[Android 6.1] invalid opcode in __traceiter_tlb_flush

syzbot

May 13, 2025, 9:27:25 AM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 646380b087a5 UPSTREAM: usb: gadget: f_midi: Fixing wMaxPac..
git tree: android14-6.1
console+strace: https://syzkaller.appspot.com/x/log.txt?x=15068f68580000
kernel config: https://syzkaller.appspot.com/x/.config?x=6af7ea64e79f7c2e
dashboard link: https://syzkaller.appspot.com/bug?extid=9f078c34cdcb1b55a50b
compiler: Debian clang version 20.1.2 (++20250402124445+58df0ef89dd6-1~exp1~20250402004600.97), Debian LLD 20.1.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11dd6cd4580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=122872f4580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/e4fe11eff9c4/disk-646380b0.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/afaf1ef04332/vmlinux-646380b0.xz
kernel image: https://storage.googleapis.com/syzbot-assets/b4e48cdcb201/bzImage-646380b0.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+9f078c...@syzkaller.appspotmail.com

RAX: 0000000000000000 RBX: 00007ffd51c5fd40 RCX: 00007f0e17ee3ad9
RDX: 0000000000000000 RSI: ffffffffffffffff RDI: 0000000000000003
RBP: 0000000000000001 R08: 00007ffd51c5fac7 R09: 0000000000000140
R10: 0000000000000001 R11: 0000000000000286 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
</TASK>
CFI failure at __traceiter_tlb_flush+0x80/0xd0 include/trace/events/tlb.h:38 (target: tp_stub_func+0x0/0x10; expected type: 0x205553a5)
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 299 Comm: syz-executor238 Not tainted 6.1.134-syzkaller-00012-g646380b087a5 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/19/2025
RIP: 0010:__traceiter_tlb_flush+0x80/0xd0 include/trace/events/tlb.h:38
Code: 89 f8 48 c1 e8 03 42 80 3c 28 00 74 05 e8 38 60 07 00 49 8b 7c 24 08 44 89 f6 48 8b 55 d0 41 ba 5b ac aa df 44 03 53 fc 74 02 <0f> 0b ff d3 49 83 c7 18 4c 89 f8 48 c1 e8 03 42 80 3c 28 00 74 08
RSP: 0018:ffffc90000f27628 EFLAGS: 00010093
RAX: 1ffff11021e4e92c RBX: ffffffff81710320 RCX: ffff88810dcbbcc0
RDX: ffffffffffffffff RSI: 0000000000000000 RDI: ffffc9000010d000
RBP: ffffc90000f27658 R08: ffff88810dcbbcc0 R09: 000000000000000c
R10: 0000000084eb1367 R11: 0000000040000000 R12: ffff88810f274958
R13: dffffc0000000000 R14: 0000000000000000 R15: ffff88810f274958
FS: 000055557afc2380(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f0e17f39261 CR3: 00000001102a3000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
trace_tlb_flush include/trace/events/tlb.h:38 [inline]
switch_mm_irqs_off+0x61f/0x980 arch/x86/mm/tlb.c:630
context_switch kernel/sched/core.c:5405 [inline]
__schedule+0x9eb/0x14e0 kernel/sched/core.c:6750
preempt_schedule_irq+0x9b/0x110 kernel/sched/core.c:7062
raw_irqentry_exit_cond_resched+0x29/0x30 kernel/entry/common.c:396
irqentry_exit+0x37/0x40 kernel/entry/common.c:439
sysvec_reschedule_ipi+0x78/0x80 arch/x86/kernel/smp.c:244
asm_sysvec_reschedule_ipi+0x1b/0x20 arch/x86/include/asm/idtentry.h:696
RIP: 0010:call_rcu+0xbea/0xf90 kernel/rcu/tree.c:2927
Code: 80 3c 03 00 74 08 4c 89 f7 e8 12 7e 58 00 48 8b 05 3b 8b 9f 05 49 03 06 49 39 c5 7f 56 fb 48 c7 84 24 80 00 00 00 0e 36 e0 45 <48> b8 00 00 00 00 00 fc ff df 48 8b 4c 24 78 48 c7 04 01 00 00 00
RSP: 0018:ffffc90000f27960 EFLAGS: 00000283
RAX: 0000000000002710 RBX: 1ffff1103ee271a8 RCX: ffffffff815bbab3
RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff8881f7138d10
RBP: ffffc90000f27a98 R08: dffffc0000000000 R09: ffffed103ee271a3
R10: ffffed103ee271a3 R11: 1ffff1103ee271a2 R12: ffff8881f7138d10
R13: 0000000000000002 R14: ffff8881f7138d40 R15: 1ffff1103ee271a2
__bpf_prog_put_noref+0x286/0x2b0 kernel/bpf/syscall.c:2056
bpf_prog_put_deferred+0x2d4/0x3c0 kernel/bpf/syscall.c:2072
__bpf_prog_put kernel/bpf/syscall.c:2084 [inline]
bpf_prog_put kernel/bpf/syscall.c:2091 [inline]
bpf_prog_release+0x243/0x250 kernel/bpf/syscall.c:2099
__fput+0x1fc/0x8f0 fs/file_table.c:320
____fput+0x15/0x20 fs/file_table.c:348
task_work_run+0x1db/0x240 kernel/task_work.c:203
ptrace_notify+0x221/0x250 kernel/signal.c:2377
ptrace_report_syscall include/linux/ptrace.h:424 [inline]
ptrace_report_syscall_exit include/linux/ptrace.h:486 [inline]
syscall_exit_work+0x84/0x140 kernel/entry/common.c:258
syscall_exit_to_user_mode_prepare+0x1c/0x20 kernel/entry/common.c:285
__syscall_exit_to_user_mode_work kernel/entry/common.c:290 [inline]
syscall_exit_to_user_mode+0xd/0x30 kernel/entry/common.c:303
do_syscall_64+0x58/0xa0 arch/x86/entry/common.c:87
entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7f0e17ee3ad9
Code: Unable to access opcode bytes at 0x7f0e17ee3aaf.
RSP: 002b:00007ffd51c5fd28 EFLAGS: 00000286 ORIG_RAX: 00000000000001b4
RAX: 0000000000000000 RBX: 00007ffd51c5fd40 RCX: 00007f0e17ee3ad9
RDX: 0000000000000000 RSI: ffffffffffffffff RDI: 0000000000000003
RBP: 0000000000000001 R08: 00007ffd51c5fac7 R09: 0000000000000140
R10: 0000000000000001 R11: 0000000000000286 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__traceiter_tlb_flush+0x80/0xd0 include/trace/events/tlb.h:38
Code: 89 f8 48 c1 e8 03 42 80 3c 28 00 74 05 e8 38 60 07 00 49 8b 7c 24 08 44 89 f6 48 8b 55 d0 41 ba 5b ac aa df 44 03 53 fc 74 02 <0f> 0b ff d3 49 83 c7 18 4c 89 f8 48 c1 e8 03 42 80 3c 28 00 74 08
RSP: 0018:ffffc90000f27628 EFLAGS: 00010093
RAX: 1ffff11021e4e92c RBX: ffffffff81710320 RCX: ffff88810dcbbcc0
RDX: ffffffffffffffff RSI: 0000000000000000 RDI: ffffc9000010d000
RBP: ffffc90000f27658 R08: ffff88810dcbbcc0 R09: 000000000000000c
R10: 0000000084eb1367 R11: 0000000040000000 R12: ffff88810f274958
R13: dffffc0000000000 R14: 0000000000000000 R15: ffff88810f274958
FS: 000055557afc2380(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f0e17f39261 CR3: 00000001102a3000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 80 3c 03 00 cmpb $0x0,(%rbx,%rax,1)
4: 74 08 je 0xe
6: 4c 89 f7 mov %r14,%rdi
9: e8 12 7e 58 00 call 0x587e20
e: 48 8b 05 3b 8b 9f 05 mov 0x59f8b3b(%rip),%rax # 0x59f8b50
15: 49 03 06 add (%r14),%rax
18: 49 39 c5 cmp %rax,%r13
1b: 7f 56 jg 0x73
1d: fb sti
1e: 48 c7 84 24 80 00 00 movq $0x45e0360e,0x80(%rsp)
25: 00 0e 36 e0 45
* 2a: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax <-- trapping instruction
31: fc ff df
34: 48 8b 4c 24 78 mov 0x78(%rsp),%rcx
39: 48 rex.W
3a: c7 .byte 0xc7
3b: 04 01 add $0x1,%al
3d: 00 00 add %al,(%rax)


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup