general protection fault in release_task


syzbot

Sep 21, 2019, 7:44:07 AM
to syzkaller...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: d573e8a7 Linux 4.19.75
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1270773d600000
kernel config: https://syzkaller.appspot.com/x/.config?x=50b385e67c7b7cdf
dashboard link: https://syzkaller.appspot.com/bug?extid=3f7f3937caf1adc5c814
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=175b4d09600000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=128a1555600000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+3f7f39...@syzkaller.appspotmail.com

IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
8021q: adding VLAN 0 to HW filter on device batadv0
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 7463 Comm: syz-executor446 Not tainted 4.19.75 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:release_task+0x100/0x1630 kernel/exit.c:193
Code: 1d 4e 25 f8 07 31 ff 89 de e8 7c b8 2b 00 84 db 0f 84 65 0f 00 00 e8
2f b7 2b 00 49 8d bc 24 90 00 00 00 48 89 f8 48 c1 e8 03 <42> 80 3c 30 00
0f 85 9d 10 00 00 49 8b 9c 24 90 00 00 00 be 04 00
RSP: 0018:ffff88808499fa08 EFLAGS: 00010206
RAX: 0000000000000012 RBX: 0000000000000001 RCX: ffffffff813fbac6
RDX: 0000000000000000 RSI: ffffffff813fab51 RDI: 0000000000000090
RBP: ffff88808499fa90 R08: ffff888090b28500 R09: ffffed1015d04733
R10: ffffed1015d04732 R11: ffff8880ae823993 R12: 0000000000000000
R13: 0000000000000010 R14: dffffc0000000000 R15: ffff888085c3e540
FS: 00005555571fc880(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000004c6b88 CR3: 00000000a03c8000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
wait_task_zombie kernel/exit.c:1164 [inline]
wait_consider_task+0x2c95/0x3910 kernel/exit.c:1391
do_wait_thread kernel/exit.c:1454 [inline]
do_wait+0x439/0x9d0 kernel/exit.c:1525
kernel_wait4+0x171/0x290 kernel/exit.c:1668
__do_sys_wait4+0x147/0x160 kernel/exit.c:1680
__se_sys_wait4 kernel/exit.c:1676 [inline]
__x64_sys_wait4+0x97/0xf0 kernel/exit.c:1676
do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x40207a
Code: c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 8b 05 be 8a 2d 00 85
c0 75 36 45 31 d2 48 63 d2 48 63 ff b8 3d 00 00 00 0f 05 <48> 3d 00 f0 ff
ff 77 06 c3 0f 1f 44 00 00 48 c7 c2 d0 ff ff ff f7
RSP: 002b:00007ffdb8b41518 EFLAGS: 00000246 ORIG_RAX: 000000000000003d
RAX: ffffffffffffffda RBX: 0000000000001d28 RCX: 000000000040207a
RDX: 0000000040000000 RSI: 00007ffdb8b41524 RDI: ffffffffffffffff
RBP: 00000000006d3018 R08: 0000000000000000 R09: 00005555571fc880
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000403030
R13: 00000000004030c0 R14: 0000000000000000 R15: 0000000000000000
Modules linked in:
---[ end trace bd3fe87a4564f788 ]---
RIP: 0010:release_task+0x100/0x1630 kernel/exit.c:193
Code: 1d 4e 25 f8 07 31 ff 89 de e8 7c b8 2b 00 84 db 0f 84 65 0f 00 00 e8
2f b7 2b 00 49 8d bc 24 90 00 00 00 48 89 f8 48 c1 e8 03 <42> 80 3c 30 00
0f 85 9d 10 00 00 49 8b 9c 24 90 00 00 00 be 04 00
RSP: 0018:ffff88808499fa08 EFLAGS: 00010206
RAX: 0000000000000012 RBX: 0000000000000001 RCX: ffffffff813fbac6
RDX: 0000000000000000 RSI: ffffffff813fab51 RDI: 0000000000000090
RBP: ffff88808499fa90 R08: ffff888090b28500 R09: ffffed1015d04733
R10: ffffed1015d04732 R11: ffff8880ae823993 R12: 0000000000000000
R13: 0000000000000010 R14: dffffc0000000000 R15: ffff888085c3e540
FS: 00005555571fc880(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000004c6b88 CR3: 00000000a03c8000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
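A short worked decode of the register dump above, added here as an illustration and not part of syzbot's report. The faulting instruction sequence in the `Code:` line is `lea 0x90(%r12),%rdi ; mov %rdi,%rax ; shr $3,%rax ; cmpb $0,(%rax,%r14,1)`, i.e. the inline KASAN shadow check that precedes a load from `R12 + 0x90`. With R12 = 0 and R14 = 0xdffffc0000000000 (the x86-64 KASAN shadow offset), the shadow byte address is non-canonical, which is why the CPU raises a general protection fault rather than a page fault and why KASAN prints the "NULL-ptr deref or user memory access" hint. The field at offset 0x90 and the variable held in R12 are not identified here; the code only reproduces the arithmetic from the dump.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* x86-64 KASAN parameters as seen in the dump: R14 holds the shadow
 * offset and the compiler shifts the address right by 3 before indexing. */
#define KASAN_SHADOW_OFFSET      0xdffffc0000000000ULL
#define KASAN_SHADOW_SCALE_SHIFT 3

/* Shadow byte address the instrumented check loads for a given address. */
static uint64_t kasan_shadow_addr(uint64_t addr)
{
    return (addr >> KASAN_SHADOW_SCALE_SHIFT) + KASAN_SHADOW_OFFSET;
}

/* 48-bit canonical form: bits 63..47 must all equal bit 47.
 * A non-canonical address raises #GP instead of #PF on x86-64. */
static bool is_canonical(uint64_t addr)
{
    uint64_t top = addr >> 47;
    return top == 0 || top == 0x1ffff;
}

struct fault_info {
    uint64_t base;            /* R12: pointer being dereferenced */
    uint64_t access;          /* RDI: base + field offset (lea 0x90(%r12)) */
    uint64_t field_offset;    /* RDI - R12 */
    uint64_t shadow;          /* (RAX + R14): shadow byte the cmpb touches */
    bool     shadow_canonical;
    bool     null_deref;      /* base lies in the first page, i.e. NULL + off */
};

/* Reconstruct the access from the three registers that matter in the dump.
 * The instruction decoding (lea/mov/shr/cmpb) is taken from the Code: bytes;
 * everything else is plain arithmetic on the register values. */
static struct fault_info analyze_fault(uint64_t r12, uint64_t rdi, uint64_t r14)
{
    struct fault_info f;
    f.base = r12;
    f.access = rdi;
    f.field_offset = rdi - r12;
    f.shadow = (rdi >> KASAN_SHADOW_SCALE_SHIFT) + r14;   /* RAX + R14 */
    f.shadow_canonical = is_canonical(f.shadow);
    f.null_deref = r12 < 4096;                             /* zero page */
    return f;
}

int main(void)
{
    /* Register values copied from the oops above. */
    struct fault_info f = analyze_fault(0x0ULL, 0x90ULL, 0xdffffc0000000000ULL);

    printf("base=%#llx access=%#llx field_offset=%#llx\n",
           (unsigned long long)f.base, (unsigned long long)f.access,
           (unsigned long long)f.field_offset);
    printf("shadow=%#llx canonical=%s null_deref=%s\n",
           (unsigned long long)f.shadow,
           f.shadow_canonical ? "yes" : "no",
           f.null_deref ? "yes" : "no");
    return 0;
}
```

The practical takeaway when triaging this kind of syzbot report: a GPF whose shadow address is non-canonical and whose base register is zero is a NULL-pointer dereference at a small offset, not a memory-safety bug that KASAN caught in the shadow. The bisection result below (an RDMA commit for a crash in `wait4()`) is therefore worth treating with suspicion before replying `#syz fix:`.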

syzbot

Dec 9, 2019, 1:45:01 PM
to syzkaller...@googlegroups.com
syzbot suspects this bug was fixed by commit:

commit 4eb92a1148342af1d6f82018d20cd862e1d3ab7e
Author: Leon Romanovsky <leo...@mellanox.com>
Date: Thu Oct 11 19:10:10 2018 +0000

RDMA/restrack: Protect from reentry to resource return path

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=108a0e41e00000
start commit: d573e8a7 Linux 4.19.75
git tree: linux-4.19.y
If the result looks correct, please mark the bug fixed by replying with:

#syz fix: RDMA/restrack: Protect from reentry to resource return path

For information about bisection process see: https://goo.gl/tpsmEJ#bisection