On 2017/11/21 16:35, syzbot wrote:
> Hello,
> 
> syzkaller hit the following crash on ca91659962303d4fd5211a5e4e13df5cbb11e744
> git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/master
> compiler: gcc (GCC) 7.1.1 20170620
> .config is attached
> Raw console output is attached.
> 
> Unfortunately, I don't have any reproducer for this bug yet.

Fault injection found an unchecked register_shrinker() return code.
Wow, register_shrinker()/unregister_shrinker() is possibly a frequently called 
path?


struct super_block *sget_userns(struct file_system_type *type,
                                int (*test)(struct super_block *,void *),
                                int (*set)(struct super_block *,void *),
                                int flags, struct user_namespace *user_ns,
                                void *data)
{
(...snipped...)
        spin_unlock(&sb_lock);
        get_filesystem(type);
        register_shrinker(&s->s_shrink); // Error check required.
        return s;
}

[  554.881422] FAULT_INJECTION: forcing a failure.
[  554.881422] name failslab, interval 1, probability 0, space 0, times 0
[  554.881438] CPU: 1 PID: 13231 Comm: syz-executor1 Not tainted 4.14.0-rc8+ #82
[  554.881443] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  554.881445] Call Trace:
[  554.881459]  dump_stack+0x194/0x257
[  554.881474]  ? arch_local_irq_restore+0x53/0x53
[  554.881486]  ? find_held_lock+0x35/0x1d0
[  554.881507]  should_fail+0x8c0/0xa40
[  554.881522]  ? fault_create_debugfs_attr+0x1f0/0x1f0
[  554.881537]  ? check_noncircular+0x20/0x20
[  554.881546]  ? find_next_zero_bit+0x2c/0x40
[  554.881560]  ? ida_get_new_above+0x421/0x9d0
[  554.881577]  ? find_held_lock+0x35/0x1d0
[  554.881594]  ? __lock_is_held+0xb6/0x140
[  554.881628]  ? check_same_owner+0x320/0x320
[  554.881634]  ? lock_downgrade+0x990/0x990
[  554.881649]  ? find_held_lock+0x35/0x1d0
[  554.881672]  should_failslab+0xec/0x120
[  554.881684]  __kmalloc+0x63/0x760
[  554.881692]  ? lock_downgrade+0x990/0x990
[  554.881712]  ? register_shrinker+0x10e/0x2d0
[  554.881721]  ? trace_event_raw_event_module_request+0x320/0x320
[  554.881737]  register_shrinker+0x10e/0x2d0
[  554.881747]  ? prepare_kswapd_sleep+0x1f0/0x1f0
[  554.881755]  ? _down_write_nest_lock+0x120/0x120
[  554.881765]  ? memcpy+0x45/0x50
[  554.881785]  sget_userns+0xbcd/0xe20
[  554.881792]  ? set_anon_super+0x20/0x20
[  554.881809]  ? put_filp+0x90/0x90
[  554.881822]  ? __sb_start_write+0x2a0/0x2a0
[  554.881829]  ? alloc_pages_current+0xbe/0x1e0
[  554.881846]  ? free_pages+0x51/0x90
[  554.881858]  ? selinux_sb_copy_data+0x4a1/0x610
[  554.881864]  ? __lockdep_init_map+0xe4/0x650
[  554.881882]  ? selinux_quota_on+0x320/0x320
[  554.881892]  ? __lockdep_init_map+0xe4/0x650
[  554.881906]  ? lockdep_init_map+0x9/0x10
[  554.881936]  ? mqueue_get_inode+0xc60/0xc60
[  554.881944]  mount_ns+0x6d/0x190
[  554.881960]  mqueue_mount+0xbe/0xe0
[  554.881975]  mount_fs+0x66/0x2d0
[  554.881991]  vfs_kern_mount.part.26+0xc6/0x4a0
[  554.882004]  ? may_umount+0xa0/0xa0
[  554.882013]  ? compat_SyS_msgrcv+0x50/0x50
[  554.882023]  ? ida_remove+0x3e0/0x3e0
[  554.882034]  ? kmem_cache_alloc_trace+0x456/0x750
[  554.882048]  kern_mount_data+0x50/0xb0

[  554.898693] kasan: CONFIG_KASAN_INLINE enabled
[  554.898724] kasan: GPF could be caused by NULL-ptr deref or user memory access
[  554.898732] general protection fault: 0000 [#1] SMP KASAN
[  554.898737] Dumping ftrace buffer:
[  554.898741]    (ftrace buffer empty)
[  554.898743] Modules linked in:
[  554.898752] CPU: 1 PID: 13231 Comm: syz-executor1 Not tainted 4.14.0-rc8+ #82
[  554.898755] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  554.898760] task: ffff8801d1dbe5c0 task.stack: ffff8801c9e38000
[  554.898772] RIP: 0010:__list_del_entry_valid+0x7e/0x150
[  554.898775] RSP: 0018:ffff8801c9e3f108 EFLAGS: 00010246
[  554.898780] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
[  554.898784] RDX: 0000000000000000 RSI: ffff8801c53c6f98 RDI: ffff8801c53c6fa0
[  554.898788] RBP: ffff8801c9e3f120 R08: 1ffff100393c7d55 R09: 0000000000000004
[  554.898791] R10: ffff8801c9e3ef70 R11: 0000000000000000 R12: 0000000000000000
[  554.898795] R13: dffffc0000000000 R14: 1ffff100393c7e45 R15: ffff8801c53c6f98
[  554.898800] FS:  0000000000000000(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
[  554.898804] CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
[  554.898807] CR2: 00000000dbc23000 CR3: 00000001c7269000 CR4: 00000000001406e0
[  554.898813] DR0: 0000000020000000 DR1: 0000000020000000 DR2: 0000000000000000
[  554.898816] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
[  554.898818] Call Trace:
[  554.898828]  unregister_shrinker+0x79/0x300
[  554.898837]  ? perf_trace_mm_vmscan_writepage+0x750/0x750
[  554.898844]  ? down_write+0x87/0x120
[  554.898851]  ? deactivate_super+0x139/0x1b0
[  554.898857]  ? down_read+0x150/0x150
[  554.898864]  ? check_same_owner+0x320/0x320
[  554.898875]  deactivate_locked_super+0x64/0xd0
[  554.898883]  deactivate_super+0x141/0x1b0
[  554.898893]  ? mount_ns+0x190/0x190
[  554.898901]  ? dput.part.24+0x175/0x740
[  554.898912]  cleanup_mnt+0xb2/0x150
[  554.898919]  mntput_no_expire+0x6e0/0xa90
[  554.898926]  ? call_rcu_bh+0x20/0x20
[  554.898934]  ? mnt_get_count+0x150/0x150
[  554.898942]  ? trace_raw_output_rcu_utilization+0xb0/0xb0
[  554.898954]  ? __might_sleep+0x95/0x190
[  554.898964]  kern_unmount+0x9c/0xd0

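The two traces above show the full chain: a failslab hit inside register_shrinker() (the kmalloc of the per-node deferred counters), the return code dropped by sget_userns(), and then unregister_shrinker() running list_del() on a list_head that was never linked, which __list_del_entry_valid() turns into a general protection fault. The following is an added, self-contained userspace model of that pattern, written for this page; it is not kernel code and not the fix that went upstream. The list helpers, `struct shrinker`, the `inject_alloc_failure` flag and the two `mount_*` callers are all constructed for the example. It contrasts the buggy shape (caller ignores the error, unregister unlinks unconditionally) with the two hardening options a reviewer would ask for: propagate the error from the registration site, and make unregister a no-op when registration never succeeded.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Minimal doubly-linked list in the style of the kernel's list.h (constructed). */
struct list_head { struct list_head *next, *prev; };

static void list_add(struct list_head *n, struct list_head *head)
{
	n->next = head->next;
	n->prev = head;
	head->next->prev = n;
	head->next = n;
}

/* Mirrors __list_del_entry_valid(): an entry that was never linked has
 * NULL next/prev (the struct came from a zeroed allocation), and the kernel
 * dereferences prev->next right there, which is the GPF in the report.
 * Here we report the condition instead of faulting. */
static bool list_del_entry_valid(const struct list_head *e)
{
	if (e->next == NULL || e->prev == NULL)
		return false;
	if (e->prev->next != e || e->next->prev != e)
		return false;
	return true;
}

static bool list_del(struct list_head *e)
{
	if (!list_del_entry_valid(e))
		return false;
	e->prev->next = e->next;
	e->next->prev = e->prev;
	e->next = e->prev = NULL;
	return true;
}

/* Constructed stand-in for struct shrinker: nr_deferred is the allocation
 * that failslab made fail in the report. */
struct shrinker { long *nr_deferred; struct list_head list; };

static struct list_head shrinker_list = { &shrinker_list, &shrinker_list };

/* Constructed fault injection: when set, the next allocation fails once. */
static bool inject_alloc_failure;

static void *fi_calloc(size_t n, size_t sz)
{
	if (inject_alloc_failure) {
		inject_alloc_failure = false;
		return NULL;
	}
	return calloc(n, sz);
}

static int register_shrinker(struct shrinker *s)
{
	s->nr_deferred = fi_calloc(1, sizeof(long));
	if (!s->nr_deferred)
		return -ENOMEM;      /* caller must check this */
	list_add(&s->list, &shrinker_list);
	return 0;
}

/* Buggy shape: unlink unconditionally. Returns false where the kernel
 * would have faulted in __list_del_entry_valid(). */
static bool unregister_shrinker_unchecked(struct shrinker *s)
{
	bool ok = list_del(&s->list);
	free(s->nr_deferred);
	s->nr_deferred = NULL;
	return ok;
}

/* Hardened shape: a shrinker whose registration failed owns no list entry,
 * so unregistering it is a no-op. */
static void unregister_shrinker_checked(struct shrinker *s)
{
	if (!s->nr_deferred)
		return;
	list_del(&s->list);
	free(s->nr_deferred);
	s->nr_deferred = NULL;
}

/* Caller modelled on the sget_userns() line flagged above: the return code
 * is dropped, and the later teardown path trips over the unlinked entry. */
static int mount_ignoring_error(struct shrinker *s, bool *unregister_ok)
{
	register_shrinker(s);
	*unregister_ok = unregister_shrinker_unchecked(s);
	return 0;
}

/* Caller with the missing check: propagate -ENOMEM and never reach teardown
 * with a half-initialised shrinker. */
static int mount_checking_error(struct shrinker *s)
{
	int err = register_shrinker(s);
	if (err)
		return err;
	unregister_shrinker_checked(s);
	return 0;
}

int main(void)
{
	struct shrinker a = {0}, b = {0};
	bool ok;

	inject_alloc_failure = true;
	mount_ignoring_error(&a, &ok);
	printf("unchecked caller: unregister %s\n", ok ? "valid" : "hit unlinked entry (kernel: GPF)");

	inject_alloc_failure = true;
	printf("checked caller: mount returned %d\n", mount_checking_error(&b));
	return 0;
}
```

The `list_del_entry_valid()` NULL test is what makes the failure visible here; the real `__list_del_entry_valid()` reads `prev->next` first, which with `prev == NULL` is exactly the RBX=0 dereference in the oops. The no-op guard in `unregister_shrinker_checked()` is the defensive half; it does not remove the need for the caller to check the return code, since a filesystem that believes its shrinker is live when it is not will simply never reclaim.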