syzbot


WARNING in __brelse

Status: upstream: reported C repro on 2022/09/28 20:43
Reported-by: syzbot+7902cd7684bc35306224@syzkaller.appspotmail.com
Fix commit: udf: Avoid double brelse() in udf_rename()
Patched on: [ci-upstream-linux-next-kasan-gce-root], missing on: [ci-qemu-upstream ci-qemu-upstream-386 ci-qemu2-arm32 ci-qemu2-arm64 ci-qemu2-arm64-compat ci-qemu2-arm64-mte ci-qemu2-riscv64 ci-upstream-bpf-kasan-gce ci-upstream-bpf-next-kasan-gce ci-upstream-gce-arm64 ci-upstream-gce-leak ci-upstream-kasan-gce ci-upstream-kasan-gce-386 ci-upstream-kasan-gce-root ci-upstream-kasan-gce-selinux-root ci-upstream-kasan-gce-smack-root ci-upstream-kmsan-gce ci-upstream-kmsan-gce-386 ci-upstream-net-kasan-gce ci-upstream-net-this-kasan-gce ci2-upstream-fs ci2-upstream-kcsan-gce ci2-upstream-usb]
First crash: 65d, last: 17d

Cause bisection: the issue happens on the oldest tested release (bisect log)
Crash: WARNING in __brelse (log)
Repro: C syz .config
similar bugs (4):
Kernel       Title                Repro  Cause bisect  Fix bisect  Count  Last   Reported  Patched  Status
android-49   WARNING in __brelse  C      -             -           6      1339d  1328d     0/3      public: reported C repro on 2019/04/14 00:00
linux-4.14   WARNING in __brelse  C      -             -           1      31d    31d       0/1      upstream: reported C repro on 2022/10/31 19:01
android-414  WARNING in __brelse  C      -             -           10     1339d  1330d     0/1      public: reported C repro on 2019/04/12 00:00
linux-4.19   WARNING in __brelse  C      -             -           6      3d18h  62d       0/1      upstream: reported C repro on 2022/10/01 01:04

