[Android 5.10] general protection fault in dir_rename_wrap


syzbot

May 19, 2024, 7:46:20 AM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 70b6ab09a34b Revert "hrtimer: Report offline hrtimer enque..
git tree: android13-5.10-lts
console+strace: https://syzkaller.appspot.com/x/log.txt?x=128ef4b2980000
kernel config: https://syzkaller.appspot.com/x/.config?x=32ace1916c4b73d8
dashboard link: https://syzkaller.appspot.com/bug?extid=fb05fedef83641091a1e
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=112e5748980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17f77392980000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/c2e16761410a/disk-70b6ab09.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/d0874dd2861d/vmlinux-70b6ab09.xz
kernel image: https://storage.googleapis.com/syzbot-assets/4e2f94cb7466/bzImage-70b6ab09.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+fb05fe...@syzkaller.appspotmail.com

incfs: mount failed -22
general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
CPU: 0 PID: 302 Comm: syz-executor219 Not tainted 5.10.210-syzkaller-00394-g70b6ab09a34b #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
RIP: 0010:dir_rename fs/incfs/vfs.c:1375 [inline]
RIP: 0010:dir_rename_wrap+0x1e5/0x570 fs/incfs/vfs.c:85
Code: bb f0 ff ff ff 4c 8b 75 b8 e9 4c 03 00 00 e8 c2 ca 5f ff 31 db 48 83 c3 08 48 89 d8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 08 48 89 df e8 ad 4a 9d ff 48 8b 1b 48 8b 45 c8 48
RSP: 0018:ffffc90000b77b00 EFLAGS: 00010202
RAX: 0000000000000001 RBX: 0000000000000008 RCX: dffffc0000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90000b77b70 R08: ffffffff820ade0a R09: fffff5200016ef51
R10: 0000000000000000 R11: dffffc0000000001 R12: 1ffff1102335a303
R13: ffff88811c92f110 R14: ffff888119ad1818 R15: ffff888119ad1828
FS: 00007fbc20f3c6c0(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffff77ea7c0 CR3: 000000011d38f000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
vfs_rename+0x9fb/0xeb0 fs/namei.c:4474
do_renameat2+0xa56/0x1240 fs/namei.c:4619
__do_sys_renameat2 fs/namei.c:4657 [inline]
__se_sys_renameat2 fs/namei.c:4654 [inline]
__x64_sys_renameat2+0xdd/0xf0 fs/namei.c:4654
do_syscall_64+0x34/0x70
entry_SYSCALL_64_after_hwframe+0x61/0xc6
RIP: 0033:0x7fbc20f7ea69
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fbc20f3c218 EFLAGS: 00000246 ORIG_RAX: 000000000000013c
RAX: ffffffffffffffda RBX: 00007fbc210063c8 RCX: 00007fbc20f7ea69
RDX: 0000000000000004 RSI: 0000000020000040 RDI: 0000000000000004
RBP: 00007fbc210063c0 R08: 0000000000000002 R09: 0000000000000000
R10: 0000000020000080 R11: 0000000000000246 R12: 00007fbc20fd31ec
R13: 0031656c69662f2e R14: 00007fbc20fd3052 R15: 676e69646e65702e
Modules linked in:
---[ end trace 4f6f9261e2c83fb0 ]---
RIP: 0010:dir_rename fs/incfs/vfs.c:1375 [inline]
RIP: 0010:dir_rename_wrap+0x1e5/0x570 fs/incfs/vfs.c:85
Code: bb f0 ff ff ff 4c 8b 75 b8 e9 4c 03 00 00 e8 c2 ca 5f ff 31 db 48 83 c3 08 48 89 d8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 08 48 89 df e8 ad 4a 9d ff 48 8b 1b 48 8b 45 c8 48
RSP: 0018:ffffc90000b77b00 EFLAGS: 00010202
RAX: 0000000000000001 RBX: 0000000000000008 RCX: dffffc0000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90000b77b70 R08: ffffffff820ade0a R09: fffff5200016ef51
R10: 0000000000000000 R11: dffffc0000000001 R12: 1ffff1102335a303
R13: ffff88811c92f110 R14: ffff888119ad1818 R15: ffff888119ad1828
FS: 00007fbc20f3c6c0(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055d5aea86038 CR3: 000000011d38f000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: bb f0 ff ff ff mov $0xfffffff0,%ebx
5: 4c 8b 75 b8 mov -0x48(%rbp),%r14
9: e9 4c 03 00 00 jmp 0x35a
e: e8 c2 ca 5f ff call 0xff5fcad5
13: 31 db xor %ebx,%ebx
15: 48 83 c3 08 add $0x8,%rbx
19: 48 89 d8 mov %rbx,%rax
1c: 48 c1 e8 03 shr $0x3,%rax
20: 48 b9 00 00 00 00 00 movabs $0xdffffc0000000000,%rcx
27: fc ff df
* 2a: 80 3c 08 00 cmpb $0x0,(%rax,%rcx,1) <-- trapping instruction
2e: 74 08 je 0x38
30: 48 89 df mov %rbx,%rdi
33: e8 ad 4a 9d ff call 0xff9d4ae5
38: 48 8b 1b mov (%rbx),%rbx
3b: 48 8b 45 c8 mov -0x38(%rbp),%rax
3f: 48 rex.W


