general protection fault in rcu_sync_func (3)


syzbot

Aug 27, 2022, 7:11:36 PM8/27/22
to syzkaller-upst...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 05477f3653b8 Add linux-next specific files for 20220823
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=11befdcb080000
kernel config: https://syzkaller.appspot.com/x/.config?x=4f9734e0329687d5
dashboard link: https://syzkaller.appspot.com/bug?extid=f3192116e62c0f3d1073
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
CC: [johan....@gmail.com linux-b...@vger.kernel.org linux-...@vger.kernel.org luiz....@gmail.com mar...@holtmann.org]

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+f31921...@syzkaller.appspotmail.com

general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 1 PID: 31303 Comm: syz-executor.4 Not tainted 6.0.0-rc2-next-20220823-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022
RIP: 0010:__wake_up_common+0xdf/0x650 kernel/sched/wait.c:100
Code: 05 00 00 4c 8b 43 40 49 83 e8 18 49 8d 78 18 48 3b 3c 24 0f 84 6a 02 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 f9 48 c1 e9 03 <80> 3c 01 00 0f 85 40 05 00 00 49 8b 40 18 89 54 24 10 31 db 48 bd
RSP: 0018:ffffc900161677a8 EFLAGS: 00010046
RAX: dffffc0000000000 RBX: ffff8880218328c8 RCX: 0000000000000000
RDX: 0000000000000001 RSI: 1ffffffff1bbfdb9 RDI: 0000000000000000
RBP: ffff888021832918 R08: ffffffffffffffe8 R09: 0000000000000000
R10: fffff52002c2ceef R11: 0000000000000001 R12: ffff8880218328c0
R13: 0000000000000297 R14: 0000000000000000 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000555555951708 CR3: 00000000316ce000 CR4: 00000000003506e0
Call Trace:
<TASK>
rcu_sync_func+0x119/0x180 kernel/rcu/sync.c:87
rcu_sync_enter+0x150/0x2e0 kernel/rcu/sync.c:150
percpu_down_write+0x62/0x440 kernel/locking/percpu-rwsem.c:225
hci_uart_tty_close+0x13d/0x290 drivers/bluetooth/hci_ldisc.c:539
tty_ldisc_close+0x110/0x190 drivers/tty/tty_ldisc.c:456
tty_ldisc_kill+0x94/0x150 drivers/tty/tty_ldisc.c:608
tty_ldisc_release+0xe1/0x2a0 drivers/tty/tty_ldisc.c:776
tty_release_struct+0x20/0xe0 drivers/tty/tty_io.c:1694
tty_release+0xc70/0x1200 drivers/tty/tty_io.c:1865
__fput+0x27c/0xa90 fs/file_table.c:320
task_work_run+0xdd/0x1a0 kernel/task_work.c:177
exit_task_work include/linux/task_work.h:38 [inline]
do_exit+0xc3f/0x2b60 kernel/exit.c:818
do_group_exit+0xd0/0x2a0 kernel/exit.c:948
get_signal+0x238c/0x2610 kernel/signal.c:2858
arch_do_signal_or_restart+0x82/0x2300 arch/x86/kernel/signal.c:869
exit_to_user_mode_loop kernel/entry/common.c:166 [inline]
exit_to_user_mode_prepare+0x15f/0x250 kernel/entry/common.c:201
__syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline]
syscall_exit_to_user_mode+0x19/0x50 kernel/entry/common.c:294
do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f1efc089279
Code: Unable to access opcode bytes at RIP 0x7f1efc08924f.
RSP: 002b:00007f1efd281168 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: 0000000000000000 RBX: 00007f1efc19c120 RCX: 00007f1efc089279
RDX: 0000000000000002 RSI: 00000000400455c8 RDI: 0000000000000003
RBP: 00007f1efc0e3189 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fff891d34af R14: 00007f1efd281300 R15: 0000000000022000
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__wake_up_common+0xdf/0x650 kernel/sched/wait.c:100
Code: 05 00 00 4c 8b 43 40 49 83 e8 18 49 8d 78 18 48 3b 3c 24 0f 84 6a 02 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 f9 48 c1 e9 03 <80> 3c 01 00 0f 85 40 05 00 00 49 8b 40 18 89 54 24 10 31 db 48 bd
RSP: 0018:ffffc900161677a8 EFLAGS: 00010046
RAX: dffffc0000000000 RBX: ffff8880218328c8 RCX: 0000000000000000
RDX: 0000000000000001 RSI: 1ffffffff1bbfdb9 RDI: 0000000000000000
RBP: ffff888021832918 R08: ffffffffffffffe8 R09: 0000000000000000
R10: fffff52002c2ceef R11: 0000000000000001 R12: ffff8880218328c0
R13: 0000000000000297 R14: 0000000000000000 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000555555951708 CR3: 00000000316ce000 CR4: 00000000003506e0
----------------
Code disassembly (best guess):
0: 05 00 00 4c 8b add $0x8b4c0000,%eax
5: 43 rex.XB
6: 40 rex
7: 49 83 e8 18 sub $0x18,%r8
b: 49 8d 78 18 lea 0x18(%r8),%rdi
f: 48 3b 3c 24 cmp (%rsp),%rdi
13: 0f 84 6a 02 00 00 je 0x283
19: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
20: fc ff df
23: 48 89 f9 mov %rdi,%rcx
26: 48 c1 e9 03 shr $0x3,%rcx
* 2a: 80 3c 01 00 cmpb $0x0,(%rcx,%rax,1) <-- trapping instruction
2e: 0f 85 40 05 00 00 jne 0x574
34: 49 8b 40 18 mov 0x18(%r8),%rax
38: 89 54 24 10 mov %edx,0x10(%rsp)
3c: 31 db xor %ebx,%ebx
3e: 48 rex.W
3f: bd .byte 0xbd


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

Nov 9, 2022, 3:30:40 PM11/9/22
to syzkaller-upst...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.