[syzbot] [netfs?] divide error in netfs_submit_writethrough

syzbot

Apr 4, 2024, 10:43:35 PM
to dhow...@redhat.com, jla...@kernel.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, ne...@lists.linux.dev, syzkall...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 39cd87c4eb2b Linux 6.9-rc2
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=133bffe6180000
kernel config: https://syzkaller.appspot.com/x/.config?x=8c2c72b264636e25
dashboard link: https://syzkaller.appspot.com/bug?extid=f3a09670f3d2a55b89b2
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: i386

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7bc7510fe41f/non_bootable_disk-39cd87c4.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/9e28c9b1ddc4/vmlinux-39cd87c4.xz
kernel image: https://storage.googleapis.com/syzbot-assets/17cff5c46535/bzImage-39cd87c4.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+f3a096...@syzkaller.appspotmail.com

divide error: 0000 [#1] PREEMPT SMP KASAN NOPTI
CPU: 2 PID: 7215 Comm: syz-executor.1 Not tainted 6.9.0-rc2-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
RIP: 0010:netfs_submit_writethrough+0x201/0x280 fs/netfs/output.c:427
Code: fc ff df 48 89 fa 48 c1 ea 03 0f b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 1a 8b 8b 0c 01 00 00 48 89 e8 31 d2 <48> f7 f1 48 89 c5 48 0f af e9 e9 1d ff ff ff e8 6b 1c b9 ff eb df
RSP: 0018:ffffc90001f1f740 EFLAGS: 00010246
RAX: 0000000000001000 RBX: ffff88801fd08c00 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff82317e29 RDI: ffff88801fd08d0c
RBP: 0000000000001000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000003 R12: 0000000000000000
R13: ffff8880545c2920 R14: ffff88801fd08d20 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff88802c400000(0063) knlGS:00000000f5ecab40
CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: 000000002000f000 CR3: 0000000053f7e000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
netfs_advance_writethrough+0x13f/0x170 fs/netfs/output.c:449
netfs_perform_write+0x1b9f/0x26b0 fs/netfs/buffered_write.c:385
netfs_buffered_write_iter_locked+0x213/0x2c0 fs/netfs/buffered_write.c:454
netfs_file_write_iter+0x1e0/0x470 fs/netfs/buffered_write.c:493
v9fs_file_write_iter+0xa1/0x100 fs/9p/vfs_file.c:407
call_write_iter include/linux/fs.h:2108 [inline]
do_iter_readv_writev+0x504/0x780 fs/read_write.c:741
vfs_writev+0x36f/0xdb0 fs/read_write.c:971
do_pwritev+0x1b2/0x260 fs/read_write.c:1072
__do_compat_sys_pwritev2 fs/read_write.c:1218 [inline]
__se_compat_sys_pwritev2 fs/read_write.c:1210 [inline]
__ia32_compat_sys_pwritev2+0x121/0x1b0 fs/read_write.c:1210
do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline]
__do_fast_syscall_32+0x7a/0x120 arch/x86/entry/common.c:321
do_fast_syscall_32+0x32/0x80 arch/x86/entry/common.c:346
entry_SYSENTER_compat_after_hwframe+0x7f/0x89
RIP: 0023:0xf72d0579
Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00
RSP: 002b:00000000f5eca5ac EFLAGS: 00000292 ORIG_RAX: 000000000000017b
RAX: ffffffffffffffda RBX: 0000000000000007 RCX: 0000000020000780
RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000016 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000292 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:netfs_submit_writethrough+0x201/0x280 fs/netfs/output.c:427
Code: fc ff df 48 89 fa 48 c1 ea 03 0f b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 1a 8b 8b 0c 01 00 00 48 89 e8 31 d2 <48> f7 f1 48 89 c5 48 0f af e9 e9 1d ff ff ff e8 6b 1c b9 ff eb df
RSP: 0018:ffffc90001f1f740 EFLAGS: 00010246
RAX: 0000000000001000 RBX: ffff88801fd08c00 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff82317e29 RDI: ffff88801fd08d0c
RBP: 0000000000001000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000003 R12: 0000000000000000
R13: ffff8880545c2920 R14: ffff88801fd08d20 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff88802c400000(0063) knlGS:00000000f5ecab40
CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: 000000002000f000 CR3: 0000000053f7e000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess), 2 bytes skipped:
0: df 48 89 fisttps -0x77(%rax)
3: fa cli
4: 48 c1 ea 03 shr $0x3,%rdx
8: 0f b6 14 02 movzbl (%rdx,%rax,1),%edx
c: 48 89 f8 mov %rdi,%rax
f: 83 e0 07 and $0x7,%eax
12: 83 c0 03 add $0x3,%eax
15: 38 d0 cmp %dl,%al
17: 7c 04 jl 0x1d
19: 84 d2 test %dl,%dl
1b: 75 1a jne 0x37
1d: 8b 8b 0c 01 00 00 mov 0x10c(%rbx),%ecx
23: 48 89 e8 mov %rbp,%rax
26: 31 d2 xor %edx,%edx
* 28: 48 f7 f1 div %rcx <-- trapping instruction
2b: 48 89 c5 mov %rax,%rbp
2e: 48 0f af e9 imul %rcx,%rbp
32: e9 1d ff ff ff jmp 0xffffff54
37: e8 6b 1c b9 ff call 0xffb91ca7
3c: eb df jmp 0x1d


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

xrive...@protonmail.com

Apr 8, 2024, 4:12:15 AM
to syzbot+f3a096...@syzkaller.appspotmail.com, dhow...@redhat.com, jla...@kernel.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, ne...@lists.linux.dev, syzkall...@googlegroups.com, samsun...@gmail.com
Hello, I reproduced this bug and confirmed it in the latest upstream with the same config as the syzbot instance.

If you fix this issue, please add the following tag to the commit:
Reported-by: xingwei lee <xrive...@gmail.com>
Reported-by: yue sun <samsun...@gmail.com>

kernel version: upstream 39cd87c4eb2b893354f3b850f916353f2658ae6f
kernel config: https://syzkaller.appspot.com/text?tag=KernelConfig&x=8c2c72b264636e25 with KASAN enabled
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40

BTW, I can only trigger this bug with repro.txt as follows:

root@syzkaller:~/linux_amd64# ./syz-execprog -repeat 0 ../6c9-0.txt
TITLE: divide error in netfs_submit_writethrough
divide error: 0000 [#1] PREEMPT SMP KASAN NOPTI
CPU: 0 PID: 12946 Comm: syz-executor Not tainted 6.9.0-rc2-00413-gf2f80ac80987-dirty #25
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-1.fc38 04/01/2014
RIP: 0010:netfs_submit_writethrough+0x20e/0x290 fs/netfs/output.c:427
Code: fc ff df 48 89 fa 48 c1 ea 03 0f b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 1a 8b 8b 0c 01 00 00 48 89 e8 31 d2 <48> ff
RSP: 0018:ffffc9000f88f760 EFLAGS: 00010246
RAX: 0000000000001000 RBX: ffff8880564c2c00 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff823ceef6 RDI: ffff8880564c2d0c
RBP: 0000000000001000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000003 R12: 0000000000000000
R13: ffff88806caa0008 R14: ffff8880564c2d20 R15: 0000000000000000
FS: 00007f5d8dfa06c0(0000) GS:ffff8880b9200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000002000f000 CR3: 0000000059e98000 CR4: 0000000000750ef0
PKRU: 55555554
Call Trace:
<TASK>
netfs_advance_writethrough+0x14a/0x180 fs/netfs/output.c:449
netfs_perform_write+0x1c70/0x27e0 fs/netfs/buffered_write.c:385
netfs_buffered_write_iter_locked+0x232/0x2f0 fs/netfs/buffered_write.c:454
netfs_file_write_iter+0x1f3/0x480 fs/netfs/buffered_write.c:493
v9fs_file_write_iter+0xa8/0x110 fs/9p/vfs_file.c:407
call_write_iter include/linux/fs.h:2110 [inline]
do_iter_readv_writev+0x53a/0x7c0 fs/read_write.c:741
vfs_writev+0x386/0xe10 fs/read_write.c:971
do_pwritev+0x1c1/0x280 fs/read_write.c:1072
__do_sys_pwritev2 fs/read_write.c:1131 [inline]
__se_sys_pwritev2 fs/read_write.c:1122 [inline]
__x64_sys_pwritev2+0xf6/0x160 fs/read_write.c:1122
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd5/0x260 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x72/0x7a
RIP: 0033:0x7f5d8e4a5559
Code: 08 89 e8 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 38
RSP: 002b:00007f5d8df9fd58 EFLAGS: 00000246 ORIG_RAX: 0000000000000148
RAX: ffffffffffffffda RBX: 00000000004bbf80 RCX: 00007f5d8e4a5559
RDX: 0000000000000001 RSI: 0000000020000780 RDI: 0000000000000007
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000016
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004bbf8c
R13: 000000000000000b R14: 00000000004bbf80 R15: 00007f5d8df80000
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:netfs_submit_writethrough+0x20e/0x290 fs/netfs/output.c:427
Code: fc ff df 48 89 fa 48 c1 ea 03 0f b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 1a 8b 8b 0c 01 00 00 48 89 e8 31 d2 <48> ff
RSP: 0018:ffffc9000f88f760 EFLAGS: 00010246
RAX: 0000000000001000 RBX: ffff8880564c2c00 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff823ceef6 RDI: ffff8880564c2d0c
RBP: 0000000000001000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000003 R12: 0000000000000000
R13: ffff88806caa0008 R14: ffff8880564c2d20 R15: 0000000000000000
FS: 00007f5d8dfa06c0(0000) GS:ffff8880b9200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000002000f000 CR3: 0000000059e98000 CR4: 0000000000750ef0
PKRU: 55555554
----------------
Code disassembly (best guess), 2 bytes skipped:
0: df 48 89 fisttps -0x77(%rax)
3: fa cli
4: 48 c1 ea 03 shr $0x3,%rdx
8: 0f b6 14 02 movzbl (%rdx,%rax,1),%edx
c: 48 89 f8 mov %rdi,%rax
f: 83 e0 07 and $0x7,%eax
12: 83 c0 03 add $0x3,%eax
15: 38 d0 cmp %dl,%al
17: 7c 04 jl 0x1d
19: 84 d2 test %dl,%dl
1b: 75 1a jne 0x37
1d: 8b 8b 0c 01 00 00 mov 0x10c(%rbx),%ecx
23: 48 89 e8 mov %rbp,%rax
26: 31 d2 xor %edx,%edx
* 28: 48 rex.W <-- trapping instruction
29: ff .byte 0xff
TITLE: kernel panic: Fatal exception
CORRUPTED: true (report format is marked as corrupted)
MAINTAINERS (TO): []
MAINTAINERS (CC): []
CPU: 0 PID: 12946 Comm: syz-executor Not tainted 6.9.0-rc2-00413-gf2f80ac80987-dirty #25
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-1.fc38 04/01/2014
RIP: 0010:netfs_submit_writethrough+0x20e/0x290 fs/netfs/output.c:427
Code: fc ff df 48 89 fa 48 c1 ea 03 0f b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 1a 8b 8b 0c 01 00 00 48 89 e8 31 d2 <48> ff
RSP: 0018:ffffc9000f88f760 EFLAGS: 00010246
RAX: 0000000000001000 RBX: ffff8880564c2c00 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff823ceef6 RDI: ffff8880564c2d0c
RBP: 0000000000001000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000003 R12: 0000000000000000
R13: ffff88806caa0008 R14: ffff8880564c2d20 R15: 0000000000000000
FS: 00007f5d8dfa06c0(0000) GS:ffff8880b9200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000002000f000 CR3: 0000000059e98000 CR4: 0000000000750ef0
PKRU: 55555554
Call Trace:
<TASK>
netfs_advance_writethrough+0x14a/0x180 fs/netfs/output.c:449
netfs_perform_write+0x1c70/0x27e0 fs/netfs/buffered_write.c:385
netfs_buffered_write_iter_locked+0x232/0x2f0 fs/netfs/buffered_write.c:454
netfs_file_write_iter+0x1f3/0x480 fs/netfs/buffered_write.c:493
v9fs_file_write_iter+0xa8/0x110 fs/9p/vfs_file.c:407
call_write_iter include/linux/fs.h:2110 [inline]
do_iter_readv_writev+0x53a/0x7c0 fs/read_write.c:741
vfs_writev+0x386/0xe10 fs/read_write.c:971
do_pwritev+0x1c1/0x280 fs/read_write.c:1072
__do_sys_pwritev2 fs/read_write.c:1131 [inline]
__se_sys_pwritev2 fs/read_write.c:1122 [inline]
__x64_sys_pwritev2+0xf6/0x160 fs/read_write.c:1122
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd5/0x260 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x72/0x7a
RIP: 0033:0x7f5d8e4a5559
Code: 08 89 e8 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 38
RSP: 002b:00007f5d8df9fd58 EFLAGS: 00000246 ORIG_RAX: 0000000000000148
RAX: ffffffffffffffda RBX: 00000000004bbf80 RCX: 00007f5d8e4a5559
RDX: 0000000000000001 RSI: 0000000020000780 RDI: 0000000000000007
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000016
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004bbf8c
R13: 000000000000000b R14: 00000000004bbf80 R15: 00007f5d8df80000
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:netfs_submit_writethrough+0x20e/0x290 fs/netfs/output.c:427
Code: fc ff df 48 89 fa 48 c1 ea 03 0f b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 1a 8b 8b 0c 01 00 00 48 89 e8 31 d2 <48> ff
RSP: 0018:ffffc9000f88f760 EFLAGS: 00010246
RAX: 0000000000001000 RBX: ffff8880564c2c00 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff823ceef6 RDI: ffff8880564c2d0c
RBP: 0000000000001000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000003 R12: 0000000000000000
R13: ffff88806caa0008 R14: ffff8880564c2d20 R15: 0000000000000000
FS: 00007f5d8dfa06c0(0000) GS:ffff8880b9200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000002000f000 CR3: 0000000059e98000 CR4: 0000000000750ef0
PKRU: 55555554
Kernel panic - not syncing: Fatal exception
Kernel Offset: disabled
Rebooting in 86400 seconds..


