[syzbot] KASAN: use-after-free Read in nilfs_mdt_destroy


syzbot

Sep 21, 2022, 12:02:42 PM
to konishi...@gmail.com, linux-...@vger.kernel.org, linux...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: a335366bad13 Merge tag 'gpio-fixes-for-v6.0-rc6' of git://..
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=13af94f8880000
kernel config: https://syzkaller.appspot.com/x/.config?x=98a30118ec9215e9
dashboard link: https://syzkaller.appspot.com/bug?extid=3974efaf68c77533b42d
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11e17937080000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1570a75d080000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+3974ef...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: use-after-free in nilfs_mdt_destroy+0x6f/0x80 fs/nilfs2/mdt.c:497
Read of size 8 at addr ffff888020124498 by task syz-executor134/3740

CPU: 0 PID: 3740 Comm: syz-executor134 Not tainted 6.0.0-rc5-syzkaller-00094-ga335366bad13 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:317 [inline]
print_report.cold+0x2ba/0x719 mm/kasan/report.c:433
kasan_report+0xb1/0x1e0 mm/kasan/report.c:495
nilfs_mdt_destroy+0x6f/0x80 fs/nilfs2/mdt.c:497
nilfs_free_inode+0x3e/0x60 fs/nilfs2/super.c:168
i_callback fs/inode.c:249 [inline]
alloc_inode+0x13b/0x230 fs/inode.c:274
new_inode_pseudo fs/inode.c:1019 [inline]
new_inode+0x27/0x270 fs/inode.c:1047
nilfs_new_inode+0xca/0x830 fs/nilfs2/inode.c:334
nilfs_create fs/nilfs2/namei.c:85 [inline]
nilfs_create+0xfe/0x300 fs/nilfs2/namei.c:75
vfs_create fs/namei.c:3115 [inline]
vfs_create+0x3e9/0x670 fs/namei.c:3101
do_mknodat+0x3d9/0x530 fs/namei.c:3942
__do_sys_mknodat fs/namei.c:3970 [inline]
__se_sys_mknodat fs/namei.c:3967 [inline]
__x64_sys_mknodat+0xaa/0xe0 fs/namei.c:3967
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f2443bec549
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffdd9390cc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000103
RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f2443bec549
RDX: 0000000000000000 RSI: 0000000020000040 RDI: 0000000000000005
RBP: 00007ffdd9390cf0 R08: 0000000000000001 R09: 00007ffdd9390d00
R10: 0000000000000103 R11: 0000000000000246 R12: 0000000000000003
R13: 00007ffdd9390d30 R14: 00007ffdd9390d10 R15: 0000000000000009
</TASK>

Allocated by task 3621:
kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
kasan_set_track mm/kasan/common.c:45 [inline]
set_alloc_info mm/kasan/common.c:437 [inline]
____kasan_kmalloc mm/kasan/common.c:516 [inline]
____kasan_kmalloc mm/kasan/common.c:475 [inline]
__kasan_kmalloc+0xa9/0xd0 mm/kasan/common.c:525
kmalloc include/linux/slab.h:605 [inline]
kzalloc include/linux/slab.h:733 [inline]
nilfs_mdt_init+0x2c/0x1e0 fs/nilfs2/mdt.c:451
nilfs_sufile_read+0x191/0x5a0 fs/nilfs2/sufile.c:1183
nilfs_load_super_root fs/nilfs2/the_nilfs.c:130 [inline]
load_nilfs+0x671/0x1330 fs/nilfs2/the_nilfs.c:269
nilfs_fill_super fs/nilfs2/super.c:1059 [inline]
nilfs_mount+0xa9a/0xfb0 fs/nilfs2/super.c:1317
legacy_get_tree+0x105/0x220 fs/fs_context.c:610
vfs_get_tree+0x89/0x2f0 fs/super.c:1530
do_new_mount fs/namespace.c:3040 [inline]
path_mount+0x1326/0x1e20 fs/namespace.c:3370
do_mount fs/namespace.c:3383 [inline]
__do_sys_mount fs/namespace.c:3591 [inline]
__se_sys_mount fs/namespace.c:3568 [inline]
__x64_sys_mount+0x27f/0x300 fs/namespace.c:3568
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

The buggy address belongs to the object at ffff888020124400
which belongs to the cache kmalloc-256 of size 256
The buggy address is located 152 bytes inside of
256-byte region [ffff888020124400, ffff888020124500)

The buggy address belongs to the physical page:
page:ffffea0000804900 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888020124a00 pfn:0x20124
head:ffffea0000804900 order:1 compound_mapcount:0 compound_pincount:0
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 ffffea0001ff2508 ffff888011840708 ffff888011841b40
raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 1, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 7456347523, free_ts 0
prep_new_page mm/page_alloc.c:2532 [inline]
get_page_from_freelist+0x109b/0x2ce0 mm/page_alloc.c:4283
__alloc_pages+0x1c7/0x510 mm/page_alloc.c:5515
alloc_page_interleave+0x1e/0x200 mm/mempolicy.c:2103
alloc_pages+0x22f/0x270 mm/mempolicy.c:2265
alloc_slab_page mm/slub.c:1824 [inline]
allocate_slab+0x27e/0x3d0 mm/slub.c:1969
new_slab mm/slub.c:2029 [inline]
___slab_alloc+0x7f1/0xe10 mm/slub.c:3031
__slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3118
slab_alloc_node mm/slub.c:3209 [inline]
slab_alloc mm/slub.c:3251 [inline]
__kmalloc+0x32b/0x340 mm/slub.c:4420
kmalloc include/linux/slab.h:605 [inline]
kzalloc include/linux/slab.h:733 [inline]
rh_call_control drivers/usb/core/hcd.c:514 [inline]
rh_urb_enqueue drivers/usb/core/hcd.c:848 [inline]
usb_hcd_submit_urb+0x661/0x2220 drivers/usb/core/hcd.c:1552
usb_submit_urb+0x86d/0x1880 drivers/usb/core/urb.c:594
usb_start_wait_urb+0x101/0x4b0 drivers/usb/core/message.c:58
usb_internal_control_msg drivers/usb/core/message.c:102 [inline]
usb_control_msg+0x31c/0x4a0 drivers/usb/core/message.c:153
usb_get_string+0xbe/0x1b0 drivers/usb/core/message.c:843
usb_string_sub+0xfa/0x3d0 drivers/usb/core/message.c:882
usb_string+0x2fb/0x530 drivers/usb/core/message.c:987
usb_cache_string+0x82/0x140 drivers/usb/core/message.c:1029
page_owner free stack trace missing

Memory state around the buggy address:
ffff888020124380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888020124400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888020124480: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
^
ffff888020124500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888020124580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches

Ryusuke Konishi

Sep 21, 2022, 12:11:21 PM
to syzbot, linux-...@vger.kernel.org, linux...@vger.kernel.org, syzkall...@googlegroups.com
This looks like the same issue as the report [1]:

[1] https://lore.kernel.org/all/CAFcO6XOcf1Jj2SeGt=jJV59wmhESeSKpfR...@mail.gmail.com/T/#u

The bug fix patch for this is queued in the vfs tree with the title
"fs: fix UAF/GPF bug in nilfs_mdt_destroy" [2]:

[2] https://lkml.kernel.org/r/20220816040859...@hust.edu.cn

It's in the latest linux-next as well.
As the outlook for now, this patch would be merged to the mainline
after Linux kernel 6.0 is released, and then backported to stable
trees.

Thanks,
Ryusuke Konishi

syzbot

Sep 23, 2022, 6:29:21 AM
to konishi...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

[ 6.639514][ T1] general protection fault, probably for non-canonical address 0xffff000000000100: 0000 [#1] PREEMPT SMP KASAN
[ 6.641128][ T1] KASAN: maybe wild-memory-access in range [0xfff8200000000800-0xfff8200000000807]
[ 6.642676][ T1] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.0.0-rc1-syzkaller-00001-g2e488f13755f #0
[ 6.644069][ T1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
[ 6.645489][ T1] RIP: 0010:__kmalloc_node_track_caller+0x13d/0x380
[ 6.645840][ T1] Code: 8b 0f 48 83 f9 ff 0f 84 44 02 00 00 48 8b 0f 48 c1 e9 3a 39 4c 24 08 0f 85 b0 01 00 00 49 8b 3c 24 41 8b 4c 24 28 40 f6 c7 0f <48> 8b 1c 08 0f 85 1a 02 00 00 48 8d 4a 08 65 48 0f c7 0f 0f 94 c0
[ 6.645840][ T1] RSP: 0018:ffffc90000067908 EFLAGS: 00010246
[ 6.645840][ T1] RAX: ffff000000000000 RBX: ffff88801f884000 RCX: 0000000000000100
[ 6.645840][ T1] RDX: 0000000000002fe8 RSI: 0000000000000200 RDI: 000000000003dbf0
[ 6.645840][ T1] RBP: 00000000000928c0 R08: 0000000000000001 R09: 0000000000000000
[ 6.645840][ T1] R10: 0000000000000000 R11: 0000000000000000 R12: ffff888011841c80
[ 6.645840][ T1] R13: 00000000000001c0 R14: 0000000000000000 R15: 00000000000928c0
[ 6.645840][ T1] FS: 0000000000000000(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000
[ 6.645840][ T1] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 6.657765][ T1] CR2: ffff88823ffff000 CR3: 000000000bc8e000 CR4: 0000000000350ef0
[ 6.658963][ T1089] sd 0:0:1:0: [sda] 4194304 512-byte logical blocks: (2.15 GB/2.00 GiB)
[ 6.658788][ T1] Call Trace:
[ 6.660655][ T1089] sd 0:0:1:0: [sda] 4096-byte physical blocks
[ 6.658788][ T1] <TASK>
[ 6.658788][ T1] ? netlink_trim+0x1ea/0x240
[ 6.662171][ T1089] sd 0:0:1:0: [sda] Write Protect is off
[ 6.658788][ T1] pskb_expand_head+0x203/0x1110
[ 6.663155][ T1089] sd 0:0:1:0: [sda] Mode Sense: 1f 00 00 08
[ 6.658788][ T1] netlink_trim+0x1ea/0x240
[ 6.665232][ T90] sd 0:0:1:0: Attached scsi generic sg0 type 0
[ 6.658788][ T1] netlink_broadcast+0x5f/0xd90
[ 6.666699][ T1089] sd 0:0:1:0: [sda] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
[ 6.658788][ T1] ? __nla_reserve+0x9a/0xc0
[ 6.658788][ T1] ? nla_put+0xfe/0x130
[ 6.658788][ T1] genl_ctrl_event.isra.0+0x3bf/0xa00
[ 6.658788][ T1] ? ctrl_getfamily+0x540/0x540
[ 6.658788][ T1] ? do_raw_read_unlock+0x70/0x70
[ 6.658788][ T1] ? up_write+0x148/0x470
[ 6.658788][ T1] genl_register_family+0xc9b/0x1410
[ 6.658788][ T1] ? console_unlock+0x3f8/0x5a0
[ 6.658788][ T1] ? genl_unregister_family+0x740/0x740
[ 6.675883][ T1] ? console_emit_next_record.constprop.0+0x840/0x840
[ 6.675883][ T1] ? vprintk+0x40/0x90
[ 6.675883][ T1] ? hwsim_del_edge_nl+0x7c0/0x7c0
[ 6.675883][ T1] ? preempt_count_add+0x74/0x140
[ 6.675883][ T1] ? hwsim_del_edge_nl+0x7c0/0x7c0
[ 6.675883][ T1] ? vprintk+0x88/0x90
[ 6.675883][ T1] ? atusb_driver_init+0x1a/0x1a
[ 6.675883][ T1] hwsim_init_module+0x70/0x174
[ 6.675883][ T1] ? atusb_driver_init+0x1a/0x1a
[ 6.675883][ T1] ? atusb_driver_init+0x1a/0x1a
[ 6.675883][ T1] do_one_initcall+0xfe/0x650
[ 6.684099][ T1089] sda: sda1
[ 6.675883][ T1] ? trace_event_raw_event_initcall_level+0x1f0/0x1f0
[ 6.685683][ T1089] sd 0:0:1:0: [sda] Attached SCSI disk
[ 6.685490][ T1] ? parameq+0x110/0x170
[ 6.685490][ T1] kernel_init_freeable+0x6b1/0x73a
[ 6.687528][ T1] ? rest_init+0x270/0x270
[ 6.687528][ T1] kernel_init+0x1a/0x1d0
[ 6.687528][ T1] ? rest_init+0x270/0x270
[ 6.687528][ T1] ret_from_fork+0x1f/0x30
[ 6.687528][ T1] </TASK>
[ 6.687528][ T1] Modules linked in:
[ 6.687528][ C0] vkms_vblank_simulate: vblank timer overrun
[ 6.692902][ T1] ---[ end trace 0000000000000000 ]---
[ 6.693639][ T1] RIP: 0010:__kmalloc_node_track_caller+0x13d/0x380
[ 6.694525][ T1] Code: 8b 0f 48 83 f9 ff 0f 84 44 02 00 00 48 8b 0f 48 c1 e9 3a 39 4c 24 08 0f 85 b0 01 00 00 49 8b 3c 24 41 8b 4c 24 28 40 f6 c7 0f <48> 8b 1c 08 0f 85 1a 02 00 00 48 8d 4a 08 65 48 0f c7 0f 0f 94 c0
[ 6.697284][ T1] RSP: 0018:ffffc90000067908 EFLAGS: 00010246
[ 6.698246][ T1] RAX: ffff000000000000 RBX: ffff88801f884000 RCX: 0000000000000100
[ 6.699336][ T1] RDX: 0000000000002fe8 RSI: 0000000000000200 RDI: 000000000003dbf0
[ 6.700475][ T1] RBP: 00000000000928c0 R08: 0000000000000001 R09: 0000000000000000
[ 6.701559][ T1] R10: 0000000000000000 R11: 0000000000000000 R12: ffff888011841c80
[ 6.702646][ T1] R13: 00000000000001c0 R14: 0000000000000000 R15: 00000000000928c0
[ 6.703699][ T1] FS: 0000000000000000(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000
[ 6.704958][ T1] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 6.706946][ T1] CR2: ffff88823ffff000 CR3: 000000000bc8e000 CR4: 0000000000350ef0
[ 6.708073][ T1] Kernel panic - not syncing: Fatal exception
[ 6.709406][ T1] Kernel Offset: disabled
[ 6.710013][ T1] Rebooting in 86400 seconds..


syzkaller build log:


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=16d229d8880000


Tested on:

commit: 2e488f13 fs: fix UAF/GPF bug in nilfs_mdt_destroy
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs.git
kernel config: https://syzkaller.appspot.com/x/.config?x=c1b00f8f52026440
dashboard link: https://syzkaller.appspot.com/bug?extid=3974efaf68c77533b42d
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2

Note: no patches were applied.

Ryusuke Konishi

Sep 24, 2022, 4:18:09 AM
to syzbot, linux-...@vger.kernel.org, linux...@vger.kernel.org, syzkall...@googlegroups.com
#syz fix: fs: fix UAF/GPF bug in nilfs_mdt_destroy

According to the stack trace, the crash at nilfs_mdt_destroy() has
happened in the case where inode_init_always() failed in alloc_inode().
This problem is exactly what the above patch fixes.

Ryusuke Konishi
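Konishi's diagnosis above (the crash in nilfs_mdt_destroy() occurs when inode_init_always() fails inside alloc_inode()) can be replayed in a small C model. This is an added illustration, not code from this thread, from fs/inode.c or from fs/nilfs2; it assumes, as a model of the failure mode, that the initializer bailed out before resetting the inode's i_private field on a recycled slab object, so the free_inode callback acted on a stale pointer. All toy_ names are hypothetical.

```c
#include <stddef.h>

/* Toy per-fs metadata state, standing in for nilfs_mdt_info. Kept static so
 * that "freeing" it twice only bumps a counter instead of corrupting memory. */
struct toy_mdt {
    int freed;        /* how many times the free path ran on it */
    int double_free;  /* set when the free path ran on already-freed state */
};

/* Toy inode: only the field that matters for this bug. */
struct toy_inode {
    void *i_private;  /* nilfs2 recognises metadata-file inodes via i_private */
};

/* Toy slab: one object handed out again and again without zeroing, which is
 * what lets a pointer left by the previous user survive into the next one. */
static struct toy_inode slab_obj;
static struct toy_inode *toy_slab_alloc(void) { return &slab_obj; }

/* Shaped like nilfs_free_inode(): tear down mdt state if the inode looks like
 * a metadata-file inode. With a stale i_private this is the use-after-free. */
static void toy_free_inode(struct toy_inode *inode)
{
    struct toy_mdt *mdt = inode->i_private;
    if (mdt) {
        if (mdt->freed)
            mdt->double_free = 1;
        mdt->freed++;
    }
}

/* Buggy initializer (model): the fallible step runs BEFORE the field reset,
 * so on failure i_private still holds whatever the slab object last had. */
static int toy_init_always_buggy(struct toy_inode *inode, int step_fails)
{
    if (step_fails)
        return -1;                 /* bails out with i_private untouched */
    inode->i_private = NULL;
    return 0;
}

/* Fixed initializer (model): reset every field first and fail last, so the
 * free path always sees a fully initialised object. */
static int toy_init_always_fixed(struct toy_inode *inode, int step_fails)
{
    inode->i_private = NULL;
    if (step_fails)
        return -1;
    return 0;
}

/* Replays the sequence from the report: a metadata inode occupies the slab
 * object and is freed; the object is reused, the initializer fails, and the
 * alloc_inode() error path calls free_inode. Returns 1 if stale state was
 * torn down a second time, 0 if the error path was harmless. */
static int replay(int (*init)(struct toy_inode *, int))
{
    static struct toy_mdt mdt;
    mdt.freed = 0;
    mdt.double_free = 0;

    struct toy_inode *first = toy_slab_alloc();
    init(first, 0);
    first->i_private = &mdt;       /* like nilfs_mdt_init() attaching state */
    toy_free_inode(first);         /* legitimate teardown: mdt.freed == 1 */

    struct toy_inode *second = toy_slab_alloc();   /* same memory, reused */
    if (init(second, 1) != 0)
        toy_free_inode(second);    /* alloc_inode() error path */

    return mdt.double_free;
}
```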