general protection fault in syscall_return

general protection fault in syscall_return_slowpath
Status: fixed on 2020/09/16 22:51
Reported-by: syzbot+cd66e43794b178bb5cd6@syzkaller.appspotmail.com
Fix commit: 033724d6 fbdev: Detect integer underflow at "struct fbcon_ops"->clear_margins.
First crash: 326d, last: 235d

Cause bisection: the issue happens on the oldest tested release (bisect log)
Crash: WARNING in sysfs_warn_dup (log)
Repro: syz .config

Fix bisection: fixed by (bisect log) :
commit 033724d6864245a11f8e04c066002e6ad22b3fd0
Author: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Date: Wed Jul 15 01:51:02 2020 +0000

fbdev: Detect integer underflow at "struct fbcon_ops"->clear_margins.

duplicates (22):
Title	Repro	Cause bisect	Fix bisect	Count	Last	Reported	Patched	Status
KASAN: null-ptr-deref Read in uncore_pmu_event_add	C	done		1	268d	264d	0/17	closed as dup on 2020/08/16 03:50
BUG: unable to handle kernel paging request in do_syscall_64				1	249d	245d	0/17	closed as dup on 2020/08/15 13:35
BUG: stack guard page was hit in __bad_area_nosemaphore				3	181d	197d	0/17	closed as dup on 2020/08/16 13:35
general protection fault in do_syscall_64	C	done	error	4	271d	301d	0/17	closed as dup on 2020/08/15 11:55
BUG: unable to handle kernel paging request in x86_pmu_event_init	C	done		1	184d	180d	0/17	closed as dup on 2020/08/16 01:19
BUG: unable to handle kernel NULL pointer dereference in do_syscall_32_irqs_on	syz	done		3	180d	182d	0/17	closed as dup on 2020/08/15 13:55
general protection fault in __switch_to_asm	C	inconclusive	done	158	126d	228d	0/17	closed as dup on 2020/10/20 07:02
BUG: stack guard page was hit in mark_held_locks				1	199d	199d	0/17	closed as dup on 2020/08/16 13:35
KASAN: null-ptr-deref Read in kvm_arch_check_processor_compat	syz	done		1	219d	215d	0/17	closed as dup on 2020/06/30 06:11
KASAN: null-ptr-deref Read in kvm_vfio_set_attr	syz	done		1	307d	303d	0/17	closed as dup on 2020/08/16 03:56
BUG: unable to handle kernel NULL pointer dereference in do_syscall_64 (2)	C	done		9	219d	324d	0/17	closed as dup on 2020/08/15 13:48
BUG: unable to handle kernel paging request in syscall_return_slowpath	C	done		2	182d	265d	0/17	closed as dup on 2020/08/15 13:44
BUG: unable to handle kernel NULL pointer dereference in __syscall_return_slowpath	C			55	181d	208d	0/17	closed as dup on 2020/06/29 16:42
BUG: unable to handle kernel NULL pointer dereference in syscall_trace_enter				1	201d	197d	0/17	closed as dup on 2020/08/15 13:51
KASAN: out-of-bounds Write in nested_sync_vmcs12_to_shadow	syz	done	error	1	282d	278d	0/17	closed as dup on 2020/08/16 03:59
general protection fault in pvclock_gtod_notify	C			69	130d	211d	0/17	closed as dup on 2020/06/30 06:12
BUG: unable to handle kernel paging request in __syscall_return_slowpath	syz	done		1	181d	177d	0/17	closed as dup on 2020/08/15 13:40
KASAN: out-of-bounds Read in kvm_arch_hardware_setup	C			1	214d	210d	0/17	closed as dup on 2020/06/30 06:12
BUG: sleeping function called from invalid context in do_page_fault	C	done	error	7	258d	325d	0/17	closed as dup on 2020/08/16 04:02
KASAN: user-memory-access Read in kvmclock_cpufreq_notifier	C	done	error	1	288d	314d	0/17	closed as dup on 2020/08/16 04:05
BUG: stack guard page was hit in fixup_exception				1	197d	197d	0/17	closed as dup on 2020/08/16 13:34
BUG: sleeping function called from invalid context in do_user_addr_fault	syz	inconclusive	done	10	137d	217d	0/17	closed as dup on 2020/09/02 22:06

