BUG: unable to handle kernel NULL pointer dereference in qlist_free_all (5)


syzbot

Feb 28, 2018, 4:59:03 PM
to syzkaller-upst...@googlegroups.com
Hello,

syzbot hit the following crash on upstream commit
c02be2334e7523903cc15b5258a48b85b5de6cbc (Wed Feb 28 19:40:51 2018 +0000)
Merge tag 'xfs-4.16-fixes-2' of
git://git.kernel.org/pub/scm/fs/xfs/xfs-linux

Unfortunately, I don't have any reproducer for this crash yet.
Raw console output is attached.
compiler: gcc (GCC) 7.1.1 20170620
.config is attached.
user-space arch: i386
CC: [core...@netfilter.org da...@davemloft.net f...@strlen.de
kad...@blackhole.kfki.hu linux-...@vger.kernel.org
net...@vger.kernel.org netfilt...@vger.kernel.org pa...@netfilter.org]

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+7d25f4...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for
details.
If you forward the report, please keep this part and the footer.

device bridge0 entered promiscuous mode
binder: 14600:14607 got transaction with invalid offsets ptr
binder: 14600:14607 transaction failed 29201/-14, size 80-16 line 2991
BUG: unable to handle kernel NULL pointer dereference at 00000000000000fd
IP: qlist_free_all+0x37/0x160 mm/kasan/quarantine.c:163
PGD 1babe4067 P4D 1babe4067 PUD 1babe5067 PMD 0
Oops: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 4160 Comm: syz-executor6 Not tainted 4.16.0-rc3+ #243
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RIP: 0010:qlist_free_all+0x37/0x160 mm/kasan/quarantine.c:163
RSP: 0018:ffff8801baf2f4e8 EFLAGS: 00010246
RAX: ffff8801c5e24b40 RBX: 0000000000000286 RCX: 0000000000000000
RDX: ffffea0007178900 RSI: ffffea0006dc739f RDI: 0000000000000286
RBP: ffff8801baf2f520 R08: 1ffff100375e5e6b R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000001 R14: ffff8801c5e24b40 R15: ffffffff86ec9820
FS: 0000000000000000(0000) GS:ffff8801db300000(0063) knlGS:000000000901b900
CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: 00000000000000fd CR3: 00000001babe3005 CR4: 00000000001606e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
quarantine_reduce+0x141/0x170 mm/kasan/quarantine.c:259
kasan_kmalloc+0xca/0xe0 mm/kasan/kasan.c:537
kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:489
slab_post_alloc_hook mm/slab.h:443 [inline]
slab_alloc_node mm/slab.c:3322 [inline]
kmem_cache_alloc_node_trace+0x139/0x760 mm/slab.c:3648
kmalloc_node include/linux/slab.h:550 [inline]
kzalloc_node include/linux/slab.h:712 [inline]
__get_vm_area_node+0xae/0x340 mm/vmalloc.c:1402
__vmalloc_node_range+0xa3/0x650 mm/vmalloc.c:1754
__vmalloc_node mm/vmalloc.c:1804 [inline]
__vmalloc_node_flags mm/vmalloc.c:1818 [inline]
vmalloc+0x45/0x50 mm/vmalloc.c:1840
xt_compat_add_offset+0x228/0x380 net/netfilter/x_tables.c:529
compat_calc_entry net/ipv6/netfilter/ip6_tables.c:936 [inline]
compat_table_info+0x254/0x4a0 net/ipv6/netfilter/ip6_tables.c:967
compat_get_entries net/ipv6/netfilter/ip6_tables.c:1639 [inline]
compat_do_ip6t_get_ctl+0x322/0xc80 net/ipv6/netfilter/ip6_tables.c:1671
compat_nf_sockopt net/netfilter/nf_sockopt.c:139 [inline]
compat_nf_getsockopt+0x8b/0x130 net/netfilter/nf_sockopt.c:163
compat_ipv6_getsockopt+0x201/0x370 net/ipv6/ipv6_sockglue.c:1409
inet_csk_compat_getsockopt+0x95/0x120 net/ipv4/inet_connection_sock.c:1028
compat_tcp_getsockopt+0x3d/0x70 net/ipv4/tcp.c:3370
compat_sock_common_getsockopt+0xb2/0x140 net/core/sock.c:2945
C_SYSC_getsockopt net/compat.c:523 [inline]
compat_SyS_getsockopt net/compat.c:506 [inline]
C_SYSC_socketcall net/compat.c:857 [inline]
compat_SyS_socketcall+0xe74/0x17c0 net/compat.c:788
do_syscall_32_irqs_on arch/x86/entry/common.c:330 [inline]
do_fast_syscall_32+0x3ec/0xf9f arch/x86/entry/common.c:392
entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139
RIP: 0023:0xf7fe8c99
RSP: 002b:000000000844e3e0 EFLAGS: 00000206 ORIG_RAX: 0000000000000066
RAX: ffffffffffffffda RBX: 000000000000000f RCX: 000000000844e3fc
RDX: 000000000844e548 RSI: 000000000844e454 RDI: 000000000844eb6c
RBP: 00000000081166d8 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
Code: 55 48 89 e5 41 57 41 56 41 55 41 54 49 c7 c7 20 98 ec 86 53 49 89 f4
48 83 ec 10 48 89 7d c8 4d 85 e4 4d 89 e5 0f 84 c8 00 00 00 <49> 63 95 fc
00 00 00 4c 8b 30 48 29 d0 49 83 3f 00 48 89 c6 0f
RIP: qlist_free_all+0x37/0x160 mm/kasan/quarantine.c:163 RSP: ffff8801baf2f4e8
CR2: 00000000000000fd
---[ end trace 64dd1373e5f0f8cf ]---


---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzk...@googlegroups.com.

syzbot will keep track of this bug report.
If you forgot to add the Reported-by tag, once the fix for this bug is
merged into any tree, please reply to this email with:
#syz fix: exact-commit-title
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug
report.
Note: all commands must start from beginning of the line in the email body.
To upstream this report, please reply with:
#syz upstream
raw.log.txt
config.txt

Dmitry Vyukov

May 26, 2018, 1:43:04 PM
to syzbot, 'Dmitry Vyukov' via syzkaller-upstream-moderation
On Wed, Feb 28, 2018 at 10:59 PM, syzbot
<syzbot+7d25f4...@syzkaller.appspotmail.com> wrote:
> Hello,
>
> syzbot hit the following crash on upstream commit
> c02be2334e7523903cc15b5258a48b85b5de6cbc (Wed Feb 28 19:40:51 2018 +0000)
> Merge tag 'xfs-4.16-fixes-2' of
> git://git.kernel.org/pub/scm/fs/xfs/xfs-linux
>
> Unfortunately, I don't have any reproducer for this crash yet.
> Raw console output is attached.
> compiler: gcc (GCC) 7.1.1 20170620
> .config is attached.
> user-space arch: i386
> CC: [core...@netfilter.org da...@davemloft.net f...@strlen.de
> kad...@blackhole.kfki.hu linux-...@vger.kernel.org net...@vger.kernel.org
> netfilt...@vger.kernel.org pa...@netfilter.org]
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+7d25f4...@syzkaller.appspotmail.com
> It will help syzbot understand when the bug is fixed. See footer for
> details.
> If you forward the report, please keep this part and the footer.

This type of crash usually means some silent memory corruption in
other places. And this seems to have stopped happening, so closing:

#syz invalid
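The following is an added illustration, not code from the report or from the kernel, of the mechanism behind the diagnosis above. KASAN's quarantine keeps freed objects on an intrusive singly linked list whose link (struct qlist_node) lives inside the freed object itself, and qlist_free_all() walks that list. If something writes into a quarantined object through a path KASAN does not instrument, the link is clobbered silently and the fault only appears later, in the walk, at whatever garbage address the overwritten link now holds (here the faulting address is the small value 0xfd, well away from any slab). The userspace model below reproduces that shape with its own names (qnode, qhead, simulate, last_bad_link are ours, the arena stands in for a slab); it validates each link before following it instead of crashing, which is also the check one would add when trying to localise such a corruption.

```c
/* Constructed userspace model of an intrusive free list like the one KASAN's
 * quarantine keeps inside freed objects. Not kernel code; all names are ours.
 * Shows why a stray write that KASAN does not observe into a quarantined
 * object surfaces later as a bogus link dereference in the free-all walk,
 * far from the code that actually performed the write. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OBJ_SIZE 64
#define NOBJ 8

struct qnode { struct qnode *next; };           /* stored at offset 0 of a freed object */
struct qhead { struct qnode *head, *tail; size_t count; };

static unsigned char arena[NOBJ * OBJ_SIZE];    /* constructed stand-in for a slab */
static const void *last_bad;                    /* first bogus link seen by the last walk */

static void *obj_at(size_t i) { return arena + i * OBJ_SIZE; }

/* Append a freed object to the quarantine; the link is written into the object. */
static void qput(struct qhead *q, void *obj)
{
    struct qnode *n = obj;
    n->next = NULL;
    if (q->tail) q->tail->next = n; else q->head = n;
    q->tail = n;
    q->count++;
}

/* 1 if p points at the start of an object inside the arena, else 0. */
static int link_is_sane(const struct qnode *p)
{
    uintptr_t a = (uintptr_t)arena, x = (uintptr_t)p;
    return x >= a && x < a + sizeof arena && (x - a) % OBJ_SIZE == 0;
}

/* Walk the list as a free-all would, but validate each link before following
 * it. Returns the number of nodes reached; sets last_bad to the first link
 * that does not point into the arena (NULL if none). */
static size_t qwalk_checked(const struct qhead *q)
{
    size_t visited = 0;
    const struct qnode *n = q->head;
    last_bad = NULL;
    while (n) {
        if (!link_is_sane(n)) { last_bad = n; break; }
        visited++;
        n = n->next;
    }
    return visited;
}

/* Quarantine all NOBJ objects, then optionally overwrite object `victim`
 * with `pattern` bytes, as uninstrumented code would, clobbering its link.
 * Returns how many nodes the checked walk reaches. */
size_t simulate(int corrupt, size_t victim, unsigned char pattern)
{
    struct qhead q = {0};
    memset(arena, 0, sizeof arena);
    for (size_t i = 0; i < NOBJ; i++) qput(&q, obj_at(i));
    if (corrupt) memset(obj_at(victim), pattern, OBJ_SIZE);
    return qwalk_checked(&q);
}

const void *last_bad_link(void) { return last_bad; }

int main(void)
{
    printf("intact: walked %zu of %d nodes\n", simulate(0, 0, 0), NOBJ);
    size_t n = simulate(1, 3, 0x01);   /* non-zero garbage: the walk hits a wild pointer */
    printf("stray 0x01 write into object 3: walked %zu nodes, next link %p\n", n, last_bad_link());
    n = simulate(1, 3, 0x00);          /* zero garbage: the list is silently truncated */
    printf("stray 0x00 write into object 3: walked %zu nodes, no bad link\n", n);
    return 0;
}
```

In the real kernel the walk does not validate anything, so the non-zero case is the oops seen above and the zero case is a quiet leak of the rest of the quarantine; neither points at the code that did the write, which is why such reports are treated as symptoms rather than as the bug itself.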