BUG: unable to handle kernel NULL pointer dereference in qlist_free_all
41 views
Skip to first unread message
syzbot
Apr 16, 2020, 9:04:18 AM4/16/20
to syzkaller...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: c10b57a5 Linux 4.14.176
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=13649aabe00000
kernel config: https://syzkaller.appspot.com/x/.config?x=457897b554d08537
dashboard link: https://syzkaller.appspot.com/bug?extid=be4ab0e2bc0ecd3c428c
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+be4ab0...@syzkaller.appspotmail.com
BUG: unable to handle kernel NULL pointer dereference at 00000000000000fc
IP: qlink_to_object mm/kasan/quarantine.c:136 [inline]
IP: qlink_free mm/kasan/quarantine.c:141 [inline]
IP: qlist_free_all+0x28/0x140 mm/kasan/quarantine.c:166
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 1 PID: 3638 Comm: systemd-udevd Not tainted 4.14.176-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff88808f48e6c0 task.stack: ffff88808f490000
RIP: 0010:qlink_to_object mm/kasan/quarantine.c:136 [inline]
RIP: 0010:qlink_free mm/kasan/quarantine.c:141 [inline]
RIP: 0010:qlist_free_all+0x28/0x140 mm/kasan/quarantine.c:166
RSP: 0018:ffff88808f497bb8 EFLAGS: 00010246
RAX: ffffea0000000000 RBX: ffff888000000000 RCX: ffffea000000001f
RDX: 0000000000000000 RSI: ffff88808f48ef40 RDI: ffff888000000000
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff888000000000
R13: ffff88808f497bf0 R14: 0000000000000000 R15: 0000000000000282
FS: 00007f29c3b578c0(0000) GS:ffff8880aeb00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000000000fc CR3: 000000008fb58000 CR4: 00000000001426e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
quarantine_reduce+0x140/0x170 mm/kasan/quarantine.c:259
kasan_kmalloc+0x95/0xe0 mm/kasan/kasan.c:536
slab_post_alloc_hook mm/slab.h:442 [inline]
slab_alloc mm/slab.c:3390 [inline]
kmem_cache_alloc+0x114/0x770 mm/slab.c:3550
getname_flags fs/namei.c:138 [inline]
getname_flags+0xc8/0x560 fs/namei.c:128
user_path_at_empty+0x2a/0x50 fs/namei.c:2631
user_path_at include/linux/namei.h:57 [inline]
vfs_statx+0xd1/0x160 fs/stat.c:185
vfs_lstat include/linux/fs.h:3066 [inline]
SYSC_newlstat+0x83/0xe0 fs/stat.c:350
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x7f29c29ca335
RSP: 002b:00007fffea0a2048 EFLAGS: 00000246 ORIG_RAX: 0000000000000006
RAX: ffffffffffffffda RBX: 000055702efd28f0 RCX: 00007f29c29ca335
RDX: 00007fffea0a2080 RSI: 00007fffea0a2080 RDI: 000055702efd18f0
RBP: 00007fffea0a2140 R08: 00007f29c2c891d8 R09: 0000000000001010
R10: 0000000000000020 R11: 0000000000000246 R12: 000055702efd18f0
R13: 000055702efd191a R14: 000055702efcae56 R15: 000055702efcae5a
Code: eb d6 90 41 57 41 56 41 55 41 54 55 53 48 8b 1f 48 85 db 0f 84 08 01 00 00 48 89 f5 49 89 fd 48 85 ed 49 89 ee 0f 84 8b 00 00 00 <49> 63 86 fc 00 00 00 4c 8b 23 48 29 c3 48 83 3d 03 c3 4d 06 00
RIP: qlink_to_object mm/kasan/quarantine.c:136 [inline] RSP: ffff88808f497bb8
RIP: qlink_free mm/kasan/quarantine.c:141 [inline] RSP: ffff88808f497bb8
RIP: qlist_free_all+0x28/0x140 mm/kasan/quarantine.c:166 RSP: ffff88808f497bb8
CR2: 00000000000000fc
---[ end trace f6b0c7d4e108bfd1 ]---
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot found the following crash on:
HEAD commit: c10b57a5 Linux 4.14.176
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=13649aabe00000
kernel config: https://syzkaller.appspot.com/x/.config?x=457897b554d08537
dashboard link: https://syzkaller.appspot.com/bug?extid=be4ab0e2bc0ecd3c428c
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+be4ab0...@syzkaller.appspotmail.com
BUG: unable to handle kernel NULL pointer dereference at 00000000000000fc
IP: qlink_to_object mm/kasan/quarantine.c:136 [inline]
IP: qlink_free mm/kasan/quarantine.c:141 [inline]
