Hi Pavel,

On Sat, Mar 12, 2022 at 11:20 PM Pavel Skripkin <paskripkin@xxxxxxxxx> wrote:
>
> Hi Dongliang,
>
> On 3/9/22 11:30, Dongliang Mu wrote:
> >> Now I am checking the log and trying to find error injection in the
> >> log file, as said by Pavel.
> >
> > Attached is the report and log file.
> >
> > @Pavel Skripkin I don't find any useful error injection in the log file.
> >
> > In case I made some mistakes, I will clean up my local crash reports,
> > update to the latest upstream kernel and restart the syzkaller. Let's
> > see if the crash still occurs.
>
> The execution path is clear from the logs. Quick grep for nilfs shows
> these lines
>
> [ 886.701044][T25972] NILFS (loop2): broken superblock, retrying with
> spare superblock (blocksize = 1024)
> [ 886.703251][T25972] NILFS (loop2): broken superblock, retrying with
> spare superblock (blocksize = 4096)
> [ 886.706454][T25972] NILFS (loop2): error -4 creating segctord thread
>
> So here is calltrace:
>
> nilfs_fill_super
> nilfs_attach_log_writer
> nilfs_segctor_start_thread <- failed
>
>
> In case of nilfs_attach_log_writer() error code jumps to
> failed_checkpoint label and calls destroy_nilfs() which should call
> nilfs_sysfs_delete_device_group().

nilfs_sysfs_delete_device_group() is called in destroy_nilfs() if
nilfs->ns_flags has THE_NILFS_INIT flag -- nilfs_init() inline function
tests this flag.

The flag is set after init_nilfs() succeeded at the beginning of
nilfs_fill_super() because the set_nilfs_init() inline in init_nilfs()
sets it.

So, nilfs_sysfs_delete_group() seems to be called in case of the above
failure. Am I missing something?

Thanks,
Ryusuke Konishi

> So I can really see how this leak is possible on top of current Linus' HEAD.
>
>
> Also in the log there are only 4 syz_mount_image$nilfs2 programs, so
> only one of them may be a reproducer. If you have spare time you can try
> to execute them using syz-execprog and see if it works :))
>
>
>
> With regards,
> Pavel Skripkin