general protection fault in open_xa_dir (2)
4 views
Skip to first unread message
syzbot
Apr 9, 2022, 1:05:36 PM4/9/22
to syzkaller-upst...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 312310928417 Linux 5.18-rc1
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15a0896f700000
kernel config: https://syzkaller.appspot.com/x/.config?x=35385e2813897b18
dashboard link: https://syzkaller.appspot.com/bug?extid=8f108cb55aab961d8ce0
compiler: Debian clang version 11.0.1-2, GNU ld (GNU Binutils for Debian) 2.35.2
CC: [linux-...@vger.kernel.org reiserf...@vger.kernel.org]
Unfortunately, I don't have any reproducer for this issue yet.
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+8f108c...@syzkaller.appspotmail.com
general protection fault, probably for non-canonical address 0xf1287c058b117d2a: 0000 [#1] PREEMPT SMP KASAN
KASAN: maybe wild-memory-access in range [0x8944002c588be950-0x8944002c588be957]
CPU: 0 PID: 12710 Comm: syz-executor.2 Not tainted 5.18.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__lock_acquire+0xcf/0x2b00 kernel/locking/lockdep.c:4899
Code: 85 d1 1d 00 00 83 3d 53 54 ba 0c 00 48 89 9c 24 b8 00 00 00 0f 84 9d 11 00 00 83 3d aa 9a 57 0b 00 74 2d 48 89 f8 48 c1 e8 03 <80> 3c 30 00 74 14 e8 c6 b2 70 00 48 8b 7c 24 40 48 be 00 00 00 00
RSP: 0018:ffffc9000eaef200 EFLAGS: 00010803
RAX: 112880058b117d2a RBX: 1ffff92001d5de58 RCX: 0000000000000000
RDX: 0000000000000000 RSI: dffffc0000000000 RDI: 8944002c588be955
RBP: ffffc9000eaef350 R08: 0000000000000001 R09: 0000000000000000
R10: fffffbfff1c426fe R11: 0000000000000000 R12: 0000000000000003
R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000000
FS: 00007f09e97fe700(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f8086b691b8 CR3: 0000000076f34000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000009448
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
lock_acquire+0x19f/0x4d0 kernel/locking/lockdep.c:5641
down_write_nested+0xa1/0x180 kernel/locking/rwsem.c:1624
inode_lock_nested include/linux/fs.h:783 [inline]
open_xa_root fs/reiserfs/xattr.c:127 [inline]
open_xa_dir+0x132/0x5e0 fs/reiserfs/xattr.c:152
xattr_lookup+0x24/0x280 fs/reiserfs/xattr.c:395
reiserfs_xattr_get+0xfb/0x4f0 fs/reiserfs/xattr.c:684
reiserfs_get_acl+0x7b/0x690 fs/reiserfs/xattr_acl.c:214
get_acl+0x154/0x2e0 fs/posix_acl.c:152
check_acl fs/namei.c:305 [inline]
acl_permission_check fs/namei.c:350 [inline]
generic_permission+0x3a4/0x710 fs/namei.c:403
do_inode_permission fs/namei.c:457 [inline]
inode_permission+0x2b6/0x6b0 fs/namei.c:524
may_open+0x228/0x3e0 fs/namei.c:3101
do_open fs/namei.c:3474 [inline]
path_openat+0x25ad/0x3690 fs/namei.c:3609
do_filp_open+0x277/0x4f0 fs/namei.c:3636
do_sys_openat2+0x13b/0x500 fs/open.c:1213
do_sys_open fs/open.c:1229 [inline]
__do_sys_openat fs/open.c:1245 [inline]
__se_sys_openat fs/open.c:1240 [inline]
__x64_sys_openat+0x243/0x290 fs/open.c:1240
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x2b/0x50 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f09ea83bf64
Code: 84 00 00 00 00 00 44 89 54 24 0c e8 96 f9 ff ff 44 8b 54 24 0c 44 89 e2 48 89 ee 41 89 c0 bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 77 34 44 89 c7 89 44 24 0c e8 c8 f9 ff ff 8b 44
RSP: 002b:00007f09e97fdf10 EFLAGS: 00000293 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 0000000020000200 RCX: 00007f09ea83bf64
RDX: 0000000000010000 RSI: 0000000020000100 RDI: 00000000ffffff9c
RBP: 0000000020000100 R08: 0000000000000000 R09: 0000000020000000
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000010000
R13: 0000000020000100 R14: 00007f09e97fdfe0 R15: 000000002006d200
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__lock_acquire+0xcf/0x2b00 kernel/locking/lockdep.c:4899
Code: 85 d1 1d 00 00 83 3d 53 54 ba 0c 00 48 89 9c 24 b8 00 00 00 0f 84 9d 11 00 00 83 3d aa 9a 57 0b 00 74 2d 48 89 f8 48 c1 e8 03 <80> 3c 30 00 74 14 e8 c6 b2 70 00 48 8b 7c 24 40 48 be 00 00 00 00
RSP: 0018:ffffc9000eaef200 EFLAGS: 00010803
RAX: 112880058b117d2a RBX: 1ffff92001d5de58 RCX: 0000000000000000
RDX: 0000000000000000 RSI: dffffc0000000000 RDI: 8944002c588be955
RBP: ffffc9000eaef350 R08: 0000000000000001 R09: 0000000000000000
R10: fffffbfff1c426fe R11: 0000000000000000 R12: 0000000000000003
R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000000
FS: 00007f09e97fe700(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f8086b691b8 CR3: 0000000076f34000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000009448
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 85 d1 test %edx,%ecx
2: 1d 00 00 83 3d sbb $0x3d830000,%eax
7: 53 push %rbx
8: 54 push %rsp
9: ba 0c 00 48 89 mov $0x8948000c,%edx
e: 9c pushfq
f: 24 b8 and $0xb8,%al
11: 00 00 add %al,(%rax)
13: 00 0f add %cl,(%rdi)
15: 84 9d 11 00 00 83 test %bl,-0x7cffffef(%rbp)
1b: 3d aa 9a 57 0b cmp $0xb579aaa,%eax
20: 00 74 2d 48 add %dh,0x48(%rbp,%rbp,1)
24: 89 f8 mov %edi,%eax
26: 48 c1 e8 03 shr $0x3,%rax
* 2a: 80 3c 30 00 cmpb $0x0,(%rax,%rsi,1) <-- trapping instruction
2e: 74 14 je 0x44
30: e8 c6 b2 70 00 callq 0x70b2fb
35: 48 8b 7c 24 40 mov 0x40(%rsp),%rdi
3a: 48 rex.W
3b: be 00 00 00 00 mov $0x0,%esi
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot found the following issue on:
HEAD commit: 312310928417 Linux 5.18-rc1
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15a0896f700000
kernel config: https://syzkaller.appspot.com/x/.config?x=35385e2813897b18
dashboard link: https://syzkaller.appspot.com/bug?extid=8f108cb55aab961d8ce0
compiler: Debian clang version 11.0.1-2, GNU ld (GNU Binutils for Debian) 2.35.2
CC: [linux-...@vger.kernel.org reiserf...@vger.kernel.org]
Unfortunately, I don't have any reproducer for this issue yet.
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+8f108c...@syzkaller.appspotmail.com
general protection fault, probably for non-canonical address 0xf1287c058b117d2a: 0000 [#1] PREEMPT SMP KASAN
KASAN: maybe wild-memory-access in range [0x8944002c588be950-0x8944002c588be957]
CPU: 0 PID: 12710 Comm: syz-executor.2 Not tainted 5.18.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__lock_acquire+0xcf/0x2b00 kernel/locking/lockdep.c:4899
Code: 85 d1 1d 00 00 83 3d 53 54 ba 0c 00 48 89 9c 24 b8 00 00 00 0f 84 9d 11 00 00 83 3d aa 9a 57 0b 00 74 2d 48 89 f8 48 c1 e8 03 <80> 3c 30 00 74 14 e8 c6 b2 70 00 48 8b 7c 24 40 48 be 00 00 00 00
RSP: 0018:ffffc9000eaef200 EFLAGS: 00010803
RAX: 112880058b117d2a RBX: 1ffff92001d5de58 RCX: 0000000000000000
RDX: 0000000000000000 RSI: dffffc0000000000 RDI: 8944002c588be955
RBP: ffffc9000eaef350 R08: 0000000000000001 R09: 0000000000000000
R10: fffffbfff1c426fe R11: 0000000000000000 R12: 0000000000000003
R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000000
FS: 00007f09e97fe700(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f8086b691b8 CR3: 0000000076f34000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000009448
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
lock_acquire+0x19f/0x4d0 kernel/locking/lockdep.c:5641
