general protection fault in debug_check_no_obj_freed (2)
4 views
Skip to first unread message
syzbot
Sep 29, 2021, 10:11:22 AM9/29/21
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: c2276d585654 Linux 4.19.208
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=15b6eda7300000
kernel config: https://syzkaller.appspot.com/x/.config?x=9080caca9deef589
dashboard link: https://syzkaller.appspot.com/bug?extid=6a8cfe91600a5287f2ab
compiler: gcc version 10.2.1 20210110 (Debian 10.2.1-6)
Unfortunately, I don't have any reproducer for this issue yet.
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+6a8cfe...@syzkaller.appspotmail.com
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 15474 Comm: syz-executor.2 Not tainted 4.19.208-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__debug_check_no_obj_freed lib/debugobjects.c:777 [inline]
RIP: 0010:debug_check_no_obj_freed+0x1c9/0x490 lib/debugobjects.c:817
Code: 48 b8 00 01 00 00 00 00 ad de 4d 89 60 08 4c 89 c7 49 89 00 e8 a8 d6 ff ff 09 c3 4d 85 f6 74 2c 4d 89 f0 4c 89 c0 48 c1 e8 03 <42> 80 3c 38 00 0f 84 23 ff ff ff 4c 89 c7 4c 89 44 24 38 e8 bf 19
RSP: 0018:ffff88817e997898 EFLAGS: 00010802
RAX: 1e001fea7e001fea RBX: 0000000000000000 RCX: ffffffff814bddcb
RDX: 1ffffffff1a87883 RSI: 0000000000000004 RDI: ffff888000000018
RBP: 0000000000000005 R08: f000ff53f000ff53 R09: f000ff53f000ff53
R10: ffffffff8d43c40b R11: 0000000000000000 R12: dead000000000200
R13: ffff88804c87c250 R14: f000ff53f000ff53 R15: dffffc0000000000
FS: 00007fad3eae1700(0000) GS:ffff8880ba100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f325b0e2000 CR3: 000000009e765000 CR4: 00000000003406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
kmem_cache_free+0xff/0x260 mm/slab.c:3764
remove_vma+0x132/0x170 mm/mmap.c:180
exit_mmap+0x359/0x530 mm/mmap.c:3104
__mmput kernel/fork.c:1016 [inline]
mmput+0x14e/0x4a0 kernel/fork.c:1037
exit_mm kernel/exit.c:549 [inline]
do_exit+0xaec/0x2be0 kernel/exit.c:857
do_group_exit+0x125/0x310 kernel/exit.c:967
get_signal+0x3f2/0x1f70 kernel/signal.c:2589
do_signal+0x8f/0x1670 arch/x86/kernel/signal.c:799
exit_to_usermode_loop+0x204/0x2a0 arch/x86/entry/common.c:163
prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
do_syscall_64+0x538/0x620 arch/x86/entry/common.c:296
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7fad4158b709
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fad3eae1188 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: 0000000000000048 RBX: 00007fad41690020 RCX: 00007fad4158b709
RDX: 0000000000000000 RSI: 0000000020000040 RDI: 0000000000000003
RBP: 00007fad415e5cb4 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffca04c393f R14: 00007fad3eae1300 R15: 0000000000022000
Modules linked in:
======================================================
----------------
Code disassembly (best guess):
0: 48 b8 00 01 00 00 00 movabs $0xdead000000000100,%rax
7: 00 ad de
a: 4d 89 60 08 mov %r12,0x8(%r8)
e: 4c 89 c7 mov %r8,%rdi
11: 49 89 00 mov %rax,(%r8)
14: e8 a8 d6 ff ff callq 0xffffd6c1
19: 09 c3 or %eax,%ebx
1b: 4d 85 f6 test %r14,%r14
1e: 74 2c je 0x4c
20: 4d 89 f0 mov %r14,%r8
23: 4c 89 c0 mov %r8,%rax
26: 48 c1 e8 03 shr $0x3,%rax
* 2a: 42 80 3c 38 00 cmpb $0x0,(%rax,%r15,1) <-- trapping instruction
2f: 0f 84 23 ff ff ff je 0xffffff58
35: 4c 89 c7 mov %r8,%rdi
38: 4c 89 44 24 38 mov %r8,0x38(%rsp)
3d: e8 .byte 0xe8
3e: bf .byte 0xbf
3f: 19 .byte 0x19
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot found the following issue on:
HEAD commit: c2276d585654 Linux 4.19.208
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=15b6eda7300000
kernel config: https://syzkaller.appspot.com/x/.config?x=9080caca9deef589
dashboard link: https://syzkaller.appspot.com/bug?extid=6a8cfe91600a5287f2ab
compiler: gcc version 10.2.1 20210110 (Debian 10.2.1-6)
Unfortunately, I don't have any reproducer for this issue yet.
