This is a bcachefs issue. [email protected]
In the future, when fuzzing a filesystem please direct any bugs found directly to the mailing list for the corresponding filesystem. On Mon, Mar 24, 2025 at 08:05:29PM +0800, Hui Guo wrote: > Hi Kernel Maintainers, > we found a crash "KASAN: use-after-free Read in poly1305_update_arch" > (it is a KASAN and makes the kernel reboot) in upstream, we also have > successfully reproduced it manually: > > HEAD Commit: 586de92313fcab8ed84ac5f78f4d2aae2db92c59 > kernel config: > https://raw.githubusercontent.com/androidAppGuard/KernelBugs/refs/heads/main/a29967be967eebf049e89edb14c4edf9991bc929/.config > > console output: > https://raw.githubusercontent.com/androidAppGuard/KernelBugs/refs/heads/main/586de92313fcab8ed84ac5f78f4d2aae2db92c59/f3745555675b1b16c0ddf549fbd72fb975100195/repro.log > repro report: > https://raw.githubusercontent.com/androidAppGuard/KernelBugs/refs/heads/main/586de92313fcab8ed84ac5f78f4d2aae2db92c59/f3745555675b1b16c0ddf549fbd72fb975100195/repro.report > syz reproducer: > https://raw.githubusercontent.com/androidAppGuard/KernelBugs/refs/heads/main/586de92313fcab8ed84ac5f78f4d2aae2db92c59/f3745555675b1b16c0ddf549fbd72fb975100195/repro.prog > c reproducer: > https://raw.githubusercontent.com/androidAppGuard/KernelBugs/refs/heads/main/586de92313fcab8ed84ac5f78f4d2aae2db92c59/f3745555675b1b16c0ddf549fbd72fb975100195/repro.cprog > > Please let me know if there is anything I can help with. > Best, > Hui Guo > > > This is the crash log I got by reproducing the bug based on the above > environment, > I have piped this log through decode_stacktrace.sh to better > understand the cause of the bug. > ============================================================================================= > 2025/03/24 11:50:17 parsed 1 programs > [ 84.317117][ T9599] Adding 124996k swap on ./swap-file. 
Priority:0 > extents:1 across:124996k > [ 85.846374][ T60] audit: type=1400 audit(1742817027.690:8): avc: > denied { execmem } for pid=9615 comm="syz-executor" > scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 > tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 > tclass=process permissive=1 > [ 85.970995][ T9653] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1 > [ 85.974096][ T9653] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9 > [ 85.980118][ T9653] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9 > [ 85.997135][ T9653] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4 > [ 85.998658][ T9653] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3 > [ 86.000139][ T9653] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2 > [ 86.273149][ T60] audit: type=1401 audit(1742817028.110:9): > op=setxattr invalid_context="u:object_r:app_data_file:s0:c512,c768" > [ 86.464134][ T1151] wlan0: Created IBSS using preconfigured BSSID > 50:50:50:50:50:50 > [ 86.465682][ T1151] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 > [ 86.504503][ T96] wlan1: Created IBSS using preconfigured BSSID > 50:50:50:50:50:50 > [ 86.505750][ T96] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 > [ 86.526978][ T9637] chnl_net:caif_netlink_parms(): no params data found > [ 86.589108][ T9637] bridge0: port 1(bridge_slave_0) entered blocking state > [ 86.590934][ T9637] bridge0: port 1(bridge_slave_0) entered disabled state > [ 86.591956][ T9637] bridge_slave_0: entered allmulticast mode > [ 86.593729][ T9637] bridge_slave_0: entered promiscuous mode > [ 86.596288][ T9637] bridge0: port 2(bridge_slave_1) entered blocking state > [ 86.597273][ T9637] bridge0: port 2(bridge_slave_1) entered disabled state > [ 86.598304][ T9637] bridge_slave_1: entered allmulticast mode > [ 86.599650][ T9637] bridge_slave_1: entered promiscuous mode > [ 86.625741][ T9637] bond0: (slave bond_slave_0): Enslaving as an > active interface with an up link 
> [ 86.628209][ T9637] bond0: (slave bond_slave_1): Enslaving as an > active interface with an up link > [ 86.655584][ T9637] team0: Port device team_slave_0 added > [ 86.657634][ T9637] team0: Port device team_slave_1 added > [ 86.688129][ T9637] batman_adv: batadv0: Adding interface: batadv_slave_0 > [ 86.688984][ T9637] batman_adv: batadv0: The MTU of interface > batadv_slave_0 is too small (1500) to handle the transport of > batman-adv packets. Packets going over this interface will be > fragmented on layer2 which could impact the performance. Setting the > MTU to 1560 would solve the problem. > [ 86.691855][ T9637] batman_adv: batadv0: Not using interface > batadv_slave_0 (retrying later): interface not active > [ 86.696337][ T9637] batman_adv: batadv0: Adding interface: batadv_slave_1 > [ 86.697241][ T9637] batman_adv: batadv0: The MTU of interface > batadv_slave_1 is too small (1500) to handle the transport of > batman-adv packets. Packets going over this interface will be > fragmented on layer2 which could impact the performance. Setting the > MTU to 1560 would solve the problem. 
> [ 86.700500][ T9637] batman_adv: batadv0: Not using interface > batadv_slave_1 (retrying later): interface not active > [ 86.739582][ T9637] hsr_slave_0: entered promiscuous mode > [ 86.740760][ T9637] hsr_slave_1: entered promiscuous mode > [ 86.870829][ T9637] netdevsim netdevsim7 netdevsim0: renamed from eth0 > [ 86.875475][ T9637] netdevsim netdevsim7 netdevsim1: renamed from eth1 > [ 86.878531][ T9637] netdevsim netdevsim7 netdevsim2: renamed from eth2 > [ 86.881574][ T9637] netdevsim netdevsim7 netdevsim3: renamed from eth3 > [ 86.897919][ T9637] bridge0: port 2(bridge_slave_1) entered blocking state > [ 86.898935][ T9637] bridge0: port 2(bridge_slave_1) entered forwarding state > [ 86.900314][ T9637] bridge0: port 1(bridge_slave_0) entered blocking state > [ 86.901516][ T9637] bridge0: port 1(bridge_slave_0) entered forwarding state > [ 86.936584][ T9637] 8021q: adding VLAN 0 to HW filter on device bond0 > [ 86.950832][ T96] bridge0: port 1(bridge_slave_0) entered disabled state > [ 86.955164][ T96] bridge0: port 2(bridge_slave_1) entered disabled state > [ 86.966527][ T9637] 8021q: adding VLAN 0 to HW filter on device team0 > [ 86.972683][ T3579] bridge0: port 1(bridge_slave_0) entered blocking state > [ 86.973793][ T3579] bridge0: port 1(bridge_slave_0) entered forwarding state > [ 86.978878][ T96] bridge0: port 2(bridge_slave_1) entered blocking state > [ 86.979967][ T96] bridge0: port 2(bridge_slave_1) entered forwarding state > [ 87.008199][ T9637] hsr0: Slave B (hsr_slave_1) is not up; please > bring it up to get a fully working HSR network > [ 87.108957][ T9637] 8021q: adding VLAN 0 to HW filter on device batadv0 > [ 87.256320][ T9637] veth0_vlan: entered promiscuous mode > [ 87.260969][ T9637] veth1_vlan: entered promiscuous mode > [ 87.277472][ T9637] veth0_macvtap: entered promiscuous mode > [ 87.280374][ T9637] veth1_macvtap: entered promiscuous mode > [ 87.290443][ T9637] batman_adv: batadv0: Interface activated: batadv_slave_0 > [ 87.295969][ 
T9637] batman_adv: batadv0: Interface activated: batadv_slave_1 > [ 87.299447][ T9637] netdevsim netdevsim7 netdevsim0: set [1, 0] type > 2 family 0 port 6081 - 0 > [ 87.300756][ T9637] netdevsim netdevsim7 netdevsim1: set [1, 0] type > 2 family 0 port 6081 - 0 > [ 87.301968][ T9637] netdevsim netdevsim7 netdevsim2: set [1, 0] type > 2 family 0 port 6081 - 0 > [ 87.304774][ T9637] netdevsim netdevsim7 netdevsim3: set [1, 0] type > 2 family 0 port 6081 - 0 > 2025/03/24 11:50:29 executed programs: 0 > [ 87.415821][ T85] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1 > [ 87.418787][ T85] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9 > [ 87.420546][ T85] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9 > [ 87.422241][ T85] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4 > [ 87.424108][ T85] Bluetooth: hci1: unexpected cc 0x0c25 length: 249 > 3 > [ 87.425385][ T85] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2 > [ 87.509901][T11019] chnl_net:caif_netlink_parms(): no params data found > [ 87.563201][T11019] bridge0: port 1(bridge_slave_0) entered blocking state > [ 87.564637][T11019] bridge0: port 1(bridge_slave_0) entered disabled state > [ 87.565479][T11019] bridge_slave_0: entered allmulticast mode > [ 87.566585][T11019] bridge_slave_0: entered promiscuous mode > [ 87.568503][T11019] bridge0: port 2(bridge_slave_1) entered blocking state > [ 87.569538][T11019] bridge0: port 2(bridge_slave_1) entered disabled state > [ 87.570614][T11019] bridge_slave_1: entered allmulticast mode > [ 87.571860][T11019] bridge_slave_1: entered promiscuous mode > [ 87.602767][T11019] bond0: (slave bond_slave_0): Enslaving as an > active interface with an up link > [ 87.608519][T11019] bond0: (slave bond_slave_1): Enslaving as an > active interface with an up link > [ 87.634579][T11019] team0: Port device team_slave_0 added > [ 87.636573][T11019] team0: Port device team_slave_1 added > [ 87.660148][T11019] batman_adv: batadv0: Adding interface: 
batadv_slave_0 > [ 87.661048][T11019] batman_adv: batadv0: The MTU of interface > batadv_slave_0 is too small (1500) to handle the transport of > batman-adv packets. Packets going over this interface will be > fragmented on layer2 which could impact the performance. Setting the > MTU to 1560 would solve the problem. > [ 87.665631][T11019] batman_adv: batadv0: Not using interface > batadv_slave_0 (retrying later): interface not active > [ 87.667657][T11019] batman_adv: batadv0: Adding interface: batadv_slave_1 > [ 87.668523][T11019] batman_adv: batadv0: The MTU of interface > batadv_slave_1 is too small (1500) to handle the transport of > batman-adv packets. Packets going over this interface will be > fragmented on layer2 which could impact the performance. Setting the > MTU to 1560 would solve the problem. > [ 87.671697][T11019] batman_adv: batadv0: Not using interface > batadv_slave_1 (retrying later): interface not active > [ 87.717200][T11019] hsr_slave_0: entered promiscuous mode > [ 87.718492][T11019] hsr_slave_1: entered promiscuous mode > [ 87.719592][T11019] debugfs: Directory 'hsr0' with parent 'hsr' > already present! 
> [ 87.720959][T11019] Cannot create hsr debugfs directory > [ 87.827241][T11019] netdevsim netdevsim0 netdevsim0: renamed from eth0 > [ 87.829744][T11019] netdevsim netdevsim0 netdevsim1: renamed from eth1 > [ 87.832224][T11019] netdevsim netdevsim0 netdevsim2: renamed from eth2 > [ 87.835215][T11019] netdevsim netdevsim0 netdevsim3: renamed from eth3 > [ 87.847029][T11019] bridge0: port 2(bridge_slave_1) entered blocking state > [ 87.847885][T11019] bridge0: port 2(bridge_slave_1) entered forwarding state > [ 87.848778][T11019] bridge0: port 1(bridge_slave_0) entered blocking state > [ 87.849602][T11019] bridge0: port 1(bridge_slave_0) entered forwarding state > [ 87.872807][T11019] 8021q: adding VLAN 0 to HW filter on device bond0 > [ 87.880118][ T13] bridge0: port 1(bridge_slave_0) entered disabled state > [ 87.883677][ T13] bridge0: port 2(bridge_slave_1) entered disabled state > [ 87.895124][T11019] 8021q: adding VLAN 0 to HW filter on device team0 > [ 87.900930][ T97] bridge0: port 1(bridge_slave_0) entered blocking state > [ 87.902120][ T97] bridge0: port 1(bridge_slave_0) entered forwarding state > [ 87.908002][T11294] bridge0: port 2(bridge_slave_1) entered blocking state > [ 87.909741][T11294] bridge0: port 2(bridge_slave_1) entered forwarding state > [ 88.032278][T11019] 8021q: adding VLAN 0 to HW filter on device batadv0 > [ 88.034050][ T85] Bluetooth: hci0: command tx timeout > [ 88.055135][T11019] veth0_vlan: entered promiscuous mode > [ 88.059506][T11019] veth1_vlan: entered promiscuous mode > [ 88.074272][T11019] veth0_macvtap: entered promiscuous mode > [ 88.077239][T11019] veth1_macvtap: entered promiscuous mode > [ 88.085062][T11019] batman_adv: The newly added mac address > (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_0 > [ 88.086633][T11019] batman_adv: It is strongly recommended to keep > mac addresses unique to avoid problems! 