Sample crash report:
------------[ cut here ]------------
VFS: brelse: Trying to free free buffer
WARNING: CPU: 0 PID: 0 at fs/buffer.c:1145 __brelse fs/buffer.c:1145 [inline]
WARNING: CPU: 0 PID: 0 at fs/buffer.c:1145 __brelse+0x67/0xa0 fs/buffer.c:1139
Modules linked in:
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.1.0-rc5-syzkaller-00008-ge01d50cbd6ee #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
RIP: 0010:__brelse fs/buffer.c:1145 [inline]
RIP: 0010:__brelse+0x67/0xa0 fs/buffer.c:1139
Code: 7c 04 84 d2 75 4e 44 8b 63 60 31 ff 44 89 e6 e8 af 12 95 ff 45 85 e4 75 1c e8 d5 15 95 ff 48 c7 c7 a0 c6 fc 89 e8 50 29 62 07 <0f> 0b 5b 5d 41 5c e9 be 15 95 ff e8 b9 15 95 ff be 04 00 00 00 48
RSP: 0018:ffffc90000007f40 EFLAGS: 00010082
RAX: 0000000000000000 RBX: ffff888070cc90e8 RCX: 0000000000000000
RDX: ffffffff8bcbc9c0 RSI: ffffffff81622b98 RDI: fffff52000000fda
RBP: ffff888070cc9148 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080010002 R11: 0000000000000000 R12: 0000000000000000
R13: dffffc0000000000 R14: ffff8880b9a35fc0 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000561499cb4318 CR3: 0000000079fd9000 CR4: 0000000000350ef0
Call Trace:
 <IRQ>
 brelse include/linux/buffer_head.h:326 [inline]
 __invalidate_bh_lrus fs/buffer.c:1380 [inline]
 invalidate_bh_lru+0x99/0x150 fs/buffer.c:1393
 __flush_smp_call_function_queue+0x205/0x9a0 kernel/smp.c:630
 __sysvec_call_function_single+0xca/0x4d0 arch/x86/kernel/smp.c:248
 sysvec_call_function_single+0x8e/0xc0 arch/x86/kernel/smp.c:243
 </IRQ>
 <TASK>
 asm_sysvec_call_function_single+0x16/0x20 arch/x86/include/asm/idtentry.h:657
RIP: 0010:native_save_fl arch/x86/include/asm/irqflags.h:29 [inline]
RIP: 0010:arch_local_save_flags arch/x86/include/asm/irqflags.h:70 [inline]
RIP: 0010:arch_irqs_disabled arch/x86/include/asm/irqflags.h:130 [inline]
RIP: 0010:acpi_safe_halt drivers/acpi/processor_idle.c:113 [inline]
RIP: 0010:acpi_idle_do_entry+0x1fd/0x2a0 drivers/acpi/processor_idle.c:572
Code: 89 de e8 86 93 ea f7 84 db 75 ac e8 ed 96 ea f7 e8 48 0e f1 f7 eb 0c e8 e1 96 ea f7 0f 00 2d ba 93 c2 00 e8 d5 96 ea f7 fb f4 <9c> 5b 81 e3 00 02 00 00 fa 31 ff 48 89 de e8 b0 93 ea f7 48 85 db
RSP: 0018:ffffffff8bc07d28 EFLAGS: 00000293
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffffffff8bcbc9c0 RSI: ffffffff899215ab RDI: 0000000000000000
RBP: ffff888017601864 R08: 0000000000000001 R09: 0000000000000001
R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000001
R13: ffff888017601800 R14: ffff888017601864 R15: ffff888145fe4004
 acpi_idle_enter+0x364/0x500 drivers/acpi/processor_idle.c:709
 cpuidle_enter_state+0x1ab/0xd30 drivers/cpuidle/cpuidle.c:239
 cpuidle_enter+0x4a/0xa0 drivers/cpuidle/cpuidle.c:356
 call_cpuidle kernel/sched/idle.c:155 [inline]
 cpuidle_idle_call kernel/sched/idle.c:236 [inline]
 do_idle+0x3f7/0x590 kernel/sched/idle.c:303
 cpu_startup_entry+0x14/0x20 kernel/sched/idle.c:400
 rest_init+0x169/0x270 init/main.c:729
 arch_call_rest_init+0xf/0x14 init/main.c:890
 start_kernel+0x478/0x499 init/main.c:1145
 secondary_startup_64_no_verify+0xce/0xdb
 </TASK>
----------------
Code disassembly (best guess):
   0:	89 de                	mov    %ebx,%esi
   2:	e8 86 93 ea f7       	callq  0xf7ea938d
   7:	84 db                	test   %bl,%bl
   9:	75 ac                	jne    0xffffffb7
   b:	e8 ed 96 ea f7       	callq  0xf7ea96fd
  10:	e8 48 0e f1 f7       	callq  0xf7f10e5d
  15:	eb 0c                	jmp    0x23
  17:	e8 e1 96 ea f7       	callq  0xf7ea96fd
  1c:	0f 00 2d ba 93 c2 00 	verw   0xc293ba(%rip)        # 0xc293dd
  23:	e8 d5 96 ea f7       	callq  0xf7ea96fd
  28:	fb                   	sti
  29:	f4                   	hlt
* 2a:	9c                   	pushfq <-- trapping instruction
  2b:	5b                   	pop    %rbx
  2c:	81 e3 00 02 00 00    	and    $0x200,%ebx
  32:	fa                   	cli
  33:	31 ff                	xor    %edi,%edi
  35:	48 89 de             	mov    %rbx,%rsi
  38:	e8 b0 93 ea f7       	callq  0xf7ea93ed
  3d:	48 85 db             	test   %rbx,%rbx

Crashes (10):
Manager                                Time              Kernel      Commit        Syzkaller  Config   Log  Report  Syz repro  C repro  VM info  Title
ci-upstream-kasan-gce-root             2022/11/15 16:30  upstream    e01d50cbd6ee  97de9cfc   .config  log  report  syz        C        -        WARNING in __brelse
ci-upstream-kasan-gce-root             2022/11/09 04:37  upstream    f141df371335  060f945e   .config  log  report  syz        C        -        WARNING in __brelse
ci-upstream-kasan-gce-root             2022/10/09 22:20  upstream    a6afa4199d3d  aea5da89   .config  log  report  syz        C        -        WARNING in __brelse
ci-upstream-kasan-gce-root             2022/10/05 17:51  upstream    2bca25eaeba6  267e3bb1   .config  log  report  syz        C        -        WARNING in __brelse
ci-upstream-kasan-gce-root             2022/09/28 09:33  upstream    46452d3786a8  75c78242   .config  log  report  syz        C        -        WARNING in __brelse
ci-upstream-linux-next-kasan-gce-root  2022/10/31 08:19  linux-next  4d48f589d294  2a71366b   .config  log  report  syz        C        -        WARNING in __brelse
ci-upstream-kasan-gce-root             2022/11/11 05:48  upstream    1767a722a708  3ead01ad   .config  log  report  -          -        info     WARNING in __brelse
ci-upstream-kasan-gce-root             2022/11/05 15:56  upstream    10d916c86eca  6d752409   .config  log  report  -          -        info     WARNING in __brelse
ci-upstream-linux-next-kasan-gce-root  2022/10/09 23:00  linux-next  aaa11ce2ffc8  aea5da89   .config  log  report  -          -        info     WARNING in __brelse
ci-upstream-gce-arm64                  2022/10/06 19:56  git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci  bbed346d5a96  131b38ac  .config  log  report  -  -  info  WARNING in __brelse
* Struck through repros no longer work on HEAD.