Re: general protection fault in __vfs_write

All of lore.kernel.org
 help / color / mirror / Atom feed

From: syzbot <syzbot+7ade6c94abb2774c0fee@syzkaller.appspotmail.com>
To: alexei.starovoitov@gmail.com, ast@kernel.org,
	daniel@iogearbox.net, linux-fsdevel@vger.kernel.org,
	linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
	syzkaller-bugs@googlegroups.com, viro@zeniv.linux.org.uk,
	willy@infradead.org
Subject: Re: general protection fault in __vfs_write
Date: Sat, 09 Jun 2018 08:36:01 -0700	[thread overview]
Message-ID: <00000000000015df96056e374691@google.com> (raw)
In-Reply-To: <000000000000973c2c056e0ecddd@google.com>

syzbot has found a reproducer for the following crash on:

HEAD commit:    3a979e8c07e3 Merge tag 'mailbox-v4.18' of git://git.linaro..
git tree:       net-next
console output: https://syzkaller.appspot.com/x/log.txt?x=11e0c81f800000
kernel config:  https://syzkaller.appspot.com/x/.config?x=412e35656a3f7c09
dashboard link: https://syzkaller.appspot.com/bug?extid=7ade6c94abb2774c0fee
compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=1665abf7800000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+7ade6c94abb2774c0fee@syzkaller.appspotmail.com

IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
8021q: adding VLAN 0 to HW filter on device team0
8021q: adding VLAN 0 to HW filter on device team0
bpfilter: read fail -512
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
CPU: 0 PID: 4546 Comm: syz-executor6 Not tainted 4.17.0+ #83
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011
RIP: 0010:file_write_hint include/linux/fs.h:1932 [inline]
RIP: 0010:init_sync_kiocb include/linux/fs.h:1942 [inline]
RIP: 0010:new_sync_write fs/read_write.c:470 [inline]
RIP: 0010:__vfs_write+0x4a6/0x960 fs/read_write.c:487
Code: c1 ea 03 80 3c 02 00 0f 85 1b 04 00 00 48 b8 00 00 00 00 00 fc ff df  
4c 8b 63 20 49 8d bc 24 c8 00 00 00 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84  
c0 74 08 3c 03 0f 8e ec 02 00 00 41 8b 84 24 c8 00
RSP: 0018:ffff8801ae407850 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffff8801cd88f580 RCX: ffffffff81c0d6fb
RDX: 0000000000000019 RSI: ffffffff81c0d70a RDI: 00000000000000c8
RBP: ffff8801ae4079c8 R08: ffff8801d88ee680 R09: fffffbfff130c5d9
R10: ffff8801ae407a10 R11: ffffffff89862ecb R12: 0000000000000000
R13: ffff8801ae4079a0 R14: 0000000000000000 R15: ffff8801ae407a88
FS:  000000000102f940(0000) GS:ffff8801dae00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f5f52ac0518 CR3: 00000001d8d8a000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
  __kernel_write+0x10c/0x380 fs/read_write.c:506
  __bpfilter_process_sockopt+0x1d8/0x35b net/bpfilter/bpfilter_kern.c:66
  bpfilter_mbox_request+0x4d/0xb0 net/ipv4/bpfilter/sockopt.c:25
  bpfilter_ip_get_sockopt+0x6b/0x90 net/ipv4/bpfilter/sockopt.c:42
  ip_getsockopt+0x238/0x2a0 net/ipv4/ip_sockglue.c:1563
  tcp_getsockopt+0x93/0xe0 net/ipv4/tcp.c:3532
  sock_common_getsockopt+0x9a/0xe0 net/core/sock.c:3012
  __sys_getsockopt+0x1a5/0x370 net/socket.c:1972
  __do_sys_getsockopt net/socket.c:1983 [inline]
  __se_sys_getsockopt net/socket.c:1980 [inline]
  __x64_sys_getsockopt+0xbe/0x150 net/socket.c:1980
  do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
  entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4584ea
Code: b8 34 01 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 1d 8f fb ff c3 66 2e 0f  
1f 84 00 00 00 00 00 66 90 49 89 ca b8 37 00 00 00 0f 05 <48> 3d 01 f0 ff  
ff 0f 83 fa 8e fb ff c3 66 0f 1f 84 00 00 00 00 00
RSP: 002b:0000000000a3e328 EFLAGS: 00000246 ORIG_RAX: 0000000000000037
RAX: ffffffffffffffda RBX: 0000000000a3e350 RCX: 00000000004584ea
RDX: 0000000000000040 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 0000000000706f20 R08: 0000000000a3e34c R09: 0000000000004000
R10: 0000000000a3e350 R11: 0000000000000246 R12: 0000000000000003
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000706860
Modules linked in:
Dumping ftrace buffer:
    (ftrace buffer empty)
---[ end trace 9a583fc95516c106 ]---
RIP: 0010:file_write_hint include/linux/fs.h:1932 [inline]
RIP: 0010:init_sync_kiocb include/linux/fs.h:1942 [inline]
RIP: 0010:new_sync_write fs/read_write.c:470 [inline]
RIP: 0010:__vfs_write+0x4a6/0x960 fs/read_write.c:487
Code: c1 ea 03 80 3c 02 00 0f 85 1b 04 00 00 48 b8 00 00 00 00 00 fc ff df  
4c 8b 63 20 49 8d bc 24 c8 00 00 00 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84  
c0 74 08 3c 03 0f 8e ec 02 00 00 41 8b 84 24 c8 00
RSP: 0018:ffff8801ae407850 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffff8801cd88f580 RCX: ffffffff81c0d6fb
RDX: 0000000000000019 RSI: ffffffff81c0d70a RDI: 00000000000000c8
RBP: ffff8801ae4079c8 R08: ffff8801d88ee680 R09: fffffbfff130c5d9
R10: ffff8801ae407a10 R11: ffffffff89862ecb R12: 0000000000000000
R13: ffff8801ae4079a0 R14: 0000000000000000 R15: ffff8801ae407a88
FS:  000000000102f940(0000) GS:ffff8801dae00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f5f52ac0518 CR3: 00000001d8d8a000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

     prev parent reply	other threads:[~2018-06-09 15:36 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-06-07 15:19 general protection fault in __vfs_write syzbot
2018-06-07 15:28 ` Matthew Wilcox
2018-06-07 21:58   ` Alexei Starovoitov
2018-06-09 15:36 ` syzbot [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=00000000000015df96056e374691@google.com \
    --to=syzbot+7ade6c94abb2774c0fee@syzkaller.appspotmail.com \
    --cc=alexei.starovoitov@gmail.com \
    --cc=ast@kernel.org \
    --cc=daniel@iogearbox.net \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=syzkaller-bugs@googlegroups.com \
    --cc=viro@zeniv.linux.org.uk \
    --cc=willy@infradead.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.