=* repro.c =*
#define _GNU_SOURCE

#include <endian.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

#ifndef __NR_pwritev2
#define __NR_pwritev2 328
#endif

/* Resource slots filled in at run time: r[0]/r[1] pipe ends, r[2] dup of the
 * write end, r[3] the file opened on the 9p mount. */
uint64_t r[4] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff,
                 0xffffffffffffffff};

int main(void) {
  /* Fixed-address scratch memory used by the syz-generated program. */
  syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, /*prot=*/0ul,
          /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul, /*prot=*/7ul,
          /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul,
          /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
  intptr_t res = 0;
  memcpy((void*)0x20000240, "./file0\000", 8);
  syscall(__NR_creat, /*file=*/0x20000240ul, /*mode=*/0ul);
  /* A pipe stands in for the 9p server; the client reads replies from r[0]. */
  res = syscall(__NR_pipe2, /*pipefd=*/0x20001900ul, /*flags=*/0ul);
  if (res != -1) {
    r[0] = *(uint32_t*)0x20001900;
    r[1] = *(uint32_t*)0x20001904;
  }
  /* Pre-canned 9P RVERSION reply (see write$P9_RVERSION in repro.txt). */
  memcpy((void*)0x20000480,
         "\x15\x00\x00\x00\x65\xff\xff\x01\x80\x00\x00\x08\x00\x39\x50\x32\x30"
         "\x30\x30",
         19);
  syscall(__NR_write, /*fd=*/r[1], /*data=*/0x20000480ul, /*size=*/0x15ul);
  res = syscall(__NR_dup, /*oldfd=*/r[1]);
  if (res != -1)
    r[2] = res;
  *(uint32_t*)0x20000100 = 0x18;
  *(uint32_t*)0x20000104 = 0;
  *(uint64_t*)0x20000108 = 0;
  *(uint64_t*)0x20000110 = 0;
  syscall(__NR_write, /*fd=*/r[2], /*arg=*/0x20000100ul, /*len=*/0x18ul);
  *(uint32_t*)0x200000c0 = 0x14c;
  *(uint32_t*)0x200000c4 = 5;
  *(uint64_t*)0x200000c8 = 0;
  *(uint64_t*)0x200000d0 = 0;
  *(uint64_t*)0x200000d8 = 0;
  *(uint64_t*)0x200000e0 = 0;
  *(uint32_t*)0x200000e8 = 0;
  *(uint32_t*)0x200000ec = 0;
  syscall(__NR_write, /*fd=*/r[2], /*arg=*/0x200000c0ul, /*len=*/0x137ul);
  /* Mount 9p with trans=fd over the pipe ends and cache=mmap. */
  memcpy((void*)0x20000080, "./file0\000", 8);
  memcpy((void*)0x20000040, "9p\000", 3);
  memcpy((void*)0x20000280, "trans=fd,", 9);
  memcpy((void*)0x20000289, "rfdno", 5);
  *(uint8_t*)0x2000028e = 0x3d;
  sprintf((char*)0x2000028f, "0x%016llx", (long long)r[0]);
  *(uint8_t*)0x200002a1 = 0x2c;
  memcpy((void*)0x200002a2, "wfdno", 5);
  *(uint8_t*)0x200002a7 = 0x3d;
  sprintf((char*)0x200002a8, "0x%016llx", (long long)r[2]);
  *(uint8_t*)0x200002ba = 0x2c;
  memcpy((void*)0x200002bb, "cache=mmap", 10);
  *(uint8_t*)0x200002c5 = 0x2c;
  *(uint8_t*)0x200002c6 = 0x6b;
  syscall(__NR_mount, /*src=*/0ul, /*dst=*/0x20000080ul, /*type=*/0x20000040ul,
          /*flags=*/0ul, /*opts=*/0x20000280ul);
  memcpy((void*)0x20000140, "./file0\000", 8);
  syscall(__NR_chmod, /*file=*/0x20000140ul, /*mode=*/0ul);
  memcpy((void*)0x20000300, "./file0\000", 8);
  res = syscall(__NR_creat, /*file=*/0x20000300ul, /*mode=*/0ul);
  if (res != -1)
    r[3] = res;
  /* One iovec of 0xfdef bytes; flags 0x16 = RWF_DSYNC|RWF_SYNC|RWF_APPEND,
   * the sync flags taking the netfs writethrough path seen in the trace. */
  *(uint64_t*)0x20000780 = 0x20000180;
  memset((void*)0x20000180, 142, 1);
  *(uint64_t*)0x20000788 = 0xfdef;
  syscall(__NR_pwritev2, /*fd=*/r[3], /*vec=*/0x20000780ul, /*vlen=*/1ul,
          /*off_low=*/0, /*off_high=*/0, /*flags=*/0x16ul);
  return 0;
}

Remember to run it with: syz-execprog -repeat 0 ./repro.txt

=* repro.txt =*
creat(&(0x7f0000000240)='./file0\x00', 0x0)
pipe2$9p(&(0x7f0000001900)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff}, 0x0)
write$P9_RVERSION(r1, &(0x7f0000000480)=ANY=[@ANYBLOB="1500000065ffff018000000800395032303030"], 0x15)
r2 = dup(r1)
write$FUSE_BMAP(r2, &(0x7f0000000100)={0x18}, 0x18)
write$FUSE_NOTIFY_RETRIEVE(r2, &(0x7f00000000c0)={0x14c}, 0x137)
mount$9p_fd(0x0, &(0x7f0000000080)='./file0\x00', &(0x7f0000000040), 0x0, &(0x7f0000000280)={'trans=fd,', {'rfdno', 0x3d, r0}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@cache_mmap}], [], 0x6b}})
chmod(&(0x7f0000000140)='./file0\x00', 0x0)
r3 = creat(&(0x7f0000000300)='./file0\x00', 0x0)
pwritev2(r3, &(0x7f0000000780)=[{&(0x7f0000000180)="8e", 0xfdef}], 0x1, 0x0, 0x0, 0x16)

See also https://gist.github.com/xrivendell7/8a65b0e5c5109d1ce87acfd56f713544

I hope it helps.
Best regards

syzbot

Apr 23, 2024, 6:29:20 AM
to dhow...@redhat.com, jla...@kernel.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, ne...@lists.linux.dev, samsun...@gmail.com, syzkall...@googlegroups.com, xrive...@protonmail.com
syzbot has found a reproducer for the following issue on:

HEAD commit: a2c63a3f3d68 Merge tag 'bcachefs-2024-04-22' of https://ev..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=11623dfd180000
kernel config: https://syzkaller.appspot.com/x/.config?x=545d4b3e07d6ccbc
dashboard link: https://syzkaller.appspot.com/bug?extid=f3a09670f3d2a55b89b2
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15ff809b180000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15aaab4f180000

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7bc7510fe41f/non_bootable_disk-a2c63a3f.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/b64cb6a17a78/vmlinux-a2c63a3f.xz
kernel image: https://storage.googleapis.com/syzbot-assets/8984e0f657fd/bzImage-a2c63a3f.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+f3a096...@syzkaller.appspotmail.com

divide error: 0000 [#1] PREEMPT SMP KASAN NOPTI
CPU: 3 PID: 5183 Comm: syz-executor293 Not tainted 6.9.0-rc5-syzkaller-00025-ga2c63a3f3d68 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
RIP: 0010:netfs_submit_writethrough+0x201/0x280 fs/netfs/output.c:427
Code: fc ff df 48 89 fa 48 c1 ea 03 0f b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 1a 8b 8b 0c 01 00 00 48 89 e8 31 d2 <48> f7 f1 48 89 c5 48 0f af e9 e9 1d ff ff ff e8 9b a3 b8 ff eb df
RSP: 0018:ffffc90003477760 EFLAGS: 00010246
RAX: 0000000000001000 RBX: ffff88802d072c00 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff82304719 RDI: ffff88802d072d0c
RBP: 0000000000001000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000003 R12: 0000000000000000
R13: ffff8880324e05e0 R14: ffff88802d072d20 R15: 0000000000000000
FS: 0000555585aef480(0000) GS:ffff88806b500000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffc516dc998 CR3: 0000000029bf4000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
netfs_advance_writethrough+0x13f/0x170 fs/netfs/output.c:449
netfs_perform_write+0x1b9f/0x26b0 fs/netfs/buffered_write.c:385
netfs_buffered_write_iter_locked+0x213/0x2c0 fs/netfs/buffered_write.c:454
netfs_file_write_iter+0x1e0/0x470 fs/netfs/buffered_write.c:493
v9fs_file_write_iter+0xa1/0x100 fs/9p/vfs_file.c:407
call_write_iter include/linux/fs.h:2110 [inline]
do_iter_readv_writev+0x504/0x780 fs/read_write.c:741
vfs_writev+0x36f/0xdb0 fs/read_write.c:971
do_pwritev+0x1b2/0x260 fs/read_write.c:1072
__do_sys_pwritev2 fs/read_write.c:1131 [inline]
__se_sys_pwritev2 fs/read_write.c:1122 [inline]
__x64_sys_pwritev2+0xef/0x160 fs/read_write.c:1122
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fecc4c95b59
Code: 48 83 c4 28 c3 e8 67 17 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff380e4b18 EFLAGS: 00000216 ORIG_RAX: 0000000000000148
RAX: ffffffffffffffda RBX: 00007fff380e4b30 RCX: 00007fecc4c95b59
RDX: 0000000000000001 RSI: 0000000020000240 RDI: 0000000000000003
RBP: 00007fff380e4b38 R08: 0000000000000000 R09: 0000000000000015
R10: 0000000000000000 R11: 0000000000000216 R12: 0000000000000000
R13: 00007fff380e4d98 R14: 0000000000000001 R15: 0000000000000001
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:netfs_submit_writethrough+0x201/0x280 fs/netfs/output.c:427
Code: fc ff df 48 89 fa 48 c1 ea 03 0f b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 1a 8b 8b 0c 01 00 00 48 89 e8 31 d2 <48> f7 f1 48 89 c5 48 0f af e9 e9 1d ff ff ff e8 9b a3 b8 ff eb df
RSP: 0018:ffffc90003477760 EFLAGS: 00010246
RAX: 0000000000001000 RBX: ffff88802d072c00 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff82304719 RDI: ffff88802d072d0c
RBP: 0000000000001000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000003 R12: 0000000000000000
R13: ffff8880324e05e0 R14: ffff88802d072d20 R15: 0000000000000000
FS: 0000555585aef480(0000) GS:ffff88806b500000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffc516dc998 CR3: 0000000029bf4000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess), 2 bytes skipped:
0: df 48 89 fisttps -0x77(%rax)
3: fa cli
4: 48 c1 ea 03 shr $0x3,%rdx
8: 0f b6 14 02 movzbl (%rdx,%rax,1),%edx
c: 48 89 f8 mov %rdi,%rax
f: 83 e0 07 and $0x7,%eax
12: 83 c0 03 add $0x3,%eax
15: 38 d0 cmp %dl,%al
17: 7c 04 jl 0x1d
19: 84 d2 test %dl,%dl
1b: 75 1a jne 0x37
1d: 8b 8b 0c 01 00 00 mov 0x10c(%rbx),%ecx
23: 48 89 e8 mov %rbp,%rax
26: 31 d2 xor %edx,%edx
* 28: 48 f7 f1 div %rcx <-- trapping instruction
2b: 48 89 c5 mov %rax,%rbp
2e: 48 0f af e9 imul %rcx,%rbp
32: e9 1d ff ff ff jmp 0xffffff54
37: e8 9b a3 b8 ff call 0xffb8a3d7
3c: eb df jmp 0x1d


---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.