syzbot


BUG: unable to handle kernel paging request in take_dentry_name_snapshot

Status: closed as dup on 2023/10/04 08:35
Subsystems: reiserfs overlayfs
Reported-by: syzbot+90392eaed540afcc8fc3@syzkaller.appspotmail.com
First crash: 542d, last: 45d
Cause bisection: failed (error log, bisect log)
Fix bisection: fixed by (bisect log):
commit 1784fbc2ed9c888ea4e895f30a53207ed7ee8208
Author: Christian Brauner <brauner@kernel.org>
Date: Fri Jun 16 12:53:58 2023 +0000

  ovl: port to new mount api

Duplicate of
Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported
WARNING: locking bug in take_dentry_name_snapshot (reiserfs overlayfs) | C | error | done | 14 | 404d | 465d
Discussions (4)
Title | Replies (including bot) | Last reply
[syzbot] BUG: unable to handle kernel paging request in take_dentry_name_snapshot | 1 (4) | 2023/10/04 08:35
[syzbot] Monthly overlayfs report (Oct 2023) | 0 (1) | 2023/10/04 07:30
[syzbot] Monthly overlayfs report (May 2023) | 0 (1) | 2023/05/06 08:19
[syzbot] Monthly overlayfs report | 0 (1) | 2023/04/05 08:55
Similar bugs (3)
Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status
upstream | BUG: spinlock bad magic in lock_sock_nested (2) (bluetooth) | | | | 1 | 855d | 855d | 0/26 | auto-closed as invalid on 2022/04/18 01:34
upstream | BUG: spinlock bad magic in lock_sock_nested (bluetooth) | | | | 26 | 996d | 1352d | 0/26 | auto-closed as invalid on 2021/12/27 15:41
upstream | BUG: spinlock bad magic in skb_queue_tail (afs net) | | | | 1 | 519d | 515d | 0/26 | auto-obsoleted due to no activity on 2023/03/19 17:50
Last patch testing requests (3)
Created | Duration | User | Patch | Repo | Result
2023/08/24 06:51 | 16m | retest repro | | linux-next | report log
2023/08/24 06:51 | 16m | retest repro | | upstream | report log
2023/08/24 06:51 | 14m | retest repro | | linux-next | report log
Fix bisection attempts (2)
Created | Duration | User | Patch | Repo | Result
2023/07/30 07:01 | 7h31m | bisect fix | | upstream | job log (1)
2023/06/24 03:19 | 1h00m | bisect fix | | upstream | job log (0) log

Sample crash report:
loop0: detected capacity change from 0 to 32768
read_mapping_page failed!
ERROR: (device loop0): txCommit: 
ERROR: (device loop0): remounting filesystem as read-only
BUG: spinlock bad magic on CPU#0, syz-executor256/5058
==================================================================
BUG: KASAN: slab-out-of-bounds in string_nocheck lib/vsprintf.c:646 [inline]
BUG: KASAN: slab-out-of-bounds in string+0x218/0x2b0 lib/vsprintf.c:728
Read of size 1 at addr ffff8880111e9be0 by task syz-executor256/5058

CPU: 0 PID: 5058 Comm: syz-executor256 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:488
 kasan_report+0x143/0x180 mm/kasan/report.c:601
 string_nocheck lib/vsprintf.c:646 [inline]
 string+0x218/0x2b0 lib/vsprintf.c:728
 vsnprintf+0x1101/0x1da0 lib/vsprintf.c:2824
 vprintk_store+0x480/0x1160 kernel/printk/printk.c:2222
 vprintk_emit+0x1a7/0x770 kernel/printk/printk.c:2323
 _printk+0xd5/0x120 kernel/printk/printk.c:2367
 spin_dump kernel/locking/spinlock_debug.c:64 [inline]
 spin_bug+0x13b/0x1d0 kernel/locking/spinlock_debug.c:78
 debug_spin_lock_before kernel/locking/spinlock_debug.c:86 [inline]
 do_raw_spin_lock+0x209/0x370 kernel/locking/spinlock_debug.c:115
 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:111 [inline]
 _raw_spin_lock_irqsave+0xe1/0x120 kernel/locking/spinlock.c:162
 __wake_up_common_lock+0x25/0x1e0 kernel/sched/wait.c:105
 unlock_metapage fs/jfs/jfs_metapage.c:38 [inline]
 release_metapage+0xbb/0x870 fs/jfs/jfs_metapage.c:765
 xtTruncate+0x1006/0x3270
 jfs_free_zero_link+0x46e/0x6e0 fs/jfs/namei.c:759
 jfs_evict_inode+0x35f/0x440 fs/jfs/inode.c:153
 evict+0x2a8/0x630 fs/inode.c:667
 __dentry_kill+0x20d/0x630 fs/dcache.c:603
 shrink_kill+0xa9/0x2c0 fs/dcache.c:1048
 shrink_dentry_list+0x2c0/0x5b0 fs/dcache.c:1075
 shrink_dcache_parent+0xcb/0x3b0
 do_one_tree+0x23/0xe0 fs/dcache.c:1538
 shrink_dcache_for_umount+0x7d/0x130 fs/dcache.c:1555
 generic_shutdown_super+0x6a/0x2d0 fs/super.c:619
 kill_block_super+0x44/0x90 fs/super.c:1675
 deactivate_locked_super+0xc4/0x130 fs/super.c:472
 cleanup_mnt+0x426/0x4c0 fs/namespace.c:1267
 task_work_run+0x24f/0x310 kernel/task_work.c:180
 exit_task_work include/linux/task_work.h:38 [inline]
 do_exit+0xa1b/0x27e0 kernel/exit.c:878
 do_group_exit+0x207/0x2c0 kernel/exit.c:1027
 __do_sys_exit_group kernel/exit.c:1038 [inline]
 __se_sys_exit_group kernel/exit.c:1036 [inline]
 __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1036
 do_syscall_64+0xfb/0x240
 entry_SYSCALL_64_after_hwframe+0x6d/0x75
RIP: 0033:0x7f9a6c9f67c9
Code: Unable to access opcode bytes at 0x7f9a6c9f679f.
RSP: 002b:00007ffcd4e72d88 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f9a6c9f67c9
RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001
RBP: 00007f9a6ca772d0 R08: ffffffffffffffb8 R09: 00007ffcd4e72e60
R10: 0000000020000980 R11: 0000000000000246 R12: 00007f9a6ca772d0
R13: 0000000000000000 R14: 00007f9a6ca78040 R15: 00007f9a6c9c4d00
 </TASK>

