From: Ian Kent <raven@themaw.net>
To: Dmitry Vyukov <dvyukov@google.com>, Al Viro <viro@zeniv.linux.org.uk>
Cc: syzbot <syzbot+5399ed0832693e29f392@syzkaller.appspotmail.com>,
Andrew Morton <akpm@linux-foundation.org>,
Amir Goldstein <amir73il@gmail.com>,
linux-fsdevel <linux-fsdevel@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>,
Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>,
syzkaller-bugs <syzkaller-bugs@googlegroups.com>
Subject: Re: kernel BUG at fs/inode.c:LINE!
Date: Wed, 10 Apr 2019 18:35:51 +0800 [thread overview]
Message-ID: <eb223b47641df91a56fd200188a65d2c0ca4abe1.camel@themaw.net> (raw)
In-Reply-To: <CACT4Y+YurDDxvvd2MbOf8pGyA0B+W_EFB34oVAcHXyv-ApKC7Q@mail.gmail.com>
On Wed, 2019-04-10 at 10:27 +0200, Dmitry Vyukov wrote:
> On Wed, Apr 10, 2019 at 2:26 AM Al Viro <viro@zeniv.linux.org.uk> wrote:
> >
> > On Tue, Apr 09, 2019 at 07:36:00AM -0700, syzbot wrote:
> > > Bisection is inconclusive: the first bad commit could be any of:
> >
> > [snip the useless pile]
> >
> > > bisection log:
> > > https://syzkaller.appspot.com/x/bisect.txt?x=15e1fc2b200000
> > > start commit: [unknown
> > > git tree: linux-next
> > > dashboard link:
> > > https://syzkaller.appspot.com/bug?extid=5399ed0832693e29f392
> > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=101032b3400000
> > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16534063400000
> > >
> > > For information about bisection process see:
> > > https://goo.gl/tpsmEJ#bisection
> >
> > If I'm not misreading the "crash report" there, it has injected an
> > allocation
> > failure in dentry allocation in d_make_root() from autofs_fill_super() (
> > root_inode = autofs_get_inode(s, S_IFDIR | 0755);
> > root = d_make_root(root_inode);
> > ) which has triggered iput() on the inode passed to d_make_root() (as it
> > ought
> > to). At which point it stepped into some BUG_ON() in fs/inode.c, but I've
> > no idea which one it is - line numbers do not match anything in linux-next
> > or in mainline. Reported line 1566 is
> > if (inode->i_nlink && (inode->i_state & I_DIRTY_TIME)) {
> > in all of them; as the matter of fact, the diff in fs/inode.c between
> > -next and mainline is empty.
> >
> > There is a BUG_ON() several lines prior, and in 4.20 it used to be line
> > 1566,
> > so _probably_ that's what it is. With that assumption, it's
> > BUG_ON(inode->i_state & I_CLEAR);
> > IOW, we'd got I_CLEAR in the inode passed to d_make_root() there. Which
> > should not happen - the inode must have come from new_inode(), which
> > gets it from new_inode_pseudo(), which zeroes ->i_state. And I_CLEAR
> > is set only in clear_inode(). For autofs inodes that can come only
> > from autofs_evict_inode(), called as ->evict() from evict_inode().
> > Which should never ever be called for inode with positive ->i_count...
> >
> > It might be memory corruption; it might be a dangling inode pointer
> > somewhere, it might be something else.
> >
> > To get any further we really need a confirmation of the identity of
> > triggered BUG_ON().
> >
> > As an aside, your "sample crash reports" would've been much more useful if
> > they went with commit SHA1 in question, especially when they contain line
> > numbers.
>
> Hi Al,
>
> This is the commit for matching lines:
>
> > HEAD commit: d14b746c6c1c Add linux-next specific files for 20181214
Are you sure?
what does 20181214 mean?
Looking at current next code (and several branches) it doesn't
appear the problem is possible?
> > git tree: linux-next
But which branch is it really, master (which doesn't match the
line numbers btw)?
>
> fs/inode.c:1566 points to:
>
> void iput(struct inode *inode)
> {
> ...
> BUG_ON(inode->i_state & I_CLEAR);
>
>
> The dashboard page provides kernel git repository and commit for each crash.
Those links don't seem to make sense to me ...
Help me out here!
Ian
next prev parent reply other threads:[~2019-04-10 10:36 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-12-17 6:11 kernel BUG at fs/inode.c:LINE! syzbot
2018-12-17 7:21 ` Al Viro
2018-12-17 10:08 ` Dmitry Vyukov
2018-12-18 10:40 ` Tetsuo Handa
2018-12-18 10:42 ` Ian Kent
2018-12-18 11:01 ` Amir Goldstein
2018-12-18 11:52 ` Ian Kent
2018-12-18 11:34 ` Ian Kent
2018-12-18 12:27 ` Dmitry Vyukov
2018-12-18 12:42 ` Ian Kent
2018-12-18 13:19 ` Dmitry Vyukov
2018-12-18 14:40 ` Ian Kent
2018-12-18 21:09 ` Andrew Morton
2018-12-19 0:05 ` Ian Kent
2018-12-18 13:51 ` Al Viro
2019-04-09 14:36 ` syzbot
2019-04-10 0:26 ` Al Viro
2019-04-10 8:27 ` Dmitry Vyukov
2019-04-10 10:35 ` Ian Kent [this message]
2019-04-10 11:40 ` Dmitry Vyukov
2019-04-10 11:57 ` Ian Kent
2019-04-10 12:02 ` Dmitry Vyukov
2019-04-10 12:03 ` Dmitry Vyukov
2019-04-10 12:07 ` Ian Kent
2019-04-10 12:11 ` Al Viro
2019-04-10 12:41 ` Dmitry Vyukov
2019-04-11 0:50 ` Ian Kent
2019-04-11 2:22 ` Al Viro
2019-04-12 11:04 ` Dmitry Vyukov
2019-04-12 19:46 ` Eric Biggers
2019-04-12 10:59 ` Dmitry Vyukov
2019-04-12 19:19 ` Al Viro
2019-04-10 12:39 ` Dmitry Vyukov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=eb223b47641df91a56fd200188a65d2c0ca4abe1.camel@themaw.net \
--to=raven@themaw.net \
--cc=akpm@linux-foundation.org \
--cc=amir73il@gmail.com \
--cc=dvyukov@google.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=penguin-kernel@i-love.sakura.ne.jp \
--cc=syzbot+5399ed0832693e29f392@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).