[Bug report] kernel BUG in gfs2_glock_nq

From: yang lan
Date: Fri Aug 04 2023 - 10:03:07 EST


Hi,

We used our modified Syzkaller to fuzz the latest Linux kernel and
found the following issue.

Head Commit: 5d0c230f1de8c7515b6567d9afba1f196fb4e2f4
Git Tree: upstream

I compiled the kernel with the "kernel_config" provided, and this bug
can be reproduced with the "c_poc" attached to this email.

If you fix the bug, please add the following tag to the commit:
Reported-by: lanyang0908@xxxxxxxxx

Crash log:
[ 105.802919][ T7184] ------------[ cut here ]------------
[ 105.803214][ T7184] kernel BUG at fs/gfs2/glock.c:1551!
[ 105.803516][ T7184] invalid opcode: 0000 [#1] PREEMPT SMP KASAN
[ 105.803838][ T7184] CPU: 1 PID: 7184 Comm: syz-executor.3 Not tainted 6.5.0-rc4 #1
[ 105.804236][ T7184] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
[ 105.804703][ T7184] RIP: 0010:gfs2_glock_nq+0xa00/0x1930
[ 105.804993][ T7184] Code: 08 3c 03 0f 8e 70 0d 00 00 8b 53 18 4c 89 e6 48 c7 c7 00 c2 d6 89 e8 ef 24 e3 fd ba 01 00 00 00 4c 89 ee 31 ff e8 f0 5c ff ff <0f> 0b 4c 8b 6c 24 20 e8 04 58 fe fd 0f 1f 44 00 00 e8 fa 57 fe fd
[ 105.805989][ T7184] RSP: 0018:ffff888027c17a70 EFLAGS: 00010282
[ 105.806305][ T7184] RAX: 0000000000000000 RBX: ffff88804d339c20 RCX: ffff888042600000
[ 105.806739][ T7184] RDX: 0000000000000000 RSI: ffff888042600000 RDI: 0000000000000002
[ 105.807157][ T7184] RBP: ffff888026eae280 R08: ffffffff837ca265 R09: 0000000000000000
[ 105.807564][ T7184] R10: 0000000000000001 R11: 0000000000000001 R12: ffff88805a6e1270
[ 105.807968][ T7184] R13: ffff88804d339c20 R14: 0000000000001c10 R15: ffff888057693822
[ 105.808370][ T7184] FS: 0000000002658940(0000) GS:ffff88807ec00000(0000) knlGS:0000000000000000
[ 105.808822][ T7184] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 105.809163][ T7184] CR2: 00007f0b0cb8a000 CR3: 0000000028b4f000 CR4: 0000000000350ee0
[ 105.809581][ T7184] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 105.809980][ T7184] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 105.810379][ T7184] Call Trace:
[ 105.810553][ T7184] <TASK>
[ 105.810755][ T7184] ? __die_body+0x15/0x60
[ 105.811044][ T7184] ? die+0x37/0x50
[ 105.811254][ T7184] ? do_trap+0x1a3/0x280
[ 105.811492][ T7184] ? gfs2_glock_nq+0xa00/0x1930
[ 105.811754][ T7184] ? do_error_trap+0x9e/0x160
[ 105.812010][ T7184] ? gfs2_glock_nq+0xa00/0x1930
[ 105.812272][ T7184] ? handle_invalid_op+0x2c/0x30
[ 105.812541][ T7184] ? gfs2_glock_nq+0xa00/0x1930
[ 105.812800][ T7184] ? exc_invalid_op+0x2d/0x40
[ 105.813059][ T7184] ? asm_exc_invalid_op+0x1a/0x20
[ 105.813334][ T7184] ? gfs2_dump_glock+0x1405/0x1c60
[ 105.813606][ T7184] ? gfs2_glock_nq+0xa00/0x1930
[ 105.813866][ T7184] ? __sanitizer_cov_trace_pc+0x1e/0x50
[ 105.814166][ T7184] ? __gfs2_holder_init+0x14c/0x290
[ 105.814440][ T7184] do_sync+0x4a3/0xc30
[ 105.814671][ T7184] ? gfs2_qa_put+0x150/0x150
[ 105.814916][ T7184] ? lock_sync+0x180/0x180
[ 105.815170][ T7184] ? do_raw_spin_lock+0x125/0x2d0
[ 105.815434][ T7184] ? rwlock_bug.part.1+0x90/0x90
[ 105.815694][ T7184] ? __sanitizer_cov_trace_pc+0x1e/0x50
[ 105.815986][ T7184] gfs2_quota_sync+0x28f/0x540
[ 105.816260][ T7184] gfs2_sync_fs+0x45/0xb0
[ 105.816520][ T7184] ? rgrp_unlock_local+0x20/0x20
[ 105.816815][ T7184] sync_filesystem+0x10a/0x290
[ 105.817096][ T7184] generic_shutdown_super+0x74/0x480
[ 105.817409][ T7184] kill_block_super+0x64/0xb0
[ 105.817688][ T7184] gfs2_kill_sb+0x35a/0x410
[ 105.817965][ T7184] deactivate_locked_super+0x92/0xf0
[ 105.818277][ T7184] deactivate_super+0xd8/0xf0
[ 105.818557][ T7184] cleanup_mnt+0x30c/0x470
[ 105.818819][ T7184] task_work_run+0x16f/0x270
[ 105.819095][ T7184] ? task_work_cancel+0x30/0x30
[ 105.819381][ T7184] ? ksys_umount+0xdc/0x120
[ 105.819651][ T7184] exit_to_user_mode_prepare+0x1f8/0x200
[ 105.819987][ T7184] syscall_exit_to_user_mode+0x1d/0x50
[ 105.820309][ T7184] do_syscall_64+0x44/0x80
[ 105.820576][ T7184] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 105.820924][ T7184] RIP: 0033:0x46bc17
[ 105.821158][ T7184] Code: ff d0 48 89 c7 b8 3c 00 00 00 0f 05 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
[ 105.822236][ T7184] RSP: 002b:00007ffef0a34288 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
[ 105.822720][ T7184] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000000046bc17
[ 105.823171][ T7184] RDX: 0000000000000000 RSI: 0000000000000002 RDI: 00007ffef0a34350
[ 105.823622][ T7184] RBP: 00007ffef0a34350 R08: 0000000002659ec3 R09: 0000000000000009
[ 105.824074][ T7184] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004c9133
[ 105.824525][ T7184] R13: 00007ffef0a353f0 R14: 0000000000000001 R15: 0000000000000032
[ 105.824987][ T7184] </TASK>
[ 105.825169][ T7184] Modules linked in:
[ 105.825509][ T7184] ---[ end trace 0000000000000000 ]---
[ 105.825829][ T7184] RIP: 0010:gfs2_glock_nq+0xa00/0x1930
[ 105.826158][ T7184] Code: 08 3c 03 0f 8e 70 0d 00 00 8b 53 18 4c 89 e6 48 c7 c7 00 c2 d6 89 e8 ef 24 e3 fd ba 01 00 00 00 4c 89 ee 31 ff e8 f0 5c ff ff <0f> 0b 4c 8b 6c 24 20 e8 04 58 fe fd 0f 1f 44 00 00 e8 fa 57 fe fd
[ 105.827254][ T7184] RSP: 0018:ffff888027c17a70 EFLAGS: 00010282
[ 105.827610][ T7184] RAX: 0000000000000000 RBX: ffff88804d339c20 RCX: ffff888042600000
[ 105.828067][ T7184] RDX: 0000000000000000 RSI: ffff888042600000 RDI: 0000000000000002
[ 105.828521][ T7184] RBP: ffff888026eae280 R08: ffffffff837ca265 R09: 0000000000000000
[ 105.829289][ T7184] R10: 0000000000000001 R11: 0000000000000001 R12: ffff88805a6e1270
[ 105.829748][ T7184] R13: ffff88804d339c20 R14: 0000000000001c10 R15: ffff888057693822
[ 105.830207][ T7184] FS: 0000000002658940(0000) GS:ffff88807ec00000(0000) knlGS:0000000000000000
[ 105.830725][ T7184] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 105.831107][ T7184] CR2: 00007f0b0cb8a000 CR3: 0000000028b4f000 CR4: 0000000000350ee0
[ 105.831561][ T7184] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 105.832015][ T7184] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 105.832466][ T7184] Kernel panic - not syncing: Fatal exception
[ 105.833065][ T7184] Kernel Offset: disabled
[ 105.833317][ T7184] Rebooting in 86400 seconds..

Attachment: log_6.5-rc4
Description: Binary data

Attachment: kernel_config
Description: Binary data

Attachment: syz_poc
Description: Binary data

Attachment: c_poc
Description: Binary data