[moderation] [lsm?] general protection fault in smack_inode_permission (2)
1 view
Skip to first unread message
syzbot
Jul 11, 2025, 7:54:35 PM7/11/25
to syzkaller-upst...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: d7b8f8e20813 Linux 6.16-rc5
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13ce5f70580000
kernel config: https://syzkaller.appspot.com/x/.config?x=72aa0474e3c3b9ac
dashboard link: https://syzkaller.appspot.com/bug?extid=225ced522b1025a72cb9
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
CC: [ca...@schaufler-ca.com jmo...@namei.org linux-...@vger.kernel.org linux-secu...@vger.kernel.org pa...@paul-moore.com se...@hallyn.com]
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/605b3edeb031/disk-d7b8f8e2.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/a3cb6f3ea4a9/vmlinux-d7b8f8e2.xz
kernel image: https://storage.googleapis.com/syzbot-assets/cd9e0c6a9926/bzImage-d7b8f8e2.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+225ced...@syzkaller.appspotmail.com
ERROR: (device loop1): jfs_readdir: JFS:Dtree error: ino = 2, bn=0, index = 6
ERROR: (device loop1): jfs_readdir: JFS:Dtree error: ino = 2, bn=0, index = 7
Oops: general protection fault, probably for non-canonical address 0xdffffc01863ae4f5: 0000 [#1] SMP KASAN PTI
KASAN: probably user-memory-access in range [0x0000000c31d727a8-0x0000000c31d727af]
CPU: 1 UID: 0 PID: 5840 Comm: syz-executor Not tainted 6.16.0-rc5-syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
RIP: 0010:smk_of_inode security/smack/smack.h:392 [inline]
RIP: 0010:smack_inode_permission+0x271/0x320 security/smack/smack_lsm.c:1217
Code: 03 80 3c 18 00 74 08 4c 89 ff e8 da f2 ac fd 48 63 1d ff 66 47 09 49 03 1f 48 89 d8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 08 48 89 df e8 b1 f2 ac fd 48 8b 3b 44 89 f6 48 8d
RSP: 0018:ffffc90003fff9a0 EFLAGS: 00010206
RAX: 00000001863ae4f5 RBX: 0000000c31d727a8 RCX: dffffc0000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffc90003fff9f8
RBP: ffffc90003fffab0 R08: ffffc90003fffa27 R09: 0000000000000000
R10: ffffc90003fffa00 R11: fffff520007fff45 R12: 1ffff920007fff38
R13: ffffc90003fff9e0 R14: 0000000000000001 R15: ffff888059da3bb8
FS: 00005555822da500(0000) GS:ffff888125d51000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f92c15b7bac CR3: 0000000021bec000 CR4: 00000000003526f0
Call Trace:
<TASK>
security_inode_permission+0xf8/0x310 security/security.c:2324
may_lookup fs/namei.c:1845 [inline]
link_path_walk+0x232/0xea0 fs/namei.c:2454
path_lookupat+0x97/0x430 fs/namei.c:2662
filename_lookup+0x212/0x570 fs/namei.c:2692
user_path_at+0x3a/0x60 fs/namei.c:3136
ksys_umount fs/namespace.c:2147 [inline]
__do_sys_umount fs/namespace.c:2155 [inline]
__se_sys_umount fs/namespace.c:2153 [inline]
__x64_sys_umount+0xee/0x160 fs/namespace.c:2153
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fd8cb58fc57
Code: a8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 c7 c2 a8 ff ff ff f7 d8 64 89 02 b8
RSP: 002b:00007ffe8e3a3968 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: ffffffffffffffda RBX: 00007fd8cb610925 RCX: 00007fd8cb58fc57
RDX: 0000000000000000 RSI: 0000000000000009 RDI: 00007ffe8e3a3a20
RBP: 00007ffe8e3a3a20 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000246 R12: 00007ffe8e3a4b10
R13: 00007fd8cb610925 R14: 0000000000024145 R15: 00007ffe8e3a5be0
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:smk_of_inode security/smack/smack.h:392 [inline]
RIP: 0010:smack_inode_permission+0x271/0x320 security/smack/smack_lsm.c:1217
Code: 03 80 3c 18 00 74 08 4c 89 ff e8 da f2 ac fd 48 63 1d ff 66 47 09 49 03 1f 48 89 d8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 08 48 89 df e8 b1 f2 ac fd 48 8b 3b 44 89 f6 48 8d
RSP: 0018:ffffc90003fff9a0 EFLAGS: 00010206
RAX: 00000001863ae4f5 RBX: 0000000c31d727a8 RCX: dffffc0000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffc90003fff9f8
RBP: ffffc90003fffab0 R08: ffffc90003fffa27 R09: 0000000000000000
R10: ffffc90003fffa00 R11: fffff520007fff45 R12: 1ffff920007fff38
R13: ffffc90003fff9e0 R14: 0000000000000001 R15: ffff888059da3bb8
FS: 00005555822da500(0000) GS:ffff888125d51000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f4f12f76000 CR3: 0000000021bec000 CR4: 00000000003526f0
----------------
Code disassembly (best guess):
0: 03 80 3c 18 00 74 add 0x7400183c(%rax),%eax
6: 08 4c 89 ff or %cl,-0x1(%rcx,%rcx,4)
a: e8 da f2 ac fd call 0xfdacf2e9
f: 48 63 1d ff 66 47 09 movslq 0x94766ff(%rip),%rbx # 0x9476715
16: 49 03 1f add (%r15),%rbx
19: 48 89 d8 mov %rbx,%rax
1c: 48 c1 e8 03 shr $0x3,%rax
20: 48 b9 00 00 00 00 00 movabs $0xdffffc0000000000,%rcx
27: fc ff df
* 2a: 80 3c 08 00 cmpb $0x0,(%rax,%rcx,1) <-- trapping instruction
2e: 74 08 je 0x38
30: 48 89 df mov %rbx,%rdi
33: e8 b1 f2 ac fd call 0xfdacf2e9
38: 48 8b 3b mov (%rbx),%rdi
3b: 44 89 f6 mov %r14d,%esi
3e: 48 rex.W
3f: 8d .byte 0x8d
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: d7b8f8e20813 Linux 6.16-rc5
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13ce5f70580000
kernel config: https://syzkaller.appspot.com/x/.config?x=72aa0474e3c3b9ac
dashboard link: https://syzkaller.appspot.com/bug?extid=225ced522b1025a72cb9
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
CC: [ca...@schaufler-ca.com jmo...@namei.org linux-...@vger.kernel.org linux-secu...@vger.kernel.org pa...@paul-moore.com se...@hallyn.com]
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/605b3edeb031/disk-d7b8f8e2.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/a3cb6f3ea4a9/vmlinux-d7b8f8e2.xz
kernel image: https://storage.googleapis.com/syzbot-assets/cd9e0c6a9926/bzImage-d7b8f8e2.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+225ced...@syzkaller.appspotmail.com
ERROR: (device loop1): jfs_readdir: JFS:Dtree error: ino = 2, bn=0, index = 6
ERROR: (device loop1): jfs_readdir: JFS:Dtree error: ino = 2, bn=0, index = 7
Oops: general protection fault, probably for non-canonical address 0xdffffc01863ae4f5: 0000 [#1] SMP KASAN PTI
KASAN: probably user-memory-access in range [0x0000000c31d727a8-0x0000000c31d727af]
CPU: 1 UID: 0 PID: 5840 Comm: syz-executor Not tainted 6.16.0-rc5-syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
RIP: 0010:smk_of_inode security/smack/smack.h:392 [inline]
RIP: 0010:smack_inode_permission+0x271/0x320 security/smack/smack_lsm.c:1217
Code: 03 80 3c 18 00 74 08 4c 89 ff e8 da f2 ac fd 48 63 1d ff 66 47 09 49 03 1f 48 89 d8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 08 48 89 df e8 b1 f2 ac fd 48 8b 3b 44 89 f6 48 8d
RSP: 0018:ffffc90003fff9a0 EFLAGS: 00010206
