[Android 5.10] general protection fault in current_umask
0 views
Skip to first unread message
syzbot
Sep 17, 2024, 3:03:29 AMSep 17
to syzkaller-a...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 8d23314f588a Merge 5.10.225 into android13-5.10-lts
git tree: android13-5.10-lts
console+strace: https://syzkaller.appspot.com/x/log.txt?x=16dadfc7980000
kernel config: https://syzkaller.appspot.com/x/.config?x=889d6bbfedaebd06
dashboard link: https://syzkaller.appspot.com/bug?extid=2c4104481f4e884738e7
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14411797980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10dfdd67980000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/09c1893905da/disk-8d23314f.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/5294d841c477/vmlinux-8d23314f.xz
kernel image: https://storage.googleapis.com/syzbot-assets/a9c3f12eb021/bzImage-8d23314f.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/de754e50901c/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+2c4104...@syzkaller.appspotmail.com
EXT4-fs error (device loop0): ext4_fill_super:4955: inode #2: comm syz-executor154: casefold flag without casefold feature
EXT4-fs (loop0): warning: mounting fs with errors, running e2fsck is recommended
EXT4-fs (loop0): mounted filesystem without journal. Opts: jqfmt=vfsv0,test_dummy_encryption,,errors=continue
fscrypt: AES-256-CTS-CBC using implementation "cts(cbc-aes-aesni)"
fscrypt: AES-256-XTS using implementation "xts-aes-aesni"
incfs: Can't find or create .index dir in ./file0
incfs: mount failed -22
general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
CPU: 1 PID: 290 Comm: syz-executor154 Not tainted 5.10.225-syzkaller-00513-g8d23314f588a #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
RIP: 0010:current_umask+0x49/0x70 fs/fs_struct.c:158
Code: 81 c3 c0 07 00 00 48 89 d8 48 c1 e8 03 42 80 3c 30 00 74 08 48 89 df e8 b5 a2 e9 ff 48 8b 1b 48 83 c3 0c 48 89 d8 48 c1 e8 03 <42> 0f b6 04 30 84 c0 75 07 8b 03 5b 41 5e 5d c3 89 d9 80 e1 07 80
RSP: 0018:ffffc90000b074b8 EFLAGS: 00010203
RAX: 0000000000000001 RBX: 000000000000000c RCX: ffff8881210b62c0
RDX: 0000000000000000 RSI: ffffffff8686a330 RDI: 0000000000000000
RBP: ffffc90000b074c8 R08: 0000000000000007 R09: ffffffff81cb18f5
R10: 0000000000000002 R11: ffff8881210b62c0 R12: dffffc0000000000
R13: 1ffff92000160eb4 R14: dffffc0000000000 R15: ffff8881101e36c0
FS: 0000000000000000(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f94c3ffe130 CR3: 000000010ca21000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
posix_acl_create+0x169/0x400 fs/posix_acl.c:597
ext4_init_acl+0xf3/0x400 fs/ext4/acl.c:279
__ext4_new_inode+0x2f6f/0x3ee0 fs/ext4/ialloc.c:1319
ext4_mknod+0x267/0x530 fs/ext4/namei.c:2856
vfs_mknod+0x53f/0x610 fs/namei.c:3693
vfs_whiteout include/linux/fs.h:1835 [inline]
ovl_do_whiteout fs/overlayfs/overlayfs.h:229 [inline]
ovl_whiteout fs/overlayfs/dir.c:77 [inline]
ovl_cleanup_and_whiteout+0x1b1/0x580 fs/overlayfs/dir.c:117
ovl_remove_and_whiteout fs/overlayfs/dir.c:795 [inline]
ovl_do_remove+0x72a/0xc90 fs/overlayfs/dir.c:922
ovl_rmdir+0x1a/0x20 fs/overlayfs/dir.c:956
vfs_rmdir+0x2b7/0x3f0 fs/namei.c:3852
incfs_kill_sb+0x108/0x220 fs/incfs/vfs.c:1973
deactivate_locked_super+0xad/0x110 fs/super.c:335
deactivate_super+0xbe/0xf0 fs/super.c:366
cleanup_mnt+0x45c/0x510 fs/namespace.c:1118
__cleanup_mnt+0x19/0x20 fs/namespace.c:1125
task_work_run+0x129/0x190 kernel/task_work.c:189
exit_task_work include/linux/task_work.h:33 [inline]
do_exit+0xc83/0x2a50 kernel/exit.c:863
do_group_exit+0x141/0x310 kernel/exit.c:985
__do_sys_exit_group kernel/exit.c:996 [inline]
__se_sys_exit_group kernel/exit.c:994 [inline]
__x64_sys_exit_group+0x3f/0x40 kernel/exit.c:994
do_syscall_64+0x34/0x70
entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7f94c3f84809
Code: Unable to access opcode bytes at RIP 0x7f94c3f847df.
