syzbot


BUG: unable to handle kernel paging request in ata_bmdma_qc_prep

Status: fixed on 2018/03/23 18:14
Reported-by: syzbot+1ff6f9fcc3c35f1c72a95e26528c8e7e3276e4da@syzkaller.appspotmail.com
Fix commit: 058f58e235cb libata: fix length validation of ATAPI-relayed SCSI commands
First crash: 2384d, last: 2332d
Discussions (8)
Title Replies (including bot) Last reply
[PATCH 3.16 000/410] 3.16.57-rc1 review 426 (426) 2018/11/12 17:42
[PATCH 3.2 000/153] 3.2.102-rc1 review 155 (155) 2018/05/30 22:14
[PATCH 3.18 00/93] 3.18.103-stable review 102 (102) 2018/04/09 08:13
[PATCH 4.4 00/43] 4.4.125-stable review 64 (64) 2018/03/30 23:56
[PATCH 4.15 000/105] 4.15.14-stable review 115 (115) 2018/03/29 00:42
[PATCH 4.9 00/67] 4.9.91-stable review 77 (77) 2018/03/28 19:24
[PATCH 4.14 000/101] 4.14.31-stable review 107 (107) 2018/03/28 18:41
[PATCH] libata: fix length validation of ATAPI-relayed SCSI commands 2 (2) 2018/02/12 17:20

Sample crash report:
IP: ata_bmdma_fill_sg drivers/ata/libata-sff.c:2650 [inline]
IP: ata_bmdma_qc_prep+0x30a/0x3d0 drivers/ata/libata-sff.c:2727
PGD 7fff6067 P4D 7fff6067 PUD 0 
Oops: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 2984 Comm: syzkaller781870 Not tainted 4.13.0-next-20170915+ #5
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
task: ffff88006afb03c0 task.stack: ffff88006caa0000
RIP: 0010:ata_bmdma_fill_sg drivers/ata/libata-sff.c:2650 [inline]
RIP: 0010:ata_bmdma_qc_prep+0x30a/0x3d0 drivers/ata/libata-sff.c:2727
RSP: 0018:ffff88006caa7040 EFLAGS: 00010807
RAX: dffffc0000000000 RBX: ffff88086b6d7ff8 RCX: ffff88003ae23340
RDX: 1ffff1010d6dafff RSI: 0000000000000001 RDI: ffff88086b6d7ffc
RBP: ffff88006caa70a0 R08: ffff88006b710234 R09: ffff88006b710238
R10: 0000000000000003 R11: ffffed000d6e2043 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: dffffc0000000000
FS:  0000000001071880(0000) GS:ffff88003ec00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffed010d6dafff CR3: 000000003d9a9000 CR4: 00000000000006f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 ata_qc_issue+0x625/0xea0 drivers/ata/libata-core.c:5410
 ata_scsi_translate+0x34a/0x5e0 drivers/ata/libata-scsi.c:2023
 __ata_scsi_queuecmd drivers/ata/libata-scsi.c:4325 [inline]
 ata_scsi_queuecmd+0x2ae/0x6b0 drivers/ata/libata-scsi.c:4374
 scsi_dispatch_cmd+0x432/0xb60 drivers/scsi/scsi_lib.c:1712
 scsi_request_fn+0xdf0/0x1e50 drivers/scsi/scsi_lib.c:1847
 __blk_run_queue_uncond block/blk-core.c:376 [inline]
 __blk_run_queue+0x1a6/0x370 block/blk-core.c:396
 blk_execute_rq_nowait+0x200/0x310 block/blk-exec.c:78
 sg_common_write.isra.17+0xbf8/0x1cb0 drivers/scsi/sg.c:806
 sg_write+0x7a6/0xca0 drivers/scsi/sg.c:677
 __vfs_write+0xef/0x970 fs/read_write.c:479
 vfs_write+0x18f/0x510 fs/read_write.c:543
 SYSC_write fs/read_write.c:588 [inline]
 SyS_write+0xef/0x220 fs/read_write.c:580
 entry_SYSCALL_64_fastpath+0x1f/0xbe
RIP: 0033:0x4391a9
RSP: 002b:00007ffdb9e3ae48 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004391a9
RDX: 00000000000000c7 RSI: 0000000020515000 RDI: 0000000000000003
RBP: 0000000000000082 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000000000fe R11: 0000000000000293 R12: 0000000000000000
R13: 0000000000401e00 R14: 0000000000401e90 R15: 0000000000000000
Code: 41 8d 5e ff e8 18 5c 07 fe 48 c1 e3 03 e8 0f 5c 07 fe 48 03 5d c8 48 b8 00 00 00 00 00 fc ff df 48 8d 7b 04 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 0c 
RIP: ata_bmdma_fill_sg drivers/ata/libata-sff.c:2650 [inline] RSP: ffff88006caa7040
RIP: ata_bmdma_qc_prep+0x30a/0x3d0 drivers/ata/libata-sff.c:2727 RSP: ffff88006caa7040
CR2: ffffed010d6dafff
---[ end trace f22b269ecd4dbac4 ]---

Crashes (13):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2017/09/17 04:28 linux-next 1f183459b514 da1873aa .config console log report syz C skylake-linux-next-kasan-qemu
2017/11/08 12:13 linux-next 5a3517e009e9 e0a2b195 .config console log report skylake-linux-next-kasan-qemu
2017/11/08 06:09 linux-next 5a3517e009e9 e0a2b195 .config console log report ci-upstream-next-kasan-gce
2017/11/06 14:19 linux-next 5a3517e009e9 e0a2b195 .config console log report ci-upstream-next-kasan-gce
2017/11/05 22:55 linux-next 5a3517e009e9 e0a2b195 .config console log report ci-upstream-next-kasan-gce
2017/11/04 21:14 linux-next 5a3517e009e9 e0a2b195 .config console log report ci-upstream-next-kasan-gce
2017/11/02 04:32 linux-next 36ef71cae353 e511d9f8 .config console log report ci-upstream-next-kasan-gce
2017/11/01 19:18 linux-next 36ef71cae353 e511d9f8 .config console log report ci-upstream-next-kasan-gce
2017/10/31 00:27 linux-next 36ef71cae353 e511d9f8 .config console log report ci-upstream-next-kasan-gce
2017/10/30 01:49 linux-next 36ef71cae353 e511d9f8 .config console log report ci-upstream-next-kasan-gce
2017/09/19 08:56 linux-next 840cc455c5f5 92f543f0 .config console log report ci-upstream-next-kasan-gce
2017/09/17 23:11 linux-next 1f183459b514 da1873aa .config console log report skylake-linux-next-kasan-qemu
2017/09/17 04:22 linux-next 1f183459b514 da1873aa .config console log report skylake-linux-next-kasan-qemu
* Struck through repros no longer work on HEAD.