[moderation] [arm?] BUG: unable to handle kernel NULL pointer dereference in handle_percpu_devid_irq

syzbot

May 18, 2024, 9:19:35 PMMay 18
to syzkaller-upst...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: fda5695d692c Merge branch 'for-next/core' into for-kernelci
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=141caa3f180000
kernel config: https://syzkaller.appspot.com/x/.config?x=95dc1de8407c7270
dashboard link: https://syzkaller.appspot.com/bug?extid=04d4ae04e291daaef555
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
CC: [daniel....@linaro.org linux-ar...@lists.infradead.org linux-...@vger.kernel.org mark.r...@arm.com m...@kernel.org tg...@linutronix.de]

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/07f3214ff0d9/disk-fda5695d.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/70e2e2c864e8/vmlinux-fda5695d.xz
kernel image: https://storage.googleapis.com/syzbot-assets/b259942a16dc/Image-fda5695d.gz.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+04d4ae...@syzkaller.appspotmail.com

Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
Mem abort info:
ESR = 0x0000000086000005
EC = 0x21: IABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x05: level 1 translation fault
user pgtable: 4k pages, 48-bit VAs, pgdp=00000001288bf000
[0000000000000000] pgd=080000010e113003, p4d=080000010e113003, pud=0000000000000000
Internal error: Oops: 0000000086000005 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 6257 Comm: syz-executor.3 Not tainted 6.9.0-rc7-syzkaller-gfda5695d692c #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
pstate: 004000c5 (nzcv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : 0x0
lr : timer_handler drivers/clocksource/arm_arch_timer.c:674 [inline]
lr : arch_timer_handler_virt+0x74/0x88 drivers/clocksource/arm_arch_timer.c:685
sp : ffff800080007f30
x29: ffff800080007f30 x28: ffff0000c5e9dac0 x27: 0000000000000008
x26: ffff800093742cd0 x25: ffff80008f76a0c0 x24: dfff800000000000
x23: ffff80008f76a0e8 x22: ffff8000882cc31c x21: ffff0000c1086c00
x20: 0000000000000005 x19: ffff0001b3ddff40 x18: 1fffe000367b8996
x17: ffff800124fc3000 x16: ffff80008ae89e3c x15: 0000000000000001
x14: ffff80008eeb0668 x13: dfff800000000000 x12: 00000000222162d1
x11: 00000000cb470884 x10: 1fffe000367bbfe8 x9 : dfff800000000000
x8 : 0000000000000000 x7 : ffff8000803a9534 x6 : 0000000000000000
x5 : 0000000000000001 x4 : 0000000000000000 x3 : 0000000000000002
x2 : 0000000000000008 x1 : 0000000000000004 x0 : ffff0001b3ddff40
Call trace:
0x0
handle_percpu_devid_irq+0x174/0x308 kernel/irq/chip.c:942
generic_handle_irq_desc include/linux/irqdesc.h:161 [inline]
handle_irq_desc kernel/irq/irqdesc.c:688 [inline]
generic_handle_domain_irq+0x7c/0xc4 kernel/irq/irqdesc.c:744
__gic_handle_irq drivers/irqchip/irq-gic-v3.c:771 [inline]
__gic_handle_irq_from_irqson drivers/irqchip/irq-gic-v3.c:822 [inline]
gic_handle_irq+0x6c/0x190 drivers/irqchip/irq-gic-v3.c:866
call_on_irq_stack+0x24/0x4c arch/arm64/kernel/entry.S:889
do_interrupt_handler+0xd4/0x138 arch/arm64/kernel/entry-common.c:310
__el1_irq arch/arm64/kernel/entry-common.c:536 [inline]
el1_interrupt+0x34/0x68 arch/arm64/kernel/entry-common.c:551
el1h_64_irq_handler+0x18/0x24 arch/arm64/kernel/entry-common.c:556
el1h_64_irq+0x64/0x68 arch/arm64/kernel/entry.S:594
__daif_local_irq_restore arch/arm64/include/asm/irqflags.h:175 [inline]
arch_local_irq_restore arch/arm64/include/asm/irqflags.h:195 [inline]
__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:151 [inline]
_raw_spin_unlock_irqrestore+0x44/0x98 kernel/locking/spinlock.c:194
kasan_quarantine_remove_cache+0x1c0/0x2a0 mm/kasan/quarantine.c:372
kasan_cache_shutdown+0x24/0x34 mm/kasan/generic.c:212
shutdown_cache mm/slab_common.c:454 [inline]
kmem_cache_destroy+0x78/0x1b0 mm/slab_common.c:496
bio_put_slab block/bio.c:155 [inline]
bioset_exit+0x330/0x434 block/bio.c:1707
bch2_fs_io_read_exit+0x70/0x80 fs/bcachefs/io_read.c:1203
__bch2_fs_free fs/bcachefs/super.c:559 [inline]
bch2_fs_release+0x1c4/0x56c fs/bcachefs/super.c:610
kobject_cleanup lib/kobject.c:689 [inline]
kobject_release lib/kobject.c:720 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0x2a8/0x41c lib/kobject.c:737
bch2_fs_free+0x288/0x2f0 fs/bcachefs/super.c:675
bch2_kill_sb+0x48/0x58 fs/bcachefs/fs.c:2013
deactivate_locked_super+0xc4/0x12c fs/super.c:472
deactivate_super+0xe0/0x100 fs/super.c:505
cleanup_mnt+0x34c/0x3dc fs/namespace.c:1267
__cleanup_mnt+0x20/0x30 fs/namespace.c:1274
task_work_run+0x230/0x2e0 kernel/task_work.c:180
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
do_notify_resume+0x178/0x1f4 arch/arm64/kernel/entry-common.c:151
exit_to_user_mode_prepare arch/arm64/kernel/entry-common.c:169 [inline]
exit_to_user_mode arch/arm64/kernel/entry-common.c:178 [inline]
el0_svc+0xac/0x168 arch/arm64/kernel/entry-common.c:713
el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730
el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598
Code: ???????? ???????? ???????? ???????? (????????)
---[ end trace 0000000000000000 ]---


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite the report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup