[Cluster-devel] [PATCH] fs: dlm: fix return value check in dlm_memory_init()

2023-01-03 Thread Yang Yingliang
It should check 'cb_cache', after calling kmem_cache_create("dlm_cb").

Fixes: 61bed0baa4db ("fs: dlm: use a non-static queue for callbacks")
Signed-off-by: Yang Yingliang 
---
 fs/dlm/memory.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/dlm/memory.c b/fs/dlm/memory.c
index eb7a08641fcf..cdbaa452fc05 100644
--- a/fs/dlm/memory.c
+++ b/fs/dlm/memory.c
@@ -51,7 +51,7 @@ int __init dlm_memory_init(void)
cb_cache = kmem_cache_create("dlm_cb", sizeof(struct dlm_callback),
 __alignof__(struct dlm_callback), 0,
 NULL);
-   if (!rsb_cache)
+   if (!cb_cache)
goto cb;
 
return 0;
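Review bot: the one-line change is correct: the old `if (!rsb_cache)` tested a different cache than the one just created, so a NULL return from kmem_cache_create("dlm_cb") was never caught and dlm_memory_init() returned 0 with cb_cache left NULL. Since this hunk shows only the `goto cb` and not the label, it is worth confirming in the full function that the `cb:` cleanup path destroys every cache created before cb_cache, so the now-reachable error path does not leak the earlier allocations.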
-- 
2.25.1



[Cluster-devel] [syzbot] [gfs2?] BUG: unable to handle kernel NULL pointer dereference in gfs2_rgrp_dump

2023-01-03 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:    a5541c0811a0 Merge branch 'for-next/core' into for-kernelci
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=11859c5048
kernel config:  https://syzkaller.appspot.com/x/.config?x=cbd4e584773e9397
dashboard link: https://syzkaller.appspot.com/bug?extid=da0fc229cc1ff4bb2e6d
compiler:       Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: arm64
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=101babb448
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=10bfb18c48

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/4b7702208fb9/disk-a5541c08.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/9ec0153ec051/vmlinux-a5541c08.xz
kernel image: https://storage.googleapis.com/syzbot-assets/6f8725ad290a/Image-a5541c08.gz.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/0bee075b0175/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+da0fc229cc1ff4bb2...@syzkaller.appspotmail.com

ri_length = 1
ri_data0 = 19
ri_data = 2060
ri_bitbytes = 514
start=0 len=514 offset=128
gfs2: fsid=syz:syz.s:  R: n:18 f:00 b:0/0 i:0 q:0 r:0 e:0
Unable to handle kernel NULL pointer dereference at virtual address 0004
Mem abort info:
  ESR = 0x9606
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
  FSC = 0x06: level 2 translation fault
Data abort info:
  ISV = 0, ISS = 0x0006
  CM = 0, WnR = 0
user pgtable: 4k pages, 48-bit VAs, pgdp=00010e23f000
[0004] pgd=08010b804003, p4d=08010b804003, pud=08010a4e8003, pmd=
Internal error: Oops: 9606 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 3072 Comm: syz-executor147 Not tainted 6.1.0-rc8-syzkaller-0-ga5541c0811a0 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
pstate: 8045 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : gfs2_rgrp_dump+0xa0/0x138 fs/gfs2/rgrp.c:2313
lr : gfs2_rgrp_dump+0x90/0x138
Call trace:
 gfs2_rgrp_dump+0xa0/0x138 fs/gfs2/rgrp.c:2312
 gfs2_consist_rgrpd_i+0x78/0xe4 fs/gfs2/util.c:480
 read_rindex_entry fs/gfs2/rgrp.c:931 [inline]
 gfs2_ri_update+0x398/0x7e4 fs/gfs2/rgrp.c:1001
 gfs2_rindex_update+0x1b0/0x21c fs/gfs2/rgrp.c:1051
 init_inodes+0x11c/0x184 fs/gfs2/ops_fstype.c:917
 gfs2_fill_super+0x630/0x874 fs/gfs2/ops_fstype.c:1247
 get_tree_bdev+0x1e8/0x2a0 fs/super.c:1324
 gfs2_get_tree+0x30/0xc0 fs/gfs2/ops_fstype.c:1330
 vfs_get_tree+0x40/0x140 fs/super.c:1531
 do_new_mount+0x1dc/0x4e4 fs/namespace.c:3040
 path_mount+0x358/0x890 fs/namespace.c:3370
 do_mount fs/namespace.c:3383 [inline]
 __do_sys_mount fs/namespace.c:3591 [inline]
 __se_sys_mount fs/namespace.c:3568 [inline]
 __arm64_sys_mount+0x2c4/0x3c4 fs/namespace.c:3568
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall arch/arm64/kernel/syscall.c:52 [inline]
 el0_svc_common+0x138/0x220 arch/arm64/kernel/syscall.c:142
 do_el0_svc+0x48/0x140 arch/arm64/kernel/syscall.c:197
 el0_svc+0x58/0x150 arch/arm64/kernel/entry-common.c:637
 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:584
Code: f94036c8 f001cfa1 911a1421 aa1503e0 (2940a909) 
---[ end trace  ]---

Code disassembly (best guess):
   0:   f94036c8    ldr  x8, [x22, #104]
   4:   f001cfa1    adrp x1, 0x39f7000
   8:   911a1421    add  x1, x1, #0x685
   c:   aa1503e0    mov  x0, x21
* 10:   2940a909    ldp  w9, w10, [x8, #4] <-- trapping instruction


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches



[Cluster-devel] [syzbot] [gfs2?] kernel panic: stack is corrupted in gfs2_block_map

2023-01-03 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:    a5541c0811a0 Merge branch 'for-next/core' into for-kernelci
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=10e77d2788
kernel config:  https://syzkaller.appspot.com/x/.config?x=cbd4e584773e9397
dashboard link: https://syzkaller.appspot.com/bug?extid=2b5229694171c6846a90
compiler:       Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: arm64
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=11b3961048
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=11a1c6f788

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/4b7702208fb9/disk-a5541c08.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/9ec0153ec051/vmlinux-a5541c08.xz
kernel image: https://storage.googleapis.com/syzbot-assets/6f8725ad290a/Image-a5541c08.gz.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/72be6726ff4f/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+2b5229694171c6846...@syzkaller.appspotmail.com

loop0: detected capacity change from 0 to 125323
gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz"
gfs2: fsid=syz:syz: Now mounting FS (format 1801)...
Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: gfs2_block_map+0x33c/0x408
CPU: 1 PID: 3073 Comm: syz-executor388 Not tainted 6.1.0-rc8-syzkaller-0-ga5541c0811a0 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call trace:
 dump_backtrace+0x1c4/0x1f0 arch/arm64/kernel/stacktrace.c:156
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:163
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x104/0x16c lib/dump_stack.c:106
 dump_stack+0x1c/0x58 lib/dump_stack.c:113
 panic+0x218/0x508 kernel/panic.c:274
 warn_bogus_irq_restore+0x0/0x40 kernel/panic.c:703
 gfs2_block_map+0x33c/0x408
 0x0
SMP: stopping secondary CPUs
Kernel Offset: disabled
CPU features: 0x0,040e0108,4c017203
Memory Limit: none
Rebooting in 86400 seconds..





Re: [Cluster-devel] [syzbot] [gfs2?] BUG: sleeping function called from invalid context in do_page_fault (3)

2023-01-03 Thread syzbot
syzbot has found a reproducer for the following issue on:

HEAD commit:    a5541c0811a0 Merge branch 'for-next/core' into for-kernelci
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=11b7992848
kernel config:  https://syzkaller.appspot.com/x/.config?x=cbd4e584773e9397
dashboard link: https://syzkaller.appspot.com/bug?extid=2845b2dfa28dec36e215
compiler:       Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: arm64
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=156dcd5048
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1337f2e448

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/4b7702208fb9/disk-a5541c08.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/9ec0153ec051/vmlinux-a5541c08.xz
kernel image: https://storage.googleapis.com/syzbot-assets/6f8725ad290a/Image-a5541c08.gz.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/9d323fcb08fb/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+2845b2dfa28dec36e...@syzkaller.appspotmail.com

gfs2: fsid=syz:syz.0:  H: s:SH f:H e:0 p:4002 [syz-executor363] __gfs2_lookup+0x5c/0x1dc fs/gfs2/inode.c:870
BUG: sleeping function called from invalid context at arch/arm64/mm/fault.c:599
in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 4011, name: syz-executor363
preempt_count: 0, expected: 0
RCU nest depth: 1, expected: 0
3 locks held by syz-executor363/4011:
 #0: cfa98dd0 (&type->i_mutex_dir_key#8){.+.+}-{3:3}, at: inode_lock_shared include/linux/fs.h:766 [inline]
 #0: cfa98dd0 (&type->i_mutex_dir_key#8){.+.+}-{3:3}, at: open_last_lookups fs/namei.c:3480 [inline]
 #0: cfa98dd0 (&type->i_mutex_dir_key#8){.+.+}-{3:3}, at: path_openat+0x2e4/0x11c4 fs/namei.c:3711
 #1: 8d4a4640 (rcu_read_lock){}-{1:2}, at: rcu_lock_acquire+0x10/0x4c include/linux/rcupdate.h:303
 #2: c0e15648 (&mm->mmap_lock){}-{3:3}, at: mmap_read_trylock include/linux/mmap_lock.h:136 [inline]
 #2: c0e15648 (&mm->mmap_lock){}-{3:3}, at: do_page_fault+0x1ec/0x79c arch/arm64/mm/fault.c:589
CPU: 1 PID: 4011 Comm: syz-executor363 Not tainted 6.1.0-rc8-syzkaller-0-ga5541c0811a0 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call trace:
 dump_backtrace+0x1c4/0x1f0 arch/arm64/kernel/stacktrace.c:156
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:163
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x104/0x16c lib/dump_stack.c:106
 dump_stack+0x1c/0x58 lib/dump_stack.c:113
 __might_resched+0x208/0x218 kernel/sched/core.c:9908
 __might_sleep+0x48/0x78 kernel/sched/core.c:9837
 do_page_fault+0x214/0x79c arch/arm64/mm/fault.c:599
 do_translation_fault+0x78/0x194 arch/arm64/mm/fault.c:691
 do_mem_abort+0x54/0x130 arch/arm64/mm/fault.c:827
 el1_abort+0x3c/0x5c arch/arm64/kernel/entry-common.c:367
 el1h_64_sync_handler+0x60/0xac arch/arm64/kernel/entry-common.c:427
 el1h_64_sync+0x64/0x68 arch/arm64/kernel/entry.S:579
 rcu_read_lock include/linux/rcupdate.h:739 [inline]
 dump_holder fs/gfs2/glock.c:2332 [inline]
 gfs2_dump_glock+0x4f4/0x904 fs/gfs2/glock.c:2447
 gfs2_consist_inode_i+0x68/0x88 fs/gfs2/util.c:465
 gfs2_dirent_scan+0x2dc/0x3b4 fs/gfs2/dir.c:602
 gfs2_dirent_search+0x134/0x494 fs/gfs2/dir.c:850
 gfs2_dir_search+0x58/0x130 fs/gfs2/dir.c:1650
 gfs2_lookupi+0x23c/0x354 fs/gfs2/inode.c:323
 __gfs2_lookup+0x5c/0x1dc fs/gfs2/inode.c:870
 gfs2_atomic_open+0x74/0x148 fs/gfs2/inode.c:1274
 atomic_open fs/namei.c:3276 [inline]
 lookup_open fs/namei.c:3384 [inline]
 open_last_lookups fs/namei.c:3481 [inline]
 path_openat+0x67c/0x11c4 fs/namei.c:3711
 do_filp_open+0xdc/0x1b8 fs/namei.c:3741
 do_sys_openat2+0xb8/0x22c fs/open.c:1310
 do_sys_open fs/open.c:1326 [inline]
 __do_sys_openat fs/open.c:1342 [inline]
 __se_sys_openat fs/open.c:1337 [inline]
 __arm64_sys_openat+0xb0/0xe0 fs/open.c:1337
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall arch/arm64/kernel/syscall.c:52 [inline]
 el0_svc_common+0x138/0x220 arch/arm64/kernel/syscall.c:142
 do_el0_svc+0x48/0x140 arch/arm64/kernel/syscall.c:197
 el0_svc+0x58/0x150 arch/arm64/kernel/entry-common.c:637
 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:584
Unable to handle kernel NULL pointer dereference at virtual address 0021
Mem abort info:
  ESR = 0x9606
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
  FSC = 0x06: level 2 translation fault
Data abort info:
  ISV = 0, ISS = 0x0006
  CM = 0, WnR = 0
user pgtable: 4k pages, 48-bit VAs, pgdp=000113364000
[0021] pgd=080111d8b003, p4d=080111d8b003, pud=080111d8c003, pmd=
Internal error: Oops: 9606 [#1] PREEMPT SMP
Modules linked in:
CPU: 1 PID: 4011 Comm: syz-executor

Re: [Cluster-devel] [syzbot] [gfs2?] possible deadlock in freeze_super (2)

2023-01-03 Thread syzbot
syzbot has found a reproducer for the following issue on:

HEAD commit:    1b929c02afd3 Linux 6.2-rc1
git tree:       upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=1144731248
kernel config:  https://syzkaller.appspot.com/x/.config?x=68e0be42c8ee4bb4
dashboard link: https://syzkaller.appspot.com/bug?extid=be899d4f10b2a9522dce
compiler:       Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=14b638c048
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=11b1727048

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/2d8c5072480f/disk-1b929c02.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/46687f1395db/vmlinux-1b929c02.xz
kernel image: https://storage.googleapis.com/syzbot-assets/26f1afa5ec00/bzImage-1b929c02.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/952580c084c8/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+be899d4f10b2a9522...@syzkaller.appspotmail.com

==
WARNING: possible circular locking dependency detected
6.2.0-rc1-syzkaller #0 Not tainted
--
kworker/0:1H/52 is trying to acquire lock:
8880277440e0 (&type->s_umount_key#44){+.+.}-{3:3}, at: freeze_super+0x45/0x420 fs/super.c:1655

but task is already holding lock:
c9bd7d00 ((work_completion)(&(&gl->gl_work)->work)){+.+.}-{0:0}, at: process_one_work+0x831/0xdb0 kernel/workqueue.c:2264

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #2 ((work_completion)(&(&gl->gl_work)->work)){+.+.}-{0:0}:
   lock_acquire+0x182/0x3c0 kernel/locking/lockdep.c:5668
   process_one_work+0x852/0xdb0 kernel/workqueue.c:2265
   worker_thread+0xb14/0x1330 kernel/workqueue.c:2436
   kthread+0x266/0x300 kernel/kthread.c:376
   ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308

-> #1 ((wq_completion)glock_workqueue){+.+.}-{0:0}:
   lock_acquire+0x182/0x3c0 kernel/locking/lockdep.c:5668
   __flush_workqueue+0x178/0x1680 kernel/workqueue.c:2809
   gfs2_gl_hash_clear+0xa3/0x300 fs/gfs2/glock.c:2191
   gfs2_put_super+0x862/0x8d0 fs/gfs2/super.c:627
   generic_shutdown_super+0x130/0x310 fs/super.c:492
   kill_block_super+0x79/0xd0 fs/super.c:1386
   deactivate_locked_super+0xa7/0xf0 fs/super.c:332
   cleanup_mnt+0x494/0x520 fs/namespace.c:1291
   task_work_run+0x243/0x300 kernel/task_work.c:179
   ptrace_notify+0x29a/0x340 kernel/signal.c:2354
   ptrace_report_syscall include/linux/ptrace.h:411 [inline]
   ptrace_report_syscall_exit include/linux/ptrace.h:473 [inline]
   syscall_exit_work+0x8c/0xe0 kernel/entry/common.c:251
   syscall_exit_to_user_mode_prepare+0x63/0xc0 kernel/entry/common.c:278
   __syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline]
   syscall_exit_to_user_mode+0xa/0x60 kernel/entry/common.c:296
   do_syscall_64+0x49/0xb0 arch/x86/entry/common.c:86
   entry_SYSCALL_64_after_hwframe+0x63/0xcd

-> #0 (&type->s_umount_key#44){+.+.}-{3:3}:
   check_prev_add kernel/locking/lockdep.c:3097 [inline]
   check_prevs_add kernel/locking/lockdep.c:3216 [inline]
   validate_chain+0x1898/0x6ae0 kernel/locking/lockdep.c:3831
   __lock_acquire+0x1292/0x1f60 kernel/locking/lockdep.c:5055
   lock_acquire+0x182/0x3c0 kernel/locking/lockdep.c:5668
   down_write+0x9c/0x270 kernel/locking/rwsem.c:1562
   freeze_super+0x45/0x420 fs/super.c:1655
   freeze_go_sync+0x178/0x340 fs/gfs2/glops.c:577
   do_xmote+0x34d/0x13d0 fs/gfs2/glock.c:708
   glock_work_func+0x2c2/0x450 fs/gfs2/glock.c:1056
   process_one_work+0x877/0xdb0 kernel/workqueue.c:2289
   worker_thread+0xb14/0x1330 kernel/workqueue.c:2436
   kthread+0x266/0x300 kernel/kthread.c:376
   ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308

other info that might help us debug this:

Chain exists of:
  &type->s_umount_key#44 --> (wq_completion)glock_workqueue --> (work_completion)(&(&gl->gl_work)->work)

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock((work_completion)(&(&gl->gl_work)->work));
                               lock((wq_completion)glock_workqueue);
                               lock((work_completion)(&(&gl->gl_work)->work));
  lock(&type->s_umount_key#44);

 *** DEADLOCK ***

2 locks held by kworker/0:1H/52:
 #0: 888018293938 ((wq_completion)glock_workqueue){+.+.}-{0:0}, at: process_one_work+0x7f2/0xdb0
 #1: c9bd7d00 ((work_completion)(&(&gl->gl_work)->work)){+.+.}-{0:0}, at: process_one_work+0x831/0xdb0 kernel/workqueue.c:2264

stack backtrace:
CPU: 0 PID: 52 Comm: kworker/0:1H Not tainted 6.2.0-rc1-syzkalle

[Cluster-devel] [syzbot] [gfs2?] KASAN: use-after-free Read in qd_unlock (2)

2023-01-03 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:    1b929c02afd3 Linux 6.2-rc1
git tree:       upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=1799c25048
kernel config:  https://syzkaller.appspot.com/x/.config?x=68e0be42c8ee4bb4
dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
compiler:       Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=14c4ea1848
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1359b33848

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/2d8c5072480f/disk-1b929c02.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/46687f1395db/vmlinux-1b929c02.xz
kernel image: https://storage.googleapis.com/syzbot-assets/26f1afa5ec00/bzImage-1b929c02.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/35edd581b491/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+3f6a670108ce43356...@syzkaller.appspotmail.com

==
BUG: KASAN: use-after-free in instrument_atomic_read include/linux/instrumented.h:72 [inline]
BUG: KASAN: use-after-free in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
BUG: KASAN: use-after-free in qd_unlock+0x30/0x2d0 fs/gfs2/quota.c:490
Read of size 8 at addr 888073997090 by task syz-executor221/5069

CPU: 1 PID: 5069 Comm: syz-executor221 Not tainted 6.2.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
 
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1b1/0x290 lib/dump_stack.c:106
 print_address_description+0x74/0x340 mm/kasan/report.c:306
 print_report+0x107/0x1f0 mm/kasan/report.c:417
 kasan_report+0xcd/0x100 mm/kasan/report.c:517
 kasan_check_range+0x2a7/0x2e0 mm/kasan/generic.c:189
 instrument_atomic_read include/linux/instrumented.h:72 [inline]
 _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
 qd_unlock+0x30/0x2d0 fs/gfs2/quota.c:490
 gfs2_quota_sync+0x768/0x8b0 fs/gfs2/quota.c:1325
 gfs2_sync_fs+0x49/0xb0 fs/gfs2/super.c:650
 sync_filesystem+0xe8/0x220 fs/sync.c:56
 generic_shutdown_super+0x6b/0x310 fs/super.c:474
 kill_block_super+0x79/0xd0 fs/super.c:1386
 deactivate_locked_super+0xa7/0xf0 fs/super.c:332
 cleanup_mnt+0x494/0x520 fs/namespace.c:1291
 task_work_run+0x243/0x300 kernel/task_work.c:179
 exit_task_work include/linux/task_work.h:38 [inline]
 do_exit+0x644/0x2150 kernel/exit.c:867
 do_group_exit+0x1fd/0x2b0 kernel/exit.c:1012
 __do_sys_exit_group kernel/exit.c:1023 [inline]
 __se_sys_exit_group kernel/exit.c:1021 [inline]
 __x64_sys_exit_group+0x3b/0x40 kernel/exit.c:1021
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f2c4308d0c9
Code: Unable to access opcode bytes at 0x7f2c4308d09f.

Allocated by task 5069:
 kasan_save_stack mm/kasan/common.c:45 [inline]
 kasan_set_track+0x3d/0x60 mm/kasan/common.c:52
 __kasan_slab_alloc+0x65/0x70 mm/kasan/common.c:325
 kasan_slab_alloc include/linux/kasan.h:201 [inline]
 slab_post_alloc_hook mm/slab.h:761 [inline]
 slab_alloc_node mm/slub.c:3452 [inline]
 slab_alloc mm/slub.c:3460 [inline]
 __kmem_cache_alloc_lru mm/slub.c:3467 [inline]
 kmem_cache_alloc+0x1b3/0x350 mm/slub.c:3476
 kmem_cache_zalloc include/linux/slab.h:710 [inline]
 qd_alloc+0x51/0x250 fs/gfs2/quota.c:216
 gfs2_quota_init+0x7c4/0x10e0 fs/gfs2/quota.c:1415
 gfs2_make_fs_rw+0x48e/0x590 fs/gfs2/super.c:153
 gfs2_fill_super+0x2357/0x2700 fs/gfs2/ops_fstype.c:1274
 get_tree_bdev+0x400/0x620 fs/super.c:1282
 gfs2_get_tree+0x50/0x210 fs/gfs2/ops_fstype.c:1330
 vfs_get_tree+0x88/0x270 fs/super.c:1489
 do_new_mount+0x289/0xad0 fs/namespace.c:3145
 do_mount fs/namespace.c:3488 [inline]
 __do_sys_mount fs/namespace.c:3697 [inline]
 __se_sys_mount+0x2d3/0x3c0 fs/namespace.c:3674
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Freed by task 0:
 kasan_save_stack mm/kasan/common.c:45 [inline]
 kasan_set_track+0x3d/0x60 mm/kasan/common.c:52
 kasan_save_free_info+0x27/0x40 mm/kasan/generic.c:518
 kasan_slab_free

Re: [Cluster-devel] [syzbot] [gfs2?] INFO: task hung in gfs2_jhead_process_page

2023-01-03 Thread syzbot
syzbot has found a reproducer for the following issue on:

HEAD commit:    a5541c0811a0 Merge branch 'for-next/core' into for-kernelci
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=172de6df88
kernel config:  https://syzkaller.appspot.com/x/.config?x=cbd4e584773e9397
dashboard link: https://syzkaller.appspot.com/bug?extid=b9c5afe053a08cd29468
compiler:       Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: arm64
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=116fc08848
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1756e06048

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/4b7702208fb9/disk-a5541c08.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/9ec0153ec051/vmlinux-a5541c08.xz
kernel image: https://storage.googleapis.com/syzbot-assets/6f8725ad290a/Image-a5541c08.gz.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/aa84169739f7/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+b9c5afe053a08cd29...@syzkaller.appspotmail.com

INFO: task kworker/1:2:2221 blocked for more than 143 seconds.
  Not tainted 6.1.0-rc8-syzkaller-0-ga5541c0811a0 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/1:2 state:D stack:0 pid:2221  ppid:2  flags:0x0008
Workqueue: gfs_recovery gfs2_recover_func
Call trace:
 __switch_to+0x180/0x298 arch/arm64/kernel/process.c:555
 context_switch kernel/sched/core.c:5209 [inline]
 __schedule+0x408/0x594 kernel/sched/core.c:6521
 schedule+0x64/0xa4 kernel/sched/core.c:6597
 io_schedule+0x38/0xbc kernel/sched/core.c:8741
 folio_wait_bit_common+0x430/0x97c mm/filemap.c:1296
 folio_wait_bit+0x30/0x40 mm/filemap.c:1440
 folio_wait_locked include/linux/pagemap.h:1022 [inline]
 gfs2_jhead_process_page+0xb4/0x40c fs/gfs2/lops.c:476
 gfs2_find_jhead+0x450/0x50c fs/gfs2/lops.c:594
 gfs2_recover_func+0x278/0xcc8 fs/gfs2/recovery.c:460
 process_one_work+0x2d8/0x504 kernel/workqueue.c:2289
 worker_thread+0x340/0x610 kernel/workqueue.c:2436
 kthread+0x12c/0x158 kernel/kthread.c:376
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:863
INFO: task syz-executor189:3110 blocked for more than 143 seconds.
  Not tainted 6.1.0-rc8-syzkaller-0-ga5541c0811a0 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor189 state:D stack:0 pid:3110  ppid:3109   flags:0x0009
Call trace:
 __switch_to+0x180/0x298 arch/arm64/kernel/process.c:555
 context_switch kernel/sched/core.c:5209 [inline]
 __schedule+0x408/0x594 kernel/sched/core.c:6521
 schedule+0x64/0xa4 kernel/sched/core.c:6597
 bit_wait+0x18/0x60 kernel/sched/wait_bit.c:199
 __wait_on_bit kernel/sched/wait_bit.c:49 [inline]
 out_of_line_wait_on_bit+0xc8/0x140 kernel/sched/wait_bit.c:64
 wait_on_bit include/linux/wait_bit.h:76 [inline]
 gfs2_recover_journal+0xc0/0x104 fs/gfs2/recovery.c:577
 init_journal+0x930/0xcbc fs/gfs2/ops_fstype.c:835
 init_inodes+0x74/0x184 fs/gfs2/ops_fstype.c:889
 gfs2_fill_super+0x630/0x874 fs/gfs2/ops_fstype.c:1247
 get_tree_bdev+0x1e8/0x2a0 fs/super.c:1324
 gfs2_get_tree+0x30/0xc0 fs/gfs2/ops_fstype.c:1330
 vfs_get_tree+0x40/0x140 fs/super.c:1531
 do_new_mount+0x1dc/0x4e4 fs/namespace.c:3040
 path_mount+0x358/0x890 fs/namespace.c:3370
 do_mount fs/namespace.c:3383 [inline]
 __do_sys_mount fs/namespace.c:3591 [inline]
 __se_sys_mount fs/namespace.c:3568 [inline]
 __arm64_sys_mount+0x2c4/0x3c4 fs/namespace.c:3568
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall arch/arm64/kernel/syscall.c:52 [inline]
 el0_svc_common+0x138/0x220 arch/arm64/kernel/syscall.c:142
 do_el0_svc+0x48/0x140 arch/arm64/kernel/syscall.c:197
 el0_svc+0x58/0x150 arch/arm64/kernel/entry-common.c:637
 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:584

Showing all locks held in the system:
1 lock held by rcu_tasks_kthre/11:
 #0: 8d4a4768 (rcu_tasks.tasks_gp_mutex){+.+.}-{3:3}, at: rcu_tasks_one_gp+0x3c/0x450 kernel/rcu/tasks.h:507
1 lock held by rcu_tasks_trace/12:
 #0: 8d4a4db8 (rcu_tasks_trace.tasks_gp_mutex){+.+.}-{3:3}, at: rcu_tasks_one_gp+0x3c/0x450 kernel/rcu/tasks.h:507
1 lock held by khungtaskd/27:
 #0: 8d4a4640 (rcu_read_lock){}-{1:2}, at: rcu_lock_acquire+0x4/0x48 include/linux/rcupdate.h:303
2 locks held by kworker/1:2/2221:
 #0: c028d138 ((wq_completion)gfs_recovery){+.+.}-{0:0}, at: process_one_work+0x270/0x504 kernel/workqueue.c:2262
 #1: 800015de3d80 ((work_completion)(&jd->jd_work)){+.+.}-{0:0}, at: process_one_work+0x29c/0x504 kernel/workqueue.c:2264
2 locks held by getty/2758:
 #0: c535f098 (&tty->ldisc_sem){}-{0:0}, at: tty_ldisc_ref_w

[Cluster-devel] [syzbot] [gfs2?] BUG: unable to handle kernel NULL pointer dereference in gfs2_rindex_update

2023-01-03 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:    a5541c0811a0 Merge branch 'for-next/core' into for-kernelci
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=1130468c48
kernel config:  https://syzkaller.appspot.com/x/.config?x=cbd4e584773e9397
dashboard link: https://syzkaller.appspot.com/bug?extid=2b32df23ff6b5b307565
compiler:       Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: arm64
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=141a939048
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=166a031788

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/4b7702208fb9/disk-a5541c08.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/9ec0153ec051/vmlinux-a5541c08.xz
kernel image: https://storage.googleapis.com/syzbot-assets/6f8725ad290a/Image-a5541c08.gz.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/9bf67d96dec4/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+2b32df23ff6b5b307...@syzkaller.appspotmail.com

loop0: detected capacity change from 0 to 32768
gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz"
gfs2: fsid=syz:syz: Now mounting FS (format 1801)...
gfs2: fsid=syz:syz.0: journal 0 mapped with 3 extents in 0ms
Unable to handle kernel NULL pointer dereference at virtual address 04b8
Mem abort info:
  ESR = 0x9606
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
  FSC = 0x06: level 2 translation fault
Data abort info:
  ISV = 0, ISS = 0x0006
  CM = 0, WnR = 0
user pgtable: 4k pages, 48-bit VAs, pgdp=00010d0e4000
[04b8] pgd=08010d0ef003, p4d=08010d0ef003, pud=08010c843003, pmd=
Internal error: Oops: 9606 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 3073 Comm: syz-executor647 Not tainted 6.1.0-rc8-syzkaller-0-ga5541c0811a0 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
pstate: 8045 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : gfs2_rindex_update+0x4c/0x21c fs/gfs2/rgrp.c:1037
lr : gfs2_rindex_update+0x3c/0x21c fs/gfs2/rgrp.c:1035
Call trace:
 gfs2_rindex_update+0x4c/0x21c fs/gfs2/rgrp.c:1038
 punch_hole+0x578/0x18b8 fs/gfs2/bmap.c:1796
 gfs2_truncatei_resume+0x28/0x68 fs/gfs2/bmap.c:2154
 inode_go_held+0xb8/0xe0 fs/gfs2/glops.c:513
 gfs2_instantiate+0xf0/0x208 fs/gfs2/glock.c:529
 gfs2_glock_holder_ready fs/gfs2/glock.c:1326 [inline]
 gfs2_glock_wait+0x10c/0x164 fs/gfs2/glock.c:1346
 gfs2_glock_nq+0x104/0x220 fs/gfs2/glock.c:1596
 gfs2_glock_nq_init fs/gfs2/glock.h:264 [inline]
 init_statfs fs/gfs2/ops_fstype.c:696 [inline]
 init_journal+0x7a8/0xcbc fs/gfs2/ops_fstype.c:820
 init_inodes+0x74/0x184 fs/gfs2/ops_fstype.c:889
 gfs2_fill_super+0x630/0x874 fs/gfs2/ops_fstype.c:1247
 get_tree_bdev+0x1e8/0x2a0 fs/super.c:1324
 gfs2_get_tree+0x30/0xc0 fs/gfs2/ops_fstype.c:1330
 vfs_get_tree+0x40/0x140 fs/super.c:1531
 do_new_mount+0x1dc/0x4e4 fs/namespace.c:3040
 path_mount+0x358/0x890 fs/namespace.c:3370
 do_mount fs/namespace.c:3383 [inline]
 __do_sys_mount fs/namespace.c:3591 [inline]
 __se_sys_mount fs/namespace.c:3568 [inline]
 __arm64_sys_mount+0x2c4/0x3c4 fs/namespace.c:3568
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall arch/arm64/kernel/syscall.c:52 [inline]
 el0_svc_common+0x138/0x220 arch/arm64/kernel/syscall.c:142
 do_el0_svc+0x48/0x140 arch/arm64/kernel/syscall.c:197
 el0_svc+0x58/0x150 arch/arm64/kernel/entry-common.c:637
 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:584
Code: f943a293 b947c697 2a1f03e0 a902 (f9425e75) 
---[ end trace  ]---

Code disassembly (best guess):
   0:   f943a293    ldr  x19, [x20, #1856]
   4:   b947c697    ldr  w23, [x20, #1988]
   8:   2a1f03e0    mov  w0, wzr
   c:   a902        stp  xzr, xzr, [sp, #40]
* 10:   f9425e75    ldr  x21, [x19, #1208] <-- trapping instruction



Re: [Cluster-devel] [syzbot] [gfs2?] general protection fault in gfs2_evict_inode (2)

2023-01-03 Thread syzbot
syzbot has found a reproducer for the following issue on:

HEAD commit:a5541c0811a0 Merge branch 'for-next/core' into for-kernelci
git tree:   git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=1555132788
kernel config:  https://syzkaller.appspot.com/x/.config?x=cbd4e584773e9397
dashboard link: https://syzkaller.appspot.com/bug?extid=8a5fc6416c175cecea34
compiler:   Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: arm64
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=1718796f88
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1735df8f88

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/4b7702208fb9/disk-a5541c08.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/9ec0153ec051/vmlinux-a5541c08.xz
kernel image: https://storage.googleapis.com/syzbot-assets/6f8725ad290a/Image-a5541c08.gz.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/b4c763067524/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+8a5fc6416c175cece...@syzkaller.appspotmail.com

gfs2: fsid=syz:syz.0: error recovering journal 0: -5
Unable to handle kernel NULL pointer dereference at virtual address 008c
Mem abort info:
  ESR = 0x9606
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
  FSC = 0x06: level 2 translation fault
Data abort info:
  ISV = 0, ISS = 0x0006
  CM = 0, WnR = 0
user pgtable: 4k pages, 48-bit VAs, pgdp=00010dd7c000
[008c] pgd=08010bf77003, p4d=08010bf77003, pud=08010a9f1003, pmd=
Internal error: Oops: 9606 [#1] PREEMPT SMP
Modules linked in:
CPU: 1 PID: 3071 Comm: syz-executor179 Not tainted 6.1.0-rc8-syzkaller-0-ga5541c0811a0 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
pstate: 8045 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : evict_linked_inode fs/gfs2/super.c:1330 [inline]
pc : gfs2_evict_inode+0x6f8/0x918 fs/gfs2/super.c:1385
lr : evict_linked_inode fs/gfs2/super.c:1328 [inline]
lr : gfs2_evict_inode+0x6ec/0x918 fs/gfs2/super.c:1385
sp : 8ff73830
x29: 8ff738a0 x28:  x27: 
x26: cb74c728 x25: 8004 x24: c9b25110
x23: cb74c000 x22: c9b24e70 x21: cb74c000
x20: ca579770 x19: ca5792c0 x18: 00c0
x17: 8dda8198 x16: 8dbe6158 x15: c407cec0
x14: 00b8 x13:  x12: c407cec0
x11: ff8089278314 x10:  x9 : 89278314
x8 :  x7 : 8862aa80 x6 : 
x5 :  x4 : 0001 x3 : 
x2 : 0001 x1 :  x0 : cb74c000
Call trace:
 evict_linked_inode fs/gfs2/super.c:1330 [inline]
 gfs2_evict_inode+0x6f8/0x918 fs/gfs2/super.c:1385
 evict+0xec/0x334 fs/inode.c:664
 iput_final fs/inode.c:1747 [inline]
 iput+0x2c4/0x324 fs/inode.c:1773
 gfs2_jindex_free+0x10c/0x16c fs/gfs2/super.c:75
 init_journal+0x518/0xcbc fs/gfs2/ops_fstype.c:871
 init_inodes+0x74/0x184 fs/gfs2/ops_fstype.c:889
 gfs2_fill_super+0x630/0x874 fs/gfs2/ops_fstype.c:1247
 get_tree_bdev+0x1e8/0x2a0 fs/super.c:1324
 gfs2_get_tree+0x30/0xc0 fs/gfs2/ops_fstype.c:1330
 vfs_get_tree+0x40/0x140 fs/super.c:1531
 do_new_mount+0x1dc/0x4e4 fs/namespace.c:3040
 path_mount+0x358/0x890 fs/namespace.c:3370
 do_mount fs/namespace.c:3383 [inline]
 __do_sys_mount fs/namespace.c:3591 [inline]
 __se_sys_mount fs/namespace.c:3568 [inline]
 __arm64_sys_mount+0x2c4/0x3c4 fs/namespace.c:3568
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall arch/arm64/kernel/syscall.c:52 [inline]
 el0_svc_common+0x138/0x220 arch/arm64/kernel/syscall.c:142
 do_el0_svc+0x48/0x140 arch/arm64/kernel/syscall.c:197
 el0_svc+0x58/0x150 arch/arm64/kernel/entry-common.c:637
 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:584
Code: 97ff3736 f94482e8 aa1703e0 2a1f03e1 (b9408d02) 
---[ end trace  ]---

Code disassembly (best guess):
   0:   97ff3736    bl  0xfffcdcd8
   4:   f94482e8    ldr x8, [x23, #2304]
   8:   aa1703e0    mov x0, x23
   c:   2a1f03e1    mov w1, wzr
* 10:   b9408d02    ldr w2, [x8, #140] <-- trapping instruction



[Cluster-devel] [syzbot] [gfs2?] UBSAN: array-index-out-of-bounds in __gfs2_iomap_get

2023-01-03 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:77856d911a8c Merge tag 'arm64-fixes' of git://git.kernel.o..
git tree:   upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=155a666388
kernel config:  https://syzkaller.appspot.com/x/.config?x=f967143badd2fa39
dashboard link: https://syzkaller.appspot.com/bug?extid=45d4691b1ed3c48eba05
compiler:   Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=160f494f88
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=123f957788

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/4b424d9203f5/disk-77856d91.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/47fd68051834/vmlinux-77856d91.xz
kernel image: https://storage.googleapis.com/syzbot-assets/d3091f087a86/bzImage-77856d91.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/67525acd7f1d/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+45d4691b1ed3c48eb...@syzkaller.appspotmail.com

loop0: detected capacity change from 0 to 125323
gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz"
gfs2: fsid=syz:syz: Now mounting FS (format 1801)...

UBSAN: array-index-out-of-bounds in fs/gfs2/bmap.c:901:46
index 11 is out of range for type 'u64 [11]'
CPU: 0 PID: 5067 Comm: syz-executor164 Not tainted 6.1.0-syzkaller-13031-g77856d911a8c #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
 
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1b1/0x290 lib/dump_stack.c:106
 ubsan_epilogue lib/ubsan.c:151 [inline]
 __ubsan_handle_out_of_bounds+0xe0/0x110 lib/ubsan.c:282
 __gfs2_iomap_get+0x4a4/0x16e0 fs/gfs2/bmap.c:901
 gfs2_iomap_get fs/gfs2/bmap.c:1399 [inline]
 gfs2_block_map+0x28f/0x7f0 fs/gfs2/bmap.c:1214
 gfs2_write_alloc_required+0x441/0x6e0 fs/gfs2/bmap.c:2322
 gfs2_jdesc_check+0x1b9/0x290 fs/gfs2/super.c:114
 init_journal+0x5a4/0x22c0 fs/gfs2/ops_fstype.c:804
 init_inodes+0xdc/0x340 fs/gfs2/ops_fstype.c:889
 gfs2_fill_super+0x1bb2/0x2700 fs/gfs2/ops_fstype.c:1247
 get_tree_bdev+0x400/0x620 fs/super.c:1282
 gfs2_get_tree+0x50/0x210 fs/gfs2/ops_fstype.c:1330
 vfs_get_tree+0x88/0x270 fs/super.c:1489
 do_new_mount+0x289/0xad0 fs/namespace.c:3145
 do_mount fs/namespace.c:3488 [inline]
 __do_sys_mount fs/namespace.c:3697 [inline]
 __se_sys_mount+0x2d3/0x3c0 fs/namespace.c:3674
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f2c63567aca
Code: 83 c4 08 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:7ffd0e3a28d8 EFLAGS: 0282 ORIG_RAX: 00a5
RAX: ffda RBX: 0003 RCX: 7f2c63567aca
RDX: 20037f40 RSI: 20037f80 RDI: 7ffd0e3a28e0
RBP: 7ffd0e3a28e0 R08: 7ffd0e3a2920 R09: 00043350
R10: 0211 R11: 0282 R12: 0004
R13: 567192c0 R14: 7ffd0e3a2920 R15: 
 



---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
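The UBSAN report above flags index 11 against a 'u64 [11]' in __gfs2_iomap_get, reached from init_journal while mounting a crafted image. The bug class is an on-disk tree height used to index a fixed-size per-level array without first being checked against that array's bound. The following is an added illustration of that pattern and the check that prevents it; it is not gfs2's code and does not claim to reproduce what fs/gfs2/bmap.c:901 does. The array bound MAX_META_HEIGHT (11, chosen to match the type in the report), the 2-byte big-endian height field at offset 0 of the header, and the sample block numbers are all assumptions for the example; the header bytes are constructed inline.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical bound, chosen to match the 'u64 [11]' type in the UBSAN report. */
#define MAX_META_HEIGHT 11

/* Walk state for an indirect-block lookup: one index per tree level. */
struct metapath {
	unsigned int mp_fheight;
	uint64_t mp_list[MAX_META_HEIGHT];
};

/* Read a big-endian 16-bit field from a constructed on-disk header. */
static uint16_t get_be16(const uint8_t *p)
{
	return (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
}

/*
 * Compute the per-level indices for 'block' in a tree of the given height,
 * where every indirect block holds 'inptrs' pointers.  The height comes from
 * disk and is untrusted, so it is validated against the array bound before
 * the loop writes mp_list[height-1] .. mp_list[0].  Without the check, a
 * height of 12 would write mp_list[11], the exact out-of-bounds index in the
 * report.  Returns 0 on success, -1 when height or inptrs is unusable.
 */
int find_metapath_checked(uint64_t block, uint64_t inptrs,
			  unsigned int height, struct metapath *mp)
{
	if (height == 0 || height > MAX_META_HEIGHT || inptrs == 0)
		return -1;

	mp->mp_fheight = height;
	for (unsigned int i = height; i--; ) {
		mp->mp_list[i] = block % inptrs;
		block /= inptrs;
	}
	return 0;
}

/*
 * Parse the height out of a constructed header (2-byte big-endian height at
 * offset 0; this layout is an assumption for the example, not gfs2's dinode
 * format) and map 'block' through it.
 */
int parse_and_map(const uint8_t *hdr, size_t len, uint64_t block,
		  uint64_t inptrs, struct metapath *mp)
{
	if (hdr == NULL || len < 2)
		return -1;
	return find_metapath_checked(block, inptrs, get_be16(hdr), mp);
}

int main(void)
{
	/* Constructed headers: height 3 (sane) and height 12 (one past the array). */
	const uint8_t good[2] = { 0x00, 0x03 };
	const uint8_t bad[2] = { 0x00, 0x0c };
	struct metapath mp;

	if (parse_and_map(good, sizeof(good), 1234567ULL, 509ULL, &mp) == 0) {
		for (unsigned int i = 0; i < mp.mp_fheight; i++)
			printf("level %u index %llu\n", i,
			       (unsigned long long)mp.mp_list[i]);
	}
	if (parse_and_map(bad, sizeof(bad), 1234567ULL, 509ULL, &mp) != 0)
		printf("rejected height %u\n", get_be16(bad));
	return 0;
}
```

The validation belongs where the height is first read from disk, so that every later user of the value (the lookup here, and anything else that sizes a walk by it) can rely on it; rejecting the image at that point is the mount-time equivalent of the bounds check UBSAN is complaining about.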