Test for https://syzkaller.appspot.com/bug?id=e7f9a71fe6d0fa94c8e83c04821bc8c5ae9f7c4c


Jun Nie

Nov 21, 2022, 5:40:08 AM
to syzkaller-android-bugs, syzbot+4d15e7...@syzkaller.appspotmail.com
#syz test: https://android.googlesource.com/kernel/common 36de88a85525

Test: Merge 5.15.3 into android13-5.15

syzbot

Nov 21, 2022, 2:35:21 PM
to jun...@linaro.org, syzkaller-a...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

04
worker_thread+0x6fd/0xa80 kernel/workqueue.c:2451
kthread+0x34c/0x420 kernel/kthread.c:319
ret_from_fork+0x1f/0x30
</TASK>
================================================================================


Warning: Permanently added '10.128.1.3' (ECDSA) to the list of known hosts.
2022/11/21 19:34:49 fuzzer started
2022/11/21 19:34:49 connecting to host at 10.128.0.163:44327
2022/11/21 19:34:49 checking machine...
2022/11/21 19:34:49 checking revisions...
2022/11/21 19:34:49 testing simple program...
[ 18.804180][ T24] audit: type=1400 audit(1669059289.819:73): avc: denied { integrity } for pid=368 comm="syz-fuzzer" lockdown_reason="debugfs access" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=lockdown permissive=1
[ 18.811761][ T24] audit: type=1400 audit(1669059289.819:74): avc: denied { getattr } for pid=368 comm="syz-fuzzer" path="user:[4026531837]" dev="nsfs" ino=4026531837 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1
[ 18.820041][ T24] audit: type=1400 audit(1669059289.819:75): avc: denied { read } for pid=368 comm="syz-fuzzer" dev="nsfs" ino=4026531837 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1
[ 18.827791][ T376] cgroup: Unknown subsys name 'net'
[ 18.832739][ T24] audit: type=1400 audit(1669059289.819:76): avc: denied { open } for pid=368 comm="syz-fuzzer" path="user:[4026531837]" dev="nsfs" ino=4026531837 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1
[ 18.860907][ T24] audit: type=1400 audit(1669059289.829:77): avc: denied { read } for pid=368 comm="syz-fuzzer" name="raw-gadget" dev="devtmpfs" ino=165 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 18.861083][ T376] cgroup: Unknown subsys name 'devices'
[ 18.884221][ T24] audit: type=1400 audit(1669059289.829:78): avc: denied { open } for pid=368 comm="syz-fuzzer" path="/dev/raw-gadget" dev="devtmpfs" ino=165 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 18.913516][ T24] audit: type=1400 audit(1669059289.839:79): avc: denied { mounton } for pid=376 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=1136 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1
[ 18.936548][ T24] audit: type=1400 audit(1669059289.839:80): avc: denied { mount } for pid=376 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 18.960146][ T24] audit: type=1400 audit(1669059289.849:81): avc: denied { unmount } for pid=376 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 19.074782][ T376] cgroup: Unknown subsys name 'hugetlb'
[ 19.080716][ T376] cgroup: Unknown subsys name 'rlimit'
[ 19.233784][ T24] audit: type=1400 audit(1669059290.249:82): avc: denied { setattr } for pid=376 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=165 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 19.298371][ T380] bridge0: port 1(bridge_slave_0) entered blocking state
[ 19.306043][ T380] bridge0: port 1(bridge_slave_0) entered disabled state
[ 19.313767][ T380] device bridge_slave_0 entered promiscuous mode
[ 19.321005][ T380] bridge0: port 2(bridge_slave_1) entered blocking state
[ 19.328438][ T380] bridge0: port 2(bridge_slave_1) entered disabled state
[ 19.335995][ T380] device bridge_slave_1 entered promiscuous mode
[ 19.372812][ T380] bridge0: port 2(bridge_slave_1) entered blocking state
[ 19.380209][ T380] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 19.388053][ T380] bridge0: port 1(bridge_slave_0) entered blocking state
[ 19.395115][ T380] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 19.414064][ T35] bridge0: port 1(bridge_slave_0) entered disabled state
[ 19.421960][ T35] bridge0: port 2(bridge_slave_1) entered disabled state
[ 19.429844][ T35] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 19.437507][ T35] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 19.454242][ T35] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 19.463038][ T35] bridge0: port 1(bridge_slave_0) entered blocking state
[ 19.470863][ T35] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 19.479059][ T35] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 19.488432][ T35] bridge0: port 2(bridge_slave_1) entered blocking state
[ 19.495857][ T35] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 19.503296][ T35] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 19.511625][ T35] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 19.523604][ T25] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 19.534547][ T35] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 19.545961][ T25] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 19.556755][ T35] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 19.568086][ T35] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 19.577313][ T35] ================================================================================
[ 19.586722][ T35] UBSAN: object-size-mismatch in ./include/linux/skbuff.h:2048:28
[ 19.594535][ T35] member access within address ffffc9000024f180 with insufficient space
[ 19.602996][ T35] for an object of type 'struct sk_buff'
[ 19.608743][ T35] CPU: 1 PID: 35 Comm: kworker/1:1 Not tainted 5.15.3-syzkaller-03085-g36de88a85525 #0
[ 19.618525][ T35] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 19.628734][ T35] Workqueue: ipv6_addrconf addrconf_dad_work
[ 19.634787][ T35] Call Trace:
[ 19.638047][ T35] <TASK>
[ 19.641048][ T35] dump_stack_lvl+0x151/0x1b7
[ 19.645728][ T35] ? bfq_pos_tree_add_move+0x439/0x439
[ 19.651174][ T35] ? lookup+0x358/0x3b0
[ 19.655489][ T35] dump_stack+0x15/0x17
[ 19.659713][ T35] ubsan_type_mismatch_common+0x1e9/0x390
[ 19.665423][ T35] __ubsan_handle_type_mismatch_v1+0x4b/0x60
[ 19.671843][ T35] wg_xmit+0x502/0xae0
[ 19.676064][ T35] ? wg_stop+0x140/0x140
[ 19.680374][ T35] netdev_start_xmit+0x8a/0x160
[ 19.685290][ T35] dev_hard_start_xmit+0x18d/0x2f0
[ 19.690470][ T35] __dev_queue_xmit+0x1138/0x1d10
[ 19.695826][ T35] ? dev_queue_xmit+0x20/0x20
[ 19.700589][ T35] ? _raw_write_lock_bh+0xa3/0x170
[ 19.706245][ T35] ? _raw_write_lock_irq+0x170/0x170
[ 19.711735][ T35] ? ndisc_constructor+0x653/0x850
[ 19.716965][ T35] ? __local_bh_enable_ip+0x58/0x80
[ 19.722329][ T35] ? _raw_write_unlock_bh+0x31/0x47
[ 19.727605][ T35] ? ___neigh_create+0x155c/0x1930
[ 19.732706][ T35] ? dev_hard_header+0xdb/0xf0
[ 19.737644][ T35] dev_queue_xmit+0x17/0x20
[ 19.742313][ T35] neigh_connected_output+0x288/0x2b0
[ 19.747991][ T35] ip6_finish_output2+0xb03/0x1080
[ 19.753277][ T35] ? __ip6_finish_output+0x530/0x530
[ 19.758794][ T35] ? ip6_mtu+0xd8/0x120
[ 19.762938][ T35] ? ip6_skb_dst_mtu+0xaf/0x220
[ 19.767892][ T35] __ip6_finish_output+0x3e6/0x530
[ 19.773400][ T35] ip6_finish_output+0x1c9/0x1e0
[ 19.778334][ T35] ? ip6_output+0x1d3/0x4a0
[ 19.782839][ T35] ip6_output+0x1f8/0x4a0
[ 19.787334][ T35] ? xfrm_pols_put+0x102/0x110
[ 19.792352][ T35] ? ac6_get_next+0x2a0/0x2a0
[ 19.797062][ T35] ? ip6_dst_idev+0x40/0x40
[ 19.801545][ T35] ? selinux_ipv6_forward+0x50/0x50
[ 19.806721][ T35] NF_HOOK+0xdd/0x280
[ 19.810785][ T35] ? addrconf_addr_solict_mult+0xe0/0xe0
[ 19.816573][ T35] ? NF_HOOK+0x280/0x280
[ 19.820959][ T35] ? xfrm_lookup+0x38/0x50
[ 19.825399][ T35] ? ndisc_send_skb+0x57e/0xa30
[ 19.830427][ T35] ? memcpy+0x56/0x70
[ 19.834520][ T35] ndisc_send_skb+0x67f/0xa30
[ 19.839186][ T35] ? ndisc_fill_addr_option+0x320/0x320
[ 19.844713][ T35] ? __kasan_check_write+0x14/0x20
[ 19.849808][ T35] ? skb_set_owner_w+0x19e/0x2f0
[ 19.854846][ T35] ? skb_put+0x119/0x200
[ 19.859074][ T35] ndisc_send_rs+0x26c/0x360
[ 19.863737][ T35] addrconf_dad_completed+0x543/0xa70
[ 19.869144][ T35] ? addrconf_dad_stop+0x480/0x480
[ 19.874439][ T35] addrconf_dad_work+0xbdf/0x1440
[ 19.879570][ T35] ? __kasan_check_write+0x14/0x20
[ 19.884765][ T35] ? INIT_LIST_HEAD+0x60/0x60
[ 19.889433][ T35] ? do_raw_spin_lock+0x99/0x170
[ 19.894354][ T35] ? do_raw_spin_trylock+0x1b0/0x1b0
[ 19.899625][ T35] ? __kasan_check_write+0x14/0x20
[ 19.904843][ T35] process_one_work+0x405/0x6c0
[ 19.909689][ T35] worker_thread+0x6fd/0xa80
[ 19.914269][ T35] ? __kthread_parkme+0x139/0x180
[ 19.919423][ T35] kthread+0x34c/0x420
[ 19.923754][ T35] ? pr_cont_work+0x110/0x110
[ 19.928637][ T35] ? __list_add+0xc0/0xc0
[ 19.933093][ T35] ret_from_fork+0x1f/0x30
[ 19.937515][ T35] </TASK>
[ 19.940572][ T35] ================================================================================
[ 19.949973][ T35] ================================================================================
[ 19.959498][ T35] UBSAN: object-size-mismatch in ./include/linux/skbuff.h:1941:2
[ 19.967308][ T35] member access within address ffffc9000024f180 with insufficient space
[ 19.975799][ T35] for an object of type 'struct sk_buff'
[ 19.981586][ T35] CPU: 1 PID: 35 Comm: kworker/1:1 Not tainted 5.15.3-syzkaller-03085-g36de88a85525 #0
[ 19.991477][ T35] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 20.001547][ T35] Workqueue: ipv6_addrconf addrconf_dad_work
[ 20.007721][ T35] Call Trace:
[ 20.010990][ T35] <TASK>
[ 20.014021][ T35] dump_stack_lvl+0x151/0x1b7
[ 20.018773][ T35] ? bfq_pos_tree_add_move+0x439/0x439
[ 20.024216][ T35] ? lookup+0x358/0x3b0
[ 20.028561][ T35] dump_stack+0x15/0x17
[ 20.032712][ T35] ubsan_type_mismatch_common+0x1e9/0x390
[ 20.038596][ T35] __ubsan_handle_type_mismatch_v1+0x4b/0x60
[ 20.044556][ T35] wg_xmit+0x573/0xae0
[ 20.048862][ T35] ? wg_stop+0x140/0x140
[ 20.053264][ T35] netdev_start_xmit+0x8a/0x160
[ 20.058112][ T35] dev_hard_start_xmit+0x18d/0x2f0
[ 20.063495][ T35] __dev_queue_xmit+0x1138/0x1d10
[ 20.068686][ T35] ? dev_queue_xmit+0x20/0x20
[ 20.073442][ T35] ? _raw_write_lock_bh+0xa3/0x170
[ 20.078543][ T35] ? _raw_write_lock_irq+0x170/0x170
[ 20.083813][ T35] ? ndisc_constructor+0x653/0x850
[ 20.088905][ T35] ? __local_bh_enable_ip+0x58/0x80
[ 20.094082][ T35] ? _raw_write_unlock_bh+0x31/0x47
[ 20.099255][ T35] ? ___neigh_create+0x155c/0x1930
[ 20.104355][ T35] ? dev_hard_header+0xdb/0xf0
[ 20.109171][ T35] dev_queue_xmit+0x17/0x20
[ 20.113692][ T35] neigh_connected_output+0x288/0x2b0
[ 20.119056][ T35] ip6_finish_output2+0xb03/0x1080
[ 20.124156][ T35] ? __ip6_finish_output+0x530/0x530
[ 20.129513][ T35] ? ip6_mtu+0xd8/0x120
[ 20.133650][ T35] ? ip6_skb_dst_mtu+0xaf/0x220
[ 20.138480][ T35] __ip6_finish_output+0x3e6/0x530
[ 20.144118][ T35] ip6_finish_output+0x1c9/0x1e0
[ 20.149033][ T35] ? ip6_output+0x1d3/0x4a0
[ 20.153692][ T35] ip6_output+0x1f8/0x4a0
[ 20.158004][ T35] ? xfrm_pols_put+0x102/0x110
[ 20.162864][ T35] ? ac6_get_next+0x2a0/0x2a0
[ 20.167522][ T35] ? ip6_dst_idev+0x40/0x40
[ 20.172012][ T35] ? selinux_ipv6_forward+0x50/0x50
[ 20.177204][ T35] NF_HOOK+0xdd/0x280
[ 20.181173][ T35] ? addrconf_addr_solict_mult+0xe0/0xe0
[ 20.186797][ T35] ? NF_HOOK+0x280/0x280
[ 20.191039][ T35] ? xfrm_lookup+0x38/0x50
[ 20.195569][ T35] ? ndisc_send_skb+0x57e/0xa30
[ 20.200534][ T35] ? memcpy+0x56/0x70
[ 20.204603][ T35] ndisc_send_skb+0x67f/0xa30
[ 20.209278][ T35] ? ndisc_fill_addr_option+0x320/0x320
[ 20.214825][ T35] ? __kasan_check_write+0x14/0x20
[ 20.219921][ T35] ? skb_set_owner_w+0x19e/0x2f0
[ 20.224941][ T35] ? skb_put+0x119/0x200
[ 20.229454][ T35] ndisc_send_rs+0x26c/0x360
[ 20.234305][ T35] addrconf_dad_completed+0x543/0xa70
[ 20.239672][ T35] ? addrconf_dad_stop+0x480/0x480
[ 20.245476][ T35] addrconf_dad_work+0xbdf/0x1440
[ 20.250585][ T35] ? __kasan_check_write+0x14/0x20
[ 20.255679][ T35] ? INIT_LIST_HEAD+0x60/0x60
[ 20.260346][ T35] ? do_raw_spin_lock+0x99/0x170
[ 20.265358][ T35] ? do_raw_spin_trylock+0x1b0/0x1b0
[ 20.270733][ T35] ? __kasan_check_write+0x14/0x20
2022/11/21 19:34:51 building call list...
[ 20.276287][ T35] process_one_work+0x405/0x6c0
[ 20.281208][ T35] worker_thread+0x6fd/0xa80
[ 20.285806][ T35] ? __kthread_parkme+0x139/0x180
[ 20.290908][ T35] kthread+0x34c/0x420
[ 20.295079][ T35] ? pr_cont_work+0x110/0x110
[ 20.300186][ T35] ? __list_add+0xc0/0xc0
[ 20.304810][ T35] ret_from_fork+0x1f/0x30
[ 20.309224][ T35] </TASK>
[ 20.312302][ T35] ================================================================================
[ 20.884535][ T183] device bridge_slave_1 left promiscuous mode
[ 20.890838][ T183] bridge0: port 2(bridge_slave_1) entered disabled state
[ 20.899045][ T183] device bridge_slave_0 left promiscuous mode
[ 20.905515][ T183] bridge0: port 1(bridge_slave_0) entered disabled state


syzkaller build log:
go env (err=<nil>)
GO111MODULE="auto"
GOARCH="amd64"
GOBIN=""
GOCACHE="/syzkaller/.cache/go-build"
GOENV="/syzkaller/.config/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/syzkaller/jobs/linux/gopath/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/syzkaller/jobs/linux/gopath"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="go1.17"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/syzkaller/jobs/linux/gopath/src/github.com/google/syzkaller/go.mod"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build3298059507=/tmp/go-build -gno-record-gcc-switches"

git status (err=<nil>)
HEAD detached at 80b58a420
nothing to commit, working tree clean


go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=80b58a4201a50d022574c185b387d54b3d442aae -X 'github.com/google/syzkaller/prog.gitRevisionDate=20221006-140716'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-fuzzer github.com/google/syzkaller/syz-fuzzer
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=80b58a4201a50d022574c185b387d54b3d442aae -X 'github.com/google/syzkaller/prog.gitRevisionDate=20221006-140716'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=80b58a4201a50d022574c185b387d54b3d442aae -X 'github.com/google/syzkaller/prog.gitRevisionDate=20221006-140716'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-stress github.com/google/syzkaller/tools/syz-stress
mkdir -p ./bin/linux_amd64
gcc -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -static-pie -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"80b58a4201a50d022574c185b387d54b3d442aae\"


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=10b04819880000


Tested on:

commit: 36de88a8 Merge 5.15.3 into android13-5.15
git tree: https://android.googlesource.com/kernel/common
kernel config: https://syzkaller.appspot.com/x/.config?x=6fa50488744c095f
dashboard link: https://syzkaller.appspot.com/bug?extid=4d15e77deaec58116d46
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2

Note: no patches were applied.

Jun Nie

Nov 21, 2022, 8:07:59 PM
to syzkaller-android-bugs, syzbot+4d15e7...@syzkaller.appspotmail.com
#syz test: https://android.googlesource.com/kernel/common 8bb7eca972ad
Test: v5.15

syzbot

Nov 22, 2022, 12:55:27 AM
to jun...@linaro.org, syzkaller-a...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

nline]
NF_HOOK+0xdd/0x280 include/linux/netfilter.h:307
ndisc_send_skb+0x67f/0xa30 net/ipv6/ndisc.c:508
ndisc_send_rs+0x26c/0x360 net/ipv6/ndisc.c:702
addrconf_dad_completed+0x543/0xa70 net/ipv6/addrconf.c:4211
addrconf_dad_work+0xbdf/0x1440
process_one_work+0x405/0x6c0 kernel/workqueue.c:2297
worker_thread+0x6fd/0xa80 kernel/workqueue.c:2444
kthread+0x34c/0x420 kernel/kthread.c:319
ret_from_fork+0x1f/0x30
================================================================================


