Re: [PATCH] f2fs: fix invalid memory access
On 08/01, Chao Yu wrote: > From: Chao Yu > > syzbot found the following crash on: > > HEAD commit:d9bd94c0bcaa Add linux-next specific files for 20180801 > git tree: linux-next > console output: https://syzkaller.appspot.com/x/log.txt?x=1001189c40 > kernel config: https://syzkaller.appspot.com/x/.config?x=cc8964ea4d04518c > dashboard link: https://syzkaller.appspot.com/bug?extid=c966a82db0b14aa37e81 > compiler: gcc (GCC) 8.0.1 20180413 (experimental) > > Unfortunately, I don't have any reproducer for this crash yet. > > IMPORTANT: if you fix the bug, please add the following tag to the commit: > Reported-by: syzbot+c966a82db0b14aa37...@syzkaller.appspotmail.com > > loop7: rw=12288, want=8200, limit=20 > netlink: 65342 bytes leftover after parsing attributes in process > `syz-executor4'. > openvswitch: netlink: Message has 8 unknown bytes. > kasan: CONFIG_KASAN_INLINE enabled > kasan: GPF could be caused by NULL-ptr deref or user memory access > general protection fault: [#1] SMP KASAN > CPU: 1 PID: 7615 Comm: syz-executor7 Not tainted 4.18.0-rc7-next-20180801+ #29 > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS > Google 01/01/2011 > RIP: 0010:__read_once_size include/linux/compiler.h:188 [inline] > RIP: 0010:compound_head include/linux/page-flags.h:142 [inline] > RIP: 0010:PageLocked include/linux/page-flags.h:272 [inline] > RIP: 0010:f2fs_put_page fs/f2fs/f2fs.h:2011 [inline] > RIP: 0010:validate_checkpoint+0x66d/0xec0 fs/f2fs/checkpoint.c:835 > Code: e8 58 05 7f fe 4c 8d 6b 80 4d 8d 74 24 08 48 b8 00 00 00 00 00 fc ff df > 4c 89 ea 48 c1 ea 03 c6 04 02 00 4c 89 f2 48 c1 ea 03 <80> 3c 02 00 0f 85 f4 > 06 00 00 4c 89 ea 4d 8b 7c 24 08 48 b8 00 00 > RSP: 0018:8801937cebe8 EFLAGS: 00010246 > RAX: dc00 RBX: 8801937cef30 RCX: c90006035000 > RDX: RSI: 82fd9658 RDI: 0005 > RBP: 8801937cef58 R08: 8801ab254700 R09: f94000d9e026 > R10: f94000d9e026 R11: ea0006cf0137 R12: fffb > R13: 8801937ceeb0 R14: 0003 R15: 880193419b40 > FS: 7f36a61d5700() GS:8801db10() knlGS: > CS: 0010 DS: ES: CR0: 80050033 > CR2: 7fc04ff93000 CR3: 0001d0562000 CR4: 001426e0 > DR0: DR1: DR2: > DR3: DR6: fffe0ff0 DR7: 0400 > Call Trace: > f2fs_get_valid_checkpoint+0x436/0x1ec0 fs/f2fs/checkpoint.c:860 > f2fs_fill_super+0x2d42/0x8110 fs/f2fs/super.c:2883 > mount_bdev+0x314/0x3e0 fs/super.c:1344 > f2fs_mount+0x3c/0x50 fs/f2fs/super.c:3133 > legacy_get_tree+0x131/0x460 fs/fs_context.c:729 > vfs_get_tree+0x1cb/0x5c0 fs/super.c:1743 > do_new_mount fs/namespace.c:2603 [inline] > do_mount+0x6f2/0x1e20 fs/namespace.c:2927 > ksys_mount+0x12d/0x140 fs/namespace.c:3143 > __do_sys_mount fs/namespace.c:3157 [inline] > __se_sys_mount fs/namespace.c:3154 [inline] > __x64_sys_mount+0xbe/0x150 fs/namespace.c:3154 > do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290 > entry_SYSCALL_64_after_hwframe+0x49/0xbe > RIP: 0033:0x45943a > Code: b8 a6 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 bd 8a fb ff c3 66 2e 0f 1f > 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f > 83 9a 8a fb ff c3 66 0f 1f 84 00 00 00 00 00 > RSP: 002b:7f36a61d4a88 EFLAGS: 0206 ORIG_RAX: 00a5 > RAX: ffda RBX: 7f36a61d4b30 RCX: 0045943a > RDX: 7f36a61d4ad0 RSI: 2100 RDI: 7f36a61d4af0 > RBP: 2100 R08: 7f36a61d4b30 R09: 7f36a61d4ad0 > R10: R11: 0206 R12: 0013 > R13: R14: 004c8ea0 R15: > Modules linked in: > Dumping ftrace buffer: >(ftrace buffer empty) > ---[ end trace bd8550c129352286 ]--- > RIP: 0010:__read_once_size include/linux/compiler.h:188 [inline] > RIP: 0010:compound_head include/linux/page-flags.h:142 [inline] > RIP: 0010:PageLocked include/linux/page-flags.h:272 [inline] > RIP: 0010:f2fs_put_page fs/f2fs/f2fs.h:2011 [inline] > RIP: 0010:validate_checkpoint+0x66d/0xec0 fs/f2fs/checkpoint.c:835 > Code: e8 58 05 7f fe 4c 8d 6b 80 4d 8d 74 24 08 48 b8 00 00 00 00 00 fc ff df > 4c 89 ea 48 c1 ea 03 c6 04 02 00 4c 89 f2 48 c1 ea 03 <80> 3c 02 00 0f 85 f4 > 06 00 00 4c 89 ea 4d 8b 7c 24 08 48 b8 00 00 > RSP: 0018:8801937cebe8 EFLAGS: 00010246 > RAX: dc00 RBX: 8801937cef30 RCX: c90006035000 > RDX: RSI: 82fd9658 RDI: 0005 > netlink: 65342 bytes leftover after parsing attributes in process > `syz-executor4'. > RBP: 8801937cef58 R08: 8801ab254700 R09: f94000d9e026 > openvswitch: netlink: Message has 8 unknown bytes. > R10: f94000d9e026 R11: ea0006cf0137 R12: fffb > R13: 8801937ceeb0 R14: 0003 R15: 880193419b40 > FS: 7f36a61d5700()
Re: [PATCH] f2fs: fix invalid memory access
On 08/01, Chao Yu wrote: > From: Chao Yu > > syzbot found the following crash on: > > HEAD commit:d9bd94c0bcaa Add linux-next specific files for 20180801 > git tree: linux-next > console output: https://syzkaller.appspot.com/x/log.txt?x=1001189c40 > kernel config: https://syzkaller.appspot.com/x/.config?x=cc8964ea4d04518c > dashboard link: https://syzkaller.appspot.com/bug?extid=c966a82db0b14aa37e81 > compiler: gcc (GCC) 8.0.1 20180413 (experimental) > > Unfortunately, I don't have any reproducer for this crash yet. > > IMPORTANT: if you fix the bug, please add the following tag to the commit: > Reported-by: syzbot+c966a82db0b14aa37...@syzkaller.appspotmail.com > > loop7: rw=12288, want=8200, limit=20 > netlink: 65342 bytes leftover after parsing attributes in process > `syz-executor4'. > openvswitch: netlink: Message has 8 unknown bytes. > kasan: CONFIG_KASAN_INLINE enabled > kasan: GPF could be caused by NULL-ptr deref or user memory access > general protection fault: [#1] SMP KASAN > CPU: 1 PID: 7615 Comm: syz-executor7 Not tainted 4.18.0-rc7-next-20180801+ #29 > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS > Google 01/01/2011 > RIP: 0010:__read_once_size include/linux/compiler.h:188 [inline] > RIP: 0010:compound_head include/linux/page-flags.h:142 [inline] > RIP: 0010:PageLocked include/linux/page-flags.h:272 [inline] > RIP: 0010:f2fs_put_page fs/f2fs/f2fs.h:2011 [inline] > RIP: 