kernel warning in vprintfmt (2)

syzbot
May 3, 2019, 2:37:06 AM
to aka...@googlegroups.com

Hello,

syzbot found the following crash on:

HEAD commit: d8ea787e 9ns: don't pass user pointers for 'spec'
git tree: akaros
console output: https://syzkaller.appspot.com/x/log.txt?x=153691e0a00000
kernel config: https://syzkaller.appspot.com/x/.config?x=bc709c3b83482973
dashboard link: https://syzkaller.appspot.com/bug?extid=36f58f45c1902ffdca18

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+36f58f...@syzkaller.appspotmail.com

kernel warning at kern/src/printfmt.c:153, from core 1: _x && _x < ULIM
Stack Backtrace on Core 1:
#01 [<0xffffffffc200a42c>] in backtrace at src/kdebug.c:235
#02 [<0xffffffffc2009c54>] in _warn at src/init.c:326
#03 [<0xffffffffc2049071>] in vprintfmt at src/printfmt.c:153
#04 [<0xffffffffc2049312>] in vsnprintf at src/printfmt.c:328
#05 [<0xffffffffc2058539>] in vset_errstr at src/syscall.c:509
#06 [<0xffffffffc205866b>] in set_error at src/syscall.c:542
#07 [<0xffffffffc2039a29>] in cmderror at src/ns/parse.c:121
#08 [<0xffffffffc2039b1b>] in lookupcmd at src/ns/parse.c:152
#09 [<0xffffffffc202876a>] in netlogctl at src/net/netlog.c:213
#10 [<0xffffffffc2016d5e>] in ipwrite at src/net/devip.c:1447
#11 [<0xffffffffc2040639>] in rwrite at src/ns/sysfile.c:1117
#12 [<0xffffffffc204088b>] in syswrite at src/ns/sysfile.c:1135
#13 [<0xffffffffc20593e9>] in sys_write at src/syscall.c:1785
#14 [<0xffffffffc2059f49>] in syscall at src/syscall.c:2578
#15 [<0xffffffffc205aaf8>] in run_local_syscall at src/syscall.c:2615
#16 [<0xffffffffc205b039>] in prep_syscalls at src/syscall.c:2635
#17 [<0xffffffffc20ac812>] in sysenter_callwrapper at arch/x86/trap.c:877
kernel panic at kern/arch/x86/trap.c:318, from core 1: Proc-ful Page Fault in the Kernel at 0x0000000000000005!
HW TRAP frame at 0xfffffff0000c19c0 on core 1
rax 0x0000000000000015
rbx 0xfffffff0000c1af8
rcx 0x00000000000003d4
rdx 0x0000000000000005
rbp 0xfffffff0000c1ae8
rsi 0x0000000000000780
rdi 0xffffffffc210fb30
r8 0xffff8000000b8fa0
r9 0x0000000000000f00
r10 0xffff8000000b8f00
r11 0xffff8000000b8ec0
r12 0xffffffffc2048830
r13 0x0000000000000005
r14 0x0000000000000015
r15 0xffff8000047f477c
trap 0x0000000e Page Fault
gsbs 0xffffffffc8e37dc0
fsbs 0x0000000000000000
err 0x--------00000000
rip 0xffffffffc2048b0c
cs 0x------------0008
flag 0x0000000000010206
rsp 0xfffffff0000c1a88
ss 0x------------0010
Backtrace of kernel context on Core 1:
#01 [<0xffffffffc2048b0c>] in vprintfmt at src/printfmt.c:153
#02 [<0xffffffffc2049312>] in vsnprintf at src/printfmt.c:328
#03 [<0xffffffffc2058539>] in vset_errstr at src/syscall.c:509
#04 [<0xffffffffc205866b>] in set_error at src/syscall.c:542
#05 [<0xffffffffc2039a29>] in cmderror at src/ns/parse.c:121
#06 [<0xffffffffc2039b1b>] in lookupcmd at src/ns/parse.c:152
#07 [<0xffffffffc202876a>] in netlogctl at src/net/netlog.c:213
#08 [<0xffffffffc2016d5e>] in ipwrite at src/net/devip.c:1447
#09 [<0xffffffffc2040639>] in rwrite at src/ns/sysfile.c:1117
#10 [<0xffffffffc204088b>] in syswrite at src/ns/sysfile.c:1135
#11 [<0xffffffffc20593e9>] in sys_write at src/syscall.c:1785
#12 [<0xffffffffc2059f49>] in syscall at src/syscall.c:2578
#13 [<0xffffffffc205aaf8>] in run_local_syscall at src/syscall.c:2615
#14 [<0xffffffffc205b039>] in prep_syscalls at src/syscall.c:2635
#15 [<0xffffffffc20ac812>] in sysenter_callwrapper at arch/x86/trap.c:877


