syzbot


general protection fault in security_inode_getattr

Status: upstream: reported C repro on 2020/09/08 02:23
Reported-by: syzbot+80af3add22f1afdb306b@syzkaller.appspotmail.com
First crash: 1319d, last: 9d05h
Similar bugs (7)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-6-1 general protection fault in security_inode_getattr C 2 9d11h 23d 0/2 upstream: reported C repro on 2024/03/26 18:25
upstream general protection fault in security_inode_getattr overlayfs C done inconclusive 55 341d 1359d 0/26 auto-obsoleted due to no activity on 2023/08/23 09:02
linux-5.15 general protection fault in security_inode_getattr 1 153d 153d 0/3 auto-obsoleted due to no activity on 2024/02/25 11:36
android-5-15 general protection fault in security_inode_getattr C 1 22d 22d 0/2 upstream: reported C repro on 2024/03/27 12:21
linux-5.15 general protection fault in security_inode_getattr (2) 2 24d 31d 0/3 upstream: reported on 2024/03/18 14:23
linux-4.19 general protection fault in security_inode_getattr C error 29 560d 1341d 0/1 upstream: reported C repro on 2020/08/16 14:26
android-5-10 general protection fault in security_inode_getattr C 5 6d22h 23d 0/2 upstream: reported C repro on 2024/03/26 17:56
Last patch testing requests (8)
Created Duration User Patch Repo Result
2024/04/10 01:32 22m retest repro android12-5.4 report log
2024/04/10 01:32 1h42m retest repro android12-5.4 report log
2024/01/20 16:05 6m retest repro android12-5.4 report log
2023/11/11 15:38 7m retest repro android12-5.4 report log
2023/09/02 15:15 17m retest repro android12-5.4 report log
2023/06/24 14:05 8m retest repro android12-5.4 report log
2023/04/15 10:40 10m retest repro android12-5.4 report log
2022/08/29 01:27 0m retest repro https://android.googlesource.com/kernel/common android-5.4 error OK