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

syzbot

May 20, 2024, 7:47:37 PM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 51cf29fc2bfc ANDROID: 16K: Fix show maps CFI failure
git tree: android12-5.4
console+strace: https://syzkaller.appspot.com/x/log.txt?x=10d04d92980000
kernel config: https://syzkaller.appspot.com/x/.config?x=60c0e8be982a03fd
dashboard link: https://syzkaller.appspot.com/bug?extid=b6c60c3311f9f1295961
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13a13df4980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1123d9cc980000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/dafe3e59edaa/disk-51cf29fc.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/3f89dedfe879/vmlinux-51cf29fc.xz
kernel image: https://storage.googleapis.com/syzbot-assets/447bf9d8e870/bzImage-51cf29fc.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+b6c60c...@syzkaller.appspotmail.com

incfs: mount failed -22
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 384 Comm: syz-executor379 Not tainted 5.4.268-syzkaller-00012-g51cf29fc2bfc #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
RIP: 0010:dir_rename fs/incfs/vfs.c:1374 [inline]
RIP: 0010:dir_rename_wrap+0x1a5/0x4f0 fs/incfs/vfs.c:84
Code: 7a ff eb 05 e8 4c 85 7a ff bb f0 ff ff ff 48 8b 6c 24 18 e9 02 03 00 00 e8 38 85 7a ff 31 db 48 83 c3 08 48 89 d8 48 c1 e8 03 <42> 80 3c 20 00 74 08 48 89 df e8 2c 68 aa ff 48 8b 1b 48 8b 44 24
RSP: 0018:ffff8881e2c1fac0 EFLAGS: 00010202
RAX: 0000000000000001 RBX: 0000000000000008 RCX: ffff8881db22de80
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffff8881db671018 R08: ffffffff81e9c0e1 R09: ffffed103c583f49
R10: 0000000000000000 R11: dffffc0000000001 R12: dffffc0000000000
R13: ffff8881db671028 R14: ffff8881dc000000 R15: 1ffff1103b6ce203
FS: 00007f19cd39e6c0(0000) GS:ffff8881f6f00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f19cd41c450 CR3: 00000001db038000 CR4: 00000000003406a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
vfs_rename+0x90e/0xda0 fs/namei.c:4584
do_renameat2+0x889/0x1110 fs/namei.c:4733
__do_sys_renameat2 fs/namei.c:4768 [inline]
__se_sys_renameat2 fs/namei.c:4765 [inline]
__x64_sys_renameat2+0xb1/0xc0 fs/namei.c:4765
do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x5c/0xc1
Modules linked in:
---[ end trace 3c95681bd66b3bfe ]---
RIP: 0010:dir_rename fs/incfs/vfs.c:1374 [inline]
RIP: 0010:dir_rename_wrap+0x1a5/0x4f0 fs/incfs/vfs.c:84
Code: 7a ff eb 05 e8 4c 85 7a ff bb f0 ff ff ff 48 8b 6c 24 18 e9 02 03 00 00 e8 38 85 7a ff 31 db 48 83 c3 08 48 89 d8 48 c1 e8 03 <42> 80 3c 20 00 74 08 48 89 df e8 2c 68 aa ff 48 8b 1b 48 8b 44 24
RSP: 0018:ffff8881e2c1fac0 EFLAGS: 00010202
RAX: 0000000000000001 RBX: 0000000000000008 RCX: ffff8881db22de80
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffff8881db671018 R08: ffffffff81e9c0e1 R09: ffffed103c583f49
R10: 0000000000000000 R11: dffffc0000000001 R12: dffffc0000000000
R13: ffff8881db671028 R14: ffff8881dc000000 R15: 1ffff1103b6ce203
FS: 00007f19cd39e6c0(0000) GS:ffff8881f6f00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000555a9bf9b068 CR3: 00000001db038000 CR4: 00000000003406a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 7a ff jp 0x1
2: eb 05 jmp 0x9
4: e8 4c 85 7a ff call 0xff7a8555
9: bb f0 ff ff ff mov $0xfffffff0,%ebx
e: 48 8b 6c 24 18 mov 0x18(%rsp),%rbp
13: e9 02 03 00 00 jmp 0x31a
18: e8 38 85 7a ff call 0xff7a8555
1d: 31 db xor %ebx,%ebx
1f: 48 83 c3 08 add $0x8,%rbx
23: 48 89 d8 mov %rbx,%rax
26: 48 c1 e8 03 shr $0x3,%rax
* 2a: 42 80 3c 20 00 cmpb $0x0,(%rax,%r12,1) <-- trapping instruction
2f: 74 08 je 0x39
31: 48 89 df mov %rbx,%rdi
34: e8 2c 68 aa ff call 0xffaa6865
39: 48 8b 1b mov (%rbx),%rbx
3c: 48 rex.W
3d: 8b .byte 0x8b
3e: 44 rex.R
3f: 24 .byte 0x24

syzbot

May 25, 2024, 3:40:23 AM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 68c821783c76 UPSTREAM: epoll: be better about file lifetimes
git tree: android14-6.1
console+strace: https://syzkaller.appspot.com/x/log.txt?x=111b3df4980000
kernel config: https://syzkaller.appspot.com/x/.config?x=4a340f281ebc7608
dashboard link: https://syzkaller.appspot.com/bug?extid=20aaf59fe73fa0b87e67
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14ec80ec980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=116226dc980000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/d1ff24444b8f/disk-68c82178.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/6871956ff3e3/vmlinux-68c82178.xz
kernel image: https://storage.googleapis.com/syzbot-assets/4ffb4852b8e7/bzImage-68c82178.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+20aaf5...@syzkaller.appspotmail.com

incfs: mount failed -22
general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
CPU: 0 PID: 395 Comm: syz-executor200 Not tainted 6.1.75-syzkaller-00026-g68c821783c76 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
RIP: 0010:dir_rename fs/incfs/vfs.c:1384 [inline]
RIP: 0010:dir_rename_wrap+0x256/0x720 fs/incfs/vfs.c:91
Code: 4c 8b 3c 24 e9 3e 04 00 00 e8 06 d2 51 ff 31 db 4c 89 6c 24 18 48 83 c3 08 48 89 d8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 08 48 89 df e8 ec d0 98 ff 4c 8b 2b 48 8b 5c 24 28
RSP: 0018:ffffc90000f77980 EFLAGS: 00010202
RAX: 0000000000000001 RBX: 0000000000000008 RCX: dffffc0000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90000f77ab0 R08: ffffffff82239d4d R09: fffff520001eef21
R10: 0000000000000000 R11: dffffc0000000001 R12: 1ffff11020128d03
R13: 1ffff11020128d05 R14: ffff888100946818 R15: ffff888100946828
FS: 00007fb70f2c76c0(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fb70f345450 CR3: 0000000121416000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
vfs_rename+0xbf9/0xf90 fs/namei.c:4862
do_renameat2+0xa9b/0x1400 fs/namei.c:5014
__do_sys_renameat2 fs/namei.c:5047 [inline]
__se_sys_renameat2 fs/namei.c:5044 [inline]
__x64_sys_renameat2+0xdd/0xf0 fs/namei.c:5044
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fb70f309789
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 81 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fb70f2c7218 EFLAGS: 00000246 ORIG_RAX: 000000000000013c
RAX: ffffffffffffffda RBX: 00007fb70f3913c8 RCX: 00007fb70f309789
RDX: 0000000000000004 RSI: 0000000020000040 RDI: 0000000000000004
RBP: 00007fb70f3913c0 R08: 0000000000000002 R09: 0000000000000000
R10: 0000000020000080 R11: 0000000000000246 R12: 00007fb70f35e0c4
R13: 0031656c69662f2e R14: 00007fb70f35e070 R15: 676e69646e65702e
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:dir_rename fs/incfs/vfs.c:1384 [inline]
RIP: 0010:dir_rename_wrap+0x256/0x720 fs/incfs/vfs.c:91
Code: 4c 8b 3c 24 e9 3e 04 00 00 e8 06 d2 51 ff 31 db 4c 89 6c 24 18 48 83 c3 08 48 89 d8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 08 48 89 df e8 ec d0 98 ff 4c 8b 2b 48 8b 5c 24 28
RSP: 0018:ffffc90000f77980 EFLAGS: 00010202
RAX: 0000000000000001 RBX: 0000000000000008 RCX: dffffc0000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90000f77ab0 R08: ffffffff82239d4d R09: fffff520001eef21
R10: 0000000000000000 R11: dffffc0000000001 R12: 1ffff11020128d03
R13: 1ffff11020128d05 R14: ffff888100946818 R15: ffff888100946828
FS: 00007fb70f2c76c0(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fb70f345450 CR3: 0000000121416000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 4c 8b 3c 24 mov (%rsp),%r15
4: e9 3e 04 00 00 jmp 0x447
9: e8 06 d2 51 ff call 0xff51d214
e: 31 db xor %ebx,%ebx
10: 4c 89 6c 24 18 mov %r13,0x18(%rsp)
15: 48 83 c3 08 add $0x8,%rbx
19: 48 89 d8 mov %rbx,%rax
1c: 48 c1 e8 03 shr $0x3,%rax
20: 48 b9 00 00 00 00 00 movabs $0xdffffc0000000000,%rcx
27: fc ff df
* 2a: 80 3c 08 00 cmpb $0x0,(%rax,%rcx,1) <-- trapping instruction
2e: 74 08 je 0x38
30: 48 89 df mov %rbx,%rdi
33: e8 ec d0 98 ff call 0xff98d124
38: 4c 8b 2b mov (%rbx),%r13
3b: 48 8b 5c 24 28 mov 0x28(%rsp),%rbx

syzbot

May 25, 2024, 6:27:21 AM
to syzkaller-a...@googlegroups.com
Bug presence analysis results: the bug reproduces only on Android 6.1.

syzbot has run the reproducer on other relevant kernel trees and got
the following results:

android14-6.1 (commit 68c821783c76) on 2024/05/25:
general protection fault in dir_rename_wrap
Report: https://syzkaller.appspot.com/x/report.txt?x=14f4dc0c980000

lts (commit 883d1a956208) on 2024/05/25:
Didn't crash.

upstream (commit 56fb6f92854f) on 2024/05/25:
Didn't crash.

More details can be found at:
https://syzkaller.appspot.com/bug?extid=20aaf59fe73fa0b87e67