From: syzbot <syzbot+2e65930fda17880da336@syzkaller.appspotmail.com>
To: eadavis@qq.com, linux-kernel@vger.kernel.org,
syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [kernel?] general protection fault in proc_sys_call_handler
Date: Fri, 03 Jan 2025 21:54:02 -0800
Message-ID: <6778ccfa.050a0220.7f35c.0003.GAE@google.com>
In-Reply-To: <tencent_DA5DEE991DCFA60DB425950D991255DDF807@qq.com>
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in proc_sys_call_handler
nsp: ffff888032f4d340, get_uts
nsp: ffff888032f4d340, get_uts
write buf: \x13\x03, count: 64, tab: ffffffff8de3a458, proc_sys_call_handler
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000028: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000140-0x0000000000000147]
CPU: 0 UID: 0 PID: 6593 Comm: syz-executor Not tainted 6.12.0-syzkaller-10299-g5009ba366804 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
RIP: 0010:proc_do_uts_string+0x1f1/0x610 kernel/utsname_sysctl.c:54
Code: 03 00 00 4d 8b 76 08 e8 8d b1 fe ff 48 8b 04 24 48 be 00 00 00 00 00 fc ff df 48 2d 80 8d 02 90 4c 01 f0 48 89 c2 48 c1 ea 03 <0f> b6 0c 32 48 8d 50 40 48 89 d7 48 c1 ef 03 0f b6 34 37 48 89 c7
RSP: 0018:ffffc90003e6f468 EFLAGS: 00010207
RAX: 0000000000000145 RBX: 1ffff920007cde92 RCX: 1ffff110052538a1
RDX: 0000000000000028 RSI: dffffc0000000000 RDI: ffff88802929c508
RBP: ffffffff8de3a458 R08: 0000000000000001 R09: fffffbfff1b8e045
R10: ffffffff8dc7022f R11: 0000000000000002 R12: 0000000000000001
R13: ffffc90003e6f520 R14: 0000000000000000 R15: ffffffff8de3a460
FS: 0000000000000000(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000562a01053200 CR3: 000000007a9a2000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
proc_sys_call_handler+0x424/0x5f0 fs/proc/proc_sysctl.c:602
__kernel_write_iter+0x318/0xa80 fs/read_write.c:612
__kernel_write+0xf6/0x140 fs/read_write.c:632
do_acct_process+0xcb0/0x14a0 kernel/acct.c:539
acct_pin_kill+0x2d/0x100 kernel/acct.c:192
pin_kill+0x194/0x7c0 fs/fs_pin.c:44
mnt_pin_kill+0x61/0x1e0 fs/fs_pin.c:81
cleanup_mnt+0x3ac/0x450 fs/namespace.c:1366
task_work_run+0x14e/0x250 kernel/task_work.c:239
exit_task_work include/linux/task_work.h:43 [inline]
do_exit+0xadd/0x2d70 kernel/exit.c:938
do_group_exit+0xd3/0x2a0 kernel/exit.c:1087
get_signal+0x2576/0x2610 kernel/signal.c:3016
arch_do_signal_or_restart+0x90/0x7e0 arch/x86/kernel/signal.c:337
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0x150/0x2a0 kernel/entry/common.c:218
do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f810a587a6a
Code: Unable to access opcode bytes at 0x7f810a587a40.
RSP: 002b:00007ffcd4dfd8c8 EFLAGS: 00000212 ORIG_RAX: 0000000000000037
RAX: 0000000000000000 RBX: 00007ffcd4dfd950 RCX: 00007f810a587a6a
RDX: 0000000000000041 RSI: 0000000000000029 RDI: 0000000000000003
RBP: 0000000000000003 R08: 00007ffcd4dfd8ec R09: 0079746972756365
R10: 00007ffcd4dfd950 R11: 0000000000000212 R12: 00007f810a747a00
R13: 00007ffcd4dfd8ec R14: 0000000000000000 R15: 00007f810a748e40
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:proc_do_uts_string+0x1f1/0x610 kernel/utsname_sysctl.c:54
Code: 03 00 00 4d 8b 76 08 e8 8d b1 fe ff 48 8b 04 24 48 be 00 00 00 00 00 fc ff df 48 2d 80 8d 02 90 4c 01 f0 48 89 c2 48 c1 ea 03 <0f> b6 0c 32 48 8d 50 40 48 89 d7 48 c1 ef 03 0f b6 34 37 48 89 c7
RSP: 0018:ffffc90003e6f468 EFLAGS: 00010207
RAX: 0000000000000145 RBX: 1ffff920007cde92 RCX: 1ffff110052538a1
RDX: 0000000000000028 RSI: dffffc0000000000 RDI: ffff88802929c508
RBP: ffffffff8de3a458 R08: 0000000000000001 R09: fffffbfff1b8e045
R10: ffffffff8dc7022f R11: 0000000000000002 R12: 0000000000000001
R13: ffffc90003e6f520 R14: 0000000000000000 R15: ffffffff8de3a460
FS: 0000000000000000(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000562a00fcac40 CR3: 000000007c1d4000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 03 00 add (%rax),%eax
2: 00 4d 8b add %cl,-0x75(%rbp)
5: 76 08 jbe 0xf
7: e8 8d b1 fe ff call 0xfffeb199
c: 48 8b 04 24 mov (%rsp),%rax
10: 48 be 00 00 00 00 00 movabs $0xdffffc0000000000,%rsi
17: fc ff df
1a: 48 2d 80 8d 02 90 sub $0xffffffff90028d80,%rax
20: 4c 01 f0 add %r14,%rax
23: 48 89 c2 mov %rax,%rdx
26: 48 c1 ea 03 shr $0x3,%rdx
* 2a: 0f b6 0c 32 movzbl (%rdx,%rsi,1),%ecx <-- trapping instruction
2e: 48 8d 50 40 lea 0x40(%rax),%rdx
32: 48 89 d7 mov %rdx,%rdi
35: 48 c1 ef 03 shr $0x3,%rdi
39: 0f b6 34 37 movzbl (%rdi,%rsi,1),%esi
3d: 48 89 c7 mov %rax,%rdi
Tested on:
commit: 5009ba36 utsname: debug ctl table for domainname
git tree: https://github.com/ea1davis/linux proc/syz
console output: https://syzkaller.appspot.com/x/log.txt?x=123366f8580000
kernel config: https://syzkaller.appspot.com/x/.config?x=e8d97faf7b870c89
dashboard link: https://syzkaller.appspot.com/bug?extid=2e65930fda17880da336
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
Note: no patches were applied.
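The oops above is a KASAN-instrumented NULL dereference, and the two addresses it prints are related by a fixed formula that is worth being able to reproduce by hand when triaging syzbot reports. The trapping instruction is the shadow-byte load `movzbl (%rdx,%rsi,1)`, where %rsi holds the x86-64 KASAN shadow offset 0xdffffc0000000000 and %rdx holds the faulting pointer shifted right by 3; with RAX = 0x145 that yields the "non-canonical address" 0xdffffc0000000028, which KASAN maps back to the 8-byte range [0x140-0x147] and classifies as null-ptr-deref because it lies below PAGE_SIZE. The following C program is an added example, not code from the syzbot report or the kernel tree: it implements that decoding and checks it against the register values quoted in the trace. The KASAN constants mirror arch/x86 (shadow offset, scale shift 3), the bug-type thresholds mirror the kernel's classification of faults outside any tracked object (PAGE_SIZE and a TASK_SIZE value assumed for 4-level paging), and `struct new_utsname` reproduces the UAPI layout of six 65-byte fields; the observation that RAX equals the offset of `domainname` within that struct is derived here from the trace and the subject of the tested commit, and is an interpretation, not a statement from the report.

```c
/*
 * Added example (not from the syzbot report or the kernel tree): decode the
 * KASAN shadow address and registers quoted in the oops above.
 * Assumed constants: x86-64 KASAN shadow offset/scale, PAGE_SIZE 4096,
 * TASK_SIZE for 4-level paging, and the UAPI layout of struct new_utsname.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KASAN_SHADOW_OFFSET      0xdffffc0000000000ULL  /* x86-64 */
#define KASAN_SHADOW_SCALE_SHIFT 3                      /* 1 shadow byte per 8 bytes */
#define KASAN_GRANULE            (1ULL << KASAN_SHADOW_SCALE_SHIFT)
#define PAGE_SIZE                4096ULL
#define TASK_SIZE_MAX            0x00007ffffffff000ULL  /* assumed: x86-64, 4-level paging */

/* Address of the shadow byte an instrumented access consults for `addr`.
   This is exactly what the trapping movzbl computes: (addr >> 3) + offset. */
uint64_t kasan_mem_to_shadow(uint64_t addr)
{
    return (addr >> KASAN_SHADOW_SCALE_SHIFT) + KASAN_SHADOW_OFFSET;
}

/* Inverse mapping: start of the 8-byte granule covered by a shadow byte. */
uint64_t kasan_shadow_to_mem(uint64_t shadow)
{
    return (shadow - KASAN_SHADOW_OFFSET) << KASAN_SHADOW_SCALE_SHIFT;
}

/* Label KASAN prints for a fault that hits no tracked object
   (mirrors the kernel's wild-access classification, thresholds assumed). */
const char *kasan_wild_bug_type(uint64_t addr)
{
    if (addr < PAGE_SIZE)
        return "null-ptr-deref";
    if (addr < TASK_SIZE_MAX)
        return "user-memory-access";
    return "wild-memory-access";
}

struct kasan_decoded {
    uint64_t start, end;   /* access range as printed: "in range [start-end]" */
    const char *type;
};

/* Turn the "non-canonical address" from a #GP into the KASAN report line. */
struct kasan_decoded kasan_decode(uint64_t bad_shadow)
{
    struct kasan_decoded d;
    d.start = kasan_shadow_to_mem(bad_shadow);
    d.end = d.start + KASAN_GRANULE - 1;
    d.type = kasan_wild_bug_type(d.start);
    return d;
}

/* UAPI layout of struct new_utsname (include/uapi/linux/utsname.h). */
#define NEW_UTS_LEN 64
struct new_utsname {
    char sysname[NEW_UTS_LEN + 1];
    char nodename[NEW_UTS_LEN + 1];
    char release[NEW_UTS_LEN + 1];
    char version[NEW_UTS_LEN + 1];
    char machine[NEW_UTS_LEN + 1];
    char domainname[NEW_UTS_LEN + 1];
};

int main(void)
{
    /* Values copied from the oops above. */
    const uint64_t gp_addr = 0xdffffc0000000028ULL;   /* "non-canonical address" */
    const uint64_t rax = 0x145, rdx = 0x28, rsi = 0xdffffc0000000000ULL;

    struct kasan_decoded d = kasan_decode(gp_addr);
    printf("shadow %#llx -> KASAN: %s in range [%#018llx-%#018llx]\n",
           (unsigned long long)gp_addr, d.type,
           (unsigned long long)d.start, (unsigned long long)d.end);

    /* The trapping movzbl (%rdx,%rsi,1) reads shadow(rax): rdx == rax >> 3. */
    printf("rdx+rsi = %#llx, shadow(rax) = %#llx, rax>>3 == rdx: %s\n",
           (unsigned long long)(rdx + rsi),
           (unsigned long long)kasan_mem_to_shadow(rax),
           (rax >> KASAN_SHADOW_SCALE_SHIFT) == rdx ? "yes" : "no");

    /* Interpretation: rax is table->data rebased onto a NULL uts namespace,
       i.e. the field offset inside struct new_utsname. */
    printf("rax = %#llx, offsetof(new_utsname, domainname) = %#zx\n",
           (unsigned long long)rax, offsetof(struct new_utsname, domainname));
    return 0;
}
```

Running it reproduces the two numbers in the report from each other: shadow(0x145) is 0xdffffc0000000028, that shadow byte covers [0x140-0x147], and 0x145 is the offset of `domainname` in `struct new_utsname`, consistent with the tested commit's subject and with %r14 (the namespace pointer added to %rax just before the trap) being zero.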
Thread overview: 12+ messages
2025-01-04 1:20 [syzbot] [kernel?] general protection fault in proc_sys_call_handler syzbot
2025-01-04 3:10 ` Edward Adam Davis
2025-01-04 3:25 ` syzbot
2025-01-04 4:32 ` Edward Adam Davis
2025-01-04 4:49 ` syzbot
2025-01-04 5:12 ` Edward Adam Davis
2025-01-04 5:27 ` syzbot
2025-01-04 5:39 ` Edward Adam Davis
2025-01-04 5:54 ` syzbot [this message]
2025-01-04 6:00 ` Edward Adam Davis
2025-01-04 6:21 ` syzbot
2025-01-04 12:21 ` [PATCH] utsname: Prevents using NULL value nsproxy Edward Adam Davis