[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <a85b2aaa-9390-ef85-0db7-8f3549cdad59@virtuozzo.com>
Date: Tue, 2 Oct 2018 11:44:45 +0000
From: Kirill Tkhai <ktkhai@...tuozzo.com>
To: syzbot <syzbot+c1e36d30ee3416289cc0@...kaller.appspotmail.com>,
"linux-fsdevel@...r.kernel.org" <linux-fsdevel@...r.kernel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"miklos@...redi.hu" <miklos@...redi.hu>,
"syzkaller-bugs@...glegroups.com" <syzkaller-bugs@...glegroups.com>
Subject: Re: general protection fault in fuse_dev_do_write
On 02.10.2018 13:55, syzbot wrote:
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: 62f3d25900c9 Add linux-next specific files for 20181002
> git tree: linux-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=147d5eb9400000
> kernel config: https://syzkaller.appspot.com/x/.config?x=77a6dfae97d4b496
> dashboard link: https://syzkaller.appspot.com/bug?extid=c1e36d30ee3416289cc0
> compiler: gcc (GCC) 8.0.1 20180413 (experimental)
>
> Unfortunately, I don't have any reproducer for this crash yet.
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+c1e36d30ee3416289cc0@...kaller.appspotmail.com
>
> kasan: CONFIG_KASAN_INLINE enabled
> kasan: GPF could be caused by NULL-ptr deref or user memory access
> general protection fault: 0000 [#1] PREEMPT SMP KASAN
> CPU: 1 PID: 20304 Comm: syz-executor1 Not tainted 4.19.0-rc6-next-20181002+ #85
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> RIP: 0010:fuse_retrieve fs/fuse/dev.c:1741 [inline]
It looks like both num and offset are 0, so num_pages == 0 and req->page_descs == NULL.
Possible, we should ignore requests with such the parameters, but I'm not sure...
> RIP: 0010:fuse_notify_retrieve fs/fuse/dev.c:1801 [inline]
> RIP: 0010:fuse_notify fs/fuse/dev.c:1834 [inline]
> RIP: 0010:fuse_dev_do_write+0x1dc2/0x3810 fs/fuse/dev.c:1913
> Code: 00 48 c1 e0 2a 80 3c 02 00 0f 85 dc 17 00 00 49 8b 9d 58 01 00 00 b8 ff ff 37 00 48 c1 e0 2a 48 8d 7b 04 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 82
> RSP: 0018:ffff88019bd474b8 EFLAGS: 00010247
> RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffc90003e76000
> RDX: 0000000000000000 RSI: ffffffff8287fbd3 RDI: 0000000000000004
> RBP: ffff88019bd47a50 R08: ffff8801c0552500 R09: ffffed0039ae937e
> R10: ffffed0039ae937e R11: ffff8801cd749bf3 R12: 0000000000000000
> R13: ffff8801cd749bd0 R14: 0000000000000000 R15: 0000000000000030
> FS: 00007f5740db7700(0000) GS:ffff8801daf00000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000000625208 CR3: 00000001c4109000 CR4: 00000000001406e0
> Call Trace:
> fuse_dev_write+0x19a/0x240 fs/fuse/dev.c:1997
> call_write_iter include/linux/fs.h:1844 [inline]
> new_sync_write fs/read_write.c:474 [inline]
> __vfs_write+0x6b8/0x9f0 fs/read_write.c:487
> vfs_write+0x1fc/0x560 fs/read_write.c:549
> ksys_write+0x101/0x260 fs/read_write.c:598
> __do_sys_write fs/read_write.c:610 [inline]
> __se_sys_write fs/read_write.c:607 [inline]
> __x64_sys_write+0x73/0xb0 fs/read_write.c:607
> do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
> entry_SYSCALL_64_after_hwframe+0x49/0xbe
> RIP: 0033:0x457579
> Code: 1d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
> RSP: 002b:00007f5740db6c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
> RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457579
> RDX: 0000000000000030 RSI: 0000000020000080 RDI: 0000000000000004
> RBP: 000000000072bf00 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 00007f5740db76d4
> R13: 00000000004c50c5 R14: 00000000004d8718 R15: 00000000ffffffff
> Modules linked in:
> ---[ end trace 8b37456f1c1100bc ]---
> RIP: 0010:fuse_retrieve fs/fuse/dev.c:1741 [inline]
> RIP: 0010:fuse_notify_retrieve fs/fuse/dev.c:1801 [inline]
> RIP: 0010:fuse_notify fs/fuse/dev.c:1834 [inline]
> RIP: 0010:fuse_dev_do_write+0x1dc2/0x3810 fs/fuse/dev.c:1913
> Code: 00 48 c1 e0 2a 80 3c 02 00 0f 85 dc 17 00 00 49 8b 9d 58 01 00 00 b8 ff ff 37 00 48 c1 e0 2a 48 8d 7b 04 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 82
> RSP: 0018:ffff88019bd474b8 EFLAGS: 00010247
> RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffc90003e76000
> RDX: 0000000000000000 RSI: ffffffff8287fbd3 RDI: 0000000000000004
> RBP: ffff88019bd47a50 R08: ffff8801c0552500 R09: ffffed0039ae937e
> kobject: 'loop5' (0000000025425302): kobject_uevent_env
> R10: ffffed0039ae937e R11: ffff8801cd749bf3 R12: 0000000000000000
> kobject: 'loop5' (0000000025425302): fill_kobj_path: path = '/devices/virtual/block/loop5'
> R13: ffff8801cd749bd0 R14: 0000000000000000 R15: 0000000000000030
> FS: 00007f5740db7700(0000) GS:ffff8801daf00000(0000) knlGS:0000000000000000
> kobject: 'loop3' (000000006439d2fe): kobject_uevent_env
> kobject: 'loop3' (000000006439d2fe): fill_kobj_path: path = '/devices/virtual/block/loop3'
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> kobject: 'loop5' (0000000025425302): kobject_uevent_env
> kobject: 'loop5' (0000000025425302): fill_kobj_path: path = '/devices/virtual/block/loop5'
> CR2: 0000001b2f541000 CR3: 00000001c4109000 CR4: 00000000001406e0
>
>
> ---
> This bug is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@...glegroups.com.
>
> syzbot will keep track of this bug report. See:
> https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with syzbot.
Powered by blists - more mailing lists