BUG: unable to handle kernel paging request in free_block (5)


syzbot

Mar 7, 2019, 10:52:05 AM
to syzkaller-upst...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: afe6fe7036c6 Merge tag 'armsoc-late' of git://git.kernel.o..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=111dcc9d200000
kernel config: https://syzkaller.appspot.com/x/.config?x=bd349f14600e1305
dashboard link: https://syzkaller.appspot.com/bug?extid=1fc9b4cbf0ccf2996449
compiler: gcc (GCC) 9.0.0 20181231 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+1fc9b4...@syzkaller.appspotmail.com

netlink: 9 bytes leftover after parsing attributes in process `syz-executor.2'.
1 : renamed from 0
ucma_write: process 214 (syz-executor.3) changed security contexts after opening file descriptor, this is not allowed.
BUG: unable to handle kernel paging request at 00000000ffffff80
#PF error: [WRITE]
PGD 8588b067 P4D 8588b067 PUD 0
Oops: 0002 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 27318 Comm: kworker/1:1 Not tainted 5.0.0+ #9
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
kobject: 'loop3' (000000002de468f8): kobject_uevent_env
Workqueue: events cache_reap
RIP: 0010:slab_put_obj mm/slab.c:2616 [inline]
RIP: 0010:free_block+0x149/0x250 mm/slab.c:3414
Code: b6 4c 24 1c 48 c1 ee 20 29 f0 d3 e8 41 0f b6 4c 24 1d 01 f0 49 8b 75
20 d3 e8 8d 4f ff 48 85 f6 41 89 4d 30 0f 84 f0 00 00 00 <88> 04 0e 41 8b
45 30 85 c0 0f 84 fa fe ff ff 49 8b 76 40 4c 89 ff
kobject: 'loop3' (000000002de468f8): fill_kobj_path: path = '/devices/virtual/block/loop3'
RSP: 0018:ffff888069807c00 EFLAGS: 00010002
RAX: 00000000012bb2bd RBX: ffffe8ffffd69e50 RCX: 00000000ffffff7e
RDX: ffff888095d95e80 RSI: 0000000000000002 RDI: 00000000ffffff7f
RBP: ffff888069807c50 R08: ffff8880950fa200 R09: ffffed100d300f80
R10: ffffed100d300f7f R11: 0000000000000003 R12: ffff8880a90fb300
R13: ffffea0002576540 R14: ffff88808a29fd00 R15: ffffea0002576548
FS: 0000000000000000(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000ffffff80 CR3: 0000000096e7d000 CR4: 00000000001426e0
Call Trace:
drain_array_locked+0x36/0x90 mm/slab.c:2197
drain_array+0x8c/0xb0 mm/slab.c:4016
cache_reap+0xf4/0x280 mm/slab.c:4057
process_one_work+0x98e/0x1790 kernel/workqueue.c:2175
worker_thread+0x98/0xe40 kernel/workqueue.c:2321
kthread+0x357/0x430 kernel/kthread.c:252
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352
Modules linked in:
CR2: 00000000ffffff80
---[ end trace dc4af5664c7741e0 ]---
RIP: 0010:slab_put_obj mm/slab.c:2616 [inline]
RIP: 0010:free_block+0x149/0x250 mm/slab.c:3414
Code: b6 4c 24 1c 48 c1 ee 20 29 f0 d3 e8 41 0f b6 4c 24 1d 01 f0 49 8b 75
20 d3 e8 8d 4f ff 48 85 f6 41 89 4d 30 0f 84 f0 00 00 00 <88> 04 0e 41 8b
45 30 85 c0 0f 84 fa fe ff ff 49 8b 76 40 4c 89 ff
RSP: 0018:ffff888069807c00 EFLAGS: 00010002
RAX: 00000000012bb2bd RBX: ffffe8ffffd69e50 RCX: 00000000ffffff7e
RDX: ffff888095d95e80 RSI: 0000000000000002 RDI: 00000000ffffff7f
RBP: ffff888069807c50 R08: ffff8880950fa200 R09: ffffed100d300f80
R10: ffffed100d300f7f R11: 0000000000000003 R12: ffff8880a90fb300
R13: ffffea0002576540 R14: ffff88808a29fd00 R15: ffffea0002576548
kobject: 'loop3' (000000002de468f8): kobject_uevent_env
FS: 0000000000000000(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000ffffff80 CR3: 0000000096e7d000 CR4: 00000000001426e0


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
syzbot.

syzbot

Apr 18, 2019, 1:08:04 AM
to syzkaller-upst...@googlegroups.com
Sending this report upstream.