[Android 5.10] general protection fault in fuse_atomic_open
0 views
Skip to first unread message
syzbot
Jul 16, 2023, 7:36:02 PM7/16/23
to syzkaller-a...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 59b65efafe20 Revert "gpio: Allow per-parent interrupt data"
git tree: android13-5.10-lts
console+strace: https://syzkaller.appspot.com/x/log.txt?x=16ead7a2a80000
kernel config: https://syzkaller.appspot.com/x/.config?x=21b7341388eb4bd9
dashboard link: https://syzkaller.appspot.com/bug?extid=8e06855e2fa000e0c107
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11597596a80000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11ead7a2a80000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/af0aa144141b/disk-59b65efa.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/c90c9cff963e/vmlinux-59b65efa.xz
kernel image: https://storage.googleapis.com/syzbot-assets/81a3f67fcae6/bzImage-59b65efa.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+8e0685...@syzkaller.appspotmail.com
general protection fault, probably for non-canonical address 0xdffffc0000000007: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f]
CPU: 1 PID: 292 Comm: syz-executor142 Not tainted 5.10.186-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/03/2023
RIP: 0010:d_really_is_positive include/linux/dcache.h:499 [inline]
RIP: 0010:fuse_atomic_open+0x27c/0x31a0 fs/fuse/dir.c:846
Code: e0 40 4c 8b 64 24 28 75 07 e8 c0 5d 6d ff eb 37 48 8b 44 24 60 48 8d 58 30 48 89 d8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 08 48 89 df e8 86 7e aa ff 48 83 3b 00 0f 84 a6 00
RSP: 0018:ffffc90000b77300 EFLAGS: 00010202
RAX: 0000000000000007 RBX: 0000000000000039 RCX: dffffc0000000000
RDX: ffff88811dee13c0 RSI: 0000000000000040 RDI: 0000000000000000
RBP: ffffc90000b77930 R08: ffffffff81fd2a0f R09: ffffed10238987bc
R10: 0000000000000000 R11: dffffc0000000001 R12: ffff88811c4c3aa8
R13: ffff88811e10c800 R14: 1ffff9200016ee78 R15: 0000000000000009
FS: 00007fb2952756c0(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000000 CR3: 000000011e08c000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
atomic_open fs/namei.c:3120 [inline]
lookup_open fs/namei.c:3225 [inline]
open_last_lookups fs/namei.c:3323 [inline]
path_openat+0xff0/0x3000 fs/namei.c:3512
do_filp_open+0x21c/0x460 fs/namei.c:3542
do_sys_openat2+0x13f/0x6f0 fs/open.c:1217
do_sys_open fs/open.c:1233 [inline]
__do_sys_creat fs/open.c:1307 [inline]
__se_sys_creat fs/open.c:1301 [inline]
__x64_sys_creat+0x11f/0x160 fs/open.c:1301
do_syscall_64+0x34/0x70
entry_SYSCALL_64_after_hwframe+0x61/0xc6
RIP: 0033:0x7fb2952d44b9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fb295275218 EFLAGS: 00000246 ORIG_RAX: 0000000000000055
RAX: ffffffffffffffda RBX: 00007fb2953613f8 RCX: 00007fb2952d44b9
RDX: 00007fb2952b1c46 RSI: 0000000000000000 RDI: 0000000020000000
RBP: 00007fb2953613f0 R08: 00007fff21287327 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fb29532e024
R13: 000000000000006e R14: 0030656c69662f30 R15: 2f30656c69662f2e
Modules linked in:
---[ end trace 88cdf4a084fb2158 ]---
