general protection fault in iov_iter_fault_in_readable (3)
8 views
Skip to first unread message
syzbot
Dec 21, 2017, 12:01:05 PM12/21/17
to linux-...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, vi...@zeniv.linux.org.uk
Hello,
syzkaller hit the following crash on
7dc9f647127d6955ffacaf51cb6a627b31dceec2
git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master
compiler: gcc (GCC) 7.1.1 20170620
.config is attached
Raw console output is attached.
Unfortunately, I don't have any reproducer for this bug yet.
irq bypass consumer (token 00000000487ae081) registration fails: -16
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
handle_userfault: 57 callbacks suppressed
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 1 PID: 6396 Comm: syz-executor1 Not tainted 4.15.0-rc4-next-20171220+
#77
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:53
handle_userfault+0xbd9/0x2500 fs/userfaultfd.c:430
do_anonymous_page mm/memory.c:3131 [inline]
handle_pte_fault mm/memory.c:3945 [inline]
__handle_mm_fault+0x32a3/0x3ce0 mm/memory.c:4071
handle_mm_fault+0x38f/0x930 mm/memory.c:4108
__do_page_fault+0x5c9/0xc90 arch/x86/mm/fault.c:1429
do_page_fault+0xee/0x720 arch/x86/mm/fault.c:1504
page_fault+0x2c/0x60 arch/x86/entry/entry_64.S:1243
RIP: 0010:fault_in_pages_readable include/linux/pagemap.h:601 [inline]
RIP: 0010:iov_iter_fault_in_readable+0x1a7/0x410 lib/iov_iter.c:421
RSP: 0018:ffff8801c39cf928 EFLAGS: 00010246
RAX: 0000000000010000 RBX: 0000000020011fd2 RCX: ffffffff8251cad1
RDX: 00000000000000c9 RSI: ffffc90004137000 RDI: ffff8801c39cfd28
RBP: ffff8801c39cfa08 R08: 1ffff100382b38fa R09: 0000000000000000
R10: ffff8801c39cf858 R11: 0000000000000000 R12: 1ffff10038739f28
R13: ffff8801c39cf9e0 R14: 0000000000000000 R15: ffff8801c39cfd20
generic_perform_write+0x200/0x600 mm/filemap.c:3128
__generic_file_write_iter+0x366/0x5b0 mm/filemap.c:3263
generic_file_write_iter+0x399/0x790 mm/filemap.c:3291
call_write_iter include/linux/fs.h:1776 [inline]
new_sync_write fs/read_write.c:469 [inline]
__vfs_write+0x684/0x970 fs/read_write.c:482
vfs_write+0x189/0x510 fs/read_write.c:544
SYSC_write fs/read_write.c:589 [inline]
SyS_write+0xef/0x220 fs/read_write.c:581
entry_SYSCALL_64_fastpath+0x1f/0x96
RIP: 0033:0x452a09
RSP: 002b:00007f87cb04ac58 EFLAGS: 00000212 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 000000000071bea0 RCX: 0000000000452a09
RDX: 0000000000000030 RSI: 0000000020011fd2 RDI: 0000000000000014
RBP: 0000000000000058 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000212 R12: 00000000006ed8e0
R13: 00000000ffffffff R14: 00007f87cb04b6d4 R15: 0000000000000000
(ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 6389 Comm: syz-executor7 Not tainted 4.15.0-rc4-next-20171220+
#77
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RIP: 0010:native_write_cr4+0x4/0x10 arch/x86/include/asm/special_insns.h:76
RSP: 0018:ffff8801c392f058 EFLAGS: 00010093
RAX: ffff8801c38b2200 RBX: 00000000001606f0 RCX: ffffffff811a4932
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000001606f0
RBP: ffff8801c392f058 R08: 1ffff10038725d67 R09: 0000000000000004
R10: ffff8801c392efc8 R11: 0000000000000005 R12: 0000000000000093
R13: ffff8801c38b2200 R14: ffff8801db21a130 R15: ffff8801db21a130
FS: 00007f6b6a863700(0000) GS:ffff8801db200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000004635e0 CR3: 0000000006422006 CR4: 00000000001626f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
__write_cr4 arch/x86/include/asm/paravirt.h:76 [inline]
__cr4_set arch/x86/include/asm/tlbflush.h:252 [inline]
cr4_clear_bits arch/x86/include/asm/tlbflush.h:275 [inline]
kvm_cpu_vmxoff arch/x86/kvm/vmx.c:3737 [inline]
hardware_disable+0x34a/0x4b0 arch/x86/kvm/vmx.c:3743
kvm_arch_hardware_disable+0x35/0xd0 arch/x86/kvm/x86.c:8110
hardware_disable_nolock+0x30/0x40
arch/x86/kvm/../../../virt/kvm/kvm_main.c:3283
on_each_cpu+0xca/0x1b0 kernel/smp.c:604
hardware_disable_all_nolock+0x3e/0x50
arch/x86/kvm/../../../virt/kvm/kvm_main.c:3301
hardware_disable_all arch/x86/kvm/../../../virt/kvm/kvm_main.c:3307
[inline]
kvm_destroy_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:736 [inline]
kvm_put_kvm+0x956/0xde0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:749
kvm_vm_release+0x42/0x50 arch/x86/kvm/../../../virt/kvm/kvm_main.c:760
__fput+0x327/0x7e0 fs/file_table.c:209
____fput+0x15/0x20 fs/file_table.c:243
task_work_run+0x199/0x270 kernel/task_work.c:113
exit_task_work include/linux/task_work.h:22 [inline]
do_exit+0x9bb/0x1ad0 kernel/exit.c:869
do_group_exit+0x149/0x400 kernel/exit.c:972
get_signal+0x73f/0x16c0 kernel/signal.c:2337
do_signal+0x94/0x1ee0 arch/x86/kernel/signal.c:809
exit_to_usermode_loop+0x258/0x2f0 arch/x86/entry/common.c:161
prepare_exit_to_usermode arch/x86/entry/common.c:195 [inline]
syscall_return_slowpath+0x490/0x550 arch/x86/entry/common.c:264
entry_SYSCALL_64_fastpath+0x94/0x96
RIP: 0033:0x452a09
RSP: 002b:00007f6b6a862ce8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 000000000071c038 RCX: 0000000000452a09
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000000071c038
RBP: 000000000071c038 R08: 0000000000000241 R09: 000000000071c010
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000a2f7ff R14: 00007f6b6a8639c0 R15: 000000000000000a
Code: 0f 1f 80 00 00 00 00 55 48 89 e5 0f 20 d8 5d c3 0f 1f 80 00 00 00 00
55 48 89 e5 0f 22 df 5d c3 0f 1f 80 00 00 00 00 55 48 89 e5 <0f> 22 e7 5d
c3 0f 1f 80 00 00 00 00 55 48 89 e5 44 0f 20 c0 5d
RIP: native_write_cr4+0x4/0x10 arch/x86/include/asm/special_insns.h:76 RSP:
ffff8801c392f058
---[ end trace 5db7c92fdc4a11b5 ]---
---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzk...@googlegroups.com.
Please credit me with: Reported-by: syzbot <syzk...@googlegroups.com>
syzbot will keep track of this bug report.
Once a fix for this bug is merged into any tree, reply to this email with:
#syz fix: exact-commit-title
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug
report.
Note: all commands must start from beginning of the line in the email body.
syzkaller hit the following crash on
7dc9f647127d6955ffacaf51cb6a627b31dceec2
git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master
compiler: gcc (GCC) 7.1.1 20170620
.config is attached
Raw console output is attached.
Unfortunately, I don't have any reproducer for this bug yet.
irq bypass consumer (token 00000000487ae081) registration fails: -16
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
handle_userfault: 57 callbacks suppressed
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 1 PID: 6396 Comm: syz-executor1 Not tainted 4.15.0-rc4-next-20171220+
#77
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:53
handle_userfault+0xbd9/0x2500 fs/userfaultfd.c:430
do_anonymous_page mm/memory.c:3131 [inline]
handle_pte_fault mm/memory.c:3945 [inline]
__handle_mm_fault+0x32a3/0x3ce0 mm/memory.c:4071
handle_mm_fault+0x38f/0x930 mm/memory.c:4108
__do_page_fault+0x5c9/0xc90 arch/x86/mm/fault.c:1429
do_page_fault+0xee/0x720 arch/x86/mm/fault.c:1504
page_fault+0x2c/0x60 arch/x86/entry/entry_64.S:1243
RIP: 0010:fault_in_pages_readable include/linux/pagemap.h:601 [inline]
RIP: 0010:iov_iter_fault_in_readable+0x1a7/0x410 lib/iov_iter.c:421
RSP: 0018:ffff8801c39cf928 EFLAGS: 00010246
RAX: 0000000000010000 RBX: 0000000020011fd2 RCX: ffffffff8251cad1
RDX: 00000000000000c9 RSI: ffffc90004137000 RDI: ffff8801c39cfd28
RBP: ffff8801c39cfa08 R08: 1ffff100382b38fa R09: 0000000000000000
R10: ffff8801c39cf858 R11: 0000000000000000 R12: 1ffff10038739f28
R13: ffff8801c39cf9e0 R14: 0000000000000000 R15: ffff8801c39cfd20
generic_perform_write+0x200/0x600 mm/filemap.c:3128
__generic_file_write_iter+0x366/0x5b0 mm/filemap.c:3263
generic_file_write_iter+0x399/0x790 mm/filemap.c:3291
call_write_iter include/linux/fs.h:1776 [inline]
new_sync_write fs/read_write.c:469 [inline]
__vfs_write+0x684/0x970 fs/read_write.c:482
vfs_write+0x189/0x510 fs/read_write.c:544
SYSC_write fs/read_write.c:589 [inline]
SyS_write+0xef/0x220 fs/read_write.c:581
entry_SYSCALL_64_fastpath+0x1f/0x96
RIP: 0033:0x452a09
RSP: 002b:00007f87cb04ac58 EFLAGS: 00000212 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 000000000071bea0 RCX: 0000000000452a09