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot
May 3, 2019, 3:10:09 AM
to aka...@googlegroups.com

syzbot has found a reproducer for the following crash on:

HEAD commit: d8ea787e 9ns: don't pass user pointers for 'spec'
git tree: akaros
console output: https://syzkaller.appspot.com/x/log.txt?x=160ce6fca00000
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17330c58a00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=158bc184a00000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+36f58f...@syzkaller.appspotmail.com

kernel warning at kern/src/printfmt.c:189, from core 1: _x && _x < ULIM
Stack Backtrace on Core 1:
#01 [<0xffffffffc200a42c>] in backtrace at src/kdebug.c:235
#02 [<0xffffffffc2009c54>] in _warn at src/init.c:326
#03 [<0xffffffffc20490e4>] in vprintfmt at src/printfmt.c:189
#04 [<0xffffffffc2049312>] in vsnprintf at src/printfmt.c:328
#05 [<0xffffffffc2058539>] in vset_errstr at src/syscall.c:509
#06 [<0xffffffffc205866b>] in set_error at src/syscall.c:542
#07 [<0xffffffffc2039a29>] in cmderror at src/ns/parse.c:121
#08 [<0xffffffffc2039b1b>] in lookupcmd at src/ns/parse.c:152
#09 [<0xffffffffc202876a>] in netlogctl at src/net/netlog.c:213
#10 [<0xffffffffc2016d5e>] in ipwrite at src/net/devip.c:1447
#11 [<0xffffffffc2040639>] in rwrite at src/ns/sysfile.c:1117
#12 [<0xffffffffc204088b>] in syswrite at src/ns/sysfile.c:1135
#13 [<0xffffffffc20593e9>] in sys_write at src/syscall.c:1785
#14 [<0xffffffffc2059f49>] in syscall at src/syscall.c:2578
#15 [<0xffffffffc205aaf8>] in run_local_syscall at src/syscall.c:2615
#16 [<0xffffffffc205b039>] in prep_syscalls at src/syscall.c:2635
#17 [<0xffffffffc20ac812>] in sysenter_callwrapper at arch/x86/trap.c:877
kernel panic at kern/arch/x86/trap.c:318, from core 1: Proc-ful Page Fault in the Kernel at 0x0000000000000005!
HW TRAP frame at 0xfffffff0000149c0 on core 1
rax 0xffffffffc20baa10
rbx 0xfffffff000014af8
rcx 0x00000000ffffffff
rdx 0x0000000000000005
rbp 0xfffffff000014ae8
rsi 0x0000000000000780
rdi 0xffffffffc210fb30
r8 0x0000000000000020
r9 0x0000000000000005
r10 0xffff8000000b8f00
r11 0xffff8000000b8ec0
r12 0xffffffffc2048830
r13 0xfffffff000014b50
r14 0x00000000ffffffff
r15 0xffff80000d8041f1
trap 0x0000000e Page Fault
gsbs 0xffffffffc8e37dc0
fsbs 0x0000000000000000
err 0x--------00000000
rip 0xffffffffc2048c49
cs 0x------------0008
flag 0x0000000000010286
rsp 0xfffffff000014a88
ss 0x------------0010
Backtrace of kernel context on Core 1:
#01 [<0xffffffffc2048c49>] in vprintfmt at src/printfmt.c:192