kernel BUG at arch/x86/mm/physaddr.c:LINE!


syzbot

Jun 29, 2019, 1:49:07 AM
to syzkaller...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: aec3002d Linux 4.19.56
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=17873365a00000
kernel config: https://syzkaller.appspot.com/x/.config?x=48b721ea0070d1cd
dashboard link: https://syzkaller.appspot.com/bug?extid=adf31b087e84fec2543f
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1357f44da00000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+adf31b...@syzkaller.appspotmail.com

Enabling of bearer <udp:syz2> rejected, already enabled
Enabling of bearer <udp:syz2> rejected, already enabled
Started in network mode
Own node identity 7f000001, cluster identity 4711
------------[ cut here ]------------
kernel BUG at arch/x86/mm/physaddr.c:27!
New replicast peer: 172.20.20.22
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 19 Comm: kworker/1:0 Not tainted 4.19.56 #28
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Enabled bearer <udp:syz2>, priority 2
Workqueue: events cache_reap
RIP: 0010:__phys_addr+0xb3/0x120 arch/x86/mm/physaddr.c:27
Code: 08 4c 89 e3 31 ff 48 d3 eb 48 89 de e8 c6 16 3a 00 48 85 db 75 0f e8 1c 15 3a 00 4c 89 e0 5b 41 5c 41 5d 5d c3 e8 0d 15 3a 00 <0f> 0b e8 06 15 3a 00 48 c7 c0 10 50 67 88 48 ba 00 00 00 00 00 fc
RSP: 0018:ffff8880aa2b7bd8 EFLAGS: 00010093
Started in network mode
RAX: ffff8880aa2a8500 RBX: 0000000000000000 RCX: ffffffff81310142
RDX: 0000000000000000 RSI: ffffffff813101a3 RDI: 0000000000000006
RBP: ffff8880aa2b7bf0 R08: ffff8880aa2a8500 R09: ffffed1014293ce1
R10: ffffed1014293ce0 R11: ffff8880a149e703 R12: 0000778000000000
R13: 0000000080000000 R14: ffff8880a149e700 R15: ffff8880a149e700
FS: 0000000000000000(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
Own node identity 7f000001, cluster identity 4711
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000070e158 CR3: 000000009eec3000 CR4: 00000000001406e0
Call Trace:
virt_to_head_page include/linux/mm.h:658 [inline]
free_block+0xa8/0x250 mm/slab.c:3420
drain_array_locked+0x36/0x90 mm/slab.c:2213
New replicast peer: 172.20.20.22
drain_array+0x8c/0xb0 mm/slab.c:4027
cache_reap+0xf4/0x280 mm/slab.c:4068
process_one_work+0x989/0x1750 kernel/workqueue.c:2153
Enabled bearer <udp:syz2>, priority 2
Enabling of bearer <udp:syz2> rejected, already enabled
worker_thread+0x98/0xe40 kernel/workqueue.c:2296
kthread+0x354/0x420 kernel/kthread.c:246
Enabling of bearer <udp:syz2> rejected, already enabled
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
Modules linked in:
---[ end trace a5e277d1d5a6e4d2 ]---
Enabling of bearer <udp:syz2> rejected, already enabled
RIP: 0010:__phys_addr+0xb3/0x120 arch/x86/mm/physaddr.c:27
Code: 08 4c 89 e3 31 ff 48 d3 eb 48 89 de e8 c6 16 3a 00 48 85 db 75 0f e8 1c 15 3a 00 4c 89 e0 5b 41 5c 41 5d 5d c3 e8 0d 15 3a 00 <0f> 0b e8 06 15 3a 00 48 c7 c0 10 50 67 88 48 ba 00 00 00 00 00 fc
RSP: 0018:ffff8880aa2b7bd8 EFLAGS: 00010093
RAX: ffff8880aa2a8500 RBX: 0000000000000000 RCX: ffffffff81310142
RDX: 0000000000000000 RSI: ffffffff813101a3 RDI: 0000000000000006
RBP: ffff8880aa2b7bf0 R08: ffff8880aa2a8500 R09: ffffed1014293ce1
R10: ffffed1014293ce0 R11: ffff8880a149e703 R12: 0000778000000000
R13: 0000000080000000 R14: ffff8880a149e700 R15: ffff8880a149e700
FS: 0000000000000000(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000070e158 CR3: 000000009eec3000 CR4: 00000000001406e0


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches

syzbot

Dec 15, 2019, 10:29:01 PM
to syzkaller...@googlegroups.com
syzbot suspects this bug was fixed by commit:

commit 4736bb27774449cf759ee81663b4126a297ba9d4
Author: Xin Long <lucie...@gmail.com>
Date: Mon Jun 17 13:34:13 2019 +0000

ip_tunnel: allow not to count pkts on tstats by setting skb's dev to NULL

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=152c86fae00000
start commit: aec3002d Linux 4.19.56
git tree: linux-4.19.y
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1357f44da00000

If the result looks correct, please mark the bug fixed by replying with:

#syz fix: ip_tunnel: allow not to count pkts on tstats by setting skb's dev to NULL

For information about bisection process see: https://goo.gl/tpsmEJ#bisection

syzbot

Dec 25, 2019, 9:01:12 PM
to syzkaller...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: e1f7d50a Linux 4.14.160
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=17f896c1e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=46599517442ad9fb
dashboard link: https://syzkaller.appspot.com/bug?extid=f3c6a35e3859372ab734
compiler: gcc (GCC) 9.0.0 20181231 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+f3c6a3...@syzkaller.appspotmail.com

------------[ cut here ]------------
kernel BUG at arch/x86/mm/physaddr.c:27!
EXT4-fs (loop1): ext4_check_descriptors: Block bitmap for group 0 overlaps block group descriptors
proc: unrecognized mount option "appraise" or missing value
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 1 PID: 13685 Comm: blkid Not tainted 4.14.160-syzkaller #0
proc: unrecognized mount option "appraise" or missing value
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff888091f363c0 task.stack: ffff888045f38000
RIP: 0010:__phys_addr+0x87/0xe0 arch/x86/mm/physaddr.c:27
RSP: 0018:ffff888045f3f798 EFLAGS: 00010297
RAX: ffff888091f363c0 RBX: 0808080808080808 RCX: 1ffff110123e6d8c
RDX: 0000000000000000 RSI: 0808080808080808 RDI: 0808080808080808
RBP: ffff888045f3f7b0 R08: ffff888091f363c0 R09: ffff888091f36c60
R10: 0000000000000000 R11: 0000000000000000 R12: 08087f8808080808
R13: 0808080888080808 R14: ffff888045f3f800 R15: 0000000000000000
FS: 00007f448392e7a0(0000) GS:ffff8880aed00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fff8a952918 CR3: 000000007b924000 CR4: 00000000001426e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
virt_to_head_page include/linux/mm.h:600 [inline]
qlink_to_cache mm/kasan/quarantine.c:127 [inline]
qlist_free_all+0xc7/0x150 mm/kasan/quarantine.c:163
quarantine_reduce+0x147/0x180 mm/kasan/quarantine.c:259
kasan_kmalloc+0xa0/0xf0 mm/kasan/kasan.c:536
kasan_slab_alloc+0xf/0x20 mm/kasan/kasan.c:489
slab_post_alloc_hook mm/slab.h:442 [inline]
slab_alloc mm/slab.c:3390 [inline]
kmem_cache_alloc+0x11b/0x780 mm/slab.c:3550
ptlock_alloc mm/memory.c:4741 [inline]
ptlock_init include/linux/mm.h:1752 [inline]
pgtable_pmd_page_ctor include/linux/mm.h:1844 [inline]
pmd_alloc_one arch/x86/include/asm/pgalloc.h:105 [inline]
__pmd_alloc+0xbd/0x410 mm/memory.c:4229
pmd_alloc include/linux/mm.h:1702 [inline]
alloc_new_pmd mm/mremap.c:75 [inline]
move_page_tables+0xffc/0x1740 mm/mremap.c:223
shift_arg_pages+0x1a6/0x460 fs/exec.c:647
setup_arg_pages+0x5b2/0x740 fs/exec.c:759
load_elf_binary+0xa68/0x4d60 fs/binfmt_elf.c:873
search_binary_handler fs/exec.c:1638 [inline]
search_binary_handler+0x149/0x6f0 fs/exec.c:1616
exec_binprm fs/exec.c:1680 [inline]
do_execveat_common.isra.0+0x1000/0x1dd0 fs/exec.c:1802
do_execve fs/exec.c:1847 [inline]
SYSC_execve fs/exec.c:1928 [inline]
SyS_execve+0x39/0x50 fs/exec.c:1923
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x7f4483012207
RSP: 002b:00007ffdb45be598 EFLAGS: 00000202 ORIG_RAX: 000000000000003b
RAX: ffffffffffffffda RBX: 00000000ffffffff RCX: 00007f4483012207
RDX: 00000000024bbe90 RSI: 00007ffdb45be690 RDI: 00007ffdb45bf6a0
RBP: 0000000000625500 R08: 0000000000003464 R09: 0000000000003464
R10: 0000000000000000 R11: 0000000000000202 R12: 00000000024bbe90
R13: 0000000000000007 R14: 0000000002472030 R15: 0000000000000005
Code: 04 84 d2 75 28 0f b6 0d d1 41 87 07 4c 89 e0 48 d3 e8 48 85 c0 75 0f e8 a8 61 32 00 4c 89 e0 5b 41 5c 41 5d 5d c3 e8 99 61 32 00 <0f> 0b 48 c7 c7 89 2f b2 88 e8 ab ee 5c 00 eb ca e8 84 61 32 00
RIP: __phys_addr+0x87/0xe0 arch/x86/mm/physaddr.c:27 RSP: ffff888045f3f798
------------[ cut here ]------------
kernel BUG at arch/x86/mm/physaddr.c:27!
EXT4-fs (loop1): ext4_check_descriptors: Inode table for group 0 overlaps superblock
invalid opcode: 0000 [#2] PREEMPT SMP KASAN
Modules linked in:
CPU: 0 PID: 3610 Comm: udevd Tainted: G D 4.14.160-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff88809677e6c0 task.stack: ffff888096780000
RIP: 0010:__phys_addr+0x87/0xe0 arch/x86/mm/physaddr.c:27
RSP: 0018:ffff888096787bd0 EFLAGS: 00010297
kobject: 'loop1' (ffff88808e5c0dc8): kobject_add_internal: parent: 'ext4', set: 'ext4'
RAX: ffff88809677e6c0 RBX: 0808080808080808 RCX: 1ffffffff1066fb0
RDX: 0000000000000000 RSI: 0808080808080808 RDI: 0808080808080808
RBP: ffff888096787be8 R08: ffff88809677e6c0 R09: 0000000000000000
R10: 0000000000000000 R11: ffff88809677e6c0 R12: 08087f8808080808
R13: 0808080888080808 R14: ffff888096787c38 R15: 0000000000000000
FS: 00007f448392e7a0(0000) GS:ffff8880aec00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2e929000 CR3: 00000000966d7000 CR4: 00000000001426f0
EXT4-fs (loop1): mounted filesystem without journal. Opts: ,errors=continue
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
virt_to_head_page include/linux/mm.h:600 [inline]
qlink_to_cache mm/kasan/quarantine.c:127 [inline]
qlist_free_all+0xc7/0x150 mm/kasan/quarantine.c:163
quarantine_reduce+0x147/0x180 mm/kasan/quarantine.c:259
kasan_kmalloc+0xa0/0xf0 mm/kasan/kasan.c:536
kasan_slab_alloc+0xf/0x20 mm/kasan/kasan.c:489
slab_post_alloc_hook mm/slab.h:442 [inline]
slab_alloc mm/slab.c:3390 [inline]
kmem_cache_alloc_trace+0x13b/0x790 mm/slab.c:3616
kmalloc include/linux/slab.h:488 [inline]
kzalloc include/linux/slab.h:661 [inline]
kernfs_iop_get_link fs/kernfs/symlink.c:127 [inline]
kernfs_iop_get_link+0x6a/0x650 fs/kernfs/symlink.c:118
generic_readlink fs/namei.c:4727 [inline]
vfs_readlink+0x1ac/0x410 fs/namei.c:4762
audit: type=1804 audit(1577325651.483:145): pid=13698 uid=0 auid=4294967295 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 op="invalid_pcr" cause="open_writers" comm="syz-executor.2" name="/root/syzkaller-testdir249924112/syzkaller.NZ54Wt/19/bus" dev="sda1" ino=16657 res=1
SYSC_readlinkat fs/stat.c:406 [inline]
SyS_readlinkat fs/stat.c:382 [inline]
SYSC_readlink fs/stat.c:421 [inline]
SyS_readlink+0x218/0x290 fs/stat.c:418
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x7f4483037577
RSP: 002b:00007ffdb45c4088 EFLAGS: 00000246 ORIG_RAX: 0000000000000059
RAX: ffffffffffffffda RBX: 0000000002472030 RCX: 00007f4483037577
RDX: 0000000000000400 RSI: 00007ffdb45c4090 RDI: 00007ffdb45c4570
RBP: 00007ffdb45c4dd0 R08: 00007ffdb45c4dd0 R09: 00007f448308bde0
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffdb45c4570
audit: type=1804 audit(1577325651.483:146): pid=13698 uid=0 auid=4294967295 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 op="invalid_pcr" cause="open_writers" comm="syz-executor.2" name="/root/syzkaller-testdir249924112/syzkaller.NZ54Wt/19/bus" dev="sda1" ino=16657 res=1
R13: 0000000000000400 R14: 00000000024c6100 R15: 0000000002472030
Code: 04 84 d2 75 28 0f b6 0d d1 41 87 07 4c 89 e0 48 d3 e8 48 85 c0 75 0f e8 a8 61 32 00 4c 89 e0 5b 41 5c 41 5d 5d c3 e8 99 61 32 00 <0f> 0b 48 c7 c7 89 2f b2 88 e8 ab ee 5c 00 eb ca e8 84 61 32 00
RIP: __phys_addr+0x87/0xe0 arch/x86/mm/physaddr.c:27 RSP: ffff888096787bd0
---[ end trace d7390c370cfc5df7 ]---

syzbot

Feb 24, 2020, 12:30:13 AM
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following crash on:

HEAD commit: 98db2bf2 Linux 4.14.171
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=10df4265e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=365f8162d5a0794b
dashboard link: https://syzkaller.appspot.com/bug?extid=f3c6a35e3859372ab734
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1716127ee00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15d3e265e00000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+f3c6a3...@syzkaller.appspotmail.com

random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
audit: type=1400 audit(1582522046.771:36): avc: denied { map } for pid=7234 comm="syz-executor700" path="/root/syz-executor700685718" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
------------[ cut here ]------------
kernel BUG at arch/x86/mm/physaddr.c:27!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 0 PID: 7234 Comm: syz-executor700 Not tainted 4.14.171-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8880976260c0 task.stack: ffff888096948000
RIP: 0010:__phys_addr+0x87/0xe0 arch/x86/mm/physaddr.c:27
RSP: 0018:ffff88809694f620 EFLAGS: 00010097
RAX: ffff8880976260c0 RBX: 0000000002777259 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000002777259
RBP: ffff88809694f638 R08: ffff8880976260c0 R09: ffff888097626960
R10: 0000000000000000 R11: 0000000000000000 R12: 0000778002777259
R13: 0000000082777259 R14: ffff88809ee3cdc0 R15: 0000000000000007
FS: 00000000014de880(0000) GS:ffff8880aec00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000200004c0 CR3: 000000009757b000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
virt_to_head_page include/linux/mm.h:600 [inline]
virt_to_cache mm/slab.c:399 [inline]
kfree+0x7b/0x270 mm/slab.c:3811
audit_free_lsm_field kernel/auditfilter.c:87 [inline]
audit_free_rule kernel/auditfilter.c:102 [inline]
audit_data_to_entry+0xa71/0x2170 kernel/auditfilter.c:583
audit_rule_change+0x56d/0xdd0 kernel/auditfilter.c:1106
audit_receive_msg+0xdaa/0x21d0 kernel/audit.c:1330
audit_receive+0xe1/0x1c0 kernel/audit.c:1473
netlink_unicast_kernel net/netlink/af_netlink.c:1286 [inline]
netlink_unicast+0x44d/0x650 net/netlink/af_netlink.c:1312
netlink_sendmsg+0x7c4/0xc60 net/netlink/af_netlink.c:1877
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xce/0x110 net/socket.c:656
___sys_sendmsg+0x70a/0x840 net/socket.c:2062
__sys_sendmsg+0xb9/0x140 net/socket.c:2096
SYSC_sendmsg net/socket.c:2107 [inline]
SyS_sendmsg+0x2d/0x50 net/socket.c:2103
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x4401a9
RSP: 002b:00007ffe173236b8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004401a9
RDX: 0000000000000000 RSI: 00000000200004c0 RDI: 0000000000000003
RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401a30
R13: 0000000000401ac0 R14: 0000000000000000 R15: 0000000000000000
Code: 04 84 d2 75 28 0f b6 0d a1 12 87 07 4c 89 e0 48 d3 e8 48 85 c0 75 0f e8 e8 dd 31 00 4c 89 e0 5b 41 5c 41 5d 5d c3 e8 d9 dd 31 00 <0f> 0b 48 c7 c7 09 fd b1 88 e8 2b 6d 5c 00 eb ca e8 c4 dd 31 00
RIP: __phys_addr+0x87/0xe0 arch/x86/mm/physaddr.c:27 RSP: ffff88809694f620
---[ end trace 25672fef3f7000ab ]---
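Added example (not part of the syzbot reports above, and not kernel code): a user-space C model of the x86-64 __phys_addr() check that every dump in this thread reaches through virt_to_head_page(). The BUG is the VIRTUAL_BUG_ON() that CONFIG_DEBUG_VIRTUAL compiles into __phys_addr(); the register dumps show the linear-map branch of that function, with the wrapped intermediate y in R13 and the recomputed x in R12 (the bytes 4c 89 e0, mov %r12,%rax, sit right before the pop/ret epilogue in each Code: line). The model reproduces those two values from a virtual address and, inverted, recovers the pointer that was handed to free_block()/kfree(): 0 in the 4.19.56 dump, 0x0808080808080808 in both 4.14.160 dumps, and 0x2777259 in the 4.14.171 dump. The constants are assumptions for the syzbot configuration (page_offset_base 0xffff888000000000, __START_KERNEL_map 0xffffffff80000000, KERNEL_IMAGE_SIZE 1 GiB, phys_base 0, 46 physical address bits); they are consistent with the dumps but are not stated anywhere on this page.

```c
/*
 * Added example, not part of the syzbot reports above and not kernel code:
 * a user-space model of the x86-64 __phys_addr() check behind
 * "kernel BUG at arch/x86/mm/physaddr.c", used to recover the bad virtual
 * address from a register dump.
 *
 * All constants below are ASSUMED for the syzbot configuration (x86-64,
 * 4-level paging, default page_offset_base, phys_base 0, 46 physical
 * address bits); the real kernel reads phys_base and x86_phys_bits at boot.
 */
#include <stdint.h>
#include <stdio.h>

#define PAGE_OFFSET        0xffff888000000000ULL  /* assumed: linear-map base  */
#define START_KERNEL_MAP   0xffffffff80000000ULL  /* assumed: kernel-text base */
#define KERNEL_IMAGE_SIZE  0x40000000ULL          /* assumed: 1 GiB            */
#define PHYS_BASE          0ULL                   /* assumed: phys_base        */
#define PHYS_BITS          46                     /* assumed: x86_phys_bits    */

enum phys_addr_result {
    PA_OK = 0,          /* address is in the kernel image or the linear map      */
    PA_BUG_IMAGE = 1,   /* above __START_KERNEL_map but past KERNEL_IMAGE_SIZE   */
    PA_BUG_LINEAR = 2,  /* below __START_KERNEL_map and not in the linear map    */
};

/*
 * Same shape as the kernel's __phys_addr(): the subtraction wraps, and the
 * comparison x > y on the wrapped value stands in for the carry flag. The two
 * VIRTUAL_BUG_ON()s are returned as codes instead of crashing. *y_out and
 * *x_out receive the intermediates that the dumps above show in R13 and R12.
 */
static enum phys_addr_result phys_addr_core(uint64_t x, uint64_t *y_out, uint64_t *x_out)
{
    uint64_t y = x - START_KERNEL_MAP;
    enum phys_addr_result r = PA_OK;

    if (x > y) {
        /* x was >= __START_KERNEL_map: kernel image mapping */
        x = y + PHYS_BASE;
        if (y >= KERNEL_IMAGE_SIZE)
            r = PA_BUG_IMAGE;
    } else {
        /* x was < __START_KERNEL_map: it must lie in the linear map */
        x = y + (START_KERNEL_MAP - PAGE_OFFSET);
        /* a carry here (x > y) means the original x was below PAGE_OFFSET;
         * the shift models phys_addr_valid() */
        if (x > y || (x >> PHYS_BITS) != 0)
            r = PA_BUG_LINEAR;
    }
    *y_out = y;
    *x_out = x;
    return r;
}

/* Which VIRTUAL_BUG_ON(), if any, a given virtual address would trip. */
enum phys_addr_result classify_virt(uint64_t virt)
{
    uint64_t y, x;
    return phys_addr_core(virt, &y, &x);
}

/* The value __phys_addr() computes (a real physical address only when
 * classify_virt() returns PA_OK; otherwise the garbage the dump shows in R12). */
uint64_t model_phys_addr(uint64_t virt)
{
    uint64_t y, x;
    phys_addr_core(virt, &y, &x);
    return x;
}

/* Invert the linear-map branch: R13 held y = virt - __START_KERNEL_map. */
uint64_t virt_from_dump(uint64_t r13)
{
    return r13 + START_KERNEL_MAP;
}

/* Check that an (R12, R13) pair really came from that branch:
 * R12 must equal y + (__START_KERNEL_map - PAGE_OFFSET). */
int dump_is_consistent(uint64_t r12, uint64_t r13)
{
    return r12 == r13 + (START_KERNEL_MAP - PAGE_OFFSET);
}

/* (R12, R13) pairs copied from the register dumps in this thread. */
static const struct { const char *report; uint64_t r12, r13; } dumps[] = {
    { "4.19.56  cache_reap",        0x0000778000000000ULL, 0x0000000080000000ULL },
    { "4.14.160 quarantine_reduce", 0x08087f8808080808ULL, 0x0808080888080808ULL },
    { "4.14.171 audit kfree",       0x0000778002777259ULL, 0x0000000082777259ULL },
};

int main(void)
{
    for (size_t i = 0; i < sizeof dumps / sizeof dumps[0]; i++) {
        uint64_t virt = virt_from_dump(dumps[i].r13);
        printf("%-26s consistent=%d virt=0x%016llx bug=%d\n", dumps[i].report,
               dump_is_consistent(dumps[i].r12, dumps[i].r13),
               (unsigned long long)virt, (int)classify_virt(virt));
    }
    return 0;
}
```

Without CONFIG_DEBUG_VIRTUAL the non-debug variant does the same arithmetic with no check, so virt_to_head_page() would return a struct page pointer derived from the garbage value and the slab code would write through it; the BUG is the debug option doing its job, and the defect lives in whichever caller passed the pointer (the cache_reap drain, the KASAN quarantine, or audit_free_lsm_field in the respective traces). A NULL, a repeated 0x08 byte pattern and a small user-range value are not slab object addresses, so the recovered pointer, not physaddr.c, is where to look next.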