RIP: 0010:d_really_is_positive include/linux/dcache.h:499 [inline]
RIP: 0010:fuse_atomic_open+0x27c/0x31a0 fs/fuse/dir.c:846
Code: e0 40 4c 8b 64 24 28 75 07 e8 c0 5d 6d ff eb 37 48 8b 44 24 60 48 8d 58 30 48 89 d8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 08 48 89 df e8 86 7e aa ff 48 83 3b 00 0f 84 a6 00
RSP: 0018:ffffc90000b77300 EFLAGS: 00010202
RAX: 0000000000000007 RBX: 0000000000000039 RCX: dffffc0000000000
RDX: ffff88811dee13c0 RSI: 0000000000000040 RDI: 0000000000000000
RBP: ffffc90000b77930 R08: ffffffff81fd2a0f R09: ffffed10238987bc
R10: 0000000000000000 R11: dffffc0000000001 R12: ffff88811c4c3aa8
R13: ffff88811e10c800 R14: 1ffff9200016ee78 R15: 0000000000000009
FS: 00007fb2952756c0(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020005000 CR3: 000000011e08c000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: e0 40 loopne 0x42
2: 4c 8b 64 24 28 mov 0x28(%rsp),%r12
7: 75 07 jne 0x10
9: e8 c0 5d 6d ff call 0xff6d5dce
e: eb 37 jmp 0x47
10: 48 8b 44 24 60 mov 0x60(%rsp),%rax
15: 48 8d 58 30 lea 0x30(%rax),%rbx
19: 48 89 d8 mov %rbx,%rax
1c: 48 c1 e8 03 shr $0x3,%rax
20: 48 b9 00 00 00 00 00 movabs $0xdffffc0000000000,%rcx
27: fc ff df
* 2a: 80 3c 08 00 cmpb $0x0,(%rax,%rcx,1) <-- trapping instruction
2e: 74 08 je 0x38
30: 48 89 df mov %rbx,%rdi
33: e8 86 7e aa ff call 0xffaa7ebe
38: 48 83 3b 00 cmpq $0x0,(%rbx)
3c: 0f .byte 0xf
3d: 84 .byte 0x84
3e: a6 cmpsb %es:(%rdi),%ds:(%rsi)
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to change bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: 59b65efafe20 Revert "gpio: Allow per-parent interrupt data"
git tree: android13-5.10-lts
console+strace: https://syzkaller.appspot.com/x/log.txt?x=16ead7a2a80000
kernel config: https://syzkaller.appspot.com/x/.config?x=21b7341388eb4bd9
dashboard link: https://syzkaller.appspot.com/bug?extid=8e06855e2fa000e0c107
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11597596a80000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11ead7a2a80000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/af0aa144141b/disk-59b65efa.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/c90c9cff963e/vmlinux-59b65efa.xz
kernel image: https://storage.googleapis.com/syzbot-assets/81a3f67fcae6/bzImage-59b65efa.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+8e0685...@syzkaller.appspotmail.com
general protection fault, probably for non-canonical address 0xdffffc0000000007: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f]
CPU: 1 PID: 292 Comm: syz-executor142 Not tainted 5.10.186-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/03/2023
RIP: 0010:d_really_is_positive include/linux/dcache.h:499 [inline]
RIP: 0010:fuse_atomic_open+0x27c/0x31a0 fs/fuse/dir.c:846
Code: e0 40 4c 8b 64 24 28 75 07 e8 c0 5d 6d ff eb 37 48 8b 44 24 60 48 8d 58 30 48 89 d8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 08 48 89 df e8 86 7e aa ff 48 83 3b 00 0f 84 a6 00
RSP: 0018:ffffc90000b77300 EFLAGS: 00010202
RAX: 0000000000000007 RBX: 0000000000000039 RCX: dffffc0000000000
RDX: ffff88811dee13c0 RSI: 0000000000000040 RDI: 0000000000000000
RBP: ffffc90000b77930 R08: ffffffff81fd2a0f R09: ffffed10238987bc
R10: 0000000000000000 R11: dffffc0000000001 R12: ffff88811c4c3aa8
R13: ffff88811e10c800 R14: 1ffff9200016ee78 R15: 0000000000000009
FS: 00007fb2952756c0(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000000 CR3: 000000011e08c000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
atomic_open fs/namei.c:3120 [inline]
lookup_open fs/namei.c:3225 [inline]
open_last_lookups fs/namei.c:3323 [inline]
path_openat+0xff0/0x3000 fs/namei.c:3512
do_filp_open+0x21c/0x460 fs/namei.c:3542
do_sys_openat2+0x13f/0x6f0 fs/open.c:1217
do_sys_open fs/open.c:1233 [inline]
__do_sys_creat fs/open.c:1307 [inline]
__se_sys_creat fs/open.c:1301 [inline]
__x64_sys_creat+0x11f/0x160 fs/open.c:1301
do_syscall_64+0x34/0x70
entry_SYSCALL_64_after_hwframe+0x61/0xc6
RIP: 0033:0x7fb2952d44b9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fb295275218 EFLAGS: 00000246 ORIG_RAX: 0000000000000055
RAX: ffffffffffffffda RBX: 00007fb2953613f8 RCX: 00007fb2952d44b9
RDX: 00007fb2952b1c46 RSI: 0000000000000000 RDI: 0000000020000000
RBP: 00007fb2953613f0 R08: 00007fff21287327 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fb29532e024
R13: 000000000000006e R14: 0030656c69662f30 R15: 2f30656c69662f2e
Modules linked in:
---[ end trace 88cdf4a084fb2158 ]---
RIP: 0010:d_really_is_positive include/linux/dcache.h:499 [inline]
RIP: 0010:fuse_atomic_open+0x27c/0x31a0 fs/fuse/dir.c:846
Code: e0 40 4c 8b 64 24 28 75 07 e8 c0 5d 6d ff eb 37 48 8b 44 24 60 48 8d 58 30 48 89 d8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 08 48 89 df e8 86 7e aa ff 48 83 3b 00 0f 84 a6 00
RSP: 0018:ffffc90000b77300 EFLAGS: 00010202
RAX: 0000000000000007 RBX: 0000000000000039 RCX: dffffc0000000000
RDX: ffff88811dee13c0 RSI: 0000000000000040 RDI: 0000000000000000
RBP: ffffc90000b77930 R08: ffffffff81fd2a0f R09: ffffed10238987bc
R10: 0000000000000000 R11: dffffc0000000001 R12: ffff88811c4c3aa8
R13: ffff88811e10c800 R14: 1ffff9200016ee78 R15: 0000000000000009
FS: 00007fb2952756c0(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020005000 CR3: 000000011e08c000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: e0 40 loopne 0x42
2: 4c 8b 64 24 28 mov 0x28(%rsp),%r12
7: 75 07 jne 0x10
9: e8 c0 5d 6d ff call 0xff6d5dce
e: eb 37 jmp 0x47
10: 48 8b 44 24 60 mov 0x60(%rsp),%rax
15: 48 8d 58 30 lea 0x30(%rax),%rbx
19: 48 89 d8 mov %rbx,%rax
1c: 48 c1 e8 03 shr $0x3,%rax
20: 48 b9 00 00 00 00 00 movabs $0xdffffc0000000000,%rcx
27: fc ff df
* 2a: 80 3c 08 00 cmpb $0x0,(%rax,%rcx,1) <-- trapping instruction
2e: 74 08 je 0x38
30: 48 89 df mov %rbx,%rdi
33: e8 86 7e aa ff call 0xffaa7ebe
38: 48 83 3b 00 cmpq $0x0,(%rbx)
3c: 0f .byte 0xf
3d: 84 .byte 0x84
3e: a6 cmpsb %es:(%rdi),%ds:(%rsi)
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to change bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot
Jul 16, 2023, 8:03:57 PM7/16/23
to syzkaller-a...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: f6707f352b54 ANDROID: sched: Export sched_domains_mutex fo..
syzbot found the following issue on:
git tree: android14-6.1
console+strace: https://syzkaller.appspot.com/x/log.txt?x=14500de4a80000
kernel config: https://syzkaller.appspot.com/x/.config?x=b75c7b7ab5a09aff
dashboard link: https://syzkaller.appspot.com/bug?extid=8e2c502cde30a2ac8d7f
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=138e0a92a80000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12c4feb6a80000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/d59a8465ed30/disk-f6707f35.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/c29415da2d4d/vmlinux-f6707f35.xz
kernel image: https://storage.googleapis.com/syzbot-assets/cc08b957a9ac/bzImage-f6707f35.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
general protection fault, probably for non-canonical address 0xdffffc0000000007: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f]
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/03/2023
RIP: 0010:d_really_is_positive include/linux/dcache.h:493 [inline]
RIP: 0010:fuse_atomic_open+0x166/0x3a0 fs/fuse/dir.c:866
Code: 45 fe 8b 5d c4 89 de 83 e6 40 31 ff e8 f3 fc 60 ff 89 d8 83 e0 40 75 07 e8 37 f9 60 ff eb 25 49 8d 5f 30 48 89 d8 48 c1 e8 03 <42> 80 3c 20 00 74 08 48 89 df e8 5b 15 a7 ff 48 83 3b 00 74 24 e8
RSP: 0018:ffffc90000e678f8 EFLAGS: 00010202
RAX: 0000000000000007 RBX: 0000000000000039 RCX: ffff88811cfcbcc0
RDX: ffff88811cfcbcc0 RSI: 0000000000000040 RDI: 0000000000000000
RBP: ffffc90000e67950 R08: ffffffff8213ebcd R09: fffff520001cce69
R10: 0000000000000000 R11: dffffc0000000001 R12: dffffc0000000000
R13: ffff88810bebd540 R14: 0000000000000009 R15: 0000000000000009
FS: 00007fc5bfb136c0(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000000 CR3: 0000000121e78000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
atomic_open fs/namei.c:3276 [inline]
lookup_open fs/namei.c:3384 [inline]
open_last_lookups fs/namei.c:3481 [inline]
path_openat+0xf52/0x2d60 fs/namei.c:3711
do_filp_open+0x230/0x480 fs/namei.c:3741
do_sys_openat2+0x13f/0x850 fs/open.c:1333
do_sys_open fs/open.c:1349 [inline]
__do_sys_creat fs/open.c:1425 [inline]
__se_sys_creat fs/open.c:1419 [inline]
__x64_sys_creat+0x11f/0x160 fs/open.c:1419
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fc5bfb724b9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fc5bfb13218 EFLAGS: 00000246 ORIG_RAX: 0000000000000055
RAX: ffffffffffffffda RBX: 00007fc5bfbff3f8 RCX: 00007fc5bfb724b9
RDX: 00007fc5bfb4fc46 RSI: 0000000000000000 RDI: 0000000020000000
RBP: 00007fc5bfbff3f0 R08: 00007ffcb52a7a07 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fc5bfbcc024
R13: 000000000000006e R14: 0030656c69662f30 R15: 2f30656c69662f2e
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:d_really_is_positive include/linux/dcache.h:493 [inline]
RIP: 0010:fuse_atomic_open+0x166/0x3a0 fs/fuse/dir.c:866
Code: 45 fe 8b 5d c4 89 de 83 e6 40 31 ff e8 f3 fc 60 ff 89 d8 83 e0 40 75 07 e8 37 f9 60 ff eb 25 49 8d 5f 30 48 89 d8 48 c1 e8 03 <42> 80 3c 20 00 74 08 48 89 df e8 5b 15 a7 ff 48 83 3b 00 74 24 e8
RSP: 0018:ffffc90000e678f8 EFLAGS: 00010202
RAX: 0000000000000007 RBX: 0000000000000039 RCX: ffff88811cfcbcc0
RDX: ffff88811cfcbcc0 RSI: 0000000000000040 RDI: 0000000000000000
RBP: ffffc90000e67950 R08: ffffffff8213ebcd R09: fffff520001cce69
R10: 0000000000000000 R11: dffffc0000000001 R12: dffffc0000000000
R13: ffff88810bebd540 R14: 0000000000000009 R15: 0000000000000009
FS: 00007fc5bfb136c0(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000000 CR3: 0000000121e78000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 45 fe 8b 5d c4 89 de rex.RB decb -0x21763ba3(%r11)
Code disassembly (best guess):
7: 83 e6 40 and $0x40,%esi
a: 31 ff xor %edi,%edi
c: e8 f3 fc 60 ff call 0xff60fd04
11: 89 d8 mov %ebx,%eax
13: 83 e0 40 and $0x40,%eax
16: 75 07 jne 0x1f
18: e8 37 f9 60 ff call 0xff60f954
1d: eb 25 jmp 0x44
1f: 49 8d 5f 30 lea 0x30(%r15),%rbx
23: 48 89 d8 mov %rbx,%rax
26: 48 c1 e8 03 shr $0x3,%rax
* 2a: 42 80 3c 20 00 cmpb $0x0,(%rax,%r12,1) <-- trapping instruction
2f: 74 08 je 0x39
31: 48 89 df mov %rbx,%rdi
34: e8 5b 15 a7 ff call 0xffa71594
39: 48 83 3b 00 cmpq $0x0,(%rbx)
3d: 74 24 je 0x63
3f: e8 .byte 0xe8
syzbot
Jul 16, 2023, 8:54:46 PM7/16/23
to syzkaller-a...@googlegroups.com
Bug presence analysis results: the bug reproduces only on Android 6.1.
syzbot has run the reproducer on other relevant kernel trees and got
the following results:
android14-6.1 (commit f6707f352b54) on 2023/07/17:
general protection fault in fuse_atomic_open
Report: https://syzkaller.appspot.com/x/report.txt?x=17b4f646a80000
lts (commit b1644a0031cf) on 2023/07/17:
Didn't crash.
upstream (commit fdf0eaf11452) on 2023/07/17:
Didn't crash.
More details can be found at:
https://syzkaller.appspot.com/bug?extid=8e2c502cde30a2ac8d7f
syzbot has run the reproducer on other relevant kernel trees and got
the following results:
android14-6.1 (commit f6707f352b54) on 2023/07/17:
general protection fault in fuse_atomic_open
Report: https://syzkaller.appspot.com/x/report.txt?x=17b4f646a80000
lts (commit b1644a0031cf) on 2023/07/17:
Didn't crash.
upstream (commit fdf0eaf11452) on 2023/07/17:
Didn't crash.
More details can be found at:
https://syzkaller.appspot.com/bug?extid=8e2c502cde30a2ac8d7f
syzbot
Jul 17, 2023, 9:40:31 PM7/17/23
to syzkaller-a...@googlegroups.com
syzbot has bisected this issue to:
commit 57f3ff9648991998d008ecf32f2f9e78a08bfb8b
Author: Daniel Rosenberg <dro...@google.com>
Date: Thu Dec 2 21:50:02 2021 +0000
ANDROID: fuse-bpf v1.1
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=1603931ea80000
start commit: f6707f352b54 ANDROID: sched: Export sched_domains_mutex fo..
git tree: android14-6.1
final oops: https://syzkaller.appspot.com/x/report.txt?x=1503931ea80000
console output: https://syzkaller.appspot.com/x/log.txt?x=1103931ea80000
Fixes: 57f3ff964899 ("ANDROID: fuse-bpf v1.1")
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
commit 57f3ff9648991998d008ecf32f2f9e78a08bfb8b
Author: Daniel Rosenberg <dro...@google.com>
Date: Thu Dec 2 21:50:02 2021 +0000
ANDROID: fuse-bpf v1.1
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=1603931ea80000
start commit: f6707f352b54 ANDROID: sched: Export sched_domains_mutex fo..
git tree: android14-6.1
final oops: https://syzkaller.appspot.com/x/report.txt?x=1503931ea80000
console output: https://syzkaller.appspot.com/x/log.txt?x=1103931ea80000
kernel config: https://syzkaller.appspot.com/x/.config?x=b75c7b7ab5a09aff
dashboard link: https://syzkaller.appspot.com/bug?extid=8e2c502cde30a2ac8d7f
dashboard link: https://syzkaller.appspot.com/bug?extid=8e2c502cde30a2ac8d7f
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=138e0a92a80000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12c4feb6a80000
Reported-by: syzbot+8e2c50...@syzkaller.appspotmail.com
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12c4feb6a80000
Fixes: 57f3ff964899 ("ANDROID: fuse-bpf v1.1")
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
Reply all
Reply to author
Forward
0 new messages