Linux block layer
* general protection fault in reset_interrupt
@ 2021-10-27  1:36 Hao Sun
From: Hao Sun @ 2021-10-27  1:36 UTC
  To: Jens Axboe, linux-block, efremov, Linux Kernel Mailing List

Hello,

When using Healer to fuzz the latest Linux kernel, the following crash
was triggered.

HEAD commit: 519d81956ee2 Linux 5.15-rc6
git tree: upstream
console output:
https://drive.google.com/file/d/1bzxncErwj8l-KA-R-jLCUajYQMReiAWX/view?usp=sharing
kernel config: https://drive.google.com/file/d/12PUnxIM1EPBgW4ZJmI7WJBRaY1lA83an/view?usp=sharing
Syzlang reproducer:
https://drive.google.com/file/d/1IOQR_MqiSkN8y0m3UjFZcP9l5QcBnCIv/view?usp=sharing

Sorry, I don't have a C reproducer for this crash; I hope the Syzlang
reproducer and symbolized report can help.
If you fix this issue, please add the following tag to the commit:
Reported-by: Hao Sun <sunhao.th@gmail.com>

floppy0: Unable to send byte 6f to FDC. Fdc=0 Status=d0

floppy driver state
-------------------
now=4295008404 last interrupt=4295008403 diff=1 last called
handler=reset_interrupt
timeout_message=floppy start
last output bytes:
10 90 4294978780
 7 80 4294978780
 0 90 4294978780
 8 80 4294978780
 f 80 4294978780
 0 90 4294978780
 1 90 4294978780
 8 80 4294978780
 4 80 4294978785
 0 90 4294978785
 f 80 4294978785
 0 90 4294978785
 8 80 4294978785
 0 90 4294978785
d8 80 4295008402
 8 80 4295008403
 8 80 4295008403
 8 80 4295008403
 8 80 4295008403
d8 80 4295008404
last result at 4295008403
last redo_fd_request at 4295008403
status=d0
fdc_busy=1
floppy_work.func=floppy_work_workfn
timer_function=ffffffff8476f5f0 expires=298
cont=ffffffff89fe0d80
current_req=0000000000000000
command_status=-1

general protection fault, probably for non-canonical address
0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
CPU: 1 PID: 10 Comm: kworker/u8:1 Not tainted 5.15.0-rc6 #4
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.13.0-1ubuntu1.1 04/01/2014
Workqueue: floppy floppy_work_workfn
RIP: 0010:reset_interrupt+0xef/0x140 drivers/block/floppy.c:1792
Code: fc 84 db 0f 85 71 58 8e 04 e8 4d 4d ff fc 48 8b 1d 86 47 db 0b
48 b8 00 00 00 00 00 fc ff df 48 8d 7b 08 48 89 fa 48 c1 ea 03 <80> 3c
02 00 75 40 48 8b 43 08 5b ff e0 e8 0f dd 46 fd eb a8 e8 08
RSP: 0018:ffffc900006d7d28 EFLAGS: 00010212
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffff8880118d9c80
RDX: 0000000000000001 RSI: ffff8880118d9c80 RDI: 0000000000000008
RBP: ffffffff8c482f00 R08: ffffffff84771173 R09: 0000000000000000
R10: 0000000000000001 R11: fffffbfff1adb1ba R12: ffffc900006d7dc8
R13: ffffffff8c482f10 R14: ffff888011968000 R15: ffff888010c71800
FS:  0000000000000000(0000) GS:ffff888135c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f3397e36db8 CR3: 0000000020a83000 CR4: 0000000000350ee0
Call Trace:
 process_one_work+0x9df/0x16d0 kernel/workqueue.c:2297
 worker_thread+0x90/0xed0 kernel/workqueue.c:2444
 kthread+0x3e5/0x4d0 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
Modules linked in:
Dumping ftrace buffer:
   (ftrace buffer empty)
---[ end trace 24ebcf9665bb7032 ]---
RIP: 0010:reset_interrupt+0xef/0x140 drivers/block/floppy.c:1792
Code: fc 84 db 0f 85 71 58 8e 04 e8 4d 4d ff fc 48 8b 1d 86 47 db 0b
48 b8 00 00 00 00 00 fc ff df 48 8d 7b 08 48 89 fa 48 c1 ea 03 <80> 3c
02 00 75 40 48 8b 43 08 5b ff e0 e8 0f dd 46 fd eb a8 e8 08
RSP: 0018:ffffc900006d7d28 EFLAGS: 00010212
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffff8880118d9c80
RDX: 0000000000000001 RSI: ffff8880118d9c80 RDI: 0000000000000008
RBP: ffffffff8c482f00 R08: ffffffff84771173 R09: 0000000000000000
R10: 0000000000000001 R11: fffffbfff1adb1ba R12: ffffc900006d7dc8
R13: ffffffff8c482f10 R14: ffff888011968000 R15: ffff888010c71800
FS:  0000000000000000(0000) GS:ffff888063f00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000100000000 CR3: 00000000277d1000 CR4: 0000000000350ee0
----------------
Code disassembly (best guess):
   0: fc                    cld
   1: 84 db                test   %bl,%bl
   3: 0f 85 71 58 8e 04    jne    0x48e587a
   9: e8 4d 4d ff fc        callq  0xfcff4d5b
   e: 48 8b 1d 86 47 db 0b mov    0xbdb4786(%rip),%rbx        # 0xbdb479b
  15: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
  1c: fc ff df
  1f: 48 8d 7b 08          lea    0x8(%rbx),%rdi
  23: 48 89 fa              mov    %rdi,%rdx
  26: 48 c1 ea 03          shr    $0x3,%rdx
* 2a: 80 3c 02 00          cmpb   $0x0,(%rdx,%rax,1) <-- trapping instruction
  2e: 75 40                jne    0x70
  30: 48 8b 43 08          mov    0x8(%rbx),%rax
  34: 5b                    pop    %rbx
  35: ff e0                jmpq   *%rax
  37: e8 0f dd 46 fd        callq  0xfd46dd4b
  3c: eb a8                jmp    0xffffffe6
  3e: e8                    .byte 0xe8
  3f: 08                    .byte 0x8


* general protection fault in reset_interrupt
@ 2023-09-12 23:03 Sanan Hasanov
From: Sanan Hasanov @ 2023-09-12 23:03 UTC
  To: efremov@linux.com, axboe@kernel.dk, linux-block@vger.kernel.org,
	linux-kernel@vger.kernel.org
  Cc: syzkaller@googlegroups.com, contact@pgazz.com

Good day, dear maintainers,

We found a bug using a modified kernel configuration file used by syzbot.

We enhanced the coverage of the configuration file using our tool, klocalizer.

Kernel Branch: 6.3.0-next-20230426
Kernel Config: https://drive.google.com/file/d/1KvqI7fZne2h3Kd3DpmOLyPGpSEdUBc2E/view?usp=sharing
Reproducer: https://drive.google.com/file/d/1jzcFNmZ3cprWLTyPYdUhI6rXHT4DuP-3/view?usp=sharing
Thank you!

Best regards,
Sanan Hasanov

cont=00000000cd5131b6
current_req=0000000000000000
command_status=-1
floppy0: floppy timeout called
floppy0: floppy_shutdown: timeout handler died.  
general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
CPU: 1 PID: 24572 Comm: kworker/u16:64 Not tainted 6.3.0-next-20230426 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Workqueue: floppy floppy_work_workfn
RIP: 0010:reset_interrupt+0xf7/0x230 drivers/block/floppy.c:1792
Code: fc 84 db 0f 85 83 00 00 00 e8 45 9a cc fc 48 8b 1d ae 3c fa 0b 48 b8 00 00 00 00 00 fc ff df 48 8d 7b 08 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 f9 00 00 00 48 8b 43 08 5b ff e0 e8 13 9a cc fc
RSP: 0018:ffffc9000883fd10 EFLAGS: 00010212
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000001 RSI: ffffffff84b4edeb RDI: 0000000000000008
RBP: ffffffff8c927000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000400
R13: ffffc9000883fdb0 R14: ffff88810ef3f800 R15: ffff888100089000
FS:  0000000000000000(0000) GS:ffff888119c80000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fb088bbc000 CR3: 000000010d7fe000 CR4: 0000000000350ee0
Call Trace:
 <TASK>
 process_one_work+0x993/0x15e0 kernel/workqueue.c:2405
 worker_thread+0x67d/0x10c0 kernel/workqueue.c:2552
 kthread+0x33e/0x440 kernel/kthread.c:379
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:reset_interrupt+0xf7/0x230 drivers/block/floppy.c:1792
Code: fc 84 db 0f 85 83 00 00 00 e8 45 9a cc fc 48 8b 1d ae 3c fa 0b 48 b8 00 00 00 00 00 fc ff df 48 8d 7b 08 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 f9 00 00 00 48 8b 43 08 5b ff e0 e8 13 9a cc fc
RSP: 0018:ffffc9000883fd10 EFLAGS: 00010212
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000001 RSI: ffffffff84b4edeb RDI: 0000000000000008
RBP: ffffffff8c927000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000400
R13: ffffc9000883fdb0 R14: ffff88810ef3f800 R15: ffff888100089000
FS:  0000000000000000(0000) GS:ffff888119c80000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fb088bbc000 CR3: 000000010d7fe000 CR4: 0000000000350ee0
----------------
Code disassembly (best guess):
   0:   fc                      cld
   1:   84 db                   test   %bl,%bl
   3:   0f 85 83 00 00 00       jne    0x8c
   9:   e8 45 9a cc fc          call   0xfccc9a53
   e:   48 8b 1d ae 3c fa 0b    mov    0xbfa3cae(%rip),%rbx        # 0xbfa3cc3
  15:   48 b8 00 00 00 00 00    movabs $0xdffffc0000000000,%rax
  1c:   fc ff df
  1f:   48 8d 7b 08             lea    0x8(%rbx),%rdi
  23:   48 89 fa                mov    %rdi,%rdx
  26:   48 c1 ea 03             shr    $0x3,%rdx
* 2a:   80 3c 02 00             cmpb   $0x0,(%rdx,%rax,1) <-- trapping instruction
  2e:   0f 85 f9 00 00 00       jne    0x12d
  34:   48 8b 43 08             mov    0x8(%rbx),%rax
  38:   5b                      pop    %rbx
  39:   ff e0                   jmp    *%rax
  3b:   e8 13 9a cc fc          call   0xfccc9a53


* Re: general protection fault in reset_interrupt
@ 2023-09-13  2:13 ` Jens Axboe
From: Jens Axboe @ 2023-09-13  2:13 UTC
  To: Sanan Hasanov
  Cc: efremov@linux.com, linux-block@vger.kernel.org,
	linux-kernel@vger.kernel.org, syzkaller@googlegroups.com,
	contact@pgazz.com

https://lore.kernel.org/all/7df3e30a-aa31-495c-9d59-cb6080364f61@kernel.dk/

-- 
Jens Axboe



* general protection fault in reset_interrupt
@ 2026-06-26 21:29 sanan.hasanou
From: sanan.hasanou @ 2026-06-26 21:29 UTC
  To: efremov, axboe, linux-block, linux-kernel; +Cc: syzkaller, contact

Good day, dear maintainers,

We found a bug using a modified version of syzkaller.

Kernel Branch: 7.0-rc1
Kernel Config: <https://drive.google.com/open?id=1pfjd_xagvCCoLD4kK7OQIvvdEBYpavwn>
Unfortunately, we don't have any reproducer for this bug yet.
Thank you!

Best regards,
Sanan Hasanov

floppy0: floppy_shutdown: timeout handler died.  
floppy0: get result error. Fdc=0 Last status=ffffffff Read bytes=0
floppy driver state
-------------------
now=4294939504 last interrupt=4294939495 diff=9 last called handler=reset_interrupt
timeout_message=do wakeup
last output bytes:
 0  0 0
 0  0 0
 0  0 0
 0  0 0
 0  0 0
 0  0 0
 8 80 4294938128
 8 80 4294938128
 8 80 4294938128
 8 80 4294938128
 e 80 4294938128
13 80 4294938128
 0 90 4294938128
1a 90 4294938128
 0 90 4294938128
12 80 4294938128
 0 90 4294938128
14 80 4294938128
18 80 4294938128
 8 80 4294939495
last result at 4294939495
last redo_fd_request at 4294939495
status=d0
fdc_busy=0
cont=0000000000000000
current_req=0000000000000000
command_status=-1
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
CPU: 1 UID: 0 PID: 39 Comm: kworker/u8:3 Not tainted 7.0.0-rc1 #1 PREEMPT(full) 
Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Workqueue: floppy floppy_work_workfn
RIP: 0010:reset_interrupt+0x136/0x1b0 drivers/block/floppy.c:1790
Code: 62 8d 48 c7 c2 60 ff b9 8b e8 86 98 22 fb e9 3e ff ff ff e8 9c 23 c7 fb 48 8b 1d c5 52 d5 0d 48 83 c3 10 48 89 d8 48 c1 e8 03 <42> 80 3c 30 00 74 08 48 89 df e8 6b d4 32 fc 48 8b 33 48 c7 c7 80
RSP: 0018:ffffc90000297ab0 EFLAGS: 00010212
RAX: 0000000000000002 RBX: 0000000000000010 RCX: ffff888015b53a00
RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000000
RBP: ffffc90000297ac0 R08: ffffffff8f76bd77 R09: 1ffffffff1eed7ae
R10: dffffc0000000000 R11: fffffbfff1eed7af R12: ffff888015718818
R13: ffffffff819609fe R14: dffffc0000000000 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff8880dbbbb000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000000db2b000 CR4: 00000000000006f0
Call Trace:
 <TASK>
 floppy_work_workfn+0x18/0x20 drivers/block/floppy.c:993
 process_one_work kernel/workqueue.c:3275 [inline]
 process_scheduled_works+0xa30/0x13d0 kernel/workqueue.c:3358
 worker_thread+0xacb/0x1060 kernel/workqueue.c:3439
 kthread+0x388/0x470 kernel/kthread.c:467
 ret_from_fork+0x5e4/0xb90 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:245
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:reset_interrupt+0x136/0x1b0 drivers/block/floppy.c:1790
Code: 62 8d 48 c7 c2 60 ff b9 8b e8 86 98 22 fb e9 3e ff ff ff e8 9c 23 c7 fb 48 8b 1d c5 52 d5 0d 48 83 c3 10 48 89 d8 48 c1 e8 03 <42> 80 3c 30 00 74 08 48 89 df e8 6b d4 32 fc 48 8b 33 48 c7 c7 80
RSP: 0018:ffffc90000297ab0 EFLAGS: 00010212
RAX: 0000000000000002 RBX: 0000000000000010 RCX: ffff888015b53a00
RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000000
RBP: ffffc90000297ac0 R08: ffffffff8f76bd77 R09: 1ffffffff1eed7ae
R10: dffffc0000000000 R11: fffffbfff1eed7af R12: ffff888015718818
R13: ffffffff819609fe R14: dffffc0000000000 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff8880dbbbb000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000000db2b000 CR4: 00000000000006f0
----------------
Code disassembly (best guess), 1 bytes skipped:
   0:	8d 48 c7             	lea    -0x39(%rax),%ecx
   3:	c2 60 ff             	ret    $0xff60
   6:	b9 8b e8 86 98       	mov    $0x9886e88b,%ecx
   b:	22 fb                	and    %bl,%bh
   d:	e9 3e ff ff ff       	jmp    0xffffff50
  12:	e8 9c 23 c7 fb       	call   0xfbc723b3
  17:	48 8b 1d c5 52 d5 0d 	mov    0xdd552c5(%rip),%rbx        # 0xdd552e3
  1e:	48 83 c3 10          	add    $0x10,%rbx
  22:	48 89 d8             	mov    %rbx,%rax
  25:	48 c1 e8 03          	shr    $0x3,%rax
* 29:	42 80 3c 30 00       	cmpb   $0x0,(%rax,%r14,1) <-- trapping instruction
  2e:	74 08                	je     0x38
  30:	48 89 df             	mov    %rbx,%rdi
  33:	e8 6b d4 32 fc       	call   0xfc32d4a3
  38:	48 8b 33             	mov    (%rbx),%rsi
  3b:	48                   	rex.W
  3c:	c7                   	.byte 0xc7
  3d:	c7                   	.byte 0xc7
  3e:	80                   	.byte 0x80

<<<<<<<<<<<<<<< tail report >>>>>>>>>>>>>>>