> [ 88.088956][T11019] batman_adv: batadv0: Interface activated: batadv_slave_0 > [ 88.094524][T11019] batman_adv: The newly added mac address > (aa:aa:aa:aa:aa:3f) already exists on: batadv_slave_1 > [ 88.095959][T11019] batman_adv: It is strongly recommended to keep > mac addresses unique to avoid problems! > [ 88.098273][T11019] batman_adv: batadv0: Interface activated: batadv_slave_1 > [ 88.101977][T11019] netdevsim netdevsim0 netdevsim0: set [1, 0] type > 2 family 0 port 6081 - 0 > [ 88.104171][T11019] netdevsim netdevsim0 netdevsim1: set [1, 0] type > 2 family 0 port 6081 - 0 > [ 88.105401][T11019] netdevsim netdevsim0 netdevsim2: set [1, 0] type > 2 family 0 port 6081 - 0 > [ 88.106599][T11019] netdevsim netdevsim0 netdevsim3: set [1, 0] type > 2 family 0 port 6081 - 0 > [ 88.140817][ T13] wlan0: Created IBSS using preconfigured BSSID > 50:50:50:50:50:50 > [ 88.142392][ T13] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 > [ 88.155795][ T96] wlan1: Created IBSS using preconfigured BSSID > 50:50:50:50:50:50 > [ 88.156973][ T96] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 > [ 88.314757][T12039] loop0: detected capacity change from 0 to 32768 > [ 88.346885][T12039] bcachefs (loop0): starting version 1.7: > mi_btree_bitmap > opts=metadata_checksum=none,data_checksum=xxhash,nojournal_transaction_names > [ 88.348824][T12039] bcachefs (loop0): recovering from clean shutdown, > journal seq 10 > [ 88.349815][T12039] bcachefs (loop0): Doing compatible version > upgrade from 1.7: mi_btree_bitmap to 1.20: directory_size > [ 88.349815][T12039] running recovery passes: > check_allocations,check_extents_to_backpointers,check_inodes > [ 88.360566][T12039] bcachefs (loop0): error validating btree node on > loop0 at btree alloc level 0/0 > [ 88.360581][T12039] u64s 11 type btree_ptr_v2 SPOS_MAX len 0 ver 0: > seq 4fe84214937890c3 written 32 min_key POS_MIN durability: 1 ptr: > 0:26:0 gen 0 > [ 88.360589][T12039] node offset 8/32 bset u64s 375: 
checksum error, > type chacha20_poly1305_128: got 5125f248dce6c8583c1006bcb40e6d91 > should be 56f8c5dd15dee062262778682ebef4d2, shutting down > [ 88.367016][T12039] bcachefs (loop0): inconsistency detected - > emergency read only at journal seq 10 > [ 88.368285][T12039] bcachefs (loop0): flagging btree alloc lost data > [ 88.369242][T12039] bcachefs (loop0): running explicit recovery pass > check_topology (2), currently at recovery_pass_empty (0) > [ 88.370747][T12039] bcachefs (loop0): running explicit recovery pass > check_lrus (14), currently at recovery_pass_empty (0) > [ 88.372157][T12039] bcachefs (loop0): running explicit recovery pass > check_backpointers_to_extents (16), currently at recovery_pass_empty > (0) > [ 88.373924][T12039] bcachefs (loop0): running explicit recovery pass > check_alloc_info (13), currently at recovery_pass_empty (0) > [ 88.377400][T12039] error reading btree root btree=alloc level=0: > btree_node_read_error, fixing > [ 88.380073][T12039] > ================================================================== > [88.381083][T12039] BUG: KASAN: use-after-free in poly1305_update_arch > (/data/ghui/docker_data/linux_kernel/upstream/linux/arch/x86/crypto/poly1305_glue.c:198) > [ 88.382059][T12039] Read of size 8 at addr ffff8880496c7050 by task > syz.0.15/12039 > [ 88.383042][T12039] > [ 88.383346][T12039] CPU: 3 UID: 0 PID: 12039 Comm: syz.0.15 Not > tainted 6.14.0-rc7-00205-g586de92313fc #1 > [ 88.383357][T12039] Hardware name: QEMU Standard PC (i440FX + PIIX, > 1996), BIOS 1.15.0-1 04/01/2014 > [ 88.383363][T12039] Call Trace: > [ 88.383367][T12039] <TASK> > [88.383371][T12039] dump_stack_lvl > (/data/ghui/docker_data/linux_kernel/upstream/linux/lib/dump_stack.c:123) > [88.383385][T12039] print_report > (/data/ghui/docker_data/linux_kernel/upstream/linux/mm/kasan/report.c:409 > /data/ghui/docker_data/linux_kernel/upstream/linux/mm/kasan/report.c:521) > [88.383398][T12039] ? 
__phys_addr > (/data/ghui/docker_data/linux_kernel/upstream/linux/arch/x86/mm/physaddr.c:32 > (discriminator 4)) > [88.383408][T12039] ? poly1305_update_arch > (/data/ghui/docker_data/linux_kernel/upstream/linux/arch/x86/crypto/poly1305_glue.c:198) > [88.383420][T12039] ? poly1305_update_arch > (/data/ghui/docker_data/linux_kernel/upstream/linux/arch/x86/crypto/poly1305_glue.c:198) > [88.383432][T12039] kasan_report > (/data/ghui/docker_data/linux_kernel/upstream/linux/mm/kasan/report.c:636) > [88.383443][T12039] ? poly1305_update_arch > (/data/ghui/docker_data/linux_kernel/upstream/linux/arch/x86/crypto/poly1305_glue.c:196) > [88.383455][T12039] ? poly1305_update_arch > (/data/ghui/docker_data/linux_kernel/upstream/linux/arch/x86/crypto/poly1305_glue.c:198) > [88.383468][T12039] kasan_check_range > (/data/ghui/docker_data/linux_kernel/upstream/linux/mm/kasan/generic.c:183 > /data/ghui/docker_data/linux_kernel/upstream/linux/mm/kasan/generic.c:189) > [88.383481][T12039] __asan_memcpy > (/data/ghui/docker_data/linux_kernel/upstream/linux/mm/kasan/shadow.c:105) > [88.383490][T12039] poly1305_update_arch > (/data/ghui/docker_data/linux_kernel/upstream/linux/arch/x86/crypto/poly1305_glue.c:198) > [88.383503][T12039] crypto_poly1305_update > (/data/ghui/docker_data/linux_kernel/upstream/linux/arch/x86/crypto/poly1305_glue.c:232) > [88.383515][T12039] bch2_checksum > (/data/ghui/docker_data/linux_kernel/upstream/linux/fs/bcachefs/checksum.c:240) > [88.383527][T12039] ? __pfx_bch2_checksum > (/data/ghui/docker_data/linux_kernel/upstream/linux/fs/bcachefs/checksum.c:213) > [88.383539][T12039] ? rcu_is_watching > (/data/ghui/docker_data/linux_kernel/upstream/linux/./include/linux/context_tracking.h:128 > /data/ghui/docker_data/linux_kernel/upstream/linux/kernel/rcu/tree.c:716) > [88.383550][T12039] ? 
kfree > (/data/ghui/docker_data/linux_kernel/upstream/linux/./include/trace/events/kmem.h:94 > /data/ghui/docker_data/linux_kernel/upstream/linux/mm/slub.c:4744) > [88.383566][T12039] ? bch2_journal_seq_is_blacklisted > (/data/ghui/docker_data/linux_kernel/upstream/linux/fs/bcachefs/journal_seq_blacklist.c:131) > [88.383580][T12039] bch2_btree_node_read_done > (/data/ghui/docker_data/linux_kernel/upstream/linux/fs/bcachefs/btree_io.c:1130) > [88.383598][T12039] ? bch2_bkey_pick_read_device > (/data/ghui/docker_data/linux_kernel/upstream/linux/./include/linux/rcupdate.h:347 > /data/ghui/docker_data/linux_kernel/upstream/linux/./include/linux/rcupdate.h:880 > /data/ghui/docker_data/linux_kernel/upstream/linux/fs/bcachefs/extents.c:173) > [88.383611][T12039] ? __pfx_bch2_btree_node_read_done > (/data/ghui/docker_data/linux_kernel/upstream/linux/fs/bcachefs/btree_io.c:1009) > [88.383625][T12039] ? bch2_bkey_pick_read_device > (/data/ghui/docker_data/linux_kernel/upstream/linux/fs/bcachefs/extents.c:119) > [88.383634][T12039] ? __pfx___lock_acquire > (/data/ghui/docker_data/linux_kernel/upstream/linux/kernel/locking/lockdep.c:5079) > [88.383650][T12039] ? __pfx_bch2_bkey_pick_read_device > (/data/ghui/docker_data/linux_kernel/upstream/linux/fs/bcachefs/extents.c:119) > [88.383661][T12039] ? bch2_mark_io_failure > (/data/ghui/docker_data/linux_kernel/upstream/linux/fs/bcachefs/extents.c:61 > (discriminator 2)) > [88.383672][T12039] ? btree_node_read_work > (/data/ghui/docker_data/linux_kernel/upstream/linux/fs/bcachefs/btree_io.c:1357 > (discriminator 1)) > [88.383680][T12039] btree_node_read_work > (/data/ghui/docker_data/linux_kernel/upstream/linux/fs/bcachefs/btree_io.c:1357 > (discriminator 1)) > [88.383688][T12039] ? lockdep_hardirqs_on > (/data/ghui/docker_data/linux_kernel/upstream/linux/kernel/locking/lockdep.c:4470) > [88.383702][T12039] ? 
__pfx_btree_node_read_work > (/data/ghui/docker_data/linux_kernel/upstream/linux/fs/bcachefs/btree_io.c:1312) > [88.383711][T12039] ? bch2_latency_acct > (/data/ghui/docker_data/linux_kernel/upstream/linux/fs/bcachefs/io_write.c:66) > [88.383723][T12039] ? __pfx_bch2_latency_acct > (/data/ghui/docker_data/linux_kernel/upstream/linux/fs/bcachefs/io_write.c:66) > [88.383735][T12039] bch2_btree_node_read > (/data/ghui/docker_data/linux_kernel/upstream/linux/fs/bcachefs/btree_io.c:1748) > [88.383745][T12039] ? __pfx_bch2_btree_node_read > (/data/ghui/docker_data/linux_kernel/upstream/linux/fs/bcachefs/btree_io.c:1685) > [88.383753][T12039] ? find_held_lock > (/data/ghui/docker_data/linux_kernel/upstream/linux/kernel/locking/lockdep.c:5341) > [88.383765][T12039] ? __pfx_lock_release > (/data/ghui/docker_data/linux_kernel/upstream/linux/kernel/locking/lockdep.c:5859) > [88.383777][T12039] ? __bch2_trans_unlock > (/data/ghui/docker_data/linux_kernel/upstream/linux/fs/bcachefs/btree_iter.h:111 > /data/ghui/docker_data/linux_kernel/upstream/linux/fs/bcachefs/btree_locking.c:725) > [88.383787][T12039] ? __pfx_bch2_btree_cache_cmp_fn > (/data/ghui/docker_data/linux_kernel/upstream/linux/fs/bcachefs/btree_cache.c:135) > [88.383799][T12039] bch2_btree_root_read > (/data/ghui/docker_data/linux_kernel/upstream/linux/./include/linux/instrumented.h:68 > /data/ghui/docker_data/linux_kernel/upstream/linux/./include/asm-generic/bitops/instrumented-non-atomic.h:141 > /data/ghui/docker_data/linux_kernel/upstream/linux/fs/bcachefs/btree_types.h:628 > /data/ghui/docker_data/linux_kernel/upstream/linux/fs/bcachefs/btree_io.c:1791 > /data/ghui/docker_data/linux_kernel/upstream/linux/fs/bcachefs/btree_io.c:1811) > [88.383808][T12039] ? __pfx___mutex_unlock_slowpath > (/data/ghui/docker_data/linux_kernel/upstream/linux/kernel/locking/mutex.c:885) > [88.383820][T12039] ? 
__pfx_bch2_btree_root_read > (/data/ghui/docker_data/linux_kernel/upstream/linux/fs/bcachefs/btree_io.c:1810) > [88.383832][T12039] bch2_fs_recovery > (/data/ghui/docker_data/linux_kernel/upstream/linux/fs/bcachefs/recovery.c:581 > /data/ghui/docker_data/linux_kernel/upstream/linux/fs/bcachefs/recovery.c:928) > [88.383848][T12039] ? __pfx_bch2_fs_recovery > (/data/ghui/docker_data/linux_kernel/upstream/linux/fs/bcachefs/recovery.c:699) > [88.383863][T12039] ? bch2_get_next_online_dev > (/data/ghui/docker_data/linux_kernel/upstream/linux/./include/linux/rcupdate.h:347 > /data/ghui/docker_data/linux_kernel/upstream/linux/./include/linux/rcupdate.h:880 > /data/ghui/docker_data/linux_kernel/upstream/linux/fs/bcachefs/sb-members.h:157) > [88.383874][T12039] ? __pfx_lock_release > (/data/ghui/docker_data/linux_kernel/upstream/linux/kernel/locking/lockdep.c:5859) > [88.383889][T12039] ? bch2_get_next_online_dev > (/data/ghui/docker_data/linux_kernel/upstream/linux/fs/bcachefs/sb-members.h:160) > [88.383900][T12039] ? llist_reverse_order > (/data/ghui/docker_data/linux_kernel/upstream/linux/lib/llist.c:115) > [88.383915][T12039] ? __closure_wake_up > (/data/ghui/docker_data/linux_kernel/upstream/linux/lib/closure.c:89) > [88.383925][T12039] bch2_fs_start > (/data/ghui/docker_data/linux_kernel/upstream/linux/fs/bcachefs/super.c:1041) > [88.383940][T12039] bch2_fs_get_tree > (/data/ghui/docker_data/linux_kernel/upstream/linux/fs/bcachefs/fs.c:2204) > [88.383950][T12039] ? __pfx_bch2_fs_get_tree > (/data/ghui/docker_data/linux_kernel/upstream/linux/fs/bcachefs/fs.c:2160) > [88.383958][T12039] ? lock_acquire > (/data/ghui/docker_data/linux_kernel/upstream/linux/kernel/locking/lockdep.c:5824) > [88.383974][T12039] ? rcu_is_watching > (/data/ghui/docker_data/linux_kernel/upstream/linux/./include/linux/context_tracking.h:128 > /data/ghui/docker_data/linux_kernel/upstream/linux/kernel/rcu/tree.c:716) > [88.383986][T12039] ? 
bpf_lsm_capable > (/data/ghui/docker_data/linux_kernel/upstream/linux/./include/linux/lsm_hook_defs.h:44) > [88.383999][T12039] ? security_capable > (/data/ghui/docker_data/linux_kernel/upstream/linux/security/security.c:1143 > (discriminator 120)) > [88.384013][T12039] vfs_get_tree > (/data/ghui/docker_data/linux_kernel/upstream/linux/fs/super.c:1815) > [88.384027][T12039] path_mount > (/data/ghui/docker_data/linux_kernel/upstream/linux/fs/namespace.c:3561 > /data/ghui/docker_data/linux_kernel/upstream/linux/fs/namespace.c:3887) > [88.384039][T12039] ? kmem_cache_free > (/data/ghui/docker_data/linux_kernel/upstream/linux/mm/slub.c:4609 > /data/ghui/docker_data/linux_kernel/upstream/linux/mm/slub.c:4711) > [88.384048][T12039] ? __pfx_path_mount > (/data/ghui/docker_data/linux_kernel/upstream/linux/fs/namespace.c:3814) > [88.384060][T12039] ? putname.part.0 > (/data/ghui/docker_data/linux_kernel/upstream/linux/fs/namei.c:297) > [88.384073][T12039] __x64_sys_mount > (/data/ghui/docker_data/linux_kernel/upstream/linux/fs/namespace.c:3901 > /data/ghui/docker_data/linux_kernel/upstream/linux/fs/namespace.c:4111 > /data/ghui/docker_data/linux_kernel/upstream/linux/fs/namespace.c:4088 > /data/ghui/docker_data/linux_kernel/upstream/linux/fs/namespace.c:4088) > [88.384084][T12039] ? 
__pfx___x64_sys_mount > (/data/ghui/docker_data/linux_kernel/upstream/linux/fs/namespace.c:4088) > [88.384097][T12039] do_syscall_64 > (/data/ghui/docker_data/linux_kernel/upstream/linux/arch/x86/entry/common.c:52 > /data/ghui/docker_data/linux_kernel/upstream/linux/arch/x86/entry/common.c:83) > [88.384109][T12039] entry_SYSCALL_64_after_hwframe > (/data/ghui/docker_data/linux_kernel/upstream/linux/arch/x86/entry/entry_64.S:130) > [ 88.384123][T12039] RIP: 0033:0x7f7c16f9e49e > [ 88.384131][T12039] Code: 48 c7 c0 ff ff ff ff eb aa e8 5e 20 00 00 > 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 f3 0f 1e fa 49 89 ca b8 a5 > 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 > 64 89 01 48 > All code > ======== > 0: 48 c7 c0 ff ff ff ff mov $0xffffffffffffffff,%rax > 7: eb aa jmp 0xffffffffffffffb3 > 9: e8 5e 20 00 00 call 0x206c > e: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1) > 15: 00 00 00 > 18: 0f 1f 40 00 nopl 0x0(%rax) > 1c: f3 0f 1e fa endbr64 > 20: 49 89 ca mov %rcx,%r10 > 23: b8 a5 00 00 00 mov $0xa5,%eax > 28: 0f 05 syscall > 2a:* 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax <-- trapping instruction > 30: 73 01 jae 0x33 > 32: c3 ret > 33: 48 c7 c1 a8 ff ff ff mov $0xffffffffffffffa8,%rcx > 3a: f7 d8 neg %eax > 3c: 64 89 01 mov %eax,%fs:(%rcx) > 3f: 48 rex.W > > Code starting with the faulting instruction > =========================================== > 0: 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax > 6: 73 01 jae 0x9 > 8: c3 ret > 9: 48 c7 c1 a8 ff ff ff mov $0xffffffffffffffa8,%rcx > 10: f7 d8 neg %eax > 12: 64 89 01 mov %eax,%fs:(%rcx) > 15: 48 rex.W > [ 88.384140][T12039] RSP: 002b:00007f7c17ce4da8 EFLAGS: 00000246 > ORIG_RAX: 00000000000000a5 > [ 88.384149][T12039] RAX: ffffffffffffffda RBX: 00000000000119f4 RCX: > 00007f7c16f9e49e > [ 88.384156][T12039] RDX: 0000000020011a00 RSI: 0000000020000000 RDI: > 00007f7c17ce4e00 > [ 88.384162][T12039] RBP: 00007f7c17ce4e40 R08: 00007f7c17ce4e40 R09: > 0000000000000000 > [ 88.384167][T12039] 
R10: 0000000000000000 R11: 0000000000000246 R12: > 0000000020011a00 > [ 88.384173][T12039] R13: 0000000020000000 R14: 00007f7c17ce4e00 R15: > 0000000020000100 > [ 88.384195][T12039] </TASK> > [ 88.384198][T12039] > [ 88.434820][T12039] The buggy address belongs to the physical page: > [ 88.435543][T12039] page: refcount:0 mapcount:0 > mapping:0000000000000000 index:0x0 pfn:0x496c7 > [ 88.436519][T12039] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) > [ 88.437336][T12039] raw: 00fff00000000000 0000000000000000 > dead000000000122 0000000000000000 > [ 88.438312][T12039] raw: 0000000000000000 0000000000000000 > 00000000ffffffff 0000000000000000 > [ 88.439298][T12039] page dumped because: kasan: bad access detected > [ 88.440027][T12039] page_owner tracks the page as freed > [ 88.440651][T12039] page last allocated via order 5, migratetype > Reclaimable, gfp_mask > 0x452cd0(GFP_KERNEL_ACCOUNT|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_RECLAIMABLE), > pid 12039, tgid 12038 (syz.0.15), ts 88328445083, free_ts 88379542461 > [88.443083][T12039] post_alloc_hook > (/data/ghui/docker_data/linux_kernel/upstream/linux/./include/linux/page_owner.h:32 > /data/ghui/docker_data/linux_kernel/upstream/linux/mm/page_alloc.c:1551) > [88.443647][T12039] get_page_from_freelist > (/data/ghui/docker_data/linux_kernel/upstream/linux/mm/page_alloc.c:1561 > /data/ghui/docker_data/linux_kernel/upstream/linux/mm/page_alloc.c:3477) > [88.444281][T12039] __alloc_frozen_pages_noprof > (/data/ghui/docker_data/linux_kernel/upstream/linux/mm/page_alloc.c:4741) > [88.444952][T12039] __alloc_pages_noprof > (/data/ghui/docker_data/linux_kernel/upstream/linux/mm/page_alloc.c:4775) > [88.445534][T12039] ___kmalloc_large_node > (/data/ghui/docker_data/linux_kernel/upstream/linux/mm/slub.c:4232) > [88.446133][T12039] __kmalloc_large_node_noprof > (/data/ghui/docker_data/linux_kernel/upstream/linux/./arch/x86/include/asm/bitops.h:417 > 
> /data/ghui/docker_data/linux_kernel/upstream/linux/./include/asm-generic/getorder.h:46
> /data/ghui/docker_data/linux_kernel/upstream/linux/mm/slub.c:4268)
> [88.446800][T12039] __kmalloc_node_noprof
> (/data/ghui/docker_data/linux_kernel/upstream/linux/./arch/x86/include/asm/bitops.h:417
> /data/ghui/docker_data/linux_kernel/upstream/linux/./include/asm-generic/getorder.h:46
> /data/ghui/docker_data/linux_kernel/upstream/linux/mm/slub.c:4284
> /data/ghui/docker_data/linux_kernel/upstream/linux/mm/slub.c:4300)
> [88.447416][T12039] __kvmalloc_node_noprof
> (/data/ghui/docker_data/linux_kernel/upstream/linux/mm/util.c:668)
> [88.448024][T12039] btree_node_data_alloc.constprop.0
> (/data/ghui/docker_data/linux_kernel/upstream/linux/fs/bcachefs/btree_cache.c:156)
> [88.448747][T12039] __bch2_btree_node_mem_alloc
> (/data/ghui/docker_data/linux_kernel/upstream/linux/fs/bcachefs/btree_cache.c:201)
> [88.449392][T12039] bch2_fs_btree_cache_init
> (/data/ghui/docker_data/linux_kernel/upstream/linux/fs/bcachefs/btree_cache.c:655)
> [88.450026][T12039] bch2_fs_alloc
> (/data/ghui/docker_data/linux_kernel/upstream/linux/fs/bcachefs/super.c:919)
> [88.450582][T12039] bch2_fs_open
> (/data/ghui/docker_data/linux_kernel/upstream/linux/./include/linux/err.h:116
> /data/ghui/docker_data/linux_kernel/upstream/linux/fs/bcachefs/super.c:2066)
> [88.451115][T12039] bch2_fs_get_tree
> (/data/ghui/docker_data/linux_kernel/upstream/linux/./include/linux/err.h:116
> /data/ghui/docker_data/linux_kernel/upstream/linux/fs/bcachefs/fs.c:2191)
> [88.451702][T12039] vfs_get_tree
> (/data/ghui/docker_data/linux_kernel/upstream/linux/fs/super.c:1815)
> [88.452226][T12039] path_mount
> (/data/ghui/docker_data/linux_kernel/upstream/linux/fs/namespace.c:3561
> /data/ghui/docker_data/linux_kernel/upstream/linux/fs/namespace.c:3887)
> [ 88.452735][T12039] page last free pid 12039 tgid 12038 stack trace:
> [88.453481][T12039] __free_pages_ok
> (/data/ghui/docker_data/linux_kernel/upstream/linux/./include/linux/page_owner.h:25
> /data/ghui/docker_data/linux_kernel/upstream/linux/mm/page_alloc.c:1127
> /data/ghui/docker_data/linux_kernel/upstream/linux/mm/page_alloc.c:1271)
> [88.454058][T12039] __folio_put
> (/data/ghui/docker_data/linux_kernel/upstream/linux/mm/swap.c:112)
> [88.454577][T12039] kvfree
> (/data/ghui/docker_data/linux_kernel/upstream/linux/mm/util.c:709)
> [88.455012][T12039] bch2_btree_node_read_done
> (/data/ghui/docker_data/linux_kernel/upstream/linux/fs/bcachefs/btree_io.c:111
> /data/ghui/docker_data/linux_kernel/upstream/linux/fs/bcachefs/btree_io.c:1243)
> [88.455689][T12039] btree_node_read_work
> (/data/ghui/docker_data/linux_kernel/upstream/linux/fs/bcachefs/btree_io.c:1357
> (discriminator 1))
> [88.456291][T12039] bch2_btree_node_read
> (/data/ghui/docker_data/linux_kernel/upstream/linux/fs/bcachefs/btree_io.c:1748)
> [88.456878][T12039] bch2_btree_root_read
> (/data/ghui/docker_data/linux_kernel/upstream/linux/./include/linux/instrumented.h:68
> /data/ghui/docker_data/linux_kernel/upstream/linux/./include/asm-generic/bitops/instrumented-non-atomic.h:141
> /data/ghui/docker_data/linux_kernel/upstream/linux/fs/bcachefs/btree_types.h:628
> /data/ghui/docker_data/linux_kernel/upstream/linux/fs/bcachefs/btree_io.c:1791
> /data/ghui/docker_data/linux_kernel/upstream/linux/fs/bcachefs/btree_io.c:1811)
> [88.457472][T12039] bch2_fs_recovery
> (/data/ghui/docker_data/linux_kernel/upstream/linux/fs/bcachefs/recovery.c:581
> /data/ghui/docker_data/linux_kernel/upstream/linux/fs/bcachefs/recovery.c:928)
> [88.458035][T12039] bch2_fs_start
> (/data/ghui/docker_data/linux_kernel/upstream/linux/fs/bcachefs/super.c:1041)
> [88.458565][T12039] bch2_fs_get_tree
> (/data/ghui/docker_data/linux_kernel/upstream/linux/fs/bcachefs/fs.c:2204)
> [88.459139][T12039] vfs_get_tree
> (/data/ghui/docker_data/linux_kernel/upstream/linux/fs/super.c:1815)
> [88.459647][T12039] path_mount
> (/data/ghui/docker_data/linux_kernel/upstream/linux/fs/namespace.c:3561
> /data/ghui/docker_data/linux_kernel/upstream/linux/fs/namespace.c:3887)
> [88.460144][T12039] __x64_sys_mount
> (/data/ghui/docker_data/linux_kernel/upstream/linux/fs/namespace.c:3901
> /data/ghui/docker_data/linux_kernel/upstream/linux/fs/namespace.c:4111
> /data/ghui/docker_data/linux_kernel/upstream/linux/fs/namespace.c:4088
> /data/ghui/docker_data/linux_kernel/upstream/linux/fs/namespace.c:4088)
> [88.460722][T12039] do_syscall_64
> (/data/ghui/docker_data/linux_kernel/upstream/linux/arch/x86/entry/common.c:52
> /data/ghui/docker_data/linux_kernel/upstream/linux/arch/x86/entry/common.c:83)
> [88.461243][T12039] entry_SYSCALL_64_after_hwframe
> (/data/ghui/docker_data/linux_kernel/upstream/linux/arch/x86/entry/entry_64.S:130)
> [ 88.461903][T12039]
> [ 88.462174][T12039] Memory state around the buggy address:
> [ 88.462801][T12039]  ffff8880496c6f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> [ 88.463717][T12039]  ffff8880496c6f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> [ 88.464735][T12039] >ffff8880496c7000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> [ 88.465763][T12039]                    ^
> [ 88.466619][T12039]  ffff8880496c7080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> [ 88.467647][T12039]  ffff8880496c7100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> [ 88.468677][T12039] ==================================================================
> [ 88.469819][T12039] Kernel panic - not syncing: KASAN: panic_on_warn set ...
> [ 88.470749][T12039] CPU: 3 UID: 0 PID: 12039 Comm: syz.0.15 Not tainted 6.14.0-rc7-00205-g586de92313fc #1
> [ 88.471966][T12039] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
> [ 88.473133][T12039] Call Trace:
> [T12039]  <TASK>
> [88.474112][T12039] dump_stack_lvl
> (/data/ghui/docker_data/linux_kernel/upstream/linux/lib/dump_stack.c:124
> (discriminator 7))
> Message from syslogd@syzkaller at Mar 24 11:50:?? ...
>  kernel:[ 88.469819][T12039] Kernel panic - not syncing: KASAN: panic_on_warn set ...
> [ 88.474971][T12039] panic+0x6fd/0x7b0
> [ 88.475612][T12039] ? mark_held_locks
> (/data/ghui/docker_data/linux_kernel/upstream/linux/kernel/locking/lockdep.c:4323)
> [ 88.476402][T12039] ? __pfx_panic
> (/data/ghui/docker_data/linux_kernel/upstream/linux/kernel/panic.c:288)
> [T12039] ? irqentry_exit
> (/data/ghui/docker_data/linux_kernel/upstream/linux/kernel/entry/common.c:358)
> [ 88.477856][T12039] ? lockdep_hardirqs_on
> (/data/ghui/docker_data/linux_kernel/upstream/linux/kernel/locking/lockdep.c:4470)
> [ 88.478666][T12039] ? check_panic_on_warn
> (/data/ghui/docker_data/linux_kernel/upstream/linux/kernel/panic.c:242)
> [ 88.479454][T12039] check_panic_on_warn
> (/data/ghui/docker_data/linux_kernel/upstream/linux/kernel/panic.c:243)
> [ 88.480249][T12039] end_report
> (/data/ghui/docker_data/linux_kernel/upstream/linux/mm/kasan/report.c:227)
> [ 88.480976][T12039] ? poly1305_update_arch
> (/data/ghui/docker_data/linux_kernel/upstream/linux/arch/x86/crypto/poly1305_glue.c:198)
> [88.481811][T12039] kasan_report
> (/data/ghui/docker_data/linux_kernel/upstream/linux/./arch/x86/include/asm/smap.h:52
> /data/ghui/docker_data/linux_kernel/upstream/linux/mm/kasan/report.c:639)
> [88.482363][T12039] ? poly1305_update_arch
> (/data/ghui/docker_data/linux_kernel/upstream/linux/arch/x86/crypto/poly1305_glue.c:196)
> [88.483019][T12039] ? poly1305_update_arch
> (/data/ghui/docker_data/linux_kernel/upstream/linux/arch/x86/crypto/poly1305_glue.c:198)
> [88.483664][T12039] kasan_check_range
> (/data/ghui/docker_data/linux_kernel/upstream/linux/mm/kasan/generic.c:183
> /data/ghui/docker_data/linux_kernel/upstream/linux/mm/kasan/generic.c:189)
> [88.484229][T12039] __asan_memcpy
> (/data/ghui/docker_data/linux_kernel/upstream/linux/mm/kasan/shadow.c:105)
> [88.484735][T12039] poly1305_update_arch
> (/data/ghui/docker_data/linux_kernel/upstream/linux/arch/x86/crypto/poly1305_glue.c:198)
> [88.485333][T12039] crypto_poly1305_update
> (/data/ghui/docker_data/linux_kernel/upstream/linux/arch/x86/crypto/poly1305_glue.c:232)
> [88.485922][T12039] bch2_checksum
> (/data/ghui/docker_data/linux_kernel/upstream/linux/fs/bcachefs/checksum.c:240)
> [88.486453][T12039] ? __pfx_bch2_checksum
> (/data/ghui/docker_data/linux_kernel/upstream/linux/fs/bcachefs/checksum.c:213)
> [88.487035][T12039] ? rcu_is_watching
> (/data/ghui/docker_data/linux_kernel/upstream/linux/./include/linux/context_tracking.h:128
> /data/ghui/docker_data/linux_kernel/upstream/linux/kernel/rcu/tree.c:716)
> [88.487588][T12039] ? kfree
> (/data/ghui/docker_data/linux_kernel/upstream/linux/./include/trace/events/kmem.h:94
> /data/ghui/docker_data/linux_kernel/upstream/linux/mm/slub.c:4744)
> [88.488064][T12039] ? bch2_journal_seq_is_blacklisted
> (/data/ghui/docker_data/linux_kernel/upstream/linux/fs/bcachefs/journal_seq_blacklist.c:131)
> [88.488806][T12039] bch2_btree_node_read_done
> (/data/ghui/docker_data/linux_kernel/upstream/linux/fs/bcachefs/btree_io.c:1130)
> [88.489490][T12039] ? bch2_bkey_pick_read_device
> (/data/ghui/docker_data/linux_kernel/upstream/linux/./include/linux/rcupdate.h:347
> /data/ghui/docker_data/linux_kernel/upstream/linux/./include/linux/rcupdate.h:880
> /data/ghui/docker_data/linux_kernel/upstream/linux/fs/bcachefs/extents.c:173)
> [88.490261][T12039] ? __pfx_bch2_btree_node_read_done
> (/data/ghui/docker_data/linux_kernel/upstream/linux/fs/bcachefs/btree_io.c:1009)
> [88.491058][T12039] ? bch2_bkey_pick_read_device
> (/data/ghui/docker_data/linux_kernel/upstream/linux/fs/bcachefs/extents.c:119)
> [88.491835][T12039] ? __pfx___lock_acquire
> (/data/ghui/docker_data/linux_kernel/upstream/linux/kernel/locking/lockdep.c:5079)
> [88.492511][T12039] ? __pfx_bch2_bkey_pick_read_device
> (/data/ghui/docker_data/linux_kernel/upstream/linux/fs/bcachefs/extents.c:119)
> [88.493328][T12039] ? bch2_mark_io_failure
> (/data/ghui/docker_data/linux_kernel/upstream/linux/fs/bcachefs/extents.c:61
> (discriminator 2))
> [88.494005][T12039] ? btree_node_read_work
> (/data/ghui/docker_data/linux_kernel/upstream/linux/fs/bcachefs/btree_io.c:1357
> (discriminator 1))
> [88.494747][T12039] btree_node_read_work
> (/data/ghui/docker_data/linux_kernel/upstream/linux/fs/bcachefs/btree_io.c:1357
> (discriminator 1))
> [88.495440][T12039] ? lockdep_hardirqs_on
> (/data/ghui/docker_data/linux_kernel/upstream/linux/kernel/locking/lockdep.c:4470)
> [88.496116][T12039] ? __pfx_btree_node_read_work
> (/data/ghui/docker_data/linux_kernel/upstream/linux/fs/bcachefs/btree_io.c:1312)
> [88.496858][T12039] ? bch2_latency_acct
> (/data/ghui/docker_data/linux_kernel/upstream/linux/fs/bcachefs/io_write.c:66)
> [88.497530][T12039] ? __pfx_bch2_latency_acct
> (/data/ghui/docker_data/linux_kernel/upstream/linux/fs/bcachefs/io_write.c:66)
> [88.498248][T12039] bch2_btree_node_read
> (/data/ghui/docker_data/linux_kernel/upstream/linux/fs/bcachefs/btree_io.c:1748)
> [88.498921][T12039] ? __pfx_bch2_btree_node_read
> (/data/ghui/docker_data/linux_kernel/upstream/linux/fs/bcachefs/btree_io.c:1685)
> [88.499664][T12039] ? find_held_lock
> (/data/ghui/docker_data/linux_kernel/upstream/linux/kernel/locking/lockdep.c:5341)
> [88.500290][T12039] ? __pfx_lock_release
> (/data/ghui/docker_data/linux_kernel/upstream/linux/kernel/locking/lockdep.c:5859)
> [88.500940][T12039] ? __bch2_trans_unlock
> (/data/ghui/docker_data/linux_kernel/upstream/linux/fs/bcachefs/btree_iter.h:111
> /data/ghui/docker_data/linux_kernel/upstream/linux/fs/bcachefs/btree_locking.c:725)
> [88.501616][T12039] ? __pfx_bch2_btree_cache_cmp_fn
> (/data/ghui/docker_data/linux_kernel/upstream/linux/fs/bcachefs/btree_cache.c:135)
> [88.502392][T12039] bch2_btree_root_read
> (/data/ghui/docker_data/linux_kernel/upstream/linux/./include/linux/instrumented.h:68
> /data/ghui/docker_data/linux_kernel/upstream/linux/./include/asm-generic/bitops/instrumented-non-atomic.h:141
> /data/ghui/docker_data/linux_kernel/upstream/linux/fs/bcachefs/btree_types.h:628
> /data/ghui/docker_data/linux_kernel/upstream/linux/fs/bcachefs/btree_io.c:1791
> /data/ghui/docker_data/linux_kernel/upstream/linux/fs/bcachefs/btree_io.c:1811)
> [88.503064][T12039] ? __pfx___mutex_unlock_slowpath
> (/data/ghui/docker_data/linux_kernel/upstream/linux/kernel/locking/mutex.c:885)
> [88.503849][T12039] ? __pfx_bch2_btree_root_read
> (/data/ghui/docker_data/linux_kernel/upstream/linux/fs/bcachefs/btree_io.c:1810)
> [88.504562][T12039] bch2_fs_recovery
> (/data/ghui/docker_data/linux_kernel/upstream/linux/fs/bcachefs/recovery.c:581
> /data/ghui/docker_data/linux_kernel/upstream/linux/fs/bcachefs/recovery.c:928)
> [88.505228][T12039] ? __pfx_bch2_fs_recovery
> (/data/ghui/docker_data/linux_kernel/upstream/linux/fs/bcachefs/recovery.c:699)
> [88.505862][T12039] ? bch2_get_next_online_dev
> (/data/ghui/docker_data/linux_kernel/upstream/linux/./include/linux/rcupdate.h:347
> /data/ghui/docker_data/linux_kernel/upstream/linux/./include/linux/rcupdate.h:880
> /data/ghui/docker_data/linux_kernel/upstream/linux/fs/bcachefs/sb-members.h:157)
> [88.506608][T12039] ? __pfx_lock_release
> (/data/ghui/docker_data/linux_kernel/upstream/linux/kernel/locking/lockdep.c:5859)
> [88.507271][T12039] ? bch2_get_next_online_dev
> (/data/ghui/docker_data/linux_kernel/upstream/linux/fs/bcachefs/sb-members.h:160)
> [88.508010][T12039] ? llist_reverse_order
> (/data/ghui/docker_data/linux_kernel/upstream/linux/lib/llist.c:115)
> [88.508649][T12039] ? __closure_wake_up
> (/data/ghui/docker_data/linux_kernel/upstream/linux/lib/closure.c:89)
> [88.509258][T12039] bch2_fs_start
> (/data/ghui/docker_data/linux_kernel/upstream/linux/fs/bcachefs/super.c:1041)
> [88.509806][T12039] bch2_fs_get_tree
> (/data/ghui/docker_data/linux_kernel/upstream/linux/fs/bcachefs/fs.c:2204)
> [88.510403][T12039] ? __pfx_bch2_fs_get_tree
> (/data/ghui/docker_data/linux_kernel/upstream/linux/fs/bcachefs/fs.c:2160)
> [88.511023][T12039] ? lock_acquire
> (/data/ghui/docker_data/linux_kernel/upstream/linux/kernel/locking/lockdep.c:5824)
> [88.511565][T12039] ? rcu_is_watching
> (/data/ghui/docker_data/linux_kernel/upstream/linux/./include/linux/context_tracking.h:128
> /data/ghui/docker_data/linux_kernel/upstream/linux/kernel/rcu/tree.c:716)
> [88.512125][T12039] ? bpf_lsm_capable
> (/data/ghui/docker_data/linux_kernel/upstream/linux/./include/linux/lsm_hook_defs.h:44)
> [88.512683][T12039] ? security_capable
> (/data/ghui/docker_data/linux_kernel/upstream/linux/security/security.c:1143
> (discriminator 120))
> [88.513382][T12039] vfs_get_tree
> (/data/ghui/docker_data/linux_kernel/upstream/linux/fs/super.c:1815)
> [88.513927][T12039] path_mount
> (/data/ghui/docker_data/linux_kernel/upstream/linux/fs/namespace.c:3561
> /data/ghui/docker_data/linux_kernel/upstream/linux/fs/namespace.c:3887)
> [88.514518][T12039] ? kmem_cache_free
> (/data/ghui/docker_data/linux_kernel/upstream/linux/mm/slub.c:4609
> /data/ghui/docker_data/linux_kernel/upstream/linux/mm/slub.c:4711)
> [88.515169][T12039] ? __pfx_path_mount
> (/data/ghui/docker_data/linux_kernel/upstream/linux/fs/namespace.c:3814)
> [88.515828][T12039] ? putname.part.0
> (/data/ghui/docker_data/linux_kernel/upstream/linux/fs/namei.c:297)
> [88.516481][T12039] __x64_sys_mount
> (/data/ghui/docker_data/linux_kernel/upstream/linux/fs/namespace.c:3901
> /data/ghui/docker_data/linux_kernel/upstream/linux/fs/namespace.c:4111
> /data/ghui/docker_data/linux_kernel/upstream/linux/fs/namespace.c:4088
> /data/ghui/docker_data/linux_kernel/upstream/linux/fs/namespace.c:4088)
> [88.517116][T12039] ? __pfx___x64_sys_mount
> (/data/ghui/docker_data/linux_kernel/upstream/linux/fs/namespace.c:4088)
> [88.517828][T12039] do_syscall_64
> (/data/ghui/docker_data/linux_kernel/upstream/linux/arch/x86/entry/common.c:52
> /data/ghui/docker_data/linux_kernel/upstream/linux/arch/x86/entry/common.c:83)
> [88.518441][T12039] entry_SYSCALL_64_after_hwframe
> (/data/ghui/docker_data/linux_kernel/upstream/linux/arch/x86/entry/entry_64.S:130)
> [ 88.519229][T12039] RIP: 0033:0x7f7c16f9e49e
> [ 88.519814][T12039] Code: 48 c7 c0 ff ff ff ff eb aa e8 5e 20 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
> All code
> ========
>    0:   48 c7 c0 ff ff ff ff    mov    $0xffffffffffffffff,%rax
>    7:   eb aa                   jmp    0xffffffffffffffb3
>    9:   e8 5e 20 00 00          call   0x206c
>    e:   66 2e 0f 1f 84 00 00    cs nopw 0x0(%rax,%rax,1)
>   15:   00 00 00
>   18:   0f 1f 40 00             nopl   0x0(%rax)
>   1c:   f3 0f 1e fa             endbr64
>   20:   49 89 ca                mov    %rcx,%r10
>   23:   b8 a5 00 00 00          mov    $0xa5,%eax
>   28:   0f 05                   syscall
>   2a:*  48 3d 01 f0 ff ff       cmp    $0xfffffffffffff001,%rax    <-- trapping instruction
>   30:   73 01                   jae    0x33
>   32:   c3                      ret
>   33:   48 c7 c1 a8 ff ff ff    mov    $0xffffffffffffffa8,%rcx
>   3a:   f7 d8                   neg    %eax
>   3c:   64 89 01                mov    %eax,%fs:(%rcx)
>   3f:   48                      rex.W
>
> Code starting with the faulting instruction
> ===========================================
>    0:   48 3d 01 f0 ff ff       cmp    $0xfffffffffffff001,%rax
>    6:   73 01                   jae    0x9
>    8:   c3                      ret
>    9:   48 c7 c1 a8 ff ff ff    mov    $0xffffffffffffffa8,%rcx
>   10:   f7 d8                   neg    %eax
>   12:   64 89 01                mov    %eax,%fs:(%rcx)
>   15:   48                      rex.W
> [ 88.522326][T12039] RSP: 002b:00007f7c17ce4da8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
> [ 88.523371][T12039] RAX: ffffffffffffffda RBX: 00000000000119f4 RCX: 00007f7c16f9e49e
> [ 88.524293][T12039] RDX: 0000000020011a00 RSI: 0000000020000000 RDI: 00007f7c17ce4e00
> [ 88.525203][T12039] RBP: 00007f7c17ce4e40 R08: 00007f7c17ce4e40 R09: 0000000000000000
> [ 88.526106][T12039] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000020011a00
> [ 88.527079][T12039] R13: 0000000020000000 R14: 00007f7c17ce4e00 R15: 0000000020000100
> [ 88.528111][T12039]  </TASK>
> [ 88.528793][T12039] Kernel Offset: disabled
> [ 88.529305][T12039] Rebooting in 86400 seconds..
>
> --
> To view this discussion visit
> https://groups.google.com/d/msgid/syzkaller-bugs/CAHOo4gLWAbArwg%2Bw%2BAqqkxGmOFX6cm8Tvy85tb4igN6V7Z9BZQ%40mail.gmail.com.
