general protection fault in ext4_xattr_set_entry (2)
14 views
Skip to first unread message
syzbot
Oct 15, 2022, 7:08:54 AM10/15/22
to syzkaller-a...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: bc7618b4936f Merge 5.10.147 into android12-5.10-lts
git tree: android12-5.10-lts
console+strace: https://syzkaller.appspot.com/x/log.txt?x=1086bcb4880000
kernel config: https://syzkaller.appspot.com/x/.config?x=5da2dc1c84f53d19
dashboard link: https://syzkaller.appspot.com/bug?extid=ef9a5c13ae0a7dc1b6b7
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12cf4206880000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=107a3978880000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/6b144b4b7dd1/disk-bc7618b4.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/b369288ae974/vmlinux-bc7618b4.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ef9a5c...@syzkaller.appspotmail.com
general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 0 PID: 383 Comm: syz-executor271 Not tainted 5.10.147-syzkaller-01341-gbc7618b4936f #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
RIP: 0010:ext4_xattr_set_entry+0x4a7/0x3820 fs/ext4/xattr.c:1586
Code: 00 00 48 89 d8 48 c1 e8 03 48 89 84 24 28 01 00 00 42 80 3c 20 00 74 08 48 89 df e8 13 88 ba ff 4c 8b 33 4c 89 f0 48 c1 e8 03 <42> 8a 04 20 84 c0 0f 85 8f 2d 00 00 4c 89 f8 48 2b 44 24 18 48 89
RSP: 0018:ffffc9000026f3c0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffffc9000026f7c0 RCX: ffff8881067d4f00
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000000000001c
RBP: ffffc9000026f658 R08: ffffffff81ec7899 R09: ffffed1021df082a
R10: ffffed1021df082a R11: 1ffff11021df0829 R12: dffffc0000000000
R13: 1ffff9200004def2 R14: 0000000000000000 R15: 0000000000000000
FS: 000055555676d300(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffdb7ae26c8 CR3: 00000001083ae000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
ext4_xattr_ibody_set+0x7c/0x2a0 fs/ext4/xattr.c:2227
ext4_xattr_set_handle+0xc5d/0x15a0 fs/ext4/xattr.c:2384
ext4_initxattrs+0xb2/0x120 fs/ext4/xattr_security.c:43
security_inode_init_security+0x26c/0x3c0 security/security.c:1033
ext4_init_security+0x34/0x40 fs/ext4/xattr_security.c:57
__ext4_new_inode+0x3648/0x4530 fs/ext4/ialloc.c:1322
ext4_mkdir+0x3b3/0xbb0 fs/ext4/namei.c:2947
vfs_mkdir+0x435/0x610 fs/namei.c:3729
do_mkdirat+0x1b6/0x2d0 fs/namei.c:3752
__do_sys_mkdir fs/namei.c:3768 [inline]
__se_sys_mkdir fs/namei.c:3766 [inline]
__x64_sys_mkdir+0x60/0x70 fs/namei.c:3766
do_syscall_64+0x34/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x61/0xc6
RIP: 0033:0x7fbbc8721ff7
Code: 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 53 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffde03a8d28 EFLAGS: 00000206 ORIG_RAX: 0000000000000053
RAX: ffffffffffffffda RBX: 0000000000005325 RCX: 00007fbbc8721ff7
RDX: 0000000000000000 RSI: 00000000000001ff RDI: 00007ffde03a8d60
RBP: 0000000000000181 R08: 0000000000000000 R09: 0000000000000003
R10: 00007ffde03a8ac7 R11: 0000000000000206 R12: 00007ffde03a8d4c
R13: 00007ffde03a8d80 R14: 00007ffde03a8d60 R15: 0000000000000001
Modules linked in:
---[ end trace 0e5a4b7a0dcdcf68 ]---
RIP: 0010:ext4_xattr_set_entry+0x4a7/0x3820 fs/ext4/xattr.c:1586
Code: 00 00 48 89 d8 48 c1 e8 03 48 89 84 24 28 01 00 00 42 80 3c 20 00 74 08 48 89 df e8 13 88 ba ff 4c 8b 33 4c 89 f0 48 c1 e8 03 <42> 8a 04 20 84 c0 0f 85 8f 2d 00 00 4c 89 f8 48 2b 44 24 18 48 89
RSP: 0018:ffffc9000026f3c0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffffc9000026f7c0 RCX: ffff8881067d4f00
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000000000001c
RBP: ffffc9000026f658 R08: ffffffff81ec7899 R09: ffffed1021df082a
R10: ffffed1021df082a R11: 1ffff11021df0829 R12: dffffc0000000000
R13: 1ffff9200004def2 R14: 0000000000000000 R15: 0000000000000000
FS: 000055555676d300(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055555677e668 CR3: 00000001083ae000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 00 00 add %al,(%rax)
2: 48 89 d8 mov %rbx,%rax
5: 48 c1 e8 03 shr $0x3,%rax
9: 48 89 84 24 28 01 00 mov %rax,0x128(%rsp)
10: 00
11: 42 80 3c 20 00 cmpb $0x0,(%rax,%r12,1)
16: 74 08 je 0x20
18: 48 89 df mov %rbx,%rdi
1b: e8 13 88 ba ff callq 0xffba8833
20: 4c 8b 33 mov (%rbx),%r14
23: 4c 89 f0 mov %r14,%rax
26: 48 c1 e8 03 shr $0x3,%rax
* 2a: 42 8a 04 20 mov (%rax,%r12,1),%al <-- trapping instruction
2e: 84 c0 test %al,%al
30: 0f 85 8f 2d 00 00 jne 0x2dc5
36: 4c 89 f8 mov %r15,%rax
39: 48 2b 44 24 18 sub 0x18(%rsp),%rax
3e: 48 rex.W
3f: 89 .byte 0x89
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot found the following issue on:
HEAD commit: bc7618b4936f Merge 5.10.147 into android12-5.10-lts
git tree: android12-5.10-lts
console+strace: https://syzkaller.appspot.com/x/log.txt?x=1086bcb4880000
kernel config: https://syzkaller.appspot.com/x/.config?x=5da2dc1c84f53d19
dashboard link: https://syzkaller.appspot.com/bug?extid=ef9a5c13ae0a7dc1b6b7
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12cf4206880000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=107a3978880000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/6b144b4b7dd1/disk-bc7618b4.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/b369288ae974/vmlinux-bc7618b4.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ef9a5c...@syzkaller.appspotmail.com
general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 0 PID: 383 Comm: syz-executor271 Not tainted 5.10.147-syzkaller-01341-gbc7618b4936f #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
RIP: 0010:ext4_xattr_set_entry+0x4a7/0x3820 fs/ext4/xattr.c:1586
Code: 00 00 48 89 d8 48 c1 e8 03 48 89 84 24 28 01 00 00 42 80 3c 20 00 74 08 48 89 df e8 13 88 ba ff 4c 8b 33 4c 89 f0 48 c1 e8 03 <42> 8a 04 20 84 c0 0f 85 8f 2d 00 00 4c 89 f8 48 2b 44 24 18 48 89
RSP: 0018:ffffc9000026f3c0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffffc9000026f7c0 RCX: ffff8881067d4f00
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000000000001c
RBP: ffffc9000026f658 R08: ffffffff81ec7899 R09: ffffed1021df082a
R10: ffffed1021df082a R11: 1ffff11021df0829 R12: dffffc0000000000
R13: 1ffff9200004def2 R14: 0000000000000000 R15: 0000000000000000
FS: 000055555676d300(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffdb7ae26c8 CR3: 00000001083ae000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
ext4_xattr_ibody_set+0x7c/0x2a0 fs/ext4/xattr.c:2227
ext4_xattr_set_handle+0xc5d/0x15a0 fs/ext4/xattr.c:2384
ext4_initxattrs+0xb2/0x120 fs/ext4/xattr_security.c:43
security_inode_init_security+0x26c/0x3c0 security/security.c:1033
ext4_init_security+0x34/0x40 fs/ext4/xattr_security.c:57
__ext4_new_inode+0x3648/0x4530 fs/ext4/ialloc.c:1322
ext4_mkdir+0x3b3/0xbb0 fs/ext4/namei.c:2947
vfs_mkdir+0x435/0x610 fs/namei.c:3729
do_mkdirat+0x1b6/0x2d0 fs/namei.c:3752
__do_sys_mkdir fs/namei.c:3768 [inline]
__se_sys_mkdir fs/namei.c:3766 [inline]
__x64_sys_mkdir+0x60/0x70 fs/namei.c:3766
do_syscall_64+0x34/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x61/0xc6
RIP: 0033:0x7fbbc8721ff7
Code: 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 53 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffde03a8d28 EFLAGS: 00000206 ORIG_RAX: 0000000000000053
RAX: ffffffffffffffda RBX: 0000000000005325 RCX: 00007fbbc8721ff7
RDX: 0000000000000000 RSI: 00000000000001ff RDI: 00007ffde03a8d60
RBP: 0000000000000181 R08: 0000000000000000 R09: 0000000000000003
R10: 00007ffde03a8ac7 R11: 0000000000000206 R12: 00007ffde03a8d4c
R13: 00007ffde03a8d80 R14: 00007ffde03a8d60 R15: 0000000000000001
Modules linked in:
---[ end trace 0e5a4b7a0dcdcf68 ]---
RIP: 0010:ext4_xattr_set_entry+0x4a7/0x3820 fs/ext4/xattr.c:1586
Code: 00 00 48 89 d8 48 c1 e8 03 48 89 84 24 28 01 00 00 42 80 3c 20 00 74 08 48 89 df e8 13 88 ba ff 4c 8b 33 4c 89 f0 48 c1 e8 03 <42> 8a 04 20 84 c0 0f 85 8f 2d 00 00 4c 89 f8 48 2b 44 24 18 48 89
RSP: 0018:ffffc9000026f3c0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffffc9000026f7c0 RCX: ffff8881067d4f00
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000000000001c
RBP: ffffc9000026f658 R08: ffffffff81ec7899 R09: ffffed1021df082a
R10: ffffed1021df082a R11: 1ffff11021df0829 R12: dffffc0000000000
R13: 1ffff9200004def2 R14: 0000000000000000 R15: 0000000000000000
FS: 000055555676d300(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055555677e668 CR3: 00000001083ae000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 00 00 add %al,(%rax)
2: 48 89 d8 mov %rbx,%rax
5: 48 c1 e8 03 shr $0x3,%rax
9: 48 89 84 24 28 01 00 mov %rax,0x128(%rsp)
10: 00
11: 42 80 3c 20 00 cmpb $0x0,(%rax,%r12,1)
16: 74 08 je 0x20
18: 48 89 df mov %rbx,%rdi
1b: e8 13 88 ba ff callq 0xffba8833
20: 4c 8b 33 mov (%rbx),%r14
23: 4c 89 f0 mov %r14,%rax
26: 48 c1 e8 03 shr $0x3,%rax
* 2a: 42 8a 04 20 mov (%rax,%r12,1),%al <-- trapping instruction
2e: 84 c0 test %al,%al
30: 0f 85 8f 2d 00 00 jne 0x2dc5
36: 4c 89 f8 mov %r15,%rax
39: 48 2b 44 24 18 sub 0x18(%rsp),%rax
3e: 48 rex.W
3f: 89 .byte 0x89
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
Reply all
Reply to author
Forward
0 new messages