Patch testing requests:
Created	Duration	User	Patch	Repo	Result
2020/07/10 07:27	14m	dvyukov@google.com	patch	https://kernel.googlesource.com/pub/scm/linux/kernel/git/torvalds/linux.git 63623fd44972d1ed2bfb6e0fb631dfcf547fd1e7	report log
2020/07/04 06:40	0m	dvyukov@google.com	patch	https://kernel.googlesource.com/pub/scm/linux/kernel/git/torvalds/linux.git 63623fd44972d1ed2bfb6e0fb631dfcf547fd1e7	error
2020/07/03 11:23	0m	jannh@google.com	patch	https://kernel.googlesource.com/pub/scm/linux/kernel/git/torvalds/linux.git 63623fd44972d1ed2bfb6e0fb631dfcf547fd1e7	error
2020/03/08 18:35	3m	jannh@google.com	patch	https://kernel.googlesource.com/pub/scm/linux/kernel/git/torvalds/linux.git 63623fd44972d1ed2bfb6e0fb631dfcf547fd1e7	error
2020/03/08 17:21	3m	jannh@google.com	patch	https://kernel.googlesource.com/pub/scm/linux/kernel/git/torvalds/linux.git 63623fd44972d1ed2bfb6e0fb631dfcf547fd1e7	error

Sample crash report:

general protection fault, probably for non-canonical address 0x1ffffffff1255a6b: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 8742 Comm: syz-executor.2 Not tainted 5.6.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:arch_local_irq_disable arch/x86/include/asm/paravirt.h:757 [inline]
RIP: 0010:syscall_return_slowpath+0xeb/0x4a0 arch/x86/entry/common.c:277
Code: 00 10 0f 85 de 00 00 00 e8 b2 a3 76 00 48 c7 c0 58 d3 2a 89 48 c1 e8 03 80 3c 18 00 74 0c 48 c7 c7 58 d3 2a 89 e8 05 00 00 00 <00> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
RSP: 0018:ffffc900020a7ed0 EFLAGS: 00010246
RAX: 1ffffffff1255a6b RBX: dffffc0000000000 RCX: ffff88808c512380
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc900020a7f10 R08: ffffffff810075bb R09: fffffbfff14d9182
R10: fffffbfff14d9182 R11: 0000000000000000 R12: 1ffff110118a2470
R13: 0000000000004000 R14: ffff88808c512380 R15: ffff88808c512380
FS:  000000000154f940(0000) GS:ffff8880aea00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000076c000 CR3: 00000000a6b05000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 do_syscall_64+0x11f/0x1c0 arch/x86/entry/common.c:304
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 8fecc067 P4D 8fecc067 PUD 97953067 PMD 0 
Oops: 0002 [#2] PREEMPT SMP KASAN
CPU: 0 PID: 8742 Comm: syz-executor.2 Not tainted 5.6.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:in_gate_area_no_mm+0x0/0x60 arch/x86/entry/vsyscall/vsyscall_64.c:343
Code: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 <00> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
RSP: 0018:ffffc900020a7598 EFLAGS: 00010003
RAX: 0000000000000000 RBX: ffffffff81000000 RCX: ffff88808c512380
RDX: ffff88808c512380 RSI: ffffffff8b026000 RDI: 000000000045a920
RBP: ffffc900020a75e8 R08: ffffffff816dd391 R09: ffffffff88150d5e
R10: ffff88808c512380 R11: 0000000000000002 R12: ffffffff8b026000
R13: 000000000045a920 R14: ffffc900020a7610 R15: ffffc900020a7608
FS:  000000000154f940(0000) GS:ffff8880aea00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 00000000a6b05000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 __sprint_symbol+0x4c/0x1b0 kernel/kallsyms.c:365
 sprint_symbol+0x24/0x30 kernel/kallsyms.c:396
 symbol_string+0xb3/0x210 lib/vsprintf.c:961
 pointer+0x388/0x7c0 lib/vsprintf.c:2188
 vsnprintf+0xd4c/0x1bc0 lib/vsprintf.c:2578
 vscnprintf+0x2d/0x80 lib/vsprintf.c:2677
 vprintk_store+0x4b/0x6a0 kernel/printk/printk.c:1917
 vprintk_emit+0x12a/0x3a0 kernel/printk/printk.c:1978
 vprintk_default+0x28/0x30 kernel/printk/printk.c:2023
 vprintk_func+0x158/0x170 kernel/printk/printk_safe.c:386
 printk+0x62/0x8d kernel/printk/printk.c:2056
 show_ip arch/x86/kernel/dumpstack.c:124 [inline]
 show_iret_regs+0x40/0x100 arch/x86/kernel/dumpstack.c:131
 __show_regs+0x26/0x760 arch/x86/kernel/process_64.c:74
 show_regs_if_on_stack arch/x86/kernel/dumpstack.c:149 [inline]
 show_trace_log_lvl+0x2e0/0x3e0 arch/x86/kernel/dumpstack.c:274
 show_regs arch/x86/kernel/dumpstack.c:447 [inline]
 __die_body+0x5f/0xa0 arch/x86/kernel/dumpstack.c:392
 die_addr+0xa9/0xe0 arch/x86/kernel/dumpstack.c:432
 do_general_protection+0x325/0x570 arch/x86/kernel/traps.c:564
 general_protection+0x2d/0x40 arch/x86/entry/entry_64.S:1202
RIP: 0010:arch_local_irq_disable arch/x86/include/asm/paravirt.h:757 [inline]
RIP: 0010:syscall_return_slowpath+0xeb/0x4a0 arch/x86/entry/common.c:277
Code: 00 10 0f 85 de 00 00 00 e8 b2 a3 76 00 48 c7 c0 58 d3 2a 89 48 c1 e8 03 80 3c 18 00 74 0c 48 c7 c7 58 d3 2a 89 e8 05 00 00 00 <00> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
RSP: 0018:ffffc900020a7ed0 EFLAGS: 00010246
RAX: 1ffffffff1255a6b RBX: dffffc0000000000 RCX: ffff88808c512380
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc900020a7f10 R08: ffffffff810075bb R09: fffffbfff14d9182
R10: fffffbfff14d9182 R11: 0000000000000000 R12: 1ffff110118a2470
R13: 0000000000004000 R14: ffff88808c512380 R15: ffff88808c512380
 do_syscall_64+0x11f/0x1c0 arch/x86/entry/common.c:304
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 8fecc067 P4D 8fecc067 PUD 97953067 PMD 0 
Oops: 0002 [#3] PREEMPT SMP KASAN
CPU: 0 PID: 8742 Comm: syz-executor.2 Not tainted 5.6.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:in_gate_area_no_mm+0x0/0x60 arch/x86/entry/vsyscall/vsyscall_64.c:343
Code: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 <00> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
RSP: 0018:ffffc900020a6bf8 EFLAGS: 00010003
RAX: 0000000000000000 RBX: ffffffff81000000 RCX: ffff88808c512380
RDX: ffff88808c512380 RSI: ffffffff8b026000 RDI: 000000000045a920
RBP: ffffc900020a6c48 R08: ffffffff816dd391 R09: ffffffff88150d5e
R10: ffff88808c512380 R11: 0000000000000002 R12: ffffffff8b026000
R13: 000000000045a920 R14: ffffc900020a6c70 R15: ffffc900020a6c68
FS:  000000000154f940(0000) GS:ffff8880aea00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 00000000a6b05000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 __sprint_symbol+0x4c/0x1b0 kernel/kallsyms.c:365
 sprint_symbol+0x24/0x30 kernel/kallsyms.c:396
 symbol_string+0xb3/0x210 lib/vsprintf.c:961
 pointer+0x388/0x7c0 lib/vsprintf.c:2188
 vsnprintf+0xd4c/0x1bc0 lib/vsprintf.c:2578
 vscnprintf+0x2d/0x80 lib/vsprintf.c:2677
 printk_safe_log_store+0xda/0x1c0 kernel/printk/printk_safe.c:93
 vprintk_func+0x146/0x170 kernel/printk/printk_safe.c:292
 printk+0x62/0x8d kernel/printk/printk.c:2056
 show_ip arch/x86/kernel/dumpstack.c:124 [inline]
 show_iret_regs+0x40/0x100 arch/x86/kernel/dumpstack.c:131
 __show_regs+0x26/0x760 arch/x86/kernel/process_64.c:74
 show_regs_if_on_stack arch/x86/kernel/dumpstack.c:149 [inline]
 show_trace_log_lvl+0x2e0/0x3e0 arch/x86/kernel/dumpstack.c:274
 show_regs arch/x86/kernel/dumpstack.c:447 [inline]
 __die_body+0x5f/0xa0 arch/x86/kernel/dumpstack.c:392
 __die+0x80/0x90 arch/x86/kernel/dumpstack.c:406
 no_context+0xaee/0xd60 arch/x86/mm/fault.c:821
 __bad_area_nosemaphore+0x108/0x470 arch/x86/mm/fault.c:913
 bad_area_nosemaphore+0x2d/0x40 arch/x86/mm/fault.c:920
 do_user_addr_fault+0x7e1/0xaf0 arch/x86/mm/fault.c:1327
 do_page_fault+0x13b/0x250 arch/x86/mm/fault.c:1517
 page_fault+0x39/0x40 arch/x86/entry/entry_64.S:1203
RIP: 0010:in_gate_area_no_mm+0x0/0x60 arch/x86/entry/vsyscall/vsyscall_64.c:343
Code: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 <00> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
RSP: 0018:ffffc900020a7598 EFLAGS: 00010003
RAX: 0000000000000000 RBX: ffffffff81000000 RCX: ffff88808c512380
RDX: ffff88808c512380 RSI: ffffffff8b026000 RDI: 000000000045a920
RBP: ffffc900020a75e8 R08: ffffffff816dd391 R09: ffffffff88150d5e
R10: ffff88808c512380 R11: 0000000000000002 R12: ffffffff8b026000
R13: 000000000045a920 R14: ffffc900020a7610 R15: ffffc900020a7608
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 8fecc067 P4D 8fecc067 PUD 97953067 PMD 0 
Oops: 0002 [#4] PREEMPT SMP KASAN
CPU: 0 PID: 8742 Comm: syz-executor.2 Not tainted 5.6.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:in_gate_area_no_mm+0x0/0x60 arch/x86/entry/vsyscall/vsyscall_64.c:343
Code: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 <00> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
RSP: 0018:ffffc900020a6338 EFLAGS: 00010087
RAX: 0000000000000000 RBX: ffffffff81000000 RCX: ffff88808c512380
RDX: ffff88808c512380 RSI: ffffffff8b026000 RDI: ffffffff80ffffff
RBP: ffffc900020a6388 R08: ffffffff816dd391 R09: ffffffff88150d5e
R10: ffff88808c512380 R11: 0000000000000002 R12: ffffffff8b026000
R13: ffffffff80ffffff R14: ffffc900020a63b0 R15: ffffc900020a63a8
FS:  000000000154f940(0000) GS:ffff8880aea00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 00000000a6b05000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 8fecc067 P4D 8fecc067 PUD 97953067 PMD 0 
Oops: 0002 [#5] PREEMPT SMP KASAN
CPU: 0 PID: 8742 Comm: syz-executor.2 Not tainted 5.6.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:in_gate_area_no_mm+0x0/0x60 arch/x86/entry/vsyscall/vsyscall_64.c:343
Code: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 <00> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
RSP: 0018:ffffc900020a5a78 EFLAGS: 00010087
RAX: 0000000000000000 RBX: ffffffff81000000 RCX: ffff88808c512380
RDX: ffff88808c512380 RSI: ffffffff8b026000 RDI: ffffffff80ffffff
RBP: ffffc900020a5ac8 R08: ffffffff816dd391 R09: ff
Lost 226 message(s)!

Crashes (1):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	VM info	Maintainers
ci-upstream-kasan-gce-smack-root	2020/03/04 07:43	upstream	63623fd4	c88c7b75	.config	log	report	syz			bp@alien8.de, hpa@zytor.com, linux-kernel@vger.kernel.org, luto@kernel.org, mingo@redhat.com, tglx@linutronix.de, x86@kernel.org