general protection fault in kmem_cache_free
17 views
Skip to first unread message
syzbot
Sep 1, 2020, 3:29:21 PM9/1/20
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: d7e78d08 Linux 4.14.195
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=121292f5900000
kernel config: https://syzkaller.appspot.com/x/.config?x=6608b656f49b4e8c
dashboard link: https://syzkaller.appspot.com/bug?extid=34def952a19f0cae39dd
compiler: gcc (GCC) 10.1.0-syz 20200507
Unfortunately, I don't have any reproducer for this issue yet.
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+34def9...@syzkaller.appspotmail.com
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 1 PID: 23483 Comm: syz-executor.0 Not tainted 4.14.195-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff88805a5426c0 task.stack: ffff8881fa708000
RIP: 0010:__read_once_size include/linux/compiler.h:183 [inline]
RIP: 0010:kasan_slab_free+0x34/0x1a0 mm/kasan/kasan.c:512
RSP: 0018:ffff8881fa70fb78 EFLAGS: 00010096
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: dffffc0000000000
RDX: 0000000000000004 RSI: 0000000000000000 RDI: dffffc0000000000
RBP: ffff8881fa70fda8 R08: 1ffff1101160cb1b R09: 0000000000000000
R10: 0000000000000000 R11: ffff88805a5426c0 R12: ffff8880aa50b380
R13: 0000000000000000 R14: ffffffff84e70bd0 R15: ffff88809b604cd0
FS: 00007f254dae3700(0000) GS:ffff8880aeb00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055daacdd3438 CR3: 0000000064c1a000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
__cache_free mm/slab.c:3496 [inline]
kmem_cache_free+0x7c/0x2b0 mm/slab.c:3758
security_file_free+0x42/0x80 security/security.c:879
__fput+0x26c/0x7a0 fs/file_table.c:211
task_work_run+0x11f/0x190 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:191 [inline]
exit_to_usermode_loop+0x1ad/0x200 arch/x86/entry/common.c:164
prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
do_syscall_64+0x4a3/0x640 arch/x86/entry/common.c:297
entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x45d5b9
RSP: 002b:00007f254dae2c78 EFLAGS: 00000246 ORIG_RAX: 00000000000000e9
RAX: 0000000000000000 RBX: 0000000000002ac0 RCX: 000000000045d5b9
RDX: 0000000000000004 RSI: 0000000000000001 RDI: 0000000000000005
RBP: 000000000118cf88 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000020000040 R11: 0000000000000246 R12: 000000000118cf4c
R13: 00007fffac1133ef R14: 00007f254dae39c0 R15: 000000000118cf4c
Code: 00 48 b9 00 00 00 00 00 fc ff df 55 48 89 e5 41 55 49 89 f5 41 54 49 89 fc 48 89 f7 48 c1 ef 03 53 48 01 cf 48 81 ec 18 02 00 00 <0f> b6 07 3c 07 0f 87 20 01 00 00 49 63 44 24 74 48 83 e8 01 48
RIP: __read_once_size include/linux/compiler.h:183 [inline] RSP: ffff8881fa70fb78
RIP: kasan_slab_free+0x34/0x1a0 mm/kasan/kasan.c:512 RSP: ffff8881fa70fb78
---[ end trace f15d21fbbab9963a ]---
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot found the following issue on:
HEAD commit: d7e78d08 Linux 4.14.195
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=121292f5900000
kernel config: https://syzkaller.appspot.com/x/.config?x=6608b656f49b4e8c
dashboard link: https://syzkaller.appspot.com/bug?extid=34def952a19f0cae39dd
compiler: gcc (GCC) 10.1.0-syz 20200507
Unfortunately, I don't have any reproducer for this issue yet.
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+34def9...@syzkaller.appspotmail.com
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 1 PID: 23483 Comm: syz-executor.0 Not tainted 4.14.195-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff88805a5426c0 task.stack: ffff8881fa708000
RIP: 0010:__read_once_size include/linux/compiler.h:183 [inline]
RIP: 0010:kasan_slab_free+0x34/0x1a0 mm/kasan/kasan.c:512
RSP: 0018:ffff8881fa70fb78 EFLAGS: 00010096
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: dffffc0000000000
RDX: 0000000000000004 RSI: 0000000000000000 RDI: dffffc0000000000
RBP: ffff8881fa70fda8 R08: 1ffff1101160cb1b R09: 0000000000000000
R10: 0000000000000000 R11: ffff88805a5426c0 R12: ffff8880aa50b380
R13: 0000000000000000 R14: ffffffff84e70bd0 R15: ffff88809b604cd0
FS: 00007f254dae3700(0000) GS:ffff8880aeb00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055daacdd3438 CR3: 0000000064c1a000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
__cache_free mm/slab.c:3496 [inline]
kmem_cache_free+0x7c/0x2b0 mm/slab.c:3758
security_file_free+0x42/0x80 security/security.c:879
__fput+0x26c/0x7a0 fs/file_table.c:211
task_work_run+0x11f/0x190 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:191 [inline]
exit_to_usermode_loop+0x1ad/0x200 arch/x86/entry/common.c:164
prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
do_syscall_64+0x4a3/0x640 arch/x86/entry/common.c:297
entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x45d5b9
RSP: 002b:00007f254dae2c78 EFLAGS: 00000246 ORIG_RAX: 00000000000000e9
RAX: 0000000000000000 RBX: 0000000000002ac0 RCX: 000000000045d5b9
RDX: 0000000000000004 RSI: 0000000000000001 RDI: 0000000000000005
RBP: 000000000118cf88 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000020000040 R11: 0000000000000246 R12: 000000000118cf4c
R13: 00007fffac1133ef R14: 00007f254dae39c0 R15: 000000000118cf4c
Code: 00 48 b9 00 00 00 00 00 fc ff df 55 48 89 e5 41 55 49 89 f5 41 54 49 89 fc 48 89 f7 48 c1 ef 03 53 48 01 cf 48 81 ec 18 02 00 00 <0f> b6 07 3c 07 0f 87 20 01 00 00 49 63 44 24 74 48 83 e8 01 48
RIP: __read_once_size include/linux/compiler.h:183 [inline] RSP: ffff8881fa70fb78
RIP: kasan_slab_free+0x34/0x1a0 mm/kasan/kasan.c:512 RSP: ffff8881fa70fb78
---[ end trace f15d21fbbab9963a ]---
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot
Sep 1, 2020, 4:55:16 PM9/1/20
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following issue on:
HEAD commit: d7e78d08 Linux 4.14.195
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=159e7656900000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+34def9...@syzkaller.appspotmail.com
batman_adv: batadv0: Interface activated: batadv_slave_1
IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
R10: 0000000000000000 R11: ffff88808bf7c480 R12: ffff8880aa50b380
R13: 0000000000000000 R14: ffffffff84e70bd0 R15: ffff88809694e350
FS: 00000000023b4940(0000) GS:ffff8880aea00000(0000) knlGS:0000000000000000
RSP: 002b:00007ffd4f9bc340 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000004 RCX: 0000000000416f01
RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000001190358 R09: 0000000000000000
R10: 00007ffd4f9bc420 R11: 0000000000000293 R12: 0000000001190360
R13: 0000000000000000 R14: ffffffffffffffff R15: 000000000118cf4c
RIP: kasan_slab_free+0x34/0x1a0 mm/kasan/kasan.c:512 RSP: ffff8880947c7b78
---[ end trace b202e4c77fee0b55 ]---
HEAD commit: d7e78d08 Linux 4.14.195
git tree: linux-4.14.y
kernel config: https://syzkaller.appspot.com/x/.config?x=6608b656f49b4e8c
dashboard link: https://syzkaller.appspot.com/bug?extid=34def952a19f0cae39dd
compiler: gcc (GCC) 10.1.0-syz 20200507
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1173fa1e900000
dashboard link: https://syzkaller.appspot.com/bug?extid=34def952a19f0cae39dd
compiler: gcc (GCC) 10.1.0-syz 20200507
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+34def9...@syzkaller.appspotmail.com
IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 0 PID: 6630 Comm: syz-executor.0 Not tainted 4.14.195-syzkaller #0
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff88808bf7c480 task.stack: ffff8880947c0000
RIP: 0010:__read_once_size include/linux/compiler.h:183 [inline]
RIP: 0010:kasan_slab_free+0x34/0x1a0 mm/kasan/kasan.c:512
RSP: 0018:ffff8880947c7b78 EFLAGS: 00010096
RIP: 0010:kasan_slab_free+0x34/0x1a0 mm/kasan/kasan.c:512
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: dffffc0000000000
RDX: 0000000000000004 RSI: 0000000000000000 RDI: dffffc0000000000
RBP: ffff8880947c7da8 R08: ffffffff8a083a68 R09: 0000000000000000
RDX: 0000000000000004 RSI: 0000000000000000 RDI: dffffc0000000000
R10: 0000000000000000 R11: ffff88808bf7c480 R12: ffff8880aa50b380
R13: 0000000000000000 R14: ffffffff84e70bd0 R15: ffff88809694e350
FS: 00000000023b4940(0000) GS:ffff8880aea00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005648d41e7010 CR3: 0000000090394000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
__cache_free mm/slab.c:3496 [inline]
kmem_cache_free+0x7c/0x2b0 mm/slab.c:3758
security_file_free+0x42/0x80 security/security.c:879
__fput+0x26c/0x7a0 fs/file_table.c:211
task_work_run+0x11f/0x190 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:191 [inline]
exit_to_usermode_loop+0x1ad/0x200 arch/x86/entry/common.c:164
prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
do_syscall_64+0x4a3/0x640 arch/x86/entry/common.c:297
entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x416f01
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
__cache_free mm/slab.c:3496 [inline]
kmem_cache_free+0x7c/0x2b0 mm/slab.c:3758
security_file_free+0x42/0x80 security/security.c:879
__fput+0x26c/0x7a0 fs/file_table.c:211
task_work_run+0x11f/0x190 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:191 [inline]
exit_to_usermode_loop+0x1ad/0x200 arch/x86/entry/common.c:164
prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
do_syscall_64+0x4a3/0x640 arch/x86/entry/common.c:297
entry_SYSCALL_64_after_hwframe+0x46/0xbb
RSP: 002b:00007ffd4f9bc340 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000004 RCX: 0000000000416f01
RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000001190358 R09: 0000000000000000
R10: 00007ffd4f9bc420 R11: 0000000000000293 R12: 0000000001190360
R13: 0000000000000000 R14: ffffffffffffffff R15: 000000000118cf4c
Code: 00 48 b9 00 00 00 00 00 fc ff df 55 48 89 e5 41 55 49 89 f5 41 54 49 89 fc 48 89 f7 48 c1 ef 03 53 48 01 cf 48 81 ec 18 02 00 00 <0f> b6 07 3c 07 0f 87 20 01 00 00 49 63 44 24 74 48 83 e8 01 48
RIP: __read_once_size include/linux/compiler.h:183 [inline] RSP: ffff8880947c7b78
RIP: kasan_slab_free+0x34/0x1a0 mm/kasan/kasan.c:512 RSP: ffff8880947c7b78
---[ end trace b202e4c77fee0b55 ]---
syzbot
Oct 2, 2020, 7:10:10 PM10/2/20
to syzkaller...@googlegroups.com
syzbot suspects this issue was fixed by commit:
commit c5c6e00f6cc5d3ed0d6464b14e33f2f5c8505888
Author: Al Viro <vi...@zeniv.linux.org.uk>
Date: Wed Sep 2 15:30:48 2020 +0000
fix regression in "epoll: Keep a reference on files added to the check list"
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=12679c93900000
start commit: d7e78d08 Linux 4.14.195
git tree: linux-4.14.y
If the result looks correct, please mark the issue as fixed by replying with:
#syz fix: fix regression in "epoll: Keep a reference on files added to the check list"
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
commit c5c6e00f6cc5d3ed0d6464b14e33f2f5c8505888
Author: Al Viro <vi...@zeniv.linux.org.uk>
Date: Wed Sep 2 15:30:48 2020 +0000
fix regression in "epoll: Keep a reference on files added to the check list"
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=12679c93900000
start commit: d7e78d08 Linux 4.14.195
git tree: linux-4.14.y
kernel config: https://syzkaller.appspot.com/x/.config?x=6608b656f49b4e8c
dashboard link: https://syzkaller.appspot.com/bug?extid=34def952a19f0cae39dd
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10f88279900000
dashboard link: https://syzkaller.appspot.com/bug?extid=34def952a19f0cae39dd
If the result looks correct, please mark the issue as fixed by replying with:
#syz fix: fix regression in "epoll: Keep a reference on files added to the check list"
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
Reply all
Reply to author
Forward
0 new messages