Warning: Permanently added '10.128.1.43' (ECDSA) to the list of known hosts.
2022/11/22 05:54:11 fuzzer started
2022/11/22 05:54:12 connecting to host at 10.128.0.163:39683
2022/11/22 05:54:12 checking machine...
2022/11/22 05:54:12 checking revisions...
2022/11/22 05:54:12 testing simple program...
[ 22.009184][ T24] audit: type=1400 audit(1669096452.210:73): avc: denied { integrity } for pid=367 comm="syz-fuzzer" lockdown_reason="debugfs access" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=lockdown permissive=1
[ 22.031728][ T24] audit: type=1400 audit(1669096452.210:74): avc: denied { getattr } for pid=367 comm="syz-fuzzer" path="user:[4026531837]" dev="nsfs" ino=4026531837 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1
[ 22.038148][ T375] cgroup: Unknown subsys name 'net'
[ 22.055904][ T24] audit: type=1400 audit(1669096452.210:75): avc: denied { read } for pid=367 comm="syz-fuzzer" dev="nsfs" ino=4026531837 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1
[ 22.081957][ T24] audit: type=1400 audit(1669096452.210:76): avc: denied { open } for pid=367 comm="syz-fuzzer" path="user:[4026531837]" dev="nsfs" ino=4026531837 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1
[ 22.082028][ T375] cgroup: Unknown subsys name 'devices'
[ 22.105106][ T24] audit: type=1400 audit(1669096452.210:77): avc: denied { read } for pid=367 comm="syz-fuzzer" name="raw-gadget" dev="devtmpfs" ino=165 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 22.105131][ T24] audit: type=1400 audit(1669096452.210:78): avc: denied { open } for pid=367 comm="syz-fuzzer" path="/dev/raw-gadget" dev="devtmpfs" ino=165 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 22.105150][ T24] audit: type=1400 audit(1669096452.230:79): avc: denied { mounton } for pid=375 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=1136 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1
[ 22.180642][ T24] audit: type=1400 audit(1669096452.230:80): avc: denied { mount } for pid=375 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 22.202888][ T24] audit: type=1400 audit(1669096452.260:81): avc: denied { unmount } for pid=375 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 22.320127][ T375] cgroup: Unknown subsys name 'hugetlb'
[ 22.325817][ T375] cgroup: Unknown subsys name 'rlimit'
[ 22.479523][ T24] audit: type=1400 audit(1669096452.680:82): avc: denied { setattr } for pid=375 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=165 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 22.553995][ T379] bridge0: port 1(bridge_slave_0) entered blocking state
[ 22.561234][ T379] bridge0: port 1(bridge_slave_0) entered disabled state
[ 22.568937][ T379] device bridge_slave_0 entered promiscuous mode
[ 22.575674][ T379] bridge0: port 2(bridge_slave_1) entered blocking state
[ 22.582810][ T379] bridge0: port 2(bridge_slave_1) entered disabled state
[ 22.590418][ T379] device bridge_slave_1 entered promiscuous mode
[ 22.624703][ T379] bridge0: port 2(bridge_slave_1) entered blocking state
[ 22.631774][ T379] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 22.639059][ T379] bridge0: port 1(bridge_slave_0) entered blocking state
[ 22.646080][ T379] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 22.663257][ T77] bridge0: port 1(bridge_slave_0) entered disabled state
[ 22.670487][ T77] bridge0: port 2(bridge_slave_1) entered disabled state
[ 22.677803][ T77] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 22.685442][ T77] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 22.694417][ T377] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 22.702559][ T377] bridge0: port 1(bridge_slave_0) entered blocking state
[ 22.709597][ T377] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 22.729961][ T77] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 22.738441][ T77] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 22.746394][ T77] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 22.754927][ T77] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 22.763155][ T77] bridge0: port 2(bridge_slave_1) entered blocking state
[ 22.770174][ T77] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 22.777454][ T77] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 22.785476][ T77] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 22.798577][ T25] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 22.807167][ T25] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 22.816162][ T127] ================================================================================
[ 22.825453][ T127] UBSAN: object-size-mismatch in ./include/linux/skbuff.h:2048:28
[ 22.833336][ T127] member access within address ffffc900008e7180 with insufficient space
[ 22.841736][ T127] for an object of type 'struct sk_buff'
[ 22.847341][ T127] CPU: 0 PID: 127 Comm: kworker/0:2 Not tainted 5.15.0-syzkaller #0
[ 22.855546][ T127] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 22.865588][ T127] Workqueue: ipv6_addrconf addrconf_dad_work
[ 22.871560][ T127] Call Trace:
[ 22.874822][ T127] dump_stack_lvl+0x151/0x1b7
[ 22.879484][ T127] ? bfq_pos_tree_add_move+0x439/0x439
[ 22.884919][ T127] ? lookup+0x358/0x3b0
[ 22.889053][ T127] dump_stack+0x15/0x17
[ 22.893184][ T127] ubsan_type_mismatch_common+0x1e9/0x390
[ 22.899154][ T127] __ubsan_handle_type_mismatch_v1+0x4b/0x60
[ 22.905395][ T127] wg_xmit+0x502/0xae0
[ 22.909442][ T127] ? wg_stop+0x140/0x140
[ 22.913660][ T127] netdev_start_xmit+0x8a/0x160
[ 22.918500][ T127] dev_hard_start_xmit+0x18d/0x2f0
[ 22.923621][ T127] __dev_queue_xmit+0x1138/0x1d10
[ 22.928622][ T127] ? dev_queue_xmit+0x20/0x20
[ 22.933285][ T127] ? __kasan_check_write+0x14/0x20
[ 22.938373][ T127] ? _raw_write_lock_bh+0xa3/0x170
[ 22.943482][ T127] ? _raw_write_lock_irq+0x170/0x170
[ 22.948827][ T127] ? __kasan_check_write+0x14/0x20
[ 22.953939][ T127] ? ndisc_constructor+0x653/0x850
[ 22.959033][ T127] ? __local_bh_enable_ip+0x58/0x80
[ 22.964207][ T127] ? _raw_write_unlock_bh+0x31/0x47