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+6a8cfe...@syzkaller.appspotmail.com
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 15474 Comm: syz-executor.2 Not tainted 4.19.208-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__debug_check_no_obj_freed lib/debugobjects.c:777 [inline]
RIP: 0010:debug_check_no_obj_freed+0x1c9/0x490 lib/debugobjects.c:817
Code: 48 b8 00 01 00 00 00 00 ad de 4d 89 60 08 4c 89 c7 49 89 00 e8 a8 d6 ff ff 09 c3 4d 85 f6 74 2c 4d 89 f0 4c 89 c0 48 c1 e8 03 <42> 80 3c 38 00 0f 84 23 ff ff ff 4c 89 c7 4c 89 44 24 38 e8 bf 19
RSP: 0018:ffff88817e997898 EFLAGS: 00010802
RAX: 1e001fea7e001fea RBX: 0000000000000000 RCX: ffffffff814bddcb
RDX: 1ffffffff1a87883 RSI: 0000000000000004 RDI: ffff888000000018
RBP: 0000000000000005 R08: f000ff53f000ff53 R09: f000ff53f000ff53
R10: ffffffff8d43c40b R11: 0000000000000000 R12: dead000000000200
R13: ffff88804c87c250 R14: f000ff53f000ff53 R15: dffffc0000000000
FS: 00007fad3eae1700(0000) GS:ffff8880ba100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f325b0e2000 CR3: 000000009e765000 CR4: 00000000003406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
kmem_cache_free+0xff/0x260 mm/slab.c:3764
remove_vma+0x132/0x170 mm/mmap.c:180
exit_mmap+0x359/0x530 mm/mmap.c:3104
__mmput kernel/fork.c:1016 [inline]
mmput+0x14e/0x4a0 kernel/fork.c:1037
exit_mm kernel/exit.c:549 [inline]
do_exit+0xaec/0x2be0 kernel/exit.c:857
do_group_exit+0x125/0x310 kernel/exit.c:967
get_signal+0x3f2/0x1f70 kernel/signal.c:2589
do_signal+0x8f/0x1670 arch/x86/kernel/signal.c:799
exit_to_usermode_loop+0x204/0x2a0 arch/x86/entry/common.c:163
prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
do_syscall_64+0x538/0x620 arch/x86/entry/common.c:296
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7fad4158b709
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fad3eae1188 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: 0000000000000048 RBX: 00007fad41690020 RCX: 00007fad4158b709
RDX: 0000000000000000 RSI: 0000000020000040 RDI: 0000000000000003
RBP: 00007fad415e5cb4 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffca04c393f R14: 00007fad3eae1300 R15: 0000000000022000
Modules linked in:
======================================================
----------------
Code disassembly (best guess):
0: 48 b8 00 01 00 00 00 movabs $0xdead000000000100,%rax
7: 00 ad de
a: 4d 89 60 08 mov %r12,0x8(%r8)
e: 4c 89 c7 mov %r8,%rdi
11: 49 89 00 mov %rax,(%r8)
14: e8 a8 d6 ff ff callq 0xffffd6c1
19: 09 c3 or %eax,%ebx
1b: 4d 85 f6 test %r14,%r14
1e: 74 2c je 0x4c
20: 4d 89 f0 mov %r14,%r8
23: 4c 89 c0 mov %r8,%rax
26: 48 c1 e8 03 shr $0x3,%rax
* 2a: 42 80 3c 38 00 cmpb $0x0,(%rax,%r15,1) <-- trapping instruction
2f: 0f 84 23 ff ff ff je 0xffffff58
35: 4c 89 c7 mov %r8,%rdi
38: 4c 89 44 24 38 mov %r8,0x38(%rsp)
3d: e8 .byte 0xe8
3e: bf .byte 0xbf
3f: 19 .byte 0x19
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot
May 11, 2022, 1:22:14 PM5/11/22
to syzkaller...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.
Crashes did not happen for a while, no reproducer and no activity.
Reply all
Reply to author
Forward
0 new messages