The buggy address belongs to the object at ffff8880111e9bc0
 which belongs to the cache jfs_ip of size 2240
The buggy address is located 32 bytes inside of
 allocated 2240-byte region [ffff8880111e9bc0, ffff8880111ea480)

The buggy address belongs to the physical page:
page:ffffea0000447a00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x111e8
head:ffffea0000447a00 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000840 ffff88801932d780 dead000000000122 0000000000000000
raw: 0000000000000000 00000000800d000d 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Reclaimable, gfp_mask 0xd2050(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_RECLAIMABLE), pid 5058, tgid 5058 (syz-executor256), ts 57103346413, free_ts 16196088355
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x1ea/0x210 mm/page_alloc.c:1533
 prep_new_page mm/page_alloc.c:1540 [inline]
 get_page_from_freelist+0x33ea/0x3580 mm/page_alloc.c:3311
 __alloc_pages+0x256/0x680 mm/page_alloc.c:4569
 __alloc_pages_node include/linux/gfp.h:238 [inline]
 alloc_pages_node include/linux/gfp.h:261 [inline]
 alloc_slab_page+0x5f/0x160 mm/slub.c:2175
 allocate_slab mm/slub.c:2338 [inline]
 new_slab+0x84/0x2f0 mm/slub.c:2391
 ___slab_alloc+0xc73/0x1260 mm/slub.c:3525
 __slab_alloc mm/slub.c:3610 [inline]
 __slab_alloc_node mm/slub.c:3663 [inline]
 slab_alloc_node mm/slub.c:3835 [inline]
 kmem_cache_alloc_lru+0x253/0x350 mm/slub.c:3864
 alloc_inode_sb include/linux/fs.h:3088 [inline]
 jfs_alloc_inode+0x28/0x70 fs/jfs/super.c:105
 alloc_inode fs/inode.c:261 [inline]
 iget_locked+0x1ad/0x850 fs/inode.c:1280
 jfs_iget+0x22/0x3b0 fs/jfs/inode.c:29
 jfs_lookup+0x226/0x410 fs/jfs/namei.c:1469
 __lookup_slow+0x28c/0x3f0 fs/namei.c:1692
 lookup_slow+0x53/0x70 fs/namei.c:1709
 walk_component+0x2e1/0x410 fs/namei.c:2004
 lookup_last fs/namei.c:2461 [inline]
 path_lookupat+0x16f/0x450 fs/namei.c:2485
 filename_lookup+0x256/0x610 fs/namei.c:2514
page last free pid 1 tgid 1 stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1140 [inline]
 free_unref_page_prepare+0x95d/0xa80 mm/page_alloc.c:2346
 free_unref_page+0x37/0x3f0 mm/page_alloc.c:2486
 free_reserved_page include/linux/mm.h:3117 [inline]
 free_reserved_area+0x198/0x240 mm/page_alloc.c:5708
 free_init_pages arch/x86/mm/init.c:930 [inline]
 free_kernel_image_pages arch/x86/mm/init.c:946 [inline]
 free_initmem+0x9a/0x110 arch/x86/mm/init.c:973
 kernel_init+0x31/0x2a0 init/main.c:1448
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243

Memory state around the buggy address:
 ffff8880111e9a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8880111e9b00: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
>ffff8880111e9b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                                       ^
 ffff8880111e9c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8880111e9c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================

