general protection fault in copy_user_enhanced_fast_string
34 views
Skip to first unread message
syzbot
Apr 21, 2019, 8:27:06 PM4/21/19
to syzkaller...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: 68d7a45e Linux 4.14.113
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=10b60dc4a00000
kernel config: https://syzkaller.appspot.com/x/.config?x=dbf1fde4d7489e1c
dashboard link: https://syzkaller.appspot.com/bug?extid=10394ef0da92980f226c
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+10394e...@syzkaller.appspotmail.com
__do_huge_pmd_anonymous_page mm/huge_memory.c:565 [inline]
do_huge_pmd_anonymous_page+0x582/0x1470 mm/huge_memory.c:729
kasan: GPF could be caused by NULL-ptr deref or user memory access
create_huge_pmd mm/memory.c:3875 [inline]
__handle_mm_fault+0x22c4/0x3470 mm/memory.c:4078
handle_mm_fault+0x293/0x7c0 mm/memory.c:4144
__do_page_fault+0x4c1/0xb80 arch/x86/mm/fault.c:1425
general protection fault: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
do_page_fault+0x71/0x515 arch/x86/mm/fault.c:1500
page_fault+0x25/0x50 arch/x86/entry/entry_64.S:1104
CPU: 1 PID: 14675 Comm: syz-executor.5 Not tainted 4.14.113 #3
RIP: 0010:copy_user_enhanced_fast_string+0xe/0x20
arch/x86/lib/copy_user_64.S:181
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RSP: 0018:ffff8880601c7b58 EFLAGS: 00010206
task: ffff888095d5e140 task.stack: ffff88805f880000
RIP: 0010:__rb_erase_augmented include/linux/rbtree_augmented.h:167 [inline]
RIP: 0010:rb_erase+0x29/0x1c10 lib/rbtree.c:459
RAX: 0000000000000000 RBX: 0000000000000100 RCX: 0000000000000100
RSP: 0018:ffff88805f8879d0 EFLAGS: 00010282
RDX: 0000000000000100 RSI: ffff88805b6c28c0 RDI: 0000000020e3e000
RBP: ffff8880601c7b88 R08: ffffed100b6d8538 R09: 0000000000000000
RAX: dffffc0000000000 RBX: ffff8880946aa7b0 RCX: ffffc90005e3d000
R10: ffffed100b6d8537 R11: ffff88805b6c29bf R12: 0000000020e3e000
RDX: 0000000000000001 RSI: ffffffff892478c0 RDI: 0000000000000008
R13: ffff88805b6c28c0 R14: 00007ffffffff000 R15: 0000000020e3e100
RBP: ffff88805f887a18 R08: 0000000000003bf8 R09: ffffffff88c97380
R10: ffff888095d5e9e8 R11: ffff888095d5e140 R12: 0000000000000000
copy_to_user include/linux/uaccess.h:155 [inline]
pagemap_read+0x425/0x520 fs/proc/task_mmu.c:1544
R13: ffff888094634430 R14: 0000000000000000 R15: ffffffff867a2600
FS: 00007fde2001a700(0000) GS:ffff8880aef00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f313f1ecdb8 CR3: 0000000090d5f000 CR4: 00000000001426e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
__vfs_read+0x107/0x6b0 fs/read_write.c:411
integrity_inode_free+0x126/0x320 security/integrity/iint.c:146
security_inode_free+0x19/0x90 security/security.c:443
__destroy_inode+0x1ef/0x4e0 fs/inode.c:237
destroy_inode+0x50/0x130 fs/inode.c:264
evict+0x3e9/0x630 fs/inode.c:571
iput_final fs/inode.c:1516 [inline]
iput fs/inode.c:1543 [inline]
iput+0x476/0x900 fs/inode.c:1528
swap_inode_boot_loader fs/ext4/ioctl.c:197 [inline]
ext4_ioctl+0x16bb/0x39b0 fs/ext4/ioctl.c:883
vfs_read+0x137/0x350 fs/read_write.c:447
SYSC_pread64 fs/read_write.c:611 [inline]
SyS_pread64+0x115/0x140 fs/read_write.c:598
do_syscall_64+0x1eb/0x630 arch/x86/entry/common.c:289
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:500 [inline]
do_vfs_ioctl+0x7b9/0x1070 fs/ioctl.c:684
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x458c29
RSP: 002b:00007fec2eb7ec78 EFLAGS: 00000246 ORIG_RAX: 0000000000000011
RAX: ffffffffffffffda RBX: 00007fec2eb7ec90 RCX: 0000000000458c29
RDX: 000000000000ffd8 RSI: 0000000020e3e000 RDI: 0000000000000004
RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
SYSC_ioctl fs/ioctl.c:701 [inline]
SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
R10: 0000000000103f00 R11: 0000000000000246 R12: 00007fec2eb7f6d4
R13: 00000000004c5961 R14: 00000000004d9cb0 R15: 0000000000000005
do_syscall_64+0x1eb/0x630 arch/x86/entry/common.c:289
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x458c29
RSP: 002b:00007fde20019c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 0000000000458c29
RDX: 0000000000000000 RSI: 0000000000006611 RDI: 0000000000000004
RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fde2001a6d4
R13: 00000000004c0e5f R14: 00000000004d3410 R15: 00000000ffffffff
Code: 00 00 48 b8 00 00 00 00 00 fc ff df 55 48 89 e5 41 57 41 56 49 89 fe
48 83 c7 08 48 89 fa 41 55 48 c1 ea 03 41 54 53 48 83 ec 20 <80> 3c 02 00
0f 85 0c 11 00 00 49 8d 7e 10 4d 8b 7e 08 48 b8 00
RIP: __rb_erase_augmented include/linux/rbtree_augmented.h:167 [inline]
RSP: ffff88805f8879d0
RIP: rb_erase+0x29/0x1c10 lib/rbtree.c:459 RSP: ffff88805f8879d0
net_ratelimit: 14 callbacks suppressed
protocol 88fb is buggy, dev hsr_slave_0
protocol 88fb is buggy, dev hsr_slave_0
protocol 88fb is buggy, dev hsr_slave_1
protocol 88fb is buggy, dev hsr_slave_1
---[ end trace 729bd53dfa1f9ba9 ]---
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot found the following crash on:
HEAD commit: 68d7a45e Linux 4.14.113
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=10b60dc4a00000
kernel config: https://syzkaller.appspot.com/x/.config?x=dbf1fde4d7489e1c
dashboard link: https://syzkaller.appspot.com/bug?extid=10394ef0da92980f226c
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+10394e...@syzkaller.appspotmail.com
__do_huge_pmd_anonymous_page mm/huge_memory.c:565 [inline]
do_huge_pmd_anonymous_page+0x582/0x1470 mm/huge_memory.c:729
kasan: GPF could be caused by NULL-ptr deref or user memory access
create_huge_pmd mm/memory.c:3875 [inline]
__handle_mm_fault+0x22c4/0x3470 mm/memory.c:4078
handle_mm_fault+0x293/0x7c0 mm/memory.c:4144
__do_page_fault+0x4c1/0xb80 arch/x86/mm/fault.c:1425
general protection fault: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
do_page_fault+0x71/0x515 arch/x86/mm/fault.c:1500
page_fault+0x25/0x50 arch/x86/entry/entry_64.S:1104
CPU: 1 PID: 14675 Comm: syz-executor.5 Not tainted 4.14.113 #3
RIP: 0010:copy_user_enhanced_fast_string+0xe/0x20
arch/x86/lib/copy_user_64.S:181
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RSP: 0018:ffff8880601c7b58 EFLAGS: 00010206
task: ffff888095d5e140 task.stack: ffff88805f880000
RIP: 0010:__rb_erase_augmented include/linux/rbtree_augmented.h:167 [inline]
RIP: 0010:rb_erase+0x29/0x1c10 lib/rbtree.c:459
RAX: 0000000000000000 RBX: 0000000000000100 RCX: 0000000000000100
RSP: 0018:ffff88805f8879d0 EFLAGS: 00010282
RDX: 0000000000000100 RSI: ffff88805b6c28c0 RDI: 0000000020e3e000
RBP: ffff8880601c7b88 R08: ffffed100b6d8538 R09: 0000000000000000
RAX: dffffc0000000000 RBX: ffff8880946aa7b0 RCX: ffffc90005e3d000
R10: ffffed100b6d8537 R11: ffff88805b6c29bf R12: 0000000020e3e000
RDX: 0000000000000001 RSI: ffffffff892478c0 RDI: 0000000000000008
R13: ffff88805b6c28c0 R14: 00007ffffffff000 R15: 0000000020e3e100
RBP: ffff88805f887a18 R08: 0000000000003bf8 R09: ffffffff88c97380
R10: ffff888095d5e9e8 R11: ffff888095d5e140 R12: 0000000000000000
copy_to_user include/linux/uaccess.h:155 [inline]
pagemap_read+0x425/0x520 fs/proc/task_mmu.c:1544
R13: ffff888094634430 R14: 0000000000000000 R15: ffffffff867a2600
FS: 00007fde2001a700(0000) GS:ffff8880aef00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f313f1ecdb8 CR3: 0000000090d5f000 CR4: 00000000001426e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
__vfs_read+0x107/0x6b0 fs/read_write.c:411
integrity_inode_free+0x126/0x320 security/integrity/iint.c:146
security_inode_free+0x19/0x90 security/security.c:443
__destroy_inode+0x1ef/0x4e0 fs/inode.c:237
destroy_inode+0x50/0x130 fs/inode.c:264
evict+0x3e9/0x630 fs/inode.c:571
iput_final fs/inode.c:1516 [inline]
iput fs/inode.c:1543 [inline]
iput+0x476/0x900 fs/inode.c:1528
swap_inode_boot_loader fs/ext4/ioctl.c:197 [inline]
ext4_ioctl+0x16bb/0x39b0 fs/ext4/ioctl.c:883
vfs_read+0x137/0x350 fs/read_write.c:447
SYSC_pread64 fs/read_write.c:611 [inline]
SyS_pread64+0x115/0x140 fs/read_write.c:598
do_syscall_64+0x1eb/0x630 arch/x86/entry/common.c:289
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:500 [inline]
do_vfs_ioctl+0x7b9/0x1070 fs/ioctl.c:684
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x458c29
RSP: 002b:00007fec2eb7ec78 EFLAGS: 00000246 ORIG_RAX: 0000000000000011
RAX: ffffffffffffffda RBX: 00007fec2eb7ec90 RCX: 0000000000458c29
RDX: 000000000000ffd8 RSI: 0000000020e3e000 RDI: 0000000000000004
RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
SYSC_ioctl fs/ioctl.c:701 [inline]
SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
R10: 0000000000103f00 R11: 0000000000000246 R12: 00007fec2eb7f6d4
R13: 00000000004c5961 R14: 00000000004d9cb0 R15: 0000000000000005
do_syscall_64+0x1eb/0x630 arch/x86/entry/common.c:289
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x458c29
RSP: 002b:00007fde20019c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 0000000000458c29
RDX: 0000000000000000 RSI: 0000000000006611 RDI: 0000000000000004
RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fde2001a6d4
R13: 00000000004c0e5f R14: 00000000004d3410 R15: 00000000ffffffff
Code: 00 00 48 b8 00 00 00 00 00 fc ff df 55 48 89 e5 41 57 41 56 49 89 fe
48 83 c7 08 48 89 fa 41 55 48 c1 ea 03 41 54 53 48 83 ec 20 <80> 3c 02 00
0f 85 0c 11 00 00 49 8d 7e 10 4d 8b 7e 08 48 b8 00
RIP: __rb_erase_augmented include/linux/rbtree_augmented.h:167 [inline]
RSP: ffff88805f8879d0
RIP: rb_erase+0x29/0x1c10 lib/rbtree.c:459 RSP: ffff88805f8879d0
net_ratelimit: 14 callbacks suppressed
protocol 88fb is buggy, dev hsr_slave_0
protocol 88fb is buggy, dev hsr_slave_0
protocol 88fb is buggy, dev hsr_slave_1
protocol 88fb is buggy, dev hsr_slave_1
---[ end trace 729bd53dfa1f9ba9 ]---
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot
Oct 18, 2019, 7:27:05 PM10/18/19
to syzkaller...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.
Crashes did not happen for a while, no reproducer and no activity.
Reply all
Reply to author
Forward
0 new messages