2_btree_write_buffer_journal_flush+0x4e/0x80 fs/bcachefs/btree_write_buffer.c:525
journal_flush_pins+0x5f7/0xb20 fs/bcachefs/journal_reclaim.c:565
journal_flush_done+0x8e/0x260 fs/bcachefs/journal_reclaim.c:819
bch2_journal_flush_pins+0x18a/0x3a0 fs/bcachefs/journal_reclaim.c:852
bch2_journal_flush_all_pins fs/bcachefs/journal_reclaim.h:76 [inline]
bch2_journal_replay+0x270f/0x2a40 fs/bcachefs/recovery.c:384
bch2_run_recovery_pass+0xf0/0x1e0 fs/bcachefs/recovery_passes.c:185
bch2_run_recovery_passes+0x387/0x870 fs/bcachefs/recovery_passes.c:232
bch2_fs_recovery+0x25cc/0x39c0 fs/bcachefs/recovery.c:862
bch2_fs_start+0x356/0x5b0 fs/bcachefs/super.c:1036
bch2_fs_get_tree+0xd68/0x1710 fs/bcachefs/fs.c:2170
vfs_get_tree+0x90/0x2b0 fs/super.c:1800
do_new_mount+0x2be/0xb40 fs/namespace.c:3507
do_mount fs/namespace.c:3847 [inline]
__do_sys_mount fs/namespace.c:4057 [inline]
__se_sys_mount+0x2d6/0x3c0 fs/namespace.c:4034
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fe1770828fa
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 5e 04 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffdda0a8558 EFLAGS: 00000282 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007ffdda0a8570 RCX: 00007fe1770828fa
RDX: 0000000020000340 RSI: 0000000020000000 RDI: 00007ffdda0a8570
RBP: 0000000000000004 R08: 00007ffdda0a85b0 R09: 0000000000005927
R10: 0000000000800000 R11: 0000000000000282 R12: 0000000000800000
R13: 00007ffdda0a85b0 R14: 0000000000000003 R15: 0000000001000000
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:wb_flush_one fs/bcachefs/btree_write_buffer.c:147 [inline]
RIP: 0010:bch2_btree_write_buffer_flush_locked+0x5695/0x59f0 fs/bcachefs/btree_write_buffer.c:375
Code: 31 05 f5 ff e8 8c b8 70 fd 90 0f 0b e8 84 b8 70 fd 90 0f 0b e8 7c b8 70 fd 90 0f 0b e8 74 b8 70 fd 90 0f 0b e8 6c b8 70 fd 90 <0f> 0b e8 64 b8 70 fd 90 0f 0b e8 5c b8 70 fd 90 0f 0b e8 54 b8 70
RSP: 0018:ffffc9000d0de820 EFLAGS: 00010293
RAX: ffffffff84243204 RBX: 010000000000000b RCX: ffff88801f6ca440
RDX: 0000000000000000 RSI: 000000000000000b RDI: 010000000000000b
RBP: ffffc9000d0dec70 R08: ffffffff8423f47f R09: 0000000000000000
R10: ffffc9000d0de300 R11: fffff52001a1bc61 R12: 0000000000000000
R13: ffff888044468000 R14: 000000000000000b R15: ffffc9000e600000
FS: 0000555592722380(0000) GS:ffff88801fc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055a002f01098 CR3: 0000000042f12000 CR4: 0000000000352ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite the report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
^ permalink raw reply [flat|nested] 141+ messages in thread
* [syzbot] [bcachefs?] kernel BUG in bch2_inconsistent_error
@ 2024-10-27 3:54 syzbot
2024-11-08 0:48 ` [syzbot] syzbot
0 siblings, 1 reply; 141+ messages in thread
From: syzbot @ 2024-10-27 3:54 UTC (permalink / raw)
To: kent.overstreet, linux-bcachefs, linux-kernel, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: c2ee9f594da8 KVM: selftests: Fix build on on non-x86 archi..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14202a5f980000
kernel config: https://syzkaller.appspot.com/x/.config?x=fc6f8ce8c5369043
dashboard link: https://syzkaller.appspot.com/bug?extid=bee87a0c3291c06aa8c6
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11468c30580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=166fa640580000
Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7feb34a89c2a/non_bootable_disk-c2ee9f59.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/8a3541902b13/vmlinux-c2ee9f59.xz
kernel image: https://storage.googleapis.com/syzbot-assets/a00efacc2604/bzImage-c2ee9f59.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/7da30fa86689/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+bee87a0c3291c06aa8c6@syzkaller.appspotmail.com
------------[ cut here ]------------
kernel BUG at fs/bcachefs/error.c:29!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 5094 Comm: syz-executor353 Not tainted 6.12.0-rc4-syzkaller-00047-gc2ee9f594da8 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:bch2_inconsistent_error+0x14c/0x150 fs/bcachefs/error.c:29
Code: fb 02 75 20 e8 f5 53 67 fd 49 81 c7 cc 01 00 00 e8 09 0c d1 fd 48 c7 c7 20 74 53 8c 4c 89 fe e8 2a cb 95 07 e8 d5 53 67 fd 90 <0f> 0b 66 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f
RSP: 0018:ffffc9000b0965f8 EFLAGS: 00010293
RAX: ffffffff842d840b RBX: 0000000000000004 RCX: ffff8880359c8000
RDX: 0000000000000000 RSI: ffffffff8ef57290 RDI: 0000000000000004
RBP: ffffc9000b0967a8 R08: 0000000000000001 R09: ffffffff842d8324
R10: 0000000000000004 R11: ffff8880359c8000 R12: dffffc0000000000
R13: ffffc9000b0966c0 R14: ffff888044c00000 R15: ffff888044c00000
FS: 00005555742e5380(0000) GS:ffff88801fc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffe064e9e68 CR3: 000000003df88000 CR4: 0000000000352ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
bch2_topology_error+0x83/0xc0 fs/bcachefs/error.c:37
__btree_err+0x610/0x760 fs/bcachefs/btree_io.c:597
validate_bset+0x157b/0x2640 fs/bcachefs/btree_io.c:807
bch2_btree_node_read_done+0x2108/0x5e90 fs/bcachefs/btree_io.c:1126
btree_node_read_work+0x68b/0x1260 fs/bcachefs/btree_io.c:1327
bch2_btree_node_read+0x2433/0x2a10
__bch2_btree_root_read fs/bcachefs/btree_io.c:1753 [inline]
bch2_btree_root_read+0x617/0x7a0 fs/bcachefs/btree_io.c:1775
read_btree_roots+0x296/0x840 fs/bcachefs/recovery.c:524
bch2_fs_recovery+0x2585/0x39c0 fs/bcachefs/recovery.c:854
bch2_fs_start+0x356/0x5b0 fs/bcachefs/super.c:1036
bch2_fs_get_tree+0xd68/0x1710 fs/bcachefs/fs.c:2174
vfs_get_tree+0x90/0x2b0 fs/super.c:1800
do_new_mount+0x2be/0xb40 fs/namespace.c:3507
do_mount fs/namespace.c:3847 [inline]
__do_sys_mount fs/namespace.c:4057 [inline]
__se_sys_mount+0x2d6/0x3c0 fs/namespace.c:4034
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f1aa39038fa
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 5e 04 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffddefb1b08 EFLAGS: 00000282 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007ffddefb1b20 RCX: 00007f1aa39038fa
RDX: 0000000020000300 RSI: 0000000020005900 RDI: 00007ffddefb1b20
RBP: 0000000000000004 R08: 00007ffddefb1b60 R09: 00000000000058c4
R10: 0000000000000000 R11: 0000000000000282 R12: 0000000000000000
R13: 00007ffddefb1b60 R14: 0000000000000003 R15: 0000000001000000
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:bch2_inconsistent_error+0x14c/0x150 fs/bcachefs/error.c:29
Code: fb 02 75 20 e8 f5 53 67 fd 49 81 c7 cc 01 00 00 e8 09 0c d1 fd 48 c7 c7 20 74 53 8c 4c 89 fe e8 2a cb 95 07 e8 d5 53 67 fd 90 <0f> 0b 66 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f
RSP: 0018:ffffc9000b0965f8 EFLAGS: 00010293
RAX: ffffffff842d840b RBX: 0000000000000004 RCX: ffff8880359c8000
RDX: 0000000000000000 RSI: ffffffff8ef57290 RDI: 0000000000000004
RBP: ffffc9000b0967a8 R08: 0000000000000001 R09: ffffffff842d8324
R10: 0000000000000004 R11: ffff8880359c8000 R12: dffffc0000000000
R13: ffffc9000b0966c0 R14: ffff888044c00000 R15: ffff888044c00000
FS: 00005555742e5380(0000) GS:ffff88801fc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffe064e9e68 CR3: 000000003df88000 CR4: 0000000000352ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
---
* [syzbot] [bcachefs?] kernel BUG in bch2_bkey_pack_pos_lossy
@ 2024-10-27 1:10 syzbot
2024-11-08 5:11 ` [syzbot] syzbot
0 siblings, 1 reply; 141+ messages in thread
From: syzbot @ 2024-10-27 1:10 UTC (permalink / raw)
To: kent.overstreet, linux-bcachefs, linux-kernel, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: c2ee9f594da8 KVM: selftests: Fix build on on non-x86 archi..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1051ca5f980000
kernel config: https://syzkaller.appspot.com/x/.config?x=fc6f8ce8c5369043
dashboard link: https://syzkaller.appspot.com/bug?extid=e8bd437eb38c35c5f35a
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16e1a640580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15344287980000
Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7feb34a89c2a/non_bootable_disk-c2ee9f59.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/8a3541902b13/vmlinux-c2ee9f59.xz
kernel image: https://storage.googleapis.com/syzbot-assets/a00efacc2604/bzImage-c2ee9f59.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/e27719dd0715/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+e8bd437eb38c35c5f35a@syzkaller.appspotmail.com
bcachefs (loop0): alloc_read... done
bcachefs (loop0): stripes_read... done
bcachefs (loop0): snapshots_read... done
bcachefs (loop0): check_allocations...
------------[ cut here ]------------
kernel BUG at fs/bcachefs/bkey.c:130!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 5096 Comm: syz-executor440 Not tainted 6.12.0-rc4-syzkaller-00047-gc2ee9f594da8 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:pack_state_finish fs/bcachefs/bkey.c:130 [inline]
RIP: 0010:bch2_bkey_pack_pos_lossy+0x1956/0x1990 fs/bcachefs/bkey.c:525
Code: fd 90 0f 0b e8 5b b8 83 fd 90 0f 0b e8 53 b8 83 fd 90 0f 0b e8 4b b8 83 fd 90 0f 0b e8 43 b8 83 fd 90 0f 0b e8 3b b8 83 fd 90 <0f> 0b e8 33 47 b5 07 e8 2e b8 83 fd 90 0f 0b e8 26 b8 83 fd 90 0f
RSP: 0018:ffffc90002c3dd20 EFLAGS: 00010293
RAX: ffffffff84111fa5 RBX: ffffc90802c3e0b8 RCX: ffff88801fa9a440
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90002c3df58 R08: ffffffff84110ea6 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: dffffc0000000000
R13: ffff8880408320c0 R14: 0000000000000000 R15: ffffc90002c3e0c0
FS: 0000555561411380(0000) GS:ffff88801fc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055cccf015d88 CR3: 0000000040a32000 CR4: 0000000000352ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
bch2_btree_node_iter_init+0x894/0x4280 fs/bcachefs/bset.c:1313
__btree_path_level_init fs/bcachefs/btree_iter.c:615 [inline]
bch2_btree_path_level_init+0x4d2/0x9f0 fs/bcachefs/btree_iter.c:635
btree_path_lock_root fs/bcachefs/btree_iter.c:769 [inline]
bch2_btree_path_traverse_one+0x10de/0x2940 fs/bcachefs/btree_iter.c:1170
bch2_btree_path_traverse fs/bcachefs/btree_iter.h:247 [inline]
__bch2_btree_iter_peek fs/bcachefs/btree_iter.c:2197 [inline]
bch2_btree_iter_peek_upto+0xb58/0x70e0 fs/bcachefs/btree_iter.c:2297
bch2_btree_iter_peek_upto_type fs/bcachefs/btree_iter.h:685 [inline]
bch2_gc_btree fs/bcachefs/btree_gc.c:670 [inline]
bch2_gc_btrees fs/bcachefs/btree_gc.c:729 [inline]
bch2_check_allocations+0x1a8b/0x6e80 fs/bcachefs/btree_gc.c:1123
bch2_run_recovery_pass+0xf0/0x1e0 fs/bcachefs/recovery_passes.c:185
bch2_run_recovery_passes+0x387/0x870 fs/bcachefs/recovery_passes.c:232
bch2_fs_recovery+0x25cc/0x39c0 fs/bcachefs/recovery.c:862
bch2_fs_start+0x356/0x5b0 fs/bcachefs/super.c:1036
bch2_fs_get_tree+0xd68/0x1710 fs/bcachefs/fs.c:2174
vfs_get_tree+0x90/0x2b0 fs/super.c:1800
do_new_mount+0x2be/0xb40 fs/namespace.c:3507
do_mount fs/namespace.c:3847 [inline]
__do_sys_mount fs/namespace.c:4057 [inline]
__se_sys_mount+0x2d6/0x3c0 fs/namespace.c:4034
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f354cc85c3a
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 5e 04 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff33d28828 EFLAGS: 00000282 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007fff33d28840 RCX: 00007f354cc85c3a
RDX: 00000000200058c0 RSI: 0000000020005900 RDI: 00007fff33d28840
RBP: 0000000000000004 R08: 00007fff33d28880 R09: 0000000000005932
R10: 0000000000010000 R11: 0000000000000282 R12: 0000000000010000
R13: 00007fff33d28880 R14: 0000000000000003 R15: 0000000001000000
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:pack_state_finish fs/bcachefs/bkey.c:130 [inline]
RIP: 0010:bch2_bkey_pack_pos_lossy+0x1956/0x1990 fs/bcachefs/bkey.c:525
Code: fd 90 0f 0b e8 5b b8 83 fd 90 0f 0b e8 53 b8 83 fd 90 0f 0b e8 4b b8 83 fd 90 0f 0b e8 43 b8 83 fd 90 0f 0b e8 3b b8 83 fd 90 <0f> 0b e8 33 47 b5 07 e8 2e b8 83 fd 90 0f 0b e8 26 b8 83 fd 90 0f
RSP: 0018:ffffc90002c3dd20 EFLAGS: 00010293
RAX: ffffffff84111fa5 RBX: ffffc90802c3e0b8 RCX: ffff88801fa9a440
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90002c3df58 R08: ffffffff84110ea6 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: dffffc0000000000
R13: ffff8880408320c0 R14: 0000000000000000 R15: ffffc90002c3e0c0
FS: 0000555561411380(0000) GS:ffff88801fc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055cccf015d88 CR3: 0000000040a32000 CR4: 0000000000352ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
---
* [syzbot] [bcachefs?] kernel BUG in bch2_trans_node_iter_init
@ 2024-10-25 6:49 syzbot
2024-11-08 3:21 ` [syzbot] syzbot
0 siblings, 1 reply; 141+ messages in thread
From: syzbot @ 2024-10-25 6:49 UTC (permalink / raw)
To: kent.overstreet, linux-bcachefs, linux-kernel, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: c2ee9f594da8 KVM: selftests: Fix build on on non-x86 archi..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=109288a7980000
kernel config: https://syzkaller.appspot.com/x/.config?x=fc6f8ce8c5369043
dashboard link: https://syzkaller.appspot.com/bug?extid=b17df21b4d370f2dc330
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=178dd640580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=176b2a5f980000
Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7feb34a89c2a/non_bootable_disk-c2ee9f59.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/8a3541902b13/vmlinux-c2ee9f59.xz
kernel image: https://storage.googleapis.com/syzbot-assets/a00efacc2604/bzImage-c2ee9f59.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/c3f485acb30c/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+b17df21b4d370f2dc330@syzkaller.appspotmail.com
got: u64s 5 type deleted 0:8388608:0 len 0 ver 0
want: u64s 9 type backpointer 0:8388608:0 len 0 ver 0: bucket=0:32:0 btree=snapshots l=1 offset=0:0 len=256 pos=SPOS_MAX, fixing
------------[ cut here ]------------
kernel BUG at fs/bcachefs/btree_iter.c:2916!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 5092 Comm: syz-executor289 Not tainted 6.12.0-rc4-syzkaller-00047-gc2ee9f594da8 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:bch2_trans_node_iter_init+0x61d/0x630 fs/bcachefs/btree_iter.c:2916
Code: 89 d9 80 e1 07 fe c1 38 c1 0f 8c aa fd ff ff 48 89 df e8 46 5f e3 fd e9 9d fd ff ff e8 2c 9a 79 fd 90 0f 0b e8 24 9a 79 fd 90 <0f> 0b e8 1c 9a 79 fd 90 0f 0b e8 14 29 ab 07 0f 1f 40 00 90 90 90
RSP: 0018:ffffc9000b1e6020 EFLAGS: 00010293
RAX: ffffffff841b3dbc RBX: 0000000000000003 RCX: ffff88801ef8c880
RDX: 0000000000000000 RSI: 000000000000000b RDI: 0000000000000003
RBP: ffffc9000b1e6158 R08: ffffffff841b3b8b R09: ffffffffffffffff
R10: ffffffffffffffff R11: ffffffffffffffff R12: dffffc0000000000
R13: 000000000000000b R14: 0000000000000000 R15: 0000000000000000
FS: 0000555558106380(0000) GS:ffff88801fc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055d8cc97e028 CR3: 000000004113e000 CR4: 0000000000352ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
bch2_backpointer_get_node+0x2c6/0x880 fs/bcachefs/backpointers.c:358
bch2_backpointer_get_key+0x61c/0x970 fs/bcachefs/backpointers.c:335
check_bp_exists fs/bcachefs/backpointers.c:579 [inline]
check_extent_to_backpointers+0x21f9/0x46b0 fs/bcachefs/backpointers.c:683
check_btree_root_to_backpointers fs/bcachefs/backpointers.c:717 [inline]
bch2_check_extents_to_backpointers_pass fs/bcachefs/backpointers.c:868 [inline]
bch2_check_extents_to_backpointers+0xeb8/0x1bf0 fs/bcachefs/backpointers.c:932
bch2_run_recovery_pass+0xf0/0x1e0 fs/bcachefs/recovery_passes.c:185
bch2_run_recovery_passes+0x387/0x870 fs/bcachefs/recovery_passes.c:232
bch2_fs_recovery+0x25cc/0x39c0 fs/bcachefs/recovery.c:862
bch2_fs_start+0x356/0x5b0 fs/bcachefs/super.c:1036
bch2_fs_get_tree+0xd68/0x1710 fs/bcachefs/fs.c:2174
vfs_get_tree+0x90/0x2b0 fs/super.c:1800
do_new_mount+0x2be/0xb40 fs/namespace.c:3507
do_mount fs/namespace.c:3847 [inline]
__do_sys_mount fs/namespace.c:4057 [inline]
__se_sys_mount+0x2d6/0x3c0 fs/namespace.c:4034
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7ffaca565dba
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 5e 04 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffd941c4cb8 EFLAGS: 00000282 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007ffd941c4cd0 RCX: 00007ffaca565dba
RDX: 0000000020000040 RSI: 0000000020005900 RDI: 00007ffd941c4cd0
RBP: 0000000000000004 R08: 00007ffd941c4d10 R09: 002c647261637350
R10: 0000000000000000 R11: 0000000000000282 R12: 0000000000000000
R13: 00007ffd941c4d10 R14: 0000000000000003 R15: 0000000001000000
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:bch2_trans_node_iter_init+0x61d/0x630 fs/bcachefs/btree_iter.c:2916
Code: 89 d9 80 e1 07 fe c1 38 c1 0f 8c aa fd ff ff 48 89 df e8 46 5f e3 fd e9 9d fd ff ff e8 2c 9a 79 fd 90 0f 0b e8 24 9a 79 fd 90 <0f> 0b e8 1c 9a 79 fd 90 0f 0b e8 14 29 ab 07 0f 1f 40 00 90 90 90
RSP: 0018:ffffc9000b1e6020 EFLAGS: 00010293
RAX: ffffffff841b3dbc RBX: 0000000000000003 RCX: ffff88801ef8c880
RDX: 0000000000000000 RSI: 000000000000000b RDI: 0000000000000003
RBP: ffffc9000b1e6158 R08: ffffffff841b3b8b R09: ffffffffffffffff
R10: ffffffffffffffff R11: ffffffffffffffff R12: dffffc0000000000
R13: 000000000000000b R14: 0000000000000000 R15: 0000000000000000
FS: 0000555558106380(0000) GS:ffff88801fc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055d8cc97e028 CR3: 000000004113e000 CR4: 0000000000352ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
---
* [syzbot] [bcachefs?] kernel BUG in __bch2_bkey_cmp_packed_format_checked
@ 2024-10-25 6:49 syzbot
2024-11-08 0:34 ` [syzbot] syzbot
0 siblings, 1 reply; 141+ messages in thread
From: syzbot @ 2024-10-25 6:49 UTC (permalink / raw)
To: kent.overstreet, linux-bcachefs, linux-kernel, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 4e46774408d9 Merge tag 'for-6.12-rc4-tag' of git://git.ker..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=151d5e40580000
kernel config: https://syzkaller.appspot.com/x/.config?x=fc6f8ce8c5369043
dashboard link: https://syzkaller.appspot.com/bug?extid=8761afeaaf2249358b14
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1622a8a7980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12de3287980000
Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7feb34a89c2a/non_bootable_disk-4e467744.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/058a92aaf61a/vmlinux-4e467744.xz
kernel image: https://storage.googleapis.com/syzbot-assets/0b79757fbe5e/bzImage-4e467744.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/8081b555fd65/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+8761afeaaf2249358b14@syzkaller.appspotmail.com
fragmentation 134217728
bp_start 8
, fixing
done
bcachefs (loop0): check_inodes...
------------[ cut here ]------------
kernel BUG at fs/bcachefs/bkey_cmp.h:104!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 5092 Comm: syz-executor201 Not tainted 6.12.0-rc4-syzkaller-00085-g4e46774408d9 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:__bch2_bkey_cmp_packed_format_checked_inlined fs/bcachefs/bkey_cmp.h:103 [inline]
RIP: 0010:__bch2_bkey_cmp_packed_format_checked+0x7ef/0x800 fs/bcachefs/bkey.c:1021
Code: fd 90 0f 0b e8 02 8e 83 fd 90 0f 0b e8 fa 8d 83 fd 90 0f 0b e8 f2 8d 83 fd 90 0f 0b e8 ea 8d 83 fd 90 0f 0b e8 e2 8d 83 fd 90 <0f> 0b e8 5a 5c b5 07 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90
RSP: 0018:ffffc9000af8de20 EFLAGS: 00010293
RAX: ffffffff841149fe RBX: 1ffff920015f1bcc RCX: ffff888000898000
RDX: 0000000000000000 RSI: 00000000ffffffff RDI: 0000000000000001
RBP: ffffc9000af8df50 R08: ffffffff8411470b R09: 0000000000000000
R10: ffffc9000af8dec0 R11: fffff520015f1bda R12: dffffc0000000000
R13: ffffc9000af8dec0 R14: 0000000000000001 R15: 00000000ffffffff
FS: 0000555577522380(0000) GS:ffff88801fc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055b92594a008 CR3: 000000003e38e000 CR4: 0000000000352ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
bkey_cmp_p_or_unp fs/bcachefs/bset.h:291 [inline]
bkey_iter_cmp_p_or_unp fs/bcachefs/bset.h:400 [inline]
bch2_bset_search_linear fs/bcachefs/bset.c:1189 [inline]
bch2_btree_node_iter_init+0x234b/0x4280 fs/bcachefs/bset.c:1334
__btree_path_level_init fs/bcachefs/btree_iter.c:615 [inline]
bch2_btree_path_level_init+0x4d2/0x9f0 fs/bcachefs/btree_iter.c:635
btree_path_lock_root fs/bcachefs/btree_iter.c:769 [inline]
bch2_btree_path_traverse_one+0x10de/0x2940 fs/bcachefs/btree_iter.c:1170
bch2_btree_path_traverse fs/bcachefs/btree_iter.h:247 [inline]
bch2_btree_iter_peek_slot+0x84f/0x2550 fs/bcachefs/btree_iter.c:2616
__bch2_bkey_get_iter+0x10d/0x2a0 fs/bcachefs/btree_iter.h:575
dirent_get_by_pos fs/bcachefs/fsck.c:1173 [inline]
inode_get_dirent fs/bcachefs/fsck.c:1188 [inline]
check_inode_dirent_inode fs/bcachefs/fsck.c:1209 [inline]
check_inode fs/bcachefs/fsck.c:1312 [inline]
bch2_check_inodes+0x18f9/0x5080 fs/bcachefs/fsck.c:1466
bch2_run_recovery_pass+0xf0/0x1e0 fs/bcachefs/recovery_passes.c:185
bch2_run_recovery_passes+0x387/0x870 fs/bcachefs/recovery_passes.c:232
bch2_fs_recovery+0x25cc/0x39c0 fs/bcachefs/recovery.c:862
bch2_fs_start+0x356/0x5b0 fs/bcachefs/super.c:1036
bch2_fs_get_tree+0xd68/0x1710 fs/bcachefs/fs.c:2170
vfs_get_tree+0x90/0x2b0 fs/super.c:1800
do_new_mount+0x2be/0xb40 fs/namespace.c:3507
do_mount fs/namespace.c:3847 [inline]
__do_sys_mount fs/namespace.c:4057 [inline]
__se_sys_mount+0x2d6/0x3c0 fs/namespace.c:4034
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f9d0165ee2a
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 5e 04 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffc0ef30e48 EFLAGS: 00000282 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007ffc0ef30e60 RCX: 00007f9d0165ee2a
RDX: 0000000020000040 RSI: 0000000020000080 RDI: 00007ffc0ef30e60
RBP: 0000000000000004 R08: 00007ffc0ef30ea0 R09: 00000000000059c8
R10: 0000000002200006 R11: 0000000000000282 R12: 0000000002200006
R13: 00007ffc0ef30ea0 R14: 0000000000000003 R15: 0000000001000000
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__bch2_bkey_cmp_packed_format_checked_inlined fs/bcachefs/bkey_cmp.h:103 [inline]
RIP: 0010:__bch2_bkey_cmp_packed_format_checked+0x7ef/0x800 fs/bcachefs/bkey.c:1021
Code: fd 90 0f 0b e8 02 8e 83 fd 90 0f 0b e8 fa 8d 83 fd 90 0f 0b e8 f2 8d 83 fd 90 0f 0b e8 ea 8d 83 fd 90 0f 0b e8 e2 8d 83 fd 90 <0f> 0b e8 5a 5c b5 07 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90
RSP: 0018:ffffc9000af8de20 EFLAGS: 00010293
RAX: ffffffff841149fe RBX: 1ffff920015f1bcc RCX: ffff888000898000
RDX: 0000000000000000 RSI: 00000000ffffffff RDI: 0000000000000001
RBP: ffffc9000af8df50 R08: ffffffff8411470b R09: 0000000000000000
R10: ffffc9000af8dec0 R11: fffff520015f1bda R12: dffffc0000000000
R13: ffffc9000af8dec0 R14: 0000000000000001 R15: 00000000ffffffff
FS: 0000555577522380(0000) GS:ffff88801fc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055b92594a008 CR3: 000000003e38e000 CR4: 0000000000352ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
---
* [syzbot] [bcachefs?] general protection fault in bch2_btree_path_traverse_one
@ 2024-10-25 6:48 syzbot
2024-11-27 8:09 ` [syzbot] syzbot
0 siblings, 1 reply; 141+ messages in thread
From: syzbot @ 2024-10-25 6:48 UTC (permalink / raw)
To: kent.overstreet, linux-bcachefs, linux-kernel, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: c2ee9f594da8 KVM: selftests: Fix build on on non-x86 archi..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=126cd0a7980000
kernel config: https://syzkaller.appspot.com/x/.config?x=fc6f8ce8c5369043
dashboard link: https://syzkaller.appspot.com/bug?extid=e22007d6acb9c87c2362
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=166cd0a7980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15378287980000
Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7feb34a89c2a/non_bootable_disk-c2ee9f59.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/8a3541902b13/vmlinux-c2ee9f59.xz
kernel image: https://storage.googleapis.com/syzbot-assets/a00efacc2604/bzImage-c2ee9f59.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/1b5cb4a585a3/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+e22007d6acb9c87c2362@syzkaller.appspotmail.com
bcachefs (loop0): stripes_read... done
bcachefs (loop0): snapshots_read... done
bcachefs (loop0): check_allocations... done
bcachefs (loop0): going read-write
bcachefs (loop0): journal_replay...
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000013: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000098-0x000000000000009f]
CPU: 0 UID: 0 PID: 5090 Comm: syz-executor250 Not tainted 6.12.0-rc4-syzkaller-00047-gc2ee9f594da8 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:btree_path_lock_root fs/bcachefs/btree_iter.c:732 [inline]
RIP: 0010:bch2_btree_path_traverse_one+0x94a/0x2940 fs/bcachefs/btree_iter.c:1170
Code: 89 44 24 60 42 80 3c 20 00 74 08 4c 89 ef e8 cd ea e5 fd 49 8b 45 00 48 89 44 24 48 48 8d 90 98 00 00 00 48 89 d0 48 c1 e8 03 <42> 0f b6 04 20 84 c0 48 89 94 24 80 00 00 00 0f 85 ee 10 00 00 4c
RSP: 0018:ffffc9000aebcf40 EFLAGS: 00010202
RAX: 0000000000000013 RBX: 0000000000000000 RCX: ffff8880008da440
RDX: 0000000000000098 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc9000aebd230 R08: ffffffff8418b260 R09: ffffffff841892d9
R10: 0000000000000002 R11: ffff8880008da440 R12: dffffc0000000000
R13: ffff888041d014d8 R14: ffff888040254408 R15: 000000000000110b
FS: 0000555564217380(0000) GS:ffff88801fc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005564fb1350d0 CR3: 0000000040b92000 CR4: 0000000000352ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
bch2_btree_path_traverse fs/bcachefs/btree_iter.h:247 [inline]
__bch2_btree_iter_peek fs/bcachefs/btree_iter.c:2197 [inline]
bch2_btree_iter_peek_upto+0xb58/0x70e0 fs/bcachefs/btree_iter.c:2297
bch2_btree_iter_peek_upto_type fs/bcachefs/btree_iter.h:685 [inline]
bch2_bucket_alloc_freelist fs/bcachefs/alloc_foreground.c:491 [inline]
bch2_bucket_alloc_trans+0x1122/0x3a50 fs/bcachefs/alloc_foreground.c:644
bch2_bucket_alloc_set_trans+0x517/0xd30 fs/bcachefs/alloc_foreground.c:804
__open_bucket_add_buckets+0x10dc/0x1b60 fs/bcachefs/alloc_foreground.c:1049
open_bucket_add_buckets+0x33a/0x410 fs/bcachefs/alloc_foreground.c:1093
bch2_alloc_sectors_start_trans+0xce9/0x2030
__bch2_btree_node_alloc fs/bcachefs/btree_update_interior.c:343 [inline]
bch2_btree_reserve_get+0x612/0x1890 fs/bcachefs/btree_update_interior.c:554
bch2_btree_update_start+0xe56/0x14e0 fs/bcachefs/btree_update_interior.c:1252
bch2_btree_split_leaf+0x123/0x840 fs/bcachefs/btree_update_interior.c:1850
bch2_trans_commit_error+0x212/0x1390 fs/bcachefs/btree_trans_commit.c:942
__bch2_trans_commit+0x7ead/0x93c0 fs/bcachefs/btree_trans_commit.c:1140
bch2_trans_commit fs/bcachefs/btree_update.h:184 [inline]
bch2_journal_replay+0x1a3a/0x2a40 fs/bcachefs/recovery.c:318
bch2_run_recovery_pass+0xf0/0x1e0 fs/bcachefs/recovery_passes.c:185
bch2_run_recovery_passes+0x387/0x870 fs/bcachefs/recovery_passes.c:232
bch2_fs_recovery+0x25cc/0x39c0 fs/bcachefs/recovery.c:862
bch2_fs_start+0x356/0x5b0 fs/bcachefs/super.c:1036
bch2_fs_get_tree+0xd68/0x1710 fs/bcachefs/fs.c:2174
vfs_get_tree+0x90/0x2b0 fs/super.c:1800
do_new_mount+0x2be/0xb40 fs/namespace.c:3507
do_mount fs/namespace.c:3847 [inline]
__do_sys_mount fs/namespace.c:4057 [inline]
__se_sys_mount+0x2d6/0x3c0 fs/namespace.c:4034
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f4a8f435cba
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 5e 04 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffc0b30fb48 EFLAGS: 00000282 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007ffc0b30fb60 RCX: 00007f4a8f435cba
RDX: 00000000200058c0 RSI: 0000000020005900 RDI: 00007ffc0b30fb60
RBP: 0000000000000004 R08: 00007ffc0b30fba0 R09: 00000000000058dd
R10: 0000000000010000 R11: 0000000000000282 R12: 0000000000010000
R13: 00007ffc0b30fba0 R14: 0000000000000003 R15: 0000000001000000
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
0: 89 44 24 60 mov %eax,0x60(%rsp)
4: 42 80 3c 20 00 cmpb $0x0,(%rax,%r12,1)
9: 74 08 je 0x13
b: 4c 89 ef mov %r13,%rdi
e: e8 cd ea e5 fd call 0xfde5eae0
13: 49 8b 45 00 mov 0x0(%r13),%rax
17: 48 89 44 24 48 mov %rax,0x48(%rsp)
1c: 48 8d 90 98 00 00 00 lea 0x98(%rax),%rdx
23: 48 89 d0 mov %rdx,%rax
26: 48 c1 e8 03 shr $0x3,%rax
* 2a: 42 0f b6 04 20 movzbl (%rax,%r12,1),%eax <-- trapping instruction
2f: 84 c0 test %al,%al
31: 48 89 94 24 80 00 00 mov %rdx,0x80(%rsp)
38: 00
39: 0f 85 ee 10 00 00 jne 0x112d
3f: 4c rex.WR
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
* [syzbot] [bcachefs?] kernel BUG in bch2_journal_res_get (2)
@ 2024-10-25 6:48 syzbot
2024-11-08 3:28 ` [syzbot] syzbot
0 siblings, 1 reply; 141+ messages in thread
From: syzbot @ 2024-10-25 6:48 UTC (permalink / raw)
To: kent.overstreet, linux-bcachefs, linux-kernel, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 526116b79e8c KVM: arm64: Shave a few bytes from the EL2 id..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=17e78c30580000
kernel config: https://syzkaller.appspot.com/x/.config?x=e39b0b4b1ace5bc0
dashboard link: https://syzkaller.appspot.com/bug?extid=859300e61790263514a3
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=164488a7980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17052a5f980000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/2f7b2b08fdad/disk-526116b7.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/b69595b63015/vmlinux-526116b7.xz
kernel image: https://storage.googleapis.com/syzbot-assets/39fd415ada60/Image-526116b7.gz.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/bc1232192aa1/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+859300e61790263514a3@syzkaller.appspotmail.com
bcachefs (loop0): bch2_write_super(): fatal error loop0: Superblock write was silently dropped! (seq 0 expected 53)
bcachefs (loop0): fatal error - emergency read only
------------[ cut here ]------------
kernel BUG at fs/bcachefs/journal.h:375!
Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 UID: 0 PID: 11 Comm: kworker/u8:0 Not tainted 6.12.0-rc4-syzkaller-g526116b79e8c #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: btree_update btree_interior_update_work
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : bch2_journal_res_get+0x6fc/0x710 fs/bcachefs/journal.h:375
lr : bch2_journal_res_get+0x6fc/0x710 fs/bcachefs/journal.h:375
sp : ffff8000978b7560
x29: ffff8000978b7650 x28: 000000000000000e x27: ffff0000e0aca500
x26: 1fffe0001b9a901a x25: dfff800000000000 x24: 1ffff00012f16ebc
x23: 0000000000000044 x22: ffff8000978b75e0 x21: ffff0000e0aca500
x20: 0000000000000004 x19: ffff0000dcd480d0 x18: ffff8000978b6740
x17: 0000000000000000 x16: ffff80008b3d3d08 x15: ffff700012f16e9c
x14: 1ffff00012f16e9c x13: 0000000000000004 x12: ffffffffffffffff
x11: ffff700012f16e9c x10: 0000000000ff0100 x9 : 0000000000000000
x8 : ffff0000c19dbc80 x7 : 0000000000000000 x6 : 0000000000000105
x5 : ffff8000978b7308 x4 : 0000000000000000 x3 : 000000000000000e
x2 : 0000000000000044 x1 : 0000000000000000 x0 : 0000000000000000
Call trace:
bch2_journal_res_get+0x6fc/0x710 fs/bcachefs/journal.h:375 (P)
bch2_journal_res_get+0x6fc/0x710 fs/bcachefs/journal.h:375 (L)
bch2_trans_journal_res_get fs/bcachefs/btree_trans_commit.c:350 [inline]
bch2_trans_commit_write_locked fs/bcachefs/btree_trans_commit.c:668 [inline]
do_bch2_trans_commit fs/bcachefs/btree_trans_commit.c:900 [inline]
__bch2_trans_commit+0x2a00/0x6604 fs/bcachefs/btree_trans_commit.c:1121
bch2_trans_commit fs/bcachefs/btree_update.h:184 [inline]
btree_update_nodes_written fs/bcachefs/btree_update_interior.c:728 [inline]
btree_interior_update_work+0xd40/0x1e00 fs/bcachefs/btree_update_interior.c:866
process_one_work+0x7bc/0x1600 kernel/workqueue.c:3229
process_scheduled_works kernel/workqueue.c:3310 [inline]
worker_thread+0x97c/0xeec kernel/workqueue.c:3391
kthread+0x288/0x310 kernel/kthread.c:389
ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:862
Code: 955b1ed6 97749ac7 d4210000 97749ac5 (d4210000)
---[ end trace 0000000000000000 ]---
* [syzbot] [bcachefs?] kernel BUG in bch2_run_recovery_pass
@ 2024-10-24 17:47 syzbot
2024-11-11 4:31 ` [syzbot] syzbot
0 siblings, 1 reply; 141+ messages in thread
From: syzbot @ 2024-10-24 17:47 UTC (permalink / raw)
To: kent.overstreet, linux-bcachefs, linux-kernel, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 715ca9dd687f Merge tag 'io_uring-6.12-20241019' of git://g..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15afa0a7980000
kernel config: https://syzkaller.appspot.com/x/.config?x=16e543edc81a3008
dashboard link: https://syzkaller.appspot.com/bug?extid=a27c3aaa3640dd3e1dfb
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16a8ec87980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14b7425f980000
Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7feb34a89c2a/non_bootable_disk-715ca9dd.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/ba436e2363b6/vmlinux-715ca9dd.xz
kernel image: https://storage.googleapis.com/syzbot-assets/3ac78a7a1a30/bzImage-715ca9dd.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/44b65c0cea47/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+a27c3aaa3640dd3e1dfb@syzkaller.appspotmail.com
bcachefs (loop0): check_lrus... done
bcachefs (loop0): check_btree_backpointers... done
bcachefs (loop0): check_backpointers_to_extents...
------------[ cut here ]------------
kernel BUG at fs/bcachefs/bkey_types.h:210!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 5098 Comm: syz-executor177 Not tainted 6.12.0-rc3-syzkaller-00420-g715ca9dd687f #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:bkey_s_c_to_backpointer fs/bcachefs/bkey_types.h:210 [inline]
RIP: 0010:bch2_check_backpointers_to_extents_pass fs/bcachefs/backpointers.c:1003 [inline]
RIP: 0010:bch2_check_backpointers_to_extents+0x240a/0x2430 fs/bcachefs/backpointers.c:1049
Code: 48 8b 4c 24 38 80 e1 07 38 c1 0f 8c b7 dd ff ff be 18 00 00 00 48 8b 7c 24 38 e8 11 7e ee fd e9 a3 dd ff ff e8 27 b8 84 fd 90 <0f> 0b e8 1f b8 84 fd 90 0f 0b e8 f7 56 b6 07 e8 12 b8 84 fd 90 0f
RSP: 0018:ffffc90002d9ed80 EFLAGS: 00010293
RAX: ffffffff84102fd9 RBX: ffff888041da01d0 RCX: ffff8880003e2440
RDX: 0000000000000000 RSI: 0000000000000003 RDI: 000000000000001c
RBP: ffffc90002d9f488 R08: ffffffff84101b4e R09: 0000000000000000
R10: ffffc90002d9e780 R11: fffff520005b3cfd R12: 0000000000000003
R13: ffffc90002d9f280 R14: dffffc0000000000 R15: ffff8880401a8000
FS: 000055556e26c380(0000) GS:ffff88801fc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffda68deef8 CR3: 000000004091a000 CR4: 0000000000352ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
bch2_run_recovery_pass+0xf0/0x1e0 fs/bcachefs/recovery_passes.c:185
bch2_run_recovery_passes+0x387/0x870 fs/bcachefs/recovery_passes.c:232
bch2_fs_recovery+0x25cc/0x39c0 fs/bcachefs/recovery.c:862
bch2_fs_start+0x356/0x5b0 fs/bcachefs/super.c:1036
bch2_fs_get_tree+0xd68/0x1710 fs/bcachefs/fs.c:2174
vfs_get_tree+0x90/0x2b0 fs/super.c:1800
do_new_mount+0x2be/0xb40 fs/namespace.c:3507
do_mount fs/namespace.c:3847 [inline]
__do_sys_mount fs/namespace.c:4055 [inline]
__se_sys_mount+0x2d6/0x3c0 fs/namespace.c:4032
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f1f62c028fa
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 5e 04 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffe477ec068 EFLAGS: 00000282 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007ffe477ec080 RCX: 00007f1f62c028fa
RDX: 00000000200058c0 RSI: 0000000020001040 RDI: 00007ffe477ec080
RBP: 0000000000000004 R08: 00007ffe477ec0c0 R09: 002c647261637350
R10: 0000000000000000 R11: 0000000000000282 R12: 0000000000000000
R13: 00007ffe477ec0c0 R14: 0000000000000003 R15: 0000000001000000
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
* [syzbot] [bcachefs?] possible deadlock in __bch2_trans_relock
@ 2024-10-23 18:30 syzbot
2024-11-28 23:06 ` [syzbot] syzbot
0 siblings, 1 reply; 141+ messages in thread
From: syzbot @ 2024-10-23 18:30 UTC (permalink / raw)
To: kent.overstreet, linux-bcachefs, linux-kernel, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 3d5ad2d4eca3 Merge tag 'bpf-fixes' of git://git.kernel.org..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16b13240580000
kernel config: https://syzkaller.appspot.com/x/.config?x=cfbd94c114a3d407
dashboard link: https://syzkaller.appspot.com/bug?extid=e088be3c2d5c05aaac35
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12f9f487980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11b13240580000
Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7feb34a89c2a/non_bootable_disk-3d5ad2d4.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/fa98c9bf74f4/vmlinux-3d5ad2d4.xz
kernel image: https://storage.googleapis.com/syzbot-assets/029d128be142/bzImage-3d5ad2d4.xz
mounted in repro #1: https://storage.googleapis.com/syzbot-assets/1c3229c22f75/mount_0.gz
mounted in repro #2: https://storage.googleapis.com/syzbot-assets/4506ace47d8b/mount_10.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+e088be3c2d5c05aaac35@syzkaller.appspotmail.com
======================================================
WARNING: possible circular locking dependency detected
6.12.0-rc3-syzkaller-00389-g3d5ad2d4eca3 #0 Not tainted
------------------------------------------------------
syz-executor733/5115 is trying to acquire lock:
ffff888038550128 (bcachefs_btree){+.+.}-{0:0}, at: trans_set_locked fs/bcachefs/btree_locking.h:194 [inline]
ffff888038550128 (bcachefs_btree){+.+.}-{0:0}, at: __bch2_trans_relock+0x382/0x5f0 fs/bcachefs/btree_locking.c:785
but task is already holding lock:
ffff8880424e1548 (&c->fsck_error_msgs_lock){+.+.}-{3:3}, at: __bch2_fsck_err+0x3dc/0x15f0 fs/bcachefs/error.c:279
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #1 (&c->fsck_error_msgs_lock){+.+.}-{3:3}:
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5825
__mutex_lock_common kernel/locking/mutex.c:608 [inline]
__mutex_lock+0x136/0xd70 kernel/locking/mutex.c:752
__bch2_fsck_err+0x3dc/0x15f0 fs/bcachefs/error.c:279
bch2_check_alloc_hole_freespace+0x816/0x1180 fs/bcachefs/alloc_background.c:1278
bch2_check_alloc_info+0x20f8/0x5330 fs/bcachefs/alloc_background.c:1547
bch2_run_recovery_pass+0xf0/0x1e0 fs/bcachefs/recovery_passes.c:185
bch2_run_online_recovery_passes+0x85/0x150 fs/bcachefs/recovery_passes.c:206
bch2_fsck_online_thread_fn+0x1da/0x410 fs/bcachefs/chardev.c:798
thread_with_stdio_fn+0x5f/0x130 fs/bcachefs/thread_with_file.c:298
kthread+0x2f0/0x390 kernel/kthread.c:389
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
-> #0 (bcachefs_btree){+.+.}-{0:0}:
check_prev_add kernel/locking/lockdep.c:3161 [inline]
check_prevs_add kernel/locking/lockdep.c:3280 [inline]
validate_chain+0x18ef/0x5920 kernel/locking/lockdep.c:3904
__lock_acquire+0x1384/0x2050 kernel/locking/lockdep.c:5202
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5825
trans_set_locked fs/bcachefs/btree_locking.h:194 [inline]
__bch2_trans_relock+0x397/0x5f0 fs/bcachefs/btree_locking.c:785
__bch2_fsck_err+0x131d/0x15f0 fs/bcachefs/error.c:360
bch2_check_alloc_hole_freespace+0x816/0x1180 fs/bcachefs/alloc_background.c:1278
bch2_check_alloc_info+0x20f8/0x5330 fs/bcachefs/alloc_background.c:1547
bch2_run_recovery_pass+0xf0/0x1e0 fs/bcachefs/recovery_passes.c:185
bch2_run_online_recovery_passes+0x85/0x150 fs/bcachefs/recovery_passes.c:206
bch2_fsck_online_thread_fn+0x1da/0x410 fs/bcachefs/chardev.c:798
thread_with_stdio_fn+0x5f/0x130 fs/bcachefs/thread_with_file.c:298
kthread+0x2f0/0x390 kernel/kthread.c:389
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
other info that might help us debug this:
Possible unsafe locking scenario:
       CPU0                    CPU1
       ----                    ----
  lock(&c->fsck_error_msgs_lock);
                               lock(bcachefs_btree);
                               lock(&c->fsck_error_msgs_lock);
  lock(bcachefs_btree);
*** DEADLOCK ***
3 locks held by syz-executor733/5115:
#0: ffff888042480278 (&c->state_lock){++++}-{3:3}, at: bch2_run_online_recovery_passes+0x32/0x150 fs/bcachefs/recovery_passes.c:198
#1: ffff888042484398 (&c->btree_trans_barrier){.+.+}-{0:0}, at: srcu_lock_acquire include/linux/srcu.h:151 [inline]
#1: ffff888042484398 (&c->btree_trans_barrier){.+.+}-{0:0}, at: srcu_read_lock include/linux/srcu.h:250 [inline]
#1: ffff888042484398 (&c->btree_trans_barrier){.+.+}-{0:0}, at: __bch2_trans_get+0x7de/0xd20 fs/bcachefs/btree_iter.c:3215
#2: ffff8880424e1548 (&c->fsck_error_msgs_lock){+.+.}-{3:3}, at: __bch2_fsck_err+0x3dc/0x15f0 fs/bcachefs/error.c:279
stack backtrace:
CPU: 0 UID: 0 PID: 5115 Comm: syz-executor733 Not tainted 6.12.0-rc3-syzkaller-00389-g3d5ad2d4eca3 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_circular_bug+0x13a/0x1b0 kernel/locking/lockdep.c:2074
check_noncircular+0x36a/0x4a0 kernel/locking/lockdep.c:2206
check_prev_add kernel/locking/lockdep.c:3161 [inline]
check_prevs_add kernel/locking/lockdep.c:3280 [inline]
validate_chain+0x18ef/0x5920 kernel/locking/lockdep.c:3904
__lock_acquire+0x1384/0x2050 kernel/locking/lockdep.c:5202
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5825
trans_set_locked fs/bcachefs/btree_locking.h:194 [inline]
__bch2_trans_relock+0x397/0x5f0 fs/bcachefs/btree_locking.c:785
__bch2_fsck_err+0x131d/0x15f0 fs/bcachefs/error.c:360
bch2_check_alloc_hole_freespace+0x816/0x1180 fs/bcachefs/alloc_background.c:1278
bch2_check_alloc_info+0x20f8/0x5330 fs/bcachefs/alloc_background.c:1547
bch2_run_recovery_pass+0xf0/0x1e0 fs/bcachefs/recovery_passes.c:185
bch2_run_online_recovery_passes+0x85/0x150 fs/bcachefs/recovery_passes.c:206
bch2_fsck_online_thread_fn+0x1da/0x410 fs/bcachefs/chardev.c:798
thread_with_stdio_fn+0x5f/0x130 fs/bcachefs/thread_with_file.c:298
kthread+0x2f0/0x390 kernel/kthread.c:389
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
syz-executor733 (5115) used greatest stack depth: 11824 bytes left
* [syzbot] [bcachefs?] UBSAN: shift-out-of-bounds in validate_sb_layout
@ 2024-10-23 14:27 syzbot
2024-10-26 0:49 ` [syzbot] syzbot
0 siblings, 1 reply; 141+ messages in thread
From: syzbot @ 2024-10-23 14:27 UTC (permalink / raw)
To: kent.overstreet, linux-bcachefs, linux-kernel, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: c2ee9f594da8 KVM: selftests: Fix build on on non-x86 archi..
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=16acc287980000
kernel config: https://syzkaller.appspot.com/x/.config?x=41330fd2db03893d
dashboard link: https://syzkaller.appspot.com/bug?extid=089fad5a3a5e77825426
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=109dd640580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14f288a7980000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/d116f71ad0eb/disk-c2ee9f59.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/bdd6f545b105/vmlinux-c2ee9f59.xz
kernel image: https://storage.googleapis.com/syzbot-assets/0d26b05e3d7c/bzImage-c2ee9f59.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/b13b1120386a/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+089fad5a3a5e77825426@syzkaller.appspotmail.com
loop0: detected capacity change from 0 to 32768
------------[ cut here ]------------
UBSAN: shift-out-of-bounds in fs/bcachefs/super-io.c:290:18
shift exponent 255 is too large for 32-bit type 'int'
CPU: 0 UID: 0 PID: 5220 Comm: syz-executor166 Not tainted 6.12.0-rc4-syzkaller-00047-gc2ee9f594da8 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
ubsan_epilogue lib/ubsan.c:231 [inline]
__ubsan_handle_shift_out_of_bounds+0x3c8/0x420 lib/ubsan.c:468
validate_sb_layout+0xafa/0xb10 fs/bcachefs/super-io.c:290
bch2_sb_validate+0x8e4/0xf70 fs/bcachefs/super-io.c:442
__bch2_read_super+0xc24/0x1380 fs/bcachefs/super-io.c:832
bch2_fs_open+0x270/0x2f80 fs/bcachefs/super.c:2032
bch2_fs_get_tree+0x738/0x1710 fs/bcachefs/fs.c:2161
vfs_get_tree+0x90/0x2b0 fs/super.c:1800
do_new_mount+0x2be/0xb40 fs/namespace.c:3507
do_mount fs/namespace.c:3847 [inline]
__do_sys_mount fs/namespace.c:4057 [inline]
__se_sys_mount+0x2d6/0x3c0 fs/namespace.c:4034
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f55733ccb7a
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 5e 04 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff5b40e1e8 EFLAGS: 00000282 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007fff5b40e1f0 RCX: 00007f55733ccb7a
RDX: 00000000200058c0 RSI: 0000000020005900 RDI: 00007fff5b40e1f0
RBP: 0000000000000004 R08: 00007fff5b40e230 R09: 000000000000594e
R10: 0000000000014001 R11: 0000000000000282 R12: 00007fff5b40e230
R13: 0000000000000003 R14: 0000000001000000 R15: 0000000000000001
</TASK>
---[ end trace ]---
* [syzbot] [bcachefs?] kernel BUG in bch2_btree_path_level_init (2)
@ 2024-10-23 11:21 syzbot
2024-11-11 3:14 ` [syzbot] syzbot
0 siblings, 1 reply; 141+ messages in thread
From: syzbot @ 2024-10-23 11:21 UTC (permalink / raw)
To: kent.overstreet, linux-bcachefs, linux-kernel, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: b04ae0f45168 Merge tag 'v6.12-rc3-smb3-client-fixes' of gi..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15ff7c5f980000
kernel config: https://syzkaller.appspot.com/x/.config?x=cfbd94c114a3d407
dashboard link: https://syzkaller.appspot.com/bug?extid=eff0acb9087ee995577a
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11ded240580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16d04430580000
Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7feb34a89c2a/non_bootable_disk-b04ae0f4.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/3e40a4ec7885/vmlinux-b04ae0f4.xz
kernel image: https://storage.googleapis.com/syzbot-assets/9312d8ec05d3/bzImage-b04ae0f4.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/237d810e5baf/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+eff0acb9087ee995577a@syzkaller.appspotmail.com
bucket 0:29 data type btree ptr gen 0 missing in alloc btree
while marking u64s 11 type btree_ptr_v2 SPOS_MAX len 0 ver 0: seq e81e1ed936acf3df written 32 min_key POS_MIN durability: 1 ptr: 0:29:0 gen 0, fixing
------------[ cut here ]------------
kernel BUG at fs/bcachefs/btree_iter.c:631!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 5089 Comm: syz-executor300 Not tainted 6.12.0-rc3-syzkaller-00319-gb04ae0f45168 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:bch2_btree_path_level_init+0x9ca/0x9f0 fs/bcachefs/btree_iter.c:631
Code: f5 fa ff ff e8 a7 73 7c fd 90 0f 0b e8 9f 73 7c fd 90 0f 0b e8 97 73 7c fd 90 0f 0b e8 8f 73 7c fd 90 0f 0b e8 87 73 7c fd 90 <0f> 0b e8 7f 73 7c fd 90 0f 0b e8 77 73 7c fd 90 0f 0b e8 6f 73 7c
RSP: 0018:ffffc9000ae2e200 EFLAGS: 00010293
RAX: ffffffff84187479 RBX: 0000000000000000 RCX: ffff88801cca8000
RDX: 0000000000000000 RSI: 0000000001000000 RDI: 0000000000000000
RBP: dffffc0000000000 R08: ffffffff84186ccc R09: 0000000000000000
R10: dffffc0000000000 R11: fffffbfff203a006 R12: ffff88803d76a000
R13: 0000000000000000 R14: 0000000000000000 R15: ffff888048b60033
FS: 000055555b46c380(0000) GS:ffff88801fc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055f38bec7120 CR3: 0000000040558000 CR4: 0000000000352ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
btree_path_lock_root fs/bcachefs/btree_iter.c:769 [inline]
bch2_btree_path_traverse_one+0x10de/0x2940 fs/bcachefs/btree_iter.c:1170
bch2_btree_path_traverse fs/bcachefs/btree_iter.h:247 [inline]
__bch2_btree_iter_peek fs/bcachefs/btree_iter.c:2197 [inline]
bch2_btree_iter_peek_upto+0xb58/0x70e0 fs/bcachefs/btree_iter.c:2297
bch2_btree_iter_peek_upto_type fs/bcachefs/btree_iter.h:685 [inline]
bch2_gc_btree fs/bcachefs/btree_gc.c:670 [inline]
bch2_gc_btrees fs/bcachefs/btree_gc.c:729 [inline]
bch2_check_allocations+0x1a8b/0x6e80 fs/bcachefs/btree_gc.c:1123
bch2_run_recovery_pass+0xf0/0x1e0 fs/bcachefs/recovery_passes.c:185
bch2_run_recovery_passes+0x387/0x870 fs/bcachefs/recovery_passes.c:232
bch2_fs_recovery+0x25cc/0x39c0 fs/bcachefs/recovery.c:862
bch2_fs_start+0x356/0x5b0 fs/bcachefs/super.c:1036
bch2_fs_get_tree+0xd68/0x1710 fs/bcachefs/fs.c:2174
vfs_get_tree+0x90/0x2b0 fs/super.c:1800
do_new_mount+0x2be/0xb40 fs/namespace.c:3507
do_mount fs/namespace.c:3847 [inline]
__do_sys_mount fs/namespace.c:4055 [inline]
__se_sys_mount+0x2d6/0x3c0 fs/namespace.c:4032
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f6a8cd1b93a
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 5e 04 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fffa2315728 EFLAGS: 00000282 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007fffa2315740 RCX: 00007f6a8cd1b93a
RDX: 0000000020000080 RSI: 0000000020000000 RDI: 00007fffa2315740
RBP: 0000000000000004 R08: 00007fffa2315780 R09: 0027e461d5230a6f
R10: 0000000000000844 R11: 0000000000000282 R12: 0000000000000844
R13: 00007fffa2315780 R14: 0000000000000003 R15: 0000000001000000
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:bch2_btree_path_level_init+0x9ca/0x9f0 fs/bcachefs/btree_iter.c:631
Code: f5 fa ff ff e8 a7 73 7c fd 90 0f 0b e8 9f 73 7c fd 90 0f 0b e8 97 73 7c fd 90 0f 0b e8 8f 73 7c fd 90 0f 0b e8 87 73 7c fd 90 <0f> 0b e8 7f 73 7c fd 90 0f 0b e8 77 73 7c fd 90 0f 0b e8 6f 73 7c
RSP: 0018:ffffc9000ae2e200 EFLAGS: 00010293
RAX: ffffffff84187479 RBX: 0000000000000000 RCX: ffff88801cca8000
RDX: 0000000000000000 RSI: 0000000001000000 RDI: 0000000000000000
RBP: dffffc0000000000 R08: ffffffff84186ccc R09: 0000000000000000
R10: dffffc0000000000 R11: fffffbfff203a006 R12: ffff88803d76a000
R13: 0000000000000000 R14: 0000000000000000 R15: ffff888048b60033
FS: 000055555b46c380(0000) GS:ffff88801fc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005654e5f57008 CR3: 0000000040558000 CR4: 0000000000352ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
* [syzbot] [bcachefs?] kernel BUG in bch2_ptr_swab
@ 2024-10-23 4:12 syzbot
2024-11-11 21:16 ` [syzbot] syzbot
From: syzbot @ 2024-10-23 4:12 UTC (permalink / raw)
To: kent.overstreet, linux-bcachefs, linux-kernel, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: b04ae0f45168 Merge tag 'v6.12-rc3-smb3-client-fixes' of gi..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14bfbc5f980000
kernel config: https://syzkaller.appspot.com/x/.config?x=cfbd94c114a3d407
dashboard link: https://syzkaller.appspot.com/bug?extid=4f29c3f12f864d8a8d17
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11241f27980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12bfbc5f980000
Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7feb34a89c2a/non_bootable_disk-b04ae0f4.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/3e40a4ec7885/vmlinux-b04ae0f4.xz
kernel image: https://storage.googleapis.com/syzbot-assets/9312d8ec05d3/bzImage-b04ae0f4.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/4ecaa2a54f31/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+4f29c3f12f864d8a8d17@syzkaller.appspotmail.com
------------[ cut here ]------------
kernel BUG at fs/bcachefs/extents.h:62!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 5090 Comm: syz-executor228 Not tainted 6.12.0-rc3-syzkaller-00319-gb04ae0f45168 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:extent_entry_type fs/bcachefs/extents.h:62 [inline]
RIP: 0010:bch2_ptr_swab+0x4f6/0x510 fs/bcachefs/extents.c:1313
Code: 60 60 cf fd e9 ae fb ff ff 44 89 f1 80 e1 07 38 c1 0f 8c 5f fc ff ff 4c 89 f7 e8 45 60 cf fd e9 52 fc ff ff e8 db aa 65 fd 90 <0f> 0b e8 d3 aa 65 fd 90 0f 0b e8 cb aa 65 fd 90 0f 0b 0f 1f 84 00
RSP: 0018:ffffc9000aee64a0 EFLAGS: 00010293
RAX: ffffffff842f3d25 RBX: 0000000000000024 RCX: ffff888000d22440
RDX: 0000000000000000 RSI: 0000000000000024 RDI: 0000000000000005
RBP: 1e0e005000000000 R08: ffffffff842f3a13 R09: ffffffff842f387e
R10: 0000000000000005 R11: ffff888000d22440 R12: dffffc0000000000
R13: ffff888047881050 R14: ffff888047881060 R15: 1ffff11008f1020a
FS: 000055557cc8e380(0000) GS:ffff88801fc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055b528cde220 CR3: 000000004105a000 CR4: 0000000000352ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
bch2_bkey_swab_val fs/bcachefs/bkey_methods.c:323 [inline]
__bch2_bkey_compat+0x4a2/0xfe0 fs/bcachefs/bkey_methods.c:469
bch2_bkey_compat fs/bcachefs/bkey_methods.h:133 [inline]
validate_bset_keys+0x617/0x1610 fs/bcachefs/btree_io.c:908
bch2_btree_node_read_done+0x2402/0x5e90 fs/bcachefs/btree_io.c:1134
btree_node_read_work+0x68b/0x1260 fs/bcachefs/btree_io.c:1327
bch2_btree_node_read+0x2433/0x2a10
__bch2_btree_root_read fs/bcachefs/btree_io.c:1753 [inline]
bch2_btree_root_read+0x617/0x7a0 fs/bcachefs/btree_io.c:1775
read_btree_roots+0x296/0x840 fs/bcachefs/recovery.c:524
bch2_fs_recovery+0x2585/0x39c0 fs/bcachefs/recovery.c:854
bch2_fs_start+0x356/0x5b0 fs/bcachefs/super.c:1036
bch2_fs_get_tree+0xd68/0x1710 fs/bcachefs/fs.c:2174
vfs_get_tree+0x90/0x2b0 fs/super.c:1800
do_new_mount+0x2be/0xb40 fs/namespace.c:3507
do_mount fs/namespace.c:3847 [inline]
__do_sys_mount fs/namespace.c:4055 [inline]
__se_sys_mount+0x2d6/0x3c0 fs/namespace.c:4032
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7ff1b36c0b7a
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 5e 04 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffc62e862b8 EFLAGS: 00000282 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007ffc62e862d0 RCX: 00007ff1b36c0b7a
RDX: 0000000020000000 RSI: 0000000020005900 RDI: 00007ffc62e862d0
RBP: 0000000000000004 R08: 00007ffc62e86310 R09: 000000000000590d
R10: 0000000000010000 R11: 0000000000000282 R12: 0000000000010000
R13: 00007ffc62e86310 R14: 0000000000000003 R15: 0000000001000000
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:extent_entry_type fs/bcachefs/extents.h:62 [inline]
RIP: 0010:bch2_ptr_swab+0x4f6/0x510 fs/bcachefs/extents.c:1313
Code: 60 60 cf fd e9 ae fb ff ff 44 89 f1 80 e1 07 38 c1 0f 8c 5f fc ff ff 4c 89 f7 e8 45 60 cf fd e9 52 fc ff ff e8 db aa 65 fd 90 <0f> 0b e8 d3 aa 65 fd 90 0f 0b e8 cb aa 65 fd 90 0f 0b 0f 1f 84 00
RSP: 0018:ffffc9000aee64a0 EFLAGS: 00010293
RAX: ffffffff842f3d25 RBX: 0000000000000024 RCX: ffff888000d22440
RDX: 0000000000000000 RSI: 0000000000000024 RDI: 0000000000000005
RBP: 1e0e005000000000 R08: ffffffff842f3a13 R09: ffffffff842f387e
R10: 0000000000000005 R11: ffff888000d22440 R12: dffffc0000000000
R13: ffff888047881050 R14: ffff888047881060 R15: 1ffff11008f1020a
FS: 000055557cc8e380(0000) GS:ffff88801fc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055b528cde220 CR3: 000000004105a000 CR4: 0000000000352ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
* [syzbot] [bcachefs?] kernel BUG in bch2_dev_btree_bitmap_mark
@ 2024-10-21 13:07 syzbot
2024-11-08 4:25 ` [syzbot] syzbot
From: syzbot @ 2024-10-21 13:07 UTC (permalink / raw)
To: kent.overstreet, linux-bcachefs, linux-kernel, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 6efbea77b390 Merge tag 'arm64-fixes' of git://git.kernel.o..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=11c38240580000
kernel config: https://syzkaller.appspot.com/x/.config?x=cfbd94c114a3d407
dashboard link: https://syzkaller.appspot.com/bug?extid=e8eff054face85d7ea41
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14b10487980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15f8af27980000
Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7feb34a89c2a/non_bootable_disk-6efbea77.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/aa4b0fb0c7f0/vmlinux-6efbea77.xz
kernel image: https://storage.googleapis.com/syzbot-assets/7128c5b0c0b5/bzImage-6efbea77.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/459a008a6b91/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+e8eff054face85d7ea41@syzkaller.appspotmail.com
bcachefs (loop0): alloc_read... done
bcachefs (loop0): stripes_read... done
bcachefs (loop0): snapshots_read... done
bcachefs (loop0): check_allocations...
------------[ cut here ]------------
kernel BUG at fs/bcachefs/sb-members.c:453!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 5100 Comm: syz-executor307 Not tainted 6.12.0-rc3-syzkaller-00183-g6efbea77b390 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:__bch2_dev_btree_bitmap_mark fs/bcachefs/sb-members.c:453 [inline]
RIP: 0010:bch2_dev_btree_bitmap_mark+0xfd2/0xff0 fs/bcachefs/sb-members.c:473
Code: b3 f1 ff ff e8 af 9f 4c fd 90 0f 0b e8 a7 9f 4c fd 90 0f 0b e8 9f 9f 4c fd 90 0f 0b e8 97 9f 4c fd 90 0f 0b e8 8f 9f 4c fd 90 <0f> 0b e8 87 9f 4c fd 90 0f 0b e8 7f 0d 7e 07 66 2e 0f 1f 84 00 00
RSP: 0018:ffffc90002dfe5a0 EFLAGS: 00010293
RAX: ffffffff84484871 RBX: 00000000ffffffc8 RCX: ffff88801e284880
RDX: 0000000000000000 RSI: 000000000000003f RDI: 0000000000000039
RBP: ffffc90002dfe7b0 R08: ffffffff844844f1 R09: 0000000000000000
R10: 0000042098000000 R11: 0000000000000000 R12: 000000000000003f
R13: 0000042098000000 R14: ffff88803f7839d0 R15: 000000000000003f
FS: 0000555592498380(0000) GS:ffff88801fc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000561dbfb3d000 CR3: 00000000400e8000 CR4: 0000000000352ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
bch2_gc_mark_key+0xc9b/0x10e0 fs/bcachefs/btree_gc.c:622
bch2_gc_btree fs/bcachefs/btree_gc.c:698 [inline]
bch2_gc_btrees fs/bcachefs/btree_gc.c:729 [inline]
bch2_check_allocations+0x22e8/0x6e80 fs/bcachefs/btree_gc.c:1123
bch2_run_recovery_pass+0xf0/0x1e0 fs/bcachefs/recovery_passes.c:185
bch2_run_recovery_passes+0x387/0x870 fs/bcachefs/recovery_passes.c:232
bch2_fs_recovery+0x25cc/0x39c0 fs/bcachefs/recovery.c:862
bch2_fs_start+0x356/0x5b0 fs/bcachefs/super.c:1036
bch2_fs_get_tree+0xd68/0x1710 fs/bcachefs/fs.c:2174
vfs_get_tree+0x90/0x2b0 fs/super.c:1800
do_new_mount+0x2be/0xb40 fs/namespace.c:3507
do_mount fs/namespace.c:3847 [inline]
__do_sys_mount fs/namespace.c:4055 [inline]
__se_sys_mount+0x2d6/0x3c0 fs/namespace.c:4032
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fa72a53cf2a
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 5e 04 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffd5b715e88 EFLAGS: 00000282 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007ffd5b715ea0 RCX: 00007fa72a53cf2a
RDX: 00000000200000c0 RSI: 0000000020000000 RDI: 00007ffd5b715ea0
RBP: 0000000000000004 R08: 00007ffd5b715ee0 R09: 0000000000005901
R10: 0000000000808016 R11: 0000000000000282 R12: 0000000000808016
R13: 00007ffd5b715ee0 R14: 0000000000000003 R15: 0000000001000000
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__bch2_dev_btree_bitmap_mark fs/bcachefs/sb-members.c:453 [inline]
RIP: 0010:bch2_dev_btree_bitmap_mark+0xfd2/0xff0 fs/bcachefs/sb-members.c:473
Code: b3 f1 ff ff e8 af 9f 4c fd 90 0f 0b e8 a7 9f 4c fd 90 0f 0b e8 9f 9f 4c fd 90 0f 0b e8 97 9f 4c fd 90 0f 0b e8 8f 9f 4c fd 90 <0f> 0b e8 87 9f 4c fd 90 0f 0b e8 7f 0d 7e 07 66 2e 0f 1f 84 00 00
RSP: 0018:ffffc90002dfe5a0 EFLAGS: 00010293
RAX: ffffffff84484871 RBX: 00000000ffffffc8 RCX: ffff88801e284880
RDX: 0000000000000000 RSI: 000000000000003f RDI: 0000000000000039
RBP: ffffc90002dfe7b0 R08: ffffffff844844f1 R09: 0000000000000000
R10: 0000042098000000 R11: 0000000000000000 R12: 000000000000003f
R13: 0000042098000000 R14: ffff88803f7839d0 R15: 000000000000003f
FS: 0000555592498380(0000) GS:ffff88801fc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000561dbfb3d000 CR3: 00000000400e8000 CR4: 0000000000352ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
* [syzbot] [bcachefs?] UBSAN: shift-out-of-bounds in bch2_alloc_to_text
@ 2024-10-21 6:44 syzbot
2024-10-26 0:47 ` [syzbot] syzbot
From: syzbot @ 2024-10-21 6:44 UTC (permalink / raw)
To: kent.overstreet, linux-bcachefs, linux-kernel, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: c964ced77262 Merge tag 'for-linus' of git://git.kernel.org..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12d9745f980000
kernel config: https://syzkaller.appspot.com/x/.config?x=cfbd94c114a3d407
dashboard link: https://syzkaller.appspot.com/bug?extid=7f45fa9805c40db3f108
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12637887980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12a1e830580000
Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7feb34a89c2a/non_bootable_disk-c964ced7.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/e937ef58569a/vmlinux-c964ced7.xz
kernel image: https://storage.googleapis.com/syzbot-assets/f1df9880ca4b/bzImage-c964ced7.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/00439b875347/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+7f45fa9805c40db3f108@syzkaller.appspotmail.com
bcachefs (loop0): fatal error - emergency read only
bcachefs (loop0): insufficient writeable journal devices available: have 0, need 1
rw journal devs: loop0
------------[ cut here ]------------
UBSAN: shift-out-of-bounds in fs/bcachefs/alloc_background.h:165:13
shift exponent 129 is too large for 32-bit type 'unsigned int'
CPU: 0 UID: 0 PID: 5104 Comm: syz-executor159 Not tainted 6.12.0-rc3-syzkaller-00087-gc964ced77262 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
ubsan_epilogue lib/ubsan.c:231 [inline]
__ubsan_handle_shift_out_of_bounds+0x3c8/0x420 lib/ubsan.c:468
data_type_movable fs/bcachefs/alloc_background.h:165 [inline]
alloc_lru_idx_fragmentation fs/bcachefs/alloc_background.h:171 [inline]
bch2_alloc_to_text+0xc79/0xce0 fs/bcachefs/alloc_background.c:369
__bch2_bkey_fsck_err+0x1c8/0x280 fs/bcachefs/error.c:454
bch2_alloc_v4_validate+0x931/0xef0 fs/bcachefs/alloc_background.c:259
bch2_btree_node_read_done+0x3e7e/0x5e90 fs/bcachefs/btree_io.c:1223
btree_node_read_work+0x68b/0x1260 fs/bcachefs/btree_io.c:1327
bch2_btree_node_read+0x2433/0x2a10
__bch2_btree_root_read fs/bcachefs/btree_io.c:1753 [inline]
bch2_btree_root_read+0x617/0x7a0 fs/bcachefs/btree_io.c:1775
read_btree_roots+0x296/0x840 fs/bcachefs/recovery.c:524
bch2_fs_recovery+0x2585/0x39c0 fs/bcachefs/recovery.c:854
bch2_fs_start+0x356/0x5b0 fs/bcachefs/super.c:1036
bch2_fs_get_tree+0xd68/0x1710 fs/bcachefs/fs.c:2174
vfs_get_tree+0x90/0x2b0 fs/super.c:1800
do_new_mount+0x2be/0xb40 fs/namespace.c:3507
do_mount fs/namespace.c:3847 [inline]
__do_sys_mount fs/namespace.c:4055 [inline]
__se_sys_mount+0x2d6/0x3c0 fs/namespace.c:4032
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f7b61a11dea
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 5e 04 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffff7f9a888 EFLAGS: 00000282 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007ffff7f9a8a0 RCX: 00007f7b61a11dea
RDX: 00000000200058c0 RSI: 0000000020000100 RDI: 00007ffff7f9a8a0
RBP: 0000000000000004 R08: 00007ffff7f9a8e0 R09: 00000000000058c6
R10: 0000000000000000 R11: 0000000000000282 R12: 0000000000000000
R13: 00007ffff7f9a8e0 R14: 0000000000000003 R15: 0000000001000000
</TASK>
---[ end trace ]---
* [syzbot] [bcachefs?] kernel BUG in __bch2_trans_commit
@ 2024-10-21 4:31 syzbot
2024-11-08 0:18 ` [syzbot] syzbot
From: syzbot @ 2024-10-21 4:31 UTC (permalink / raw)
To: kent.overstreet, linux-bcachefs, linux-kernel, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 715ca9dd687f Merge tag 'io_uring-6.12-20241019' of git://g..
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=113e6430580000
kernel config: https://syzkaller.appspot.com/x/.config?x=78db40d8379956d9
dashboard link: https://syzkaller.appspot.com/bug?extid=f074d2e31d8d35a6a38c
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=110560a7980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17bdc25f980000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/bf3787869b5a/disk-715ca9dd.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/b938d885bc17/vmlinux-715ca9dd.xz
kernel image: https://storage.googleapis.com/syzbot-assets/9c039de0dde2/bzImage-715ca9dd.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/b049575f12e2/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+f074d2e31d8d35a6a38c@syzkaller.appspotmail.com
bcachefs (loop1): fatal error - emergency read only
------------[ cut here ]------------
kernel BUG at fs/bcachefs/journal.h:375!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 1 UID: 0 PID: 11 Comm: kworker/u8:0 Not tainted 6.12.0-rc3-syzkaller-00420-g715ca9dd687f #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: btree_update btree_interior_update_work
RIP: 0010:bch2_journal_res_get fs/bcachefs/journal.h:375 [inline]
RIP: 0010:bch2_trans_journal_res_get fs/bcachefs/btree_trans_commit.c:350 [inline]
RIP: 0010:bch2_trans_commit_write_locked fs/bcachefs/btree_trans_commit.c:668 [inline]
RIP: 0010:do_bch2_trans_commit fs/bcachefs/btree_trans_commit.c:900 [inline]
RIP: 0010:__bch2_trans_commit+0x9232/0x93c0 fs/bcachefs/btree_trans_commit.c:1121
Code: fd 90 0f 0b e8 3f bb 78 fd 90 0f 0b e8 37 bb 78 fd 90 0f 0b e8 2f bb 78 fd 90 0f 0b e8 27 bb 78 fd 90 0f 0b e8 1f bb 78 fd 90 <0f> 0b e8 17 bb 78 fd 90 0f 0b e8 0f bb 78 fd 90 0f 0b e8 07 bb 78
RSP: 0018:ffffc900001076c0 EFLAGS: 00010293
RAX: ffffffff841c2c91 RBX: 0000000000000000 RCX: ffff88801cebbc00
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90000107890 R08: ffffffff841bcfc8 R09: 1ffff1100cd494a8
R10: dffffc0000000000 R11: ffffed100cd494a9 R12: ffff888066a00000
R13: ffff888066a4a500 R14: 0000000000000044 R15: ffff88803060c0d0
FS: 0000000000000000(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ff942fe8000 CR3: 000000007bcb8000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
bch2_trans_commit fs/bcachefs/btree_update.h:184 [inline]
btree_update_nodes_written fs/bcachefs/btree_update_interior.c:728 [inline]
btree_interior_update_work+0x1492/0x2b10 fs/bcachefs/btree_update_interior.c:866
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310
worker_thread+0x870/0xd30 kernel/workqueue.c:3391
kthread+0x2f0/0x390 kernel/kthread.c:389
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:bch2_journal_res_get fs/bcachefs/journal.h:375 [inline]
RIP: 0010:bch2_trans_journal_res_get fs/bcachefs/btree_trans_commit.c:350 [inline]
RIP: 0010:bch2_trans_commit_write_locked fs/bcachefs/btree_trans_commit.c:668 [inline]
RIP: 0010:do_bch2_trans_commit fs/bcachefs/btree_trans_commit.c:900 [inline]
RIP: 0010:__bch2_trans_commit+0x9232/0x93c0 fs/bcachefs/btree_trans_commit.c:1121
Code: fd 90 0f 0b e8 3f bb 78 fd 90 0f 0b e8 37 bb 78 fd 90 0f 0b e8 2f bb 78 fd 90 0f 0b e8 27 bb 78 fd 90 0f 0b e8 1f bb 78 fd 90 <0f> 0b e8 17 bb 78 fd 90 0f 0b e8 0f bb 78 fd 90 0f 0b e8 07 bb 78
RSP: 0018:ffffc900001076c0 EFLAGS: 00010293
RAX: ffffffff841c2c91 RBX: 0000000000000000 RCX: ffff88801cebbc00
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90000107890 R08: ffffffff841bcfc8 R09: 1ffff1100cd494a8
R10: dffffc0000000000 R11: ffffed100cd494a9 R12: ffff888066a00000
R13: ffff888066a4a500 R14: 0000000000000044 R15: ffff88803060c0d0
FS: 0000000000000000(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ff942fff000 CR3: 000000002ce04000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
* [syzbot] [bcachefs?] kernel BUG in bch2_fs_btree_cache_exit
@ 2024-10-18 7:37 syzbot
2024-11-11 4:46 ` [syzbot] syzbot
From: syzbot @ 2024-10-18 7:37 UTC (permalink / raw)
To: kent.overstreet, linux-bcachefs, linux-kernel, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: c964ced77262 Merge tag 'for-linus' of git://git.kernel.org..
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=17f10240580000
kernel config: https://syzkaller.appspot.com/x/.config?x=164d2822debd8b0d
dashboard link: https://syzkaller.appspot.com/bug?extid=4deac4f47f33e16f82b7
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10090240580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=113be830580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/fb46e19c1a07/disk-c964ced7.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/521abb58e739/vmlinux-c964ced7.xz
kernel image: https://storage.googleapis.com/syzbot-assets/ea079e4ac77f/bzImage-c964ced7.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/f2414169f0cc/mount_0.gz
The issue was bisected to:
commit bf4baaa087e2be0279991f1dbf9acaa7a4c9148c
Author: Kent Overstreet <kent.overstreet@linux.dev>
Date: Sat Oct 5 21:37:02 2024 +0000
bcachefs: Fix lockdep splat in bch2_accounting_read
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=166b0487980000
final oops: https://syzkaller.appspot.com/x/report.txt?x=156b0487980000
console output: https://syzkaller.appspot.com/x/log.txt?x=116b0487980000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+4deac4f47f33e16f82b7@syzkaller.appspotmail.com
Fixes: bf4baaa087e2 ("bcachefs: Fix lockdep splat in bch2_accounting_read")
------------[ cut here ]------------
kernel BUG at fs/bcachefs/btree_cache.c:594!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 0 UID: 0 PID: 5223 Comm: syz-executor386 Not tainted 6.12.0-rc3-syzkaller-00087-gc964ced77262 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
RIP: 0010:bch2_fs_btree_cache_exit+0x1124/0x1130 fs/bcachefs/btree_cache.c:593
Code: fd 90 0f 0b e8 dd 66 84 fd 90 0f 0b e8 d5 66 84 fd 90 0f 0b e8 cd 66 84 fd 90 0f 0b e8 c5 66 84 fd 90 0f 0b e8 bd 66 84 fd 90 <0f> 0b 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90
RSP: 0018:ffffc90003b37b20 EFLAGS: 00010293
RAX: ffffffff84108043 RBX: 0000000000000002 RCX: ffff888024728000
RDX: 0000000000000000 RSI: 0000000000000002 RDI: 0000000000000000
RBP: 1ffff11005c49016 R08: ffffffff841076e7 R09: 1ffff1100bc503b6
R10: dffffc0000000000 R11: ffffed100bc503b7 R12: ffff88805e281c78
R13: ffff88805e280000 R14: 0000000000000000 R15: dffffc0000000000
FS: 000055558a7d6380(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fc6ecbff000 CR3: 0000000074002000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
__bch2_fs_free fs/bcachefs/super.c:556 [inline]
bch2_fs_release+0x20e/0x7d0 fs/bcachefs/super.c:610
kobject_cleanup lib/kobject.c:689 [inline]
kobject_release lib/kobject.c:720 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0x22f/0x480 lib/kobject.c:737
deactivate_locked_super+0xc4/0x130 fs/super.c:473
cleanup_mnt+0x41f/0x4b0 fs/namespace.c:1373
task_work_run+0x24f/0x310 kernel/task_work.c:228
ptrace_notify+0x2d2/0x380 kernel/signal.c:2403
ptrace_report_syscall include/linux/ptrace.h:415 [inline]
ptrace_report_syscall_exit include/linux/ptrace.h:477 [inline]
syscall_exit_work+0xc6/0x190 kernel/entry/common.c:173
syscall_exit_to_user_mode_prepare kernel/entry/common.c:200 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:205 [inline]
syscall_exit_to_user_mode+0x279/0x370 kernel/entry/common.c:218
do_syscall_64+0x100/0x230 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fc6f42275f7
Code: 07 00 48 83 c4 08 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 b8
RSP: 002b:00007ffdf9e61628 EFLAGS: 00000206 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007fc6f42275f7
RDX: 0000000000000000 RSI: 0000000000000009 RDI: 00007ffdf9e616e0
RBP: 00007ffdf9e616e0 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000206 R12: 00007ffdf9e62750
R13: 000055558a7d76c0 R14: 431bde82d7b634db R15: 00007ffdf9e62770
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
* [syzbot] [bcachefs?] possible deadlock in bch2_replicas_entry_validate
@ 2024-10-03 17:42 syzbot
2024-10-16 6:42 ` [syzbot] syzbot
From: syzbot @ 2024-10-03 17:42 UTC (permalink / raw)
To: kent.overstreet, linux-bcachefs, linux-kernel, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: e32cde8d2bd7 Merge tag 'sched_ext-for-6.12-rc1-fixes-1' of..
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=105b939f980000
kernel config: https://syzkaller.appspot.com/x/.config?x=1f009dd80b3799c2
dashboard link: https://syzkaller.appspot.com/bug?extid=4d24267b490e2b68a5fa
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1366e927980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=111c7dd0580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/08f3ba449e03/disk-e32cde8d.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/17bcace1ab90/vmlinux-e32cde8d.xz
kernel image: https://storage.googleapis.com/syzbot-assets/da9183ac0145/bzImage-e32cde8d.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/4c7b8b3c4819/mount_0.gz
The issue was bisected to:
commit 49fd90b2cc332b8607a616d99d4bb792f18208b9
Author: Kent Overstreet <kent.overstreet@linux.dev>
Date: Wed Sep 25 22:17:31 2024 +0000
bcachefs: Fix unlocked access to c->disk_sb.sb in bch2_replicas_entry_validate()
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=14b8a3d0580000
final oops: https://syzkaller.appspot.com/x/report.txt?x=16b8a3d0580000
console output: https://syzkaller.appspot.com/x/log.txt?x=12b8a3d0580000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+4d24267b490e2b68a5fa@syzkaller.appspotmail.com
Fixes: 49fd90b2cc33 ("bcachefs: Fix unlocked access to c->disk_sb.sb in bch2_replicas_entry_validate()")
WARNING: The mand mount option has been deprecated and
and is ignored by this kernel. Remove the mand
option from the mount to silence this warning.
=======================================================
bcachefs (loop0): starting version 1.7: mi_btree_bitmap opts=errors=continue,compression=zstd,norecovery,recovery_pass_last=check_dirents,nojournal_transaction_names,version_upgrade=none
============================================
WARNING: possible recursive locking detected
6.12.0-rc1-syzkaller-00031-ge32cde8d2bd7 #0 Not tainted
--------------------------------------------
syz-executor340/5221 is trying to acquire lock:
ffff888078a80908 (&c->sb_lock){+.+.}-{3:3}, at: bch2_replicas_entry_validate+0x2a/0x80 fs/bcachefs/replicas.c:101
but task is already holding lock:
ffff888078a80908 (&c->sb_lock){+.+.}-{3:3}, at: bch2_read_superblock_clean+0x36/0x520 fs/bcachefs/sb-clean.c:149
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0
----
lock(&c->sb_lock);
lock(&c->sb_lock);
*** DEADLOCK ***
May be due to missing lock nesting notation
2 locks held by syz-executor340/5221:
#0: ffff888078a80278 (&c->state_lock){+.+.}-{3:3}, at: bch2_fs_start+0x45/0x5b0 fs/bcachefs/super.c:1007
#1: ffff888078a80908 (&c->sb_lock){+.+.}-{3:3}, at: bch2_read_superblock_clean+0x36/0x520 fs/bcachefs/sb-clean.c:149
stack backtrace:
CPU: 0 UID: 0 PID: 5221 Comm: syz-executor340 Not tainted 6.12.0-rc1-syzkaller-00031-ge32cde8d2bd7 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_deadlock_bug+0x483/0x620 kernel/locking/lockdep.c:3037
check_deadlock kernel/locking/lockdep.c:3089 [inline]
validate_chain+0x15e2/0x5920 kernel/locking/lockdep.c:3891
__lock_acquire+0x1384/0x2050 kernel/locking/lockdep.c:5202
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5825
__mutex_lock_common kernel/locking/mutex.c:608 [inline]
__mutex_lock+0x136/0xd70 kernel/locking/mutex.c:752
bch2_replicas_entry_validate+0x2a/0x80 fs/bcachefs/replicas.c:101
journal_entry_data_usage_validate+0x2b6/0x690 fs/bcachefs/journal_io.c:608
bch2_sb_clean_validate_late fs/bcachefs/sb-clean.c:40 [inline]
bch2_read_superblock_clean+0x207/0x520 fs/bcachefs/sb-clean.c:168
bch2_fs_recovery+0x1f4/0x39c0 fs/bcachefs/recovery.c:639
bch2_fs_start+0x356/0x5b0 fs/bcachefs/super.c:1037
bch2_fs_get_tree+0xd68/0x1710 fs/bcachefs/fs.c:2071
vfs_get_tree+0x90/0x2b0 fs/super.c:1800
do_new_mount+0x2be/0xb40 fs/namespace.c:3507
do_mount fs/namespace.c:3847 [inline]
__do_sys_mount fs/namespace.c:4055 [inline]
__se_sys_mount+0x2d6/0x3c0 fs/namespace.c:4032
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f2478bb0c3a
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 5e 04 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffecc9ae478 EFLAGS: 00000282 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007ffecc9ae490 RCX: 00007f2478bb0c3a
RDX: 0000000020005d80 RSI: 0000000020000240 RDI: 00007ffecc9ae490
RBP: 0000000000000004 R08: 00007ffecc9ae4d0 R09: 0000000000005daf
R10: 0000000000000044 R11: 0000000000000282 R12: 0000000000000044
R13: 00007ffecc9ae4d0 R14: 0000000000000003 R15: 0000000001000000
</TASK>
* [syzbot] [bcachefs?] kernel BUG in __bch2_btree_node_write
@ 2024-10-03 8:10 syzbot
2024-11-25 6:52 ` [syzbot] syzbot
From: syzbot @ 2024-10-03 8:10 UTC (permalink / raw)
To: kent.overstreet, linux-bcachefs, linux-kernel, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 3efc57369a0c Merge tag 'for-linus' of git://git.kernel.org..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=142bf6a9980000
kernel config: https://syzkaller.appspot.com/x/.config?x=a4fcb065287cdb84
dashboard link: https://syzkaller.appspot.com/bug?extid=dedbd67513939979f84f
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7feb34a89c2a/non_bootable_disk-3efc5736.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/d0988c372a39/vmlinux-3efc5736.xz
kernel image: https://storage.googleapis.com/syzbot-assets/8547f30d7e9d/bzImage-3efc5736.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+dedbd67513939979f84f@syzkaller.appspotmail.com
bcachefs (loop0): starting version 1.7: mi_btree_bitmap opts=errors=continue,compression=lz4,nojournal_transaction_names
bcachefs (loop0): recovering from clean shutdown, journal seq 7
bcachefs (loop0): Doing compatible version upgrade from 1.7: mi_btree_bitmap to 1.12: rebalance_work_acct_fix
running recovery passes: check_allocations
invalid bkey u64s 11 type alloc_v4 0:14:0 len 0 ver 0:
gen 0 oldest_gen 0 data_type journal
journal_seq 1
need_discard 1
need_inc_gen 1
dirty_sectors 256
stripe_sectors 0
cached_sectors 0
stripe 67108864
stripe_redundancy 0
io_time[READ] 1
io_time[WRITE] 1
fragmentation 0
bp_start 8
invalid data type (got 2 should be 7): delete?, fixing
bcachefs (loop0): accounting_read... done
bcachefs (loop0): alloc_read... done
bcachefs (loop0): stripes_read... done
bcachefs (loop0): snapshots_read... done
bcachefs (loop0): check_allocations...
btree ptr not marked in member info btree allocated bitmap
u64s 11 type btree_ptr_v2 SPOS_MAX len 0 ver 0: seq 75277f57b0c8c24 written 32 min_key POS_MIN durability: 1 ptr: 0:26:0 gen 0, fixing
btree ptr not marked in member info btree allocated bitmap
u64s 11 type btree_ptr_v2 SPOS_MAX len 0 ver 0: seq 19bc58a6c09b6540 written 24 min_key POS_MIN durability: 1 ptr: 0:38:0 gen 0, fixing
btree ptr not marked in member info btree allocated bitmap
u64s 11 type btree_ptr_v2 SPOS_MAX len 0 ver 0: seq c18f4a4face03c6 written 24 min_key POS_MIN durability: 1 ptr: 0:41:0 gen 0, fixing
btree ptr not marked in member info btree allocated bitmap
u64s 11 type btree_ptr_v2 SPOS_MAX len 0 ver 0: seq 7675f41d391e5d36 written 16 min_key POS_MIN durability: 1 ptr: 0:35:0 gen 0, fixing
btree ptr not marked in member info btree allocated bitmap
u64s 11 type btree_ptr_v2 SPOS_MAX len 0 ver 0: seq bcb9905dfb2993d5 written 16 min_key POS_MIN durability: 1 ptr: 0:32:0 gen 0, fixing
btree ptr not marked in member info btree allocated bitmap
u64s 11 type btree_ptr_v2 SPOS_MAX len 0 ver 0: seq 9a831b4a3f983356 written 32 min_key POS_MIN durability: 1 ptr: 0:29:0 gen 0, fixing
bucket 0:1 gen 0 has wrong data_type: got free, should be sb, fixing
bucket 0:1 gen 0 data type sb has wrong dirty_sectors: got 0, should be 256, fixing
bucket 0:14 gen 0 has wrong data_type: got free, should be journal, fixing
bucket 0:14 gen 0 data type journal has wrong dirty_sectors: got 0, should be 256, fixing
done
bcachefs (loop0): going read-write
bcachefs (loop0): journal_replay... done
bcachefs (loop0): resume_logged_ops... done
bcachefs (loop0): delete_dead_inodes... done
bcachefs (loop0): Fixed errors, running fsck a second time to verify fs is clean
bcachefs (loop0): resume_logged_ops... done
bcachefs (loop0): delete_dead_inodes... done
bcachefs (loop0): scanning for old btree nodes: min_version 0.9: (unknown version)
------------[ cut here ]------------
kernel BUG at fs/bcachefs/btree_io.c:2099!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 5116 Comm: syz.0.0 Not tainted 6.11.0-syzkaller-11993-g3efc57369a0c #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:__bch2_btree_node_write+0x43d8/0x4400 fs/bcachefs/btree_io.c:2099
Code: fd 90 0f 0b e8 e9 a7 7d fd 90 0f 0b e8 e1 a7 7d fd 90 0f 0b e8 d9 a7 7d fd 90 0f 0b e8 d1 a7 7d fd 90 0f 0b e8 c9 a7 7d fd 90 <0f> 0b e8 c1 a7 7d fd 90 0f 0b e8 b9 a7 7d fd 90 0f 0b e8 b1 a7 7d
RSP: 0018:ffffc9000b346ac0 EFLAGS: 00010246
RAX: ffffffff84173e57 RBX: 00000000000001e2 RCX: 0000000000040000
RDX: ffffc9000b379000 RSI: 000000000003ffff RDI: 0000000000040000
RBP: ffffc9000b346da0 R08: ffffffff84171d58 R09: 0000000000000000
R10: ffffc9000b346860 R11: fffff52001668d0e R12: dffffc0000000000
R13: ffff88804eb2809e R14: 00000000000001eb R15: 00000000000001e2
FS: 00007f445f9486c0(0000) GS:ffff88801fc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005607e3ef4011 CR3: 000000001eaf8000 CR4: 0000000000352ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
bch2_btree_node_write+0x63/0x1f0 fs/bcachefs/btree_io.c:2283
bch2_btree_node_rewrite+0xcac/0x1280 fs/bcachefs/btree_update_interior.c:2173
bch2_move_btree+0x7af/0xde0 fs/bcachefs/move.c:865
bch2_scan_old_btree_nodes+0x14b/0x3c0 fs/bcachefs/move.c:995
bch2_fs_recovery+0x33da/0x38b0 fs/bcachefs/recovery.c:962
bch2_fs_start+0x356/0x5b0 fs/bcachefs/super.c:1037
bch2_fs_get_tree+0xd68/0x1710 fs/bcachefs/fs.c:2071
vfs_get_tree+0x90/0x2b0 fs/super.c:1800
do_new_mount+0x2be/0xb40 fs/namespace.c:3507
do_mount fs/namespace.c:3847 [inline]
__do_sys_mount fs/namespace.c:4055 [inline]
__se_sys_mount+0x2d6/0x3c0 fs/namespace.c:4032
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f445eb7f79a
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 1a 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f445f947e68 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007f445f947ef0 RCX: 00007f445eb7f79a
RDX: 0000000020005d80 RSI: 0000000020005dc0 RDI: 00007f445f947eb0
RBP: 0000000020005d80 R08: 00007f445f947ef0 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000020005dc0
R13: 00007f445f947eb0 R14: 0000000000005d7d R15: 0000000020000280
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__bch2_btree_node_write+0x43d8/0x4400 fs/bcachefs/btree_io.c:2099
Code: fd 90 0f 0b e8 e9 a7 7d fd 90 0f 0b e8 e1 a7 7d fd 90 0f 0b e8 d9 a7 7d fd 90 0f 0b e8 d1 a7 7d fd 90 0f 0b e8 c9 a7 7d fd 90 <0f> 0b e8 c1 a7 7d fd 90 0f 0b e8 b9 a7 7d fd 90 0f 0b e8 b1 a7 7d
RSP: 0018:ffffc9000b346ac0 EFLAGS: 00010246
RAX: ffffffff84173e57 RBX: 00000000000001e2 RCX: 0000000000040000
RDX: ffffc9000b379000 RSI: 000000000003ffff RDI: 0000000000040000
RBP: ffffc9000b346da0 R08: ffffffff84171d58 R09: 0000000000000000
R10: ffffc9000b346860 R11: fffff52001668d0e R12: dffffc0000000000
R13: ffff88804eb2809e R14: 00000000000001eb R15: 00000000000001e2
FS: 00007f445f9486c0(0000) GS:ffff88801fc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f445f9279a0 CR3: 000000001eaf8000 CR4: 0000000000352ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
* [syzbot] [bcachefs?] kernel BUG in bch2_fs_btree_write_buffer_exit
@ 2024-09-28 2:13 syzbot
2024-11-08 3:04 ` [syzbot] syzbot
From: syzbot @ 2024-09-28 2:13 UTC (permalink / raw)
To: kent.overstreet, linux-bcachefs, linux-kernel, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 5f5673607153 Merge branch 'for-next/core' into for-kernelci
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=11ef8507980000
kernel config: https://syzkaller.appspot.com/x/.config?x=dedbcb1ff4387972
dashboard link: https://syzkaller.appspot.com/bug?extid=e4b5080f1e963225063e
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/40172aed5414/disk-5f567360.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/58372f305e9d/vmlinux-5f567360.xz
kernel image: https://storage.googleapis.com/syzbot-assets/d2aae6fa798f/Image-5f567360.gz.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+e4b5080f1e963225063e@syzkaller.appspotmail.com
------------[ cut here ]------------
kernel BUG at fs/bcachefs/btree_write_buffer.c:801!
Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
Modules linked in:
CPU: 1 UID: 0 PID: 6419 Comm: syz-executor Not tainted 6.11.0-rc7-syzkaller-g5f5673607153 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : bch2_fs_btree_write_buffer_exit+0x1dc/0x1e0 fs/bcachefs/btree_write_buffer.c:800
lr : bch2_fs_btree_write_buffer_exit+0x1dc/0x1e0 fs/bcachefs/btree_write_buffer.c:800
sp : ffff8000a3217a80
x29: ffff8000a3217a80 x28: 1fffe0001e5b0010 x27: 1fffe0001e5b000d
x26: dfff800000000000 x25: ffff0000f2d80000 x24: dfff800000000000
x23: ffff0000f2dcb174 x22: 00000000000fffff x21: 00000000000ffffe
x20: ffff0000f2d80000 x19: ffff0000f2d845a0 x18: 1fffe000366d79ee
x17: ffff80008f56d000 x16: ffff80008b274880 x15: 0000000000000001
x14: 1fffe0001e5b962e x13: 0000000000000000 x12: 0000000000000000
x11: ffff60001e5b962f x10: 0000000000ff0100 x9 : 0000000000000000
x8 : ffff0000ea698000 x7 : 0000000000000000 x6 : 000000000000003f
x5 : 0000000000000040 x4 : 0000000000000000 x3 : ffff800082a3a0cc
x2 : 0000000000000000 x1 : 00000000000ffffe x0 : 00000000000fffff
Call trace:
bch2_fs_btree_write_buffer_exit+0x1dc/0x1e0 fs/bcachefs/btree_write_buffer.c:800
__bch2_fs_free fs/bcachefs/super.c:564 [inline]
bch2_fs_release+0x2d4/0x720 fs/bcachefs/super.c:608
kobject_cleanup lib/kobject.c:689 [inline]
kobject_release lib/kobject.c:720 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0x2a8/0x41c lib/kobject.c:737
bch2_fs_free+0x2c4/0x334 fs/bcachefs/super.c:672
bch2_kill_sb+0x48/0x58 fs/bcachefs/fs.c:2055
deactivate_locked_super+0xc4/0x12c fs/super.c:473
deactivate_super+0xe0/0x100 fs/super.c:506
cleanup_mnt+0x34c/0x3dc fs/namespace.c:1373
__cleanup_mnt+0x20/0x30 fs/namespace.c:1380
task_work_run+0x230/0x2e0 kernel/task_work.c:228
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
do_notify_resume+0x178/0x1f4 arch/arm64/kernel/entry-common.c:151
exit_to_user_mode_prepare arch/arm64/kernel/entry-common.c:169 [inline]
exit_to_user_mode arch/arm64/kernel/entry-common.c:178 [inline]
el0_svc+0xac/0x168 arch/arm64/kernel/entry-common.c:713
el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730
el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598
Code: d65f03c0 9774c432 17ffffc0 9774c430 (d4210000)
---[ end trace 0000000000000000 ]---
* [syzbot] [bcachefs?] WARNING in bch2_journal_flush_seq_async
@ 2024-09-18 7:28 syzbot
2024-11-28 22:50 ` [syzbot] syzbot
From: syzbot @ 2024-09-18 7:28 UTC (permalink / raw)
To: kent.overstreet, linux-bcachefs, linux-kernel, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 5f5673607153 Merge branch 'for-next/core' into for-kernelci
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=14a284a9980000
kernel config: https://syzkaller.appspot.com/x/.config?x=dedbcb1ff4387972
dashboard link: https://syzkaller.appspot.com/bug?extid=d119b445ec739e7f3068
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12a9869f980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16a9869f980000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/40172aed5414/disk-5f567360.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/58372f305e9d/vmlinux-5f567360.xz
kernel image: https://storage.googleapis.com/syzbot-assets/d2aae6fa798f/Image-5f567360.gz.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/a5dce0e82b0d/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d119b445ec739e7f3068@syzkaller.appspotmail.com
bcachefs (loop0): delete_dead_inodes... done
bcachefs (loop0): done starting filesystem
------------[ cut here ]------------
requested to flush journal seq 36028797018963972, but currently at 14
WARNING: CPU: 1 PID: 6404 at fs/bcachefs/journal.c:672 bch2_journal_flush_seq_async+0x668/0x6c0
Modules linked in:
CPU: 1 UID: 0 PID: 6404 Comm: syz-executor187 Not tainted 6.11.0-rc7-syzkaller-g5f5673607153 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : bch2_journal_flush_seq_async+0x668/0x6c0
lr : bch2_journal_flush_seq_async+0x664/0x6c0 fs/bcachefs/journal.c:670
sp : ffff80009cb678e0
x29: ffff80009cb67960 x28: dfff800000000000 x27: 1fffe0001bb69537
x26: 1ffff0001396cf20 x25: 000000000000000e x24: ffff0000ddb4a9c8
x23: 0000000000000000 x22: 1fffe0001bb69539 x21: ffff0000ddb4a9b8
x20: ffff0000ddb4a380 x19: ffff8000927b7000 x18: 0000000000000008
x17: 0000000000000000 x16: ffff800083032784 x15: 0000000000000001
x14: 1fffe000366d7a5a x13: 0000000000000000 x12: 0000000000000000
x11: 0000000000000003 x10: 0000000000ff0100 x9 : ab30ddaea468da00
x8 : ab30ddaea468da00 x7 : 0000000000000001 x6 : 0000000000000001
x5 : ffff80009cb67038 x4 : ffff80008f65b620 x3 : ffff8000806051a0
x2 : 0000000000000001 x1 : 0000000100000001 x0 : 0000000000000000
Call trace:
bch2_journal_flush_seq_async+0x668/0x6c0
bch2_journal_flush_seq+0xe8/0x280 fs/bcachefs/journal.c:759
bch2_flush_inode+0x220/0x390 fs/bcachefs/fs-io.c:185
bch2_fsync+0x1a0/0x44c fs/bcachefs/fs-io.c:205
vfs_fsync_range fs/sync.c:188 [inline]
vfs_fsync fs/sync.c:202 [inline]
do_fsync fs/sync.c:212 [inline]
__do_sys_fsync fs/sync.c:220 [inline]
__se_sys_fsync fs/sync.c:218 [inline]
__arm64_sys_fsync+0x178/0x1c0 fs/sync.c:218
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712
el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730
el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598
irq event stamp: 71336
hardirqs last enabled at (71335): [<ffff800080388420>] __up_console_sem kernel/printk/printk.c:341 [inline]
hardirqs last enabled at (71335): [<ffff800080388420>] __console_unlock kernel/printk/printk.c:2801 [inline]
hardirqs last enabled at (71335): [<ffff800080388420>] console_unlock+0x18c/0x3d4 kernel/printk/printk.c:3120
hardirqs last disabled at (71336): [<ffff80008b3363f4>] el1_dbg+0x24/0x80 arch/arm64/kernel/entry-common.c:470
softirqs last enabled at (70998): [<ffff8000800307f8>] local_bh_enable+0x10/0x34 include/linux/bottom_half.h:32
softirqs last disabled at (70996): [<ffff8000800307c4>] local_bh_disable+0x10/0x34 include/linux/bottom_half.h:19
---[ end trace 0000000000000000 ]---
* [syzbot] [sound?] WARNING in snd_pcm_open
@ 2024-08-27 2:12 syzbot
2024-09-06 10:33 ` [syzbot] syzbot
From: syzbot @ 2024-08-27 2:12 UTC (permalink / raw)
To: linux-kernel, linux-sound, perex, syzkaller-bugs, tiwai
Hello,
syzbot found the following issue on:
HEAD commit: 6a7917c89f21 Add linux-next specific files for 20240822
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=11a72e09980000
kernel config: https://syzkaller.appspot.com/x/.config?x=897bd7c53a10fcfc
dashboard link: https://syzkaller.appspot.com/bug?extid=d2b696e5cb7a92fee831
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/47820545bc51/disk-6a7917c8.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/e300f3a38860/vmlinux-6a7917c8.xz
kernel image: https://storage.googleapis.com/syzbot-assets/9146afef58aa/bzImage-6a7917c8.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d2b696e5cb7a92fee831@syzkaller.appspotmail.com
------------[ cut here ]------------
do not call blocking ops when !TASK_RUNNING; state=1 set at [<ffffffff89468b6f>] snd_pcm_open+0x2ff/0x7a0 sound/core/pcm_native.c:2860
WARNING: CPU: 1 PID: 5346 at kernel/sched/core.c:8556 __might_sleep+0xb9/0xe0 kernel/sched/core.c:8552
Modules linked in:
CPU: 1 UID: 0 PID: 5346 Comm: syz.4.9 Not tainted 6.11.0-rc4-next-20240822-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
RIP: 0010:__might_sleep+0xb9/0xe0 kernel/sched/core.c:8552
Code: a1 0e 01 90 42 80 3c 23 00 74 08 48 89 ef e8 ce e6 97 00 48 8b 4d 00 48 c7 c7 c0 60 0a 8c 44 89 ee 48 89 ca e8 f8 02 f1 ff 90 <0f> 0b 90 90 eb b5 89 d9 80 e1 07 80 c1 03 38 c1 0f 8c 70 ff ff ff
RSP: 0018:ffffc90004457408 EFLAGS: 00010246
RAX: 0dea8fe797fdb300 RBX: 1ffff11002cf16ac RCX: 0000000000040000
RDX: ffffc90009dd9000 RSI: 00000000000085c7 RDI: 00000000000085c8
RBP: ffff88801678b560 R08: ffffffff8155a632 R09: fffffbfff1cfa364
R10: dffffc0000000000 R11: fffffbfff1cfa364 R12: dffffc0000000000
R13: 0000000000000001 R14: 0000000000000249 R15: ffffffff8c0ab880
FS: 00007fa51e6226c0(0000) GS:ffff8880b9100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b32715ff8 CR3: 00000000771dc000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
__mutex_lock_common kernel/locking/mutex.c:585 [inline]
__mutex_lock+0xc1/0xd70 kernel/locking/mutex.c:752
snd_pcm_open+0x34b/0x7a0 sound/core/pcm_native.c:2863
snd_pcm_playback_open+0x6e/0xe0 sound/core/pcm_native.c:2810
chrdev_open+0x523/0x600 fs/char_dev.c:414
do_dentry_open+0x928/0x13f0 fs/open.c:959
vfs_open+0x3e/0x330 fs/open.c:1089
do_open fs/namei.c:3774 [inline]
path_openat+0x2c87/0x3590 fs/namei.c:3933
do_filp_open+0x235/0x490 fs/namei.c:3960
do_sys_openat2+0x13e/0x1d0 fs/open.c:1416
do_sys_open fs/open.c:1431 [inline]
__do_sys_openat fs/open.c:1447 [inline]
__se_sys_openat fs/open.c:1442 [inline]
__x64_sys_openat+0x247/0x2a0 fs/open.c:1442
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fa51d778810
Code: 48 89 44 24 20 75 93 44 89 54 24 0c e8 19 8f 02 00 44 8b 54 24 0c 89 da 48 89 ee 41 89 c0 bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 77 38 44 89 c7 89 44 24 0c e8 6c 8f 02 00 8b 44
RSP: 002b:00007fa51e621b70 EFLAGS: 00000293 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fa51d778810
RDX: 0000000000000000 RSI: 00007fa51e621c10 RDI: 00000000ffffff9c
RBP: 00007fa51e621c10 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000
R13: 0000000000000000 R14: 00007fa51d915f80 R15: 00007ffc16ca31f8
</TASK>
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
* [syzbot] [bcachefs?] KASAN: slab-out-of-bounds Read in journal_entry_dev_usage_to_text
@ 2024-07-30 1:14 syzbot
2024-11-11 21:03 ` [syzbot] syzbot
0 siblings, 1 reply; 141+ messages in thread
From: syzbot @ 2024-07-30 1:14 UTC (permalink / raw)
To: kent.overstreet, linux-bcachefs, linux-kernel, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 1722389b0d86 Merge tag 'net-6.11-rc1' of git://git.kernel...
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=1544b603980000
kernel config: https://syzkaller.appspot.com/x/.config?x=b698a1b2fcd7ef5f
dashboard link: https://syzkaller.appspot.com/bug?extid=05d7520be047c9be86e0
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1686c69d980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=150a1611980000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/e3f4ec8ccf7c/disk-1722389b.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/f19bcd908282/vmlinux-1722389b.xz
kernel image: https://storage.googleapis.com/syzbot-assets/d93604974a98/bzImage-1722389b.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/f4a9cf51fd0b/mount_0.gz
The issue was bisected to:
commit 03ef80b469d5d83530ce1ce15be78a40e5300f9b
Author: Kent Overstreet <kent.overstreet@linux.dev>
Date: Sat Sep 23 22:41:51 2023 +0000
bcachefs: Ignore unknown mount options
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=147b3b0d980000
final oops: https://syzkaller.appspot.com/x/report.txt?x=167b3b0d980000
console output: https://syzkaller.appspot.com/x/log.txt?x=127b3b0d980000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+05d7520be047c9be86e0@syzkaller.appspotmail.com
Fixes: 03ef80b469d5 ("bcachefs: Ignore unknown mount options")
loop0: detected capacity change from 0 to 32768
==================================================================
BUG: KASAN: slab-out-of-bounds in journal_entry_dev_usage_to_text+0x109/0x1d0 fs/bcachefs/journal_io.c:731
Read of size 8 at addr ffff88807a286000 by task syz-executor816/5214
CPU: 1 UID: 0 PID: 5214 Comm: syz-executor816 Not tainted 6.10.0-syzkaller-12562-g1722389b0d86 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:93 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
journal_entry_dev_usage_to_text+0x109/0x1d0 fs/bcachefs/journal_io.c:731
bch2_sb_clean_to_text+0x138/0x240 fs/bcachefs/sb-clean.c:251
bch2_sb_field_validate+0x201/0x2e0 fs/bcachefs/super-io.c:1229
bch2_sb_validate+0xa69/0xe00 fs/bcachefs/super-io.c:468
__bch2_read_super+0xc1b/0x1370 fs/bcachefs/super-io.c:823
bch2_fs_open+0x246/0xdf0 fs/bcachefs/super.c:2084
bch2_fs_get_tree+0x731/0x1700 fs/bcachefs/fs.c:1933
vfs_get_tree+0x90/0x2a0 fs/super.c:1789
do_new_mount+0x2be/0xb40 fs/namespace.c:3472
do_mount fs/namespace.c:3812 [inline]
__do_sys_mount fs/namespace.c:4020 [inline]
__se_sys_mount+0x2d6/0x3c0 fs/namespace.c:3997
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f14389cf06a
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 5e 04 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffe1945e9d8 EFLAGS: 00000282 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007ffe1945e9f0 RCX: 00007f14389cf06a
RDX: 0000000020005b00 RSI: 0000000020005b40 RDI: 00007ffe1945e9f0
RBP: 0000000000000004 R08: 00007ffe1945ea30 R09: 0000000000005b72
R10: 0000000000000000 R11: 0000000000000282 R12: 0000000000000000
R13: 00007ffe1945ea30 R14: 0000000000000003 R15: 0000000001000000
</TASK>
Allocated by task 5214:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
__kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:387
kasan_kmalloc include/linux/kasan.h:211 [inline]
__do_kmalloc_node mm/slub.c:4158 [inline]
__kmalloc_node_track_caller_noprof+0x225/0x440 mm/slub.c:4177
__do_krealloc mm/slab_common.c:1280 [inline]
krealloc_noprof+0x7d/0x120 mm/slab_common.c:1313
bch2_sb_realloc+0x2d2/0x660 fs/bcachefs/super-io.c:189
read_one_super+0x73b/0xf40 fs/bcachefs/super-io.c:660
__bch2_read_super+0x873/0x1370 fs/bcachefs/super-io.c:751
bch2_fs_open+0x246/0xdf0 fs/bcachefs/super.c:2084
bch2_fs_get_tree+0x731/0x1700 fs/bcachefs/fs.c:1933
vfs_get_tree+0x90/0x2a0 fs/super.c:1789
do_new_mount+0x2be/0xb40 fs/namespace.c:3472
do_mount fs/namespace.c:3812 [inline]
__do_sys_mount fs/namespace.c:4020 [inline]
__se_sys_mount+0x2d6/0x3c0 fs/namespace.c:3997
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff88807a284000
which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 0 bytes to the right of
allocated 8192-byte region [ffff88807a284000, ffff88807a286000)
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7a280
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
ksm flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xfdffffff(slab)
raw: 00fff00000000040 ffff888015442280 ffffea0000948200 0000000000000003
raw: 0000000000000000 0000000080020002 00000001fdffffff 0000000000000000
head: 00fff00000000040 ffff888015442280 ffffea0000948200 0000000000000003
head: 0000000000000000 0000000080020002 00000001fdffffff 0000000000000000
head: 00fff00000000003 ffffea0001e8a001 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4879, tgid 4879 (rcS), ts 34538747384, free_ts 34514158572
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1493
prep_new_page mm/page_alloc.c:1501 [inline]
get_page_from_freelist+0x2e4c/0x2f10 mm/page_alloc.c:3438
__alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4696
__alloc_pages_node_noprof include/linux/gfp.h:269 [inline]
alloc_pages_node_noprof include/linux/gfp.h:296 [inline]
alloc_slab_page+0x5f/0x120 mm/slub.c:2321
allocate_slab+0x5a/0x2f0 mm/slub.c:2484
new_slab mm/slub.c:2537 [inline]
___slab_alloc+0xcd1/0x14b0 mm/slub.c:3723
__slab_alloc+0x58/0xa0 mm/slub.c:3813
__slab_alloc_node mm/slub.c:3866 [inline]
slab_alloc_node mm/slub.c:4025 [inline]
__kmalloc_cache_noprof+0x1d5/0x2c0 mm/slub.c:4184
kmalloc_noprof include/linux/slab.h:681 [inline]
kzalloc_noprof include/linux/slab.h:807 [inline]
tomoyo_print_bprm security/tomoyo/audit.c:26 [inline]
tomoyo_init_log+0x11ce/0x2050 security/tomoyo/audit.c:264
tomoyo_supervisor+0x38a/0x11f0 security/tomoyo/common.c:2089
tomoyo_audit_env_log security/tomoyo/environ.c:36 [inline]
tomoyo_env_perm+0x178/0x210 security/tomoyo/environ.c:63
tomoyo_environ security/tomoyo/domain.c:672 [inline]
tomoyo_find_next_domain+0x1384/0x1cf0 security/tomoyo/domain.c:878
tomoyo_bprm_check_security+0x115/0x180 security/tomoyo/tomoyo.c:102
security_bprm_check+0x65/0x90 security/security.c:1191
search_binary_handler fs/exec.c:1809 [inline]
exec_binprm fs/exec.c:1863 [inline]
bprm_execve+0xa56/0x1770 fs/exec.c:1914
do_execveat_common+0x55f/0x6f0 fs/exec.c:2021
page last free pid 4878 tgid 4878 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1094 [inline]
free_unref_page+0xd19/0xea0 mm/page_alloc.c:2608
discard_slab mm/slub.c:2583 [inline]
__put_partials+0xeb/0x130 mm/slub.c:3051
put_cpu_partial+0x17c/0x250 mm/slub.c:3126
__slab_free+0x2ea/0x3d0 mm/slub.c:4343
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x9e/0x140 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x14f/0x170 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x23/0x80 mm/kasan/common.c:322
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook mm/slub.c:3988 [inline]
slab_alloc_node mm/slub.c:4037 [inline]
kmem_cache_alloc_noprof+0x135/0x2a0 mm/slub.c:4044
vm_area_alloc+0x24/0x1d0 kernel/fork.c:471
mmap_region+0xc3d/0x2090 mm/mmap.c:2944
do_mmap+0x8f9/0x1010 mm/mmap.c:1468
vm_mmap_pgoff+0x1dd/0x3d0 mm/util.c:588
ksys_mmap_pgoff+0x4f1/0x720 mm/mmap.c:1514
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Memory state around the buggy address:
ffff88807a285f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88807a285f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88807a286000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff88807a286080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88807a286100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
* [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in mgmt_remove_adv_monitor_sync
@ 2024-07-24 8:59 syzbot
2024-12-05 1:58 ` [syzbot] syzbot
2024-12-23 22:19 ` [syzbot] syzbot
0 siblings, 2 replies; 141+ messages in thread
From: syzbot @ 2024-07-24 8:59 UTC (permalink / raw)
To: johan.hedberg, linux-bluetooth, linux-kernel, luiz.dentz, marcel,
netdev, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: d7e78951a8b8 Merge tag 'net-6.11-rc0' of git://git.kernel...
git tree: net-next
console output: https://syzkaller.appspot.com/x/log.txt?x=126a9fc3980000
kernel config: https://syzkaller.appspot.com/x/.config?x=8d1cf7c29e32ce12
dashboard link: https://syzkaller.appspot.com/bug?extid=479aff51bb361ef5aa18
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/3c208b51873e/disk-d7e78951.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/adec146cf41c/vmlinux-d7e78951.xz
kernel image: https://storage.googleapis.com/syzbot-assets/52f09b8f7356/bzImage-d7e78951.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+479aff51bb361ef5aa18@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: slab-use-after-free in mgmt_remove_adv_monitor_sync+0x3a/0xd0 net/bluetooth/mgmt.c:5444
Read of size 8 at addr ffff88802aac0f18 by task kworker/u9:0/54
CPU: 0 PID: 54 Comm: kworker/u9:0 Not tainted 6.10.0-syzkaller-09703-gd7e78951a8b8 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
Workqueue: hci0 hci_cmd_sync_work
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
mgmt_remove_adv_monitor_sync+0x3a/0xd0 net/bluetooth/mgmt.c:5444
hci_cmd_sync_work+0x22b/0x400 net/bluetooth/hci_sync.c:328
process_one_work kernel/workqueue.c:3231 [inline]
process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3312
worker_thread+0x86d/0xd40 kernel/workqueue.c:3390
kthread+0x2f0/0x390 kernel/kthread.c:389
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
Allocated by task 7112:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
__kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:387
kasan_kmalloc include/linux/kasan.h:211 [inline]
__kmalloc_cache_noprof+0x19c/0x2c0 mm/slub.c:4180
kmalloc_noprof include/linux/slab.h:681 [inline]
kzalloc_noprof include/linux/slab.h:807 [inline]
mgmt_pending_new+0x65/0x250 net/bluetooth/mgmt_util.c:269
mgmt_pending_add+0x36/0x120 net/bluetooth/mgmt_util.c:296
remove_adv_monitor+0x102/0x1b0 net/bluetooth/mgmt.c:5469
hci_mgmt_cmd+0xc47/0x11d0 net/bluetooth/hci_sock.c:1712
hci_sock_sendmsg+0x7b8/0x11c0 net/bluetooth/hci_sock.c:1832
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0x221/0x270 net/socket.c:745
sock_write_iter+0x2dd/0x400 net/socket.c:1160
new_sync_write fs/read_write.c:497 [inline]
vfs_write+0xa72/0xc90 fs/read_write.c:590
ksys_write+0x1a0/0x2c0 fs/read_write.c:643
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 7179:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
poison_slab_object+0xe0/0x150 mm/kasan/common.c:240
__kasan_slab_free+0x37/0x60 mm/kasan/common.c:256
kasan_slab_free include/linux/kasan.h:184 [inline]
slab_free_hook mm/slub.c:2235 [inline]
slab_free mm/slub.c:4464 [inline]
kfree+0x149/0x360 mm/slub.c:4585
mgmt_pending_foreach+0xd1/0x130 net/bluetooth/mgmt_util.c:259
__mgmt_power_off+0x187/0x420 net/bluetooth/mgmt.c:9458
hci_dev_close_sync+0x665/0x11a0 net/bluetooth/hci_sync.c:5118
hci_dev_do_close net/bluetooth/hci_core.c:490 [inline]
hci_dev_close+0x112/0x210 net/bluetooth/hci_core.c:515
sock_do_ioctl+0x158/0x460 net/socket.c:1222
sock_ioctl+0x629/0x8e0 net/socket.c:1341
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff88802aac0f00
which belongs to the cache kmalloc-96 of size 96
The buggy address is located 24 bytes inside of
freed 96-byte region [ffff88802aac0f00, ffff88802aac0f60)
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88802aac0b80 pfn:0x2aac0
flags: 0xfff00000000200(workingset|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffefff(slab)
raw: 00fff00000000200 ffff888015041280 ffffea00007c85d0 ffffea0001a17590
raw: ffff88802aac0b80 000000000020000a 00000001ffffefff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x352800(GFP_NOWAIT|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL|__GFP_THISNODE), pid 5330, tgid 5329 (syz.3.37), ts 87033405855, free_ts 86894920419
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1473
prep_new_page mm/page_alloc.c:1481 [inline]
get_page_from_freelist+0x2e4c/0x2f10 mm/page_alloc.c:3425
__alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4683
__alloc_pages_node_noprof include/linux/gfp.h:269 [inline]
alloc_pages_node_noprof include/linux/gfp.h:296 [inline]
alloc_slab_page+0x5f/0x120 mm/slub.c:2304
allocate_slab+0x5a/0x2f0 mm/slub.c:2467
new_slab mm/slub.c:2520 [inline]
___slab_alloc+0xcd1/0x14b0 mm/slub.c:3706
__slab_alloc+0x58/0xa0 mm/slub.c:3796
__slab_alloc_node mm/slub.c:3849 [inline]
slab_alloc_node mm/slub.c:4016 [inline]
__do_kmalloc_node mm/slub.c:4148 [inline]
__kmalloc_node_noprof+0x286/0x440 mm/slub.c:4155
kmalloc_array_node_noprof include/linux/slab.h:788 [inline]
alloc_slab_obj_exts mm/slub.c:1959 [inline]
account_slab mm/slub.c:2430 [inline]
allocate_slab+0xb6/0x2f0 mm/slub.c:2485
new_slab mm/slub.c:2520 [inline]
___slab_alloc+0xcd1/0x14b0 mm/slub.c:3706
__slab_alloc+0x58/0xa0 mm/slub.c:3796
__slab_alloc_node mm/slub.c:3849 [inline]
slab_alloc_node mm/slub.c:4016 [inline]
kmem_cache_alloc_noprof+0x1c1/0x2a0 mm/slub.c:4035
sk_prot_alloc+0x58/0x210 net/core/sock.c:2090
sk_alloc+0x38/0x370 net/core/sock.c:2149
inet_create+0x652/0xe70 net/ipv4/af_inet.c:326
__sock_create+0x490/0x920 net/socket.c:1571
page last free pid 5318 tgid 5318 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1093 [inline]
free_unref_folios+0xf23/0x19e0 mm/page_alloc.c:2637
folios_put_refs+0x93a/0xa60 mm/swap.c:1024
free_pages_and_swap_cache+0x5c8/0x690 mm/swap_state.c:332
__tlb_batch_free_encoded_pages mm/mmu_gather.c:136 [inline]
tlb_batch_pages_flush mm/mmu_gather.c:149 [inline]
tlb_flush_mmu_free mm/mmu_gather.c:366 [inline]
tlb_flush_mmu+0x3a3/0x680 mm/mmu_gather.c:373
tlb_finish_mmu+0xd4/0x200 mm/mmu_gather.c:465
exit_mmap+0x44f/0xc80 mm/mmap.c:3354
__mmput+0x115/0x390 kernel/fork.c:1343
exit_mm+0x220/0x310 kernel/exit.c:566
do_exit+0x9b2/0x27f0 kernel/exit.c:864
do_group_exit+0x207/0x2c0 kernel/exit.c:1026
__do_sys_exit_group kernel/exit.c:1037 [inline]
__se_sys_exit_group kernel/exit.c:1035 [inline]
__x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1035
x64_sys_call+0x26c3/0x26d0 arch/x86/include/generated/asm/syscalls_64.h:232
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Memory state around the buggy address:
ffff88802aac0e00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
ffff88802aac0e80: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
>ffff88802aac0f00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
^
ffff88802aac0f80: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
ffff88802aac1000: 04 fc fc fc 04 fc fc fc 04 fc fc fc 04 fc fc fc
==================================================================
* [syzbot] [bcachefs?] general protection fault in bch2_checksum
@ 2024-07-17 13:39 syzbot
2024-11-28 22:59 ` [syzbot] syzbot
0 siblings, 1 reply; 141+ messages in thread
From: syzbot @ 2024-07-17 13:39 UTC (permalink / raw)
To: bfoster, kent.overstreet, linux-bcachefs, linux-kernel,
syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 0434dbe32053 Merge tag 'linux_kselftest-next-6.11-rc1' of ..
