[v5.15] general protection fault in jfs_flush_journal


syzbot

Mar 16, 2023, 6:18:49 PM
to syzkaller...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 2ddbd0f967b3 Linux 5.15.102
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1053950cc80000
kernel config: https://syzkaller.appspot.com/x/.config?x=fec083380faceb1e
dashboard link: https://syzkaller.appspot.com/bug?extid=c708d902646b38b761e8
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/156d2aa91f3c/disk-2ddbd0f9.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/f0e97f5be5fb/vmlinux-2ddbd0f9.xz
kernel image: https://storage.googleapis.com/syzbot-assets/20d0a55a041d/bzImage-2ddbd0f9.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+c708d9...@syzkaller.appspotmail.com

general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
CPU: 1 PID: 3632 Comm: syz-executor.3 Not tainted 5.15.102-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
RIP: 0010:write_special_inodes fs/jfs/jfs_logmgr.c:208 [inline]
RIP: 0010:jfs_flush_journal+0x80d/0xec0 fs/jfs/jfs_logmgr.c:1581
Code: c1 fe 49 8d 5f f0 48 89 d8 48 c1 e8 03 42 80 3c 28 00 74 08 48 89 df e8 91 4b e4 fe 48 8b 1b 48 83 c3 30 48 89 d8 48 c1 e8 03 <42> 80 3c 28 00 74 08 48 89 df e8 74 4b e4 fe 48 8b 3b e8 2c ec c1
RSP: 0018:ffffc90002dcfbc0 EFLAGS: 00010206
RAX: 0000000000000006 RBX: 0000000000000030 RCX: 288cb886440c0300
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90002dcfcf0 R08: ffffffff81a7a1e6 R09: ffffc90002dcfb28
R10: 0000000000000000 R11: dffffc0000000001 R12: 1ffff920005b9f84
R13: dffffc0000000000 R14: ffff88807c202800 R15: ffff88814a755038
FS: 00005555564b0400(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffe15dbaef8 CR3: 00000000273f8000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
jfs_umount+0xf4/0x370 fs/jfs/jfs_umount.c:58
jfs_put_super+0x86/0x180 fs/jfs/super.c:194
generic_shutdown_super+0x136/0x2c0 fs/super.c:466
kill_block_super+0x7a/0xe0 fs/super.c:1396
deactivate_locked_super+0xa0/0x110 fs/super.c:335
cleanup_mnt+0x44e/0x500 fs/namespace.c:1143
task_work_run+0x129/0x1a0 kernel/task_work.c:164
tracehook_notify_resume include/linux/tracehook.h:189 [inline]
exit_to_user_mode_loop+0x106/0x130 kernel/entry/common.c:175
exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:207
__syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline]
syscall_exit_to_user_mode+0x5d/0x2b0 kernel/entry/common.c:300
do_syscall_64+0x49/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7f289a98b567
Code: ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffe15dbb638 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f289a98b567
RDX: 00007ffe15dbb70b RSI: 000000000000000a RDI: 00007ffe15dbb700
RBP: 00007ffe15dbb700 R08: 00000000ffffffff R09: 00007ffe15dbb4d0
R10: 00005555564b18b3 R11: 0000000000000246 R12: 00007f289a9e4b74
R13: 00007ffe15dbc7c0 R14: 00005555564b1810 R15: 00007ffe15dbc800
</TASK>
Modules linked in:
---[ end trace 4aa060bc7c896bac ]---
RIP: 0010:write_special_inodes fs/jfs/jfs_logmgr.c:208 [inline]
RIP: 0010:jfs_flush_journal+0x80d/0xec0 fs/jfs/jfs_logmgr.c:1581
Code: c1 fe 49 8d 5f f0 48 89 d8 48 c1 e8 03 42 80 3c 28 00 74 08 48 89 df e8 91 4b e4 fe 48 8b 1b 48 83 c3 30 48 89 d8 48 c1 e8 03 <42> 80 3c 28 00 74 08 48 89 df e8 74 4b e4 fe 48 8b 3b e8 2c ec c1
RSP: 0018:ffffc90002dcfbc0 EFLAGS: 00010206
RAX: 0000000000000006 RBX: 0000000000000030 RCX: 288cb886440c0300
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90002dcfcf0 R08: ffffffff81a7a1e6 R09: ffffc90002dcfb28
R10: 0000000000000000 R11: dffffc0000000001 R12: 1ffff920005b9f84
R13: dffffc0000000000 R14: ffff88807c202800 R15: ffff88814a755038
FS: 00005555564b0400(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f96723b9988 CR3: 00000000273f8000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: c1 fe 49 sar $0x49,%esi
3: 8d 5f f0 lea -0x10(%rdi),%ebx
6: 48 89 d8 mov %rbx,%rax
9: 48 c1 e8 03 shr $0x3,%rax
d: 42 80 3c 28 00 cmpb $0x0,(%rax,%r13,1)
12: 74 08 je 0x1c
14: 48 89 df mov %rbx,%rdi
17: e8 91 4b e4 fe callq 0xfee44bad
1c: 48 8b 1b mov (%rbx),%rbx
1f: 48 83 c3 30 add $0x30,%rbx
23: 48 89 d8 mov %rbx,%rax
26: 48 c1 e8 03 shr $0x3,%rax
* 2a: 42 80 3c 28 00 cmpb $0x0,(%rax,%r13,1) <-- trapping instruction
2f: 74 08 je 0x39
31: 48 89 df mov %rbx,%rdi
34: e8 74 4b e4 fe callq 0xfee44bad
39: 48 8b 3b mov (%rbx),%rdi
3c: e8 .byte 0xe8
3d: 2c ec sub $0xec,%al
3f: c1 .byte 0xc1


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

Mar 20, 2023, 9:13:58 AM
to syzkaller...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 7eaef76fbc46 Linux 6.1.20
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=11f16a86c80000
kernel config: https://syzkaller.appspot.com/x/.config?x=28c36fe4d02f8c88
dashboard link: https://syzkaller.appspot.com/bug?extid=94a5a34d2425f5adc55e
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/610a00ba4375/disk-7eaef76f.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/57c1310f9a30/vmlinux-7eaef76f.xz
kernel image: https://storage.googleapis.com/syzbot-assets/81999f717d3b/bzImage-7eaef76f.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+94a5a3...@syzkaller.appspotmail.com

general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
CPU: 1 PID: 3650 Comm: syz-executor.4 Not tainted 6.1.20-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
RIP: 0010:write_special_inodes fs/jfs/jfs_logmgr.c:208 [inline]
RIP: 0010:jfs_flush_journal+0x80d/0xec0 fs/jfs/jfs_logmgr.c:1573
Code: ac fe 49 8d 5f f0 48 89 d8 48 c1 e8 03 42 80 3c 28 00 74 08 48 89 df e8 b1 65 d7 fe 48 8b 1b 48 83 c3 30 48 89 d8 48 c1 e8 03 <42> 80 3c 28 00 74 08 48 89 df e8 94 65 d7 fe 48 8b 3b e8 8c e6 ac
RSP: 0018:ffffc90003d6fb20 EFLAGS: 00010206
RAX: 0000000000000006 RBX: 0000000000000030 RCX: cf2078fce37dba00
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90003d6fc58 R08: ffffffff81b643f6 R09: ffffc90003d6fa70
R10: 0000000000000000 R11: dffffc0000000001 R12: 1ffff920007adf70
R13: dffffc0000000000 R14: ffff88807d650800 R15: ffff88807e910e38
FS: 0000555556192400(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055555619b848 CR3: 00000000598fb000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
jfs_umount+0xf4/0x370 fs/jfs/jfs_umount.c:58
jfs_put_super+0x86/0x180 fs/jfs/super.c:194
generic_shutdown_super+0x130/0x340 fs/super.c:492
kill_block_super+0x7a/0xe0 fs/super.c:1441
deactivate_locked_super+0xa0/0x110 fs/super.c:332
cleanup_mnt+0x490/0x520 fs/namespace.c:1186
task_work_run+0x246/0x300 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop+0xd9/0x100 kernel/entry/common.c:171
exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:203
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x60/0x2d0 kernel/entry/common.c:296
do_syscall_64+0x49/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7faa0da8d567
Code: ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffef41d5d08 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007faa0da8d567
RDX: 00007ffef41d5dda RSI: 000000000000000a RDI: 00007ffef41d5dd0
RBP: 00007ffef41d5dd0 R08: 00000000ffffffff R09: 00007ffef41d5ba0
R10: 00005555561938b3 R11: 0000000000000246 R12: 00007faa0dae6b74
R13: 00007ffef41d6e90 R14: 0000555556193810 R15: 00007ffef41d6ed0
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:write_special_inodes fs/jfs/jfs_logmgr.c:208 [inline]
RIP: 0010:jfs_flush_journal+0x80d/0xec0 fs/jfs/jfs_logmgr.c:1573
Code: ac fe 49 8d 5f f0 48 89 d8 48 c1 e8 03 42 80 3c 28 00 74 08 48 89 df e8 b1 65 d7 fe 48 8b 1b 48 83 c3 30 48 89 d8 48 c1 e8 03 <42> 80 3c 28 00 74 08 48 89 df e8 94 65 d7 fe 48 8b 3b e8 8c e6 ac
RSP: 0018:ffffc90003d6fb20 EFLAGS: 00010206
RAX: 0000000000000006 RBX: 0000000000000030 RCX: cf2078fce37dba00
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90003d6fc58 R08: ffffffff81b643f6 R09: ffffc90003d6fa70
R10: 0000000000000000 R11: dffffc0000000001 R12: 1ffff920007adf70
R13: dffffc0000000000 R14: ffff88807d650800 R15: ffff88807e910e38
FS: 0000555556192400(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffd8fa3cff8 CR3: 00000000598fb000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: ac lods %ds:(%rsi),%al
1: fe 49 8d decb -0x73(%rcx)
4: 5f pop %rdi
5: f0 48 89 d8 lock mov %rbx,%rax
9: 48 c1 e8 03 shr $0x3,%rax
d: 42 80 3c 28 00 cmpb $0x0,(%rax,%r13,1)
12: 74 08 je 0x1c
14: 48 89 df mov %rbx,%rdi
17: e8 b1 65 d7 fe callq 0xfed765cd
1c: 48 8b 1b mov (%rbx),%rbx
1f: 48 83 c3 30 add $0x30,%rbx
23: 48 89 d8 mov %rbx,%rax
26: 48 c1 e8 03 shr $0x3,%rax
* 2a: 42 80 3c 28 00 cmpb $0x0,(%rax,%r13,1) <-- trapping instruction
2f: 74 08 je 0x39
31: 48 89 df mov %rbx,%rdi
34: e8 94 65 d7 fe callq 0xfed765cd
39: 48 8b 3b mov (%rbx),%rdi
3c: e8 .byte 0xe8
3d: 8c e6 mov %fs,%esi
3f: ac lods %ds:(%rsi),%al

syzbot

Jun 13, 2023, 12:01:10 PM
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following issue on:

HEAD commit: 2f3918bc53fb Linux 6.1.33
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=10b4dcd9280000
kernel config: https://syzkaller.appspot.com/x/.config?x=64e29382e385f1b9
dashboard link: https://syzkaller.appspot.com/bug?extid=94a5a34d2425f5adc55e
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14b90c75280000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14b3d475280000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/f180a77b248f/disk-2f3918bc.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/582d3206652e/vmlinux-2f3918bc.xz
kernel image: https://storage.googleapis.com/syzbot-assets/20934119e0f6/Image-2f3918bc.gz.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/aa7000ccad9a/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+94a5a3...@syzkaller.appspotmail.com

Unable to handle kernel paging request at virtual address dfff800000000006
KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
Mem abort info:
ESR = 0x0000000096000006
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x06: level 2 translation fault
Data abort info:
ISV = 0, ISS = 0x00000006
CM = 0, WnR = 0
[dfff800000000006] address between user and kernel address ranges
Internal error: Oops: 0000000096000006 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 4227 Comm: syz-executor143 Not tainted 6.1.33-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : write_special_inodes fs/jfs/jfs_logmgr.c:208 [inline]
pc : jfs_flush_journal+0x6a4/0xd64 fs/jfs/jfs_logmgr.c:1573
lr : write_special_inodes fs/jfs/jfs_logmgr.c:207 [inline]
lr : jfs_flush_journal+0x680/0xd64 fs/jfs/jfs_logmgr.c:1573
sp : ffff80001da276e0
x29: ffff80001da277d0 x28: dfff800000000000 x27: dfff800000000000
x26: 1fffe00018963e35 x25: 1fffe00018963e00 x24: 1fffe0001b64c4fb
x23: ffff0000c4b1f1b8 x22: 0000000000000030 x21: ffff0000c0b72238
x20: ffff0000c4b1f1a8 x19: ffff0000c4b1f000 x18: 1fffe000368b5f76
x17: ffff8000155bd000 x16: ffff800012050fc0 x15: 0000000000000000
x14: 1ffff00002ab80b0 x13: dfff800000000000 x12: 0000000000000003
x11: ff80800008741aac x10: 0000000000000000 x9 : 2ed6c0499ce06700
x8 : 0000000000000006 x7 : 0000000000000000 x6 : 0000000000000000
x5 : 0000000000000080 x4 : 0000000000000000 x3 : 0000000000000010
x2 : 0000000000000008 x1 : 0000000000000000 x0 : 0000000000000000
Call trace:
write_special_inodes fs/jfs/jfs_logmgr.c:208 [inline]
jfs_flush_journal+0x6a4/0xd64 fs/jfs/jfs_logmgr.c:1573
jfs_umount+0xf8/0x338 fs/jfs/jfs_umount.c:58
jfs_put_super+0x90/0x188 fs/jfs/super.c:194
generic_shutdown_super+0x130/0x328 fs/super.c:501
kill_block_super+0x70/0xdc fs/super.c:1450
deactivate_locked_super+0xac/0x124 fs/super.c:332
deactivate_super+0xf0/0x110 fs/super.c:363
cleanup_mnt+0x394/0x41c fs/namespace.c:1186
__cleanup_mnt+0x20/0x30 fs/namespace.c:1193
task_work_run+0x240/0x2f0 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
do_notify_resume+0x2144/0x3470 arch/arm64/kernel/signal.c:1132
prepare_exit_to_user_mode arch/arm64/kernel/entry-common.c:137 [inline]
exit_to_user_mode arch/arm64/kernel/entry-common.c:142 [inline]
el0_svc+0x9c/0x168 arch/arm64/kernel/entry-common.c:638
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:581
Code: 97bed6aa f94002c8 9100c116 d343fec8 (387c6908)
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
0: 97bed6aa bl 0xfffffffffefb5aa8
4: f94002c8 ldr x8, [x22]
8: 9100c116 add x22, x8, #0x30
c: d343fec8 lsr x8, x22, #3
* 10: 387c6908 ldrb w8, [x8, x28] <-- trapping instruction


---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
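All three reports above fault on the same instruction: the x86-64 disassembly loads a pointer (`mov (%rbx),%rbx`), adds 0x30, shifts right by 3 and probes the KASAN shadow byte at `(%rax,%r13)` with `%r13 = 0xdffffc0000000000`; the arm64 trace does the same with `ldr x8, [x22]; add x22, x8, #0x30; lsr x8, x22, #3; ldrb w8, [x8, x28]`. Because the loaded pointer was NULL, the shadow address is `(0x30 >> 3) + offset`, which is exactly the non-canonical address in the GPF line, and KASAN's report hook reverses that arithmetic to print "null-ptr-deref in range [0x30-0x37]". The C program below is an editorial example added to this thread, not syzbot output and not JFS code; it reproduces that forward and reverse computation so the fault address in a report like this can be decoded by hand. The shadow offsets (x86-64 default, and the 48-bit-VA arm64 value implied by the `dfff8000...` address), the 4 KiB page size and the x86-64 `TASK_SIZE` used for classification are assumptions taken from kernel defaults; the report itself does not state them.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Generic KASAN maps every 8 bytes of address space to one shadow byte:
 *   shadow = (addr >> KASAN_SHADOW_SCALE_SHIFT) + KASAN_SHADOW_OFFSET
 * Offsets below are assumptions: the x86-64 default, and the arm64 value
 * for a 48-bit VA layout (other arm64 layouts use a different constant). */
#define KASAN_SHADOW_SCALE_SHIFT   3
#define KASAN_GRANULE_SIZE         (1ULL << KASAN_SHADOW_SCALE_SHIFT)
#define KASAN_SHADOW_OFFSET_X86_64 0xdffffc0000000000ULL
#define KASAN_SHADOW_OFFSET_ARM64  0xdfff800000000000ULL
#define PAGE_SIZE_ASSUMED          4096ULL
#define TASK_SIZE_X86_64_ASSUMED   0x00007ffffffff000ULL

struct kasan_decode {
    bool     ok;       /* false if fault_addr is not inside the shadow region */
    uint64_t addr_lo;  /* first address covered by the faulting shadow byte */
    uint64_t addr_hi;  /* last address covered by the faulting shadow byte */
};

/* Forward direction: the address the instrumented load computes before the
 * cmpb/ldrb on the shadow byte. Mirrors the trapping sequence
 *   mov (%rbx),%rbx ; add $0x30,%rbx ; shr $3,%rax ; cmpb $0,(%rax,%r13) */
uint64_t kasan_shadow_addr(uint64_t ptr, uint64_t field_off, uint64_t shadow_offset)
{
    return ((ptr + field_off) >> KASAN_SHADOW_SCALE_SHIFT) + shadow_offset;
}

/* Reverse direction: recover the accessed 8-byte range from the non-canonical
 * address printed in the "general protection fault" / "Unable to handle kernel
 * paging request" line. The shadow index is 61 bits wide, so shifting it back
 * by 3 restores the full 64-bit original address. */
struct kasan_decode kasan_decode_fault(uint64_t fault_addr, uint64_t shadow_offset)
{
    struct kasan_decode d = { .ok = false, .addr_lo = 0, .addr_hi = 0 };
    if (fault_addr < shadow_offset ||
        fault_addr - shadow_offset >= (1ULL << (64 - KASAN_SHADOW_SCALE_SHIFT)))
        return d;
    uint64_t index = fault_addr - shadow_offset;
    d.ok = true;
    d.addr_lo = index << KASAN_SHADOW_SCALE_SHIFT;
    d.addr_hi = d.addr_lo + KASAN_GRANULE_SIZE - 1;
    return d;
}

/* Same classification KASAN applies to a decoded address: below one page is a
 * NULL pointer plus a small struct-field offset, below TASK_SIZE is a user
 * pointer, anything else is a wild pointer. */
const char *kasan_classify(const struct kasan_decode *d, uint64_t task_size)
{
    if (!d->ok)
        return "not-a-shadow-address";
    if (d->addr_lo < PAGE_SIZE_ASSUMED)
        return "null-ptr-deref";
    if (d->addr_lo < task_size)
        return "user-memory-access";
    return "maybe wild-memory-access";
}

int main(void)
{
    /* Fault addresses copied from the three reports in this thread. */
    const struct { const char *arch; uint64_t fault; uint64_t off; } reports[] = {
        { "x86-64 5.15.102", 0xdffffc0000000006ULL, KASAN_SHADOW_OFFSET_X86_64 },
        { "x86-64 6.1.20",   0xdffffc0000000006ULL, KASAN_SHADOW_OFFSET_X86_64 },
        { "arm64 6.1.33",    0xdfff800000000006ULL, KASAN_SHADOW_OFFSET_ARM64  },
    };
    for (size_t i = 0; i < sizeof reports / sizeof reports[0]; i++) {
        struct kasan_decode d = kasan_decode_fault(reports[i].fault, reports[i].off);
        printf("%-16s fault %#018llx -> KASAN: %s in range [%#018llx-%#018llx]\n",
               reports[i].arch, (unsigned long long)reports[i].fault,
               kasan_classify(&d, TASK_SIZE_X86_64_ASSUMED),
               (unsigned long long)d.addr_lo, (unsigned long long)d.addr_hi);
    }
    /* Forward check: NULL base plus the 0x30 field offset from the disassembly
     * lands on exactly the shadow address the x86-64 reports faulted on. */
    printf("NULL + 0x30 -> shadow %#018llx\n",
           (unsigned long long)kasan_shadow_addr(0, 0x30, KASAN_SHADOW_OFFSET_X86_64));
    return 0;
}
```

The decode only tells you that a pointer loaded from memory was NULL and that a field at offset 0x30 of it was read; which field that is, and why the pointer was NULL at unmount time, has to come from fs/jfs/jfs_logmgr.c at the cited line 208, which the reports reference by number only.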