syzbot


kernel BUG in clear_state_bit

Status: upstream: reported C repro on 2022/11/25 09:46
Subsystems: btrfs
Reported-by: syzbot+78dbea1c214b5413bdd3@syzkaller.appspotmail.com
First crash: 125d, last: 9d22h

Cause bisection: introduced by (bisect log) :
commit 4444a06981af66a49cf0cd08fec9759e8dd0a0fc
Author: Jiapeng Chong <jiapeng.chong@linux.alibaba.com>
Date: Thu Sep 1 02:23:32 2022 +0000

  hwmon: (emc2305) Remove unused including <linux/version.h>

Crash: kernel BUG in close_ctree (log)

This bisection result should not be trusted: the commit only drops an unused include from a hwmon driver and touches nothing under fs/btrfs, and the crash syzbot hit while bisecting ("kernel BUG in close_ctree") has a different title from the one reported here, so the bisection was steered by a different btrfs failure and does not identify the culprit.
Repro: C syz .config

Sample crash report:
------------[ cut here ]------------
kernel BUG at fs/btrfs/extent-io-tree.c:515!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 5149 Comm: syz-executor336 Not tainted 6.3.0-rc2-syzkaller-00405-ga3671bd86a97 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
RIP: 0010:clear_state_bit+0x328/0x330 fs/btrfs/extent-io-tree.c:515
Code: 34 fe e9 9a fd ff ff 44 89 e9 80 e1 07 80 c1 03 38 c1 0f 8c c7 fe ff ff 4c 89 ef e8 a2 bc 34 fe e9 ba fe ff ff e8 d8 0b df fd <0f> 0b 66 0f 1f 44 00 00 f3 0f 1e fa 55 48 89 e5 41 57 41 56 41 55
RSP: 0018:ffffc900040ae970 EFLAGS: 00010293
RAX: ffffffff83ab6148 RBX: 00000000fffffff4 RCX: ffff88802bf68000
RDX: 0000000000000000 RSI: 00000000fffffff4 RDI: 0000000000000000
RBP: 0000000000000000 R08: ffffffff83ab5f73 R09: fffffbfff1a02ba3
R10: 0000000000000000 R11: dffffc0000000001 R12: ffff88801dcdf000
R13: ffffc900040aeb78 R14: 0000000000000800 R15: dffffc0000000000
FS:  0000555557300300(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020010000 CR3: 000000001e73e000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 __clear_extent_bit+0x523/0xb20 fs/btrfs/extent-io-tree.c:674
 clear_record_extent_bits+0x52/0x80 fs/btrfs/extent-io-tree.c:1703
 __btrfs_qgroup_release_data+0x4a4/0xa60 fs/btrfs/qgroup.c:3901
 btrfs_add_ordered_extent+0xe2/0xc20 fs/btrfs/ordered-data.c:191
 cow_file_range+0x764/0xfe0 fs/btrfs/inode.c:1320
 btrfs_run_delalloc_range+0xe9b/0x11d0 fs/btrfs/inode.c:2249
 writepage_delalloc+0x261/0x590 fs/btrfs/extent_io.c:1424
 __extent_writepage+0x850/0x16d0 fs/btrfs/extent_io.c:1724
 extent_write_cache_pages fs/btrfs/extent_io.c:2635 [inline]
 extent_writepages+0xc31/0x1930 fs/btrfs/extent_io.c:2755
 do_writepages+0x3a6/0x670 mm/page-writeback.c:2551
 filemap_fdatawrite_wbc+0x125/0x180 mm/filemap.c:390
 __filemap_fdatawrite_range mm/filemap.c:423 [inline]
 filemap_fdatawrite_range+0x16e/0x1e0 mm/filemap.c:441
 btrfs_fdatawrite_range+0x4f/0x110 fs/btrfs/file.c:3857
 btrfs_wait_ordered_range+0x59/0x260 fs/btrfs/ordered-data.c:774
 btrfs_punch_hole fs/btrfs/file.c:2609 [inline]
 btrfs_fallocate+0x474/0x1fa0 fs/btrfs/file.c:3063
 vfs_fallocate+0x54b/0x6b0 fs/open.c:324
 do_vfs_ioctl+0x22aa/0x2b10 fs/ioctl.c:849
 __do_sys_ioctl fs/ioctl.c:868 [inline]
 __se_sys_ioctl+0x81/0x160 fs/ioctl.c:856
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f77f5f45ac9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 11 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffe41c06098 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f77f5f45ac9
RDX: 0000000020000100 RSI: 0000000040305829 RDI: 0000000000000005
RBP: 00007ffe41c060c0 R08: 0000000000000001 R09: 00007ffe41c060d0
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000006
R13: 00007ffe41c06100 R14: 00007ffe41c060e0 R15: 0000000000000003
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:clear_state_bit+0x328/0x330 fs/btrfs/extent-io-tree.c:515
Code: 34 fe e9 9a fd ff ff 44 89 e9 80 e1 07 80 c1 03 38 c1 0f 8c c7 fe ff ff 4c 89 ef e8 a2 bc 34 fe e9 ba fe ff ff e8 d8 0b df fd <0f> 0b 66 0f 1f 44 00 00 f3 0f 1e fa 55 48 89 e5 41 57 41 56 41 55
RSP: 0018:ffffc900040ae970 EFLAGS: 00010293
RAX: ffffffff83ab6148 RBX: 00000000fffffff4 RCX: ffff88802bf68000
RDX: 0000000000000000 RSI: 00000000fffffff4 RDI: 0000000000000000
RBP: 0000000000000000 R08: ffffffff83ab5f73 R09: fffffbfff1a02ba3
R10: 0000000000000000 R11: dffffc0000000001 R12: ffff88801dcdf000
R13: ffffc900040aeb78 R14: 0000000000000800 R15: dffffc0000000000
FS:  0000555557300300(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020010000 CR3: 000000001e73e000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
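To tie the user-space frame (RIP: 0033) to the call trace: on x86-64 ORIG_RAX = 0x10 is __NR_ioctl, RDI = 5 is the file descriptor, RSI = 0x40305829 is the request and RDX = 0x20000100 the argument pointer. The decoder below is an added example written for this page, not syzbot's or the kernel's own code; it unpacks the asm-generic _IOC layout (nr, type, size, dir) and names the FS_IOC_* space-reservation ioctls from include/uapi/linux/fs.h, which do_vfs_ioctl() routes through vfs_fallocate() exactly as the trace shows (do_vfs_ioctl -> vfs_fallocate -> btrfs_fallocate -> btrfs_punch_hole). 0x40305829 decodes to _IOW('X', 41, 48-byte struct), i.e. FS_IOC_UNRESVSP, a punch-hole request. The register values in the block are copied from the report; the struct size and ioctl numbers are the 64-bit uapi definitions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Field layout of an ioctl request number (asm-generic/ioctl.h):
 *   bits 0..7 nr, bits 8..15 type ('magic'), bits 16..29 size,
 *   bits 30..31 dir (1 = _IOC_WRITE, 2 = _IOC_READ). */
#define IOC_NRBITS    8
#define IOC_TYPEBITS  8
#define IOC_SIZEBITS  14
#define IOC_DIRBITS   2
#define IOC_NRSHIFT   0
#define IOC_TYPESHIFT (IOC_NRSHIFT + IOC_NRBITS)
#define IOC_SIZESHIFT (IOC_TYPESHIFT + IOC_TYPEBITS)
#define IOC_DIRSHIFT  (IOC_SIZESHIFT + IOC_SIZEBITS)
#define IOC_WRITE     1u

struct ioc_fields {
	unsigned dir, size, type, nr;
};

struct ioc_fields ioc_decode(uint32_t req)
{
	struct ioc_fields f;

	f.nr   = (req >> IOC_NRSHIFT)   & ((1u << IOC_NRBITS) - 1);
	f.type = (req >> IOC_TYPESHIFT) & ((1u << IOC_TYPEBITS) - 1);
	f.size = (req >> IOC_SIZESHIFT) & ((1u << IOC_SIZEBITS) - 1);
	f.dir  = (req >> IOC_DIRSHIFT)  & ((1u << IOC_DIRBITS) - 1);
	return f;
}

/* sizeof(struct space_resv) from include/uapi/linux/fs.h on 64-bit. */
#define SPACE_RESV_SIZE 48

/* The generic FS_IOC_* space-reservation ioctls that do_vfs_ioctl()
 * turns into vfs_fallocate() calls; all are _IOW('X', nr, struct space_resv).
 * Any other request returns NULL. */
const char *fs_ioc_name(uint32_t req)
{
	struct ioc_fields f = ioc_decode(req);

	if (f.dir != IOC_WRITE || f.type != 'X' || f.size != SPACE_RESV_SIZE)
		return NULL;
	switch (f.nr) {
	case 40: return "FS_IOC_RESVSP";	/* fallocate, mode 0 */
	case 41: return "FS_IOC_UNRESVSP";	/* FALLOC_FL_PUNCH_HOLE */
	case 42: return "FS_IOC_RESVSP64";
	case 43: return "FS_IOC_UNRESVSP64";	/* FALLOC_FL_PUNCH_HOLE */
	case 57: return "FS_IOC_ZERO_RANGE";	/* FALLOC_FL_ZERO_RANGE */
	default: return NULL;
	}
}

/* Register values copied from the RIP: 0033 frame in the report. */
#define REPORT_ORIG_RAX 0x10u		/* __NR_ioctl on x86-64 */
#define REPORT_RDI      5u		/* fd */
#define REPORT_RSI      0x40305829u	/* request */
#define REPORT_RDX      0x20000100u	/* struct space_resv __user * */

int main(void)
{
	struct ioc_fields f = ioc_decode(REPORT_RSI);
	const char *name = fs_ioc_name(REPORT_RSI);

	printf("syscall %#x (ioctl) fd=%u req=%#x arg=%#x\n",
	       REPORT_ORIG_RAX, REPORT_RDI, REPORT_RSI, REPORT_RDX);
	printf("  dir=%u type='%c' nr=%u size=%u -> %s\n",
	       f.dir, f.type, f.nr, f.size,
	       name ? name : "(not a FS_IOC_* space-reservation op)");
	return 0;
}
```

fs_ioc_name() only knows the 'X' family that appears in this trace; a request with another magic byte has to be looked up in the owning driver's uapi header.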
Code disassembly (best guess):
(The listing below is of the user-space Code: line from the RIP: 0033 frame, i.e. the libc syscall wrapper, and its marked cmp is only the instruction the task returns to after the ioctl, not a fault. The kernel trap is the <0f> 0b (ud2) at clear_state_bit+0x328 in the kernel Code: line, which is what BUG()/BUG_ON() expand to on x86 and why the oops reads "invalid opcode". fs/btrfs/extent-io-tree.c:515 is the BUG_ON(ret < 0) in clear_state_bit() on the return value of add_extent_changeset(); RBX and RSI hold 0xfffffff4 (-12, -ENOMEM), consistent with the ulist_add() inside add_extent_changeset() failing to allocate.)
   0:	28 00                	sub    %al,(%rax)
   2:	00 00                	add    %al,(%rax)
   4:	75 05                	jne    0xb
   6:	48 83 c4 28          	add    $0x28,%rsp
   a:	c3                   	retq
   b:	e8 11 15 00 00       	callq  0x1521
  10:	90                   	nop
  11:	48 89 f8             	mov    %rdi,%rax
  14:	48 89 f7             	mov    %rsi,%rdi
  17:	48 89 d6             	mov    %rdx,%rsi
  1a:	48 89 ca             	mov    %rcx,%rdx
  1d:	4d 89 c2             	mov    %r8,%r10
  20:	4d 89 c8             	mov    %r9,%r8
  23:	4c 8b 4c 24 08       	mov    0x8(%rsp),%r9
  28:	0f 05                	syscall
* 2a:	48 3d 01 f0 ff ff    	cmp    $0xfffffffffffff001,%rax <-- trapping instruction
  30:	73 01                	jae    0x33
  32:	c3                   	retq
  33:	48 c7 c1 c0 ff ff ff 	mov    $0xffffffffffffffc0,%rcx
  3a:	f7 d8                	neg    %eax
  3c:	64 89 01             	mov    %eax,%fs:(%rcx)
  3f:	48                   	rex.W
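The <..> marker in a Code: line identifies the byte at RIP, but whether that byte is a fault depends on the frame. The parser below is an added example written for this page (not syzbot's tooling or kernel code): it extracts the bytes, locates the marker and classifies the trap, where 0f 0b (ud2) is what BUG()/BUG_ON() expand to on x86 and a marker immediately after 0f 05 (syscall) is a user frame captured at syscall return. The two sample lines are the kernel and user-space Code: lines copied from the report above.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CODE_MAX 64		/* x86 oops Code: lines carry 64 bytes */

struct code_line {
	unsigned char bytes[CODE_MAX];
	int len;
	int trap;		/* index of the <..>-marked byte, -1 if none */
};

/* Parse "Code: 34 fe ... <0f> 0b ..." into bytes. Returns 0 on success,
 * -1 if there is no Code: prefix, no bytes, or a malformed <..> marker. */
int parse_code_line(const char *line, struct code_line *out)
{
	const char *p = strstr(line, "Code:");

	out->len = 0;
	out->trap = -1;
	if (!p)
		return -1;
	p += strlen("Code:");
	while (out->len < CODE_MAX) {
		int marked = 0;
		char hex[3];

		while (*p == ' ' || *p == '\t')
			p++;
		if (*p == '<') {
			marked = 1;
			p++;
		}
		if (!isxdigit((unsigned char)p[0]) ||
		    !isxdigit((unsigned char)p[1]))
			break;			/* end of bytes, or prose */
		if (marked && p[2] != '>')
			return -1;
		hex[0] = p[0];
		hex[1] = p[1];
		hex[2] = '\0';
		out->bytes[out->len] = (unsigned char)strtoul(hex, NULL, 16);
		if (marked)
			out->trap = out->len;
		out->len++;
		p += marked ? 3 : 2;
	}
	return out->len ? 0 : -1;
}

enum trap_kind {
	TRAP_UNKNOWN,		/* needs a real disassembly */
	TRAP_UD2,		/* 0f 0b: BUG()/BUG_ON() on x86 */
	TRAP_SYSCALL_RET,	/* marker right after 0f 05: user frame at syscall return */
};

enum trap_kind classify_trap(const struct code_line *c)
{
	int t = c->trap;

	if (t < 0)
		return TRAP_UNKNOWN;
	if (t + 1 < c->len && c->bytes[t] == 0x0f && c->bytes[t + 1] == 0x0b)
		return TRAP_UD2;
	if (t >= 2 && c->bytes[t - 2] == 0x0f && c->bytes[t - 1] == 0x05)
		return TRAP_SYSCALL_RET;
	return TRAP_UNKNOWN;
}

/* Single-line wrappers: trap byte index (or -1) and its classification. */
int code_trap_index(const char *line)
{
	struct code_line c;

	return parse_code_line(line, &c) ? -1 : c.trap;
}

enum trap_kind code_trap_kind(const char *line)
{
	struct code_line c;

	return parse_code_line(line, &c) ? TRAP_UNKNOWN : classify_trap(&c);
}

/* The two Code: lines from the report above (kernel frame, then user frame). */
static const char KERNEL_CODE_LINE[] =
	"Code: 34 fe e9 9a fd ff ff 44 89 e9 80 e1 07 80 c1 03 38 c1 0f 8c c7 fe ff ff "
	"4c 89 ef e8 a2 bc 34 fe e9 ba fe ff ff e8 d8 0b df fd <0f> 0b 66 0f 1f 44 "
	"00 00 f3 0f 1e fa 55 48 89 e5 41 57 41 56 41 55";
static const char USER_CODE_LINE[] =
	"Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 11 15 00 00 90 48 89 f8 48 89 f7 "
	"48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff "
	"73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48";

int main(void)
{
	static const char *names[] = { "unknown", "ud2 (BUG)", "syscall return" };

	printf("kernel: trap at byte %d -> %s\n",
	       code_trap_index(KERNEL_CODE_LINE), names[code_trap_kind(KERNEL_CODE_LINE)]);
	printf("user:   trap at byte %d -> %s\n",
	       code_trap_index(USER_CODE_LINE), names[code_trap_kind(USER_CODE_LINE)]);
	return 0;
}
```

Both lines put the marker at byte 42, which is the 0x2a offset the listing above shows; only the kernel line's marked byte is a real trap.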

Crashes (24):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Title
ci-upstream-kasan-gce-smack-root 2023/03/19 12:07 upstream a3671bd86a97 7939252e .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] kernel BUG in clear_state_bit
ci-upstream-kasan-gce-root 2022/12/25 05:22 upstream 72a85e2b0a1e 9da18ae8 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] kernel BUG in clear_state_bit
ci-upstream-kasan-gce-root 2022/12/20 22:36 upstream 6feb57c2fd7c d3e76707 .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] kernel BUG in clear_state_bit
ci-upstream-kasan-gce-root 2022/12/10 15:04 upstream 3ecc37918c80 67be1ae7 .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] kernel BUG in clear_state_bit
ci2-upstream-fs 2022/12/02 19:34 upstream a4412fdd49dc e080de16 .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] kernel BUG in clear_state_bit
ci-upstream-kasan-gce-root 2022/12/01 05:53 upstream 04aa64375f48 4c2a66e8 .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] kernel BUG in clear_state_bit
ci2-upstream-fs 2022/11/30 21:40 upstream 01f856ae6d0c 4c2a66e8 .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] kernel BUG in clear_state_bit
ci2-upstream-fs 2022/11/25 08:39 upstream c3eb11fbb826 74a66371 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] kernel BUG in clear_state_bit
ci-upstream-linux-next-kasan-gce-root 2023/01/21 09:39 linux-next d514392f17fd 559a440a .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] kernel BUG in clear_state_bit
ci-upstream-linux-next-kasan-gce-root 2023/01/16 23:48 linux-next c12e2e5b76b2 a63719e7 .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] kernel BUG in clear_state_bit
ci-upstream-linux-next-kasan-gce-root 2023/01/07 08:41 linux-next cc3c08b41a9c 1dac8c7a .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] kernel BUG in clear_state_bit
ci-upstream-gce-arm64 2022/11/30 12:12 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci cdb931b58ff5 4c2a66e8 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] kernel BUG in clear_state_bit
ci-upstream-gce-arm64 2022/11/26 08:34 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 6d464646530f 74a66371 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] kernel BUG in clear_state_bit
ci2-upstream-fs 2023/02/28 02:46 upstream 982818426a0f 95aee97a .config console log report info [disk image] [vmlinux] [kernel image] kernel BUG in clear_state_bit
ci2-upstream-fs 2023/01/02 13:34 upstream 88603b6dc419 ab32d508 .config console log report info [disk image] [vmlinux] [kernel image] kernel BUG in clear_state_bit
ci2-upstream-fs 2022/11/25 08:16 upstream c3eb11fbb826 74a66371 .config console log report info [disk image] [vmlinux] [kernel image] kernel BUG in clear_state_bit
ci-upstream-gce-arm64 2023/03/20 13:43 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci fe15c26ee26e 7939252e .config console log report info [disk image] [vmlinux] [kernel image] kernel BUG in clear_state_bit
ci-upstream-gce-arm64 2023/02/15 07:58 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 2d3827b3f393 1d6b4af7 .config console log report info [disk image] [vmlinux] [kernel image] kernel BUG in clear_state_bit
ci-upstream-gce-arm64 2023/02/06 05:56 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci ca72d58361ee be607b78 .config console log report info [disk image] [vmlinux] [kernel image] kernel BUG in clear_state_bit
ci-upstream-gce-arm64 2023/01/30 18:14 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci c62c88e05937 9dfcf09c .config console log report info [disk image] [vmlinux] [kernel image] kernel BUG in clear_state_bit
ci-upstream-gce-arm64 2023/01/30 01:11 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci c62c88e05937 9dfcf09c .config console log report info [disk image] [vmlinux] [kernel image] kernel BUG in clear_state_bit
ci-upstream-gce-arm64 2022/12/15 08:07 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci a5541c0811a0 b18f0a64 .config console log report info [disk image] [vmlinux] [kernel image] kernel BUG in clear_state_bit
ci-upstream-gce-arm64 2022/12/01 20:37 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci cdb931b58ff5 e080de16 .config console log report info [disk image] [vmlinux] [kernel image] kernel BUG in clear_state_bit
ci-upstream-gce-arm64 2022/11/30 03:08 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci cdb931b58ff5 05dc7993 .config console log report info [disk image] [vmlinux] [kernel image] kernel BUG in clear_state_bit
* Struck through repros no longer work on HEAD.