kernel BUG at arch/x86/mm/physaddr.c:LINE! (2)


syzbot

Jan 1, 2020, 10:39:09 PM
to syzkaller...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: c7ecf3e3 Linux 4.19.92
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=143b4e3ee00000
kernel config: https://syzkaller.appspot.com/x/.config?x=f1b833aa58e7216b
dashboard link: https://syzkaller.appspot.com/bug?extid=b5b21861490b7cf13a2f
compiler: gcc (GCC) 9.0.0 20181231 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+b5b218...@syzkaller.appspotmail.com

------------[ cut here ]------------
kernel BUG at arch/x86/mm/physaddr.c:27!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 18221 Comm: udevd Not tainted 4.19.92-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
kobject: 'gsmtty12' (00000000768a6779): fill_kobj_path: path
= '/devices/virtual/tty/gsmtty12'
RIP: 0010:__phys_addr+0xb3/0x120 arch/x86/mm/physaddr.c:27
Code: 08 4c 89 e3 31 ff 48 d3 eb 48 89 de e8 26 dc 39 00 48 85 db 75 0f e8
7c da 39 00 4c 89 e0 5b 41 5c 41 5d 5d c3 e8 6d da 39 00 <0f> 0b e8 66 da
39 00 48 c7 c0 10 50 e7 88 48 ba 00 00 00 00 00 fc
RSP: 0018:ffff88807a77fa58 EFLAGS: 00010293
RAX: ffff8880433e4500 RBX: 0000000707000000 RCX: ffffffff81316ab2
RDX: 0000000000000000 RSI: ffffffff81316b13 RDI: 0000000000000006
RBP: ffff88807a77fa70 R08: ffff8880433e4500 R09: ffff8880433e4da0
R10: 0000000000000000 R11: 0000000000000000 R12: 0000778707000000
R13: 0000000787000000 R14: ffff88807a77fac0 R15: 0000000000000000
FS: 00007fd61349c7a0(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000560c25ab5008 CR3: 000000001e303000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
virt_to_head_page include/linux/mm.h:653 [inline]
qlink_to_cache mm/kasan/quarantine.c:127 [inline]
qlist_free_all+0xc7/0x150 mm/kasan/quarantine.c:163
quarantine_reduce+0x169/0x1a0 mm/kasan/quarantine.c:259
kasan_kmalloc+0xa0/0xf0 mm/kasan/kasan.c:538
kasan_slab_alloc+0xf/0x20 mm/kasan/kasan.c:490
slab_post_alloc_hook mm/slab.h:445 [inline]
slab_alloc_node mm/slab.c:3340 [inline]
kmem_cache_alloc_node_trace+0x13c/0x720 mm/slab.c:3666
kobject: 'gsmtty12' (00000000768a6779): kobject_cleanup, parent
(null)
__do_kmalloc_node mm/slab.c:3688 [inline]
__kmalloc_node+0x3d/0x80 mm/slab.c:3696
kmalloc_node include/linux/slab.h:557 [inline]
kvmalloc_node+0x68/0x100 mm/util.c:423
kvmalloc include/linux/mm.h:577 [inline]
setxattr+0x16f/0x380 fs/xattr.c:432
path_setxattr+0x197/0x1b0 fs/xattr.c:469
