general protection fault in __blockdev_direct_IO
18 views
Skip to first unread message
syzbot
Aug 17, 2019, 2:06:06 AM8/17/19
to syzkaller-a...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: 8fe42840 Merge 4.9.141 into android-4.9
git tree: android-4.9
console output: https://syzkaller.appspot.com/x/log.txt?x=156793ee600000
kernel config: https://syzkaller.appspot.com/x/.config?x=22a5ba9f73b6da1d
dashboard link: https://syzkaller.appspot.com/bug?extid=043e9abba0e249556578
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
userspace arch: i386
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+043e9a...@syzkaller.appspotmail.com
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 1 PID: 3145 Comm: syz-executor.3 Not tainted 4.9.141+ #23
task: ffff88019de30000 task.stack: ffff88019de38000
RIP: 0010:[<ffffffff815cf7b0>] [<ffffffff815cf7b0>] __read_once_size
include/linux/compiler.h:243 [inline]
RIP: 0010:[<ffffffff815cf7b0>] [<ffffffff815cf7b0>] compound_head
include/linux/page-flags.h:143 [inline]
RIP: 0010:[<ffffffff815cf7b0>] [<ffffffff815cf7b0>] get_page
include/linux/mm.h:768 [inline]
RIP: 0010:[<ffffffff815cf7b0>] [<ffffffff815cf7b0>] submit_page_section
fs/direct-io.c:825 [inline]
RIP: 0010:[<ffffffff815cf7b0>] [<ffffffff815cf7b0>] do_direct_IO
fs/direct-io.c:1045 [inline]
RIP: 0010:[<ffffffff815cf7b0>] [<ffffffff815cf7b0>] do_blockdev_direct_IO
fs/direct-io.c:1274 [inline]
RIP: 0010:[<ffffffff815cf7b0>] [<ffffffff815cf7b0>]
__blockdev_direct_IO+0x1b20/0xbd10 fs/direct-io.c:1360
RSP: 0018:ffff88019de3f330 EFLAGS: 00010202
RAX: 0000000000000004 RBX: dffffc0000000000 RCX: ffffc9000432c000
RDX: 0000000000000969 RSI: ffffffff815cf79d RDI: 0000000000000020
RBP: ffff88019de3f650 R08: ffffed003965d82e R09: ffff8801cb2ec100
R10: ffffed003965d82d R11: ffff8801cb2ec16f R12: 0000000000000000
R13: ffffea000677981c R14: ffffea0006779800 R15: ffff8801c99370c0
FS: 0000000000000000(0000) GS:ffff8801db700000(0063) knlGS:00000000f5559b40
CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: 000000002da23000 CR3: 00000001cfdec000 CR4: 00000000001606b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
0000000000000000 fffffbfff0604a02 ffff88019de3f440 ffff8801c9937158
0005080000000000 0000000000001000 000000000002660d ffff8801c9937139
ffff88019de3f540 9547e25400000000 ffff88019de3f4a0 0000000000000fff
Call Trace:
[<ffffffff816de318>] ext4_direct_IO_write fs/ext4/inode.c:3507 [inline]
[<ffffffff816de318>] ext4_direct_IO+0x978/0x29c0 fs/ext4/inode.c:3663
[<ffffffff81411f64>] generic_file_direct_write+0x284/0x510
mm/filemap.c:2655
[<ffffffff8141240f>] __generic_file_write_iter+0x21f/0x540
mm/filemap.c:2835
[<ffffffff816b328d>] ext4_file_write_iter+0x63d/0xd70 fs/ext4/file.c:165
[<ffffffff815071c7>] vfs_iter_write+0x2d7/0x450 fs/read_write.c:390
[<ffffffff815ae4fb>] iter_file_splice_write+0x5fb/0xb30 fs/splice.c:768
[<ffffffff815b066d>] do_splice_from fs/splice.c:870 [inline]
[<ffffffff815b066d>] do_splice fs/splice.c:1166 [inline]
[<ffffffff815b066d>] SYSC_splice fs/splice.c:1416 [inline]
[<ffffffff815b066d>] SyS_splice+0xe4d/0x14d0 fs/splice.c:1399
[<ffffffff81006311>] do_syscall_32_irqs_on arch/x86/entry/common.c:328
[inline]
[<ffffffff81006311>] do_fast_syscall_32+0x2f1/0xa10
arch/x86/entry/common.c:390
[<ffffffff82818de0>] entry_SYSENTER_compat+0x90/0xa2
arch/x86/entry/entry_64_compat.S:137
Code: ff e8 d5 c2 d4 ff 4c 89 ef e8 8d c1 e6 ff e9 39 ff ff ff e8 c3 c2 d4
ff 48 8b 84 24 c8 00 00 00 48 8d 78 20 48 89 f8 48 c1 e8 03 <80> 3c 18 00
0f 85 06 83 00 00 48 8b 84 24 c8 00 00 00 4c 8b 68
RIP [<ffffffff815cf7b0>] __read_once_size include/linux/compiler.h:243
[inline]
RIP [<ffffffff815cf7b0>] compound_head include/linux/page-flags.h:143
[inline]
RIP [<ffffffff815cf7b0>] get_page include/linux/mm.h:768 [inline]
RIP [<ffffffff815cf7b0>] submit_page_section fs/direct-io.c:825 [inline]
RIP [<ffffffff815cf7b0>] do_direct_IO fs/direct-io.c:1045 [inline]
RIP [<ffffffff815cf7b0>] do_blockdev_direct_IO fs/direct-io.c:1274 [inline]
RIP [<ffffffff815cf7b0>] __blockdev_direct_IO+0x1b20/0xbd10
fs/direct-io.c:1360
RSP <ffff88019de3f330>
---[ end trace 6f1d92e22be773c7 ]---
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot found the following crash on:
HEAD commit: 8fe42840 Merge 4.9.141 into android-4.9
git tree: android-4.9
console output: https://syzkaller.appspot.com/x/log.txt?x=156793ee600000
kernel config: https://syzkaller.appspot.com/x/.config?x=22a5ba9f73b6da1d
dashboard link: https://syzkaller.appspot.com/bug?extid=043e9abba0e249556578
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
userspace arch: i386
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+043e9a...@syzkaller.appspotmail.com
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 1 PID: 3145 Comm: syz-executor.3 Not tainted 4.9.141+ #23
task: ffff88019de30000 task.stack: ffff88019de38000
RIP: 0010:[<ffffffff815cf7b0>] [<ffffffff815cf7b0>] __read_once_size
include/linux/compiler.h:243 [inline]
RIP: 0010:[<ffffffff815cf7b0>] [<ffffffff815cf7b0>] compound_head
include/linux/page-flags.h:143 [inline]
RIP: 0010:[<ffffffff815cf7b0>] [<ffffffff815cf7b0>] get_page
include/linux/mm.h:768 [inline]
RIP: 0010:[<ffffffff815cf7b0>] [<ffffffff815cf7b0>] submit_page_section
fs/direct-io.c:825 [inline]
RIP: 0010:[<ffffffff815cf7b0>] [<ffffffff815cf7b0>] do_direct_IO
fs/direct-io.c:1045 [inline]
RIP: 0010:[<ffffffff815cf7b0>] [<ffffffff815cf7b0>] do_blockdev_direct_IO
fs/direct-io.c:1274 [inline]
RIP: 0010:[<ffffffff815cf7b0>] [<ffffffff815cf7b0>]
__blockdev_direct_IO+0x1b20/0xbd10 fs/direct-io.c:1360
RSP: 0018:ffff88019de3f330 EFLAGS: 00010202
RAX: 0000000000000004 RBX: dffffc0000000000 RCX: ffffc9000432c000
RDX: 0000000000000969 RSI: ffffffff815cf79d RDI: 0000000000000020
RBP: ffff88019de3f650 R08: ffffed003965d82e R09: ffff8801cb2ec100
R10: ffffed003965d82d R11: ffff8801cb2ec16f R12: 0000000000000000
R13: ffffea000677981c R14: ffffea0006779800 R15: ffff8801c99370c0
FS: 0000000000000000(0000) GS:ffff8801db700000(0063) knlGS:00000000f5559b40
CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: 000000002da23000 CR3: 00000001cfdec000 CR4: 00000000001606b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
0000000000000000 fffffbfff0604a02 ffff88019de3f440 ffff8801c9937158
0005080000000000 0000000000001000 000000000002660d ffff8801c9937139
ffff88019de3f540 9547e25400000000 ffff88019de3f4a0 0000000000000fff
Call Trace:
[<ffffffff816de318>] ext4_direct_IO_write fs/ext4/inode.c:3507 [inline]
[<ffffffff816de318>] ext4_direct_IO+0x978/0x29c0 fs/ext4/inode.c:3663
[<ffffffff81411f64>] generic_file_direct_write+0x284/0x510
mm/filemap.c:2655
[<ffffffff8141240f>] __generic_file_write_iter+0x21f/0x540
mm/filemap.c:2835
[<ffffffff816b328d>] ext4_file_write_iter+0x63d/0xd70 fs/ext4/file.c:165
[<ffffffff815071c7>] vfs_iter_write+0x2d7/0x450 fs/read_write.c:390
[<ffffffff815ae4fb>] iter_file_splice_write+0x5fb/0xb30 fs/splice.c:768
[<ffffffff815b066d>] do_splice_from fs/splice.c:870 [inline]
