general protection fault in do_syscall_64
瀏覽次數:35 次
跳到第一則未讀訊息
syzbot
2020年3月28日 下午3:34:152020/3/28
收件者:b...@alien8.de、h...@zytor.com、linux-...@vger.kernel.org、lu...@kernel.org、mi...@redhat.com、syzkall...@googlegroups.com、tg...@linutronix.de、x...@kernel.org
Hello,
syzbot found the following crash on:
HEAD commit: 69c5eea3 Merge branch 'parisc-5.6-2' of git://git.kernel.o..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14d3517be00000
kernel config: https://syzkaller.appspot.com/x/.config?x=4ac76c43beddbd9
dashboard link: https://syzkaller.appspot.com/bug?extid=f9b2c53f55a9270fc778
compiler: clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15059d05e00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16e5d5a3e00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+f9b2c5...@syzkaller.appspotmail.com
general protection fault, probably for non-canonical address 0x1ffffffff1215a85: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 7207 Comm: syz-executor045 Not tainted 5.6.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__read_once_size include/linux/compiler.h:199 [inline]
RIP: 0010:do_syscall_64+0x5f/0x1b0 arch/x86/entry/common.c:289
Code: 48 c7 c7 28 d4 0a 89 e8 bf 5d b0 00 48 83 3d af 5b 0a 08 00 0f 84 58 01 00 00 fb 66 0f 1f 44 00 00 65 48 8b 1c 25 c0 1d 02 00 <48> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
RSP: 0018:ffffc90001617f28 EFLAGS: 00010282
RAX: 1ffffffff1215a85 RBX: ffff888095530380 RCX: ffff888095530380
RDX: dffffc0000000000 RSI: 0000000000000000 RDI: ffff888095530bc4
RBP: 0000000000000000 R08: ffffffff817a2210 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000023
R13: dffffc0000000000 R14: ffffc90001617f58 R15: 0000000000000000
FS: 0000000001333880(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f87bf9aae78 CR3: 00000000a6a3f000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4454e1
Code: 75 14 b8 23 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 64 1f fc ff c3 48 83 ec 08 e8 9a 42 00 00 48 89 04 24 b8 23 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 e3 42 00 00 48 89 d0 48 83 c4 08 48 3d 01
RSP: 002b:00007ffd72d164b0 EFLAGS: 00000293 ORIG_RAX: 0000000000000023
RAX: ffffffffffffffda RBX: 000000000000000c RCX: 00000000004454e1
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00007ffd72d164c0
RBP: 00000000006dbc20 R08: 0000000000000000 R09: 0000000000000000
R10: 00007ffd72d164e0 R11: 0000000000000293 R12: 0000000000000000
R13: 00000000006dbc2c R14: 000000000000000a R15: 0000000000000000
Modules linked in:
---[ end trace 3da67f82bf6bae14 ]---
RIP: 0010:__read_once_size include/linux/compiler.h:199 [inline]
RIP: 0010:do_syscall_64+0x5f/0x1b0 arch/x86/entry/common.c:289
Code: 48 c7 c7 28 d4 0a 89 e8 bf 5d b0 00 48 83 3d af 5b 0a 08 00 0f 84 58 01 00 00 fb 66 0f 1f 44 00 00 65 48 8b 1c 25 c0 1d 02 00 <48> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
RSP: 0018:ffffc90001617f28 EFLAGS: 00010282
RAX: 1ffffffff1215a85 RBX: ffff888095530380 RCX: ffff888095530380
RDX: dffffc0000000000 RSI: 0000000000000000 RDI: ffff888095530bc4
RBP: 0000000000000000 R08: ffffffff817a2210 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000023
R13: dffffc0000000000 R14: ffffc90001617f58 R15: 0000000000000000
FS: 0000000001333880(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f87bf9aae78 CR3: 00000000a6a3f000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot found the following crash on:
HEAD commit: 69c5eea3 Merge branch 'parisc-5.6-2' of git://git.kernel.o..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14d3517be00000
kernel config: https://syzkaller.appspot.com/x/.config?x=4ac76c43beddbd9
dashboard link: https://syzkaller.appspot.com/bug?extid=f9b2c53f55a9270fc778
compiler: clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15059d05e00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16e5d5a3e00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+f9b2c5...@syzkaller.appspotmail.com
general protection fault, probably for non-canonical address 0x1ffffffff1215a85: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 7207 Comm: syz-executor045 Not tainted 5.6.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__read_once_size include/linux/compiler.h:199 [inline]
RIP: 0010:do_syscall_64+0x5f/0x1b0 arch/x86/entry/common.c:289
Code: 48 c7 c7 28 d4 0a 89 e8 bf 5d b0 00 48 83 3d af 5b 0a 08 00 0f 84 58 01 00 00 fb 66 0f 1f 44 00 00 65 48 8b 1c 25 c0 1d 02 00 <48> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
RSP: 0018:ffffc90001617f28 EFLAGS: 00010282
RAX: 1ffffffff1215a85 RBX: ffff888095530380 RCX: ffff888095530380
RDX: dffffc0000000000 RSI: 0000000000000000 RDI: ffff888095530bc4
RBP: 0000000000000000 R08: ffffffff817a2210 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000023
R13: dffffc0000000000 R14: ffffc90001617f58 R15: 0000000000000000
FS: 0000000001333880(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f87bf9aae78 CR3: 00000000a6a3f000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4454e1
Code: 75 14 b8 23 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 64 1f fc ff c3 48 83 ec 08 e8 9a 42 00 00 48 89 04 24 b8 23 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 e3 42 00 00 48 89 d0 48 83 c4 08 48 3d 01
