This crash appears to ignore the provided filesystem images entirely and just makes a few tricky fallocate calls followed by a truncate, so it should be easier than normal to diagnose.
The cwd is opened with O_DIRECT (or perhaps that call fails with EFAULT, because the path is a null pointer?). The victim file is created with O_NONBLOCK and O_SYNC; that fd is discarded. The victim file is opened again with O_SYNC and FALLOC_FL_ZERO_RANGE is called with a gargantuan size. The victim file is opened again with O_APPEND (!) and FALLOC_FL_INSERT_RANGE is called with a modest size. Truncate is called midway through the just-inserted range (if the insert is in fact rejected with EPERM on the O_APPEND fd, nothing is inserted and the truncate simply shrinks the zeroed file). Annotated calls below.

# https://syzkaller.appspot.com/bug?id=7d29d6d7a773d4f608a33cf6a7593faadb1b5803
# See https://goo.gl/kgGztJ for information about syzkaller reproducers.
#{"threaded":true,"repeat":true,"procs":5,"slowdown":1,"sandbox":"none","sandbox_arg":0,"tun":true,"netdev":true,"resetnet":true,"cgroups":true,"binfmt_misc":true,"close_fds":true,"usb":true,"vhci":true,"wifi":true,"ieee802154":true,"sysctl":true,"swap":true,"tmpdir":true,"segv":true}
# mount file2
syz_mount_image$f2fs(&(0x7f0000000040), &(0x7f00000000c0)='./file2\x00', 0x0, &(0x7f0000000300)={[{@noinline_xattr}, {@noinline_dentry}, {@prjjquota={'prjjquota', 0x3d, 'active_logs=4'}}, {@jqfmt_vfsv1}, {@noinline_data}, {@noheap}, {@checkpoint_diasble}, {@fastboot}, {@fsync_mode_strict}, {@discard_unit_section}]}, 0x21, 0x552d, &(0x7f000000abc0)="$[removed]")
# EBADF
pread64(0xffffffffffffffff, 0x0, 0x0, 0xfff)
# EBADF
openat$cgroup_freezer_state(0xffffffffffffffff, &(0x7f0000000080), 0x2, 0x0)
# openat(AT_FDCWD, nullptr, O_DIRECT, 0)
# EFAULT?
openat$nullb(0xffffffffffffff9c, 0x0, 0x4000, 0x0)
# mount 'bus'
syz_mount_image$ext4(&(0x7f0000000080)='ext4\x00', &(0x7f00000000c0)='./bus\x00', 0x20081e, &(0x7f0000000040)={[{@nodelalloc}, {@orlov}, {@auto_da_alloc}]}, 0x1, 0x4ef, &(0x7f00000003c0)="$[removed]")
# open file1
# O_RDWR | O_CREAT | O_NOCTTY | O_NONBLOCK | FASYNC | O_LARGEFILE | O_SYNC
# perm 0500
open(&(0x7f0000000080)='./file1\x00', 0x10b942, 0x140)
# open file1
# O_RDWR | O_CREAT | O_LARGEFILE | O_SYNC
# perm 0210
r0 = open(&(0x7f0000000100)='./file1\x00', 0x109042, 0x88)
# fallocate FALLOC_FL_ZERO_RANGE, offset 0, size 0x7000000
fallocate(r0, 0x10, 0x0, 0x7000000)
# openat(AT_FDCWD) file1
# O_WRONLY | O_CREAT | O_APPEND
# perm 0512
r1 = openat(0xffffffffffffff9c, &(0x7f0000000080)='./file1\x00', 0x441, 0x14a)
# fallocate file1 FALLOC_FL_INSERT_RANGE, offset 0x4000, size 0x8000
# EPERM?
fallocate(r1, 0x20, 0x4000, 0x8000)
# truncate file1 size 0x8001
truncate(&(0x7f00000000c0)='./file1\x00', 0x8001)

_______________________________________________
Linux-f2fs-devel mailing list
Linux-f2fs-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel