[v5.15] BUG: unable to handle kernel paging request in hfs_find_init


syzbot
Apr 5, 2023, 4:29:46 AM
to syzkaller...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: c957cbb87315 Linux 5.15.105
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=12c49865c80000
kernel config: https://syzkaller.appspot.com/x/.config?x=852dc3de44ba1f3f
dashboard link: https://syzkaller.appspot.com/bug?extid=f0a7f52364cc475f0297
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: arm64

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/91d0cf1fc5fb/disk-c957cbb8.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/346dc1169521/vmlinux-c957cbb8.xz
kernel image: https://storage.googleapis.com/syzbot-assets/f7005bdc0e20/Image-c957cbb8.gz.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+f0a7f5...@syzkaller.appspotmail.com

Unable to handle kernel paging request at virtual address dfff800000000008
Mem abort info:
ESR = 0x0000000096000006
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x06: level 2 translation fault
Data abort info:
ISV = 0, ISS = 0x00000006
CM = 0, WnR = 0
[dfff800000000008] address between user and kernel address ranges
Internal error: Oops: 96000006 [#1] PREEMPT SMP
Modules linked in:
CPU: 1 PID: 7938 Comm: syz-executor.3 Not tainted 5.15.105-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : hfs_find_init+0x6c/0x1c8 fs/hfs/bfind.c:21
lr : hfs_find_init+0x30/0x1c8 fs/hfs/bfind.c:16
sp : ffff800020a270b0
x29: ffff800020a270b0 x28: dfff800000000000 x27: 0000000000000000
x26: ffff0001285e2880 x25: 0000000000000008 x24: dfff800000000000
x23: ffff700004144e2c x22: ffff800020a27198 x21: 0000000000000040
x20: ffff800020a27180 x19: 0000000000000000 x18: ffff800020a26c00
x17: ff808000088961d4 x16: ffff80000824bf58 x15: ffff8000088961d4
x14: 00000000148ac949 x13: ffffffffffffffff x12: 0000000000040000
x11: 00000000000111f9 x10: ffff80002026c000 x9 : ffff800008fbe268
x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000
x5 : ffff8000176dac38 x4 : 0000000000000000 x3 : 0000000000000030
x2 : 0000000000000008 x1 : ffff800020a27180 x0 : ffff800020a27190
Call trace:
hfs_find_init+0x6c/0x1c8 fs/hfs/bfind.c:21
hfs_ext_read_extent fs/hfs/extent.c:200 [inline]
hfs_get_block+0x290/0x9fc fs/hfs/extent.c:366
block_read_full_page+0x2a0/0xc4c fs/buffer.c:2290
hfs_readpage+0x28/0x38 fs/hfs/inode.c:39
do_read_cache_page+0x60c/0x950
read_cache_page+0x68/0x84 mm/filemap.c:3565
read_mapping_page include/linux/pagemap.h:515 [inline]
hfs_btree_open+0x420/0xe50 fs/hfs/btree.c:78
hfs_mdb_get+0x10ec/0x1c4c fs/hfs/mdb.c:199
hfs_fill_super+0xd64/0x13b4 fs/hfs/super.c:406
mount_bdev+0x26c/0x368 fs/super.c:1378
hfs_mount+0x44/0x58 fs/hfs/super.c:456
legacy_get_tree+0xd4/0x16c fs/fs_context.c:610
vfs_get_tree+0x90/0x274 fs/super.c:1508
do_new_mount+0x25c/0x8c8 fs/namespace.c:2994
path_mount+0x590/0x104c fs/namespace.c:3324
do_mount fs/namespace.c:3337 [inline]
__do_sys_mount fs/namespace.c:3545 [inline]
__se_sys_mount fs/namespace.c:3522 [inline]
__arm64_sys_mount+0x510/0x5e0 fs/namespace.c:3522
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:596
el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:614
el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584
Code: 97e41464 91010275 f90002df d343feb9 (38f86b28)
---[ end trace 2d837655d7c46ae3 ]---
----------------
Code disassembly (best guess):
0: 97e41464 bl 0xffffffffff905190
4: 91010275 add x21, x19, #0x40
8: f90002df str xzr, [x22]
c: d343feb9 lsr x25, x21, #3
* 10: 38f86b28 ldrsb w8, [x25, x24] <-- trapping instruction


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot
Jun 17, 2023, 3:11:00 PM
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following issue on:

HEAD commit: 471e639e59d1 Linux 5.15.117
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=129689bb280000
kernel config: https://syzkaller.appspot.com/x/.config?x=eeb4064efec7aa39
dashboard link: https://syzkaller.appspot.com/bug?extid=f0a7f52364cc475f0297
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=116c25ef280000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1398ba5b280000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/2e7359ecba67/disk-471e639e.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/ef6d17e44bc3/vmlinux-471e639e.xz
kernel image: https://storage.googleapis.com/syzbot-assets/99b68dbd7e00/Image-471e639e.gz.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/ec03435eb4f6/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+f0a7f5...@syzkaller.appspotmail.com

loop0: detected capacity change from 0 to 64
Unable to handle kernel paging request at virtual address dfff800000000008
Mem abort info:
ESR = 0x0000000096000006
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x06: level 2 translation fault
Data abort info:
ISV = 0, ISS = 0x00000006
CM = 0, WnR = 0
[dfff800000000008] address between user and kernel address ranges
Internal error: Oops: 96000006 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 3961 Comm: syz-executor304 Not tainted 5.15.117-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : hfs_find_init+0x6c/0x1c8 fs/hfs/bfind.c:21
lr : hfs_find_init+0x30/0x1c8 fs/hfs/bfind.c:16
sp : ffff80001a127090
x29: ffff80001a127090 x28: dfff800000000000 x27: 0000000000000000
x26: ffff0000c9278180 x25: 0000000000000008 x24: dfff800000000000
x23: ffff700003424e28 x22: ffff80001a127178 x21: 0000000000000040
x20: ffff80001a127160 x19: 0000000000000000 x18: ffff80001a126be0
x17: ff8080000889a8ac x16: ffff80000824cbf4 x15: 000000000000b720
x14: 0000000089aedbc0 x13: ffffffffffffffff x12: 0000000000000000
x11: ff80800008fc2978 x10: 0000000000000000 x9 : ffff800008fc2978
x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000
x5 : ffff8000175679b8 x4 : 0000000000000000 x3 : 0000000000000030
x2 : 0000000000000008 x1 : ffff80001a127160 x0 : ffff80001a127170
Call trace:
hfs_find_init+0x6c/0x1c8 fs/hfs/bfind.c:21
hfs_ext_read_extent fs/hfs/extent.c:200 [inline]
hfs_get_block+0x290/0x9fc fs/hfs/extent.c:366
block_read_full_page+0x2a0/0xc4c fs/buffer.c:2290
hfs_readpage+0x28/0x38 fs/hfs/inode.c:39
do_read_cache_page+0x60c/0x950
read_cache_page+0x68/0x84 mm/filemap.c:3565
read_mapping_page include/linux/pagemap.h:515 [inline]
hfs_btree_open+0x420/0xe50 fs/hfs/btree.c:78
hfs_mdb_get+0x10ec/0x1c4c fs/hfs/mdb.c:199
hfs_fill_super+0xd64/0x13b4 fs/hfs/super.c:406
mount_bdev+0x274/0x370 fs/super.c:1378
hfs_mount+0x44/0x58 fs/hfs/super.c:456
legacy_get_tree+0xd4/0x16c fs/fs_context.c:610
vfs_get_tree+0x90/0x274 fs/super.c:1508
do_new_mount+0x25c/0x8c4 fs/namespace.c:2994
path_mount+0x590/0x104c fs/namespace.c:3324
do_mount fs/namespace.c:3337 [inline]
__do_sys_mount fs/namespace.c:3545 [inline]
__se_sys_mount fs/namespace.c:3522 [inline]
__arm64_sys_mount+0x510/0x5e0 fs/namespace.c:3522
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:596
el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:614
el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584
Code: 97e41456 91010275 f90002df d343feb9 (38f86b28)
---[ end trace 482a6d3f9725e994 ]---
----------------
Code disassembly (best guess):
0: 97e41456 bl 0xffffffffff905158
4: 91010275 add x21, x19, #0x40
8: f90002df str xzr, [x22]
c: d343feb9 lsr x25, x21, #3
* 10: 38f86b28 ldrsb w8, [x25, x24] <-- trapping instruction


---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
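Editor's note on reading the two oopses above (this note and the program below are an added example, not part of the syzbot report or of the hfs code). The faulting virtual address dfff800000000008 is not the pointer the kernel dereferenced; it is the KASAN shadow byte for that pointer. The register dump shows x19 = 0 (the btree pointer passed to hfs_find_init) and x21 = 0x40, and the "Code disassembly" block shows the compiler-inserted check: add x21, x19, #0x40; lsr x25, x21, #3; ldrsb w8, [x25, x24], with x24 = x28 = dfff800000000000 (the KASAN shadow offset). So the real access is to offset 0x40 of a NULL struct hfs_btree, i.e. a NULL-pointer dereference while hfs_btree_open is reading its own header node and hfs_get_block falls through to hfs_ext_read_extent, which needs an extents-tree lookup through a tree pointer that does not exist yet. The "address between user and kernel address ranges" line is the consequence: the shadow region that would cover user-space addresses is never mapped on arm64. The program reverses that mapping and replays the trapping sequence so the reading can be checked against the reported fault VA; it assumes generic (software) KASAN with an 8-byte granule and the 48-bit VA layout of the syzbot arm64 config (both are assumptions; the linked .config confirms them for a given report).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constants read off the register dump: x24 and x28 hold the KASAN shadow
 * offset. Generic (software) KASAN maps
 *     shadow(addr) = (addr >> 3) + KASAN_SHADOW_OFFSET
 * with one shadow byte per 8-byte granule. USER_VA_BITS assumes the 48-bit
 * VA layout of the syzbot arm64 kernel config (assumption, see lead-in).
 */
#define KASAN_SHADOW_OFFSET      0xdfff800000000000ULL
#define KASAN_SHADOW_SCALE_SHIFT 3
#define USER_VA_BITS             48

/* Reverse the shadow mapping: which address was the instrumentation checking? */
static uint64_t kasan_shadow_to_addr(uint64_t shadow)
{
    return (shadow - KASAN_SHADOW_OFFSET) << KASAN_SHADOW_SCALE_SHIFT;
}

/*
 * Does the fault address fall in the slice of the shadow region that covers
 * user-space addresses [0, 1 << USER_VA_BITS)? That slice is never mapped on
 * arm64, which is why the oops reports the VA as "between user and kernel
 * address ranges": inline KASAN checked an address below the kernel range.
 */
static bool is_shadow_of_user_addr(uint64_t fault_va)
{
    uint64_t lo = KASAN_SHADOW_OFFSET;
    uint64_t hi = KASAN_SHADOW_OFFSET +
                  ((1ULL << USER_VA_BITS) >> KASAN_SHADOW_SCALE_SHIFT);
    return fault_va >= lo && fault_va < hi;
}

/*
 * Replay the trapping sequence from the "Code disassembly" block:
 *     add   x21, x19, #0x40     ; field address = tree + 0x40
 *     lsr   x25, x21, #3        ; shadow index
 *     ldrsb w8, [x25, x24]      ; load the shadow byte (x24 = shadow offset)
 * Returns the data address ldrsb touches, for comparison with the
 * "Unable to handle kernel paging request at virtual address" line.
 */
static uint64_t replay_trap(uint64_t x19, uint64_t x24)
{
    uint64_t x21 = x19 + 0x40;
    uint64_t x25 = x21 >> KASAN_SHADOW_SCALE_SHIFT;
    return x25 + x24;
}

/* A small-offset access through a NULL base lands in the zero page. */
static bool is_null_deref(uint64_t addr)
{
    return addr < 4096;
}

int main(void)
{
    const uint64_t fault_va = 0xdfff800000000008ULL;       /* from the oops */
    const uint64_t x19 = 0, x24 = KASAN_SHADOW_OFFSET;     /* from the dump */

    uint64_t replayed = replay_trap(x19, x24);
    uint64_t addr = kasan_shadow_to_addr(fault_va);

    printf("replayed ldrsb address : 0x%016llx (%s the reported fault VA)\n",
           (unsigned long long)replayed,
           replayed == fault_va ? "matches" : "differs from");
    printf("shadow of user address : %s\n",
           is_shadow_of_user_addr(fault_va) ? "yes" : "no");
    printf("checked address        : 0x%llx -> %s\n",
           (unsigned long long)addr,
           is_null_deref(addr) ? "NULL base pointer, field at offset 0x40"
                               : "non-NULL base pointer");
    return replayed == fault_va ? 0 : 1;
}
```

The same decode applies to any inline-KASAN oops on arm64 where the fault VA starts with dfff8: subtract the shadow offset, shift left by 3, and you have the address the instrumented load or store was about to touch; a result below PAGE_SIZE is a NULL dereference with the field offset recoverable from the low bits. With the C reproducer and the mounted image linked in the second message, a candidate fix can be checked against this exact trace with the "#syz test:" command the bot describes.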