BUG: unable to handle kernel NULL pointer dereference in debug_smp_processor_id


syzbot

Jun 6, 2020, 2:02:20 PM
to syzkaller-upst...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 435faf5c Merge tag 'riscv-for-linus-5.8-mw0' of git://git...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=125b16fe100000
kernel config: https://syzkaller.appspot.com/x/.config?x=3dbb617b9c2a5bdf
dashboard link: https://syzkaller.appspot.com/bug?extid=0516f001db1371c0a13a
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
CC: [andriy.s...@linux.intel.com gre...@linuxfoundation.org linux-...@vger.kernel.org linu...@vger.kernel.org one...@suse.com rafael.j...@intel.com st...@rowland.harvard.edu]

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+0516f0...@syzkaller.appspotmail.com

BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 6390f067 P4D 6390f067 PUD 65830067 PMD 0
Oops: 0000 [#1] PREEMPT SMP KASAN
CPU: 2 PID: 9919 Comm: syz-executor.3 Not tainted 5.7.0-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
RIP: 0010:__read_once_size include/linux/compiler.h:252 [inline]
RIP: 0010:__sanitizer_cov_trace_pc+0x43/0x60 kernel/kcov.c:202
Code: 24 74 0f 80 e6 01 74 35 8b 90 04 14 00 00 85 d2 74 2b 8b 90 e0 13 00 00 83 fa 02 75 20 48 8b 88 e8 13 00 00 8b 80 e4 13 00 00 <48> 8b 11 48 83 c2 01 48 39 d0 76 07 48 89 34 d1 48 89 11 c3 66 0f
RSP: 0018:ffffc90001176e48 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000002 RSI: ffffffff839dff28 RDI: 0000000000000000
RBP: ffffc90001176f30 R08: 0000000000000000 R09: 0000000000000001
R10: ffffffff8c349a0f R11: fffffbfff1869341 R12: dffffc0000000000
R13: 0000000000037dc0 R14: 0000000000037dc0 R15: ffff88802d027580
FS: 00007fac8c82d700(0000) GS:ffff88802d000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000006538c000 CR4: 0000000000340ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
check_preemption_disabled lib/smp_processor_id.c:14 [inline]
debug_smp_processor_id+0x8/0x185 lib/smp_processor_id.c:57
__schedule+0x7b/0x1fc0 kernel/sched/core.c:4082
schedule+0xd0/0x2a0 kernel/sched/core.c:4231
schedule_timeout+0x35c/0x850 kernel/time/timer.c:1897
do_wait_for_common kernel/sched/completion.c:85 [inline]
__wait_for_common kernel/sched/completion.c:106 [inline]
wait_for_common kernel/sched/completion.c:117 [inline]
wait_for_completion_timeout+0x162/0x280 kernel/sched/completion.c:157
usb_start_wait_urb+0x144/0x2b0 drivers/usb/core/message.c:63
usb_internal_control_msg drivers/usb/core/message.c:102 [inline]
usb_control_msg+0x31c/0x4a0 drivers/usb/core/message.c:153
get_port_status drivers/usb/core/hub.c:573 [inline]
hub_ext_port_status+0x125/0x460 drivers/usb/core/hub.c:590
hub_port_status drivers/usb/core/hub.c:612 [inline]
hub_activate+0x4f4/0x16c0 drivers/usb/core/hub.c:1119
hub_resume+0x97/0x3b0 drivers/usb/core/hub.c:3790
usb_resume_interface drivers/usb/core/driver.c:1298 [inline]
usb_resume_interface.isra.0+0x2db/0x390 drivers/usb/core/driver.c:1256
usb_resume_both+0x26a/0x860 drivers/usb/core/driver.c:1458
__rpm_callback+0x27e/0x3c0 drivers/base/power/runtime.c:357
rpm_callback+0x18f/0x230 drivers/base/power/runtime.c:487
rpm_resume+0x117c/0x1940 drivers/base/power/runtime.c:849
__pm_runtime_resume+0x103/0x170 drivers/base/power/runtime.c:1080
pm_runtime_get_sync include/linux/pm_runtime.h:236 [inline]
usb_autoresume_device+0x1e/0x60 drivers/usb/core/driver.c:1645
usbdev_open+0x1f3/0x930 drivers/usb/core/devio.c:1033
chrdev_open+0x219/0x5c0 fs/char_dev.c:414
do_dentry_open+0x546/0x1340 fs/open.c:828
do_open fs/namei.c:3229 [inline]
path_openat+0x1e59/0x27d0 fs/namei.c:3346
do_filp_open+0x192/0x260 fs/namei.c:3373
do_sys_openat2+0x585/0x7d0 fs/open.c:1179
do_sys_open+0xc3/0x140 fs/open.c:1195
do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
entry_SYSCALL_64_after_hwframe+0x49/0xb3
RIP: 0033:0x4160a1
Code: 75 14 b8 02 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 e4 19 00 00 c3 48 83 ec 08 e8 6a fa ff ff 48 89 04 24 b8 02 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 b3 fa ff ff 48 89 d0 48 83 c4 08 48 3d 01
RSP: 002b:00007fac8c82c7a0 EFLAGS: 00000293 ORIG_RAX: 0000000000000002
RAX: ffffffffffffffda RBX: 6666666666666667 RCX: 00000000004160a1
RDX: 0000000000000000 RSI: 0000000000068001 RDI: 00007fac8c82c850
RBP: 00007fac8c82c850 R08: 000000000000000f R09: 0000000000000000
R10: 00007fac8c82d9d0 R11: 0000000000000293 R12: 00007fac8c82d6d4
R13: 0000000000000c1d R14: 00000000006ed5c0 R15: 00000000004b5408
Modules linked in:
CR2: 0000000000000000
---[ end trace d7a24cb277b4c7ea ]---
RIP: 0010:__read_once_size include/linux/compiler.h:252 [inline]
RIP: 0010:__sanitizer_cov_trace_pc+0x43/0x60 kernel/kcov.c:202
Code: 24 74 0f 80 e6 01 74 35 8b 90 04 14 00 00 85 d2 74 2b 8b 90 e0 13 00 00 83 fa 02 75 20 48 8b 88 e8 13 00 00 8b 80 e4 13 00 00 <48> 8b 11 48 83 c2 01 48 39 d0 76 07 48 89 34 d1 48 89 11 c3 66 0f
RSP: 0018:ffffc90001176e48 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000002 RSI: ffffffff839dff28 RDI: 0000000000000000
RBP: ffffc90001176f30 R08: 0000000000000000 R09: 0000000000000001
R10: ffffffff8c349a0f R11: fffffbfff1869341 R12: dffffc0000000000
R13: 0000000000037dc0 R14: 0000000000037dc0 R15: ffff88802d027580
FS: 00007fac8c82d700(0000) GS:ffff88802d000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000006538c000 CR4: 0000000000340ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
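As an added triage example for this page (not code from syzbot, syzkaller or the kernel tree): a small Python parser that pulls the fault address, the faulting non-inlined function, the bytes at RIP, the register dump and the call trace out of an x86-64 oops like the one above, decodes the marked instruction when it is a plain register-indirect MOV, and checks whether that base register holds the faulting address. The sample input is an abridged excerpt of the report's own lines; the instruction decoder is deliberately limited to the `[REX] 8B/89 modrm` form with no displacement and returns None for anything else.

```python
"""Triage helper for an x86-64 kernel oops as printed in a syzbot report.

Added example; not code from syzbot, syzkaller or the kernel.
"""
import re

# Abridged excerpt of the report above; lines copied verbatim from the oops.
OOPS = """\
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor read access in kernel mode
Oops: 0000 [#1] PREEMPT SMP KASAN
CPU: 2 PID: 9919 Comm: syz-executor.3 Not tainted 5.7.0-syzkaller #0
RIP: 0010:__read_once_size include/linux/compiler.h:252 [inline]
RIP: 0010:__sanitizer_cov_trace_pc+0x43/0x60 kernel/kcov.c:202
Code: 24 74 0f 80 e6 01 74 35 8b 90 04 14 00 00 85 d2 74 2b 8b 90 e0 13 00 00 83 fa 02 75 20 48 8b 88 e8 13 00 00 8b 80 e4 13 00 00 <48> 8b 11 48 83 c2 01 48 39 d0 76 07 48 89 34 d1 48 89 11 c3 66 0f
RSP: 0018:ffffc90001176e48 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000002 RSI: ffffffff839dff28 RDI: 0000000000000000
CR2: 0000000000000000 CR3: 000000006538c000 CR4: 0000000000340ee0
Call Trace:
check_preemption_disabled lib/smp_processor_id.c:14 [inline]
debug_smp_processor_id+0x8/0x185 lib/smp_processor_id.c:57
__schedule+0x7b/0x1fc0 kernel/sched/core.c:4082
"""

# symbol[+off/size] file:line [inline]
SYM = r"([\w.]+)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)? (\S+?)( \[inline\])?$"
RIP_RE = re.compile(r"^RIP: 0010:" + SYM)
FRAME_RE = re.compile(r"^" + SYM)
REG_RE = re.compile(
    r"\b(R(?:AX|BX|CX|DX|SI|DI|BP|0[89]|1[0-5])|CR[0-4]): ([0-9a-f]{16})\b")

REGS64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi",
          "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"]
REGS32 = [r.replace("r", "e", 1) if not r[1].isdigit() else r + "d" for r in REGS64]


def norm_reg(name):
    """'R08' -> 'r8', 'RAX' -> 'rax', 'CR2' -> 'cr2'."""
    return re.sub(r"^r0(\d)$", r"r\1", name.lower())


def parse_code_line(line):
    """Split the 'Code:' bytes at the <..> marker: (before RIP, from RIP on)."""
    toks = line.split(":", 1)[1].split()
    at = next(i for i, t in enumerate(toks) if t.startswith("<"))
    before = bytes(int(t, 16) for t in toks[:at])
    after = bytes(int(t.strip("<>"), 16) for t in toks[at:])
    return before, after


def decode_simple_mov(code):
    """Decode [REX] 8B/89 modrm with mod=00 and no SIB/RIP-relative form,
    i.e. 'mov reg, [base]' or 'mov [base], reg'.  Returns (text, base) or
    None for anything else; a triage helper, not a general x86 decoder."""
    i = rex = 0
    if code and 0x40 <= code[0] <= 0x4F:
        rex, i = code[0], 1
    if len(code) < i + 2 or code[i] not in (0x8B, 0x89):
        return None
    op, modrm = code[i], code[i + 1]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod != 0 or rm in (4, 5):         # SIB byte or RIP-relative: out of scope
        return None
    reg += 8 * ((rex >> 2) & 1)          # REX.R extends the reg field
    rm += 8 * (rex & 1)                  # REX.B extends the base field
    r = (REGS64 if rex & 8 else REGS32)[reg]   # REX.W selects 64-bit width
    base = REGS64[rm]                    # the address register is always 64-bit here
    text = f"mov {r}, [{base}]" if op == 0x8B else f"mov [{base}], {r}"
    return text, base


def triage(text):
    out = {"fault_addr": None, "rip": None, "regs": {}, "frames": [],
           "fault_bytes": b"", "decoded": None, "null_base": False}
    in_trace = False
    for line in text.splitlines():
        line = line.strip()
        if in_trace:
            m = FRAME_RE.match(line)
            if m:
                out["frames"].append({"sym": m[1], "loc": m[2], "inline": bool(m[3])})
                continue
            in_trace = False
        if line.startswith("BUG:"):
            m = re.search(r"address: ([0-9a-f]+)", line)
            if m:
                out["fault_addr"] = int(m[1], 16)
        elif line.startswith("RIP: 0010:"):
            m = RIP_RE.match(line)
            if m and not m[3]:           # skip [inline] frames, keep the real function
                out["rip"] = {"sym": m[1], "loc": m[2]}
        elif line.startswith("Code:"):
            _, out["fault_bytes"] = parse_code_line(line)
        elif line == "Call Trace:":
            in_trace = True
        else:
            for name, val in REG_RE.findall(line):
                out["regs"][norm_reg(name)] = int(val, 16)
    dec = decode_simple_mov(out["fault_bytes"])
    if dec:
        out["decoded"] = dec
        # Base register == fault address == 0 means the pointer itself was
        # NULL, not that a bad index or offset was added to a valid one.
        out["null_base"] = out["regs"].get(dec[1]) == out["fault_addr"] == 0
    return out


if __name__ == "__main__":
    r = triage(OOPS)
    print(r["rip"], r["fault_bytes"][:3].hex(), r["decoded"], r["null_base"])
```

Run on the excerpt, it reports the faulting function as `__sanitizer_cov_trace_pc` at `kernel/kcov.c:202`, the bytes at RIP as `48 8b 11`, decoded as `mov rdx, [rcx]`, with RCX and CR2 both 0: the READ_ONCE inlined at that line went through a NULL pointer. Which pointer that is, and why it was NULL on this path, is what the thread leaves open.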

Dmitry Vyukov

Jun 7, 2020, 5:41:56 AM
to Andrey Konovalov, Marco Elver, 'Dmitry Vyukov' via syzkaller-upstream-moderation, syzkaller, syzbot
On Sat, Jun 6, 2020 at 8:02 PM syzbot
<syzbot+0516f0...@syzkaller.appspotmail.com> wrote:
>
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: 435faf5c Merge tag 'riscv-for-linus-5.8-mw0' of git://git...
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=125b16fe100000
> kernel config: https://syzkaller.appspot.com/x/.config?x=3dbb617b9c2a5bdf
> dashboard link: https://syzkaller.appspot.com/bug?extid=0516f001db1371c0a13a
> compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> CC: [andriy.s...@linux.intel.com gre...@linuxfoundation.org linux-...@vger.kernel.org linu...@vger.kernel.org one...@suse.com rafael.j...@intel.com st...@rowland.harvard.edu]
>
> Unfortunately, I don't have any reproducer for this crash yet.
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+0516f0...@syzkaller.appspotmail.com
>
> BUG: kernel NULL pointer dereference, address: 0000000000000000
> #PF: supervisor read access in kernel mode
> #PF: error_code(0x0000) - not-present page
> PGD 6390f067 P4D 6390f067 PUD 65830067 PMD 0
> Oops: 0000 [#1] PREEMPT SMP KASAN
> CPU: 2 PID: 9919 Comm: syz-executor.3 Not tainted 5.7.0-syzkaller #0
> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
> RIP: 0010:__read_once_size include/linux/compiler.h:252 [inline]
> RIP: 0010:__sanitizer_cov_trace_pc+0x43/0x60 kernel/kcov.c:202

Andrey, NULL derefs in KCOV strike back. This is on upstream. And
there is another one:
https://syzkaller.appspot.com/bug?id=52d934ed29fb453cc637b6c095a5e3063ef70e27
We may get lots of them soon.

I am now not sure: is it related to the old softirq issues? Or is it
now somehow related to noinstr? Or are the vmalloc faults not yet
eliminated on the upstream tree?

Andrey Konovalov

Jun 7, 2020, 3:27:47 PM
to Dmitry Vyukov, Marco Elver, 'Dmitry Vyukov' via syzkaller-upstream-moderation, syzkaller, syzbot
Yeah, we also got one crash on the USB instance. This sucks, I'm
looking into it.

> I am now not sure, is it related to the old softirq issues? Or is it
> now somehow related to noinstr? Or the vmalloc faults are not yet
> eliminated on the upstream tree?

vmalloc patches are upstream, so the issue is unrelated. Not sure about noinstr.

Andrey Konovalov

Jun 10, 2020, 8:27:15 AM
to syzbot, 'Dmitry Vyukov' via syzkaller-upstream-moderation

#syz invalid