android-4.9 boot error: general protection fault in corrupted


syzbot

Apr 14, 2019, 5:30:15 AM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 3de7f845 BACKPORT: userfaultfd: shmem/hugetlbfs: only allo..
git tree: android-4.9
console output: https://syzkaller.appspot.com/x/log.txt?x=16068847400000
kernel config: https://syzkaller.appspot.com/x/.config?x=b3fda9ca913be9d7
dashboard link: https://syzkaller.appspot.com/bug?extid=f43381386f68d865cbf9
compiler: gcc (GCC) 9.0.0 20181231 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+f43381...@syzkaller.appspotmail.com

usbhid: USB HID core driver
ion_heap_create: Heap type is disabled: 1
kasan: CONFIG_KASAN_INLINE enabled
sd 0:0:1:0: [sda] Attached SCSI disk
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
==================================================================
BUG: KASAN: use-after-free in debug_spin_lock_before
kernel/locking/spinlock_debug.c:83 [inline]
BUG: KASAN: use-after-free in do_raw_spin_lock+0x1a5/0x1e0
kernel/locking/spinlock_debug.c:112
Read of size 4 at addr ffff8801d5c92334 by task system/347

CPU: 1 PID: 347 Comm: system Not tainted 4.9.158+ #47
ffff8801d5cafbc8 ffffffff81b480e1 0000000000000000 ffffea0007572480
ffff8801d5c92334 0000000000000004 ffffffff812156f5 ffff8801d5cafc00
ffffffff81502fd5 0000000000000000 ffff8801d5c92334 ffff8801d5c92334
Call Trace:
[<ffffffff81b480e1>] __dump_stack lib/dump_stack.c:15 [inline]
[<ffffffff81b480e1>] dump_stack+0xc1/0x120 lib/dump_stack.c:51
[<ffffffff81502fd5>] print_address_description+0x6f/0x238
mm/kasan/report.c:256
[<ffffffff8150322a>] kasan_report_error mm/kasan/report.c:355 [inline]
[<ffffffff8150322a>] kasan_report mm/kasan/report.c:412 [inline]
[<ffffffff8150322a>] kasan_report.cold+0x8c/0x2ba mm/kasan/report.c:397
[<ffffffff814f5404>] __asan_report_load4_noabort+0x14/0x20
mm/kasan/report.c:432
[<ffffffff812156f5>] debug_spin_lock_before
kernel/locking/spinlock_debug.c:83 [inline]
[<ffffffff812156f5>] do_raw_spin_lock+0x1a5/0x1e0
kernel/locking/spinlock_debug.c:112
[<ffffffff82805650>] __raw_spin_lock include/linux/spinlock_api_smp.h:145
[inline]
[<ffffffff82805650>] _raw_spin_lock+0x40/0x50 kernel/locking/spinlock.c:151
[<ffffffff821e6c79>] spin_lock include/linux/spinlock.h:302 [inline]
[<ffffffff821e6c79>] ion_heap_freelist_size
drivers/staging/android/ion/ion_heap.c:176 [inline]
[<ffffffff821e6c79>] ion_heap_deferred_free+0xf9/0x560
drivers/staging/android/ion/ion_heap.c:232
[<ffffffff811426c8>] kthread+0x278/0x310 kernel/kthread.c:211
[<ffffffff8280649c>] ret_from_fork+0x5c/0x70 arch/x86/entry/entry_64.S:373

Allocated by task 1:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
save_stack mm/kasan/kasan.c:505 [inline]
set_track mm/kasan/kasan.c:517 [inline]
kasan_kmalloc.part.0+0x62/0xf0 mm/kasan/kasan.c:609
kasan_kmalloc+0xb7/0xd0 mm/kasan/kasan.c:594
kmem_cache_alloc_trace+0x115/0x2d0 mm/slub.c:2742
kmalloc include/linux/slab.h:490 [inline]
kzalloc include/linux/slab.h:636 [inline]
ion_system_heap_create+0x42/0x1c0
drivers/staging/android/ion/ion_system_heap.c:334
ion_heap_create+0x156/0x1b0 drivers/staging/android/ion/ion_heap.c:328
ion_dummy_init+0x22e/0x3b6
drivers/staging/android/ion/ion_dummy_driver.c:108
do_one_initcall+0xb1/0x1c0 init/main.c:780
do_initcall_level init/main.c:846 [inline]
do_initcalls init/main.c:854 [inline]
do_basic_setup init/main.c:872 [inline]
kernel_init_freeable+0x2ff/0x3c3 init/main.c:1018
kernel_init+0x12/0x163 init/main.c:946
ret_from_fork+0x5c/0x70 arch/x86/entry/entry_64.S:373

Freed by task 1:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
save_stack mm/kasan/kasan.c:505 [inline]
set_track mm/kasan/kasan.c:517 [inline]
kasan_slab_free+0xb0/0x190 mm/kasan/kasan.c:582
slab_free_hook mm/slub.c:1355 [inline]
slab_free_freelist_hook mm/slub.c:1377 [inline]
slab_free mm/slub.c:2958 [inline]
kfree+0xfb/0x310 mm/slub.c:3878
ion_system_heap_destroy+0x72/0x90
drivers/staging/android/ion/ion_system_heap.c:369
ion_heap_destroy+0x6a/0xd0 drivers/staging/android/ion/ion_heap.c:369
ion_dummy_init+0x30a/0x3b6
drivers/staging/android/ion/ion_dummy_driver.c:118
do_one_initcall+0xb1/0x1c0 init/main.c:780
do_initcall_level init/main.c:846 [inline]
do_initcalls init/main.c:854 [inline]
do_basic_setup init/main.c:872 [inline]
kernel_init_freeable+0x2ff/0x3c3 init/main.c:1018
kernel_init+0x12/0x163 init/main.c:946
ret_from_fork+0x5c/0x70 arch/x86/entry/entry_64.S:373

The buggy address belongs to the object at ffff8801d5c92280
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 180 bytes inside of
512-byte region [ffff8801d5c92280, ffff8801d5c92480)
The buggy address belongs to the page:
page:ffffea0007572480 count:1 mapcount:0 mapping: (null) index:0x0
compound_mapcount: 0
flags: 0x4000000000004080(slab|head)
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff8801d5c92200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8801d5c92280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff8801d5c92300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8801d5c92380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8801d5c92400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

Sep 9, 2019, 6:56:05 PM
to syzkaller-a...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.