[moderation] [fs?] BUG: unable to handle kernel paging request in put_files_struct


syzbot

May 28, 2024, 11:37:21 PM
to syzkaller-upst...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 02c438bbfffe Merge tag 'for-6.10-tag' of git://git.kernel...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10da3f84980000
kernel config: https://syzkaller.appspot.com/x/.config?x=21de3d423116c304
dashboard link: https://syzkaller.appspot.com/bug?extid=72b989111b71a2d809b5
compiler: aarch64-linux-gnu-gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
CC: [bra...@kernel.org ja...@suse.cz linux-...@vger.kernel.org linux-...@vger.kernel.org vi...@zeniv.linux.org.uk]

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/384ffdcca292/non_bootable_disk-02c438bb.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/27e89a0db9ef/vmlinux-02c438bb.xz
kernel image: https://storage.googleapis.com/syzbot-assets/e281415dcb64/Image-02c438bb.gz.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+72b989...@syzkaller.appspotmail.com

Unable to handle kernel paging request at virtual address 0070000005511a80
Mem abort info:
ESR = 0x0000000096000004
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x04: level 0 translation fault
Data abort info:
ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
CM = 0, WnR = 0, TnD = 0, TagAccess = 0
GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[0070000005511a80] address between user and kernel address ranges
Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
Modules linked in:
CPU: 1 PID: 30081 Comm: syz-executor.0 Not tainted 6.9.0-syzkaller-12220-g02c438bbfffe #0
Hardware name: linux,dummy-virt (DT)
pstate: 61400009 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
pc : close_files fs/file.c:432 [inline]
pc : put_files_struct+0x8c/0x134 fs/file.c:452
lr : exit_files+0x40/0x54 fs/file.c:469
sp : ffff800083d8bb30
x29: ffff800083d8bb30 x28: 0000000000000001 x27: f5f00000048787e8
x26: 0000000000000000 x25: 0000000000000001 x24: f2f00000041fcdc0
x23: 0000000000000000 x22: f2f000000d6f1c80 x21: 0000000000000000
x20: f2f00000041fcdc0 x19: f5f0000004878000 x18: ffff800083d8baa8
x17: 0000000000000000 x16: 0000000000000000 x15: 0000fffffacdda78
x14: 00000000000002c5 x13: 0000000000000000 x12: ffff8000825e0028
x11: 0010000000000000 x10: ffffc1ffc0000000 x9 : 0000000000000004
x8 : 0000000000000078 x7 : f2f0000003fbebbc x6 : 0000000000000003
x5 : f5f0000004878000 x4 : fff000007f8f1fb0 x3 : 000000000005ad91
x2 : 0000000000000000 x1 : f170000005511a80 x0 : 0000000000000180
Call trace:
close_files fs/file.c:432 [inline]
put_files_struct+0x8c/0x134 fs/file.c:452
exit_files+0x40/0x54 fs/file.c:469
do_exit+0x710/0x98c kernel/exit.c:869
do_group_exit+0x34/0x90 kernel/exit.c:1023
copy_siginfo_to_user+0x0/0xec kernel/signal.c:2909
do_signal+0xf0/0x1450 arch/arm64/kernel/signal.c:1308
do_notify_resume+0xd8/0x164 arch/arm64/kernel/entry-common.c:148
exit_to_user_mode_prepare arch/arm64/kernel/entry-common.c:169 [inline]
exit_to_user_mode arch/arm64/kernel/entry-common.c:178 [inline]
el0_svc+0xc8/0xf8 arch/arm64/kernel/entry-common.c:713
el0t_64_sync_handler+0x100/0x12c arch/arm64/kernel/entry-common.c:730
el0t_64_sync+0x19c/0x1a0 arch/arm64/kernel/entry.S:598
Code: d503201f f9400ec1 2a1903e2 11000739 (f8625833)
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
0: d503201f nop
4: f9400ec1 ldr x1, [x22, #24]
8: 2a1903e2 mov w2, w25
c: 11000739 add w25, w25, #0x1
* 10: f8625833 ldr x19, [x1, w2, uxtw #3] <-- trapping instruction


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup