[syzbot] [fs?] kernel BUG in submit_bh_wbc (3)


syzbot

Oct 14, 2024, 9:02:31 AM
Hello,

syzbot found the following issue on:

HEAD commit: 6485cf5ea253 Merge tag 'hid-for-linus-2024101301' of git:/..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=142f585f980000
kernel config: https://syzkaller.appspot.com/x/.config?x=164d2822debd8b0d
dashboard link: https://syzkaller.appspot.com/bug?extid=985ada84bf055a575c07
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/f39f2ba63ff0/disk-6485cf5e.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/1b68f3c352ce/vmlinux-6485cf5e.xz
kernel image: https://storage.googleapis.com/syzbot-assets/38070176e828/bzImage-6485cf5e.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: [email protected]

------------[ cut here ]------------
kernel BUG at fs/buffer.c:2785!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 0 UID: 0 PID: 5968 Comm: syz.0.65 Not tainted 6.12.0-rc3-syzkaller-00007-g6485cf5ea253 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
RIP: 0010:submit_bh_wbc+0x556/0x560 fs/buffer.c:2785
Code: 89 fa e8 dd d7 cb 02 e9 95 fe ff ff e8 63 9b 74 ff 90 0f 0b e8 5b 9b 74 ff 90 0f 0b e8 53 9b 74 ff 90 0f 0b e8 4b 9b 74 ff 90 <0f> 0b e8 43 9b 74 ff 90 0f 0b 90 90 90 90 90 90 90 90 90 90 90 90
RSP: 0018:ffffc9000303e9f8 EFLAGS: 00010287
RAX: ffffffff82204bb5 RBX: 0000000000000154 RCX: 0000000000040000
RDX: ffffc900044b1000 RSI: 0000000000000a81 RDI: 0000000000000a82
RBP: 0000000000000100 R08: ffffffff82204779 R09: 1ffff1100ae83f79
R10: dffffc0000000000 R11: ffffed100ae83f7a R12: 0000000000000000
R13: ffff88805741fbc8 R14: 0000000000000000 R15: 1ffff1100ae83f79
FS: 00007fbfb2dcc6c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f08b6361160 CR3: 000000005f354000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
submit_bh fs/buffer.c:2824 [inline]
block_read_full_folio+0x93b/0xcd0 fs/buffer.c:2451
do_mpage_readpage+0x1a73/0x1c80 fs/mpage.c:317
mpage_read_folio+0x108/0x1e0 fs/mpage.c:392
filemap_read_folio+0x14b/0x630 mm/filemap.c:2367
do_read_cache_folio+0x3f5/0x850 mm/filemap.c:3825
read_mapping_folio include/linux/pagemap.h:1011 [inline]
nilfs_get_folio+0x4b/0x240 fs/nilfs2/dir.c:190
nilfs_find_entry+0x138/0x650 fs/nilfs2/dir.c:313
nilfs_inode_by_name+0xa8/0x210 fs/nilfs2/dir.c:393
nilfs_lookup+0x76/0x110 fs/nilfs2/namei.c:62
__lookup_slow+0x28c/0x3f0 fs/namei.c:1732
lookup_slow fs/namei.c:1749 [inline]
lookup_one_unlocked+0x1a4/0x290 fs/namei.c:2912
ovl_lookup_positive_unlocked fs/overlayfs/namei.c:210 [inline]
ovl_lookup_single+0x200/0xbd0 fs/overlayfs/namei.c:240
ovl_lookup_layer+0x417/0x510 fs/overlayfs/namei.c:333
ovl_lookup+0x5d8/0x2a60 fs/overlayfs/namei.c:1068
lookup_open fs/namei.c:3573 [inline]
open_last_lookups fs/namei.c:3694 [inline]
path_openat+0x11a7/0x3590 fs/namei.c:3930
do_filp_open+0x235/0x490 fs/namei.c:3960
do_sys_openat2+0x13e/0x1d0 fs/open.c:1415
do_sys_open fs/open.c:1430 [inline]
__do_sys_open fs/open.c:1438 [inline]
__se_sys_open fs/open.c:1434 [inline]
__x64_sys_open+0x225/0x270 fs/open.c:1434
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fbfb1f7dff9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fbfb2dcc038 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
RAX: ffffffffffffffda RBX: 00007fbfb2135f80 RCX: 00007fbfb1f7dff9
RDX: 0000000000000000 RSI: 000000000014d27e RDI: 0000000020000180
RBP: 00007fbfb1ff0296 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007fbfb2135f80 R15: 00007ffe859206a8
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:submit_bh_wbc+0x556/0x560 fs/buffer.c:2785
Code: 89 fa e8 dd d7 cb 02 e9 95 fe ff ff e8 63 9b 74 ff 90 0f 0b e8 5b 9b 74 ff 90 0f 0b e8 53 9b 74 ff 90 0f 0b e8 4b 9b 74 ff 90 <0f> 0b e8 43 9b 74 ff 90 0f 0b 90 90 90 90 90 90 90 90 90 90 90 90
RSP: 0018:ffffc9000303e9f8 EFLAGS: 00010287
RAX: ffffffff82204bb5 RBX: 0000000000000154 RCX: 0000000000040000
RDX: ffffc900044b1000 RSI: 0000000000000a81 RDI: 0000000000000a82
RBP: 0000000000000100 R08: ffffffff82204779 R09: 1ffff1100ae83f79
R10: dffffc0000000000 R11: ffffed100ae83f7a R12: 0000000000000000
R13: ffff88805741fbc8 R14: 0000000000000000 R15: 1ffff1100ae83f79
FS: 00007fbfb2dcc6c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f08b6361160 CR3: 000000005f354000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at [email protected].

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Ryusuke Konishi

Oct 14, 2024, 12:53:53 PM
I can't say for sure, but from the stack trace, this seems to be an
issue with nilfs2, so I'll add the nilfs tag:

#syz set subsystems: nilfs, fs

Ryusuke Konishi

Ryusuke Konishi

Oct 16, 2024, 12:33:08 AM
Syzbot reported that after nilfs2 reads a corrupted file system image
and degrades to read-only, the BUG_ON check for the buffer delay flag
in submit_bh_wbc() may fail, causing a kernel bug.

This is because the buffer delay flag is not cleared when clearing the
buffer state flags to discard a page/folio or a buffer head. So, fix
this.

This became necessary when the use of nilfs2's own page clear routine
was expanded. This state inconsistency does not occur if the buffer
is written normally by log writing.

Signed-off-by: Ryusuke Konishi <[email protected]>
Reported-by: [email protected]
Closes: https://syzkaller.appspot.com/bug?extid=985ada84bf055a575c07
Fixes: 8c26c4e2694a ("nilfs2: fix issue with flush kernel thread after remount in RO mode because of driver's internal error or metadata corruption")
Cc: [email protected]
---
Andrew, please apply this as a bug fix.

This fixes a kernel bug recently reported by Syzbot.

Thanks,
Ryusuke Konishi

fs/nilfs2/page.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/fs/nilfs2/page.c b/fs/nilfs2/page.c
index 9c0b7cddeaae..5436eb0424bd 100644
--- a/fs/nilfs2/page.c
+++ b/fs/nilfs2/page.c
@@ -77,7 +77,8 @@ void nilfs_forget_buffer(struct buffer_head *bh)
const unsigned long clear_bits =
(BIT(BH_Uptodate) | BIT(BH_Dirty) | BIT(BH_Mapped) |
BIT(BH_Async_Write) | BIT(BH_NILFS_Volatile) |
- BIT(BH_NILFS_Checked) | BIT(BH_NILFS_Redirected));
+ BIT(BH_NILFS_Checked) | BIT(BH_NILFS_Redirected) |
+ BIT(BH_Delay));

lock_buffer(bh);
set_mask_bits(&bh->b_state, clear_bits, 0);
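Review bot: the clear_bits mask extended here is now the same list, entry for entry, as the one in nilfs_clear_folio_dirty() (the second hunk makes the identical change), so the next flag added at one site can again be missed at the other, which is exactly how BH_Delay got left out; consider hoisting the mask into one shared macro in fs/nilfs2/page.c and using it from both functions. A one-line comment above the mask saying why BH_Delay belongs in it (the changelog says submit_bh_wbc() BUG_ONs on a buffer that still carries the delay flag) would spare the next reader a trip to the commit log.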
@@ -406,7 +407,8 @@ void nilfs_clear_folio_dirty(struct folio *folio)
const unsigned long clear_bits =
(BIT(BH_Uptodate) | BIT(BH_Dirty) | BIT(BH_Mapped) |
BIT(BH_Async_Write) | BIT(BH_NILFS_Volatile) |
- BIT(BH_NILFS_Checked) | BIT(BH_NILFS_Redirected));
+ BIT(BH_NILFS_Checked) | BIT(BH_NILFS_Redirected) |
+ BIT(BH_Delay));

bh = head;
do {
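Review bot: since this loop now strips BH_Delay from every buffer in the folio, it leans on the precondition the changelog gives (the filesystem has already degraded to read-only, so the delayed block will never be written by log writing); stating that precondition in a comment at this site would help, and the changelog could also say whether any other path clears buffer state outside these two functions, since the fix covers only nilfs_forget_buffer() and nilfs_clear_folio_dirty().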
--
2.43.0
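An added C model of the failure the changelog describes, not code from the kernel or from this patch: a buffer head's b_state mask, set_mask_bits()-style clearing with the pre- and post-patch clear_bits lists, and a stand-in for the BUG_ON(buffer_delay) in submit_bh_wbc(). The flag bit positions, the nilfs-private bits and the replayed scenario (a delayed buffer discarded after the read-only degradation, then re-submitted by a directory read) are assumptions of the model.

```c
#include <stdatomic.h>
#include <stdio.h>

/* Bit positions are stand-ins for this model; only the names mirror the kernel's. */
enum bh_state_bits {
	BH_Uptodate, BH_Dirty, BH_Lock, BH_Req, BH_Mapped, BH_New,
	BH_Async_Read, BH_Async_Write, BH_Delay,
	BH_NILFS_Volatile = 17, BH_NILFS_Checked, BH_NILFS_Redirected,
};
#define BIT(n) (1UL << (n))

struct buffer_head { _Atomic unsigned long b_state; };

/* Same shape as the kernel's set_mask_bits(): clear @mask, then set @bits, atomically. */
static unsigned long set_mask_bits(_Atomic unsigned long *p, unsigned long mask, unsigned long bits)
{
	unsigned long old = atomic_load(p), upd;
	do {
		upd = (old & ~mask) | bits;
	} while (!atomic_compare_exchange_weak(p, &old, upd));
	return upd;
}

/* clear_bits as nilfs_forget_buffer() had it before the patch... */
#define NILFS_CLEAR_BITS_OLD \
	(BIT(BH_Uptodate) | BIT(BH_Dirty) | BIT(BH_Mapped) | BIT(BH_Async_Write) | \
	 BIT(BH_NILFS_Volatile) | BIT(BH_NILFS_Checked) | BIT(BH_NILFS_Redirected))
/* ...and after it: BH_Delay is dropped as well. */
#define NILFS_CLEAR_BITS_NEW (NILFS_CLEAR_BITS_OLD | BIT(BH_Delay))

/* Discard a buffer's state the way nilfs_forget_buffer() does after a read-only degradation. */
static void forget_buffer(struct buffer_head *bh, unsigned long clear_bits)
{
	set_mask_bits(&bh->b_state, clear_bits, 0);
}

/*
 * Stand-in for submit_bh_wbc(), which the read path reaches after re-mapping
 * the discarded buffer. The kernel has BUG_ON(buffer_delay(bh)) there; this
 * model returns -1 instead of crashing so the outcome can be inspected.
 */
static int submit_bh_model(struct buffer_head *bh)
{
	if (atomic_load(&bh->b_state) & BIT(BH_Delay))
		return -1;	/* the "kernel BUG at fs/buffer.c" in the syzbot report */
	return 0;
}

/* Replay the sequence with one clear mask; returns the submit verdict. */
static int replay(unsigned long clear_bits)
{
	/* Constructed start state: a delayed-allocation buffer awaiting log writing. */
	struct buffer_head bh = { BIT(BH_Uptodate) | BIT(BH_Dirty) | BIT(BH_Delay) };
	forget_buffer(&bh, clear_bits);	/* fs degraded to read-only, folio discarded */
	return submit_bh_model(&bh);	/* a later directory read re-submits the buffer */
}

int main(void)
{
	printf("old mask: %s\n", replay(NILFS_CLEAR_BITS_OLD) ? "BUG_ON(buffer_delay) fires" : "ok");
	printf("new mask: %s\n", replay(NILFS_CLEAR_BITS_NEW) ? "BUG_ON(buffer_delay) fires" : "ok");
	return 0;
}
```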

syzbot

Oct 16, 2024, 11:13:29 AM
syzbot has found a reproducer for the following issue on:

HEAD commit: 2f87d0916ce0 Merge tag 'trace-ringbuffer-v6.12-rc3' of git..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1773b727980000
kernel config: https://syzkaller.appspot.com/x/.config?x=cfbd94c114a3d407
dashboard link: https://syzkaller.appspot.com/bug?extid=985ada84bf055a575c07
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10015030580000

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7feb34a89c2a/non_bootable_disk-2f87d091.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/2704ba6867a8/vmlinux-2f87d091.xz
kernel image: https://storage.googleapis.com/syzbot-assets/9f7121fd532b/bzImage-2f87d091.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/51d4ae79614c/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: [email protected]

NILFS error (device loop0): nilfs_check_folio: bad entry in directory #12: rec_len is smaller than minimal - offset=0, inode=0, rec_len=0, name_len=0
NILFS (loop0): unable to write superblock: err=-5
Remounting filesystem read-only
NILFS error (device loop0): nilfs_readdir: bad page in #12
------------[ cut here ]------------
kernel BUG at fs/buffer.c:2785!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 5210 Comm: syz-executor Not tainted 6.12.0-rc3-syzkaller-00044-g2f87d0916ce0 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:submit_bh_wbc+0x556/0x560 fs/buffer.c:2785
Code: 89 fa e8 1d d9 d1 02 e9 95 fe ff ff e8 f3 72 71 ff 90 0f 0b e8 eb 72 71 ff 90 0f 0b e8 e3 72 71 ff 90 0f 0b e8 db 72 71 ff 90 <0f> 0b e8 d3 72 71 ff 90 0f 0b 90 90 90 90 90 90 90 90 90 90 90 90
RSP: 0018:ffffc9000253f618 EFLAGS: 00010293
RAX: ffffffff82237475 RBX: 0000000000000154 RCX: ffff888000800000
RDX: 0000000000000000 RSI: 0000000000000100 RDI: 0000000000000000
RBP: 0000000000000100 R08: ffffffff82237039 R09: 1ffff1100639095c
R10: dffffc0000000000 R11: ffffed100639095d R12: 0000000000000000
R13: ffff888031c84ae0 R14: 0000000000000000 R15: 1ffff1100639095c
FS: 0000555563876500(0000) GS:ffff88801fc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fddb347fb98 CR3: 00000000566ca000 CR4: 0000000000352ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
submit_bh fs/buffer.c:2824 [inline]
block_read_full_folio+0x93b/0xcd0 fs/buffer.c:2451
do_mpage_readpage+0x1a73/0x1c80 fs/mpage.c:317
mpage_read_folio+0x108/0x1e0 fs/mpage.c:392
filemap_read_folio+0x14b/0x630 mm/filemap.c:2367
do_read_cache_folio+0x3f5/0x850 mm/filemap.c:3825
read_mapping_folio include/linux/pagemap.h:1011 [inline]
nilfs_get_folio+0x4b/0x240 fs/nilfs2/dir.c:190
nilfs_readdir+0x1b3/0x7d0 fs/nilfs2/dir.c:251
iterate_dir+0x571/0x800 fs/readdir.c:108
__do_sys_getdents64 fs/readdir.c:407 [inline]
__se_sys_getdents64+0x1d3/0x4a0 fs/readdir.c:392
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f5be9db0193
Code: c1 66 0f 1f 44 00 00 48 83 c4 08 48 89 ef 5b 5d e9 42 43 f8 ff 66 90 b8 ff ff ff 7f 48 39 c2 48 0f 47 d0 b8 d9 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 05 c3 0f 1f 40 00 48 c7 c2 a8 ff ff ff f7 d8
RSP: 002b:00007ffe94f96358 EFLAGS: 00000293 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 0000555563899640 RCX: 00007f5be9db0193
RDX: 0000000000008000 RSI: 0000555563899640 RDI: 0000000000000006
RBP: 0000555563899614 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000001000 R11: 0000000000000293 R12: ffffffffffffffa8
R13: 0000000000000016 R14: 0000555563899610 R15: 00007ffe94f996f0
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:submit_bh_wbc+0x556/0x560 fs/buffer.c:2785
Code: 89 fa e8 1d d9 d1 02 e9 95 fe ff ff e8 f3 72 71 ff 90 0f 0b e8 eb 72 71 ff 90 0f 0b e8 e3 72 71 ff 90 0f 0b e8 db 72 71 ff 90 <0f> 0b e8 d3 72 71 ff 90 0f 0b 90 90 90 90 90 90 90 90 90 90 90 90
RSP: 0018:ffffc9000253f618 EFLAGS: 00010293
RAX: ffffffff82237475 RBX: 0000000000000154 RCX: ffff888000800000
RDX: 0000000000000000 RSI: 0000000000000100 RDI: 0000000000000000
RBP: 0000000000000100 R08: ffffffff82237039 R09: 1ffff1100639095c
R10: dffffc0000000000 R11: ffffed100639095d R12: 0000000000000000
R13: ffff888031c84ae0 R14: 0000000000000000 R15: 1ffff1100639095c
FS: 0000555563876500(0000) GS:ffff88801fc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fddb347fb98 CR3: 00000000566ca000 CR4: 0000000000352ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

Christian Brauner

Oct 16, 2024, 4:05:59 PM
to Andrew Morton, Ryusuke Konishi, Christian Brauner, [email protected], [email protected], syzbot, [email protected], [email protected]
On Wed, 16 Oct 2024 06:32:07 +0900, Ryusuke Konishi wrote:
> Syzbot reported that after nilfs2 reads a corrupted file system image
> and degrades to read-only, the BUG_ON check for the buffer delay flag
> in submit_bh_wbc() may fail, causing a kernel bug.
>
> This is because the buffer delay flag is not cleared when clearing the
> buffer state flags to discard a page/folio or a buffer head. So, fix
> this.
>
> [...]

Applied to the vfs.fixes branch of the vfs/vfs.git tree.
Patches in the vfs.fixes branch should appear in linux-next soon.

Please report any outstanding bugs that were missed during review in a
new review to the original patch series allowing us to drop it.

It's encouraged to provide Acked-bys and Reviewed-bys even though the
patch has now been applied. If possible patch trailers will be updated.

Note that commit hashes shown below are subject to change due to rebase,
trailer updates or similar. If in doubt, please check the listed branch.

tree: https://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs.git
branch: vfs.fixes

[1/1] nilfs2: fix kernel bug due to missing clearing of buffer delay flag
https://git.kernel.org/vfs/vfs/c/6ed469df0bfb

syzbot

Oct 21, 2024, 12:48:38 PM
syzbot has found a reproducer for the following issue on:

HEAD commit: 42f7652d3eb5 Linux 6.12-rc4
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=10c66a40580000
kernel config: https://syzkaller.appspot.com/x/.config?x=41330fd2db03893d
dashboard link: https://syzkaller.appspot.com/bug?extid=985ada84bf055a575c07
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1541e430580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1181e0a7980000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/21f56ec05989/disk-42f7652d.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/d295ea00e68a/vmlinux-42f7652d.xz
kernel image: https://storage.googleapis.com/syzbot-assets/6c4b95c7f67f/bzImage-42f7652d.xz
mounted in repro #1: https://storage.googleapis.com/syzbot-assets/709e6e32762f/mount_0.gz
mounted in repro #2: https://storage.googleapis.com/syzbot-assets/6576d8861c23/mount_7.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: [email protected]

------------[ cut here ]------------
kernel BUG at fs/buffer.c:2785!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 0 UID: 0 PID: 5235 Comm: syz-executor372 Not tainted 6.12.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
RIP: 0010:submit_bh_wbc+0x556/0x560 fs/buffer.c:2785
Code: 89 fa e8 dd 76 cc 02 e9 95 fe ff ff e8 73 85 74 ff 90 0f 0b e8 6b 85 74 ff 90 0f 0b e8 63 85 74 ff 90 0f 0b e8 5b 85 74 ff 90 <0f> 0b e8 53 85 74 ff 90 0f 0b 90 90 90 90 90 90 90 90 90 90 90 90
RSP: 0018:ffffc90003b6f0d8 EFLAGS: 00010293
RAX: ffffffff82206235 RBX: 0000000000000154 RCX: ffff88802d490000
RDX: 0000000000000000 RSI: 0000000000000100 RDI: 0000000000000000
RBP: 0000000000000100 R08: ffffffff82205df9 R09: 1ffff1100ef571d0
R10: dffffc0000000000 R11: ffffed100ef571d1 R12: 0000000000000000
R13: ffff888077ab8e80 R14: 0000000000000000 R15: 1ffff1100ef571d0
FS: 0000555573f7e380(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fbda422e00a CR3: 000000002fc1e000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
submit_bh fs/buffer.c:2824 [inline]
block_read_full_folio+0x93b/0xcd0 fs/buffer.c:2451
do_mpage_readpage+0x1a73/0x1c80 fs/mpage.c:317
mpage_read_folio+0x108/0x1e0 fs/mpage.c:392
filemap_read_folio+0x14b/0x630 mm/filemap.c:2367
do_read_cache_folio+0x3f5/0x850 mm/filemap.c:3825
read_mapping_folio include/linux/pagemap.h:1011 [inline]
nilfs_get_folio+0x4b/0x240 fs/nilfs2/dir.c:190
nilfs_find_entry+0x13d/0x660 fs/nilfs2/dir.c:313
nilfs_inode_by_name+0xad/0x240 fs/nilfs2/dir.c:394
nilfs_lookup+0xed/0x210 fs/nilfs2/namei.c:63
lookup_open fs/namei.c:3573 [inline]
open_last_lookups fs/namei.c:3694 [inline]
path_openat+0x11a7/0x3590 fs/namei.c:3930
do_filp_open+0x235/0x490 fs/namei.c:3960
do_sys_openat2+0x13e/0x1d0 fs/open.c:1415
do_sys_open fs/open.c:1430 [inline]
__do_sys_openat fs/open.c:1446 [inline]
__se_sys_openat fs/open.c:1441 [inline]
__x64_sys_openat+0x247/0x2a0 fs/open.c:1441
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fbda41e54a9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 21 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffe5e610168 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fbda41e54a9
RDX: 000000000000275a RSI: 0000000020000180 RDI: 00000000ffffff9c
RBP: 0000000000000000 R08: 00000000000051a5 R09: 000000002000a440
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffe5e61019c
R13: 0000000000000007 R14: 431bde82d7b634db R15: 00007ffe5e6101d0
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:submit_bh_wbc+0x556/0x560 fs/buffer.c:2785
Code: 89 fa e8 dd 76 cc 02 e9 95 fe ff ff e8 73 85 74 ff 90 0f 0b e8 6b 85 74 ff 90 0f 0b e8 63 85 74 ff 90 0f 0b e8 5b 85 74 ff 90 <0f> 0b e8 53 85 74 ff 90 0f 0b 90 90 90 90 90 90 90 90 90 90 90 90
RSP: 0018:ffffc90003b6f0d8 EFLAGS: 00010293
RAX: ffffffff82206235 RBX: 0000000000000154 RCX: ffff88802d490000
RDX: 0000000000000000 RSI: 0000000000000100 RDI: 0000000000000000
RBP: 0000000000000100 R08: ffffffff82205df9 R09: 1ffff1100ef571d0
R10: dffffc0000000000 R11: ffffed100ef571d1 R12: 0000000000000000
R13: ffff888077ab8e80 R14: 0000000000000000 R15: 1ffff1100ef571d0
FS: 0000555573f7e380(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fbd9cbff000 CR3: 000000002fc1e000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


---

Ryusuke Konishi

Oct 21, 2024, 1:57:53 PM
On Mon, Oct 21, 2024 at 6:48 PM syzbot
<[email protected]> wrote:
>
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: 42f7652d3eb5 Linux 6.12-rc4
> git tree: upstream
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=10c66a40580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=41330fd2db03893d
> dashboard link: https://syzkaller.appspot.com/bug?extid=985ada84bf055a575c07
> compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1541e430580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1181e0a7980000

The kernel bug reproduced by this C-reproducer is fixed by the patch
"nilfs2: fix kernel bug due to missing clearing of buffer delay flag"
on the way upstream. I actually performed a follow-up test of this
C-reproducer and confirmed it.

This should be closed by the patch, so although there are additional
messages sent by syzbot, I will leave it without closing it manually.

Ryusuke Konishi