general protection fault in get_work_pool


syzbot

Apr 11, 2019, 4:44:57 AM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 5541782c Merge 4.4.150 into android-4.4
git tree: android-4.4
console output: https://syzkaller.appspot.com/x/log.txt?x=11dcceba400000
kernel config: https://syzkaller.appspot.com/x/.config?x=84bf0e72c8eb0c7d
dashboard link: https://syzkaller.appspot.com/bug?extid=4a232c03a912af0f3b7b
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1484479a400000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17eef0a6400000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+4a232c...@syzkaller.appspotmail.com

kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 2478 Comm: syz-executor596 Not tainted 4.4.150-g5541782 #83
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
task: ffff8801d9440000 task.stack: ffff8801d7a18000
RIP: 0010:[<ffffffff8117c4ab>] [<ffffffff8117c4ab>]
get_work_pool+0xfb/0x1e0 kernel/workqueue.c:724
RSP: 0018:ffff8801d7a1f478 EFLAGS: 00010006
RAX: dffffc0000000000 RBX: 00000000fffffe00 RCX: 0000000000000000
RDX: 000000001fffffc0 RSI: ffffffff8117c493 RDI: 0000000000000046
RBP: ffff8801d7a1f490 R08: 0000000000000092 R09: 0000000000000001
R10: 0000000000000000 R11: ffff8801d9440000 R12: 0000000000000000
R13: ffff8801d991e000 R14: ffff8801db223c00 R15: ffff8800ac9d1638
FS: 0000000000e0e880(0063) GS:ffff8801db200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000415020 CR3: 00000001d3b62000 CR4: 00000000001606f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
dffffc0000000000 0000000000000000 ffff8801d991e000 ffff8801d7a1f510
ffffffff8117f166 ffff8801d94408d8 0000000600000007 ffff8801d991e188
0000000000000010 ffff8801d991e180 0000000000023c00 ffffed003b323c31
Call Trace:
[<ffffffff8117f166>] __queue_work+0x146/0xea0 kernel/workqueue.c:1375
[<ffffffff81180a6b>] queue_work_on+0x4b/0xb0 kernel/workqueue.c:1458
[<ffffffff833d1251>] queue_work include/linux/workqueue.h:475 [inline]
[<ffffffff833d1251>] schedule_work include/linux/workqueue.h:533 [inline]
[<ffffffff833d1251>] xfrm_policy_insert+0xa41/0xed0
net/xfrm/xfrm_policy.c:813
[<ffffffff83402bf8>] xfrm_add_policy+0x248/0x500 net/xfrm/xfrm_user.c:1561
[<ffffffff833ff336>] xfrm_user_rcv_msg+0x3d6/0x6c0
net/xfrm/xfrm_user.c:2544
[<ffffffff830c2135>] netlink_rcv_skb+0x145/0x370
net/netlink/af_netlink.c:2361
[<ffffffff833fbeef>] xfrm_netlink_rcv+0x6f/0x90 net/xfrm/xfrm_user.c:2552
[<ffffffff830c0ce9>] netlink_unicast_kernel net/netlink/af_netlink.c:1277
[inline]
[<ffffffff830c0ce9>] netlink_unicast+0x4e9/0x700
net/netlink/af_netlink.c:1303
[<ffffffff830c1695>] netlink_sendmsg+0x795/0xc30
net/netlink/af_netlink.c:1859
[<ffffffff82f25d2c>] sock_sendmsg_nosec net/socket.c:626 [inline]
[<ffffffff82f25d2c>] sock_sendmsg+0xcc/0x110 net/socket.c:636
[<ffffffff82f277f5>] ___sys_sendmsg+0x745/0x880 net/socket.c:1963
[<ffffffff82f29896>] __sys_sendmsg+0xd6/0x190 net/socket.c:1997
[<ffffffff82f2997d>] SYSC_sendmsg net/socket.c:2008 [inline]
[<ffffffff82f2997d>] SyS_sendmsg+0x2d/0x50 net/socket.c:2004
[<ffffffff838cb0a5>] entry_SYSCALL_64_fastpath+0x22/0x9e
Code: 5c 80 1d 00 48 89 d8 5b 41 5c 41 5d 5d c3 e8 4d 80 1d 00 48 81 e3 00
fe ff ff 48 b8 00 00 00 00 00 fc ff df 48 89 da 48 c1 ea 03 <80> 3c 02 00
0f 85 c2 00 00 00 48 8b 1b e8 23 80 1d 00 48 89 d8
RIP [<ffffffff8117c4ab>] get_work_pool+0xfb/0x1e0 kernel/workqueue.c:724
RSP <ffff8801d7a1f478>
---[ end trace 4ed6c42e14e11fa0 ]---


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches

syzbot

Apr 12, 2019, 8:00:41 PM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 54068d61 Merge 4.9.122 into android-4.9
git tree: android-4.9
console output: https://syzkaller.appspot.com/x/log.txt?x=13642bee400000
kernel config: https://syzkaller.appspot.com/x/.config?x=c7451be69185755b
dashboard link: https://syzkaller.appspot.com/bug?extid=53b01ea766c021081d44
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11ca76ba400000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16d64282400000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+53b01e...@syzkaller.appspotmail.com

kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 5838 Comm: syz-executor629 Not tainted 4.9.122-g54068d6 #26
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
task: ffff8801d03e9800 task.stack: ffff8801cc6e0000
RIP: 0010:[<ffffffff811862e6>] [<ffffffff811862e6>]
get_work_pool+0xf6/0x1e0 kernel/workqueue.c:716
RSP: 0018:ffff8801cc6e7418 EFLAGS: 00010006
RAX: dffffc0000000000 RBX: 00000000fffffe00 RCX: 0000000000000000
RDX: 000000001fffffc0 RSI: ffffffff811862ce RDI: 0000000000000046
RBP: ffff8801cc6e7430 R08: 0000000000000096 R09: 0000000000000001
R10: 0000000000000000 R11: 1ffff1003a07d41d R12: dffffc0000000000
R13: 0000000000000000 R14: ffff8801d9984500 R15: ffffffff84b5af70
FS: 0000000001e27880(0000) GS:ffff8801db200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffea48e0a8c CR3: 00000001d06db000 CR4: 00000000001606f0
Stack:
ffff8801db226000 dffffc0000000000 0000000000000000 ffff8801cc6e74a8
ffffffff8118a4ac ffff8801d03ea0c0 0000000600000007 ffff8801d03e9800
fffffbfff098c050 0000000000000029 ffff8801d9984680 0000004000000000
Call Trace:
[<ffffffff8118a4ac>] __queue_work+0x14c/0xf10 kernel/workqueue.c:1401
[<ffffffff8118beb7>] queue_work_on+0x97/0xa0 kernel/workqueue.c:1486
[<ffffffff834fdd98>] queue_work include/linux/workqueue.h:477 [inline]
[<ffffffff834fdd98>] schedule_work include/linux/workqueue.h:535 [inline]
[<ffffffff834fdd98>] xfrm_policy_insert+0xa78/0xf20
net/xfrm/xfrm_policy.c:830
[<ffffffff8352eed8>] xfrm_add_policy+0x248/0x4f0 net/xfrm/xfrm_user.c:1565
[<ffffffff8352b647>] xfrm_user_rcv_msg+0x3c7/0x6b0
net/xfrm/xfrm_user.c:2531
[<ffffffff831d8615>] netlink_rcv_skb+0x145/0x370
net/netlink/af_netlink.c:2365
[<ffffffff835281ef>] xfrm_netlink_rcv+0x6f/0x90 net/xfrm/xfrm_user.c:2539
[<ffffffff831d71c8>] netlink_unicast_kernel net/netlink/af_netlink.c:1285
[inline]
[<ffffffff831d71c8>] netlink_unicast+0x4d8/0x6f0
net/netlink/af_netlink.c:1311
[<ffffffff831d7b75>] netlink_sendmsg+0x795/0xc30
net/netlink/af_netlink.c:1859
[<ffffffff8301cfcc>] sock_sendmsg_nosec net/socket.c:636 [inline]
[<ffffffff8301cfcc>] sock_sendmsg+0xcc/0x110 net/socket.c:646
[<ffffffff8301ea6c>] ___sys_sendmsg+0x6fc/0x840 net/socket.c:1970
[<ffffffff83020ad9>] __sys_sendmsg+0xd9/0x190 net/socket.c:2004
[<ffffffff83020bbd>] SYSC_sendmsg net/socket.c:2015 [inline]
[<ffffffff83020bbd>] SyS_sendmsg+0x2d/0x50 net/socket.c:2011
[<ffffffff81006316>] do_syscall_64+0x1a6/0x490 arch/x86/entry/common.c:282
[<ffffffff83a00cd3>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
Code: b1 aa 1d 00 48 89 d8 5b 41 5c 41 5d 5d c3 e8 a2 aa 1d 00 48 81 e3 00
fe ff ff 48 b8 00 00 00 00 00 fc ff df 48 89 da 48 c1 ea 03 <80> 3c 02 00
0f 85 c6 00 00 00 48 8b 1b e8 78 aa 1d 00 48 89 d8
RIP [<ffffffff811862e6>] get_work_pool+0xf6/0x1e0 kernel/workqueue.c:716
RSP <ffff8801cc6e7418>
---[ end trace 58f8fa4901d30e69 ]---

syzbot

Apr 13, 2019, 8:02:20 PM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 666c420f FROMLIST: ANDROID: binder: Add BINDER_GET_NODE_IN..
git tree: android-4.14
console output: https://syzkaller.appspot.com/x/log.txt?x=175573ae400000
kernel config: https://syzkaller.appspot.com/x/.config?x=89d929f317ea847c
dashboard link: https://syzkaller.appspot.com/bug?extid=c319627a782e302fb57c
compiler: gcc (GCC) 8.0.1 20180413 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+c31962...@syzkaller.appspotmail.com

audit: type=1400 audit(2000000749.030:111739): avc: denied { map } for
pid=27310 comm="blkid" path="/lib/x86_64-linux-gnu/libuuid.so.1.3.0"
dev="sda1" ino=2819 scontext=system_u:system_r:kernel_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN NOPTI
Modules linked in:
CPU: 0 PID: 9462 Comm: kworker/u4:10 Not tainted 4.14.71+ #8
Workqueue: netns cleanup_net
task: ffff88011f4eaf00 task.stack: ffff88013b398000
RIP: 0010:get_work_pool+0x9b/0x130 kernel/workqueue.c:718
RSP: 0018:ffff88013b39fa50 EFLAGS: 00010006
RAX: dffffc0000000000 RBX: 0000001ffffffe00 RCX: 1ffff10023e9d6e5
RDX: 00000003ffffffc0 RSI: 0000000000000000 RDI: 0000000000000046
RBP: ffff88013b39fb80 R08: 0000000000000001 R09: 0000000000000000
R10: ffff88011f4eb7a8 R11: 0000000000000001 R12: ffff8801aa26f0d0
R13: 1ffff10027673f4f R14: ffff8801aa26f0b0 R15: fffffbfff36feceb
FS: 0000000000000000(0000) GS:ffff8801db800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000c429fb3010 CR3: 00000001d6e22006 CR4: 00000000001606b0
DR0: ffffffffffffffff DR1: 00000000200001c0 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
Call Trace:
start_flush_work kernel/workqueue.c:2819 [inline]
flush_work+0xf1/0x6e0 kernel/workqueue.c:2884
xfrm_policy_fini+0x29/0x260 net/xfrm/xfrm_policy.c:2998
xfrm_net_exit+0x19/0x30 net/xfrm/xfrm_policy.c:3059
ops_exit_list.isra.3+0xa8/0x150 net/core/net_namespace.c:142
cleanup_net+0x3e9/0x880 net/core/net_namespace.c:483
process_one_work+0x86e/0x15c0 kernel/workqueue.c:2114
worker_thread+0xdc/0x1000 kernel/workqueue.c:2248
kthread+0x348/0x420 kernel/kthread.c:232
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:402
Code: 01 48 89 c3 e8 67 87 1e 00 48 89 d8 5b c3 e8 5d 87 1e 00 48 81 e3 00
fe ff ff 48 b8 00 00 00 00 00 fc ff df 48 89 da 48 c1 ea 03 <80> 3c 02 00
75 7b 48 8b 1b e8 37 87 1e 00 48 89 d8 5b c3 e8 2d
RIP: get_work_pool+0x9b/0x130 kernel/workqueue.c:718 RSP: ffff88013b39fa50
---[ end trace afc2306d1bb74854 ]---

syzbot

Aug 20, 2019, 5:55:04 AM
to syzkaller-a...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.