ci2 starts bisection 2023-05-01 20:53:14.711733503 +0000 UTC m=+277848.732104693
bisecting cause commit starting from 58390c8ce1bddb6c623f62e7ed36383e7fa5c02f
building syzkaller on 62df2017e3b1edd786a4c737bd4ccba2b4581d88
ensuring issue is reproducible on original commit 58390c8ce1bddb6c623f62e7ed36383e7fa5c02f
testing commit 58390c8ce1bddb6c623f62e7ed36383e7fa5c02f gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 98439e9a3c6bacb484843435b50cac0fd9164656eb7369442cbb9c398b65d48a
all runs: crashed: KASAN: slab-out-of-bounds Read in xfs_getbmap
testing release v6.3
testing commit 457391b0380335d5e9a5babdec90ac53928b23b4 gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 5c5ebe39ea3162f9417ae663228703a0cfdd4be9145a29625a6b6341a7b9905d
all runs: OK
# git bisect start 58390c8ce1bddb6c623f62e7ed36383e7fa5c02f 457391b0380335d5e9a5babdec90ac53928b23b4
Bisecting: 6406 revisions left to test after this (roughly 13 steps)
[b68ee1c6131c540a62ecd443be89c406401df091] Merge tag 'scsi-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi
testing commit b68ee1c6131c540a62ecd443be89c406401df091 gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 32063cec6b3b2ec9f6b9709da21573d800bd60c2da4428a215b9b0fc030493f3
all runs: OK
# git bisect good b68ee1c6131c540a62ecd443be89c406401df091
Bisecting: 3108 revisions left to test after this (roughly 12 steps)
[fc2e58b8b7c94b8fe23977775550de00472f6a74] Merge tag 'spi-v6.4' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi
testing commit fc2e58b8b7c94b8fe23977775550de00472f6a74 gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 5efa24940e2ead6a31d71975f671db46bb8e781f020f6740ce8d9d52b8f08695
all runs: OK
# git bisect good fc2e58b8b7c94b8fe23977775550de00472f6a74
Bisecting: 1477 revisions left to test after this (roughly 11 steps)
[7fa8a8ee9400fe8ec188426e40e481717bc5e924] Merge tag 'mm-stable-2023-04-27-15-30' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
testing commit 7fa8a8ee9400fe8ec188426e40e481717bc5e924 gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: eadfd9c44d31918b6035239598f07823edc11bcbd14a733ae52f2f3d95f05603
all runs: OK
# git bisect good 7fa8a8ee9400fe8ec188426e40e481717bc5e924
Bisecting: 745 revisions left to test after this (roughly 10 steps)
[1ae78a14516b9372e4c90a89ac21b259339a3a3a] Merge tag '6.4-rc-ksmbd-server-fixes' of git://git.samba.org/ksmbd
testing commit 1ae78a14516b9372e4c90a89ac21b259339a3a3a gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 102b37e96cf0b36b7636d537fb23e340bcf4fd63eba7b5a9164e5c94783bc459
all runs: crashed: KASAN: slab-out-of-bounds Read in xfs_getbmap
# git bisect bad 1ae78a14516b9372e4c90a89ac21b259339a3a3a
Bisecting: 346 revisions left to test after this (roughly 9 steps)
[70cc1b5307e8ee3076fdf2ecbeb89eb973aa0ff7] Merge tag 'powerpc-6.4-1' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux
testing commit 70cc1b5307e8ee3076fdf2ecbeb89eb973aa0ff7 gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 854451e84cd0519318ca600525913d6b7b8134e9f2060d12e464c91235296505
all runs: OK
# git bisect good 70cc1b5307e8ee3076fdf2ecbeb89eb973aa0ff7
Bisecting: 218 revisions left to test after this (roughly 8 steps)
[9419092fb2630c30e4ffeb9ef61007ef0c61827a] xfs: fix livelock in delayed allocation at ENOSPC
testing commit 9419092fb2630c30e4ffeb9ef61007ef0c61827a gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 2b329fd3bfff7a637b63a2893692d2551e5a22d31d53eb9fd0de1520a9ee6286
all runs: crashed: KASAN: slab-out-of-bounds Read in xfs_getbmap
# git bisect bad 9419092fb2630c30e4ffeb9ef61007ef0c61827a
Bisecting: 63 revisions left to test after this (roughly 6 steps)
[46e0dd89659923dd02cfa45080675fc4f0926528] xfs: rename xchk_get_inode -> xchk_iget_for_scrubbing
testing commit 46e0dd89659923dd02cfa45080675fc4f0926528 gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 87c71b6e48eec829b48a846e9072e17860dabed678752c4bf1fc642473e89cb5
all runs: OK
# git bisect good 46e0dd89659923dd02cfa45080675fc4f0926528
Bisecting: 31 revisions left to test after this (roughly 5 steps)
[4f5e304248ab4939e9aef58244041c194f01f0b5] xfs: cross-reference rmap records with refcount btrees
testing commit 4f5e304248ab4939e9aef58244041c194f01f0b5 gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 56ae46077568b8c2ce8270606d0ce4a453f95732ba5afa2f83e75ec7f2875056
all runs: OK
# git bisect good 4f5e304248ab4939e9aef58244041c194f01f0b5
Bisecting: 15 revisions left to test after this (roughly 4 steps)
[f1121b995c9825f3267ad4f586b2ac644d87d5a8] Merge tag 'scrub-detect-inobt-gaps-6.4_2023-04-11' of git://git.kernel.org/pub/scm/linux/kernel/git/djwong/xfs-linux into guilt/xfs-for-next
testing commit f1121b995c9825f3267ad4f586b2ac644d87d5a8 gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 9a0f61bd4cf564c0049a1a39b4c9958b629b12db75797f51f59bec5ddaa2c6b5
all runs: crashed: KASAN: slab-out-of-bounds Read in xfs_getbmap
# git bisect bad f1121b995c9825f3267ad4f586b2ac644d87d5a8
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[1e5ffdc57d7e0b213219f9e6bb0fb0ba5ef13da8] Merge tag 'pass-perag-refs-6.4_2023-04-11' of git://git.kernel.org/pub/scm/linux/kernel/git/djwong/xfs-linux into guilt/xfs-for-next
testing commit 1e5ffdc57d7e0b213219f9e6bb0fb0ba5ef13da8 gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: b3ed09aee9ff8b4f674cad60d99960f308bdb12a8b8fb212ab266f8221f6315e
all runs: crashed: KASAN: slab-out-of-bounds Read in xfs_getbmap
# git bisect bad 1e5ffdc57d7e0b213219f9e6bb0fb0ba5ef13da8
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[22ed903eee23a5b174e240f1cdfa9acf393a5210] xfs: verify buffer contents when we skip log replay
testing commit 22ed903eee23a5b174e240f1cdfa9acf393a5210 gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 86259b471181966d45a5a2f8db08a552e75a946161997ad5408852c6238bf1b4
all runs: OK
# git bisect good 22ed903eee23a5b174e240f1cdfa9acf393a5210
Bisecting: 1 revision left to test after this (roughly 1 step)
[bed25d8010bcf48de626545a89ea58550fb5e95b] Merge tag 'online-fsck-design-6.4_2023-04-11' of git://git.kernel.org/pub/scm/linux/kernel/git/djwong/xfs-linux into guilt/xfs-for-next
testing commit bed25d8010bcf48de626545a89ea58550fb5e95b gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: ace8a93025ef5bff59945d18d19bf9fcae8bf271b9df49dd3d3d590c39e717ef
all runs: crashed: KASAN: slab-out-of-bounds Read in xfs_getbmap
# git bisect bad bed25d8010bcf48de626545a89ea58550fb5e95b
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[8ee81ed581ff35882b006a5205100db0b57bf070] xfs: fix BUG_ON in xfs_getbmap()
testing commit 8ee81ed581ff35882b006a5205100db0b57bf070 gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 5a8cbf529b5d884e3a9862a1ec57f2eef13ffeb5a54db47ff4c952ae0f96eb8a
all runs: crashed: KASAN: slab-out-of-bounds Read in xfs_getbmap
# git bisect bad 8ee81ed581ff35882b006a5205100db0b57bf070
8ee81ed581ff35882b006a5205100db0b57bf070 is the first bad commit
commit 8ee81ed581ff35882b006a5205100db0b57bf070
Author: Ye Bin
Date:   Wed Apr 12 15:49:44 2023 +1000

    xfs: fix BUG_ON in xfs_getbmap()

    There's an issue as follows:
    XFS: Assertion failed: (bmv->bmv_iflags & BMV_IF_DELALLOC) != 0, file: fs/xfs/xfs_bmap_util.c, line: 329
    ------------[ cut here ]------------
    kernel BUG at fs/xfs/xfs_message.c:102!
    invalid opcode: 0000 [#1] PREEMPT SMP KASAN
    CPU: 1 PID: 14612 Comm: xfs_io Not tainted 6.3.0-rc2-next-20230315-00006-g2729d23ddb3b-dirty #422
    RIP: 0010:assfail+0x96/0xa0
    RSP: 0018:ffffc9000fa178c0 EFLAGS: 00010246
    RAX: 0000000000000000 RBX: 0000000000000001 RCX: ffff888179a18000
    RDX: 0000000000000000 RSI: ffff888179a18000 RDI: 0000000000000002
    RBP: 0000000000000000 R08: ffffffff8321aab6 R09: 0000000000000000
    R10: 0000000000000001 R11: ffffed1105f85139 R12: ffffffff8aacc4c0
    R13: 0000000000000149 R14: ffff888269f58000 R15: 000000000000000c
    FS:  00007f42f27a4740(0000) GS:ffff88882fc00000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 0000000000b92388 CR3: 000000024f006000 CR4: 00000000000006e0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    Call Trace:
     xfs_getbmap+0x1a5b/0x1e40
     xfs_ioc_getbmap+0x1fd/0x5b0
     xfs_file_ioctl+0x2cb/0x1d50
     __x64_sys_ioctl+0x197/0x210
     do_syscall_64+0x39/0xb0
     entry_SYSCALL_64_after_hwframe+0x63/0xcd

    The above issue may happen as follows:
             ThreadA                       ThreadB
    do_shared_fault
     __do_fault
      xfs_filemap_fault
       __xfs_filemap_fault
        filemap_fault
                                   xfs_ioc_getbmap -> Without BMV_IF_DELALLOC flag
                                    xfs_getbmap
                                     xfs_ilock(ip, XFS_IOLOCK_SHARED);
                                     filemap_write_and_wait
    do_page_mkwrite
     xfs_filemap_page_mkwrite
      __xfs_filemap_fault
       xfs_ilock(XFS_I(inode), XFS_MMAPLOCK_SHARED);
        iomap_page_mkwrite
         ...
          xfs_buffered_write_iomap_begin
           xfs_bmapi_reserve_delalloc -> Allocate delay extent
                                     xfs_ilock_data_map_shared(ip)
                                     xfs_getbmap_report_one
                                      ASSERT((bmv->bmv_iflags & BMV_IF_DELALLOC) != 0)
                                      -> trigger BUG_ON

    As xfs_filemap_page_mkwrite() only holds the XFS_MMAPLOCK_SHARED lock, there's a small window in which mkwrite can produce a delay extent after the file write in xfs_getbmap().
    To solve the above issue, just skip delalloc extents.

    Signed-off-by: Ye Bin
    Reviewed-by: Darrick J. Wong
    Reviewed-by: Dave Chinner
    Signed-off-by: Dave Chinner

 fs/xfs/xfs_bmap_util.c | 14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)

culprit signature: 5a8cbf529b5d884e3a9862a1ec57f2eef13ffeb5a54db47ff4c952ae0f96eb8a
parent signature: 86259b471181966d45a5a2f8db08a552e75a946161997ad5408852c6238bf1b4
revisions tested: 15, total time: 7h12m57.14769018s (build: 5h14m43.011528351s, test: 1h55m9.730595943s)
first bad commit: 8ee81ed581ff35882b006a5205100db0b57bf070 xfs: fix BUG_ON in xfs_getbmap()
recipients (to): ["david@fromorbit.com" "dchinner@redhat.com" "djwong@kernel.org" "yebin10@huawei.com"]
recipients (cc): []
crash: KASAN: slab-out-of-bounds Read in xfs_getbmap
XFS (loop0): Mounting V5 Filesystem ca7e2101-b8f1-4838-8e2d-7637b90620e6
XFS (loop0): Ending clean mount
XFS (loop0): Quotacheck needed: Please wait.
XFS (loop0): Quotacheck: Done.
==================================================================
BUG: KASAN: slab-out-of-bounds in xfs_getbmap+0x180e/0x1890 fs/xfs/xfs_bmap_util.c:561
Read of size 4 at addr ffff888027399e78 by task syz-executor.0/5448

CPU: 0 PID: 5448 Comm: syz-executor.0 Not tainted 6.3.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x167/0x220 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:319 [inline]
 print_report+0x163/0x540 mm/kasan/report.c:430
 kasan_report+0x176/0x1b0 mm/kasan/report.c:536
 xfs_getbmap+0x180e/0x1890 fs/xfs/xfs_bmap_util.c:561
 xfs_ioc_getbmap+0x216/0x600 fs/xfs/xfs_ioctl.c:1481
 xfs_file_ioctl+0x1fa/0x1130 fs/xfs/xfs_ioctl.c:1949
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:870 [inline]
 __se_sys_ioctl+0xa7/0xf0 fs/ioctl.c:856
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f377808c169
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f3778edb168 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f37781abf80 RCX: 00007f377808c169
RDX: 0000000020000140 RSI: 00000000c0205826 RDI: 0000000000000005
RBP: 00007f37780e7ca1 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fffb975d21f R14: 00007f3778edb300 R15: 0000000000022000

Allocated by task 5135:
 kasan_save_stack mm/kasan/common.c:45 [inline]
 kasan_set_track+0x4f/0x70 mm/kasan/common.c:52
 ____kasan_kmalloc mm/kasan/common.c:374 [inline]
 __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:383
 kasan_kmalloc include/linux/kasan.h:196 [inline]
 __do_kmalloc_node mm/slab_common.c:967 [inline]
 __kmalloc+0xb9/0x230 mm/slab_common.c:980
 kmalloc include/linux/slab.h:584 [inline]
 kzalloc include/linux/slab.h:720 [inline]
 tomoyo_encode2 security/tomoyo/realpath.c:45 [inline]
 tomoyo_encode+0xaa/0x480 security/tomoyo/realpath.c:80
 tomoyo_realpath_from_path+0x4a6/0x4e0 security/tomoyo/realpath.c:283
 tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
 tomoyo_path_perm+0x230/0x620 security/tomoyo/file.c:822
 security_inode_getattr+0x7f/0xf0 security/security.c:1375
 vfs_getattr fs/stat.c:167 [inline]
 vfs_statx+0x134/0x3f0 fs/stat.c:242
 vfs_fstatat fs/stat.c:276 [inline]
 __do_sys_newfstatat fs/stat.c:446 [inline]
 __se_sys_newfstatat fs/stat.c:440 [inline]
 __x64_sys_newfstatat+0x150/0x1c0 fs/stat.c:440
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

