[moderation] [serial?] general protection fault in n_tty_receive_buf_common (2)
1 view
Skip to first unread message
syzbot
Mar 8, 2024, 1:32:23 AMMar 8
to syzkaller-upst...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 58c806d867bf Merge tag 'phy-fixes2-6.8' of git://git.kerne..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1411ff9a180000
kernel config: https://syzkaller.appspot.com/x/.config?x=fad652894fc96962
dashboard link: https://syzkaller.appspot.com/bug?extid=7e8ce8432b7ba3c3388c
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
CC: [gre...@linuxfoundation.org jiri...@kernel.org linux-...@vger.kernel.org linux-...@vger.kernel.org]
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/07a10d18e9bf/disk-58c806d8.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/e9ab3d05fbf0/vmlinux-58c806d8.xz
kernel image: https://storage.googleapis.com/syzbot-assets/35283cdfcf72/bzImage-58c806d8.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+7e8ce8...@syzkaller.appspotmail.com
general protection fault, probably for non-canonical address 0xdffffc000000044c: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: probably user-memory-access in range [0x0000000000002260-0x0000000000002267]
CPU: 0 PID: 2432 Comm: kworker/u4:7 Not tainted 6.8.0-rc6-syzkaller-00278-g58c806d867bf #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
Workqueue: events_unbound flush_to_ldisc
RIP: 0010:n_tty_receive_buf_common+0x136/0x12c0 drivers/tty/n_tty.c:1708
Code: 00 45 31 ed 48 89 8c 24 e0 00 00 00 48 c1 e9 03 48 89 8c 24 e8 00 00 00 48 89 5c 24 68 4c 89 6c 24 08 48 8b 84 24 e8 00 00 00 <42> 80 3c 30 00 74 0d 48 8b bc 24 e0 00 00 00 e8 b6 0b d5 fc 4c 89
RSP: 0018:ffffc9000a3e79e8 EFLAGS: 00010202
RAX: 000000000000044c RBX: ffff88801110a438 RCX: 000000000000044c
RDX: 0000000000000001 RSI: 0000000000000008 RDI: 0000000000000001
RBP: 0000000000000000 R08: ffff88801110a287 R09: 1ffff11002221450
R10: dffffc0000000000 R11: ffffed1002221451 R12: ffff888031edd020
R13: 0000000000000000 R14: dffffc0000000000 R15: ffff888031edd020
FS: 0000000000000000(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fe3ecf01d58 CR3: 000000001ec0a000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
tty_port_default_receive_buf+0x6d/0xa0 drivers/tty/tty_port.c:37
receive_buf drivers/tty/tty_buffer.c:444 [inline]
flush_to_ldisc+0x328/0x860 drivers/tty/tty_buffer.c:494
process_one_work kernel/workqueue.c:2633 [inline]
process_scheduled_works+0x913/0x1420 kernel/workqueue.c:2706
worker_thread+0xa5f/0x1000 kernel/workqueue.c:2787
kthread+0x2ef/0x390 kernel/kthread.c:388
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:243
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:n_tty_receive_buf_common+0x136/0x12c0 drivers/tty/n_tty.c:1708
Code: 00 45 31 ed 48 89 8c 24 e0 00 00 00 48 c1 e9 03 48 89 8c 24 e8 00 00 00 48 89 5c 24 68 4c 89 6c 24 08 48 8b 84 24 e8 00 00 00 <42> 80 3c 30 00 74 0d 48 8b bc 24 e0 00 00 00 e8 b6 0b d5 fc 4c 89
RSP: 0018:ffffc9000a3e79e8 EFLAGS: 00010202
RAX: 000000000000044c RBX: ffff88801110a438 RCX: 000000000000044c
RDX: 0000000000000001 RSI: 0000000000000008 RDI: 0000000000000001
RBP: 0000000000000000 R08: ffff88801110a287 R09: 1ffff11002221450
R10: dffffc0000000000 R11: ffffed1002221451 R12: ffff888031edd020
R13: 0000000000000000 R14: dffffc0000000000 R15: ffff888031edd020
FS: 0000000000000000(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b31c21000 CR3: 00000000233f6000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 00 45 31 add %al,0x31(%rbp)
3: ed in (%dx),%eax
4: 48 89 8c 24 e0 00 00 mov %rcx,0xe0(%rsp)
b: 00
c: 48 c1 e9 03 shr $0x3,%rcx
10: 48 89 8c 24 e8 00 00 mov %rcx,0xe8(%rsp)
17: 00
18: 48 89 5c 24 68 mov %rbx,0x68(%rsp)
1d: 4c 89 6c 24 08 mov %r13,0x8(%rsp)
22: 48 8b 84 24 e8 00 00 mov 0xe8(%rsp),%rax
29: 00
* 2a: 42 80 3c 30 00 cmpb $0x0,(%rax,%r14,1) <-- trapping instruction
2f: 74 0d je 0x3e
31: 48 8b bc 24 e0 00 00 mov 0xe0(%rsp),%rdi
38: 00
39: e8 b6 0b d5 fc call 0xfcd50bf4
3e: 4c rex.WR
3f: 89 .byte 0x89
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: 58c806d867bf Merge tag 'phy-fixes2-6.8' of git://git.kerne..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1411ff9a180000
kernel config: https://syzkaller.appspot.com/x/.config?x=fad652894fc96962
dashboard link: https://syzkaller.appspot.com/bug?extid=7e8ce8432b7ba3c3388c
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
CC: [gre...@linuxfoundation.org jiri...@kernel.org linux-...@vger.kernel.org linux-...@vger.kernel.org]
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/07a10d18e9bf/disk-58c806d8.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/e9ab3d05fbf0/vmlinux-58c806d8.xz
kernel image: https://storage.googleapis.com/syzbot-assets/35283cdfcf72/bzImage-58c806d8.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+7e8ce8...@syzkaller.appspotmail.com
general protection fault, probably for non-canonical address 0xdffffc000000044c: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: probably user-memory-access in range [0x0000000000002260-0x0000000000002267]
CPU: 0 PID: 2432 Comm: kworker/u4:7 Not tainted 6.8.0-rc6-syzkaller-00278-g58c806d867bf #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
Workqueue: events_unbound flush_to_ldisc
RIP: 0010:n_tty_receive_buf_common+0x136/0x12c0 drivers/tty/n_tty.c:1708
Code: 00 45 31 ed 48 89 8c 24 e0 00 00 00 48 c1 e9 03 48 89 8c 24 e8 00 00 00 48 89 5c 24 68 4c 89 6c 24 08 48 8b 84 24 e8 00 00 00 <42> 80 3c 30 00 74 0d 48 8b bc 24 e0 00 00 00 e8 b6 0b d5 fc 4c 89
RSP: 0018:ffffc9000a3e79e8 EFLAGS: 00010202
RAX: 000000000000044c RBX: ffff88801110a438 RCX: 000000000000044c
RDX: 0000000000000001 RSI: 0000000000000008 RDI: 0000000000000001
RBP: 0000000000000000 R08: ffff88801110a287 R09: 1ffff11002221450
R10: dffffc0000000000 R11: ffffed1002221451 R12: ffff888031edd020
R13: 0000000000000000 R14: dffffc0000000000 R15: ffff888031edd020
FS: 0000000000000000(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fe3ecf01d58 CR3: 000000001ec0a000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
tty_port_default_receive_buf+0x6d/0xa0 drivers/tty/tty_port.c:37
receive_buf drivers/tty/tty_buffer.c:444 [inline]
flush_to_ldisc+0x328/0x860 drivers/tty/tty_buffer.c:494
process_one_work kernel/workqueue.c:2633 [inline]
process_scheduled_works+0x913/0x1420 kernel/workqueue.c:2706
worker_thread+0xa5f/0x1000 kernel/workqueue.c:2787
kthread+0x2ef/0x390 kernel/kthread.c:388
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:243
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:n_tty_receive_buf_common+0x136/0x12c0 drivers/tty/n_tty.c:1708
Code: 00 45 31 ed 48 89 8c 24 e0 00 00 00 48 c1 e9 03 48 89 8c 24 e8 00 00 00 48 89 5c 24 68 4c 89 6c 24 08 48 8b 84 24 e8 00 00 00 <42> 80 3c 30 00 74 0d 48 8b bc 24 e0 00 00 00 e8 b6 0b d5 fc 4c 89
RSP: 0018:ffffc9000a3e79e8 EFLAGS: 00010202
RAX: 000000000000044c RBX: ffff88801110a438 RCX: 000000000000044c
RDX: 0000000000000001 RSI: 0000000000000008 RDI: 0000000000000001
RBP: 0000000000000000 R08: ffff88801110a287 R09: 1ffff11002221450
R10: dffffc0000000000 R11: ffffed1002221451 R12: ffff888031edd020
R13: 0000000000000000 R14: dffffc0000000000 R15: ffff888031edd020
FS: 0000000000000000(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b31c21000 CR3: 00000000233f6000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 00 45 31 add %al,0x31(%rbp)
3: ed in (%dx),%eax
4: 48 89 8c 24 e0 00 00 mov %rcx,0xe0(%rsp)
b: 00
c: 48 c1 e9 03 shr $0x3,%rcx
10: 48 89 8c 24 e8 00 00 mov %rcx,0xe8(%rsp)
17: 00
18: 48 89 5c 24 68 mov %rbx,0x68(%rsp)
1d: 4c 89 6c 24 08 mov %r13,0x8(%rsp)
22: 48 8b 84 24 e8 00 00 mov 0xe8(%rsp),%rax
29: 00
* 2a: 42 80 3c 30 00 cmpb $0x0,(%rax,%r14,1) <-- trapping instruction
2f: 74 0d je 0x3e
31: 48 8b bc 24 e0 00 00 mov 0xe0(%rsp),%rdi
38: 00
39: e8 b6 0b d5 fc call 0xfcd50bf4
3e: 4c rex.WR
3f: 89 .byte 0x89
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
Reply all
Reply to author
Forward
0 new messages