down_write_nested+0xa1/0x180 kernel/locking/rwsem.c:1624
inode_lock_nested include/linux/fs.h:783 [inline]
open_xa_root fs/reiserfs/xattr.c:127 [inline]
open_xa_dir+0x132/0x5e0 fs/reiserfs/xattr.c:152
xattr_lookup+0x24/0x280 fs/reiserfs/xattr.c:395
reiserfs_xattr_get+0xfb/0x4f0 fs/reiserfs/xattr.c:684
reiserfs_get_acl+0x7b/0x690 fs/reiserfs/xattr_acl.c:214
get_acl+0x154/0x2e0 fs/posix_acl.c:152
check_acl fs/namei.c:305 [inline]
acl_permission_check fs/namei.c:350 [inline]
generic_permission+0x3a4/0x710 fs/namei.c:403
do_inode_permission fs/namei.c:457 [inline]
inode_permission+0x2b6/0x6b0 fs/namei.c:524
may_open+0x228/0x3e0 fs/namei.c:3101
do_open fs/namei.c:3474 [inline]
path_openat+0x25ad/0x3690 fs/namei.c:3609
do_filp_open+0x277/0x4f0 fs/namei.c:3636
do_sys_openat2+0x13b/0x500 fs/open.c:1213
do_sys_open fs/open.c:1229 [inline]
__do_sys_openat fs/open.c:1245 [inline]
__se_sys_openat fs/open.c:1240 [inline]
__x64_sys_openat+0x243/0x290 fs/open.c:1240
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x2b/0x50 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f09ea83bf64
Code: 84 00 00 00 00 00 44 89 54 24 0c e8 96 f9 ff ff 44 8b 54 24 0c 44 89 e2 48 89 ee 41 89 c0 bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 77 34 44 89 c7 89 44 24 0c e8 c8 f9 ff ff 8b 44
RSP: 002b:00007f09e97fdf10 EFLAGS: 00000293 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 0000000020000200 RCX: 00007f09ea83bf64
RDX: 0000000000010000 RSI: 0000000020000100 RDI: 00000000ffffff9c
RBP: 0000000020000100 R08: 0000000000000000 R09: 0000000020000000
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000010000
R13: 0000000020000100 R14: 00007f09e97fdfe0 R15: 000000002006d200
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__lock_acquire+0xcf/0x2b00 kernel/locking/lockdep.c:4899
Code: 85 d1 1d 00 00 83 3d 53 54 ba 0c 00 48 89 9c 24 b8 00 00 00 0f 84 9d 11 00 00 83 3d aa 9a 57 0b 00 74 2d 48 89 f8 48 c1 e8 03 <80> 3c 30 00 74 14 e8 c6 b2 70 00 48 8b 7c 24 40 48 be 00 00 00 00
RSP: 0018:ffffc9000eaef200 EFLAGS: 00010803
RAX: 112880058b117d2a RBX: 1ffff92001d5de58 RCX: 0000000000000000
RDX: 0000000000000000 RSI: dffffc0000000000 RDI: 8944002c588be955
RBP: ffffc9000eaef350 R08: 0000000000000001 R09: 0000000000000000
R10: fffffbfff1c426fe R11: 0000000000000000 R12: 0000000000000003
R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000000
FS: 00007f09e97fe700(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f8086b691b8 CR3: 0000000076f34000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000009448
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 85 d1 test %edx,%ecx
2: 1d 00 00 83 3d sbb $0x3d830000,%eax
7: 53 push %rbx
8: 54 push %rsp
9: ba 0c 00 48 89 mov $0x8948000c,%edx
e: 9c pushfq
f: 24 b8 and $0xb8,%al
11: 00 00 add %al,(%rax)
13: 00 0f add %cl,(%rdi)
15: 84 9d 11 00 00 83 test %bl,-0x7cffffef(%rbp)
1b: 3d aa 9a 57 0b cmp $0xb579aaa,%eax
20: 00 74 2d 48 add %dh,0x48(%rbp,%rbp,1)
24: 89 f8 mov %edi,%eax
26: 48 c1 e8 03 shr $0x3,%rax
* 2a: 80 3c 30 00 cmpb $0x0,(%rax,%rsi,1) <-- trapping instruction
2e: 74 14 je 0x44
30: e8 c6 b2 70 00 callq 0x70b2fb
35: 48 8b 7c 24 40 mov 0x40(%rsp),%rdi
3a: 48 rex.W
3b: be 00 00 00 00 mov $0x0,%esi
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot
Jul 4, 2022, 1:03:22 PM7/4/22
to syzkaller-upst...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.
Crashes did not happen for a while, no reproducer and no activity.
Reply all
Reply to author
Forward
0 new messages