RDX: 0000000000000030 RSI: 0000000020011fd2 RDI: 0000000000000014
RBP: 0000000000000058 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000212 R12: 00000000006ed8e0
R13: 00000000ffffffff R14: 00007f87cb04b6d4 R15: 0000000000000000
(ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 6389 Comm: syz-executor7 Not tainted 4.15.0-rc4-next-20171220+
#77
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RIP: 0010:native_write_cr4+0x4/0x10 arch/x86/include/asm/special_insns.h:76
RSP: 0018:ffff8801c392f058 EFLAGS: 00010093
RAX: ffff8801c38b2200 RBX: 00000000001606f0 RCX: ffffffff811a4932
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000001606f0
RBP: ffff8801c392f058 R08: 1ffff10038725d67 R09: 0000000000000004
R10: ffff8801c392efc8 R11: 0000000000000005 R12: 0000000000000093
R13: ffff8801c38b2200 R14: ffff8801db21a130 R15: ffff8801db21a130
FS: 00007f6b6a863700(0000) GS:ffff8801db200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000004635e0 CR3: 0000000006422006 CR4: 00000000001626f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
__write_cr4 arch/x86/include/asm/paravirt.h:76 [inline]
__cr4_set arch/x86/include/asm/tlbflush.h:252 [inline]
cr4_clear_bits arch/x86/include/asm/tlbflush.h:275 [inline]
kvm_cpu_vmxoff arch/x86/kvm/vmx.c:3737 [inline]
hardware_disable+0x34a/0x4b0 arch/x86/kvm/vmx.c:3743
kvm_arch_hardware_disable+0x35/0xd0 arch/x86/kvm/x86.c:8110
hardware_disable_nolock+0x30/0x40
arch/x86/kvm/../../../virt/kvm/kvm_main.c:3283
on_each_cpu+0xca/0x1b0 kernel/smp.c:604
hardware_disable_all_nolock+0x3e/0x50
arch/x86/kvm/../../../virt/kvm/kvm_main.c:3301
hardware_disable_all arch/x86/kvm/../../../virt/kvm/kvm_main.c:3307
[inline]
kvm_destroy_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:736 [inline]
kvm_put_kvm+0x956/0xde0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:749
kvm_vm_release+0x42/0x50 arch/x86/kvm/../../../virt/kvm/kvm_main.c:760
__fput+0x327/0x7e0 fs/file_table.c:209
____fput+0x15/0x20 fs/file_table.c:243
task_work_run+0x199/0x270 kernel/task_work.c:113
exit_task_work include/linux/task_work.h:22 [inline]
do_exit+0x9bb/0x1ad0 kernel/exit.c:869
do_group_exit+0x149/0x400 kernel/exit.c:972
get_signal+0x73f/0x16c0 kernel/signal.c:2337
do_signal+0x94/0x1ee0 arch/x86/kernel/signal.c:809
exit_to_usermode_loop+0x258/0x2f0 arch/x86/entry/common.c:161
prepare_exit_to_usermode arch/x86/entry/common.c:195 [inline]
syscall_return_slowpath+0x490/0x550 arch/x86/entry/common.c:264
entry_SYSCALL_64_fastpath+0x94/0x96
RIP: 0033:0x452a09
RSP: 002b:00007f6b6a862ce8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 000000000071c038 RCX: 0000000000452a09
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000000071c038
RBP: 000000000071c038 R08: 0000000000000241 R09: 000000000071c010
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000a2f7ff R14: 00007f6b6a8639c0 R15: 000000000000000a
Code: 0f 1f 80 00 00 00 00 55 48 89 e5 0f 20 d8 5d c3 0f 1f 80 00 00 00 00
55 48 89 e5 0f 22 df 5d c3 0f 1f 80 00 00 00 00 55 48 89 e5 <0f> 22 e7 5d
c3 0f 1f 80 00 00 00 00 55 48 89 e5 44 0f 20 c0 5d
RIP: native_write_cr4+0x4/0x10 arch/x86/include/asm/special_insns.h:76 RSP:
ffff8801c392f058
---[ end trace 5db7c92fdc4a11b5 ]---
---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzk...@googlegroups.com.
Please credit me with: Reported-by: syzbot <syzk...@googlegroups.com>
syzbot will keep track of this bug report.
Once a fix for this bug is merged into any tree, reply to this email with:
#syz fix: exact-commit-title
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug
report.
Note: all commands must start from beginning of the line in the email body.
Eric Biggers
Apr 19, 2018, 1:07:29 AM4/19/18
to syzbot, syzkall...@googlegroups.com
"general protection fault in native_write_cr4", main thread here:
https://groups.google.com/d/msg/syzkaller-bugs/4CdNkcXYEC8/nbkiPcwPAQAJ.
It got intermixed with some other dump_stack(), causing the log output to be
misparsed.
#syz invalid
- Eric
Reply all
Reply to author
Forward
0 new messages