general protection fault in ida_remove

syzbot

Apr 14, 2019, 4:51:34 AM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 24189101 ANDROID: Fix cuttlefish redundant vsock connection.
git tree: android-4.4
console output: https://syzkaller.appspot.com/x/log.txt?x=1386455f400000
kernel config: https://syzkaller.appspot.com/x/.config?x=e76b3f849c857277
dashboard link: https://syzkaller.appspot.com/bug?extid=6b343e96df04b8d9a600
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14e4a508c00000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+6b343e...@syzkaller.appspotmail.com

cache: kmalloc-64, object size: 64, buffer size: 96, default order: 0, min order: 0
node 0: slabs: 478, objs: 20076, free: 0
tty_init_dev: ldisc open failed, clearing slot 11
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 0 PID: 3032 Comm: syz-executor1 Not tainted 4.4.171+ #11
task: ffff8800babf4740 task.stack: ffff880025fd8000
RIP: 0010:[<ffffffff81aaf941>] [<ffffffff81aaf941>] ida_remove+0x31/0x270 lib/idr.c:1013
RSP: 0018:ffff880025fdf840 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffff8801d8fa1100 RCX: 0000000000000000
RDX: 0000000000000002 RSI: ffffffff81aaf92c RDI: 0000000000000010
RBP: ffff880025fdf888 R08: 0000000000000000 R09: ffff8800babf5050
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: ffff8800ba5c3180 R15: ffff8801d8fa16f0
FS: 00007f62eb731700(0000) GS:ffff8801db600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000001980938 CR3: 000000003f89c000 CR4: 00000000001606b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
ffffffff813afaa7 0000000000000001 0000000000000010 0000000b2076937d
ffff8801d8fa1100 0000000000000000 000000000000000b ffff8800ba5c3180
ffff8801d8fa16f0 ffff880025fdf8a8 ffffffff8162612c 0000000000000000
Call Trace:
[<ffffffff8162612c>] devpts_kill_index+0x2c/0x50 fs/devpts/inode.c:569
[<ffffffff81ca3a68>] pty_unix98_shutdown+0xf8/0x170 drivers/tty/pty.c:686
[<ffffffff81c887e9>] release_tty+0xb9/0x350 drivers/tty/tty_io.c:1699
[<ffffffff81c8a33c>] tty_init_dev drivers/tty/tty_io.c:1575 [inline]
[<ffffffff81c8a33c>] tty_init_dev+0x1dc/0x420 drivers/tty/tty_io.c:1515
[<ffffffff81ca4826>] ptmx_open drivers/tty/pty.c:770 [inline]
[<ffffffff81ca4826>] ptmx_open+0xf6/0x320 drivers/tty/pty.c:737
[<ffffffff814a3810>] chrdev_open+0x230/0x630 fs/char_dev.c:388
[<ffffffff8149101f>] do_dentry_open+0x38f/0xbd0 fs/open.c:749
[<ffffffff8149480b>] vfs_open+0x10b/0x210 fs/open.c:862
[<ffffffff814c572f>] do_last fs/namei.c:3269 [inline]
[<ffffffff814c572f>] path_openat+0x136f/0x4470 fs/namei.c:3406
[<ffffffff814cc401>] do_filp_open+0x1a1/0x270 fs/namei.c:3440
[<ffffffff81495138>] do_sys_open+0x2f8/0x600 fs/open.c:1038
[<ffffffff814954b0>] SYSC_openat fs/open.c:1065 [inline]
[<ffffffff814954b0>] SyS_openat+0x30/0x40 fs/open.c:1059
[<ffffffff82717c21>] entry_SYSCALL_64_fastpath+0x1e/0x9a
Code: 41 56 41 55 49 89 fd 41 54 53 48 83 ec 20 89 75 d4 e8 b4 9a 85 ff 49 8d 7d 10 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e e5 01 00 00 48 63 45 d4 b9
RIP [<ffffffff81aaf941>] ida_remove+0x31/0x270 lib/idr.c:1013
RSP <ffff880025fdf840>
---[ end trace 0653c54fd60f8c1f ]---


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
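Reading the fault from the dump: in the Code: bytes, `49 89 fd` saves ida_remove's first argument (the `struct ida *`) in R13, which is 0 in the register dump; `49 8d 7d 10` forms RDI = R13 + 0x10; and `48 b8 00 00 00 00 00 fc ff df` / `48 89 fa` / `48 c1 ea 03` / `<0f> b6 04 02` is the inline KASAN shadow load for that address (RAX = 0xdffffc0000000000, RDX = 0x10 >> 3 = 2). So this is a NULL pointer dereference reached from devpts_kill_index, and the CPU trips in the KASAN check itself, before the real load. The C program below is an added example, not part of syzbot's report or of the kernel source: it recomputes the shadow address from the register values on the page and shows why the check dies with a general protection fault rather than a page fault. Function names are mine; the only rule assumed from outside the report is x86-64's 48-bit canonical-address requirement.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* x86-64 KASAN shadow mapping. The offset is the 64-bit immediate the
 * compiler inlined (it is in the Code: bytes and sits in RAX in the
 * report); every 8 bytes of kernel memory are described by one shadow byte. */
#define KASAN_SHADOW_OFFSET      0xdffffc0000000000ULL
#define KASAN_SHADOW_SCALE_SHIFT 3

/* Shadow byte address for an access to addr, exactly as the faulting
 * sequence computes it: mov rdx,rdi; shr rdx,3; movzx eax,byte [rdx+rax]. */
uint64_t kasan_shadow_addr(uint64_t addr)
{
    return (addr >> KASAN_SHADOW_SCALE_SHIFT) + KASAN_SHADOW_OFFSET;
}

/* With 48-bit virtual addresses an address is canonical iff bits 63..47
 * are all equal. A non-canonical memory operand raises #GP, not #PF, so
 * CR2 is not updated for it (the CR2 in the report is left over from an
 * earlier page fault and says nothing about this crash). */
bool x86_64_canonical(uint64_t addr)
{
    uint64_t top17 = addr >> 47;
    return top17 == 0 || top17 == 0x1ffff;
}

/* Does the inline KASAN check for addr die with a #GP before the real
 * load is even attempted? True for every low-half address (NULL-relative
 * or user space): (addr >> 3) + KASAN_SHADOW_OFFSET then lands in the
 * non-canonical hole. That is what the "GPF could be caused by NULL-ptr
 * deref or user memory access" line is telling you. */
bool kasan_check_hits_gp(uint64_t addr)
{
    return !x86_64_canonical(kasan_shadow_addr(addr));
}

/* Effective address of the checked access: lea rdi,[r13+0x10] in the
 * report, where R13 holds the struct ida * that ida_remove received. */
uint64_t faulting_access_addr(uint64_t r13, uint8_t disp8)
{
    return r13 + disp8;
}

static void show(const char *what, uint64_t addr)
{
    uint64_t shadow = kasan_shadow_addr(addr);
    printf("%-24s addr=%#018llx shadow=%#018llx -> %s\n", what,
           (unsigned long long)addr, (unsigned long long)shadow,
           kasan_check_hits_gp(addr) ? "#GP inside the KASAN check"
                                     : "shadow canonical, check proceeds");
}

int main(void)
{
    /* Register values copied from the report's dump. */
    const uint64_t r13 = 0x0000000000000000ULL; /* ida_remove's ida: NULL */
    const uint64_t rbx = 0xffff8801d8fa1100ULL; /* a real kernel pointer */
    const uint64_t fs  = 0x00007f62eb731700ULL; /* a user-space address */

    show("R13+0x10 (the crash)", faulting_access_addr(r13, 0x10));
    show("RBX (kernel pointer)", rbx);
    show("FS base (user pointer)", fs);
    return 0;
}
```

Build with `cc -Wall -o kasan_gp kasan_gp.c`. The first line it prints reproduces RDX+RAX from the dump, 0xdffffc0000000002, which is non-canonical; that is why the hardware reports a general protection fault with no usable fault address instead of a page fault at 0x10, and why KASAN can only say the cause "could be" a NULL dereference or a user-memory access. Any kernel-half pointer, like RBX, maps to a canonical shadow address and gets past this point.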