lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <000000000000dfd631061eaeb4bc@google.com>
Date: Fri, 02 Aug 2024 00:59:27 -0700
From: syzbot <syzbot+7dbbb74af6291b5a5a8b@...kaller.appspotmail.com>
To: clm@...com, dsterba@...e.com, fdmanana@...e.com, hreitz@...hat.com, 
	josef@...icpanda.com, linux-btrfs@...r.kernel.org, 
	linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com
Subject: [syzbot] [btrfs?] WARNING: bad unlock balance in btrfs_direct_write

Hello,

syzbot found the following issue on:

HEAD commit:    e4fc196f5ba3 Merge tag 'for-6.11-rc1-tag' of git://git.ker..
git tree:       upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=126942d3980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=2258b49cd9b339fa
dashboard link: https://syzkaller.appspot.com/bug?extid=7dbbb74af6291b5a5a8b
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=14889175980000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=14d261f9980000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/ac353d93e559/disk-e4fc196f.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/7c2d4dacbc40/vmlinux-e4fc196f.xz
kernel image: https://storage.googleapis.com/syzbot-assets/427fd3f8ee36/bzImage-e4fc196f.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/9d865517e0c9/mount_0.gz

The issue was bisected to:

commit 939b656bc8ab203fdbde26ccac22bcb7f0985be5
Author: Filipe Manana <fdmanana@...e.com>
Date:   Fri Jul 26 10:12:52 2024 +0000

    btrfs: fix corruption after buffer fault in during direct IO append write

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=16f8316d980000
final oops:     https://syzkaller.appspot.com/x/report.txt?x=15f8316d980000
console output: https://syzkaller.appspot.com/x/log.txt?x=11f8316d980000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+7dbbb74af6291b5a5a8b@...kaller.appspotmail.com
Fixes: 939b656bc8ab ("btrfs: fix corruption after buffer fault in during direct IO append write")

=====================================
WARNING: bad unlock balance detected!
6.11.0-rc1-syzkaller-00062-ge4fc196f5ba3 #0 Not tainted
-------------------------------------
syz-executor334/5215 is trying to release lock (&sb->s_type->i_mutex_key) at:
[<ffffffff83d47c3f>] btrfs_direct_write+0x91f/0xb40 fs/btrfs/direct-io.c:920
but there are no more locks to release!

other info that might help us debug this:
1 lock held by syz-executor334/5215:
 #0: ffff888025b4c420 (sb_writers#9){.+.+}-{0:0}, at: file_start_write include/linux/fs.h:2876 [inline]
 #0: ffff888025b4c420 (sb_writers#9){.+.+}-{0:0}, at: vfs_write+0x227/0xc90 fs/read_write.c:586

stack backtrace:
CPU: 0 UID: 0 PID: 5215 Comm: syz-executor334 Not tainted 6.11.0-rc1-syzkaller-00062-ge4fc196f5ba3 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:93 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119
 print_unlock_imbalance_bug+0x256/0x2c0 kernel/locking/lockdep.c:5199
 __lock_release kernel/locking/lockdep.c:5436 [inline]
 lock_release+0x5cb/0xa30 kernel/locking/lockdep.c:5780
 up_write+0x79/0x590 kernel/locking/rwsem.c:1631
 btrfs_direct_write+0x91f/0xb40 fs/btrfs/direct-io.c:920
 btrfs_do_write_iter+0x2a1/0x760 fs/btrfs/file.c:1505
 new_sync_write fs/read_write.c:497 [inline]
 vfs_write+0xa72/0xc90 fs/read_write.c:590
 ksys_write+0x1a0/0x2c0 fs/read_write.c:643
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f5b6c418169
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 21 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffdb1dc3c98 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0073746e6576652e RCX: 00007f5b6c418169
RDX: 0000000000182000 RSI: 0000000020000000 RDI: 0000000000000005
RBP: 652e79726f6d656d R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffdb1dc3ce0
R13: 00007ffdb1dc3d20 R14: 0000000001000000 R15: 0000000000000003
 </TASK>
------------[ cut here ]------------
DEBUG_RWSEMS_WARN_ON((rwsem_owner(sem) != current) && !rwsem_test_oflags(sem, RWSEM_NONSPINNABLE)): count = 0x0, magic = 0xffff888075c915c8, owner = 0x0, curr 0xffff888025265a00, list empty
WARNING: CPU: 0 PID: 5215 at kernel/locking/rwsem.c:1370 __up_write kernel/locking/rwsem.c:1369 [inline]
WARNING: CPU: 0 PID: 5215 at kernel/locking/rwsem.c:1370 up_write+0x502/0x590 kernel/locking/rwsem.c:1632
Modules linked in:
CPU: 0 UID: 0 PID: 5215 Comm: syz-executor334 Not tainted 6.11.0-rc1-syzkaller-00062-ge4fc196f5ba3 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
RIP: 0010:__up_write kernel/locking/rwsem.c:1369 [inline]
RIP: 0010:up_write+0x502/0x590 kernel/locking/rwsem.c:1632
Code: c7 c7 a0 c8 ea 8b 48 c7 c6 20 cb ea 8b 48 8b 54 24 28 48 8b 4c 24 18 4d 89 e0 4c 8b 4c 24 30 53 e8 d3 9c e6 ff 48 83 c4 08 90 <0f> 0b 90 90 e9 6a fd ff ff 48 c7 c1 00 a9 f6 8f 80 e1 07 80 c1 03
RSP: 0018:ffffc90003507920 EFLAGS: 00010292
RAX: 889b6823d8081400 RBX: ffffffff8beac980 RCX: ffff888025265a00
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
RBP: ffffc900035079f0 R08: ffffffff81559202 R09: fffffbfff1cb9f80
R10: dffffc0000000000 R11: fffffbfff1cb9f80 R12: 0000000000000000
R13: ffff888075c915c8 R14: 1ffff920006a0f2c R15: dffffc0000000000
FS:  0000555586938380(0000) GS:ffff8880b9200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffe3488bd28 CR3: 000000002503c000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 btrfs_direct_write+0x91f/0xb40 fs/btrfs/direct-io.c:920
 btrfs_do_write_iter+0x2a1/0x760 fs/btrfs/file.c:1505
 new_sync_write fs/read_write.c:497 [inline]
 vfs_write+0xa72/0xc90 fs/read_write.c:590
 ksys_write+0x1a0/0x2c0 fs/read_write.c:643
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f5b6c418169
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 21 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffdb1dc3c98 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0073746e6576652e RCX: 00007f5b6c418169
RDX: 0000000000182000 RSI: 0000000020000000 RDI: 0000000000000005
RBP: 652e79726f6d656d R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffdb1dc3ce0
R13: 00007ffdb1dc3d20 R14: 0000000001000000 R15: 0000000000000003
 </TASK>


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@...glegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