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=16061f4e980000
kernel config: https://syzkaller.appspot.com/x/.config?x=4b8bd5292e033239
dashboard link: https://syzkaller.appspot.com/bug?extid=dd3d9835055dacb66f35
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10d9ccb5980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12633a79980000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/3766752b5090/disk-0434dbe3.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/e3608abc3f91/vmlinux-0434dbe3.xz
kernel image: https://storage.googleapis.com/syzbot-assets/c133560ad498/bzImage-0434dbe3.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/ff0cf9ecbd00/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+dd3d9835055dacb66f35@syzkaller.appspotmail.com
loop0: detected capacity change from 0 to 32768
Oops: general protection fault, probably for non-canonical address 0xdffffc000000900d: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: probably user-memory-access in range [0x0000000000048068-0x000000000004806f]
CPU: 0 PID: 5080 Comm: syz-executor457 Not tainted 6.10.0-syzkaller-02711-g0434dbe32053 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
RIP: 0010:gen_poly_key fs/bcachefs/checksum.c:191 [inline]
RIP: 0010:bch2_checksum+0x1c5/0x770 fs/bcachefs/checksum.c:227
Code: f6 e8 3f c5 dc fd 48 8b 44 24 28 4c 8d b0 68 80 04 00 ba 20 00 00 00 48 8d 7c 24 60 31 f6 e8 22 c5 dc fd 4c 89 f0 48 c1 e8 03 <42> 80 3c 28 00 74 08 4c 89 f7 e8 3c c2 dc fd 49 8b 3e 48 b8 00 00
RSP: 0018:ffffc90003536d40 EFLAGS: 00010202
RAX: 000000000000900d RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffc90003536dc0
RBP: ffffc900035370b0 R08: ffffc90003536dbf R09: 0000000000000000
R10: ffffc90003536da0 R11: fffff520006a6db8 R12: ffffc90003536de0
R13: dffffc0000000000 R14: 0000000000048068 R15: 1ffff920006a6db0
FS: 000055558465b380(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005568164b48e0 CR3: 0000000020ce4000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
read_one_super+0xd87/0xf40 fs/bcachefs/super-io.c:673
__bch2_read_super+0x873/0x1370 fs/bcachefs/super-io.c:751
bch2_fs_open+0x246/0xdf0 fs/bcachefs/super.c:2082
bch2_mount+0x6b0/0x13c0 fs/bcachefs/fs.c:1931
legacy_get_tree+0xee/0x190 fs/fs_context.c:662
vfs_get_tree+0x90/0x2a0 fs/super.c:1789
do_new_mount+0x2be/0xb40 fs/namespace.c:3472
do_mount fs/namespace.c:3812 [inline]
__do_sys_mount fs/namespace.c:4020 [inline]
__se_sys_mount+0x2d6/0x3c0 fs/namespace.c:3997
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7feb9e3d106a
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 5e 04 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffd63a40f78 EFLAGS: 00000282 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007ffd63a40f90 RCX: 00007feb9e3d106a
RDX: 0000000020005b00 RSI: 0000000020000040 RDI: 00007ffd63a40f90
RBP: 0000000000000004 R08: 00007ffd63a40fd0 R09: 0000000000005b4e
R10: 0000000000000000 R11: 0000000000000282 R12: 0000000000000000
R13: 00007ffd63a40fd0 R14: 0000000000000003 R15: 0000000001000000
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:gen_poly_key fs/bcachefs/checksum.c:191 [inline]
RIP: 0010:bch2_checksum+0x1c5/0x770 fs/bcachefs/checksum.c:227
Code: f6 e8 3f c5 dc fd 48 8b 44 24 28 4c 8d b0 68 80 04 00 ba 20 00 00 00 48 8d 7c 24 60 31 f6 e8 22 c5 dc fd 4c 89 f0 48 c1 e8 03 <42> 80 3c 28 00 74 08 4c 89 f7 e8 3c c2 dc fd 49 8b 3e 48 b8 00 00
RSP: 0018:ffffc90003536d40 EFLAGS: 00010202
RAX: 000000000000900d RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffc90003536dc0
RBP: ffffc900035370b0 R08: ffffc90003536dbf R09: 0000000000000000
R10: ffffc90003536da0 R11: fffff520006a6db8 R12: ffffc90003536de0
R13: dffffc0000000000 R14: 0000000000048068 R15: 1ffff920006a6db0
FS: 000055558465b380(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005568163d0fb0 CR3: 0000000020ce4000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess), 1 bytes skipped:
0: e8 3f c5 dc fd call 0xfddcc544
5: 48 8b 44 24 28 mov 0x28(%rsp),%rax
a: 4c 8d b0 68 80 04 00 lea 0x48068(%rax),%r14
11: ba 20 00 00 00 mov $0x20,%edx
16: 48 8d 7c 24 60 lea 0x60(%rsp),%rdi
1b: 31 f6 xor %esi,%esi
1d: e8 22 c5 dc fd call 0xfddcc544
22: 4c 89 f0 mov %r14,%rax
25: 48 c1 e8 03 shr $0x3,%rax
* 29: 42 80 3c 28 00 cmpb $0x0,(%rax,%r13,1) <-- trapping instruction
2e: 74 08 je 0x38
30: 4c 89 f7 mov %r14,%rdi
33: e8 3c c2 dc fd call 0xfddcc274
38: 49 8b 3e mov (%r14),%rdi
3b: 48 rex.W
3c: b8 .byte 0xb8
* [syzbot] [bpf?] [trace?] possible deadlock in console_flush_all (3)
@ 2024-07-13 22:54 syzbot
2025-06-19 20:48 ` [syzbot] syzbot
0 siblings, 1 reply; 141+ messages in thread
From: syzbot @ 2024-07-13 22:54 UTC (permalink / raw)
To: andrii, ast, bpf, daniel, linux-kernel, linux-trace-kernel,
mhiramat, netdev, syzkaller-bugs, tglx
Hello,
syzbot found the following issue on:
HEAD commit: 40ab9e0dc865 netxen_nic: Use {low,upp}er_32_bits() helpers
git tree: net-next
console+strace: https://syzkaller.appspot.com/x/log.txt?x=10a186a5980000
kernel config: https://syzkaller.appspot.com/x/.config?x=db697e01efa9d1d7
dashboard link: https://syzkaller.appspot.com/bug?extid=18cfb7f63482af8641df
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11bf8535980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1412869e980000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/82323446a05a/disk-40ab9e0d.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/9ef73ffa3427/vmlinux-40ab9e0d.xz
kernel image: https://storage.googleapis.com/syzbot-assets/38572b425814/bzImage-40ab9e0d.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+18cfb7f63482af8641df@syzkaller.appspotmail.com
FAULT_INJECTION: forcing a failure.
name fail_usercopy, interval 1, probability 0, space 0, times 1
======================================================
WARNING: possible circular locking dependency detected
6.10.0-rc6-syzkaller-01403-g40ab9e0dc865 #0 Not tainted
------------------------------------------------------
syz-executor394/5097 is trying to acquire lock:
ffffffff8e328140 (console_owner){....}-{0:0}, at: rcu_try_lock_acquire include/linux/rcupdate.h:334 [inline]
ffffffff8e328140 (console_owner){....}-{0:0}, at: srcu_read_lock_nmisafe include/linux/srcu.h:232 [inline]
ffffffff8e328140 (console_owner){....}-{0:0}, at: console_srcu_read_lock kernel/printk/printk.c:286 [inline]
ffffffff8e328140 (console_owner){....}-{0:0}, at: console_flush_all+0x152/0xfd0 kernel/printk/printk.c:2971
but task is already holding lock:
ffff8880b943e858 (&rq->__lock){-.-.}-{2:2}, at: raw_spin_rq_lock_nested+0x2a/0x140 kernel/sched/core.c:559
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #4 (&rq->__lock){-.-.}-{2:2}:
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5754
_raw_spin_lock_nested+0x31/0x40 kernel/locking/spinlock.c:378
raw_spin_rq_lock_nested+0x2a/0x140 kernel/sched/core.c:559
raw_spin_rq_lock kernel/sched/sched.h:1406 [inline]
rq_lock kernel/sched/sched.h:1702 [inline]
task_fork_fair+0x61/0x1e0 kernel/sched/fair.c:12710
sched_cgroup_fork+0x37c/0x410 kernel/sched/core.c:4844
copy_process+0x2217/0x3dc0 kernel/fork.c:2499
kernel_clone+0x226/0x8f0 kernel/fork.c:2797
user_mode_thread+0x132/0x1a0 kernel/fork.c:2875
rest_init+0x23/0x300 init/main.c:712
start_kernel+0x47a/0x500 init/main.c:1103
x86_64_start_reservations+0x2a/0x30 arch/x86/kernel/head64.c:507
x86_64_start_kernel+0x99/0xa0 arch/x86/kernel/head64.c:488
common_startup_64+0x13e/0x147
-> #3 (&p->pi_lock){-.-.}-{2:2}:
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5754
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0xd5/0x120 kernel/locking/spinlock.c:162
class_raw_spinlock_irqsave_constructor include/linux/spinlock.h:553 [inline]
try_to_wake_up+0xb0/0x1470 kernel/sched/core.c:4262
__wake_up_common kernel/sched/wait.c:89 [inline]
__wake_up_common_lock+0x130/0x1e0 kernel/sched/wait.c:106
tty_port_default_wakeup+0xa6/0xf0 drivers/tty/tty_port.c:69
serial8250_tx_chars+0x6e2/0x930 drivers/tty/serial/8250/8250_port.c:1821
serial8250_handle_irq+0x558/0x710 drivers/tty/serial/8250/8250_port.c:1929
serial8250_default_handle_irq+0xd1/0x1f0 drivers/tty/serial/8250/8250_port.c:1949
serial8250_interrupt+0xa9/0x1f0 drivers/tty/serial/8250/8250_core.c:127
__handle_irq_event_percpu+0x29a/0xa80 kernel/irq/handle.c:158
handle_irq_event_percpu kernel/irq/handle.c:193 [inline]
handle_irq_event+0x89/0x1f0 kernel/irq/handle.c:210
handle_edge_irq+0x25f/0xc20 kernel/irq/chip.c:831
generic_handle_irq_desc include/linux/irqdesc.h:173 [inline]
handle_irq arch/x86/kernel/irq.c:247 [inline]
call_irq_handler arch/x86/kernel/irq.c:259 [inline]
__common_interrupt+0x136/0x230 arch/x86/kernel/irq.c:285
common_interrupt+0xa5/0xd0 arch/x86/kernel/irq.c:278
asm_common_interrupt+0x26/0x40 arch/x86/include/asm/idtentry.h:693
rcu_read_unlock include/linux/rcupdate.h:810 [inline]
count_memcg_event_mm+0x334/0x420 include/linux/memcontrol.h:1078
mm_account_fault mm/memory.c:5558 [inline]
handle_mm_fault+0x16c4/0x1ba0 mm/memory.c:5705
do_user_addr_fault arch/x86/mm/fault.c:1338 [inline]
handle_page_fault arch/x86/mm/fault.c:1481 [inline]
exc_page_fault+0x459/0x8c0 arch/x86/mm/fault.c:1539
asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
-> #2 (&tty->write_wait){-.-.}-{2:2}:
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5754
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0xd5/0x120 kernel/locking/spinlock.c:162
__wake_up_common_lock+0x25/0x1e0 kernel/sched/wait.c:105
tty_port_default_wakeup+0xa6/0xf0 drivers/tty/tty_port.c:69
serial8250_tx_chars+0x6e2/0x930 drivers/tty/serial/8250/8250_port.c:1821
serial8250_handle_irq+0x558/0x710 drivers/tty/serial/8250/8250_port.c:1929
serial8250_default_handle_irq+0xd1/0x1f0 drivers/tty/serial/8250/8250_port.c:1949
serial8250_interrupt+0xa9/0x1f0 drivers/tty/serial/8250/8250_core.c:127
__handle_irq_event_percpu+0x29a/0xa80 kernel/irq/handle.c:158
handle_irq_event_percpu kernel/irq/handle.c:193 [inline]
handle_irq_event+0x89/0x1f0 kernel/irq/handle.c:210
handle_edge_irq+0x25f/0xc20 kernel/irq/chip.c:831
generic_handle_irq_desc include/linux/irqdesc.h:173 [inline]
handle_irq arch/x86/kernel/irq.c:247 [inline]
call_irq_handler arch/x86/kernel/irq.c:259 [inline]
__common_interrupt+0x136/0x230 arch/x86/kernel/irq.c:285
common_interrupt+0xa5/0xd0 arch/x86/kernel/irq.c:278
asm_common_interrupt+0x26/0x40 arch/x86/include/asm/idtentry.h:693
__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:152 [inline]
_raw_spin_unlock_irqrestore+0xd8/0x140 kernel/locking/spinlock.c:194
spin_unlock_irqrestore include/linux/spinlock.h:406 [inline]
uart_port_unlock_irqrestore include/linux/serial_core.h:669 [inline]
uart_write+0x15d/0x380 drivers/tty/serial/serial_core.c:634
process_output_block drivers/tty/n_tty.c:574 [inline]
n_tty_write+0xd6a/0x1230 drivers/tty/n_tty.c:2389
iterate_tty_write drivers/tty/tty_io.c:1021 [inline]
file_tty_write+0x54f/0x9b0 drivers/tty/tty_io.c:1096
new_sync_write fs/read_write.c:497 [inline]
vfs_write+0xa72/0xc90 fs/read_write.c:590
ksys_write+0x1a0/0x2c0 fs/read_write.c:643
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
-> #1 (&port_lock_key){-.-.}-{2:2}:
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5754
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0xd5/0x120 kernel/locking/spinlock.c:162
uart_port_lock_irqsave include/linux/serial_core.h:618 [inline]
serial8250_console_write+0x1a8/0x1770 drivers/tty/serial/8250/8250_port.c:3352
console_emit_next_record kernel/printk/printk.c:2913 [inline]
console_flush_all+0x867/0xfd0 kernel/printk/printk.c:2979
console_unlock+0x13b/0x4d0 kernel/printk/printk.c:3048
vprintk_emit+0x5a6/0x770 kernel/printk/printk.c:2348
_printk+0xd5/0x120 kernel/printk/printk.c:2373
register_console+0x727/0xcf0 kernel/printk/printk.c:3581
univ8250_console_init+0x49/0x50 drivers/tty/serial/8250/8250_core.c:714
console_init+0x1b8/0x6f0 kernel/printk/printk.c:3727
start_kernel+0x2d3/0x500 init/main.c:1038
x86_64_start_reservations+0x2a/0x30 arch/x86/kernel/head64.c:507
x86_64_start_kernel+0x99/0xa0 arch/x86/kernel/head64.c:488
common_startup_64+0x13e/0x147
-> #0 (console_owner){....}-{0:0}:
check_prev_add kernel/locking/lockdep.c:3134 [inline]
check_prevs_add kernel/locking/lockdep.c:3253 [inline]
validate_chain+0x18e0/0x5900 kernel/locking/lockdep.c:3869
__lock_acquire+0x1346/0x1fd0 kernel/locking/lockdep.c:5137
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5754
console_lock_spinning_enable kernel/printk/printk.c:1873 [inline]
console_emit_next_record kernel/printk/printk.c:2907 [inline]
console_flush_all+0x810/0xfd0 kernel/printk/printk.c:2979
console_unlock+0x13b/0x4d0 kernel/printk/printk.c:3048
vprintk_emit+0x5a6/0x770 kernel/printk/printk.c:2348
_printk+0xd5/0x120 kernel/printk/printk.c:2373
fail_dump lib/fault-inject.c:45 [inline]
should_fail_ex+0x391/0x4e0 lib/fault-inject.c:153
strncpy_from_user+0x36/0x2f0 lib/strncpy_from_user.c:118
strncpy_from_user_nofault+0x71/0x140 mm/maccess.c:186
bpf_probe_read_user_str_common kernel/trace/bpf_trace.c:216 [inline]
____bpf_probe_read_compat_str kernel/trace/bpf_trace.c:311 [inline]
bpf_probe_read_compat_str+0xe9/0x180 kernel/trace/bpf_trace.c:307
bpf_prog_f2ce78ec2d45df6f+0x3d/0x3f
bpf_dispatcher_nop_func include/linux/bpf.h:1243 [inline]
__bpf_prog_run include/linux/filter.h:691 [inline]
bpf_prog_run include/linux/filter.h:698 [inline]
__bpf_trace_run kernel/trace/bpf_trace.c:2406 [inline]
bpf_trace_run4+0x334/0x590 kernel/trace/bpf_trace.c:2449
trace_sched_switch include/trace/events/sched.h:222 [inline]
__schedule+0x2587/0x4a20 kernel/sched/core.c:6742
__schedule_loop kernel/sched/core.c:6822 [inline]
schedule+0x14b/0x320 kernel/sched/core.c:6837
synchronize_rcu_expedited+0x684/0x830 kernel/rcu/tree_exp.h:954
synchronize_rcu+0x11b/0x360 kernel/rcu/tree.c:3986
__nf_tables_abort net/netfilter/nf_tables_api.c:10786 [inline]
nf_tables_abort+0x6569/0x7a10 net/netfilter/nf_tables_api.c:10805
nfnetlink_rcv_batch net/netfilter/nfnetlink.c:590 [inline]
nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:644 [inline]
nfnetlink_rcv+0x20cf/0x2a90 net/netfilter/nfnetlink.c:662
netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline]
netlink_unicast+0x7f0/0x990 net/netlink/af_netlink.c:1357
netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1901
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0x221/0x270 net/socket.c:745
____sys_sendmsg+0x525/0x7d0 net/socket.c:2585
___sys_sendmsg net/socket.c:2639 [inline]
__sys_sendmsg+0x2b0/0x3a0 net/socket.c:2668
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
other info that might help us debug this:
Chain exists of:
console_owner --> &p->pi_lock --> &rq->__lock
Possible unsafe locking scenario:
       CPU0                    CPU1
       ----                    ----
  lock(&rq->__lock);
                               lock(&p->pi_lock);
                               lock(&rq->__lock);
  lock(console_owner);
*** DEADLOCK ***
6 locks held by syz-executor394/5097:
#0: ffff888029a9bcb8 (&nft_net->commit_mutex){+.+.}-{3:3}, at: nf_tables_valid_genid+0x32/0x100 net/netfilter/nf_tables_api.c:10828
#1: ffffffff8e3392f8 (rcu_state.exp_mutex){+.+.}-{3:3}, at: exp_funnel_lock kernel/rcu/tree_exp.h:291 [inline]
#1: ffffffff8e3392f8 (rcu_state.exp_mutex){+.+.}-{3:3}, at: synchronize_rcu_expedited+0x381/0x830 kernel/rcu/tree_exp.h:939
#2: ffff8880b943e858 (&rq->__lock){-.-.}-{2:2}, at: raw_spin_rq_lock_nested+0x2a/0x140 kernel/sched/core.c:559
#3: ffffffff8e333f20 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:329 [inline]
#3: ffffffff8e333f20 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:781 [inline]
#3: ffffffff8e333f20 (rcu_read_lock){....}-{1:2}, at: __bpf_trace_run kernel/trace/bpf_trace.c:2405 [inline]
#3: ffffffff8e333f20 (rcu_read_lock){....}-{1:2}, at: bpf_trace_run4+0x244/0x590 kernel/trace/bpf_trace.c:2449
#4: ffffffff8e20fa60 (console_lock){+.+.}-{0:0}, at: _printk+0xd5/0x120 kernel/printk/printk.c:2373
#5: ffffffff8e20f690 (console_srcu){....}-{0:0}, at: rcu_try_lock_acquire include/linux/rcupdate.h:334 [inline]
#5: ffffffff8e20f690 (console_srcu){....}-{0:0}, at: srcu_read_lock_nmisafe include/linux/srcu.h:232 [inline]
#5: ffffffff8e20f690 (console_srcu){....}-{0:0}, at: console_srcu_read_lock kernel/printk/printk.c:286 [inline]
#5: ffffffff8e20f690 (console_srcu){....}-{0:0}, at: console_flush_all+0x152/0xfd0 kernel/printk/printk.c:2971
stack backtrace:
CPU: 0 PID: 5097 Comm: syz-executor394 Not tainted 6.10.0-rc6-syzkaller-01403-g40ab9e0dc865 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
check_noncircular+0x36a/0x4a0 kernel/locking/lockdep.c:2187
check_prev_add kernel/locking/lockdep.c:3134 [inline]
check_prevs_add kernel/locking/lockdep.c:3253 [inline]
validate_chain+0x18e0/0x5900 kernel/locking/lockdep.c:3869
__lock_acquire+0x1346/0x1fd0 kernel/locking/lockdep.c:5137
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5754
console_lock_spinning_enable kernel/printk/printk.c:1873 [inline]
console_emit_next_record kernel/printk/printk.c:2907 [inline]
console_flush_all+0x810/0xfd0 kernel/printk/printk.c:2979
console_unlock+0x13b/0x4d0 kernel/printk/printk.c:3048
vprintk_emit+0x5a6/0x770 kernel/printk/printk.c:2348
_printk+0xd5/0x120 kernel/printk/printk.c:2373
fail_dump lib/fault-inject.c:45 [inline]
should_fail_ex+0x391/0x4e0 lib/fault-inject.c:153
strncpy_from_user+0x36/0x2f0 lib/strncpy_from_user.c:118
strncpy_from_user_nofault+0x71/0x140 mm/maccess.c:186
bpf_probe_read_user_str_common kernel/trace/bpf_trace.c:216 [inline]
____bpf_probe_read_compat_str kernel/trace/bpf_trace.c:311 [inline]
bpf_probe_read_compat_str+0xe9/0x180 kernel/trace/bpf_trace.c:307
bpf_prog_f2ce78ec2d45df6f+0x3d/0x3f
bpf_dispatcher_nop_func include/linux/bpf.h:1243 [inline]
__bpf_prog_run include/linux/filter.h:691 [inline]
bpf_prog_run include/linux/filter.h:698 [inline]
__bpf_trace_run kernel/trace/bpf_trace.c:2406 [inline]
bpf_trace_run4+0x334/0x590 kernel/trace/bpf_trace.c:2449
trace_sched_switch include/trace/events/sched.h:222 [inline]
__schedule+0x2587/0x4a20 kernel/sched/core.c:6742
__schedule_loop kernel/sched/core.c:6822 [inline]
schedule+0x14b/0x320 kernel/sched/core.c:6837
synchronize_rcu_expedited+0x684/0x830 kernel/rcu/tree_exp.h:954
synchronize_rcu+0x11b/0x360 kernel/rcu/tree.c:3986
__nf_tables_abort net/netfilter/nf_tables_api.c:10786 [inline]
nf_tables_abort+0x6569/0x7a10 net/netfilter/nf_tables_api.c:10805
nfnetlink_rcv_batch net/netfilter/nfnetlink.c:590 [inline]
nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:644 [inline]
nfnetlink_rcv+0x20cf/0x2a90 net/netfilter/nfnetlink.c:662
netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline]
netlink_unicast+0x7f0/0x990 net/netlink/af_netlink.c:1357
netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1901
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0x221/0x270 net/socket.c:745
____sys_sendmsg+0x525/0x7d0 net/socket.c:2585
___sys_sendmsg net/socket.c:2639 [inline]
__sys_sendmsg+0x2b0/0x3a0 net/socket.c:2668
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fa3b968c9e9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 1a 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffd3e026948 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007ffd3e026960 RCX: 00007fa3b968c9e9
RDX: 0000000000000000 RSI: 00000000200000c0 RDI: 0000000000000005
RBP: 0000000000000002 R08: 00007ffd3e0266e6 R09: 00000000000000a0
R10: 0000000000000002 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000001
</TASK>
CPU: 0 PID: 5097 Comm: syz-executor394 Not tainted 6.10.0-rc6-syzkaller-01403-g40ab9e0dc865 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
fail_dump lib/fault-inject.c:52 [inline]
should_fail_ex+0x3b0/0x4e0 lib/fault-inject.c:153
strncpy_from_user+0x36/0x2f0 lib/strncpy_from_user.c:118
strncpy_from_user_nofault+0x71/0x140 mm/maccess.c:186
bpf_probe_read_user_str_common kernel/trace/bpf_trace.c:216 [inline]
____bpf_probe_read_compat_str kernel/trace/bpf_trace.c:311 [inline]
bpf_probe_read_compat_str+0xe9/0x180 kernel/trace/bpf_trace.c:307
bpf_prog_f2ce78ec2d45df6f+0x3d/0x3f
bpf_dispatcher_nop_func include/linux/bpf.h:1243 [inline]
__bpf_prog_run include/linux/filter.h:691 [inline]
bpf_prog_run include/linux/filter.h:698 [inline]
__bpf_trace_run kernel/trace/bpf_trace.c:2406 [inline]
bpf_trace_run4+0x334/0x590 kernel/trace/bpf_trace.c:2449
trace_sched_switch include/trace/events/sched.h:222 [inline]
__schedule+0x2587/0x4a20 kernel/sched/core.c:6742
__schedule_loop kernel/sched/core.c:6822 [inline]
schedule+0x14b/0x320 kernel/sched/core.c:6837
synchronize_rcu_expedited+0x684/0x830 kernel/rcu/tree_exp.h:954
synchronize_rcu+0x11b/0x360 kernel/rcu/tree.c:3986
__nf_tables_abort net/netfilter/nf_tables_api.c:10786 [inline]
nf_tables_abort+0x6569/0x7a10 net/netfilter/nf_tables_api.c:10805
nfnetlink_rcv_batch net/netfilter/nfnetlink.c:590 [inline]
nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:644 [inline]
nfnetlink_rcv+0x20cf/0x2a90 net/netfilter/nfnetlink.c:662
netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline]
netlink_unicast+0x7f0/0x990 net/netlink/af_netlink.c:1357
netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1901
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0x221/0x270 net/socket.c:745
____sys_sendmsg+0x525/0x7d0 net/socket.c:2585
___sys_sendmsg net/socket.c:2639 [inline]
__sys_sendmsg+0x2b0/0x3a0 net/socket.c:2668
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fa3b968c9e9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 1a 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffd3e026948 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007ffd3e026960 RCX: 00007fa3b968c9e9
RDX: 0000000000000000 RSI: 00000000200000c0 RDI: 0000000000000005
RBP: 0000000000000002 R08: 00007ffd3e0266e6 R09: 00000000000000a0
R10: 0000000000000002 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000001
</TASK>
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
* [syzbot] [bcachefs?] kernel BUG in bch2_journal_noflush_seq
@ 2024-07-10 20:55 syzbot
2024-11-28 22:12 ` [syzbot] syzbot
0 siblings, 1 reply; 141+ messages in thread
From: syzbot @ 2024-07-10 20:55 UTC (permalink / raw)
To: bfoster, kent.overstreet, linux-bcachefs, linux-kernel, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 1dd28064d416 Merge tag 'integrity-v6.10-fix' of ssh://ra.k..
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=17d3d4a5980000
kernel config: https://syzkaller.appspot.com/x/.config?x=1ace69f521989b1f
dashboard link: https://syzkaller.appspot.com/bug?extid=85700120f75fc10d4e18
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=120f9c9e980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=158b8d69980000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/a42549877f5c/disk-1dd28064.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/f2b9c801a744/vmlinux-1dd28064.xz
kernel image: https://storage.googleapis.com/syzbot-assets/c16f617bb3d0/bzImage-1dd28064.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/f0142c51dc8c/mount_0.gz
The issue was bisected to:
commit f7643bc9749f270d487c32dc35b578575bf1adb0
Author: Kent Overstreet <kent.overstreet@linux.dev>
Date: Wed Apr 17 05:26:02 2024 +0000
bcachefs: make btree read errors silent during scan
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=14e4c7c1980000
final oops: https://syzkaller.appspot.com/x/report.txt?x=16e4c7c1980000
console output: https://syzkaller.appspot.com/x/log.txt?x=12e4c7c1980000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+85700120f75fc10d4e18@syzkaller.appspotmail.com
Fixes: f7643bc9749f ("bcachefs: make btree read errors silent during scan")
------------[ cut here ]------------
kernel BUG at fs/bcachefs/journal.c:105!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 1 PID: 5083 Comm: syz-executor282 Not tainted 6.10.0-rc6-syzkaller-00212-g1dd28064d416 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
RIP: 0010:journal_seq_to_buf fs/bcachefs/journal.c:105 [inline]
RIP: 0010:bch2_journal_noflush_seq+0x320/0x330 fs/bcachefs/journal.c:805
Code: e8 f5 ba 65 fd 48 8b 3c 24 e8 6c a3 57 07 44 89 f0 48 83 c4 30 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc e8 d1 ba 65 fd 90 <0f> 0b e8 c9 ba 65 fd 90 0f 0b 66 0f 1f 44 00 00 90 90 90 90 90 90
RSP: 0018:ffffc90002eeed78 EFLAGS: 00010293
RAX: ffffffff84306bef RBX: 000000000000000e RCX: ffff8880264f0000
RDX: 0000000000000000 RSI: 000000000000000f RDI: 000000000000000e
RBP: ffff888076a4aa80 R08: ffffffff84306a49 R09: 1ffff1100ed4954f
R10: dffffc0000000000 R11: ffffed100ed49550 R12: ffff888076a4a548
R13: dffffc0000000000 R14: 008bf40000000001 R15: 000000000000000f
FS: 0000555572c0e380(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000555572c1f738 CR3: 000000007ab70000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
bch2_trigger_alloc+0xa4a/0x3e10 fs/bcachefs/alloc_background.c:854
run_one_mem_trigger+0x7e9/0xb90
bch2_trans_commit_write_locked fs/bcachefs/btree_trans_commit.c:713 [inline]
do_bch2_trans_commit fs/bcachefs/btree_trans_commit.c:876 [inline]
__bch2_trans_commit+0x5083/0x88e0 fs/bcachefs/btree_trans_commit.c:1119
bch2_trans_commit fs/bcachefs/btree_update.h:170 [inline]
bch2_inode_delete_keys+0xae8/0x1440 fs/bcachefs/inode.c:845
bch2_inode_rm+0x165/0xd40 fs/bcachefs/inode.c:874
bch2_evict_inode+0x21c/0x3c0 fs/bcachefs/fs.c:1588
evict+0x2a8/0x630 fs/inode.c:667
do_unlinkat+0x512/0x830 fs/namei.c:4420
__do_sys_unlink fs/namei.c:4461 [inline]
__se_sys_unlink fs/namei.c:4459 [inline]
__x64_sys_unlink+0x49/0x60 fs/namei.c:4459
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f8443dc9b17
Code: 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 57 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffc4d875828 EFLAGS: 00000206 ORIG_RAX: 0000000000000057
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f8443dc9b17
RDX: 00007ffc4d875850 RSI: 00007ffc4d8758e0 RDI: 00007ffc4d8758e0
RBP: 00007ffc4d8758e0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000100 R11: 0000000000000206 R12: 00007ffc4d8769d0
R13: 0000555572c17700 R14: 0000000000000001 R15: 431bde82d7b634db
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:journal_seq_to_buf fs/bcachefs/journal.c:105 [inline]
RIP: 0010:bch2_journal_noflush_seq+0x320/0x330 fs/bcachefs/journal.c:805
Code: e8 f5 ba 65 fd 48 8b 3c 24 e8 6c a3 57 07 44 89 f0 48 83 c4 30 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc e8 d1 ba 65 fd 90 <0f> 0b e8 c9 ba 65 fd 90 0f 0b 66 0f 1f 44 00 00 90 90 90 90 90 90
RSP: 0018:ffffc90002eeed78 EFLAGS: 00010293
RAX: ffffffff84306bef RBX: 000000000000000e RCX: ffff8880264f0000
RDX: 0000000000000000 RSI: 000000000000000f RDI: 000000000000000e
RBP: ffff888076a4aa80 R08: ffffffff84306a49 R09: 1ffff1100ed4954f
R10: dffffc0000000000 R11: ffffed100ed49550 R12: ffff888076a4a548
R13: dffffc0000000000 R14: 008bf40000000001 R15: 000000000000000f
FS: 0000555572c0e380(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000555572c1f738 CR3: 000000007ab70000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
* [syzbot] [crypto?] [bcachefs?] BUG: unable to handle kernel paging request in crypto_skcipher_encrypt
@ 2024-06-14 12:16 syzbot
2024-11-25 7:19 ` [syzbot] syzbot
0 siblings, 1 reply; 141+ messages in thread
From: syzbot @ 2024-06-14 12:16 UTC (permalink / raw)
To: davem, herbert, kent.overstreet, linux-bcachefs, linux-crypto, linux-kernel, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: ac2193b4b460 Merge branches 'for-next/misc', 'for-next/kse..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=120a2a56980000
kernel config: https://syzkaller.appspot.com/x/.config?x=2ce2e16ea9422f82
dashboard link: https://syzkaller.appspot.com/bug?extid=026f1857b12f5eb3f9e9
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12e534a2980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16e15446980000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/1a058064a7f1/disk-ac2193b4.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/71fd113f4bcf/vmlinux-ac2193b4.xz
kernel image: https://storage.googleapis.com/syzbot-assets/a4603f3a4756/Image-ac2193b4.gz.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/ea4906e9262d/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+026f1857b12f5eb3f9e9@syzkaller.appspotmail.com
loop0: detected capacity change from 0 to 32768
bcachefs (loop0): mounting version 1.7: mi_btree_bitmap opts=compression=lz4,nojournal_transaction_names
bcachefs (loop0): recovering from clean shutdown, journal seq 7
Unable to handle kernel paging request at virtual address dfff800000000004
KASAN: null-ptr-deref in range [0x0000000000000020-0x0000000000000027]
Mem abort info:
ESR = 0x0000000096000005
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x05: level 1 translation fault
Data abort info:
ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000
CM = 0, WnR = 0, TnD = 0, TagAccess = 0
GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[dfff800000000004] address between user and kernel address ranges
Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 6250 Comm: syz-executor983 Tainted: G W 6.10.0-rc3-syzkaller-gac2193b4b460 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : crypto_skcipher_alg include/crypto/skcipher.h:375 [inline]
pc : crypto_skcipher_encrypt+0x48/0x124 crypto/skcipher.c:637
lr : crypto_skcipher_encrypt+0x24/0x124 crypto/skcipher.c:635
sp : ffff80009a2759d0
x29: ffff80009a2759d0 x28: 0000000000000000 x27: dfff800000000000
x26: ffff80009a275fe0 x25: ffff80009a275a80 x24: ffff80009a275a60
x23: ffff0000c8482a80 x22: 0000000000000020 x21: dfff800000000000
x20: 0000000000000008 x19: ffff80009a275a80 x18: ffff0000d67d9a30
x17: 2065657274622074 x16: ffff80008ae35f00 x15: 0000000000000002
x14: 1ffff0001344eb56 x13: 0000000000000000 x12: 0000000000000000
x11: ffff70001344eb58 x10: 0000000000ff0100 x9 : 0000000000000000
x8 : 0000000000000004 x7 : 0000000000000000 x6 : 000000000000003f
x5 : 0000000000000040 x4 : 0000000000000000 x3 : 0000000000000010
x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000020
Call trace:
crypto_skcipher_alg include/crypto/skcipher.h:375 [inline]
crypto_skcipher_encrypt+0x48/0x124 crypto/skcipher.c:637
do_encrypt_sg fs/bcachefs/checksum.c:108 [inline]
do_encrypt+0x558/0x6a0 fs/bcachefs/checksum.c:150
gen_poly_key fs/bcachefs/checksum.c:191 [inline]
bch2_checksum+0x1c0/0x784 fs/bcachefs/checksum.c:227
bch2_btree_node_read_done+0x119c/0x4ac8 fs/bcachefs/btree_io.c:1074
btree_node_read_work+0x50c/0xe04 fs/bcachefs/btree_io.c:1345
bch2_btree_node_read+0x1f50/0x280c fs/bcachefs/btree_io.c:1730
__bch2_btree_root_read fs/bcachefs/btree_io.c:1769 [inline]
bch2_btree_root_read+0x2a8/0x534 fs/bcachefs/btree_io.c:1793
read_btree_roots+0x21c/0x730 fs/bcachefs/recovery.c:475
bch2_fs_recovery+0x31c4/0x5488 fs/bcachefs/recovery.c:803
bch2_fs_start+0x30c/0x53c fs/bcachefs/super.c:1031
bch2_fs_open+0x8b4/0xb64 fs/bcachefs/super.c:2123
bch2_mount+0x4fc/0xe18 fs/bcachefs/fs.c:1917
legacy_get_tree+0xd4/0x16c fs/fs_context.c:662
vfs_get_tree+0x90/0x288 fs/super.c:1780
do_new_mount+0x278/0x900 fs/namespace.c:3352
path_mount+0x590/0xe04 fs/namespace.c:3679
do_mount fs/namespace.c:3692 [inline]
__do_sys_mount fs/namespace.c:3898 [inline]
__se_sys_mount fs/namespace.c:3875 [inline]
__arm64_sys_mount+0x45c/0x594 fs/namespace.c:3875
__invoke_syscall arch/arm64/kernel/syscall.c:34 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:48
el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:133
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:152
el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712
el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730
el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598
Code: 977849b2 f9400294 91006280 d343fc08 (38756908)
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
0: 977849b2 bl 0xfffffffffde126c8
4: f9400294 ldr x20, [x20]
8: 91006280 add x0, x20, #0x18
c: d343fc08 lsr x8, x0, #3
* 10: 38756908 ldrb w8, [x8, x21] <-- trapping instruction
* [syzbot] upstream build error (21)
@ 2024-01-12 20:14 syzbot
2024-06-20 8:00 ` [syzbot] syzbot
0 siblings, 1 reply; 141+ messages in thread
From: syzbot @ 2024-01-12 20:14 UTC (permalink / raw)
To: catalin.marinas, linux-arm-kernel, linux-kernel, syzkaller-bugs, will
Hello,
syzbot found the following issue on:
HEAD commit: ab5f3fcb7c72 Merge tag 'arm64-upstream' of git://git.kerne..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14b14623e80000
kernel config: https://syzkaller.appspot.com/x/.config?x=cbc445445a022fff
dashboard link: https://syzkaller.appspot.com/bug?extid=aec7bcbf48a6073f3591
compiler: aarch64-linux-gnu-gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+aec7bcbf48a6073f3591@syzkaller.appspotmail.com
./arch/arm64/include/asm/unistd32.h:922:24: error: array index in initializer exceeds array bounds
./arch/arm64/include/asm/unistd32.h:924:24: error: array index in initializer exceeds array bounds
* [syzbot] [net?] memory leak in ___neigh_create (2)
@ 2024-01-05 17:32 syzbot
2024-09-05 11:54 ` [syzbot] syzbot
0 siblings, 1 reply; 141+ messages in thread
From: syzbot @ 2024-01-05 17:32 UTC (permalink / raw)
To: alexander.mikhalitsyn, davem, den, dsahern, edumazet, kuba, linux-kernel, netdev, pabeni, razor, syzkaller-bugs, thomas.zeitlhofer+lkml, wangyuweihx
Hello,
syzbot found the following issue on:
HEAD commit: 2258c2dc850b Merge tag 'for-linus' of git://git.kernel.org..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16f67b44480000
kernel config: https://syzkaller.appspot.com/x/.config?x=a4fb7ad9185f1501
dashboard link: https://syzkaller.appspot.com/bug?extid=42cfec52b6508887bbe8
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14e23d44480000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/0e65a45877eb/disk-2258c2dc.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/7617adf885a8/vmlinux-2258c2dc.xz
kernel image: https://storage.googleapis.com/syzbot-assets/43fb89ea894a/bzImage-2258c2dc.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+42cfec52b6508887bbe8@syzkaller.appspotmail.com
BUG: memory leak
unreferenced object 0xffff88810b8ea400 (size 512):
comm "kworker/0:3", pid 4440, jiffies 4294938594 (age 1132.680s)
hex dump (first 32 bytes):
00 9c f8 0a 81 88 ff ff 80 29 23 86 ff ff ff ff .........)#.....
c0 79 79 44 81 88 ff ff 72 78 ff ff 00 00 00 00 .yyD....rx......
backtrace:
[<ffffffff814f9fe6>] __do_kmalloc_node mm/slab_common.c:967 [inline]
[<ffffffff814f9fe6>] __kmalloc+0x46/0x120 mm/slab_common.c:981
[<ffffffff83b5234f>] kmalloc include/linux/slab.h:584 [inline]
[<ffffffff83b5234f>] kzalloc include/linux/slab.h:720 [inline]
[<ffffffff83b5234f>] neigh_alloc net/core/neighbour.c:476 [inline]
[<ffffffff83b5234f>] ___neigh_create+0xdf/0xd60 net/core/neighbour.c:661
[<ffffffff83f9f886>] ip6_finish_output2+0x776/0x9b0 net/ipv6/ip6_output.c:125
[<ffffffff83fa5530>] __ip6_finish_output net/ipv6/ip6_output.c:195 [inline]
[<ffffffff83fa5530>] ip6_finish_output+0x270/0x530 net/ipv6/ip6_output.c:206
[<ffffffff83fa5893>] NF_HOOK_COND include/linux/netfilter.h:291 [inline]
[<ffffffff83fa5893>] ip6_output+0xa3/0x1b0 net/ipv6/ip6_output.c:227
[<ffffffff83ff16d9>] dst_output include/net/dst.h:444 [inline]
[<ffffffff83ff16d9>] NF_HOOK include/linux/netfilter.h:302 [inline]
[<ffffffff83ff16d9>] NF_HOOK.constprop.0+0x49/0x110 include/linux/netfilter.h:296
[<ffffffff83ff19c4>] mld_sendpack+0x224/0x350 net/ipv6/mcast.c:1820
[<ffffffff83ff5403>] mld_send_cr net/ipv6/mcast.c:2121 [inline]
[<ffffffff83ff5403>] mld_ifc_work+0x2a3/0x750 net/ipv6/mcast.c:2653
[<ffffffff8129519a>] process_one_work+0x2ba/0x5f0 kernel/workqueue.c:2289
[<ffffffff81295ab9>] worker_thread+0x59/0x5b0 kernel/workqueue.c:2436
[<ffffffff8129fb05>] kthread+0x125/0x160 kernel/kthread.c:376
[<ffffffff8100224f>] ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
BUG: memory leak
unreferenced object 0xffff888109a7fa00 (size 512):
comm "kworker/0:3", pid 4440, jiffies 4294938594 (age 1132.680s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 80 29 23 86 ff ff ff ff .........)#.....
00 79 79 44 81 88 ff ff 72 78 ff ff 00 00 00 00 .yyD....rx......
backtrace:
[<ffffffff814f9fe6>] __do_kmalloc_node mm/slab_common.c:967 [inline]
[<ffffffff814f9fe6>] __kmalloc+0x46/0x120 mm/slab_common.c:981
[<ffffffff83b5234f>] kmalloc include/linux/slab.h:584 [inline]
[<ffffffff83b5234f>] kzalloc include/linux/slab.h:720 [inline]
[<ffffffff83b5234f>] neigh_alloc net/core/neighbour.c:476 [inline]
[<ffffffff83b5234f>] ___neigh_create+0xdf/0xd60 net/core/neighbour.c:661
[<ffffffff83f9f886>] ip6_finish_output2+0x776/0x9b0 net/ipv6/ip6_output.c:125
[<ffffffff83fa5530>] __ip6_finish_output net/ipv6/ip6_output.c:195 [inline]
[<ffffffff83fa5530>] ip6_finish_output+0x270/0x530 net/ipv6/ip6_output.c:206
[<ffffffff83fa5893>] NF_HOOK_COND include/linux/netfilter.h:291 [inline]
[<ffffffff83fa5893>] ip6_output+0xa3/0x1b0 net/ipv6/ip6_output.c:227
[<ffffffff83ff16d9>] dst_output include/net/dst.h:444 [inline]
[<ffffffff83ff16d9>] NF_HOOK include/linux/netfilter.h:302 [inline]
[<ffffffff83ff16d9>] NF_HOOK.constprop.0+0x49/0x110 include/linux/netfilter.h:296
[<ffffffff83ff19c4>] mld_sendpack+0x224/0x350 net/ipv6/mcast.c:1820
[<ffffffff83ff5403>] mld_send_cr net/ipv6/mcast.c:2121 [inline]
[<ffffffff83ff5403>] mld_ifc_work+0x2a3/0x750 net/ipv6/mcast.c:2653
[<ffffffff8129519a>] process_one_work+0x2ba/0x5f0 kernel/workqueue.c:2289
[<ffffffff81295ab9>] worker_thread+0x59/0x5b0 kernel/workqueue.c:2436
[<ffffffff8129fb05>] kthread+0x125/0x160 kernel/kthread.c:376
[<ffffffff8100224f>] ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
BUG: memory leak
unreferenced object 0xffff88810a9fb400 (size 512):
comm "dhcpcd", pid 4638, jiffies 4294938595 (age 1132.670s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 80 29 23 86 ff ff ff ff .........)#.....
c0 76 79 44 81 88 ff ff 73 78 ff ff 00 00 00 00 .vyD....sx......
backtrace:
[<ffffffff814f9fe6>] __do_kmalloc_node mm/slab_common.c:967 [inline]
[<ffffffff814f9fe6>] __kmalloc+0x46/0x120 mm/slab_common.c:981
[<ffffffff83b5234f>] kmalloc include/linux/slab.h:584 [inline]
[<ffffffff83b5234f>] kzalloc include/linux/slab.h:720 [inline]
[<ffffffff83b5234f>] neigh_alloc net/core/neighbour.c:476 [inline]
[<ffffffff83b5234f>] ___neigh_create+0xdf/0xd60 net/core/neighbour.c:661
[<ffffffff83f9f886>] ip6_finish_output2+0x776/0x9b0 net/ipv6/ip6_output.c:125
[<ffffffff83fa5530>] __ip6_finish_output net/ipv6/ip6_output.c:195 [inline]
[<ffffffff83fa5530>] ip6_finish_output+0x270/0x530 net/ipv6/ip6_output.c:206
[<ffffffff83fa5893>] NF_HOOK_COND include/linux/netfilter.h:291 [inline]
[<ffffffff83fa5893>] ip6_output+0xa3/0x1b0 net/ipv6/ip6_output.c:227
[<ffffffff84062411>] dst_output include/net/dst.h:444 [inline]
[<ffffffff84062411>] ip6_local_out+0x51/0x70 net/ipv6/output_core.c:155
[<ffffffff83fa6285>] ip6_send_skb+0x25/0xc0 net/ipv6/ip6_output.c:1971
[<ffffffff83fa6394>] ip6_push_pending_frames+0x74/0x90 net/ipv6/ip6_output.c:1991
[<ffffffff83fec08c>] rawv6_push_pending_frames net/ipv6/raw.c:579 [inline]
[<ffffffff83fec08c>] rawv6_sendmsg+0x16ac/0x1ba0 net/ipv6/raw.c:922
[<ffffffff83ebe965>] inet_sendmsg+0x45/0x70 net/ipv4/af_inet.c:827
[<ffffffff83af7116>] sock_sendmsg_nosec net/socket.c:714 [inline]
[<ffffffff83af7116>] sock_sendmsg+0x56/0x80 net/socket.c:734
[<ffffffff83af769d>] ____sys_sendmsg+0x38d/0x410 net/socket.c:2476
[<ffffffff83afbfe8>] ___sys_sendmsg+0xa8/0x110 net/socket.c:2530
[<ffffffff83afc178>] __sys_sendmsg+0x88/0x100 net/socket.c:2559
[<ffffffff848ed5b5>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
[<ffffffff848ed5b5>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
[<ffffffff84a00087>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
BUG: memory leak
unreferenced object 0xffff88810a9fba00 (size 512):
comm "dhcpcd", pid 4638, jiffies 4294938595 (age 1132.670s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 80 29 23 86 ff ff ff ff .........)#.....
80 77 79 44 81 88 ff ff 73 78 ff ff 00 00 00 00 .wyD....sx......
backtrace:
[<ffffffff814f9fe6>] __do_kmalloc_node mm/slab_common.c:967 [inline]
[<ffffffff814f9fe6>] __kmalloc+0x46/0x120 mm/slab_common.c:981
[<ffffffff83b5234f>] kmalloc include/linux/slab.h:584 [inline]
[<ffffffff83b5234f>] kzalloc include/linux/slab.h:720 [inline]
[<ffffffff83b5234f>] neigh_alloc net/core/neighbour.c:476 [inline]
[<ffffffff83b5234f>] ___neigh_create+0xdf/0xd60 net/core/neighbour.c:661
[<ffffffff83f9f886>] ip6_finish_output2+0x776/0x9b0 net/ipv6/ip6_output.c:125
[<ffffffff83fa5530>] __ip6_finish_output net/ipv6/ip6_output.c:195 [inline]
[<ffffffff83fa5530>] ip6_finish_output+0x270/0x530 net/ipv6/ip6_output.c:206
[<ffffffff83fa5893>] NF_HOOK_COND include/linux/netfilter.h:291 [inline]
[<ffffffff83fa5893>] ip6_output+0xa3/0x1b0 net/ipv6/ip6_output.c:227
[<ffffffff84062411>] dst_output include/net/dst.h:444 [inline]
[<ffffffff84062411>] ip6_local_out+0x51/0x70 net/ipv6/output_core.c:155
[<ffffffff83fa6285>] ip6_send_skb+0x25/0xc0 net/ipv6/ip6_output.c:1971
[<ffffffff83fa6394>] ip6_push_pending_frames+0x74/0x90 net/ipv6/ip6_output.c:1991
[<ffffffff83fec08c>] rawv6_push_pending_frames net/ipv6/raw.c:579 [inline]
[<ffffffff83fec08c>] rawv6_sendmsg+0x16ac/0x1ba0 net/ipv6/raw.c:922
[<ffffffff83ebe965>] inet_sendmsg+0x45/0x70 net/ipv4/af_inet.c:827
[<ffffffff83af7116>] sock_sendmsg_nosec net/socket.c:714 [inline]
[<ffffffff83af7116>] sock_sendmsg+0x56/0x80 net/socket.c:734
[<ffffffff83af769d>] ____sys_sendmsg+0x38d/0x410 net/socket.c:2476
[<ffffffff83afbfe8>] ___sys_sendmsg+0xa8/0x110 net/socket.c:2530
[<ffffffff83afc178>] __sys_sendmsg+0x88/0x100 net/socket.c:2559
[<ffffffff848ed5b5>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
[<ffffffff848ed5b5>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
[<ffffffff84a00087>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
* [syzbot] [kernel?] inconsistent lock state in __lock_task_sighand
@ 2023-11-16 11:09 syzbot
2024-09-06 10:37 ` [syzbot] syzbot
From: syzbot @ 2023-11-16 11:09 UTC
To: linux-kernel, syzkaller-bugs, tglx
Hello,
syzbot found the following issue on:
HEAD commit: f31817cbcf48 Add linux-next specific files for 20231116
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=14d9b938e80000
kernel config: https://syzkaller.appspot.com/x/.config?x=f59345f1d0a928c
dashboard link: https://syzkaller.appspot.com/bug?extid=cf93299f5a30fb4c3829
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/987488cb251e/disk-f31817cb.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/6d4a82d8bd4b/vmlinux-f31817cb.xz
kernel image: https://storage.googleapis.com/syzbot-assets/fc43dee9cb86/bzImage-f31817cb.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+cf93299f5a30fb4c3829@syzkaller.appspotmail.com
================================
WARNING: inconsistent lock state
6.7.0-rc1-next-20231116-syzkaller #0 Not tainted
--------------------------------
inconsistent {HARDIRQ-ON-W} -> {IN-HARDIRQ-W} usage.
syz-executor.5/8605 [HC1[1]:SC0[0]:HE0:SE1] takes:
ffff888037a9c0d8 (&sighand->siglock){?.+.}-{2:2}, at: __lock_task_sighand+0xc2/0x340 kernel/signal.c:1422
{HARDIRQ-ON-W} state was registered at:
lock_acquire kernel/locking/lockdep.c:5753 [inline]
lock_acquire+0x1b1/0x530 kernel/locking/lockdep.c:5718
__raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
_raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
spin_lock include/linux/spinlock.h:351 [inline]
class_spinlock_constructor include/linux/spinlock.h:530 [inline]
ptrace_set_stopped kernel/ptrace.c:391 [inline]
ptrace_attach+0x401/0x650 kernel/ptrace.c:478
__do_sys_ptrace+0x204/0x230 kernel/ptrace.c:1290
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x62/0x6a
irq event stamp: 100
hardirqs last enabled at (99): [<ffffffff8a84a34e>] __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:151 [inline]
hardirqs last enabled at (99): [<ffffffff8a84a34e>] _raw_spin_unlock_irqrestore+0x4e/0x70 kernel/locking/spinlock.c:194
hardirqs last disabled at (100): [<ffffffff8a81011e>] sysvec_apic_timer_interrupt+0xe/0xb0 arch/x86/kernel/apic/apic.c:1076
softirqs last enabled at (0): [<ffffffff814d679c>] copy_process+0x244c/0x9770 kernel/fork.c:2466
softirqs last disabled at (0): [<0000000000000000>] 0x0
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0
----
lock(&sighand->siglock);
<Interrupt>
lock(&sighand->siglock);
*** DEADLOCK ***
3 locks held by syz-executor.5/8605:
#0: ffff88801d3321b0 (&new_timer->it_lock){-...}-{2:2}, at: posix_timer_fn+0x2d/0x3d0 kernel/time/posix-timers.c:318
#1: ffffffff8cfad060 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:301 [inline]
#1: ffffffff8cfad060 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:747 [inline]
#1: ffffffff8cfad060 (rcu_read_lock){....}-{1:2}, at: send_sigqueue+0x10c/0x840 kernel/signal.c:1978
#2: ffffffff8cfad060 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:301 [inline]
#2: ffffffff8cfad060 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:747 [inline]
#2: ffffffff8cfad060 (rcu_read_lock){....}-{1:2}, at: __lock_task_sighand+0x3f/0x340 kernel/signal.c:1405
stack backtrace:
CPU: 0 PID: 8605 Comm: syz-executor.5 Not tainted 6.7.0-rc1-next-20231116-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
print_usage_bug kernel/locking/lockdep.c:3970 [inline]
valid_state kernel/locking/lockdep.c:4012 [inline]
mark_lock_irq kernel/locking/lockdep.c:4215 [inline]
mark_lock+0x91a/0xc50 kernel/locking/lockdep.c:4677
mark_usage kernel/locking/lockdep.c:4563 [inline]
__lock_acquire+0x1347/0x3b10 kernel/locking/lockdep.c:5090
lock_acquire kernel/locking/lockdep.c:5753 [inline]
lock_acquire+0x1b1/0x530 kernel/locking/lockdep.c:5718
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0x3a/0x50 kernel/locking/spinlock.c:162
__lock_task_sighand+0xc2/0x340 kernel/signal.c:1422
lock_task_sighand include/linux/sched/signal.h:748 [inline]
send_sigqueue+0x1d4/0x840 kernel/signal.c:1996
posix_timer_event kernel/time/posix-timers.c:298 [inline]
posix_timer_fn+0x181/0x3d0 kernel/time/posix-timers.c:324
__run_hrtimer kernel/time/hrtimer.c:1688 [inline]
__hrtimer_run_queues+0x20c/0xc20 kernel/time/hrtimer.c:1752
hrtimer_interrupt+0x31b/0x800 kernel/time/hrtimer.c:1814
local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1065 [inline]
__sysvec_apic_timer_interrupt+0x10c/0x410 arch/x86/kernel/apic/apic.c:1082
sysvec_apic_timer_interrupt+0x90/0xb0 arch/x86/kernel/apic/apic.c:1076
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:645
RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:152 [inline]
RIP: 0010:_raw_spin_unlock_irqrestore+0x31/0x70 kernel/locking/spinlock.c:194
Code: f5 53 48 8b 74 24 10 48 89 fb 48 83 c7 18 e8 f6 c8 e3 f6 48 89 df e8 ae 40 e4 f6 f7 c5 00 02 00 00 75 1f 9c 58 f6 c4 02 75 2f <bf> 01 00 00 00 e8 65 ee d5 f6 65 8b 05 86 19 7f 75 85 c0 74 12 5b
RSP: 0018:ffffc9000a037d70 EFLAGS: 00000246
RAX: 0000000000000006 RBX: ffff88801d332198 RCX: 1ffffffff1e315d1
RDX: 0000000000000000 RSI: ffffffff8accbfe0 RDI: ffffffff8b2f13e0
RBP: 0000000000000287 R08: 0000000000000001 R09: 0000000000000001
R10: ffffffff8f18e117 R11: 0000000000000002 R12: 0000000000000000
R13: 1ffff92001406fb3 R14: ffffffff81789850 R15: dffffc0000000000
spin_unlock_irqrestore include/linux/spinlock.h:406 [inline]
unlock_timer kernel/time/posix-timers.c:128 [inline]
do_timer_settime+0x260/0x2f0 kernel/time/posix-timers.c:934
__do_sys_timer_settime kernel/time/posix-timers.c:954 [inline]
__se_sys_timer_settime kernel/time/posix-timers.c:940 [inline]
__x64_sys_timer_settime+0x266/0x2c0 kernel/time/posix-timers.c:940
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x62/0x6a
RIP: 0033:0x7fc1e4a7cae9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fc1e57d40c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000df
RAX: ffffffffffffffda RBX: 00007fc1e4b9c120 RCX: 00007fc1e4a7cae9
RDX: 0000000020000340 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 00007fc1e4ac847a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000006e R14: 00007fc1e4b9c120 R15: 00007ffd3001cd48
</TASK>
----------------
Code disassembly (best guess):
0: f5 cmc
1: 53 push %rbx
2: 48 8b 74 24 10 mov 0x10(%rsp),%rsi
7: 48 89 fb mov %rdi,%rbx
a: 48 83 c7 18 add $0x18,%rdi
e: e8 f6 c8 e3 f6 call 0xf6e3c909
13: 48 89 df mov %rbx,%rdi
16: e8 ae 40 e4 f6 call 0xf6e440c9
1b: f7 c5 00 02 00 00 test $0x200,%ebp
21: 75 1f jne 0x42
23: 9c pushf
24: 58 pop %rax
25: f6 c4 02 test $0x2,%ah
28: 75 2f jne 0x59
* 2a: bf 01 00 00 00 mov $0x1,%edi <-- trapping instruction
2f: e8 65 ee d5 f6 call 0xf6d5ee99
34: 65 8b 05 86 19 7f 75 mov %gs:0x757f1986(%rip),%eax # 0x757f19c1
3b: 85 c0 test %eax,%eax
3d: 74 12 je 0x51
3f: 5b pop %rbx
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
* [syzbot] [dri?] divide error in drm_mode_debug_printmodeline
@ 2023-11-15 9:34 syzbot
2023-11-16 2:33 ` [syzbot] syzbot
2023-11-16 3:29 ` [syzbot] syzbot
From: syzbot @ 2023-11-15 9:34 UTC
To: airlied, airlied, daniel.vetter, daniel.vetter, daniel, dri-devel,
linux-kernel, maarten.lankhorst, melissa.srw, mripard,
syzkaller-bugs, tzimmermann
Hello,
syzbot found the following issue on:
HEAD commit: ac347a0655db Merge tag 'arm64-fixes' of git://git.kernel.o..
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=101ba588e80000
kernel config: https://syzkaller.appspot.com/x/.config?x=88e7ba51eecd9cd6
dashboard link: https://syzkaller.appspot.com/bug?extid=2e93e6fb36e6fdc56574
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11252f97680000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10fd2498e80000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/8fcb90d89768/disk-ac347a06.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/360d9341a71c/vmlinux-ac347a06.xz
kernel image: https://storage.googleapis.com/syzbot-assets/a370aa406c63/bzImage-ac347a06.xz
The issue was bisected to:
commit ea40d7857d5250e5400f38c69ef9e17321e9c4a2
Author: Daniel Vetter <daniel.vetter@ffwll.ch>
Date: Fri Oct 9 23:21:56 2020 +0000
drm/vkms: fbdev emulation support
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=1058223f680000
final oops: https://syzkaller.appspot.com/x/report.txt?x=1258223f680000
console output: https://syzkaller.appspot.com/x/log.txt?x=1458223f680000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+2e93e6fb36e6fdc56574@syzkaller.appspotmail.com
Fixes: ea40d7857d52 ("drm/vkms: fbdev emulation support")
divide error: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 5068 Comm: syz-executor357 Not tainted 6.6.0-syzkaller-16039-gac347a0655db #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
RIP: 0010:drm_mode_vrefresh drivers/gpu/drm/drm_modes.c:1303 [inline]
RIP: 0010:drm_mode_debug_printmodeline+0x118/0x4e0 drivers/gpu/drm/drm_modes.c:60
Code: 00 41 0f b7 07 66 83 f8 02 b9 01 00 00 00 0f 43 c8 0f b7 c1 0f af e8 44 89 f0 48 69 c8 e8 03 00 00 89 e8 d1 e8 48 01 c8 31 d2 <48> f7 f5 49 89 c6 eb 0c e8 fb 07 66 fc eb 05 e8 f4 07 66 fc 48 89
RSP: 0018:ffffc9000391f8d0 EFLAGS: 00010246
RAX: 000000000001f400 RBX: ffff888025045000 RCX: 000000000001f400
RDX: 0000000000000000 RSI: 0000000000008000 RDI: ffff888025045018
RBP: 0000000000000000 R08: ffffffff8528b9af R09: 0000000000000000
R10: ffffc9000391f8a0 R11: fffff52000723f17 R12: 0000000000000080
R13: dffffc0000000000 R14: 0000000000000080 R15: ffff888025045016
FS: 0000555556932380(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000005fdeb8 CR3: 000000007fcff000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
drm_mode_setcrtc+0x83b/0x1880 drivers/gpu/drm/drm_crtc.c:794
drm_ioctl_kernel+0x362/0x500 drivers/gpu/drm/drm_ioctl.c:792
drm_ioctl+0x636/0xb00 drivers/gpu/drm/drm_ioctl.c:895
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:871 [inline]
__se_sys_ioctl+0xf8/0x170 fs/ioctl.c:857
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f6c63dd6729
Code: 48 83 c4 28 c3 e8 37 17 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffcde0dd0e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007ffcde0dd2b8 RCX: 00007f6c63dd6729
RDX: 0000000020000180 RSI: 00000000c06864a2 RDI: 0000000000000003
RBP: 00007f6c63e49610 R08: 00000000fffff4e6 R09: 00007ffcde0dd2b8
R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000001
R13: 00007ffcde0dd2a8 R14: 0000000000000001 R15: 0000000000000001
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:drm_mode_vrefresh drivers/gpu/drm/drm_modes.c:1303 [inline]
RIP: 0010:drm_mode_debug_printmodeline+0x118/0x4e0 drivers/gpu/drm/drm_modes.c:60
Code: 00 41 0f b7 07 66 83 f8 02 b9 01 00 00 00 0f 43 c8 0f b7 c1 0f af e8 44 89 f0 48 69 c8 e8 03 00 00 89 e8 d1 e8 48 01 c8 31 d2 <48> f7 f5 49 89 c6 eb 0c e8 fb 07 66 fc eb 05 e8 f4 07 66 fc 48 89
RSP: 0018:ffffc9000391f8d0 EFLAGS: 00010246
RAX: 000000000001f400 RBX: ffff888025045000 RCX: 000000000001f400
RDX: 0000000000000000 RSI: 0000000000008000 RDI: ffff888025045018
RBP: 0000000000000000 R08: ffffffff8528b9af R09: 0000000000000000
R10: ffffc9000391f8a0 R11: fffff52000723f17 R12: 0000000000000080
R13: dffffc0000000000 R14: 0000000000000080 R15: ffff888025045016
FS: 0000555556932380(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000064392c CR3: 000000007fcff000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 00 41 0f add %al,0xf(%rcx)
3: b7 07 mov $0x7,%bh
5: 66 83 f8 02 cmp $0x2,%ax
9: b9 01 00 00 00 mov $0x1,%ecx
e: 0f 43 c8 cmovae %eax,%ecx
11: 0f b7 c1 movzwl %cx,%eax
14: 0f af e8 imul %eax,%ebp
17: 44 89 f0 mov %r14d,%eax
1a: 48 69 c8 e8 03 00 00 imul $0x3e8,%rax,%rcx
21: 89 e8 mov %ebp,%eax
23: d1 e8 shr %eax
25: 48 01 c8 add %rcx,%rax
28: 31 d2 xor %edx,%edx
* 2a: 48 f7 f5 div %rbp <-- trapping instruction
2d: 49 89 c6 mov %rax,%r14
30: eb 0c jmp 0x3e
32: e8 fb 07 66 fc call 0xfc660832
37: eb 05 jmp 0x3e
39: e8 f4 07 66 fc call 0xfc660832
3e: 48 rex.W
3f: 89 .byte 0x89
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
* [syzbot] [kernel?] KASAN: slab-use-after-free Read in reweight_entity
@ 2023-10-16 7:38 syzbot
2024-09-06 10:38 ` [syzbot] syzbot
From: syzbot @ 2023-10-16 7:38 UTC
To: frederic, linux-kernel, mingo, syzkaller-bugs, tglx
Hello,
syzbot found the following issue on:
HEAD commit: 9a3dad63edbe Merge tag '6.6-rc5-ksmbd-server-fixes' of git..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1413e691680000
kernel config: https://syzkaller.appspot.com/x/.config?x=5d83dadac33c08b7
dashboard link: https://syzkaller.appspot.com/bug?extid=3908cdfd655fd839c82f
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12a055f9680000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=103ef619680000
Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7bc7510fe41f/non_bootable_disk-9a3dad63.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/98467f6633b7/vmlinux-9a3dad63.xz
kernel image: https://storage.googleapis.com/syzbot-assets/93b5cb4a26b0/bzImage-9a3dad63.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+3908cdfd655fd839c82f@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: slab-use-after-free in __update_min_deadline kernel/sched/fair.c:805 [inline]
BUG: KASAN: slab-use-after-free in min_deadline_update kernel/sched/fair.c:819 [inline]
BUG: KASAN: slab-use-after-free in min_deadline_cb_propagate kernel/sched/fair.c:825 [inline]
BUG: KASAN: slab-use-after-free in reweight_entity+0x8e3/0xa60 kernel/sched/fair.c:3660
Read of size 8 at addr ffff888022a59a70 by task syz-executor206/5331
CPU: 3 PID: 5331 Comm: syz-executor206 Not tainted 6.6.0-rc5-syzkaller-00267-g9a3dad63edbe #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:364 [inline]
print_report+0xc4/0x620 mm/kasan/report.c:475
kasan_report+0xda/0x110 mm/kasan/report.c:588
__update_min_deadline kernel/sched/fair.c:805 [inline]
min_deadline_update kernel/sched/fair.c:819 [inline]
min_deadline_cb_propagate kernel/sched/fair.c:825 [inline]
reweight_entity+0x8e3/0xa60 kernel/sched/fair.c:3660
entity_tick kernel/sched/fair.c:5317 [inline]
task_tick_fair+0xee/0xcd0 kernel/sched/fair.c:12392
scheduler_tick+0x210/0x650 kernel/sched/core.c:5657
update_process_times+0x19f/0x220 kernel/time/timer.c:2076
tick_sched_handle+0x8e/0x170 kernel/time/tick-sched.c:254
tick_sched_timer+0xe9/0x110 kernel/time/tick-sched.c:1492
__run_hrtimer kernel/time/hrtimer.c:1688 [inline]
__hrtimer_run_queues+0x647/0xc10 kernel/time/hrtimer.c:1752
hrtimer_interrupt+0x31b/0x800 kernel/time/hrtimer.c:1814
local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1063 [inline]
__sysvec_apic_timer_interrupt+0x105/0x3f0 arch/x86/kernel/apic/apic.c:1080
sysvec_apic_timer_interrupt+0x8e/0xc0 arch/x86/kernel/apic/apic.c:1074
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:645
RIP: 0010:rcu_dynticks_curr_cpu_in_eqs include/linux/context_tracking.h:122 [inline]
RIP: 0010:rcu_is_watching+0x39/0xb0 kernel/rcu/tree.c:699
Code: a5 cf 08 48 c7 c3 e8 6d 03 00 83 f8 07 89 c5 77 7a 48 8d 3c ed 40 ba 5c 8c 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 75 54 48 03 1c ed 40 ba 5c 8c 48 b8 00 00 00 00 00 fc
RSP: 0018:ffffc90003cc73d8 EFLAGS: 00000a06
RAX: dffffc0000000000 RBX: 0000000000036de8 RCX: 1ffffffff1d9a7c0
RDX: 1ffffffff18b974b RSI: ffffffff8ae90aa0 RDI: ffffffff8c5cba58
RBP: 0000000000000003 R08: 0000000000000007 R09: ffffffffff600000
R10: 00007fcac0348000 R11: dffffc0000000000 R12: ffffc90003cc7488
R13: ffffffff81747dc0 R14: ffffc90003cc7500 R15: ffff88802787c780
kernel_text_address kernel/extable.c:113 [inline]
kernel_text_address+0x62/0xd0 kernel/extable.c:94
__kernel_text_address+0xd/0x30 kernel/extable.c:79
unwind_get_return_address+0x78/0xe0 arch/x86/kernel/unwind_orc.c:369
arch_stack_walk+0xbe/0x170 arch/x86/kernel/stacktrace.c:26
stack_trace_save+0x96/0xd0 kernel/stacktrace.c:122
kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
__kasan_slab_alloc+0x81/0x90 mm/kasan/common.c:328
kasan_slab_alloc include/linux/kasan.h:188 [inline]
slab_post_alloc_hook mm/slab.h:762 [inline]
slab_alloc_node mm/slab.c:3237 [inline]
slab_alloc mm/slab.c:3246 [inline]
__kmem_cache_alloc_lru mm/slab.c:3423 [inline]
kmem_cache_alloc+0x159/0x400 mm/slab.c:3432
kmem_cache_zalloc include/linux/slab.h:710 [inline]
alloc_buffer_head+0x21/0x140 fs/buffer.c:3023
folio_alloc_buffers+0x2e7/0x7f0 fs/buffer.c:935
folio_create_empty_buffers+0x36/0x470 fs/buffer.c:1648
ext4_block_write_begin+0xcc4/0xf10 fs/ext4/inode.c:1024
ext4_da_write_begin+0x40a/0x8c0 fs/ext4/inode.c:2890
generic_perform_write+0x278/0x600 mm/filemap.c:3969
ext4_buffered_write_iter+0x11f/0x3c0 fs/ext4/file.c:299
ext4_file_write_iter+0x7f7/0x1860 fs/ext4/file.c:717
call_write_iter include/linux/fs.h:1956 [inline]
new_sync_write fs/read_write.c:491 [inline]
vfs_write+0x650/0xe40 fs/read_write.c:584
ksys_write+0x12f/0x250 fs/read_write.c:637
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fcac0348789
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff03860d58 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fcac0348789
RDX: 000000000208e24b RSI: 0000000020000100 RDI: 0000000000000005
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fff03860d7c
R13: 00007fff03860d90 R14: 00007fff03860dd0 R15: 0000000000000015
</TASK>
Allocated by task 2:
kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
__kasan_slab_alloc+0x81/0x90 mm/kasan/common.c:328
kasan_slab_alloc include/linux/kasan.h:188 [inline]
slab_post_alloc_hook mm/slab.h:762 [inline]
slab_alloc_node mm/slab.c:3237 [inline]
kmem_cache_alloc_node+0x173/0x540 mm/slab.c:3509
alloc_task_struct_node kernel/fork.c:173 [inline]
dup_task_struct kernel/fork.c:1110 [inline]
copy_process+0x41c/0x73f0 kernel/fork.c:2327
kernel_clone+0xfd/0x920 kernel/fork.c:2909
kernel_thread+0xc0/0x100 kernel/fork.c:2971
create_kthread kernel/kthread.c:411 [inline]
kthreadd+0x4fb/0x7d0 kernel/kthread.c:746
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
Freed by task 21:
kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
kasan_save_free_info+0x28/0x40 mm/kasan/generic.c:522
____kasan_slab_free mm/kasan/common.c:236 [inline]
____kasan_slab_free+0x138/0x190 mm/kasan/common.c:200
kasan_slab_free include/linux/kasan.h:164 [inline]
__cache_free mm/slab.c:3370 [inline]
__do_kmem_cache_free mm/slab.c:3557 [inline]
kmem_cache_free+0x104/0x380 mm/slab.c:3582
put_task_struct include/linux/sched/task.h:136 [inline]
put_task_struct include/linux/sched/task.h:123 [inline]
delayed_put_task_struct+0x21b/0x2b0 kernel/exit.c:226
rcu_do_batch kernel/rcu/tree.c:2139 [inline]
rcu_core+0x805/0x1bb0 kernel/rcu/tree.c:2403
__do_softirq+0x218/0x965 kernel/softirq.c:553
Last potentially related work creation:
kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
__kasan_record_aux_stack+0x78/0x80 mm/kasan/generic.c:492
__call_rcu_common.constprop.0+0x9a/0x790 kernel/rcu/tree.c:2653
put_task_struct_rcu_user kernel/exit.c:232 [inline]
put_task_struct_rcu_user+0x87/0xc0 kernel/exit.c:229
context_switch kernel/sched/core.c:5385 [inline]
__schedule+0xee9/0x5a10 kernel/sched/core.c:6695
schedule+0xe7/0x1b0 kernel/sched/core.c:6771
schedule_timeout+0x278/0x2c0 kernel/time/timer.c:2143
do_wait_for_common kernel/sched/completion.c:95 [inline]
__wait_for_common+0x3e0/0x5f0 kernel/sched/completion.c:116
kthread_stop+0x18e/0x5f0 kernel/kthread.c:709
kvm_mmu_pre_destroy_vm+0x44/0x60 arch/x86/kvm/mmu/mmu.c:7160
kvm_destroy_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:1313 [inline]
kvm_put_kvm+0x254/0xad0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1373
kvm_vm_release+0x42/0x50 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1396
__fput+0x3f7/0xa70 fs/file_table.c:384
__fput_sync+0x47/0x50 fs/file_table.c:465
__do_sys_close fs/open.c:1572 [inline]
__se_sys_close fs/open.c:1557 [inline]
__x64_sys_close+0x87/0xf0 fs/open.c:1557
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Second to last potentially related work creation:
kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
__kasan_record_aux_stack+0x78/0x80 mm/kasan/generic.c:492
__call_rcu_common.constprop.0+0x9a/0x790 kernel/rcu/tree.c:2653
put_task_struct_rcu_user kernel/exit.c:232 [inline]
put_task_struct_rcu_user+0x87/0xc0 kernel/exit.c:229
context_switch kernel/sched/core.c:5385 [inline]
__schedule+0xee9/0x5a10 kernel/sched/core.c:6695
schedule+0xe7/0x1b0 kernel/sched/core.c:6771
schedule_timeout+0x278/0x2c0 kernel/time/timer.c:2143
do_wait_for_common kernel/sched/completion.c:95 [inline]
__wait_for_common+0x3e0/0x5f0 kernel/sched/completion.c:116
kthread_stop+0x18e/0x5f0 kernel/kthread.c:709
kvm_mmu_pre_destroy_vm+0x44/0x60 arch/x86/kvm/mmu/mmu.c:7160
kvm_destroy_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:1313 [inline]
kvm_put_kvm+0x254/0xad0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1373
kvm_vm_release+0x42/0x50 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1396
__fput+0x3f7/0xa70 fs/file_table.c:384
__fput_sync+0x47/0x50 fs/file_table.c:465
__do_sys_close fs/open.c:1572 [inline]
__se_sys_close fs/open.c:1557 [inline]
__x64_sys_close+0x87/0xf0 fs/open.c:1557
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
The buggy address belongs to the object at ffff888022a599c0
which belongs to the cache task_struct of size 8960
The buggy address is located 176 bytes inside of
freed 8960-byte region [ffff888022a599c0, ffff888022a5bcc0)
The buggy address belongs to the physical page:
page:ffffea00008a9600 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x22a58
head:ffffea00008a9600 order:2 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0x1()
raw: 00fff00000000840 ffff88810005a500 ffffea00009ffb10 ffffea0000bf6410
raw: 0000000000000000 ffff888022a599c0 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0x2420c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_COMP|__GFP_THISNODE), pid 4949, tgid 4949 (dhcpcd-run-hook), ts 26983961004, free_ts 23254563577
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x2cf/0x340 mm/page_alloc.c:1536
prep_new_page mm/page_alloc.c:1543 [inline]
get_page_from_freelist+0xee0/0x2f20 mm/page_alloc.c:3170
__alloc_pages+0x1d0/0x4a0 mm/page_alloc.c:4426
__alloc_pages_node include/linux/gfp.h:237 [inline]
kmem_getpages mm/slab.c:1356 [inline]
cache_grow_begin+0x99/0x3a0 mm/slab.c:2550
cache_alloc_refill+0x294/0x3a0 mm/slab.c:2923
____cache_alloc mm/slab.c:2999 [inline]
____cache_alloc mm/slab.c:2982 [inline]
__do_cache_alloc mm/slab.c:3182 [inline]
slab_alloc_node mm/slab.c:3230 [inline]
kmem_cache_alloc_node+0x481/0x540 mm/slab.c:3509
alloc_task_struct_node kernel/fork.c:173 [inline]
dup_task_struct kernel/fork.c:1110 [inline]
copy_process+0x41c/0x73f0 kernel/fork.c:2327
kernel_clone+0xfd/0x920 kernel/fork.c:2909
__do_sys_clone+0xba/0x100 kernel/fork.c:3052
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1136 [inline]
free_unref_page_prepare+0x476/0xa40 mm/page_alloc.c:2312
free_unref_page+0x33/0x3b0 mm/page_alloc.c:2405
slab_destroy mm/slab.c:1608 [inline]
slabs_destroy+0x85/0xc0 mm/slab.c:1628
cache_flusharray mm/slab.c:3341 [inline]
___cache_free+0x2b7/0x420 mm/slab.c:3404
qlink_free mm/kasan/quarantine.c:166 [inline]
qlist_free_all+0x4c/0x1b0 mm/kasan/quarantine.c:185
kasan_quarantine_reduce+0x18e/0x1d0 mm/kasan/quarantine.c:292
__kasan_slab_alloc+0x65/0x90 mm/kasan/common.c:305
kasan_slab_alloc include/linux/kasan.h:188 [inline]
slab_post_alloc_hook mm/slab.h:762 [inline]
slab_alloc_node mm/slab.c:3237 [inline]
kmem_cache_alloc_node+0x173/0x540 mm/slab.c:3509
__alloc_skb+0x287/0x330 net/core/skbuff.c:640
alloc_skb include/linux/skbuff.h:1286 [inline]
alloc_skb_with_frags+0xe4/0x710 net/core/skbuff.c:6313
sock_alloc_send_pskb+0x7e4/0x970 net/core/sock.c:2795
unix_dgram_sendmsg+0x455/0x1c30 net/unix/af_unix.c:1953
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0xd5/0x180 net/socket.c:745
sock_write_iter+0x29b/0x3d0 net/socket.c:1158
call_write_iter include/linux/fs.h:1956 [inline]
new_sync_write fs/read_write.c:491 [inline]
vfs_write+0x650/0xe40 fs/read_write.c:584
ksys_write+0x1f0/0x250 fs/read_write.c:637
Memory state around the buggy address:
ffff888022a59900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888022a59980: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
>ffff888022a59a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888022a59a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888022a59b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
----------------
Code disassembly (best guess), 3 bytes skipped:
0: 48 c7 c3 e8 6d 03 00 mov $0x36de8,%rbx
7: 83 f8 07 cmp $0x7,%eax
a: 89 c5 mov %eax,%ebp
c: 77 7a ja 0x88
e: 48 8d 3c ed 40 ba 5c lea -0x73a345c0(,%rbp,8),%rdi
15: 8c
16: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
1d: fc ff df
20: 48 89 fa mov %rdi,%rdx
23: 48 c1 ea 03 shr $0x3,%rdx
* 27: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) <-- trapping instruction
2b: 75 54 jne 0x81
2d: 48 03 1c ed 40 ba 5c add -0x73a345c0(,%rbp,8),%rbx
34: 8c
35: 48 rex.W
36: b8 00 00 00 00 mov $0x0,%eax
3b: 00 fc add %bh,%ah
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
* [syzbot] [ext4?] WARNING: locking bug in ext4_move_extents
@ 2023-06-05 3:53 syzbot
2024-07-03 7:48 ` [syzbot] syzbot
From: syzbot @ 2023-06-05 3:53 UTC
To: adilger.kernel, linux-ext4, linux-fsdevel, linux-kernel,
syzkaller-bugs, tytso
Hello,
syzbot found the following issue on:
HEAD commit: 9561de3a55be Linux 6.4-rc5
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14df9d7d280000
kernel config: https://syzkaller.appspot.com/x/.config?x=7474de833c217bf4
dashboard link: https://syzkaller.appspot.com/bug?extid=7f4a6f7f7051474e40ad
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/661f38eebc53/disk-9561de3a.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/d6c5afef083c/vmlinux-9561de3a.xz
kernel image: https://storage.googleapis.com/syzbot-assets/7506eac4fc9d/bzImage-9561de3a.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+7f4a6f7f7051474e40ad@syzkaller.appspotmail.com
------------[ cut here ]------------
Looking for class "&ei->i_data_sem" with key init_once.__key.780, but found a different class "&ei->i_data_sem" with the same key
WARNING: CPU: 0 PID: 15140 at kernel/locking/lockdep.c:941 look_up_lock_class+0xc2/0x140 kernel/locking/lockdep.c:938
Modules linked in:
CPU: 0 PID: 15140 Comm: syz-executor.2 Not tainted 6.4.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023
RIP: 0010:look_up_lock_class+0xc2/0x140 kernel/locking/lockdep.c:938
Code: 8b 16 48 c7 c0 60 91 1e 90 48 39 c2 74 46 f6 05 5d 02 92 03 01 75 3d c6 05 54 02 92 03 01 48 c7 c7 a0 ae ea 8a e8 de 8a a3 f6 <0f> 0b eb 26 e8 f5 d0 80 f9 48 c7 c7 e0 ad ea 8a 89 de e8 37 ca fd
RSP: 0018:ffffc9000356f410 EFLAGS: 00010046
RAX: 9c96f62a5d44cf00 RBX: ffffffff9009a460 RCX: 0000000000040000
RDX: ffffc9000cf9f000 RSI: 0000000000004e87 RDI: 0000000000004e88
RBP: ffffc9000356f518 R08: ffffffff81530142 R09: ffffed1017305163
R10: 0000000000000000 R11: dffffc0000000001 R12: 0000000000000001
R13: 1ffff920006ade90 R14: ffff888074763488 R15: ffffffff91cac681
FS: 00007fe07ba3e700(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2d523000 CR3: 0000000021c7c000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
register_lock_class+0x104/0x990 kernel/locking/lockdep.c:1290
__lock_acquire+0xd3/0x2070 kernel/locking/lockdep.c:4965
lock_acquire+0x1e3/0x520 kernel/locking/lockdep.c:5705
down_write_nested+0x3d/0x50 kernel/locking/rwsem.c:1689
ext4_move_extents+0x37d/0xe40 fs/ext4/move_extent.c:621
__ext4_ioctl fs/ext4/ioctl.c:1352 [inline]
ext4_ioctl+0x3870/0x5b60 fs/ext4/ioctl.c:1608
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:870 [inline]
__se_sys_ioctl+0xf1/0x160 fs/ioctl.c:856
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fe07ac8c169
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fe07ba3e168 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fe07adac120 RCX: 00007fe07ac8c169
RDX: 0000000020000280 RSI: 00000000c028660f RDI: 0000000000000007
RBP: 00007fe07ace7ca1 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffe5c49953f R14: 00007fe07ba3e300 R15: 0000000000022000
</TASK>
---
* [syzbot] possible deadlock in page_cache_ra_unbounded
@ 2022-12-21 8:15 syzbot
2025-01-08 16:11 ` [syzbot] syzbot
From: syzbot @ 2022-12-21 8:15 UTC
To: akpm, linux-fsdevel, linux-kernel, linux-mm, syzkaller-bugs,
willy
Hello,
syzbot found the following issue on:
HEAD commit: 6feb57c2fd7c Merge tag 'kbuild-v6.2' of git://git.kernel.o..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13abf993880000
kernel config: https://syzkaller.appspot.com/x/.config?x=d3fb546de56fbf8d
dashboard link: https://syzkaller.appspot.com/bug?extid=47c7e14e1bd09234d0ad
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/81556e491789/disk-6feb57c2.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/065c943ec9de/vmlinux-6feb57c2.xz
kernel image: https://storage.googleapis.com/syzbot-assets/66e98c522c1f/bzImage-6feb57c2.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+47c7e14e1bd09234d0ad@syzkaller.appspotmail.com
REISERFS (device loop4): Created .reiserfs_priv - reserved for xattr storage.
