syzbot


BUG: unable to handle kernel paging request in diFree

Status: upstream: reported C repro on 2020/09/23 16:53
Reported-by: syzbot+d17404b64177c0bd1ab7@syzkaller.appspotmail.com
First crash: 1369d, last: 489d
Similar bugs (10)
| Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
|---|---|---|---|---|---|---|---|---|---|
| linux-4.19 | BUG: unable to handle kernel paging request in diFree | C | done | | 18 | 1071d | 1363d | 1/1 | fixed on 2021/08/17 00:59 |
| upstream | BUG: unable to handle kernel paging request in diFree jfs | C | done | | 13 | 1093d | 1364d | 20/27 | fixed on 2021/11/10 00:50 |
| linux-4.19 | KASAN: use-after-free Read in diFree jfs | C | error | | 21 | 511d | 1349d | 0/1 | upstream: reported C repro on 2020/10/13 01:51 |
| upstream | KASAN: use-after-free Read in diFree jfs | C | inconclusive | unreliable | 110 | 176d | 824d | 0/27 | auto-obsoleted due to no activity on 2024/03/22 04:27 |
| linux-6.1 | KASAN: use-after-free Read in diFree origin:lts-only | C | done | | 7 | 269d | 430d | 3/3 | fixed on 2023/10/30 11:46 |
| linux-4.14 | general protection fault in diFree | | | | 1 | 1241d | 1241d | 0/1 | auto-closed as invalid on 2021/05/28 19:31 |
| linux-4.14 | general protection fault in diFree (2) | C | | | 2 | 481d | 886d | 0/1 | upstream: reported C repro on 2022/01/18 19:31 |
| linux-5.15 | KASAN: use-after-free Read in diFree | C | error | | 5 | 370d | 442d | 0/3 | auto-obsoleted due to no activity on 2023/10/07 20:25 |
| upstream | UBSAN: array-index-out-of-bounds in diFree jfs | C | inconclusive | | 194 | 21m | 60d | 0/27 | upstream: reported C repro on 2024/04/23 22:25 |
| linux-4.14 | KASAN: use-after-free Read in diFree jfs | C | error | | 3 | 489d | 1362d | 0/1 | upstream: reported C repro on 2020/09/30 00:31 |
Fix bisection attempts (25)
| Created | Duration | User | Patch | Repo | Result |
|---|---|---|---|---|---|
| 2023/02/20 03:44 | 24m | bisect fix | | linux-4.14.y | job log (0) log |
| 2023/01/21 02:54 | 26m | bisect fix | | linux-4.14.y | job log (0) log |
| 2022/10/30 08:52 | 23m | bisect fix | | linux-4.14.y | job log (0) log |
| 2022/09/14 08:37 | 20m | bisect fix | | linux-4.14.y | job log (0) log |
| 2022/08/15 08:09 | 26m | bisect fix | | linux-4.14.y | job log (0) log |
| 2022/07/16 07:26 | 21m | bisect fix | | linux-4.14.y | job log (0) log |
| 2022/06/16 07:01 | 24m | bisect fix | | linux-4.14.y | job log (0) log |
| 2022/05/17 06:33 | 27m | bisect fix | | linux-4.14.y | job log (0) log |
| 2022/04/17 04:59 | 27m | bisect fix | | linux-4.14.y | job log (0) log |
| 2022/03/17 09:49 | 31m | bisect fix | | linux-4.14.y | job log (0) log |
| 2022/02/15 09:19 | 29m | bisect fix | | linux-4.14.y | job log (0) log |
| 2022/01/16 08:50 | 29m | bisect fix | | linux-4.14.y | job log (0) log |
| 2021/12/17 07:00 | 32m | bisect fix | | linux-4.14.y | job log (0) log |
| 2021/11/17 06:27 | 23m | bisect fix | | linux-4.14.y | job log (0) log |
| 2021/10/18 05:49 | 27m | bisect fix | | linux-4.14.y | job log (0) log |
| 2021/09/18 05:09 | 30m | bisect fix | | linux-4.14.y | job log (0) log |
| 2021/08/19 04:32 | 29m | bisect fix | | linux-4.14.y | job log (0) log |
| 2021/07/20 03:57 | 29m | bisect fix | | linux-4.14.y | job log (0) log |
| 2021/06/20 03:17 | 27m | bisect fix | | linux-4.14.y | job log (0) log |
| 2021/05/21 02:38 | 23m | bisect fix | | linux-4.14.y | job log (0) log |
| 2021/04/21 01:21 | 21m | bisect fix | | linux-4.14.y | job log (0) log |
| 2021/03/21 23:38 | 21m | bisect fix | | linux-4.14.y | job log (0) log |
| 2021/02/19 19:23 | 21m | bisect fix | | linux-4.14.y | job log (0) log |
| 2021/02/17 14:11 | 18m | bisect fix | | linux-4.14.y | error job log (0) |
| 2021/01/31 00:24 | 0m | bisect fix | | linux-4.14.y | error job log (0) |

Sample crash report:
IPVS: ftp: loaded support on port[0] = 21
ERROR: (device loop0): xtTruncate_pmap: XT_GETPAGE: xtree page corrupt
ERROR: (device loop0): txAbort: 
ERROR: (device loop0): xtTruncate: XT_GETPAGE: xtree page corrupt
BUG: unable to handle kernel paging request at ffff887c8cc30d08
IP: __lock_acquire+0x1d6/0x3f20 kernel/locking/lockdep.c:3369
PGD 0 P4D 0 
Oops: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 1 PID: 7985 Comm: syz-executor390 Not tainted 4.14.295-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
task: ffff88809589a100 task.stack: ffff8880b36b8000
RIP: 0010:__lock_acquire+0x1d6/0x3f20 kernel/locking/lockdep.c:3369
RSP: 0018:ffff8880b36bf530 EFLAGS: 00010046
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 1ffff10f919861a1 RSI: 0000000000000000 RDI: ffff887c8cc30d08
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: ffff88809589a100 R12: ffff887c8cc30d08
R13: 0000000000000000 R14: 0000000000000001 R15: ffffffff8becddc0
FS:  00005555570a5300(0000) GS:ffff8880ba500000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff887c8cc30d08 CR3: 0000000008e6a000 CR4: 00000000003406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
 __mutex_lock_common kernel/locking/mutex.c:756 [inline]
 __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
 diFree+0x229/0x2830 fs/jfs/jfs_imap.c:906
 jfs_evict_inode+0x198/0x210 fs/jfs/inode.c:166
 evict+0x2c8/0x700 fs/inode.c:555
 iput_final fs/inode.c:1524 [inline]
 iput+0x458/0x7e0 fs/inode.c:1551
 dentry_unlink_inode+0x25c/0x310 fs/dcache.c:387
 __dentry_kill+0x320/0x550 fs/dcache.c:591
 shrink_dentry_list+0x2ab/0xac0 fs/dcache.c:1043
 shrink_dcache_parent+0x5f/0xe0 fs/dcache.c:1473
 do_one_tree fs/dcache.c:1504 [inline]
 shrink_dcache_for_umount+0x66/0x270 fs/dcache.c:1521
 generic_shutdown_super+0x68/0x370 fs/super.c:431
 kill_block_super+0x95/0xe0 fs/super.c:1161
 deactivate_locked_super+0x6c/0xd0 fs/super.c:319
 deactivate_super+0x7f/0xa0 fs/super.c:350
 cleanup_mnt+0x186/0x2c0 fs/namespace.c:1183
 task_work_run+0x11f/0x190 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0xa44/0x2850 kernel/exit.c:868
 do_group_exit+0x100/0x2e0 kernel/exit.c:965
 SYSC_exit_group kernel/exit.c:976 [inline]
 SyS_exit_group+0x19/0x20 kernel/exit.c:974
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x7f5874e1c4f9
RSP: 002b:00007ffe6ce35df8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 00007f5874e9f330 RCX: 00007f5874e1c4f9
RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001
RBP: 0000000000000001 R08: ffffffffffffffc0 R09: 0000000000000000
R10: 00005555570a52c0 R11: 0000000000000246 R12: 00007f5874e9f330
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
Code: 00 00 44 89 e8 5b 5d 41 5c 41 5d 41 5e 41 5f c3 48 b8 00 00 00 00 00 fc ff df 4c 89 e2 48 c1 ea 03 80 3c 02 00 0f 85 67 2a 00 00 <49> 81 3c 24 e0 97 2f 8b 0f 84 5f ff ff ff 83 fe 01 0f 87 62 ff 
RIP: __lock_acquire+0x1d6/0x3f20 kernel/locking/lockdep.c:3369 RSP: ffff8880b36bf530
CR2: ffff887c8cc30d08
---[ end trace b1e0a49315b602db ]---
----------------
Code disassembly (best guess):
   0:	00 00                	add    %al,(%rax)
   2:	44 89 e8             	mov    %r13d,%eax
   5:	5b                   	pop    %rbx
   6:	5d                   	pop    %rbp
   7:	41 5c                	pop    %r12
   9:	41 5d                	pop    %r13
   b:	41 5e                	pop    %r14
   d:	41 5f                	pop    %r15
   f:	c3                   	retq
  10:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  17:	fc ff df
  1a:	4c 89 e2             	mov    %r12,%rdx
  1d:	48 c1 ea 03          	shr    $0x3,%rdx
  21:	80 3c 02 00          	cmpb   $0x0,(%rdx,%rax,1)
  25:	0f 85 67 2a 00 00    	jne    0x2a92
* 2b:	49 81 3c 24 e0 97 2f 	cmpq   $0xffffffff8b2f97e0,(%r12) <-- trapping instruction
  32:	8b
  33:	0f 84 5f ff ff ff    	je     0xffffff98
  39:	83 fe 01             	cmp    $0x1,%esi
  3c:	0f                   	.byte 0xf
  3d:	87 62 ff             	xchg   %esp,-0x1(%rdx)

Crashes (5):
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2022/09/30 08:51 | linux-4.14.y | 9d5c0b3a8e1a | 45fd7169 | .config | console log | report | syz | C | | [disk image] [vmlinux] | ci2-linux-4-14 | BUG: unable to handle kernel paging request in diFree |
| 2020/10/02 22:30 | linux-4.14.y | cbfa1702aaf6 | 062c9832 | .config | console log | report | syz | C | | | ci2-linux-4-14 | |
| 2020/10/01 23:47 | linux-4.14.y | cbfa1702aaf6 | 9602ddf4 | .config | console log | report | syz | C | | | ci2-linux-4-14 | |
| 2020/09/23 17:06 | linux-4.14.y | cbfa1702aaf6 | 287cd75a | .config | console log | report | syz | C | | | ci2-linux-4-14 | |
| 2020/09/23 16:52 | linux-4.14.y | cbfa1702aaf6 | 287cd75a | .config | console log | report | | | info | | ci2-linux-4-14 | |
* Struck through repros no longer work on HEAD.