From: syzbot <syzbot+2e65930fda17880da336@syzkaller.appspotmail.com>
To: eadavis@qq.com, linux-kernel@vger.kernel.org,
	 syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [kernel?] general protection fault in proc_sys_call_handler
Date: Fri, 03 Jan 2025 19:25:02 -0800	[thread overview]
Message-ID: <6778aa0e.050a0220.3b53b0.0044.GAE@google.com> (raw)
In-Reply-To: <tencent_BE9E161B894B5E1B5E25CABA5ABB7D33EB08@qq.com>

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in proc_sys_call_handler

tab: ffffffff8de3a458, data: ffffffff90028ec5, procname: domainname, proc_do_uts_string
tab: ffffffff8de3a458, data: ffffffff90028ec5, proc_sys_call_handler
tab: ffffffff8de3a458, data: ffffffff90028ec5, procname: domainname, proc_do_uts_string
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
CPU: 1 UID: 0 PID: 6417 Comm: syz-executor Not tainted 6.12.0-syzkaller-10299-gdcb6ff6bb369 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
RIP: 0010:get_uts kernel/utsname_sysctl.c:23 [inline]
RIP: 0010:proc_do_uts_string+0x1ee/0x5d0 kernel/utsname_sysctl.c:54
Code: 48 c1 ee 03 80 3c 0e 00 0f 85 6a 03 00 00 48 8b 92 08 09 00 00 48 b9 00 00 00 00 00 fc ff df 48 8d 7a 08 48 89 fe 48 c1 ee 03 <80> 3c 0e 00 0f 85 28 03 00 00 48 be 00 00 00 00 00 fc ff df 48 2d
RSP: 0018:ffffc90003657468 EFLAGS: 00010202
RAX: ffffffff90028ec5 RBX: ffffffff8de3a458 RCX: dffffc0000000000
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000008
RBP: 1ffff920006cae92 R08: 0000000000000001 R09: fffffbfff1b8e045
R10: ffffffff8dc7022f R11: 0000000000000002 R12: 0000000000000001
R13: ffffc900036574c0 R14: ffffffff8de3a460 R15: ffffc90003657520
FS:  0000000000000000(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055e8f20af048 CR3: 0000000034d8c000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 proc_sys_call_handler+0x441/0x610 fs/proc/proc_sysctl.c:602
 __kernel_write_iter+0x318/0xa80 fs/read_write.c:612
 __kernel_write+0xf6/0x140 fs/read_write.c:632
 do_acct_process+0xcb0/0x14a0 kernel/acct.c:539
 acct_pin_kill+0x2d/0x100 kernel/acct.c:192
 pin_kill+0x194/0x7c0 fs/fs_pin.c:44
 mnt_pin_kill+0x61/0x1e0 fs/fs_pin.c:81
 cleanup_mnt+0x3ac/0x450 fs/namespace.c:1366
 task_work_run+0x14e/0x250 kernel/task_work.c:239
 exit_task_work include/linux/task_work.h:43 [inline]
 do_exit+0xadd/0x2d70 kernel/exit.c:938
 do_group_exit+0xd3/0x2a0 kernel/exit.c:1087
 get_signal+0x2576/0x2610 kernel/signal.c:3016
 arch_do_signal_or_restart+0x90/0x7e0 arch/x86/kernel/signal.c:337
 exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
 syscall_exit_to_user_mode+0x150/0x2a0 kernel/entry/common.c:218
 do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f47f6787c47
Code: Unable to access opcode bytes at 0x7f47f6787c1d.
RSP: 002b:00007ffe11e12818 EFLAGS: 00000202 ORIG_RAX: 0000000000000029
RAX: 0000000000000003 RBX: 0000000000000003 RCX: 00007f47f6787c47
RDX: 0000000000000006 RSI: 0000000000000001 RDI: 0000000000000002
RBP: 00007ffe11e12efc R08: 00007ffe11e1280c R09: 00007ffe11e12c17
R10: 00007ffe11e12890 R11: 0000000000000202 R12: 0000000000000032
R13: 000000000002677e R14: 00007ffe11e12f50 R15: 0000000000000258
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:get_uts kernel/utsname_sysctl.c:23 [inline]
RIP: 0010:proc_do_uts_string+0x1ee/0x5d0 kernel/utsname_sysctl.c:54
Code: 48 c1 ee 03 80 3c 0e 00 0f 85 6a 03 00 00 48 8b 92 08 09 00 00 48 b9 00 00 00 00 00 fc ff df 48 8d 7a 08 48 89 fe 48 c1 ee 03 <80> 3c 0e 00 0f 85 28 03 00 00 48 be 00 00 00 00 00 fc ff df 48 2d
RSP: 0018:ffffc90003657468 EFLAGS: 00010202
RAX: ffffffff90028ec5 RBX: ffffffff8de3a458 RCX: dffffc0000000000
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000008
RBP: 1ffff920006cae92 R08: 0000000000000001 R09: fffffbfff1b8e045
R10: ffffffff8dc7022f R11: 0000000000000002 R12: 0000000000000001
R13: ffffc900036574c0 R14: ffffffff8de3a460 R15: ffffc90003657520
FS:  0000000000000000(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f27a1ca7d60 CR3: 0000000034d8c000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	48 c1 ee 03          	shr    $0x3,%rsi
   4:	80 3c 0e 00          	cmpb   $0x0,(%rsi,%rcx,1)
   8:	0f 85 6a 03 00 00    	jne    0x378
   e:	48 8b 92 08 09 00 00 	mov    0x908(%rdx),%rdx
  15:	48 b9 00 00 00 00 00 	movabs $0xdffffc0000000000,%rcx
  1c:	fc ff df
  1f:	48 8d 7a 08          	lea    0x8(%rdx),%rdi
  23:	48 89 fe             	mov    %rdi,%rsi
  26:	48 c1 ee 03          	shr    $0x3,%rsi
* 2a:	80 3c 0e 00          	cmpb   $0x0,(%rsi,%rcx,1) <-- trapping instruction
  2e:	0f 85 28 03 00 00    	jne    0x35c
  34:	48 be 00 00 00 00 00 	movabs $0xdffffc0000000000,%rsi
  3b:	fc ff df
  3e:	48                   	rex.W
  3f:	2d                   	.byte 0x2d


Tested on:

commit:         dcb6ff6b utsname: debug ctl table for domainname
git tree:       https://github.com/ea1davis/linux proc/syz
console output: https://syzkaller.appspot.com/x/log.txt?x=141938b0580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=e8d97faf7b870c89
dashboard link: https://syzkaller.appspot.com/bug?extid=2e65930fda17880da336
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

Note: no patches were applied.
