Hi Kernel Maintainers, we found a bug "general protection fault in bioset_exit" in upstream, and reproduced it successfully: HEAD Commit: d5d547aa7b51467b15d9caa86b116f8c2507c72a(Merge tag 'random-6.11-rc6-for-linus') kernel config: https://github.com/androidAppGuard/KernelBugs/blob/main/6.11.config console output: https://github.com/androidAppGuard/KernelBugs/blob/main/d5d547aa7b51467b15d9caa86b116f8c2507c72a/5e472bcde03516824974868fc1dd30ab00bd2cd1/log0 syz reproducer: https://github.com/androidAppGuard/KernelBugs/blob/main/d5d547aa7b51467b15d9caa86b116f8c2507c72a/5e472bcde03516824974868fc1dd30ab00bd2cd1/repro.prog C reproducer: https://github.com/androidAppGuard/KernelBugs/blob/main/d5d547aa7b51467b15d9caa86b116f8c2507c72a/5e472bcde03516824974868fc1dd30ab00bd2cd1/repro.cprog Please let me know if there is anything I can help. Best, Hui Guo The following context is the crash report. ================================================================================ bcachefs (loop2): bch2_fs_recovery(): error fsck_errors_not_fixed bcachefs (loop2): bch2_fs_start(): error starting filesystem fsck_errors_not_fixed bcachefs (loop2): shutting down bcachefs (loop2): shutdown complete Oops: general protection fault, probably for non-canonical address 0x2feaecb40264aa05: 0000 [#1] PREEMPT SMP KASAN NOPTI CPU: 0 UID: 0 PID: 40510 Comm: syz.2.2252 Not tainted 6.11.0-rc5-00081-gd5d547aa7b51 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 RIP: 0010:qlist_move_cache+0x6b/0x120 data/linux_kernel/linux/mm/kasan/quarantine.c:302 Code: 26 49 83 3e 00 0f 84 bb 00 00 00 49 8b 46 08 4c 89 28 4d 89 6e 08 49 c7 45 00 00 00 00 00 49 01 56 10 4d 85 ff 74 6a 4d 89 fd <4d> 8b 3f 4c 89 ef e8 5a 53 58 ff 48 c1 e8 0c 48 c1 e0 06 4c 01 e0 RSP: 0018:ffffc900024f7990 EFLAGS: 00010006 RAX: ffff88805ba22200 RBX: ffffc900024f79c8 RCX: ffffffff813d99ef RDX: 0000000000001100 RSI: ffffffff813d99f9 RDI: 0000000000000007 RBP: ffff88804bcb2500 R08: 0000000000000001 R09: fffff5200049ef27 R10: 0000000000000000 R11: 0000000000000000 R12: ffffea0000000000 R13: 2feaecb40264aa05 R14: ffffffff94c417c0 R15: 2feaecb40264aa05 FS: 00007f30de39e640(0000) GS:ffff88802c400000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f7fd3cf0090 CR3: 00000000291d2000 CR4: 0000000000750ef0 PKRU: 80000000 Call Trace: <TASK> kasan_quarantine_remove_cache+0x102/0x190 data/linux_kernel/linux/mm/kasan/quarantine.c:370 shutdown_cache data/linux_kernel/linux/mm/slab_common.c:546 [inline] kmem_cache_destroy data/linux_kernel/linux/mm/slab_common.c:588 [inline] kmem_cache_destroy+0x58/0x1b0 data/linux_kernel/linux/mm/slab_common.c:571 bio_put_slab data/linux_kernel/linux/block/bio.c:155 [inline] bioset_exit+0x2ff/0x5b0 data/linux_kernel/linux/block/bio.c:1750 bch2_fs_fs_io_direct_exit+0x19/0x30 data/linux_kernel/linux/fs/bcachefs/fs-io-direct.c:670 __bch2_fs_free data/linux_kernel/linux/fs/bcachefs/super.c:543 [inline] bch2_fs_release+0xad/0x8e0 data/linux_kernel/linux/fs/bcachefs/super.c:608 