general protection fault in ioctl_standard_call
9 views
Skip to first unread message
syzbot
Oct 21, 2020, 5:01:18 AM10/21/20
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: ad326970 Linux 4.19.152
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=13177207900000
kernel config: https://syzkaller.appspot.com/x/.config?x=35bb7d1d821cf7a9
dashboard link: https://syzkaller.appspot.com/bug?extid=bc15d5b675ec8a17e6d8
compiler: gcc (GCC) 10.1.0-syz 20200507
Unfortunately, I don't have any reproducer for this issue yet.
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+bc15d5...@syzkaller.appspotmail.com
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
UDF-fs: warning (device loop4): udf_load_vrs: No anchor found
CPU: 1 PID: 27493 Comm: syz-executor.1 Not tainted 4.19.152-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:call_commit_handler net/wireless/wext-core.c:900 [inline]
RIP: 0010:ioctl_standard_call+0x229/0x2e0 net/wireless/wext-core.c:1029
Code: df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 ba 00 00 00 48 8b 9d e8 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 da 48 c1 ea 03 <80> 3c 02 00 0f 85 8b 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 8b
UDF-fs: Scanning with blocksize 512 failed
RSP: 0018:ffff8880432dfb08 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffc90007d38000
RDX: 0000000000000000 RSI: ffffffff8805792f RDI: ffff888085f6d128
RBP: ffff888085f6cf40 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000
R13: ffff8880432dfbf0 R14: 0000000000008b04 R15: 0000000000000004
FS: 00007f9e30c29700(0000) GS:ffff8880ae100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000016a9e60 CR3: 00000000716e3000 CR4: 00000000001426e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
wireless_process_ioctl+0x35b/0x4d0 net/wireless/wext-core.c:954
wext_ioctl_dispatch net/wireless/wext-core.c:987 [inline]
wext_ioctl_dispatch net/wireless/wext-core.c:975 [inline]
wext_handle_ioctl+0x26b/0x280 net/wireless/wext-core.c:1048
sock_ioctl+0x306/0x5f0 net/socket.c:1015
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:501 [inline]
do_vfs_ioctl+0xcdb/0x12e0 fs/ioctl.c:688
ksys_ioctl+0x9b/0xc0 fs/ioctl.c:705
__do_sys_ioctl fs/ioctl.c:712 [inline]
__se_sys_ioctl fs/ioctl.c:710 [inline]
__x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:710
do_syscall_64+0xf9/0x670 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45de59
Code: 0d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f9e30c28c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00000000000133c0 RCX: 000000000045de59
RDX: 00000000200001c0 RSI: 0000000000008b04 RDI: 0000000000000005
RBP: 000000000118bf60 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118bf2c
R13: 00007ffe117a6abf R14: 00007f9e30c299c0 R15: 000000000118bf2c
Modules linked in:
---[ end trace 3aaf94f15c50bf8c ]---
RIP: 0010:call_commit_handler net/wireless/wext-core.c:900 [inline]
RIP: 0010:ioctl_standard_call+0x229/0x2e0 net/wireless/wext-core.c:1029
Code: df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 ba 00 00 00 48 8b 9d e8 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 da 48 c1 ea 03 <80> 3c 02 00 0f 85 8b 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 8b
RSP: 0018:ffff8880432dfb08 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffc90007d38000
RDX: 0000000000000000 RSI: ffffffff8805792f RDI: ffff888085f6d128
RBP: ffff888085f6cf40 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000
R13: ffff8880432dfbf0 R14: 0000000000008b04 R15: 0000000000000004
FS: 00007f9e30c29700(0000) GS:ffff8880ae100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000001590004 CR3: 00000000716e3000 CR4: 00000000001426e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot found the following issue on:
HEAD commit: ad326970 Linux 4.19.152
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=13177207900000
kernel config: https://syzkaller.appspot.com/x/.config?x=35bb7d1d821cf7a9
dashboard link: https://syzkaller.appspot.com/bug?extid=bc15d5b675ec8a17e6d8
compiler: gcc (GCC) 10.1.0-syz 20200507
Unfortunately, I don't have any reproducer for this issue yet.
