syzbot


general protection fault in diFree (2)

Status: upstream: reported C repro on 2022/01/18 19:31
Reported-by: syzbot+e78b517fd809d2c5160d@syzkaller.appspotmail.com
First crash: 913d, last: 508d
Similar bugs (11)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.14 general protection fault in diFree 1 1268d 1268d 0/1 auto-closed as invalid on 2021/05/28 19:31
linux-4.19 KASAN: use-after-free Read in diFree jfs C error 21 538d 1376d 0/1 upstream: reported C repro on 2020/10/13 01:51
upstream KASAN: use-after-free Read in diFree jfs C inconclusive unreliable 110 202d 850d 0/27 auto-obsoleted due to no activity on 2024/03/22 04:27
linux-6.1 KASAN: use-after-free Read in diFree origin:lts-only C done 7 296d 456d 3/3 fixed on 2023/10/30 11:46
linux-4.19 BUG: unable to handle kernel paging request in diFree C done 18 1098d 1390d 1/1 fixed on 2021/08/17 00:59
linux-5.15 KASAN: use-after-free Read in diFree C error 5 397d 468d 0/3 auto-obsoleted due to no activity on 2023/10/07 20:25
upstream BUG: unable to handle kernel paging request in diFree jfs C done 13 1119d 1390d 20/27 fixed on 2021/11/10 00:50
linux-5.15 UBSAN: array-index-out-of-bounds in diFree origin:upstream C 4 2d13h 19d 0/3 upstream: reported C repro on 2024/06/30 08:16
linux-4.14 BUG: unable to handle kernel paging request in diFree C 5 516d 1395d 0/1 upstream: reported C repro on 2020/09/23 16:53
upstream UBSAN: array-index-out-of-bounds in diFree jfs C inconclusive 222 2d05h 87d 1/27 upstream: reported C repro on 2024/04/23 22:25
linux-4.14 KASAN: use-after-free Read in diFree jfs C error 3 516d 1389d 0/1 upstream: reported C repro on 2020/09/30 00:31
Fix bisection attempts (10)
Created Duration User Patch Repo Result
2023/02/27 16:56 4h16m bisect fix linux-4.14.y OK (0) job log log
2023/01/26 06:20 25m bisect fix linux-4.14.y OK (0) job log log
2022/11/17 12:20 20m bisect fix linux-4.14.y OK (0) job log log
2022/10/18 11:53 26m bisect fix linux-4.14.y OK (0) job log log
2022/09/14 22:51 22m bisect fix linux-4.14.y OK (0) job log log
2022/08/15 21:59 22m bisect fix linux-4.14.y OK (0) job log log
2022/07/16 21:36 22m bisect fix linux-4.14.y OK (0) job log log
2022/06/16 21:11 25m bisect fix linux-4.14.y OK (0) job log log
2022/05/17 20:34 25m bisect fix linux-4.14.y OK (0) job log log
2022/04/17 19:50 22m bisect fix linux-4.14.y OK (0) job log log

Sample crash report:
ERROR: (device loop0): xtSearch: XT_GETPAGE: xtree page corrupt
print_req_error: I/O error, dev loop0, sector 0
ERROR: (device loop0): xtSearch: XT_GETPAGE: xtree page corrupt
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 1 PID: 9575 Comm: syz-executor220 Not tainted 4.14.272-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff888092f28400 task.stack: ffff88808d978000
RIP: 0010:diFree+0x154/0x2830 fs/jfs/jfs_imap.c:892
RSP: 0018:ffff88808d97f9a0 EFLAGS: 00010247
RAX: dffffc0000000000 RBX: ffff8880aa0098c0 RCX: ffff88808bc90a74
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88808bc6caa8
RBP: 0000000000000000 R08: ffffffff8b9e39d0 R09: 0000000000000001
R10: 0000000000000000 R11: ffff888092f28400 R12: ffff88808bc90a68
R13: 0000000000000004 R14: ffffffff87b68060 R15: ffff88808bc90c20
FS:  0000555556335300(0000) GS:ffff8880ba500000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffc4ea2d000 CR3: 00000000b0533000 CR4: 00000000003406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 jfs_evict_inode+0x16f/0x1e0 fs/jfs/inode.c:165
 evict+0x2c8/0x700 fs/inode.c:555
 iput_final fs/inode.c:1524 [inline]
 iput+0x458/0x7e0 fs/inode.c:1551
 diFreeSpecial fs/jfs/jfs_imap.c:569 [inline]
 diFreeSpecial+0x63/0x80 fs/jfs/jfs_imap.c:561
 jfs_mount+0x20a/0x380 fs/jfs/jfs_mount.c:219
 jfs_fill_super+0x52a/0xab0 fs/jfs/super.c:589
 mount_bdev+0x2b3/0x360 fs/super.c:1134
 mount_fs+0x92/0x2a0 fs/super.c:1237
 vfs_kern_mount.part.0+0x5b/0x470 fs/namespace.c:1046
 vfs_kern_mount fs/namespace.c:1036 [inline]
 do_new_mount fs/namespace.c:2572 [inline]
 do_mount+0xe65/0x2a10 fs/namespace.c:2902
 SYSC_mount fs/namespace.c:3118 [inline]
 SyS_mount+0xa8/0x120 fs/namespace.c:3095
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x7f1bf64e1dba
RSP: 002b:00007ffc4ea2c3b8 EFLAGS: 00000282 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007ffc4ea2c420 RCX: 00007f1bf64e1dba
RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffc4ea2c3e0
RBP: 00007ffc4ea2c3e0 R08: 00007ffc4ea2c420 R09: 0000000000000002
R10: 0000000000000000 R11: 0000000000000282 R12: 0000000020000260
R13: 0000000000000003 R14: 0000000000000004 R15: 0000000000000004
Code: 48 8b 44 24 18 48 8b 68 80 48 8b 44 24 20 4c 8d 6d 04 48 c1 e8 0c 4c 89 ea 48 c1 ea 03 48 89 04 24 48 b8 00 00 00 00 00 fc ff df <0f> b6 14 02 4c 89 e8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 
RIP: diFree+0x154/0x2830 fs/jfs/jfs_imap.c:892 RSP: ffff88808d97f9a0
---[ end trace 46662daa114d9f36 ]---
----------------
Code disassembly (best guess):
   0:	48 8b 44 24 18       	mov    0x18(%rsp),%rax
   5:	48 8b 68 80          	mov    -0x80(%rax),%rbp
   9:	48 8b 44 24 20       	mov    0x20(%rsp),%rax
   e:	4c 8d 6d 04          	lea    0x4(%rbp),%r13
  12:	48 c1 e8 0c          	shr    $0xc,%rax
  16:	4c 89 ea             	mov    %r13,%rdx
  19:	48 c1 ea 03          	shr    $0x3,%rdx
  1d:	48 89 04 24          	mov    %rax,(%rsp)
  21:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  28:	fc ff df
* 2b:	0f b6 14 02          	movzbl (%rdx,%rax,1),%edx <-- trapping instruction
  2f:	4c 89 e8             	mov    %r13,%rax
  32:	83 e0 07             	and    $0x7,%eax
  35:	83 c0 03             	add    $0x3,%eax
  38:	38 d0                	cmp    %dl,%al
  3a:	7c 08                	jl     0x44
  3c:	84 d2                	test   %dl,%dl
  3e:	0f                   	.byte 0xf
  3f:	85                   	.byte 0x85

Crashes (2):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2022/03/18 19:50 linux-4.14.y eb045674aab3 e2d91b1d .config console log report syz C ci2-linux-4-14 general protection fault in diFree
2022/01/18 19:30 linux-4.14.y 4ba8e26127c3 731a2d23 .config console log report info ci2-linux-4-14 general protection fault in diFree
* Struck through repros no longer work on HEAD.