[ 22.969460][ T127] ? dev_hard_header+0xdb/0xf0
[ 22.974233][ T127] dev_queue_xmit+0x17/0x20
[ 22.978736][ T127] neigh_connected_output+0x288/0x2b0
[ 22.984087][ T127] ip6_finish_output2+0xb03/0x1080
[ 22.989178][ T127] ? __ip6_finish_output+0x530/0x530
[ 22.994440][ T127] ? ip6_mtu+0xd8/0x120
[ 22.998712][ T127] ? ip6_skb_dst_mtu+0xaf/0x220
[ 23.003535][ T127] __ip6_finish_output+0x3e6/0x530
[ 23.008634][ T127] ip6_finish_output+0x1c9/0x1e0
[ 23.013608][ T127] ? ip6_output+0x1d3/0x4a0
[ 23.018086][ T127] ip6_output+0x1f8/0x4a0
[ 23.022394][ T127] ? xfrm_pols_put+0x102/0x110
[ 23.027134][ T127] ? ac6_get_next+0x2a0/0x2a0
[ 23.031798][ T127] ? ip6_dst_idev+0x40/0x40
[ 23.036275][ T127] ? selinux_ipv6_forward+0x50/0x50
[ 23.041450][ T127] NF_HOOK+0xdd/0x280
[ 23.045406][ T127] ? addrconf_addr_solict_mult+0xe0/0xe0
[ 23.051054][ T127] ? NF_HOOK+0x280/0x280
[ 23.055269][ T127] ? xfrm_lookup+0x38/0x50
[ 23.059668][ T127] ? ndisc_send_skb+0x57e/0xa30
[ 23.064491][ T127] ? memcpy+0x56/0x70
[ 23.068447][ T127] ndisc_send_skb+0x67f/0xa30
[ 23.073097][ T127] ? ndisc_fill_addr_option+0x320/0x320
[ 23.078619][ T127] ? __kasan_check_write+0x14/0x20
[ 23.083704][ T127] ? skb_set_owner_w+0x19e/0x2f0
[ 23.088618][ T127] ? skb_put+0x119/0x200
[ 23.092832][ T127] ndisc_send_rs+0x26c/0x360
[ 23.097399][ T127] addrconf_dad_completed+0x543/0xa70
[ 23.102751][ T127] ? addrconf_dad_stop+0x480/0x480
[ 23.107834][ T127] addrconf_dad_work+0xbdf/0x1440
[ 23.112832][ T127] ? INIT_LIST_HEAD+0x60/0x60
[ 23.117491][ T127] ? __schedule+0x83e/0xba0
[ 23.121970][ T127] ? __kasan_check_write+0x14/0x20
[ 23.127060][ T127] process_one_work+0x405/0x6c0
[ 23.132050][ T127] worker_thread+0x6fd/0xa80
[ 23.136618][ T127] ? __kthread_parkme+0x139/0x180
[ 23.141626][ T127] kthread+0x34c/0x420
[ 23.145669][ T127] ? pr_cont_work+0x110/0x110
[ 23.150321][ T127] ? __list_add+0xc0/0xc0
[ 23.154625][ T127] ret_from_fork+0x1f/0x30
[ 23.159076][ T127] ================================================================================
[ 23.168334][ T127] ================================================================================
[ 23.177709][ T127] UBSAN: object-size-mismatch in ./include/linux/skbuff.h:1941:2
[ 23.185431][ T127] member access within address ffffc900008e7180 with insufficient space
[ 23.193772][ T127] for an object of type 'struct sk_buff'
[ 23.199499][ T127] CPU: 0 PID: 127 Comm: kworker/0:2 Not tainted 5.15.0-syzkaller #0
[ 23.207541][ T127] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 23.217572][ T127] Workqueue: ipv6_addrconf addrconf_dad_work
[ 23.223535][ T127] Call Trace:
[ 23.226884][ T127] dump_stack_lvl+0x151/0x1b7
[ 23.231653][ T127] ? bfq_pos_tree_add_move+0x439/0x439
[ 23.237090][ T127] ? lookup+0x358/0x3b0
[ 23.241220][ T127] dump_stack+0x15/0x17
[ 23.245355][ T127] ubsan_type_mismatch_common+0x1e9/0x390
[ 23.251047][ T127] __ubsan_handle_type_mismatch_v1+0x4b/0x60
[ 23.257012][ T127] wg_xmit+0x573/0xae0
[ 23.261059][ T127] ? wg_stop+0x140/0x140
[ 23.265277][ T127] netdev_start_xmit+0x8a/0x160
[ 23.270199][ T127] dev_hard_start_xmit+0x18d/0x2f0
[ 23.275286][ T127] __dev_queue_xmit+0x1138/0x1d10
[ 23.280286][ T127] ? dev_queue_xmit+0x20/0x20
[ 23.284937][ T127] ? __kasan_check_write+0x14/0x20
[ 23.290021][ T127] ? _raw_write_lock_bh+0xa3/0x170
[ 23.295106][ T127] ? _raw_write_lock_irq+0x170/0x170
[ 23.300371][ T127] ? __kasan_check_write+0x14/0x20
[ 23.305463][ T127] ? ndisc_constructor+0x653/0x850
[ 23.310643][ T127] ? __local_bh_enable_ip+0x58/0x80
[ 23.315818][ T127] ? _raw_write_unlock_bh+0x31/0x47
[ 23.320998][ T127] ? dev_hard_header+0xdb/0xf0
[ 23.325753][ T127] dev_queue_xmit+0x17/0x20
[ 23.330249][ T127] neigh_connected_output+0x288/0x2b0
[ 23.335611][ T127] ip6_finish_output2+0xb03/0x1080
[ 23.340699][ T127] ? __ip6_finish_output+0x530/0x530
[ 23.345960][ T127] ? ip6_mtu+0xd8/0x120
[ 23.350097][ T127] ? ip6_skb_dst_mtu+0xaf/0x220
[ 23.354918][ T127] __ip6_finish_output+0x3e6/0x530
[ 23.360008][ T127] ip6_finish_output+0x1c9/0x1e0
[ 23.364942][ T127] ? ip6_output+0x1d3/0x4a0
[ 23.369508][ T127] ip6_output+0x1f8/0x4a0
[ 23.374136][ T127] ? xfrm_pols_put+0x102/0x110
[ 23.378880][ T127] ? ac6_get_next+0x2a0/0x2a0
[ 23.383531][ T127] ? ip6_dst_idev+0x40/0x40
[ 23.388026][ T127] ? selinux_ipv6_forward+0x50/0x50
[ 23.393220][ T127] NF_HOOK+0xdd/0x280
[ 23.397190][ T127] ? addrconf_addr_solict_mult+0xe0/0xe0
[ 23.402801][ T127] ? NF_HOOK+0x280/0x280
[ 23.407104][ T127] ? xfrm_lookup+0x38/0x50
[ 23.411496][ T127] ? ndisc_send_skb+0x57e/0xa30
[ 23.416441][ T127] ? memcpy+0x56/0x70
[ 23.420410][ T127] ndisc_send_skb+0x67f/0xa30
[ 23.425071][ T127] ? ndisc_fill_addr_option+0x320/0x320
[ 23.430769][ T127] ? __kasan_check_write+0x14/0x20
[ 23.435859][ T127] ? skb_set_owner_w+0x19e/0x2f0
[ 23.440867][ T127] ? skb_put+0x119/0x200
[ 23.445097][ T127] ndisc_send_rs+0x26c/0x360
[ 23.449775][ T127] addrconf_dad_completed+0x543/0xa70
[ 23.455142][ T127] ? addrconf_dad_stop+0x480/0x480
[ 23.460246][ T127] addrconf_dad_work+0xbdf/0x1440
[ 23.465252][ T127] ? INIT_LIST_HEAD+0x60/0x60
[ 23.469908][ T127] ? __schedule+0x83e/0xba0
[ 23.474386][ T127] ? __kasan_check_write+0x14/0x20
2022/11/22 05:54:13 building call list...
[ 23.479473][ T127] process_one_work+0x405/0x6c0
[ 23.484306][ T127] worker_thread+0x6fd/0xa80
[ 23.488873][ T127] ? __kthread_parkme+0x139/0x180
[ 23.493878][ T127] kthread+0x34c/0x420
[ 23.497954][ T127] ? pr_cont_work+0x110/0x110
[ 23.502617][ T127] ? __list_add+0xc0/0xc0
[ 23.506937][ T127] ret_from_fork+0x1f/0x30
[ 23.511380][ T127] ================================================================================
[ 24.048801][ T9] device bridge_slave_1 left promiscuous mode
[ 24.054961][ T9] bridge0: port 2(bridge_slave_1) entered disabled state
[ 24.062980][ T9] device bridge_slave_0 left promiscuous mode
[ 24.069352][ T9] bridge0: port 1(bridge_slave_0) entered disabled state
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build3350285293=/tmp/go-build -gno-record-gcc-switches"

git status (err=<nil>)
HEAD detached at 80b58a420
nothing to commit, working tree clean


go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=80b58a4201a50d022574c185b387d54b3d442aae -X 'github.com/google/syzkaller/prog.gitRevisionDate=20221006-140716'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-fuzzer github.com/google/syzkaller/syz-fuzzer
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=80b58a4201a50d022574c185b387d54b3d442aae -X 'github.com/google/syzkaller/prog.gitRevisionDate=20221006-140716'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=80b58a4201a50d022574c185b387d54b3d442aae -X 'github.com/google/syzkaller/prog.gitRevisionDate=20221006-140716'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-stress github.com/google/syzkaller/tools/syz-stress
mkdir -p ./bin/linux_amd64
gcc -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -static-pie -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"80b58a4201a50d022574c185b387d54b3d442aae\"


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=116152e5880000


Tested on:

commit: 8bb7eca9 Linux 5.15
git tree: https://android.googlesource.com/kernel/common
kernel config: https://syzkaller.appspot.com/x/.config?x=c78e407c8db2ba90

Jun Nie

Nov 23, 2022, 2:36:03 AM11/23/22
to syzkaller-android-bugs, syzbot+4d15e7...@syzkaller.appspotmail.com
#syz test: https://android.googlesource.com/kernel/common f443e374ae131c16
Test: v5.17

Jun Nie

Nov 23, 2022, 3:41:50 AM11/23/22
to syzkaller-android-bugs, syzbot+4d15e7...@syzkaller.appspotmail.com
#syz test: https://android.googlesource.com/kernel/common android13-5.15-lts
0001-fs-erofs-add-sanity-check-for-kobject-in-erofs_unreg.patch

syzbot

Nov 23, 2022, 4:29:23 AM11/23/22
to jun...@linaro.org, syzkaller-a...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in __prepare_to_swait

R13: 0000000020000100 R14: 00007f120e657fe0 R15: 0000000020010880
</TASK>
---[ end trace 0000000000000000 ]---
general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 1 PID: 461 Comm: syz-executor.2 Tainted: G W 5.17.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
RIP: 0010:__list_add_valid+0x49/0xd0 lib/list_debug.c:26
Code: df 48 8d 5a 08 48 89 d8 48 c1 e8 03 42 80 3c 28 00 74 08 48 89 df e8 f6 d7 57 ff 48 8b 13 4c 39 e2 75 5a 4c 89 e0 48 c1 e8 03 <42> 80 3c 28 00 74 08 4c 89 e7 e8 d8 d7 57 ff 49 8b 14 24 4c 39 f2
RSP: 0018:ffffc90000f478e0 EFLAGS: 00010046
RAX: 0000000000000000 RBX: ffff888124213538 RCX: ffff888124213530
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffc90000f479e8
RBP: ffffc90000f47908 R08: dffffc0000000000 R09: 0000000000000003
R10: fffff520001e8f1d R11: 1ffff920001e8f1c R12: 0000000000000000
R13: dffffc0000000000 R14: ffff888124213530 R15: ffffc90000f479e8
FS: 00007f120e658700(0000) GS:ffff8881f7300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f753d49b000 CR3: 00000001241d2000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
__list_add include/linux/list.h:69 [inline]
list_add_tail include/linux/list.h:102 [inline]
__prepare_to_swait+0xad/0x140 kernel/sched/swait.c:89
do_wait_for_common kernel/sched/completion.c:82 [inline]
__wait_for_common kernel/sched/completion.c:106 [inline]
wait_for_common+0x257/0x430 kernel/sched/completion.c:117
wait_for_completion+0x18/0x20 kernel/sched/completion.c:138
erofs_unregister_sysfs+0x5e/0x70 fs/erofs/sysfs.c:226
erofs_put_super+0x46/0xa0 fs/erofs/super.c:771
generic_shutdown_super+0x147/0x330 fs/super.c:462
kill_block_super+0x80/0xe0 fs/super.c:1394
erofs_kill_sb+0x66/0x130 fs/erofs/super.c:752
deactivate_locked_super+0xa8/0x100 fs/super.c:332
get_tree_bdev+0x434/0x630 fs/super.c:1294
erofs_fc_get_tree+0x1c/0x20 fs/erofs/super.c:664
vfs_get_tree+0x88/0x290 fs/super.c:1497
do_new_mount+0x289/0xac0 fs/namespace.c:3024
path_mount+0x60c/0x1060 fs/namespace.c:3354
do_mount fs/namespace.c:3367 [inline]
__do_sys_mount fs/namespace.c:3575 [inline]
__se_sys_mount+0x2d2/0x3c0 fs/namespace.c:3552
__x64_sys_mount+0xbf/0xd0 fs/namespace.c:3552
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f120e6e4ada
Code: 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 b8 04 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f120e657f88 EFLAGS: 00000246
ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 0000000020000200 RCX: 00007f120e6e4ada
RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007f120e657fe0
RBP: 00007f120e658020 R08: 00007f120e658020 R09: 0000000020000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000020000000
R13: 0000000020000100 R14: 00007f120e657fe0 R15: 0000000020010880
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__list_add_valid+0x49/0xd0 lib/list_debug.c:26
Code: df 48 8d 5a 08 48 89 d8 48 c1 e8 03 42 80 3c 28 00 74 08 48 89 df e8 f6 d7 57 ff 48 8b 13 4c 39 e2 75 5a 4c 89 e0 48 c1 e8 03 <42> 80 3c 28 00 74 08 4c 89 e7 e8 d8 d7 57 ff 49 8b 14 24 4c 39 f2
RSP: 0018:ffffc90000f478e0 EFLAGS: 00010046
RAX: 0000000000000000 RBX: ffff888124213538 RCX: ffff888124213530
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffc90000f479e8
RBP: ffffc90000f47908 R08: dffffc0000000000 R09: 0000000000000003
R10: fffff520001e8f1d R11: 1ffff920001e8f1c R12: 0000000000000000
R13: dffffc0000000000 R14: ffff888124213530 R15: ffffc90000f479e8
FS: 00007f120e658700(0000) GS:ffff8881f7300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f753d49b000 CR3: 00000001241d2000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: df 48 8d fisttps -0x73(%rax)
3: 5a pop %rdx
4: 08 48 89 or %cl,-0x77(%rax)
7: d8 48 c1 fmuls -0x3f(%rax)
a: e8 03 42 80 3c callq 0x3c804212
f: 28 00 sub %al,(%rax)
11: 74 08 je 0x1b
13: 48 89 df mov %rbx,%rdi
16: e8 f6 d7 57 ff callq 0xff57d811
1b: 48 8b 13 mov (%rbx),%rdx
1e: 4c 39 e2 cmp %r12,%rdx
21: 75 5a jne 0x7d
23: 4c 89 e0 mov %r12,%rax
26: 48 c1 e8 03 shr $0x3,%rax
* 2a: 42 80 3c 28 00 cmpb $0x0,(%rax,%r13,1) <-- trapping instruction
2f: 74 08 je 0x39
31: 4c 89 e7 mov %r12,%rdi
34: e8 d8 d7 57 ff callq 0xff57d811
39: 49 8b 14 24 mov (%r12),%rdx
3d: 4c 39 f2 cmp %r14,%rdx