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+bc15d5...@syzkaller.appspotmail.com
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
UDF-fs: warning (device loop4): udf_load_vrs: No anchor found
CPU: 1 PID: 27493 Comm: syz-executor.1 Not tainted 4.19.152-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:call_commit_handler net/wireless/wext-core.c:900 [inline]
RIP: 0010:ioctl_standard_call+0x229/0x2e0 net/wireless/wext-core.c:1029
Code: df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 ba 00 00 00 48 8b 9d e8 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 da 48 c1 ea 03 <80> 3c 02 00 0f 85 8b 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 8b
UDF-fs: Scanning with blocksize 512 failed
RSP: 0018:ffff8880432dfb08 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffc90007d38000
RDX: 0000000000000000 RSI: ffffffff8805792f RDI: ffff888085f6d128
RBP: ffff888085f6cf40 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000
R13: ffff8880432dfbf0 R14: 0000000000008b04 R15: 0000000000000004
FS: 00007f9e30c29700(0000) GS:ffff8880ae100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000016a9e60 CR3: 00000000716e3000 CR4: 00000000001426e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
wireless_process_ioctl+0x35b/0x4d0 net/wireless/wext-core.c:954
wext_ioctl_dispatch net/wireless/wext-core.c:987 [inline]
wext_ioctl_dispatch net/wireless/wext-core.c:975 [inline]
wext_handle_ioctl+0x26b/0x280 net/wireless/wext-core.c:1048
sock_ioctl+0x306/0x5f0 net/socket.c:1015
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:501 [inline]
do_vfs_ioctl+0xcdb/0x12e0 fs/ioctl.c:688
ksys_ioctl+0x9b/0xc0 fs/ioctl.c:705
__do_sys_ioctl fs/ioctl.c:712 [inline]
__se_sys_ioctl fs/ioctl.c:710 [inline]
__x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:710
do_syscall_64+0xf9/0x670 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45de59
Code: 0d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f9e30c28c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00000000000133c0 RCX: 000000000045de59
RDX: 00000000200001c0 RSI: 0000000000008b04 RDI: 0000000000000005
RBP: 000000000118bf60 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118bf2c
R13: 00007ffe117a6abf R14: 00007f9e30c299c0 R15: 000000000118bf2c
Modules linked in:
---[ end trace 3aaf94f15c50bf8c ]---
RIP: 0010:call_commit_handler net/wireless/wext-core.c:900 [inline]
RIP: 0010:ioctl_standard_call+0x229/0x2e0 net/wireless/wext-core.c:1029
Code: df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 ba 00 00 00 48 8b 9d e8 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 da 48 c1 ea 03 <80> 3c 02 00 0f 85 8b 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 8b
RSP: 0018:ffff8880432dfb08 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffc90007d38000
RDX: 0000000000000000 RSI: ffffffff8805792f RDI: ffff888085f6d128
RBP: ffff888085f6cf40 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000
R13: ffff8880432dfbf0 R14: 0000000000008b04 R15: 0000000000000004
FS: 00007f9e30c29700(0000) GS:ffff8880ae100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000001590004 CR3: 00000000716e3000 CR4: 00000000001426e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot
Oct 21, 2020, 7:55:21 AM10/21/20
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 5b7a52cd Linux 4.14.202
syzbot found the following issue on:
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=13e58ea0500000
kernel config: https://syzkaller.appspot.com/x/.config?x=fa386e02ca459165
dashboard link: https://syzkaller.appspot.com/bug?extid=0b40ce3e073acb2fb4da
compiler: gcc (GCC) 10.1.0-syz 20200507
Unfortunately, I don't have any reproducer for this issue yet.
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+0b40ce...@syzkaller.appspotmail.com
Unfortunately, I don't have any reproducer for this issue yet.
IMPORTANT: if you fix the issue, please add the following tag to the commit:
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 16084 Comm: syz-executor.1 Not tainted 4.14.202-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8880934ac480 task.stack: ffff888055148000
RIP: 0010:call_commit_handler net/wireless/wext-core.c:902 [inline]
RIP: 0010:ioctl_standard_call+0x19b/0x260 net/wireless/wext-core.c:1031
RSP: 0018:ffff88805514fb48 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffc900084ec000
RDX: 0000000000000000 RSI: ffffffff86cbd871 RDI: ffff8880663fc7e0
RBP: ffff8880663fc600 R08: ffff8880ba52abf0 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff88805514fcb8
R13: 0000000000008b04 R14: 0000000000000000 R15: ffff88805514fbf0
FS: 00007fc417f78700(0000) GS:ffff8880ba500000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000004f1330 CR3: 000000006a85f000 CR4: 00000000001426e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
wireless_process_ioctl+0x312/0x450 net/wireless/wext-core.c:956
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
wext_ioctl_dispatch net/wireless/wext-core.c:989 [inline]
wext_ioctl_dispatch net/wireless/wext-core.c:977 [inline]
wext_handle_ioctl+0x17e/0x190 net/wireless/wext-core.c:1045
dev_ioctl+0x24c/0xbe0 net/core/dev_ioctl.c:444
sock_do_ioctl net/socket.c:981 [inline]
sock_ioctl+0x164/0x4c0 net/socket.c:1071
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:500 [inline]
do_vfs_ioctl+0x75a/0xff0 fs/ioctl.c:684
SYSC_ioctl fs/ioctl.c:701 [inline]
SyS_ioctl+0x7f/0xb0 fs/ioctl.c:692
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x45de59
RSP: 002b:00007fc417f77c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00000000000133c0 RCX: 000000000045de59
RDX: 00000000200001c0 RSI: 0000000000008b04 RDI: 0000000000000005
RBP: 000000000118bf60 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118bf2c
R13: 00007ffebcdc9cdf R14: 00007fc417f789c0 R15: 000000000118bf2c
RDX: 00000000200001c0 RSI: 0000000000008b04 RDI: 0000000000000005
RBP: 000000000118bf60 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118bf2c
Code: ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 c8 00 00 00 48 8b 9d e0 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 da 48 c1 ea 03 <80> 3c 02 00 0f 85 99 00 00 00 48 b8 00 00 00 00 00 fc ff df 48
RIP: call_commit_handler net/wireless/wext-core.c:902 [inline] RSP: ffff88805514fb48
RIP: ioctl_standard_call+0x19b/0x260 net/wireless/wext-core.c:1031 RSP: ffff88805514fb48
---[ end trace 0ae759723e3fbcd0 ]---
syzbot
Oct 21, 2020, 9:35:24 AM10/21/20
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following issue on:
HEAD commit: ad326970 Linux 4.19.152
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=15ba9280500000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=136d1930500000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+bc15d5...@syzkaller.appspotmail.com
wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff88057926
RDX: 0000000000000000 RSI: ffffffff8805792f RDI: ffff8880a909d428
RBP: ffff8880a909d240 R08: 0000000000000000 R09: 0000000000000000
FS: 0000000001a94880(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
Code: e8 ec 05 03 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 0d fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffcc7666ad8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007ffcc7666b00 RCX: 0000000000441579
R10: 0000001d00000000 R11: 0000000000000246 R12: 0000000000000032
R13: 0000000000000000 R14: 000000000000000c R15: 0000000000000004
Modules linked in:
---[ end trace 378d58bb8f9f0166 ]---
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff88057926
RDX: 0000000000000000 RSI: ffffffff8805792f RDI: ffff8880a909d428
RBP: ffff8880a909d240 R08: 0000000000000000 R09: 0000000000000000
FS: 0000000001a94880(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
HEAD commit: ad326970 Linux 4.19.152
git tree: linux-4.19.y
kernel config: https://syzkaller.appspot.com/x/.config?x=35bb7d1d821cf7a9
dashboard link: https://syzkaller.appspot.com/bug?extid=bc15d5b675ec8a17e6d8
compiler: gcc (GCC) 10.1.0-syz 20200507
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=137ecc08500000
dashboard link: https://syzkaller.appspot.com/bug?extid=bc15d5b675ec8a17e6d8
compiler: gcc (GCC) 10.1.0-syz 20200507
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=136d1930500000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+bc15d5...@syzkaller.appspotmail.com
IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 8099 Comm: syz-executor675 Not tainted 4.19.152-syzkaller #0
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:call_commit_handler net/wireless/wext-core.c:900 [inline]
RIP: 0010:ioctl_standard_call+0x229/0x2e0 net/wireless/wext-core.c:1029
Code: df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 ba 00 00 00 48 8b 9d e8 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 da 48 c1 ea 03 <80> 3c 02 00 0f 85 8b 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 8b
RSP: 0018:ffff8880a9befb08 EFLAGS: 00010246
RIP: 0010:call_commit_handler net/wireless/wext-core.c:900 [inline]
RIP: 0010:ioctl_standard_call+0x229/0x2e0 net/wireless/wext-core.c:1029
Code: df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 ba 00 00 00 48 8b 9d e8 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 da 48 c1 ea 03 <80> 3c 02 00 0f 85 8b 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 8b
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff88057926
RDX: 0000000000000000 RSI: ffffffff8805792f RDI: ffff8880a909d428
RBP: ffff8880a909d240 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000
R13: ffff8880a9befbf0 R14: 0000000000008b04 R15: 0000000000000004
FS: 0000000001a94880(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000006d2090 CR3: 00000000b25b5000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
wireless_process_ioctl+0x35b/0x4d0 net/wireless/wext-core.c:954
wext_ioctl_dispatch net/wireless/wext-core.c:987 [inline]
wext_ioctl_dispatch net/wireless/wext-core.c:975 [inline]
wext_handle_ioctl+0x26b/0x280 net/wireless/wext-core.c:1048
sock_ioctl+0x306/0x5f0 net/socket.c:1015
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:501 [inline]
do_vfs_ioctl+0xcdb/0x12e0 fs/ioctl.c:688
ksys_ioctl+0x9b/0xc0 fs/ioctl.c:705
__do_sys_ioctl fs/ioctl.c:712 [inline]
__se_sys_ioctl fs/ioctl.c:710 [inline]
__x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:710
do_syscall_64+0xf9/0x670 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x441579
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
wireless_process_ioctl+0x35b/0x4d0 net/wireless/wext-core.c:954
wext_ioctl_dispatch net/wireless/wext-core.c:987 [inline]
wext_ioctl_dispatch net/wireless/wext-core.c:975 [inline]
wext_handle_ioctl+0x26b/0x280 net/wireless/wext-core.c:1048
sock_ioctl+0x306/0x5f0 net/socket.c:1015
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:501 [inline]
do_vfs_ioctl+0xcdb/0x12e0 fs/ioctl.c:688
ksys_ioctl+0x9b/0xc0 fs/ioctl.c:705
__do_sys_ioctl fs/ioctl.c:712 [inline]
__se_sys_ioctl fs/ioctl.c:710 [inline]
__x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:710
do_syscall_64+0xf9/0x670 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Code: e8 ec 05 03 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 0d fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffcc7666ad8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007ffcc7666b00 RCX: 0000000000441579
RDX: 00000000200001c0 RSI: 0000000000008b04 RDI: 0000000000000005
RBP: 0000000000000003 R08: 0000001d00000000 R09: 0000001d00000000
R10: 0000001d00000000 R11: 0000000000000246 R12: 0000000000000032
R13: 0000000000000000 R14: 000000000000000c R15: 0000000000000004
Modules linked in:
---[ end trace 378d58bb8f9f0166 ]---
RIP: 0010:call_commit_handler net/wireless/wext-core.c:900 [inline]
RIP: 0010:ioctl_standard_call+0x229/0x2e0 net/wireless/wext-core.c:1029
Code: df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 ba 00 00 00 48 8b 9d e8 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 da 48 c1 ea 03 <80> 3c 02 00 0f 85 8b 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 8b
RSP: 0018:ffff8880a9befb08 EFLAGS: 00010246
RIP: 0010:ioctl_standard_call+0x229/0x2e0 net/wireless/wext-core.c:1029
Code: df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 ba 00 00 00 48 8b 9d e8 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 da 48 c1 ea 03 <80> 3c 02 00 0f 85 8b 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 8b
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff88057926
RDX: 0000000000000000 RSI: ffffffff8805792f RDI: ffff8880a909d428
RBP: ffff8880a909d240 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000
R13: ffff8880a9befbf0 R14: 0000000000008b04 R15: 0000000000000004
FS: 0000000001a94880(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000006d2090 CR3: 00000000b25b5000 CR4: 00000000001406f0
syzbot
Oct 21, 2020, 10:55:25 AM10/21/20
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following issue on:
HEAD commit: 5b7a52cd Linux 4.14.202
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1450b907900000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13d5509b900000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+0b40ce...@syzkaller.appspotmail.com
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 1ffff11012b6cf5a
RDX: 0000000000000000 RSI: ffff8880b2ca8e48 RDI: ffff8880b2880e60
RBP: ffff8880b2880c80 R08: ffffffff8b9c1f90 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff888095b67cb8
R13: 0000000000008b04 R14: 0000000000000000 R15: ffff888095b67bf0
FS: 000000000174a880(0000) GS:ffff8880ba400000(0000) knlGS:0000000000000000
RSP: 002b:00007fff971abe68 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fff971abe90 RCX: 0000000000441579
R10: 0000001300000000 R11: 0000000000000246 R12: 0000000000000032
RIP: ioctl_standard_call+0x19b/0x260 net/wireless/wext-core.c:1031 RSP: ffff888095b67b48
---[ end trace bc6c94ec31873344 ]---
HEAD commit: 5b7a52cd Linux 4.14.202
git tree: linux-4.14.y
kernel config: https://syzkaller.appspot.com/x/.config?x=fa386e02ca459165
dashboard link: https://syzkaller.appspot.com/bug?extid=0b40ce3e073acb2fb4da
compiler: gcc (GCC) 10.1.0-syz 20200507
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11e7c1cf900000
dashboard link: https://syzkaller.appspot.com/bug?extid=0b40ce3e073acb2fb4da
compiler: gcc (GCC) 10.1.0-syz 20200507
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13d5509b900000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+0b40ce...@syzkaller.appspotmail.com
wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 0 PID: 7997 Comm: syz-executor227 Not tainted 4.14.202-syzkaller #0
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8880b2ca85c0 task.stack: ffff888095b60000
RIP: 0010:call_commit_handler net/wireless/wext-core.c:902 [inline]
RIP: 0010:ioctl_standard_call+0x19b/0x260 net/wireless/wext-core.c:1031
RSP: 0018:ffff888095b67b48 EFLAGS: 00010246
RIP: 0010:ioctl_standard_call+0x19b/0x260 net/wireless/wext-core.c:1031
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 1ffff11012b6cf5a
RDX: 0000000000000000 RSI: ffff8880b2ca8e48 RDI: ffff8880b2880e60
RBP: ffff8880b2880c80 R08: ffffffff8b9c1f90 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff888095b67cb8
R13: 0000000000008b04 R14: 0000000000000000 R15: ffff888095b67bf0
FS: 000000000174a880(0000) GS:ffff8880ba400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000006d2090 CR3: 000000009cdf0000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
wireless_process_ioctl+0x312/0x450 net/wireless/wext-core.c:956
wext_ioctl_dispatch net/wireless/wext-core.c:989 [inline]
wext_ioctl_dispatch net/wireless/wext-core.c:977 [inline]
wext_handle_ioctl+0x17e/0x190 net/wireless/wext-core.c:1045
dev_ioctl+0x24c/0xbe0 net/core/dev_ioctl.c:444
sock_do_ioctl net/socket.c:981 [inline]
sock_ioctl+0x164/0x4c0 net/socket.c:1071
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:500 [inline]
do_vfs_ioctl+0x75a/0xff0 fs/ioctl.c:684
SYSC_ioctl fs/ioctl.c:701 [inline]
SyS_ioctl+0x7f/0xb0 fs/ioctl.c:692
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x441579
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
wireless_process_ioctl+0x312/0x450 net/wireless/wext-core.c:956
wext_ioctl_dispatch net/wireless/wext-core.c:989 [inline]
wext_ioctl_dispatch net/wireless/wext-core.c:977 [inline]
wext_handle_ioctl+0x17e/0x190 net/wireless/wext-core.c:1045
dev_ioctl+0x24c/0xbe0 net/core/dev_ioctl.c:444
sock_do_ioctl net/socket.c:981 [inline]
sock_ioctl+0x164/0x4c0 net/socket.c:1071
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:500 [inline]
do_vfs_ioctl+0x75a/0xff0 fs/ioctl.c:684
SYSC_ioctl fs/ioctl.c:701 [inline]
SyS_ioctl+0x7f/0xb0 fs/ioctl.c:692
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x46/0xbb
RSP: 002b:00007fff971abe68 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fff971abe90 RCX: 0000000000441579
RDX: 00000000200001c0 RSI: 0000000000008b04 RDI: 0000000000000005
RBP: 0000000000000003 R08: 0000001300000000 R09: 0000001300000000
R10: 0000001300000000 R11: 0000000000000246 R12: 0000000000000032
R13: 0000000000000000 R14: 000000000000000c R15: 0000000000000004
Code: ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 c8 00 00 00 48 8b 9d e0 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 da 48 c1 ea 03 <80> 3c 02 00 0f 85 99 00 00 00 48 b8 00 00 00 00 00 fc ff df 48
RIP: call_commit_handler net/wireless/wext-core.c:902 [inline] RSP: ffff888095b67b48
RIP: ioctl_standard_call+0x19b/0x260 net/wireless/wext-core.c:1031 RSP: ffff888095b67b48
---[ end trace bc6c94ec31873344 ]---
syzbot
Feb 24, 2021, 7:19:11 AM2/24/21
to syzkaller...@googlegroups.com
syzbot suspects this issue was fixed by commit:
commit 173b67cf1e72baff9cc02351cbe3c207b6ae29a4
Author: Johannes Berg <johann...@intel.com>
Date: Thu Jan 21 16:16:22 2021 +0000
wext: fix NULL-ptr-dereference with cfg80211's lack of commit()
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=1512e0dad00000
start commit: 27ce4f2a Linux 4.14.206
git tree: linux-4.14.y
kernel config: https://syzkaller.appspot.com/x/.config?x=32258a0e1fac372d
dashboard link: https://syzkaller.appspot.com/bug?extid=0b40ce3e073acb2fb4da
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1769009a500000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1324ef5c500000
If the result looks correct, please mark the issue as fixed by replying with:
#syz fix: wext: fix NULL-ptr-dereference with cfg80211's lack of commit()
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
commit 173b67cf1e72baff9cc02351cbe3c207b6ae29a4
Author: Johannes Berg <johann...@intel.com>
Date: Thu Jan 21 16:16:22 2021 +0000
wext: fix NULL-ptr-dereference with cfg80211's lack of commit()
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=1512e0dad00000
start commit: 27ce4f2a Linux 4.14.206
git tree: linux-4.14.y
kernel config: https://syzkaller.appspot.com/x/.config?x=32258a0e1fac372d
dashboard link: https://syzkaller.appspot.com/bug?extid=0b40ce3e073acb2fb4da
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1769009a500000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1324ef5c500000
If the result looks correct, please mark the issue as fixed by replying with:
#syz fix: wext: fix NULL-ptr-dereference with cfg80211's lack of commit()
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
syzbot
Mar 13, 2021, 9:19:05 PM3/13/21
to syzkaller...@googlegroups.com
syzbot suspects this issue was fixed by commit:
commit 3f33e522a07f5f8d399d509ff06f7fd87a46e176
Author: Johannes Berg <johann...@intel.com>
Date: Thu Jan 21 16:16:22 2021 +0000
wext: fix NULL-ptr-dereference with cfg80211's lack of commit()
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=1347c406d00000
Date: Thu Jan 21 16:16:22 2021 +0000
wext: fix NULL-ptr-dereference with cfg80211's lack of commit()
start commit: 4abf2685 Linux 4.19.162
git tree: linux-4.19.y
kernel config: https://syzkaller.appspot.com/x/.config?x=38565839aa6b0d25
dashboard link: https://syzkaller.appspot.com/bug?extid=bc15d5b675ec8a17e6d8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17a067cf500000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=102cd487500000
Reply all
Reply to author
Forward
0 new messages