__do_sys_lsetxattr fs/xattr.c:491 [inline]
__se_sys_lsetxattr fs/xattr.c:487 [inline]
__x64_sys_lsetxattr+0xc1/0x150 fs/xattr.c:487
do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7fd612baeffa
Code: 48 8b 0d 41 9e 2a 00 31 d2 48 29 c2 64 89 11 48 83 c8 ff eb ea 90 90
90 90 90 90 90 90 90 90 90 49 89 ca b8 bd 00 00 00 0f 05 <48> 3d 01 f0 ff
ff 73 01 c3 48 8b 0d 0e 9e 2a 00 31 d2 48 29 c2 64
kobject: 'gsmtty12' (00000000768a6779): calling ktype release
RSP: 002b:00007fff36a90d88 EFLAGS: 00000206 ORIG_RAX: 00000000000000bd
RAX: ffffffffffffffda RBX: 00000000ffffffff RCX: 00007fd612baeffa
RDX: 0000000001fe76a0 RSI: 00007fd61307df69 RDI: 0000000001e20240
RBP: 0000000001e20240 R08: 0000000000000000 R09: 65645f7974743a72
R10: 0000000000000022 R11: 0000000000000206 R12: 00000000000023b0
R13: 000000000000f21d R14: 0000000001e596a0 R15: 0000000000000000
Modules linked in:
kobject: 'gsmtty12': free name
kobject: '(null)' (00000000febf8770): kobject_cleanup, parent
(null)
kobject: '(null)' (00000000febf8770): calling ktype release
---[ end trace ce0a3d5da86ba298 ]---
kobject: 'gsmtty13' (000000006f09ab57): kobject_uevent_env
RIP: 0010:__phys_addr+0xb3/0x120 arch/x86/mm/physaddr.c:27
Code: 08 4c 89 e3 31 ff 48 d3 eb 48 89 de e8 26 dc 39 00 48 85 db 75 0f e8
7c da 39 00 4c 89 e0 5b 41 5c 41 5d 5d c3 e8 6d da 39 00 <0f> 0b e8 66 da
39 00 48 c7 c0 10 50 e7 88 48 ba 00 00 00 00 00 fc
kobject: 'gsmtty13' (000000006f09ab57): fill_kobj_path: path
= '/devices/virtual/tty/gsmtty13'
RSP: 0018:ffff88807a77fa58 EFLAGS: 00010293
RAX: ffff8880433e4500 RBX: 0000000707000000 RCX: ffffffff81316ab2
RDX: 0000000000000000 RSI: ffffffff81316b13 RDI: 0000000000000006
kobject: 'gsmtty13' (000000006f09ab57): kobject_cleanup, parent
(null)
RBP: ffff88807a77fa70 R08: ffff8880433e4500 R09: ffff8880433e4da0
R10: 0000000000000000 R11: 0000000000000000 R12: 0000778707000000
kobject: 'gsmtty13' (000000006f09ab57): calling ktype release
R13: 0000000787000000 R14: ffff88807a77fac0 R15: 0000000000000000
FS: 00007fd61349c7a0(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
kobject: 'gsmtty13': free name
kobject: '(null)' (000000006caa201f): kobject_cleanup, parent
(null)
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f5fad76ae30 CR3: 000000001e303000 CR4: 00000000001406e0
kobject: '(null)' (000000006caa201f): calling ktype release
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
kobject: 'gsmtty14' (00000000c5159e12): kobject_uevent_env
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
kobject: 'gsmtty14' (00000000c5159e12): fill_kobj_path: path
= '/devices/virtual/tty/gsmtty14'


