[Android 5.10] general protection fault in do_unlinkat


syzbot

Jul 1, 2023, 5:31:05 PM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 28cc6246b5e7 Revert "neighbour: fix unaligned access to pn..
git tree: android13-5.10-lts
console+strace: https://syzkaller.appspot.com/x/log.txt?x=10cbe50b280000
kernel config: https://syzkaller.appspot.com/x/.config?x=d5879ce73795cfd9
dashboard link: https://syzkaller.appspot.com/bug?extid=d2f9d314d09d40e0ea57
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=101a9fd0a80000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17b4e724a80000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/ddfddcb47ea7/disk-28cc6246.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/ac725a616d84/vmlinux-28cc6246.xz
kernel image: https://storage.googleapis.com/syzbot-assets/8f618f432bb6/bzImage-28cc6246.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d2f9d3...@syzkaller.appspotmail.com

general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
CPU: 0 PID: 298 Comm: syz-executor384 Not tainted 5.10.184-syzkaller-01138-g28cc6246b5e7 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
RIP: 0010:do_unlinkat+0x3b2/0x8b0 fs/namei.c:4035
Code: de e8 92 1b b7 ff 31 c0 81 fb 00 00 20 00 0f 94 c0 41 bf ec ff ff ff 41 29 c7 e9 99 00 00 00 49 8d 7d 30 48 89 f8 48 c1 e8 03 <42> 80 3c 20 00 74 05 e8 22 2b f4 ff 49 8b 45 30 48 89 44 24 28 4c
RSP: 0018:ffffc90000b27da0 EFLAGS: 00010206
RAX: 0000000000000006 RBX: 0000000000000000 RCX: ffff88811e2da780
RDX: ffff88811e2da780 RSI: 0000000000000000 RDI: 0000000000000032
RBP: ffffc90000b27f18 R08: ffffffff81b36983 R09: ffffed1021ffe82e
R10: 0000000000000000 R11: dffffc0000000001 R12: dffffc0000000000
R13: 0000000000000002 R14: 1ffff11021ffe828 R15: dffffc0000000000
FS: 00007fe942373700(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000002000a000 CR3: 000000011e3f6000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
__do_sys_unlink fs/namei.c:4088 [inline]
__se_sys_unlink fs/namei.c:4086 [inline]
__x64_sys_unlink+0x49/0x50 fs/namei.c:4086
do_syscall_64+0x34/0x70
entry_SYSCALL_64_after_hwframe+0x61/0xc6
RIP: 0033:0x7fe9423c14a9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 81 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fe9423732f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000057
RAX: ffffffffffffffda RBX: 00007fe94244b4c0 RCX: 00007fe9423c14a9
RDX: 00007fe9423c14a9 RSI: 00000000000f4240 RDI: 0000000020000100
RBP: 00007fe942419024 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000030 R11: 0000000000000246 R12: 00007fff952f03ce
R13: 00007fe942419040 R14: 0000000800000000 R15: 00007fe94244b4c8
Modules linked in:
---[ end trace 789a1eac0345dbcb ]---
RIP: 0010:do_unlinkat+0x3b2/0x8b0 fs/namei.c:4035
Code: de e8 92 1b b7 ff 31 c0 81 fb 00 00 20 00 0f 94 c0 41 bf ec ff ff ff 41 29 c7 e9 99 00 00 00 49 8d 7d 30 48 89 f8 48 c1 e8 03 <42> 80 3c 20 00 74 05 e8 22 2b f4 ff 49 8b 45 30 48 89 44 24 28 4c
RSP: 0018:ffffc90000b27da0 EFLAGS: 00010206
RAX: 0000000000000006 RBX: 0000000000000000 RCX: ffff88811e2da780
RDX: ffff88811e2da780 RSI: 0000000000000000 RDI: 0000000000000032
RBP: ffffc90000b27f18 R08: ffffffff81b36983 R09: ffffed1021ffe82e
R10: 0000000000000000 R11: dffffc0000000001 R12: dffffc0000000000
R13: 0000000000000002 R14: 1ffff11021ffe828 R15: dffffc0000000000
FS: 00007fe942373700(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fe942416c28 CR3: 000000011e3f6000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: de e8 fsubrp %st,%st(0)
2: 92 xchg %eax,%edx
3: 1b b7 ff 31 c0 81 sbb -0x7e3fce01(%rdi),%esi
9: fb sti
a: 00 00 add %al,(%rax)
c: 20 00 and %al,(%rax)
e: 0f 94 c0 sete %al
11: 41 bf ec ff ff ff mov $0xffffffec,%r15d
17: 41 29 c7 sub %eax,%r15d
1a: e9 99 00 00 00 jmpq 0xb8
1f: 49 8d 7d 30 lea 0x30(%r13),%rdi
23: 48 89 f8 mov %rdi,%rax
26: 48 c1 e8 03 shr $0x3,%rax
* 2a: 42 80 3c 20 00 cmpb $0x0,(%rax,%r12,1) <-- trapping instruction
2f: 74 05 je 0x36
31: e8 22 2b f4 ff callq 0xfff42b58
36: 49 8b 45 30 mov 0x30(%r13),%rax
3a: 48 89 44 24 28 mov %rax,0x28(%rsp)
3f: 4c rex.WR


