syzbot


WARNING: ODEBUG bug in nilfs_mdt_destroy

Status: closed as dup on 2022/10/13 09:28
Subsystems: nilfs
[Documentation on labels]
Reported-by: syzbot+e67c6877ee7e6e68c45a@syzkaller.appspotmail.com
First crash: 772d, last: 763d
Duplicate of
Title Repro Cause bisect Fix bisect Count Last Reported
KASAN: use-after-free Read in nilfs_mdt_destroy nilfs C error 20 778d 793d
Discussions (1)
Title Replies (including bot) Last reply
[syzbot] WARNING: ODEBUG bug in nilfs_mdt_destroy 1 (2) 2022/10/13 09:28

Sample crash report:
WARNING: CPU: 1 PID: 11637 at lib/debugobjects.c:505 debug_print_object lib/debugobjects.c:502 [inline]
WARNING: CPU: 1 PID: 11637 at lib/debugobjects.c:505 __debug_check_no_obj_freed lib/debugobjects.c:989 [inline]
WARNING: CPU: 1 PID: 11637 at lib/debugobjects.c:505 debug_check_no_obj_freed+0x214/0x2b0 lib/debugobjects.c:1020
Modules linked in:
CPU: 1 PID: 11637 Comm: syz-executor.2 Not tainted 6.0.0-rc7-syzkaller-18095-gbbed346d5a96 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/30/2022
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : debug_print_object lib/debugobjects.c:502 [inline]
pc : __debug_check_no_obj_freed lib/debugobjects.c:989 [inline]
pc : debug_check_no_obj_freed+0x214/0x2b0 lib/debugobjects.c:1020
lr : debug_print_object lib/debugobjects.c:502 [inline]
lr : __debug_check_no_obj_freed lib/debugobjects.c:989 [inline]
lr : debug_check_no_obj_freed+0x214/0x2b0 lib/debugobjects.c:1020
sp : ffff800021bf3ad0
x29: ffff800021bf3af0 x28: ffff0001526a4000 x27: ffff0001526a5090
x26: ffff000118d0f780 x25: ffff00011c294410 x24: ffff80000bfff5b8
x23: ffff0001526a4e90 x22: ffff80000bfff5b8 x21: 0000000000000002
x20: dead000000000100 x19: ffff0001526a4e90 x18: 00000000000000e2
x17: ffff80000bffd6bc x16: ffff80000db49158 x15: ffff0001129b8000
x14: 0000000000000000 x13: 00000000ffffffff x12: 0000000000040000
x11: 00000000000032e7 x10: ffff800017e91000 x9 : ede74df8178f9200
x8 : ede74df8178f9200 x7 : ffff800008161d1c x6 : 0000000000000000
x5 : 0000000000000080 x4 : 0000000000000001 x3 : 0000000000000000
x2 : 0000000000000006 x1 : 0000000100000000 x0 : 0000000000000076
Call trace:
 debug_print_object lib/debugobjects.c:502 [inline]
 __debug_check_no_obj_freed lib/debugobjects.c:989 [inline]
 debug_check_no_obj_freed+0x214/0x2b0 lib/debugobjects.c:1020
 slab_free_hook mm/slub.c:1734 [inline]
 slab_free_freelist_hook mm/slub.c:1785 [inline]
 slab_free mm/slub.c:3539 [inline]
 kfree+0x14c/0x348 mm/slub.c:4567
 nilfs_mdt_destroy+0x24/0x3c fs/nilfs2/mdt.c:497
 nilfs_free_inode+0x2c/0x54 fs/nilfs2/super.c:168
 i_callback fs/inode.c:249 [inline]
 alloc_inode+0xdc/0x104 fs/inode.c:274
 iget5_locked+0x5c/0xc8 fs/inode.c:1242
 nilfs_iget_locked fs/nilfs2/inode.c:588 [inline]
 nilfs_iget+0x64/0x33c fs/nilfs2/inode.c:597
 nilfs_lookup+0x78/0xa0 fs/nilfs2/namei.c:63
 __lookup_hash+0xa0/0x164 fs/namei.c:1601
 do_rmdir+0xf0/0x2a4 fs/namei.c:4147
 __do_sys_unlinkat fs/namei.c:4339 [inline]
 __se_sys_unlinkat fs/namei.c:4333 [inline]
 __arm64_sys_unlinkat+0x90/0xa8 fs/namei.c:4333
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall arch/arm64/kernel/syscall.c:52 [inline]
 el0_svc_common+0x138/0x220 arch/arm64/kernel/syscall.c:142
 do_el0_svc+0x48/0x164 arch/arm64/kernel/syscall.c:206
 el0_svc+0x58/0x150 arch/arm64/kernel/entry-common.c:636
