* WARNING in ovl_real_fdget_meta
From: syzbot @ 2019-07-24 19:18 UTC
To: linux-kernel, linux-unionfs, miklos, syzkaller-bugs

Hello,

syzbot found the following crash on:

HEAD commit:    c6dd78fc Merge branch 'x86-urgent-for-linus' of git://git...
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1346d53fa00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=3c8985c08e1f9727
dashboard link: https://syzkaller.appspot.com/bug?extid=032bc63605089a199d30
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=15855334600000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17fcc4c8600000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+032bc63605089a199d30@syzkaller.appspotmail.com

------------[ cut here ]------------
WARNING: CPU: 1 PID: 8471 at fs/overlayfs/file.c:55 ovl_change_flags fs/overlayfs/file.c:55 [inline]
WARNING: CPU: 1 PID: 8471 at fs/overlayfs/file.c:55 ovl_real_fdget_meta.cold+0x11/0x1e fs/overlayfs/file.c:106
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 8471 Comm: syz-executor111 Not tainted 5.2.0+ #71
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x16f/0x1f0 lib/dump_stack.c:113
 panic+0x2dc/0x755 kernel/panic.c:219
 __warn.cold+0x20/0x4c kernel/panic.c:576
 report_bug+0x263/0x2b0 lib/bug.c:186
 fixup_bug arch/x86/kernel/traps.c:179 [inline]
 fixup_bug arch/x86/kernel/traps.c:174 [inline]
 do_error_trap+0x11b/0x200 arch/x86/kernel/traps.c:272
 do_invalid_op+0x37/0x50 arch/x86/kernel/traps.c:291
 invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1026
RIP: 0010:ovl_change_flags fs/overlayfs/file.c:55 [inline]
RIP: 0010:ovl_real_fdget_meta.cold+0x11/0x1e fs/overlayfs/file.c:106
Code: e9 b3 fd ff ff e8 0c 68 4f ff e9 fb fd ff ff e8 02 68 4f ff e9 15 fe ff ff e8 b8 a6 15 ff 48 c7 c7 a0 45 b3 87 e8 c0 db ff fe <0f> 0b 41 bc fb ff ff ff e9 68 c6 ff ff e8 9a a6 15 ff 48 c7 c7 a0
RSP: 0018:ffff8880a1bffdc0 EFLAGS: 00010286
RAX: 0000000000000024 RBX: 0000000004048000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff815b9de2 RDI: ffffed101437ffaa
RBP: ffff8880a1bffdf0 R08: 0000000000000024 R09: ffffed1015d26079
R10: ffffed1015d26078 R11: ffff8880ae9303c7 R12: 000000000000a000
R13: ffff88809bc592c0 R14: ffff88809bc59338 R15: ffff8880898e0460
 ovl_real_fdget fs/overlayfs/file.c:113 [inline]
 ovl_llseek+0x105/0x3b0 fs/overlayfs/file.c:163
 vfs_llseek fs/read_write.c:300 [inline]
 ksys_lseek+0x116/0x1b0 fs/read_write.c:313
 __do_sys_lseek fs/read_write.c:324 [inline]
 __se_sys_lseek fs/read_write.c:322 [inline]
 __x64_sys_lseek+0x73/0xb0 fs/read_write.c:322
 do_syscall_64+0xfd/0x6a0 arch/x86/entry/common.c:296
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x441ce9
Code: e8 1c b4 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb 08 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffcff68e398 EFLAGS: 00000246 ORIG_RAX: 0000000000000008
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000441ce9
RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000402af0 R14: 0000000000000000 R15: 0000000000000000
Kernel Offset: disabled
Rebooting in 86400 seconds..


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
* Re: WARNING in ovl_real_fdget_meta
From: syzbot @ 2019-07-25 4:24 UTC
To: amir73il, bfields, jlayton, linux-fsdevel, linux-kernel, linux-unionfs, miklos, syzkaller-bugs, viro

syzbot has bisected this bug to:

commit 387e3746d01c34457d6a73688acd90428725070b
Author: Amir Goldstein <amir73il@gmail.com>
Date:   Fri Jun 7 14:24:38 2019 +0000

    locks: eliminate false positive conflicts for write lease

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=15a79594600000
start commit:   c6dd78fc Merge branch 'x86-urgent-for-linus' of git://git...
git tree:       upstream
final crash:    https://syzkaller.appspot.com/x/report.txt?x=17a79594600000
console output: https://syzkaller.appspot.com/x/log.txt?x=13a79594600000
kernel config:  https://syzkaller.appspot.com/x/.config?x=3c8985c08e1f9727
dashboard link: https://syzkaller.appspot.com/bug?extid=032bc63605089a199d30
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=15855334600000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17fcc4c8600000

Reported-by: syzbot+032bc63605089a199d30@syzkaller.appspotmail.com
Fixes: 387e3746d01c ("locks: eliminate false positive conflicts for write lease")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection
* Re: WARNING in ovl_real_fdget_meta
From: Amir Goldstein @ 2019-07-26 8:11 UTC
To: syzbot
Cc: J. Bruce Fields, Jeff Layton, linux-fsdevel, linux-kernel, overlayfs, Miklos Szeredi, syzkaller-bugs, Al Viro

On Thu, Jul 25, 2019 at 7:24 AM syzbot
<syzbot+032bc63605089a199d30@syzkaller.appspotmail.com> wrote:
>
> syzbot has bisected this bug to:
>
> commit 387e3746d01c34457d6a73688acd90428725070b
> Author: Amir Goldstein <amir73il@gmail.com>
> Date:   Fri Jun 7 14:24:38 2019 +0000
>
>     locks: eliminate false positive conflicts for write lease
>
> bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=15a79594600000
> start commit:   c6dd78fc Merge branch 'x86-urgent-for-linus' of git://git...
> git tree:       upstream
> final crash:    https://syzkaller.appspot.com/x/report.txt?x=17a79594600000
> console output: https://syzkaller.appspot.com/x/log.txt?x=13a79594600000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=3c8985c08e1f9727
> dashboard link: https://syzkaller.appspot.com/bug?extid=032bc63605089a199d30
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=15855334600000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17fcc4c8600000
>
> Reported-by: syzbot+032bc63605089a199d30@syzkaller.appspotmail.com
> Fixes: 387e3746d01c ("locks: eliminate false positive conflicts for write
> lease")
>
> For information about bisection process see: https://goo.gl/tpsmEJ#bisection

The repro:

#{"repeat":true,"procs":1,"sandbox":"none","fault_call":-1,"cgroups":true,"close_fds":true,"tmpdir":true}
mkdir(&(0x7f0000000100)='./file0\x00', 0x0)
mkdirat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000000)='./cgroup.net/syz1\x00', 0x1ff)
mount$fuse(0x20000000, &(0x7f0000000140)='./file0\x00', 0x0, 0x1004, 0x0)
mount$overlay(0x400000, &(0x7f0000000100)='./file0\x00', &(0x7f00000001c0)='overlay\x00', 0x0, &(0x7f0000000040)=ANY=[@ANYBLOB=',lowerdir=.:file0'])
r0 = open(&(0x7f0000000500)='./file0\x00', 0x0, 0x0)
r1 = openat$cgroup_procs(r0, &(0x7f00000004c0)='cgroup.procs\x00', 0x48, 0x0)
dup3(r1, r0, 0x0)
fcntl$setlease(r0, 0x400, 0x1)
lseek(r0, 0x4, 0x0)

I thought we would stop this family of overlapping-layers fuzzers with:
146d62e5a586 ("ovl: detect overlapping layers")

But syzbot got the upper hand, because we do not check for overlapping layers
that cross an fs boundary. Not sure if we should (?).

./ is a tmpfs dir and ./file0/ is some kind of fuse mount (?),
then after one cycle ./file0/ itself is an overlapping overlay mount
(lowerdir=./:./file0/),
and after another cycle ./file0/ is a nested overlapping overlayfs mount.
Fine. Whatever.

What I don't understand is: if dup3 succeeds, r0 should not be an overlayfs fd,
and even if dup3 fails, r0 should be an overlayfs directory fd (./file0/), so how
the hell did we get to ovl_llseek => ... ovl_change_flags() with this repro??

There is not a single regular file in this test.

Thanks,
Amir.
* Re: WARNING in ovl_real_fdget_meta
From: Amir Goldstein @ 2019-07-26 10:06 UTC
To: syzbot
Cc: J. Bruce Fields, Jeff Layton, linux-fsdevel, linux-kernel, overlayfs, Miklos Szeredi, syzkaller-bugs, Al Viro

On Fri, Jul 26, 2019 at 11:11 AM Amir Goldstein <amir73il@gmail.com> wrote:
>
> On Thu, Jul 25, 2019 at 7:24 AM syzbot
> <syzbot+032bc63605089a199d30@syzkaller.appspotmail.com> wrote:
> >
> > syzbot has bisected this bug to:
> >
> > commit 387e3746d01c34457d6a73688acd90428725070b
> > Author: Amir Goldstein <amir73il@gmail.com>
> > Date:   Fri Jun 7 14:24:38 2019 +0000
> >
> >     locks: eliminate false positive conflicts for write lease
> >
> > bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=15a79594600000
> > start commit:   c6dd78fc Merge branch 'x86-urgent-for-linus' of git://git...
> > git tree:       upstream
> > final crash:    https://syzkaller.appspot.com/x/report.txt?x=17a79594600000
> > console output: https://syzkaller.appspot.com/x/log.txt?x=13a79594600000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=3c8985c08e1f9727
> > dashboard link: https://syzkaller.appspot.com/bug?extid=032bc63605089a199d30
> > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=15855334600000
> > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17fcc4c8600000
> >
> > Reported-by: syzbot+032bc63605089a199d30@syzkaller.appspotmail.com
> > Fixes: 387e3746d01c ("locks: eliminate false positive conflicts for write
> > lease")
> >
> > For information about bisection process see: https://goo.gl/tpsmEJ#bisection
>
> The repro:
> #{"repeat":true,"procs":1,"sandbox":"none","fault_call":-1,"cgroups":true,"close_fds":true,"tmpdir":true}
> mkdir(&(0x7f0000000100)='./file0\x00', 0x0)
> mkdirat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000000)='./cgroup.net/syz1\x00', 0x1ff)
> mount$fuse(0x20000000, &(0x7f0000000140)='./file0\x00', 0x0, 0x1004, 0x0)
> mount$overlay(0x400000, &(0x7f0000000100)='./file0\x00', &(0x7f00000001c0)='overlay\x00', 0x0, &(0x7f0000000040)=ANY=[@ANYBLOB=',lowerdir=.:file0'])
> r0 = open(&(0x7f0000000500)='./file0\x00', 0x0, 0x0)
> r1 = openat$cgroup_procs(r0, &(0x7f00000004c0)='cgroup.procs\x00', 0x48, 0x0)
> dup3(r1, r0, 0x0)
> fcntl$setlease(r0, 0x400, 0x1)
> lseek(r0, 0x4, 0x0)
>
> I thought we would stop this family of overlapping-layers fuzzers with:
> 146d62e5a586 ("ovl: detect overlapping layers")
>
> But syzbot got the upper hand, because we do not check for overlapping layers
> that cross an fs boundary. Not sure if we should (?).

No, we shouldn't care about that.
overlayfs doesn't follow cross-fs in underlying layers.

>
> ./ is a tmpfs dir and ./file0/ is some kind of fuse mount (?),
> then after one cycle ./file0/ itself is an overlapping overlay mount
> (lowerdir=./:./file0/),
> and after another cycle ./file0/ is a nested overlapping overlayfs mount.
> Fine. Whatever.

But damage can still be created if a lower overlayfs layer
overlaps with another nested overlay's lower underlying layer.
It actually shouldn't be too hard to add a guard also on the
nested overlay's lower underlying layer inode.

>
> What I don't understand is: if dup3 succeeds, r0 should not be an overlayfs fd,
> and even if dup3 fails, r0 should be an overlayfs directory fd (./file0/), so how
> the hell did we get to ovl_llseek => ... ovl_change_flags() with this repro??
>
> There is not a single regular file in this test.
>

I was wrong here of course.
./file0/cgroup.procs is a regular overlayfs file (I was confused by the name),
which is later also exposed at ./file0/file0/cgroup.procs in the nested overlay mount.

Still not sure about the rest of the way to the ovl_change_flags() failure,
but I think I'll try to block this new syzbot overlap attack.

Thanks,
Amir.
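The two messages above describe two distinct overlap rules: the single-mount rule from 146d62e5a586 (no layer may be the same directory as, or an ancestor of, another layer of the same mount) and the nested case Amir raises (a new overlay stacked on an existing overlay whose own underlying layers overlap the new layers). The following is an added example, not code from the thread, from the kernel, or from the ovl-check-nested-overlap branch: a userspace pre-mount check that applies both rules to mount requests, exercised on the repro's lowerdir=.:file0 mount issued twice against ./file0. It assumes a working directory of /tmp/syz for the relative paths and compares normalised paths purely lexically, so, unlike the in-kernel check, it has no notion of filesystem boundaries (it flags the repro's first mount regardless) and cannot see through symlinks or bind mounts; a production tool would realpath() each layer and compare (st_dev, st_ino) instead.

```python
"""
Userspace pre-mount check for overlapping overlayfs layers.

Added example, not kernel code. Two rules are implemented:
  * single-mount overlap: one layer (lowerdir/upperdir/workdir) is the same
    directory as, or an ancestor of, another layer of the same request;
  * nested overlap: a new request puts a layer inside an overlay that is
    already mounted, and a new layer overlaps that overlay's own layers.
Paths are compared lexically after normalisation (assumption: no symlink or
mount-namespace resolution), so this runs offline on constructed input.
"""
from __future__ import annotations

import posixpath
from dataclasses import dataclass

# Assumed working directory of the fuzzer process ("." in the repro).
REPRO_CWD = "/tmp/syz"


def normalise(path: str, cwd: str = REPRO_CWD) -> str:
    """Make `path` absolute relative to `cwd` and collapse '.', '..', '//'."""
    if not path.startswith("/"):
        path = posixpath.join(cwd, path)
    return posixpath.normpath(path)


def is_ancestor_or_same(a: str, b: str) -> bool:
    """True if normalised path `a` equals `b` or is a proper ancestor of it."""
    if a == b or a == "/":
        return True
    return b.startswith(a + "/")  # the '/' stops /srv/l1 matching /srv/l10


@dataclass
class OverlayMount:
    """One overlayfs mount request: mount target plus its layers."""
    target: str
    lowerdirs: list[str]
    upperdir: str | None = None
    workdir: str | None = None

    def layers(self, cwd: str = REPRO_CWD) -> list[str]:
        """All layer directories of this request, as normalised absolute paths."""
        out = [normalise(p, cwd) for p in self.lowerdirs]
        out += [normalise(p, cwd) for p in (self.upperdir, self.workdir) if p]
        return out


def overlapping_layers(mnt: OverlayMount) -> list[tuple[str, str]]:
    """Pairs (outer, inner) of layers of one request where outer contains inner."""
    ls = mnt.layers()
    found: list[tuple[str, str]] = []
    for i in range(len(ls)):
        for j in range(i + 1, len(ls)):
            a, b = ls[i], ls[j]
            if is_ancestor_or_same(a, b):
                found.append((a, b))
            elif is_ancestor_or_same(b, a):
                found.append((b, a))
    return found


def nested_overlaps(new: OverlayMount,
                    mounted: list[OverlayMount]) -> list[tuple[str, str, str]]:
    """
    Triples (new_layer, inner_target, inner_layer): `new` uses a directory
    under an already mounted overlay (`inner_target`) as a layer, and one of
    its layers overlaps one of that overlay's own underlying layers.
    """
    new_layers = new.layers()
    found: list[tuple[str, str, str]] = []
    for inner in mounted:
        tgt = normalise(inner.target)
        if not any(is_ancestor_or_same(tgt, nl) for nl in new_layers):
            continue  # the new request does not stack on this overlay
        for nl in new_layers:
            for il in inner.layers():
                if is_ancestor_or_same(nl, il) or is_ancestor_or_same(il, nl):
                    found.append((nl, tgt, il))
    return found


def check_mount(new: OverlayMount, mounted: list[OverlayMount]) -> list[str]:
    """Human-readable reasons to refuse `new`; an empty list means it passes."""
    problems = [f"layer {o} overlaps layer {i}" for o, i in overlapping_layers(new)]
    problems += [f"layer {nl} overlaps layer {il} of overlay mounted at {tgt}"
                 for nl, tgt, il in nested_overlaps(new, mounted)]
    return problems


if __name__ == "__main__":
    # Constructed input: the repro's mount request, issued twice against ./file0.
    first = OverlayMount(target="./file0", lowerdirs=[".", "file0"])
    for p in check_mount(first, []):
        print("first mount:", p)
    second = OverlayMount(target="./file0", lowerdirs=[".", "file0"])
    for p in check_mount(second, [first]):
        print("second mount:", p)
```

The first request is refused by the single-mount rule alone (./ contains ./file0). The second request, made while the first overlay is mounted on ./file0, additionally trips the nested rule, since its lower ./ is also an underlying layer of the overlay it stacks on; this is the shape of check the thread proposes adding on the nested overlay's underlying layer inode, expressed here on paths rather than inodes.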
* Re: WARNING in ovl_real_fdget_meta
From: Amir Goldstein @ 2019-07-26 16:31 UTC
To: syzbot
Cc: J. Bruce Fields, Jeff Layton, linux-fsdevel, linux-kernel, overlayfs, Miklos Szeredi, syzkaller-bugs, Al Viro

On Fri, Jul 26, 2019 at 1:06 PM Amir Goldstein <amir73il@gmail.com> wrote:
>
> On Fri, Jul 26, 2019 at 11:11 AM Amir Goldstein <amir73il@gmail.com> wrote:
> >
> > On Thu, Jul 25, 2019 at 7:24 AM syzbot
> > <syzbot+032bc63605089a199d30@syzkaller.appspotmail.com> wrote:
> > >
> > > syzbot has bisected this bug to:
> > >
> > > commit 387e3746d01c34457d6a73688acd90428725070b
> > > Author: Amir Goldstein <amir73il@gmail.com>
> > > Date:   Fri Jun 7 14:24:38 2019 +0000
> > >
> > >     locks: eliminate false positive conflicts for write lease
> > >
> > > bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=15a79594600000
> > > start commit:   c6dd78fc Merge branch 'x86-urgent-for-linus' of git://git...
> > > git tree:       upstream
> > > final crash:    https://syzkaller.appspot.com/x/report.txt?x=17a79594600000
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=13a79594600000
> > > kernel config:  https://syzkaller.appspot.com/x/.config?x=3c8985c08e1f9727
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=032bc63605089a199d30
> > > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=15855334600000
> > > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17fcc4c8600000
> > >
> > > Reported-by: syzbot+032bc63605089a199d30@syzkaller.appspotmail.com
> > > Fixes: 387e3746d01c ("locks: eliminate false positive conflicts for write
> > > lease")
> > >
> > > For information about bisection process see: https://goo.gl/tpsmEJ#bisection
> >
> > The repro:
> > #{"repeat":true,"procs":1,"sandbox":"none","fault_call":-1,"cgroups":true,"close_fds":true,"tmpdir":true}
> > mkdir(&(0x7f0000000100)='./file0\x00', 0x0)
> > mkdirat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000000)='./cgroup.net/syz1\x00', 0x1ff)
> > mount$fuse(0x20000000, &(0x7f0000000140)='./file0\x00', 0x0, 0x1004, 0x0)
> > mount$overlay(0x400000, &(0x7f0000000100)='./file0\x00', &(0x7f00000001c0)='overlay\x00', 0x0, &(0x7f0000000040)=ANY=[@ANYBLOB=',lowerdir=.:file0'])
> > r0 = open(&(0x7f0000000500)='./file0\x00', 0x0, 0x0)
> > r1 = openat$cgroup_procs(r0, &(0x7f00000004c0)='cgroup.procs\x00', 0x48, 0x0)
> > dup3(r1, r0, 0x0)
> > fcntl$setlease(r0, 0x400, 0x1)
> > lseek(r0, 0x4, 0x0)
> >
> > I thought we would stop this family of overlapping-layers fuzzers with:
> > 146d62e5a586 ("ovl: detect overlapping layers")
> >
> > But syzbot got the upper hand, because we do not check for overlapping layers
> > that cross an fs boundary. Not sure if we should (?).
>
> No, we shouldn't care about that.
> overlayfs doesn't follow cross-fs in underlying layers.
>
> >
> > ./ is a tmpfs dir and ./file0/ is some kind of fuse mount (?),
> > then after one cycle ./file0/ itself is an overlapping overlay mount
> > (lowerdir=./:./file0/),
> > and after another cycle ./file0/ is a nested overlapping overlayfs mount.
> > Fine. Whatever.
>
> But damage can still be created if a lower overlayfs layer
> overlaps with another nested overlay's lower underlying layer.
> It actually shouldn't be too hard to add a guard also on the
> nested overlay's lower underlying layer inode.
>

Here's a draft

#syz test: https://github.com/amir73il/linux.git ovl-check-nested-overlap

Thanks,
Amir.
* Re: WARNING in ovl_real_fdget_meta
From: syzbot @ 2019-07-27 2:41 UTC
To: amir73il, bfields, jlayton, linux-fsdevel, linux-kernel, linux-unionfs, miklos, syzkaller-bugs, viro

Hello,

syzbot tried to test the proposed patch but build/boot failed:

vmalloc)
[    6.623186][    T1] TCP established hash table entries: 65536 (order: 7, 524288 bytes, vmalloc)
[    6.629001][    T1] TCP bind hash table entries: 65536 (order: 10, 4194304 bytes, vmalloc)
[    6.633571][    T1] TCP: Hash tables configured (established 65536 bind 65536)
[    6.635510][    T1] UDP hash table entries: 4096 (order: 7, 655360 bytes, vmalloc)
[    6.637367][    T1] UDP-Lite hash table entries: 4096 (order: 7, 655360 bytes, vmalloc)
[    6.639861][    T1] NET: Registered protocol family 1
[    6.642372][    T1] RPC: Registered named UNIX socket transport module.
[    6.643458][    T1] RPC: Registered udp transport module.
[    6.644319][    T1] RPC: Registered tcp transport module.
[    6.645199][    T1] RPC: Registered tcp NFSv4.1 backchannel transport module.
[    6.647753][    T1] NET: Registered protocol family 44
[    6.648732][    T1] pci 0000:00:00.0: Limiting direct PCI/PCI transfers
[    6.649837][    T1] PCI: CLS 0 bytes, default 64
[    6.654238][    T1] PCI-DMA: Using software bounce buffering for IO (SWIOTLB)
[    6.655433][    T1] software IO TLB: mapped [mem 0xaa800000-0xae800000] (64MB)
[    6.660080][    T1] RAPL PMU: API unit is 2^-32 Joules, 0 fixed counters, 10737418240 ms ovfl timer
[    6.663698][    T1] kvm: already loaded the other module
[    6.664750][    T1] clocksource: tsc: mask: 0xffffffffffffffff max_cycles: 0x212735223b2, max_idle_ns: 440795277976 ns
[    6.666833][    T1] clocksource: Switched to clocksource tsc
[    6.667884][    T1] mce: Machine check injector initialized
[    6.672842][    T1] check: Scanning for low memory corruption every 60 seconds
[    6.784695][    T1] Initialise system trusted keyrings
[    6.786453][    T1] workingset: timestamp_bits=40 max_order=21 bucket_order=0
[    6.788062][    T1] zbud: loaded
[    6.793680][    T1] DLM installed
[    6.795747][    T1] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[    6.799822][    T1] FS-Cache: Netfs 'nfs' registered for caching
[    6.802062][    T1] NFS: Registering the id_resolver key type
[    6.803162][    T1] Key type id_resolver registered
[    6.804299][    T1] Key type id_legacy registered
[    6.805300][    T1] nfs4filelayout_init: NFSv4 File Layout Driver Registering...
[    6.806905][    T1] Installing knfsd (copyright (C) 1996 okir@monad.swb.de).
[    6.811461][    T1] ntfs: driver 2.1.32 [Flags: R/W].
[    6.813297][    T1] fuse: init (API version 7.31)
[    6.816259][    T1] JFS: nTxBlock = 8192, nTxLock = 65536
[    6.826202][    T1] SGI XFS with ACLs, security attributes, realtime, no debug enabled
[    6.832172][    T1] 9p: Installing v9fs 9p2000 file system support
[    6.833515][    T1] FS-Cache: Netfs '9p' registered for caching
[    6.838070][    T1] gfs2: GFS2 installed
[    6.841163][    T1] FS-Cache: Netfs 'ceph' registered for caching
[    6.842969][    T1] ceph: loaded (mds proto 32)
[    6.850819][    T1] NET: Registered protocol family 38
[    6.852584][    T1] async_tx: api initialized (async)
[    6.853585][    T1] Key type asymmetric registered
[    6.854272][    T1] Asymmetric key parser 'x509' registered
[    6.855126][    T1] Asymmetric key parser 'pkcs8' registered
[    6.855903][    T1] Key type pkcs7_test registered
[    6.856598][    T1] Asymmetric key parser 'tpm_parser' registered
[    6.857618][    T1] Block layer SCSI generic (bsg) driver version 0.4 loaded (major 246)
[    6.859381][    T1] io scheduler mq-deadline registered
[    6.860444][    T1] io scheduler kyber registered
[    6.861501][    T1] io scheduler bfq registered
[    6.866618][    T1] input: Power Button as /devices/LNXSYSTM:00/LNXPWRBN:00/input/input0
[    6.869055][    T1] ACPI: Power Button [PWRF]
[    6.870629][    T1] input: Sleep Button as /devices/LNXSYSTM:00/LNXSLPBN:00/input/input1
[    6.872202][    T1] ACPI: Sleep Button [SLPF]
[    6.877520][    T1] ioatdma: Intel(R) QuickData Technology Driver 5.00
[    6.889497][    T1] PCI Interrupt Link [LNKC] enabled at IRQ 11
[    6.890599][    T1] virtio-pci 0000:00:03.0: virtio_pci: leaving for legacy driver
[    6.903444][    T1] PCI Interrupt Link [LNKD] enabled at IRQ 10
[    6.904470][    T1] virtio-pci 0000:00:04.0: virtio_pci: leaving for legacy driver
[    7.222239][    T1] HDLC line discipline maxframe=4096
[    7.223063][    T1] N_HDLC line discipline registered.
[    7.223876][    T1] Serial: 8250/16550 driver, 4 ports, IRQ sharing enabled
[    7.247483][    T1] 00:03: ttyS0 at I/O 0x3f8 (irq = 4, base_baud = 115200) is a 16550A
[    7.273815][    T1] 00:04: ttyS1 at I/O 0x2f8 (irq = 3, base_baud = 115200) is a 16550A
[    7.299513][    T1] 00:05: ttyS2 at I/O 0x3e8 (irq = 6, base_baud = 115200) is a 16550A
[    7.325004][    T1] 00:06: ttyS3 at I/O 0x2e8 (irq = 7, base_baud = 115200) is a 16550A
[    7.335983][    T1] Non-volatile memory driver v1.3
[    7.337472][    T1] Linux agpgart interface v0.103
[    7.346738][    T1] [drm] Initialized vgem 1.0.0 20120112 for vgem on minor 0
[    7.349029][    T1] [drm] Supports vblank timestamp caching Rev 2 (21.10.2013).
[    7.350502][    T1] [drm] Driver supports precise vblank timestamp query.
[    7.354001][    T1] [drm] Initialized vkms 1.0.0 20180514 for vkms on minor 1
[    7.355696][    T1] usbcore: registered new interface driver udl
[    7.404586][    T1] brd: module loaded
[    7.438411][    T1] loop: module loaded
[    7.503377][    T1] zram: Added device: zram0
[    7.509773][    T1] null: module loaded
[    7.515580][    T1] nfcsim 0.2 initialized
[    7.518129][    T1] Loading iSCSI transport class v2.0-870.
[    7.540589][    T1] scsi host0: Virtio SCSI HBA
[    7.575807][    T1] st: Version 20160209, fixed bufsize 32768, s/g segs 256
[    7.578700][  T329] kasan: CONFIG_KASAN_INLINE enabled
[    7.580010][  T329] kasan: GPF could be caused by NULL-ptr deref or user memory access
[    7.580030][  T329] general protection fault: 0000 [#1] SMP KASAN
[    7.582310][    T1] kobject: 'sd' (000000007348a90e): kobject_uevent_env
[    7.583865][  T329] CPU: 1 PID: 329 Comm: kworker/u4:5 Not tainted 5.3.0-rc1+ #1
[    7.586388][    T1] kobject: 'sd' (000000007348a90e): fill_kobj_path: path = '/bus/scsi/drivers/sd'
[    7.588218][  T329] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[    7.588218][  T329] Workqueue: events_unbound async_run_entry_fn
[    7.588218][  T329] RIP: 0010:dma_direct_max_mapping_size+0x7c/0x1a7
[    7.588218][  T329] Code: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 23 01 00 00 49 8b 9c 24 38 03 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 da 48 c1 ea 03 <80> 3c 02 00 0f 85 0a 01 00 00 49 8d bc 24 48 03 00 00 48 8b 1b 48
[    7.588218][  T329] RSP: 0000:ffff8880a8e9f768 EFLAGS: 00010246
[    7.591132][    T1] kobject: 'sr' (000000004b6a2965): kobject_add_internal: parent: 'drivers', set: 'drivers'
[    7.588218][  T329] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff816007b1
[    7.595790][    T1] kobject: 'sr' (000000004b6a2965): kobject_uevent_env
[    7.588218][  T329] RDX: 0000000000000000 RSI: ffffffff816007d0 RDI: ffff8882195030b8
[    7.602756][    T1] kobject: 'sr' (000000004b6a2965): fill_kobj_path: path = '/bus/scsi/drivers/sr'
[    7.588218][  T329] RBP: ffff8880a8e9f780 R08: ffff8880a8e8c000 R09: ffffed10146244ec
[    7.607121][    T1] kobject: 'scsi_generic' (000000007500b938): kobject_add_internal: parent: 'class', set: 'class'
[    7.588218][  T329] R10: ffffed10146244eb R11: ffff8880a312275f R12: ffff888219502d80
[    7.588218][  T329] R13: ffff888219502d80 R14: ffff88821930e4f0 R15: 0000000000000200
[    7.588218][  T329] FS:  0000000000000000(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
[    7.588218][  T329] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[    7.588218][  T329] CR2: 0000000000000000 CR3: 0000000008c6d000 CR4: 00000000001406e0
[    7.610920][    T1] kobject: 'scsi_generic' (000000007500b938): kobject_uevent_env
[    7.588218][  T329] Call Trace:
[    7.615395][    T1] kobject: 'scsi_generic' (000000007500b938): fill_kobj_path: path = '/class/scsi_generic'
[    7.588218][  T329]  dma_max_mapping_size+0xba/0x100
[    7.621502][    T1] kobject: 'nvme-wq' (0000000069c1aed7): kobject_add_internal: parent: 'workqueue', set: 'devices'
[    7.620612][  T329]  __scsi_init_queue+0x1cb/0x580
[    7.624658][    T1] kobject: 'nvme-wq' (0000000069c1aed7): kobject_uevent_env
[    7.620612][  T329]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[    7.628596][    T1] kobject: 'nvme-wq' (0000000069c1aed7): kobject_uevent_env: uevent_suppress caused the event to drop!
[    7.620612][  T329]  scsi_mq_alloc_queue+0xd2/0x180
[    7.632674][    T1] kobject: 'nvme-wq' (0000000069c1aed7): kobject_uevent_env
[    7.620612][  T329]  scsi_alloc_sdev+0x837/0xc60
[    7.635988][    T1] kobject: 'nvme-wq' (0000000069c1aed7): fill_kobj_path: path = '/devices/virtual/workqueue/nvme-wq'
[    7.620612][  T329]  scsi_probe_and_add_lun+0x2440/0x39f0
[    7.640733][    T1] kobject: 'nvme-reset-wq' (00000000e89bea04): kobject_add_internal: parent: 'workqueue', set: 'devices'
[    7.620612][  T329]  ? __kasan_check_read+0x11/0x20
[    7.643507][    T1] kobject: 'nvme-reset-wq' (00000000e89bea04): kobject_uevent_env
[    7.620612][  T329]  ? mark_lock+0xc0/0x11e0
[    7.647798][    T1] kobject: 'nvme-reset-wq' (00000000e89bea04): kobject_uevent_env: uevent_suppress caused the event to drop!
[    7.620612][  T329]  ? scsi_alloc_sdev+0xc60/0xc60
[    7.620612][  T329]  ? mark_held_locks+0xa4/0xf0
[    7.620612][  T329]  ? _raw_spin_unlock_irqrestore+0x67/0xd0
[    7.620612][  T329]  ? __pm_runtime_resume+0x11b/0x180
[    7.620612][  T329]  ? _raw_spin_unlock_irqrestore+0x67/0xd0
[    7.651058][    T1] kobject: 'nvme-reset-wq' (00000000e89bea04): kobject_uevent_env
[    7.620612][  T329]  ? lockdep_hardirqs_on+0x418/0x5d0
[    7.654901][    T1] kobject: 'nvme-reset-wq' (00000000e89bea04): fill_kobj_path: path = '/devices/virtual/workqueue/nvme-reset-wq'
[    7.620612][  T329]  ? trace_hardirqs_on+0x67/0x220
[    7.659728][    T1] kobject: 'nvme-delete-wq' (000000005f49ee41): kobject_add_internal: parent: 'workqueue', set: 'devices'
[    7.620612][  T329]  ? __kasan_check_read+0x11/0x20
[    7.662725][    T1] kobject: 'nvme-delete-wq' (000000005f49ee41): kobject_uevent_env
[    7.620612][  T329]  ? __pm_runtime_resume+0x11b/0x180
[    7.666955][    T1] kobject: 'nvme-delete-wq' (000000005f49ee41): kobject_uevent_env: uevent_suppress caused the event to drop!
[    7.620612][  T329]  __scsi_scan_target+0x29a/0xfa0
[    7.620612][  T329]  ? __pm_runtime_resume+0x11b/0x180
[    7.620612][  T329]  ? __kasan_check_read+0x11/0x20
[    7.620612][  T329]  ? mark_lock+0xc0/0x11e0
[    7.620612][  T329]  ? scsi_probe_and_add_lun+0x39f0/0x39f0
[    7.669473][    T1] kobject: 'nvme-delete-wq' (000000005f49ee41): kobject_uevent_env
[    7.620612][  T329]  ? mark_held_locks+0xa4/0xf0
[    7.672293][    T1] kobject: 'nvme-delete-wq' (000000005f49ee41): fill_kobj_path: path = '/devices/virtual/workqueue/nvme-delete-wq'
[    7.620612][  T329]  ? _raw_spin_unlock_irqrestore+0x67/0xd0
[    7.676309][    T1] kobject: 'nvme' (00000000c0971fdf): kobject_add_internal: parent: 'class', set: 'class'
[    7.620612][  T329]  ? __pm_runtime_resume+0x11b/0x180
[    7.680625][    T1] kobject: 'nvme' (00000000c0971fdf): kobject_uevent_env
[    7.620612][  T329]  ? _raw_spin_unlock_irqrestore+0x67/0xd0
[    7.684795][    T1] kobject: 'nvme' (00000000c0971fdf): fill_kobj_path: path = '/class/nvme'
[    7.620612][  T329]  ? lockdep_hardirqs_on+0x418/0x5d0
[    7.688010][    T1] kobject: 'nvme-subsystem' (00000000670d508f): kobject_add_internal: parent: 'class', set: 'class'
[    7.620612][  T329]  ? trace_hardirqs_on+0x67/0x220
[    7.620612][  T329]  scsi_scan_channel.part.0+0x11a/0x190
[    7.620612][  T329]  scsi_scan_host_selected+0x313/0x450
[    7.620612][  T329]  ? scsi_scan_host+0x450/0x450
[    7.620612][  T329]  do_scsi_scan_host+0x1ef/0x260
[    7.620612][  T329]  ? scsi_scan_host+0x450/0x450
[    7.692543][    T1] kobject: 'nvme-subsystem' (00000000670d508f): kobject_uevent_env
[    7.620612][  T329]  do_scan_async+0x41/0x500
[    7.695135][    T1] kobject: 'nvme-subsystem' (00000000670d508f): fill_kobj_path: path = '/class/nvme-subsystem'
[    7.620612][  T329]  ? scsi_scan_host+0x450/0x450
[    7.698176][    T1] kobject: 'nvme' (000000005d460dc8): kobject_add_internal: parent: 'drivers', set: 'drivers'
[    7.620612][  T329]  async_run_entry_fn+0x124/0x570
[    7.620612][  T329]  process_one_work+0x9af/0x16d0
[    7.620612][  T329]  ? pwq_dec_nr_in_flight+0x320/0x320
[    7.620612][  T329]  ? lock_acquire+0x190/0x400
[    7.701606][    T1] kobject: 'drivers' (00000000924ddeb2): kobject_add_internal: parent: 'nvme', set: '<NULL>'
[    7.620612][  T329]  worker_thread+0x98/0xe40
[    7.705786][    T1] kobject: 'nvme' (000000005d460dc8): kobject_uevent_env
[    7.620612][  T329]  kthread+0x361/0x430
[    7.709956][    T1] kobject: 'nvme' (000000005d460dc8): fill_kobj_path: path = '/bus/pci/drivers/nvme'
[    7.620612][  T329]  ? process_one_work+0x16d0/0x16d0
[    7.713199][    T1] kobject: 'ahci' (0000000029da3508): kobject_add_internal: parent: 'drivers', set: 'drivers'
[    7.620612][  T329]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[    7.717072][    T1] kobject: 'drivers' (00000000357f3c8d): kobject_add_internal: parent: 'ahci', set: '<NULL>'
[    7.620612][  T329]  ret_from_fork+0x24/0x30
[    7.620612][  T329] Modules linked in:
[    7.718371][  T329] ---[ end trace bbfdfa526202cca4 ]---
[    7.721471][    T1] kobject: 'ahci' (0000000029da3508): kobject_uevent_env
[    7.722768][  T329] RIP: 0010:dma_direct_max_mapping_size+0x7c/0x1a7
[    7.724195][    T1] kobject: 'ahci' (0000000029da3508): fill_kobj_path: path = '/bus/pci/drivers/ahci'
[    7.725517][  T329] Code: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 23 01 00 00 49 8b 9c 24 38 03 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 da 48 c1 ea 03 <80> 3c 02 00 0f 85 0a 01 00 00 49 8d bc 24 48 03 00 00 48 8b 1b 48
[    7.727823][    T1] kobject: 'ata_piix' (000000002393ac60): kobject_add_internal: parent: 'drivers', set: 'drivers'
[    7.729067][  T329] RSP: 0000:ffff8880a8e9f768 EFLAGS: 00010246
[    7.730452][    T1] kobject: 'drivers' (00000000071486d0): kobject_add_internal: parent: 'ata_piix', set: '<NULL>'
[    7.732312][  T329] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff816007b1
[    7.733561][    T1] kobject: 'ata_piix' (000000002393ac60): kobject_uevent_env
[    7.736086][  T329] RDX: 0000000000000000 RSI: ffffffff816007d0 RDI: ffff8882195030b8
[    7.737341][    T1] kobject: 'ata_piix' (000000002393ac60): fill_kobj_path: path = '/bus/pci/drivers/ata_piix'
[    7.739867][  T329] RBP: ffff8880a8e9f780 R08: ffff8880a8e8c000 R09: ffffed10146244ec
[    7.741306][    T1] kobject: 'pata_amd' (0000000066b08d7f): kobject_add_internal: parent: 'drivers', set: 'drivers'
[    7.742561][  T329] R10: ffffed10146244eb R11: ffff8880a312275f R12: ffff888219502d80
[    7.743976][    T1] kobject: 'drivers' (00000000b292806e): kobject_add_internal: parent: 'pata_amd', set: '<NULL>'
[    7.745038][  T329] R13: ffff888219502d80 R14: ffff88821930e4f0 R15: 0000000000000200
[    7.747615][    T1] kobject: 'pata_amd' (0000000066b08d7f): kobject_uevent_env
[    7.748706][  T329] FS:  0000000000000000(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
[    7.750475][    T1] kobject: 'pata_amd' (0000000066b08d7f): fill_kobj_path: path = '/bus/pci/drivers/pata_amd'
[    7.751516][  T329] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[    7.753904][    T1] kobject: 'pata_oldpiix' (00000000cf9a5442): kobject_add_internal: parent: 'drivers', set: 'drivers'
[    7.755108][  T329] CR2: 0000000000000000 CR3: 0000000008c6d000 CR4: 00000000001406e0
[    7.757783][    T1] kobject: 'drivers' (00000000ec356fca): kobject_add_internal: parent: 'pata_oldpiix', set: '<NULL>'
[    7.759296][  T329] Kernel panic - not syncing: Fatal exception
[    7.761994][    T1] kobject: 'pata_oldpiix' (00000000cf9a5442): kobject_uevent_env
[    7.765044][  T329] Kernel Offset: disabled
[    7.769264][  T329] Rebooting in 86400 seconds..


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=16eae0e8600000


Tested on:

commit:         a4a6f143 ovl: detect overlapping layers with nested lower ..
git tree:       https://github.com/amir73il/linux.git ovl-check-nested-overlap
kernel config:  https://syzkaller.appspot.com/x/.config?x=da585491c5226246
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)