RSP: 002b:00007ffe23be76b8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f94c3f84809
RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001
RBP: 00007f94c40002b0 R08: ffffffffffffffb8 R09: 00007f94c3fd483c
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f94c40002b0
R13: 0000000000000000 R14: 00007f94c4001020 R15: 00007f94c3f52b40
Modules linked in:
---[ end trace d0c7fb208f1297e2 ]---
RIP: 0010:current_umask+0x49/0x70 fs/fs_struct.c:158
Code: 81 c3 c0 07 00 00 48 89 d8 48 c1 e8 03 42 80 3c 30 00 74 08 48 89 df e8 b5 a2 e9 ff 48 8b 1b 48 83 c3 0c 48 89 d8 48 c1 e8 03 <42> 0f b6 04 30 84 c0 75 07 8b 03 5b 41 5e 5d c3 89 d9 80 e1 07 80
RSP: 0018:ffffc90000b074b8 EFLAGS: 00010203
RAX: 0000000000000001 RBX: 000000000000000c RCX: ffff8881210b62c0
RDX: 0000000000000000 RSI: ffffffff8686a330 RDI: 0000000000000000
RBP: ffffc90000b074c8 R08: 0000000000000007 R09: ffffffff81cb18f5
R10: 0000000000000002 R11: ffff8881210b62c0 R12: dffffc0000000000
R13: 1ffff92000160eb4 R14: dffffc0000000000 R15: ffff8881101e36c0
FS: 0000000000000000(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f94c3ffe130 CR3: 000000010ca21000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 81 c3 c0 07 00 00 add $0x7c0,%ebx
6: 48 89 d8 mov %rbx,%rax
9: 48 c1 e8 03 shr $0x3,%rax
d: 42 80 3c 30 00 cmpb $0x0,(%rax,%r14,1)
12: 74 08 je 0x1c
14: 48 89 df mov %rbx,%rdi
17: e8 b5 a2 e9 ff call 0xffe9a2d1
1c: 48 8b 1b mov (%rbx),%rbx
1f: 48 83 c3 0c add $0xc,%rbx
23: 48 89 d8 mov %rbx,%rax
26: 48 c1 e8 03 shr $0x3,%rax
* 2a: 42 0f b6 04 30 movzbl (%rax,%r14,1),%eax <-- trapping instruction
2f: 84 c0 test %al,%al
31: 75 07 jne 0x3a
33: 8b 03 mov (%rbx),%eax
35: 5b pop %rbx
36: 41 5e pop %r14
38: 5d pop %rbp
39: c3 ret
3a: 89 d9 mov %ebx,%ecx
3c: 80 e1 07 and $0x7,%cl
3f: 80 .byte 0x80
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: 8d23314f588a Merge 5.10.225 into android13-5.10-lts
git tree: android13-5.10-lts
console+strace: https://syzkaller.appspot.com/x/log.txt?x=16dadfc7980000
kernel config: https://syzkaller.appspot.com/x/.config?x=889d6bbfedaebd06
dashboard link: https://syzkaller.appspot.com/bug?extid=2c4104481f4e884738e7
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14411797980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10dfdd67980000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/09c1893905da/disk-8d23314f.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/5294d841c477/vmlinux-8d23314f.xz
kernel image: https://storage.googleapis.com/syzbot-assets/a9c3f12eb021/bzImage-8d23314f.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/de754e50901c/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+2c4104...@syzkaller.appspotmail.com
EXT4-fs error (device loop0): ext4_fill_super:4955: inode #2: comm syz-executor154: casefold flag without casefold feature
EXT4-fs (loop0): warning: mounting fs with errors, running e2fsck is recommended
EXT4-fs (loop0): mounted filesystem without journal. Opts: jqfmt=vfsv0,test_dummy_encryption,,errors=continue
fscrypt: AES-256-CTS-CBC using implementation "cts(cbc-aes-aesni)"
fscrypt: AES-256-XTS using implementation "xts-aes-aesni"
incfs: Can't find or create .index dir in ./file0
incfs: mount failed -22
general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
CPU: 1 PID: 290 Comm: syz-executor154 Not tainted 5.10.225-syzkaller-00513-g8d23314f588a #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
RIP: 0010:current_umask+0x49/0x70 fs/fs_struct.c:158
Code: 81 c3 c0 07 00 00 48 89 d8 48 c1 e8 03 42 80 3c 30 00 74 08 48 89 df e8 b5 a2 e9 ff 48 8b 1b 48 83 c3 0c 48 89 d8 48 c1 e8 03 <42> 0f b6 04 30 84 c0 75 07 8b 03 5b 41 5e 5d c3 89 d9 80 e1 07 80
RSP: 0018:ffffc90000b074b8 EFLAGS: 00010203
RAX: 0000000000000001 RBX: 000000000000000c RCX: ffff8881210b62c0
RDX: 0000000000000000 RSI: ffffffff8686a330 RDI: 0000000000000000
RBP: ffffc90000b074c8 R08: 0000000000000007 R09: ffffffff81cb18f5
R10: 0000000000000002 R11: ffff8881210b62c0 R12: dffffc0000000000
R13: 1ffff92000160eb4 R14: dffffc0000000000 R15: ffff8881101e36c0
FS: 0000000000000000(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f94c3ffe130 CR3: 000000010ca21000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
posix_acl_create+0x169/0x400 fs/posix_acl.c:597
ext4_init_acl+0xf3/0x400 fs/ext4/acl.c:279
__ext4_new_inode+0x2f6f/0x3ee0 fs/ext4/ialloc.c:1319
ext4_mknod+0x267/0x530 fs/ext4/namei.c:2856
vfs_mknod+0x53f/0x610 fs/namei.c:3693
vfs_whiteout include/linux/fs.h:1835 [inline]
ovl_do_whiteout fs/overlayfs/overlayfs.h:229 [inline]
ovl_whiteout fs/overlayfs/dir.c:77 [inline]
ovl_cleanup_and_whiteout+0x1b1/0x580 fs/overlayfs/dir.c:117
ovl_remove_and_whiteout fs/overlayfs/dir.c:795 [inline]
ovl_do_remove+0x72a/0xc90 fs/overlayfs/dir.c:922
ovl_rmdir+0x1a/0x20 fs/overlayfs/dir.c:956
vfs_rmdir+0x2b7/0x3f0 fs/namei.c:3852
incfs_kill_sb+0x108/0x220 fs/incfs/vfs.c:1973
deactivate_locked_super+0xad/0x110 fs/super.c:335
deactivate_super+0xbe/0xf0 fs/super.c:366
cleanup_mnt+0x45c/0x510 fs/namespace.c:1118
__cleanup_mnt+0x19/0x20 fs/namespace.c:1125
task_work_run+0x129/0x190 kernel/task_work.c:189
exit_task_work include/linux/task_work.h:33 [inline]
do_exit+0xc83/0x2a50 kernel/exit.c:863
do_group_exit+0x141/0x310 kernel/exit.c:985
__do_sys_exit_group kernel/exit.c:996 [inline]
__se_sys_exit_group kernel/exit.c:994 [inline]
__x64_sys_exit_group+0x3f/0x40 kernel/exit.c:994
do_syscall_64+0x34/0x70
entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7f94c3f84809
Code: Unable to access opcode bytes at RIP 0x7f94c3f847df.
RSP: 002b:00007ffe23be76b8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f94c3f84809
RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001
RBP: 00007f94c40002b0 R08: ffffffffffffffb8 R09: 00007f94c3fd483c
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f94c40002b0
R13: 0000000000000000 R14: 00007f94c4001020 R15: 00007f94c3f52b40
Modules linked in:
---[ end trace d0c7fb208f1297e2 ]---
RIP: 0010:current_umask+0x49/0x70 fs/fs_struct.c:158
Code: 81 c3 c0 07 00 00 48 89 d8 48 c1 e8 03 42 80 3c 30 00 74 08 48 89 df e8 b5 a2 e9 ff 48 8b 1b 48 83 c3 0c 48 89 d8 48 c1 e8 03 <42> 0f b6 04 30 84 c0 75 07 8b 03 5b 41 5e 5d c3 89 d9 80 e1 07 80
RSP: 0018:ffffc90000b074b8 EFLAGS: 00010203
RAX: 0000000000000001 RBX: 000000000000000c RCX: ffff8881210b62c0
RDX: 0000000000000000 RSI: ffffffff8686a330 RDI: 0000000000000000
RBP: ffffc90000b074c8 R08: 0000000000000007 R09: ffffffff81cb18f5
R10: 0000000000000002 R11: ffff8881210b62c0 R12: dffffc0000000000
R13: 1ffff92000160eb4 R14: dffffc0000000000 R15: ffff8881101e36c0
FS: 0000000000000000(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f94c3ffe130 CR3: 000000010ca21000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 81 c3 c0 07 00 00 add $0x7c0,%ebx
6: 48 89 d8 mov %rbx,%rax
9: 48 c1 e8 03 shr $0x3,%rax
d: 42 80 3c 30 00 cmpb $0x0,(%rax,%r14,1)
12: 74 08 je 0x1c
14: 48 89 df mov %rbx,%rdi
17: e8 b5 a2 e9 ff call 0xffe9a2d1
1c: 48 8b 1b mov (%rbx),%rbx
1f: 48 83 c3 0c add $0xc,%rbx
23: 48 89 d8 mov %rbx,%rax
26: 48 c1 e8 03 shr $0x3,%rax
* 2a: 42 0f b6 04 30 movzbl (%rax,%r14,1),%eax <-- trapping instruction
2f: 84 c0 test %al,%al
31: 75 07 jne 0x3a
33: 8b 03 mov (%rbx),%eax
35: 5b pop %rbx
36: 41 5e pop %r14
38: 5d pop %rbp
39: c3 ret
3a: 89 d9 mov %ebx,%ecx
3c: 80 e1 07 and $0x7,%cl
3f: 80 .byte 0x80
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
Reply all
Reply to author
Forward
0 new messages