lists.openwall.net
Date:   Fri, 4 Aug 2023 22:02:43 +0800
From:   yang lan <lanyang0908@...il.com>
To:     Bob Peterson <rpeterso@...hat.com>, agruenba@...hat.com,
        cluster-devel@...hat.com, linux-kernel@...r.kernel.org,
        syzkaller-bugs@...glegroups.com
Subject: [Bug report] kernel BUG in gfs2_glock_nq

Hi,

We use our modified Syzkaller to fuzz the latest Linux kernel and
found the following issue.

Head Commit: 5d0c230f1de8c7515b6567d9afba1f196fb4e2f4
Git Tree: upstream

I compiled the kernel with the attached "kernel_config", and this bug
can be reproduced with the attached "c_poc".

If you fix the bug, please add the following tag to the commit:
Reported-by: lanyang0908@...il.com

Crash log:
[  105.802919][ T7184] ------------[ cut here ]------------
[  105.803214][ T7184] kernel BUG at fs/gfs2/glock.c:1551!
[  105.803516][ T7184] invalid opcode: 0000 [#1] PREEMPT SMP KASAN
[  105.803838][ T7184] CPU: 1 PID: 7184 Comm: syz-executor.3 Not tainted 6.5.0-rc4 #1
[  105.804236][ T7184] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
[  105.804703][ T7184] RIP: 0010:gfs2_glock_nq+0xa00/0x1930
[  105.804993][ T7184] Code: 08 3c 03 0f 8e 70 0d 00 00 8b 53 18 4c 89 e6 48 c7 c7 00 c2 d6 89 e8 ef 24 e3 fd ba 01 00 00 00 4c 89 ee 31 ff e8 f0 5c ff ff <0f> 0b 4c 8b 6c 24 20 e8 04 58 fe fd 0f 1f 44 00 00 e8 fa 57 fe fd
[  105.805989][ T7184] RSP: 0018:ffff888027c17a70 EFLAGS: 00010282
[  105.806305][ T7184] RAX: 0000000000000000 RBX: ffff88804d339c20 RCX: ffff888042600000
[  105.806739][ T7184] RDX: 0000000000000000 RSI: ffff888042600000 RDI: 0000000000000002
[  105.807157][ T7184] RBP: ffff888026eae280 R08: ffffffff837ca265 R09: 0000000000000000
[  105.807564][ T7184] R10: 0000000000000001 R11: 0000000000000001 R12: ffff88805a6e1270
[  105.807968][ T7184] R13: ffff88804d339c20 R14: 0000000000001c10 R15: ffff888057693822
[  105.808370][ T7184] FS:  0000000002658940(0000) GS:ffff88807ec00000(0000) knlGS:0000000000000000
[  105.808822][ T7184] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  105.809163][ T7184] CR2: 00007f0b0cb8a000 CR3: 0000000028b4f000 CR4: 0000000000350ee0
[  105.809581][ T7184] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  105.809980][ T7184] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  105.810379][ T7184] Call Trace:
[  105.810553][ T7184]  <TASK>
[  105.810755][ T7184]  ? __die_body+0x15/0x60
[  105.811044][ T7184]  ? die+0x37/0x50
[  105.811254][ T7184]  ? do_trap+0x1a3/0x280
[  105.811492][ T7184]  ? gfs2_glock_nq+0xa00/0x1930
[  105.811754][ T7184]  ? do_error_trap+0x9e/0x160
[  105.812010][ T7184]  ? gfs2_glock_nq+0xa00/0x1930
[  105.812272][ T7184]  ? handle_invalid_op+0x2c/0x30
[  105.812541][ T7184]  ? gfs2_glock_nq+0xa00/0x1930
[  105.812800][ T7184]  ? exc_invalid_op+0x2d/0x40
[  105.813059][ T7184]  ? asm_exc_invalid_op+0x1a/0x20
[  105.813334][ T7184]  ? gfs2_dump_glock+0x1405/0x1c60
[  105.813606][ T7184]  ? gfs2_glock_nq+0xa00/0x1930
[  105.813866][ T7184]  ? __sanitizer_cov_trace_pc+0x1e/0x50
[  105.814166][ T7184]  ? __gfs2_holder_init+0x14c/0x290
[  105.814440][ T7184]  do_sync+0x4a3/0xc30
[  105.814671][ T7184]  ? gfs2_qa_put+0x150/0x150
[  105.814916][ T7184]  ? lock_sync+0x180/0x180
[  105.815170][ T7184]  ? do_raw_spin_lock+0x125/0x2d0
[  105.815434][ T7184]  ? rwlock_bug.part.1+0x90/0x90
[  105.815694][ T7184]  ? __sanitizer_cov_trace_pc+0x1e/0x50
[  105.815986][ T7184]  gfs2_quota_sync+0x28f/0x540
[  105.816260][ T7184]  gfs2_sync_fs+0x45/0xb0
[  105.816520][ T7184]  ? rgrp_unlock_local+0x20/0x20
[  105.816815][ T7184]  sync_filesystem+0x10a/0x290
[  105.817096][ T7184]  generic_shutdown_super+0x74/0x480
[  105.817409][ T7184]  kill_block_super+0x64/0xb0
[  105.817688][ T7184]  gfs2_kill_sb+0x35a/0x410
[  105.817965][ T7184]  deactivate_locked_super+0x92/0xf0
[  105.818277][ T7184]  deactivate_super+0xd8/0xf0
[  105.818557][ T7184]  cleanup_mnt+0x30c/0x470
[  105.818819][ T7184]  task_work_run+0x16f/0x270
[  105.819095][ T7184]  ? task_work_cancel+0x30/0x30
[  105.819381][ T7184]  ? ksys_umount+0xdc/0x120
[  105.819651][ T7184]  exit_to_user_mode_prepare+0x1f8/0x200
[  105.819987][ T7184]  syscall_exit_to_user_mode+0x1d/0x50
[  105.820309][ T7184]  do_syscall_64+0x44/0x80
[  105.820576][ T7184]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[  105.820924][ T7184] RIP: 0033:0x46bc17
[  105.821158][ T7184] Code: ff d0 48 89 c7 b8 3c 00 00 00 0f 05 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
[  105.822236][ T7184] RSP: 002b:00007ffef0a34288 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
[  105.822720][ T7184] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000000046bc17
[  105.823171][ T7184] RDX: 0000000000000000 RSI: 0000000000000002 RDI: 00007ffef0a34350
[  105.823622][ T7184] RBP: 00007ffef0a34350 R08: 0000000002659ec3 R09: 0000000000000009
[  105.824074][ T7184] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004c9133
[  105.824525][ T7184] R13: 00007ffef0a353f0 R14: 0000000000000001 R15: 0000000000000032
[  105.824987][ T7184]  </TASK>
[  105.825169][ T7184] Modules linked in:
[  105.825509][ T7184] ---[ end trace 0000000000000000 ]---
[  105.825829][ T7184] RIP: 0010:gfs2_glock_nq+0xa00/0x1930
[  105.826158][ T7184] Code: 08 3c 03 0f 8e 70 0d 00 00 8b 53 18 4c 89 e6 48 c7 c7 00 c2 d6 89 e8 ef 24 e3 fd ba 01 00 00 00 4c 89 ee 31 ff e8 f0 5c ff ff <0f> 0b 4c 8b 6c 24 20 e8 04 58 fe fd 0f 1f 44 00 00 e8 fa 57 fe fd
[  105.827254][ T7184] RSP: 0018:ffff888027c17a70 EFLAGS: 00010282
[  105.827610][ T7184] RAX: 0000000000000000 RBX: ffff88804d339c20 RCX: ffff888042600000
[  105.828067][ T7184] RDX: 0000000000000000 RSI: ffff888042600000 RDI: 0000000000000002
[  105.828521][ T7184] RBP: ffff888026eae280 R08: ffffffff837ca265 R09: 0000000000000000
[  105.829289][ T7184] R10: 0000000000000001 R11: 0000000000000001 R12: ffff88805a6e1270
[  105.829748][ T7184] R13: ffff88804d339c20 R14: 0000000000001c10 R15: ffff888057693822
[  105.830207][ T7184] FS:  0000000002658940(0000) GS:ffff88807ec00000(0000) knlGS:0000000000000000
[  105.830725][ T7184] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  105.831107][ T7184] CR2: 00007f0b0cb8a000 CR3: 0000000028b4f000 CR4: 0000000000350ee0
[  105.831561][ T7184] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  105.832015][ T7184] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  105.832466][ T7184] Kernel panic - not syncing: Fatal exception
[  105.833065][ T7184] Kernel Offset: disabled
[  105.833317][ T7184] Rebooting in 86400 seconds..

Download attachment "log_6.5-rc4" of type "application/octet-stream" (6046 bytes)

Download attachment "kernel_config" of type "application/octet-stream" (225672 bytes)

Download attachment "syz_poc" of type "application/octet-stream" (488511 bytes)

Download attachment "c_poc" of type "application/octet-stream" (1247789 bytes)
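Triage of a syzkaller report like the one above usually starts by reducing the oops to its load-bearing facts: the BUG() site, the faulting kernel symbol, the trustworthy part of the call trace (the unwinder prefixes stack slots it cannot vouch for with "?"), the taint state, and the syscall that got there. The parser below is an added example, not part of this report, of syzkaller, or of the GFS2 code; it runs over lines copied from the crash log above (trimmed to the ones it needs and embedded as constructed sample input) and assumes an x86_64 guest for the syscall-number lookup, using a deliberately partial syscall table.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: lines copied from the oops above, cut down to the
# ones the parser needs; the kernel's "[timestamp][Tpid]" prefix is kept as-is.
SAMPLE_OOPS = """\
[  105.803214][ T7184] kernel BUG at fs/gfs2/glock.c:1551!
[  105.803516][ T7184] invalid opcode: 0000 [#1] PREEMPT SMP KASAN
[  105.803838][ T7184] CPU: 1 PID: 7184 Comm: syz-executor.3 Not tainted 6.5.0-rc4 #1
[  105.804703][ T7184] RIP: 0010:gfs2_glock_nq+0xa00/0x1930
[  105.810379][ T7184] Call Trace:
[  105.810553][ T7184]  <TASK>
[  105.810755][ T7184]  ? __die_body+0x15/0x60
[  105.814440][ T7184]  do_sync+0x4a3/0xc30
[  105.816260][ T7184]  gfs2_quota_sync+0x28f/0x540
[  105.816520][ T7184]  gfs2_sync_fs+0x45/0xb0
[  105.817096][ T7184]  sync_filesystem+0x10a/0x290
[  105.817409][ T7184]  generic_shutdown_super+0x74/0x480
[  105.817688][ T7184]  kill_block_super+0x64/0xb0
[  105.817965][ T7184]  gfs2_kill_sb+0x35a/0x410
[  105.818277][ T7184]  deactivate_locked_super+0x92/0xf0
[  105.818557][ T7184]  deactivate_super+0xd8/0xf0
[  105.818819][ T7184]  cleanup_mnt+0x30c/0x470
[  105.819095][ T7184]  task_work_run+0x16f/0x270
[  105.819651][ T7184]  exit_to_user_mode_prepare+0x1f8/0x200
[  105.819987][ T7184]  syscall_exit_to_user_mode+0x1d/0x50
[  105.820309][ T7184]  do_syscall_64+0x44/0x80
[  105.820576][ T7184]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[  105.822236][ T7184] RSP: 002b:00007ffef0a34288 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
[  105.824987][ T7184]  </TASK>
[  105.832466][ T7184] Kernel panic - not syncing: Fatal exception
"""

PREFIX_RE = re.compile(r"^\[\s*[\d.]+\]\[\s*T\d+\]\s?")
BUG_RE = re.compile(r"kernel BUG at (\S+:\d+)!")
TRAP_RE = re.compile(r"^(invalid opcode|general protection fault|BUG: KASAN: [\w-]+)")
CPU_RE = re.compile(r"Comm: (\S+) (Not tainted|Tainted: \S+) (\S+)")
RIP_RE = re.compile(r"^RIP: 0010:(\S+?)\+0x([0-9a-f]+)/0x[0-9a-f]+")
FRAME_RE = re.compile(r"^(\? )?(\S+?)\+0x[0-9a-f]+/0x[0-9a-f]+$")
ORIG_RAX_RE = re.compile(r"ORIG_RAX: ([0-9a-f]{16})")

# Partial x86_64 syscall table, only the entries needed here (assumption: the
# guest is x86_64, as the "RIP: 0010:" line and 64-bit register dump indicate).
X86_64_SYSCALLS = {162: "sync", 165: "mount", 166: "umount2"}


@dataclass
class OopsSummary:
    bug_site: str = ""         # file:line of the BUG()/BUG_ON() that fired
    trap: str = ""             # exception class the kernel reported
    kasan_build: bool = False  # KASAN compiled in, so the sanitizer was armed
    comm: str = ""             # name of the crashing task
    tainted: bool = False
    kernel_version: str = ""
    rip_symbol: str = ""       # kernel function containing the faulting RIP
    rip_offset: int = 0
    reliable_frames: list = field(default_factory=list)    # frames without "?"
    unreliable_frames: list = field(default_factory=list)  # "? sym" guesses
    syscall_nr: int = -1       # ORIG_RAX from the user-mode register dump
    panic: bool = False


def parse_oops(text: str) -> OopsSummary:
    s = OopsSummary()
    in_trace = False
    for raw in text.splitlines():
        line = PREFIX_RE.sub("", raw).strip()
        if m := BUG_RE.search(line):
            s.bug_site = m.group(1)
        if m := TRAP_RE.match(line):
            s.trap, s.kasan_build = m.group(1), "KASAN" in line
        if m := CPU_RE.search(line):
            s.comm, s.kernel_version = m.group(1), m.group(3)
            s.tainted = m.group(2) != "Not tainted"
        if m := RIP_RE.match(line):
            s.rip_symbol, s.rip_offset = m.group(1), int(m.group(2), 16)
        if m := ORIG_RAX_RE.search(line):
            s.syscall_nr = int(m.group(1), 16)
        if line.startswith("Kernel panic - not syncing"):
            s.panic = True
        if line == "Call Trace:":
            in_trace = True
        elif line == "</TASK>":
            in_trace = False
        elif in_trace and (m := FRAME_RE.match(line)):
            # "? sym" marks a stale stack slot the unwinder could not prove is a
            # live frame; keep those apart so they do not distort the call path.
            (s.unreliable_frames if m.group(1) else s.reliable_frames).append(m.group(2))
    return s


def crash_kind(s: OopsSummary) -> str:
    """Classify: ud2 from BUG()/BUG_ON() vs. a sanitizer report vs. a raw fault."""
    if s.bug_site and s.trap == "invalid opcode":
        return "assertion (BUG)"
    if s.trap.startswith("BUG: KASAN"):
        return "memory-safety (KASAN)"
    return "fault (%s)" % (s.trap or "unknown")


def entry_path(s: OopsSummary) -> list:
    """Trustworthy path from the syscall entry down to the crashing function."""
    return list(reversed(s.reliable_frames)) + [s.rip_symbol]


def syscall_name(s: OopsSummary) -> str:
    return X86_64_SYSCALLS.get(s.syscall_nr, "nr %d" % s.syscall_nr)
```

Run on the sample, `crash_kind()` reports an assertion rather than a sanitizer hit: KASAN is built in but nothing in the log is a KASAN report, and "invalid opcode" at a "kernel BUG at" line is the ud2 that BUG() plants. `syscall_name()` resolves ORIG_RAX 0xa6 to umount2, and `entry_path()` shows why: cleanup_mnt runs as task work on the way back to user mode after the umount2 syscall, and from there gfs2_sync_fs, gfs2_quota_sync and do_sync lead into gfs2_glock_nq. That path, checked against fs/gfs2/glock.c:1551 on the reported head commit, is where a reviewer of this report would start; the "?" frames (here __die_body) are excluded from it.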
