BUG: unable to handle kernel NULL pointer dereference in kthread_stop


syzbot

Apr 14, 2019, 1:07:07 AM
to syzkaller...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 1ec8f1f0 Linux 4.14.111
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=12e6062d200000
kernel config: https://syzkaller.appspot.com/x/.config?x=fdadf290ea9fc6f9
dashboard link: https://syzkaller.appspot.com/bug?extid=fa8adb1ff6f3e0b0750c
compiler: gcc (GCC) 9.0.0 20181231 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+fa8adb...@syzkaller.appspotmail.com

IPVS: length: 159 != 8
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
CPU: 0 PID: 24582 Comm: syz-executor.1 Not tainted 4.14.111 #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x138/0x19c lib/dump_stack.c:53
fail_dump lib/fault-inject.c:51 [inline]
should_fail.cold+0x10f/0x159 lib/fault-inject.c:149
should_failslab+0xdb/0x130 mm/failslab.c:32
slab_pre_alloc_hook mm/slab.h:421 [inline]
slab_alloc mm/slab.c:3376 [inline]
kmem_cache_alloc_trace+0x2ec/0x790 mm/slab.c:3616
kmalloc include/linux/slab.h:488 [inline]
sock_alloc_inode+0x63/0x260 net/socket.c:254
alloc_inode+0x66/0x190 fs/inode.c:209
new_inode_pseudo+0x19/0xf0 fs/inode.c:891
sock_alloc+0x41/0x280 net/socket.c:569
SYSC_accept4+0xcd/0x640 net/socket.c:1556
SyS_accept4+0x2c/0x40 net/socket.c:1537
do_syscall_64+0x1eb/0x630 arch/x86/entry/common.c:289
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x458c29
RSP: 002b:00007f7ee0e25c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000120
RAX: ffffffffffffffda RBX: 00007f7ee0e25c90 RCX: 0000000000458c29
RDX: 00000000200003c0 RSI: 0000000020000380 RDI: 0000000000000006
RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000080000 R11: 0000000000000246 R12: 00007f7ee0e266d4
R13: 00000000004beabc R14: 00000000004cf7f8 R15: 0000000000000005

BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
IP: atomic_inc arch/x86/include/asm/atomic.h:92 [inline]
IP: kthread_stop+0x4c/0x650 kernel/kthread.c:525
PGD 961e7067 P4D 961e7067 PUD 9f3b2067 PMD 0
Oops: 0002 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 1 PID: 24585 Comm: syz-executor.3 Not tainted 4.14.111 #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8880a969c540 task.stack: ffff888097188000
RIP: 0010:atomic_inc arch/x86/include/asm/atomic.h:92 [inline]
RIP: 0010:kthread_stop+0x4c/0x650 kernel/kthread.c:525
RSP: 0018:ffff88809718f760 EFLAGS: 00010297
RAX: ffff8880a969c540 RBX: 0000000000000001 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 00000000ffffffff RDI: 0000000000000282
RBP: ffff88809718f780 R08: ffff8880a969c540 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: ffff8880981ab4f0 R14: ffff8880981ab4e8 R15: ffffffff89bb8ac0
FS: 00007f1333f3a700(0000) GS:ffff8880aef00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000020 CR3: 0000000090dc0000 CR4: 00000000001406e0
Call Trace:
vivid_stop_generating_vid_cap+0x1b9/0x664 drivers/media/platform/vivid/vivid-kthread-cap.c:934
vid_cap_stop_streaming+0x7c/0xd0 drivers/media/platform/vivid/vivid-vid-cap.c:273
__vb2_queue_cancel+0xa6/0x8a0 drivers/media/v4l2-core/videobuf2-core.c:1655
vb2_core_streamoff+0x52/0x110 drivers/media/v4l2-core/videobuf2-core.c:1788
__vb2_cleanup_fileio+0x78/0x150 drivers/media/v4l2-core/videobuf2-core.c:2313
vb2_core_queue_release+0x1d/0x80 drivers/media/v4l2-core/videobuf2-core.c:2040
vb2_queue_release drivers/media/v4l2-core/videobuf2-v4l2.c:669 [inline]
_vb2_fop_release+0x1cf/0x2a0 drivers/media/v4l2-core/videobuf2-v4l2.c:840
vb2_fop_release+0x75/0xc0 drivers/media/v4l2-core/videobuf2-v4l2.c:854
vivid_fop_release+0x180/0x3f0 drivers/media/platform/vivid/vivid-core.c:486
v4l2_release+0xfb/0x190 drivers/media/v4l2-core/v4l2-dev.c:446
__fput+0x277/0x7a0 fs/file_table.c:210
____fput+0x16/0x20 fs/file_table.c:244
task_work_run+0x119/0x190 kernel/task_work.c:113
exit_task_work include/linux/task_work.h:22 [inline]
do_exit+0x7df/0x2c10 kernel/exit.c:874
do_group_exit+0x111/0x330 kernel/exit.c:977
get_signal+0x348/0x1a80 kernel/signal.c:2407
do_signal+0x86/0x1980 arch/x86/kernel/signal.c:809
exit_to_usermode_loop+0x15c/0x220 arch/x86/entry/common.c:159
prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
syscall_return_slowpath arch/x86/entry/common.c:267 [inline]
do_syscall_64+0x4a9/0x630 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x458c29
RSP: 002b:00007f1333f39cf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: 0000000000000001 RBX: 000000000073bf08 RCX: 0000000000458c29
RDX: 00000000004ca570 RSI: 0000000000000081 RDI: 000000000073bf0c
RBP: 000000000073bf00 R08: 0000000000000009 R09: 0000000000000000
R10: ffffffffffffffff R11: 0000000000000246 R12: 000000000073bf0c
R13: 00007ffe31b7c5bf R14: 00007f1333f3a9c0 R15: 000000000073bf0c
Code: 00 65 8b 1d 67 3f c3 7e 83 fb 3f 0f 87 63 04 00 00 e8 79 95 1e 00 89 db 48 0f a3 1d ff 96 e6 06 0f 82 4c 03 00 00 e8 64 95 1e 00 <f0> 41 ff 44 24 20 49 8d 7c 24 24 48 b8 00 00 00 00 00 fc ff df
RIP: atomic_inc arch/x86/include/asm/atomic.h:92 [inline] RSP: ffff88809718f760
RIP: kthread_stop+0x4c/0x650 kernel/kthread.c:525 RSP: ffff88809718f760
CR2: 0000000000000020
---[ end trace fea1de067bde83b0 ]---

kobject: 'loop2' (ffff8880a4a25220): kobject_uevent_env
kobject: 'loop2' (ffff8880a4a25220): fill_kobj_path: path = '/devices/virtual/block/loop2'

==================================================================
BUG: KASAN: use-after-free in __vb2_perform_fileio+0xddf/0xeb0 drivers/media/v4l2-core/videobuf2-core.c:2379
Read of size 4 at addr ffff88807854f0dc by task syz-executor.4/24583

CPU: 0 PID: 24583 Comm: syz-executor.4 Not tainted 4.14.111 #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x138/0x19c lib/dump_stack.c:53
print_address_description.cold+0x7c/0x1dc mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xaf/0x2b5 mm/kasan/report.c:393
__asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:429
__vb2_perform_fileio+0xddf/0xeb0 drivers/media/v4l2-core/videobuf2-core.c:2379
vb2_read+0x3b/0x50 drivers/media/v4l2-core/videobuf2-core.c:2490
vb2_fop_read+0x1f5/0x3e0 drivers/media/v4l2-core/videobuf2-v4l2.c:895
v4l2_read+0x1ac/0x210 drivers/media/v4l2-core/v4l2-dev.c:309
__vfs_read+0x107/0x6b0 fs/read_write.c:411
vfs_read+0x137/0x350 fs/read_write.c:447
SYSC_read fs/read_write.c:573 [inline]
SyS_read+0xb8/0x180 fs/read_write.c:566
do_syscall_64+0x1eb/0x630 arch/x86/entry/common.c:289
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x458c29
RSP: 002b:00007f8b98d6dc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000458c29
RDX: 000000000000005d RSI: 0000000020001480 RDI: 0000000000000004
RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f8b98d6e6d4
R13: 00000000004c4935 R14: 00000000004d9f08 R15: 00000000ffffffff

Allocated by task 24583:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x45/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc mm/kasan/kasan.c:551 [inline]
kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:529
kmem_cache_alloc_trace+0x152/0x790 mm/slab.c:3618
kmalloc include/linux/slab.h:488 [inline]
kzalloc include/linux/slab.h:661 [inline]
__vb2_init_fileio+0x182/0xa90 drivers/media/v4l2-core/videobuf2-core.c:2224
__vb2_perform_fileio+0x9f0/0xeb0 drivers/media/v4l2-core/videobuf2-core.c:2358
vb2_read+0x3b/0x50 drivers/media/v4l2-core/videobuf2-core.c:2490
vb2_fop_read+0x1f5/0x3e0 drivers/media/v4l2-core/videobuf2-v4l2.c:895
v4l2_read+0x1ac/0x210 drivers/media/v4l2-core/v4l2-dev.c:309
__vfs_read+0x107/0x6b0 fs/read_write.c:411
vfs_read+0x137/0x350 fs/read_write.c:447
SYSC_read fs/read_write.c:573 [inline]
SyS_read+0xb8/0x180 fs/read_write.c:566
do_syscall_64+0x1eb/0x630 arch/x86/entry/common.c:289
entry_SYSCALL_64_after_hwframe+0x42/0xb7

Freed by task 24576:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x45/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0x75/0xc0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3496 [inline]
kfree+0xcc/0x270 mm/slab.c:3815


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

Apr 24, 2019, 7:14:06 PM
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following crash on:

HEAD commit: 68d7a45e Linux 4.14.113
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=12fbfb18a00000
kernel config: https://syzkaller.appspot.com/x/.config?x=dbf1fde4d7489e1c
dashboard link: https://syzkaller.appspot.com/bug?extid=fa8adb1ff6f3e0b0750c
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11a15cf4a00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12e637e4a00000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+fa8adb...@syzkaller.appspotmail.com

BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
IP: atomic_inc arch/x86/include/asm/atomic.h:92 [inline]
IP: kthread_stop+0x4c/0x650 kernel/kthread.c:525
PGD 92a52067 P4D 92a52067 PUD 92a4e067 PMD 0
Oops: 0002 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 0 PID: 7394 Comm: syz-executor267 Not tainted 4.14.113 #3
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8880a121a0c0 task.stack: ffff88808ae80000
RIP: 0010:atomic_inc arch/x86/include/asm/atomic.h:92 [inline]
RIP: 0010:kthread_stop+0x4c/0x650 kernel/kthread.c:525
RSP: 0018:ffff88808ae87a20 EFLAGS: 00010297
RAX: ffff8880a121a0c0 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 00000000ffffffff RDI: 0000000000000286
RBP: ffff88808ae87a40 R08: ffff8880a121a0c0 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: ffff88809bc90730 R14: ffff88809bc90728 R15: ffffffff89bb9b80
FS: 000000000108d880(0000) GS:ffff8880aee00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000020 CR3: 0000000092a4c000 CR4: 00000000001406f0
Call Trace:
vivid_stop_generating_vid_cap+0x1b9/0x664 drivers/media/platform/vivid/vivid-kthread-cap.c:934
vid_cap_stop_streaming+0x7c/0xd0 drivers/media/platform/vivid/vivid-vid-cap.c:273
__vb2_queue_cancel+0xa6/0x8a0 drivers/media/v4l2-core/videobuf2-core.c:1655
vb2_core_streamoff+0x52/0x110 drivers/media/v4l2-core/videobuf2-core.c:1788
__vb2_cleanup_fileio+0x78/0x150 drivers/media/v4l2-core/videobuf2-core.c:2313
vb2_core_queue_release+0x1d/0x80 drivers/media/v4l2-core/videobuf2-core.c:2040
vb2_queue_release drivers/media/v4l2-core/videobuf2-v4l2.c:669 [inline]
_vb2_fop_release+0x1cf/0x2a0 drivers/media/v4l2-core/videobuf2-v4l2.c:840
vb2_fop_release+0x75/0xc0 drivers/media/v4l2-core/videobuf2-v4l2.c:854
vivid_fop_release+0x180/0x3f0 drivers/media/platform/vivid/vivid-core.c:486
v4l2_release+0xfb/0x190 drivers/media/v4l2-core/v4l2-dev.c:446
__fput+0x277/0x7a0 fs/file_table.c:210
____fput+0x16/0x20 fs/file_table.c:244
task_work_run+0x119/0x190 kernel/task_work.c:113
exit_task_work include/linux/task_work.h:22 [inline]
do_exit+0x7df/0x2c10 kernel/exit.c:874
do_group_exit+0x111/0x330 kernel/exit.c:977
SYSC_exit_group kernel/exit.c:988 [inline]
SyS_exit_group+0x1d/0x20 kernel/exit.c:986
do_syscall_64+0x1eb/0x630 arch/x86/entry/common.c:289
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x443b78
RSP: 002b:00007fffdb2d3b78 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000443b78
RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
RBP: 00000000004c34f0 R08: 00000000000000e7 R09: ffffffffffffffd0
R10: 000000000000000f R11: 0000000000000246 R12: 0000000000000001
R13: 00000000006d5180 R14: 0000000000000000 R15: 0000000000000000
Code: 00 65 8b 1d 67 2f c3 7e 83 fb 3f 0f 87 63 04 00 00 e8 29 95 1e 00 89 db 48 0f a3 1d 7f 93 e6 06 0f 82 4c 03 00 00 e8 14 95 1e 00 <f0> 41 ff 44 24 20 49 8d 7c 24 24 48 b8 00 00 00 00 00 fc ff df
RIP: atomic_inc arch/x86/include/asm/atomic.h:92 [inline] RSP: ffff88808ae87a20
RIP: kthread_stop+0x4c/0x650 kernel/kthread.c:525 RSP: ffff88808ae87a20
CR2: 0000000000000020
---[ end trace 88b3314bc4a09a79 ]---
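
Both reports fault at the same place, and the Code: line plus the register dump are enough to confirm what was dereferenced without a disassembler. The script below is an added example for this thread, not code from syzbot, syzkaller or the kernel. It parses the register block and the Code: line of the 4.14.113 report above (quoted verbatim), decodes the instruction at the <marked> byte just far enough to find its memory operand, and checks that the operand's effective address equals CR2. The marked bytes f0 41 ff 44 24 20 are lock incl 0x20(%r12); with R12 = 0 that gives 0x20, the CR2 value in both reports, which is consistent with kthread_stop() having been handed a NULL task_struct pointer (the atomic_inc inlined at kthread.c:525 is the reference-count increment on that pointer). The function and constant names, and the extra byte sequences in the comments and tests, are this example's own assumptions.

```python
"""Confirm a kernel oops' faulting address from its Code: bytes and register dump.

Added example for this syzbot thread; not part of syzbot, syzkaller or Linux.
Only the x86-64 addressing forms needed here (legacy prefixes, REX, ModRM,
SIB, disp8/disp32) and the 0xff "group 5" opcode are decoded; anything else
raises rather than guessing.
"""
import re

# Register numbering as used by ModRM/SIB fields, with the REX extension bit.
REG64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi",
         "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"]
LEGACY_PREFIXES = {0x66, 0x67, 0xf0, 0xf2, 0xf3, 0x26, 0x2e, 0x36, 0x3e, 0x64, 0x65}
SEGMENT_PREFIXES = {0x26: "es", 0x2e: "cs", 0x36: "ss", 0x3e: "ds", 0x64: "fs", 0x65: "gs"}
GROUP5 = {0: "incl", 1: "decl", 2: "call", 4: "jmp", 6: "pushq"}  # opcode 0xff, by ModRM.reg

# Register block and Code: line copied from the 4.14.113 report above.
REPORT_REGS = """\
RSP: 0018:ffff88808ae87a20 EFLAGS: 00010297
RAX: ffff8880a121a0c0 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 00000000ffffffff RDI: 0000000000000286
RBP: ffff88808ae87a40 R08: ffff8880a121a0c0 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: ffff88809bc90730 R14: ffff88809bc90728 R15: ffffffff89bb9b80
CR2: 0000000000000020 CR3: 0000000092a4c000 CR4: 00000000001406f0
"""
REPORT_CODE = ("Code: 00 65 8b 1d 67 2f c3 7e 83 fb 3f 0f 87 63 04 00 00 e8 29 95 1e 00 89 "
               "db 48 0f a3 1d 7f 93 e6 06 0f 82 4c 03 00 00 e8 14 95 1e 00 <f0> 41 ff 44 "
               "24 20 49 8d 7c 24 24 48 b8 00 00 00 00 00 fc ff df")


def parse_regs(dump):
    """Map RAX..R15, RSP and CR2 from an x86-64 oops register block (lower-case keys)."""
    regs = {}
    for name, val in re.findall(r"\b(R[A-Z0-9]{1,2}|CR2):\s*(?:[0-9a-f]{4}:)?([0-9a-f]{16})\b", dump):
        if name[1:].isdigit():
            name = "R" + str(int(name[1:]))        # R08 -> R8
        regs[name.lower()] = int(val, 16)
    return regs


def parse_code(code_line):
    """Turn a (possibly line-wrapped) 'Code: ...' dump into (bytes, index of the <marked> byte)."""
    toks = code_line.split(":", 1)[1].split()
    marked = next(i for i, t in enumerate(toks) if t.startswith("<"))
    return [int(t.strip("<>"), 16) for t in toks], marked


def _signed(value, bits):
    return value - (1 << bits) if value >> (bits - 1) else value


def decode_memory_operand(code, at, regs):
    """Decode the instruction at code[at]; return (mnemonic, AT&T operand text, effective address)."""
    i, lock, segment, rex = at, False, None, 0
    while code[i] in LEGACY_PREFIXES:
        lock |= code[i] == 0xf0
        segment = SEGMENT_PREFIXES.get(code[i], segment)
        i += 1
    if 0x40 <= code[i] <= 0x4f:
        rex, i = code[i], i + 1
    opcode, i = code[i], i + 1
    if opcode != 0xff:
        raise NotImplementedError(f"opcode {opcode:#x} is outside this example's scope")
    modrm, i = code[i], i + 1
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod == 3:
        raise ValueError("register operand: this instruction does not touch memory")
    base = index = None
    scale, rip_relative = 1, False
    disp_bits = {0: 0, 1: 8, 2: 32}[mod]
    if rm == 4:                                    # SIB byte follows
        sib, i = code[i], i + 1
        scale = 1 << (sib >> 6)
        idx = ((sib >> 3) & 7) | ((rex & 2) << 2)   # REX.X extends the index
        if idx != 4:                               # index 100b means "no index"
            index = idx
        if (sib & 7) == 5 and mod == 0:
            disp_bits = 32                         # no base register, disp32 only
        else:
            base = (sib & 7) | ((rex & 1) << 3)    # REX.B extends the base
    elif rm == 5 and mod == 0:
        rip_relative, disp_bits = True, 32
    else:
        base = rm | ((rex & 1) << 3)
    disp = 0
    if disp_bits:
        disp = _signed(int.from_bytes(bytes(code[i:i + disp_bits // 8]), "little"), disp_bits)
    if rip_relative or segment:
        raise NotImplementedError("RIP-relative or segment-relative operand")
    ea = disp
    if base is not None:
        ea += regs[REG64[base]]
    if index is not None:
        ea += regs[REG64[index]] * scale
    ea &= (1 << 64) - 1
    mnemonic = ("lock " if lock else "") + GROUP5.get(reg, f"ff/{reg}")
    operand = ("*" if reg in (2, 4) else "") + f"{disp:#x}("
    operand += ("%" + REG64[base]) if base is not None else ""
    operand += f",%{REG64[index]},{scale})" if index is not None else ")"
    return mnemonic, operand, ea


def triage(register_block, code_line):
    """Check that the marked instruction's memory operand resolves to the page-fault address (CR2)."""
    regs = parse_regs(register_block)
    code, at = parse_code(code_line)
    mnemonic, operand, ea = decode_memory_operand(code, at, regs)
    return {"insn": f"{mnemonic} {operand}", "ea": ea, "cr2": regs["cr2"], "matches": ea == regs["cr2"]}


if __name__ == "__main__":
    print(triage(REPORT_REGS, REPORT_CODE))
```

The decoder deliberately refuses anything outside the forms it knows (other opcodes, RIP-relative operands, segment overrides such as the %gs per-cpu load earlier in the same Code: line), so a mismatch between the computed address and CR2 means the register dump does not explain the fault, not that the decoder guessed. The same check on the 4.14.111 report gives the same answer, since its marked bytes and R12 are identical.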