kobject_cleanup data/linux_kernel/linux/lib/kobject.c:689 [inline] kobject_release data/linux_kernel/linux/lib/kobject.c:720 [inline] kref_put data/linux_kernel/linux/include/linux/kref.h:65 [inline] kobject_put+0x1af/0x4c0 data/linux_kernel/linux/lib/kobject.c:737 bch2_fs_get_tree+0x1002/0x1330 data/linux_kernel/linux/fs/bcachefs/fs.c:2041 vfs_get_tree+0x94/0x380 data/linux_kernel/linux/fs/super.c:1800 do_new_mount data/linux_kernel/linux/fs/namespace.c:3472 [inline] path_mount+0x6b2/0x1ea0 data/linux_kernel/linux/fs/namespace.c:3799 do_mount data/linux_kernel/linux/fs/namespace.c:3812 [inline] __do_sys_mount data/linux_kernel/linux/fs/namespace.c:4020 [inline] __se_sys_mount data/linux_kernel/linux/fs/namespace.c:3997 [inline] __x64_sys_mount+0x284/0x310 data/linux_kernel/linux/fs/namespace.c:3997 do_syscall_x64 data/linux_kernel/linux/arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcb/0x250 data/linux_kernel/linux/arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f30dd59b45e Code: 48 c7 c0 ff ff ff ff eb aa e8 5e 20 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f30de39dda8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 RAX: ffffffffffffffda RBX: 000000000000f61f RCX: 00007f30dd59b45e RDX: 000000002000f640 RSI: 000000002000f680 RDI: 00007f30de39de00 RBP: 00007f30de39de40 R08: 00007f30de39de40 R09: 0000000000000000 R10: 0000000001200040 R11: 0000000000000246 R12: 000000002000f640 R13: 000000002000f680 R14: 00007f30de39de00 R15: 0000000020000040 </TASK> Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010:qlist_move_cache+0x6b/0x120 data/linux_kernel/linux/mm/kasan/quarantine.c:302 Code: 26 49 83 3e 00 0f 84 bb 00 00 00 49 8b 46 08 4c 89 28 4d 89 6e 08 49 c7 45 00 00 00 00 00 49 01 56 10 4d 85 ff 74 6a 4d 89 fd <4d> 8b 3f 4c 89 ef e8 5a 53 58 ff 48 c1 e8 0c 48 c1 e0 06 4c 01 e0 RSP: 0018:ffffc900024f7990 EFLAGS: 00010006 RAX: ffff88805ba22200 RBX: ffffc900024f79c8 RCX: ffffffff813d99ef RDX: 0000000000001100 RSI: ffffffff813d99f9 RDI: 0000000000000007 RBP: ffff88804bcb2500 R08: 0000000000000001 R09: fffff5200049ef27 R10: 0000000000000000 R11: 0000000000000000 R12: ffffea0000000000 R13: 2feaecb40264aa05 R14: ffffffff94c417c0 R15: 2feaecb40264aa05 FS: 00007f30de39e640(0000) GS:ffff88802c400000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f7fd3cf0090 CR3: 00000000291d2000 CR4: 0000000000750ef0 PKRU: 80000000 ---------------- Code disassembly (best guess): 0: 26 49 83 3e 00 es cmpq $0x0,(%r14) 5: 0f 84 bb 00 00 00 je 0xc6 b: 49 8b 46 08 mov 0x8(%r14),%rax f: 4c 89 28 mov %r13,(%rax) 12: 4d 89 6e 08 mov %r13,0x8(%r14) 16: 49 c7 45 00 00 00 00 movq $0x0,0x0(%r13) 1d: 00 1e: 49 01 56 10 add %rdx,0x10(%r14) 22: 4d 85 ff test %r15,%r15 25: 74 6a je 0x91 27: 4d 89 fd mov %r15,%r13 * 2a: 4d 8b 3f mov (%r15),%r15 <-- trapping instruction 2d: 4c 89 ef mov %r13,%rdi 30: e8 5a 53 58 ff call 0xff58538f 35: 48 c1 e8 0c shr $0xc,%rax 39: 48 c1 e0 06 shl $0x6,%rax 3d: 4c 01 e0 add %r12,%rax
