syzbot


general protection fault in jfs_flush_journal

Status: upstream: reported C repro on 2022/10/02 18:56
Reported-by: syzbot+194bfe3476f96782c0b6@syzkaller.appspotmail.com
First crash: 64d, last: 1d08h

Cause bisection: the issue happens on the oldest tested release (bisect log)
Crash: general protection fault in write_special_inodes (log)
Repro: C syz .config

Sample crash report:
general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
CPU: 1 PID: 3614 Comm: syz-executor157 Not tainted 6.1.0-rc1-syzkaller-00249-g4da34b7d175d #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022
RIP: 0010:write_special_inodes fs/jfs/jfs_logmgr.c:208 [inline]
RIP: 0010:jfs_flush_journal+0x7e7/0xec0 fs/jfs/jfs_logmgr.c:1573
Code: ae fe 49 8d 5f f0 48 89 d8 48 c1 e8 03 42 80 3c 28 00 74 08 48 89 df e8 17 b0 d6 fe 48 8b 1b 48 83 c3 30 48 89 d8 48 c1 e8 03 <42> 80 3c 28 00 74 08 48 89 df e8 fa af d6 fe 48 8b 3b e8 b2 99 ae
RSP: 0018:ffffc90003d8f9e0 EFLAGS: 00010206
RAX: 0000000000000006 RBX: 0000000000000030 RCX: 9ca259ca3e16ec00
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90003d8fb10 R08: ffffffff81b3a473 R09: ffffc90003d8f930
R10: fffff520007b1f29 R11: 1ffff920007b1f26 R12: 1ffff920007b1f48
R13: dffffc0000000000 R14: ffff888027247000 R15: ffff888012f7b438
FS:  0000555556ca4300(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fb9f4534840 CR3: 00000000734d5000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 jfs_umount+0xf3/0x370 fs/jfs/jfs_umount.c:58
 jfs_fill_super+0x911/0xc50 fs/jfs/super.c:600
 mount_bdev+0x26c/0x3a0 fs/super.c:1400
 legacy_get_tree+0xea/0x180 fs/fs_context.c:610
 vfs_get_tree+0x88/0x270 fs/super.c:1530
 do_new_mount+0x289/0xad0 fs/namespace.c:3040
 do_mount fs/namespace.c:3383 [inline]
 __do_sys_mount fs/namespace.c:3591 [inline]
 __se_sys_mount+0x2d3/0x3c0 fs/namespace.c:3568
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fb9f45062aa
Code: 48 c7 c2 c0 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 a8 00 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffd601d06f8 EFLAGS: 00000282 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fb9f45062aa
RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffd601d0710
RBP: 00007ffd601d0710 R08: 00007ffd601d0750 R09: 0000000000000002
R10: 0000000000000000 R11: 0000000000000282 R12: 0000000000000004
R13: 00007ffd601d0750 R14: 000000000000035a R15: 0000000020005270
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:write_special_inodes fs/jfs/jfs_logmgr.c:208 [inline]
RIP: 0010:jfs_flush_journal+0x7e7/0xec0 fs/jfs/jfs_logmgr.c:1573
Code: ae fe 49 8d 5f f0 48 89 d8 48 c1 e8 03 42 80 3c 28 00 74 08 48 89 df e8 17 b0 d6 fe 48 8b 1b 48 83 c3 30 48 89 d8 48 c1 e8 03 <42> 80 3c 28 00 74 08 48 89 df e8 fa af d6 fe 48 8b 3b e8 b2 99 ae
RSP: 0018:ffffc90003d8f9e0 EFLAGS: 00010206
RAX: 0000000000000006 RBX: 0000000000000030 RCX: 9ca259ca3e16ec00
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90003d8fb10 R08: ffffffff81b3a473 R09: ffffc90003d8f930
R10: fffff520007b1f29 R11: 1ffff920007b1f26 R12: 1ffff920007b1f48
R13: dffffc0000000000 R14: ffff888027247000 R15: ffff888012f7b438
FS:  0000555556ca4300(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fb9f4534840 CR3: 00000000734d5000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	ae                   	scas   %es:(%rdi),%al
   1:	fe 49 8d             	decb   -0x73(%rcx)
   4:	5f                   	pop    %rdi
   5:	f0 48 89 d8          	lock mov %rbx,%rax
   9:	48 c1 e8 03          	shr    $0x3,%rax
   d:	42 80 3c 28 00       	cmpb   $0x0,(%rax,%r13,1)
  12:	74 08                	je     0x1c
  14:	48 89 df             	mov    %rbx,%rdi
  17:	e8 17 b0 d6 fe       	callq  0xfed6b033
  1c:	48 8b 1b             	mov    (%rbx),%rbx
  1f:	48 83 c3 30          	add    $0x30,%rbx
  23:	48 89 d8             	mov    %rbx,%rax
  26:	48 c1 e8 03          	shr    $0x3,%rax
* 2a:	42 80 3c 28 00       	cmpb   $0x0,(%rax,%r13,1) <-- trapping instruction
  2f:	74 08                	je     0x39
  31:	48 89 df             	mov    %rbx,%rdi
  34:	e8 fa af d6 fe       	callq  0xfed6b033
  39:	48 8b 3b             	mov    (%rbx),%rdi
  3c:	e8                   	.byte 0xe8
  3d:	b2 99                	mov    $0x99,%dl
  3f:	ae                   	scas   %es:(%rdi),%al

Crashes (43):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci2-upstream-fs 2022/10/23 10:01 upstream 4da34b7d175d c0b80a55 .config log report syz C general protection fault in jfs_flush_journal
ci2-upstream-fs 2022/10/03 13:22 upstream a962b54e162c feb56351 .config log report syz C general protection fault in jfs_flush_journal
ci2-upstream-fs 2022/10/02 16:35 upstream b357fd1c2afc feb56351 .config log report syz C general protection fault in jfs_flush_journal
ci-upstream-kasan-gce-smack-root 2022/10/02 15:53 upstream b357fd1c2afc feb56351 .config log report syz C general protection fault in jfs_flush_journal
ci-upstream-gce-arm64 2022/10/23 08:39 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci bbed346d5a96 c0b80a55 .config log report syz C BUG: unable to handle kernel NULL pointer dereference in jfs_flush_journal
ci-upstream-gce-arm64 2022/10/02 23:53 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci bbed346d5a96 feb56351 .config log report syz C BUG: unable to handle kernel NULL pointer dereference in jfs_flush_journal
ci-upstream-gce-arm64 2022/10/02 22:40 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci bbed346d5a96 feb56351 .config log report syz C BUG: unable to handle kernel NULL pointer dereference in jfs_flush_journal
ci-upstream-kasan-gce-smack-root 2022/12/04 08:20 upstream 97ee9d1c1696 e080de16 .config log report info general protection fault in jfs_flush_journal
ci2-upstream-fs 2022/12/04 00:42 upstream 97ee9d1c1696 e080de16 .config log report info general protection fault in jfs_flush_journal
ci2-upstream-fs 2022/12/01 18:18 upstream ef4d3ea40565 e080de16 .config log report info general protection fault in jfs_flush_journal
ci2-upstream-fs 2022/11/29 23:45 upstream ca57f02295f1 579a3740 .config log report info general protection fault in jfs_flush_journal
ci2-upstream-fs 2022/11/29 00:46 upstream b7b275e60bcd ca9683b8 .config log report info general protection fault in jfs_flush_journal
ci-upstream-kasan-gce-smack-root 2022/11/28 05:59 upstream bf82d38c91f8 74a66371 .config log report info general protection fault in jfs_flush_journal
ci2-upstream-fs 2022/11/21 22:08 upstream eb7081409f94 1c576c23 .config log report info general protection fault in jfs_flush_journal
ci2-upstream-fs 2022/11/20 03:48 upstream fe24a97cf254 5bb70014 .config log report info general protection fault in jfs_flush_journal
ci2-upstream-fs 2022/11/18 02:32 upstream 81ac25651a62 4ba8ab94 .config log report info general protection fault in jfs_flush_journal
ci2-upstream-fs 2022/11/16 08:33 upstream 81e7cfa3a9eb 3a127a31 .config log report info general protection fault in jfs_flush_journal
ci2-upstream-fs 2022/11/14 01:54 upstream af7a05689189 7ba4d859 .config log report info general protection fault in jfs_flush_journal
ci2-upstream-fs 2022/11/12 07:05 upstream eb037f16f7e8 f42ee5d8 .config log report info general protection fault in jfs_flush_journal
ci2-upstream-fs 2022/11/11 08:45 upstream 4bbf3422df78 f42ee5d8 .config log report info general protection fault in jfs_flush_journal
ci2-upstream-fs 2022/11/08 04:53 upstream 59f2f4b8a757 6feb842b .config log report info general protection fault in jfs_flush_journal
ci2-upstream-fs 2022/11/07 01:38 upstream 089d1c31224e 6d752409 .config log report info general protection fault in jfs_flush_journal
ci2-upstream-fs 2022/11/06 00:01 upstream b208b9fbbcba 6d752409 .config log report info general protection fault in jfs_flush_journal
ci2-upstream-fs 2022/11/05 00:50 upstream ee6050c8af96 6d752409 .config log report info general protection fault in jfs_flush_journal
ci2-upstream-fs 2022/11/04 13:48 upstream ee6050c8af96 6d752409 .config log report info general protection fault in jfs_flush_journal
ci-upstream-kasan-gce-smack-root 2022/10/28 01:42 upstream b229b6ca5abb 86777b7f .config log report info general protection fault in jfs_flush_journal
ci2-upstream-fs 2022/10/13 09:04 upstream 493ffd6605b2 3f6b40a1 .config log report info general protection fault in jfs_flush_journal
ci2-upstream-fs 2022/10/11 04:23 upstream 493ffd6605b2 5bcf0c31 .config log report info general protection fault in jfs_flush_journal
ci-upstream-kasan-gce-smack-root 2022/10/11 00:00 upstream 4899a36f91a9 aea5da89 .config log report info general protection fault in jfs_flush_journal
ci2-upstream-fs 2022/10/09 02:30 upstream a6afa4199d3d aea5da89 .config log report info general protection fault in jfs_flush_journal
ci2-upstream-fs 2022/10/04 22:38 upstream 4fe89d07dcc2 eab8f949 .config log report info general protection fault in jfs_flush_journal
ci2-upstream-fs 2022/10/03 22:47 upstream 4fe89d07dcc2 feb56351 .config log report info general protection fault in jfs_flush_journal
ci2-upstream-fs 2022/10/02 15:50 upstream b357fd1c2afc feb56351 .config log report info general protection fault in jfs_flush_journal
ci-upstream-kasan-gce-smack-root 2022/10/02 15:19 upstream b357fd1c2afc feb56351 .config log report info general protection fault in jfs_flush_journal
ci-upstream-gce-arm64 2022/11/16 08:20 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 9500fc6e9e60 3a127a31 .config log report info BUG: unable to handle kernel NULL pointer dereference in jfs_flush_journal
ci-upstream-gce-arm64 2022/11/15 23:00 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 9e4ce762f0e7 97de9cfc .config log report info BUG: unable to handle kernel NULL pointer dereference in jfs_flush_journal
ci-upstream-gce-arm64 2022/10/28 16:17 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci bbed346d5a96 ea12ae9b .config log report info BUG: unable to handle kernel NULL pointer dereference in jfs_flush_journal
ci-upstream-gce-arm64 2022/10/26 13:09 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci bbed346d5a96 2159e4d2 .config log report info BUG: unable to handle kernel NULL pointer dereference in jfs_flush_journal
ci-upstream-gce-arm64 2022/10/25 09:20 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci bbed346d5a96 45645420 .config log report info BUG: unable to handle kernel NULL pointer dereference in jfs_flush_journal
ci-upstream-gce-arm64 2022/10/25 00:23 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci bbed346d5a96 ff2fe65d .config log report info BUG: unable to handle kernel NULL pointer dereference in jfs_flush_journal
ci-upstream-gce-arm64 2022/10/11 14:04 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci bbed346d5a96 1353c374 .config log report info BUG: unable to handle kernel NULL pointer dereference in jfs_flush_journal
ci-upstream-gce-arm64 2022/10/05 19:13 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci bbed346d5a96 267e3bb1 .config log report info BUG: unable to handle kernel NULL pointer dereference in jfs_flush_journal
ci-upstream-gce-arm64 2022/10/04 22:20 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci bbed346d5a96 eab8f949 .config log report info BUG: unable to handle kernel NULL pointer dereference in jfs_flush_journal
* Struck through repros no longer work on HEAD.