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to change the bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

syzbot

Jul 1, 2023, 6:19:53 PM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: ed2a228522b9 ANDROID: fix build error when use cpu_cgroup_..
git tree: android14-6.1
console+strace: https://syzkaller.appspot.com/x/log.txt?x=111a2dfb280000
kernel config: https://syzkaller.appspot.com/x/.config?x=c25288e8257ec4da
dashboard link: https://syzkaller.appspot.com/bug?extid=7463da04bf95c393a7b7
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1096a47f280000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14e1fd8f280000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/faee87725138/disk-ed2a2285.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/11133ca2cd73/vmlinux-ed2a2285.xz
kernel image: https://storage.googleapis.com/syzbot-assets/1b78d440d6e6/bzImage-ed2a2285.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+7463da...@syzkaller.appspotmail.com

general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
CPU: 1 PID: 298 Comm: syz-executor350 Not tainted 6.1.25-syzkaller-00155-ged2a228522b9 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
RIP: 0010:do_unlinkat+0x3db/0x910 fs/namei.c:4312
Code: de e8 89 8f ad ff 31 c0 81 fb 00 00 20 00 0f 94 c0 41 be ec ff ff ff 41 29 c6 e9 bd 00 00 00 49 8d 7d 30 48 89 f8 48 c1 e8 03 <42> 80 3c 20 00 74 05 e8 e9 a7 f3 ff 49 8b 45 30 48 89 44 24 38 4c
RSP: 0018:ffffc90000da7d80 EFLAGS: 00010206
RAX: 0000000000000006 RBX: 0000000000000000 RCX: ffff888109712880
RDX: ffff888109712880 RSI: 0000000000000000 RDI: 0000000000000032
RBP: ffffc90000da7f08 R08: ffffffff81c7584c R09: fffff520001b4f8f
R10: 0000000000000000 R11: dffffc0000000001 R12: dffffc0000000000
R13: 0000000000000002 R14: dffffc0000000000 R15: 1ffff11023f9455a
FS: 00007fcd7a57f700(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000002000a000 CR3: 000000011f4e2000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
__do_sys_unlink fs/namei.c:4368 [inline]
__se_sys_unlink fs/namei.c:4366 [inline]
__x64_sys_unlink+0x49/0x50 fs/namei.c:4366
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fcd7a5cd4a9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 81 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fcd7a57f2f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000057
RAX: ffffffffffffffda RBX: 00007fcd7a6574c0 RCX: 00007fcd7a5cd4a9
RDX: 00007fcd7a5cd4a9 RSI: 00000000000f4240 RDI: 0000000020000100
RBP: 00007fcd7a625024 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000030 R11: 0000000000000246 R12: 00007ffeed11800e
R13: 00007fcd7a625040 R14: 0000000800000000 R15: 00007fcd7a6574c8
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:do_unlinkat+0x3db/0x910 fs/namei.c:4312
Code: de e8 89 8f ad ff 31 c0 81 fb 00 00 20 00 0f 94 c0 41 be ec ff ff ff 41 29 c6 e9 bd 00 00 00 49 8d 7d 30 48 89 f8 48 c1 e8 03 <42> 80 3c 20 00 74 05 e8 e9 a7 f3 ff 49 8b 45 30 48 89 44 24 38 4c
RSP: 0018:ffffc90000da7d80 EFLAGS: 00010206
RAX: 0000000000000006 RBX: 0000000000000000 RCX: ffff888109712880
RDX: ffff888109712880 RSI: 0000000000000000 RDI: 0000000000000032
RBP: ffffc90000da7f08 R08: ffffffff81c7584c R09: fffff520001b4f8f
R10: 0000000000000000 R11: dffffc0000000001 R12: dffffc0000000000
R13: 0000000000000002 R14: dffffc0000000000 R15: 1ffff11023f9455a
FS: 00007fcd7a57f700(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fcd7a5cd320 CR3: 000000011f4e2000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: de e8 fsubrp %st,%st(0)
2: 89 8f ad ff 31 c0 mov %ecx,-0x3fce0053(%rdi)
8: 81 fb 00 00 20 00 cmp $0x200000,%ebx
e: 0f 94 c0 sete %al
11: 41 be ec ff ff ff mov $0xffffffec,%r14d
17: 41 29 c6 sub %eax,%r14d
1a: e9 bd 00 00 00 jmpq 0xdc
1f: 49 8d 7d 30 lea 0x30(%r13),%rdi
23: 48 89 f8 mov %rdi,%rax
26: 48 c1 e8 03 shr $0x3,%rax
* 2a: 42 80 3c 20 00 cmpb $0x0,(%rax,%r12,1) <-- trapping instruction
2f: 74 05 je 0x36
31: e8 e9 a7 f3 ff callq 0xfff3a81f
36: 49 8b 45 30 mov 0x30(%r13),%rax
3a: 48 89 44 24 38 mov %rax,0x38(%rsp)

syzbot

Jul 1, 2023, 6:19:53 PM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 241da2ad5601 Revert "net: Remove DECnet leftovers from flo..
git tree: android13-5.15-lts
console+strace: https://syzkaller.appspot.com/x/log.txt?x=11ea5cfb280000
kernel config: https://syzkaller.appspot.com/x/.config?x=c231d926affe11e9
dashboard link: https://syzkaller.appspot.com/bug?extid=401c1e2e29c32961e4bd
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10fdb4f0a80000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14c56068a80000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/fe9e20a8468e/disk-241da2ad.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/b1f406640656/vmlinux-241da2ad.xz
kernel image: https://storage.googleapis.com/syzbot-assets/36a487430de4/bzImage-241da2ad.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+401c1e...@syzkaller.appspotmail.com

general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
CPU: 0 PID: 294 Comm: syz-executor280 Not tainted 5.15.118-syzkaller-01748-g241da2ad5601 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
RIP: 0010:do_unlinkat+0x3db/0x910 fs/namei.c:4269
Code: de e8 99 0d b3 ff 31 c0 81 fb 00 00 20 00 0f 94 c0 41 be ec ff ff ff 41 29 c6 e9 bd 00 00 00 49 8d 7d 30 48 89 f8 48 c1 e8 03 <42> 80 3c 20 00 74 05 e8 99 6d f4 ff 49 8b 45 30 48 89 44 24 38 4c
RSP: 0018:ffffc90000957d80 EFLAGS: 00010206
RAX: 0000000000000006 RBX: 0000000000000000 RCX: ffff88811e043b40
RDX: ffff88811e043b40 RSI: 0000000000000000 RDI: 0000000000000032
RBP: ffffc90000957f08 R08: ffffffff81bccc6c R09: ffffed102381c672
R10: 0000000000000000 R11: dffffc0000000001 R12: dffffc0000000000
R13: 0000000000000002 R14: dffffc0000000000 R15: 1ffff1102381c66c
FS: 00007fcecea21700(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055f4710b3008 CR3: 000000011dfe5000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
__do_sys_unlink fs/namei.c:4325 [inline]
__se_sys_unlink fs/namei.c:4323 [inline]
__x64_sys_unlink+0x49/0x50 fs/namei.c:4323
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7fcecea6f4a9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 81 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fcecea212f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000057
RAX: ffffffffffffffda RBX: 00007fceceaf94c0 RCX: 00007fcecea6f4a9
RDX: 00007fcecea6f4a9 RSI: 00000000000f4240 RDI: 0000000020000100
RBP: 00007fceceac7024 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000030 R11: 0000000000000246 R12: 00007ffc03e080de
R13: 00007fceceac7040 R14: 0000000800000000 R15: 00007fceceaf94c8
</TASK>
Modules linked in:
---[ end trace cc6a787e070136d9 ]---
RIP: 0010:do_unlinkat+0x3db/0x910 fs/namei.c:4269
Code: de e8 99 0d b3 ff 31 c0 81 fb 00 00 20 00 0f 94 c0 41 be ec ff ff ff 41 29 c6 e9 bd 00 00 00 49 8d 7d 30 48 89 f8 48 c1 e8 03 <42> 80 3c 20 00 74 05 e8 99 6d f4 ff 49 8b 45 30 48 89 44 24 38 4c
RSP: 0018:ffffc90000957d80 EFLAGS: 00010206
RAX: 0000000000000006 RBX: 0000000000000000 RCX: ffff88811e043b40
RDX: ffff88811e043b40 RSI: 0000000000000000 RDI: 0000000000000032
RBP: ffffc90000957f08 R08: ffffffff81bccc6c R09: ffffed102381c672
R10: 0000000000000000 R11: dffffc0000000001 R12: dffffc0000000000
R13: 0000000000000002 R14: dffffc0000000000 R15: 1ffff1102381c66c
FS: 00007fcecea21700(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055f4710b3008 CR3: 000000011dfe5000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: de e8 fsubrp %st,%st(0)
2: 99 cltd
3: 0d b3 ff 31 c0 or $0xc031ffb3,%eax
8: 81 fb 00 00 20 00 cmp $0x200000,%ebx
e: 0f 94 c0 sete %al
11: 41 be ec ff ff ff mov $0xffffffec,%r14d
17: 41 29 c6 sub %eax,%r14d
1a: e9 bd 00 00 00 jmpq 0xdc
1f: 49 8d 7d 30 lea 0x30(%r13),%rdi
23: 48 89 f8 mov %rdi,%rax
26: 48 c1 e8 03 shr $0x3,%rax
* 2a: 42 80 3c 20 00 cmpb $0x0,(%rax,%r12,1) <-- trapping instruction
2f: 74 05 je 0x36
31: e8 99 6d f4 ff callq 0xfff46dcf

syzbot

Jul 2, 2023, 2:09:23 AM
to syzkaller-a...@googlegroups.com
syzbot has bisected this issue to:

commit f5f4199c102aa676998b42abff60d071385c1c0c
Author: Daniel Rosenberg <dro...@google.com>
Date: Thu Dec 2 21:50:02 2021 +0000

ANDROID: fuse-bpf v1.1

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=126509c8a80000
start commit: 241da2ad5601 Revert "net: Remove DECnet leftovers from flo..
git tree: android13-5.15-lts
final oops: https://syzkaller.appspot.com/x/report.txt?x=116509c8a80000
console output: https://syzkaller.appspot.com/x/log.txt?x=166509c8a80000
Reported-by: syzbot+401c1e...@syzkaller.appspotmail.com
Fixes: f5f4199c102a ("ANDROID: fuse-bpf v1.1")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection

syzbot

Jul 2, 2023, 8:54:34 AM
to syzkaller-a...@googlegroups.com
syzbot has bisected this issue to:

commit 57f3ff9648991998d008ecf32f2f9e78a08bfb8b
Author: Daniel Rosenberg <dro...@google.com>
Date: Thu Dec 2 21:50:02 2021 +0000

ANDROID: fuse-bpf v1.1

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=17adff80a80000
start commit: ed2a228522b9 ANDROID: fix build error when use cpu_cgroup_..
git tree: android14-6.1
final oops: https://syzkaller.appspot.com/x/report.txt?x=146dff80a80000
console output: https://syzkaller.appspot.com/x/log.txt?x=106dff80a80000
Reported-by: syzbot+7463da...@syzkaller.appspotmail.com
Fixes: 57f3ff964899 ("ANDROID: fuse-bpf v1.1")

syzbot

Jul 2, 2023, 5:09:22 PM
to syzkaller-a...@googlegroups.com
syzbot has bisected this issue to:

commit 6be5b06e4195b002c52a1c2c82573ea7a76ce111
Author: Daniel Rosenberg <dro...@google.com>
Date: Thu Dec 2 22:38:56 2021 +0000

ANDROID: fuse-bpf v1

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=14fff210a80000
start commit: 28cc6246b5e7 Revert "neighbour: fix unaligned access to pn..
git tree: android13-5.10-lts
final oops: https://syzkaller.appspot.com/x/report.txt?x=16fff210a80000
console output: https://syzkaller.appspot.com/x/log.txt?x=12fff210a80000
Reported-by: syzbot+d2f9d3...@syzkaller.appspotmail.com
Fixes: 6be5b06e4195 ("ANDROID: fuse-bpf v1")

syzbot

Jul 4, 2023, 9:53:44 PM
to syzkaller-a...@googlegroups.com
Bug presence analysis results: the bug reproduces only on Android 6.1.

syzbot has run the reproducer on other relevant kernel trees and got
the following results:

android14-6.1 (commit f63b2625af7c) on 2023/07/05:
general protection fault in do_unlinkat
Report: https://syzkaller.appspot.com/x/report.txt?x=155434aca80000

lts (commit b1644a0031cf) on 2023/07/05:
Didn't crash.

upstream (commit d528014517f2) on 2023/07/05:
Didn't crash.

More details can be found at:
https://syzkaller.appspot.com/bug?extid=7463da04bf95c393a7b7