general protection fault in syscall_return

general protection fault in syscall_return_slowpath
Status: upstream: reported syz repro on 2020/03/08 07:45
Reported-by: syzbot+cd66e43794b178bb5cd6@syzkaller.appspotmail.com
First crash: 87d, last: 27d

Cause bisection: the bug happens on the oldest tested release
Crash: WARNING in sysfs_warn_dup (log)
Repro: syz .config

Patch testing requests:
Created	Duration	User	Patch	Repo	Result
2020/03/08 18:35	3m	jannh@google.com	patch	https://kernel.googlesource.com/pub/scm/linux/kernel/git/torvalds/linux.git 63623fd44972d1ed2bfb6e0fb631dfcf547fd1e7	error
2020/03/08 17:21	3m	jannh@google.com	patch	https://kernel.googlesource.com/pub/scm/linux/kernel/git/torvalds/linux.git 63623fd44972d1ed2bfb6e0fb631dfcf547fd1e7	error

Sample crash report:

general protection fault, probably for non-canonical address 0x1ffffffff1255a6b: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 8742 Comm: syz-executor.2 Not tainted 5.6.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:arch_local_irq_disable arch/x86/include/asm/paravirt.h:757 [inline]
RIP: 0010:syscall_return_slowpath+0xeb/0x4a0 arch/x86/entry/common.c:277
Code: 00 10 0f 85 de 00 00 00 e8 b2 a3 76 00 48 c7 c0 58 d3 2a 89 48 c1 e8 03 80 3c 18 00 74 0c 48 c7 c7 58 d3 2a 89 e8 05 00 00 00 <00> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
RSP: 0018:ffffc900020a7ed0 EFLAGS: 00010246
RAX: 1ffffffff1255a6b RBX: dffffc0000000000 RCX: ffff88808c512380
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc900020a7f10 R08: ffffffff810075bb R09: fffffbfff14d9182
R10: fffffbfff14d9182 R11: 0000000000000000 R12: 1ffff110118a2470
R13: 0000000000004000 R14: ffff88808c512380 R15: ffff88808c512380
FS:  000000000154f940(0000) GS:ffff8880aea00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000076c000 CR3: 00000000a6b05000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 do_syscall_64+0x11f/0x1c0 arch/x86/entry/common.c:304
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 8fecc067 P4D 8fecc067 PUD 97953067 PMD 0 
Oops: 0002 [#2] PREEMPT SMP KASAN
CPU: 0 PID: 8742 Comm: syz-executor.2 Not tainted 5.6.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:in_gate_area_no_mm+0x0/0x60 arch/x86/entry/vsyscall/vsyscall_64.c:343
Code: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 <00> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
RSP: 0018:ffffc900020a7598 EFLAGS: 00010003
RAX: 0000000000000000 RBX: ffffffff81000000 RCX: ffff88808c512380
RDX: ffff88808c512380 RSI: ffffffff8b026000 RDI: 000000000045a920
RBP: ffffc900020a75e8 R08: ffffffff816dd391 R09: ffffffff88150d5e
R10: ffff88808c512380 R11: 0000000000000002 R12: ffffffff8b026000
R13: 000000000045a920 R14: ffffc900020a7610 R15: ffffc900020a7608
FS:  000000000154f940(0000) GS:ffff8880aea00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 00000000a6b05000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 __sprint_symbol+0x4c/0x1b0 kernel/kallsyms.c:365
 sprint_symbol+0x24/0x30 kernel/kallsyms.c:396
 symbol_string+0xb3/0x210 lib/vsprintf.c:961
 pointer+0x388/0x7c0 lib/vsprintf.c:2188
 vsnprintf+0xd4c/0x1bc0 lib/vsprintf.c:2578
 vscnprintf+0x2d/0x80 lib/vsprintf.c:2677
 vprintk_store+0x4b/0x6a0 kernel/printk/printk.c:1917