[<ffffffff815b066d>] do_splice fs/splice.c:1166 [inline]
[<ffffffff815b066d>] SYSC_splice fs/splice.c:1416 [inline]
[<ffffffff815b066d>] SyS_splice+0xe4d/0x14d0 fs/splice.c:1399
[<ffffffff81006311>] do_syscall_32_irqs_on arch/x86/entry/common.c:328
[inline]
[<ffffffff81006311>] do_fast_syscall_32+0x2f1/0xa10
arch/x86/entry/common.c:390
[<ffffffff82818de0>] entry_SYSENTER_compat+0x90/0xa2
arch/x86/entry/entry_64_compat.S:137
Code: ff e8 d5 c2 d4 ff 4c 89 ef e8 8d c1 e6 ff e9 39 ff ff ff e8 c3 c2 d4
ff 48 8b 84 24 c8 00 00 00 48 8d 78 20 48 89 f8 48 c1 e8 03 <80> 3c 18 00
0f 85 06 83 00 00 48 8b 84 24 c8 00 00 00 4c 8b 68
RIP [<ffffffff815cf7b0>] __read_once_size include/linux/compiler.h:243
[inline]
RIP [<ffffffff815cf7b0>] compound_head include/linux/page-flags.h:143
[inline]
RIP [<ffffffff815cf7b0>] get_page include/linux/mm.h:768 [inline]
RIP [<ffffffff815cf7b0>] submit_page_section fs/direct-io.c:825 [inline]
RIP [<ffffffff815cf7b0>] do_direct_IO fs/direct-io.c:1045 [inline]
RIP [<ffffffff815cf7b0>] do_blockdev_direct_IO fs/direct-io.c:1274 [inline]
RIP [<ffffffff815cf7b0>] __blockdev_direct_IO+0x1b20/0xbd10
fs/direct-io.c:1360
RSP <ffff88019de3f330>
---[ end trace 6f1d92e22be773c7 ]---
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot
Aug 17, 2019, 2:12:06 AM8/17/19
to syzkaller-a...@googlegroups.com
syzbot has found a reproducer for the following crash on:
HEAD commit: 8fe42840 Merge 4.9.141 into android-4.9
git tree: android-4.9
console output: https://syzkaller.appspot.com/x/log.txt?x=133b450e600000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=141a709c600000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+043e9a...@syzkaller.appspotmail.com
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 0 PID: 2047 Comm: syz-executor633 Not tainted 4.9.141+ #23
task: ffff8801d0924740 task.stack: ffff8801cf058000
RIP: 0010:[<ffffffff815cf729>] [<ffffffff815cf729>] __read_once_size
include/linux/compiler.h:243 [inline]
RIP: 0010:[<ffffffff815cf729>] [<ffffffff815cf729>] compound_head
include/linux/page-flags.h:143 [inline]
RIP: 0010:[<ffffffff815cf729>] [<ffffffff815cf729>] put_page
include/linux/mm.h:782 [inline]
RIP: 0010:[<ffffffff815cf729>] [<ffffffff815cf729>] dio_cleanup
fs/direct-io.c:433 [inline]
RIP: 0010:[<ffffffff815cf729>] [<ffffffff815cf729>] do_blockdev_direct_IO
fs/direct-io.c:1276 [inline]
RIP: 0010:[<ffffffff815cf729>] [<ffffffff815cf729>]
__blockdev_direct_IO+0x1a99/0xbd10 fs/direct-io.c:1360
RSP: 0018:ffff8801cf05f330 EFLAGS: 00010202
RAX: 0000000000000004 RBX: dffffc0000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff815cf6f1 RDI: 0000000000000020
RBP: ffff8801cf05f650 R08: ffff8801d0924ff0 R09: 0000000000000001
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001
R13: 0000000000000000 R14: 0000000000000000 R15: ffff8801cf054000
FS: 0000000000000000(0000) GS:ffff8801db600000(0063) knlGS:0000000008781840
ffff8801cf068000 0000000000001000 ffffffff83c78930 ffff8801cf054079
ffff8801cf05f540 4df11b3382046275 ffff8801cf05f4a0 0000000000000fff
00 4f 8b ac e7 a8 00 00 00 49 8d 7d 20 48 89 f8 48 c1 e8 03 <80> 3c 18 00
0f 85 93 8d 00 00 4d 8b 65 20 41 f6 c4 01 0f 85 8c
RIP [<ffffffff815cf729>] __read_once_size include/linux/compiler.h:243
[inline]
RIP [<ffffffff815cf729>] compound_head include/linux/page-flags.h:143
[inline]
RIP [<ffffffff815cf729>] put_page include/linux/mm.h:782 [inline]
RIP [<ffffffff815cf729>] dio_cleanup fs/direct-io.c:433 [inline]
RIP [<ffffffff815cf729>] do_blockdev_direct_IO fs/direct-io.c:1276 [inline]
RIP [<ffffffff815cf729>] __blockdev_direct_IO+0x1a99/0xbd10
fs/direct-io.c:1360
RSP <ffff8801cf05f330>
---[ end trace 483cb8218c55b0b2 ]---
HEAD commit: 8fe42840 Merge 4.9.141 into android-4.9
git tree: android-4.9
kernel config: https://syzkaller.appspot.com/x/.config?x=22a5ba9f73b6da1d
dashboard link: https://syzkaller.appspot.com/bug?extid=043e9abba0e249556578
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
userspace arch: i386
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1386d33c600000
dashboard link: https://syzkaller.appspot.com/bug?extid=043e9abba0e249556578
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
userspace arch: i386
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=141a709c600000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+043e9a...@syzkaller.appspotmail.com
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
task: ffff8801d0924740 task.stack: ffff8801cf058000
RIP: 0010:[<ffffffff815cf729>] [<ffffffff815cf729>] __read_once_size
include/linux/compiler.h:243 [inline]
RIP: 0010:[<ffffffff815cf729>] [<ffffffff815cf729>] compound_head
include/linux/page-flags.h:143 [inline]
RIP: 0010:[<ffffffff815cf729>] [<ffffffff815cf729>] put_page
include/linux/mm.h:782 [inline]
RIP: 0010:[<ffffffff815cf729>] [<ffffffff815cf729>] dio_cleanup
fs/direct-io.c:433 [inline]
RIP: 0010:[<ffffffff815cf729>] [<ffffffff815cf729>] do_blockdev_direct_IO
fs/direct-io.c:1276 [inline]
RIP: 0010:[<ffffffff815cf729>] [<ffffffff815cf729>]
__blockdev_direct_IO+0x1a99/0xbd10 fs/direct-io.c:1360
RSP: 0018:ffff8801cf05f330 EFLAGS: 00010202
RAX: 0000000000000004 RBX: dffffc0000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff815cf6f1 RDI: 0000000000000020
RBP: ffff8801cf05f650 R08: ffff8801d0924ff0 R09: 0000000000000001
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001
R13: 0000000000000000 R14: 0000000000000000 R15: ffff8801cf054000
FS: 0000000000000000(0000) GS:ffff8801db600000(0063) knlGS:0000000008781840
CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: 0000000020011000 CR3: 00000001d1f3a000 CR4: 00000000001606b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
0000000000000246 fffffbfff0604a02 ffff8801cf05f440 ffff8801cf054098
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
ffff8801cf068000 0000000000001000 ffffffff83c78930 ffff8801cf054079
ffff8801cf05f540 4df11b3382046275 ffff8801cf05f4a0 0000000000000fff
Call Trace:
[<ffffffff816de318>] ext4_direct_IO_write fs/ext4/inode.c:3507 [inline]
[<ffffffff816de318>] ext4_direct_IO+0x978/0x29c0 fs/ext4/inode.c:3663
[<ffffffff81411f64>] generic_file_direct_write+0x284/0x510
mm/filemap.c:2655
[<ffffffff8141240f>] __generic_file_write_iter+0x21f/0x540
mm/filemap.c:2835
[<ffffffff816b328d>] ext4_file_write_iter+0x63d/0xd70 fs/ext4/file.c:165
[<ffffffff815071c7>] vfs_iter_write+0x2d7/0x450 fs/read_write.c:390
[<ffffffff815ae4fb>] iter_file_splice_write+0x5fb/0xb30 fs/splice.c:768
[<ffffffff815b066d>] do_splice_from fs/splice.c:870 [inline]
[<ffffffff815b066d>] do_splice fs/splice.c:1166 [inline]
[<ffffffff815b066d>] SYSC_splice fs/splice.c:1416 [inline]
[<ffffffff815b066d>] SyS_splice+0xe4d/0x14d0 fs/splice.c:1399
[<ffffffff81006311>] do_syscall_32_irqs_on arch/x86/entry/common.c:328
[inline]
[<ffffffff81006311>] do_fast_syscall_32+0x2f1/0xa10
arch/x86/entry/common.c:390
[<ffffffff82818de0>] entry_SYSENTER_compat+0x90/0xa2
arch/x86/entry/entry_64_compat.S:137
Code: 89 84 24 98 02 00 00 48 89 f8 48 c1 e8 03 80 3c 18 00 0f 85 7a 8e 00
[<ffffffff816de318>] ext4_direct_IO_write fs/ext4/inode.c:3507 [inline]
[<ffffffff816de318>] ext4_direct_IO+0x978/0x29c0 fs/ext4/inode.c:3663
[<ffffffff81411f64>] generic_file_direct_write+0x284/0x510
mm/filemap.c:2655
[<ffffffff8141240f>] __generic_file_write_iter+0x21f/0x540
mm/filemap.c:2835
[<ffffffff816b328d>] ext4_file_write_iter+0x63d/0xd70 fs/ext4/file.c:165
[<ffffffff815071c7>] vfs_iter_write+0x2d7/0x450 fs/read_write.c:390
[<ffffffff815ae4fb>] iter_file_splice_write+0x5fb/0xb30 fs/splice.c:768
[<ffffffff815b066d>] do_splice_from fs/splice.c:870 [inline]
[<ffffffff815b066d>] do_splice fs/splice.c:1166 [inline]
[<ffffffff815b066d>] SYSC_splice fs/splice.c:1416 [inline]
[<ffffffff815b066d>] SyS_splice+0xe4d/0x14d0 fs/splice.c:1399
[<ffffffff81006311>] do_syscall_32_irqs_on arch/x86/entry/common.c:328
[inline]
[<ffffffff81006311>] do_fast_syscall_32+0x2f1/0xa10
arch/x86/entry/common.c:390
[<ffffffff82818de0>] entry_SYSENTER_compat+0x90/0xa2
arch/x86/entry/entry_64_compat.S:137
00 4f 8b ac e7 a8 00 00 00 49 8d 7d 20 48 89 f8 48 c1 e8 03 <80> 3c 18 00
0f 85 93 8d 00 00 4d 8b 65 20 41 f6 c4 01 0f 85 8c
RIP [<ffffffff815cf729>] __read_once_size include/linux/compiler.h:243
[inline]
RIP [<ffffffff815cf729>] compound_head include/linux/page-flags.h:143
[inline]
RIP [<ffffffff815cf729>] put_page include/linux/mm.h:782 [inline]
RIP [<ffffffff815cf729>] dio_cleanup fs/direct-io.c:433 [inline]
RIP [<ffffffff815cf729>] do_blockdev_direct_IO fs/direct-io.c:1276 [inline]
RIP [<ffffffff815cf729>] __blockdev_direct_IO+0x1a99/0xbd10
fs/direct-io.c:1360
RSP <ffff8801cf05f330>
---[ end trace 483cb8218c55b0b2 ]---
syzbot
Aug 17, 2019, 3:38:06 AM8/17/19
to syzkaller-a...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: 5d8bfdf8 UPSTREAM: drm/virtio: Fix cache entry creation ra..
git tree: android-4.14
console output: https://syzkaller.appspot.com/x/log.txt?x=13e50ea6600000
kernel config: https://syzkaller.appspot.com/x/.config?x=ebced6c15132b98
dashboard link: https://syzkaller.appspot.com/bug?extid=8feabe82525e51688f96
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=169d4622600000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1682ddee600000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+8feabe...@syzkaller.appspotmail.com
urandom_read: 1 callbacks suppressed
random: sshd: uninitialized urandom read (32 bytes read)
audit: type=1400 audit(1566023701.227:7): avc: denied { map } for
pid=1759 comm="syz-executor758" path="/root/syz-executor758101835"
dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
Modules linked in:
CPU: 0 PID: 1759 Comm: syz-executor758 Not tainted 4.14.139+ #34
task: (ptrval) task.stack: (ptrval)
RIP: 0010:__read_once_size include/linux/compiler.h:183 [inline]
RIP: 0010:compound_head include/linux/page-flags.h:148 [inline]
RIP: 0010:get_page include/linux/mm.h:836 [inline]
RIP: 0010:submit_page_section fs/direct-io.c:890 [inline]
RIP: 0010:do_direct_IO fs/direct-io.c:1097 [inline]
RIP: 0010:do_blockdev_direct_IO fs/direct-io.c:1336 [inline]
RIP: 0010:__blockdev_direct_IO+0x1dcf/0xe24e fs/direct-io.c:1422
RSP: 0018:ffff8881d100f330 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffffea00073f341c RCX: ffffffffa2c36753
RDX: 0000000000000004 RSI: 0000000000000004 RDI: 0000000000000020
RBP: ffff8881d100f668 R08: 0000000000000000 R09: fffff94000e7e684
R10: fffff94000e7e683 R11: ffffea00073f341f R12: ffffea00073f3400
R13: ffffea00073f3400 R14: 0000000000000000 R15: ffff8881d1b08000
FS: 00000000019a0880(0000) GS:ffff8881dba00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020011000 CR3: 00000001d188c005 CR4: 00000000001606b0
ext4_direct_IO_write fs/ext4/inode.c:3716 [inline]
ext4_direct_IO+0xa4f/0x2820 fs/ext4/inode.c:3869
generic_file_direct_write+0x1e4/0x430 mm/filemap.c:3035
__generic_file_write_iter+0x209/0x550 mm/filemap.c:3214
ext4_file_write_iter+0x58f/0xdb0 fs/ext4/file.c:268
call_write_iter include/linux/fs.h:1788 [inline]
do_iter_readv_writev+0x379/0x580 fs/read_write.c:679
do_iter_write fs/read_write.c:958 [inline]
do_iter_write+0x152/0x550 fs/read_write.c:939
vfs_iter_write+0x70/0xa0 fs/read_write.c:971
iter_file_splice_write+0x560/0xa50 fs/splice.c:749
do_splice_from fs/splice.c:851 [inline]
do_splice fs/splice.c:1147 [inline]
SYSC_splice fs/splice.c:1402 [inline]
SyS_splice+0xcd6/0x1270 fs/splice.c:1382
do_syscall_64+0x19b/0x520 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x440319
RSP: 002b:00007ffc49acada8 EFLAGS: 00000246 ORIG_RAX: 0000000000000113
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440319
RDX: 0000000000000007 RSI: 0000000000000000 RDI: 0000000000000004
RBP: 00000000006ca018 R08: 00000000ffffffff R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401ba0
R13: 0000000000401c30 R14: 0000000000000000 R15: 0000000000000000
Code: 4c a4 e8 e5 7f e9 ff 0f 0b e8 3e d4 cd ff 48 8b 84 24 e8 00 00 00 48
8d 78 20 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00
0f 85 37 a0 00 00 48 8b 84 24 e8 00 00 00 4c 8b 60
RIP: __read_once_size include/linux/compiler.h:183 [inline] RSP:
ffff8881d100f330
RIP: compound_head include/linux/page-flags.h:148 [inline] RSP:
ffff8881d100f330
RIP: get_page include/linux/mm.h:836 [inline] RSP: ffff8881d100f330
RIP: submit_page_section fs/direct-io.c:890 [inline] RSP: ffff8881d100f330
RIP: do_direct_IO fs/direct-io.c:1097 [inline] RSP: ffff8881d100f330
RIP: do_blockdev_direct_IO fs/direct-io.c:1336 [inline] RSP:
ffff8881d100f330
RIP: __blockdev_direct_IO+0x1dcf/0xe24e fs/direct-io.c:1422 RSP:
ffff8881d100f330
---[ end trace c4bdc841745cfb7f ]---
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot found the following crash on:
HEAD commit: 5d8bfdf8 UPSTREAM: drm/virtio: Fix cache entry creation ra..
git tree: android-4.14
console output: https://syzkaller.appspot.com/x/log.txt?x=13e50ea6600000
kernel config: https://syzkaller.appspot.com/x/.config?x=ebced6c15132b98
dashboard link: https://syzkaller.appspot.com/bug?extid=8feabe82525e51688f96
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=169d4622600000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1682ddee600000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
urandom_read: 1 callbacks suppressed
random: sshd: uninitialized urandom read (32 bytes read)
audit: type=1400 audit(1566023701.227:7): avc: denied { map } for
pid=1759 comm="syz-executor758" path="/root/syz-executor758101835"
dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN NOPTI
kasan: GPF could be caused by NULL-ptr deref or user memory access
Modules linked in:
CPU: 0 PID: 1759 Comm: syz-executor758 Not tainted 4.14.139+ #34
task: (ptrval) task.stack: (ptrval)
RIP: 0010:__read_once_size include/linux/compiler.h:183 [inline]
RIP: 0010:compound_head include/linux/page-flags.h:148 [inline]
RIP: 0010:get_page include/linux/mm.h:836 [inline]
RIP: 0010:submit_page_section fs/direct-io.c:890 [inline]
RIP: 0010:do_direct_IO fs/direct-io.c:1097 [inline]
RIP: 0010:do_blockdev_direct_IO fs/direct-io.c:1336 [inline]
