Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported
---|---|---|---|---|---|---
KASAN: use-after-free Read in nilfs_mdt_destroy (nilfs) | C | error | | 20 | 754d | 770d
syzbot
Title | Replies (including bot) | Last reply |
---|---|---|
[syzbot] WARNING: ODEBUG bug in nilfs_mdt_destroy | 1 (2) | 2022/10/13 09:28 |
Sample crash report:

```
WARNING: CPU: 1 PID: 11637 at lib/debugobjects.c:505 debug_print_object lib/debugobjects.c:502 [inline]
WARNING: CPU: 1 PID: 11637 at lib/debugobjects.c:505 __debug_check_no_obj_freed lib/debugobjects.c:989 [inline]
WARNING: CPU: 1 PID: 11637 at lib/debugobjects.c:505 debug_check_no_obj_freed+0x214/0x2b0 lib/debugobjects.c:1020
Modules linked in:
CPU: 1 PID: 11637 Comm: syz-executor.2 Not tainted 6.0.0-rc7-syzkaller-18095-gbbed346d5a96 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/30/2022
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : debug_print_object lib/debugobjects.c:502 [inline]
pc : __debug_check_no_obj_freed lib/debugobjects.c:989 [inline]
pc : debug_check_no_obj_freed+0x214/0x2b0 lib/debugobjects.c:1020
lr : debug_print_object lib/debugobjects.c:502 [inline]
lr : __debug_check_no_obj_freed lib/debugobjects.c:989 [inline]
lr : debug_check_no_obj_freed+0x214/0x2b0 lib/debugobjects.c:1020
sp : ffff800021bf3ad0
x29: ffff800021bf3af0 x28: ffff0001526a4000 x27: ffff0001526a5090
x26: ffff000118d0f780 x25: ffff00011c294410 x24: ffff80000bfff5b8
x23: ffff0001526a4e90 x22: ffff80000bfff5b8 x21: 0000000000000002
x20: dead000000000100 x19: ffff0001526a4e90 x18: 00000000000000e2
x17: ffff80000bffd6bc x16: ffff80000db49158 x15: ffff0001129b8000
x14: 0000000000000000 x13: 00000000ffffffff x12: 0000000000040000
x11: 00000000000032e7 x10: ffff800017e91000 x9 : ede74df8178f9200
x8 : ede74df8178f9200 x7 : ffff800008161d1c x6 : 0000000000000000
x5 : 0000000000000080 x4 : 0000000000000001 x3 : 0000000000000000
x2 : 0000000000000006 x1 : 0000000100000000 x0 : 0000000000000076
Call trace:
 debug_print_object lib/debugobjects.c:502 [inline]
 __debug_check_no_obj_freed lib/debugobjects.c:989 [inline]
 debug_check_no_obj_freed+0x214/0x2b0 lib/debugobjects.c:1020
 slab_free_hook mm/slub.c:1734 [inline]
 slab_free_freelist_hook mm/slub.c:1785 [inline]
 slab_free mm/slub.c:3539 [inline]
 kfree+0x14c/0x348 mm/slub.c:4567
 nilfs_mdt_destroy+0x24/0x3c fs/nilfs2/mdt.c:497
 nilfs_free_inode+0x2c/0x54 fs/nilfs2/super.c:168
 i_callback fs/inode.c:249 [inline]
 alloc_inode+0xdc/0x104 fs/inode.c:274
 iget5_locked+0x5c/0xc8 fs/inode.c:1242
 nilfs_iget_locked fs/nilfs2/inode.c:588 [inline]
 nilfs_iget+0x64/0x33c fs/nilfs2/inode.c:597
 nilfs_lookup+0x78/0xa0 fs/nilfs2/namei.c:63
 __lookup_hash+0xa0/0x164 fs/namei.c:1601
 do_rmdir+0xf0/0x2a4 fs/namei.c:4147
 __do_sys_unlinkat fs/namei.c:4339 [inline]
 __se_sys_unlinkat fs/namei.c:4333 [inline]
 __arm64_sys_unlinkat+0x90/0xa8 fs/namei.c:4333
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall arch/arm64/kernel/syscall.c:52 [inline]
 el0_svc_common+0x138/0x220 arch/arm64/kernel/syscall.c:142
 do_el0_svc+0x48/0x164 arch/arm64/kernel/syscall.c:206
 el0_svc+0x58/0x150 arch/arm64/kernel/entry-common.c:636
 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:654
 el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:581
irq event stamp: 2876
hardirqs last enabled at (2875): [<ffff800008161dac>] raw_spin_rq_unlock_irq kernel/sched/sched.h:1367 [inline]
hardirqs last enabled at (2875): [<ffff800008161dac>] finish_lock_switch+0x94/0xe8 kernel/sched/core.c:4942
hardirqs last disabled at (2876): [<ffff80000bfb5fbc>] el1_dbg+0x24/0x5c arch/arm64/kernel/entry-common.c:404
softirqs last enabled at (2854): [<ffff8000080102e4>] _stext+0x2e4/0x37c
softirqs last disabled at (2765): [<ffff800008017c14>] ____do_softirq+0x14/0x20 arch/arm64/kernel/irq.c:79
---[ end trace 0000000000000000 ]---
------------[ cut here ]------------
ODEBUG: free active (active state 0) object type: timer_list hint: __refcount_inc_not_zero include/linux/refcount.h:227 [inline]
ODEBUG: free active (active state 0) object type: timer_list hint: refcount_inc_not_zero include/linux/refcount.h:245 [inline]
ODEBUG: free active (active state 0) object type: timer_list hint: kref_get_unless_zero include/linux/kref.h:111 [inline]
ODEBUG: free active (active state 0) object type: timer_list hint: batadv_iv_send_outstanding_bat_ogm_packet+0x0/0x428 net/batman-adv/hard-interface.h:114
WARNING: CPU: 0 PID: 11637 at lib/debugobjects.c:505 debug_print_object lib/debugobjects.c:502 [inline]
WARNING: CPU: 0 PID: 11637 at lib/debugobjects.c:505 __debug_check_no_obj_freed lib/debugobjects.c:989 [inline]
WARNING: CPU: 0 PID: 11637 at lib/debugobjects.c:505 debug_check_no_obj_freed+0x214/0x2b0 lib/debugobjects.c:1020
Modules linked in:
CPU: 0 PID: 11637 Comm: syz-executor.2 Tainted: G        W          6.0.0-rc7-syzkaller-18095-gbbed346d5a96 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/30/2022
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : debug_print_object lib/debugobjects.c:502 [inline]
pc : __debug_check_no_obj_freed lib/debugobjects.c:989 [inline]
pc : debug_check_no_obj_freed+0x214/0x2b0 lib/debugobjects.c:1020
lr : debug_print_object lib/debugobjects.c:502 [inline]
lr : __debug_check_no_obj_freed lib/debugobjects.c:989 [inline]
lr : debug_check_no_obj_freed+0x214/0x2b0 lib/debugobjects.c:1020
sp : ffff800021bf3ad0
x29: ffff800021bf3af0 x28: ffff0001526a5000 x27: ffff0001526a5c00
x26: ffff0001503306e0 x25: ffff00014f2f06e0 x24: ffff80000bfff5b8
x23: ffff0001526a5a90 x22: ffff80000bfff5b8 x21: 0000000000000001
x20: dead000000000100 x19: ffff0001526a5a00 x18: 000000000000023f
x17: ffff80000bffd6bc x16: ffff80000db49158 x15: ffff0001129b8000
x14: 0000000000000000 x13: 00000000ffffffff x12: 0000000000040000
x11: 000000000003ffff x10: ffff800017e91000 x9 : ede74df8178f9200
x8 : ede74df8178f9200 x7 : ffff800008161d1c x6 : 0000000000000000
x5 : 0000000000000080 x4 : 0000000000000001 x3 : 0000000000000000
x2 : 0000000000000006 x1 : 0000000100000000 x0 : 0000000000000076
Call trace:
 debug_print_object lib/debugobjects.c:502 [inline]
 __debug_check_no_obj_freed lib/debugobjects.c:989 [inline]
 debug_check_no_obj_freed+0x214/0x2b0 lib/debugobjects.c:1020
 slab_free_hook mm/slub.c:1734 [inline]
 slab_free_freelist_hook mm/slub.c:1785 [inline]
 slab_free mm/slub.c:3539 [inline]
 kfree+0x14c/0x348 mm/slub.c:4567
 nilfs_mdt_destroy+0x2c/0x3c fs/nilfs2/mdt.c:498
 nilfs_free_inode+0x2c/0x54 fs/nilfs2/super.c:168
 i_callback fs/inode.c:249 [inline]
 alloc_inode+0xdc/0x104 fs/inode.c:274
 iget5_locked+0x5c/0xc8 fs/inode.c:1242
 nilfs_iget_locked fs/nilfs2/inode.c:588 [inline]
 nilfs_iget+0x64/0x33c fs/nilfs2/inode.c:597
 nilfs_lookup+0x78/0xa0 fs/nilfs2/namei.c:63
 __lookup_hash+0xa0/0x164 fs/namei.c:1601
 do_rmdir+0xf0/0x2a4 fs/namei.c:4147
 __do_sys_unlinkat fs/namei.c:4339 [inline]
 __se_sys_unlinkat fs/namei.c:4333 [inline]
 __arm64_sys_unlinkat+0x90/0xa8 fs/namei.c:4333
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall arch/arm64/kernel/syscall.c:52 [inline]
 el0_svc_common+0x138/0x220 arch/arm64/kernel/syscall.c:142
 do_el0_svc+0x48/0x164 arch/arm64/kernel/syscall.c:206
 el0_svc+0x58/0x150 arch/arm64/kernel/entry-common.c:636
 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:654
 el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:581
irq event stamp: 3018
hardirqs last enabled at (3017): [<ffff800008161dac>] raw_spin_rq_unlock_irq kernel/sched/sched.h:1367 [inline]
hardirqs last enabled at (3017): [<ffff800008161dac>] finish_lock_switch+0x94/0xe8 kernel/sched/core.c:4942
hardirqs last disabled at (3018): [<ffff80000bfb5fbc>] el1_dbg+0x24/0x5c arch/arm64/kernel/entry-common.c:404
softirqs last enabled at (2962): [<ffff8000080102e4>] _stext+0x2e4/0x37c
softirqs last disabled at (2879): [<ffff800008017c14>] ____do_softirq+0x14/0x20 arch/arm64/kernel/irq.c:79
---[ end trace 0000000000000000 ]---
------------[ cut here ]------------
ODEBUG: assert_init not available (active state 0) object type: timer_list hint: __refcount_inc_not_zero include/linux/refcount.h:227 [inline]
ODEBUG: assert_init not available (active state 0) object type: timer_list hint: refcount_inc_not_zero include/linux/refcount.h:245 [inline]
ODEBUG: assert_init not available (active state 0) object type: timer_list hint: kref_get_unless_zero include/linux/kref.h:111 [inline]
ODEBUG: assert_init not available (active state 0) object type: timer_list hint: batadv_iv_send_outstanding_bat_ogm_packet+0x0/0x428 net/batman-adv/hard-interface.h:114
WARNING: CPU: 0 PID: 11637 at lib/debugobjects.c:505 debug_print_object lib/debugobjects.c:502 [inline]
WARNING: CPU: 0 PID: 11637 at lib/debugobjects.c:505 debug_object_assert_init+0x144/0x198 lib/debugobjects.c:892
Modules linked in:
CPU: 0 PID: 11637 Comm: syz-executor.2 Tainted: G        W          6.0.0-rc7-syzkaller-18095-gbbed346d5a96 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/30/2022
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : debug_print_object lib/debugobjects.c:502 [inline]
pc : debug_object_assert_init+0x144/0x198 lib/debugobjects.c:892
lr : debug_print_object lib/debugobjects.c:502 [inline]
lr : debug_object_assert_init+0x144/0x198 lib/debugobjects.c:892
sp : ffff800021bf39f0
x29: ffff800021bf39f0 x28: ffff0001526a5000 x27: ffff0001526a5c00
x26: ffff0001503306e0 x25: ffff00014f2f06e0 x24: ffff80000bfff5b8
x23: ffff80000ef87500 x22: ffff80000d30c000 x21: ffff80000f0a5000
x20: ffff80000bfff5b8 x19: ffff0001526a5a90 x18: 00000000000001b5
x17: 0000000000000000 x16: ffff80000db49158 x15: ffff0001129b8000
x14: 0000000000000000 x13: 00000000ffffffff x12: 0000000000040000
x11: 000000000003ffff x10: ffff800017e91000 x9 : ede74df8178f9200
x8 : ede74df8178f9200 x7 : ffff800008161d1c x6 : 0000000000000000
x5 : 0000000000000080 x4 : 0000000000000001 x3 : 0000000000000000
x2 : 0000000000000006 x1 : 0000000100000000 x0 : 0000000000000084
Call trace:
 debug_print_object lib/debugobjects.c:502 [inline]
 debug_object_assert_init+0x144/0x198 lib/debugobjects.c:892
 debug_timer_assert_init kernel/time/timer.c:792 [inline]
 debug_assert_init kernel/time/timer.c:837 [inline]
 try_to_del_timer_sync+0x34/0x1ac kernel/time/timer.c:1282
 del_timer_sync+0x134/0x1ac kernel/time/timer.c:1435
 timer_fixup_free+0x3c/0x6c kernel/time/timer.c:740
 debug_object_fixup lib/debugobjects.c:518 [inline]
 __debug_check_no_obj_freed lib/debugobjects.c:990 [inline]
 debug_check_no_obj_freed+0x23c/0x2b0 lib/debugobjects.c:1020
 slab_free_hook mm/slub.c:1734 [inline]
 slab_free_freelist_hook mm/slub.c:1785 [inline]
 slab_free mm/slub.c:3539 [inline]
 kfree+0x14c/0x348 mm/slub.c:4567
 nilfs_mdt_destroy+0x2c/0x3c fs/nilfs2/mdt.c:498
 nilfs_free_inode+0x2c/0x54 fs/nilfs2/super.c:168
 i_callback fs/inode.c:249 [inline]
 alloc_inode+0xdc/0x104 fs/inode.c:274
 iget5_locked+0x5c/0xc8 fs/inode.c:1242
 nilfs_iget_locked fs/nilfs2/inode.c:588 [inline]
 nilfs_iget+0x64/0x33c fs/nilfs2/inode.c:597
 nilfs_lookup+0x78/0xa0 fs/nilfs2/namei.c:63
 __lookup_hash+0xa0/0x164 fs/namei.c:1601
 do_rmdir+0xf0/0x2a4 fs/namei.c:4147
 __do_sys_unlinkat fs/namei.c:4339 [inline]
 __se_sys_unlinkat fs/namei.c:4333 [inline]
 __arm64_sys_unlinkat+0x90/0xa8 fs/namei.c:4333
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall arch/arm64/kernel/syscall.c:52 [inline]
 el0_svc_common+0x138/0x220 arch/arm64/kernel/syscall.c:142
 do_el0_svc+0x48/0x164 arch/arm64/kernel/syscall.c:206
 el0_svc+0x58/0x150 arch/arm64/kernel/entry-common.c:636
 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:654
 el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:581
irq event stamp: 3332
hardirqs last enabled at (3331): [<ffff800008161dac>] raw_spin_rq_unlock_irq kernel/sched/sched.h:1367 [inline]
hardirqs last enabled at (3331): [<ffff800008161dac>] finish_lock_switch+0x94/0xe8 kernel/sched/core.c:4942
hardirqs last disabled at (3332): [<ffff80000bfb5fbc>] el1_dbg+0x24/0x5c arch/arm64/kernel/entry-common.c:404
softirqs last enabled at (3292): [<ffff8000080102e4>] _stext+0x2e4/0x37c
softirqs last disabled at (3021): [<ffff800008017c14>] ____do_softirq+0x14/0x20 arch/arm64/kernel/irq.c:79
---[ end trace 0000000000000000 ]---
```
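Reading the report: the three warnings are one event. kfree() called from nilfs_mdt_destroy() ran debug_check_no_obj_freed(), which found a timer_list that was still active inside the memory being freed and printed its hint, the timer callback batadv_iv_send_outstanding_bat_ogm_packet (a batman-adv function); the fixup path timer_fixup_free() -> del_timer_sync() then tripped assert_init on the same object. nilfs2's metadata-file private data contains no timer, so the memory under that pointer had already been freed and reallocated to batman-adv, and the free from nilfs_mdt_destroy() is a second free through a stale pointer; that is consistent with the KASAN use-after-free report on the same function listed above. The trace also shows how the stale pointer was reached: alloc_inode() only calls i_callback() when inode_init_always() fails, so nilfs_free_inode() ran on an inode that was never fully initialised and still found a non-NULL private pointer in the recycled slab object. The following is an added userspace model of the debugobjects check, not code from syzbot or the kernel: a toy LIFO slab plus a tracking table, with kfree(), timer_setup() and debug_check_no_obj_freed() re-implemented in miniature (all names and sizes here are illustrative assumptions).

```c
/* Added example, not syzbot's or the kernel's code: a userspace model of the
 * debugobjects check behind this report. kfree() asks debug_check_no_obj_freed()
 * whether a tracked timer_list inside the freed range is still ACTIVE; if so it
 * prints "ODEBUG: free active ... hint: <callback>" and runs the fixup. A toy
 * LIFO slab shows why the hint names batman-adv although nilfs does the free. */
#include <stdio.h>
#include <stddef.h>
#include <string.h>

#define SLAB_OBJ_SIZE 64
#define SLAB_NSLOTS   4
#define MAX_TRACKED   16
#define BATADV_HINT   "batadv_iv_send_outstanding_bat_ogm_packet"

enum obj_state { ODEBUG_STATE_INIT, ODEBUG_STATE_ACTIVE };
struct timer_list { void (*function)(struct timer_list *); };
struct debug_obj { void *addr; enum obj_state state; const char *hint; };

static struct debug_obj tracked[MAX_TRACKED]; static int ntracked;
static const char *last_odebug_hint;   /* hint from the last "free active" finding */

/* Toy slab: fixed slots, LIFO freelist, nothing zeroed on free, so the most
 * recently freed slot goes straight to the next allocation (assumed behaviour). */
static unsigned char slab[SLAB_NSLOTS][SLAB_OBJ_SIZE];
static int freelist[SLAB_NSLOTS], nfree;

static void slab_reset(void)
{
    ntracked = 0;
    last_odebug_hint = NULL;
    for (nfree = 0; nfree < SLAB_NSLOTS; nfree++)
        freelist[nfree] = SLAB_NSLOTS - 1 - nfree;
}

static void *slab_alloc(void) { return nfree ? slab[freelist[--nfree]] : NULL; }

static void set_state(void *addr, enum obj_state st)   /* add_timer()/del_timer() */
{
    for (int i = 0; i < ntracked; i++)
        if (tracked[i].addr == addr) tracked[i].state = st;
}

/* timer_setup() analogue: start tracking the object in INIT with its hint. */
static void timer_setup(struct timer_list *t, void (*fn)(struct timer_list *), const char *hint)
{
    t->function = fn;
    if (ntracked < MAX_TRACKED)
        tracked[ntracked++] = (struct debug_obj){ t, ODEBUG_STATE_INIT, hint };
}

/* Model of debug_check_no_obj_freed(): objects inside [addr, addr+size) stop being
 * tracked; an ACTIVE one is reported and fixed up (timer_fixup_free -> del_timer). */
static int debug_check_no_obj_freed(const void *addr, size_t size)
{
    const unsigned char *lo = addr, *hi = lo + size;
    int active = 0;
    for (int i = 0; i < ntracked; ) {
        const unsigned char *p = tracked[i].addr;
        if (p < lo || p >= hi) { i++; continue; }
        if (tracked[i].state == ODEBUG_STATE_ACTIVE) {
            fprintf(stderr, "ODEBUG: free active object type: timer_list hint: %s\n", tracked[i].hint);
            last_odebug_hint = tracked[i].hint;
            set_state(tracked[i].addr, ODEBUG_STATE_INIT);   /* timer_fixup_free() */
            active++;
        }
        tracked[i] = tracked[--ntracked];   /* drop the entry, re-examine slot i */
    }
    return active;
}

static int kfree(void *p)   /* returns the number of ODEBUG findings for this free */
{
    int warnings = debug_check_no_obj_freed(p, SLAB_OBJ_SIZE);
    if (nfree < SLAB_NSLOTS)   /* no ownership check, exactly like the real kfree() */
        freelist[nfree++] = (int)(((unsigned char *)p - &slab[0][0]) / SLAB_OBJ_SIZE);
    return warnings;
}

static void batadv_ogm_cb(struct timer_list *t) { (void)t; }

/* The sequence the report implies: nilfs frees its metadata-file private data,
 * batman-adv gets the same slot and arms a timer in it, then a stale copy of the
 * nilfs pointer is freed again. Returns the ODEBUG count of that second free,
 * -1 if the toy slab did not reuse the slot, -2 if the first free already warned. */
static int stale_pointer_scenario(const char **hint_out)
{
    slab_reset();
    void *mdt = slab_alloc();                 /* nilfs_mdt_info-like object */
    if (kfree(mdt) != 0) return -2;           /* first, legitimate free: clean */
    struct timer_list *t = slab_alloc();      /* batman-adv reuses the slot */
    if ((void *)t != mdt) return -1;
    timer_setup(t, batadv_ogm_cb, BATADV_HINT);
    set_state(t, ODEBUG_STATE_ACTIVE);        /* add_timer(): ACTIVE timer lives there */
    int warnings = kfree(mdt);                /* stale pointer: the reported free */
    if (hint_out) *hint_out = last_odebug_hint;
    return warnings;
}

int main(void)
{
    const char *hint = NULL;
    int n = stale_pointer_scenario(&hint);
    printf("stale free: %d ODEBUG finding(s), hint=%s\n", n, hint ? hint : "(none)");
    return 0;
}
```

The point the model makes is the one a triager should take from the hint line: debugobjects does not know who called kfree(), it only knows which tracked object lives at the freed address, so a hint from an unrelated subsystem means the freeing code no longer owns that memory. The same helpers also show the clean lifecycle: set the timer back to INIT (del_timer) before kfree() and the check returns 0.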
Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title
---|---|---|---|---|---|---|---|---|---|---|---|---
2022/10/21 23:14 | git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci | bbed346d5a96 | 4bfd3c27 | .config | console log | report | | | info | [disk image] [vmlinux] | ci-upstream-gce-arm64 | WARNING: ODEBUG bug in nilfs_mdt_destroy
2022/10/18 04:13 | git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci | bbed346d5a96 | 754863b4 | .config | console log | report | | | info | [disk image] [vmlinux] | ci-upstream-gce-arm64 | WARNING: ODEBUG bug in nilfs_mdt_destroy
2022/10/16 14:08 | git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci | bbed346d5a96 | 67cb024c | .config | console log | report | | | info | [disk image] [vmlinux] | ci-upstream-gce-arm64 | WARNING: ODEBUG bug in nilfs_mdt_destroy
2022/10/12 23:46 | git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci | bbed346d5a96 | 89b5a509 | .config | console log | report | | | info | | ci-upstream-gce-arm64 | WARNING: ODEBUG bug in nilfs_mdt_destroy