======================================================
WARNING: possible circular locking dependency detected
6.1.0-syzkaller-13822-g6feb57c2fd7c #0 Not tainted
------------------------------------------------------
syz-executor.4/3542 is trying to acquire lock:
ffff88803bf4f520 (mapping.invalidate_lock#11){.+.+}-{3:3}, at: filemap_invalidate_lock_shared include/linux/fs.h:811 [inline]
ffff88803bf4f520 (mapping.invalidate_lock#11){.+.+}-{3:3}, at: page_cache_ra_unbounded+0xe9/0x820 mm/readahead.c:226
but task is already holding lock:
ffff88802540e090 (&sbi->lock){+.+.}-{3:3}, at: reiserfs_write_lock+0x77/0xd0 fs/reiserfs/lock.c:27
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #1 (&sbi->lock){+.+.}-{3:3}:
lock_acquire+0x182/0x3c0 kernel/locking/lockdep.c:5668
__mutex_lock_common+0x1bd/0x26e0 kernel/locking/mutex.c:603
__mutex_lock kernel/locking/mutex.c:747 [inline]
mutex_lock_nested+0x17/0x20 kernel/locking/mutex.c:799
reiserfs_write_lock+0x77/0xd0 fs/reiserfs/lock.c:27
reiserfs_get_block+0x24e/0x5180 fs/reiserfs/inode.c:680
do_mpage_readpage+0x970/0x1c50 fs/mpage.c:208
mpage_readahead+0x210/0x380 fs/mpage.c:361
read_pages+0x169/0x9c0 mm/readahead.c:161
page_cache_ra_unbounded+0x703/0x820 mm/readahead.c:270
page_cache_sync_readahead include/linux/pagemap.h:1210 [inline]
filemap_get_pages+0x465/0x10d0 mm/filemap.c:2600
filemap_read+0x3cf/0xea0 mm/filemap.c:2694
call_read_iter include/linux/fs.h:2180 [inline]
generic_file_splice_read+0x1ff/0x5d0 fs/splice.c:309
do_splice_to fs/splice.c:793 [inline]
splice_direct_to_actor+0x41b/0xc00 fs/splice.c:865
do_splice_direct+0x279/0x3d0 fs/splice.c:974
do_sendfile+0x5fb/0xf80 fs/read_write.c:1255
__do_sys_sendfile64 fs/read_write.c:1323 [inline]
__se_sys_sendfile64+0x14f/0x1b0 fs/read_write.c:1309
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
-> #0 (mapping.invalidate_lock#11){.+.+}-{3:3}:
check_prev_add kernel/locking/lockdep.c:3097 [inline]
check_prevs_add kernel/locking/lockdep.c:3216 [inline]
validate_chain+0x1898/0x6ae0 kernel/locking/lockdep.c:3831
__lock_acquire+0x1292/0x1f60 kernel/locking/lockdep.c:5055
lock_acquire+0x182/0x3c0 kernel/locking/lockdep.c:5668
down_read+0x39/0x50 kernel/locking/rwsem.c:1509
filemap_invalidate_lock_shared include/linux/fs.h:811 [inline]
page_cache_ra_unbounded+0xe9/0x820 mm/readahead.c:226
do_sync_mmap_readahead+0x4b2/0x9a0
filemap_fault+0x38d/0x1060 mm/filemap.c:3154
__do_fault+0x136/0x4f0 mm/memory.c:4163
do_shared_fault mm/memory.c:4569 [inline]
do_fault mm/memory.c:4647 [inline]
handle_pte_fault mm/memory.c:4931 [inline]
__handle_mm_fault mm/memory.c:5073 [inline]
handle_mm_fault+0x18bc/0x26b0 mm/memory.c:5219
do_user_addr_fault+0x69b/0xcb0 arch/x86/mm/fault.c:1428
handle_page_fault arch/x86/mm/fault.c:1519 [inline]
exc_page_fault+0x7a/0x110 arch/x86/mm/fault.c:1575
asm_exc_page_fault+0x22/0x30 arch/x86/include/asm/idtentry.h:570
__put_user_4+0x12/0x20 arch/x86/lib/putuser.S:93
reiserfs_ioctl+0x14b/0x340 fs/reiserfs/ioctl.c:96
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:870 [inline]
__se_sys_ioctl+0xfb/0x170 fs/ioctl.c:856
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
other info that might help us debug this:
Possible unsafe locking scenario:
       CPU0                    CPU1
       ----                    ----
  lock(&sbi->lock);
                               lock(mapping.invalidate_lock#11);
                               lock(&sbi->lock);
  lock(mapping.invalidate_lock#11);
*** DEADLOCK ***
1 lock held by syz-executor.4/3542:
#0: ffff88802540e090 (&sbi->lock){+.+.}-{3:3}, at: reiserfs_write_lock+0x77/0xd0 fs/reiserfs/lock.c:27
stack backtrace:
CPU: 1 PID: 3542 Comm: syz-executor.4 Not tainted 6.1.0-syzkaller-13822-g6feb57c2fd7c #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1b1/0x290 lib/dump_stack.c:106
check_noncircular+0x2cc/0x390 kernel/locking/lockdep.c:2177
check_prev_add kernel/locking/lockdep.c:3097 [inline]
check_prevs_add kernel/locking/lockdep.c:3216 [inline]
validate_chain+0x1898/0x6ae0 kernel/locking/lockdep.c:3831
__lock_acquire+0x1292/0x1f60 kernel/locking/lockdep.c:5055
lock_acquire+0x182/0x3c0 kernel/locking/lockdep.c:5668
down_read+0x39/0x50 kernel/locking/rwsem.c:1509
filemap_invalidate_lock_shared include/linux/fs.h:811 [inline]
page_cache_ra_unbounded+0xe9/0x820 mm/readahead.c:226
do_sync_mmap_readahead+0x4b2/0x9a0
filemap_fault+0x38d/0x1060 mm/filemap.c:3154
__do_fault+0x136/0x4f0 mm/memory.c:4163
do_shared_fault mm/memory.c:4569 [inline]
do_fault mm/memory.c:4647 [inline]
handle_pte_fault mm/memory.c:4931 [inline]
__handle_mm_fault mm/memory.c:5073 [inline]
handle_mm_fault+0x18bc/0x26b0 mm/memory.c:5219
do_user_addr_fault+0x69b/0xcb0 arch/x86/mm/fault.c:1428
handle_page_fault arch/x86/mm/fault.c:1519 [inline]
exc_page_fault+0x7a/0x110 arch/x86/mm/fault.c:1575
asm_exc_page_fault+0x22/0x30 arch/x86/include/asm/idtentry.h:570
RIP: 0010:__put_user_4+0x12/0x20 arch/x86/lib/putuser.S:95
Code: 01 31 c9 0f 01 ca c3 90 0f 01 cb 66 89 01 31 c9 0f 01 ca c3 0f 1f 40 00 48 bb fd ef ff ff ff 7f 00 00 48 39 d9 73 54 0f 01 cb <89> 01 31 c9 0f 01 ca c3 66 0f 1f 44 00 00 0f 01 cb 89 01 31 c9 0f
RSP: 0018:ffffc90014c97eb0 EFLAGS: 00050297
RAX: 0000000000000000 RBX: 00007fffffffeffd RCX: 0000000020000000
RDX: 0000000000000001 RSI: ffffffff8aedcc60 RDI: ffffffff8b4bc060
RBP: 1ffff110077e9e4b R08: dffffc0000000000 R09: fffffbfff1d2ccfe
R10: fffffbfff1d2ccfe R11: 1ffffffff1d2ccfd R12: 0000000020000000
R13: ffff88803bf4f698 R14: ffff88803bf4f258 R15: ffff8880205c9400
reiserfs_ioctl+0x14b/0x340 fs/reiserfs/ioctl.c:96
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:870 [inline]
__se_sys_ioctl+0xfb/0x170 fs/ioctl.c:856
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f0a0548c0d9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f0a061d5168 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f0a055abf80 RCX: 00007f0a0548c0d9
RDX: 0000000020000000 RSI: 0000000080087601 RDI: 0000000000000004
RBP: 00007f0a054e7ae9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffc8aa2e79f R14: 00007f0a061d5300 R15: 0000000000022000
</TASK>
----------------
Code disassembly (best guess):
0: 01 31 add %esi,(%rcx)
2: c9 leaveq
3: 0f 01 ca clac
6: c3 retq
7: 90 nop
8: 0f 01 cb stac
b: 66 89 01 mov %ax,(%rcx)
e: 31 c9 xor %ecx,%ecx
10: 0f 01 ca clac
13: c3 retq
14: 0f 1f 40 00 nopl 0x0(%rax)
18: 48 bb fd ef ff ff ff movabs $0x7fffffffeffd,%rbx
1f: 7f 00 00
22: 48 39 d9 cmp %rbx,%rcx
25: 73 54 jae 0x7b
27: 0f 01 cb stac
* 2a: 89 01 mov %eax,(%rcx) <-- trapping instruction
2c: 31 c9 xor %ecx,%ecx
2e: 0f 01 ca clac
31: c3 retq
32: 66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1)
38: 0f 01 cb stac
3b: 89 01 mov %eax,(%rcx)
3d: 31 c9 xor %ecx,%ecx
3f: 0f .byte 0xf
---
* [syzbot] possible deadlock in attr_data_get_block
@ 2022-10-17 7:43 syzbot
2024-07-17 8:19 ` [syzbot] syzbot
From: syzbot @ 2022-10-17 7:43 UTC
To: almaz.alexandrovich, linux-kernel, ntfs3, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: bbed346d5a96 Merge branch 'for-next/core' into for-kernelci
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=13ce2a7c880000
kernel config: https://syzkaller.appspot.com/x/.config?x=3a4a45d2d827c1e
dashboard link: https://syzkaller.appspot.com/bug?extid=36bb70085ef6edc2ebb9
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: arm64
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/e8e91bc79312/disk-bbed346d.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/c1cb3fb3b77e/vmlinux-bbed346d.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+36bb70085ef6edc2ebb9@syzkaller.appspotmail.com
ntfs3: loop4: Different NTFS' sector size (1024) and media sector size (512)
ntfs3: loop4: Mark volume as dirty due to NTFS errors
======================================================
WARNING: possible circular locking dependency detected
6.0.0-rc7-syzkaller-18095-gbbed346d5a96 #0 Not tainted
------------------------------------------------------
syz-executor.4/15497 is trying to acquire lock:
ffff000116476948 (&ni->file.run_lock#3){++++}-{3:3}, at: attr_data_get_block+0x84/0xa54 fs/ntfs3/attrib.c:899
but task is already holding lock:
ffff0000c7543ad8 (&mm->mmap_lock){++++}-{3:3}, at: mmap_write_lock_killable include/linux/mmap_lock.h:87 [inline]
ffff0000c7543ad8 (&mm->mmap_lock){++++}-{3:3}, at: vm_mmap_pgoff+0xa0/0x1d0 mm/util.c:550
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #1 (&mm->mmap_lock){++++}-{3:3}:
__might_fault+0x7c/0xb4 mm/memory.c:5577
_copy_to_user include/linux/uaccess.h:134 [inline]
copy_to_user include/linux/uaccess.h:160 [inline]
fiemap_fill_next_extent+0xc4/0x1f8 fs/ioctl.c:144
ni_fiemap+0x4cc/0x620 fs/ntfs3/frecord.c:2051
ntfs_fiemap+0x9c/0xdc fs/ntfs3/file.c:1245
ioctl_fiemap fs/ioctl.c:219 [inline]
do_vfs_ioctl+0x10f0/0x16a4 fs/ioctl.c:810
__do_sys_ioctl fs/ioctl.c:868 [inline]
__se_sys_ioctl fs/ioctl.c:856 [inline]
__arm64_sys_ioctl+0x98/0x140 fs/ioctl.c:856
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall arch/arm64/kernel/syscall.c:52 [inline]
el0_svc_common+0x138/0x220 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x48/0x164 arch/arm64/kernel/syscall.c:206
el0_svc+0x58/0x150 arch/arm64/kernel/entry-common.c:636
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:654
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:581
-> #0 (&ni->file.run_lock#3){++++}-{3:3}:
check_prev_add kernel/locking/lockdep.c:3095 [inline]
check_prevs_add kernel/locking/lockdep.c:3214 [inline]
validate_chain kernel/locking/lockdep.c:3829 [inline]
__lock_acquire+0x1530/0x30a4 kernel/locking/lockdep.c:5053
lock_acquire+0x100/0x1f8 kernel/locking/lockdep.c:5666
down_read+0x5c/0x78 kernel/locking/rwsem.c:1499
attr_data_get_block+0x84/0xa54 fs/ntfs3/attrib.c:899
ntfs_file_mmap+0x1d0/0x2e4 fs/ntfs3/file.c:387
call_mmap include/linux/fs.h:2192 [inline]
mmap_region+0x7fc/0xc14 mm/mmap.c:1752
do_mmap+0x644/0x97c mm/mmap.c:1540
vm_mmap_pgoff+0xe8/0x1d0 mm/util.c:552
ksys_mmap_pgoff+0x1cc/0x278 mm/mmap.c:1586
__do_sys_mmap arch/arm64/kernel/sys.c:28 [inline]
__se_sys_mmap arch/arm64/kernel/sys.c:21 [inline]
__arm64_sys_mmap+0x58/0x6c arch/arm64/kernel/sys.c:21
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall arch/arm64/kernel/syscall.c:52 [inline]
el0_svc_common+0x138/0x220 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x48/0x164 arch/arm64/kernel/syscall.c:206
el0_svc+0x58/0x150 arch/arm64/kernel/entry-common.c:636
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:654
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:581
other info that might help us debug this:
Possible unsafe locking scenario:
       CPU0                    CPU1
       ----                    ----
  lock(&mm->mmap_lock);
                               lock(&ni->file.run_lock#3);
                               lock(&mm->mmap_lock);
  lock(&ni->file.run_lock#3);
*** DEADLOCK ***
1 lock held by syz-executor.4/15497:
#0: ffff0000c7543ad8 (&mm->mmap_lock){++++}-{3:3}, at: mmap_write_lock_killable include/linux/mmap_lock.h:87 [inline]
#0: ffff0000c7543ad8 (&mm->mmap_lock){++++}-{3:3}, at: vm_mmap_pgoff+0xa0/0x1d0 mm/util.c:550
stack backtrace:
CPU: 0 PID: 15497 Comm: syz-executor.4 Not tainted 6.0.0-rc7-syzkaller-18095-gbbed346d5a96 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/30/2022
Call trace:
dump_backtrace+0x1c4/0x1f0 arch/arm64/kernel/stacktrace.c:156
show_stack+0x2c/0x54 arch/arm64/kernel/stacktrace.c:163
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x104/0x16c lib/dump_stack.c:106
dump_stack+0x1c/0x58 lib/dump_stack.c:113
print_circular_bug+0x2c4/0x2c8 kernel/locking/lockdep.c:2053
check_noncircular+0x14c/0x154 kernel/locking/lockdep.c:2175
check_prev_add kernel/locking/lockdep.c:3095 [inline]
check_prevs_add kernel/locking/lockdep.c:3214 [inline]
validate_chain kernel/locking/lockdep.c:3829 [inline]
__lock_acquire+0x1530/0x30a4 kernel/locking/lockdep.c:5053
lock_acquire+0x100/0x1f8 kernel/locking/lockdep.c:5666
down_read+0x5c/0x78 kernel/locking/rwsem.c:1499
attr_data_get_block+0x84/0xa54 fs/ntfs3/attrib.c:899
ntfs_file_mmap+0x1d0/0x2e4 fs/ntfs3/file.c:387
call_mmap include/linux/fs.h:2192 [inline]
mmap_region+0x7fc/0xc14 mm/mmap.c:1752
do_mmap+0x644/0x97c mm/mmap.c:1540
vm_mmap_pgoff+0xe8/0x1d0 mm/util.c:552
ksys_mmap_pgoff+0x1cc/0x278 mm/mmap.c:1586
__do_sys_mmap arch/arm64/kernel/sys.c:28 [inline]
__se_sys_mmap arch/arm64/kernel/sys.c:21 [inline]
__arm64_sys_mmap+0x58/0x6c arch/arm64/kernel/sys.c:21
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall arch/arm64/kernel/syscall.c:52 [inline]
el0_svc_common+0x138/0x220 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x48/0x164 arch/arm64/kernel/syscall.c:206
el0_svc+0x58/0x150 arch/arm64/kernel/entry-common.c:636
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:654
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:581
---
* [syzbot] WARNING in __change_page_attr_set_clr
@ 2022-09-25 11:18 syzbot
2024-09-06 10:39 ` [syzbot] syzbot
From: syzbot @ 2022-09-25 11:18 UTC
To: bp, brijesh.singh, dan.j.williams, dave.hansen, hpa, jane.chu,
kirill.shutemov, linux-kernel, luto, mingo, peterz, seanjc,
syzkaller-bugs, tglx, thomas.lendacky, x86
Hello,
syzbot found the following issue on:
HEAD commit: 483fed3b5dc8 Add linux-next specific files for 20220921
git tree: linux-next
console+strace: https://syzkaller.appspot.com/x/log.txt?x=13450b0f080000
kernel config: https://syzkaller.appspot.com/x/.config?x=849cb9f70f15b1ba
dashboard link: https://syzkaller.appspot.com/bug?extid=cdcd5043ce8155d92ab1
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15e2a1b0880000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=154e7d08880000
Downloadable assets:
disk image: https://storage.googleapis.com/1cb3f4618323/disk-483fed3b.raw.xz
vmlinux: https://storage.googleapis.com/cc02cb30b495/vmlinux-483fed3b.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+cdcd5043ce8155d92ab1@syzkaller.appspotmail.com
------------[ cut here ]------------
CPA refuse W^X violation: 8000000000000163 -> 0000000000000163 range: 0xffffffffa0401000 - 0xffffffffa0401fff PFN 7d8d5
WARNING: CPU: 0 PID: 3607 at arch/x86/mm/pat/set_memory.c:600 verify_rwx arch/x86/mm/pat/set_memory.c:600 [inline]
WARNING: CPU: 0 PID: 3607 at arch/x86/mm/pat/set_memory.c:600 __change_page_attr arch/x86/mm/pat/set_memory.c:1569 [inline]
WARNING: CPU: 0 PID: 3607 at arch/x86/mm/pat/set_memory.c:600 __change_page_attr_set_clr+0x1f40/0x2020 arch/x86/mm/pat/set_memory.c:1691
Modules linked in:
CPU: 0 PID: 3607 Comm: syz-executor178 Not tainted 6.0.0-rc6-next-20220921-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/16/2022
RIP: 0010:verify_rwx arch/x86/mm/pat/set_memory.c:600 [inline]
RIP: 0010:__change_page_attr arch/x86/mm/pat/set_memory.c:1569 [inline]
RIP: 0010:__change_page_attr_set_clr+0x1f40/0x2020 arch/x86/mm/pat/set_memory.c:1691
Code: 8b 44 24 50 4d 89 f1 4c 89 e2 4c 89 ee 48 c7 c7 80 0c ea 89 c6 05 1f 3b 94 0c 01 4c 8d 80 ff 0f 00 00 48 89 c1 e8 fd 62 10 08 <0f> 0b e9 8a fc ff ff e8 f4 a1 91 00 e9 14 f8 ff ff 48 8b 7c 24 08
RSP: 0018:ffffc90003c9ebf8 EFLAGS: 00010286
RAX: 0000000000000000 RBX: 800000007d8d5163 RCX: 0000000000000000
RDX: ffff8880217c57c0 RSI: ffffffff81620348 RDI: fffff52000793d71
RBP: 0000000000000001 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000001 R11: 7566657220415043 R12: 0000000000000163
R13: 8000000000000163 R14: 000000000007d8d5 R15: 0000000000000000
FS: 0000555556be0300(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000045b630 CR3: 0000000073ec9000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
change_page_attr_set_clr+0x333/0x500 arch/x86/mm/pat/set_memory.c:1784
change_page_attr_clear arch/x86/mm/pat/set_memory.c:1821 [inline]
set_memory_x+0xb2/0x110 arch/x86/mm/pat/set_memory.c:1999
bpf_jit_alloc_exec_page+0x69/0x80 kernel/bpf/trampoline.c:131
bpf_dispatcher_change_prog+0x303/0x8f0 kernel/bpf/dispatcher.c:143
dev_xdp_install+0x198/0x2b0 net/core/dev.c:9134
dev_xdp_attach+0xa30/0x12a0 net/core/dev.c:9274
dev_change_xdp_fd+0x246/0x300 net/core/dev.c:9520
do_setlink+0x31e3/0x3bb0 net/core/rtnetlink.c:3002
rtnl_group_changelink net/core/rtnetlink.c:3303 [inline]
__rtnl_newlink+0xb96/0x17e0 net/core/rtnetlink.c:3557
rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3594
rtnetlink_rcv_msg+0x43a/0xca0 net/core/rtnetlink.c:6091
netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2540
netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
netlink_unicast+0x543/0x7f0 net/netlink/af_netlink.c:1345
netlink_sendmsg+0x917/0xe10 net/netlink/af_netlink.c:1921
sock_sendmsg_nosec net/socket.c:714 [inline]
sock_sendmsg+0xcf/0x120 net/socket.c:734
____sys_sendmsg+0x712/0x8c0 net/socket.c:2482
___sys_sendmsg+0x110/0x1b0 net/socket.c:2536
__sys_sendmsg+0xf3/0x1c0 net/socket.c:2565
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fe786b1ce59
Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffecfcfcf28 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fe786b1ce59
RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000003
RBP: 00007fe786ae1000 R08: 0000000000000008 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000246 R12: 00007fe786ae1090
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
</TASK>
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
* [syzbot] inconsistent lock state in find_vmap_area
@ 2022-07-12 12:03 syzbot
2024-09-06 10:36 ` [syzbot] syzbot
0 siblings, 1 reply; 141+ messages in thread
From: syzbot @ 2022-07-12 12:03 UTC (permalink / raw)
To: bp, dave.hansen, hpa, linux-kernel, linux-usb, luto, mingo,
peterz, syzkaller-bugs, tglx, x86
Hello,
syzbot found the following issue on:
HEAD commit: 8affe37c525d usb: dwc3: gadget: fix high speed multiplier ..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
console output: https://syzkaller.appspot.com/x/log.txt?x=12742d1a080000
kernel config: https://syzkaller.appspot.com/x/.config?x=ebec88088cc2071
dashboard link: https://syzkaller.appspot.com/bug?extid=8d19062486784d15dda9
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10357da2080000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=150e832a080000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+8d19062486784d15dda9@syzkaller.appspotmail.com
__do_sys_clock_nanosleep kernel/time/posix-timers.c:1267 [inline]
__se_sys_clock_nanosleep kernel/time/posix-timers.c:1245 [inline]
__x64_sys_clock_nanosleep+0x2f4/0x430 kernel/time/posix-timers.c:1245
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7fa84b6b7f7a
================================
WARNING: inconsistent lock state
5.19.0-rc4-syzkaller-00118-g8affe37c525d #0 Not tainted
--------------------------------
inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage.
syz-executor629/1291 [HC0[0]:SC1[1]:HE0:SE0] takes:
ffffffff87b82078 (vmap_area_lock){+.?.}-{2:2}, at: spin_lock include/linux/spinlock.h:349 [inline]
ffffffff87b82078 (vmap_area_lock){+.?.}-{2:2}, at: find_vmap_area+0x1c/0x130 mm/vmalloc.c:1805
{SOFTIRQ-ON-W} state was registered at:
lock_acquire kernel/locking/lockdep.c:5665 [inline]
lock_acquire+0x1ab/0x570 kernel/locking/lockdep.c:5630
__raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
_raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:154
spin_lock include/linux/spinlock.h:349 [inline]
alloc_vmap_area+0xa49/0x1f00 mm/vmalloc.c:1586
__get_vm_area_node+0x142/0x3f0 mm/vmalloc.c:2453
get_vm_area_caller+0x43/0x50 mm/vmalloc.c:2506
__ioremap_caller.constprop.0+0x292/0x600 arch/x86/mm/ioremap.c:280
acpi_os_ioremap include/acpi/acpi_io.h:13 [inline]
acpi_map drivers/acpi/osl.c:296 [inline]
acpi_os_map_iomem+0x463/0x550 drivers/acpi/osl.c:355
acpi_tb_acquire_table+0xd8/0x209 drivers/acpi/acpica/tbdata.c:142
acpi_tb_validate_table drivers/acpi/acpica/tbdata.c:317 [inline]
acpi_tb_validate_table+0x50/0x8c drivers/acpi/acpica/tbdata.c:308
acpi_tb_verify_temp_table+0x84/0x674 drivers/acpi/acpica/tbdata.c:504
acpi_reallocate_root_table+0x374/0x3e0 drivers/acpi/acpica/tbxface.c:180
acpi_early_init+0x13a/0x438 drivers/acpi/bus.c:1200
start_kernel+0x3cf/0x48f init/main.c:1098
secondary_startup_64_no_verify+0xce/0xdb
irq event stamp: 283923
hardirqs last enabled at (283922): [<ffffffff85eff66f>] __raw_spin_unlock_irq include/linux/spinlock_api_smp.h:159 [inline]
hardirqs last enabled at (283922): [<ffffffff85eff66f>] _raw_spin_unlock_irq+0x1f/0x40 kernel/locking/spinlock.c:202
hardirqs last disabled at (283923): [<ffffffff85eff49e>] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline]
hardirqs last disabled at (283923): [<ffffffff85eff49e>] _raw_spin_lock_irqsave+0x4e/0x50 kernel/locking/spinlock.c:162
softirqs last enabled at (268742): [<ffffffff811657c3>] invoke_softirq kernel/softirq.c:445 [inline]
softirqs last enabled at (268742): [<ffffffff811657c3>] __irq_exit_rcu+0x113/0x170 kernel/softirq.c:650
softirqs last disabled at (283919): [<ffffffff811657c3>] invoke_softirq kernel/softirq.c:445 [inline]
softirqs last disabled at (283919): [<ffffffff811657c3>] __irq_exit_rcu+0x113/0x170 kernel/softirq.c:650
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0
----
lock(vmap_area_lock);
<Interrupt>
lock(vmap_area_lock);
*** DEADLOCK ***
5 locks held by syz-executor629/1291:
#0: ffffc90000178d70 ((&dum_hcd->timer)){+.-.}-{0:0}, at: lockdep_copy_map include/linux/lockdep.h:31 [inline]
#0: ffffc90000178d70 ((&dum_hcd->timer)){+.-.}-{0:0}, at: call_timer_fn+0xd5/0x6b0 kernel/time/timer.c:1464
#1: ffff88810fa80230 (&dev->event_lock){-.-.}-{2:2}, at: input_event drivers/input/input.c:456 [inline]
#1: ffff88810fa80230 (&dev->event_lock){-.-.}-{2:2}, at: input_event+0x7b/0xb0 drivers/input/input.c:449
#2: ffffffff87a94700 (rcu_read_lock){....}-{1:2}, at: input_pass_values.part.0+0x0/0x710 drivers/input/input.c:884
#3: ffffffff87eb1e38 (kbd_event_lock){..-.}-{2:2}, at: spin_lock include/linux/spinlock.h:349 [inline]
#3: ffffffff87eb1e38 (kbd_event_lock){..-.}-{2:2}, at: kbd_event+0x86/0x1780 drivers/tty/vt/keyboard.c:1537
#4: ffffffff87a94700 (rcu_read_lock){....}-{1:2}, at: show_state_filter+0x0/0x300 kernel/sched/core.c:8763
stack backtrace:
CPU: 1 PID: 1291 Comm: syz-executor629 Not tainted 5.19.0-rc4-syzkaller-00118-g8affe37c525d #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/29/2022
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
print_usage_bug kernel/locking/lockdep.c:3961 [inline]
valid_state kernel/locking/lockdep.c:3973 [inline]
mark_lock_irq kernel/locking/lockdep.c:4176 [inline]
mark_lock.part.0.cold+0x18/0xd8 kernel/locking/lockdep.c:4632
mark_lock kernel/locking/lockdep.c:4596 [inline]
mark_usage kernel/locking/lockdep.c:4527 [inline]
__lock_acquire+0x11e7/0x5660 kernel/locking/lockdep.c:5007
lock_acquire kernel/locking/lockdep.c:5665 [inline]
lock_acquire+0x1ab/0x570 kernel/locking/lockdep.c:5630
__raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
_raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:154
spin_lock include/linux/spinlock.h:349 [inline]
find_vmap_area+0x1c/0x130 mm/vmalloc.c:1805
check_heap_object mm/usercopy.c:176 [inline]
__check_object_size mm/usercopy.c:250 [inline]
__check_object_size+0x1f8/0x700 mm/usercopy.c:212
check_object_size include/linux/thread_info.h:199 [inline]
__copy_from_user_inatomic include/linux/uaccess.h:62 [inline]
copy_from_user_nmi arch/x86/lib/usercopy.c:47 [inline]
copy_from_user_nmi+0xcb/0x130 arch/x86/lib/usercopy.c:31
copy_code arch/x86/kernel/dumpstack.c:91 [inline]
show_opcodes+0x59/0xb0 arch/x86/kernel/dumpstack.c:121
show_iret_regs+0xd/0x33 arch/x86/kernel/dumpstack.c:149
__show_regs+0x1e/0x60 arch/x86/kernel/process_64.c:74
show_trace_log_lvl+0x25b/0x2ba arch/x86/kernel/dumpstack.c:292
sched_show_task kernel/sched/core.c:8801 [inline]
sched_show_task+0x44c/0x5c0 kernel/sched/core.c:8775
show_state_filter+0x13e/0x300 kernel/sched/core.c:8846
k_spec drivers/tty/vt/keyboard.c:667 [inline]
k_spec+0xe1/0x130 drivers/tty/vt/keyboard.c:656
kbd_keycode drivers/tty/vt/keyboard.c:1524 [inline]
kbd_event+0xcdd/0x1780 drivers/tty/vt/keyboard.c:1543
input_to_handler+0x3b9/0x4c0 drivers/input/input.c:129
input_pass_values.part.0+0x230/0x710 drivers/input/input.c:156
input_pass_values drivers/input/input.c:426 [inline]
input_handle_event+0x67e/0x1440 drivers/input/input.c:426
input_event drivers/input/input.c:457 [inline]
input_event+0x8e/0xb0 drivers/input/input.c:449
hidinput_hid_event+0x79d/0x2010 drivers/hid/hid-input.c:1631
hid_process_event+0x491/0x570 drivers/hid/hid-core.c:1527
hid_input_array_field+0x4d7/0x660 drivers/hid/hid-core.c:1639
hid_process_report drivers/hid/hid-core.c:1681 [inline]
hid_report_raw_event+0xa8a/0x1280 drivers/hid/hid-core.c:1998
hid_input_report+0x360/0x4c0 drivers/hid/hid-core.c:2065
hid_irq_in+0x50e/0x690 drivers/hid/usbhid/hid-core.c:284
__usb_hcd_giveback_urb+0x2b0/0x5c0 drivers/usb/core/hcd.c:1670
usb_hcd_giveback_urb+0x367/0x410 drivers/usb/core/hcd.c:1747
dummy_timer+0x11f9/0x32b0 drivers/usb/gadget/udc/dummy_hcd.c:1988
call_timer_fn+0x1a5/0x6b0 kernel/time/timer.c:1474
expire_timers kernel/time/timer.c:1519 [inline]
__run_timers.part.0+0x679/0xa80 kernel/time/timer.c:1790
__run_timers kernel/time/timer.c:1768 [inline]
run_timer_softirq+0xb3/0x1d0 kernel/time/timer.c:1803
__do_softirq+0x288/0x9a5 kernel/softirq.c:571
invoke_softirq kernel/softirq.c:445 [inline]
__irq_exit_rcu+0x113/0x170 kernel/softirq.c:650
irq_exit_rcu+0x5/0x20 kernel/softirq.c:662
sysvec_apic_timer_interrupt+0x8e/0xc0 arch/x86/kernel/apic/apic.c:1106
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1b/0x20 arch/x86/include/asm/idtentry.h:649
RIP: 0010:finish_task_switch.isra.0+0x24d/0xa10 kernel/sched/core.c:5026
Code: 8b 3a 4c 89 e7 48 c7 02 00 00 00 00 ff d1 4d 85 ff 75 bf 4c 89 e7 e8 62 0d d0 04 e8 9d 6e 2b 00 fb 65 48 8b 1c 25 c0 6e 02 00 <48> 8d bb 98 14 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1
RSP: 0018:ffffc90000597b30 EFLAGS: 00000202
RAX: 000000000004550d RBX: ffff888110e5d580 RCX: 1ffffffff11b9ef1
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
RBP: ffffc90000597b78 R08: 0000000000000001 R09: 0000000000000001
R10: ffffed103ed26f68 R11: 0000000000000001 R12: ffff8881f6937b40
R13: ffff8881002cd580 R14: ffff88810029a300 R15: 0000000000000002
context_switch kernel/sched/core.c:5149 [inline]
__schedule+0x947/0x2630 kernel/sched/core.c:6458
schedule+0xd2/0x1f0 kernel/sched/core.c:6530
freezable_schedule include/linux/freezer.h:172 [inline]
do_nanosleep+0x24e/0x690 kernel/time/hrtimer.c:2044
hrtimer_nanosleep+0x1f9/0x4a0 kernel/time/hrtimer.c:2097
common_nsleep+0xa2/0xc0 kernel/time/posix-timers.c:1227
__do_sys_clock_nanosleep kernel/time/posix-timers.c:1267 [inline]
__se_sys_clock_nanosleep kernel/time/posix-timers.c:1245 [inline]
__x64_sys_clock_nanosleep+0x2f4/0x430 kernel/time/posix-timers.c:1245
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7fa84b6b7f7a
Code: 83 ff 03 74 3b 48 83 ec 28 b8 fa ff ff ff 83 ff 02 49 89 ca 0f 44 f8 64 8b 04 25 18 00 00 00 85 c0 75 2d b8 e6 00 00 00 0f 05 <89> c2 f7 da 3d 00 f0 ff ff b8 00 00 00 00 0f 47 c2 48 83 c4 28 c3
RSP: 002b:00007ffe8fb1bdb0 EFLAGS: 00000246 ORIG_RAX: 00000000000000e6
RAX: ffffffffffffffda RBX: 0000000000053a09 RCX: 00007fa84b6b7f7a
RDX: 00007ffe8fb1bdf0 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000005 R08: 0000000000000158 R09: 00007ffe8fba4080
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffe8fb1be38
R13: 00007ffe8fb1be50 R14: 00007ffe8fb1be90 R15: 0000000000000003
</TASK>
Code: 83 ff 03 74 3b 48 83 ec 28 b8 fa ff ff ff 83 ff 02 49 89 ca 0f 44 f8 64 8b 04 25 18 00 00 00 85 c0 75 2d b8 e6 00 00 00 0f 05 <89> c2 f7 da 3d 00 f0 ff ff b8 00 00 00 00 0f 47 c2 48 83 c4 28 c3
RSP: 002b:00007ffe8fb1bdb0 EFLAGS: 00000246 ORIG_RAX: 00000000000000e6
RAX: ffffffffffffffda RBX: 0000000000053a09 RCX: 00007fa84b6b7f7a
RDX: 00007ffe8fb1bdf0 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000005 R08: 0000000000000158 R09: 00007ffe8fba4080
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffe8fb1be38
R13: 00007ffe8fb1be50 R14: 00007ffe8fb1be90 R15: 0000000000000003
</TASK>
task:kworker/1:2 state:I stack:29984 pid: 1743 ppid: 2 flags:0x00004000
Workqueue: 0x0 (events_power_efficient)
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5146 [inline]
__schedule+0x93f/0x2630 kernel/sched/core.c:6458
schedule+0xd2/0x1f0 kernel/sched/core.c:6530
worker_thread+0x15c/0x1080 kernel/workqueue.c:2457
kthread+0x2ef/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
</TASK>
task:kworker/0:0 state:I stack:29672 pid: 1746 ppid: 2 flags:0x00004000
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5146 [inline]
__schedule+0x93f/0x2630 kernel/sched/core.c:6458
schedule+0xd2/0x1f0 kernel/sched/core.c:6530
worker_thread+0x15c/0x1080 kernel/workqueue.c:2457
kthread+0x2ef/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
</TASK>
task:kworker/0:3 state:I stack:29800 pid: 1748 ppid: 2 flags:0x00004000
Workqueue: 0x0 (events)
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5146 [inline]
__schedule+0x93f/0x2630 kernel/sched/core.c:6458
schedule+0xd2/0x1f0 kernel/sched/core.c:6530
worker_thread+0x15c/0x1080 kernel/workqueue.c:2457
kthread+0x2ef/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
</TASK>
task:udevd state:S stack:28160 pid: 1754 ppid: 1182 flags:0x00000000
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5146 [inline]
__schedule+0x93f/0x2630 kernel/sched/core.c:6458
schedule+0xd2/0x1f0 kernel/sched/core.c:6530
schedule_hrtimeout_range_clock+0x343/0x390 kernel/time/hrtimer.c:2296
ep_poll fs/eventpoll.c:1856 [inline]
do_epoll_wait+0x1290/0x1930 fs/eventpoll.c:2234
__do_sys_epoll_wait fs/eventpoll.c:2246 [inline]
__se_sys_epoll_wait fs/eventpoll.c:2241 [inline]
__x64_sys_epoll_wait+0x158/0x270 fs/eventpoll.c:2241
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7f6d14bdee46
RSP: 002b:00007ffe547bfe18 EFLAGS: 00000246 ORIG_RAX: 00000000000000e8
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f6d14bdee46
RDX: 0000000000000004 RSI: 00007ffe547bfe58 RDI: 0000000000000004
RBP: 00005558e52cc540 R08: 0000000000000007 R09: 00005558e52af720
R10: 00000000ffffffff R11: 0000000000000246 R12: 00005558e52b95f0
R13: 00007ffe547bfe58 R14: 00000000ffffffff R15: 00005558e5295910
</TASK>
task:syz-executor629 state:S stack:28168 pid: 1755 ppid: 1291 flags:0x00000000
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5146 [inline]
__schedule+0x93f/0x2630 kernel/sched/core.c:6458
schedule+0xd2/0x1f0 kernel/sched/core.c:6530
schedule_timeout+0x1db/0x2a0 kernel/time/timer.c:1911
do_wait_for_common kernel/sched/completion.c:85 [inline]
__wait_for_common+0x378/0x530 kernel/sched/completion.c:106
wait_for_common kernel/sched/completion.c:117 [inline]
wait_for_completion_interruptible+0x1b/0x30 kernel/sched/completion.c:206
raw_process_ep_io+0x5ec/0xb20 drivers/usb/gadget/legacy/raw_gadget.c:1071
raw_ioctl_ep_write drivers/usb/gadget/legacy/raw_gadget.c:1099 [inline]
raw_ioctl+0x955/0x2780 drivers/usb/gadget/legacy/raw_gadget.c:1271
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:870 [inline]
__se_sys_ioctl fs/ioctl.c:856 [inline]
__x64_sys_ioctl+0x193/0x200 fs/ioctl.c:856
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7fa84b685d37
RSP: 002b:00007ffe8fb1adc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fa84b685d37
RDX: 00007ffe8fb1ade0 RSI: 0000000040085507 RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000000000003 R09: 0000000000000000
R10: 00007fa84b6fb1e0 R11: 0000000000000246 R12: 00007ffe8fb1be38
R13: 00007ffe8fb1be50 R14: 00007ffe8fb1be90 R15: 0000000000000003
</TASK>
task:udevd state:S stack:27992 pid: 1756 ppid: 1182 flags:0x00000000
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5146 [inline]
__schedule+0x93f/0x2630 kernel/sched/core.c:6458
schedule+0xd2/0x1f0 kernel/sched/core.c:6530
schedule_hrtimeout_range_clock+0x343/0x390 kernel/time/hrtimer.c:2296
ep_poll fs/eventpoll.c:1856 [inline]
do_epoll_wait+0x1290/0x1930 fs/eventpoll.c:2234
__do_sys_epoll_wait fs/eventpoll.c:2246 [inline]
__se_sys_epoll_wait fs/eventpoll.c:2241 [inline]
__x64_sys_epoll_wait+0x158/0x270 fs/eventpoll.c:2241
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7f6d14bdee46
RSP: 002b:00007ffe547bfe18 EFLAGS: 00000246 ORIG_RAX: 00000000000000e8
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f6d14bdee46
RDX: 0000000000000004 RSI: 00007ffe547bfe58 RDI: 0000000000000004
RBP: 00005558e52c6770 R08: 0000000000000007 R09: 00005558e52b9280
R10: 00000000ffffffff R11: 0000000000000246 R12: 00005558e52d52a0
R13: 00007ffe547bfe58 R14: 00000000ffffffff R15: 00005558e5295910
</TASK>
task:udevd state:S stack:28440 pid: 1757 ppid: 1182 flags:0x00000000
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5146 [inline]
__schedule+0x93f/0x2630 kernel/sched/core.c:6458
schedule+0xd2/0x1f0 kernel/sched/core.c:6530
schedule_hrtimeout_range_clock+0x343/0x390 kernel/time/hrtimer.c:2296
ep_poll fs/eventpoll.c:1856 [inline]
do_epoll_wait+0x1290/0x1930 fs/eventpoll.c:2234
__do_sys_epoll_wait fs/eventpoll.c:2246 [inline]
__se_sys_epoll_wait fs/eventpoll.c:2241 [inline]
__x64_sys_epoll_wait+0x158/0x270 fs/eventpoll.c:2241
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7f6d14bdee46
RSP: 002b:00007ffe547bfe18 EFLAGS: 00000246 ORIG_RAX: 00000000000000e8
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f6d14bdee46
RDX: 0000000000000004 RSI: 00007ffe547bfe58 RDI: 0000000000000004
RBP: 00005558e52ab290 R08: 0000000000000007 R09: 00005558e52af720
R10: 00000000ffffffff R11: 0000000000000246 R12: 00005558e52be430
R13: 00007ffe547bfe58 R14: 00000000ffffffff R15: 00005558e5295910
</TASK>
task:udevd state:S stack:28328 pid: 1758 ppid: 1182 flags:0x00000000
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5146 [inline]
__schedule+0x93f/0x2630 kernel/sched/core.c:6458
schedule+0xd2/0x1f0 kernel/sched/core.c:6530
schedule_hrtimeout_range_clock+0x343/0x390 kernel/time/hrtimer.c:2296
ep_poll fs/eventpoll.c:1856 [inline]
do_epoll_wait+0x1290/0x1930 fs/eventpoll.c:2234
__do_sys_epoll_wait fs/eventpoll.c:2246 [inline]
__se_sys_epoll_wait fs/eventpoll.c:2241 [inline]
__x64_sys_epoll_wait+0x158/0x270 fs/eventpoll.c:2241
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7f6d14bdee46
RSP: 002b:00007ffe547bfe18 EFLAGS: 00000246 ORIG_RAX: 00000000000000e8
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f6d14bdee46
RDX: 0000000000000004 RSI: 00007ffe547bfe58 RDI: 0000000000000004
RBP: 00005558e52c8e80 R08: 0000000000000007 R09: 00005558e52af720
R10: 00000000ffffffff R11: 0000000000000246 R12: 00005558e52c0e40
R13: 00007ffe547bfe58 R14: 00000000ffffffff R15: 00005558e5295910
</TASK>
INFO: lockdep is turned off.
task:init state:S stack:22824 pid: 1 ppid: 0 flags:0x00000000
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5146 [inline]
__schedule+0x93f/0x2630 kernel/sched/core.c:6458
schedule+0xd2/0x1f0 kernel/sched/core.c:6530
schedule_hrtimeout_range_clock+0x343/0x390 kernel/time/hrtimer.c:2296
freezable_schedule_hrtimeout_range include/linux/freezer.h:250 [inline]
do_sigtimedwait+0x48d/0x7b0 kernel/signal.c:3604
__do_sys_rt_sigtimedwait kernel/signal.c:3648 [inline]
__se_sys_rt_sigtimedwait kernel/signal.c:3626 [inline]
__x64_sys_rt_sigtimedwait+0x1a2/0x2c0 kernel/signal.c:3626
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7f2ea7f62ac4
RSP: 002b:00007ffcb0447100 EFLAGS: 00000246 ORIG_RAX: 0000000000000080
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f2ea7f62ac4
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00007f2ea81ab498
RBP: 00007f2ea81ab490 R08: 00000000ffffffff R09: 0000000000000000
R10: 0000000000000008 R11: 0000000000000246 R12: 00007ffcb0447168
R13: 00007ffcb044715c R14: 0000000000000000 R15: 0000000000000000
</TASK>
task:kthreadd state:S stack:28152 pid: 2 ppid: 0 flags:0x00004000
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5146 [inline]
__schedule+0x93f/0x2630 kernel/sched/core.c:6458
schedule+0xd2/0x1f0 kernel/sched/core.c:6530
kthreadd+0x592/0x750 kernel/kthread.c:733
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
</TASK>
task:rcu_gp state:I stack:29904 pid: 3 ppid: 2 flags:0x00004000
Workqueue: 0x0 (rcu_gp)
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5146 [inline]
__schedule+0x93f/0x2630 kernel/sched/core.c:6458
schedule+0xd2/0x1f0 kernel/sched/core.c:6530
rescuer_thread+0x780/0xcf0 kernel/workqueue.c:2599
kthread+0x2ef/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
</TASK>
task:rcu_par_gp state:I stack:30920 pid: 4 ppid: 2 flags:0x00004000
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5146 [inline]
__schedule+0x93f/0x2630 kernel/sched/core.c:6458
schedule+0xd2/0x1f0 kernel/sched/core.c:6530
rescuer_thread+0x780/0xcf0 kernel/workqueue.c:2599
kthread+0x2ef/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
</TASK>
task:netns state:I stack:30920 pid: 5 ppid: 2 flags:0x00004000
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5146 [inline]
__schedule+0x93f/0x2630 kernel/sched/core.c:6458
schedule+0xd2/0x1f0 kernel/sched/core.c:6530
rescuer_thread+0x780/0xcf0 kernel/workqueue.c:2599
kthread+0x2ef/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
</TASK>
task:kworker/0:0H state:I stack:29672 pid: 7 ppid: 2 flags:0x00004000
Workqueue: 0x0 (events_highpri)
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5146 [inline]
__schedule+0x93f/0x2630 kernel/sched/core.c:6458
schedule+0xd2/0x1f0 kernel/sched/core.c:6530
worker_thread+0x15c/0x1080 kernel/workqueue.c:2457
kthread+0x2ef/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
</TASK>
task:kworker/0:1H state:I stack:27816 pid: 9 ppid: 2 flags:0x00004000
Workqueue: 0x0 (events_highpri)
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5146 [inline]
__schedule+0x93f/0x2630 kernel/sched/core.c:6458
schedule+0xd2/0x1f0 kernel/sched/core.c:6530
worker_thread+0x15c/0x1080 kernel/workqueue.c:2457
kthread+0x2ef/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
</TASK>
task:mm_percpu_wq state:I stack:30920 pid: 10 ppid: 2 flags:0x00004000
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5146 [inline]
__schedule+0x93f/0x2630 kernel/sched/core.c:6458
schedule+0xd2/0x1f0 kernel/sched/core.c:6530
rescuer_thread+0x780/0xcf0 kernel/workqueue.c:2599
kthread+0x2ef/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
</TASK>
task:rcu_tasks_kthre state:I stack:28992 pid: 11 ppid: 2 flags:0x00004000
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5146 [inline]
__schedule+0x93f/0x2630 kernel/sched/core.c:6458
schedule+0xd2/0x1f0 kernel/sched/core.c:6530
rcu_tasks_kthread+0x462/0xb40 kernel/rcu/tasks.h:520
kthread+0x2ef/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
</TASK>
task:kworker/0:1 state:I stack:29408 pid: 12 ppid: 2 flags:0x00004000
Workqueue: 0x0 (rcu_gp)
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5146 [inline]
__schedule+0x93f/0x2630 kernel/sched/core.c:6458
schedule+0xd2/0x1f0 kernel/sched/core.c:6530
worker_thread+0x15c/0x1080 kernel/workqueue.c:2457
kthread+0x2ef/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
</TASK>
task:ksoftirqd/0 state:S stack:25200 pid: 13 ppid: 2 flags:0x00004000
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5146 [inline]
__schedule+0x93f/0x2630 kernel/sched/core.c:6458
schedule+0xd2/0x1f0 kernel/sched/core.c:6530
smpboot_thread_fn+0x2eb/0x9c0 kernel/smpboot.c:160
kthread+0x2ef/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
</TASK>
task:rcu_preempt state:I stack:29528 pid: 14 ppid: 2 flags:0x00004000
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5146 [inline]
__schedule+0x93f/0x2630 kernel/sched/core.c:6458
schedule+0xd2/0x1f0 kernel/sched/core.c:6530
rcu_gp_kthread+0x1d4/0x250 kernel/rcu/tree.c:2171
kthread+0x2ef/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
</TASK>
task:migration/0 state:S stack:30376 pid: 15 ppid: 2 flags:0x00004000
Stopper: 0x0 <- 0x0
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5146 [inline]
__schedule+0x93f/0x2630 kernel/sched/core.c:6458
schedule+0xd2/0x1f0 kernel/sched/core.c:6530
smpboot_thread_fn+0x2eb/0x9c0 kernel/smpboot.c:160
kthread+0x2ef/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
</TASK>
task:cpuhp/0 state:S stack:27920 pid: 16 ppid: 2 flags:0x00004000
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5146 [inline]
__schedule+0x93f/0x2630 kernel/sched/core.c:6458
schedule+0xd2/0x1f0 kernel/sched/core.c:6530
smpboot_thread_fn+0x2eb/0x9c0 kernel/smpboot.c:160
kthread+0x2ef/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
</TASK>
task:cpuhp/1 state:S stack:27936 pid: 17 ppid: 2 flags:0x00004000
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5146 [inline]
__schedule+0x93f/0x2630 kernel/sched/core.c:6458
schedule+0xd2/0x1f0 kernel/sched/core.c:6530
smpboot_thread_fn+0x2eb/0x9c0 kernel/smpboot.c:160
kthread+0x2ef/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
</TASK>
task:migration/1 state:S stack:30536 pid: 18 ppid: 2 flags:0x00004000
Stopper: 0x0 <- 0x0
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5146 [inline]
__schedule+0x93f/0x2630 kernel/sched/core.c:6458
schedule+0xd2/0x1f0 kernel/sched/core.c:6530
smpboot_thread_fn+0x2eb/0x9c0 kernel/smpboot.c:160
kthread+0x2ef/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
</TASK>
task:ksoftirqd/1 state:S stack:25488 pid: 19 ppid: 2 flags:0x00004000
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5146 [inline]
__schedule+0x93f/0x2630 kernel/sched/core.c:6458
schedule+0xd2/0x1f0 kernel/sched/core.c:6530
smpboot_thread_fn+0x2eb/0x9c0 kernel/smpboot.c:160
kthread+0x2ef/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
</TASK>
task:kworker/1:0 state:I stack:29592 pid: 20 ppid: 2 flags:0x00004000
Workqueue: 0x0 (events)
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5146 [inline]
__schedule+0x93f/0x2630 kernel/sched/core.c:6458
schedule+0xd2/0x1f0 kernel/sched/core.c:6530
worker_thread+0x15c/0x1080 kernel/workqueue.c:2457
kthread+0x2ef/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
</TASK>
task:kworker/1:0H state:I stack:28952 pid: 21 ppid: 2 flags:0x00004000
Workqueue: 0x0 (events_highpri)
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5146 [inline]
__schedule+0x93f/0x2630 kernel/sched/core.c:6458
schedule+0xd2/0x1f0 kernel/sched/core.c:6530
worker_thread+0x15c/0x1080 kernel/workqueue.c:2457
kthread+0x2ef/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
</TASK>
task:kdevtmpfs state:S stack:27808 pid: 22 ppid: 2 flags:0x00004000
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5146 [inline]
__schedule+0x93f/0x2630 kernel/sched/core.c:6458
schedule+0xd2/0x1f0 kernel/sched/core.c:6530
devtmpfs_work_loop drivers/base/devtmpfs.c:415 [inline]
devtmpfsd+0x286/0x2a3 drivers/base/devtmpfs.c:448
kthread+0x2ef/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
</TASK>
task:inet_frag_wq state:I stack:30328 pid: 23 ppid: 2 flags:0x00004000
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5146 [inline]
__schedule+0x93f/0x2630 kernel/sched/core.c:6458
schedule+0xd2/0x1f0 kernel/sched/core.c:6530
rescuer_thread+0x780/0xcf0 kernel/workqueue.c:2599
kthread+0x2ef/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
</TASK>
task:kworker/1:1 state:R running task stack:20672 pid: 24 ppid: 2 flags:0x00004000
Workqueue: 0x0 (events)
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5146 [inline]
__schedule+0x93f/0x2630 kernel/sched/core.c:6458
schedule+0xd2/0x1f0 kernel/sched/core.c:6530
worker_thread+0x15c/0x1080 kernel/workqueue.c:2457
kthread+0x2ef/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
</TASK>
task:kauditd state:S stack:30008 pid: 25 ppid: 2 flags:0x00004000
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5146 [inline]
__schedule+0x93f/0x2630 kernel/sched/core.c:6458
schedule+0xd2/0x1f0 kernel/sched/core.c:6530
freezable_schedule include/linux/freezer.h:172 [inline]
kauditd_thread+0x5f8/0xba0 kernel/audit.c:903
kthread+0x2ef/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
</TASK>
task:khungtaskd state:S stack:30576 pid: 26 ppid: 2 flags:0x00004000
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5146 [inline]
__schedule+0x93f/0x2630 kernel/sched/core.c:6458
schedule+0xd2/0x1f0 kernel/sched/core.c:6530
schedule_timeout+0x14a/0x2a0 kernel/time/timer.c:1935
watchdog+0xf9/0xf50 kernel/hung_task.c:373
kthread+0x2ef/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
</TASK>
task:oom_reaper state:S stack:30320 pid: 27 ppid: 2 flags:0x00004000
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5146 [inline]
__schedule+0x93f/0x2630 kernel/sched/core.c:6458
schedule+0xd2/0x1f0 kernel/sched/core.c:6530
freezable_schedule include/linux/freezer.h:172 [inline]
oom_reaper+0xa66/0xd90 mm/oom_kill.c:646
kthread+0x2ef/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
</TASK>
task:kworker/u4:1 state:I stack:25632 pid: 28 ppid: 2 flags:0x00004000
Workqueue: 0x0 (events_unbound)
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5146 [inline]
__schedule+0x93f/0x2630 kernel/sched/core.c:6458
schedule+0xd2/0x1f0 kernel/sched/core.c:6530
worker_thread+0x15c/0x1080 kernel/workqueue.c:2457
kthread+0x2ef/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
</TASK>
task:writeback state:I stack:30112 pid: 29 ppid: 2 flags:0x00004000
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5146 [inline]
__schedule+0x93f/0x2630 kernel/sched/core.c:6458
schedule+0xd2/0x1f0 kernel/sched/core.c:6530
rescuer_thread+0x780/0xcf0 kernel/workqueue.c:2599
kthread+0x2ef/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
</TASK>
task:kcompactd0 state:S stack:29864 pid: 30 ppid: 2 flags:0x00004000
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5146 [inline]
__schedule+0x93f/0x2630 kernel/sched/core.c:6458
schedule+0xd2/0x1f0 kernel/sched/core.c:6530
schedule_timeout+0x14a/0x2a0 kernel/time/timer.c:1935
freezable_schedule_timeout include/linux/freezer.h:192 [inline]
kcompactd+0xa10/0xeb0 mm/compaction.c:2950
kthread+0x2ef/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
</TASK>
task:kblockd state:I stack:30112 pid: 31 ppid: 2 flags:0x00004000
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5146 [inline]
__schedule+0x93f/0x2630 kernel/sched/core.c:6458
schedule+0xd2/0x1f0 kernel/sched/core.c:6530
rescuer_thread+0x780/0xcf0 kernel/workqueue.c:2599
kthread+0x2ef/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
</TASK>
task:blkcg_punt_bio state:I stack:30920 pid: 32 ppid: 2 flags:0x00004000
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5146 [inline]
__schedule+0x93f/0x2630 kernel/sched/core.c:6458
schedule+0xd2/0x1f0 kernel/sched/core.c:6530
rescuer_thread+0x780/0xcf0 kernel/workqueue.c:2599
kthread+0x2ef/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
</TASK>
task:tpm_dev_wq state:I stack:30632 pid: 33 ppid: 2 flags:0x00004000
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5146 [inline]
__schedule+0x93f/0x2630 kernel/sched/core.c:6458
schedule+0xd2/0x1f0 kernel/sched/core.c:6530
rescuer_thread+0x780/0xcf0 kernel/workqueue.c:2599
kthread+0x2ef/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
</TASK>
task:ata_sff state:I stack:30328 pid: 34 ppid: 2 flags:0x00004000
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5146 [inline]
__schedule+0x93f/0x2630 kernel/sched/core.c:6458
schedule+0xd2/0x1f0 kernel/sched/core.c:6530
rescuer_thread+0x780/0xcf0 kernel/workqueue.c:2599
kthread+0x2ef/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
</TASK>
task:md state:I stack:30272 pid: 35 ppid: 2 flags:0x00004000
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5146 [inline]
__schedule+0x93f/0x2630 kernel/sched/core.c:6458
schedule+0xd2/0x1f0 kernel/sched/core.c:6530
rescuer_thread+0x780/0xcf0 kernel/workqueue.c:2599
kthread+0x2ef/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
</TASK>
task:edac-poller state:I stack:30632 pid: 36 ppid: 2 flags:0x00004000
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5146 [inline]
__schedule+0x93f/0x2630 kernel/sched/core.c:6458
schedule+0xd2/0x1f0 kernel/sched/core.c:6530
rescuer_thread+0x780/0xcf0 kernel/workqueue.c:2599
kthread+0x2ef/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
</TASK>
task:kworker/1:1H state:I stack:28368 pid: 37 ppid: 2 flags:0x00004000
Workqueue: 0x0 (kblockd)
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5146 [inline]
__schedule+0x93f/0x2630 kernel/sched/core.c:6458
schedule+0xd2/0x1f0 kernel/sched/core.c:6530
worker_thread+0x15c/0x1080 kernel/workqueue.c:2457
kthread+0x2ef/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
</TASK>
task:rpciod state:I stack:30112 pid: 38 ppid: 2 flags:0x00004000
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5146 [inline]
__schedule+0x93f/0x2630 kernel/sched/core.c:6458
schedule+0xd2/0x1f0 kernel/sched/core.c:6530
rescuer_thread+0x780/0xcf0 kernel/workqueue.c:2599
kthread+0x2ef/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
</TASK>
task:xprtiod state:I stack:30920 pid: 39 ppid: 2 flags:0x00004000
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5146 [inline]
__schedule+0x93f/0x2630 kernel/sched/core.c:6458
schedule+0xd2/0x1f0 kernel/sched/core.c:6530
rescuer_thread+0x780/0xcf0 kernel/workqueue.c:2599
kthread+0x2ef/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
</TASK>
task:cfg80211 state:I stack:30920 pid: 40 ppid: 2 flags:0x00004000
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5146 [inline]
__schedule+0x93f/0x2630 kernel/sched/core.c:6458
schedule+0xd2/0x1f0 kernel/sched/core.c:6530
rescuer_thread+0x780/0xcf0 kernel/workqueue.c:2599
kthread+0x2ef/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
</TASK>
task:kswapd0 state:S stack:30336 pid: 65 ppid: 2 flags:0x00004000
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5146 [inline]
__schedule+0x93f/0x2630 kernel/sched/core.c:6458
schedule+0xd2/0x1f0 kernel/sched/core.c:6530
kswapd_try_to_sleep mm/vmscan.c:4382 [inline]
kswapd+0xd39/0xf80 mm/vmscan.c:4444
kthread+0x2ef/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
</TASK>
task:nfsiod state:I stack:30328 pid: 67 ppid: 2 flags:0x00004000
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5146 [inline]
__schedule+0x93f/0x2630 kernel/sched/core.c:6458
schedule+0xd2/0x1f0 kernel/sched/core.c:6530
rescuer_thread+0x780/0xcf0 kernel/workqueue.c:2599
kthread+0x2ef/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
</TASK>
task:kworker/0:2 state:I stack:22480 pid: 71 ppid: 2 flags:0x00004000
Workqueue: 0x0 (events)
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5146 [inline]
__schedule+0x93f/0x2630 kernel/sched/core.c:6458
schedule+0xd2/0x1f0 kernel/sched/core.c:6530
worker_thread+0x15c/0x1080 kernel/workqueue.c:2457
kthread+0x2ef/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
</TASK>
task:acpi_thermal_pm state:I stack:30328 pid: 102 ppid: 2 flags:0x00004000
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5146 [inline]
__schedule+0x93f/0x2630 kernel/sched/core.c:6458
schedule+0xd2/0x1f0 kernel/sched/core.c:6530
rescuer_thread+0x780/0xcf0 kernel/workqueue.c:2599
kthread+0x2ef/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
</TASK>
task:hwrng state:S stack:30048 pid: 149 ppid: 2 flags:0x00004000
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5146 [inline]
__schedule+0x93f/0x2630 kernel/sched/core.c:6458
schedule+0xd2/0x1f0 kernel/sched/core.c:6530
schedule_timeout+0x14a/0x2a0 kernel/time/timer.c:1935
add_hwgenerator_randomness+0x81/0xe0 drivers/char/random.c:856
hwrng_fillfn+0x278/0x370 drivers/char/hw_random/core.c:529
kthread+0x2ef/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
</TASK>
task:scsi_eh_0 state:S stack:30352 pid: 193 ppid: 2 flags:0x00004000
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5146 [inline]
__schedule+0x93f/0x2630 kernel/sched/core.c:6458
schedule+0xd2/0x1f0 kernel/sched/core.c:6530
scsi_error_handler+0x523/0xe30 drivers/scsi/scsi_error.c:2251
kthread+0x2ef/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
</TASK>
task:scsi_tmf_0 state:I stack:30632 pid: 194 ppid: 2 flags:0x00004000
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5146 [inline]
__schedule+0x93f/0x2630 kernel/sched/core.c:6458
schedule+0xd2/0x1f0 kernel/sched/core.c:6530
rescuer_thread+0x780/0xcf0 kernel/workqueue.c:2599
kthread+0x2ef/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
</TASK>
task:target_completi state:I stack:30328 pid: 219 ppid: 2 flags:0x00004000
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5146 [inline]
__schedule+0x93f/0x2630 kernel/sched/core.c:6458
schedule+0xd2/0x1f0 kernel/sched/core.c:6530
rescuer_thread+0x780/0xcf0 kernel/workqueue.c:2599
kthread+0x2ef/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
</TASK>
task:target_submissi state:I stack:30632 pid: 220 ppid: 2 flags:0x00004000
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5146 [inline]
__schedule+0x93f/0x2630 kernel/sched/core.c:6458
schedule+0xd2/0x1f0 kernel/sched/core.c:6530
rescuer_thread+0x780/0xcf0 kernel/workqueue.c:2599
kthread+0x2ef/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
</TASK>
task:xcopy_wq state:I stack:30328 pid: 221 ppid: 2 flags:0x00004000
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5146 [inline]
__schedule+0x93f/0x2630 kernel/sched/core.c:6458
schedule+0xd2/0x1f0 kernel/sched/core.c:6530
rescuer_thread+0x780/0xcf0 kernel/workqueue.c:2599
kthread+0x2ef/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
</TASK>
task:libertastf state:I stack:30632 pid: 289 ppid: 2 flags:0x00004000
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5146 [inline]
__schedule+0x93f/0x2630 kernel/sched/core.c:6458
schedule+0xd2/0x1f0 kernel/sched/core.c:6530
rescuer_thread+0x780/0xcf0 kernel/workqueue.c:2599
kthread+0x2ef/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
</TASK>
task:zd1211rw state:I stack:30328 pid: 308 ppid: 2 flags:0x00004000
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5146 [inline]
__schedule+0x93f/0x2630 kernel/sched/core.c:6458
schedule+0xd2/0x1f0 kernel/sched/core.c:6530
rescuer_thread+0x780/0xcf0 kernel/workqueue.c:2599
kthread+0x2ef/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
</TASK>
task:u132 state:I stack:30392 pid: 372 ppid: 2 flags:0x00004000
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5146 [inline]
__schedule+0x93f/0x2630 kernel/sched/core.c:6458
schedule+0xd2/0x1f0 kernel/sched/core.c:6530
rescuer_thread+0x780/0xcf0 kernel/workqueue.c:2599
kthread+0x2ef/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
</TASK>
task:uas state:I stack:30328 pid: 384 ppid: 2 flags:0x00004000
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5146 [inline]
__schedule+0x93f/0x2630 kernel/sched/core.c:6458
schedule+0xd2/0x1f0 kernel/sched/core.c:6530
rescuer_thread+0x780/0xcf0 kernel/workqueue.c:2599
kthread+0x2ef/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
</TASK>
task:usbip_event state:I stack:30328 pid: 677 ppid: 2 flags:0x00004000
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5146 [inline]
__schedule+0x93f/0x2630 kernel/sched/core.c:6458
schedule+0xd2/0x1f0 kernel/sched/core.c:6530
rescuer_thread+0x780/0xcf0 kernel/workqueue.c:2599
kthread+0x2ef/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
</TASK>
task:pvrusb2-context state:S stack:30584 pid: 886 ppid: 2 flags:0x00004000
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5146 [inline]
__schedule+0x93f/0x2630 kernel/sched/core.c:6458
schedule+0xd2/0x1f0 kernel/sched/core.c:6530
pvr2_context_thread_func+0x5de/0x850 drivers/media/usb/pvrusb2/pvrusb2-context.c:160
kthread+0x2ef/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
</TASK>
task:kworker/u4:3 state:I stack:23408 pid: 898 ppid: 2 flags:0x00004000
Workqueue: 0x0 (flush-8:0)
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5146 [inline]
__schedule+0x93f/0x2630 kernel/sched/core.c:6458
schedule+0xd2/0x1f0 kernel/sched/core.c:6530
worker_thread+0x15c/0x1080 kernel/workqueue.c:2457
kthread+0x2ef/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
</TASK>
task:kvub300c state:I stack:30328 pid: 930 ppid: 2 flags:0x00004000
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5146 [inline]
__schedule+0x93f/0x2630 kernel/sched/core.c:6458
schedule+0xd2/0x1f0 kernel/sched/core.c:6530
rescuer_thread+0x780/0xcf0 kernel/workqueue.c:2599
kthread+0x2ef/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
</TASK>
task:kvub300p state:I stack:30328 pid: 931 ppid: 2 flags:0x00004000
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5146 [inline]
__schedule+0x93f/0x2630 kernel/sched/core.c:6458
schedule+0xd2/0x1f0 kernel/sched/core.c:6530
rescuer_thread+0x780/0xcf0 kernel/workqueue.c:2599
kthread+0x2ef/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
</TASK>
task:kvub300d state:I stack:30632 pid: 932 ppid: 2 flags:0x00004000
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5146 [inline]
__schedule+0x93f/0x2630 kernel/sched/core.c:6458
schedule+0xd2/0x1f0 kernel/sched/core.c:6530
rescuer_thread+0x780/0xcf0 kernel/workqueue.c:2599
kthread+0x2ef/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
</TASK>
task:kmemstick state:I stack:30112 pid: 936 ppid: 2 flags:0x00004000
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5146 [inline]
__schedule+0x93f/0x2630 kernel/sched/core.c:6458
schedule+0xd2/0x1f0 kernel/sched/core.c:6530
rescuer_thread+0x780/0xcf0 kernel/workqueue.c:2599
kthread+0x2ef/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
</TASK>
task:elousb state:I stack:30920 pid: 945 ppid: 2 flags:0x00004000
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5146 [inline]
__schedule+0x93f/0x2630 kernel/sched/core.c:6458
schedule+0xd2/0x1f0 kernel/sched/core.c:6530
rescuer_thread+0x780/0xcf0 kernel/workqueue.c:2599
kthread+0x2ef/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
</TASK>
task:kworker/u4:4 state:I stack:25144 pid: 1030 ppid: 2 flags:0x00004000
Workqueue: 0x0 (events_unbound)
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5146 [inline]
__schedule+0x93f/0x2630 kernel/sched/core.c:6458
schedule+0xd2/0x1f0 kernel/sched/core.c:6530
worker_thread+0x15c/0x1080 kernel/workqueue.c:2457
kthread+0x2ef/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
</TASK>
task:mld state:I stack:30632 pid: 1097 ppid: 2 flags:0x00004000
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5146 [inline]
__schedule+0x93f/0x2630 kernel/sched/core.c:6458
schedule+0xd2/0x1f0 kernel/sched/core.c:6530
rescuer_thread+0x780/0xcf0 kernel/workqueue.c:2599
kthread+0x2ef/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
</TASK>
task:ipv6_addrconf state:I stack:30912 pid: 1098 ppid: 2 flags:0x00004000
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5146 [inline]
__schedule+0x93f/0x2630 kernel/sched/core.c:6458
schedule+0xd2/0x1f0 kernel/sched/core.c:6530
rescuer_thread+0x780/0xcf0 kernel/workqueue.c:2599
kthread+0x2ef/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
</TASK>
task:jbd2/sda1-8 state:D stack:27344 pid: 1146 ppid: 2 flags:0x00004000
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5146 [inline]
__schedule+0x93f/0x2630 kernel/sched/core.c:6458
schedule+0xd2/0x1f0 kernel/sched/core.c:6530
io_schedule+0xba/0x130 kernel/sched/core.c:8645
bit_wait_io+0x12/0xd0 kernel/sched/wait_bit.c:209
__wait_on_bit+0x60/0x190 kernel/sched/wait_bit.c:49
out_of_line_wait_on_bit+0xd5/0x110 kernel/sched/wait_bit.c:64
wait_on_bit_io include/linux/wait_bit.h:101 [inline]
__wait_on_buffer+0x7a/0x90 fs/buffer.c:122
wait_on_buffer include/linux/buffer_head.h:355 [inline]
jbd2_journal_commit_transaction+0x38e5/0x6aa0 fs/jbd2/commit.c:849
kjournald2+0x1d0/0x930 fs/jbd2/journal.c:213
kthread+0x2ef/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
</TASK>
task:ext4-rsv-conver state:I stack:30632 pid: 1147 ppid: 2 flags:0x00004000
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5146 [inline]
__schedule+0x93f/0x2630 kernel/sched/core.c:6458
schedule+0xd2/0x1f0 kernel/sched/core.c:6530
rescuer_thread+0x780/0xcf0 kernel/workqueue.c:2599
kthread+0x2ef/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
</TASK>
task:syslogd state:S stack:26424 pid: 1164 ppid: 1 flags:0x00000000
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5146 [inline]
__schedule+0x93f/0x2630 kernel/sched/core.c:6458
schedule+0xd2/0x1f0 kernel/sched/core.c:6530
schedule_timeout+0x1db/0x2a0 kernel/time/timer.c:1911
__skb_wait_for_more_packets+0x35b/0x5e0 net/core/datagram.c:120
__unix_dgram_recvmsg+0x202/0xb90 net/unix/af_unix.c:2403
sock_recvmsg_nosec net/socket.c:995 [inline]
sock_recvmsg net/socket.c:1013 [inline]
sock_recvmsg net/socket.c:1009 [inline]
sock_read_iter+0x337/0x470 net/socket.c:1086
call_read_iter include/linux/fs.h:2052 [inline]
new_sync_read+0x4f9/0x5f0 fs/read_write.c:401
vfs_read+0x492/0x5d0 fs/read_write.c:482
ksys_read+0x1e8/0x250 fs/read_write.c:620
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7f51280c08fe
RSP: 002b:00007fff6ace0658 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f51280c08fe
RDX: 00000000000000ff RSI: 0000563be7f15950 RDI: 0000000000000000
RBP: 0000563be7f15910 R08: 00007f5128150040 R09: 00007f51281500c0
R10: 00007f512814ffc0 R11: 0000000000000246 R12: 0000563be7f159f2
R13: 0000563be7f15950 R14: 0000000000000000 R15: 0000000000000000
</TASK>
task:acpid state:S stack:24392 pid: 1167 ppid: 1 flags:0x00000000
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5146 [inline]
__schedule+0x93f/0x2630 kernel/sched/core.c:6458
schedule+0xd2/0x1f0 kernel/sched/core.c:6530
schedule_hrtimeout_range_clock+0x343/0x390 kernel/time/hrtimer.c:2296
poll_schedule_timeout.constprop.0+0xb9/0x190 fs/select.c:244
do_select+0x11a1/0x16a0 fs/select.c:607
----------------
Code disassembly (best guess):
0: 8b 3a mov (%rdx),%edi
2: 4c 89 e7 mov %r12,%rdi
5: 48 c7 02 00 00 00 00 movq $0x0,(%rdx)
c: ff d1 callq *%rcx
e: 4d 85 ff test %r15,%r15
11: 75 bf jne 0xffffffd2
13: 4c 89 e7 mov %r12,%rdi
16: e8 62 0d d0 04 callq 0x4d00d7d
1b: e8 9d 6e 2b 00 callq 0x2b6ebd
20: fb sti
21: 65 48 8b 1c 25 c0 6e mov %gs:0x26ec0,%rbx
28: 02 00
* 2a: 48 8d bb 98 14 00 00 lea 0x1498(%rbx),%rdi <-- trapping instruction
31: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
38: fc ff df
3b: 48 89 fa mov %rdi,%rdx
3e: 48 rex.W
3f: c1 .byte 0xc1
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
* [syzbot] general protection fault in blk_mq_free_rqs
@ 2022-02-10 19:17 syzbot
2023-11-10 18:56 ` [syzbot] syzbot
0 siblings, 1 reply; 141+ messages in thread
From: syzbot @ 2022-02-10 19:17 UTC (permalink / raw)
To: axboe, linux-block, linux-kernel, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 90c9e950c0de Merge tag 'for-linus-5.17a-rc3-tag' of git://..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=137905dc700000
kernel config: https://syzkaller.appspot.com/x/.config?x=ee3797346aa03884
dashboard link: https://syzkaller.appspot.com/bug?extid=7295389ef2000630244b
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10801462700000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=135d7524700000
Bisection is inconclusive: the issue happens on the oldest tested release.
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=14b09d42700000
final oops: https://syzkaller.appspot.com/x/report.txt?x=16b09d42700000
console output: https://syzkaller.appspot.com/x/log.txt?x=12b09d42700000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+7295389ef2000630244b@syzkaller.appspotmail.com
general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 0 PID: 3605 Comm: syz-executor139 Not tainted 5.17.0-rc2-syzkaller-00353-g90c9e950c0de #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:blk_mq_clear_rq_mapping block/blk-mq.c:3061 [inline]
RIP: 0010:blk_mq_free_rqs+0x399/0x910 block/blk-mq.c:3106
Code: de e8 8b 83 ac fd 83 fb 3f 0f 87 04 c3 49 05 e8 5d 81 ac fd b8 00 10 00 00 89 d9 48 d3 e0 4c 01 e8 48 89 44 24 08 48 8b 04 24 <0f> b6 00 84 c0 74 08 3c 03 0f 8e bb 03 00 00 41 8b 1f 31 ff 31 ed
RSP: 0018:ffffc900027afaf8 EFLAGS: 00010286
RAX: dffffc0000000000 RBX: 0000000000000004 RCX: 0000000000000004
RDX: ffff888074ef3a00 RSI: ffffffff83cbf733 RDI: 0000000000000003
RBP: ffff888071ce6000 R08: 000000000000003f R09: ffffffff8ffbf99f
R10: ffffffff83cbf725 R11: 0000000000000246 R12: dffffc0000000000
R13: ffff88801a380000 R14: ffff88801a23f000 R15: 0000000000000000
FS: 00007f894cb64700(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f894cc20aa3 CR3: 0000000021f45000 CR4: 0000000000350ef0
Call Trace:
<TASK>
blk_mq_sched_free_rqs block/blk-mq-sched.c:629 [inline]
blk_mq_sched_free_rqs+0x16c/0x270 block/blk-mq-sched.c:618
elevator_switch_mq+0xed/0x720 block/elevator.c:600
blk_mq_elv_switch_none block/blk-mq.c:4445 [inline]
__blk_mq_update_nr_hw_queues block/blk-mq.c:4498 [inline]
blk_mq_update_nr_hw_queues+0x3f1/0xd30 block/blk-mq.c:4548
nbd_start_device+0x157/0xd10 drivers/block/nbd.c:1347
nbd_start_device_ioctl drivers/block/nbd.c:1397 [inline]
__nbd_ioctl drivers/block/nbd.c:1471 [inline]
nbd_ioctl+0x5f3/0xb10 drivers/block/nbd.c:1511
blkdev_ioctl+0x37a/0x800 block/ioctl.c:588
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:874 [inline]
__se_sys_ioctl fs/ioctl.c:860 [inline]
__x64_sys_ioctl+0x193/0x200 fs/ioctl.c:860
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f894cbb7349
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 11 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f894cb642e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f894cc3c4e0 RCX: 00007f894cbb7349
RDX: 0000000000000000 RSI: 000000000000ab03 RDI: 0000000000000007
RBP: 00007f894cc091ac R08: 0000000000000002 R09: 0000000000003331
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f894cc3c4ec
R13: 00007f894cb642f0 R14: 00007f894cc3c4e8 R15: 0000000000000002
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:blk_mq_clear_rq_mapping block/blk-mq.c:3061 [inline]
RIP: 0010:blk_mq_free_rqs+0x399/0x910 block/blk-mq.c:3106
Code: de e8 8b 83 ac fd 83 fb 3f 0f 87 04 c3 49 05 e8 5d 81 ac fd b8 00 10 00 00 89 d9 48 d3 e0 4c 01 e8 48 89 44 24 08 48 8b 04 24 <0f> b6 00 84 c0 74 08 3c 03 0f 8e bb 03 00 00 41 8b 1f 31 ff 31 ed
RSP: 0018:ffffc900027afaf8 EFLAGS: 00010286
RAX: dffffc0000000000 RBX: 0000000000000004 RCX: 0000000000000004
RDX: ffff888074ef3a00 RSI: ffffffff83cbf733 RDI: 0000000000000003
RBP: ffff888071ce6000 R08: 000000000000003f R09: ffffffff8ffbf99f
R10: ffffffff83cbf725 R11: 0000000000000246 R12: dffffc0000000000
R13: ffff88801a380000 R14: ffff88801a23f000 R15: 0000000000000000
FS: 00007f894cb64700(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f894cc20aa3 CR3: 0000000021f45000 CR4: 0000000000350ef0
----------------
Code disassembly (best guess), 1 bytes skipped:
0: e8 8b 83 ac fd callq 0xfdac8390
5: 83 fb 3f cmp $0x3f,%ebx
8: 0f 87 04 c3 49 05 ja 0x549c312
e: e8 5d 81 ac fd callq 0xfdac8170
13: b8 00 10 00 00 mov $0x1000,%eax
18: 89 d9 mov %ebx,%ecx
1a: 48 d3 e0 shl %cl,%rax
1d: 4c 01 e8 add %r13,%rax
20: 48 89 44 24 08 mov %rax,0x8(%rsp)
25: 48 8b 04 24 mov (%rsp),%rax
* 29: 0f b6 00 movzbl (%rax),%eax <-- trapping instruction
2c: 84 c0 test %al,%al
2e: 74 08 je 0x38
30: 3c 03 cmp $0x3,%al
32: 0f 8e bb 03 00 00 jle 0x3f3
38: 41 8b 1f mov (%r15),%ebx
3b: 31 ff xor %edi,%edi
3d: 31 ed xor %ebp,%ebp
* general protection fault in try_to_wake_up (2)
@ 2021-02-26 14:48 syzbot
2024-07-25 16:29 ` [syzbot] syzbot
0 siblings, 1 reply; 141+ messages in thread
From: syzbot @ 2021-02-26 14:48 UTC (permalink / raw)
To: asml.silence, axboe, christian, io-uring, linux-fsdevel, linux-kernel, syzkaller-bugs, viro
Hello,
syzbot found the following issue on:
HEAD commit: 7f206cf3 Add linux-next specific files for 20210225
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=15280e32d00000
kernel config: https://syzkaller.appspot.com/x/.config?x=a1746d2802a82a05
dashboard link: https://syzkaller.appspot.com/bug?extid=b4a81dc8727e513f364d
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10bc8466d00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14f5bf5ad00000
The issue was bisected to:
commit 7c25c0d16ef3c37e49c593ac92f69fa3884d4bb9
Author: Jens Axboe <axboe@kernel.dk>
Date: Tue Feb 16 14:17:00 2021 +0000
io_uring: remove the need for relying on an io-wq fallback worker
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=14269b96d00000
final oops: https://syzkaller.appspot.com/x/report.txt?x=16269b96d00000
console output: https://syzkaller.appspot.com/x/log.txt?x=12269b96d00000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+b4a81dc8727e513f364d@syzkaller.appspotmail.com
Fixes: 7c25c0d16ef3 ("io_uring: remove the need for relying on an io-wq fallback worker")
general protection fault, probably for non-canonical address 0xdffffc000000011a: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x00000000000008d0-0x00000000000008d7]
CPU: 0 PID: 8677 Comm: iou-wrk-8423 Not tainted 5.11.0-next-20210225-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__lock_acquire+0xcfe/0x54c0 kernel/locking/lockdep.c:4770
Code: 0c 0e 41 bf 01 00 00 00 0f 86 8c 00 00 00 89 05 08 41 0c 0e e9 81 00 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 f2 48 c1 ea 03 <80> 3c 02 00 0f 85 5b 31 00 00 49 81 3e 80 73 3a 8f 0f 84 d0 f3 ff
RSP: 0018:ffffc9000213f988 EFLAGS: 00010002
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 000000000000011a RSI: 1ffff92000427f42 RDI: 00000000000008d0
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000001
R10: 0000000000000001 R11: 0000000000000000 R12: ffff88801ae7d400
R13: 0000000000000000 R14: 00000000000008d0 R15: 0000000000000000
FS: 000000000088a400(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fa46e8f46c0 CR3: 000000001be5b000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
lock_acquire kernel/locking/lockdep.c:5510 [inline]
lock_acquire+0x1ab/0x730 kernel/locking/lockdep.c:5475
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0x39/0x50 kernel/locking/spinlock.c:159
try_to_wake_up+0x98/0x14a0 kernel/sched/core.c:3347
io_wqe_wake_worker+0x51a/0x680 fs/io-wq.c:248
io_wqe_dec_running.isra.0+0xe6/0x100 fs/io-wq.c:265
__io_worker_busy fs/io-wq.c:296 [inline]
io_worker_handle_work+0x34f/0x1950 fs/io-wq.c:449
io_wqe_worker fs/io-wq.c:531 [inline]
task_thread.isra.0+0xfa8/0x1340 fs/io-wq.c:608
task_thread_bound+0x18/0x20 fs/io-wq.c:614
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
Modules linked in:
---[ end trace 1ccdee97cc2e65dd ]---
RIP: 0010:__lock_acquire+0xcfe/0x54c0 kernel/locking/lockdep.c:4770
Code: 0c 0e 41 bf 01 00 00 00 0f 86 8c 00 00 00 89 05 08 41 0c 0e e9 81 00 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 f2 48 c1 ea 03 <80> 3c 02 00 0f 85 5b 31 00 00 49 81 3e 80 73 3a 8f 0f 84 d0 f3 ff
RSP: 0018:ffffc9000213f988 EFLAGS: 00010002
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 000000000000011a RSI: 1ffff92000427f42 RDI: 00000000000008d0
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000001
R10: 0000000000000001 R11: 0000000000000000 R12: ffff88801ae7d400
R13: 0000000000000000 R14: 00000000000008d0 R15: 0000000000000000
FS: 000000000088a400(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fa46e8f46c0 CR3: 000000001be5b000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
* BUG: Bad page state (8)
@ 2021-02-01 10:07 syzbot
2024-10-28 14:11 ` [syzbot] syzbot
0 siblings, 1 reply; 141+ messages in thread
From: syzbot @ 2021-02-01 10:07 UTC (permalink / raw)
To: akpm, linux-kernel, linux-mm, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: d03154e8 Add linux-next specific files for 20210128
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=16156808d00000
kernel config: https://syzkaller.appspot.com/x/.config?x=6953ffb584722a1
dashboard link: https://syzkaller.appspot.com/bug?extid=97ef6376738cb5104a71
compiler: gcc (GCC) 10.1.0-syz 20200507
Unfortunately, I don't have any reproducer for this issue yet.
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+97ef6376738cb5104a71@syzkaller.appspotmail.com
BUG: Bad page state in process syz-executor.4 pfn:369c1
page:0000000025f15602 refcount:0 mapcount:0 mapping:0000000000000000 index:0x3d pfn:0x369c1
flags: 0xfff00000020005(locked|uptodate|mappedtodisk)
raw: 00fff00000020005 dead000000000100 dead000000000122 0000000000000000
raw: 000000000000003d 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set
Modules linked in:
CPU: 1 PID: 24274 Comm: syz-executor.4 Not tainted 5.11.0-rc5-next-20210128-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:79 [inline]
dump_stack+0x107/0x163 lib/dump_stack.c:120
bad_page.cold+0x9c/0xbd mm/page_alloc.c:643
check_free_page_bad mm/page_alloc.c:1139 [inline]
check_free_page mm/page_alloc.c:1149 [inline]
free_pages_prepare mm/page_alloc.c:1265 [inline]
free_pcp_prepare+0x300/0x400 mm/page_alloc.c:1306
free_unref_page_prepare mm/page_alloc.c:3201 [inline]
free_unref_page+0x12/0x1b0 mm/page_alloc.c:3249
__put_single_page mm/swap.c:97 [inline]
__put_page+0xe1/0x3e0 mm/swap.c:128
put_page include/linux/mm.h:1216 [inline]
filemap_update_page mm/filemap.c:2326 [inline]
filemap_get_pages+0x1312/0x1920 mm/filemap.c:2415
filemap_read+0x2c5/0xe40 mm/filemap.c:2475
generic_file_read_iter+0x397/0x4f0 mm/filemap.c:2626
ext4_file_read_iter+0x1d4/0x5d0 fs/ext4/file.c:130
call_read_iter include/linux/fs.h:1971 [inline]
generic_file_splice_read+0x450/0x6c0 fs/splice.c:311
do_splice_to+0x1bf/0x250 fs/splice.c:796
splice_direct_to_actor+0x2c2/0x8c0 fs/splice.c:870
do_splice_direct+0x1b3/0x280 fs/splice.c:979
do_sendfile+0x9f0/0x1110 fs/read_write.c:1261
__do_sys_sendfile64 fs/read_write.c:1326 [inline]
__se_sys_sendfile64 fs/read_write.c:1312 [inline]
__x64_sys_sendfile64+0x1cc/0x210 fs/read_write.c:1312
do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x45e219
Code: 0d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fe714568c68 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 000000000045e219
RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000003
RBP: 000000000119bfc8 R08: 0000000000000000 R09: 0000000000000000
R10: 00008400fffffff6 R11: 0000000000000246 R12: 000000000119bf8c
R13: 00007ffd78dca10f R14: 00007fe7145699c0 R15: 000000000119bf8c
* WARNING in drop_nlink (2)
@ 2020-10-13 17:02 syzbot
2024-11-20 15:35 ` [syzbot] syzbot
From: syzbot @ 2020-10-13 17:02 UTC (permalink / raw)
To: linux-fsdevel, linux-kernel, syzkaller-bugs, viro
Hello,
syzbot found the following issue on:
HEAD commit: 583090b1 Merge tag 'block5.9-2020-10-08' of git://git.kern..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14531384500000
kernel config: https://syzkaller.appspot.com/x/.config?x=de7f697da23057c7
dashboard link: https://syzkaller.appspot.com/bug?extid=651ca866e5e2b4b5095b
compiler: clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11126817900000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1705b5bf900000
Bisection is inconclusive: the issue happens on the oldest tested release.
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=133e1210500000
final oops: https://syzkaller.appspot.com/x/report.txt?x=10be1210500000
console output: https://syzkaller.appspot.com/x/log.txt?x=173e1210500000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+651ca866e5e2b4b5095b@syzkaller.appspotmail.com
MINIX-fs: mounting unchecked file system, running fsck is recommended
------------[ cut here ]------------
WARNING: CPU: 0 PID: 6857 at fs/inode.c:303 drop_nlink+0xb9/0x100 fs/inode.c:303
Kernel panic - not syncing: panic_on_warn set ...
