[v6.1] general protection fault in diRead

syzbot

May 11, 2024, 10:35:36 PM
to syzkaller...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 909ba1f1b414 Linux 6.1.90
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=16f83524980000
kernel config: https://syzkaller.appspot.com/x/.config?x=3be6d6f79b879a67
dashboard link: https://syzkaller.appspot.com/bug?extid=2cf961f89e1c3a110b76
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/63178de7cba7/disk-909ba1f1.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/25dec90d8126/vmlinux-909ba1f1.xz
kernel image: https://storage.googleapis.com/syzbot-assets/25509ea1c6cd/bzImage-909ba1f1.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+2cf961...@syzkaller.appspotmail.com

... Log Wrap ... Log Wrap ... Log Wrap ...
general protection fault, probably for non-canonical address 0xdffffc0000000104: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000820-0x0000000000000827]
CPU: 1 PID: 7991 Comm: syz-executor.2 Not tainted 6.1.90-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
RIP: 0010:diIAGRead fs/jfs/jfs_imap.c:2662 [inline]
RIP: 0010:diRead+0x152/0xad0 fs/jfs/jfs_imap.c:316
Code: 8b 6d 80 48 89 6c 24 20 4c 8d b5 98 fc ff ff 4c 89 f7 be 01 00 00 00 e8 6c c4 65 fe 49 8d 9d 20 08 00 00 48 89 d8 48 c1 e8 03 <42> 80 3c 38 00 74 08 48 89 df e8 2f 10 de fe 4c 8b 3b 49 8d 6f 28
RSP: 0018:ffffc90010377660 EFLAGS: 00010202
RAX: 0000000000000104 RBX: 0000000000000820 RCX: 0000000000000001
RDX: 0000000000000001 RSI: 0000000000000008 RDI: 0000000000000001
RBP: ffff888056e344f0 R08: dffffc0000000000 R09: ffffed100adc6833
R10: 0000000000000000 R11: dffffc0000000001 R12: 0000000000000004
R13: 0000000000000000 R14: ffff888056e34188 R15: dffffc0000000000
FS: 00007f28fde8e6c0(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b3332e000 CR3: 000000002387f000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
jfs_iget+0x88/0x3b0 fs/jfs/inode.c:35
jfs_lookup+0x222/0x400 fs/jfs/namei.c:1467
lookup_open fs/namei.c:3462 [inline]
open_last_lookups fs/namei.c:3552 [inline]
path_openat+0x10fb/0x2e60 fs/namei.c:3782
do_filp_open+0x230/0x480 fs/namei.c:3812
do_sys_openat2+0x13b/0x500 fs/open.c:1318
do_sys_open fs/open.c:1334 [inline]
__do_sys_openat fs/open.c:1350 [inline]
__se_sys_openat fs/open.c:1345 [inline]
__x64_sys_openat+0x243/0x290 fs/open.c:1345
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7f28fd07dd69
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f28fde8e0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007f28fd1abf80 RCX: 00007f28fd07dd69
RDX: 0000000000000000 RSI: 00000000200002c0 RDI: ffffffffffffff9c
RBP: 00007f28fd0ca49e R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f28fd1abf80 R15: 00007ffe0db45de8
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:diIAGRead fs/jfs/jfs_imap.c:2662 [inline]
RIP: 0010:diRead+0x152/0xad0 fs/jfs/jfs_imap.c:316
Code: 8b 6d 80 48 89 6c 24 20 4c 8d b5 98 fc ff ff 4c 89 f7 be 01 00 00 00 e8 6c c4 65 fe 49 8d 9d 20 08 00 00 48 89 d8 48 c1 e8 03 <42> 80 3c 38 00 74 08 48 89 df e8 2f 10 de fe 4c 8b 3b 49 8d 6f 28
RSP: 0018:ffffc90010377660 EFLAGS: 00010202
RAX: 0000000000000104 RBX: 0000000000000820 RCX: 0000000000000001
RDX: 0000000000000001 RSI: 0000000000000008 RDI: 0000000000000001
RBP: ffff888056e344f0 R08: dffffc0000000000 R09: ffffed100adc6833
R10: 0000000000000000 R11: dffffc0000000001 R12: 0000000000000004
R13: 0000000000000000 R14: ffff888056e34188 R15: dffffc0000000000
FS: 00007f28fde8e6c0(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f8bd51b5c98 CR3: 000000002387f000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 8b 6d 80 mov -0x80(%rbp),%ebp
3: 48 89 6c 24 20 mov %rbp,0x20(%rsp)
8: 4c 8d b5 98 fc ff ff lea -0x368(%rbp),%r14
f: 4c 89 f7 mov %r14,%rdi
12: be 01 00 00 00 mov $0x1,%esi
17: e8 6c c4 65 fe call 0xfe65c488
1c: 49 8d 9d 20 08 00 00 lea 0x820(%r13),%rbx
23: 48 89 d8 mov %rbx,%rax
26: 48 c1 e8 03 shr $0x3,%rax
* 2a: 42 80 3c 38 00 cmpb $0x0,(%rax,%r15,1) <-- trapping instruction
2f: 74 08 je 0x39
31: 48 89 df mov %rbx,%rdi
34: e8 2f 10 de fe call 0xfede1068
39: 4c 8b 3b mov (%rbx),%r15
3c: 49 8d 6f 28 lea 0x28(%r15),%rbp


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite the report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup