BUG: stack guard page was hit in corrupted (18)
0 views
Skip to first unread message
syzbot
Apr 5, 2022, 3:56:23 PM4/5/22
to syzkaller-a...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 414e6c8e941c ANDROID: fix up abi issue with struct snd_pcm..
git tree: android12-5.10-lts
console output: https://syzkaller.appspot.com/x/log.txt?x=12aad65f700000
kernel config: https://syzkaller.appspot.com/x/.config?x=c82cd64ef7210f0c
dashboard link: https://syzkaller.appspot.com/bug?extid=01b4c65c7f6bd63a06c6
compiler: Debian clang version 11.0.1-2, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17adf510f00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10e15ca7700000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+01b4c6...@syzkaller.appspotmail.com
BUG: stack guard page was hit at ffffc90000987fb8 (stack is ffffc90000988000..ffffc9000098ffff)
kernel stack overflow (double-fault): 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 368 Comm: syz-executor496 Not tainted 5.10.109-syzkaller-00693-g414e6c8e941c #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__find_get_block+0x1b/0xbd0 fs/buffer.c:1332
Code: 5c 41 5d 41 5e 41 5f 5d c3 e8 91 fe d7 02 90 55 48 89 e5 41 57 41 56 41 55 41 54 53 48 83 e4 e0 48 81 ec a0 00 00 00 41 89 d5 <48> 89 34 24 48 89 7c 24 08 65 48 8b 04 25 28 00 00 00 48 89 84 24
RSP: 0018:ffffc90000987fc0 EFLAGS: 00010286
RAX: ffffffff81be3aa1 RBX: 0000000000000008 RCX: ffff888107bb8000
RDX: 0000000000001000 RSI: 00000000000000d8 RDI: ffff88810044bb80
RBP: ffffc900009880a0 R08: ffffffff81e8ca70 R09: ffffc900009881e0
R10: fffff52000131041 R11: 0000000000000000 R12: ffff88810044bb80
R13: 0000000000001000 R14: 0000000000001000 R15: 00000000000000d8
FS: 0000555556cd63c0(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffc90000987fb8 CR3: 0000000106d95000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
Modules linked in:
---[ end trace 68d9209dfe673fa6 ]---
RIP: 0010:__find_get_block+0x1b/0xbd0 fs/buffer.c:1332
Code: 5c 41 5d 41 5e 41 5f 5d c3 e8 91 fe d7 02 90 55 48 89 e5 41 57 41 56 41 55 41 54 53 48 83 e4 e0 48 81 ec a0 00 00 00 41 89 d5 <48> 89 34 24 48 89 7c 24 08 65 48 8b 04 25 28 00 00 00 48 89 84 24
RSP: 0018:ffffc90000987fc0 EFLAGS: 00010286
RAX: ffffffff81be3aa1 RBX: 0000000000000008 RCX: ffff888107bb8000
RDX: 0000000000001000 RSI: 00000000000000d8 RDI: ffff88810044bb80
RBP: ffffc900009880a0 R08: ffffffff81e8ca70 R09: ffffc900009881e0
R10: fffff52000131041 R11: 0000000000000000 R12: ffff88810044bb80
R13: 0000000000001000 R14: 0000000000001000 R15: 00000000000000d8
FS: 0000555556cd63c0(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffc90000987fb8 CR3: 0000000106d95000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 5c pop %rsp
1: 41 5d pop %r13
3: 41 5e pop %r14
5: 41 5f pop %r15
7: 5d pop %rbp
8: c3 retq
9: e8 91 fe d7 02 callq 0x2d7fe9f
e: 90 nop
f: 55 push %rbp
10: 48 89 e5 mov %rsp,%rbp
13: 41 57 push %r15
15: 41 56 push %r14
17: 41 55 push %r13
19: 41 54 push %r12
1b: 53 push %rbx
1c: 48 83 e4 e0 and $0xffffffffffffffe0,%rsp
20: 48 81 ec a0 00 00 00 sub $0xa0,%rsp
27: 41 89 d5 mov %edx,%r13d
* 2a: 48 89 34 24 mov %rsi,(%rsp) <-- trapping instruction
2e: 48 89 7c 24 08 mov %rdi,0x8(%rsp)
33: 65 48 8b 04 25 28 00 mov %gs:0x28,%rax
3a: 00 00
3c: 48 rex.W
3d: 89 .byte 0x89
3e: 84 .byte 0x84
3f: 24 .byte 0x24
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot found the following issue on:
HEAD commit: 414e6c8e941c ANDROID: fix up abi issue with struct snd_pcm..
git tree: android12-5.10-lts
console output: https://syzkaller.appspot.com/x/log.txt?x=12aad65f700000
kernel config: https://syzkaller.appspot.com/x/.config?x=c82cd64ef7210f0c
dashboard link: https://syzkaller.appspot.com/bug?extid=01b4c65c7f6bd63a06c6
compiler: Debian clang version 11.0.1-2, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17adf510f00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10e15ca7700000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+01b4c6...@syzkaller.appspotmail.com
BUG: stack guard page was hit at ffffc90000987fb8 (stack is ffffc90000988000..ffffc9000098ffff)
kernel stack overflow (double-fault): 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 368 Comm: syz-executor496 Not tainted 5.10.109-syzkaller-00693-g414e6c8e941c #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__find_get_block+0x1b/0xbd0 fs/buffer.c:1332
Code: 5c 41 5d 41 5e 41 5f 5d c3 e8 91 fe d7 02 90 55 48 89 e5 41 57 41 56 41 55 41 54 53 48 83 e4 e0 48 81 ec a0 00 00 00 41 89 d5 <48> 89 34 24 48 89 7c 24 08 65 48 8b 04 25 28 00 00 00 48 89 84 24
RSP: 0018:ffffc90000987fc0 EFLAGS: 00010286
RAX: ffffffff81be3aa1 RBX: 0000000000000008 RCX: ffff888107bb8000
RDX: 0000000000001000 RSI: 00000000000000d8 RDI: ffff88810044bb80
RBP: ffffc900009880a0 R08: ffffffff81e8ca70 R09: ffffc900009881e0
R10: fffff52000131041 R11: 0000000000000000 R12: ffff88810044bb80
R13: 0000000000001000 R14: 0000000000001000 R15: 00000000000000d8
FS: 0000555556cd63c0(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffc90000987fb8 CR3: 0000000106d95000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
Modules linked in:
---[ end trace 68d9209dfe673fa6 ]---
RIP: 0010:__find_get_block+0x1b/0xbd0 fs/buffer.c:1332
Code: 5c 41 5d 41 5e 41 5f 5d c3 e8 91 fe d7 02 90 55 48 89 e5 41 57 41 56 41 55 41 54 53 48 83 e4 e0 48 81 ec a0 00 00 00 41 89 d5 <48> 89 34 24 48 89 7c 24 08 65 48 8b 04 25 28 00 00 00 48 89 84 24
RSP: 0018:ffffc90000987fc0 EFLAGS: 00010286
RAX: ffffffff81be3aa1 RBX: 0000000000000008 RCX: ffff888107bb8000
RDX: 0000000000001000 RSI: 00000000000000d8 RDI: ffff88810044bb80
RBP: ffffc900009880a0 R08: ffffffff81e8ca70 R09: ffffc900009881e0
R10: fffff52000131041 R11: 0000000000000000 R12: ffff88810044bb80
R13: 0000000000001000 R14: 0000000000001000 R15: 00000000000000d8
FS: 0000555556cd63c0(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffc90000987fb8 CR3: 0000000106d95000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 5c pop %rsp
1: 41 5d pop %r13
3: 41 5e pop %r14
5: 41 5f pop %r15
7: 5d pop %rbp
8: c3 retq
9: e8 91 fe d7 02 callq 0x2d7fe9f
e: 90 nop
f: 55 push %rbp
10: 48 89 e5 mov %rsp,%rbp
13: 41 57 push %r15
15: 41 56 push %r14
