general protection fault in vb2_vmalloc_put
6 views
Skip to first unread message
syzbot
Jun 9, 2019, 3:19:06 PM6/9/19
to syzkaller...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: e6a95d88 Linux 4.14.124
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=16adf5d2a00000
kernel config: https://syzkaller.appspot.com/x/.config?x=ab7251aa14ac721d
dashboard link: https://syzkaller.appspot.com/bug?extid=726378f0b65b367225de
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=167f888ea00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11dc108ea00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+726378...@syzkaller.appspotmail.com
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
audit: type=1400 audit(1560105412.780:36): avc: denied { map } for
pid=6869 comm="syz-executor945" path="/root/syz-executor945611094"
dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 0 PID: 6869 Comm: syz-executor945 Not tainted 4.14.124 #18
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
task: ffff888094a12440 task.stack: ffff888097290000
RIP: 0010:__read_once_size include/linux/compiler.h:186 [inline]
RIP: 0010:atomic_read arch/x86/include/asm/atomic.h:27 [inline]
RIP: 0010:refcount_sub_and_test+0x2b/0xf0 lib/refcount.c:179
RSP: 0018:ffff888097297a68 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffff8880933a8a00 RCX: ffffffff8424bba0
RDX: 0000000000000004 RSI: 0000000000000020 RDI: 0000000000000001
RBP: ffff888097297a90 R08: 00000000561284a3 R09: ffff888094a12d08
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000020
R13: 0000000000000001 R14: ffff8880933a8a14 R15: 0000000000000000
FS: 0000000001a58880(0000) GS:ffff8880aee00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000043ea00 CR3: 000000000766a000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
refcount_dec_and_test+0x1b/0x20 lib/refcount.c:212
vb2_vmalloc_put+0x18/0x70 drivers/media/v4l2-core/videobuf2-vmalloc.c:68
__vb2_buf_mem_free+0x103/0x1e0 drivers/media/v4l2-core/videobuf2-core.c:240
__vb2_free_mem drivers/media/v4l2-core/videobuf2-core.c:409 [inline]
__vb2_queue_free+0x634/0x7d0 drivers/media/v4l2-core/videobuf2-core.c:454
vb2_core_queue_release+0x64/0x80
drivers/media/v4l2-core/videobuf2-core.c:2043
vb2_queue_release drivers/media/v4l2-core/videobuf2-v4l2.c:669 [inline]
_vb2_fop_release+0x1cf/0x2a0 drivers/media/v4l2-core/videobuf2-v4l2.c:840
vb2_fop_release+0x75/0xc0 drivers/media/v4l2-core/videobuf2-v4l2.c:854
vivid_fop_release+0x180/0x3f0 drivers/media/platform/vivid/vivid-core.c:486
v4l2_release+0xf9/0x190 drivers/media/v4l2-core/v4l2-dev.c:446
__fput+0x275/0x7a0 fs/file_table.c:210
____fput+0x16/0x20 fs/file_table.c:244
task_work_run+0x114/0x190 kernel/task_work.c:113
exit_task_work include/linux/task_work.h:22 [inline]
do_exit+0x7df/0x2c10 kernel/exit.c:874
do_group_exit+0x111/0x330 kernel/exit.c:977
SYSC_exit_group kernel/exit.c:988 [inline]
SyS_exit_group+0x1d/0x20 kernel/exit.c:986
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x442e88
RSP: 002b:00007ffd45432c28 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000442e88
RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
RBP: 00000000004c27a8 R08: 00000000000000e7 R09: ffffffffffffffd0
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
R13: 00000000006d4180 R14: 0000000000000000 R15: 0000000000000000
Code: 55 48 89 e5 41 56 41 55 41 89 fd 41 54 49 89 f4 53 48 83 ec 08 e8 f6
c4 85 fe 4c 89 e2 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <0f> b6 14 02
4c 89 e0 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85
RIP: __read_once_size include/linux/compiler.h:186 [inline] RSP:
ffff888097297a68
RIP: atomic_read arch/x86/include/asm/atomic.h:27 [inline] RSP:
ffff888097297a68
RIP: refcount_sub_and_test+0x2b/0xf0 lib/refcount.c:179 RSP:
ffff888097297a68
---[ end trace 0c039e45dabf2113 ]---