RIP: 0010:__blockdev_direct_IO+0x1dcf/0xe24e fs/direct-io.c:1422
RSP: 0018:ffff8881d100f330 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffffea00073f341c RCX: ffffffffa2c36753
RDX: 0000000000000004 RSI: 0000000000000004 RDI: 0000000000000020
RBP: ffff8881d100f668 R08: 0000000000000000 R09: fffff94000e7e684
R10: fffff94000e7e683 R11: ffffea00073f341f R12: ffffea00073f3400
R13: ffffea00073f3400 R14: 0000000000000000 R15: ffff8881d1b08000
FS: 00000000019a0880(0000) GS:ffff8881dba00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020011000 CR3: 00000001d188c005 CR4: 00000000001606b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
ext4_direct_IO_write fs/ext4/inode.c:3716 [inline]
ext4_direct_IO+0xa4f/0x2820 fs/ext4/inode.c:3869
generic_file_direct_write+0x1e4/0x430 mm/filemap.c:3035
__generic_file_write_iter+0x209/0x550 mm/filemap.c:3214
ext4_file_write_iter+0x58f/0xdb0 fs/ext4/file.c:268
call_write_iter include/linux/fs.h:1788 [inline]
do_iter_readv_writev+0x379/0x580 fs/read_write.c:679
do_iter_write fs/read_write.c:958 [inline]
do_iter_write+0x152/0x550 fs/read_write.c:939
vfs_iter_write+0x70/0xa0 fs/read_write.c:971
iter_file_splice_write+0x560/0xa50 fs/splice.c:749
do_splice_from fs/splice.c:851 [inline]
do_splice fs/splice.c:1147 [inline]
SYSC_splice fs/splice.c:1402 [inline]
SyS_splice+0xcd6/0x1270 fs/splice.c:1382
do_syscall_64+0x19b/0x520 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x440319
RSP: 002b:00007ffc49acada8 EFLAGS: 00000246 ORIG_RAX: 0000000000000113
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440319
RDX: 0000000000000007 RSI: 0000000000000000 RDI: 0000000000000004
RBP: 00000000006ca018 R08: 00000000ffffffff R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401ba0
R13: 0000000000401c30 R14: 0000000000000000 R15: 0000000000000000
Code: 4c a4 e8 e5 7f e9 ff 0f 0b e8 3e d4 cd ff 48 8b 84 24 e8 00 00 00 48
8d 78 20 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00
0f 85 37 a0 00 00 48 8b 84 24 e8 00 00 00 4c 8b 60
RIP: __read_once_size include/linux/compiler.h:183 [inline] RSP:
ffff8881d100f330
RIP: compound_head include/linux/page-flags.h:148 [inline] RSP:
ffff8881d100f330
RIP: get_page include/linux/mm.h:836 [inline] RSP: ffff8881d100f330
RIP: submit_page_section fs/direct-io.c:890 [inline] RSP: ffff8881d100f330
RIP: do_direct_IO fs/direct-io.c:1097 [inline] RSP: ffff8881d100f330
RIP: do_blockdev_direct_IO fs/direct-io.c:1336 [inline] RSP:
ffff8881d100f330
RIP: __blockdev_direct_IO+0x1dcf/0xe24e fs/direct-io.c:1422 RSP:
ffff8881d100f330
---[ end trace c4bdc841745cfb7f ]---
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
https://goo.gl/tpsmEJ#testing-patches
syzbot
Aug 17, 2019, 3:42:06 AM8/17/19
to syzkaller-a...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: 62872f95 Merge 4.4.174 into android-4.4
syzbot found the following crash on:
git tree: android-4.4
console output: https://syzkaller.appspot.com/x/log.txt?x=1550e9e2600000
kernel config: https://syzkaller.appspot.com/x/.config?x=47bc4dd423780c4a
dashboard link: https://syzkaller.appspot.com/bug?extid=a0a441a01e31e0a65707
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
userspace arch: i386
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1616ac4c600000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1447e302600000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory accessgeneral
protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 2055 Comm: syz-executor342 Not tainted 4.4.174+ #17
task: ffff8801d57ec740 task.stack: ffff8801d4930000
RIP: 0010:[<ffffffff8155748a>] [<ffffffff8155748a>] __read_once_size
include/linux/compiler.h:218 [inline]
RIP: 0010:[<ffffffff8155748a>] [<ffffffff8155748a>] PageTail
include/linux/page-flags.h:400 [inline]
RIP: 0010:[<ffffffff8155748a>] [<ffffffff8155748a>] get_page
include/linux/mm.h:508 [inline]
RIP: 0010:[<ffffffff8155748a>] [<ffffffff8155748a>] submit_page_section
fs/direct-io.c:813 [inline]
RIP: 0010:[<ffffffff8155748a>] [<ffffffff8155748a>] do_direct_IO
fs/direct-io.c:1033 [inline]
RIP: 0010:[<ffffffff8155748a>] [<ffffffff8155748a>] do_blockdev_direct_IO
fs/direct-io.c:1256 [inline]
RIP: 0010:[<ffffffff8155748a>] [<ffffffff8155748a>]
__blockdev_direct_IO+0x36ea/0xb030 fs/direct-io.c:1342
RSP: 0018:ffff8801d4937200 EFLAGS: 00010202
RAX: 0000000000000004 RBX: dffffc0000000000 RCX: 000000000000000c
RDX: 0000000000000000 RSI: ffffffff81557477 RDI: 0000000000000020
RBP: ffff8801d4937518 R08: 1ffff1003b0cacc0 R09: ffff8801d8656600
R10: ffffed003b0cacce R11: ffff8801d8656677 R12: ffffea0007523400
R13: ffff8801d8656600 R14: ffff8801da266780 R15: ffff8801d4ea8000
FS: 0000000000000000(0000) GS:ffff8801db600000(0063) knlGS:0000000008266840
CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: 000000002001147f CR3: 00000001d569c000 CR4: 00000000001606b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
fffffbfff05c2202 ffff8801d4937310 0005080000000000 0000000000001000
0000000000008220 ffff8801d4ea8079 0000000041b58ab3 0000000000011000
ffff8801d4937360 00001000d57ed000 fffffffffffff000 0000000000000fff
Call Trace:
[<ffffffff8173cf01>] blockdev_direct_IO include/linux/fs.h:2789 [inline]
[<ffffffff8173cf01>] ext4_ind_direct_IO+0x3e1/0xb90 fs/ext4/indirect.c:709
[<ffffffff8163fe21>] ext4_ext_direct_IO fs/ext4/inode.c:3233 [inline]
[<ffffffff8163fe21>] ext4_direct_IO+0x8c1/0x2a80 fs/ext4/inode.c:3405
[<ffffffff813bcae6>] generic_file_direct_write+0x276/0x4f0
mm/filemap.c:2493
[<ffffffff813bcfa5>] __generic_file_write_iter+0x245/0x540
mm/filemap.c:2673
[<ffffffff81633d3c>] ext4_file_write_iter+0x9ec/0xc70 fs/ext4/file.c:171
[<ffffffff81496220>] vfs_iter_write+0x1d0/0x3f0 fs/read_write.c:364
[<ffffffff81534731>] iter_file_splice_write+0x5c1/0xb30 fs/splice.c:1024
[<ffffffff81537d31>] do_splice_from fs/splice.c:1128 [inline]
[<ffffffff81537d31>] do_splice fs/splice.c:1404 [inline]
[<ffffffff81537d31>] SYSC_splice fs/splice.c:1707 [inline]
[<ffffffff81537d31>] SyS_splice+0xd71/0x13a0 fs/splice.c:1690
[<ffffffff8100603d>] do_syscall_32_irqs_on arch/x86/entry/common.c:330
[inline]
[<ffffffff8100603d>] do_fast_syscall_32+0x32d/0xa90
arch/x86/entry/common.c:397
[<ffffffff8271a350>] sysenter_flags_fixed+0xd/0x1a
Code: 00 00 e8 aa a9 e8 ff 48 c7 84 24 50 02 00 00 00 00 00 00 e8 79 21 db
ff 48 8b 84 24 c8 00 00 00 48 8d 78 20 48 89 f8 48 c1 e8 03 <80> 3c 18 00
0f 85 10 5b 00 00 48 8b 84 24 c8 00 00 00 48 8b 40
RIP [<ffffffff8155748a>] __read_once_size include/linux/compiler.h:218
[inline]
RIP [<ffffffff8155748a>] PageTail include/linux/page-flags.h:400 [inline]
RIP [<ffffffff8155748a>] get_page include/linux/mm.h:508 [inline]
RIP [<ffffffff8155748a>] submit_page_section fs/direct-io.c:813 [inline]
RIP [<ffffffff8155748a>] do_direct_IO fs/direct-io.c:1033 [inline]
RIP [<ffffffff8155748a>] do_blockdev_direct_IO fs/direct-io.c:1256 [inline]
RIP [<ffffffff8155748a>] __blockdev_direct_IO+0x36ea/0xb030
fs/direct-io.c:1342
RSP <ffff8801d4937200>
---[ end trace beb0fa62b94e317a ]---
Reply all
Reply to author
Forward
0 new messages