From: syzbot <syzbot+1c9fca23fe478633b305@syzkaller.appspotmail.com>
To: bfoster@redhat.com, kent.overstreet@linux.dev,
	 linux-bcachefs@vger.kernel.org, linux-kernel@vger.kernel.org,
	 syzkaller-bugs@googlegroups.com
Subject: [syzbot] [bcachefs?] general protection fault in __bch2_insert_snapshot_whiteouts
Date: Tue, 14 May 2024 03:39:26 -0700
Message-ID: <000000000000b2883b0618679d34@google.com>

Hello,

syzbot found the following issue on:

HEAD commit:    75fa778d74b7 Add linux-next specific files for 20240510
git tree:       linux-next
console+strace: https://syzkaller.appspot.com/x/log.txt?x=131c3100980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=ccdd3ebd6715749a
dashboard link: https://syzkaller.appspot.com/bug?extid=1c9fca23fe478633b305
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=13e892e4980000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=118d0fb8980000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/ad9391835bcf/disk-75fa778d.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/d827b3da9a26/vmlinux-75fa778d.xz
kernel image: https://storage.googleapis.com/syzbot-assets/8f32f0182388/bzImage-75fa778d.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/056346e690a7/mount_0.gz

The issue was bisected to:

commit f7643bc9749f270d487c32dc35b578575bf1adb0
Author: Kent Overstreet <kent.overstreet@linux.dev>
Date:   Wed Apr 17 05:26:02 2024 +0000

    bcachefs: make btree read errors silent during scan

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=100ed95c980000
final oops:     https://syzkaller.appspot.com/x/report.txt?x=120ed95c980000
console output: https://syzkaller.appspot.com/x/log.txt?x=140ed95c980000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+1c9fca23fe478633b305@syzkaller.appspotmail.com
Fixes: f7643bc9749f ("bcachefs: make btree read errors silent during scan")

Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
CPU: 1 PID: 5094 Comm: syz-executor156 Not tainted 6.9.0-rc7-next-20240510-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
RIP: 0010:bch2_snapshot_has_children fs/bcachefs/snapshot.h:184 [inline]
RIP: 0010:__bch2_insert_snapshot_whiteouts+0x306/0x15e0 fs/bcachefs/btree_update.c:135
Code: fb 0f 86 c2 11 00 00 e8 28 d9 7c fd 49 6b c7 38 49 8d 5c 04 18 48 8d 7b 14 48 89 f8 48 c1 e8 03 49 bc 00 00 00 00 00 fc ff df <42> 0f b6 04 20 84 c0 0f 85 3d 12 00 00 44 8b 7b 14 48 83 c3 18 48
RSP: 0018:ffffc900037be0c0 EFLAGS: 00010203
RAX: 0000000000000002 RBX: 0000000000000000 RCX: ffff8880296b0000
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000014
RBP: ffffc900037be420 R08: ffffffff841942f8 R09: 1ffffffff25f64b0
R10: dffffc0000000000 R11: fffffbfff25f64b1 R12: dffffc0000000000
R13: ffffc900037be380 R14: ffffffff84194214 R15: 00000000ffffffff
FS:  000055555dcea380(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000559e8263e0b0 CR3: 000000006fca6000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 bch2_insert_snapshot_whiteouts fs/bcachefs/btree_update.h:95 [inline]
 bch2_trans_update_extent_overwrite+0xfd6/0x3710 fs/bcachefs/btree_update.c:218
 bch2_trans_update_extent fs/bcachefs/btree_update.c:318 [inline]
 bch2_trans_update+0x186f/0x2550 fs/bcachefs/btree_update.c:514
 bch2_extent_update+0x43c/0xbb0 fs/bcachefs/io_write.c:325
 bch2_write_index_default fs/bcachefs/io_write.c:374 [inline]
 __bch2_write_index+0xee9/0x2190 fs/bcachefs/io_write.c:527
 bch2_write_data_inline fs/bcachefs/io_write.c:1551 [inline]
 bch2_write+0xf4d/0x1670 fs/bcachefs/io_write.c:1619
 closure_queue include/linux/closure.h:269 [inline]
 closure_call include/linux/closure.h:402 [inline]
 bch2_writepage_do_io fs/bcachefs/fs-io-buffered.c:460 [inline]
 bch2_writepages+0x27d/0x380 fs/bcachefs/fs-io-buffered.c:652
 do_writepages+0x359/0x870 mm/page-writeback.c:2634
 filemap_fdatawrite_wbc+0x125/0x180 mm/filemap.c:397
 __filemap_fdatawrite_range mm/filemap.c:430 [inline]
 file_write_and_wait_range+0x1aa/0x290 mm/filemap.c:788
 bch2_fsync+0x93/0x130 fs/bcachefs/fs-io.c:197
 generic_write_sync include/linux/fs.h:2794 [inline]
 bch2_buffered_write fs/bcachefs/fs-io-buffered.c:1128 [inline]
 bch2_write_iter+0x262e/0x2840 fs/bcachefs/fs-io-buffered.c:1136
 new_sync_write fs/read_write.c:497 [inline]
 vfs_write+0xa72/0xc90 fs/read_write.c:590
 ksys_write+0x1a0/0x2c0 fs/read_write.c:643
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fbe67e38979
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffd7ce752c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007fbe67e8104b RCX: 00007fbe67e38979
RDX: 000000000000000b RSI: 0000000020000680 RDI: 0000000000000004
RBP: 00007fbe67ebe610 R08: 00007ffd7ce75498 R09: 00007ffd7ce75498
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
R13: 00007ffd7ce75488 R14: 0000000000000001 R15: 0000000000000001
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:bch2_snapshot_has_children fs/bcachefs/snapshot.h:184 [inline]
RIP: 0010:__bch2_insert_snapshot_whiteouts+0x306/0x15e0 fs/bcachefs/btree_update.c:135
Code: fb 0f 86 c2 11 00 00 e8 28 d9 7c fd 49 6b c7 38 49 8d 5c 04 18 48 8d 7b 14 48 89 f8 48 c1 e8 03 49 bc 00 00 00 00 00 fc ff df <42> 0f b6 04 20 84 c0 0f 85 3d 12 00 00 44 8b 7b 14 48 83 c3 18 48
RSP: 0018:ffffc900037be0c0 EFLAGS: 00010203
RAX: 0000000000000002 RBX: 0000000000000000 RCX: ffff8880296b0000
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000014
RBP: ffffc900037be420 R08: ffffffff841942f8 R09: 1ffffffff25f64b0
R10: dffffc0000000000 R11: fffffbfff25f64b1 R12: dffffc0000000000
R13: ffffc900037be380 R14: ffffffff84194214 R15: 00000000ffffffff
FS:  000055555dcea380(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000002000193c CR3: 000000006fca6000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	fb                   	sti
   1:	0f 86 c2 11 00 00    	jbe    0x11c9
   7:	e8 28 d9 7c fd       	call   0xfd7cd934
   c:	49 6b c7 38          	imul   $0x38,%r15,%rax
  10:	49 8d 5c 04 18       	lea    0x18(%r12,%rax,1),%rbx
  15:	48 8d 7b 14          	lea    0x14(%rbx),%rdi
  19:	48 89 f8             	mov    %rdi,%rax
  1c:	48 c1 e8 03          	shr    $0x3,%rax
  20:	49 bc 00 00 00 00 00 	movabs $0xdffffc0000000000,%r12
  27:	fc ff df
* 2a:	42 0f b6 04 20       	movzbl (%rax,%r12,1),%eax <-- trapping instruction
  2f:	84 c0                	test   %al,%al
  31:	0f 85 3d 12 00 00    	jne    0x1274
  37:	44 8b 7b 14          	mov    0x14(%rbx),%r15d
  3b:	48 83 c3 18          	add    $0x18,%rbx
  3f:	48                   	rex.W
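The oops header and the disassembly above fit together once the KASAN shadow mapping is applied: the trapping `shr $0x3,%rax; movzbl (%rax,%r12,1)` is the inline shadow check, the "non-canonical address 0xdffffc0000000002" is the shadow byte for the 8-byte granule at 0x10, and that is why the next line reports a null-ptr-deref in [0x10-0x17] (RDI is 0x14, RBX is 0). The following helper decodes those values; it is an added example for readers of this report, not code from syzbot or the bcachefs tree, and it assumes the generic x86_64 KASAN layout of this syzbot kernel (KASAN_SHADOW_OFFSET 0xdffffc0000000000, one shadow byte per 8-byte granule) and 4-level paging (CR4 in the report has LA57 clear). Function names are this example's own.

```c
/*
 * Decode a generic-KASAN shadow fault on x86_64 back to the accessed
 * address range, as printed in the "KASAN: null-ptr-deref in range" line.
 *
 * Added example, not part of the syzbot report or the bcachefs sources.
 * Assumptions: generic KASAN with KASAN_SHADOW_OFFSET = 0xdffffc0000000000
 * and an 8-byte granule (the inline check compiled as "shr $3; movzbl
 * (%rax,%r12,1)" with %r12 = 0xdffffc0000000000), 4-level paging.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define KASAN_SHADOW_OFFSET      0xdffffc0000000000ULL
#define KASAN_SHADOW_SCALE_SHIFT 3
#define KASAN_GRANULE_SIZE       (1ULL << KASAN_SHADOW_SCALE_SHIFT)

struct kasan_range {
	uint64_t start; /* first byte of the shadowed granule */
	uint64_t end;   /* last byte of the shadowed granule (inclusive) */
};

/* Memory address -> address of its shadow byte (what the inline check loads). */
static uint64_t kasan_mem_to_shadow(uint64_t addr)
{
	return (addr >> KASAN_SHADOW_SCALE_SHIFT) + KASAN_SHADOW_OFFSET;
}

/* Shadow byte address -> first byte of the 8-byte granule it covers. */
static uint64_t kasan_shadow_to_mem(uint64_t shadow)
{
	return (shadow - KASAN_SHADOW_OFFSET) << KASAN_SHADOW_SCALE_SHIFT;
}

/* The range KASAN prints for a fault at a given shadow address. */
static struct kasan_range kasan_fault_range(uint64_t shadow_fault_addr)
{
	struct kasan_range r;

	r.start = kasan_shadow_to_mem(shadow_fault_addr);
	r.end   = r.start + KASAN_GRANULE_SIZE - 1;
	return r;
}

/*
 * x86_64 4-level paging: an address is canonical when bits 63..47 all equal
 * bit 47. Shadow addresses for low (user/NULL-page) pointers are never
 * mapped and fall in the non-canonical hole, hence the #GP rather than #PF.
 */
static bool x86_64_is_canonical(uint64_t addr)
{
	int64_t top = (int64_t)addr >> 47;

	return top == 0 || top == -1;
}

/* Heuristic used when reading such reports: accesses inside the first page
 * are almost always a NULL pointer plus a small field offset. */
static bool looks_like_null_deref(uint64_t addr)
{
	return addr < 4096;
}

int main(void)
{
	/* Values taken from the oops above. */
	const uint64_t gpf_addr = 0xdffffc0000000002ULL;
	const uint64_t rdi      = 0x14ULL;
	struct kasan_range r = kasan_fault_range(gpf_addr);

	printf("shadow fault 0x%llx -> accessed range [0x%llx-0x%llx]\n",
	       (unsigned long long)gpf_addr,
	       (unsigned long long)r.start, (unsigned long long)r.end);
	printf("shadow of RDI 0x%llx = 0x%llx (%s)\n",
	       (unsigned long long)rdi,
	       (unsigned long long)kasan_mem_to_shadow(rdi),
	       x86_64_is_canonical(kasan_mem_to_shadow(rdi)) ? "canonical"
							       : "non-canonical");
	printf("null deref: %s\n", looks_like_null_deref(r.start) ? "yes" : "no");
	return 0;
}
```

Reading it against the register dump: RAX is 2 (RDI 0x14 shifted right by 3), adding the shadow offset gives exactly the faulting non-canonical address, so the #GP is KASAN's own check tripping on an unmapped shadow of a near-NULL pointer, with the real defect being the zero in RBX that `0x14(%rbx)` was about to dereference.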


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup
