general protection fault in input_ff_erase
7 views
Skip to first unread message
syzbot
Apr 11, 2019, 4:44:54 AM4/11/19
to syzkaller-a...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: b3e9e81e Merge 4.4.172 into android-4.4
git tree: android-4.4
console output: https://syzkaller.appspot.com/x/log.txt?x=155e382f400000
kernel config: https://syzkaller.appspot.com/x/.config?x=9d33f51998ee531f
dashboard link: https://syzkaller.appspot.com/bug?extid=ef158c69e682516f7d50
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16096528c00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=146dd050c00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+ef158c...@syzkaller.appspotmail.com
input: syz0 as /devices/virtual/input/input4
input: syz0 as /devices/virtual/input/input5
kasan: CONFIG_KASAN_INLINE enabled[ 33.004665] input: syz0 as
/devices/virtual/input/input7
kasan: GPF could be caused by NULL-ptr deref or user memory accessgeneral
protection fault: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 0 PID: 2070 Comm: syz-executor848 Not tainted 4.4.172+ #13
task: ffff8801d5ff8000 task.stack: ffff8800b75d8000
input: syz0 as /devices/virtual/input/input6
RIP: 0010:[<ffffffff811ff993>] [<ffffffff811ff993>]
__lock_acquire+0x5f3/0x4f50 kernel/locking/lockdep.c:3092
RSP: 0018:ffff8800b75df8d0 EFLAGS: 00010002
RAX: dffffc0000000000 RBX: ffff8801d5ff8000 RCX: 0000000000000001
RDX: 0000000000000015 RSI: 0000000000000000 RDI: 0000000000000001
RBP: ffff8800b75dfa48 R08: 0000000000000001 R09: 0000000000000000
R10: ffffffff82836880 R11: ffffffff831a4d78 R12: ffff8801d5ff8000
R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000000
FS: 0000000001fc7880(0063) GS:ffff8801db600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000006d0090 CR3: 00000000ba3e2000 CR4: 00000000001606b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
ffff8801d5ff8000 ffff8801d5ff88c8 0000000000000003 0000000000000000
ffff8800b75dfa78 0000000000000046 0000000000000000 0000000000000000
ffff8800b75dfa98 ffffffff811ffdef ffff8800b75dfb30 ffffffff00000000
Call Trace:
[<ffffffff81205d5e>] lock_acquire+0x15e/0x450 kernel/locking/lockdep.c:3592
[<ffffffff8270bc11>] __mutex_lock_common kernel/locking/mutex.c:521
[inline]
[<ffffffff8270bc11>] mutex_lock_nested+0xc1/0xb80
kernel/locking/mutex.c:621
[<ffffffff81f89e0c>] input_ff_erase+0x7c/0xc0 drivers/input/ff-core.c:231
[<ffffffff81f96692>] evdev_do_ioctl drivers/input/evdev.c:1107 [inline]
[<ffffffff81f96692>] evdev_ioctl_handler+0x752/0x19c0
drivers/input/evdev.c:1302
[<ffffffff81f97958>] evdev_ioctl+0x28/0x30 drivers/input/evdev.c:1311
[<ffffffff814d2037>] vfs_ioctl fs/ioctl.c:43 [inline]
[<ffffffff814d2037>] file_ioctl fs/ioctl.c:470 [inline]
[<ffffffff814d2037>] do_vfs_ioctl+0x6e7/0xfa0 fs/ioctl.c:605
[<ffffffff814d297f>] SYSC_ioctl fs/ioctl.c:622 [inline]
[<ffffffff814d297f>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:613
[<ffffffff82718621>] entry_SYSCALL_64_fastpath+0x1e/0x9a
Code: 0f 85 7f 32 00 00 48 8d 65 d8 5b 41 5c 41 5d 41 5e 41 5f 5d c3 48 8b
94 24 88 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00
0f 85 a7 33 00 00 48 8b 84 24 88 00 00 00 48 81 38
RIP [<ffffffff811ff993>] __lock_acquire+0x5f3/0x4f50
kernel/locking/lockdep.c:3092
RSP <ffff8800b75df8d0>
---[ end trace d5d3d8ec0a45731f ]---
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot found the following crash on:
HEAD commit: b3e9e81e Merge 4.4.172 into android-4.4
git tree: android-4.4
console output: https://syzkaller.appspot.com/x/log.txt?x=155e382f400000
kernel config: https://syzkaller.appspot.com/x/.config?x=9d33f51998ee531f
dashboard link: https://syzkaller.appspot.com/bug?extid=ef158c69e682516f7d50
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16096528c00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=146dd050c00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+ef158c...@syzkaller.appspotmail.com
input: syz0 as /devices/virtual/input/input4
input: syz0 as /devices/virtual/input/input5
kasan: CONFIG_KASAN_INLINE enabled[ 33.004665] input: syz0 as
/devices/virtual/input/input7
kasan: GPF could be caused by NULL-ptr deref or user memory accessgeneral
protection fault: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 0 PID: 2070 Comm: syz-executor848 Not tainted 4.4.172+ #13
task: ffff8801d5ff8000 task.stack: ffff8800b75d8000
input: syz0 as /devices/virtual/input/input6
RIP: 0010:[<ffffffff811ff993>] [<ffffffff811ff993>]
__lock_acquire+0x5f3/0x4f50 kernel/locking/lockdep.c:3092
RSP: 0018:ffff8800b75df8d0 EFLAGS: 00010002
RAX: dffffc0000000000 RBX: ffff8801d5ff8000 RCX: 0000000000000001
RDX: 0000000000000015 RSI: 0000000000000000 RDI: 0000000000000001
RBP: ffff8800b75dfa48 R08: 0000000000000001 R09: 0000000000000000
R10: ffffffff82836880 R11: ffffffff831a4d78 R12: ffff8801d5ff8000
R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000000
FS: 0000000001fc7880(0063) GS:ffff8801db600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000006d0090 CR3: 00000000ba3e2000 CR4: 00000000001606b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
ffff8801d5ff8000 ffff8801d5ff88c8 0000000000000003 0000000000000000
ffff8800b75dfa78 0000000000000046 0000000000000000 0000000000000000
ffff8800b75dfa98 ffffffff811ffdef ffff8800b75dfb30 ffffffff00000000
Call Trace:
[<ffffffff81205d5e>] lock_acquire+0x15e/0x450 kernel/locking/lockdep.c:3592
[<ffffffff8270bc11>] __mutex_lock_common kernel/locking/mutex.c:521
[inline]
[<ffffffff8270bc11>] mutex_lock_nested+0xc1/0xb80
kernel/locking/mutex.c:621
[<ffffffff81f89e0c>] input_ff_erase+0x7c/0xc0 drivers/input/ff-core.c:231
[<ffffffff81f96692>] evdev_do_ioctl drivers/input/evdev.c:1107 [inline]
[<ffffffff81f96692>] evdev_ioctl_handler+0x752/0x19c0
drivers/input/evdev.c:1302
[<ffffffff81f97958>] evdev_ioctl+0x28/0x30 drivers/input/evdev.c:1311
[<ffffffff814d2037>] vfs_ioctl fs/ioctl.c:43 [inline]
[<ffffffff814d2037>] file_ioctl fs/ioctl.c:470 [inline]
[<ffffffff814d2037>] do_vfs_ioctl+0x6e7/0xfa0 fs/ioctl.c:605
[<ffffffff814d297f>] SYSC_ioctl fs/ioctl.c:622 [inline]
[<ffffffff814d297f>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:613
[<ffffffff82718621>] entry_SYSCALL_64_fastpath+0x1e/0x9a
Code: 0f 85 7f 32 00 00 48 8d 65 d8 5b 41 5c 41 5d 41 5e 41 5f 5d c3 48 8b
94 24 88 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00
0f 85 a7 33 00 00 48 8b 84 24 88 00 00 00 48 81 38
RIP [<ffffffff811ff993>] __lock_acquire+0x5f3/0x4f50
kernel/locking/lockdep.c:3092
RSP <ffff8800b75df8d0>
---[ end trace d5d3d8ec0a45731f ]---
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
Reply all
Reply to author
Forward
0 new messages