IP: qlist_free_all+0x28/0x140 mm/kasan/quarantine.c:166
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 1 PID: 3638 Comm: systemd-udevd Not tainted 4.14.176-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff88808f48e6c0 task.stack: ffff88808f490000
RIP: 0010:qlink_to_object mm/kasan/quarantine.c:136 [inline]
RIP: 0010:qlink_free mm/kasan/quarantine.c:141 [inline]
RIP: 0010:qlist_free_all+0x28/0x140 mm/kasan/quarantine.c:166
RSP: 0018:ffff88808f497bb8 EFLAGS: 00010246
RAX: ffffea0000000000 RBX: ffff888000000000 RCX: ffffea000000001f
RDX: 0000000000000000 RSI: ffff88808f48ef40 RDI: ffff888000000000
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff888000000000
R13: ffff88808f497bf0 R14: 0000000000000000 R15: 0000000000000282
FS: 00007f29c3b578c0(0000) GS:ffff8880aeb00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000000000fc CR3: 000000008fb58000 CR4: 00000000001426e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
quarantine_reduce+0x140/0x170 mm/kasan/quarantine.c:259
kasan_kmalloc+0x95/0xe0 mm/kasan/kasan.c:536
slab_post_alloc_hook mm/slab.h:442 [inline]
slab_alloc mm/slab.c:3390 [inline]
kmem_cache_alloc+0x114/0x770 mm/slab.c:3550
getname_flags fs/namei.c:138 [inline]
getname_flags+0xc8/0x560 fs/namei.c:128
user_path_at_empty+0x2a/0x50 fs/namei.c:2631
user_path_at include/linux/namei.h:57 [inline]
vfs_statx+0xd1/0x160 fs/stat.c:185
vfs_lstat include/linux/fs.h:3066 [inline]
SYSC_newlstat+0x83/0xe0 fs/stat.c:350
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x7f29c29ca335
RSP: 002b:00007fffea0a2048 EFLAGS: 00000246 ORIG_RAX: 0000000000000006
RAX: ffffffffffffffda RBX: 000055702efd28f0 RCX: 00007f29c29ca335
RDX: 00007fffea0a2080 RSI: 00007fffea0a2080 RDI: 000055702efd18f0
RBP: 00007fffea0a2140 R08: 00007f29c2c891d8 R09: 0000000000001010
R10: 0000000000000020 R11: 0000000000000246 R12: 000055702efd18f0
R13: 000055702efd191a R14: 000055702efcae56 R15: 000055702efcae5a
Code: eb d6 90 41 57 41 56 41 55 41 54 55 53 48 8b 1f 48 85 db 0f 84 08 01 00 00 48 89 f5 49 89 fd 48 85 ed 49 89 ee 0f 84 8b 00 00 00 <49> 63 86 fc 00 00 00 4c 8b 23 48 29 c3 48 83 3d 03 c3 4d 06 00
RIP: qlink_to_object mm/kasan/quarantine.c:136 [inline] RSP: ffff88808f497bb8
RIP: qlink_free mm/kasan/quarantine.c:141 [inline] RSP: ffff88808f497bb8
RIP: qlist_free_all+0x28/0x140 mm/kasan/quarantine.c:166 RSP: ffff88808f497bb8
CR2: 00000000000000fc
---[ end trace f6b0c7d4e108bfd1 ]---
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot
Apr 20, 2020, 4:06:11 AM4/20/20
to syzkaller...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: 8488c3f3 Linux 4.19.116
syzbot found the following crash on:
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=141f31d7e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=f57eb167d8072371
dashboard link: https://syzkaller.appspot.com/bug?extid=35564d40863d265ca978
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+35564d...@syzkaller.appspotmail.com
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
BUG: unable to handle kernel NULL pointer dereference at 00000000000000fc
Oops: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 29107 Comm: syz-executor.5 Not tainted 4.19.116-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:qlink_to_object mm/kasan/quarantine.c:136 [inline]
RIP: 0010:qlink_free mm/kasan/quarantine.c:141 [inline]
RIP: 0010:qlist_free_all+0x28/0x140 mm/kasan/quarantine.c:166
Code: d6 90 41 57 41 56 41 55 41 54 55 53 48 8b 1f 48 85 db 0f 84 08 01 00 00 48 89 f5 49 89 fd 48 85 ed 49 89 ee 0f 84 8b 00 00 00 <49> 63 86 fc 00 00 00 4c 8b 23 48 29 c3 48 83 3d b3 ce 34 07 00 0f
RIP: 0010:qlink_free mm/kasan/quarantine.c:141 [inline]
RIP: 0010:qlist_free_all+0x28/0x140 mm/kasan/quarantine.c:166
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.0'.
