[syzbot] [kernel?] general protection fault in proc_sys_call_handler
12 views
Skip to first unread message
syzbot
Jan 3, 2025, 8:20:28 PM1/3/25
to linux-...@vger.kernel.org, lu...@kernel.org, pet...@infradead.org, syzkall...@googlegroups.com, tg...@linutronix.de
Hello,
syzbot found the following issue on:
HEAD commit: ccb98ccef0e5 Merge tag 'platform-drivers-x86-v6.13-4' of g..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13f1eaf8580000
kernel config: https://syzkaller.appspot.com/x/.config?x=86dd15278dbfe19f
dashboard link: https://syzkaller.appspot.com/bug?extid=2e65930fda17880da336
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=140888b0580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/d24eb225cff7/disk-ccb98cce.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/dd81532f8240/vmlinux-ccb98cce.xz
kernel image: https://storage.googleapis.com/syzbot-assets/18b08e4bbf40/bzImage-ccb98cce.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+2e6593...@syzkaller.appspotmail.com
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
CPU: 1 UID: 0 PID: 5943 Comm: syz-executor Not tainted 6.13.0-rc5-syzkaller-00004-gccb98ccef0e5 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
RIP: 0010:get_uts kernel/utsname_sysctl.c:23 [inline]
RIP: 0010:proc_do_uts_string+0x137/0x4e0 kernel/utsname_sysctl.c:50
Code: 48 c1 ee 03 80 3c 0e 00 0f 85 56 03 00 00 48 8b 92 08 09 00 00 48 b9 00 00 00 00 00 fc ff df 48 8d 7a 08 48 89 fe 48 c1 ee 03 <80> 3c 0e 00 0f 85 12 03 00 00 48 be 00 00 00 00 00 fc ff df 48 2d
RSP: 0018:ffffc900038f7468 EFLAGS: 00010202
RAX: ffffffff90022485 RBX: 1ffff9200071ee92 RCX: dffffc0000000000
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000008
RBP: ffffffff8de39fd8 R08: 0000000000000001 R09: fffffbfff1b8e071
R10: ffffffff8dc7038f R11: 0000000000000002 R12: 0000000000000001
R13: ffffc900038f7520 R14: dffffc0000000000 R15: ffffffff8de39fe0
FS: 0000000000000000(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f0544972008 CR3: 000000000db7e000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
proc_sys_call_handler+0x403/0x5d0 fs/proc/proc_sysctl.c:601
__kernel_write_iter+0x318/0xa80 fs/read_write.c:612
__kernel_write+0xf6/0x140 fs/read_write.c:632
do_acct_process+0xcb0/0x14a0 kernel/acct.c:539
acct_pin_kill+0x2d/0x100 kernel/acct.c:192
pin_kill+0x194/0x7c0 fs/fs_pin.c:44
mnt_pin_kill+0x61/0x1e0 fs/fs_pin.c:81
cleanup_mnt+0x3ac/0x450 fs/namespace.c:1366
task_work_run+0x14e/0x250 kernel/task_work.c:239
exit_task_work include/linux/task_work.h:43 [inline]
do_exit+0xad8/0x2d70 kernel/exit.c:938
do_group_exit+0xd3/0x2a0 kernel/exit.c:1087
get_signal+0x2576/0x2610 kernel/signal.c:3017
arch_do_signal_or_restart+0x90/0x7e0 arch/x86/kernel/signal.c:337
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0x150/0x2a0 kernel/entry/common.c:218
do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f069358473c
Code: Unable to access opcode bytes at 0x7f0693584712.
RSP: 002b:00007ffd01fb5d30 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: fffffffffffffe00 RBX: 0000000000000003 RCX: 00007f069358473c
RDX: 0000000000000030 RSI: 00007ffd01fb5de0 RDI: 00000000000000f9
RBP: 00007ffd01fb5d8c R08: 0000000000000000 R09: 0079746972756365
R10: 00007ffd01fb56f0 R11: 0000000000000246 R12: 0000000000000032
R13: 000000000002bc4a R14: 00007ffd01fb5de0 R15: 0000000000000258
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:get_uts kernel/utsname_sysctl.c:23 [inline]
RIP: 0010:proc_do_uts_string+0x137/0x4e0 kernel/utsname_sysctl.c:50
Code: 48 c1 ee 03 80 3c 0e 00 0f 85 56 03 00 00 48 8b 92 08 09 00 00 48 b9 00 00 00 00 00 fc ff df 48 8d 7a 08 48 89 fe 48 c1 ee 03 <80> 3c 0e 00 0f 85 12 03 00 00 48 be 00 00 00 00 00 fc ff df 48 2d
RSP: 0018:ffffc900038f7468 EFLAGS: 00010202
RAX: ffffffff90022485 RBX: 1ffff9200071ee92 RCX: dffffc0000000000
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000008
RBP: ffffffff8de39fd8 R08: 0000000000000001 R09: fffffbfff1b8e071
R10: ffffffff8dc7038f R11: 0000000000000002 R12: 0000000000000001
R13: ffffc900038f7520 R14: dffffc0000000000 R15: ffffffff8de39fe0
FS: 0000000000000000(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffc686ce448 CR3: 000000002f9ae000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 48 c1 ee 03 shr $0x3,%rsi
4: 80 3c 0e 00 cmpb $0x0,(%rsi,%rcx,1)
8: 0f 85 56 03 00 00 jne 0x364
e: 48 8b 92 08 09 00 00 mov 0x908(%rdx),%rdx
15: 48 b9 00 00 00 00 00 movabs $0xdffffc0000000000,%rcx
1c: fc ff df
1f: 48 8d 7a 08 lea 0x8(%rdx),%rdi
23: 48 89 fe mov %rdi,%rsi
26: 48 c1 ee 03 shr $0x3,%rsi
* 2a: 80 3c 0e 00 cmpb $0x0,(%rsi,%rcx,1) <-- trapping instruction
2e: 0f 85 12 03 00 00 jne 0x346
34: 48 be 00 00 00 00 00 movabs $0xdffffc0000000000,%rsi
3b: fc ff df
3e: 48 rex.W
3f: 2d .byte 0x2d
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: ccb98ccef0e5 Merge tag 'platform-drivers-x86-v6.13-4' of g..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13f1eaf8580000
kernel config: https://syzkaller.appspot.com/x/.config?x=86dd15278dbfe19f
dashboard link: https://syzkaller.appspot.com/bug?extid=2e65930fda17880da336
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=140888b0580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/d24eb225cff7/disk-ccb98cce.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/dd81532f8240/vmlinux-ccb98cce.xz
kernel image: https://storage.googleapis.com/syzbot-assets/18b08e4bbf40/bzImage-ccb98cce.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+2e6593...@syzkaller.appspotmail.com
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
CPU: 1 UID: 0 PID: 5943 Comm: syz-executor Not tainted 6.13.0-rc5-syzkaller-00004-gccb98ccef0e5 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
RIP: 0010:get_uts kernel/utsname_sysctl.c:23 [inline]
RIP: 0010:proc_do_uts_string+0x137/0x4e0 kernel/utsname_sysctl.c:50
Code: 48 c1 ee 03 80 3c 0e 00 0f 85 56 03 00 00 48 8b 92 08 09 00 00 48 b9 00 00 00 00 00 fc ff df 48 8d 7a 08 48 89 fe 48 c1 ee 03 <80> 3c 0e 00 0f 85 12 03 00 00 48 be 00 00 00 00 00 fc ff df 48 2d
RSP: 0018:ffffc900038f7468 EFLAGS: 00010202
RAX: ffffffff90022485 RBX: 1ffff9200071ee92 RCX: dffffc0000000000
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000008
RBP: ffffffff8de39fd8 R08: 0000000000000001 R09: fffffbfff1b8e071
R10: ffffffff8dc7038f R11: 0000000000000002 R12: 0000000000000001
R13: ffffc900038f7520 R14: dffffc0000000000 R15: ffffffff8de39fe0
FS: 0000000000000000(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f0544972008 CR3: 000000000db7e000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
proc_sys_call_handler+0x403/0x5d0 fs/proc/proc_sysctl.c:601
__kernel_write_iter+0x318/0xa80 fs/read_write.c:612
__kernel_write+0xf6/0x140 fs/read_write.c:632
do_acct_process+0xcb0/0x14a0 kernel/acct.c:539
acct_pin_kill+0x2d/0x100 kernel/acct.c:192
pin_kill+0x194/0x7c0 fs/fs_pin.c:44
mnt_pin_kill+0x61/0x1e0 fs/fs_pin.c:81
cleanup_mnt+0x3ac/0x450 fs/namespace.c:1366
task_work_run+0x14e/0x250 kernel/task_work.c:239
exit_task_work include/linux/task_work.h:43 [inline]
do_exit+0xad8/0x2d70 kernel/exit.c:938
do_group_exit+0xd3/0x2a0 kernel/exit.c:1087
get_signal+0x2576/0x2610 kernel/signal.c:3017
arch_do_signal_or_restart+0x90/0x7e0 arch/x86/kernel/signal.c:337
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0x150/0x2a0 kernel/entry/common.c:218
do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f069358473c
Code: Unable to access opcode bytes at 0x7f0693584712.
RSP: 002b:00007ffd01fb5d30 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: fffffffffffffe00 RBX: 0000000000000003 RCX: 00007f069358473c
RDX: 0000000000000030 RSI: 00007ffd01fb5de0 RDI: 00000000000000f9
RBP: 00007ffd01fb5d8c R08: 0000000000000000 R09: 0079746972756365
R10: 00007ffd01fb56f0 R11: 0000000000000246 R12: 0000000000000032
R13: 000000000002bc4a R14: 00007ffd01fb5de0 R15: 0000000000000258
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:get_uts kernel/utsname_sysctl.c:23 [inline]
RIP: 0010:proc_do_uts_string+0x137/0x4e0 kernel/utsname_sysctl.c:50
Code: 48 c1 ee 03 80 3c 0e 00 0f 85 56 03 00 00 48 8b 92 08 09 00 00 48 b9 00 00 00 00 00 fc ff df 48 8d 7a 08 48 89 fe 48 c1 ee 03 <80> 3c 0e 00 0f 85 12 03 00 00 48 be 00 00 00 00 00 fc ff df 48 2d
RSP: 0018:ffffc900038f7468 EFLAGS: 00010202
RAX: ffffffff90022485 RBX: 1ffff9200071ee92 RCX: dffffc0000000000
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000008
RBP: ffffffff8de39fd8 R08: 0000000000000001 R09: fffffbfff1b8e071
R10: ffffffff8dc7038f R11: 0000000000000002 R12: 0000000000000001
R13: ffffc900038f7520 R14: dffffc0000000000 R15: ffffffff8de39fe0
FS: 0000000000000000(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffc686ce448 CR3: 000000002f9ae000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 48 c1 ee 03 shr $0x3,%rsi
4: 80 3c 0e 00 cmpb $0x0,(%rsi,%rcx,1)
8: 0f 85 56 03 00 00 jne 0x364
e: 48 8b 92 08 09 00 00 mov 0x908(%rdx),%rdx
15: 48 b9 00 00 00 00 00 movabs $0xdffffc0000000000,%rcx
1c: fc ff df
1f: 48 8d 7a 08 lea 0x8(%rdx),%rdi
23: 48 89 fe mov %rdi,%rsi
26: 48 c1 ee 03 shr $0x3,%rsi
* 2a: 80 3c 0e 00 cmpb $0x0,(%rsi,%rcx,1) <-- trapping instruction
2e: 0f 85 12 03 00 00 jne 0x346
34: 48 be 00 00 00 00 00 movabs $0xdffffc0000000000,%rsi
3b: fc ff df
3e: 48 rex.W
3f: 2d .byte 0x2d
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
Edward Adam Davis
Jan 3, 2025, 10:15:24 PM1/3/25
to syzbot+2e6593...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
utsname: debug ctl table for domainname
Before exit_task_work() is executed, exit_task_namespaces() has been executed,
which will cause task->nsproxy to be NULL.
#syz test: https://github.com/ea1davis/linux proc/syz
Before exit_task_work() is executed, exit_task_namespaces() has been executed,
which will cause task->nsproxy to be NULL.