The buggy address belongs to the object at ffff888027399e00
 which belongs to the cache kmalloc-64 of size 64
The buggy address is located 56 bytes to the right of
 allocated 64-byte region [ffff888027399e00, ffff888027399e40)

The buggy address belongs to the physical page:
page:ffffea00009ce640 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x27399
anon flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 ffff888011041640 0000000000000000 dead000000000001
raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12c40(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY), pid 4449, tgid 4449 (udevd), ts 22395466491, free_ts 22321768450
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:2546
 prep_new_page mm/page_alloc.c:2553 [inline]
 get_page_from_freelist+0x3246/0x33c0 mm/page_alloc.c:4326
 __alloc_pages+0x255/0x670 mm/page_alloc.c:5592
 alloc_slab_page+0x6a/0x160 mm/slub.c:1851
 allocate_slab mm/slub.c:1998 [inline]
 new_slab+0x84/0x2f0 mm/slub.c:2051
 ___slab_alloc+0xa85/0x10a0 mm/slub.c:3193
 __slab_alloc mm/slub.c:3292 [inline]
 __slab_alloc_node mm/slub.c:3345 [inline]
 slab_alloc_node mm/slub.c:3442 [inline]
 __kmem_cache_alloc_node+0x1b8/0x290 mm/slub.c:3491
 __do_kmalloc_node mm/slab_common.c:966 [inline]
 __kmalloc+0xa8/0x230 mm/slab_common.c:980
 kmalloc include/linux/slab.h:584 [inline]
 kzalloc include/linux/slab.h:720 [inline]
 tomoyo_encode2 security/tomoyo/realpath.c:45 [inline]
 tomoyo_encode+0xaa/0x480 security/tomoyo/realpath.c:80
 tomoyo_realpath_from_path+0x4a6/0x4e0 security/tomoyo/realpath.c:283
 tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
 tomoyo_path_perm+0x230/0x620 security/tomoyo/file.c:822
 security_inode_getattr+0x7f/0xf0 security/security.c:1375
 vfs_getattr fs/stat.c:167 [inline]
 vfs_statx+0x134/0x3f0 fs/stat.c:242
 vfs_fstatat fs/stat.c:276 [inline]
 __do_sys_newfstatat fs/stat.c:446 [inline]
 __se_sys_newfstatat fs/stat.c:440 [inline]
 __x64_sys_newfstatat+0x150/0x1c0 fs/stat.c:440
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1454 [inline]
 free_pcp_prepare mm/page_alloc.c:1504 [inline]
 free_unref_page_prepare+0xe34/0xe90 mm/page_alloc.c:3388
 free_unref_page+0x37/0x3f0 mm/page_alloc.c:3483
 qlist_free_all+0x22/0x60 mm/kasan/quarantine.c:187
 kasan_quarantine_reduce+0x14b/0x160 mm/kasan/quarantine.c:294
 __kasan_slab_alloc+0x23/0x70 mm/kasan/common.c:305
 kasan_slab_alloc include/linux/kasan.h:186 [inline]
 slab_post_alloc_hook+0x68/0x3a0 mm/slab.h:769
 slab_alloc_node mm/slub.c:3452 [inline]
 slab_alloc mm/slub.c:3460 [inline]
 __kmem_cache_alloc_lru mm/slub.c:3467 [inline]
 kmem_cache_alloc+0x11f/0x2e0 mm/slub.c:3476
 getname_flags+0xa0/0x430 fs/namei.c:140
 user_path_at_empty+0x22/0x140 fs/namei.c:2876
 do_readlinkat+0x107/0x310 fs/stat.c:477
 __do_sys_readlink fs/stat.c:510 [inline]
 __se_sys_readlink fs/stat.c:507 [inline]
 __x64_sys_readlink+0x7a/0x90 fs/stat.c:507
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Memory state around the buggy address:
 ffff888027399d00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff888027399d80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>ffff888027399e00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
                                                                ^
 ffff888027399e80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
 ffff888027399f00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
==================================================================