syzbot


BUG: unable to handle kernel NULL pointer dereference in jbd2_alloc

Status: moderation: reported on 2024/11/24 23:53
Subsystems: ext4
[Documentation on labels]
Reported-by: syzbot+623df1c39958c2b2e97c@syzkaller.appspotmail.com
First crash: 148d, last: 53d

Sample crash report:
loop2: detected capacity change from 0 to 32768
ocfs2: Mounting device (7,2) on (node local, slot 0) with ordered data mode.
BUG: kernel NULL pointer dereference, address: 0000000000000011
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 800000002a9fd067 P4D 800000002a9fd067 PUD 0 
Oops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 0 UID: 0 PID: 6033 Comm: syz.2.21 Not tainted 6.14.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
RIP: 0010:___slab_alloc+0x595/0x14a0 mm/slub.c:3769
Code: 85 fb 00 00 00 65 4c 8b 2c 25 00 d5 03 00 4c 89 6b 28 49 83 7e 10 00 0f 85 82 01 00 00 49 8b 5e 18 48 85 db 0f 84 ea 04 00 00 <48> 8b 43 10 49 89 46 18 8b 4c 24 10 83 f9 ff 74 15 48 8b 03 48 83
RSP: 0018:ffffc9000454e150 EFLAGS: 00010002
RAX: f1be6b6da9c57000 RBX: 0000000000000001 RCX: ffff888031a446e8
RDX: dffffc0000000000 RSI: ffffffff8c2ab680 RDI: ffffffff8c801a80
RBP: 0000000000000202 R08: ffffffff94511847 R09: 1ffffffff28a2308
R10: dffffc0000000000 R11: fffffbfff28a2309 R12: ffff8880330c4780
R13: ffff888031a43c00 R14: ffffe8ffffc6d0a0 R15: ffffffff821b60af
FS:  00007fdc89a226c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000011 CR3: 000000007b4bc000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 __slab_alloc+0x58/0xa0 mm/slub.c:3916
 __slab_alloc_node mm/slub.c:3991 [inline]
 slab_alloc_node mm/slub.c:4152 [inline]
 kmem_cache_alloc_noprof+0x268/0x380 mm/slub.c:4171
 jbd2_alloc+0x155/0x1b0 fs/jbd2/journal.c:2763
 jbd2_journal_get_undo_access+0x1d1/0x310 fs/jbd2/transaction.c:1395
 __ocfs2_journal_access+0x4de/0x8b0 fs/ocfs2/journal.c:692
 ocfs2_block_group_set_bits+0x29e/0x9a0 fs/ocfs2/suballoc.c:1387
 ocfs2_search_chain+0x1b27/0x26c0 fs/ocfs2/suballoc.c:1900
 ocfs2_claim_suballoc_bits+0x11ef/0x2560 fs/ocfs2/suballoc.c:1985
 __ocfs2_claim_clusters+0x332/0xa40 fs/ocfs2/suballoc.c:2395
 ocfs2_claim_clusters fs/ocfs2/suballoc.c:2432 [inline]
 ocfs2_block_group_alloc_contig fs/ocfs2/suballoc.c:432 [inline]
 ocfs2_block_group_alloc fs/ocfs2/suballoc.c:699 [inline]
 ocfs2_reserve_suballoc_bits+0x115e/0x4e70 fs/ocfs2/suballoc.c:832
 ocfs2_reserve_new_metadata_blocks+0x41c/0x9c0 fs/ocfs2/suballoc.c:982
 ocfs2_mknod+0x143a/0x2b30 fs/ocfs2/namei.c:347
 ocfs2_create+0x1ab/0x470 fs/ocfs2/namei.c:673
 lookup_open fs/namei.c:3651 [inline]
 open_last_lookups fs/namei.c:3750 [inline]
 path_openat+0x193c/0x3590 fs/namei.c:3986
 do_filp_open+0x27f/0x4e0 fs/namei.c:4016
 do_sys_openat2+0x13e/0x1d0 fs/open.c:1428
 do_sys_open fs/open.c:1443 [inline]
 __do_sys_openat fs/open.c:1459 [inline]
 __se_sys_openat fs/open.c:1454 [inline]
 __x64_sys_openat+0x247/0x2a0 fs/open.c:1454
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fdc88b8d169
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fdc89a22038 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007fdc88da5fa0 RCX: 00007fdc88b8d169
RDX: 00000000001c5442 RSI: 0000400000000240 RDI: ffffffffffffff9c
RBP: 00007fdc88c0e2a0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007fdc88da5fa0 R15: 00007ffd61224f88
 </TASK>
Modules linked in:
CR2: 0000000000000011
---[ end trace 0000000000000000 ]---
RIP: 0010:___slab_alloc+0x595/0x14a0 mm/slub.c:3769
Code: 85 fb 00 00 00 65 4c 8b 2c 25 00 d5 03 00 4c 89 6b 28 49 83 7e 10 00 0f 85 82 01 00 00 49 8b 5e 18 48 85 db 0f 84 ea 04 00 00 <48> 8b 43 10 49 89 46 18 8b 4c 24 10 83 f9 ff 74 15 48 8b 03 48 83
RSP: 0018:ffffc9000454e150 EFLAGS: 00010002
RAX: f1be6b6da9c57000 RBX: 0000000000000001 RCX: ffff888031a446e8
RDX: dffffc0000000000 RSI: ffffffff8c2ab680 RDI: ffffffff8c801a80
RBP: 0000000000000202 R08: ffffffff94511847 R09: 1ffffffff28a2308
R10: dffffc0000000000 R11: fffffbfff28a2309 R12: ffff8880330c4780
R13: ffff888031a43c00 R14: ffffe8ffffc6d0a0 R15: ffffffff821b60af
FS:  00007fdc89a226c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000011 CR3: 000000007b4bc000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	85 fb                	test   %edi,%ebx
   2:	00 00                	add    %al,(%rax)
   4:	00 65 4c             	add    %ah,0x4c(%rbp)
   7:	8b 2c 25 00 d5 03 00 	mov    0x3d500,%ebp
   e:	4c 89 6b 28          	mov    %r13,0x28(%rbx)
  12:	49 83 7e 10 00       	cmpq   $0x0,0x10(%r14)
  17:	0f 85 82 01 00 00    	jne    0x19f
  1d:	49 8b 5e 18          	mov    0x18(%r14),%rbx
  21:	48 85 db             	test   %rbx,%rbx
  24:	0f 84 ea 04 00 00    	je     0x514
* 2a:	48 8b 43 10          	mov    0x10(%rbx),%rax <-- trapping instruction
  2e:	49 89 46 18          	mov    %rax,0x18(%r14)
  32:	8b 4c 24 10          	mov    0x10(%rsp),%ecx
  36:	83 f9 ff             	cmp    $0xffffffff,%ecx
  39:	74 15                	je     0x50
  3b:	48 8b 03             	mov    (%rbx),%rax
  3e:	48                   	rex.W
  3f:	83                   	.byte 0x83

Crashes (3):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2025/02/24 08:49 upstream d082ecbc71e9 d34966d1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs BUG: unable to handle kernel NULL pointer dereference in jbd2_alloc
2024/12/03 07:27 upstream cdd30ebb1b9f 578925bc .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root BUG: unable to handle kernel NULL pointer dereference in jbd2_alloc
2024/11/20 23:45 upstream bf9aa14fc523 4fca1650 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-badwrites-root BUG: unable to handle kernel NULL pointer dereference in jbd2_alloc
* Struck through repros no longer work on HEAD.