#syz test: https://github.com/ea1davis/linux proc/syz
syzbot
Jan 3, 2025, 10:25:04 PM1/3/25
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in proc_sys_call_handler
tab: ffffffff8de3a458, data: ffffffff90028ec5, procname: domainname, proc_do_uts_string
tab: ffffffff8de3a458, data: ffffffff90028ec5, proc_sys_call_handler
tab: ffffffff8de3a458, data: ffffffff90028ec5, procname: domainname, proc_do_uts_string
Code: 48 c1 ee 03 80 3c 0e 00 0f 85 6a 03 00 00 48 8b 92 08 09 00 00 48 b9 00 00 00 00 00 fc ff df 48 8d 7a 08 48 89 fe 48 c1 ee 03 <80> 3c 0e 00 0f 85 28 03 00 00 48 be 00 00 00 00 00 fc ff df 48 2d
RSP: 0018:ffffc90003657468 EFLAGS: 00010202
RAX: ffffffff90028ec5 RBX: ffffffff8de3a458 RCX: dffffc0000000000
R10: ffffffff8dc7022f R11: 0000000000000002 R12: 0000000000000001
R13: ffffc900036574c0 R14: ffffffff8de3a460 R15: ffffc90003657520
do_group_exit+0xd3/0x2a0 kernel/exit.c:1087
get_signal+0x2576/0x2610 kernel/signal.c:3016
Code: Unable to access opcode bytes at 0x7f47f6787c1d.
RSP: 002b:00007ffe11e12818 EFLAGS: 00000202 ORIG_RAX: 0000000000000029
RAX: 0000000000000003 RBX: 0000000000000003 RCX: 00007f47f6787c47
RDX: 0000000000000006 RSI: 0000000000000001 RDI: 0000000000000002
RBP: 00007ffe11e12efc R08: 00007ffe11e1280c R09: 00007ffe11e12c17
R10: 00007ffe11e12890 R11: 0000000000000202 R12: 0000000000000032
R13: 000000000002677e R14: 00007ffe11e12f50 R15: 0000000000000258
Code: 48 c1 ee 03 80 3c 0e 00 0f 85 6a 03 00 00 48 8b 92 08 09 00 00 48 b9 00 00 00 00 00 fc ff df 48 8d 7a 08 48 89 fe 48 c1 ee 03 <80> 3c 0e 00 0f 85 28 03 00 00 48 be 00 00 00 00 00 fc ff df 48 2d
RSP: 0018:ffffc90003657468 EFLAGS: 00010202
RAX: ffffffff90028ec5 RBX: ffffffff8de3a458 RCX: dffffc0000000000
R10: ffffffff8dc7022f R11: 0000000000000002 R12: 0000000000000001
R13: ffffc900036574c0 R14: ffffffff8de3a460 R15: ffffc90003657520
commit: dcb6ff6b utsname: debug ctl table for domainname
git tree: https://github.com/ea1davis/linux proc/syz
console output: https://syzkaller.appspot.com/x/log.txt?x=141938b0580000
kernel config: https://syzkaller.appspot.com/x/.config?x=e8d97faf7b870c89
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in proc_sys_call_handler
tab: ffffffff8de3a458, data: ffffffff90028ec5, procname: domainname, proc_do_uts_string
tab: ffffffff8de3a458, data: ffffffff90028ec5, proc_sys_call_handler
tab: ffffffff8de3a458, data: ffffffff90028ec5, procname: domainname, proc_do_uts_string
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
CPU: 1 UID: 0 PID: 6417 Comm: syz-executor Not tainted 6.12.0-syzkaller-10299-gdcb6ff6bb369 #0
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
RIP: 0010:get_uts kernel/utsname_sysctl.c:23 [inline]
RIP: 0010:proc_do_uts_string+0x1ee/0x5d0 kernel/utsname_sysctl.c:54
RIP: 0010:get_uts kernel/utsname_sysctl.c:23 [inline]
Code: 48 c1 ee 03 80 3c 0e 00 0f 85 6a 03 00 00 48 8b 92 08 09 00 00 48 b9 00 00 00 00 00 fc ff df 48 8d 7a 08 48 89 fe 48 c1 ee 03 <80> 3c 0e 00 0f 85 28 03 00 00 48 be 00 00 00 00 00 fc ff df 48 2d
RSP: 0018:ffffc90003657468 EFLAGS: 00010202
RAX: ffffffff90028ec5 RBX: ffffffff8de3a458 RCX: dffffc0000000000
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000008
RBP: 1ffff920006cae92 R08: 0000000000000001 R09: fffffbfff1b8e045
R10: ffffffff8dc7022f R11: 0000000000000002 R12: 0000000000000001
R13: ffffc900036574c0 R14: ffffffff8de3a460 R15: ffffc90003657520
FS: 0000000000000000(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055e8f20af048 CR3: 0000000034d8c000 CR4: 00000000003526f0
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
proc_sys_call_handler+0x441/0x610 fs/proc/proc_sysctl.c:602
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
__kernel_write_iter+0x318/0xa80 fs/read_write.c:612
__kernel_write+0xf6/0x140 fs/read_write.c:632
do_acct_process+0xcb0/0x14a0 kernel/acct.c:539
acct_pin_kill+0x2d/0x100 kernel/acct.c:192
pin_kill+0x194/0x7c0 fs/fs_pin.c:44
mnt_pin_kill+0x61/0x1e0 fs/fs_pin.c:81
cleanup_mnt+0x3ac/0x450 fs/namespace.c:1366
task_work_run+0x14e/0x250 kernel/task_work.c:239
exit_task_work include/linux/task_work.h:43 [inline]
do_exit+0xadd/0x2d70 kernel/exit.c:938
__kernel_write+0xf6/0x140 fs/read_write.c:632
do_acct_process+0xcb0/0x14a0 kernel/acct.c:539
acct_pin_kill+0x2d/0x100 kernel/acct.c:192
pin_kill+0x194/0x7c0 fs/fs_pin.c:44
mnt_pin_kill+0x61/0x1e0 fs/fs_pin.c:81
cleanup_mnt+0x3ac/0x450 fs/namespace.c:1366
task_work_run+0x14e/0x250 kernel/task_work.c:239
exit_task_work include/linux/task_work.h:43 [inline]
do_group_exit+0xd3/0x2a0 kernel/exit.c:1087
get_signal+0x2576/0x2610 kernel/signal.c:3016
arch_do_signal_or_restart+0x90/0x7e0 arch/x86/kernel/signal.c:337
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0x150/0x2a0 kernel/entry/common.c:218
do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f47f6787c47
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0x150/0x2a0 kernel/entry/common.c:218
do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Code: Unable to access opcode bytes at 0x7f47f6787c1d.
RSP: 002b:00007ffe11e12818 EFLAGS: 00000202 ORIG_RAX: 0000000000000029
RAX: 0000000000000003 RBX: 0000000000000003 RCX: 00007f47f6787c47
RDX: 0000000000000006 RSI: 0000000000000001 RDI: 0000000000000002
RBP: 00007ffe11e12efc R08: 00007ffe11e1280c R09: 00007ffe11e12c17
R10: 00007ffe11e12890 R11: 0000000000000202 R12: 0000000000000032
R13: 000000000002677e R14: 00007ffe11e12f50 R15: 0000000000000258
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:get_uts kernel/utsname_sysctl.c:23 [inline]
RIP: 0010:proc_do_uts_string+0x1ee/0x5d0 kernel/utsname_sysctl.c:54
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:get_uts kernel/utsname_sysctl.c:23 [inline]
Code: 48 c1 ee 03 80 3c 0e 00 0f 85 6a 03 00 00 48 8b 92 08 09 00 00 48 b9 00 00 00 00 00 fc ff df 48 8d 7a 08 48 89 fe 48 c1 ee 03 <80> 3c 0e 00 0f 85 28 03 00 00 48 be 00 00 00 00 00 fc ff df 48 2d
RSP: 0018:ffffc90003657468 EFLAGS: 00010202
RAX: ffffffff90028ec5 RBX: ffffffff8de3a458 RCX: dffffc0000000000
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000008
RBP: 1ffff920006cae92 R08: 0000000000000001 R09: fffffbfff1b8e045
R10: ffffffff8dc7022f R11: 0000000000000002 R12: 0000000000000001
R13: ffffc900036574c0 R14: ffffffff8de3a460 R15: ffffc90003657520
FS: 0000000000000000(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f27a1ca7d60 CR3: 0000000034d8c000 CR4: 00000000003526f0
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 48 c1 ee 03 shr $0x3,%rsi
4: 80 3c 0e 00 cmpb $0x0,(%rsi,%rcx,1)
8: 0f 85 6a 03 00 00 jne 0x378
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 48 c1 ee 03 shr $0x3,%rsi
4: 80 3c 0e 00 cmpb $0x0,(%rsi,%rcx,1)
e: 48 8b 92 08 09 00 00 mov 0x908(%rdx),%rdx
15: 48 b9 00 00 00 00 00 movabs $0xdffffc0000000000,%rcx
1c: fc ff df
1f: 48 8d 7a 08 lea 0x8(%rdx),%rdi
23: 48 89 fe mov %rdi,%rsi
26: 48 c1 ee 03 shr $0x3,%rsi
* 2a: 80 3c 0e 00 cmpb $0x0,(%rsi,%rcx,1) <-- trapping instruction
2e: 0f 85 28 03 00 00 jne 0x35c
15: 48 b9 00 00 00 00 00 movabs $0xdffffc0000000000,%rcx
1c: fc ff df
1f: 48 8d 7a 08 lea 0x8(%rdx),%rdi
23: 48 89 fe mov %rdi,%rsi
26: 48 c1 ee 03 shr $0x3,%rsi
* 2a: 80 3c 0e 00 cmpb $0x0,(%rsi,%rcx,1) <-- trapping instruction
34: 48 be 00 00 00 00 00 movabs $0xdffffc0000000000,%rsi
3b: fc ff df
3e: 48 rex.W
3f: 2d .byte 0x2d
Tested on:
3b: fc ff df
3e: 48 rex.W
3f: 2d .byte 0x2d
commit: dcb6ff6b utsname: debug ctl table for domainname
git tree: https://github.com/ea1davis/linux proc/syz
console output: https://syzkaller.appspot.com/x/log.txt?x=141938b0580000
kernel config: https://syzkaller.appspot.com/x/.config?x=e8d97faf7b870c89
dashboard link: https://syzkaller.appspot.com/bug?extid=2e65930fda17880da336
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
Note: no patches were applied.
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
Edward Adam Davis
Jan 3, 2025, 11:33:10 PM1/3/25
to syzbot+2e6593...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
utsname: debug ctl table for domainname
Before exit_task_work() is executed, exit_task_namespaces() has been executed,
which will cause task->nsproxy to be NULL.
sys_acct accounting records to "/proc/sys/kernel/domainname", if data
which will cause task->nsproxy to be NULL.
too long, can we continue account?
syzbot
Jan 3, 2025, 11:49:03 PM1/3/25
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in proc_sys_call_handler
write buf: , count: 64, tab: ffffffff8de3a458, proc_sys_call_handler
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in proc_sys_call_handler
tab: ffffffff8de3a458, data: ffffffff90028f45, w: 1, proc_sys_call_handler
tab: ffffffff8de3a458, data: ffffffff90028f45, datalen: 6, maxlen: 65, procname: domainname, proc_do_uts_string
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
CPU: 0 UID: 0 PID: 6507 Comm: syz-executor Not tainted 6.12.0-syzkaller-10299-g85a8463a4d24 #0
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
RIP: 0010:get_uts kernel/utsname_sysctl.c:23 [inline]
RIP: 0010:proc_do_uts_string+0x1ea/0x5e0 kernel/utsname_sysctl.c:53
RIP: 0010:get_uts kernel/utsname_sysctl.c:23 [inline]
Code: 48 c1 ee 03 80 3c 0e 00 0f 85 76 03 00 00 48 8b 92 08 09 00 00 48 b9 00 00 00 00 00 fc ff df 48 8d 7a 08 48 89 fe 48 c1 ee 03 <80> 3c 0e 00 0f 85 32 03 00 00 48 be 00 00 00 00 00 fc ff df 48 2d
RSP: 0018:ffffc90003567460 EFLAGS: 00010202
RAX: ffffffff90028f45 RBX: ffffffff8de3a458 RCX: dffffc0000000000
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000008
RBP: 1ffff920006ace92 R08: 0000000000000001 R09: fffffbfff1b8e045
R10: ffffffff8dc7022f R11: 0000000000000002 R12: 0000000000000001
R13: ffffc900035674c0 R14: ffffc90003567520 R15: ffffffff8de3a460
FS: 0000000000000000(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000056128a1406dd CR3: 000000002cf9c000 CR4: 00000000003526f0
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
proc_sys_call_handler+0x4b8/0x700 fs/proc/proc_sysctl.c:607
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
__kernel_write_iter+0x318/0xa80 fs/read_write.c:612
__kernel_write+0xf6/0x140 fs/read_write.c:632
do_acct_process+0xcb0/0x14a0 kernel/acct.c:539
acct_pin_kill+0x2d/0x100 kernel/acct.c:192
pin_kill+0x194/0x7c0 fs/fs_pin.c:44
mnt_pin_kill+0x61/0x1e0 fs/fs_pin.c:81
cleanup_mnt+0x3ac/0x450 fs/namespace.c:1366
task_work_run+0x14e/0x250 kernel/task_work.c:239
exit_task_work include/linux/task_work.h:43 [inline]
do_exit+0xadd/0x2d70 kernel/exit.c:938
do_group_exit+0xd3/0x2a0 kernel/exit.c:1087
get_signal+0x2576/0x2610 kernel/signal.c:3016
arch_do_signal_or_restart+0x90/0x7e0 arch/x86/kernel/signal.c:337
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0x150/0x2a0 kernel/entry/common.c:218
do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7efcf8784597
__kernel_write+0xf6/0x140 fs/read_write.c:632
do_acct_process+0xcb0/0x14a0 kernel/acct.c:539
acct_pin_kill+0x2d/0x100 kernel/acct.c:192
pin_kill+0x194/0x7c0 fs/fs_pin.c:44
mnt_pin_kill+0x61/0x1e0 fs/fs_pin.c:81
cleanup_mnt+0x3ac/0x450 fs/namespace.c:1366
task_work_run+0x14e/0x250 kernel/task_work.c:239
exit_task_work include/linux/task_work.h:43 [inline]
do_exit+0xadd/0x2d70 kernel/exit.c:938
do_group_exit+0xd3/0x2a0 kernel/exit.c:1087
get_signal+0x2576/0x2610 kernel/signal.c:3016
arch_do_signal_or_restart+0x90/0x7e0 arch/x86/kernel/signal.c:337
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0x150/0x2a0 kernel/entry/common.c:218
do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Code: Unable to access opcode bytes at 0x7efcf878456d.
RSP: 002b:00007ffe839f29c8 EFLAGS: 00000202 ORIG_RAX: 0000000000000102
RAX: 0000000000000000 RBX: 00007ffe839f2a10 RCX: 00007efcf8784597
RDX: 00000000000001ff RSI: 00007ffe839f2a10 RDI: 00000000ffffff9c
RBP: 00007ffe839f29fc R08: 0000000000000005 R09: 00007ffe839f2765
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000032
R13: 000000000002b475 R14: 00007ffe839f2a50 R15: 0000000000000258
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:get_uts kernel/utsname_sysctl.c:23 [inline]
RIP: 0010:proc_do_uts_string+0x1ea/0x5e0 kernel/utsname_sysctl.c:53
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:get_uts kernel/utsname_sysctl.c:23 [inline]
Code: 48 c1 ee 03 80 3c 0e 00 0f 85 76 03 00 00 48 8b 92 08 09 00 00 48 b9 00 00 00 00 00 fc ff df 48 8d 7a 08 48 89 fe 48 c1 ee 03 <80> 3c 0e 00 0f 85 32 03 00 00 48 be 00 00 00 00 00 fc ff df 48 2d
RSP: 0018:ffffc90003567460 EFLAGS: 00010202
RAX: ffffffff90028f45 RBX: ffffffff8de3a458 RCX: dffffc0000000000
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000008
RBP: 1ffff920006ace92 R08: 0000000000000001 R09: fffffbfff1b8e045
R10: ffffffff8dc7022f R11: 0000000000000002 R12: 0000000000000001
R13: ffffc900035674c0 R14: ffffc90003567520 R15: ffffffff8de3a460
FS: 0000000000000000(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000056128a1406dd CR3: 0000000030060000 CR4: 00000000003526f0
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 48 c1 ee 03 shr $0x3,%rsi
4: 80 3c 0e 00 cmpb $0x0,(%rsi,%rcx,1)
8: 0f 85 76 03 00 00 jne 0x384
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 48 c1 ee 03 shr $0x3,%rsi
4: 80 3c 0e 00 cmpb $0x0,(%rsi,%rcx,1)
e: 48 8b 92 08 09 00 00 mov 0x908(%rdx),%rdx
15: 48 b9 00 00 00 00 00 movabs $0xdffffc0000000000,%rcx
1c: fc ff df
1f: 48 8d 7a 08 lea 0x8(%rdx),%rdi
23: 48 89 fe mov %rdi,%rsi
26: 48 c1 ee 03 shr $0x3,%rsi
* 2a: 80 3c 0e 00 cmpb $0x0,(%rsi,%rcx,1) <-- trapping instruction
2e: 0f 85 32 03 00 00 jne 0x366
15: 48 b9 00 00 00 00 00 movabs $0xdffffc0000000000,%rcx
1c: fc ff df
1f: 48 8d 7a 08 lea 0x8(%rdx),%rdi
23: 48 89 fe mov %rdi,%rsi
26: 48 c1 ee 03 shr $0x3,%rsi
* 2a: 80 3c 0e 00 cmpb $0x0,(%rsi,%rcx,1) <-- trapping instruction
34: 48 be 00 00 00 00 00 movabs $0xdffffc0000000000,%rsi
3b: fc ff df
3e: 48 rex.W
3f: 2d .byte 0x2d
Tested on:
commit: 85a8463a utsname: debug ctl table for domainname
3b: fc ff df
3e: 48 rex.W
3f: 2d .byte 0x2d
Tested on:
git tree: https://github.com/ea1davis/linux proc/syz
console output: https://syzkaller.appspot.com/x/log.txt?x=16e566f8580000
Edward Adam Davis
Jan 4, 2025, 12:12:33 AM1/4/25
to syzbot+2e6593...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
utsname: debug ctl table for domainname
Before exit_task_work() is executed, exit_task_namespaces() has been executed,
which will cause task->nsproxy to be NULL.
which will cause task->nsproxy to be NULL.
syzbot
Jan 4, 2025, 12:27:07 AM1/4/25
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in proc_sys_call_handler
write buf: , count: 64, tab: ffffffff8de3a458, proc_sys_call_handler
tab: ffffffff8de3a458, data: ffffffff90028ec5, datalen: 6, maxlen: 65, procname: domainname, proc_do_uts_string
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in proc_sys_call_handler
write buf: , count: 64, tab: ffffffff8de3a458, proc_sys_call_handler
write buf: , count: 64, tab: ffffffff8de3a458, proc_sys_call_handler
tab: ffffffff8de3a458, data: ffffffff90028ec5, datalen: 6, maxlen: 65, procname: domainname, proc_do_uts_string
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000028: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000140-0x0000000000000147]
CPU: 0 UID: 0 PID: 6578 Comm: syz-executor Not tainted 6.12.0-syzkaller-10299-g224ab98542f8 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
RIP: 0010:proc_do_uts_string+0x256/0x630 kernel/utsname_sysctl.c:55
Code: 03 00 00 4d 8b 7f 08 e8 28 b1 fe ff 48 8b 04 24 48 be 00 00 00 00 00 fc ff df 48 2d 80 8d 02 90 4c 01 f8 48 89 c2 48 c1 ea 03 <0f> b6 0c 32 48 8d 50 40 48 89 d7 48 c1 ef 03 0f b6 34 37 48 89 c7
RSP: 0018:ffffc900037f7460 EFLAGS: 00010207
RAX: 0000000000000145 RBX: ffffffff8de3a458 RCX: 1ffff11005cb9121
RDX: 0000000000000028 RSI: dffffc0000000000 RDI: ffff88802e5c8908
RBP: 0000000000000001 R08: 0000000000000001 R09: fffffbfff1b8e045
R10: ffffffff8dc7022f R11: 0000000000000002 R12: ffffc900037f74c0
R13: ffffc900037f7520 R14: ffffffff8de3a460 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000556c83033da8 CR3: 0000000030b94000 CR4: 00000000003526f0
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
proc_sys_call_handler+0x424/0x5f0 fs/proc/proc_sysctl.c:602
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
__kernel_write_iter+0x318/0xa80 fs/read_write.c:612
__kernel_write+0xf6/0x140 fs/read_write.c:632
do_acct_process+0xcb0/0x14a0 kernel/acct.c:539
acct_pin_kill+0x2d/0x100 kernel/acct.c:192
pin_kill+0x194/0x7c0 fs/fs_pin.c:44
mnt_pin_kill+0x61/0x1e0 fs/fs_pin.c:81
cleanup_mnt+0x3ac/0x450 fs/namespace.c:1366
task_work_run+0x14e/0x250 kernel/task_work.c:239
exit_task_work include/linux/task_work.h:43 [inline]
do_exit+0xadd/0x2d70 kernel/exit.c:938
do_group_exit+0xd3/0x2a0 kernel/exit.c:1087
get_signal+0x2576/0x2610 kernel/signal.c:3016
arch_do_signal_or_restart+0x90/0x7e0 arch/x86/kernel/signal.c:337
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0x150/0x2a0 kernel/entry/common.c:218
do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f6c3438498a
__kernel_write+0xf6/0x140 fs/read_write.c:632
do_acct_process+0xcb0/0x14a0 kernel/acct.c:539
acct_pin_kill+0x2d/0x100 kernel/acct.c:192
pin_kill+0x194/0x7c0 fs/fs_pin.c:44
mnt_pin_kill+0x61/0x1e0 fs/fs_pin.c:81
cleanup_mnt+0x3ac/0x450 fs/namespace.c:1366
task_work_run+0x14e/0x250 kernel/task_work.c:239
exit_task_work include/linux/task_work.h:43 [inline]
do_exit+0xadd/0x2d70 kernel/exit.c:938
do_group_exit+0xd3/0x2a0 kernel/exit.c:1087
get_signal+0x2576/0x2610 kernel/signal.c:3016
arch_do_signal_or_restart+0x90/0x7e0 arch/x86/kernel/signal.c:337
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0x150/0x2a0 kernel/entry/common.c:218
do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Code: Unable to access opcode bytes at 0x7f6c34384960.
RSP: 002b:00007ffe74966a30 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000003 RCX: 00007f6c3438498a
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 00007ffe74966a7c R08: 00007ffe7496637c R09: 0079746972756365
R10: 00007ffe749663e0 R11: 0000000000000293 R12: 0000000000000032
R13: 00000000000276a7 R14: 00007ffe74966ad0 R15: 0000000000000258
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:proc_do_uts_string+0x256/0x630 kernel/utsname_sysctl.c:55
Modules linked in:
---[ end trace 0000000000000000 ]---
Code: 03 00 00 4d 8b 7f 08 e8 28 b1 fe ff 48 8b 04 24 48 be 00 00 00 00 00 fc ff df 48 2d 80 8d 02 90 4c 01 f8 48 89 c2 48 c1 ea 03 <0f> b6 0c 32 48 8d 50 40 48 89 d7 48 c1 ef 03 0f b6 34 37 48 89 c7
RSP: 0018:ffffc900037f7460 EFLAGS: 00010207
RAX: 0000000000000145 RBX: ffffffff8de3a458 RCX: 1ffff11005cb9121
RDX: 0000000000000028 RSI: dffffc0000000000 RDI: ffff88802e5c8908
RBP: 0000000000000001 R08: 0000000000000001 R09: fffffbfff1b8e045
R10: ffffffff8dc7022f R11: 0000000000000002 R12: ffffc900037f74c0
R13: ffffc900037f7520 R14: ffffffff8de3a460 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000556c83033da8 CR3: 0000000030b94000 CR4: 00000000003526f0
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 03 00 add (%rax),%eax
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
2: 00 4d 8b add %cl,-0x75(%rbp)
5: 7f 08 jg 0xf
7: e8 28 b1 fe ff call 0xfffeb134
c: 48 8b 04 24 mov (%rsp),%rax
10: 48 be 00 00 00 00 00 movabs $0xdffffc0000000000,%rsi
17: fc ff df
1a: 48 2d 80 8d 02 90 sub $0xffffffff90028d80,%rax
20: 4c 01 f8 add %r15,%rax
23: 48 89 c2 mov %rax,%rdx
26: 48 c1 ea 03 shr $0x3,%rdx
* 2a: 0f b6 0c 32 movzbl (%rdx,%rsi,1),%ecx <-- trapping instruction
2e: 48 8d 50 40 lea 0x40(%rax),%rdx
32: 48 89 d7 mov %rdx,%rdi
35: 48 c1 ef 03 shr $0x3,%rdi
39: 0f b6 34 37 movzbl (%rdi,%rsi,1),%esi
3d: 48 89 c7 mov %rax,%rdi
Tested on:
commit: 224ab985 utsname: debug ctl table for domainname
git tree: https://github.com/ea1davis/linux proc/syz
console output: https://syzkaller.appspot.com/x/log.txt?x=106b38b0580000
Edward Adam Davis
Jan 4, 2025, 12:39:28 AM1/4/25
to syzbot+2e6593...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
utsname: debug ctl table for domainname
syzbot
Jan 4, 2025, 12:54:04 AM1/4/25
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in proc_sys_call_handler
nsp: ffff888032f4d340, get_uts
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in proc_sys_call_handler
nsp: ffff888032f4d340, get_uts
write buf: , count: 64, tab: ffffffff8de3a458, proc_sys_call_handler
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000028: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000140-0x0000000000000147]
CPU: 0 UID: 0 PID: 6593 Comm: syz-executor Not tainted 6.12.0-syzkaller-10299-g5009ba366804 #0
KASAN: null-ptr-deref in range [0x0000000000000140-0x0000000000000147]
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
RIP: 0010:proc_do_uts_string+0x1f1/0x610 kernel/utsname_sysctl.c:54
Code: 03 00 00 4d 8b 76 08 e8 8d b1 fe ff 48 8b 04 24 48 be 00 00 00 00 00 fc ff df 48 2d 80 8d 02 90 4c 01 f0 48 89 c2 48 c1 ea 03 <0f> b6 0c 32 48 8d 50 40 48 89 d7 48 c1 ef 03 0f b6 34 37 48 89 c7
RSP: 0018:ffffc90003e6f468 EFLAGS: 00010207
RAX: 0000000000000145 RBX: 1ffff920007cde92 RCX: 1ffff110052538a1
RDX: 0000000000000028 RSI: dffffc0000000000 RDI: ffff88802929c508
RBP: ffffffff8de3a458 R08: 0000000000000001 R09: fffffbfff1b8e045
R10: ffffffff8dc7022f R11: 0000000000000002 R12: 0000000000000001
R13: ffffc90003e6f520 R14: 0000000000000000 R15: ffffffff8de3a460
FS: 0000000000000000(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000562a01053200 CR3: 000000007a9a2000 CR4: 00000000003526f0
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
proc_sys_call_handler+0x424/0x5f0 fs/proc/proc_sysctl.c:602
__kernel_write_iter+0x318/0xa80 fs/read_write.c:612
__kernel_write+0xf6/0x140 fs/read_write.c:632
do_acct_process+0xcb0/0x14a0 kernel/acct.c:539
acct_pin_kill+0x2d/0x100 kernel/acct.c:192
pin_kill+0x194/0x7c0 fs/fs_pin.c:44
mnt_pin_kill+0x61/0x1e0 fs/fs_pin.c:81
cleanup_mnt+0x3ac/0x450 fs/namespace.c:1366
task_work_run+0x14e/0x250 kernel/task_work.c:239
exit_task_work include/linux/task_work.h:43 [inline]
do_exit+0xadd/0x2d70 kernel/exit.c:938
do_group_exit+0xd3/0x2a0 kernel/exit.c:1087
get_signal+0x2576/0x2610 kernel/signal.c:3016
arch_do_signal_or_restart+0x90/0x7e0 arch/x86/kernel/signal.c:337
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0x150/0x2a0 kernel/entry/common.c:218
do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f810a587a6a
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
proc_sys_call_handler+0x424/0x5f0 fs/proc/proc_sysctl.c:602
__kernel_write_iter+0x318/0xa80 fs/read_write.c:612
__kernel_write+0xf6/0x140 fs/read_write.c:632
do_acct_process+0xcb0/0x14a0 kernel/acct.c:539
acct_pin_kill+0x2d/0x100 kernel/acct.c:192
pin_kill+0x194/0x7c0 fs/fs_pin.c:44
mnt_pin_kill+0x61/0x1e0 fs/fs_pin.c:81
cleanup_mnt+0x3ac/0x450 fs/namespace.c:1366
task_work_run+0x14e/0x250 kernel/task_work.c:239
exit_task_work include/linux/task_work.h:43 [inline]
do_exit+0xadd/0x2d70 kernel/exit.c:938
do_group_exit+0xd3/0x2a0 kernel/exit.c:1087
get_signal+0x2576/0x2610 kernel/signal.c:3016
arch_do_signal_or_restart+0x90/0x7e0 arch/x86/kernel/signal.c:337
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0x150/0x2a0 kernel/entry/common.c:218
do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Code: Unable to access opcode bytes at 0x7f810a587a40.
RSP: 002b:00007ffcd4dfd8c8 EFLAGS: 00000212 ORIG_RAX: 0000000000000037
RAX: 0000000000000000 RBX: 00007ffcd4dfd950 RCX: 00007f810a587a6a
RDX: 0000000000000041 RSI: 0000000000000029 RDI: 0000000000000003
RBP: 0000000000000003 R08: 00007ffcd4dfd8ec R09: 0079746972756365
R10: 00007ffcd4dfd950 R11: 0000000000000212 R12: 00007f810a747a00
R13: 00007ffcd4dfd8ec R14: 0000000000000000 R15: 00007f810a748e40
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:proc_do_uts_string+0x1f1/0x610 kernel/utsname_sysctl.c:54
Modules linked in:
---[ end trace 0000000000000000 ]---
Code: 03 00 00 4d 8b 76 08 e8 8d b1 fe ff 48 8b 04 24 48 be 00 00 00 00 00 fc ff df 48 2d 80 8d 02 90 4c 01 f0 48 89 c2 48 c1 ea 03 <0f> b6 0c 32 48 8d 50 40 48 89 d7 48 c1 ef 03 0f b6 34 37 48 89 c7
RSP: 0018:ffffc90003e6f468 EFLAGS: 00010207
RAX: 0000000000000145 RBX: 1ffff920007cde92 RCX: 1ffff110052538a1
RDX: 0000000000000028 RSI: dffffc0000000000 RDI: ffff88802929c508
RBP: ffffffff8de3a458 R08: 0000000000000001 R09: fffffbfff1b8e045
R10: ffffffff8dc7022f R11: 0000000000000002 R12: 0000000000000001
R13: ffffc90003e6f520 R14: 0000000000000000 R15: ffffffff8de3a460
FS: 0000000000000000(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000562a00fcac40 CR3: 000000007c1d4000 CR4: 00000000003526f0
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 03 00 add (%rax),%eax
2: 00 4d 8b add %cl,-0x75(%rbp)
5: 76 08 jbe 0xf
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 03 00 add (%rax),%eax
2: 00 4d 8b add %cl,-0x75(%rbp)
7: e8 8d b1 fe ff call 0xfffeb199
c: 48 8b 04 24 mov (%rsp),%rax
10: 48 be 00 00 00 00 00 movabs $0xdffffc0000000000,%rsi
17: fc ff df
1a: 48 2d 80 8d 02 90 sub $0xffffffff90028d80,%rax
20: 4c 01 f0 add %r14,%rax
10: 48 be 00 00 00 00 00 movabs $0xdffffc0000000000,%rsi
17: fc ff df
1a: 48 2d 80 8d 02 90 sub $0xffffffff90028d80,%rax
23: 48 89 c2 mov %rax,%rdx
26: 48 c1 ea 03 shr $0x3,%rdx
* 2a: 0f b6 0c 32 movzbl (%rdx,%rsi,1),%ecx <-- trapping instruction
2e: 48 8d 50 40 lea 0x40(%rax),%rdx
32: 48 89 d7 mov %rdx,%rdi
35: 48 c1 ef 03 shr $0x3,%rdi
39: 0f b6 34 37 movzbl (%rdi,%rsi,1),%esi
3d: 48 89 c7 mov %rax,%rdi
Tested on:
commit: 5009ba36 utsname: debug ctl table for domainname
26: 48 c1 ea 03 shr $0x3,%rdx
* 2a: 0f b6 0c 32 movzbl (%rdx,%rsi,1),%ecx <-- trapping instruction
2e: 48 8d 50 40 lea 0x40(%rax),%rdx
32: 48 89 d7 mov %rdx,%rdi
35: 48 c1 ef 03 shr $0x3,%rdi
39: 0f b6 34 37 movzbl (%rdi,%rsi,1),%esi
3d: 48 89 c7 mov %rax,%rdi
Tested on:
git tree: https://github.com/ea1davis/linux proc/syz
console output: https://syzkaller.appspot.com/x/log.txt?x=123366f8580000
Edward Adam Davis
Jan 4, 2025, 1:01:03 AM1/4/25
to syzbot+2e6593...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
utsname: debug ctl table for domainname
syzbot
Jan 4, 2025, 1:21:05 AM1/4/25
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+2e6593...@syzkaller.appspotmail.com
Tested-by: syzbot+2e6593...@syzkaller.appspotmail.com
Tested on:
commit: 567d8ea8 utsname: debug ctl table for domainname
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+2e6593...@syzkaller.appspotmail.com
Tested-by: syzbot+2e6593...@syzkaller.appspotmail.com
Tested on:
commit: 567d8ea8 utsname: debug ctl table for domainname
git tree: https://github.com/ea1davis/linux proc/syz
console output: https://syzkaller.appspot.com/x/log.txt?x=15ba4edf980000
kernel config: https://syzkaller.appspot.com/x/.config?x=e8d97faf7b870c89
dashboard link: https://syzkaller.appspot.com/bug?extid=2e65930fda17880da336
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
Note: no patches were applied.
Note: testing is done by a robot and is best-effort only.
dashboard link: https://syzkaller.appspot.com/bug?extid=2e65930fda17880da336
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
Note: no patches were applied.
Edward Adam Davis
Jan 4, 2025, 7:21:13 AM1/4/25
to syzbot+2e6593...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, lu...@kernel.org, pet...@infradead.org, syzkall...@googlegroups.com, tg...@linutronix.de
syzbot reported a null-ptr-deref in get_uts. [1]
Before exit_task_work() is executed, exit_task_namespaces() has been executed,
which will cause task->nsproxy to be NULL.
To avoid this issue, check nsproxy of the task in proc_do_uts_string().
[1]
Reported-by: syzbot+2e6593...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=2e65930fda17880da336
Tested-by: syzbot+2e6593...@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <ead...@qq.com>
---
kernel/utsname_sysctl.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/kernel/utsname_sysctl.c b/kernel/utsname_sysctl.c
index 7282f61a8650..da2a9c92227f 100644
--- a/kernel/utsname_sysctl.c
+++ b/kernel/utsname_sysctl.c
@@ -37,6 +37,9 @@ static int proc_do_uts_string(const struct ctl_table *table, int write,
int r;
char tmp_data[__NEW_UTS_LEN + 1];
+ if (!current->nsproxy)
+ return -EINVAL;
+
memcpy(&uts_table, table, sizeof(uts_table));
uts_table.data = tmp_data;
--
2.47.0
Before exit_task_work() is executed, exit_task_namespaces() has been executed,
which will cause task->nsproxy to be NULL.
[1]
Closes: https://syzkaller.appspot.com/bug?extid=2e65930fda17880da336
Tested-by: syzbot+2e6593...@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <ead...@qq.com>
---
kernel/utsname_sysctl.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/kernel/utsname_sysctl.c b/kernel/utsname_sysctl.c
index 7282f61a8650..da2a9c92227f 100644
--- a/kernel/utsname_sysctl.c
+++ b/kernel/utsname_sysctl.c
@@ -37,6 +37,9 @@ static int proc_do_uts_string(const struct ctl_table *table, int write,
int r;
char tmp_data[__NEW_UTS_LEN + 1];
+ if (!current->nsproxy)
+ return -EINVAL;
+
memcpy(&uts_table, table, sizeof(uts_table));
uts_table.data = tmp_data;
--
2.47.0
syzbot
Apr 23, 2025, 9:24:20 PM4/23/25
to syzkall...@googlegroups.com
Auto-closing this bug as obsolete.
No recent activity, existing reproducers are no longer triggering the issue.
No recent activity, existing reproducers are no longer triggering the issue.
Reply all
Reply to author
Forward
0 new messages