 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:654
 el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:581
irq event stamp: 2876
hardirqs last  enabled at (2875): [<ffff800008161dac>] raw_spin_rq_unlock_irq kernel/sched/sched.h:1367 [inline]
hardirqs last  enabled at (2875): [<ffff800008161dac>] finish_lock_switch+0x94/0xe8 kernel/sched/core.c:4942
hardirqs last disabled at (2876): [<ffff80000bfb5fbc>] el1_dbg+0x24/0x5c arch/arm64/kernel/entry-common.c:404
softirqs last  enabled at (2854): [<ffff8000080102e4>] _stext+0x2e4/0x37c
softirqs last disabled at (2765): [<ffff800008017c14>] ____do_softirq+0x14/0x20 arch/arm64/kernel/irq.c:79
---[ end trace 0000000000000000 ]---
------------[ cut here ]------------
ODEBUG: free active (active state 0) object type: timer_list hint: __refcount_inc_not_zero include/linux/refcount.h:227 [inline]
ODEBUG: free active (active state 0) object type: timer_list hint: refcount_inc_not_zero include/linux/refcount.h:245 [inline]
ODEBUG: free active (active state 0) object type: timer_list hint: kref_get_unless_zero include/linux/kref.h:111 [inline]
ODEBUG: free active (active state 0) object type: timer_list hint: batadv_iv_send_outstanding_bat_ogm_packet+0x0/0x428 net/batman-adv/hard-interface.h:114
WARNING: CPU: 0 PID: 11637 at lib/debugobjects.c:505 debug_print_object lib/debugobjects.c:502 [inline]
WARNING: CPU: 0 PID: 11637 at lib/debugobjects.c:505 __debug_check_no_obj_freed lib/debugobjects.c:989 [inline]
WARNING: CPU: 0 PID: 11637 at lib/debugobjects.c:505 debug_check_no_obj_freed+0x214/0x2b0 lib/debugobjects.c:1020
Modules linked in:
CPU: 0 PID: 11637 Comm: syz-executor.2 Tainted: G        W          6.0.0-rc7-syzkaller-18095-gbbed346d5a96 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/30/2022
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : debug_print_object lib/debugobjects.c:502 [inline]
pc : __debug_check_no_obj_freed lib/debugobjects.c:989 [inline]
pc : debug_check_no_obj_freed+0x214/0x2b0 lib/debugobjects.c:1020
lr : debug_print_object lib/debugobjects.c:502 [inline]
lr : __debug_check_no_obj_freed lib/debugobjects.c:989 [inline]
lr : debug_check_no_obj_freed+0x214/0x2b0 lib/debugobjects.c:1020
sp : ffff800021bf3ad0
x29: ffff800021bf3af0 x28: ffff0001526a5000 x27: ffff0001526a5c00
x26: ffff0001503306e0 x25: ffff00014f2f06e0 x24: ffff80000bfff5b8
x23: ffff0001526a5a90 x22: ffff80000bfff5b8 x21: 0000000000000001
x20: dead000000000100 x19: ffff0001526a5a00 x18: 000000000000023f
x17: ffff80000bffd6bc x16: ffff80000db49158 x15: ffff0001129b8000
x14: 0000000000000000 x13: 00000000ffffffff x12: 0000000000040000
x11: 000000000003ffff x10: ffff800017e91000 x9 : ede74df8178f9200
x8 : ede74df8178f9200 x7 : ffff800008161d1c x6 : 0000000000000000
x5 : 0000000000000080 x4 : 0000000000000001 x3 : 0000000000000000
x2 : 0000000000000006 x1 : 0000000100000000 x0 : 0000000000000076
Call trace:
 debug_print_object lib/debugobjects.c:502 [inline]
 __debug_check_no_obj_freed lib/debugobjects.c:989 [inline]
 debug_check_no_obj_freed+0x214/0x2b0 lib/debugobjects.c:1020
 slab_free_hook mm/slub.c:1734 [inline]
 slab_free_freelist_hook mm/slub.c:1785 [inline]
 slab_free mm/slub.c:3539 [inline]
 kfree+0x14c/0x348 mm/slub.c:4567
 nilfs_mdt_destroy+0x2c/0x3c fs/nilfs2/mdt.c:498
 nilfs_free_inode+0x2c/0x54 fs/nilfs2/super.c:168
