lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 19 Oct 2022 23:37:39 -0700
From:   syzbot <syzbot+7f3f0e8b232d8c69dac1@...kaller.appspotmail.com>
To:     jack@...e.com, linux-kernel@...r.kernel.org,
        syzkaller-bugs@...glegroups.com
Subject: [syzbot] BUG: unable to handle kernel paging request in dquot_add_space

Hello,

syzbot found the following issue on:

HEAD commit:    bbed346d5a96 Merge branch 'for-next/core' into for-kernelci
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=12890b76880000
kernel config:  https://syzkaller.appspot.com/x/.config?x=3a4a45d2d827c1e
dashboard link: https://syzkaller.appspot.com/bug?extid=7f3f0e8b232d8c69dac1
compiler:       Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: arm64

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/e8e91bc79312/disk-bbed346d.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/c1cb3fb3b77e/vmlinux-bbed346d.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+7f3f0e8b232d8c69dac1@...kaller.appspotmail.com

Unable to handle kernel paging request at virtual address 0000000100000117
Mem abort info:
  ESR = 0x0000000096000005
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
  FSC = 0x05: level 1 translation fault
Data abort info:
  ISV = 0, ISS = 0x00000005
  CM = 0, WnR = 0
user pgtable: 4k pages, 48-bit VAs, pgdp=000000018f1e0000
[0000000100000117] pgd=08000001607e1003, p4d=08000001607e1003, pud=0000000000000000
Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 22205 Comm: syz-executor.2 Not tainted 6.0.0-rc7-syzkaller-18095-gbbed346d5a96 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/30/2022
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : dquot_add_space+0x3c/0x474 fs/quota/dquot.c:1329
lr : dquot_add_space+0x3c/0x474 fs/quota/dquot.c:1327
sp : ffff8000208cb590
x29: ffff8000208cb5a0 x28: ffff000119271800 x27: 0000000000000001
x26: ffff8000208cb610 x25: 00000000ffffffff x24: ffff00010e158840
x23: 0000000000000001 x22: 0000000000010000 x21: 00000000ffffffff
x20: 0000000000000000 x19: ffff80000d47eb10 x18: 00000000000000c0
x17: ffff80000dd0b198 x16: ffff80000db49158 x15: ffff0000c8173500
x14: ffff80000dd0b198 x13: ffff80000db49158 x12: 0000000000040000
x11: 0000000000003c98 x10: ffff800018493000 x9 : ffff8000086badbc
x8 : 0000000000003c99 x7 : ffff8000086ba810 x6 : 0000000000000000
x5 : 0000000000000020 x4 : ffff8000208cb610 x3 : 0000000000000001
x2 : 0000000000000000 x1 : 0000000000010000 x0 : 00000000ffffffff
Call trace:
 dquot_add_space+0x3c/0x474 fs/quota/dquot.c:1327
 __dquot_alloc_space+0x1c8/0x644
 dquot_alloc_space_nodirty include/linux/quotaops.h:300 [inline]
 dquot_alloc_space include/linux/quotaops.h:313 [inline]
 dquot_alloc_block include/linux/quotaops.h:337 [inline]
 ext4_mb_new_blocks+0x5fc/0x9e4 fs/ext4/mballoc.c:5574
 ext4_new_meta_blocks+0x84/0x140 fs/ext4/balloc.c:700
 ext4_xattr_block_set+0xce0/0x142c fs/ext4/xattr.c:2078
 ext4_xattr_set_handle+0x724/0x994 fs/ext4/xattr.c:2394
 ext4_xattr_set+0x100/0x1d0 fs/ext4/xattr.c:2495
 ext4_xattr_security_set+0x4c/0x64 fs/ext4/xattr_security.c:31
 __vfs_setxattr+0x250/0x260 fs/xattr.c:182
 __vfs_setxattr_noperm+0xcc/0x320 fs/xattr.c:216
 __vfs_setxattr_locked+0x16c/0x194 fs/xattr.c:277
 vfs_setxattr+0x174/0x280 fs/xattr.c:313
 do_setxattr fs/xattr.c:600 [inline]
 setxattr fs/xattr.c:623 [inline]
 path_setxattr+0x354/0x414 fs/xattr.c:642
 __do_sys_setxattr fs/xattr.c:658 [inline]
 __se_sys_setxattr fs/xattr.c:654 [inline]
 __arm64_sys_setxattr+0x2c/0x40 fs/xattr.c:654
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall arch/arm64/kernel/syscall.c:52 [inline]
 el0_svc_common+0x138/0x220 arch/arm64/kernel/syscall.c:142
 do_el0_svc+0x48/0x164 arch/arm64/kernel/syscall.c:206
 el0_svc+0x58/0x150 arch/arm64/kernel/entry-common.c:636
 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:654
 el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:581
Code: aa0203f4 aa0103f6 aa0003f5 97ef9397 (f9408ebc) 
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:	aa0203f4 	mov	x20, x2
   4:	aa0103f6 	mov	x22, x1
   8:	aa0003f5 	mov	x21, x0
   c:	97ef9397 	bl	0xffffffffffbe4e68
* 10:	f9408ebc 	ldr	x28, [x21, #280] <-- trapping instruction


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@...glegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