On Fri, Dec 22, 2017 at 10:37 PM, syzbot <bot+d36b5c0ca22dee8e75b34b1cdf54fd204c43e13e@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote: > Hello, > > syzkaller hit the following crash on > 1291a0d5049dbc06baaaf66a9ff3f53db493b19b > git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .config is attached > Raw console output is attached. > > Unfortunately, I don't have any reproducer for this bug yet. > > > kasan: CONFIG_KASAN_INLINE enabled > kasan: GPF could be caused by NULL-ptr deref or user memory access > general protection fault: 0000 [#1] SMP KASAN > Dumping ftrace buffer: > (ftrace buffer empty) > handle_userfault: 120 callbacks suppressed > FAULT_FLAG_ALLOW_RETRY missing 30 > CPU: 1 PID: 16647 Comm: syz-executor2 Not tainted 4.15.0-rc4+ #227 > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS > Google 01/01/2011 > Call Trace: > __dump_stack lib/dump_stack.c:17 [inline] > dump_stack+0x194/0x257 lib/dump_stack.c:53 > handle_userfault+0x12fa/0x24c0 fs/userfaultfd.c:427 > do_anonymous_page mm/memory.c:3121 [inline] > handle_pte_fault mm/memory.c:3935 [inline] > __handle_mm_fault+0x32a3/0x3ce0 mm/memory.c:4061 > handle_mm_fault+0x334/0x8d0 mm/memory.c:4098 > __do_page_fault+0x5c9/0xc90 arch/x86/mm/fault.c:1429 > do_page_fault+0xee/0x720 arch/x86/mm/fault.c:1504 > page_fault+0x22/0x30 arch/x86/entry/entry_64.S:1094 > RIP: 0010:copy_user_generic_unrolled+0x86/0xc0 > arch/x86/lib/copy_user_64.S:65 > RSP: 0018:ffff8801ca287950 EFLAGS: 00010202 > RAX: fffff520003c0207 RBX: 0000000020012ff0 RCX: 0000000000000001 > RDX: 0000000000000000 RSI: 0000000020012ff0 RDI: ffffc90001e01030 > RBP: ffff8801ca287980 R08: fffff520003c0207 R09: fffff520003c0207 > R10: 0000000000000001 R11: fffff520003c0206 R12: 0000000000000008 > R13: ffffc90001e01030 R14: 00007ffffffff000 R15: 0000000020012ff8 > copy_from_user include/linux/uaccess.h:147 [inline] > bpf_prog_create_from_user+0x10b/0x2b0 net/core/filter.c:1182 > seccomp_prepare_filter kernel/seccomp.c:386 [inline] > seccomp_prepare_user_filter kernel/seccomp.c:421 [inline] > seccomp_set_mode_filter kernel/seccomp.c:856 [inline] > do_seccomp+0x8a7/0x21f0 kernel/seccomp.c:929 > SYSC_seccomp kernel/seccomp.c:943 [inline] > SyS_seccomp+0x24/0x30 kernel/seccomp.c:940 > entry_SYSCALL_64_fastpath+0x1f/0x96 > RIP: 0033:0x452a09 > RSP: 002b:00007f28b7863c58 EFLAGS: 00000212 ORIG_RAX: 000000000000013d > RAX: ffffffffffffffda RBX: 00007f28b7864700 RCX: 0000000000452a09 > RDX: 0000000020000ff0 RSI: 0000000000000000 RDI: 0000000000000001 > RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 > R10: 0000000000000000 R11: 0000000000000212 R12: 0000000000000000 > R13: 0000000000a2f7ff R14: 00007f28b78649c0 R15: 0000000000000000 > Modules linked in: > CPU: 0 PID: 16649 Comm: syz-executor5 Not tainted 4.15.0-rc4+ #227 > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS > Google 01/01/2011 > RIP: 0010:native_write_cr4+0x4/0x10 arch/x86/include/asm/special_insns.h:76 > RSP: 0018:ffff8801bc007058 EFLAGS: 00010093 > RAX: ffff8801d8f1a1c0 RBX: 00000000001606f0 RCX: ffffffff811a2a92 > RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000001606f0 > RBP: ffff8801bc007058 R08: 1ffff10037800d67 R09: 0000000000000004 > R10: ffff8801bc006fc8 R11: 0000000000000004 R12: 0000000000000093 > R13: ffff8801d8f1a1c0 R14: ffff8801db414850 R15: ffff8801db414850 > FS: 00007fd960528700(0000) GS:ffff8801db400000(0000) knlGS:0000000000000000 > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > CR2: 0000000020134000 CR3: 0000000005e22003 CR4: 00000000001626f0 > Call Trace: > __write_cr4 