17: 41 55 push %r13
19: 41 54 push %r12
1b: 53 push %rbx
1c: 48 83 e4 e0 and $0xffffffffffffffe0,%rsp
20: 48 81 ec a0 00 00 00 sub $0xa0,%rsp
27: 41 89 d5 mov %edx,%r13d
* 2a: 48 89 34 24 mov %rsi,(%rsp) <-- trapping instruction
2e: 48 89 7c 24 08 mov %rdi,0x8(%rsp)
33: 65 48 8b 04 25 28 00 mov %gs:0x28,%rax
3a: 00 00
3c: 48 rex.W
3d: 89 .byte 0x89
3e: 84 .byte 0x84
3f: 24 .byte 0x24
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
Tadeusz Struk
Apr 5, 2022, 4:08:12 PM4/5/22
to syzbot, syzkaller-a...@googlegroups.com
syzbot
Apr 5, 2022, 4:19:12 PM4/5/22
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
arch/x86/kvm/emulate.c:3302:5: error: stack frame size of 2552 bytes in function 'emulator_task_switch' [-Werror,-Wframe-larger-than=]
drivers/gpio/gpiolib-cdev.c:2105:13: error: stack frame size of 2328 bytes in function 'gpio_ioctl' [-Werror,-Wframe-larger-than=]
fs/quota/quota.c:766:12: error: stack frame size of 3416 bytes in function 'do_quotactl' [-Werror,-Wframe-larger-than=]
sound/usb/mixer_s1810c.c:543:5: error: stack frame size of 2104 bytes in function 'snd_sc1810_init_mixer' [-Werror,-Wframe-larger-than=]
net/ethtool/ioctl.c:2698:5: error: stack frame size of 3160 bytes in function 'dev_ethtool' [-Werror,-Wframe-larger-than=]
Tested on:
commit: e8bca85b ANDROID: Update the ABI symbol list
git tree: https://android.googlesource.com/kernel/common android13-5.15
syzbot tried to test the proposed patch but the build/boot failed:
arch/x86/kvm/emulate.c:3302:5: error: stack frame size of 2552 bytes in function 'emulator_task_switch' [-Werror,-Wframe-larger-than=]
drivers/gpio/gpiolib-cdev.c:2105:13: error: stack frame size of 2328 bytes in function 'gpio_ioctl' [-Werror,-Wframe-larger-than=]
fs/quota/quota.c:766:12: error: stack frame size of 3416 bytes in function 'do_quotactl' [-Werror,-Wframe-larger-than=]
sound/usb/mixer_s1810c.c:543:5: error: stack frame size of 2104 bytes in function 'snd_sc1810_init_mixer' [-Werror,-Wframe-larger-than=]
net/ethtool/ioctl.c:2698:5: error: stack frame size of 3160 bytes in function 'dev_ethtool' [-Werror,-Wframe-larger-than=]
Tested on:
commit: e8bca85b ANDROID: Update the ABI symbol list
git tree: https://android.googlesource.com/kernel/common android13-5.15
dashboard link: https://syzkaller.appspot.com/bug?extid=01b4c65c7f6bd63a06c6
compiler: Debian clang version 11.0.1-2, GNU ld (GNU Binutils for Debian) 2.35.2
Note: no patches were applied.
compiler: Debian clang version 11.0.1-2, GNU ld (GNU Binutils for Debian) 2.35.2
Tadeusz Struk
Apr 5, 2022, 4:24:05 PM4/5/22
to syzbot, syzkaller-a...@googlegroups.com
--
Thanks,
Tadeusz
Reply all
Reply to author
Forward
0 new messages