BUG: stack guard page was hit in corrupted (12)
0 views
Skip to first unread message
syzbot
Mar 19, 2022, 2:41:16 AM3/19/22
to syzkaller-a...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 5287773dba0d Merge 5.10.106 into android12-5.10-lts
git tree: android12-5.10-lts
console output: https://syzkaller.appspot.com/x/log.txt?x=112304ed700000
kernel config: https://syzkaller.appspot.com/x/.config?x=58f0ccb364b6905c
dashboard link: https://syzkaller.appspot.com/bug?extid=24caeae808251614089e
compiler: Debian clang version 11.0.1-2, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1327a113700000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16888135700000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+24caea...@syzkaller.appspotmail.com
BUG: stack guard page was hit at ffffc90000277fe8 (stack is ffffc90000278000..ffffc9000027ffff)
kernel stack overflow (double-fault): 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 365 Comm: syz-executor128 Not tainted 5.10.106-syzkaller-00514-g5287773dba0d #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:update_stack_state+0x127/0x530 arch/x86/kernel/unwind_frame.c:205
Code: 45 b8 48 01 c1 48 89 4d 98 4d 8d 67 18 49 8d 47 28 48 89 45 c8 4d 89 fd 49 8d 47 20 48 89 85 78 ff ff ff 4c 89 f0 48 c1 e8 03 <48> 89 85 68 ff ff ff 48 89 55 80 48 c1 ea 03 48 89 95 70 ff ff ff
RSP: 0018:ffffc90000277ff0 EFLAGS: 00010a02
RAX: 1ffff9200004f025 RBX: dffffc0000000000 RCX: ffffc90000278120
RDX: ffffc90000278130 RSI: ffffc90000278110 RDI: ffffc90000278120
RBP: ffffc90000278088 R08: dffffc0000000000 R09: ffffc90000278120
R10: fffff5200004f030 R11: 0000000000000000 R12: ffffc90000278138
R13: ffffc90000278120 R14: ffffc90000278128 R15: ffffc90000278120
FS: 00005555561ac300(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffc90000277fe8 CR3: 0000000107181000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
Modules linked in:
---[ end trace b01e1835f654bd38 ]---
RIP: 0010:update_stack_state+0x127/0x530 arch/x86/kernel/unwind_frame.c:205
Code: 45 b8 48 01 c1 48 89 4d 98 4d 8d 67 18 49 8d 47 28 48 89 45 c8 4d 89 fd 49 8d 47 20 48 89 85 78 ff ff ff 4c 89 f0 48 c1 e8 03 <48> 89 85 68 ff ff ff 48 89 55 80 48 c1 ea 03 48 89 95 70 ff ff ff
RSP: 0018:ffffc90000277ff0 EFLAGS: 00010a02
RAX: 1ffff9200004f025 RBX: dffffc0000000000 RCX: ffffc90000278120
RDX: ffffc90000278130 RSI: ffffc90000278110 RDI: ffffc90000278120
RBP: ffffc90000278088 R08: dffffc0000000000 R09: ffffc90000278120
R10: fffff5200004f030 R11: 0000000000000000 R12: ffffc90000278138
R13: ffffc90000278120 R14: ffffc90000278128 R15: ffffc90000278120
FS: 00005555561ac300(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffc90000277fe8 CR3: 0000000107181000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 45 b8 48 01 c1 48 rex.RB mov $0x48c10148,%r8d
6: 89 4d 98 mov %ecx,-0x68(%rbp)
9: 4d 8d 67 18 lea 0x18(%r15),%r12
d: 49 8d 47 28 lea 0x28(%r15),%rax
11: 48 89 45 c8 mov %rax,-0x38(%rbp)
15: 4d 89 fd mov %r15,%r13
18: 49 8d 47 20 lea 0x20(%r15),%rax
1c: 48 89 85 78 ff ff ff mov %rax,-0x88(%rbp)
23: 4c 89 f0 mov %r14,%rax
26: 48 c1 e8 03 shr $0x3,%rax
* 2a: 48 89 85 68 ff ff ff mov %rax,-0x98(%rbp) <-- trapping instruction
31: 48 89 55 80 mov %rdx,-0x80(%rbp)
35: 48 c1 ea 03 shr $0x3,%rdx
39: 48 89 95 70 ff ff ff mov %rdx,-0x90(%rbp)
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot found the following issue on:
HEAD commit: 5287773dba0d Merge 5.10.106 into android12-5.10-lts
git tree: android12-5.10-lts
console output: https://syzkaller.appspot.com/x/log.txt?x=112304ed700000
kernel config: https://syzkaller.appspot.com/x/.config?x=58f0ccb364b6905c
dashboard link: https://syzkaller.appspot.com/bug?extid=24caeae808251614089e
compiler: Debian clang version 11.0.1-2, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1327a113700000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16888135700000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+24caea...@syzkaller.appspotmail.com
BUG: stack guard page was hit at ffffc90000277fe8 (stack is ffffc90000278000..ffffc9000027ffff)
kernel stack overflow (double-fault): 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 365 Comm: syz-executor128 Not tainted 5.10.106-syzkaller-00514-g5287773dba0d #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:update_stack_state+0x127/0x530 arch/x86/kernel/unwind_frame.c:205
Code: 45 b8 48 01 c1 48 89 4d 98 4d 8d 67 18 49 8d 47 28 48 89 45 c8 4d 89 fd 49 8d 47 20 48 89 85 78 ff ff ff 4c 89 f0 48 c1 e8 03 <48> 89 85 68 ff ff ff 48 89 55 80 48 c1 ea 03 48 89 95 70 ff ff ff
RSP: 0018:ffffc90000277ff0 EFLAGS: 00010a02
RAX: 1ffff9200004f025 RBX: dffffc0000000000 RCX: ffffc90000278120
RDX: ffffc90000278130 RSI: ffffc90000278110 RDI: ffffc90000278120
RBP: ffffc90000278088 R08: dffffc0000000000 R09: ffffc90000278120
R10: fffff5200004f030 R11: 0000000000000000 R12: ffffc90000278138
R13: ffffc90000278120 R14: ffffc90000278128 R15: ffffc90000278120
FS: 00005555561ac300(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffc90000277fe8 CR3: 0000000107181000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
Modules linked in:
---[ end trace b01e1835f654bd38 ]---
RIP: 0010:update_stack_state+0x127/0x530 arch/x86/kernel/unwind_frame.c:205
Code: 45 b8 48 01 c1 48 89 4d 98 4d 8d 67 18 49 8d 47 28 48 89 45 c8 4d 89 fd 49 8d 47 20 48 89 85 78 ff ff ff 4c 89 f0 48 c1 e8 03 <48> 89 85 68 ff ff ff 48 89 55 80 48 c1 ea 03 48 89 95 70 ff ff ff
RSP: 0018:ffffc90000277ff0 EFLAGS: 00010a02
RAX: 1ffff9200004f025 RBX: dffffc0000000000 RCX: ffffc90000278120
RDX: ffffc90000278130 RSI: ffffc90000278110 RDI: ffffc90000278120
RBP: ffffc90000278088 R08: dffffc0000000000 R09: ffffc90000278120
R10: fffff5200004f030 R11: 0000000000000000 R12: ffffc90000278138
R13: ffffc90000278120 R14: ffffc90000278128 R15: ffffc90000278120
FS: 00005555561ac300(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffc90000277fe8 CR3: 0000000107181000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 45 b8 48 01 c1 48 rex.RB mov $0x48c10148,%r8d
6: 89 4d 98 mov %ecx,-0x68(%rbp)
9: 4d 8d 67 18 lea 0x18(%r15),%r12
d: 49 8d 47 28 lea 0x28(%r15),%rax
11: 48 89 45 c8 mov %rax,-0x38(%rbp)
15: 4d 89 fd mov %r15,%r13
18: 49 8d 47 20 lea 0x20(%r15),%rax
1c: 48 89 85 78 ff ff ff mov %rax,-0x88(%rbp)
23: 4c 89 f0 mov %r14,%rax
26: 48 c1 e8 03 shr $0x3,%rax
* 2a: 48 89 85 68 ff ff ff mov %rax,-0x98(%rbp) <-- trapping instruction
31: 48 89 55 80 mov %rdx,-0x80(%rbp)
35: 48 c1 ea 03 shr $0x3,%rdx
39: 48 89 95 70 ff ff ff mov %rdx,-0x90(%rbp)
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot
Mar 19, 2022, 6:04:13 AM3/19/22
to syzkaller-a...@googlegroups.com
syzbot has bisected this issue to:
commit 07630c80731a93d066b6365b53a033841baebd54
Author: Paul Lawrence <paulla...@google.com>
Date: Fri Feb 4 15:20:46 2022 +0000
Revert "ANDROID: incremental-fs: fix mount_fs issue"
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=10d51ea3700000
start commit: 5287773dba0d Merge 5.10.106 into android12-5.10-lts
git tree: android12-5.10-lts
final oops: https://syzkaller.appspot.com/x/report.txt?x=12d51ea3700000
console output: https://syzkaller.appspot.com/x/log.txt?x=14d51ea3700000
Fixes: 07630c80731a ("Revert "ANDROID: incremental-fs: fix mount_fs issue"")
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
commit 07630c80731a93d066b6365b53a033841baebd54
Author: Paul Lawrence <paulla...@google.com>
Date: Fri Feb 4 15:20:46 2022 +0000
Revert "ANDROID: incremental-fs: fix mount_fs issue"
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=10d51ea3700000
start commit: 5287773dba0d Merge 5.10.106 into android12-5.10-lts
git tree: android12-5.10-lts
final oops: https://syzkaller.appspot.com/x/report.txt?x=12d51ea3700000
console output: https://syzkaller.appspot.com/x/log.txt?x=14d51ea3700000
kernel config: https://syzkaller.appspot.com/x/.config?x=58f0ccb364b6905c
dashboard link: https://syzkaller.appspot.com/bug?extid=24caeae808251614089e
dashboard link: https://syzkaller.appspot.com/bug?extid=24caeae808251614089e
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1327a113700000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16888135700000
Reported-by: syzbot+24caea...@syzkaller.appspotmail.com
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16888135700000
Fixes: 07630c80731a ("Revert "ANDROID: incremental-fs: fix mount_fs issue"")
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
Tadeusz Struk
Mar 21, 2022, 10:57:30 AM3/21/22
to syzbot, syzkaller-a...@googlegroups.com
--
Thanks,
Tadeusz
Reply all
Reply to author
Forward
0 new messages