general protection fault in incfs_kill_sb
1 view
Skip to first unread message
syzbot
Feb 23, 2022, 12:03:40 PM2/23/22
to syzkaller-a...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: add227a8d80c Merge branch 'android12-5.10' into `android12..
git tree: android12-5.10-lts
console output: https://syzkaller.appspot.com/x/log.txt?x=127a53fa700000
kernel config: https://syzkaller.appspot.com/x/.config?x=4b524aba5c4d5a19
dashboard link: https://syzkaller.appspot.com/bug?extid=071207fec3b90d253e91
compiler: Debian clang version 11.0.1-2, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15ec48c6700000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=157751de700000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+071207...@syzkaller.appspotmail.com
general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
CPU: 0 PID: 364 Comm: syz-executor982 Not tainted 5.10.101-syzkaller-00043-gadd227a8d80c #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:incfs_kill_sb+0x59/0x130 fs/incfs/vfs.c:1907
Code: c1 ef 03 43 80 3c 27 00 74 08 4c 89 f7 e8 bf 7e 9c ff 4d 8b 2e 49 8d 5d 10 48 89 d8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 08 48 89 df e8 99 7e 9c ff 48 8b 1b 48 83 c3 30 48
RSP: 0018:ffffc9000022fab0 EFLAGS: 00010202
RAX: 0000000000000002 RBX: 0000000000000010 RCX: dffffc0000000000
RDX: 0000000000000000 RSI: ffffc9000022fa58 RDI: ffff8881075b2000
RBP: ffffc9000022fae0 R08: dffffc0000000000 R09: 0000000000000003
R10: fffff52000045ec5 R11: 0000000000000004 R12: dffffc0000000000
R13: 0000000000000000 R14: ffff8881075b23c8 R15: 1ffff11020eb6479
FS: 0000555556ade300(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005630b6567088 CR3: 000000011d10c000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
deactivate_locked_super+0xb0/0x100 fs/super.c:335
incfs_mount_fs+0x859/0x950 fs/incfs/vfs.c:1868
legacy_get_tree+0xf0/0x190 fs/fs_context.c:592
vfs_get_tree+0x89/0x270 fs/super.c:1549
do_new_mount fs/namespace.c:2899 [inline]
path_mount+0x1975/0x2ab0 fs/namespace.c:3229
do_mount fs/namespace.c:3242 [inline]
__do_sys_mount fs/namespace.c:3450 [inline]
__se_sys_mount+0x2f7/0x3b0 fs/namespace.c:3427
__x64_sys_mount+0xbf/0xd0 fs/namespace.c:3427
do_syscall_64+0x31/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7f89379374b9
Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff62ab5928 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 0030656c69662f2e RCX: 00007f89379374b9
RDX: 0000000020000200 RSI: 0000000020000040 RDI: 0000000000000000
RBP: 00007f89378fb210 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f89378fb2a0
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
Modules linked in:
---[ end trace 7b38775908979bfd ]---
RIP: 0010:incfs_kill_sb+0x59/0x130 fs/incfs/vfs.c:1907
Code: c1 ef 03 43 80 3c 27 00 74 08 4c 89 f7 e8 bf 7e 9c ff 4d 8b 2e 49 8d 5d 10 48 89 d8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 08 48 89 df e8 99 7e 9c ff 48 8b 1b 48 83 c3 30 48
RSP: 0018:ffffc9000022fab0 EFLAGS: 00010202
RAX: 0000000000000002 RBX: 0000000000000010 RCX: dffffc0000000000
RDX: 0000000000000000 RSI: ffffc9000022fa58 RDI: ffff8881075b2000
RBP: ffffc9000022fae0 R08: dffffc0000000000 R09: 0000000000000003
R10: fffff52000045ec5 R11: 0000000000000004 R12: dffffc0000000000
R13: 0000000000000000 R14: ffff8881075b23c8 R15: 1ffff11020eb6479
FS: 0000555556ade300(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005630b6567088 CR3: 000000011d10c000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: c1 ef 03 shr $0x3,%edi
3: 43 80 3c 27 00 cmpb $0x0,(%r15,%r12,1)
8: 74 08 je 0x12
a: 4c 89 f7 mov %r14,%rdi
d: e8 bf 7e 9c ff callq 0xff9c7ed1
12: 4d 8b 2e mov (%r14),%r13
15: 49 8d 5d 10 lea 0x10(%r13),%rbx
19: 48 89 d8 mov %rbx,%rax
1c: 48 c1 e8 03 shr $0x3,%rax
20: 48 b9 00 00 00 00 00 movabs $0xdffffc0000000000,%rcx
27: fc ff df
* 2a: 80 3c 08 00 cmpb $0x0,(%rax,%rcx,1) <-- trapping instruction
2e: 74 08 je 0x38
30: 48 89 df mov %rbx,%rdi
33: e8 99 7e 9c ff callq 0xff9c7ed1
38: 48 8b 1b mov (%rbx),%rbx
3b: 48 83 c3 30 add $0x30,%rbx
3f: 48 rex.W
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot found the following issue on:
HEAD commit: add227a8d80c Merge branch 'android12-5.10' into `android12..
git tree: android12-5.10-lts
console output: https://syzkaller.appspot.com/x/log.txt?x=127a53fa700000
kernel config: https://syzkaller.appspot.com/x/.config?x=4b524aba5c4d5a19
dashboard link: https://syzkaller.appspot.com/bug?extid=071207fec3b90d253e91
compiler: Debian clang version 11.0.1-2, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15ec48c6700000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=157751de700000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+071207...@syzkaller.appspotmail.com
general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
CPU: 0 PID: 364 Comm: syz-executor982 Not tainted 5.10.101-syzkaller-00043-gadd227a8d80c #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:incfs_kill_sb+0x59/0x130 fs/incfs/vfs.c:1907
Code: c1 ef 03 43 80 3c 27 00 74 08 4c 89 f7 e8 bf 7e 9c ff 4d 8b 2e 49 8d 5d 10 48 89 d8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 08 48 89 df e8 99 7e 9c ff 48 8b 1b 48 83 c3 30 48
RSP: 0018:ffffc9000022fab0 EFLAGS: 00010202
RAX: 0000000000000002 RBX: 0000000000000010 RCX: dffffc0000000000
RDX: 0000000000000000 RSI: ffffc9000022fa58 RDI: ffff8881075b2000
RBP: ffffc9000022fae0 R08: dffffc0000000000 R09: 0000000000000003
R10: fffff52000045ec5 R11: 0000000000000004 R12: dffffc0000000000
R13: 0000000000000000 R14: ffff8881075b23c8 R15: 1ffff11020eb6479
FS: 0000555556ade300(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005630b6567088 CR3: 000000011d10c000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
deactivate_locked_super+0xb0/0x100 fs/super.c:335
incfs_mount_fs+0x859/0x950 fs/incfs/vfs.c:1868
legacy_get_tree+0xf0/0x190 fs/fs_context.c:592
vfs_get_tree+0x89/0x270 fs/super.c:1549
do_new_mount fs/namespace.c:2899 [inline]
path_mount+0x1975/0x2ab0 fs/namespace.c:3229
do_mount fs/namespace.c:3242 [inline]
__do_sys_mount fs/namespace.c:3450 [inline]
__se_sys_mount+0x2f7/0x3b0 fs/namespace.c:3427
__x64_sys_mount+0xbf/0xd0 fs/namespace.c:3427
do_syscall_64+0x31/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7f89379374b9
Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff62ab5928 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 0030656c69662f2e RCX: 00007f89379374b9
RDX: 0000000020000200 RSI: 0000000020000040 RDI: 0000000000000000
RBP: 00007f89378fb210 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f89378fb2a0
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
Modules linked in:
---[ end trace 7b38775908979bfd ]---
RIP: 0010:incfs_kill_sb+0x59/0x130 fs/incfs/vfs.c:1907
Code: c1 ef 03 43 80 3c 27 00 74 08 4c 89 f7 e8 bf 7e 9c ff 4d 8b 2e 49 8d 5d 10 48 89 d8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 08 48 89 df e8 99 7e 9c ff 48 8b 1b 48 83 c3 30 48
RSP: 0018:ffffc9000022fab0 EFLAGS: 00010202
RAX: 0000000000000002 RBX: 0000000000000010 RCX: dffffc0000000000
RDX: 0000000000000000 RSI: ffffc9000022fa58 RDI: ffff8881075b2000
RBP: ffffc9000022fae0 R08: dffffc0000000000 R09: 0000000000000003
R10: fffff52000045ec5 R11: 0000000000000004 R12: dffffc0000000000
R13: 0000000000000000 R14: ffff8881075b23c8 R15: 1ffff11020eb6479
FS: 0000555556ade300(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005630b6567088 CR3: 000000011d10c000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: c1 ef 03 shr $0x3,%edi
3: 43 80 3c 27 00 cmpb $0x0,(%r15,%r12,1)
8: 74 08 je 0x12
a: 4c 89 f7 mov %r14,%rdi
d: e8 bf 7e 9c ff callq 0xff9c7ed1
12: 4d 8b 2e mov (%r14),%r13
15: 49 8d 5d 10 lea 0x10(%r13),%rbx
19: 48 89 d8 mov %rbx,%rax
1c: 48 c1 e8 03 shr $0x3,%rax
20: 48 b9 00 00 00 00 00 movabs $0xdffffc0000000000,%rcx
27: fc ff df
* 2a: 80 3c 08 00 cmpb $0x0,(%rax,%rcx,1) <-- trapping instruction
2e: 74 08 je 0x38
30: 48 89 df mov %rbx,%rdi
33: e8 99 7e 9c ff callq 0xff9c7ed1
38: 48 8b 1b mov (%rbx),%rbx
3b: 48 83 c3 30 add $0x30,%rbx
3f: 48 rex.W
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot
Feb 23, 2022, 3:28:13 PM2/23/22
to syzkaller-a...@googlegroups.com
syzbot has bisected this issue to:
commit 6f915dd2af92ade13d280d83fcce327161b9573c
Author: Tadeusz Struk <tadeus...@linaro.org>
Date: Wed Jan 26 21:09:39 2022 +0000
ANDROID: incremental-fs: remove index and incomplete dir on umount
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=17266df2700000
start commit: add227a8d80c Merge branch 'android12-5.10' into `android12..
git tree: android12-5.10-lts
final oops: https://syzkaller.appspot.com/x/report.txt?x=14a66df2700000
console output: https://syzkaller.appspot.com/x/log.txt?x=10a66df2700000
Fixes: 6f915dd2af92 ("ANDROID: incremental-fs: remove index and incomplete dir on umount")
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
commit 6f915dd2af92ade13d280d83fcce327161b9573c
Author: Tadeusz Struk <tadeus...@linaro.org>
Date: Wed Jan 26 21:09:39 2022 +0000
ANDROID: incremental-fs: remove index and incomplete dir on umount
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=17266df2700000
start commit: add227a8d80c Merge branch 'android12-5.10' into `android12..
git tree: android12-5.10-lts
final oops: https://syzkaller.appspot.com/x/report.txt?x=14a66df2700000
console output: https://syzkaller.appspot.com/x/log.txt?x=10a66df2700000
kernel config: https://syzkaller.appspot.com/x/.config?x=4b524aba5c4d5a19
dashboard link: https://syzkaller.appspot.com/bug?extid=071207fec3b90d253e91
dashboard link: https://syzkaller.appspot.com/bug?extid=071207fec3b90d253e91
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15ec48c6700000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=157751de700000
Reported-by: syzbot+071207...@syzkaller.appspotmail.com
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=157751de700000
Fixes: 6f915dd2af92 ("ANDROID: incremental-fs: remove index and incomplete dir on umount")
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
Tadeusz Struk
Feb 25, 2022, 3:07:44 PM2/25/22
to syzbot+071207...@syzkaller.appspotmail.com, syzkaller
#syz fix: Revert "ANDROID: incremental-fs: remove index and incomplete dir on
umount"
umount"
Tadeusz Struk
Feb 28, 2022, 8:37:08 PM2/28/22
to syzbot+071207...@syzkaller.appspotmail.com, syzkaller
#syz unfix
Tadeusz Struk
Feb 28, 2022, 8:38:06 PM2/28/22
to syzbot+071207...@syzkaller.appspotmail.com, syzkaller
#syz fix: ANDROID: incremental-fs: remove spurious kfree()
Tadeusz Struk
Mar 4, 2022, 10:50:00 AM3/4/22
to syzbot+071207...@syzkaller.appspotmail.com, syzkaller
#syz unfix
Tadeusz Struk
Mar 7, 2022, 1:06:48 PM3/7/22
to syzbot+071207...@syzkaller.appspotmail.com, syzkaller
Tadeusz Struk
Mar 16, 2022, 1:40:00 PM3/16/22
to syzbot+071207...@syzkaller.appspotmail.com, syzkaller
#syz test: https://android.googlesource.com/kernel/common android12-5.10-lts
syzbot
Mar 16, 2022, 1:52:11 PM3/16/22
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: syzbot+071207...@syzkaller.appspotmail.com
Tested on:
commit: 9e96a3d6 Merge 56cf5326bdf9 ("arm64: entry: Add macro ..
git tree: android12-5.10-lts
kernel config: https://syzkaller.appspot.com/x/.config?x=f4e2b5ee127f8a95
Note: testing is done by a robot and is best-effort only.
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: syzbot+071207...@syzkaller.appspotmail.com
Tested on:
commit: 9e96a3d6 Merge 56cf5326bdf9 ("arm64: entry: Add macro ..
git tree: android12-5.10-lts
kernel config: https://syzkaller.appspot.com/x/.config?x=f4e2b5ee127f8a95
dashboard link: https://syzkaller.appspot.com/bug?extid=071207fec3b90d253e91
compiler: Debian clang version 11.0.1-2, GNU ld (GNU Binutils for Debian) 2.35.2
Note: no patches were applied.
compiler: Debian clang version 11.0.1-2, GNU ld (GNU Binutils for Debian) 2.35.2
Note: testing is done by a robot and is best-effort only.
Tadeusz Struk
Mar 16, 2022, 2:15:03 PM3/16/22
to syzbot, syzkaller-a...@googlegroups.com
Reply all
Reply to author
Forward
0 new messages