* invalid opcode in map_vdso
From: syzbot @ 2020-09-23 9:18 UTC
To: bp, hpa, linux-kernel, luto, mingo, syzkaller-bugs, tglx, x86

Hello,

syzbot found the following issue on:

HEAD commit:    92ab97ad Merge tag 'sh-for-5.9-part2' of git://git.libc.or..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1553eff1900000
kernel config:  https://syzkaller.appspot.com/x/.config?x=cd992d74d6c7e62
dashboard link: https://syzkaller.appspot.com/bug?extid=9cf5373b0e15476f39a2
compiler:       clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+9cf5373b0e15476f39a2@syzkaller.appspotmail.com

invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 16405 Comm: modprobe Not tainted 5.9.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:map_vdso+0x1e3/0x270 arch/x86/entry/vdso/vma.c:308
Code: 16 48 89 ef 48 8b 34 24 31 c9 e8 88 7c a7 00 eb 7a 4c 8b 74 24 28 43 80 3c 3e 00 48 8b 5c 24 08 74 08 4c 89 ef e8 4d 77 70 70 <07> 20 05 00 00 49 03 6d 00 48 89 e8 48 c1 e8 03 42 80 3c 38 00 74
RSP: 0018:ffffc90006167b98 EFLAGS: 00010246
RAX: ffff8880a7db8420 RBX: ffff88809d5fd7f8 RCX: ffff8880a811a040
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffff88809d5fd740 R08: ffffffff81912471 R09: fffffbfff131e57c
R10: fffffbfff131e57c R11: 0000000000000000 R12: 00007ffea1107000
R13: ffff8880a811a468 R14: 1ffff1101502348d R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f33d09f8fc0 CR3: 0000000097210000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 load_elf_binary+0x2e90/0x48a0 fs/binfmt_elf.c:1221
 search_binary_handler fs/exec.c:1819 [inline]
 exec_binprm fs/exec.c:1860 [inline]
 bprm_execve+0x919/0x1500 fs/exec.c:1931
 kernel_execve+0x871/0x970 fs/exec.c:2080
 call_usermodehelper_exec_async+0x204/0x330 kernel/umh.c:101
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
Modules linked in:
---[ end trace 8d12c4aa58699b40 ]---
RIP: 0010:map_vdso+0x1e3/0x270 arch/x86/entry/vdso/vma.c:308
Code: 16 48 89 ef 48 8b 34 24 31 c9 e8 88 7c a7 00 eb 7a 4c 8b 74 24 28 43 80 3c 3e 00 48 8b 5c 24 08 74 08 4c 89 ef e8 4d 77 70 70 <07> 20 05 00 00 49 03 6d 00 48 89 e8 48 c1 e8 03 42 80 3c 38 00 74
RSP: 0018:ffffc90006167b98 EFLAGS: 00010246
RAX: ffff8880a7db8420 RBX: ffff88809d5fd7f8 RCX: ffff8880a811a040
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffff88809d5fd740 R08: ffffffff81912471 R09: fffffbfff131e57c
R10: fffffbfff131e57c R11: 0000000000000000 R12: 00007ffea1107000
R13: ffff8880a811a468 R14: 1ffff1101502348d R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f33d09f8fc0 CR3: 0000000097210000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
* Re: invalid opcode in map_vdso
From: Dmitry Vyukov @ 2020-09-23 9:19 UTC
To: syzbot
Cc: Borislav Petkov, H. Peter Anvin, LKML, Andy Lutomirski, Ingo Molnar, syzkaller-bugs, Thomas Gleixner, the arch/x86 maintainers, clang-built-linux

On Wed, Sep 23, 2020 at 11:18 AM syzbot <syzbot+9cf5373b0e15476f39a2@syzkaller.appspotmail.com> wrote:
>
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit:    92ab97ad Merge tag 'sh-for-5.9-part2' of git://git.libc.or..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=1553eff1900000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=cd992d74d6c7e62
> dashboard link: https://syzkaller.appspot.com/bug?extid=9cf5373b0e15476f39a2
> compiler:       clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)
>
> Unfortunately, I don't have any reproducer for this issue yet.
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+9cf5373b0e15476f39a2@syzkaller.appspotmail.com
>
> invalid opcode: 0000 [#1] PREEMPT SMP KASAN
> CPU: 0 PID: 16405 Comm: modprobe Not tainted 5.9.0-rc5-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> RIP: 0010:map_vdso+0x1e3/0x270 arch/x86/entry/vdso/vma.c:308
> Code: 16 48 89 ef 48 8b 34 24 31 c9 e8 88 7c a7 00 eb 7a 4c 8b 74 24 28 43 80 3c 3e 00 48 8b 5c 24 08 74 08 4c 89 ef e8 4d 77 70 70 <07> 20 05 00 00 49 03 6d 00 48 89 e8 48 c1 e8 03 42 80 3c 38 00 74
> RSP: 0018:ffffc90006167b98 EFLAGS: 00010246
> RAX: ffff8880a7db8420 RBX: ffff88809d5fd7f8 RCX: ffff8880a811a040
> RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
> RBP: ffff88809d5fd740 R08: ffffffff81912471 R09: fffffbfff131e57c
> R10: fffffbfff131e57c R11: 0000000000000000 R12: 00007ffea1107000
> R13: ffff8880a811a468 R14: 1ffff1101502348d R15: dffffc0000000000
> FS:  0000000000000000(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007f33d09f8fc0 CR3: 0000000097210000 CR4: 00000000001506f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
>  load_elf_binary+0x2e90/0x48a0 fs/binfmt_elf.c:1221
>  search_binary_handler fs/exec.c:1819 [inline]
>  exec_binprm fs/exec.c:1860 [inline]
>  bprm_execve+0x919/0x1500 fs/exec.c:1931
>  kernel_execve+0x871/0x970 fs/exec.c:2080
>  call_usermodehelper_exec_async+0x204/0x330 kernel/umh.c:101
>  ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
> Modules linked in:
> ---[ end trace 8d12c4aa58699b40 ]---
> RIP: 0010:map_vdso+0x1e3/0x270 arch/x86/entry/vdso/vma.c:308
> Code: 16 48 89 ef 48 8b 34 24 31 c9 e8 88 7c a7 00 eb 7a 4c 8b 74 24 28 43 80 3c 3e 00 48 8b 5c 24 08 74 08 4c 89 ef e8 4d 77 70 70 <07> 20 05 00 00 49 03 6d 00 48 89 e8 48 c1 e8 03 42 80 3c 38 00 74
> RSP: 0018:ffffc90006167b98 EFLAGS: 00010246
> RAX: ffff8880a7db8420 RBX: ffff88809d5fd7f8 RCX: ffff8880a811a040
> RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
> RBP: ffff88809d5fd740 R08: ffffffff81912471 R09: fffffbfff131e57c
> R10: fffffbfff131e57c R11: 0000000000000000 R12: 00007ffea1107000
> R13: ffff8880a811a468 R14: 1ffff1101502348d R15: dffffc0000000000
> FS:  0000000000000000(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007f33d09f8fc0 CR3: 0000000097210000 CR4: 00000000001506f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

+clang-built-linux

Looks like another one with kernel code overwrite in clang build.
* Re: invalid opcode in map_vdso
From: Borislav Petkov @ 2020-09-23 10:30 UTC
To: Dmitry Vyukov
Cc: syzbot, H. Peter Anvin, LKML, Andy Lutomirski, Ingo Molnar, syzkaller-bugs, Thomas Gleixner, the arch/x86 maintainers, clang-built-linux

On Wed, Sep 23, 2020 at 11:19:40AM +0200, Dmitry Vyukov wrote:
> +clang-built-linux
> Looks like another one with kernel code overwrite in clang build.

Uuh, that's a nice and refreshing one - the pattern is not zeroes this
time

Code: 16 48 89 ef 48 8b 34 24 31 c9 e8 88 7c a7 00 eb 7a 4c 8b 74 24 28 43 80 3c 3e 00 48 8b 5c 24 08 74 08 4c 89 ef e8 4d 77 70 70 <07> 20 05 00 00 49 03 6d 00 48 89 e8 48 c1 e8 03 42 80 3c 38 00 74
All code
========
   0:   16                      (bad)
   1:   48 89 ef                mov    %rbp,%rdi
   4:   48 8b 34 24             mov    (%rsp),%rsi
   8:   31 c9                   xor    %ecx,%ecx
   a:   e8 88 7c a7 00          callq  0xa77c97
   f:   eb 7a                   jmp    0x8b
  11:   4c 8b 74 24 28          mov    0x28(%rsp),%r14
  16:   43 80 3c 3e 00          cmpb   $0x0,(%r14,%r15,1)
  1b:   48 8b 5c 24 08          mov    0x8(%rsp),%rbx
  20:   74 08                   je     0x2a
  22:   4c 89 ef                mov    %r13,%rdi
  25:   e8 4d 77 70 70          callq  0x70707777
  2a:*  07                      (bad)           <-- trapping instruction
  2b:   20 05 00 00 49 03       and    %al,0x3490000(%rip)        # 0x3490031
  31:   6d                      insl   (%dx),%es:(%rdi)
  32:   00 48 89                add    %cl,-0x77(%rax)
  35:   e8 48 c1 e8 03          callq  0x3e8c182
  3a:   42 80 3c 38 00          cmpb   $0x0,(%rax,%r15,1)
  3f:   74                      .byte 0x74

Code starting with the faulting instruction
===========================================
   0:   07                      (bad)
   1:   20 05 00 00 49 03       and    %al,0x3490000(%rip)        # 0x3490007
   7:   6d                      insl   (%dx),%es:(%rdi)
   8:   00 48 89                add    %cl,-0x77(%rax)
   b:   e8 48 c1 e8 03          callq  0x3e8c158
  10:   42 80 3c 38 00          cmpb   $0x0,(%rax,%r15,1)
  15:   74                      .byte 0x74

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette
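Added example, not code from this thread nor from the kernel tree: a small Python helper that does the first step of what the listing above shows, splitting an x86 oops "Code:" line into the bytes before and after the kernel's <xx> trap marker, resolving the rel32 target of the CALL that immediately precedes the fault, and checking whether the bytes at the fault are the all-zero fill that the earlier reports in this series showed. The Code: bytes are quoted from the syzbot report; the function names, the zero-fill check and the "Unable to access opcode bytes" handling are my own assumptions about how a triage script would be structured. The kernel's own scripts/decodecode goes on to feed these bytes to objdump, which is what produced the listing above.

```python
import re

# Constructed sample input: the x86 "Code:" line from the syzbot report in this
# thread. The bytes are quoted from the report; everything else here is an
# added example, not part of the kernel or of the thread.
CODE_LINE = (
    "Code: 16 48 89 ef 48 8b 34 24 31 c9 e8 88 7c a7 00 eb 7a 4c 8b 74 24 28 "
    "43 80 3c 3e 00 48 8b 5c 24 08 74 08 4c 89 ef e8 4d 77 70 70 <07> 20 05 "
    "00 00 49 03 6d 00 48 89 e8 48 c1 e8 03 42 80 3c 38 00 74"
)


def parse_code_line(line):
    """Split an x86 oops 'Code:' dump into (before, trap, after).

    'before' holds the bytes preceding the faulting instruction, 'trap' the
    first byte of the faulting instruction (the kernel prints it as <xx>) and
    'after' the bytes following it. Returns None when the kernel could not
    read the opcode bytes at all ("Code: Unable to access opcode bytes ...").
    """
    m = re.match(r"^\s*Code:\s*(.*)$", line)
    if not m:
        raise ValueError("not a Code: line")
    body = m.group(1).strip()
    if body.startswith("Unable to access opcode bytes"):
        return None
    before, trap, after = [], None, []
    for tok in body.split():
        if tok.startswith("<") and tok.endswith(">"):
            if trap is not None:
                raise ValueError("more than one <xx> marker")
            trap = int(tok[1:-1], 16)
        elif trap is None:
            before.append(int(tok, 16))
        else:
            after.append(int(tok, 16))
    if trap is None:
        raise ValueError("no <xx> trap marker in Code: line")
    return before, trap, after


def flatten(parsed):
    """Return the full byte list and the offset of the faulting byte."""
    before, trap, after = parsed
    return before + [trap] + after, len(before)


def rel32_call_target(code, at):
    """Resolve the target of an E8 rel32 CALL that starts at offset 'at'.

    Offsets are relative to the start of the dump, so the result matches the
    objdump-style listing (target = end of the 5-byte CALL + signed rel32).
    """
    if at + 5 > len(code) or code[at] != 0xE8:
        raise ValueError("no 5-byte CALL at offset %#x" % at)
    rel = int.from_bytes(bytes(code[at + 1:at + 5]), "little", signed=True)
    return (at + 5 + rel) & 0xFFFFFFFFFFFFFFFF


def looks_zero_filled(code, start, length=8):
    """True if 'length' bytes from 'start' are all zero, i.e. the code was
    overwritten with the zero pattern rather than with other data."""
    window = code[start:start + length]
    return len(window) == length and all(b == 0 for b in window)


if __name__ == "__main__":
    code, off = flatten(parse_code_line(CODE_LINE))
    print("trap at offset %#x, first byte %#04x" % (off, code[off]))
    print("CALL just before the trap goes to %#x" % rel32_call_target(code, off - 5))
    print("zero-filled at the trap:", looks_zero_filled(code, off))
```

Run on the report's line it places the trap at offset 0x2a (the kernel dumps 42 bytes before the fault and 21 after, 64 in total) and resolves the preceding CALL to 0x70707777, the same value the listing shows; the window at the fault is not zero-filled, which is the point Boris makes.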
* Re: invalid opcode in map_vdso
From: Dmitry Vyukov @ 2020-09-25 12:16 UTC
To: Borislav Petkov
Cc: syzbot, H. Peter Anvin, LKML, Andy Lutomirski, Ingo Molnar, syzkaller-bugs, Thomas Gleixner, the arch/x86 maintainers, clang-built-linux

On Wed, Sep 23, 2020 at 12:30 PM Borislav Petkov <bp@alien8.de> wrote:
>
> On Wed, Sep 23, 2020 at 11:19:40AM +0200, Dmitry Vyukov wrote:
> > +clang-built-linux
> > Looks like another one with kernel code overwrite in clang build.
>
> Uuh, that's a nice and refreshing one - the pattern is not zeroes this
> time
>
> Code: 16 48 89 ef 48 8b 34 24 31 c9 e8 88 7c a7 00 eb 7a 4c 8b 74 24 28 43 80 3c 3e 00 48 8b 5c 24 08 74 08 4c 89 ef e8 4d 77 70 70 <07> 20 05 00 00 49 03 6d 00 48 89 e8 48 c1 e8 03 42 80 3c 38 00 74
> All code
> ========
>    0:   16                      (bad)
>    1:   48 89 ef                mov    %rbp,%rdi
>    4:   48 8b 34 24             mov    (%rsp),%rsi
>    8:   31 c9                   xor    %ecx,%ecx
>    a:   e8 88 7c a7 00          callq  0xa77c97
>    f:   eb 7a                   jmp    0x8b
>   11:   4c 8b 74 24 28          mov    0x28(%rsp),%r14
>   16:   43 80 3c 3e 00          cmpb   $0x0,(%r14,%r15,1)
>   1b:   48 8b 5c 24 08          mov    0x8(%rsp),%rbx
>   20:   74 08                   je     0x2a
>   22:   4c 89 ef                mov    %r13,%rdi
>   25:   e8 4d 77 70 70          callq  0x70707777
>   2a:*  07                      (bad)           <-- trapping instruction
>   2b:   20 05 00 00 49 03       and    %al,0x3490000(%rip)        # 0x3490031
>   31:   6d                      insl   (%dx),%es:(%rdi)
>   32:   00 48 89                add    %cl,-0x77(%rax)
>   35:   e8 48 c1 e8 03          callq  0x3e8c182
>   3a:   42 80 3c 38 00          cmpb   $0x0,(%rax,%r15,1)
>   3f:   74                      .byte 0x74
>
> Code starting with the faulting instruction
> ===========================================
>    0:   07                      (bad)
>    1:   20 05 00 00 49 03       and    %al,0x3490000(%rip)        # 0x3490007
>    7:   6d                      insl   (%dx),%es:(%rdi)
>    8:   00 48 89                add    %cl,-0x77(%rax)
>    b:   e8 48 c1 e8 03          callq  0x3e8c158
>   10:   42 80 3c 38 00          cmpb   $0x0,(%rax,%r15,1)
>   15:   74                      .byte 0x74

There is strong indication that this is a manifestation of the same
problem we see in other crashes.
Let's make one canonical bug for this:

#syz dup: general protection fault in perf_misc_flags