[Android 6.1] BUG: unable to handle kernel NULL pointer dereference in read_pages
0 views
Skip to first unread message
syzbot
Apr 8, 2024, 5:09:41 AMApr 8
to syzkaller-a...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 60534eef4739 UPSTREAM: ALSA: virtio: Fix "Coverity: virtsn..
git tree: android14-6.1
console+strace: https://syzkaller.appspot.com/x/log.txt?x=125f2915180000
kernel config: https://syzkaller.appspot.com/x/.config?x=7bd1a415c6de5d9d
dashboard link: https://syzkaller.appspot.com/bug?extid=b8b677753f84c7e1c454
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=115c2cf3180000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15979225180000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/ef7ee8ac150e/disk-60534eef.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/7b3b0e3aafa9/vmlinux-60534eef.xz
kernel image: https://storage.googleapis.com/syzbot-assets/35ec23a24b73/bzImage-60534eef.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/5b122c9e08f9/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+b8b677...@syzkaller.appspotmail.com
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor instruction fetch in kernel mode
#PF: error_code(0x0010) - not-present page
PGD 11e49a067 P4D 11e49a067
PUD 11f92f067 PMD 0
Oops: 0010 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 297 Comm: syz-executor298 Not tainted 6.1.75-syzkaller-00123-g60534eef4739 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
RIP: 0010:0x0
Code: Unable to access opcode bytes at 0xffffffffffffffd6.
RSP: 0018:ffffc90000f470d8 EFLAGS: 00010246
RAX: 1ffff920001e8ed0 RBX: dffffc0000000000 RCX: ffff88810964bcc0
RDX: 0000000000000000 RSI: ffffea0004892700 RDI: ffff888120e01980
RBP: ffffc90000f47230 R08: ffffffff81a41438 R09: fffff940009124e7
R10: 0000000000000000 R11: dffffc0000000001 R12: ffffc90000f47680
R13: ffffea0004892700 R14: ffffc90000f47698 R15: 0000000000000000
FS: 0000555556eef480(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 000000011e467000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
read_pages+0x89c/0xd40 mm/readahead.c:192
page_cache_ra_order+0x7f4/0xb40 mm/readahead.c:560
ondemand_readahead+0x92a/0xef0 mm/readahead.c:695
page_cache_sync_ra+0x3d6/0x450 mm/readahead.c:722
page_cache_sync_readahead include/linux/pagemap.h:1251 [inline]
collapse_file mm/khugepaged.c:1874 [inline]
hpage_collapse_scan_file+0x19ba/0x46e0 mm/khugepaged.c:2236
madvise_collapse+0x639/0xcf0 mm/khugepaged.c:2691
madvise_vma_behavior mm/madvise.c:1110 [inline]
madvise_walk_vmas mm/madvise.c:1284 [inline]
do_madvise+0x15c1/0x3de0 mm/madvise.c:1463
__do_sys_madvise mm/madvise.c:1476 [inline]
__se_sys_madvise mm/madvise.c:1474 [inline]
__x64_sys_madvise+0xa8/0xc0 mm/madvise.c:1474
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f0e869a09b9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fffb2ed1948 EFLAGS: 00000246 ORIG_RAX: 000000000000001c
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f0e869a09b9
RDX: 0000000000000019 RSI: 0000000000600003 RDI: 0000000020000000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f0e8696bf92
R13: 00007fffb2ed1c18 R14: 0000000000000001 R15: 0000000000000001
</TASK>
Modules linked in:
CR2: 0000000000000000
---[ end trace 0000000000000000 ]---
RIP: 0010:0x0
Code: Unable to access opcode bytes at 0xffffffffffffffd6.
RSP: 0018:ffffc90000f470d8 EFLAGS: 00010246
RAX: 1ffff920001e8ed0 RBX: dffffc0000000000 RCX: ffff88810964bcc0
RDX: 0000000000000000 RSI: ffffea0004892700 RDI: ffff888120e01980
RBP: ffffc90000f47230 R08: ffffffff81a41438 R09: fffff940009124e7
R10: 0000000000000000 R11: dffffc0000000001 R12: ffffc90000f47680
R13: ffffea0004892700 R14: ffffc90000f47698 R15: 0000000000000000
FS: 0000555556eef480(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 000000011e467000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: 60534eef4739 UPSTREAM: ALSA: virtio: Fix "Coverity: virtsn..
git tree: android14-6.1
console+strace: https://syzkaller.appspot.com/x/log.txt?x=125f2915180000
kernel config: https://syzkaller.appspot.com/x/.config?x=7bd1a415c6de5d9d
dashboard link: https://syzkaller.appspot.com/bug?extid=b8b677753f84c7e1c454
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=115c2cf3180000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15979225180000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/ef7ee8ac150e/disk-60534eef.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/7b3b0e3aafa9/vmlinux-60534eef.xz
kernel image: https://storage.googleapis.com/syzbot-assets/35ec23a24b73/bzImage-60534eef.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/5b122c9e08f9/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+b8b677...@syzkaller.appspotmail.com
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor instruction fetch in kernel mode
#PF: error_code(0x0010) - not-present page
PGD 11e49a067 P4D 11e49a067
PUD 11f92f067 PMD 0
Oops: 0010 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 297 Comm: syz-executor298 Not tainted 6.1.75-syzkaller-00123-g60534eef4739 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
RIP: 0010:0x0
Code: Unable to access opcode bytes at 0xffffffffffffffd6.
RSP: 0018:ffffc90000f470d8 EFLAGS: 00010246
RAX: 1ffff920001e8ed0 RBX: dffffc0000000000 RCX: ffff88810964bcc0
RDX: 0000000000000000 RSI: ffffea0004892700 RDI: ffff888120e01980
RBP: ffffc90000f47230 R08: ffffffff81a41438 R09: fffff940009124e7
R10: 0000000000000000 R11: dffffc0000000001 R12: ffffc90000f47680
R13: ffffea0004892700 R14: ffffc90000f47698 R15: 0000000000000000
FS: 0000555556eef480(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 000000011e467000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
read_pages+0x89c/0xd40 mm/readahead.c:192
page_cache_ra_order+0x7f4/0xb40 mm/readahead.c:560
ondemand_readahead+0x92a/0xef0 mm/readahead.c:695
page_cache_sync_ra+0x3d6/0x450 mm/readahead.c:722
page_cache_sync_readahead include/linux/pagemap.h:1251 [inline]
collapse_file mm/khugepaged.c:1874 [inline]
hpage_collapse_scan_file+0x19ba/0x46e0 mm/khugepaged.c:2236
madvise_collapse+0x639/0xcf0 mm/khugepaged.c:2691
madvise_vma_behavior mm/madvise.c:1110 [inline]
madvise_walk_vmas mm/madvise.c:1284 [inline]
do_madvise+0x15c1/0x3de0 mm/madvise.c:1463
__do_sys_madvise mm/madvise.c:1476 [inline]
__se_sys_madvise mm/madvise.c:1474 [inline]
__x64_sys_madvise+0xa8/0xc0 mm/madvise.c:1474
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f0e869a09b9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fffb2ed1948 EFLAGS: 00000246 ORIG_RAX: 000000000000001c
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f0e869a09b9
RDX: 0000000000000019 RSI: 0000000000600003 RDI: 0000000020000000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f0e8696bf92
R13: 00007fffb2ed1c18 R14: 0000000000000001 R15: 0000000000000001
</TASK>
Modules linked in:
CR2: 0000000000000000
---[ end trace 0000000000000000 ]---
RIP: 0010:0x0
Code: Unable to access opcode bytes at 0xffffffffffffffd6.
RSP: 0018:ffffc90000f470d8 EFLAGS: 00010246
RAX: 1ffff920001e8ed0 RBX: dffffc0000000000 RCX: ffff88810964bcc0
RDX: 0000000000000000 RSI: ffffea0004892700 RDI: ffff888120e01980
RBP: ffffc90000f47230 R08: ffffffff81a41438 R09: fffff940009124e7
R10: 0000000000000000 R11: dffffc0000000001 R12: ffffc90000f47680
R13: ffffea0004892700 R14: ffffc90000f47698 R15: 0000000000000000
FS: 0000555556eef480(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 000000011e467000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot
Apr 8, 2024, 11:49:12 PMApr 8
to syzkaller-a...@googlegroups.com
Bug presence analysis results: the bug reproduces only on Android 6.1.
syzbot has run the reproducer on other relevant kernel trees and got
the following results:
android14-6.1 (commit 338203a81721) on 2024/04/09:
BUG: unable to handle kernel NULL pointer dereference in read_pages
Report: https://syzkaller.appspot.com/x/report.txt?x=17a75413180000
lts (commit 883d1a956208) on 2024/04/09:
Didn't crash.
upstream (commit 20cb38a7af88) on 2024/04/09:
Didn't crash.
More details can be found at:
https://syzkaller.appspot.com/bug?extid=b8b677753f84c7e1c454
syzbot has run the reproducer on other relevant kernel trees and got
the following results:
android14-6.1 (commit 338203a81721) on 2024/04/09:
BUG: unable to handle kernel NULL pointer dereference in read_pages
Report: https://syzkaller.appspot.com/x/report.txt?x=17a75413180000
lts (commit 883d1a956208) on 2024/04/09:
Didn't crash.
upstream (commit 20cb38a7af88) on 2024/04/09:
Didn't crash.
More details can be found at:
https://syzkaller.appspot.com/bug?extid=b8b677753f84c7e1c454
Reply all
Reply to author
Forward
0 new messages