[Android 5.10] KASAN: null-ptr-deref Write in vfs_rmdir


syzbot

Apr 11, 2024, 1:14:20 AM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 4e1bc8d8e8ae Merge branch 'android13-5.10' into branch 'an..
git tree: android13-5.10-lts
console+strace: https://syzkaller.appspot.com/x/log.txt?x=14bc25a1180000
kernel config: https://syzkaller.appspot.com/x/.config?x=1a6e39f6bdc97aed
dashboard link: https://syzkaller.appspot.com/bug?extid=1f38b4bccc03c336b205
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11512125180000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1700bd6b180000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/cce4facb9f9d/disk-4e1bc8d8.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/b73ea3cf695a/vmlinux-4e1bc8d8.xz
kernel image: https://storage.googleapis.com/syzbot-assets/8d25aa75f46d/bzImage-4e1bc8d8.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+1f38b4...@syzkaller.appspotmail.com

R10: 00000000ffffffff R11: 0000000000000202 R12: 00007fff6f146170
R13: 0000555556f5a800 R14: 431bde82d7b634db R15: 00007fff6f147200
---[ end trace b57c4085c9099394 ]---
==================================================================
BUG: KASAN: null-ptr-deref in instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
BUG: KASAN: null-ptr-deref in atomic_inc_return include/asm-generic/atomic-instrumented.h:250 [inline]
BUG: KASAN: null-ptr-deref in ihold+0x20/0x60 fs/inode.c:423
Write of size 4 at addr 0000000000000170 by task syz-executor170/287

CPU: 1 PID: 287 Comm: syz-executor170 Tainted: G W 5.10.209-syzkaller-00002-g4e1bc8d8e8ae #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack_lvl+0x1e2/0x24b lib/dump_stack.c:118
__kasan_report mm/kasan/report.c:439 [inline]
kasan_report+0x167/0x1c0 mm/kasan/report.c:452
kasan_check_range+0x293/0x2a0 mm/kasan/generic.c:189
__kasan_check_write+0x14/0x20 mm/kasan/shadow.c:37
instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
atomic_inc_return include/asm-generic/atomic-instrumented.h:250 [inline]
ihold+0x20/0x60 fs/inode.c:423
d_delete_notify include/linux/fsnotify.h:258 [inline]
vfs_rmdir+0x200/0x3f0 fs/namei.c:3871
incfs_kill_sb+0x108/0x220 fs/incfs/vfs.c:1945
deactivate_locked_super+0xad/0x110 fs/super.c:335
deactivate_super+0xbe/0xf0 fs/super.c:366
cleanup_mnt+0x45c/0x510 fs/namespace.c:1118
__cleanup_mnt+0x19/0x20 fs/namespace.c:1125
task_work_run+0x129/0x190 kernel/task_work.c:164
ptrace_notify+0x29e/0x350 kernel/signal.c:2277
ptrace_report_syscall include/linux/tracehook.h:66 [inline]
tracehook_report_syscall_exit include/linux/tracehook.h:129 [inline]
arch_syscall_exit_tracehook include/linux/entry-common.h:285 [inline]
syscall_exit_work kernel/entry/common.c:239 [inline]
syscall_exit_to_user_mode_prepare kernel/entry/common.c:266 [inline]
syscall_exit_to_user_mode+0x120/0x1d0 kernel/entry/common.c:272
do_syscall_64+0x40/0x70 arch/x86/entry/common.c:56
entry_SYSCALL_64_after_hwframe+0x61/0xc6
RIP: 0033:0x7fd51d668d07
Code: 07 00 48 83 c4 08 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 b8
RSP: 002b:00007fff6f144fc8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007fd51d668d07
RDX: 0000000000000000 RSI: 0000000000000009 RDI: 00007fff6f145080
RBP: 00007fff6f145080 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000202 R12: 00007fff6f146170
R13: 0000555556f5a800 R14: 431bde82d7b634db R15: 00007fff6f147200
==================================================================
BUG: kernel NULL pointer dereference, address: 0000000000000170
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 0 P4D 0
Oops: 0002 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 287 Comm: syz-executor170 Tainted: G B W 5.10.209-syzkaller-00002-g4e1bc8d8e8ae #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
RIP: 0010:arch_atomic_inc_return include/linux/atomic-arch-fallback.h:286 [inline]
RIP: 0010:atomic_inc_return include/asm-generic/atomic-instrumented.h:251 [inline]
RIP: 0010:ihold+0x25/0x60 fs/inode.c:423
Code: 00 00 00 00 00 55 48 89 e5 41 56 53 49 89 fe e8 b1 56 b3 ff 49 8d be 70 01 00 00 be 04 00 00 00 e8 00 d4 f0 ff bb 01 00 00 00 <f0> 41 0f c1 9e 70 01 00 00 ff c3 bf 02 00 00 00 89 de e8 34 5a b3
RSP: 0018:ffffc90000af7c28 EFLAGS: 00010246
RAX: ffff88811e636200 RBX: 0000000000000001 RCX: ffff88811e6362c0
RDX: 0000000000000000 RSI: 0000000000000282 RDI: 00000000ffffffff
RBP: ffffc90000af7c38 R08: ffffffff813e2edb R09: 0000000000000003
R10: fffffbfff0e10248 R11: dffffc0000000001 R12: dffffc0000000000
R13: ffff88811c0d6aa0 R14: 0000000000000000 R15: 0000000000000000
FS: 0000555556f51480(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000170 CR3: 000000011e81e000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
d_delete_notify include/linux/fsnotify.h:258 [inline]
vfs_rmdir+0x200/0x3f0 fs/namei.c:3871
incfs_kill_sb+0x108/0x220 fs/incfs/vfs.c:1945
deactivate_locked_super+0xad/0x110 fs/super.c:335
deactivate_super+0xbe/0xf0 fs/super.c:366
cleanup_mnt+0x45c/0x510 fs/namespace.c:1118
__cleanup_mnt+0x19/0x20 fs/namespace.c:1125
task_work_run+0x129/0x190 kernel/task_work.c:164
ptrace_notify+0x29e/0x350 kernel/signal.c:2277
ptrace_report_syscall include/linux/tracehook.h:66 [inline]
tracehook_report_syscall_exit include/linux/tracehook.h:129 [inline]
arch_syscall_exit_tracehook include/linux/entry-common.h:285 [inline]
syscall_exit_work kernel/entry/common.c:239 [inline]
syscall_exit_to_user_mode_prepare kernel/entry/common.c:266 [inline]
syscall_exit_to_user_mode+0x120/0x1d0 kernel/entry/common.c:272
do_syscall_64+0x40/0x70 arch/x86/entry/common.c:56
entry_SYSCALL_64_after_hwframe+0x61/0xc6
RIP: 0033:0x7fd51d668d07
Code: 07 00 48 83 c4 08 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 b8
RSP: 002b:00007fff6f144fc8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007fd51d668d07
RDX: 0000000000000000 RSI: 0000000000000009 RDI: 00007fff6f145080
RBP: 00007fff6f145080 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000202 R12: 00007fff6f146170
R13: 0000555556f5a800 R14: 431bde82d7b634db R15: 00007fff6f147200
Modules linked in:
CR2: 0000000000000170
---[ end trace b57c4085c9099395 ]---
RIP: 0010:arch_atomic_inc_return include/linux/atomic-arch-fallback.h:286 [inline]
RIP: 0010:atomic_inc_return include/asm-generic/atomic-instrumented.h:251 [inline]
RIP: 0010:ihold+0x25/0x60 fs/inode.c:423
Code: 00 00 00 00 00 55 48 89 e5 41 56 53 49 89 fe e8 b1 56 b3 ff 49 8d be 70 01 00 00 be 04 00 00 00 e8 00 d4 f0 ff bb 01 00 00 00 <f0> 41 0f c1 9e 70 01 00 00 ff c3 bf 02 00 00 00 89 de e8 34 5a b3
RSP: 0018:ffffc90000af7c28 EFLAGS: 00010246
RAX: ffff88811e636200 RBX: 0000000000000001 RCX: ffff88811e6362c0
RDX: 0000000000000000 RSI: 0000000000000282 RDI: 00000000ffffffff
RBP: ffffc90000af7c38 R08: ffffffff813e2edb R09: 0000000000000003
R10: fffffbfff0e10248 R11: dffffc0000000001 R12: dffffc0000000000
R13: ffff88811c0d6aa0 R14: 0000000000000000 R15: 0000000000000000
FS: 0000555556f51480(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000170 CR3: 000000011e81e000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 00 00 add %al,(%rax)
2: 00 00 add %al,(%rax)
4: 00 55 48 add %dl,0x48(%rbp)
7: 89 e5 mov %esp,%ebp
9: 41 56 push %r14
b: 53 push %rbx
c: 49 89 fe mov %rdi,%r14
f: e8 b1 56 b3 ff call 0xffb356c5
14: 49 8d be 70 01 00 00 lea 0x170(%r14),%rdi
1b: be 04 00 00 00 mov $0x4,%esi
20: e8 00 d4 f0 ff call 0xfff0d425
25: bb 01 00 00 00 mov $0x1,%ebx
* 2a: f0 41 0f c1 9e 70 01 lock xadd %ebx,0x170(%r14) <-- trapping instruction
31: 00 00
33: ff c3 inc %ebx
35: bf 02 00 00 00 mov $0x2,%edi
3a: 89 de mov %ebx,%esi
3c: e8 .byte 0xe8
3d: 34 5a xor $0x5a,%al
3f: b3 .byte 0xb3