 vprintk_emit+0x12a/0x3a0 kernel/printk/printk.c:1978
 vprintk_default+0x28/0x30 kernel/printk/printk.c:2023
 vprintk_func+0x158/0x170 kernel/printk/printk_safe.c:386
 printk+0x62/0x8d kernel/printk/printk.c:2056
 show_ip arch/x86/kernel/dumpstack.c:124 [inline]
 show_iret_regs+0x40/0x100 arch/x86/kernel/dumpstack.c:131
 __show_regs+0x26/0x760 arch/x86/kernel/process_64.c:74
 show_regs_if_on_stack arch/x86/kernel/dumpstack.c:149 [inline]
 show_trace_log_lvl+0x2e0/0x3e0 arch/x86/kernel/dumpstack.c:274
 show_regs arch/x86/kernel/dumpstack.c:447 [inline]
 __die_body+0x5f/0xa0 arch/x86/kernel/dumpstack.c:392
 die_addr+0xa9/0xe0 arch/x86/kernel/dumpstack.c:432
 do_general_protection+0x325/0x570 arch/x86/kernel/traps.c:564
 general_protection+0x2d/0x40 arch/x86/entry/entry_64.S:1202
RIP: 0010:arch_local_irq_disable arch/x86/include/asm/paravirt.h:757 [inline]
RIP: 0010:syscall_return_slowpath+0xeb/0x4a0 arch/x86/entry/common.c:277
Code: 00 10 0f 85 de 00 00 00 e8 b2 a3 76 00 48 c7 c0 58 d3 2a 89 48 c1 e8 03 80 3c 18 00 74 0c 48 c7 c7 58 d3 2a 89 e8 05 00 00 00 <00> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
RSP: 0018:ffffc900020a7ed0 EFLAGS: 00010246
RAX: 1ffffffff1255a6b RBX: dffffc0000000000 RCX: ffff88808c512380
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc900020a7f10 R08: ffffffff810075bb R09: fffffbfff14d9182
R10: fffffbfff14d9182 R11: 0000000000000000 R12: 1ffff110118a2470
R13: 0000000000004000 R14: ffff88808c512380 R15: ffff88808c512380
 do_syscall_64+0x11f/0x1c0 arch/x86/entry/common.c:304
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 8fecc067 P4D 8fecc067 PUD 97953067 PMD 0 
Oops: 0002 [#3] PREEMPT SMP KASAN
CPU: 0 PID: 8742 Comm: syz-executor.2 Not tainted 5.6.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:in_gate_area_no_mm+0x0/0x60 arch/x86/entry/vsyscall/vsyscall_64.c:343
Code: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 <00> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
RSP: 0018:ffffc900020a6bf8 EFLAGS: 00010003
RAX: 0000000000000000 RBX: ffffffff81000000 RCX: ffff88808c512380
RDX: ffff88808c512380 RSI: ffffffff8b026000 RDI: 000000000045a920
RBP: ffffc900020a6c48 R08: ffffffff816dd391 R09: ffffffff88150d5e
R10: ffff88808c512380 R11: 0000000000000002 R12: ffffffff8b026000
R13: 000000000045a920 R14: ffffc900020a6c70 R15: ffffc900020a6c68
FS:  000000000154f940(0000) GS:ffff8880aea00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 00000000a6b05000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 __sprint_symbol+0x4c/0x1b0 kernel/kallsyms.c:365
 sprint_symbol+0x24/0x30 kernel/kallsyms.c:396
 symbol_string+0xb3/0x210 lib/vsprintf.c:961
 pointer+0x388/0x7c0 lib/vsprintf.c:2188
 vsnprintf+0xd4c/0x1bc0 lib/vsprintf.c:2578
 vscnprintf+0x2d/0x80 lib/vsprintf.c:2677
 printk_safe_log_store+0xda/0x1c0 kernel/printk/printk_safe.c:93
 vprintk_func+0x146/0x170 kernel/printk/printk_safe.c:292
 printk+0x62/0x8d kernel/printk/printk.c:2056
 show_ip arch/x86/kernel/dumpstack.c:124 [inline]
 show_iret_regs+0x40/0x100 arch/x86/kernel/dumpstack.c:131
 __show_regs+0x26/0x760 arch/x86/kernel/process_64.c:74
 show_regs_if_on_stack arch/x86/kernel/dumpstack.c:149 [inline]
 show_trace_log_lvl+0x2e0/0x3e0 arch/x86/kernel/dumpstack.c:274
 show_regs arch/x86/kernel/dumpstack.c:447 [inline]
 __die_body+0x5f/0xa0 arch/x86/kernel/dumpstack.c:392
 __die+0x80/0x90 arch/x86/kernel/dumpstack.c:406
 no_context+0xaee/0xd60 arch/x86/mm/fault.c:821
 __bad_area_nosemaphore+0x108/0x470 arch/x86/mm/fault.c:913
 bad_area_nosemaphore+0x2d/0x40 arch/x86/mm/fault.c:920
 do_user_addr_fault+0x7e1/0xaf0 arch/x86/mm/fault.c:1327
 do_page_fault+0x13b/0x250 arch/x86/mm/fault.c:1517
 page_fault+0x39/0x40 arch/x86/entry/entry_64.S:1203
RIP: 0010:in_gate_area_no_mm+0x0/0x60 arch/x86/entry/vsyscall/vsyscall_64.c:343
Code: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 <00> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
RSP: 0018:ffffc900020a7598 EFLAGS: 00010003
RAX: 0000000000000000 RBX: ffffffff81000000 RCX: ffff88808c512380
RDX: ffff88808c512380 RSI: ffffffff8b026000 RDI: 000000000045a920
RBP: ffffc900020a75e8 R08: ffffffff816dd391 R09: ffffffff88150d5e
R10: ffff88808c512380 R11: 0000000000000002 R12: ffffffff8b026000
R13: 000000000045a920 R14: ffffc900020a7610 R15: ffffc900020a7608
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 8fecc067 P4D 8fecc067 PUD 97953067 PMD 0 
Oops: 0002 [#4] PREEMPT SMP KASAN
CPU: 0 PID: 8742 Comm: syz-executor.2 Not tainted 5.6.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:in_gate_area_no_mm+0x0/0x60 arch/x86/entry/vsyscall/vsyscall_64.c:343
Code: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 <00> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
RSP: 0018:ffffc900020a6338 EFLAGS: 00010087
RAX: 0000000000000000 RBX: ffffffff81000000 RCX: ffff88808c512380
RDX: ffff88808c512380 RSI: ffffffff8b026000 RDI: ffffffff80ffffff
RBP: ffffc900020a6388 R08: ffffffff816dd391 R09: ffffffff88150d5e
R10: ffff88808c512380 R11: 0000000000000002 R12: ffffffff8b026000
R13: ffffffff80ffffff R14: ffffc900020a63b0 R15: ffffc900020a63a8
FS:  000000000154f940(0000) GS:ffff8880aea00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 00000000a6b05000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 8fecc067 P4D 8fecc067 PUD 97953067 PMD 0 
Oops: 0002 [#5] PREEMPT SMP KASAN
CPU: 0 PID: 8742 Comm: syz-executor.2 Not tainted 5.6.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:in_gate_area_no_mm+0x0/0x60 arch/x86/entry/vsyscall/vsyscall_64.c:343
Code: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 <00> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
RSP: 0018:ffffc900020a5a78 EFLAGS: 00010087
RAX: 0000000000000000 RBX: ffffffff81000000 RCX: ffff88808c512380
RDX: ffff88808c512380 RSI: ffffffff8b026000 RDI: ffffffff80ffffff
RBP: ffffc900020a5ac8 R08: ffffffff816dd391 R09: ff
Lost 226 message(s)!

Fix bisection attempts:
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro
ci-upstream-kasan-gce-smack-root	2020/05/03 18:49	upstream	f66ed1eb	c88c7b75	.config	log		syz
ci-upstream-kasan-gce-smack-root	2020/04/03 11:57	upstream	bef7b2a7	c88c7b75	.config	log		syz

Crashes (1):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	Maintainers
ci-upstream-kasan-gce-smack-root	2020/03/04 07:43	upstream	63623fd4	c88c7b75	.config	log	report	syz		bp@alien8.de, hpa@zytor.com, linux-kernel@vger.kernel.org, luto@kernel.org, mingo@redhat.com, tglx@linutronix.de, x86@kernel.org