Good day, dear maintainers,

We found a bug using a modified kernel configuration file used by syzbot. We enhanced the coverage of the configuration file using our tool, klocalizer.

Kernel Branch: 6.2.0-rc4-next-20230116
Kernel config: https://drive.google.com/file/d/1aDw7_IXEzr5avqtp-fb6mG199n7gkvy-/view?usp=sharing
Reproducer: https://drive.google.com/file/d/1JTPF8M111AkePf_Hce8dmkAdhjoSRMc-/view?usp=sharing

Thank you!

Best regards,
Sanan Hasanov

current_req=0000000000000000 command_status=-1
floppy0: floppy timeout called
no cont in shutdown!
floppy0: floppy_shutdown: timeout handler died.
general protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]
CPU: 3 PID: 90 Comm: kworker/u16:5 Not tainted 6.2.0-rc4-next-20230116 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Workqueue: floppy floppy_work_workfn
RIP: 0010:floppy_ready+0xbc2/0x1400
Code: 8e e8 12 5a f6 fc f0 80 8b 20 9e 45 8e 10 48 8b 1d 63 51 6f 09 48 b8 00 00 00 00 00 fc ff df 48 8d 7b 18 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 9e 07 00 00 31 ff ff 53 18 48 8b 1d 38 51 6f 09
RSP: 0018:ffffc90000767ca0 EFLAGS: 00010216
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff84d62ace
RDX: 0000000000000003 RSI: 0000000000000008 RDI: 0000000000000018
RBP: 0000000000000000 R08: 0000000000000001 R09: ffffffff8e459e27
R10: fffffbfff1c8b3c4 R11: 0000000000000001 R12: ffffffff8e459e20
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff88811a180000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffc919f1940 CR3: 00000001148af000 CR4: 0000000000350ee0
Call Trace:
 <TASK>
 seek_interrupt+0x28a/0x2e0
 process_one_work+0x9ba/0x1760
 worker_thread+0x669/0x1090
 kthread+0x2e8/0x3a0
 ret_from_fork+0x1f/0x30
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:floppy_ready+0xbc2/0x1400
Code: 8e e8 12 5a f6 fc f0 80 8b 20 9e 45 8e 10 48 8b 1d 63 51 6f 09 48 b8 00 00 00 00 00 fc ff df 48 8d 7b 18 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 9e 07 00 00 31 ff ff 53 18 48 8b 1d 38 51 6f 09
RSP: 0018:ffffc90000767ca0 EFLAGS: 00010216
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff84d62ace
RDX: 0000000000000003 RSI: 0000000000000008 RDI: 0000000000000018
RBP: 0000000000000000 R08: 0000000000000001 R09: ffffffff8e459e27
R10: fffffbfff1c8b3c4 R11: 0000000000000001 R12: ffffffff8e459e20
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff88811a180000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffc919f1940 CR3: 00000001148af000 CR4: 0000000000350ee0
----------------
Code disassembly (best guess):
   0:	8e e8                	mov    %eax,%gs
   2:	12 5a f6             	adc    -0xa(%rdx),%bl
   5:	fc                   	cld
   6:	f0 80 8b 20 9e 45 8e 	lock orb $0x10,-0x71ba61e0(%rbx)
   d:	10
   e:	48 8b 1d 63 51 6f 09 	mov    0x96f5163(%rip),%rbx        # 0x96f5178
  15:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  1c:	fc ff df
  1f:	48 8d 7b 18          	lea    0x18(%rbx),%rdi
  23:	48 89 fa             	mov    %rdi,%rdx
  26:	48 c1 ea 03          	shr    $0x3,%rdx
* 2a:	80 3c 02 00          	cmpb   $0x0,(%rdx,%rax,1) <-- trapping instruction
  2e:	0f 85 9e 07 00 00    	jne    0x7d2
  34:	31 ff                	xor    %edi,%edi
  36:	ff 53 18             	call   *0x18(%rbx)
  39:	48 8b 1d 38 51 6f 09 	mov    0x96f5138(%rip),%rbx        # 0x96f5178