[syzbot] general protection fault in kernfs_find_ns


syzbot

Dec 4, 2021, 4:56:19 AM12/4/21
to gre...@linuxfoundation.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, t...@kernel.org
Hello,

syzbot found the following issue on:

HEAD commit: 923dcc5eb0c1 Merge branch 'akpm' (patches from Andrew)
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1699b75eb00000
kernel config: https://syzkaller.appspot.com/x/.config?x=8c5999a5ee199b97
dashboard link: https://syzkaller.appspot.com/bug?extid=606682dc540a22b8dbef
compiler: Debian clang version 11.0.1-2, GNU ld (GNU Binutils for Debian) 2.35.2

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+606682...@syzkaller.appspotmail.com

general protection fault, probably for non-canonical address 0xdffffc00000297c7: 0000 [#1] PREEMPT SMP KASAN
KASAN: probably user-memory-access in range [0x000000000014be38-0x000000000014be3f]
CPU: 1 PID: 1025 Comm: kworker/u4:4 Not tainted 5.16.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: netns cleanup_net
RIP: 0010:strlen+0x27/0x60 lib/string.c:487
Code: 0f 1f 00 41 57 41 56 53 49 89 fe 49 bf 00 00 00 00 00 fc ff df 48 89 f8 66 2e 0f 1f 84 00 00 00 00 00 90 48 89 c3 48 c1 e8 03 <42> 0f b6 04 38 84 c0 75 0b 48 8d 43 01 80 3b 00 75 e7 eb 13 89 d9
RSP: 0018:ffffc900045c7960 EFLAGS: 00010202
RAX: 00000000000297c7 RBX: 000000000014be38 RCX: ffff88801ca3ba01
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 000000000014be38
RBP: 0000000000000001 R08: ffffffff82081018 R09: fffffbfff198b682
R10: fffffbfff198b682 R11: 0000000000000000 R12: ffff8880b4e63828
R13: 0000000000000000 R14: 000000000014be38 R15: dffffc0000000000
FS: 0000000000000000(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055f79b499a90 CR3: 00000000447a1000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
kernfs_name_hash fs/kernfs/dir.c:302 [inline]
kernfs_find_ns+0xe7/0x4d0 fs/kernfs/dir.c:799
kernfs_remove_by_name_ns+0x32/0x90 fs/kernfs/dir.c:1542
kernfs_remove_by_name include/linux/kernfs.h:570 [inline]
remove_files fs/sysfs/group.c:28 [inline]
sysfs_remove_group+0xf7/0x280 fs/sysfs/group.c:288
sysfs_remove_groups+0x5b/0xb0 fs/sysfs/group.c:312
destroy_port drivers/infiniband/core/sysfs.c:1284 [inline]
ib_free_port_attrs+0x339/0x3c0 drivers/infiniband/core/sysfs.c:1409
remove_one_compat_dev drivers/infiniband/core/device.c:1001 [inline]
rdma_dev_exit_net+0x20d/0x370 drivers/infiniband/core/device.c:1139
ops_exit_list net/core/net_namespace.c:168 [inline]
cleanup_net+0x758/0xc50 net/core/net_namespace.c:593
process_one_work+0x853/0x1140 kernel/workqueue.c:2298
worker_thread+0xac1/0x1320 kernel/workqueue.c:2445
kthread+0x468/0x490 kernel/kthread.c:327
ret_from_fork+0x1f/0x30
</TASK>
Modules linked in:
---[ end trace 0b26f5c4a2c69aa9 ]---
RIP: 0010:strlen+0x27/0x60 lib/string.c:487
Code: 0f 1f 00 41 57 41 56 53 49 89 fe 49 bf 00 00 00 00 00 fc ff df 48 89 f8 66 2e 0f 1f 84 00 00 00 00 00 90 48 89 c3 48 c1 e8 03 <42> 0f b6 04 38 84 c0 75 0b 48 8d 43 01 80 3b 00 75 e7 eb 13 89 d9
RSP: 0018:ffffc900045c7960 EFLAGS: 00010202
RAX: 00000000000297c7 RBX: 000000000014be38 RCX: ffff88801ca3ba01
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 000000000014be38
RBP: 0000000000000001 R08: ffffffff82081018 R09: fffffbfff198b682
R10: fffffbfff198b682 R11: 0000000000000000 R12: ffff8880b4e63828
R13: 0000000000000000 R14: 000000000014be38 R15: dffffc0000000000
FS: 0000000000000000(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2c72a000 CR3: 000000009369d000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 0f 1f 00 nopl (%rax)
3: 41 57 push %r15
5: 41 56 push %r14
7: 53 push %rbx
8: 49 89 fe mov %rdi,%r14
b: 49 bf 00 00 00 00 00 movabs $0xdffffc0000000000,%r15
12: fc ff df
15: 48 89 f8 mov %rdi,%rax
18: 66 2e 0f 1f 84 00 00 nopw %cs:0x0(%rax,%rax,1)
1f: 00 00 00
22: 90 nop
23: 48 89 c3 mov %rax,%rbx
26: 48 c1 e8 03 shr $0x3,%rax
* 2a: 42 0f b6 04 38 movzbl (%rax,%r15,1),%eax <-- trapping instruction
2f: 84 c0 test %al,%al
31: 75 0b jne 0x3e
33: 48 8d 43 01 lea 0x1(%rbx),%rax
37: 80 3b 00 cmpb $0x0,(%rbx)
3a: 75 e7 jne 0x23
3c: eb 13 jmp 0x51
3e: 89 d9 mov %ebx,%ecx


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

Mar 28, 2022, 8:22:14 PM3/28/22
to syzkall...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.