general protection fault in loop_validate_file


syzbot

Apr 13, 2019, 8:02:16 PM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 1b37d68f ANDROID: Fix massive cpufreq_times memory leaks
git tree: android-4.4
console output: https://syzkaller.appspot.com/x/log.txt?x=163db4c8400000
kernel config: https://syzkaller.appspot.com/x/.config?x=36e4962c7a9b82b1
dashboard link: https://syzkaller.appspot.com/bug?extid=99f7858b4f046076e1bd
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14810c44400000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+99f785...@syzkaller.appspotmail.com

IPVS: Creating netns size=2552 id=5
IPVS: Creating netns size=2552 id=6
IPVS: Creating netns size=2552 id=7
IPVS: Creating netns size=2552 id=8
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 4062 Comm: syz-executor3 Not tainted 4.4.141-g1b37d68 #71
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8801d9be1800 task.stack: ffff8800b9878000
RIP: 0010:[<ffffffff8251545d>] [<ffffffff8251545d>] loop_validate_file+0x20d/0x400 drivers/block/loop.c:667
RSP: 0018:ffff8800b987fb70 EFLAGS: 00010206
RAX: 0000000000000036 RBX: dffffc0000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff8251542d RDI: 00000000000001b0
RBP: ffff8800b987fb88 R08: ffff8801d9be2128 R09: 0000000000000001
R10: 0000000000000000 R11: ffff8801d9be1800 R12: 0000000000000000
R13: ffff8800ba0b2e00 R14: ffff8800ba0b2e00 R15: ffff8801d6fc60d8
FS: 00007fc978052700(0000) GS:ffff8801db200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000017258c0 CR3: 00000000b2b14000 CR4: 00000000001606f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
ffff8801d6fc5f80 0000000000004c00 ffff8800bb3f7a00 ffff8800b987fc18
ffffffff8251bc77 0000000b0000004c 0000000100000000 0000000000000000
0000000300000001 000000000000004c 0000000041b58ab3 ffff8801d6fc60d0
Call Trace:
[<ffffffff8251bc77>] loop_set_fd drivers/block/loop.c:920 [inline]
[<ffffffff8251bc77>] lo_ioctl+0x6a7/0x16c0 drivers/block/loop.c:1367
[<ffffffff81db73e8>] __blkdev_driver_ioctl block/ioctl.c:288 [inline]
[<ffffffff81db73e8>] blkdev_ioctl+0x7b8/0x19c0 block/ioctl.c:584
blk_update_request: I/O error, dev loop3, sector 0
[<ffffffff815d409e>] block_ioctl+0xde/0x120 fs/block_dev.c:1625
[<ffffffff81559cff>] vfs_ioctl fs/ioctl.c:43 [inline]
[<ffffffff81559cff>] file_ioctl fs/ioctl.c:470 [inline]
[<ffffffff81559cff>] do_vfs_ioctl+0x63f/0xf40 fs/ioctl.c:605
[<ffffffff8155a68f>] SYSC_ioctl fs/ioctl.c:622 [inline]
[<ffffffff8155a68f>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:613
[<ffffffff838c2c25>] entry_SYSCALL_64_fastpath+0x22/0x9e
Code: 00 00 00 48 89 f8 48 c1 e8 03 80 3c 18 00 0f 85 f7 01 00 00 4d 8b a4 24 f0 00 00 00 49 8d bc 24 b0 01 00 00 48 89 f8 48 c1 e8 03 <80> 3c 18 00 0f 85 cc 01 00 00 4d 8b a4 24 b0 01 00 00 4c 89 e0
RIP [<ffffffff8251545d>] loop_validate_file+0x20d/0x400 drivers/block/loop.c:667
RSP <ffff8800b987fb70>
---[ end trace e06a10220708838e ]---


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches

syzbot

Apr 13, 2019, 8:02:20 PM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: ff9973a5 ANDROID: arm64: kbuild: only specify code model w..
git tree: android-4.14
console output: https://syzkaller.appspot.com/x/log.txt?x=141bb381400000
kernel config: https://syzkaller.appspot.com/x/.config?x=9b3b342f97278cde
dashboard link: https://syzkaller.appspot.com/bug?extid=e815d1d3e5e80ec0ecca
compiler: gcc (GCC) 8.0.1 20180413 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+e815d1...@syzkaller.appspotmail.com

EXT4-fs (loop5): ext4_check_descriptors: Inode bitmap for group 0 overlaps superblock
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN NOPTI
Modules linked in:
CPU: 0 PID: 17432 Comm: syz-executor0 Not tainted 4.14.73+ #14
task: ffff8801c977c680 task.stack: ffff8801a3fd0000
RIP: 0010:is_loop_device drivers/block/loop.c:622 [inline]
RIP: 0010:loop_validate_file+0x1f5/0x3e0 drivers/block/loop.c:633
RSP: 0018:ffff8801a3fd7b08 EFLAGS: 00010202
RAX: 0000000000000037 RBX: dffffc0000000000 RCX: 00000000000000a0
RDX: ffffffff81dd93d8 RSI: ffffc90001983000 RDI: 00000000000001b8
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: ffff8801c977ced8 R11: 0000000000000001 R12: ffff8801da4178c0
R13: ffff8801cab89900 R14: ffff8801da4179a0 R15: ffff8801d93d4a50
FS: 00007f195082a700(0000) GS:ffff8801dba00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f0b56132000 CR3: 00000001d26ee001 CR4: 00000000001606b0
DR0: 0001000000000000 DR1: 0000000020000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
Call Trace:
loop_set_fd drivers/block/loop.c:897 [inline]
lo_ioctl+0x89c/0x17d0 drivers/block/loop.c:1376
__blkdev_driver_ioctl block/ioctl.c:297 [inline]
blkdev_ioctl+0x57d/0x18c0 block/ioctl.c:594
block_ioctl+0xd9/0x120 fs/block_dev.c:1873
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:500 [inline]
do_vfs_ioctl+0x1a0/0x1030 fs/ioctl.c:684
SYSC_ioctl fs/ioctl.c:701 [inline]
SyS_ioctl+0x7e/0xb0 fs/ioctl.c:692
do_syscall_64+0x19b/0x4b0 arch/x86/entry/common.c:289
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x457579
RSP: 002b:00007f1950829c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457579
RDX: 0000000000000005 RSI: 0000000000004c00 RDI: 0000000000000004
RBP: 000000000072bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f195082a6d4
R13: 00000000004c046d R14: 00000000004d0600 R15: 00000000ffffffff
Code: bd f0 00 00 00 48 89 f8 48 c1 e8 03 80 3c 18 00 0f 85 e9 01 00 00 48 8b ad f0 00 00 00 48 8d bd b8 01 00 00 48 89 f8 48 c1 e8 03 <80> 3c 18 00 0f 85 c0 01 00 00 48 8b ad b8 01 00 00 48 89 e8 48
RIP: is_loop_device drivers/block/loop.c:622 [inline] RSP: ffff8801a3fd7b08
RIP: loop_validate_file+0x1f5/0x3e0 drivers/block/loop.c:633 RSP: ffff8801a3fd7b08
---[ end trace 6c5f4b19ec4a36b0 ]---

syzbot

Apr 14, 2019, 5:28:15 AM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 47bbcd6b ANDROID: Fix massive cpufreq_times memory leaks
git tree: android-4.9
console output: https://syzkaller.appspot.com/x/log.txt?x=175d8f70400000
kernel config: https://syzkaller.appspot.com/x/.config?x=f2dbd0c9dd968786
dashboard link: https://syzkaller.appspot.com/bug?extid=486112e0b304714e563a
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=170131c2400000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+486112...@syzkaller.appspotmail.com

IPVS: Creating netns size=2536 id=6
IPVS: Creating netns size=2536 id=7
IPVS: Creating netns size=2536 id=8
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 4970 Comm: syz-executor7 Not tainted 4.9.113-g47bbcd6 #10
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8801c754e000 task.stack: ffff8801c50b0000
RIP: 0010:[<ffffffff825c4eed>] [<ffffffff825c4eed>] loop_validate_file+0x20d/0x400 drivers/block/loop.c:656
RSP: 0018:ffff8801c50b7ae0 EFLAGS: 00010206
RAX: 0000000000000036 RBX: dffffc0000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff825c4ebd RDI: 00000000000001b0
RBP: ffff8801c50b7af8 R08: ffff8801c754e910 R09: 0000000000000001
R10: 0000000000000000 R11: 1ffff10038ea9d1d R12: 0000000000000000
R13: ffff8801d5d9a280 R14: ffff8801d5d9a280 R15: ffff8801d4041c58
FS: 00007efd5c725700(0000) GS:ffff8801db200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000930008 CR3: 00000001c97ca000 CR4: 00000000001606f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
ffff8801d4041b00 0000000000004c00 ffff8801c5d0d400 ffff8801c50b7b80
ffffffff825ca8f7 ffff8801c754e000 0000000000000000 0000000000000000
ffff8801c50b7de0 ffff8801c50b7b80 ffff8801d4041c50 1ffff10038a16f6c
Call Trace:
[<ffffffff825ca8f7>] loop_set_fd drivers/block/loop.c:909 [inline]
[<ffffffff825ca8f7>] lo_ioctl+0x6a7/0x1690 drivers/block/loop.c:1356
[<ffffffff81e56ea6>] __blkdev_driver_ioctl block/ioctl.c:294 [inline]
[<ffffffff81e56ea6>] blkdev_ioctl+0x7b6/0x1a70 block/ioctl.c:590
[<ffffffff81632d3e>] block_ioctl+0xde/0x120 fs/block_dev.c:1688
[<ffffffff815b2cec>] vfs_ioctl fs/ioctl.c:43 [inline]
[<ffffffff815b2cec>] file_ioctl fs/ioctl.c:493 [inline]
[<ffffffff815b2cec>] do_vfs_ioctl+0x1ac/0x11a0 fs/ioctl.c:677
[<ffffffff815b3d6f>] SYSC_ioctl fs/ioctl.c:694 [inline]
[<ffffffff815b3d6f>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685
[<ffffffff81006316>] do_syscall_64+0x1a6/0x490 arch/x86/entry/common.c:282
[<ffffffff839f9f93>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
Code: 00 00 00 48 89 f8 48 c1 e8 03 80 3c 18 00 0f 85 f7 01 00 00 4d 8b a4 24 f0 00 00 00 49 8d bc 24 b0 01 00 00 48 89 f8 48 c1 e8 03 <80> 3c 18 00 0f 85 cc 01 00 00 4d 8b a4 24 b0 01 00 00 4c 89 e0
RIP [<ffffffff825c4eed>] loop_validate_file+0x20d/0x400 drivers/block/loop.c:656
RSP <ffff8801c50b7ae0>
---[ end trace b29d9e91091a916a ]---


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

Jul 13, 2019, 4:46:03 AM
to syzkaller-a...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.