 i_callback fs/inode.c:249 [inline]
 alloc_inode+0xdc/0x104 fs/inode.c:274
 iget5_locked+0x5c/0xc8 fs/inode.c:1242
 nilfs_iget_locked fs/nilfs2/inode.c:588 [inline]
 nilfs_iget+0x64/0x33c fs/nilfs2/inode.c:597
 nilfs_lookup+0x78/0xa0 fs/nilfs2/namei.c:63
 __lookup_hash+0xa0/0x164 fs/namei.c:1601
 do_rmdir+0xf0/0x2a4 fs/namei.c:4147
 __do_sys_unlinkat fs/namei.c:4339 [inline]
 __se_sys_unlinkat fs/namei.c:4333 [inline]
 __arm64_sys_unlinkat+0x90/0xa8 fs/namei.c:4333
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall arch/arm64/kernel/syscall.c:52 [inline]
 el0_svc_common+0x138/0x220 arch/arm64/kernel/syscall.c:142
 do_el0_svc+0x48/0x164 arch/arm64/kernel/syscall.c:206
 el0_svc+0x58/0x150 arch/arm64/kernel/entry-common.c:636
 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:654
 el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:581
irq event stamp: 3018
hardirqs last  enabled at (3017): [<ffff800008161dac>] raw_spin_rq_unlock_irq kernel/sched/sched.h:1367 [inline]
hardirqs last  enabled at (3017): [<ffff800008161dac>] finish_lock_switch+0x94/0xe8 kernel/sched/core.c:4942
hardirqs last disabled at (3018): [<ffff80000bfb5fbc>] el1_dbg+0x24/0x5c arch/arm64/kernel/entry-common.c:404
softirqs last  enabled at (2962): [<ffff8000080102e4>] _stext+0x2e4/0x37c
softirqs last disabled at (2879): [<ffff800008017c14>] ____do_softirq+0x14/0x20 arch/arm64/kernel/irq.c:79
---[ end trace 0000000000000000 ]---
------------[ cut here ]------------
ODEBUG: assert_init not available (active state 0) object type: timer_list hint: __refcount_inc_not_zero include/linux/refcount.h:227 [inline]
ODEBUG: assert_init not available (active state 0) object type: timer_list hint: refcount_inc_not_zero include/linux/refcount.h:245 [inline]
ODEBUG: assert_init not available (active state 0) object type: timer_list hint: kref_get_unless_zero include/linux/kref.h:111 [inline]
ODEBUG: assert_init not available (active state 0) object type: timer_list hint: batadv_iv_send_outstanding_bat_ogm_packet+0x0/0x428 net/batman-adv/hard-interface.h:114
WARNING: CPU: 0 PID: 11637 at lib/debugobjects.c:505 debug_print_object lib/debugobjects.c:502 [inline]
WARNING: CPU: 0 PID: 11637 at lib/debugobjects.c:505 debug_object_assert_init+0x144/0x198 lib/debugobjects.c:892
Modules linked in:
CPU: 0 PID: 11637 Comm: syz-executor.2 Tainted: G        W          6.0.0-rc7-syzkaller-18095-gbbed346d5a96 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/30/2022
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : debug_print_object lib/debugobjects.c:502 [inline]
pc : debug_object_assert_init+0x144/0x198 lib/debugobjects.c:892
lr : debug_print_object lib/debugobjects.c:502 [inline]
lr : debug_object_assert_init+0x144/0x198 lib/debugobjects.c:892
sp : ffff800021bf39f0
x29: ffff800021bf39f0 x28: ffff0001526a5000 x27: ffff0001526a5c00
x26: ffff0001503306e0 x25: ffff00014f2f06e0 x24: ffff80000bfff5b8
x23: ffff80000ef87500 x22: ffff80000d30c000 x21: ffff80000f0a5000
x20: ffff80000bfff5b8 x19: ffff0001526a5a90 x18: 00000000000001b5
x17: 0000000000000000 x16: ffff80000db49158 x15: ffff0001129b8000
x14: 0000000000000000 x13: 00000000ffffffff x12: 0000000000040000
x11: 000000000003ffff x10: ffff800017e91000 x9 : ede74df8178f9200
x8 : ede74df8178f9200 x7 : ffff800008161d1c x6 : 0000000000000000
x5 : 0000000000000080 x4 : 0000000000000001 x3 : 0000000000000000
x2 : 0000000000000006 x1 : 0000000100000000 x0 : 0000000000000084
Call trace:
 debug_print_object lib/debugobjects.c:502 [inline]
 debug_object_assert_init+0x144/0x198 lib/debugobjects.c:892
 debug_timer_assert_init kernel/time/timer.c:792 [inline]
 debug_assert_init kernel/time/timer.c:837 [inline]
 try_to_del_timer_sync+0x34/0x1ac kernel/time/timer.c:1282
 del_timer_sync+0x134/0x1ac kernel/time/timer.c:1435
 timer_fixup_free+0x3c/0x6c kernel/time/timer.c:740
 debug_object_fixup lib/debugobjects.c:518 [inline]
 __debug_check_no_obj_freed lib/debugobjects.c:990 [inline]
 debug_check_no_obj_freed+0x23c/0x2b0 lib/debugobjects.c:1020
 slab_free_hook mm/slub.c:1734 [inline]
 slab_free_freelist_hook mm/slub.c:1785 [inline]
 slab_free mm/slub.c:3539 [inline]
 kfree+0x14c/0x348 mm/slub.c:4567
 nilfs_mdt_destroy+0x2c/0x3c fs/nilfs2/mdt.c:498
 nilfs_free_inode+0x2c/0x54 fs/nilfs2/super.c:168
 i_callback fs/inode.c:249 [inline]
 alloc_inode+0xdc/0x104 fs/inode.c:274
 iget5_locked+0x5c/0xc8 fs/inode.c:1242
 nilfs_iget_locked fs/nilfs2/inode.c:588 [inline]
 nilfs_iget+0x64/0x33c fs/nilfs2/inode.c:597
 nilfs_lookup+0x78/0xa0 fs/nilfs2/namei.c:63
 __lookup_hash+0xa0/0x164 fs/namei.c:1601
 do_rmdir+0xf0/0x2a4 fs/namei.c:4147
 __do_sys_unlinkat fs/namei.c:4339 [inline]
 __se_sys_unlinkat fs/namei.c:4333 [inline]
 __arm64_sys_unlinkat+0x90/0xa8 fs/namei.c:4333
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall arch/arm64/kernel/syscall.c:52 [inline]
 el0_svc_common+0x138/0x220 arch/arm64/kernel/syscall.c:142
 do_el0_svc+0x48/0x164 arch/arm64/kernel/syscall.c:206
 el0_svc+0x58/0x150 arch/arm64/kernel/entry-common.c:636
 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:654
 el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:581
irq event stamp: 3332
hardirqs last  enabled at (3331): [<ffff800008161dac>] raw_spin_rq_unlock_irq kernel/sched/sched.h:1367 [inline]
hardirqs last  enabled at (3331): [<ffff800008161dac>] finish_lock_switch+0x94/0xe8 kernel/sched/core.c:4942
hardirqs last disabled at (3332): [<ffff80000bfb5fbc>] el1_dbg+0x24/0x5c arch/arm64/kernel/entry-common.c:404
softirqs last  enabled at (3292): [<ffff8000080102e4>] _stext+0x2e4/0x37c
softirqs last disabled at (3021): [<ffff800008017c14>] ____do_softirq+0x14/0x20 arch/arm64/kernel/irq.c:79
---[ end trace 0000000000000000 ]---

Crashes (4):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2022/10/21 23:14 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci bbed346d5a96 4bfd3c27 .config console log report info [disk image] [vmlinux] ci-upstream-gce-arm64 WARNING: ODEBUG bug in nilfs_mdt_destroy
2022/10/18 04:13 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci bbed346d5a96 754863b4 .config console log report info [disk image] [vmlinux] ci-upstream-gce-arm64 WARNING: ODEBUG bug in nilfs_mdt_destroy
2022/10/16 14:08 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci bbed346d5a96 67cb024c .config console log report info [disk image] [vmlinux] ci-upstream-gce-arm64 WARNING: ODEBUG bug in nilfs_mdt_destroy
2022/10/12 23:46 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci bbed346d5a96 89b5a509 .config console log report info ci-upstream-gce-arm64 WARNING: ODEBUG bug in nilfs_mdt_destroy
* Struck through repros no longer work on HEAD.