Sample crash report:
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 357 Comm: syz-executor989 Not tainted 5.4.265-syzkaller-00009-g43a5ead9254d #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024
RIP: 0010:d_backing_inode include/linux/dcache.h:552 [inline]
RIP: 0010:security_inode_getattr+0x42/0x120 security/security.c:1241
Code: 5c ff 49 8d 5f 08 48 89 d8 48 c1 e8 03 42 80 3c 20 00 74 08 48 89 df e8 cc fd 8b ff 48 8b 2b 48 83 c5 30 48 89 e8 48 c1 e8 03 <42> 80 3c 20 00 74 08 48 89 ef e8 af fd 8b ff 48 8b 6d 00 48 83 c5
RSP: 0018:ffff8881db8cef58 EFLAGS: 00010206
RAX: 0000000000000006 RBX: ffff8881db8cf3f8 RCX: ffff8881dc1a8fc0
RDX: 0000000000000000 RSI: ffff8881db8cf400 RDI: ffff8881db8cf3f0
RBP: 0000000000000030 R08: dffffc0000000000 R09: ffff8881db8cf3f0
R10: 0000000000000000 R11: dffffc0000000001 R12: dffffc0000000000
R13: ffff8881db8cf3f0 R14: 0000000000000000 R15: ffff8881db8cf3f0
FS:  00005555570e1480(0000) GS:ffff8881f6e00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000040 CR3: 00000001dc36a000 CR4: 00000000003406b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 vfs_getattr+0x27/0x700 fs/stat.c:115
 ovl_copy_up_one fs/overlayfs/copy_up.c:804 [inline]
 ovl_copy_up_flags+0x5b2/0x29f0 fs/overlayfs/copy_up.c:886
 ovl_maybe_copy_up+0x14e/0x180 fs/overlayfs/copy_up.c:918
 ovl_open+0xa3/0x320 fs/overlayfs/file.c:128
 do_dentry_open+0x964/0x1130 fs/open.c:796
 vfs_open fs/open.c:910 [inline]
 dentry_open+0xb1/0xf0 fs/open.c:926
 file_open+0x2ab/0x620 fs/incfs/vfs.c:1449
 do_dentry_open+0x964/0x1130 fs/open.c:796
 do_last fs/namei.c:3515 [inline]
 path_openat+0x2992/0x3480 fs/namei.c:3634
 do_filp_open+0x20b/0x450 fs/namei.c:3664
 do_sys_open+0x39c/0x810 fs/open.c:1113
 do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1
Modules linked in:
---[ end trace 6d8a3904c6a322b6 ]---
RIP: 0010:d_backing_inode include/linux/dcache.h:552 [inline]
RIP: 0010:security_inode_getattr+0x42/0x120 security/security.c:1241
Code: 5c ff 49 8d 5f 08 48 89 d8 48 c1 e8 03 42 80 3c 20 00 74 08 48 89 df e8 cc fd 8b ff 48 8b 2b 48 83 c5 30 48 89 e8 48 c1 e8 03 <42> 80 3c 20 00 74 08 48 89 ef e8 af fd 8b ff 48 8b 6d 00 48 83 c5
RSP: 0018:ffff8881db8cef58 EFLAGS: 00010206
RAX: 0000000000000006 RBX: ffff8881db8cf3f8 RCX: ffff8881dc1a8fc0
RDX: 0000000000000000 RSI: ffff8881db8cf400 RDI: ffff8881db8cf3f0
RBP: 0000000000000030 R08: dffffc0000000000 R09: ffff8881db8cf3f0
R10: 0000000000000000 R11: dffffc0000000001 R12: dffffc0000000000
R13: ffff8881db8cf3f0 R14: 0000000000000000 R15: ffff8881db8cf3f0
FS:  00005555570e1480(0000) GS:ffff8881f6e00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000040 CR3: 00000001dc36a000 CR4: 00000000003406b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	5c                   	pop    %rsp
   1:	ff 49 8d             	decl   -0x73(%rcx)
   4:	5f                   	pop    %rdi
   5:	08 48 89             	or     %cl,-0x77(%rax)
   8:	d8 48 c1             	fmuls  -0x3f(%rax)
   b:	e8 03 42 80 3c       	call   0x3c804213
  10:	20 00                	and    %al,(%rax)
  12:	74 08                	je     0x1c
  14:	48 89 df             	mov    %rbx,%rdi
  17:	e8 cc fd 8b ff       	call   0xff8bfde8
  1c:	48 8b 2b             	mov    (%rbx),%rbp
  1f:	48 83 c5 30          	add    $0x30,%rbp
  23:	48 89 e8             	mov    %rbp,%rax
  26:	48 c1 e8 03          	shr    $0x3,%rax
* 2a:	42 80 3c 20 00       	cmpb   $0x0,(%rax,%r12,1) <-- trapping instruction
  2f:	74 08                	je     0x39
  31:	48 89 ef             	mov    %rbp,%rdi
  34:	e8 af fd 8b ff       	call   0xff8bfde8
  39:	48 8b 6d 00          	mov    0x0(%rbp),%rbp
  3d:	48                   	rex.W
  3e:	83                   	.byte 0x83
  3f:	c5                   	.byte 0xc5

Crashes (3):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2024/03/26 21:53 android12-5.4 43a5ead9254d 454571b6 .config strace log report syz C [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan general protection fault in security_inode_getattr
2020/09/08 02:40 https://android.googlesource.com/kernel/common android-5.4 c99fd3bf1076 abf9ba4f .config console log report syz ci2-android-5-4-kasan
2020/09/08 02:22 https://android.googlesource.com/kernel/common android-5.4 c99fd3bf1076 abf9ba4f .config console log report ci2-android-5-4-kasan
* Struck through repros no longer work on HEAD.