RAX: 00000001863ae4f5 RBX: 0000000c31d727a8 RCX: dffffc0000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffc90003fff9f8
RBP: ffffc90003fffab0 R08: ffffc90003fffa27 R09: 0000000000000000
R10: ffffc90003fffa00 R11: fffff520007fff45 R12: 1ffff920007fff38
R13: ffffc90003fff9e0 R14: 0000000000000001 R15: ffff888059da3bb8
FS: 00005555822da500(0000) GS:ffff888125d51000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f92c15b7bac CR3: 0000000021bec000 CR4: 00000000003526f0
Call Trace:
<TASK>
security_inode_permission+0xf8/0x310 security/security.c:2324
may_lookup fs/namei.c:1845 [inline]
link_path_walk+0x232/0xea0 fs/namei.c:2454
path_lookupat+0x97/0x430 fs/namei.c:2662
filename_lookup+0x212/0x570 fs/namei.c:2692
user_path_at+0x3a/0x60 fs/namei.c:3136
ksys_umount fs/namespace.c:2147 [inline]
__do_sys_umount fs/namespace.c:2155 [inline]
__se_sys_umount fs/namespace.c:2153 [inline]
__x64_sys_umount+0xee/0x160 fs/namespace.c:2153
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fd8cb58fc57
Code: a8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 c7 c2 a8 ff ff ff f7 d8 64 89 02 b8
RSP: 002b:00007ffe8e3a3968 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: ffffffffffffffda RBX: 00007fd8cb610925 RCX: 00007fd8cb58fc57
RDX: 0000000000000000 RSI: 0000000000000009 RDI: 00007ffe8e3a3a20
RBP: 00007ffe8e3a3a20 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000246 R12: 00007ffe8e3a4b10
R13: 00007fd8cb610925 R14: 0000000000024145 R15: 00007ffe8e3a5be0
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:smk_of_inode security/smack/smack.h:392 [inline]
RIP: 0010:smack_inode_permission+0x271/0x320 security/smack/smack_lsm.c:1217
Code: 03 80 3c 18 00 74 08 4c 89 ff e8 da f2 ac fd 48 63 1d ff 66 47 09 49 03 1f 48 89 d8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 08 48 89 df e8 b1 f2 ac fd 48 8b 3b 44 89 f6 48 8d
RSP: 0018:ffffc90003fff9a0 EFLAGS: 00010206
RAX: 00000001863ae4f5 RBX: 0000000c31d727a8 RCX: dffffc0000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffc90003fff9f8
RBP: ffffc90003fffab0 R08: ffffc90003fffa27 R09: 0000000000000000
R10: ffffc90003fffa00 R11: fffff520007fff45 R12: 1ffff920007fff38
R13: ffffc90003fff9e0 R14: 0000000000000001 R15: ffff888059da3bb8
FS: 00005555822da500(0000) GS:ffff888125d51000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f4f12f76000 CR3: 0000000021bec000 CR4: 00000000003526f0
----------------
Code disassembly (best guess):
0: 03 80 3c 18 00 74 add 0x7400183c(%rax),%eax
6: 08 4c 89 ff or %cl,-0x1(%rcx,%rcx,4)
a: e8 da f2 ac fd call 0xfdacf2e9
f: 48 63 1d ff 66 47 09 movslq 0x94766ff(%rip),%rbx # 0x9476715
16: 49 03 1f add (%r15),%rbx
19: 48 89 d8 mov %rbx,%rax
1c: 48 c1 e8 03 shr $0x3,%rax
20: 48 b9 00 00 00 00 00 movabs $0xdffffc0000000000,%rcx
27: fc ff df
* 2a: 80 3c 08 00 cmpb $0x0,(%rax,%rcx,1) <-- trapping instruction
2e: 74 08 je 0x38
30: 48 89 df mov %rbx,%rdi
33: e8 b1 f2 ac fd call 0xfdacf2e9
38: 48 8b 3b mov (%rbx),%rdi
3b: 44 89 f6 mov %r14d,%esi
3e: 48 rex.W
3f: 8d .byte 0x8d
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot
Oct 5, 2025, 7:45:19 PM10/5/25
to syzkaller-upst...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.
Crashes did not happen for a while, no reproducer and no activity.
Reply all
Reply to author
Forward
0 new messages