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

syzbot

Apr 11, 2024, 1:33:24 AM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: d0d34dcb02cc FROMLIST: binder: check offset alignment in b..
git tree: android12-5.4
console+strace: https://syzkaller.appspot.com/x/log.txt?x=129e955d180000
kernel config: https://syzkaller.appspot.com/x/.config?x=60c0e8be982a03fd
dashboard link: https://syzkaller.appspot.com/bug?extid=adaf68663d8cf867260f
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=110daca3180000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17f11175180000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/de032a90cf4e/disk-d0d34dcb.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/f2bae6132625/vmlinux-d0d34dcb.xz
kernel image: https://storage.googleapis.com/syzbot-assets/2c3043eb62d8/bzImage-d0d34dcb.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+adaf68...@syzkaller.appspotmail.com

ptrace_report_syscall include/linux/tracehook.h:66 [inline]
tracehook_report_syscall_exit include/linux/tracehook.h:129 [inline]
syscall_slow_exit_work+0x167/0x400 arch/x86/entry/common.c:246
syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
do_syscall_64+0x19d/0x1c0 arch/x86/entry/common.c:300
entry_SYSCALL_64_after_hwframe+0x5c/0xc1
---[ end trace edf7852fd1837ae0 ]---
==================================================================
BUG: KASAN: null-ptr-deref in atomic_add_return include/asm-generic/atomic-instrumented.h:71 [inline]
BUG: KASAN: null-ptr-deref in atomic_inc_return include/linux/atomic-fallback.h:284 [inline]
BUG: KASAN: null-ptr-deref in ihold+0x1b/0x50 fs/inode.c:421
Write of size 4 at addr 0000000000000160 by task syz-executor212/355

CPU: 0 PID: 355 Comm: syz-executor212 Tainted: G W 5.4.268-syzkaller-00012-gd0d34dcb02cc #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1d8/0x241 lib/dump_stack.c:118
__kasan_report+0xe9/0x120 mm/kasan/report.c:520
kasan_report+0x30/0x60 mm/kasan/common.c:653
check_memory_region_inline mm/kasan/generic.c:141 [inline]
check_memory_region+0x272/0x280 mm/kasan/generic.c:191
atomic_add_return include/asm-generic/atomic-instrumented.h:71 [inline]
atomic_inc_return include/linux/atomic-fallback.h:284 [inline]
ihold+0x1b/0x50 fs/inode.c:421
d_delete_notify include/linux/fsnotify.h:221 [inline]
vfs_rmdir+0x1e0/0x3c0 fs/namei.c:3992
incfs_kill_sb+0x105/0x200 fs/incfs/vfs.c:1944
deactivate_locked_super+0xa8/0x110 fs/super.c:335
deactivate_super+0x1e2/0x2a0 fs/super.c:366
cleanup_mnt+0x44e/0x500 fs/namespace.c:1102
task_work_run+0x140/0x170 kernel/task_work.c:113
ptrace_notify+0x29e/0x350 kernel/signal.c:2271
ptrace_report_syscall include/linux/tracehook.h:66 [inline]
tracehook_report_syscall_exit include/linux/tracehook.h:129 [inline]
syscall_slow_exit_work+0x167/0x400 arch/x86/entry/common.c:246
syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
do_syscall_64+0x19d/0x1c0 arch/x86/entry/common.c:300
entry_SYSCALL_64_after_hwframe+0x5c/0xc1
==================================================================
BUG: kernel NULL pointer dereference, address: 0000000000000160
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 0 P4D 0
Oops: 0002 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 355 Comm: syz-executor212 Tainted: G B W 5.4.268-syzkaller-00012-gd0d34dcb02cc #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
RIP: 0010:arch_atomic_add_return arch/x86/include/asm/atomic.h:167 [inline]
RIP: 0010:atomic_add_return include/asm-generic/atomic-instrumented.h:72 [inline]
RIP: 0010:atomic_inc_return include/linux/atomic-fallback.h:284 [inline]
RIP: 0010:ihold+0x20/0x50 fs/inode.c:421
Code: 0f 1f 84 00 00 00 00 00 66 90 55 53 48 89 fb e8 d6 fd c2 ff 48 8d bb 60 01 00 00 be 04 00 00 00 e8 25 a5 f2 ff bd 01 00 00 00 <f0> 0f c1 ab 60 01 00 00 ff c5 bf 02 00 00 00 89 ee e8 9a 00 c3 ff
RSP: 0018:ffff8881dc207ba0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff8881dc132f40
RDX: 0000000000000000 RSI: 0000000000000002 RDI: 00000000ffffffff
RBP: 0000000000000001 R08: ffffffff813af685 R09: 0000000000000003
R10: ffffffffffffffff R11: dffffc0000000001 R12: 0000000000000000
R13: dffffc0000000000 R14: ffff8881dc956a00 R15: 0000000000000000
FS: 0000555555d18480(0000) GS:ffff8881f6e00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000160 CR3: 00000001dc66d000 CR4: 00000000003406b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
d_delete_notify include/linux/fsnotify.h:221 [inline]
vfs_rmdir+0x1e0/0x3c0 fs/namei.c:3992
incfs_kill_sb+0x105/0x200 fs/incfs/vfs.c:1944
deactivate_locked_super+0xa8/0x110 fs/super.c:335
deactivate_super+0x1e2/0x2a0 fs/super.c:366
cleanup_mnt+0x44e/0x500 fs/namespace.c:1102
task_work_run+0x140/0x170 kernel/task_work.c:113
ptrace_notify+0x29e/0x350 kernel/signal.c:2271
ptrace_report_syscall include/linux/tracehook.h:66 [inline]
tracehook_report_syscall_exit include/linux/tracehook.h:129 [inline]
syscall_slow_exit_work+0x167/0x400 arch/x86/entry/common.c:246
syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
do_syscall_64+0x19d/0x1c0 arch/x86/entry/common.c:300
entry_SYSCALL_64_after_hwframe+0x5c/0xc1
Modules linked in:
CR2: 0000000000000160
---[ end trace edf7852fd1837ae1 ]---
RIP: 0010:arch_atomic_add_return arch/x86/include/asm/atomic.h:167 [inline]
RIP: 0010:atomic_add_return include/asm-generic/atomic-instrumented.h:72 [inline]
RIP: 0010:atomic_inc_return include/linux/atomic-fallback.h:284 [inline]
RIP: 0010:ihold+0x20/0x50 fs/inode.c:421
Code: 0f 1f 84 00 00 00 00 00 66 90 55 53 48 89 fb e8 d6 fd c2 ff 48 8d bb 60 01 00 00 be 04 00 00 00 e8 25 a5 f2 ff bd 01 00 00 00 <f0> 0f c1 ab 60 01 00 00 ff c5 bf 02 00 00 00 89 ee e8 9a 00 c3 ff
RSP: 0018:ffff8881dc207ba0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff8881dc132f40
RDX: 0000000000000000 RSI: 0000000000000002 RDI: 00000000ffffffff
RBP: 0000000000000001 R08: ffffffff813af685 R09: 0000000000000003
R10: ffffffffffffffff R11: dffffc0000000001 R12: 0000000000000000
R13: dffffc0000000000 R14: ffff8881dc956a00 R15: 0000000000000000
FS: 0000555555d18480(0000) GS:ffff8881f6e00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000160 CR3: 00000001dc66d000 CR4: 00000000003406b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 0f 1f 84 00 00 00 00 nopl 0x0(%rax,%rax,1)
7: 00
8: 66 90 xchg %ax,%ax
a: 55 push %rbp
b: 53 push %rbx
c: 48 89 fb mov %rdi,%rbx
f: e8 d6 fd c2 ff call 0xffc2fdea
14: 48 8d bb 60 01 00 00 lea 0x160(%rbx),%rdi
1b: be 04 00 00 00 mov $0x4,%esi
20: e8 25 a5 f2 ff call 0xfff2a54a
25: bd 01 00 00 00 mov $0x1,%ebp
* 2a: f0 0f c1 ab 60 01 00 lock xadd %ebp,0x160(%rbx) <-- trapping instruction
31: 00
32: ff c5 inc %ebp
34: bf 02 00 00 00 mov $0x2,%edi
39: 89 ee mov %ebp,%esi
3b: e8 9a 00 c3 ff call 0xffc300da

syzbot

Apr 11, 2024, 5:39:27 AM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: be55946e207c ANDROID: Update the ABI symbol list
git tree: android14-6.1
console+strace: https://syzkaller.appspot.com/x/log.txt?x=11bdf913180000
kernel config: https://syzkaller.appspot.com/x/.config?x=7bd1a415c6de5d9d
dashboard link: https://syzkaller.appspot.com/bug?extid=4e62caa04a7928cf10c7
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11ed00cb180000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17a1af9d180000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/2f9166553cd9/disk-be55946e.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/06c0a61fd79f/vmlinux-be55946e.xz
kernel image: https://storage.googleapis.com/syzbot-assets/c2476932f1eb/bzImage-be55946e.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+4e62ca...@syzkaller.appspotmail.com

RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f38eae074c7
RDX: 0000000000000000 RSI: 0000000000000009 RDI: 00007ffcbf56c1a0
RBP: 00007ffcbf56c1a0 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000206 R12: 00007ffcbf56d290
R13: 00005555556cc700 R14: 00007ffcbf56e300 R15: 0000000000000001
</TASK>
---[ end trace 0000000000000000 ]---
==================================================================
BUG: KASAN: null-ptr-deref in instrument_atomic_read_write include/linux/instrumented.h:102 [inline]
BUG: KASAN: null-ptr-deref in atomic_inc_return include/linux/atomic/atomic-instrumented.h:198 [inline]
BUG: KASAN: null-ptr-deref in ihold+0x20/0x60 fs/inode.c:452
Write of size 4 at addr 0000000000000170 by task syz-executor342/294

CPU: 1 PID: 294 Comm: syz-executor342 Tainted: G W 6.1.75-syzkaller-00015-gbe55946e207c #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x151/0x1b7 lib/dump_stack.c:106
print_report+0xe1/0x4e0 mm/kasan/report.c:430
kasan_report+0x13c/0x170 mm/kasan/report.c:531
kasan_check_range+0x294/0x2a0 mm/kasan/generic.c:189
__kasan_check_write+0x14/0x20 mm/kasan/shadow.c:37
instrument_atomic_read_write include/linux/instrumented.h:102 [inline]
atomic_inc_return include/linux/atomic/atomic-instrumented.h:198 [inline]
ihold+0x20/0x60 fs/inode.c:452
d_delete_notify include/linux/fsnotify.h:281 [inline]
vfs_rmdir+0x268/0x500 fs/namei.c:4211
incfs_kill_sb+0x113/0x230 fs/incfs/vfs.c:1962
deactivate_locked_super+0xad/0x110 fs/super.c:334
deactivate_super+0xbe/0xf0 fs/super.c:365
cleanup_mnt+0x485/0x510 fs/namespace.c:1186
__cleanup_mnt+0x19/0x20 fs/namespace.c:1193
task_work_run+0x24d/0x2e0 kernel/task_work.c:179
ptrace_notify+0x29e/0x350 kernel/signal.c:2376
ptrace_report_syscall include/linux/ptrace.h:420 [inline]
ptrace_report_syscall_exit include/linux/ptrace.h:482 [inline]
syscall_exit_work kernel/entry/common.c:252 [inline]
syscall_exit_to_user_mode_prepare kernel/entry/common.c:279 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:284 [inline]
syscall_exit_to_user_mode+0xa2/0x140 kernel/entry/common.c:297
do_syscall_64+0x49/0xb0 arch/x86/entry/common.c:87
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f38eae074c7
Code: 07 00 48 83 c4 08 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 b8
RSP: 002b:00007ffcbf56c0e8 EFLAGS: 00000206 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f38eae074c7
RDX: 0000000000000000 RSI: 0000000000000009 RDI: 00007ffcbf56c1a0
RBP: 00007ffcbf56c1a0 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000206 R12: 00007ffcbf56d290
R13: 00005555556cc700 R14: 00007ffcbf56e300 R15: 0000000000000001
</TASK>
==================================================================
BUG: kernel NULL pointer dereference, address: 0000000000000170
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 0 P4D 0
Oops: 0002 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 294 Comm: syz-executor342 Tainted: G B W 6.1.75-syzkaller-00015-gbe55946e207c #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
RIP: 0010:arch_atomic_inc_return include/linux/atomic/atomic-arch-fallback.h:440 [inline]
RIP: 0010:atomic_inc_return include/linux/atomic/atomic-instrumented.h:199 [inline]
RIP: 0010:ihold+0x25/0x60 fs/inode.c:452
Code: 00 00 00 00 00 55 48 89 e5 41 56 53 49 89 fe e8 f1 47 a9 ff 49 8d be 70 01 00 00 be 04 00 00 00 e8 b0 2a f0 ff bb 01 00 00 00 <f0> 41 0f c1 9e 70 01 00 00 ff c3 bf 02 00 00 00 89 de e8 74 4b a9
RSP: 0018:ffffc90000dd7b70 EFLAGS: 00010246
RAX: ffff888108db0000 RBX: 0000000000000001 RCX: ffff888108db0000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90000dd7b80 R08: ffffffff814470c3 R09: fffffbfff0ee5efd
R10: 0000000000000000 R11: dffffc0000000001 R12: 1ffff11023d3097f
R13: ffff88811f521880 R14: 0000000000000000 R15: 1ffff11023ea4316
FS: 00005555556c3380(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000170 CR3: 0000000121f6c000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
d_delete_notify include/linux/fsnotify.h:281 [inline]
vfs_rmdir+0x268/0x500 fs/namei.c:4211
incfs_kill_sb+0x113/0x230 fs/incfs/vfs.c:1962
deactivate_locked_super+0xad/0x110 fs/super.c:334
deactivate_super+0xbe/0xf0 fs/super.c:365
cleanup_mnt+0x485/0x510 fs/namespace.c:1186
__cleanup_mnt+0x19/0x20 fs/namespace.c:1193
task_work_run+0x24d/0x2e0 kernel/task_work.c:179
ptrace_notify+0x29e/0x350 kernel/signal.c:2376
ptrace_report_syscall include/linux/ptrace.h:420 [inline]
ptrace_report_syscall_exit include/linux/ptrace.h:482 [inline]
syscall_exit_work kernel/entry/common.c:252 [inline]
syscall_exit_to_user_mode_prepare kernel/entry/common.c:279 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:284 [inline]
syscall_exit_to_user_mode+0xa2/0x140 kernel/entry/common.c:297
do_syscall_64+0x49/0xb0 arch/x86/entry/common.c:87
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f38eae074c7
Code: 07 00 48 83 c4 08 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 b8
RSP: 002b:00007ffcbf56c0e8 EFLAGS: 00000206 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f38eae074c7
RDX: 0000000000000000 RSI: 0000000000000009 RDI: 00007ffcbf56c1a0
RBP: 00007ffcbf56c1a0 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000206 R12: 00007ffcbf56d290
R13: 00005555556cc700 R14: 00007ffcbf56e300 R15: 0000000000000001
</TASK>
Modules linked in:
CR2: 0000000000000170
---[ end trace 0000000000000000 ]---
RIP: 0010:arch_atomic_inc_return include/linux/atomic/atomic-arch-fallback.h:440 [inline]
RIP: 0010:atomic_inc_return include/linux/atomic/atomic-instrumented.h:199 [inline]
RIP: 0010:ihold+0x25/0x60 fs/inode.c:452
Code: 00 00 00 00 00 55 48 89 e5 41 56 53 49 89 fe e8 f1 47 a9 ff 49 8d be 70 01 00 00 be 04 00 00 00 e8 b0 2a f0 ff bb 01 00 00 00 <f0> 41 0f c1 9e 70 01 00 00 ff c3 bf 02 00 00 00 89 de e8 74 4b a9
RSP: 0018:ffffc90000dd7b70 EFLAGS: 00010246
RAX: ffff888108db0000 RBX: 0000000000000001 RCX: ffff888108db0000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90000dd7b80 R08: ffffffff814470c3 R09: fffffbfff0ee5efd
R10: 0000000000000000 R11: dffffc0000000001 R12: 1ffff11023d3097f
R13: ffff88811f521880 R14: 0000000000000000 R15: 1ffff11023ea4316
FS: 00005555556c3380(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000170 CR3: 0000000121f6c000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 00 00 add %al,(%rax)
2: 00 00 add %al,(%rax)
4: 00 55 48 add %dl,0x48(%rbp)
7: 89 e5 mov %esp,%ebp
9: 41 56 push %r14
b: 53 push %rbx
c: 49 89 fe mov %rdi,%r14
f: e8 f1 47 a9 ff call 0xffa94805
14: 49 8d be 70 01 00 00 lea 0x170(%r14),%rdi
1b: be 04 00 00 00 mov $0x4,%esi
20: e8 b0 2a f0 ff call 0xfff02ad5
25: bb 01 00 00 00 mov $0x1,%ebx
* 2a: f0 41 0f c1 9e 70 01 lock xadd %ebx,0x170(%r14) <-- trapping instruction
31: 00 00
33: ff c3 inc %ebx
35: bf 02 00 00 00 mov $0x2,%edi
3a: 89 de mov %ebx,%esi
3c: e8 .byte 0xe8
3d: 74 4b je 0x8a
3f: a9 .byte 0xa9

syzbot

Apr 11, 2024, 1:58:19 PM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 993bed180178 Merge "Merge branch 'android13-5.15' into bra..
git tree: android13-5.15-lts
console+strace: https://syzkaller.appspot.com/x/log.txt?x=16688d7b180000
kernel config: https://syzkaller.appspot.com/x/.config?x=49ce29477ba81e8f
dashboard link: https://syzkaller.appspot.com/bug?extid=5b10c7b0b58770c64745
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10ac9233180000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=162beaa3180000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/4098d24d4c8b/disk-993bed18.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/94fbc07ac02d/vmlinux-993bed18.xz
kernel image: https://storage.googleapis.com/syzbot-assets/eed14de06c19/bzImage-993bed18.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+5b10c7...@syzkaller.appspotmail.com

RBP: 00007f06dc483350 R08: ffffffffffffffb8 R09: 0000000000000000
R10: 0000000000001000 R11: 0000000000000246 R12: 00007f06dc483350
R13: 0000000000000000 R14: 00007f06dc483da0 R15: 00007f06dc3d88f0
</TASK>
---[ end trace 3654bf6f39f27fbf ]---
==================================================================
BUG: KASAN: null-ptr-deref in instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
BUG: KASAN: null-ptr-deref in atomic_inc_return include/linux/atomic/atomic-instrumented.h:188 [inline]
BUG: KASAN: null-ptr-deref in ihold+0x20/0x60 fs/inode.c:426
Write of size 4 at addr 0000000000000170 by task syz-executor102/294

CPU: 0 PID: 294 Comm: syz-executor102 Tainted: G W 5.15.148-syzkaller-00718-g993bed180178 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x151/0x1b7 lib/dump_stack.c:106
__kasan_report mm/kasan/report.c:431 [inline]
kasan_report+0x16f/0x1c0 mm/kasan/report.c:444
kasan_check_range+0x293/0x2a0 mm/kasan/generic.c:189
__kasan_check_write+0x14/0x20 mm/kasan/shadow.c:37
instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
atomic_inc_return include/linux/atomic/atomic-instrumented.h:188 [inline]
ihold+0x20/0x60 fs/inode.c:426
d_delete_notify include/linux/fsnotify.h:267 [inline]
vfs_rmdir+0x201/0x470 fs/namei.c:4168
incfs_kill_sb+0x113/0x230 fs/incfs/vfs.c:1961
deactivate_locked_super+0xad/0x110 fs/super.c:335
deactivate_super+0xbe/0xf0 fs/super.c:366
cleanup_mnt+0x45c/0x510 fs/namespace.c:1143
__cleanup_mnt+0x19/0x20 fs/namespace.c:1150
task_work_run+0x129/0x190 kernel/task_work.c:164
exit_task_work include/linux/task_work.h:32 [inline]
do_exit+0xc48/0x2ca0 kernel/exit.c:878
do_group_exit+0x141/0x310 kernel/exit.c:1000
__do_sys_exit_group kernel/exit.c:1011 [inline]
__se_sys_exit_group kernel/exit.c:1009 [inline]
__x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1009
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7f06dc407909
Code: Unable to access opcode bytes at RIP 0x7f06dc4078df.
RSP: 002b:00007ffdc4105478 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f06dc407909
RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001
RBP: 00007f06dc483350 R08: ffffffffffffffb8 R09: 0000000000000000
R10: 0000000000001000 R11: 0000000000000246 R12: 00007f06dc483350
R13: 0000000000000000 R14: 00007f06dc483da0 R15: 00007f06dc3d88f0
</TASK>
==================================================================
BUG: kernel NULL pointer dereference, address: 0000000000000170
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 0 P4D 0
Oops: 0002 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 294 Comm: syz-executor102 Tainted: G B W 5.15.148-syzkaller-00718-g993bed180178 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
RIP: 0010:arch_atomic_inc_return include/linux/atomic/atomic-arch-fallback.h:370 [inline]
RIP: 0010:atomic_inc_return include/linux/atomic/atomic-instrumented.h:189 [inline]
RIP: 0010:ihold+0x25/0x60 fs/inode.c:426
Code: 00 00 00 00 00 55 48 89 e5 41 56 53 49 89 fe e8 51 e1 ae ff 49 8d be 70 01 00 00 be 04 00 00 00 e8 e0 f3 f0 ff bb 01 00 00 00 <f0> 41 0f c1 9e 70 01 00 00 ff c3 bf 02 00 00 00 89 de e8 d4 e4 ae
RSP: 0018:ffffc90000987b68 EFLAGS: 00010246
RAX: ffff88811e948000 RBX: 0000000000000001 RCX: ffff88811e948000
RDX: 0000000000000000 RSI: 0000000000000286 RDI: 00000000ffffffff
RBP: ffffc90000987b78 R08: ffffffff81416e7b R09: 0000000000000003
R10: fffffbfff0e5224c R11: dffffc0000000001 R12: dffffc0000000000
R13: ffff88811bd88660 R14: 0000000000000000 R15: 1ffff110237b10d2