CPU: 0 PID: 6857 Comm: syz-executor857 Not tainted 5.9.0-rc8-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1d6/0x29e lib/dump_stack.c:118
panic+0x2c0/0x800 kernel/panic.c:231
__warn+0x227/0x250 kernel/panic.c:600
report_bug+0x1b1/0x2e0 lib/bug.c:198
handle_bug+0x42/0x80 arch/x86/kernel/traps.c:234
exc_invalid_op+0x16/0x40 arch/x86/kernel/traps.c:254
asm_exc_invalid_op+0x12/0x20 arch/x86/include/asm/idtentry.h:536
RIP: 0010:drop_nlink+0xb9/0x100 fs/inode.c:303
Code: 49 8b 1e 48 8d bb b8 07 00 00 be 08 00 00 00 e8 9d 46 ef ff f0 48 ff 83 b8 07 00 00 5b 41 5c 41 5e 41 5f 5d c3 e8 87 92 af ff <0f> 0b eb 8a 44 89 e1 80 e1 07 80 c1 03 38 c1 0f 8c 63 ff ff ff 4c
RSP: 0018:ffffc900010d7c50 EFLAGS: 00010293
RAX: ffffffff81c56b69 RBX: 1ffff11010a15c21 RCX: ffff88809190c1c0
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: ffffffff81c56aee R09: fffffbfff16c82b0
R10: fffffbfff16c82b0 R11: 0000000000000000 R12: ffff8880850ae108
R13: ffffc900010d7ca8 R14: ffff8880850ae0c0 R15: dffffc0000000000
inode_dec_link_count include/linux/fs.h:2190 [inline]
minix_rename+0x42b/0x7f0 fs/minix/namei.c:226
vfs_rename+0xa5f/0x1500 fs/namei.c:4309
do_renameat2+0x84a/0x1070 fs/namei.c:4456
__do_sys_renameat fs/namei.c:4497 [inline]
__se_sys_renameat fs/namei.c:4494 [inline]
__x64_sys_renameat+0x9a/0xb0 fs/namei.c:4494
do_syscall_64+0x31/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x444729
Code: 8d d7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b d7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffefa186b68 EFLAGS: 00000246 ORIG_RAX: 0000000000000108
RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 0000000000444729
RDX: 0000000000000009 RSI: 0000000020000500 RDI: 000000000000000a
RBP: 00000000006d0018 R08: 00000000004002e0 R09: 00000000004002e0
R10: 00000000200017c0 R11: 0000000000000246 R12: 0000000000402310
R13: 00000000004023a0 R14: 0000000000000000 R15: 0000000000000000
Kernel Offset: disabled
Rebooting in 86400 seconds..
* KASAN: use-after-free Read in __queue_work (3)
@ 2020-08-08 21:27 syzbot
2024-09-06 10:40 ` [syzbot] syzbot
From: syzbot @ 2020-08-08 21:27 UTC (permalink / raw)
To: davem, johan.hedberg, kuba, linux-bluetooth, linux-kernel, marcel, netdev, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: c0842fbc random32: move the pseudo-random 32-bit definitio..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=127a8d66900000
kernel config: https://syzkaller.appspot.com/x/.config?x=cf567e8c7428377e
dashboard link: https://syzkaller.appspot.com/bug?extid=77e5e02c6c81136cdaff
compiler: gcc (GCC) 10.1.0-syz 20200507
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=140e36a4900000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+77e5e02c6c81136cdaff@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in __queue_work+0xc6c/0xf20 kernel/workqueue.c:1412
Read of size 4 at addr ffff88809f1ab9c0 by task syz-executor.3/16144
CPU: 0 PID: 16144 Comm: syz-executor.3 Not tainted 5.8.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x18f/0x20d lib/dump_stack.c:118
print_address_description.constprop.0.cold+0xae/0x436 mm/kasan/report.c:383
__kasan_report mm/kasan/report.c:513 [inline]
kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
__queue_work+0xc6c/0xf20 kernel/workqueue.c:1412
queue_work_on+0x18b/0x200 kernel/workqueue.c:1518
queue_work include/linux/workqueue.h:507 [inline]
req_run+0x2c5/0x4a0 net/bluetooth/hci_request.c:90
hci_req_run_skb net/bluetooth/hci_request.c:102 [inline]
__hci_req_sync+0x1dd/0x830 net/bluetooth/hci_request.c:215
hci_req_sync+0x8a/0xc0 net/bluetooth/hci_request.c:282
hci_dev_cmd+0x5b3/0x950 net/bluetooth/hci_core.c:2011
hci_sock_ioctl+0x3fa/0x800 net/bluetooth/hci_sock.c:1053
sock_do_ioctl+0xcb/0x2d0 net/socket.c:1048
sock_ioctl+0x3b8/0x730 net/socket.c:1199
vfs_ioctl fs/ioctl.c:48 [inline]
ksys_ioctl+0x11a/0x180 fs/ioctl.c:753
__do_sys_ioctl fs/ioctl.c:762 [inline]
__se_sys_ioctl fs/ioctl.c:760 [inline]
__x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:760
do_syscall_64+0x60/0xe0 arch/x86/entry/common.c:384
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x45cce9
Code: 2d b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb b5 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f18d49bfc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 000000000001d300 RCX: 000000000045cce9
RDX: 0000000020000000 RSI: 00000000400448de RDI: 0000000000000004
RBP: 000000000078c080 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000078c04c
R13: 00007ffc84a6ab1f R14: 00007f18d49c09c0 R15: 000000000078c04c
Allocated by task 9187:
save_stack+0x1b/0x40 mm/kasan/common.c:48
set_track mm/kasan/common.c:56 [inline]
__kasan_kmalloc.constprop.0+0xc2/0xd0 mm/kasan/common.c:494
__do_kmalloc mm/slab.c:3656 [inline]
__kmalloc+0x17a/0x340 mm/slab.c:3665
kmalloc include/linux/slab.h:560 [inline]
kzalloc include/linux/slab.h:669 [inline]
alloc_workqueue+0x166/0xe50 kernel/workqueue.c:4265
hci_register_dev+0x1b5/0x930 net/bluetooth/hci_core.c:3509
__vhci_create_device+0x2ac/0x5b0 drivers/bluetooth/hci_vhci.c:124
vhci_create_device drivers/bluetooth/hci_vhci.c:148 [inline]
vhci_open_timeout+0x38/0x50 drivers/bluetooth/hci_vhci.c:305
process_one_work+0x94c/0x1670 kernel/workqueue.c:2269
worker_thread+0x64c/0x1120 kernel/workqueue.c:2415
kthread+0x3b5/0x4a0 kernel/kthread.c:292
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293
Freed by task 16170:
save_stack+0x1b/0x40 mm/kasan/common.c:48
set_track mm/kasan/common.c:56 [inline]
kasan_set_free_info mm/kasan/common.c:316 [inline]
__kasan_slab_free+0xf5/0x140 mm/kasan/common.c:455
__cache_free mm/slab.c:3426 [inline]
kfree+0x103/0x2c0 mm/slab.c:3757
rcu_do_batch kernel/rcu/tree.c:2427 [inline]
rcu_core+0x5c7/0x1190 kernel/rcu/tree.c:2655
__do_softirq+0x2de/0xa24 kernel/softirq.c:298
The buggy address belongs to the object at ffff88809f1ab800
which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 448 bytes inside of
1024-byte region [ffff88809f1ab800, ffff88809f1abc00)
The buggy address belongs to the page:
page:ffffea00027c6ac0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea00028becc8 ffffea00028ddbc8 ffff8880aa000c40
raw: 0000000000000000 ffff88809f1ab000 0000000100000002 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88809f1ab880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88809f1ab900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88809f1ab980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88809f1aba00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88809f1aba80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
* KASAN: use-after-free Read in __sco_sock_close
@ 2020-08-04 15:46 syzbot
2024-09-06 10:35 ` [syzbot] syzbot
From: syzbot @ 2020-08-04 15:46 UTC (permalink / raw)
To: davem, johan.hedberg, kuba, linux-bluetooth, linux-kernel, marcel, netdev, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: bcf87687 Linux 5.8
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=107dbe0a900000
kernel config: https://syzkaller.appspot.com/x/.config?x=4b489d75d0c8859d
dashboard link: https://syzkaller.appspot.com/bug?extid=a9b58a6aa2a3e1d37f87
compiler: clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=145f6342900000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+a9b58a6aa2a3e1d37f87@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in debug_spin_lock_before kernel/locking/spinlock_debug.c:83 [inline]
BUG: KASAN: use-after-free in do_raw_spin_lock+0x5e1/0x800 kernel/locking/spinlock_debug.c:112
Read of size 4 at addr ffff8880a74d4e8c by task syz-executor.5/18383
CPU: 1 PID: 18383 Comm: syz-executor.5 Not tainted 5.8.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1f0/0x31e lib/dump_stack.c:118
print_address_description+0x66/0x5a0 mm/kasan/report.c:383
__kasan_report mm/kasan/report.c:513 [inline]
kasan_report+0x132/0x1d0 mm/kasan/report.c:530
debug_spin_lock_before kernel/locking/spinlock_debug.c:83 [inline]
do_raw_spin_lock+0x5e1/0x800 kernel/locking/spinlock_debug.c:112
spin_lock include/linux/spinlock.h:353 [inline]
sco_chan_del net/bluetooth/sco.c:142 [inline]
__sco_sock_close+0x408/0xed0 net/bluetooth/sco.c:433
sco_sock_close net/bluetooth/sco.c:447 [inline]
sco_sock_release+0x63/0x4f0 net/bluetooth/sco.c:1021
__sock_release net/socket.c:605 [inline]
sock_close+0xd8/0x260 net/socket.c:1278
__fput+0x2f0/0x750 fs/file_table.c:281
task_work_run+0x137/0x1c0 kernel/task_work.c:135
get_signal+0x15ab/0x1d30 kernel/signal.c:2547
do_signal+0x33/0x610 arch/x86/kernel/signal.c:810
exit_to_usermode_loop arch/x86/entry/common.c:235 [inline]
__prepare_exit_to_usermode+0xd7/0x1e0 arch/x86/entry/common.c:269
do_syscall_64+0x7f/0xe0 arch/x86/entry/common.c:393
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x45cce9
Code: 2d b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb b5 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ff2665afc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
RAX: fffffffffffffffc RBX: 0000000000002140 RCX: 000000000045cce9
RDX: 0000000000000008 RSI: 0000000020000000 RDI: 0000000000000006
RBP: 000000000078bf40 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000078bf0c
R13: 00007ffdf046a56f R14: 00007ff2665b09c0 R15: 000000000078bf0c
Allocated by task 18383:
save_stack mm/kasan/common.c:48 [inline]
set_track mm/kasan/common.c:56 [inline]
__kasan_kmalloc+0x103/0x140 mm/kasan/common.c:494
kmem_cache_alloc_trace+0x234/0x300 mm/slab.c:3551
kmalloc include/linux/slab.h:555 [inline]
kzalloc include/linux/slab.h:669 [inline]
sco_conn_add net/bluetooth/sco.c:112 [inline]
sco_connect net/bluetooth/sco.c:247 [inline]
sco_sock_connect+0x3c6/0xaa0 net/bluetooth/sco.c:576
__sys_connect_file net/socket.c:1854 [inline]
__sys_connect+0x2da/0x360 net/socket.c:1871
__do_sys_connect net/socket.c:1882 [inline]
__se_sys_connect net/socket.c:1879 [inline]
__x64_sys_connect+0x76/0x80 net/socket.c:1879
do_syscall_64+0x73/0xe0 arch/x86/entry/common.c:384
entry_SYSCALL_64_after_hwframe+0x44/0xa9
Freed by task 8113:
save_stack mm/kasan/common.c:48 [inline]
set_track mm/kasan/common.c:56 [inline]
kasan_set_free_info mm/kasan/common.c:316 [inline]
__kasan_slab_free+0x114/0x170 mm/kasan/common.c:455
__cache_free mm/slab.c:3426 [inline]
kfree+0x10a/0x220 mm/slab.c:3757
sco_connect_cfm+0x96/0x7e0 net/bluetooth/sco.c:1136
hci_connect_cfm include/net/bluetooth/hci_core.h:1340 [inline]
hci_sco_setup+0xf0/0x3e0 net/bluetooth/hci_conn.c:399
hci_conn_complete_evt net/bluetooth/hci_event.c:2641 [inline]
hci_event_packet+0x1258e/0x18260 net/bluetooth/hci_event.c:6033
hci_rx_work+0x236/0x9c0 net/bluetooth/hci_core.c:4705
process_one_work+0x789/0xfc0 kernel/workqueue.c:2269
worker_thread+0xaa4/0x1460 kernel/workqueue.c:2415
kthread+0x37e/0x3a0 drivers/block/aoe/aoecmd.c:1234
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293
The buggy address belongs to the object at ffff8880a74d4e80
which belongs to the cache kmalloc-96 of size 96
The buggy address is located 12 bytes inside of
96-byte region [ffff8880a74d4e80, ffff8880a74d4ee0)
The buggy address belongs to the page:
page:ffffea00029d3500 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea00023cae88 ffffea000288c588 ffff8880aa400540
raw: 0000000000000000 ffff8880a74d4000 0000000100000020 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880a74d4d80: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
ffff8880a74d4e00: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
>ffff8880a74d4e80: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
^
ffff8880a74d4f00: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc
ffff8880a74d4f80: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
==================================================================
* WARNING in csum_and_copy_to_iter
@ 2018-11-24 19:40 syzbot
2023-11-24 10:30 ` [syzbot] syzbot
From: syzbot @ 2018-11-24 19:40 UTC (permalink / raw)
To: davem, gregkh, kgraul, linux-kernel, netdev, stranche, syzkaller-bugs, viro
Hello,
syzbot found the following crash on:
HEAD commit: edeca3a769ad Merge tag 'sound-4.20-rc4' of git://git.kerne..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12bee26d400000
kernel config: https://syzkaller.appspot.com/x/.config?x=73e2bc0cb6463446
dashboard link: https://syzkaller.appspot.com/bug?extid=ce18da013d76d837144d
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15ccd1f5400000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+ce18da013d76d837144d@syzkaller.appspotmail.com
8021q: adding VLAN 0 to HW filter on device team0
8021q: adding VLAN 0 to HW filter on device team0
8021q: adding VLAN 0 to HW filter on device team0
8021q: adding VLAN 0 to HW filter on device team0
8021q: adding VLAN 0 to HW filter on device team0
WARNING: CPU: 1 PID: 7440 at lib/iov_iter.c:1443
csum_and_copy_to_iter+0x73a/0x14f0 lib/iov_iter.c:1443
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 7440 Comm: syz-executor2 Not tainted 4.20.0-rc3+ #345
kobject: 'loop0' (00000000da2348da): kobject_uevent_env
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x244/0x39d lib/dump_stack.c:113
panic+0x2ad/0x55c kernel/panic.c:188
kobject: 'loop0' (00000000da2348da): fill_kobj_path: path = '/devices/virtual/block/loop0'
__warn.cold.8+0x20/0x45 kernel/panic.c:540
report_bug+0x254/0x2d0 lib/bug.c:186
fixup_bug arch/x86/kernel/traps.c:178 [inline]
do_error_trap+0x11b/0x200 arch/x86/kernel/traps.c:271
do_invalid_op+0x36/0x40 arch/x86/kernel/traps.c:290
WARNING: CPU: 0 PID: 7446 at lib/iov_iter.c:1443
csum_and_copy_to_iter+0x73a/0x14f0 lib/iov_iter.c:1443
Modules linked in:
invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:969
CPU: 0 PID: 7446 Comm: syz-executor0 Not tainted 4.20.0-rc3+ #345
RIP: 0010:csum_and_copy_to_iter+0x73a/0x14f0 lib/iov_iter.c:1443
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Code: ee fd 48 83 bd b0 fe ff ff 00 0f 84 48 fc ff ff e9 91 fe ff ff e8 e6 6d ee fd 49 83 c4 10 31 db e9 70 fc ff ff e8 d6 6d ee fd <0f> 0b 48 c7 85 e8 fe ff ff 00 00 00 00 e9 70 fd ff ff 4c 89 f7 e8
RIP: 0010:csum_and_copy_to_iter+0x73a/0x14f0 lib/iov_iter.c:1443
RSP: 0018:ffff8881bc80f368 EFLAGS: 00010293
Code: ee fd 48 83 bd b0 fe ff ff 00 0f 84 48 fc ff ff e9 91 fe ff ff e8 e6 6d ee fd 49 83 c4 10 31 db e9 70 fc ff ff e8 d6 6d ee fd <0f> 0b 48 c7 85 e8 fe ff ff 00 00 00 00 e9 70 fd ff ff 4c 89 f7 e8
RAX: ffff8881c87ca080 RBX: 000000000000038a RCX: ffffffff839116c2
RSP: 0018:ffff8881bbabf368 EFLAGS: 00010293
RDX: 0000000000000000 RSI: ffffffff83911d1a RDI: 0000000000000005
RAX: ffff8881caf18080 RBX: 000000000000038a RCX: ffffffff839116c2
RBP: ffff8881bc80f4f8 R08: ffff8881c87ca080 R09: 0000000000000006
RDX: 0000000000000000 RSI: ffffffff83911d1a RDI: 0000000000000005
R10: 0000000000000000 R11: ffff8881c87ca080 R12: 0000000000000000
RBP: ffff8881bbabf4f8 R08: ffff8881caf18080 R09: 0000000000000006
R13: 0000000000000008 R14: ffff8881bc80fa50 R15: 000000000000038a
R10: 0000000000000000 R11: ffff8881caf18080 R12: 0000000000000000
R13: 0000000000000008 R14: ffff8881bbabfa50 R15: 000000000000038a
FS: 00007fed2599c700(0000) GS:ffff8881dae00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000004cce48 CR3: 00000001cf367000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
skb_copy_and_csum_datagram+0x1ab/0xae0 net/core/datagram.c:662
skb_copy_and_csum_datagram+0x1ab/0xae0 net/core/datagram.c:662
skb_copy_and_csum_datagram_msg+0x246/0x420 net/core/datagram.c:802
udpv6_recvmsg+0xd62/0x1d80 net/ipv6/udp.c:376
skb_copy_and_csum_datagram_msg+0x246/0x420 net/core/datagram.c:802
udpv6_recvmsg+0xd62/0x1d80 net/ipv6/udp.c:376
inet_recvmsg+0x181/0x6d0 net/ipv4/af_inet.c:830
inet_recvmsg+0x181/0x6d0 net/ipv4/af_inet.c:830
sock_recvmsg_nosec net/socket.c:794 [inline]
sock_recvmsg+0xd0/0x110 net/socket.c:801
sock_read_iter+0x39b/0x570 net/socket.c:878
call_read_iter include/linux/fs.h:1851 [inline]
generic_file_splice_read+0x5a2/0x9a0 fs/splice.c:308
sock_recvmsg_nosec net/socket.c:794 [inline]
sock_recvmsg+0xd0/0x110 net/socket.c:801
sock_read_iter+0x39b/0x570 net/socket.c:878
sock_splice_read+0xef/0x110 net/socket.c:856
do_splice_to+0x12e/0x190 fs/splice.c:880
call_read_iter include/linux/fs.h:1851 [inline]
generic_file_splice_read+0x5a2/0x9a0 fs/splice.c:308
do_splice+0x1014/0x1430 fs/splice.c:1173
sock_splice_read+0xef/0x110 net/socket.c:856
__do_sys_splice fs/splice.c:1414 [inline]
__se_sys_splice fs/splice.c:1394 [inline]
__x64_sys_splice+0x2c1/0x330 fs/splice.c:1394
do_splice_to+0x12e/0x190 fs/splice.c:880
do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
do_splice+0x1014/0x1430 fs/splice.c:1173
__do_sys_splice fs/splice.c:1414 [inline]
__se_sys_splice fs/splice.c:1394 [inline]
__x64_sys_splice+0x2c1/0x330 fs/splice.c:1394
do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x457569
Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f6517086c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000113
RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 0000000000457569
RDX: 0000000000000004 RSI: 0000000000000000 RDI: 0000000000000003
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RBP: 000000000072bfa0 R08: 0000000010000200 R09: 0000000000000000
RIP: 0033:0x457569
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f65170876d4
Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
R13: 00000000004c5719 R14: 00000000004d8c08 R15: 00000000ffffffff
RSP: 002b:00007fed2599bc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000113
RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 0000000000457569
RDX: 0000000000000004 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 000000000072bfa0 R08: 0000000010000200 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fed2599c6d4
R13: 00000000004c5719 R14: 00000000004d8c08 R15: 00000000ffffffff
irq event stamp: 352
hardirqs last enabled at (351): [<ffffffff814ad030>] __local_bh_enable_ip+0x160/0x260 kernel/softirq.c:194
hardirqs last disabled at (352): [<ffffffff81007ced>] trace_hardirqs_off_thunk+0x1a/0x1c
softirqs last enabled at (350): [<ffffffff86aef3ab>] spin_unlock_bh include/linux/spinlock.h:374 [inline]
softirqs last enabled at (350): [<ffffffff86aef3ab>] __skb_recv_udp+0x4ab/0xaf0 net/ipv4/udp.c:1611
softirqs last disabled at (348): [<ffffffff86aef190>] spin_lock_bh include/linux/spinlock.h:334 [inline]
softirqs last disabled at (348): [<ffffffff86aef190>] __skb_recv_udp+0x290/0xaf0 net/ipv4/udp.c:1583
---[ end trace fcfb475d82d5a575 ]---
Kernel Offset: disabled
Rebooting in 86400 seconds..
end of thread, other threads:[~2025-06-19 21:00 UTC | newest]
Thread overview: 141+ messages
2020-11-21 1:55 INFO: task can't die in shrink_inactive_list (2) syzbot
2020-11-24 3:54 ` Andrew Morton
2020-11-24 5:20 ` Alex Shi
2020-11-24 12:00 ` Alex Shi
2020-11-24 13:53 ` Alex Shi
2020-11-24 14:35 ` Alex Shi
2020-12-21 19:56 ` Hugh Dickins
2020-12-21 20:33 ` Matthew Wilcox
2020-12-21 21:25 ` Roman Gushchin
2021-02-05 17:44 ` Matthew Wilcox
2021-02-05 17:57 ` Hugh Dickins
2024-09-06 10:39 ` [syzbot] syzbot
-- strict thread matches above, loose matches on Subject: below --
2025-06-12 7:52 [syzbot] [bcachefs?] WARNING in __init_work (2) syzbot
2025-06-19 20:54 ` [syzbot] syzbot
2025-06-10 19:15 [syzbot] [bcachefs?] divide error in bch2_sb_members_v2_to_text syzbot
2025-06-19 21:00 ` [syzbot] syzbot
2025-06-08 5:52 [syzbot] [bcachefs?] kernel BUG in vfs_get_tree (2) syzbot
2025-06-19 20:57 ` [syzbot] syzbot
2025-05-31 15:09 [syzbot] [bcachefs?] WARNING in lookup_object_or_alloc syzbot
2025-06-19 20:54 ` [syzbot] syzbot
2025-05-26 10:41 [syzbot] [bcachefs?] KASAN: slab-out-of-bounds Read in bch2_sb_members_v2_to_text syzbot
2025-06-08 15:33 ` [syzbot] syzbot
2025-05-26 8:50 [syzbot] [bcachefs?] WARNING in rhashtable_init_noprof syzbot
2025-06-08 15:41 ` [syzbot] syzbot
2025-04-28 17:04 [syzbot] [bcachefs?] UBSAN: array-index-out-of-bounds in bch2_sb_downgrade_update syzbot
2025-06-08 16:01 ` [syzbot] syzbot
2025-04-08 11:53 [syzbot] [bcachefs?] WARNING in bch2_dev_free syzbot
2025-04-18 0:37 ` [syzbot] syzbot
2025-03-31 14:06 [syzbot] [bcachefs?] KMSAN: uninit-value in bch2_copygc (2) syzbot
2025-04-01 4:10 ` [syzbot] syzbot
2025-03-31 2:14 [syzbot] [input?] [usb?] UBSAN: shift-out-of-bounds in __kfifo_alloc syzbot
2025-04-01 10:18 ` [syzbot] syzbot
2025-04-01 10:24 ` [syzbot] syzbot
2025-04-01 11:04 ` [syzbot] syzbot
2025-03-30 16:49 [syzbot] [pci?] upstream test error: BUG: unable to handle kernel NULL pointer dereference in msix_prepare_msi_desc syzbot
2025-04-03 7:06 ` [syzbot] syzbot
2025-03-30 10:15 [syzbot] [pci?] upstream test error: general protection fault in msix_prepare_msi_desc syzbot
2025-04-03 7:06 ` [syzbot] syzbot
2025-03-09 4:20 [syzbot] [bcachefs?] KMSAN: uninit-value in bch2_extent_crc_append (2) syzbot
2025-04-01 3:55 ` [syzbot] syzbot
2025-02-23 6:02 [syzbot] linux-next build error (20) syzbot
2025-04-14 14:48 ` [syzbot] syzbot
2025-02-17 11:55 [syzbot] [can?] WARNING in ucan_probe syzbot
2025-02-17 17:59 ` [syzbot] syzbot
2025-02-17 11:55 [syzbot] [usb?] KMSAN: uninit-value in mii_nway_restart (2) syzbot
2025-02-17 20:59 ` [syzbot] syzbot
2025-04-11 12:15 ` [syzbot] syzbot
2025-02-13 18:25 [syzbot] [ppp?] KMSAN: uninit-value in ppp_sync_send (2) syzbot
2025-02-15 7:58 ` [syzbot] syzbot
2025-02-15 12:33 ` [syzbot] syzbot
2025-02-15 14:31 ` [syzbot] syzbot
2025-02-15 18:42 ` [syzbot] syzbot
2025-02-15 19:35 ` [syzbot] syzbot
2025-04-07 14:06 ` [syzbot] Arnaud Lecomte
2025-04-07 14:17 ` [syzbot] Arnaud Lecomte
2025-04-07 14:17 ` [syzbot] syzbot
2025-04-07 14:17 ` [syzbot] Arnaud Lecomte
2025-02-12 13:41 [syzbot] [modules?] KMSAN: uninit-value in __request_module (6) syzbot
2025-02-13 14:21 ` [syzbot] syzbot
2025-02-13 18:22 ` [syzbot] syzbot
2025-02-12 10:57 [syzbot] [jfs?] KASAN: slab-out-of-bounds Read in ea_get (4) syzbot
2025-02-12 22:56 ` [syzbot] syzbot
2025-02-09 5:48 [syzbot] [isofs?] KMSAN: uninit-value in isofs_readdir syzbot
2025-02-09 23:50 ` [syzbot] syzbot
2025-02-11 1:00 ` [syzbot] syzbot
2025-02-04 15:33 [syzbot] [bcachefs?] KMSAN: uninit-value in bch2_btree_ptr_v2_validate syzbot
2025-04-01 3:56 ` [syzbot] syzbot
2025-01-29 9:17 [syzbot] [bcachefs?] KMSAN: uninit-value in btree_interior_update_work syzbot
2025-04-01 3:57 ` [syzbot] syzbot
2025-01-17 6:14 [syzbot] [usb?] general protection fault in status_show syzbot
2025-01-17 15:41 ` [syzbot] syzbot
2025-01-12 6:45 [syzbot] [iommu?] UBSAN: shift-out-of-bounds in iova_bitmap_alloc syzbot
2025-01-12 11:58 ` [syzbot] syzbot
2025-01-11 13:37 [syzbot] [bcachefs?] KMSAN: uninit-value in bch2_readdir (2) syzbot
2025-04-01 3:59 ` [syzbot] syzbot
2025-01-11 0:40 [syzbot] [usb?] general protection fault in qt2_read_bulk_callback syzbot
2025-01-11 17:19 ` [syzbot] syzbot
2025-01-03 1:56 [syzbot] [bcachefs?] KMSAN: uninit-value in bch2_trans_start_alloc_update_noupdate syzbot
2025-04-01 3:58 ` [syzbot] syzbot
2025-01-02 14:45 [syzbot] [f2fs?] KASAN: slab-out-of-bounds Read in f2fs_getxattr syzbot
2025-01-07 22:19 ` [syzbot] syzbot
2025-01-08 14:13 ` [syzbot] syzbot
2025-01-01 20:55 [syzbot] [bcachefs?] KMSAN: uninit-value in bch2_inode_unpack (2) syzbot
2025-04-01 3:58 ` [syzbot] syzbot
2024-12-25 2:26 [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in force_devcd_write syzbot
2024-12-26 3:43 ` [syzbot] syzbot
2024-12-24 14:42 [syzbot] [bcachefs?] KMSAN: uninit-value in __bch2_bkey_cmp_left_packed syzbot
2025-04-01 4:02 ` [syzbot] syzbot
2024-12-24 6:38 [syzbot] [input?] KASAN: null-ptr-deref Write in input_ff_create syzbot
2024-12-25 16:44 ` [syzbot] syzbot
2024-12-19 10:14 [syzbot] [bcachefs?] KMSAN: uninit-value in bch2_dirent_rename (2) syzbot
2025-04-01 4:04 ` [syzbot] syzbot
2024-12-15 8:10 [syzbot] [bcachefs?] KMSAN: uninit-value in bch2_checksum_update (2) syzbot
2025-04-01 4:06 ` [syzbot] syzbot
2024-12-13 19:13 [syzbot] [bcachefs?] KMSAN: uninit-value in __build_ro_aux_tree syzbot
2025-04-01 4:03 ` [syzbot] syzbot
2024-12-13 7:56 [syzbot] [bcachefs?] KMSAN: uninit-value in bch2_xattr_validate syzbot
2025-04-01 4:06 ` [syzbot] syzbot
2025-04-01 4:07 ` [syzbot] syzbot
2024-12-04 17:36 [syzbot] [bcachefs?] KMSAN: uninit-value in bch2_dev_freespace_init syzbot
2025-04-01 4:03 ` [syzbot] syzbot
2024-12-01 9:40 [syzbot] [bcachefs?] KMSAN: uninit-value in bch2_btree_node_get syzbot
2025-04-01 3:59 ` [syzbot] syzbot
2024-12-01 8:34 [syzbot] [bcachefs?] KMSAN: uninit-value in bch2_bkey_ptrs_validate syzbot
2025-04-01 4:02 ` [syzbot] syzbot
2024-11-30 19:55 [syzbot] [bcachefs?] KMSAN: uninit-value in bch2_dirent_validate syzbot
2025-04-01 4:04 ` [syzbot] syzbot
2024-11-29 16:59 [syzbot] [bcachefs?] KMSAN: uninit-value in bch2_bkey_val_validate syzbot
2025-04-01 4:02 ` [syzbot] syzbot
2024-11-28 9:49 [syzbot] [bcachefs?] kernel BUG in bch2_get_scanned_nodes syzbot
2024-11-28 20:31 ` [syzbot] syzbot
2024-11-27 18:59 [syzbot] [bcachefs?] KMSAN: uninit-value in bch2_bkey_cmp_packed_inlined (2) syzbot
2025-04-01 4:01 ` [syzbot] syzbot
2024-11-27 0:00 [syzbot] upstream build error (22) syzbot
2025-02-03 12:55 ` [syzbot] syzbot
2024-11-26 0:00 [syzbot] [bcachefs?] KMSAN: uninit-value in bch2_trans_start_alloc_update syzbot
2025-04-01 4:08 ` [syzbot] syzbot
2024-11-25 13:28 [syzbot] [bcachefs?] BUG: corrupted list in bch2_btree_and_journal_iter_exit syzbot
2024-11-28 20:12 ` [syzbot] syzbot
2024-11-25 13:28 [syzbot] [bcachefs?] kernel BUG in bch2_journal_pin_set syzbot
2024-11-28 3:23 ` [syzbot] syzbot
2024-11-25 13:05 [syzbot] [bcachefs?] kernel BUG in bch2_evacuate_bucket syzbot
2024-11-29 0:39 ` [syzbot] syzbot
2024-11-25 3:10 [syzbot] [bcachefs?] kernel BUG in __bch2_journal_pin_put syzbot
2024-11-28 3:00 ` [syzbot] syzbot
2024-11-22 18:44 [syzbot] [bcachefs?] kernel BUG in bch2_btree_pos_to_text (2) syzbot
2024-11-25 3:59 ` [syzbot] syzbot
2024-11-22 18:44 [syzbot] [bcachefs?] KMSAN: uninit-value in rw_aux_tree_set (2) syzbot
2025-04-01 4:09 ` [syzbot] syzbot
2024-11-22 15:15 [syzbot] [bcachefs?] kernel BUG in bch2_btree_root_read syzbot
2024-11-25 6:53 ` [syzbot] syzbot
2024-11-22 14:42 [syzbot] [netfilter?] KMSAN: uninit-value in ip6table_mangle_hook (3) syzbot
2024-12-14 22:16 ` [syzbot] syzbot
2024-12-14 22:21 ` [syzbot] syzbot
2024-12-15 2:34 ` [syzbot] syzbot
2024-11-21 12:40 [syzbot] [bcachefs?] kernel BUG in bch2_btree_node_lock_write syzbot
2024-11-28 3:12 ` [syzbot] syzbot
2024-11-19 7:33 [syzbot] [bcachefs?] KMSAN: uninit-value in bch2_inode_v3_validate syzbot
2025-04-01 4:08 ` [syzbot] syzbot
2024-11-18 21:41 [syzbot] [bcachefs?] kernel BUG in bch2_bucket_alloc_trans (3) syzbot
2024-11-25 6:54 ` [syzbot] syzbot
2024-11-17 8:54 [syzbot] [bcachefs?] KMSAN: uninit-value in bch2_alloc_v4_validate (2) syzbot
2025-04-01 4:00 ` [syzbot] syzbot
2024-11-17 8:54 [syzbot] [bcachefs?] KMSAN: uninit-value in bch2_btree_node_iter_init (2) syzbot
2025-04-01 4:07 ` [syzbot] syzbot
2024-11-12 3:25 [syzbot] [bcachefs?] possible deadlock in bch2_alloc_sectors_start_trans syzbot
2024-11-29 0:34 ` [syzbot] syzbot
2024-11-11 0:28 [syzbot] [bcachefs?] KMSAN: uninit-value in bch2_btree_node_check_topology syzbot
2025-04-01 4:10 ` [syzbot] syzbot
2024-11-09 15:43 [syzbot] [bcachefs?] kernel BUG in __bch2_btree_node_hash_insert syzbot
2024-11-11 3:13 ` [syzbot] syzbot
2024-11-08 15:57 [syzbot] [bcachefs?] kernel BUG in bch2_rechecksum_bio syzbot
2024-11-29 0:32 ` [syzbot] syzbot
2024-11-06 13:58 [syzbot] [bcachefs?] KMSAN: uninit-value in bch2_bucket_alloc_early syzbot
2025-04-01 4:05 ` [syzbot] syzbot
2024-11-06 13:24 [syzbot] [bcachefs?] kernel BUG in bch2_btree_path_traverse_one syzbot
2024-11-28 3:27 ` [syzbot] syzbot
2024-10-30 16:39 [syzbot] [bcachefs?] kernel BUG in __bkey_unpack_pos syzbot
2024-11-08 5:02 ` [syzbot] syzbot
2024-10-28 15:49 [syzbot] [bcachefs?] kernel BUG in bch2_btree_write_buffer_flush_locked syzbot
2024-11-28 3:21 ` [syzbot] syzbot
2024-10-27 3:54 [syzbot] [bcachefs?] kernel BUG in bch2_inconsistent_error syzbot
2024-11-08 0:48 ` [syzbot] syzbot
2024-10-27 1:10 [syzbot] [bcachefs?] kernel BUG in bch2_bkey_pack_pos_lossy syzbot
2024-11-08 5:11 ` [syzbot] syzbot
2024-10-25 6:49 [syzbot] [bcachefs?] kernel BUG in bch2_trans_node_iter_init syzbot
2024-11-08 3:21 ` [syzbot] syzbot
2024-10-25 6:49 [syzbot] [bcachefs?] kernel BUG in __bch2_bkey_cmp_packed_format_checked syzbot
2024-11-08 0:34 ` [syzbot] syzbot
2024-10-25 6:48 [syzbot] [bcachefs?] general protection fault in bch2_btree_path_traverse_one syzbot
2024-11-27 8:09 ` [syzbot] syzbot
2024-10-25 6:48 [syzbot] [bcachefs?] kernel BUG in bch2_journal_res_get (2) syzbot
2024-11-08 3:28 ` [syzbot] syzbot
2024-10-24 17:47 [syzbot] [bcachefs?] kernel BUG in bch2_run_recovery_pass syzbot
2024-11-11 4:31 ` [syzbot] syzbot
2024-10-23 18:30 [syzbot] [bcachefs?] possible deadlock in __bch2_trans_relock syzbot
2024-11-28 23:06 ` [syzbot] syzbot
2024-10-23 14:27 [syzbot] [bcachefs?] UBSAN: shift-out-of-bounds in validate_sb_layout syzbot
2024-10-26 0:49 ` [syzbot] syzbot
2024-10-23 11:21 [syzbot] [bcachefs?] kernel BUG in bch2_btree_path_level_init (2) syzbot
2024-11-11 3:14 ` [syzbot] syzbot
2024-10-23 4:12 [syzbot] [bcachefs?] kernel BUG in bch2_ptr_swab syzbot
2024-11-11 21:16 ` [syzbot] syzbot
2024-10-21 13:07 [syzbot] [bcachefs?] kernel BUG in bch2_dev_btree_bitmap_mark syzbot
2024-11-08 4:25 ` [syzbot] syzbot
2024-10-21 6:44 [syzbot] [bcachefs?] UBSAN: shift-out-of-bounds in bch2_alloc_to_text syzbot
2024-10-26 0:47 ` [syzbot] syzbot
2024-10-21 4:31 [syzbot] [bcachefs?] kernel BUG in __bch2_trans_commit syzbot
2024-11-08 0:18 ` [syzbot] syzbot
2024-10-18 7:37 [syzbot] [bcachefs?] kernel BUG in bch2_fs_btree_cache_exit syzbot
2024-11-11 4:46 ` [syzbot] syzbot
2024-10-03 17:42 [syzbot] [bcachefs?] possible deadlock in bch2_replicas_entry_validate syzbot
2024-10-16 6:42 ` [syzbot] syzbot
2024-10-03 8:10 [syzbot] [bcachefs?] kernel BUG in __bch2_btree_node_write syzbot
2024-11-25 6:52 ` [syzbot] syzbot
2024-09-28 2:13 [syzbot] [bcachefs?] kernel BUG in bch2_fs_btree_write_buffer_exit syzbot
2024-11-08 3:04 ` [syzbot] syzbot
2024-09-18 7:28 [syzbot] [bcachefs?] WARNING in bch2_journal_flush_seq_async syzbot
2024-11-28 22:50 ` [syzbot] syzbot
2024-08-27 2:12 [syzbot] [sound?] WARNING in snd_pcm_open syzbot
2024-09-06 10:33 ` [syzbot] syzbot
2024-07-30 1:14 [syzbot] [bcachefs?] KASAN: slab-out-of-bounds Read in journal_entry_dev_usage_to_text syzbot
2024-11-11 21:03 ` [syzbot] syzbot
2024-07-24 8:59 [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in mgmt_remove_adv_monitor_sync syzbot
2024-12-05 1:58 ` [syzbot] syzbot
2024-12-23 22:19 ` [syzbot] syzbot
2024-07-17 13:39 [syzbot] [bcachefs?] general protection fault in bch2_checksum syzbot
2024-11-28 22:59 ` [syzbot] syzbot
2024-07-13 22:54 [syzbot] [bpf?] [trace?] possible deadlock in console_flush_all (3) syzbot
2025-06-19 20:48 ` [syzbot] syzbot
2024-07-10 20:55 [syzbot] [bcachefs?] kernel BUG in bch2_journal_noflush_seq syzbot
2024-11-28 22:12 ` [syzbot] syzbot
2024-06-14 12:16 [syzbot] [crypto?] [bcachefs?] BUG: unable to handle kernel paging request in crypto_skcipher_encrypt syzbot
2024-11-25 7:19 ` [syzbot] syzbot
[not found] <mailman.217.1706634262.2961.pvrusb2@isely.net>
2024-02-15 16:26 ` [syzbot] syzbot
2024-01-12 20:14 [syzbot] upstream build error (21) syzbot
2024-06-20 8:00 ` [syzbot] syzbot
2024-01-05 17:32 [syzbot] [net?] memory leak in ___neigh_create (2) syzbot
2024-09-05 11:54 ` [syzbot] syzbot
2023-11-16 11:09 [syzbot] [kernel?] inconsistent lock state in __lock_task_sighand syzbot
2024-09-06 10:37 ` [syzbot] syzbot
2023-11-15 9:34 [syzbot] [dri?] divide error in drm_mode_debug_printmodeline syzbot
2023-11-16 2:33 ` [syzbot] syzbot
2023-11-16 3:29 ` [syzbot] syzbot
2023-10-16 7:38 [syzbot] [kernel?] KASAN: slab-use-after-free Read in reweight_entity syzbot
2024-09-06 10:38 ` [syzbot] syzbot
2023-06-05 3:53 [syzbot] [ext4?] WARNING: locking bug in ext4_move_extents syzbot
2024-07-03 7:48 ` [syzbot] syzbot
2022-12-21 8:15 [syzbot] possible deadlock in page_cache_ra_unbounded syzbot
2025-01-08 16:11 ` [syzbot] syzbot
2022-10-17 7:43 [syzbot] possible deadlock in attr_data_get_block syzbot
2024-07-17 8:19 ` [syzbot] syzbot
2022-09-25 11:18 [syzbot] WARNING in __change_page_attr_set_clr syzbot
2024-09-06 10:39 ` [syzbot] syzbot
2022-07-12 12:03 [syzbot] inconsistent lock state in find_vmap_area syzbot
2024-09-06 10:36 ` [syzbot] syzbot
2022-02-10 19:17 [syzbot] general protection fault in blk_mq_free_rqs syzbot
2023-11-10 18:56 ` [syzbot] syzbot
2021-02-26 14:48 general protection fault in try_to_wake_up (2) syzbot
2024-07-25 16:29 ` [syzbot] syzbot
2021-02-01 10:07 BUG: Bad page state (8) syzbot
2024-10-28 14:11 ` [syzbot] syzbot
2020-10-13 17:02 WARNING in drop_nlink (2) syzbot
2024-11-20 15:35 ` [syzbot] syzbot
2020-08-08 21:27 KASAN: use-after-free Read in __queue_work (3) syzbot
2024-09-06 10:40 ` [syzbot] syzbot
2020-08-04 15:46 KASAN: use-after-free Read in __sco_sock_close syzbot
2024-09-06 10:35 ` [syzbot] syzbot
2018-11-24 19:40 WARNING in csum_and_copy_to_iter syzbot
2023-11-24 10:30 ` [syzbot] syzbot