RSP: 002b:00007ffd72d164b0 EFLAGS: 00000293 ORIG_RAX: 0000000000000023
RAX: ffffffffffffffda RBX: 000000000000000c RCX: 00000000004454e1
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00007ffd72d164c0
RBP: 00000000006dbc20 R08: 0000000000000000 R09: 0000000000000000
R10: 00007ffd72d164e0 R11: 0000000000000293 R12: 0000000000000000
R13: 00000000006dbc2c R14: 000000000000000a R15: 0000000000000000
Modules linked in:
---[ end trace 3da67f82bf6bae14 ]---
RIP: 0010:__read_once_size include/linux/compiler.h:199 [inline]
RIP: 0010:do_syscall_64+0x5f/0x1b0 arch/x86/entry/common.c:289
Code: 48 c7 c7 28 d4 0a 89 e8 bf 5d b0 00 48 83 3d af 5b 0a 08 00 0f 84 58 01 00 00 fb 66 0f 1f 44 00 00 65 48 8b 1c 25 c0 1d 02 00 <48> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
RSP: 0018:ffffc90001617f28 EFLAGS: 00010282
RAX: 1ffffffff1215a85 RBX: ffff888095530380 RCX: ffff888095530380
RDX: dffffc0000000000 RSI: 0000000000000000 RDI: ffff888095530bc4
RBP: 0000000000000000 R08: ffffffff817a2210 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000023
R13: dffffc0000000000 R14: ffffc90001617f58 R15: 0000000000000000
FS: 0000000001333880(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f87bf9aae78 CR3: 00000000a6a3f000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
Andy Lutomirski
2020年3月28日 晚上8:37:372020/3/28
收件者:syzbot、Linux Fbdev development list、Borislav Petkov、H. Peter Anvin、LKML、Andrew Lutomirski、Ingo Molnar、syzkall...@googlegroups.com、Thomas Gleixner、X86 ML
On Sat, Mar 28, 2020 at 12:34 PM syzbot
<syzbot+f9b2c5...@syzkaller.appspotmail.com> wrote:
>
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: 69c5eea3 Merge branch 'parisc-5.6-2' of git://git.kernel.o..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=14d3517be00000
> kernel config: https://syzkaller.appspot.com/x/.config?x=4ac76c43beddbd9
> dashboard link: https://syzkaller.appspot.com/bug?extid=f9b2c53f55a9270fc778
> compiler: clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15059d05e00000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16e5d5a3e00000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+f9b2c5...@syzkaller.appspotmail.com
Hi framebuffer people-
<syzbot+f9b2c5...@syzkaller.appspotmail.com> wrote:
>
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: 69c5eea3 Merge branch 'parisc-5.6-2' of git://git.kernel.o..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=14d3517be00000
> kernel config: https://syzkaller.appspot.com/x/.config?x=4ac76c43beddbd9
> dashboard link: https://syzkaller.appspot.com/bug?extid=f9b2c53f55a9270fc778
> compiler: clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15059d05e00000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16e5d5a3e00000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+f9b2c5...@syzkaller.appspotmail.com
Somewhere in the framebuffer code is a horrible bug that spews zeros
over kernel memory (including text, suggesting a *physical* memory
overrun). My suspicion is that there is insufficient validation in
the ioctls that set font parameters.
Could someone who is actually familiar with this code take a look?
--Andy
Bartlomiej Zolnierkiewicz
2020年3月31日 上午8:38:532020/3/31
收件者:Andy Lutomirski、syzbot、Linux Fbdev development list、Borislav Petkov、H. Peter Anvin、LKML、Ingo Molnar、syzkall...@googlegroups.com、Thomas Gleixner、X86 ML、DRI
[ please remember to include dri-devel ML & me on fbdev issues, thank you ]
On 3/29/20 1:37 AM, Andy Lutomirski wrote:
> On Sat, Mar 28, 2020 at 12:34 PM syzbot
> <syzbot+f9b2c5...@syzkaller.appspotmail.com> wrote:
>>
>> Hello,
>>
>> syzbot found the following crash on:
>>
>> HEAD commit: 69c5eea3 Merge branch 'parisc-5.6-2' of git://git.kernel.o..
>> git tree: upstream
>> console output: https://syzkaller.appspot.com/x/log.txt?x=14d3517be00000
>> kernel config: https://syzkaller.appspot.com/x/.config?x=4ac76c43beddbd9
>> dashboard link: https://syzkaller.appspot.com/bug?extid=f9b2c53f55a9270fc778
>> compiler: clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)
>> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15059d05e00000
>> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16e5d5a3e00000
>>
>> IMPORTANT: if you fix the bug, please add the following tag to the commit:
>> Reported-by: syzbot+f9b2c5...@syzkaller.appspotmail.com
>
> Hi framebuffer people-
> Somewhere in the framebuffer code is a horrible bug that spews zeros
> over kernel memory (including text, suggesting a *physical* memory
> overrun). My suspicion is that there is insufficient validation in
> the ioctls that set font parameters.
being added so syzbot reports are not for a new bugs (regressions) and
are not a priority (at least to me).
> Could someone who is actually familiar with this code take a look?
resources to review/merge pending fbdev patches from time to time so
any help in fixing this and other syzbot reports is welcomed.
PS fbdev is maintained through drm-misc tree so patches can also be
handled by other drm-misc maintainers in case I'm not available.
Best regards,
--
Bartlomiej Zolnierkiewicz
Samsung R&D Institute Poland
Samsung Electronics
Best regards,
--
Bartlomiej Zolnierkiewicz
Samsung R&D Institute Poland
Samsung Electronics
回覆所有人
回覆作者
轉寄
0 則新訊息