Re: general protection fault in syscall_return_slowpath


syzbot

Jul 3, 2020, 5:24:04 PM
to ja...@google.com, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but build/boot failed:

syzkaller build failed: failed to run ["make" "target"]: exit status 2
GOOS=linux GOARCH=amd64 go install ./syz-fuzzer
# github.com/google/syzkaller/sys/akaros/gen
sys/akaros/gen/amd64.go:23:55: undefined: Field
sys/akaros/gen/amd64.go:26:61: undefined: Field
sys/akaros/gen/amd64.go:29:48: undefined: Field
sys/akaros/gen/amd64.go:34:44: undefined: Field
sys/akaros/gen/amd64.go:39:59: undefined: Field
sys/akaros/gen/amd64.go:43:46: undefined: Field
sys/akaros/gen/amd64.go:48:46: undefined: Field
sys/akaros/gen/amd64.go:51:56: undefined: Field
sys/akaros/gen/amd64.go:56:43: undefined: Field
sys/akaros/gen/amd64.go:62:48: undefined: Field
sys/akaros/gen/amd64.go:62:48: too many errors
# github.com/google/syzkaller/sys/netbsd/gen
sys/netbsd/gen/amd64.go:47:68: undefined: Field
sys/netbsd/gen/amd64.go:51:70: undefined: Field
sys/netbsd/gen/amd64.go:55:70: undefined: Field
sys/netbsd/gen/amd64.go:59:50: undefined: Field
sys/netbsd/gen/amd64.go:62:7: undefined: Ref
sys/netbsd/gen/amd64.go:63:54: undefined: Field
sys/netbsd/gen/amd64.go:67:58: undefined: Field
sys/netbsd/gen/amd64.go:71:52: undefined: Field
sys/netbsd/gen/amd64.go:75:60: undefined: Field
sys/netbsd/gen/amd64.go:80:62: undefined: Field
sys/netbsd/gen/amd64.go:80:62: too many errors
# github.com/google/syzkaller/sys/test/gen
sys/test/gen/32_fork_shmem.go:29:50: unknown field 'Attrs' in struct literal of type prog.Syscall
sys/test/gen/32_fork_shmem.go:30:40: unknown field 'Attrs' in struct literal of type prog.Syscall
sys/test/gen/32_fork_shmem.go:31:44: undefined: Ref
sys/test/gen/32_fork_shmem.go:31:53: unknown field 'Attrs' in struct literal of type prog.Syscall
sys/test/gen/32_fork_shmem.go:32:47: undefined: Field
sys/test/gen/32_fork_shmem.go:34:3: unknown field 'Attrs' in struct literal of type prog.Syscall
sys/test/gen/32_fork_shmem.go:35:58: undefined: Ref
sys/test/gen/32_fork_shmem.go:36:47: undefined: Field
sys/test/gen/32_fork_shmem.go:39:54: undefined: Field
sys/test/gen/32_fork_shmem.go:42:42: undefined: Field
sys/test/gen/32_fork_shmem.go:42:42: too many errors
# github.com/google/syzkaller/sys/openbsd/gen
sys/openbsd/gen/amd64.go:49:47: undefined: Field
sys/openbsd/gen/amd64.go:53:7: undefined: Ref
sys/openbsd/gen/amd64.go:54:52: undefined: Field
sys/openbsd/gen/amd64.go:58:7: undefined: Ref
sys/openbsd/gen/amd64.go:59:53: undefined: Field
sys/openbsd/gen/amd64.go:63:7: undefined: Ref
sys/openbsd/gen/amd64.go:64:52: undefined: Field
sys/openbsd/gen/amd64.go:68:7: undefined: Ref
sys/openbsd/gen/amd64.go:69:43: undefined: Field
sys/openbsd/gen/amd64.go:72:44: undefined: Field
sys/openbsd/gen/amd64.go:72:44: too many errors
# github.com/google/syzkaller/sys/freebsd/gen
sys/freebsd/gen/386.go:49:68: undefined: Field
sys/freebsd/gen/386.go:54:52: undefined: Field
sys/freebsd/gen/386.go:58:60: undefined: Field
sys/freebsd/gen/386.go:65:59: undefined: Field
sys/freebsd/gen/386.go:71:60: undefined: Field
sys/freebsd/gen/386.go:77:59: undefined: Field
sys/freebsd/gen/386.go:83:59: undefined: Field
sys/freebsd/gen/386.go:89:60: undefined: Field
sys/freebsd/gen/386.go:95:61: undefined: Field
sys/freebsd/gen/386.go:101:75: undefined: Field
sys/freebsd/gen/386.go:101:75: too many errors
# github.com/google/syzkaller/sys/fuchsia/gen
sys/fuchsia/gen/amd64.go:91:39: undefined: Field
sys/fuchsia/gen/amd64.go:94:39: undefined: Field
sys/fuchsia/gen/amd64.go:98:39: undefined: Field
sys/fuchsia/gen/amd64.go:103:39: undefined: Field
sys/fuchsia/gen/amd64.go:106:39: undefined: Field
sys/fuchsia/gen/amd64.go:109:7: undefined: Ref
sys/fuchsia/gen/amd64.go:110:35: undefined: Field
sys/fuchsia/gen/amd64.go:112:7: undefined: Ref
sys/fuchsia/gen/amd64.go:113:37: undefined: Field
sys/fuchsia/gen/amd64.go:116:7: undefined: Ref
sys/fuchsia/gen/amd64.go:116:7: too many errors
# github.com/google/syzkaller/sys/windows/gen
sys/windows/gen/amd64.go:23:45: undefined: Field
sys/windows/gen/amd64.go:26:47: undefined: Field
sys/windows/gen/amd64.go:29:53: undefined: Field
sys/windows/gen/amd64.go:32:69: undefined: Field
sys/windows/gen/amd64.go:35:45: undefined: Field
sys/windows/gen/amd64.go:45:51: undefined: Field
sys/windows/gen/amd64.go:55:79: undefined: Field
sys/windows/gen/amd64.go:66:63: undefined: Field
sys/windows/gen/amd64.go:77:91: undefined: Field
sys/windows/gen/amd64.go:88:83: undefined: Field
sys/windows/gen/amd64.go:88:83: too many errors
# github.com/google/syzkaller/sys/linux/gen
sys/linux/gen/386.go:305:50: undefined: Field
sys/linux/gen/386.go:310:7: undefined: Ref
sys/linux/gen/386.go:311:54: undefined: Field
sys/linux/gen/386.go:316:7: undefined: Ref
sys/linux/gen/386.go:317:55: undefined: Field
sys/linux/gen/386.go:322:7: undefined: Ref
sys/linux/gen/386.go:323:59: undefined: Field
sys/linux/gen/386.go:328:7: undefined: Ref
sys/linux/gen/386.go:329:55: undefined: Field
sys/linux/gen/386.go:334:7: undefined: Ref
sys/linux/gen/386.go:334:7: too many errors
Makefile:113: recipe for target 'target' failed
make: *** [target] Error 2

go env (err=<nil>)
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/syzkaller/.cache/go-build"
GOENV="/syzkaller/.config/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/syzkaller/jobs/linux/gopath"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/syzkaller/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/syzkaller/go/pkg/tool/linux_amd64"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build696459146=/tmp/go-build -gno-record-gcc-switches"

git status (err=<nil>)
HEAD detached at c88c7b75
Changes not staged for commit:
(use "git add <file>..." to update what will be committed)
(use "git restore <file>..." to discard changes in working directory)
modified: sys/akaros/gen/amd64.go
modified: sys/freebsd/gen/386.go
modified: sys/freebsd/gen/amd64.go
modified: sys/fuchsia/gen/amd64.go
modified: sys/fuchsia/gen/arm64.go
modified: sys/linux/gen/386.go
modified: sys/linux/gen/amd64.go
modified: sys/linux/gen/arm.go
modified: sys/linux/gen/arm64.go
modified: sys/linux/gen/mips64le.go
modified: sys/linux/gen/ppc64le.go
modified: sys/netbsd/gen/amd64.go
modified: sys/openbsd/gen/amd64.go
modified: sys/test/gen/32_fork_shmem.go
modified: sys/test/gen/32_shmem.go
modified: sys/test/gen/64.go
modified: sys/test/gen/64_fork.go
modified: sys/trusty/gen/arm.go
modified: sys/windows/gen/amd64.go

Untracked files:
(use "git add <file>..." to include in what will be committed)
.descriptions
sys/linux/gen/riscv64.go
sys/linux/gen/s390x.go

no changes added to commit (use "git add" and/or "git commit -a")



Tested on:

commit: [unknown
git tree: https://kernel.googlesource.com/pub/scm/linux/kernel/git/torvalds/linux.git 63623fd44972d1ed2bfb6e0fb631dfcf547fd1e7
dashboard link: https://syzkaller.appspot.com/bug?extid=cd66e43794b178bb5cd6
compiler: clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)
patch: https://syzkaller.appspot.com/x/patch.diff?x=176360a3100000

Dmitry Vyukov

Jul 4, 2020, 2:40:32 AM
to syzbot, Jann Horn, syzkaller-bugs, syzkaller
Doh!

The art of resetting git...
I've pushed this fix:
https://github.com/google/syzkaller/commit/0bb197026afef73ebebc26a2e153a3175aef3852
Now we are even better than the best suggested way on stackoverflow:
https://stackoverflow.com/questions/32696310/how-to-reset-git-repository-once-and-for-all-into-a-clean-state

That commit will be deployed only within ~12 hours, but we may try
again now, maybe it will reset from the current state now even without
the change...

#syz test: https://kernel.googlesource.com/pub/scm/linux/kernel/git/torvalds/linux.git
63623fd44972d1ed2bfb6e0fb631dfcf547fd1e7
patch.txt

syzbot

Jul 8, 2020, 6:20:07 PM
to dvy...@google.com, ja...@google.com, syzkall...@googlegroups.com, syzk...@googlegroups.com
# github.com/google/syzkaller/sys/openbsd/gen
sys/openbsd/gen/amd64.go:49:47: undefined: Field
sys/openbsd/gen/amd64.go:53:7: undefined: Ref
sys/openbsd/gen/amd64.go:54:52: undefined: Field
sys/openbsd/gen/amd64.go:58:7: undefined: Ref
sys/openbsd/gen/amd64.go:59:53: undefined: Field
sys/openbsd/gen/amd64.go:63:7: undefined: Ref
sys/openbsd/gen/amd64.go:64:52: undefined: Field
sys/openbsd/gen/amd64.go:68:7: undefined: Ref
sys/openbsd/gen/amd64.go:69:43: undefined: Field
sys/openbsd/gen/amd64.go:72:44: undefined: Field
sys/openbsd/gen/amd64.go:72:44: too many errors
# github.com/google/syzkaller/sys/test/gen
sys/test/gen/32_fork_shmem.go:29:50: unknown field 'Attrs' in struct literal of type prog.Syscall
sys/test/gen/32_fork_shmem.go:30:40: unknown field 'Attrs' in struct literal of type prog.Syscall
sys/test/gen/32_fork_shmem.go:31:44: undefined: Ref
sys/test/gen/32_fork_shmem.go:31:53: unknown field 'Attrs' in struct literal of type prog.Syscall
sys/test/gen/32_fork_shmem.go:32:47: undefined: Field
sys/test/gen/32_fork_shmem.go:34:3: unknown field 'Attrs' in struct literal of type prog.Syscall
sys/test/gen/32_fork_shmem.go:35:58: undefined: Ref
sys/test/gen/32_fork_shmem.go:36:47: undefined: Field
sys/test/gen/32_fork_shmem.go:39:54: undefined: Field
sys/test/gen/32_fork_shmem.go:42:42: undefined: Field
sys/test/gen/32_fork_shmem.go:42:42: too many errors
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build526923622=/tmp/go-build -gno-record-gcc-switches"
sys/linux/gen/riscv64.go
sys/linux/gen/s390x.go

no changes added to commit (use "git add" and/or "git commit -a")



Tested on:

commit: [unknown
git tree: https://kernel.googlesource.com/pub/scm/linux/kernel/git/torvalds/linux.git 63623fd44972d1ed2bfb6e0fb631dfcf547fd1e7
dashboard link: https://syzkaller.appspot.com/bug?extid=cd66e43794b178bb5cd6
compiler: clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)
patch: https://syzkaller.appspot.com/x/patch.diff?x=11b002cd100000

Dmitry Vyukov

Jul 10, 2020, 3:27:27 AM
to syzbot, Jann Horn, syzkaller-bugs, syzkaller
On Thu, Jul 9, 2020 at 12:20 AM syzbot
<syzbot+cd66e4...@syzkaller.appspotmail.com> wrote:
>
> Hello,
>
> syzbot tried to test the proposed patch but build/boot failed:

I am puzzled how this can happen...

#syz test: https://kernel.googlesource.com/pub/scm/linux/kernel/git/torvalds/linux.git
63623fd44972d1ed2bfb6e0fb631dfcf547fd1e7


patch.txt

syzbot

Jul 10, 2020, 5:41:06 AM
to dvy...@google.com, ja...@google.com, syzkall...@googlegroups.com, syzk...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer still triggered crash:
general protection fault in syscall_return_slowpath

general protection fault, probably for non-canonical address 0x1ffffffff1255a6b: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 8589 Comm: systemd-udevd Not tainted 5.6.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:arch_local_irq_disable arch/x86/include/asm/paravirt.h:757 [inline]
RIP: 0010:syscall_return_slowpath+0xeb/0x4a0 arch/x86/entry/common.c:277
Code: 00 10 0f 85 de 00 00 00 e8 b2 a3 76 00 48 c7 c0 58 d3 2a 89 48 c1 e8 03 80 3c 18 00 74 0c 48 c7 c7 58 d3 2a 89 e8 05 00 00 00 <00> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
RSP: 0018:ffffc900049f7ed0 EFLAGS: 00010246
RAX: 1ffffffff1255a6b RBX: dffffc0000000000 RCX: ffff8880a2d9e180
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc900049f7f10 R08: ffffffff810075bb R09: ffffed1015d67004
R10: ffffed1015d67004 R11: 0000000000000000 R12: 1ffff110145b3c30
R13: 0000000000000100 R14: ffff8880a2d9e180 R15: ffff8880a2d9e180
FS: 00007fe804b8f8c0(0000) GS:ffff8880aeb00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fe803a10270 CR3: 00000000a31b9000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
do_syscall_64+0x11f/0x1c0 arch/x86/entry/common.c:304
entry_SYSCALL_64_after_hwframe+0x49/0xbe
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 0 P4D 0
Oops: 0002 [#2] PREEMPT SMP KASAN
CPU: 1 PID: 8589 Comm: systemd-udevd Not tainted 5.6.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:in_gate_area_no_mm+0x0/0x60 arch/x86/entry/vsyscall/vsyscall_64.c:343
Code: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 <00> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
RSP: 0018:ffffc900049f7598 EFLAGS: 00010003
RAX: 0000000000000000 RBX: ffffffff81000000 RCX: ffff8880a2d9e180
RDX: ffff8880a2d9e180 RSI: ffffffff8b026000 RDI: 00007fe803cd6840
RBP: ffffc900049f75e8 R08: ffffffff816dd391 R09: ffffffff88150d5e
R10: ffff8880a2d9e180 R11: 0000000000000002 R12: ffffffff8b026000
R13: 00007fe803cd6840 R14: ffffc900049f7610 R15: ffffc900049f7608
FS: 00007fe804b8f8c0(0000) GS:ffff8880aeb00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 00000000a31b9000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
__sprint_symbol+0x4c/0x1b0 kernel/kallsyms.c:365
sprint_symbol+0x24/0x30 kernel/kallsyms.c:396
symbol_string+0xb3/0x210 lib/vsprintf.c:961
pointer+0x388/0x7c0 lib/vsprintf.c:2188
vsnprintf+0xd4c/0x1bc0 lib/vsprintf.c:2578
vscnprintf+0x2d/0x80 lib/vsprintf.c:2677
vprintk_store+0x4b/0x6a0 kernel/printk/printk.c:1917
vprintk_emit+0x12a/0x3a0 kernel/printk/printk.c:1978
vprintk_default+0x28/0x30 kernel/printk/printk.c:2023
vprintk_func+0x158/0x170 kernel/printk/printk_safe.c:386
printk+0x62/0x8d kernel/printk/printk.c:2056
show_ip arch/x86/kernel/dumpstack.c:124 [inline]
show_iret_regs+0x40/0x100 arch/x86/kernel/dumpstack.c:131
__show_regs+0x26/0x760 arch/x86/kernel/process_64.c:74
show_regs_if_on_stack arch/x86/kernel/dumpstack.c:149 [inline]
show_trace_log_lvl+0x2e0/0x3e0 arch/x86/kernel/dumpstack.c:274
show_regs arch/x86/kernel/dumpstack.c:447 [inline]
__die_body+0x5f/0xa0 arch/x86/kernel/dumpstack.c:392
die_addr+0xa9/0xe0 arch/x86/kernel/dumpstack.c:432
do_general_protection+0x325/0x570 arch/x86/kernel/traps.c:564
general_protection+0x2d/0x40 arch/x86/entry/entry_64.S:1202
RIP: 0010:arch_local_irq_disable arch/x86/include/asm/paravirt.h:757 [inline]
RIP: 0010:syscall_return_slowpath+0xeb/0x4a0 arch/x86/entry/common.c:277
Code: 00 10 0f 85 de 00 00 00 e8 b2 a3 76 00 48 c7 c0 58 d3 2a 89 48 c1 e8 03 80 3c 18 00 74 0c 48 c7 c7 58 d3 2a 89 e8 05 00 00 00 <00> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
RSP: 0018:ffffc900049f7ed0 EFLAGS: 00010246
RAX: 1ffffffff1255a6b RBX: dffffc0000000000 RCX: ffff8880a2d9e180
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc900049f7f10 R08: ffffffff810075bb R09: ffffed1015d67004
R10: ffffed1015d67004 R11: 0000000000000000 R12: 1ffff110145b3c30
R13: 0000000000000100 R14: ffff8880a2d9e180 R15: ffff8880a2d9e180
do_syscall_64+0x11f/0x1c0 arch/x86/entry/common.c:304
entry_SYSCALL_64_after_hwframe+0x49/0xbe
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 0 P4D 0
Oops: 0002 [#3] PREEMPT SMP KASAN
CPU: 1 PID: 8589 Comm: systemd-udevd Not tainted 5.6.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:in_gate_area_no_mm+0x0/0x60 arch/x86/entry/vsyscall/vsyscall_64.c:343
Code: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 <00> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
RSP: 0018:ffffc900049f6bf8 EFLAGS: 00010003
RAX: 0000000000000000 RBX: ffffffff81000000 RCX: ffff8880a2d9e180
RDX: ffff8880a2d9e180 RSI: ffffffff8b026000 RDI: 00007fe803cd6840
RBP: ffffc900049f6c48 R08: ffffffff816dd391 R09: ffffffff88150d5e
R10: ffff8880a2d9e180 R11: 0000000000000002 R12: ffffffff8b026000
R13: 00007fe803cd6840 R14: ffffc900049f6c70 R15: ffffc900049f6c68
FS: 00007fe804b8f8c0(0000) GS:ffff8880aeb00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 00000000a31b9000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
__sprint_symbol+0x4c/0x1b0 kernel/kallsyms.c:365
sprint_symbol+0x24/0x30 kernel/kallsyms.c:396
symbol_string+0xb3/0x210 lib/vsprintf.c:961
pointer+0x388/0x7c0 lib/vsprintf.c:2188
vsnprintf+0xd4c/0x1bc0 lib/vsprintf.c:2578
vscnprintf+0x2d/0x80 lib/vsprintf.c:2677
printk_safe_log_store+0xda/0x1c0 kernel/printk/printk_safe.c:93
vprintk_func+0x146/0x170 kernel/printk/printk_safe.c:292
printk+0x62/0x8d kernel/printk/printk.c:2056
show_ip arch/x86/kernel/dumpstack.c:124 [inline]
show_iret_regs+0x40/0x100 arch/x86/kernel/dumpstack.c:131
__show_regs+0x26/0x760 arch/x86/kernel/process_64.c:74
show_regs_if_on_stack arch/x86/kernel/dumpstack.c:149 [inline]
show_trace_log_lvl+0x2e0/0x3e0 arch/x86/kernel/dumpstack.c:274
show_regs arch/x86/kernel/dumpstack.c:447 [inline]
__die_body+0x5f/0xa0 arch/x86/kernel/dumpstack.c:392
__die+0x80/0x90 arch/x86/kernel/dumpstack.c:406
no_context+0xaee/0xd60 arch/x86/mm/fault.c:821
__bad_area_nosemaphore+0x108/0x470 arch/x86/mm/fault.c:913
bad_area_nosemaphore+0x2d/0x40 arch/x86/mm/fault.c:920
do_user_addr_fault+0x7e1/0xaf0 arch/x86/mm/fault.c:1327
do_page_fault+0x13b/0x250 arch/x86/mm/fault.c:1517
page_fault+0x39/0x40 arch/x86/entry/entry_64.S:1203
RIP: 0010:in_gate_area_no_mm+0x0/0x60 arch/x86/entry/vsyscall/vsyscall_64.c:343
Code: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 <00> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
RSP: 0018:ffffc900049f7598 EFLAGS: 00010003
RAX: 0000000000000000 RBX: ffffffff81000000 RCX: ffff8880a2d9e180
RDX: ffff8880a2d9e180 RSI: ffffffff8b026000 RDI: 00007fe803cd6840
RBP: ffffc900049f75e8 R08: ffffffff816dd391 R09: ffffffff88150d5e
R10: ffff8880a2d9e180 R11: 0000000000000002 R12: ffffffff8b026000
R13: 00007fe803cd6840 R14: ffffc900049f7610 R15: ffffc900049f7608
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 0 P4D 0
Oops: 0002 [#4] PREEMPT SMP KASAN
CPU: 1 PID: 8589 Comm: systemd-udevd Not tainted 5.6.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:in_gate_area_no_mm+0x0/0x60 arch/x86/entry/vsyscall/vsyscall_64.c:343
Code: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 <00> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
RSP: 0018:ffffc900049f6338 EFLAGS: 00010087
RAX: 0000000000000000 RBX: ffffffff81000000 RCX: ffff8880a2d9e180
RDX: ffff8880a2d9e180 RSI: ffffffff8b026000 RDI: ffffffff80ffffff
RBP: ffffc900049f6388 R08: ffffffff816dd391 R09: ffffffff88150d5e
R10: ffff8880a2d9e180 R11: 0000000000000002 R12: ffffffff8b026000
R13: ffffffff80ffffff R14: ffffc900049f63b0 R15: ffffc900049f63a8
FS: 00007fe804b8f8c0(0000) GS:ffff8880aeb00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 00000000a31b9000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 0 P4D 0
Oops: 0002 [#5] PREEMPT SMP KASAN
CPU: 1 PID: 8589 Comm: systemd-udevd Not tainted 5.6.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:in_gate_area_no_mm+0x0/0x60 arch/x86/entry/vsyscall/vsyscall_64.c:343
Code: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 <00> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
RSP: 0018:ffffc900049f5a78 EFLAGS: 00010087
RAX: 0000000000000000 RBX: ffffffff81000000 RCX: ffff8880a2d9e180
RDX: ffff8880a2d9e180 RSI: ffffffff8b026000 RDI: ffffffff80ffffff
RBP: ffffc900049f5ac8 R08: ffffffff816dd391 R09: ffffffff88150d5e
R10: ffff8880a2d9e180 R11: 0000000000000002 R12: ffffffff8b026000
R13: ffffffff80ffffff R14: ffffc900049f5af0 R15: ffffc900049f5ae8
FS:
Lost 221 message(s)!


Tested on:

commit: 63623fd4 Merge tag 'for-linus' of git://git.kernel.org/pub..
git tree: https://kernel.googlesource.com/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=1082862b100000
kernel config: https://syzkaller.appspot.com/x/.config?x=5d2e033af114153f
dashboard link: https://syzkaller.appspot.com/bug?extid=cd66e43794b178bb5cd6
compiler: clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)
patch: https://syzkaller.appspot.com/x/patch.diff?x=1453a76b100000

Dmitry Vyukov

Jul 11, 2020, 7:33:32 AM
to syzbot, Jann Horn, syzkaller-bugs, syzkaller
On Fri, Jul 10, 2020 at 9:27 AM Dmitry Vyukov <dvy...@google.com> wrote:
>
> On Thu, Jul 9, 2020 at 12:20 AM syzbot
> <syzbot+cd66e4...@syzkaller.appspotmail.com> wrote:
> >
> > Hello,
> >
> > syzbot tried to test the proposed patch but build/boot failed:
>
> I am puzzled how this can happen...

I figured out what happened. It has to do with permissions and git
dropping errors on the floor.
If syzbot understood that some errors happen during git
manipulations, it would try to repair it with a fresh checkout...

$ git checkout 8eda0b95 && echo OK
error: unable to unlink old 'sys/linux/gen/386.go': Permission denied
error: unable to unlink old 'sys/linux/gen/amd64.go': Permission denied
error: unable to unlink old 'sys/linux/gen/arm.go': Permission denied
error: unable to unlink old 'sys/linux/gen/arm64.go': Permission denied
error: unable to unlink old 'sys/linux/gen/empty.go': Permission denied
error: unable to unlink old 'sys/linux/gen/mips64le.go': Permission denied
error: unable to unlink old 'sys/linux/gen/ppc64le.go': Permission denied
...
HEAD is now at 8eda0b957e5b docs: add KOOBE research paper
OK
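
The failure shown above (git printing `error:` lines yet exiting 0, so `&& echo OK` still ran) is guarded against by inspecting stderr as well as the exit status, and falling back to a fresh clone when either signals trouble. The Go example below is added here for illustration; it is not syzkaller's code and not the fix in the linked commit. The `Repo` interface, `diskRepo`, the function names and the local path in `main` are assumptions, and `sampleStderr` is constructed from the checkout output quoted in the message.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"os/exec"
	"strings"
)

// sampleStderr is constructed from the checkout output quoted above:
// git reported unlink failures but still exited 0.
const sampleStderr = `error: unable to unlink old 'sys/linux/gen/386.go': Permission denied
error: unable to unlink old 'sys/linux/gen/amd64.go': Permission denied
error: unable to unlink old 'sys/linux/gen/arm.go': Permission denied
error: unable to unlink old 'sys/linux/gen/arm64.go': Permission denied
error: unable to unlink old 'sys/linux/gen/empty.go': Permission denied
error: unable to unlink old 'sys/linux/gen/mips64le.go': Permission denied
error: unable to unlink old 'sys/linux/gen/ppc64le.go': Permission denied
HEAD is now at 8eda0b957e5b docs: add KOOBE research paper
`

// Repo is a hypothetical interface (not syzkaller's) so the reset logic can be
// driven by a fake in tests as well as by real git on disk.
type Repo interface {
	Git(args ...string) (stderr string, err error) // run git inside the work tree
	Wipe() error                                    // empty the work tree
}

// diskRepo runs real git in dir.
type diskRepo struct{ dir string }

func (d diskRepo) Git(args ...string) (string, error) {
	cmd := exec.Command("git", args...)
	cmd.Dir = d.dir
	var stderr strings.Builder
	cmd.Stderr = &stderr
	err := cmd.Run()
	return stderr.String(), err
}

// Wipe deletes the work tree and recreates it empty so "git clone <url> ." works.
func (d diskRepo) Wipe() error {
	if err := os.RemoveAll(d.dir); err != nil {
		return err
	}
	return os.MkdirAll(d.dir, 0o755)
}

// gitErrors returns the "error:" and "fatal:" lines found on git's stderr.
func gitErrors(stderr string) []string {
	var found []string
	sc := bufio.NewScanner(strings.NewReader(stderr))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if strings.HasPrefix(line, "error:") || strings.HasPrefix(line, "fatal:") {
			found = append(found, line)
		}
	}
	return found
}

// checkout runs "git checkout <rev>" and fails on error lines even when the
// exit status is zero, which is exactly the case the quoted output slipped through.
func checkout(r Repo, rev string) error {
	stderr, err := r.Git("checkout", rev)
	if err != nil {
		return fmt.Errorf("git checkout %s: %w: %s", rev, err, strings.TrimSpace(stderr))
	}
	if errs := gitErrors(stderr); len(errs) > 0 {
		return fmt.Errorf("git checkout %s exited 0 but printed %d error line(s); first: %s",
			rev, len(errs), errs[0])
	}
	return nil
}

// resetToRevision tries an in-place checkout and, if that reports errors, wipes
// the work tree, clones url afresh and checks out again. The bool reports
// whether the fresh-clone path was taken.
func resetToRevision(r Repo, url, rev string) (fresh bool, err error) {
	if err := checkout(r, rev); err == nil {
		return false, nil
	}
	if err := r.Wipe(); err != nil {
		return true, fmt.Errorf("wipe work tree: %w", err)
	}
	if stderr, err := r.Git("clone", url, "."); err != nil || len(gitErrors(stderr)) > 0 {
		return true, fmt.Errorf("git clone %s: %v: %s", url, err, strings.TrimSpace(stderr))
	}
	return true, checkout(r, rev)
}

func main() {
	// Hypothetical local path; the URL and revision are the ones named in the thread.
	repo := diskRepo{dir: "/tmp/syzkaller-checkout"}
	fresh, err := resetToRevision(repo, "https://github.com/google/syzkaller", "8eda0b95")
	fmt.Printf("fresh clone: %v, err: %v\n", fresh, err)
}
```

Matching on `error:`/`fatal:` prefixes is deliberately coarse: anything git flags that way is reason enough to distrust the work tree, and a fresh clone is cheaper than debugging a half-updated `sys/*/gen` directory like the one in the first build log.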

Dmitry Vyukov

Jul 12, 2020, 2:50:42 AM
to syzbot, Jann Horn, syzkaller-bugs, syzkaller