Hello,
syzbot found the following issue on:
HEAD commit: 28cc6246b5e7 Revert "neighbour: fix unaligned access to pn..
git tree: android13-5.10-lts
console+strace:
https://syzkaller.appspot.com/x/log.txt?x=10cbe50b280000
kernel config:
https://syzkaller.appspot.com/x/.config?x=d5879ce73795cfd9
dashboard link:
https://syzkaller.appspot.com/bug?extid=d2f9d314d09d40e0ea57
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro:
https://syzkaller.appspot.com/x/repro.syz?x=101a9fd0a80000
C reproducer:
https://syzkaller.appspot.com/x/repro.c?x=17b4e724a80000
Downloadable assets:
disk image:
https://storage.googleapis.com/syzbot-assets/ddfddcb47ea7/disk-28cc6246.raw.xz
vmlinux:
https://storage.googleapis.com/syzbot-assets/ac725a616d84/vmlinux-28cc6246.xz
kernel image:
https://storage.googleapis.com/syzbot-assets/8f618f432bb6/bzImage-28cc6246.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by:
syzbot+d2f9d3...@syzkaller.appspotmail.com
general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
CPU: 0 PID: 298 Comm: syz-executor384 Not tainted 5.10.184-syzkaller-01138-g28cc6246b5e7 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
RIP: 0010:do_unlinkat+0x3b2/0x8b0 fs/namei.c:4035
Code: de e8 92 1b b7 ff 31 c0 81 fb 00 00 20 00 0f 94 c0 41 bf ec ff ff ff 41 29 c7 e9 99 00 00 00 49 8d 7d 30 48 89 f8 48 c1 e8 03 <42> 80 3c 20 00 74 05 e8 22 2b f4 ff 49 8b 45 30 48 89 44 24 28 4c
RSP: 0018:ffffc90000b27da0 EFLAGS: 00010206
RAX: 0000000000000006 RBX: 0000000000000000 RCX: ffff88811e2da780
RDX: ffff88811e2da780 RSI: 0000000000000000 RDI: 0000000000000032
RBP: ffffc90000b27f18 R08: ffffffff81b36983 R09: ffffed1021ffe82e
R10: 0000000000000000 R11: dffffc0000000001 R12: dffffc0000000000
R13: 0000000000000002 R14: 1ffff11021ffe828 R15: dffffc0000000000
FS: 00007fe942373700(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000002000a000 CR3: 000000011e3f6000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
__do_sys_unlink fs/namei.c:4088 [inline]
__se_sys_unlink fs/namei.c:4086 [inline]
__x64_sys_unlink+0x49/0x50 fs/namei.c:4086
do_syscall_64+0x34/0x70
entry_SYSCALL_64_after_hwframe+0x61/0xc6
RIP: 0033:0x7fe9423c14a9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 81 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fe9423732f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000057
RAX: ffffffffffffffda RBX: 00007fe94244b4c0 RCX: 00007fe9423c14a9
RDX: 00007fe9423c14a9 RSI: 00000000000f4240 RDI: 0000000020000100
RBP: 00007fe942419024 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000030 R11: 0000000000000246 R12: 00007fff952f03ce
R13: 00007fe942419040 R14: 0000000800000000 R15: 00007fe94244b4c8
Modules linked in:
---[ end trace 789a1eac0345dbcb ]---
RIP: 0010:do_unlinkat+0x3b2/0x8b0 fs/namei.c:4035
Code: de e8 92 1b b7 ff 31 c0 81 fb 00 00 20 00 0f 94 c0 41 bf ec ff ff ff 41 29 c7 e9 99 00 00 00 49 8d 7d 30 48 89 f8 48 c1 e8 03 <42> 80 3c 20 00 74 05 e8 22 2b f4 ff 49 8b 45 30 48 89 44 24 28 4c
RSP: 0018:ffffc90000b27da0 EFLAGS: 00010206
RAX: 0000000000000006 RBX: 0000000000000000 RCX: ffff88811e2da780
RDX: ffff88811e2da780 RSI: 0000000000000000 RDI: 0000000000000032
RBP: ffffc90000b27f18 R08: ffffffff81b36983 R09: ffffed1021ffe82e
R10: 0000000000000000 R11: dffffc0000000001 R12: dffffc0000000000
R13: 0000000000000002 R14: 1ffff11021ffe828 R15: dffffc0000000000
FS: 00007fe942373700(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fe942416c28 CR3: 000000011e3f6000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: de e8 fsubrp %st,%st(0)
2: 92 xchg %eax,%edx
3: 1b b7 ff 31 c0 81 sbb -0x7e3fce01(%rdi),%esi
9: fb sti
a: 00 00 add %al,(%rax)
c: 20 00 and %al,(%rax)
e: 0f 94 c0 sete %al
11: 41 bf ec ff ff ff mov $0xffffffec,%r15d
17: 41 29 c7 sub %eax,%r15d
1a: e9 99 00 00 00 jmpq 0xb8
1f: 49 8d 7d 30 lea 0x30(%r13),%rdi
23: 48 89 f8 mov %rdi,%rax
26: 48 c1 e8 03 shr $0x3,%rax
* 2a: 42 80 3c 20 00 cmpb $0x0,(%rax,%r12,1) <-- trapping instruction
2f: 74 05 je 0x36
31: e8 22 2b f4 ff callq 0xfff42b58
36: 49 8b 45 30 mov 0x30(%r13),%rax
3a: 48 89 44 24 28 mov %rax,0x28(%rsp)
3f: 4c rex.WR
---
This report is generated by a bot. It may contain errors.
See
https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at
syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to change bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup