syzbot


BUG: unable to handle kernel paging request in diFree

Status: fixed on 2021/11/10 00:50
Subsystems: jfs
[Documentation on labels]
Reported-by: syzbot+0a89a7b56db04c21a656@syzkaller.appspotmail.com
Fix commit: 9d574f985fe3 jfs: fix GPF in diFree
First crash: 1478d, last: 1202d
Cause bisection: the issue happens on the oldest tested release (bisect log)
Crash: WARNING in sysfs_warn_dup (log)
Repro: C syz .config
  
Discussions (17)
Title Replies (including bot) Last reply
[PATCH 5.12 000/242] 5.12.18-rc1 review 258 (258) 2021/07/22 14:12
[PATCH 4.4 000/188] 4.4.276-rc1 review 195 (195) 2021/07/21 10:42
[PATCH 4.9 000/245] 4.9.276-rc1 review 250 (250) 2021/07/21 10:29
[PATCH 4.14 000/315] 4.14.240-rc1 review 321 (321) 2021/07/20 08:21
[PATCH 4.19 000/421] 4.19.198-rc1 review 423 (423) 2021/07/19 16:00
[PATCH AUTOSEL 4.19 01/39] tty: serial: fsl_lpuart: fix the potential risk of division or modulo by zero 42 (42) 2021/07/18 09:13
[PATCH 5.4 000/122] 5.4.133-rc1 review 131 (131) 2021/07/17 01:21
[PATCH 5.10 000/215] 5.10.51-rc1 review 225 (225) 2021/07/17 01:20
[PATCH 5.13 000/266] 5.13.3-rc1 review 276 (276) 2021/07/16 18:08
[PATCH AUTOSEL 5.10 01/93] leds: tlc591xx: fix return value check in tlc591xx_probe() 95 (95) 2021/07/12 21:48
[PATCH AUTOSEL 4.9 01/26] tty: serial: fsl_lpuart: fix the potential risk of division or modulo by zero 27 (27) 2021/07/10 09:16
[PATCH AUTOSEL 4.14 01/33] tty: serial: fsl_lpuart: fix the potential risk of division or modulo by zero 34 (34) 2021/07/10 09:14
[PATCH AUTOSEL 5.12 001/104] leds: tlc591xx: fix return value check in tlc591xx_probe() 105 (105) 2021/07/10 05:16
[PATCH AUTOSEL 4.4 01/23] tty: serial: fsl_lpuart: fix the potential risk of division or modulo by zero 23 (23) 2021/07/10 02:39
[PATCH AUTOSEL 5.4 01/63] dmaengine: fsl-qdma: check dma_set_mask return value 63 (63) 2021/07/10 02:27
[PATCH] jfs: fix GPF in diFree 4 (4) 2021/06/23 16:46
BUG: unable to handle kernel paging request in diFree 0 (1) 2020/09/28 07:48
Similar bugs (11)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.19 BUG: unable to handle kernel paging request in diFree C done 18 1181d 1473d 1/1 fixed on 2021/08/17 00:59
linux-4.19 KASAN: use-after-free Read in diFree jfs C error 21 621d 1459d 0/1 upstream: reported C repro on 2020/10/13 01:51
linux-4.14 BUG: unable to handle kernel paging request in diFree C 5 599d 1478d 0/1 upstream: reported C repro on 2020/09/23 16:53
upstream KASAN: use-after-free Read in diFree jfs C inconclusive unreliable 110 285d 933d 0/28 auto-obsoleted due to no activity on 2024/03/22 04:27
linux-6.1 KASAN: use-after-free Read in diFree origin:lts-only C done 7 379d 539d 3/3 fixed on 2023/10/30 11:46
linux-4.14 general protection fault in diFree 1 1351d 1351d 0/1 auto-closed as invalid on 2021/05/28 19:31
linux-4.14 general protection fault in diFree (2) C 2 591d 996d 0/1 upstream: reported C repro on 2022/01/18 19:31
linux-5.15 KASAN: use-after-free Read in diFree C error 5 480d 551d 0/3 auto-obsoleted due to no activity on 2023/10/07 20:25
linux-5.15 UBSAN: array-index-out-of-bounds in diFree origin:upstream missing-backport C done 13 56d 102d 3/3 fixed on 2024/09/19 18:24
upstream UBSAN: array-index-out-of-bounds in diFree jfs C inconclusive 226 59d 170d 27/28 fixed on 2024/08/14 03:44
linux-4.14 KASAN: use-after-free Read in diFree jfs C error 3 599d 1472d 0/1 upstream: reported C repro on 2020/09/30 00:31
Last patch testing requests (1)
Created Duration User Patch Repo Result
2021/06/06 13:53 15m paskripkin@gmail.com patch upstream OK
Fix bisection attempts (6)
Created Duration User Patch Repo Result
2021/06/24 10:54 19m bisect fix upstream OK (0) job log log
2021/04/01 07:19 19m bisect fix upstream OK (0) job log log
2021/03/01 04:53 19m bisect fix upstream OK (0) job log log
2021/02/01 15:31 0m bisect fix upstream error job log
2021/01/02 13:56 16m bisect fix upstream OK (0) job log log
2020/11/07 15:25 15m bisect fix upstream OK (0) job log log

Sample crash report:
ERROR: (device loop0): xtSearch: XT_GETPAGE: xtree page corrupt
BUG: unable to handle page fault for address: ffffffffffffff80
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD b08f067 P4D b08f067 PUD b091067 PMD 0 
Oops: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 8472 Comm: syz-executor936 Not tainted 5.10.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:diFree+0x13d/0x2dc0 fs/jfs/jfs_imap.c:853
Code: 28 48 8d 78 80 48 89 44 24 18 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 ef 23 00 00 48 8b 44 24 18 <4c> 8b 60 80 48 8b 44 24 20 49 8d 6c 24 04 48 c1 e8 0c 48 89 ea 48
RSP: 0018:ffffc900011cf960 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff88801c1aa600 RCX: ffffffff82a84967
RDX: 1ffffffffffffff0 RSI: ffffffff82aa7952 RDI: ffffffffffffff80
RBP: 0000000000000000 R08: 0000000000000000 R09: ffff88802f75090f
R10: 0000000000000000 R11: 0000000000000000 R12: ffff88802f750db8
R13: ffff88802f750d08 R14: ffffffff89829b80 R15: ffff88802f750ce0
FS:  0000000000ca5880(0000) GS:ffff8880b9f00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffff80 CR3: 000000001424e000 CR4: 0000000000350ee0
Call Trace:
 jfs_evict_inode+0x2c9/0x370 fs/jfs/inode.c:154
 evict+0x2ed/0x750 fs/inode.c:578
 iput_final fs/inode.c:1654 [inline]
 iput.part.0+0x3fe/0x820 fs/inode.c:1680
 iput+0x58/0x70 fs/inode.c:1670
 diFreeSpecial fs/jfs/jfs_imap.c:550 [inline]
 diFreeSpecial+0x6f/0x90 fs/jfs/jfs_imap.c:542
 jfs_mount+0x23f/0x3d0 fs/jfs/jfs_mount.c:210
 jfs_fill_super+0x5b1/0xbc0 fs/jfs/super.c:562
 mount_bdev+0x32e/0x3f0 fs/super.c:1419
 legacy_get_tree+0x105/0x220 fs/fs_context.c:592
 vfs_get_tree+0x89/0x2f0 fs/super.c:1549
 do_new_mount fs/namespace.c:2875 [inline]
 path_mount+0x13ad/0x20c0 fs/namespace.c:3205
 do_mount fs/namespace.c:3218 [inline]
 __do_sys_mount fs/namespace.c:3426 [inline]
 __se_sys_mount fs/namespace.c:3403 [inline]
 __x64_sys_mount+0x27f/0x300 fs/namespace.c:3403
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x446dea
Code: b8 08 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 fd ad fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 da ad fb ff c3 66 0f 1f 84 00 00 00 00 00
RSP: 002b:00007ffd1d0fafe8 EFLAGS: 00000283 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007ffd1d0fb030 RCX: 0000000000446dea
RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffd1d0faff0
RBP: 00007ffd1d0faff0 R08: 00007ffd1d0fb030 R09: 6f6f6c2f7665642f
R10: 0000000000008001 R11: 0000000000000283 R12: 0000000000000004
R13: 0000000000000003 R14: 0000000000000003 R15: 0000000000000006
Modules linked in:
CR2: ffffffffffffff80
---[ end trace 79bc54c5fb4624ff ]---
RIP: 0010:diFree+0x13d/0x2dc0 fs/jfs/jfs_imap.c:853
Code: 28 48 8d 78 80 48 89 44 24 18 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 ef 23 00 00 48 8b 44 24 18 <4c> 8b 60 80 48 8b 44 24 20 49 8d 6c 24 04 48 c1 e8 0c 48 89 ea 48
RSP: 0018:ffffc900011cf960 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff88801c1aa600 RCX: ffffffff82a84967
RDX: 1ffffffffffffff0 RSI: ffffffff82aa7952 RDI: ffffffffffffff80
RBP: 0000000000000000 R08: 0000000000000000 R09: ffff88802f75090f
R10: 0000000000000000 R11: 0000000000000000 R12: ffff88802f750db8
R13: ffff88802f750d08 R14: ffffffff89829b80 R15: ffff88802f750ce0
FS:  0000000000ca5880(0000) GS:ffff8880b9f00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffff80 CR3: 000000001424e000 CR4: 0000000000350ee0

Crashes (13):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2020/12/03 13:56 upstream 34816d20f173 e6b0d314 .config console log report syz C ci-upstream-kasan-gce-root
2020/11/23 23:44 upstream 418baf2c28f3 878fb17a .config console log report syz C ci-upstream-kasan-gce-selinux-root
2020/10/08 12:39 upstream c85fb28b6f99 1880b4a9 .config console log report syz C ci-upstream-kasan-gce-selinux-root
2020/09/27 12:59 upstream eeddbe6841cd 5dd8aee8 .config console log report syz C ci-upstream-kasan-gce-smack-root
2020/09/24 02:11 upstream 805c6d3c1921 287cd75a .config console log report syz C ci-upstream-kasan-gce-smack-root
2020/11/19 03:55 linux-next 205292332779 0767f13f .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2020/11/16 18:35 linux-next 034307507118 1bf9a662 .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2021/06/26 12:02 upstream b7050b242430 9d2ab5df .config console log report info ci-upstream-kasan-gce-root BUG: unable to handle kernel paging request in diFree
2021/05/03 08:13 upstream d2b6f8a17919 77e2b668 .config console log report info ci-upstream-kasan-gce-selinux-root BUG: unable to handle kernel paging request in diFree
2021/04/23 07:33 upstream 90c911ad7445 590921a5 .config console log report info ci-upstream-kasan-gce-selinux-root BUG: unable to handle kernel paging request in diFree
2021/04/15 04:55 upstream 7f75285ca572 fcdb12ba .config console log report info ci-upstream-kasan-gce-root BUG: unable to handle kernel paging request in diFree
2021/05/25 10:22 linux-next a1f92694393a 3c7fef33 .config console log report info ci-upstream-linux-next-kasan-gce-root BUG: unable to handle kernel paging request in diFree
2020/09/24 01:56 upstream 805c6d3c1921 287cd75a .config console log report info ci-upstream-kasan-gce-smack-root
* Struck through repros no longer work on HEAD.