syzbot


general protection fault in __vb2_queue_free

Status: upstream: reported C repro on 2019/06/16 16:22
Reported-by: syzbot+4bb107dc49a70be0a67b@syzkaller.appspotmail.com
First crash: 1835d, last: 482d
Fix bisection the fix commit could be any of (bisect log):
  a74d0e937a3a Linux 4.14.126
  4139fb08c05f Linux 4.14.187
  
Similar bugs (1)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream general protection fault in __vb2_queue_free media C 38 2008d 2064d 11/27 fixed on 2019/01/11 01:22
Fix bisection attempts (4)
Created Duration User Patch Repo Result
2020/06/28 22:39 29m (3) bisect fix linux-4.14.y job log (2)
2020/04/12 22:57 23m bisect fix linux-4.14.y job log (0) log
2020/03/01 09:42 23m bisect fix linux-4.14.y job log (0) log
2020/01/04 23:12 23m bisect fix linux-4.14.y job log (0) log

Sample crash report:
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 0 PID: 7966 Comm: syz-executor263 Not tainted 4.14.306-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/16/2023
task: ffff888097b14200 task.stack: ffff8880937a0000
RIP: 0010:vb2_vmalloc_put_userptr+0x6a/0x210 drivers/media/v4l2-core/videobuf2-vmalloc.c:136
RSP: 0018:ffff8880937a7bb8 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 1ffffffff1040490
RDX: 0000000000000001 RSI: 0000000000000004 RDI: 0000000000000009
RBP: ffff8880b40f5500 R08: 0000000000000000 R09: 000000000004054c
R10: ffff888097b14ab0 R11: ffff888097b14200 R12: 0000000000000000
R13: ffff8880b40f5508 R14: ffffc90005bea000 R15: ffff8880b40f5500
FS:  000055555714e300(0000) GS:ffff8880ba400000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fecd9150038 CR3: 00000000a10b0000 CR4: 00000000003406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 __vb2_buf_userptr_put drivers/media/v4l2-core/videobuf2-core.c:256 [inline]
 __vb2_free_mem drivers/media/v4l2-core/videobuf2-core.c:413 [inline]
 __vb2_queue_free+0x394/0x7a0 drivers/media/v4l2-core/videobuf2-core.c:454
 vb2_core_queue_release+0x5b/0x70 drivers/media/v4l2-core/videobuf2-core.c:2054
 v4l2_m2m_ctx_release+0x26/0x30 drivers/media/v4l2-core/v4l2-mem2mem.c:702
 vim2m_release+0xd4/0x120 drivers/media/platform/vim2m.c:959
 v4l2_release+0xf4/0x190 drivers/media/v4l2-core/v4l2-dev.c:446
 __fput+0x25f/0x7a0 fs/file_table.c:210
 task_work_run+0x11f/0x190 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0xa44/0x2850 kernel/exit.c:915
 do_group_exit+0x100/0x2e0 kernel/exit.c:1037
 SYSC_exit_group kernel/exit.c:1048 [inline]
 SyS_exit_group+0x19/0x20 kernel/exit.c:1046
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x5e/0xd3
RIP: 0033:0x7fecd910bf19
RSP: 002b:00007ffda7759c58 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 00007fecd9180270 RCX: 00007fecd910bf19
RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000000000
R10: 0000000000000008 R11: 0000000000000246 R12: 00007fecd9180270
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
Code: 4c 89 ea 48 c1 ea 03 80 3c 02 00 0f 85 91 01 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 65 08 49 8d 7c 24 09 48 89 fa 48 c1 ea 03 <0f> b6 04 02 48 89 fa 83 e2 07 38 d0 7f 08 84 c0 0f 85 40 01 00 
RIP: vb2_vmalloc_put_userptr+0x6a/0x210 drivers/media/v4l2-core/videobuf2-vmalloc.c:136 RSP: ffff8880937a7bb8
---[ end trace 457c4f2b52e21c66 ]---
----------------
Code disassembly (best guess):
   0:	4c 89 ea             	mov    %r13,%rdx
   3:	48 c1 ea 03          	shr    $0x3,%rdx
   7:	80 3c 02 00          	cmpb   $0x0,(%rdx,%rax,1)
   b:	0f 85 91 01 00 00    	jne    0x1a2
  11:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  18:	fc ff df
  1b:	4c 8b 65 08          	mov    0x8(%rbp),%r12
  1f:	49 8d 7c 24 09       	lea    0x9(%r12),%rdi
  24:	48 89 fa             	mov    %rdi,%rdx
  27:	48 c1 ea 03          	shr    $0x3,%rdx
* 2b:	0f b6 04 02          	movzbl (%rdx,%rax,1),%eax <-- trapping instruction
  2f:	48 89 fa             	mov    %rdi,%rdx
  32:	83 e2 07             	and    $0x7,%edx
  35:	38 d0                	cmp    %dl,%al
  37:	7f 08                	jg     0x41
  39:	84 c0                	test   %al,%al
  3b:	0f                   	.byte 0xf
  3c:	85 40 01             	test   %eax,0x1(%rax)

Crashes (64):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2023/02/25 05:20 linux-4.14.y 1e61bd26fa2c ee50e71c .config console log report syz C [disk image] [vmlinux] [kernel image] ci2-linux-4-14 general protection fault in __vb2_queue_free
2022/08/08 11:34 linux-4.14.y b641242202ed 88e3a122 .config console log report syz C ci2-linux-4-14 general protection fault in __vb2_queue_free
2019/06/16 17:42 linux-4.14.y a74d0e937a3a 442206d7 .config console log report syz C ci2-linux-4-14
2023/02/28 19:16 linux-4.14.y 7878a41b6cc1 95aee97a .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-4-14 general protection fault in __vb2_queue_free
2023/02/25 05:09 linux-4.14.y 1e61bd26fa2c ee50e71c .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-4-14 general protection fault in __vb2_queue_free
2022/10/18 20:37 linux-4.14.y 9d5c0b3a8e1a b31320fc .config console log report info [disk image] [vmlinux] ci2-linux-4-14 general protection fault in __vb2_queue_free
2022/08/20 18:22 linux-4.14.y b641242202ed 26a13b38 .config console log report info ci2-linux-4-14 general protection fault in __vb2_queue_free
2022/08/08 11:21 linux-4.14.y b641242202ed 88e3a122 .config console log report info ci2-linux-4-14 general protection fault in __vb2_queue_free
2022/04/25 10:35 linux-4.14.y 15a1c6b6f516 131df97d .config console log report info ci2-linux-4-14 general protection fault in __vb2_queue_free
2022/03/26 18:53 linux-4.14.y 004bfaafc45c 89bc8608 .config console log report info ci2-linux-4-14 general protection fault in __vb2_queue_free
2022/03/21 18:32 linux-4.14.y eb045674aab3 e2d91b1d .config console log report info ci2-linux-4-14 general protection fault in __vb2_queue_free
2021/12/23 11:25 linux-4.14.y 8ee0807eedf3 6caa12e4 .config console log report info ci2-linux-4-14 general protection fault in __vb2_queue_free
2021/05/15 07:39 linux-4.14.y 7d7d1c0ab3eb 8bdd5343 .config console log report info ci2-linux-4-14 general protection fault in __vb2_queue_free
2021/04/26 14:22 linux-4.14.y cf256fbcbe34 e60b7df1 .config console log report info ci2-linux-4-14 general protection fault in __vb2_queue_free
2021/04/25 05:44 linux-4.14.y cf256fbcbe34 17f0b706 .config console log report info ci2-linux-4-14 general protection fault in __vb2_queue_free
2021/04/19 06:28 linux-4.14.y cf256fbcbe34 7e2b734b .config console log report info ci2-linux-4-14 general protection fault in __vb2_queue_free
2021/04/11 17:03 linux-4.14.y 958e517f4e16 6a81331a .config console log report info ci2-linux-4-14 general protection fault in __vb2_queue_free
2021/03/14 13:29 linux-4.14.y c7150cd2fa8c 4a003785 .config console log report info ci2-linux-4-14 general protection fault in __vb2_queue_free
2021/03/03 13:09 linux-4.14.y 3242aa3a635c e5b64d68 .config console log report info ci2-linux-4-14 general protection fault in __vb2_queue_free
2021/01/31 10:34 linux-4.14.y 2c8a3fceddf0 fc9fd31e .config console log report info ci2-linux-4-14 general protection fault in __vb2_queue_free
2021/01/18 20:41 linux-4.14.y 2762b48e9611 63631df1 .config console log report info ci2-linux-4-14 general protection fault in __vb2_queue_free
2021/01/15 02:53 linux-4.14.y f79dc86058bc 468dbb55 .config console log report info ci2-linux-4-14
2021/01/11 16:26 linux-4.14.y ec822b3e8bf4 2c1f2513 .config console log report info ci2-linux-4-14
2021/01/02 10:19 linux-4.14.y 1752938529c6 79264ae3 .config console log report info ci2-linux-4-14
2020/12/28 09:26 linux-4.14.y 3f2ecb86cb90 2242f77f .config console log report info ci2-linux-4-14
2020/12/21 01:10 linux-4.14.y 3f2ecb86cb90 04201c06 .config console log report info ci2-linux-4-14
2020/11/20 15:33 linux-4.14.y 8961076ed318 0767f13f .config console log report info ci2-linux-4-14
2020/11/14 00:54 linux-4.14.y 27ce4f2a6817 1bf9a662 .config console log report info ci2-linux-4-14
2020/09/10 06:20 linux-4.14.y 458a534cac0c ac7ca78e .config console log report ci2-linux-4-14
2020/05/29 22:00 linux-4.14.y 4f68020fef1c bed08304 .config console log report ci2-linux-4-14
2020/05/14 16:37 linux-4.14.y ab9dfda23248 2d572622 .config console log report ci2-linux-4-14
2020/04/25 02:11 linux-4.14.y 050272a0423e 03d97a1b .config console log report ci2-linux-4-14
2020/03/13 22:56 linux-4.14.y 12cd844a39ed 749688d2 .config console log report ci2-linux-4-14
2020/01/31 09:39 linux-4.14.y 9fa690a2a016 5ed23f9a .config console log report ci2-linux-4-14
2020/01/21 18:40 linux-4.14.y c1141b3aab36 8eda0b95 .config console log report ci2-linux-4-14
2020/01/18 04:52 linux-4.14.y c1141b3aab36 3de7aabb .config console log report ci2-linux-4-14
2020/01/15 14:20 linux-4.14.y c04fc6fa5c96 fa12bd3c .config console log report ci2-linux-4-14
2019/12/05 23:12 linux-4.14.y a844dc4c5442 9fd5a512 .config console log report ci2-linux-4-14
2019/12/03 23:32 linux-4.14.y fbc5fe7a54d0 0ecb9746 .config console log report ci2-linux-4-14
2019/11/14 11:03 linux-4.14.y 775d01b65b5d 048f2d49 .config console log report ci2-linux-4-14
2019/11/10 14:54 linux-4.14.y c9fda4f22428 dc438b91 .config console log report ci2-linux-4-14
2019/11/05 11:05 linux-4.14.y ddef1e8e3f6e 76630fc9 .config console log report ci2-linux-4-14
2019/10/28 02:49 linux-4.14.y b98aebd29824 25bb509e .config console log report ci2-linux-4-14
2019/10/21 11:59 linux-4.14.y b98aebd29824 8c88c9c1 .config console log report ci2-linux-4-14
2019/09/23 23:02 linux-4.14.y f6e27dbb1afa c68252d2 .config console log report ci2-linux-4-14
2019/09/23 02:03 linux-4.14.y f6e27dbb1afa d96e88f3 .config console log report ci2-linux-4-14
2019/08/27 11:55 linux-4.14.y b5260801526c d21c5d9d .config console log report ci2-linux-4-14
2019/08/25 21:01 linux-4.14.y b5260801526c d21c5d9d .config console log report ci2-linux-4-14
2019/08/25 03:47 linux-4.14.y 45f092f9e9cb d21c5d9d .config console log report ci2-linux-4-14
2019/08/21 18:55 linux-4.14.y 45f092f9e9cb 4ea67ff8 .config console log report ci2-linux-4-14
2019/08/18 20:50 linux-4.14.y 45f092f9e9cb 55bf8926 .config console log report ci2-linux-4-14
2019/08/15 14:44 linux-4.14.y 3ffe1e79c174 0d298d6b .config console log report ci2-linux-4-14
2019/08/14 16:38 linux-4.14.y 3ffe1e79c174 5576551b .config console log report ci2-linux-4-14
2019/08/11 17:42 linux-4.14.y 3ffe1e79c174 acb51638 .config console log report ci2-linux-4-14
2019/08/10 14:09 linux-4.14.y 3ffe1e79c174 acb51638 .config console log report ci2-linux-4-14
2019/08/04 07:58 linux-4.14.y 10d6aa565d05 6affd8e8 .config console log report ci2-linux-4-14
2019/08/03 14:06 linux-4.14.y 10d6aa565d05 6affd8e8 .config console log report ci2-linux-4-14
2019/08/03 14:01 linux-4.14.y 10d6aa565d05 6affd8e8 .config console log report ci2-linux-4-14
2019/08/02 12:32 linux-4.14.y 10d6aa565d05 835dffe7 .config console log report ci2-linux-4-14
2019/07/30 16:44 linux-4.14.y ff33472c282e f28bf2a5 .config console log report ci2-linux-4-14
2019/07/02 18:29 linux-4.14.y f4cc0ed9b2c7 5f175e9c .config console log report ci2-linux-4-14
2019/06/20 21:44 linux-4.14.y bb263a2a2d43 34bf9440 .config console log report ci2-linux-4-14
2019/06/20 14:39 linux-4.14.y bb263a2a2d43 34bf9440 .config console log report ci2-linux-4-14
2019/06/16 15:21 linux-4.14.y a74d0e937a3a 442206d7 .config console log report ci2-linux-4-14
* Struck through repros no longer work on HEAD.