Tested on:

commit: f443e374 Linux 5.17
git tree: https://android.googlesource.com/kernel/common
console output: https://syzkaller.appspot.com/x/log.txt?x=11a1c4e5880000
kernel config: https://syzkaller.appspot.com/x/.config?x=9e96178dfbe44c12

syzbot

Nov 23, 2022, 4:35:27 AM11/23/22
to jun...@linaro.org, syzkaller-a...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to create VM pool: failed to create GCE image: create image operation failed: &{Code:PERMISSIONS_ERROR ErrorDetails:[] Location: Message:Required 'read' permission for 'ci2-android-5-15-test-job-test-job-image.tar.gz' ForceSendFields:[] NullFields:[]}.
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build2953736102=/tmp/go-build -gno-record-gcc-switches"

git status (err=<nil>)
HEAD detached at 80b58a420
nothing to commit, working tree clean


go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=80b58a4201a50d022574c185b387d54b3d442aae -X 'github.com/google/syzkaller/prog.gitRevisionDate=20221006-140716'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-fuzzer github.com/google/syzkaller/syz-fuzzer
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=80b58a4201a50d022574c185b387d54b3d442aae -X 'github.com/google/syzkaller/prog.gitRevisionDate=20221006-140716'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=80b58a4201a50d022574c185b387d54b3d442aae -X 'github.com/google/syzkaller/prog.gitRevisionDate=20221006-140716'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-stress github.com/google/syzkaller/tools/syz-stress
mkdir -p ./bin/linux_amd64
gcc -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -static-pie -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"80b58a4201a50d022574c185b387d54b3d442aae\"



Tested on:

commit: 4ec71a9e ANDROID: cpu/hotplug: call perf event through..
git tree: android13-5.15-lts
kernel config: https://syzkaller.appspot.com/x/.config?x=e49ce696089d33
dashboard link: https://syzkaller.appspot.com/bug?extid=4d15e77deaec58116d46
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=176c9681880000

Jun Nie

Nov 23, 2022, 5:01:29 AM11/23/22
to syzkaller-android-bugs, syzbot+4d15e7...@syzkaller.appspotmail.com
#syz test: https://android.googlesource.com/kernel/common android13-5.15-lts

The last test does not show a boot failure, while there is no clear build error. Try again.
0001-fs-erofs-add-sanity-check-for-kobject-in-erofs_unreg.patch

syzbot

Nov 23, 2022, 5:22:15 AM11/23/22
to jun...@linaro.org, syzkaller-a...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+4d15e7...@syzkaller.appspotmail.com

Tested on:

commit: 4ec71a9e ANDROID: cpu/hotplug: call perf event through..
git tree: android13-5.15-lts
console output: https://syzkaller.appspot.com/x/log.txt?x=10aaa531880000
kernel config: https://syzkaller.appspot.com/x/.config?x=e49ce696089d33
dashboard link: https://syzkaller.appspot.com/bug?extid=4d15e77deaec58116d46
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=17569d63880000

Note: testing is done by a robot and is best-effort only.

Jun Nie

Nov 23, 2022, 5:28:00 AM11/23/22
to syzkaller-android-bugs, syzbot+4d15e7...@syzkaller.appspotmail.com
#syz fix: "fs: erofs: add sanity check for kobject in erofs_unregister_sysfs"