* upstream boot error: can't ssh into the instance (2)
@ 2019-01-27  8:01 syzbot
  2019-01-27  8:05 ` Dmitry Vyukov
  0 siblings, 1 reply; 3+ messages in thread
From: syzbot @ 2019-01-27  8:01 UTC (permalink / raw)
  To: linux-kernel, syzkaller-bugs

Hello,

syzbot found the following crash on:

HEAD commit:    7930851ef10c Merge tag 'scsi-fixes' of git://git.kernel.or..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1002c77f400000
kernel config:  https://syzkaller.appspot.com/x/.config?x=505743eba4e4f68
dashboard link: https://syzkaller.appspot.com/bug?extid=4df6ca820108fd248943
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+4df6ca820108fd248943@syzkaller.appspotmail.com



---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with  
syzbot.


* Re: upstream boot error: can't ssh into the instance (2)
  2019-01-27  8:01 upstream boot error: can't ssh into the instance (2) syzbot
@ 2019-01-27  8:05 ` Dmitry Vyukov
  2019-01-27 13:35   ` Jens Axboe
  0 siblings, 1 reply; 3+ messages in thread
From: Dmitry Vyukov @ 2019-01-27  8:05 UTC (permalink / raw)
  To: Jens Axboe, linux-block, LKML; +Cc: syzkaller-bugs, syzbot

On Sun, Jan 27, 2019 at 9:01 AM syzbot
<syzbot+4df6ca820108fd248943@syzkaller.appspotmail.com> wrote:
>
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit:    7930851ef10c Merge tag 'scsi-fixes' of git://git.kernel.or..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=1002c77f400000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=505743eba4e4f68
> dashboard link: https://syzkaller.appspot.com/bug?extid=4df6ca820108fd248943
> compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
>
> Unfortunately, I don't have any reproducer for this crash yet.
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+4df6ca820108fd248943@syzkaller.appspotmail.com


Mainline tree crashes on boot.
+generic_make_request maintainers

[    7.485069] ==================================================================
[    7.486411] BUG: KASAN: use-after-free in generic_make_request+0x14dd/0x1810
[    7.487539] Read of size 2 at addr ffff8880a39618d4 by task swapper/0/1
[    7.488689]
[    7.488970] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.0.0-rc3+ #45
[    7.491484] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[    7.491484] Call Trace:
[    7.491484]  dump_stack+0x1db/0x2d0
[    7.491484]  ? dump_stack_print_info.cold+0x20/0x20
[    7.491484]  ? generic_make_request+0x14dd/0x1810
[    7.491484]  print_address_description.cold+0x7c/0x20d
[    7.491484]  ? generic_make_request+0x14dd/0x1810
[    7.491484]  ? generic_make_request+0x14dd/0x1810
[    7.491484]  kasan_report.cold+0x1b/0x40
[    7.491484]  ? generic_make_request+0x14dd/0x1810
[    7.491484]  __asan_report_load2_noabort+0x14/0x20
[    7.491484]  generic_make_request+0x14dd/0x1810
[    7.491484]  ? rcu_dynticks_curr_cpu_in_eqs+0xa2/0x170
[    7.491484]  ? blk_queue_enter+0x1200/0x1200
[    7.491484]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[    7.491484]  ? check_preemption_disabled+0x48/0x290
[    7.491484]  ? guard_bio_eod+0x1cc/0x630
[    7.491484]  ? find_held_lock+0x35/0x120
[    7.491484]  ? guard_bio_eod+0x1cc/0x630
[    7.491484]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[    7.491484]  submit_bio+0xba/0x480
[    7.491484]  ? submit_bio+0xba/0x480
[    7.491484]  ? rcu_read_unlock_special+0x380/0x380
[    7.491484]  ? generic_make_request+0x1810/0x1810
[    7.491484]  ? __bio_add_page+0x11e/0x280
[    7.491484]  ? __sanitizer_cov_trace_cmp8+0x18/0x20
[    7.491484]  ? guard_bio_eod+0x293/0x630
[    7.491484]  submit_bh_wbc+0x5f7/0x7f0
[    7.491484]  block_read_full_page+0x946/0xfe0
[    7.491484]  ? check_disk_change+0x140/0x140
[    7.491484]  ? __bread_gfp+0x300/0x300
[    7.491484]  ? __inc_numa_state+0x49/0xe0
[    7.491484]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[    7.491484]  ? alloc_page_interleave+0x91/0x1c0
[    7.491484]  ? alloc_pages_current+0x10f/0x210
[    7.491484]  ? __page_cache_alloc+0x19c/0x620
[    7.491484]  ? __filemap_set_wb_err+0x3f0/0x3f0
[    7.491484]  blkdev_readpage+0x1d/0x30
[    7.491484]  do_read_cache_page+0x796/0x16a0
[    7.491484]  ? blkdev_writepages+0x30/0x30
[    7.491484]  ? grab_cache_page_write_begin+0xb0/0xb0
[    7.491484]  ? mark_held_locks+0xb1/0x100
[    7.491484]  ? mark_held_locks+0x100/0x100
[    7.491484]  ? depot_save_stack+0x1de/0x460
[    7.491484]  ? trace_hardirqs_off_caller+0x300/0x300
[    7.491484]  ? do_raw_spin_trylock+0x270/0x270
[    7.491484]  ? __lock_is_held+0xb6/0x140
[    7.491484]  ? add_lock_to_list.isra.0+0x450/0x450
[    7.491484]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[    7.491484]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[    7.491484]  ? check_preemption_disabled+0x48/0x290
[    7.491484]  ? add_lock_to_list.isra.0+0x450/0x450
[    7.491484]  ? __lock_is_held+0xb6/0x140
[    7.491484]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[    7.491484]  ? widen_string+0xe0/0x2e0
[    7.491484]  ? blkdev_writepages+0x30/0x30
[    7.491484]  read_cache_page+0x5e/0x70
[    7.491484]  read_dev_sector+0x12c/0x510
[    7.491484]  ? __delete_partition+0x210/0x210
[    7.491484]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[    7.491484]  ? format_decode+0x227/0xb00
[    7.491484]  ? enable_ptr_key_workfn+0x30/0x30
[    7.491484]  ? adfspart_check_ADFS+0x9c0/0x9c0
[    7.491484]  adfspart_check_ICS+0x153/0xfb0
[    7.491484]  ? memcpy+0x46/0x50
[    7.491484]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[    7.491484]  ? adfspart_check_ADFS+0x9c0/0x9c0
[    7.491484]  ? pointer+0x930/0x930
[    7.491484]  ? snprintf+0xbb/0xf0
[    7.491484]  ? vsprintf+0x40/0x40
[    7.491484]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[    7.491484]  ? adfspart_check_ADFS+0x9c0/0x9c0
[    7.491484]  check_partition+0x3be/0x6d0
[    7.491484]  ? __sanitizer_cov_trace_cmp8+0x18/0x20
[    7.491484]  rescan_partitions+0x187/0x970
[    7.491484]  ? up_write+0x7b/0x230
[    7.491484]  ? set_init_blocksize+0x1ac/0x260
[    7.491484]  __blkdev_get+0xda1/0x1560
[    7.491484]  ? blkdev_get_block+0xc0/0xc0
[    7.491484]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[    7.491484]  blkdev_get+0xc1/0xae0
[    7.491484]  ? unlock_new_inode+0xfa/0x140
[    7.491484]  ? bdget+0xfe/0x600
[    7.491484]  ? bdget+0x600/0x600
[    7.491484]  ? refcount_dec_and_test_checked+0x1b/0x20
[    7.491484]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[    7.491484]  ? kobject_put+0x84/0xe0
[    7.491484]  ? put_device+0x25/0x30
[    7.491484]  __device_add_disk+0xe5e/0x13c0
[    7.491484]  ? blk_alloc_devt+0x2e0/0x2e0
[    7.491484]  ? sprintf+0xc0/0x100
[    7.491484]  ? scnprintf+0x140/0x140
[    7.491484]  ? disk_expand_part_tbl+0x3d0/0x3d0
[    7.491484]  ? lockdep_init_map+0x10c/0x5b0
[    7.491484]  device_add_disk+0x2b/0x40
[    7.491484]  brd_init+0x2e9/0x3fa
[    7.491484]  ? ramdisk_size+0x2a/0x2a
[    7.491484]  ? ramdisk_size+0x2a/0x2a
[    7.491484]  ? ramdisk_size+0x2a/0x2a
[    7.491484]  do_one_initcall+0x129/0x937
[    7.491484]  ? perf_trace_initcall_level+0x750/0x750
[    7.491484]  ? rcu_read_lock_sched_held+0x110/0x130
[    7.491484]  ? trace_initcall_level+0x2d5/0x321
[    7.491484]  ? arch_local_irq_restore+0x56/0x56
[    7.491484]  ? down_write_nested+0x130/0x130
[    7.491484]  ? down_read+0x120/0x120
[    7.491484]  ? kasan_unpoison_shadow+0x35/0x50
[    7.491484]  kernel_init_freeable+0x4d5/0x5c4
[    7.491484]  ? rest_init+0x37b/0x37b
[    7.491484]  kernel_init+0x12/0x1c5
[    7.491484]  ret_from_fork+0x3a/0x50
[    7.491484]
[    7.491484] Allocated by task 1:
[    7.491484]  save_stack+0x45/0xd0
[    7.491484]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[    7.491484]  kasan_slab_alloc+0xf/0x20
[    7.491484]  kmem_cache_alloc+0x12d/0x710
[    7.491484]  mempool_alloc_slab+0x47/0x60
[    7.491484]  mempool_alloc+0x19f/0x500
[    7.491484]  bio_alloc_bioset+0x3c1/0x720
[    7.491484]  submit_bh_wbc+0x133/0x7f0
[    7.491484]  block_read_full_page+0x946/0xfe0
[    7.491484]  blkdev_readpage+0x1d/0x30
[    7.491484]  do_read_cache_page+0x796/0x16a0
[    7.491484]  read_cache_page+0x5e/0x70
[    7.491484]  read_dev_sector+0x12c/0x510
[    7.491484]  adfspart_check_ICS+0x153/0xfb0
[    7.491484]  check_partition+0x3be/0x6d0
[    7.491484]  rescan_partitions+0x187/0x970
[    7.491484]  __blkdev_get+0xda1/0x1560
[    7.491484]  blkdev_get+0xc1/0xae0
[    7.491484]  __device_add_disk+0xe5e/0x13c0
[    7.491484]  device_add_disk+0x2b/0x40
[    7.491484]  brd_init+0x2e9/0x3fa
[    7.491484]  do_one_initcall+0x129/0x937
[    7.491484]  kernel_init_freeable+0x4d5/0x5c4
[    7.491484]  kernel_init+0x12/0x1c5
[    7.491484]  ret_from_fork+0x3a/0x50
[    7.491484]
[    7.491484] Freed by task 1:
[    7.491484]  save_stack+0x45/0xd0
[    7.491484]  __kasan_slab_free+0x102/0x150
[    7.491484]  kasan_slab_free+0xe/0x10
[    7.491484]  kmem_cache_free+0x86/0x260
[    7.491484]  mempool_free_slab+0x1e/0x30
[    7.491484]  mempool_free+0xed/0x380
[    7.491484]  bio_free+0x324/0x570
[    7.491484]  bio_put+0x17a/0x1f0
[    7.491484]  end_bio_bh_io_sync+0xfb/0x140
[    7.491484]  bio_endio+0x840/0xfb0
[    7.491484]  brd_make_request+0x686/0x95a
[    7.491484]  generic_make_request+0x92b/0x1810
[    7.491484]  submit_bio+0xba/0x480
[    7.491484]  submit_bh_wbc+0x5f7/0x7f0
[    7.491484]  block_read_full_page+0x946/0xfe0
[    7.491484]  blkdev_readpage+0x1d/0x30
[    7.491484]  do_read_cache_page+0x796/0x16a0
[    7.491484]  read_cache_page+0x5e/0x70
[    7.491484]  read_dev_sector+0x12c/0x510
[    7.491484]  adfspart_check_ICS+0x153/0xfb0
[    7.491484]  check_partition+0x3be/0x6d0
[    7.491484]  rescan_partitions+0x187/0x970
[    7.491484]  __blkdev_get+0xda1/0x1560
[    7.491484]  blkdev_get+0xc1/0xae0
[    7.491484]  __device_add_disk+0xe5e/0x13c0
[    7.491484]  device_add_disk+0x2b/0x40
[    7.491484]  brd_init+0x2e9/0x3fa
[    7.491484]  do_one_initcall+0x129/0x937
[    7.491484]  kernel_init_freeable+0x4d5/0x5c4
[    7.491484]  kernel_init+0x12/0x1c5
[    7.491484]  ret_from_fork+0x3a/0x50
[    7.491484]
[    7.491484] The buggy address belongs to the object at ffff8880a39618c0
[    7.491484]  which belongs to the cache bio-0 of size 200
[    7.491484] The buggy address is located 20 bytes inside of
[    7.491484]  200-byte region [ffff8880a39618c0, ffff8880a3961988)
[    7.491484] The buggy address belongs to the page:
[    7.491484] page:ffffea00028e5840 count:1 mapcount:0 mapping:ffff88821bb1ea80 index:0x0
[    7.491484] flags: 0x1fffc0000000200(slab)
[    7.491484] raw: 01fffc0000000200 ffffea00028e8008 ffff88812c3cf648 ffff88821bb1ea80
[    7.491484] raw: 0000000000000000 ffff8880a3961000 000000010000000c 0000000000000000
[    7.491484] page dumped because: kasan: bad access detected
[    7.491484]
[    7.491484] Memory state around the buggy address:
[    7.491484]  ffff8880a3961780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[    7.491484]  ffff8880a3961800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[    7.491484] >ffff8880a3961880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[    7.491484]                                                  ^
[    7.491484]  ffff8880a3961900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[    7.491484]  ffff8880a3961980: fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[    7.491484] ==================================================================


> ---
> This bug is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
>
> syzbot will keep track of this bug report. See:
> https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
> syzbot.
>


* Re: upstream boot error: can't ssh into the instance (2)
  2019-01-27  8:05 ` Dmitry Vyukov
@ 2019-01-27 13:35   ` Jens Axboe
  0 siblings, 0 replies; 3+ messages in thread
From: Jens Axboe @ 2019-01-27 13:35 UTC (permalink / raw)
  To: Dmitry Vyukov, linux-block, LKML; +Cc: syzkaller-bugs, syzbot, Ming Lei

On 1/27/19 1:05 AM, Dmitry Vyukov wrote:
> On Sun, Jan 27, 2019 at 9:01 AM syzbot
> <syzbot+4df6ca820108fd248943@syzkaller.appspotmail.com> wrote:
>>
>> Hello,
>>
>> syzbot found the following crash on:
>>
>> HEAD commit:    7930851ef10c Merge tag 'scsi-fixes' of git://git.kernel.or..
>> git tree:       upstream
>> console output: https://syzkaller.appspot.com/x/log.txt?x=1002c77f400000
>> kernel config:  https://syzkaller.appspot.com/x/.config?x=505743eba4e4f68
>> dashboard link: https://syzkaller.appspot.com/bug?extid=4df6ca820108fd248943
>> compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
>>
>> Unfortunately, I don't have any reproducer for this crash yet.
>>
>> IMPORTANT: if you fix the bug, please add the following tag to the commit:
>> Reported-by: syzbot+4df6ca820108fd248943@syzkaller.appspotmail.com
> 
> 
> Mainline tree crashes on boot.
> +generic_make_request maintainers
> 
> [    7.485069] ==================================================================
> [    7.486411] BUG: KASAN: use-after-free in generic_make_request+0x14dd/0x1810
> [    7.487539] Read of size 2 at addr ffff8880a39618d4 by task swapper/0/1
> [    7.488689]

Ah duh, not sure how I missed that:

+                       bio_set_flag(bio, BIO_QUEUE_ENTERED);
                        ret = q->make_request_fn(q, bio);
+                       bio_clear_flag(bio, BIO_QUEUE_ENTERED);
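Review bot: the added `bio_clear_flag(bio, BIO_QUEUE_ENTERED);` after `ret = q->make_request_fn(q, bio);` dereferences the bio once the driver may already have completed it. The KASAN report earlier in the thread shows exactly that ordering: the bio is freed under brd_make_request -> bio_endio -> bio_put, and generic_make_request then performs a 2-byte read 20 bytes into the freed bio-0 object. Whatever state needs restoring has to be handled without touching the bio after ->make_request_fn() returns; the post-call access should go.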

Ming, we can't touch bio after ->make_request_fn(), it could very well be
completed already.

-- 
Jens Axboe
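The lifetime hazard Jens describes, as an added user-space model (not kernel code and not the upstream fix): a driver callback that completes the request synchronously drops the last reference, so any access by the submitter after the call is a use-after-free. The `freed` marker stands in for KASAN poisoning, and the "safe" variant shows one defensive pattern, holding a reference across the call; flag values and function names are constructed for the model.

```c
/* Added example, not kernel code: models touching a bio after the driver's
 * make_request callback, which may complete and free it before returning. */
#include <stdbool.h>
#include <stddef.h>

enum { BIO_QUEUE_ENTERED = 1 };  /* constructed flag value for the model */
#define UAF_DETECTED (-1)

struct bio { int refcnt; unsigned flags; bool freed; };

static void bio_get(struct bio *b) { b->refcnt++; }
static void bio_put(struct bio *b) { if (--b->refcnt == 0) b->freed = true; }

/* Stand-in for bio_clear_flag(); reports an access to a freed object the
 * way KASAN's poisoned shadow bytes would. */
static int bio_clear_flag_checked(struct bio *b, unsigned f)
{
    if (b->freed)
        return UAF_DETECTED;
    b->flags &= ~f;
    return 0;
}

/* Ramdisk-style driver: completes the bio before returning, like
 * brd_make_request -> bio_endio -> bio_put in the trace above. */
static int sync_make_request(struct bio *b) { bio_put(b); return 0; }

/* Pattern from the quoted hunk: the bio is touched after the callback. */
static int submit_buggy(struct bio *b)
{
    b->flags |= BIO_QUEUE_ENTERED;
    sync_make_request(b);
    return bio_clear_flag_checked(b, BIO_QUEUE_ENTERED);  /* use-after-free */
}

/* Defensive variant: our own reference keeps the object alive across the
 * call, and is dropped only once we are finished with it. */
static int submit_safe(struct bio *b)
{
    int ret;
    b->flags |= BIO_QUEUE_ENTERED;
    bio_get(b);
    sync_make_request(b);
    ret = bio_clear_flag_checked(b, BIO_QUEUE_ENTERED);
    bio_put(b);
    return ret;
}

int run_buggy(void) { struct bio b = { 1, 0, false }; return submit_buggy(&b); }
int run_safe(void)  { struct bio b = { 1, 0, false }; return submit_safe(&b); }
```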