FS: 0000000000000000(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000170 CR3: 0000000116054000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
d_delete_notify include/linux/fsnotify.h:267 [inline]
vfs_rmdir+0x201/0x470 fs/namei.c:4168
incfs_kill_sb+0x113/0x230 fs/incfs/vfs.c:1961
deactivate_locked_super+0xad/0x110 fs/super.c:335
deactivate_super+0xbe/0xf0 fs/super.c:366
cleanup_mnt+0x45c/0x510 fs/namespace.c:1143
__cleanup_mnt+0x19/0x20 fs/namespace.c:1150
task_work_run+0x129/0x190 kernel/task_work.c:164
exit_task_work include/linux/task_work.h:32 [inline]
do_exit+0xc48/0x2ca0 kernel/exit.c:878
do_group_exit+0x141/0x310 kernel/exit.c:1000
__do_sys_exit_group kernel/exit.c:1011 [inline]
__se_sys_exit_group kernel/exit.c:1009 [inline]
__x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1009
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7f06dc407909
Code: Unable to access opcode bytes at RIP 0x7f06dc4078df.
RSP: 002b:00007ffdc4105478 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f06dc407909
RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001
RBP: 00007f06dc483350 R08: ffffffffffffffb8 R09: 0000000000000000
R10: 0000000000001000 R11: 0000000000000246 R12: 00007f06dc483350
R13: 0000000000000000 R14: 00007f06dc483da0 R15: 00007f06dc3d88f0
</TASK>
Modules linked in:
CR2: 0000000000000170
---[ end trace 3654bf6f39f27fc0 ]---
RIP: 0010:arch_atomic_inc_return include/linux/atomic/atomic-arch-fallback.h:370 [inline]
RIP: 0010:atomic_inc_return include/linux/atomic/atomic-instrumented.h:189 [inline]
RIP: 0010:ihold+0x25/0x60 fs/inode.c:426
Code: 00 00 00 00 00 55 48 89 e5 41 56 53 49 89 fe e8 51 e1 ae ff 49 8d be 70 01 00 00 be 04 00 00 00 e8 e0 f3 f0 ff bb 01 00 00 00 <f0> 41 0f c1 9e 70 01 00 00 ff c3 bf 02 00 00 00 89 de e8 d4 e4 ae
RSP: 0018:ffffc90000987b68 EFLAGS: 00010246
RAX: ffff88811e948000 RBX: 0000000000000001 RCX: ffff88811e948000
RDX: 0000000000000000 RSI: 0000000000000286 RDI: 00000000ffffffff
RBP: ffffc90000987b78 R08: ffffffff81416e7b R09: 0000000000000003
R10: fffffbfff0e5224c R11: dffffc0000000001 R12: dffffc0000000000
R13: ffff88811bd88660 R14: 0000000000000000 R15: 1ffff110237b10d2
FS: 0000000000000000(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000170 CR3: 0000000116054000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 00 00 add %al,(%rax)
2: 00 00 add %al,(%rax)
4: 00 55 48 add %dl,0x48(%rbp)
7: 89 e5 mov %esp,%ebp
9: 41 56 push %r14
b: 53 push %rbx
c: 49 89 fe mov %rdi,%r14
f: e8 51 e1 ae ff call 0xffaee165
14: 49 8d be 70 01 00 00 lea 0x170(%r14),%rdi
1b: be 04 00 00 00 mov $0x4,%esi
20: e8 e0 f3 f0 ff call 0xfff0f405
25: bb 01 00 00 00 mov $0x1,%ebx
* 2a: f0 41 0f c1 9e 70 01 lock xadd %ebx,0x170(%r14) <-- trapping instruction
31: 00 00
33: ff c3 inc %ebx
35: bf 02 00 00 00 mov $0x2,%edi
3a: 89 de mov %ebx,%esi
3c: e8 .byte 0xe8
3d: d4 (bad)
3e: e4 ae in $0xae,%al

syzbot

Apr 12, 2024, 1:36:19 AM
to syzkaller-a...@googlegroups.com
Bug presence analysis results: the bug reproduces only on Android 6.1.

syzbot has run the reproducer on other relevant kernel trees and got
the following results:

android14-6.1 (commit 354782156070) on 2024/04/12:
KASAN: null-ptr-deref Write in vfs_rmdir
Report: https://syzkaller.appspot.com/x/report.txt?x=13371fcb180000

lts (commit 883d1a956208) on 2024/04/12:
Didn't crash.

upstream (commit 586b5dfb51b9) on 2024/04/12:
Didn't crash.

More details can be found at:
https://syzkaller.appspot.com/bug?extid=4e62caa04a7928cf10c7