general protection fault in ebitmap_destroy (2)

All of lore.kernel.org
 help / color / mirror / Atom feed

From: syzbot <syzbot+a57b2aff60832666fc28@syzkaller.appspotmail.com>
To: adobriyan@gmail.com, akpm@linux-foundation.org,
	dave.hansen@intel.com, eparis@parisplace.org,
	kent.overstreet@gmail.com, linux-kernel@vger.kernel.org,
	marcelo.leitner@gmail.com, nhorman@tuxdriver.com,
	paul@paul-moore.com, peter.enderborg@sony.com, pshelar@ovn.org,
	sds@tycho.nsa.gov, selinux@vger.kernel.org, shli@kernel.org,
	syzkaller-bugs@googlegroups.com, torvalds@linux-foundation.org,
	viro@zeniv.linux.org.uk, vyasevich@gmail.com,
	willy@infradead.org
Subject: general protection fault in ebitmap_destroy (2)
Date: Thu, 14 Mar 2019 13:52:06 -0700	[thread overview]
Message-ID: <0000000000006294c30584141805@google.com> (raw)

Hello,

syzbot found the following crash on:

HEAD commit:    ebc551f2 Merge tag 'nfsd-5.1' of git://linux-nfs.org/~bfie..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=105c28d7200000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f05902bca21d8935
dashboard link: https://syzkaller.appspot.com/bug?extid=a57b2aff60832666fc28
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
userspace arch: amd64
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1510bd5f200000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1405dd6f200000

The crash was bisected to:

commit acdf52d97f824019888422842757013b37441dd1
Author: Kent Overstreet <kent.overstreet@gmail.com>
Date:   Tue Mar 12 06:31:10 2019 +0000

     selinux: convert to kvmalloc

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=12b2b093200000
final crash:    https://syzkaller.appspot.com/x/report.txt?x=11b2b093200000
console output: https://syzkaller.appspot.com/x/log.txt?x=16b2b093200000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+a57b2aff60832666fc28@syzkaller.appspotmail.com
Fixes: acdf52d9 ("selinux: convert to kvmalloc")

kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 8151 Comm: syz-executor646 Not tainted 5.0.0+ #20
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011
RIP: 0010:ebitmap_destroy+0x32/0xf0 security/selinux/ss/ebitmap.c:334
Code: 49 89 fd 41 54 53 e8 6d f6 7f fe 4d 85 ed 0f 84 99 00 00 00 e8 5f f6  
7f fe 4c 89 ea 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f  
85 98 00 00 00 49 be 00 00 00 00 00 fc ff df 4d 8b
RSP: 0018:ffff8880918478c8 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffff8880a15c93e8 RCX: ffffffff82f1b92c
RDX: 0000000000000002 RSI: ffffffff82f06dd1 RDI: 0000000000000010
RBP: ffff8880918478e8 R08: ffff88807c05c080 R09: ffff88807c05c948
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000002
R13: 0000000000000010 R14: ffffed10142b92b2 R15: 0000000000000401
FS:  0000000000f65880(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000140 CR3: 000000007e591000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
  policydb_destroy+0x62c/0x7f0 security/selinux/ss/policydb.c:832
  policydb_read+0xe27/0x52c0 security/selinux/ss/policydb.c:2522
  security_load_policy+0x36d/0x1170 security/selinux/ss/services.c:2147
  sel_write_load+0x25a/0x470 security/selinux/selinuxfs.c:565
  __vfs_write+0x8d/0x110 fs/read_write.c:485
  vfs_write+0x20c/0x580 fs/read_write.c:549
  ksys_write+0xea/0x1f0 fs/read_write.c:598
  __do_sys_write fs/read_write.c:610 [inline]
  __se_sys_write fs/read_write.c:607 [inline]
  __x64_sys_write+0x73/0xb0 fs/read_write.c:607
  do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
  entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4401f9
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7  
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff  
ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fff747a42f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004401f9
RDX: 0000000000000050 RSI: 0000000020000180 RDI: 0000000000000003
RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401a80
R13: 0000000000401b10 R14: 0000000000000000 R15: 0000000000000000
Modules linked in:
---[ end trace c9a4ce516f33c859 ]---
RIP: 0010:ebitmap_destroy+0x32/0xf0 security/selinux/ss/ebitmap.c:334
Code: 49 89 fd 41 54 53 e8 6d f6 7f fe 4d 85 ed 0f 84 99 00 00 00 e8 5f f6  
7f fe 4c 89 ea 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f  
85 98 00 00 00 49 be 00 00 00 00 00 fc ff df 4d 8b
RSP: 0018:ffff8880918478c8 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffff8880a15c93e8 RCX: ffffffff82f1b92c
RDX: 0000000000000002 RSI: ffffffff82f06dd1 RDI: 0000000000000010
RBP: ffff8880918478e8 R08: ffff88807c05c080 R09: ffff88807c05c948
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000002
R13: 0000000000000010 R14: ffffed10142b92b2 R15: 0000000000000401
FS:  0000000000f65880(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000140 CR3: 000000007e591000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with  
syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches

next             reply	other threads:[~2019-03-14 20:52 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-03-14 20:52 syzbot [this message]
2019-03-21 18:58 ` general protection fault in ebitmap_destroy (2) Kent Overstreet
2019-03-21 19:01   ` Paul Moore
2019-03-21 22:20   ` syzbot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=0000000000006294c30584141805@google.com \
    --to=syzbot+a57b2aff60832666fc28@syzkaller.appspotmail.com \
    --cc=adobriyan@gmail.com \
    --cc=akpm@linux-foundation.org \
    --cc=dave.hansen@intel.com \
    --cc=eparis@parisplace.org \
    --cc=kent.overstreet@gmail.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=marcelo.leitner@gmail.com \
    --cc=nhorman@tuxdriver.com \
    --cc=paul@paul-moore.com \
    --cc=peter.enderborg@sony.com \
    --cc=pshelar@ovn.org \
    --cc=sds@tycho.nsa.gov \
    --cc=selinux@vger.kernel.org \
    --cc=shli@kernel.org \
    --cc=syzkaller-bugs@googlegroups.com \
    --cc=torvalds@linux-foundation.org \
    --cc=viro@zeniv.linux.org.uk \
    --cc=vyasevich@gmail.com \
    --cc=willy@infradead.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.