Crashes (30):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2024/04/06 11:38 upstream fe46a7dd189e ca620dd8 .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-upstream-fs BUG: spinlock bad magic in release_metapage
2024/04/06 11:07 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 707081b61156 ca620dd8 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-gce-arm64 BUG: spinlock bad magic in release_metapage
2023/03/27 08:51 upstream 197b6b60ae7b fbf0499a .config console log report syz [mounted in repro] ci-upstream-kasan-gce-root BUG: spinlock bad magic in take_dentry_name_snapshot
2023/03/03 18:47 linux-next 1acf39ef8f14 f8902b57 .config console log report syz [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-linux-next-kasan-gce-root BUG: spinlock bad magic in take_dentry_name_snapshot
2023/01/25 16:13 linux-next 691781f561e9 9dfcf09c .config console log report syz [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-linux-next-kasan-gce-root BUG: spinlock bad magic in take_dentry_name_snapshot
2022/12/23 05:31 upstream 8395ae05cb5a 9da18ae8 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-kasan-gce-root BUG: unable to handle kernel paging request in take_dentry_name_snapshot
2023/05/17 08:16 upstream f1fcbaa18b28 eaac4681 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-selinux-root BUG: unable to handle kernel paging request in take_dentry_name_snapshot
2023/04/24 19:40 upstream 1a0beef98b58 c778c7f4 .config console log report info ci-qemu-upstream BUG: unable to handle kernel paging request in take_dentry_name_snapshot
2023/03/18 18:06 upstream 478a351ce0d6 7939252e .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root BUG: unable to handle kernel paging request in take_dentry_name_snapshot
2023/02/20 03:56 upstream c9c3395d5e3d bcdf85f8 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root BUG: unable to handle kernel paging request in take_dentry_name_snapshot
2023/02/07 14:15 upstream 05ecb680708a 7d00f0e1 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root BUG: unable to handle kernel paging request in take_dentry_name_snapshot
2023/02/07 12:18 upstream 05ecb680708a 7d00f0e1 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root BUG: unable to handle kernel paging request in take_dentry_name_snapshot
2023/02/03 08:31 upstream 66a87fff1a87 16d19e30 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root BUG: unable to handle kernel paging request in take_dentry_name_snapshot
2023/01/26 19:08 upstream 7c46948a6e9c 9dfcf09c .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root BUG: unable to handle kernel paging request in take_dentry_name_snapshot
2023/01/11 10:04 upstream 7dd4b804e080 1dac8c7a .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root BUG: unable to handle kernel paging request in take_dentry_name_snapshot
2022/12/26 22:00 upstream 1b929c02afd3 9da18ae8 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root BUG: unable to handle kernel paging request in take_dentry_name_snapshot
2023/02/16 07:03 upstream 033c40a89f55 6be0f1f5 .config console log report info ci-qemu-upstream-386 BUG: unable to handle kernel paging request in take_dentry_name_snapshot
2023/02/07 02:59 upstream 05ecb680708a 5bc3be51 .config console log report info ci-qemu-upstream-386 BUG: unable to handle kernel paging request in take_dentry_name_snapshot
2023/01/15 15:52 upstream f0f70ddb8f3b a63719e7 .config console log report info ci-qemu-upstream-386 BUG: unable to handle kernel paging request in take_dentry_name_snapshot
2023/01/15 00:18 upstream 7c6984405241 a63719e7 .config console log report info ci-qemu-upstream-386 BUG: unable to handle kernel paging request in take_dentry_name_snapshot
2023/01/14 23:24 upstream 7c6984405241 a63719e7 .config console log report info ci-qemu-upstream-386 BUG: unable to handle kernel paging request in take_dentry_name_snapshot
2022/11/29 00:35 upstream b7b275e60bcd ca9683b8 .config console log report info ci-qemu-upstream-386 BUG: unable to handle kernel paging request in take_dentry_name_snapshot
2022/11/26 21:23 upstream 644e9524388a f4470a7b .config console log report info ci-qemu-upstream-386 BUG: unable to handle kernel paging request in take_dentry_name_snapshot
2022/12/20 02:31 linux-next e45fb347b630 c52b2efb .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root BUG: unable to handle kernel paging request in take_dentry_name_snapshot
2022/12/18 15:34 linux-next ca39c4daa6f7 05494336 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root BUG: unable to handle kernel paging request in take_dentry_name_snapshot
2022/11/29 17:39 linux-next 9e46a7996732 05dc7993 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root BUG: unable to handle kernel paging request in take_dentry_name_snapshot
2023/10/04 02:47 upstream 5e62ed3b1c8a 65faba36 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 BUG: spinlock bad magic in release_metapage
2023/03/16 20:16 upstream 0ddc84d2dd43 18b58603 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root BUG: spinlock bad magic in take_dentry_name_snapshot
2023/01/19 07:21 upstream 7287904c8771 66fca3ae .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: wild-memory-access Read in take_dentry_name_snapshot
2024/04/06 10:37 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 707081b61156 ca620dd8 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 BUG: spinlock bad magic in release_metapage
* Struck through repros no longer work on HEAD.