Hello,
syzbot found the following crash on:
HEAD commit: c7ecf3e3 Linux 4.19.92
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=143b4e3ee00000
kernel config: https://syzkaller.appspot.com/x/.config?x=f1b833aa58e7216b
dashboard link: https://syzkaller.appspot.com/bug?extid=b5b21861490b7cf13a2f
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+b5b218...@syzkaller.appspotmail.com
------------[ cut here ]------------
kernel BUG at arch/x86/mm/physaddr.c:27!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 18221 Comm: udevd Not tainted 4.19.92-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
kobject: 'gsmtty12' (00000000768a6779): fill_kobj_path: path
= '/devices/virtual/tty/gsmtty12'
RIP: 0010:__phys_addr+0xb3/0x120 arch/x86/mm/physaddr.c:27
Code: 08 4c 89 e3 31 ff 48 d3 eb 48 89 de e8 26 dc 39 00 48 85 db 75 0f e8
7c da 39 00 4c 89 e0 5b 41 5c 41 5d 5d c3 e8 6d da 39 00 <0f> 0b e8 66 da
39 00 48 c7 c0 10 50 e7 88 48 ba 00 00 00 00 00 fc
RSP: 0018:ffff88807a77fa58 EFLAGS: 00010293
RAX: ffff8880433e4500 RBX: 0000000707000000 RCX: ffffffff81316ab2
RDX: 0000000000000000 RSI: ffffffff81316b13 RDI: 0000000000000006
RBP: ffff88807a77fa70 R08: ffff8880433e4500 R09: ffff8880433e4da0
R10: 0000000000000000 R11: 0000000000000000 R12: 0000778707000000
R13: 0000000787000000 R14: ffff88807a77fac0 R15: 0000000000000000
FS: 00007fd61349c7a0(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000560c25ab5008 CR3: 000000001e303000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
virt_to_head_page include/linux/mm.h:653 [inline]
qlink_to_cache mm/kasan/quarantine.c:127 [inline]
qlist_free_all+0xc7/0x150 mm/kasan/quarantine.c:163
quarantine_reduce+0x169/0x1a0 mm/kasan/quarantine.c:259
kasan_kmalloc+0xa0/0xf0 mm/kasan/kasan.c:538
kasan_slab_alloc+0xf/0x20 mm/kasan/kasan.c:490
slab_post_alloc_hook mm/slab.h:445 [inline]
slab_alloc_node mm/slab.c:3340 [inline]
kmem_cache_alloc_node_trace+0x13c/0x720 mm/slab.c:3666
kobject: 'gsmtty12' (00000000768a6779): kobject_cleanup, parent
(null)
__do_kmalloc_node mm/slab.c:3688 [inline]
__kmalloc_node+0x3d/0x80 mm/slab.c:3696
kmalloc_node include/linux/slab.h:557 [inline]
kvmalloc_node+0x68/0x100 mm/util.c:423
kvmalloc include/linux/mm.h:577 [inline]
setxattr+0x16f/0x380 fs/xattr.c:432
path_setxattr+0x197/0x1b0 fs/xattr.c:469
__do_sys_lsetxattr fs/xattr.c:491 [inline]
__se_sys_lsetxattr fs/xattr.c:487 [inline]
__x64_sys_lsetxattr+0xc1/0x150 fs/xattr.c:487
do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7fd612baeffa
Code: 48 8b 0d 41 9e 2a 00 31 d2 48 29 c2 64 89 11 48 83 c8 ff eb ea 90 90
90 90 90 90 90 90 90 90 90 49 89 ca b8 bd 00 00 00 0f 05 <48> 3d 01 f0 ff
ff 73 01 c3 48 8b 0d 0e 9e 2a 00 31 d2 48 29 c2 64
kobject: 'gsmtty12' (00000000768a6779): calling ktype release
RSP: 002b:00007fff36a90d88 EFLAGS: 00000206 ORIG_RAX: 00000000000000bd
RAX: ffffffffffffffda RBX: 00000000ffffffff RCX: 00007fd612baeffa
RDX: 0000000001fe76a0 RSI: 00007fd61307df69 RDI: 0000000001e20240
RBP: 0000000001e20240 R08: 0000000000000000 R09: 65645f7974743a72
R10: 0000000000000022 R11: 0000000000000206 R12: 00000000000023b0
R13: 000000000000f21d R14: 0000000001e596a0 R15: 0000000000000000
Modules linked in:
kobject: 'gsmtty12': free name
kobject: '(null)' (00000000febf8770): kobject_cleanup, parent
(null)
kobject: '(null)' (00000000febf8770): calling ktype release
---[ end trace ce0a3d5da86ba298 ]---
kobject: 'gsmtty13' (000000006f09ab57): kobject_uevent_env
RIP: 0010:__phys_addr+0xb3/0x120 arch/x86/mm/physaddr.c:27
Code: 08 4c 89 e3 31 ff 48 d3 eb 48 89 de e8 26 dc 39 00 48 85 db 75 0f e8
7c da 39 00 4c 89 e0 5b 41 5c 41 5d 5d c3 e8 6d da 39 00 <0f> 0b e8 66 da
39 00 48 c7 c0 10 50 e7 88 48 ba 00 00 00 00 00 fc
kobject: 'gsmtty13' (000000006f09ab57): fill_kobj_path: path
= '/devices/virtual/tty/gsmtty13'
RSP: 0018:ffff88807a77fa58 EFLAGS: 00010293
RAX: ffff8880433e4500 RBX: 0000000707000000 RCX: ffffffff81316ab2
RDX: 0000000000000000 RSI: ffffffff81316b13 RDI: 0000000000000006
kobject: 'gsmtty13' (000000006f09ab57): kobject_cleanup, parent
(null)
RBP: ffff88807a77fa70 R08: ffff8880433e4500 R09: ffff8880433e4da0
R10: 0000000000000000 R11: 0000000000000000 R12: 0000778707000000
kobject: 'gsmtty13' (000000006f09ab57): calling ktype release
R13: 0000000787000000 R14: ffff88807a77fac0 R15: 0000000000000000
FS: 00007fd61349c7a0(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
kobject: 'gsmtty13': free name
kobject: '(null)' (000000006caa201f): kobject_cleanup, parent
(null)
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f5fad76ae30 CR3: 000000001e303000 CR4: 00000000001406e0
kobject: '(null)' (000000006caa201f): calling ktype release
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
kobject: 'gsmtty14' (00000000c5159e12): kobject_uevent_env
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
kobject: 'gsmtty14' (00000000c5159e12): fill_kobj_path: path
= '/devices/virtual/tty/gsmtty14'
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.