syzbot


general protection fault in bdev_read_page

Status: auto-closed as invalid on 2022/02/15 00:11
Reported-by: syzbot+9654069a8ba5ad049783@syzkaller.appspotmail.com
First crash: 448d, last: 448d
similar bugs (3):
Kernel     | Title                                          | Repro | Cause bisect | Fix bisect   | Count | Last  | Reported | Patched | Status
android-54 | general protection fault in bdev_read_page     | C     |              |              | 14    | 429d  | 899d     | 0/2     | upstream: reported C repro on 2020/08/22 05:04
upstream   | general protection fault in bdev_read_page (2) | C     | error        | inconclusive | 16    | 493d  | 947d     | 0/24    | upstream: reported C repro on 2020/07/05 19:12
upstream   | general protection fault in bdev_read_page     |       |              |              | 2149  | 1989d | 1925d    | 0/24    | closed as invalid on 2017/10/31 12:51

Sample crash report:
general protection fault, probably for non-canonical address 0xdffffc0000000012: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000090-0x0000000000000097]
CPU: 0 PID: 26988 Comm: udevd Not tainted 5.10.77-syzkaller-01258-g76698ea35fd3 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:bdev_read_page+0x39/0x1e0 fs/block_dev.c:733
Code: ec 18 48 89 55 c0 48 89 75 c8 48 89 fb 49 be 00 00 00 00 00 fc ff df e8 75 11 ae ff 4c 8d a3 90 00 00 00 4d 89 e5 49 c1 ed 03 <43> 80 7c 35 00 00 74 08 4c 89 e7 e8 b7 e5 e7 ff 48 89 5d d0 4d 8b
RSP: 0018:ffffc90001277130 EFLAGS: 00010206
RAX: ffffffff81bee6eb RBX: 0000000000000000 RCX: ffff88810f7d8000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90001277170 R08: ffffffff81c01e6d R09: fffff940008afcc9
R10: fffff940008afcc9 R11: 0000000000000000 R12: 0000000000000090
R13: 0000000000000012 R14: dffffc0000000000 R15: ffffc900012773e0
FS:  00007f2d6cbfd840(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055667b932b48 CR3: 000000011abc2000 CR4: 00000000003526b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 do_mpage_readpage+0x143c/0x1bb0 fs/mpage.c:338
 mpage_readahead+0x2d7/0x5f0 fs/mpage.c:427
 blkdev_readahead+0x1c/0x20 fs/block_dev.c:651
 read_pages+0x160/0xaa0 mm/readahead.c:140
 page_cache_ra_unbounded+0x6c4/0x8a0 mm/readahead.c:248
 do_page_cache_ra mm/readahead.c:277 [inline]
 force_page_cache_ra+0x3e6/0x440 mm/readahead.c:308
 page_cache_sync_ra+0x23f/0x2a0 mm/readahead.c:582
 page_cache_sync_readahead include/linux/pagemap.h:837 [inline]
 generic_file_buffered_read+0x63f/0x2640 mm/filemap.c:2247
 generic_file_read_iter+0x113/0x6f0 mm/filemap.c:2565
 blkdev_read_iter+0x135/0x190 fs/block_dev.c:1954
 call_read_iter include/linux/fs.h:1941 [inline]
 new_sync_read fs/read_write.c:415 [inline]
 vfs_read+0x9d4/0xbe0 fs/read_write.c:496
 ksys_read+0x186/0x2b0 fs/read_write.c:634
 __do_sys_read fs/read_write.c:644 [inline]
 __se_sys_read fs/read_write.c:642 [inline]
 __x64_sys_read+0x7b/0x90 fs/read_write.c:642
 do_syscall_64+0x31/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7f2d6cd548fe
Code: c0 e9 e6 fe ff ff 50 48 8d 3d 0e c7 09 00 e8 c9 cf 01 00 66 0f 1f 84 00 00 00 00 00 64 8b 04 25 18 00 00 00 85 c0 75 14 0f 05 <48> 3d 00 f0 ff ff 77 5a c3 66 0f 1f 84 00 00 00 00 00 48 83 ec 28
RSP: 002b:00007fffcd5a0be8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f2d6cd548fe
RDX: 0000000000000400 RSI: 000055667b932738 RDI: 0000000000000009
RBP: 0000000000000400 R08: 000055667b932710 R09: 00007f2d6ce24a60
R10: 0000000000000008 R11: 0000000000000246 R12: 000055667b932710
R13: 000055667b932728 R14: 000055667b8ac5d0 R15: 000055667b8ac580
Modules linked in:
---[ end trace 1895950161826ea4 ]---
RIP: 0010:bdev_read_page+0x39/0x1e0 fs/block_dev.c:733
Code: ec 18 48 89 55 c0 48 89 75 c8 48 89 fb 49 be 00 00 00 00 00 fc ff df e8 75 11 ae ff 4c 8d a3 90 00 00 00 4d 89 e5 49 c1 ed 03 <43> 80 7c 35 00 00 74 08 4c 89 e7 e8 b7 e5 e7 ff 48 89 5d d0 4d 8b
RSP: 0018:ffffc90001277130 EFLAGS: 00010206
RAX: ffffffff81bee6eb RBX: 0000000000000000 RCX: ffff88810f7d8000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90001277170 R08: ffffffff81c01e6d R09: fffff940008afcc9
R10: fffff940008afcc9 R11: 0000000000000000 R12: 0000000000000090
R13: 0000000000000012 R14: dffffc0000000000 R15: ffffc900012773e0
FS:  00007f2d6cbfd840(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055667b932b48 CR3: 000000011abc2000 CR4: 00000000003526b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	ec                   	in     (%dx),%al
   1:	18 48 89             	sbb    %cl,-0x77(%rax)
   4:	55                   	push   %rbp
   5:	c0 48 89 75          	rorb   $0x75,-0x77(%rax)
   9:	c8 48 89 fb          	enterq $0x8948,$0xfb
   d:	49 be 00 00 00 00 00 	movabs $0xdffffc0000000000,%r14
  14:	fc ff df
  17:	e8 75 11 ae ff       	callq  0xffae1191
  1c:	4c 8d a3 90 00 00 00 	lea    0x90(%rbx),%r12
  23:	4d 89 e5             	mov    %r12,%r13
  26:	49 c1 ed 03          	shr    $0x3,%r13
* 2a:	43 80 7c 35 00 00    	cmpb   $0x0,0x0(%r13,%r14,1) <-- trapping instruction
  30:	74 08                	je     0x3a
  32:	4c 89 e7             	mov    %r12,%rdi
  35:	e8 b7 e5 e7 ff       	callq  0xffe7e5f1
  3a:	48 89 5d d0          	mov    %rbx,-0x30(%rbp)
  3e:	4d                   	rex.WRB
  3f:	8b                   	.byte 0x8b
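How to read the fault address in this report, as an added example that is not part of the syzbot output or of the kernel source. The trapping instruction `cmpb $0x0,0x0(%r13,%r14,1)` is the inline KASAN shadow check: %r14 holds the shadow offset 0xdffffc0000000000, %r12 = %rbx + 0x90 with %rbx = 0 is the pointer about to be dereferenced (a field at offset 0x90 of a NULL pointer; the report does not say which structure), and %r13 = 0x90 >> 3 = 0x12 is its shadow index. The shadow byte for such a low address is not mapped and the resulting address is non-canonical, so the CPU raises #GP on the shadow read itself, before the call at offset 0x35 could ever report a bad access. The program below inverts that mapping the way the kernel's kasan_non_canonical_hook() does when it prints the "KASAN: null-ptr-deref in range" line; the shadow offset, scale, PAGE_SIZE and TASK_SIZE values are assumed x86_64 defaults, and the register values are copied from the dump above.

```c
/*
 * Added example, not part of the syzbot report or the kernel source:
 * decode an x86_64 KASAN "general protection fault, probably for
 * non-canonical address" back to the pointer that was actually checked,
 * the way the kernel's kasan_non_canonical_hook() does before printing
 * "KASAN: null-ptr-deref in range [...]".
 *
 * Assumed x86_64 defaults (4-level paging, generic KASAN):
 *   CONFIG_KASAN_SHADOW_OFFSET = 0xdffffc0000000000 (the %r14 value above)
 *   shadow scale shift = 3, i.e. one shadow byte per 8-byte granule
 *   PAGE_SIZE = 4096, TASK_SIZE = 0x00007ffffffff000
 */
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KASAN_SHADOW_OFFSET      0xdffffc0000000000ULL
#define KASAN_SHADOW_SCALE_SHIFT 3
#define KASAN_GRANULE_SIZE       (1ULL << KASAN_SHADOW_SCALE_SHIFT)
#define PAGE_SIZE                4096ULL
#define TASK_SIZE                0x00007ffffffff000ULL
#define VA_BITS                  48

struct kasan_decoded {
    uint64_t orig_addr;    /* first byte of the 8-byte granule whose shadow was read */
    uint64_t range_end;    /* last byte of that granule */
    const char *bug_type;  /* classification the kernel prints */
};

/* Shadow byte address the compiler-inserted check computes for addr.
 * This is exactly "shr $0x3" followed by indexing off %r14 in the disassembly. */
uint64_t kasan_shadow_of(uint64_t addr)
{
    return (addr >> KASAN_SHADOW_SCALE_SHIFT) + KASAN_SHADOW_OFFSET;
}

/* A 48-bit VA is canonical only if bits 63..47 all equal bit 47. Anything
 * else makes the CPU raise #GP instead of #PF, which is why the report says
 * "general protection fault" and CR2 still holds an unrelated user address. */
bool is_non_canonical(uint64_t addr)
{
    uint64_t top = addr >> (VA_BITS - 1);                 /* bits 63..47 (17 bits) */
    uint64_t all_ones = (1ULL << (64 - VA_BITS + 1)) - 1;
    return top != 0 && top != all_ones;
}

/* Invert the shadow mapping. Returns false when fault_addr is below the
 * shadow offset, i.e. the #GP was not caused by a KASAN shadow access. */
bool kasan_decode(uint64_t fault_addr, struct kasan_decoded *out)
{
    if (fault_addr < KASAN_SHADOW_OFFSET)
        return false;
    memset(out, 0, sizeof(*out));
    out->orig_addr = (fault_addr - KASAN_SHADOW_OFFSET) << KASAN_SHADOW_SCALE_SHIFT;
    out->range_end = out->orig_addr + KASAN_GRANULE_SIZE - 1;
    if (out->orig_addr < PAGE_SIZE)
        out->bug_type = "null-ptr-deref";
    else if (out->orig_addr < TASK_SIZE)
        out->bug_type = "probably user-memory-access";
    else
        out->bug_type = "maybe wild-memory-access";
    return true;
}

int main(void)
{
    /* Register values copied from the dump above. */
    const uint64_t rbx = 0x0, disp = 0x90;                /* lea 0x90(%rbx),%r12 */
    const uint64_t fault = 0xdffffc0000000012ULL;         /* address in the #GP line */
    struct kasan_decoded d;

    uint64_t r12 = rbx + disp;                            /* pointer being dereferenced */
    printf("checked pointer 0x%" PRIx64 " -> shadow 0x%" PRIx64 " (non-canonical: %s)\n",
           r12, kasan_shadow_of(r12),
           is_non_canonical(kasan_shadow_of(r12)) ? "yes" : "no");

    if (kasan_decode(fault, &d))
        printf("KASAN: %s in range [0x%016" PRIx64 "-0x%016" PRIx64 "]\n",
               d.bug_type, d.orig_addr, d.range_end);
    return 0;
}
```

The range end is orig_addr + 7 because one shadow byte describes an 8-byte granule, which is why the report prints [0x90-0x97] rather than a single address. The same decode applies to any syzbot report whose #GP address begins with 0xdffffc00: subtract the shadow offset and shift left by 3 to recover the pointer the instrumented code was checking.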

Crashes (1):
Manager          | Time             | Kernel             | Commit       | Syzkaller | Config  | Log         | Report | Syz repro | C repro | VM info | Assets | Title
ci2-android-5-10 | 2021/11/17 00:07 | android12-5.10-lts | 76698ea35fd3 | cafff8b6  | .config | console log | report |           |         | info    |        | general protection fault in bdev_read_page
* Struck through repros no longer work on HEAD.