arch/x86/include/asm/paravirt.h:76 [inline] > __cr4_set arch/x86/include/asm/tlbflush.h:180 [inline] > cr4_clear_bits arch/x86/include/asm/tlbflush.h:203 [inline] > kvm_cpu_vmxoff arch/x86/kvm/vmx.c:3582 [inline] > hardware_disable+0x34a/0x4b0 arch/x86/kvm/vmx.c:3588 > kvm_arch_hardware_disable+0x35/0xd0 arch/x86/kvm/x86.c:7982 > hardware_disable_nolock+0x30/0x40 > arch/x86/kvm/../../../virt/kvm/kvm_main.c:3310 > on_each_cpu+0xca/0x1b0 kernel/smp.c:604 > hardware_disable_all_nolock+0x3e/0x50 > arch/x86/kvm/../../../virt/kvm/kvm_main.c:3328 > hardware_disable_all arch/x86/kvm/../../../virt/kvm/kvm_main.c:3334 > [inline] > kvm_destroy_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:742 [inline] > kvm_put_kvm+0x956/0xdf0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:755 > kvm_vm_release+0x42/0x50 arch/x86/kvm/../../../virt/kvm/kvm_main.c:766 > __fput+0x327/0x7e0 fs/file_table.c:210 > ____fput+0x15/0x20 fs/file_table.c:244 > task_work_run+0x199/0x270 kernel/task_work.c:113 > exit_task_work include/linux/task_work.h:22 [inline] > do_exit+0x9bb/0x1ad0 kernel/exit.c:865 > do_group_exit+0x149/0x400 kernel/exit.c:968 > get_signal+0x73f/0x16c0 kernel/signal.c:2335 > do_signal+0x94/0x1ee0 arch/x86/kernel/signal.c:809 > exit_to_usermode_loop+0x214/0x310 arch/x86/entry/common.c:158 > prepare_exit_to_usermode arch/x86/entry/common.c:195 [inline] > syscall_return_slowpath+0x490/0x550 arch/x86/entry/common.c:264 > entry_SYSCALL_64_fastpath+0x94/0x96 > RIP: 0033:0x452a09 > RSP: 002b:00007fd960527c88 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca > RAX: 0000000000000001 RBX: 000000000071c010 RCX: 0000000000452a09 > RDX: 0000000000000000 RSI: 0000000000000001 RDI: 000000000071c03c > RBP: 00000000000003f4 R08: 0000000000000000 R09: 00000000000003f4 > R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006f2f80 > R13: 00000000ffffffff R14: 00007fd9605286d4 R15: 0000000000000008 > Code: 0f 1f 80 00 00 00 00 55 48 89 e5 0f 20 d8 5d c3 0f 1f 80 00 00 00 00 > 55 48 89 e5 0f 22 df 5d c3 0f 1f 80 00 00 00 00 55 48 89 e5 <0f> 22 e7 5d c3 > 0f 1f 80 00 00 00 00 55 48 89 e5 44 0f 20 c0 5d > RIP: native_write_cr4+0x4/0x10 arch/x86/include/asm/special_insns.h:76 RSP: > ffff8801bc007058 > ---[ end trace 826fc7eb0c12f2d4 ]--- Let's assume this is invalid free in pcrypt which caused a bunch of random consequences: #syz dup: KASAN: use-after-free Read in __list_del_entry_valid (2) > --- > This bug is generated by a dumb bot. It may contain errors. > See https://goo.gl/tpsmEJ for details. > Direct all questions to syzkaller@xxxxxxxxxxxxxxxx. > Please credit me with: Reported-by: syzbot <syzkaller@xxxxxxxxxxxxxxxx> > > syzbot will keep track of this bug report. > Once a fix for this bug is merged into any tree, reply to this email with: > #syz fix: exact-commit-title > To mark this as a duplicate of another syzbot report, please reply with: > #syz dup: exact-subject-of-another-report > If it's a one-off invalid bug report, please reply with: > #syz invalid > Note: if the crash happens again, it will cause creation of a new bug > report. > Note: all commands must start from beginning of the line in the email body. > > -- > You received this message because you are subscribed to the Google Groups > "syzkaller-bugs" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to syzkaller-bugs+unsubscribe@xxxxxxxxxxxxxxxx. > To view this discussion on the web visit > https://groups.google.com/d/msgid/syzkaller-bugs/001a1143fd00ff9f4c0560f49d08%40google.com. > For more options, visit https://groups.google.com/d/optout.