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

Feb 22, 2020, 12:02:15 AM
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following crash on:

HEAD commit: 4fccc250 Linux 4.19.105
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=10ebfdd9e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=d603c1cf5fa8b03d
dashboard link: https://syzkaller.appspot.com/bug?extid=b5b21861490b7cf13a2f
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=105141a1e00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=149561dde00000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+b5b218...@syzkaller.appspotmail.com

audit: type=1400 audit(1582347524.002:35): avc: denied { map } for pid=7820 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
audit: type=1400 audit(1582347542.482:36): avc: denied { map } for pid=7832 comm="syz-executor785" path="/root/syz-executor785168857" dev="sda1" ino=1426 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
------------[ cut here ]------------
kernel BUG at arch/x86/mm/physaddr.c:27!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 7832 Comm: syz-executor785 Not tainted 4.19.105-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__phys_addr+0xb3/0x120 arch/x86/mm/physaddr.c:27
Code: 08 4c 89 e3 31 ff 48 d3 eb 48 89 de e8 c6 56 39 00 48 85 db 75 0f e8 1c 55 39 00 4c 89 e0 5b 41 5c 41 5d 5d c3 e8 0d 55 39 00 <0f> 0b e8 06 55 39 00 48 c7 c0 10 50 e7 88 48 ba 00 00 00 00 00 fc
RSP: 0018:ffff88808582f540 EFLAGS: 00010093
RAX: ffff88808e612540 RBX: 0000000002777259 RCX: ffffffff81318752
RDX: 0000000000000000 RSI: ffffffff813187b3 RDI: 0000000000000006
RBP: ffff88808582f558 R08: ffff88808e612540 R09: ffffed1015d24733
R10: ffffed1015d24732 R11: ffff8880ae923993 R12: 0000778002777259
R13: 0000000082777259 R14: ffff8880a9b84480 R15: 0000000000000010
FS: 00000000021a2880(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000200004c0 CR3: 000000008bf9a000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
virt_to_head_page include/linux/mm.h:653 [inline]
virt_to_cache mm/slab.c:399 [inline]
kfree+0x7b/0x220 mm/slab.c:3818
audit_free_lsm_field kernel/auditfilter.c:89 [inline]
audit_free_rule kernel/auditfilter.c:104 [inline]
audit_data_to_entry+0xb7b/0x2650 kernel/auditfilter.c:599
audit_rule_change+0x642/0x1120 kernel/auditfilter.c:1126
audit_receive_msg+0xd1d/0x2590 kernel/audit.c:1369
audit_receive+0x11a/0x240 kernel/audit.c:1512
netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
netlink_unicast+0x53a/0x730 net/netlink/af_netlink.c:1343
netlink_sendmsg+0x8ae/0xd70 net/netlink/af_netlink.c:1908
sock_sendmsg_nosec net/socket.c:622 [inline]
sock_sendmsg+0xd7/0x130 net/socket.c:632
___sys_sendmsg+0x803/0x920 net/socket.c:2115
__sys_sendmsg+0x105/0x1d0 net/socket.c:2153
__do_sys_sendmsg net/socket.c:2162 [inline]
__se_sys_sendmsg net/socket.c:2160 [inline]
__x64_sys_sendmsg+0x78/0xb0 net/socket.c:2160
do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4401a9
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffc8a30fd28 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004401a9
RDX: 0000000000000000 RSI: 00000000200004c0 RDI: 0000000000000003
RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401a30
R13: 0000000000401ac0 R14: 0000000000000000 R15: 0000000000000000
Modules linked in:
---[ end trace af1840a5d5e473d6 ]---
RIP: 0010:__phys_addr+0xb3/0x120 arch/x86/mm/physaddr.c:27
Code: 08 4c 89 e3 31 ff 48 d3 eb 48 89 de e8 c6 56 39 00 48 85 db 75 0f e8 1c 55 39 00 4c 89 e0 5b 41 5c 41 5d 5d c3 e8 0d 55 39 00 <0f> 0b e8 06 55 39 00 48 c7 c0 10 50 e7 88 48 ba 00 00 00 00 00 fc
RSP: 0018:ffff88808582f540 EFLAGS: 00010093
RAX: ffff88808e612540 RBX: 0000000002777259 RCX: ffffffff81318752
RDX: 0000000000000000 RSI: ffffffff813187b3 RDI: 0000000000000006
RBP: ffff88808582f558 R08: ffff88808e612540 R09: ffffed1015d24733
R10: ffffed1015d24732 R11: ffff8880ae923993 R12: 0000778002777259
R13: 0000000082777259 R14: ffff8880a9b84480 R15: 0000000000000010
FS: 00000000021a2880(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000200004c0 CR3: 000000008bf9a000 CR4: 00000000001406e0

syzbot

Jun 20, 2020, 3:45:04 PM
to syzkaller...@googlegroups.com
syzbot suspects this bug was fixed by commit:

commit a3da2984a40b2628d43a0b380e9b24d6fb74a76e
Author: Nicolas Pitre <ni...@fluxnic.net>
Date: Sat May 2 15:01:07 2020 +0000

vt: fix unicode console freeing with a common interface

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=14d6bb7d100000
start commit: 84920cc7 Linux 4.19.121
git tree: linux-4.19.y
kernel config: https://syzkaller.appspot.com/x/.config?x=1deab1e33c1e397b
dashboard link: https://syzkaller.appspot.com/bug?extid=b5b21861490b7cf13a2f
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11a111cc100000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12f36f50100000

If the result looks correct, please mark the bug fixed by replying with:

#syz fix: vt: fix unicode console freeing with a common interface

For information about bisection process see: https://goo.gl/tpsmEJ#bisection