RSP: 0000:ffff888213de7a90 EFLAGS: 00010246
RAX: ffffea0002b9a740 RBX: ffff8880ae69d940 RCX: ffffffffffffffff
RDX: 0000000000000000 RSI: ffffffff813001da RDI: 0000000000000007
RBP: 0000000000000000 R08: ffff88804da00400 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff8880ae69d940
R13: ffff888213de7ac8 R14: 0000000000000000 R15: 0000000000000282
FS: 0000000000fdb940(0000) GS:ffff8880ae600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.0'.
CR2: 00000000000000fc CR3: 0000000213518000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
quarantine_reduce+0x164/0x1a0 mm/kasan/quarantine.c:259
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
kasan_kmalloc+0x95/0xe0 mm/kasan/kasan.c:538
slab_post_alloc_hook mm/slab.h:445 [inline]
slab_alloc mm/slab.c:3397 [inline]
kmem_cache_alloc+0x114/0x710 mm/slab.c:3557
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.0'.
anon_vma_chain_alloc mm/rmap.c:129 [inline]
__anon_vma_prepare+0x59/0x3a0 mm/rmap.c:183
anon_vma_prepare include/linux/rmap.h:153 [inline]
do_huge_pmd_anonymous_page+0xe68/0x13e0 mm/huge_memory.c:688
create_huge_pmd mm/memory.c:3932 [inline]
__handle_mm_fault+0x2a04/0x3b60 mm/memory.c:4136
handle_mm_fault+0x1a5/0x670 mm/memory.c:4202
__do_page_fault+0x5ed/0xdd0 arch/x86/mm/fault.c:1412
page_fault+0x1e/0x30 arch/x86/entry/entry_64.S:1204
RIP: 0033:0x400604
Code: 06 e9 49 01 00 00 48 8b 44 24 10 48 0b 44 24 28 75 1f 48 8b 14 24 48 8b 7c 24 20 be 04 00 00 00 e8 f1 58 00 00 48 8b 74 24 08 <89> 06 e9 1e 01 00 00 48 8b 44 24 08 48 8b 14 24 be 04 00 00 00 8b
RSP: 002b:00007ffd0baaa280 EFLAGS: 00010206
RAX: 0000000100000001 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000020000040 RDI: 0000000100000001
RBP: 0000000000790060 R08: 0000000000000000 R09: 0000000000000000
R10: 00007ffd0baaa3a0 R11: 0000000000000246 R12: 0000000000790068
R13: 00000000001c34ea R14: fffffffffffffffe R15: 000000000078bf0c
Modules linked in:
CR2: 00000000000000fc
---[ end trace d23e7f52987eab72 ]---
RIP: 0010:qlink_to_object mm/kasan/quarantine.c:136 [inline]
RIP: 0010:qlink_free mm/kasan/quarantine.c:141 [inline]
RIP: 0010:qlist_free_all+0x28/0x140 mm/kasan/quarantine.c:166
Code: d6 90 41 57 41 56 41 55 41 54 55 53 48 8b 1f 48 85 db 0f 84 08 01 00 00 48 89 f5 49 89 fd 48 85 ed 49 89 ee 0f 84 8b 00 00 00 <49> 63 86 fc 00 00 00 4c 8b 23 48 29 c3 48 83 3d b3 ce 34 07 00 0f
RIP: 0010:qlink_free mm/kasan/quarantine.c:141 [inline]
RIP: 0010:qlist_free_all+0x28/0x140 mm/kasan/quarantine.c:166
RSP: 0000:ffff888213de7a90 EFLAGS: 00010246
RAX: ffffea0002b9a740 RBX: ffff8880ae69d940 RCX: ffffffffffffffff
RDX: 0000000000000000 RSI: ffffffff813001da RDI: 0000000000000007
RBP: 0000000000000000 R08: ffff88804da00400 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff8880ae69d940
R13: ffff888213de7ac8 R14: 0000000000000000 R15: 0000000000000282
FS: 0000000000fdb940(0000) GS:ffff8880ae600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000073b138 CR3: 0000000213518000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
syzbot
Aug 18, 2020, 4:06:18 AM8/18/20
to syzkaller...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.
Crashes did not happen for a while, no reproducer and no activity.
syzbot
Sep 17, 2020, 3:42:12 AM9/17/20
to syzkaller...@googlegroups.com
Reply all
Reply to author
Forward
0 new messages