syzbot


kernel BUG in reiserfs_update_sd_size

Status: upstream: reported C repro on 2022/12/21 23:39
Subsystems: reiserfs (incorrect?)
Reported-by: syzbot+7d78ccda251bc1bdbaed@syzkaller.appspotmail.com
First crash: 94d, last: 19h49m

Cause bisection: failed (error log, bisect log)
similar bugs (2):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.14 kernel BUG in reiserfs_update_sd_size reiserfs C 1 18d 86d 0/1 upstream: reported C repro on 2022/12/26 01:36
linux-4.19 kernel BUG at fs/reiserfs/journal.c:LINE! reiserfs C error 139 25d 912d 0/1 upstream: reported C repro on 2020/09/21 00:32

Sample crash report:
REISERFS (device loop0): Using r5 hash to sort names
REISERFS panic (device loop0): vs-13065 update_stat_data: key [1 2 0x0 DIRECT], found item *3.6* [1 2 0x0 DIRECT], item_len 44, item_location 4052, free_space(entry_count) 0
------------[ cut here ]------------
kernel BUG at fs/reiserfs/prints.c:390!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 5067 Comm: syz-executor406 Not tainted 6.1.0-syzkaller-13031-g77856d911a8c #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
RIP: 0010:__reiserfs_panic+0x12f/0x140 fs/reiserfs/prints.c:390
Code: 80 4d 03 8b 48 0f 44 c8 48 0f 44 d8 48 c7 c7 40 4e 03 8b 4c 89 fe 48 89 da 4d 89 f0 49 c7 c1 40 d6 15 92 31 c0 e8 41 3e 72 08 <0f> 0b 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 48 89 e5 41
RSP: 0018:ffffc90003b1f560 EFLAGS: 00010246
RAX: 00000000000000ad RBX: ffffffff8b02f3a0 RCX: 13eb6dc0ca851900
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: ffffc90003b1f650 R08: ffffffff816f29ad R09: fffff52000763e25
R10: fffff52000763e25 R11: 1ffff92000763e24 R12: ffffffff8b02f3c0
R13: ffffc90003b1f580 R14: ffffffff8cc6e3d9 R15: ffff88802b39a6a8
FS:  0000555555d45300(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fd11fff5a70 CR3: 000000007d5eb000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 update_stat_data fs/reiserfs/inode.c:1424 [inline]
 reiserfs_update_sd_size+0xfc6/0x10a0 fs/reiserfs/inode.c:1497
 reiserfs_update_sd fs/reiserfs/reiserfs.h:3099 [inline]
 reiserfs_mkdir+0x723/0x8c0 fs/reiserfs/namei.c:877
 xattr_mkdir fs/reiserfs/xattr.c:76 [inline]
 create_privroot fs/reiserfs/xattr.c:882 [inline]
 reiserfs_xattr_init+0x34b/0x730 fs/reiserfs/xattr.c:1005
 reiserfs_fill_super+0x20b5/0x24a0 fs/reiserfs/super.c:2175
 mount_bdev+0x26c/0x3a0 fs/super.c:1359
 legacy_get_tree+0xea/0x180 fs/fs_context.c:610
 vfs_get_tree+0x88/0x270 fs/super.c:1489
 do_new_mount+0x289/0xad0 fs/namespace.c:3145
 do_mount fs/namespace.c:3488 [inline]
 __do_sys_mount fs/namespace.c:3697 [inline]
 __se_sys_mount+0x2d3/0x3c0 fs/namespace.c:3674
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f13e308daea
Code: 83 c4 08 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffe033aa0a8 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f13e308daea
RDX: 0000000020000000 RSI: 0000000020000040 RDI: 00007ffe033aa0c0
RBP: 00007ffe033aa0c0 R08: 00007ffe033aa100 R09: 0000000000001105
R10: 0000000000208000 R11: 0000000000000286 R12: 0000000000000004
R13: 0000555555d452c0 R14: 0000000000208000 R15: 00007ffe033aa100
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__reiserfs_panic+0x12f/0x140 fs/reiserfs/prints.c:390
Code: 80 4d 03 8b 48 0f 44 c8 48 0f 44 d8 48 c7 c7 40 4e 03 8b 4c 89 fe 48 89 da 4d 89 f0 49 c7 c1 40 d6 15 92 31 c0 e8 41 3e 72 08 <0f> 0b 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 48 89 e5 41
RSP: 0018:ffffc90003b1f560 EFLAGS: 00010246
RAX: 00000000000000ad RBX: ffffffff8b02f3a0 RCX: 13eb6dc0ca851900
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: ffffc90003b1f650 R08: ffffffff816f29ad R09: fffff52000763e25
R10: fffff52000763e25 R11: 1ffff92000763e24 R12: ffffffff8b02f3c0
R13: ffffc90003b1f580 R14: ffffffff8cc6e3d9 R15: ffff88802b39a6a8
FS:  0000555555d45300(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055ce843f1078 CR3: 000000007d5eb000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Fix bisection attempts:
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Title
ci2-upstream-fs 2023/02/28 05:28 upstream ae3419fbac84 05494336 .config console log report syz C
* Struck through repros no longer work on HEAD.
Crashes (6):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Title
ci2-upstream-fs 2022/12/17 23:37 upstream 77856d911a8c 05494336 .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] kernel BUG in reiserfs_update_sd_size
ci2-upstream-fs 2023/01/26 08:50 upstream 7c46948a6e9c 9dfcf09c .config console log report info [disk image] [vmlinux] [kernel image] kernel BUG in reiserfs_update_sd_size
ci-upstream-kasan-gce-root 2023/01/12 00:33 upstream 7dd4b804e080 96166539 .config console log report info [disk image] [vmlinux] [kernel image] kernel BUG in reiserfs_update_sd_size
ci2-upstream-fs 2022/12/20 03:00 upstream aeba12b26c79 c52b2efb .config console log report info [disk image] [vmlinux] [kernel image] kernel BUG in reiserfs_update_sd_size
ci2-upstream-fs 2022/12/18 23:31 upstream f9ff5644bcc0 05494336 .config console log report info [disk image] [vmlinux] [kernel image] kernel BUG in reiserfs_update_sd_size
ci-upstream-linux-next-kasan-gce-root 2023/03/21 23:08 linux-next f3594f0204b7 8b4eb097 .config console log report info [disk image] [vmlinux] [kernel image] kernel BUG in reiserfs_update_sd_size
* Struck through repros no longer work on HEAD.