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot found the following crash on:
HEAD commit: e6a95d88 Linux 4.14.124
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=16adf5d2a00000
kernel config: https://syzkaller.appspot.com/x/.config?x=ab7251aa14ac721d
dashboard link: https://syzkaller.appspot.com/bug?extid=726378f0b65b367225de
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=167f888ea00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11dc108ea00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+726378...@syzkaller.appspotmail.com
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
audit: type=1400 audit(1560105412.780:36): avc: denied { map } for
pid=6869 comm="syz-executor945" path="/root/syz-executor945611094"
dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 0 PID: 6869 Comm: syz-executor945 Not tainted 4.14.124 #18
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
task: ffff888094a12440 task.stack: ffff888097290000
RIP: 0010:__read_once_size include/linux/compiler.h:186 [inline]
RIP: 0010:atomic_read arch/x86/include/asm/atomic.h:27 [inline]
RIP: 0010:refcount_sub_and_test+0x2b/0xf0 lib/refcount.c:179
RSP: 0018:ffff888097297a68 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffff8880933a8a00 RCX: ffffffff8424bba0
RDX: 0000000000000004 RSI: 0000000000000020 RDI: 0000000000000001
RBP: ffff888097297a90 R08: 00000000561284a3 R09: ffff888094a12d08
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000020
R13: 0000000000000001 R14: ffff8880933a8a14 R15: 0000000000000000
FS: 0000000001a58880(0000) GS:ffff8880aee00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000043ea00 CR3: 000000000766a000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
refcount_dec_and_test+0x1b/0x20 lib/refcount.c:212
vb2_vmalloc_put+0x18/0x70 drivers/media/v4l2-core/videobuf2-vmalloc.c:68
__vb2_buf_mem_free+0x103/0x1e0 drivers/media/v4l2-core/videobuf2-core.c:240
__vb2_free_mem drivers/media/v4l2-core/videobuf2-core.c:409 [inline]
__vb2_queue_free+0x634/0x7d0 drivers/media/v4l2-core/videobuf2-core.c:454
vb2_core_queue_release+0x64/0x80
drivers/media/v4l2-core/videobuf2-core.c:2043
vb2_queue_release drivers/media/v4l2-core/videobuf2-v4l2.c:669 [inline]
_vb2_fop_release+0x1cf/0x2a0 drivers/media/v4l2-core/videobuf2-v4l2.c:840
vb2_fop_release+0x75/0xc0 drivers/media/v4l2-core/videobuf2-v4l2.c:854
vivid_fop_release+0x180/0x3f0 drivers/media/platform/vivid/vivid-core.c:486
v4l2_release+0xf9/0x190 drivers/media/v4l2-core/v4l2-dev.c:446
__fput+0x275/0x7a0 fs/file_table.c:210
____fput+0x16/0x20 fs/file_table.c:244
task_work_run+0x114/0x190 kernel/task_work.c:113
exit_task_work include/linux/task_work.h:22 [inline]
do_exit+0x7df/0x2c10 kernel/exit.c:874
do_group_exit+0x111/0x330 kernel/exit.c:977
SYSC_exit_group kernel/exit.c:988 [inline]
SyS_exit_group+0x1d/0x20 kernel/exit.c:986
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x442e88
RSP: 002b:00007ffd45432c28 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000442e88
RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
RBP: 00000000004c27a8 R08: 00000000000000e7 R09: ffffffffffffffd0
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
R13: 00000000006d4180 R14: 0000000000000000 R15: 0000000000000000
Code: 55 48 89 e5 41 56 41 55 41 89 fd 41 54 49 89 f4 53 48 83 ec 08 e8 f6
c4 85 fe 4c 89 e2 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <0f> b6 14 02
4c 89 e0 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85
RIP: __read_once_size include/linux/compiler.h:186 [inline] RSP:
ffff888097297a68
RIP: atomic_read arch/x86/include/asm/atomic.h:27 [inline] RSP:
ffff888097297a68
RIP: refcount_sub_and_test+0x2b/0xf0 lib/refcount.c:179 RSP:
ffff888097297a68
---[ end trace 0c039e45dabf2113 ]---
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
Reply all
Reply to author
Forward
0 new messages