[syzbot] general protection fault in cgroup_file_write

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hello,

syzbot found the following issue on:

HEAD commit:    d4439a1189f9 Merge tag 'hsi-for-5.16' of git://git.kernel...
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1656d30ab00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=ff3ea6b218615239
dashboard link: https://syzkaller.appspot.com/bug?extid=50f5cf33a284ce738b62
compiler:       Debian clang version 11.0.1-2, GNU ld (GNU Binutils for Debian) 2.35.2

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+50f5cf33a284ce738b62@xxxxxxxxxxxxxxxxxxxxxxxxx

general protection fault, probably for non-canonical address 0xdffffc0000000008: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000040-0x0000000000000047]
CPU: 1 PID: 11182 Comm: syz-executor.1 Not tainted 5.15.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:cgroup_file_write+0xbe/0x790 kernel/cgroup/cgroup.c:3831
Code: 81 c3 88 08 00 00 48 89 d8 48 c1 e8 03 42 80 3c 38 00 74 08 48 89 df e8 c0 5c 52 00 48 8b 1b 48 83 c3 40 48 89 d8 48 c1 e8 03 <42> 80 3c 38 00 74 08 48 89 df e8 a3 5c 52 00 48 8b 03 48 89 44 24
RSP: 0018:ffffc9000a79f2a0 EFLAGS: 00010202
RAX: 0000000000000008 RBX: 0000000000000040 RCX: ffff888074320000
RDX: 0000000000000000 RSI: ffff88801d008980 RDI: ffff88806b48ac00
RBP: ffffc9000a79f390 R08: ffffffff8207dab3 R09: fffffbfff1fedffb
R10: fffffbfff1fedffb R11: 0000000000000000 R12: 1ffff920014f3e5c
R13: ffff88806b48ac00 R14: ffff88806b48ac00 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fe6fd24a1b8 CR3: 000000002c740000 CR4: 00000000003526e0
Call Trace:
 <TASK>
 kernfs_fop_write_iter+0x3b6/0x510 fs/kernfs/file.c:296
 __kernel_write+0x5d1/0xaf0 fs/read_write.c:535
 do_acct_process+0x112a/0x17b0 kernel/acct.c:518
 acct_pin_kill+0x27/0x130 kernel/acct.c:173
 pin_kill+0x2a6/0x940 fs/fs_pin.c:44
 mnt_pin_kill+0xc1/0x170 fs/fs_pin.c:81
 cleanup_mnt+0x4bc/0x510 fs/namespace.c:1130
 task_work_run+0x146/0x1c0 kernel/task_work.c:164
 exit_task_work include/linux/task_work.h:32 [inline]
 do_exit+0x705/0x24f0 kernel/exit.c:832
 do_group_exit+0x168/0x2d0 kernel/exit.c:929
 get_signal+0x16b0/0x2090 kernel/signal.c:2820
 arch_do_signal_or_restart+0x9c/0x730 arch/x86/kernel/signal.c:868
 handle_signal_work kernel/entry/common.c:148 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:172 [inline]
 exit_to_user_mode_prepare+0x191/0x220 kernel/entry/common.c:207
 __syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline]
 syscall_exit_to_user_mode+0x2e/0x70 kernel/entry/common.c:300
 do_syscall_64+0x53/0xd0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f0054d5fae9
Code: Unable to access opcode bytes at RIP 0x7f0054d5fabf.
RSP: 002b:00007f00522d5218 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007f0054e72f68 RCX: 00007f0054d5fae9
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f0054e72f68
RBP: 00007f0054e72f60 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f0054e72f6c
R13: 00007ffd99a378af R14: 00007f00522d5300 R15: 0000000000022000
 </TASK>
Modules linked in:
---[ end trace 54fd0e4a1cf7068c ]---
RIP: 0010:cgroup_file_write+0xbe/0x790 kernel/cgroup/cgroup.c:3831
Code: 81 c3 88 08 00 00 48 89 d8 48 c1 e8 03 42 80 3c 38 00 74 08 48 89 df e8 c0 5c 52 00 48 8b 1b 48 83 c3 40 48 89 d8 48 c1 e8 03 <42> 80 3c 38 00 74 08 48 89 df e8 a3 5c 52 00 48 8b 03 48 89 44 24
RSP: 0018:ffffc9000a79f2a0 EFLAGS: 00010202
RAX: 0000000000000008 RBX: 0000000000000040 RCX: ffff888074320000
RDX: 0000000000000000 RSI: ffff88801d008980 RDI: ffff88806b48ac00
RBP: ffffc9000a79f390 R08: ffffffff8207dab3 R09: fffffbfff1fedffb
R10: fffffbfff1fedffb R11: 0000000000000000 R12: 1ffff920014f3e5c
R13: ffff88806b48ac00 R14: ffff88806b48ac00 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fe6fd24a1b8 CR3: 000000000c88e000 CR4: 00000000003526e0
----------------
Code disassembly (best guess):
   0:	81 c3 88 08 00 00    	add    $0x888,%ebx
   6:	48 89 d8             	mov    %rbx,%rax
   9:	48 c1 e8 03          	shr    $0x3,%rax
   d:	42 80 3c 38 00       	cmpb   $0x0,(%rax,%r15,1)
  12:	74 08                	je     0x1c
  14:	48 89 df             	mov    %rbx,%rdi
  17:	e8 c0 5c 52 00       	callq  0x525cdc
  1c:	48 8b 1b             	mov    (%rbx),%rbx
  1f:	48 83 c3 40          	add    $0x40,%rbx
  23:	48 89 d8             	mov    %rbx,%rax
  26:	48 c1 e8 03          	shr    $0x3,%rax
* 2a:	42 80 3c 38 00       	cmpb   $0x0,(%rax,%r15,1) <-- trapping instruction
  2f:	74 08                	je     0x39
  31:	48 89 df             	mov    %rbx,%rdi
  34:	e8 a3 5c 52 00       	callq  0x525cdc
  39:	48 8b 03             	mov    (%rbx),%rax
  3c:	48                   	rex.W
  3d:	89                   	.byte 0x89
  3e:	44                   	rex.R
  3f:	24                   	.byte 0x24


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@xxxxxxxxxxxxxxxx.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.



[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux OMAP]     [Linux MIPS]     [eCos]     [Asterisk Internet PBX]     [Linux API]     [Monitors]

  Powered by Linux