syzbot

 sign-in | mailing list | source | docs
🐞 Open [1163] Subsystems 🐞 Fixed [4400] 🐞 Invalid [9892] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes 💬 Send us feedback

kernel BUG in reiserfs_cut_from_item

Status: upstream: reported C repro on 2023/01/06 19:16
Subsystems: reiserfs (incorrect?)
Reported-by: syzbot+b2c969f18c4ab30419f9@syzkaller.appspotmail.com
First crash: 78d, last: 26d

Cause bisection: failed (error log, bisect log)

Sample crash report:
1:  ".."           1              2              0              2              (VISIBLE)
-------------------------------------------------------------------------------
| 5| *3.6* [2 6 0x0 SD], item_len 44, item_location 340, free_space(entry_count) 65535 |
	mode | size | nlinks | first direct | mtime
	0100000 |     24 |  1 | 0 | 1672687496
===================================================================
REISERFS panic (device loop0): PAP-5580 reiserfs_cut_from_item: item to convert does not exist ([2 6 0x1 IND])
------------[ cut here ]------------
kernel BUG at fs/reiserfs/prints.c:390!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 5065 Comm: syz-executor364 Not tainted 6.2.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
RIP: 0010:__reiserfs_panic+0x12f/0x140 fs/reiserfs/prints.c:390
Code: c0 50 03 8b 48 0f 44 c8 48 0f 44 d8 48 c7 c7 80 51 03 8b 4c 89 fe 48 89 da 4d 89 f0 49 c7 c1 40 46 16 92 31 c0 e8 01 ec 82 08 <0f> 0b 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 48 89 e5 41
RSP: 0018:ffffc90003c0f140 EFLAGS: 00010246
RAX: 000000000000006e RBX: ffffffff8b0376e0 RCX: bc42c5d171a4b400
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: ffffc90003c0f230 R08: ffffffff816f2c9d R09: fffff52000781de1
R10: fffff52000781de1 R11: 1ffff92000781de0 R12: ffffffff8b037700
R13: ffffc90003c0f160 R14: ffffffff8cc71f98 R15: ffff888079d1a6a8
FS:  0000000000000000(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055f2c5ae6c40 CR3: 0000000021dc5000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 reiserfs_cut_from_item+0x219d/0x25b0 fs/reiserfs/stree.c:1729
 reiserfs_do_truncate+0x9d6/0x15a0 fs/reiserfs/stree.c:1973
 reiserfs_truncate_file+0x471/0x790 fs/reiserfs/inode.c:2310
 reiserfs_file_release+0x887/0xa30 fs/reiserfs/file.c:109
 __fput+0x3ba/0x880 fs/file_table.c:320
 task_work_run+0x243/0x300 kernel/task_work.c:179
 exit_task_work include/linux/task_work.h:38 [inline]
 do_exit+0x644/0x2150 kernel/exit.c:867
 do_group_exit+0x1fd/0x2b0 kernel/exit.c:1012
 __do_sys_exit_group kernel/exit.c:1023 [inline]
 __se_sys_exit_group kernel/exit.c:1021 [inline]
 __x64_sys_exit_group+0x3b/0x40 kernel/exit.c:1021
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f6be3efd489
Code: Unable to access opcode bytes at 0x7f6be3efd45f.
RSP: 002b:00007ffec10dfdd8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 00007f6be3f72350 RCX: 00007f6be3efd489
RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f6be3f72350
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__reiserfs_panic+0x12f/0x140 fs/reiserfs/prints.c:390
Code: c0 50 03 8b 48 0f 44 c8 48 0f 44 d8 48 c7 c7 80 51 03 8b 4c 89 fe 48 89 da 4d 89 f0 49 c7 c1 40 46 16 92 31 c0 e8 01 ec 82 08 <0f> 0b 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 48 89 e5 41
RSP: 0018:ffffc90003c0f140 EFLAGS: 00010246
RAX: 000000000000006e RBX: ffffffff8b0376e0 RCX: bc42c5d171a4b400
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: ffffc90003c0f230 R08: ffffffff816f2c9d R09: fffff52000781de1
R10: fffff52000781de1 R11: 1ffff92000781de0 R12: ffffffff8b037700
R13: ffffc90003c0f160 R14: ffffffff8cc71f98 R15: ffff888079d1a6a8
FS:  0000000000000000(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055f2c5ae6c40 CR3: 0000000021dc5000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Fix bisection attempts:
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Title
ci2-upstream-fs 2023/02/24 16:44 upstream d2980d8d8265 ab32d508 .config console log report syz C
* Struck through repros no longer work on HEAD.
Crashes (3):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Title
ci2-upstream-fs 2023/01/02 19:25 upstream 88603b6dc419 ab32d508 .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] kernel BUG in reiserfs_cut_from_item
ci2-upstream-fs 2023/01/25 00:26 upstream fb6e71db53f3 9dfcf09c .config console log report info [disk image] [vmlinux] [kernel image] kernel BUG in reiserfs_cut_from_item
ci2-upstream-fs 2023/01/02 19:06 upstream 88603b6dc419 ab32d508 .config console log report info [disk image] [vmlinux] [kernel image] kernel BUG in reiserfs_cut_from_item
* Struck through repros no longer work on HEAD.