0010:validate_checkpoint+0x66d/0xec0 fs/f2fs/checkpoint.c:835 > Code: e8 58 05 7f fe 4c 8d 6b 80 4d 8d 74 24 08 48 b8 00 00 00 00 00 fc ff df > 4c 89 ea 48 c1 ea 03 c6 04 02 00 4c 89 f2 48 c1 ea 03 <80> 3c 02 00 0f 85 f4 > 06 00 00 4c 89 ea 4d 8b 7c 24 08 48 b8 00 00 > RSP: 0018:8801937cebe8 EFLAGS: 00010246 > RAX: dc00 RBX: 8801937cef30 RCX: c90006035000 > RDX: RSI: 82fd9658 RDI: 0005 > RBP: 8801937cef58 R08: 8801ab254700 R09: f94000d9e026 > R10: f94000d9e026 R11: ea0006cf0137 R12: fffb > R13: 8801937ceeb0 R14: 0003 R15: 880193419b40 > FS: 7f36a61d5700() GS:8801db10() knlGS: > CS: 0010 DS: ES: CR0: 80050033 > CR2: 7fc04ff93000 CR3: 0001d0562000 CR4: 001426e0 > DR0: DR1: DR2: > DR3: DR6: fffe0ff0 DR7: 0400 > Call Trace: > f2fs_get_valid_checkpoint+0x436/0x1ec0 fs/f2fs/checkpoint.c:860 > f2fs_fill_super+0x2d42/0x8110 fs/f2fs/super.c:2883 > mount_bdev+0x314/0x3e0 fs/super.c:1344 > f2fs_mount+0x3c/0x50 fs/f2fs/super.c:3133 > legacy_get_tree+0x131/0x460 fs/fs_context.c:729 > vfs_get_tree+0x1cb/0x5c0 fs/super.c:1743 > do_new_mount fs/namespace.c:2603 [inline] > do_mount+0x6f2/0x1e20 fs/namespace.c:2927 > ksys_mount+0x12d/0x140 fs/namespace.c:3143 > __do_sys_mount fs/namespace.c:3157 [inline] > __se_sys_mount fs/namespace.c:3154 [inline] > __x64_sys_mount+0xbe/0x150 fs/namespace.c:3154 > do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290 > entry_SYSCALL_64_after_hwframe+0x49/0xbe > RIP: 0033:0x45943a > Code: b8 a6 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 bd 8a fb ff c3 66 2e 0f 1f > 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f > 83 9a 8a fb ff c3 66 0f 1f 84 00 00 00 00 00 > RSP: 002b:7f36a61d4a88 EFLAGS: 0206 ORIG_RAX: 00a5 > RAX: ffda RBX: 7f36a61d4b30 RCX: 0045943a > RDX: 7f36a61d4ad0 RSI: 2100 RDI: 7f36a61d4af0 > RBP: 2100 R08: 7f36a61d4b30 R09: 7f36a61d4ad0 > R10: R11: 0206 R12: 0013 > R13: R14: 004c8ea0 R15: > Modules linked in: > Dumping ftrace buffer: >(ftrace buffer empty) > ---[ end trace bd8550c129352286 ]--- > RIP: 0010:__read_once_size include/linux/compiler.h:188 [inline] > RIP: 0010:compound_head include/linux/page-flags.h:142 [inline] > RIP: 0010:PageLocked include/linux/page-flags.h:272 [inline] > RIP: 0010:f2fs_put_page fs/f2fs/f2fs.h:2011 [inline] > RIP: 0010:validate_checkpoint+0x66d/0xec0 fs/f2fs/checkpoint.c:835 > Code: e8 58 05 7f fe 4c 8d 6b 80 4d 8d 74 24 08 48 b8 00 00 00 00 00 fc ff df > 4c 89 ea 48 c1 ea 03 c6 04 02 00 4c 89 f2 48 c1 ea 03 <80> 3c 02 00 0f 85 f4 > 06 00 00 4c 89 ea 4d 8b 7c 24 08 48 b8 00 00 > RSP: 0018:8801937cebe8 EFLAGS: 00010246 > RAX: dc00 RBX: 8801937cef30 RCX: c90006035000 > RDX: RSI: 82fd9658 RDI: 0005 > netlink: 65342 bytes leftover after parsing attributes in process > `syz-executor4'. > RBP: 8801937cef58 R08: 8801ab254700 R09: f94000d9e026 > openvswitch: netlink: Message has 8 unknown bytes. > R10: f94000d9e026 R11: ea0006cf0137 R12: fffb > R13: 8801937ceeb0 R14: 0003 R15: 880193419b40 > FS: 7f36a61d5700()
