WARNING: can't dereference registers at ADDR for ip apic_timer_interrupt (2)
15 views
Skip to first unread message
syzbot
Sep 4, 2019, 10:41:07 PM9/4/19
to syzkaller-a...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: 38733bad ANDROID: sched: Disallow WALT with CFS bandwidth ..
git tree: android-4.14
console output: https://syzkaller.appspot.com/x/log.txt?x=15a2e04e600000
kernel config: https://syzkaller.appspot.com/x/.config?x=56a11d56cc83fc65
dashboard link: https://syzkaller.appspot.com/bug?extid=155b6f5d23304dabbb80
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+155b6f...@syzkaller.appspotmail.com
WARNING: can't dereference registers at 000000007d4fc9a9 for ip
apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:792
F2FS-fs (loop0): Magic Mismatch, valid(0xf2f52010) - read(0x0)
F2FS-fs (loop0): Can't find valid F2FS filesystem in 1th superblock
attempt to access beyond end of device
audit: type=1400 audit(2000000022.860:629): avc: denied { ioctl } for
pid=5304 comm="syz-executor.4" path="socket:[15690]" dev="sockfs" ino=15690
ioctlcmd=0x8906 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tclass=netlink_generic_socket permissive=1
loop0: rw=12288, want=8200, limit=20
netlink: 8 bytes leftover after parsing attributes in process
`syz-executor.3'.
attempt to access beyond end of device
loop0: rw=12288, want=12296, limit=20
F2FS-fs (loop0): Failed to get valid F2FS checkpoint
netlink: 8 bytes leftover after parsing attributes in process
`syz-executor.3'.
F2FS-fs (loop0): Magic Mismatch, valid(0xf2f52010) - read(0x0)
F2FS-fs (loop0): Can't find valid F2FS filesystem in 1th superblock
attempt to access beyond end of device
loop0: rw=12288, want=8200, limit=20
attempt to access beyond end of device
loop0: rw=12288, want=12296, limit=20
F2FS-fs (loop0): Failed to get valid F2FS checkpoint
tmpfs: No value for mount option '/selinux/policy'
tmpfs: No value for mount option '/selinux/policy'
==================================================================
BUG: KASAN: stack-out-of-bounds in unwind_next_frame+0x169f/0x1810
arch/x86/kernel/unwind_orc.c:470
Read of size 8 at addr ffff8881dba07720 by task syz-executor.4/5393
CPU: 0 PID: 5393 Comm: syz-executor.4 Not tainted 4.14.141+ #0
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0xca/0x134 lib/dump_stack.c:53
print_address_description+0x60/0x226 mm/kasan/report.c:187
__kasan_report.cold+0x1a/0x41 mm/kasan/report.c:316
unwind_next_frame+0x169f/0x1810 arch/x86/kernel/unwind_orc.c:470
perf_callchain_kernel+0x3a0/0x540 arch/x86/events/core.c:2338
capability: warning: `syz-executor.2' uses deprecated v2 capabilities in a
way that may be insecure
get_perf_callchain+0x2f5/0x770 kernel/events/callchain.c:217
perf_callchain+0x147/0x190 kernel/events/callchain.c:190
perf_prepare_sample+0x6a8/0x1360 kernel/events/core.c:6148
__perf_event_output kernel/events/core.c:6264 [inline]
perf_event_output_forward+0xdc/0x220 kernel/events/core.c:6282
__perf_event_overflow+0x12d/0x340 kernel/events/core.c:7520
perf_swevent_overflow+0x7a/0xf0 kernel/events/core.c:7596
perf_swevent_event+0x112/0x270 kernel/events/core.c:7634
perf_tp_event+0x633/0x7f0 kernel/events/core.c:8058
perf_trace_run_bpf_submit kernel/events/core.c:8028 [inline]
perf_trace_run_bpf_submit+0x113/0x170 kernel/events/core.c:8014
perf_trace_lock_acquire+0x341/0x4e0 include/trace/events/lock.h:13
trace_lock_acquire include/trace/events/lock.h:13 [inline]
lock_acquire+0x279/0x360 kernel/locking/lockdep.c:3990
rcu_lock_acquire include/linux/rcupdate.h:242 [inline]
rcu_read_lock include/linux/rcupdate.h:629 [inline]
nf_hook include/linux/netfilter.h:197 [inline]
NF_HOOK include/linux/netfilter.h:248 [inline]
ip_rcv+0x906/0xf55 net/ipv4/ip_input.c:493
__netif_receive_skb_core+0x13ad/0x2cf0 net/core/dev.c:4477
__netif_receive_skb+0x66/0x210 net/core/dev.c:4515
netif_receive_skb_internal+0x11f/0x5f0 net/core/dev.c:4588
napi_skb_finish net/core/dev.c:4949 [inline]
napi_gro_receive+0x206/0x410 net/core/dev.c:4980
receive_buf+0x503/0x4310 drivers/net/virtio_net.c:852
virtnet_receive drivers/net/virtio_net.c:1098 [inline]
virtnet_poll+0x4e6/0x9f0 drivers/net/virtio_net.c:1189
napi_poll net/core/dev.c:5598 [inline]
net_rx_action+0x366/0xcd0 net/core/dev.c:5664
__do_softirq+0x234/0x9ec kernel/softirq.c:288
invoke_softirq kernel/softirq.c:368 [inline]
irq_exit+0x114/0x150 kernel/softirq.c:409
exiting_irq arch/x86/include/asm/apic.h:648 [inline]
do_IRQ+0x104/0x1c0 arch/x86/kernel/irq.c:242
common_interrupt+0x8c/0x8c arch/x86/entry/entry_64.S:576
</IRQ>
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/paravirt.h:779
[inline]
RIP: 0010:lock_release+0x3de/0x740 kernel/locking/lockdep.c:4013
RSP: 0000:ffff8881d102f7e0 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff6e
RAX: 0000000000000007 RBX: 1ffff1103a205eff RCX: 1ffff110378ae6e4
RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000246
RBP: ffff8881bc572f00 R08: 0000000000000001 R09: 0000000000000003
R10: fffffbfff3385ba5 R11: ffffffff99c2dd2b R12: 043b0cb8406ee156
R13: ffff8881bc572f00 R14: 0000000000000004 R15: ffff8881bc573728
rcu_lock_release include/linux/rcupdate.h:247 [inline]
rcu_read_unlock include/linux/rcupdate.h:685 [inline]
__is_insn_slot_addr+0x130/0x1e0 kernel/kprobes.c:301
is_kprobe_optinsn_slot include/linux/kprobes.h:345 [inline]
kernel_text_address+0x75/0x120 kernel/extable.c:148
__kernel_text_address+0x9/0x30 kernel/extable.c:105
unwind_get_return_address arch/x86/kernel/unwind_orc.c:255 [inline]
unwind_get_return_address+0x51/0x90 arch/x86/kernel/unwind_orc.c:250
__save_stack_trace+0x8a/0xf0 arch/x86/kernel/stacktrace.c:45
save_stack mm/kasan/common.c:76 [inline]
set_track mm/kasan/common.c:85 [inline]
__kasan_kmalloc.part.0+0x53/0xc0 mm/kasan/common.c:495
slab_post_alloc_hook mm/slab.h:439 [inline]
slab_alloc_node mm/slub.c:2792 [inline]
slab_alloc mm/slub.c:2800 [inline]
kmem_cache_alloc+0xee/0x360 mm/slub.c:2805
dup_mmap kernel/fork.c:657 [inline]
dup_mm kernel/fork.c:1213 [inline]
copy_mm kernel/fork.c:1268 [inline]
copy_process.part.0+0x26ef/0x66c0 kernel/fork.c:1895
copy_process kernel/fork.c:1679 [inline]
_do_fork+0x197/0xce0 kernel/fork.c:2220
do_syscall_64+0x19b/0x520 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x459879
RSP: 002b:00007f0d56288c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000038
RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 0000000000459879
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f0d562896d4
R13: 00000000004bfd46 R14: 00000000004d1af8 R15: 00000000ffffffff
The buggy address belongs to the page:
page:ffffea00076e81c0 count:1 mapcount:0 mapping: (null) index:0x0
flags: 0x4000000000001000(reserved)
raw: 4000000000001000 0000000000000000 0000000000000000 00000001ffffffff
raw: ffffea00076e81e0 ffffea00076e81e0 0000000000000000 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8881dba07600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8881dba07680: 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 f1
> ffff8881dba07700: f1 04 f2 00 f3 f3 f3 00 00 00 00 00 00 00 00 00
^
ffff8881dba07780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8881dba07800: 00 00 00 00 00 f1 f1 f1 f1 f1 f1 00 00 00 00 00
==================================================================
audit: type=1326 audit(2000000024.910:630): auid=4294967295 uid=0 gid=0
ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=5404
comm="syz-executor.1" exe="/root/syz-executor.1" sig=9 arch=c000003e
syscall=228 compat=0 ip=0x45c6ba code=0x0
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot found the following crash on:
HEAD commit: 38733bad ANDROID: sched: Disallow WALT with CFS bandwidth ..
git tree: android-4.14
console output: https://syzkaller.appspot.com/x/log.txt?x=15a2e04e600000
kernel config: https://syzkaller.appspot.com/x/.config?x=56a11d56cc83fc65
dashboard link: https://syzkaller.appspot.com/bug?extid=155b6f5d23304dabbb80
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+155b6f...@syzkaller.appspotmail.com
WARNING: can't dereference registers at 000000007d4fc9a9 for ip
apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:792
F2FS-fs (loop0): Magic Mismatch, valid(0xf2f52010) - read(0x0)
F2FS-fs (loop0): Can't find valid F2FS filesystem in 1th superblock
attempt to access beyond end of device
audit: type=1400 audit(2000000022.860:629): avc: denied { ioctl } for
pid=5304 comm="syz-executor.4" path="socket:[15690]" dev="sockfs" ino=15690
ioctlcmd=0x8906 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tclass=netlink_generic_socket permissive=1
loop0: rw=12288, want=8200, limit=20
netlink: 8 bytes leftover after parsing attributes in process
`syz-executor.3'.
attempt to access beyond end of device
loop0: rw=12288, want=12296, limit=20
F2FS-fs (loop0): Failed to get valid F2FS checkpoint
netlink: 8 bytes leftover after parsing attributes in process
`syz-executor.3'.
F2FS-fs (loop0): Magic Mismatch, valid(0xf2f52010) - read(0x0)
F2FS-fs (loop0): Can't find valid F2FS filesystem in 1th superblock
attempt to access beyond end of device
loop0: rw=12288, want=8200, limit=20
attempt to access beyond end of device
loop0: rw=12288, want=12296, limit=20
F2FS-fs (loop0): Failed to get valid F2FS checkpoint
tmpfs: No value for mount option '/selinux/policy'
tmpfs: No value for mount option '/selinux/policy'
==================================================================
BUG: KASAN: stack-out-of-bounds in unwind_next_frame+0x169f/0x1810
arch/x86/kernel/unwind_orc.c:470
Read of size 8 at addr ffff8881dba07720 by task syz-executor.4/5393
CPU: 0 PID: 5393 Comm: syz-executor.4 Not tainted 4.14.141+ #0
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0xca/0x134 lib/dump_stack.c:53
print_address_description+0x60/0x226 mm/kasan/report.c:187
__kasan_report.cold+0x1a/0x41 mm/kasan/report.c:316
unwind_next_frame+0x169f/0x1810 arch/x86/kernel/unwind_orc.c:470
perf_callchain_kernel+0x3a0/0x540 arch/x86/events/core.c:2338
capability: warning: `syz-executor.2' uses deprecated v2 capabilities in a
way that may be insecure
get_perf_callchain+0x2f5/0x770 kernel/events/callchain.c:217
perf_callchain+0x147/0x190 kernel/events/callchain.c:190
perf_prepare_sample+0x6a8/0x1360 kernel/events/core.c:6148
__perf_event_output kernel/events/core.c:6264 [inline]
perf_event_output_forward+0xdc/0x220 kernel/events/core.c:6282
__perf_event_overflow+0x12d/0x340 kernel/events/core.c:7520
perf_swevent_overflow+0x7a/0xf0 kernel/events/core.c:7596
perf_swevent_event+0x112/0x270 kernel/events/core.c:7634
perf_tp_event+0x633/0x7f0 kernel/events/core.c:8058
perf_trace_run_bpf_submit kernel/events/core.c:8028 [inline]
perf_trace_run_bpf_submit+0x113/0x170 kernel/events/core.c:8014
perf_trace_lock_acquire+0x341/0x4e0 include/trace/events/lock.h:13
trace_lock_acquire include/trace/events/lock.h:13 [inline]
lock_acquire+0x279/0x360 kernel/locking/lockdep.c:3990
rcu_lock_acquire include/linux/rcupdate.h:242 [inline]
rcu_read_lock include/linux/rcupdate.h:629 [inline]
nf_hook include/linux/netfilter.h:197 [inline]
NF_HOOK include/linux/netfilter.h:248 [inline]
ip_rcv+0x906/0xf55 net/ipv4/ip_input.c:493
__netif_receive_skb_core+0x13ad/0x2cf0 net/core/dev.c:4477
__netif_receive_skb+0x66/0x210 net/core/dev.c:4515
netif_receive_skb_internal+0x11f/0x5f0 net/core/dev.c:4588
napi_skb_finish net/core/dev.c:4949 [inline]
napi_gro_receive+0x206/0x410 net/core/dev.c:4980
receive_buf+0x503/0x4310 drivers/net/virtio_net.c:852
virtnet_receive drivers/net/virtio_net.c:1098 [inline]
virtnet_poll+0x4e6/0x9f0 drivers/net/virtio_net.c:1189
napi_poll net/core/dev.c:5598 [inline]
net_rx_action+0x366/0xcd0 net/core/dev.c:5664
__do_softirq+0x234/0x9ec kernel/softirq.c:288
invoke_softirq kernel/softirq.c:368 [inline]
irq_exit+0x114/0x150 kernel/softirq.c:409
exiting_irq arch/x86/include/asm/apic.h:648 [inline]
do_IRQ+0x104/0x1c0 arch/x86/kernel/irq.c:242
common_interrupt+0x8c/0x8c arch/x86/entry/entry_64.S:576
</IRQ>
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/paravirt.h:779
[inline]
RIP: 0010:lock_release+0x3de/0x740 kernel/locking/lockdep.c:4013
RSP: 0000:ffff8881d102f7e0 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff6e
RAX: 0000000000000007 RBX: 1ffff1103a205eff RCX: 1ffff110378ae6e4
RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000246
RBP: ffff8881bc572f00 R08: 0000000000000001 R09: 0000000000000003
R10: fffffbfff3385ba5 R11: ffffffff99c2dd2b R12: 043b0cb8406ee156
R13: ffff8881bc572f00 R14: 0000000000000004 R15: ffff8881bc573728
rcu_lock_release include/linux/rcupdate.h:247 [inline]
rcu_read_unlock include/linux/rcupdate.h:685 [inline]
__is_insn_slot_addr+0x130/0x1e0 kernel/kprobes.c:301
is_kprobe_optinsn_slot include/linux/kprobes.h:345 [inline]
kernel_text_address+0x75/0x120 kernel/extable.c:148
__kernel_text_address+0x9/0x30 kernel/extable.c:105
unwind_get_return_address arch/x86/kernel/unwind_orc.c:255 [inline]
unwind_get_return_address+0x51/0x90 arch/x86/kernel/unwind_orc.c:250
__save_stack_trace+0x8a/0xf0 arch/x86/kernel/stacktrace.c:45
save_stack mm/kasan/common.c:76 [inline]
set_track mm/kasan/common.c:85 [inline]
__kasan_kmalloc.part.0+0x53/0xc0 mm/kasan/common.c:495
slab_post_alloc_hook mm/slab.h:439 [inline]
slab_alloc_node mm/slub.c:2792 [inline]
slab_alloc mm/slub.c:2800 [inline]
kmem_cache_alloc+0xee/0x360 mm/slub.c:2805
dup_mmap kernel/fork.c:657 [inline]
dup_mm kernel/fork.c:1213 [inline]
copy_mm kernel/fork.c:1268 [inline]
copy_process.part.0+0x26ef/0x66c0 kernel/fork.c:1895
copy_process kernel/fork.c:1679 [inline]
_do_fork+0x197/0xce0 kernel/fork.c:2220
do_syscall_64+0x19b/0x520 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x459879
RSP: 002b:00007f0d56288c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000038
RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 0000000000459879
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f0d562896d4
R13: 00000000004bfd46 R14: 00000000004d1af8 R15: 00000000ffffffff
The buggy address belongs to the page:
page:ffffea00076e81c0 count:1 mapcount:0 mapping: (null) index:0x0
flags: 0x4000000000001000(reserved)
raw: 4000000000001000 0000000000000000 0000000000000000 00000001ffffffff
raw: ffffea00076e81e0 ffffea00076e81e0 0000000000000000 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8881dba07600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8881dba07680: 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 f1
> ffff8881dba07700: f1 04 f2 00 f3 f3 f3 00 00 00 00 00 00 00 00 00
^
ffff8881dba07780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8881dba07800: 00 00 00 00 00 f1 f1 f1 f1 f1 f1 00 00 00 00 00
==================================================================
audit: type=1326 audit(2000000024.910:630): auid=4294967295 uid=0 gid=0
ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=5404
comm="syz-executor.1" exe="/root/syz-executor.1" sig=9 arch=c000003e
syscall=228 compat=0 ip=0x45c6ba code=0x0
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot
Mar 18, 2020, 2:31:11 PM3/18/20
to syzkaller-a...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.
Crashes did not happen for a while, no reproducer and no activity.
Reply all
Reply to author
Forward
0 new messages