syzbot


general protection fault in kobject_get_path

Status: auto-closed as invalid on 2022/03/12 09:54
Reported-by: syzbot+ce68e78f639ef7fea01a@syzkaller.appspotmail.com
First crash: 360d, last: 360d

Sample crash report:
sd 1:0:0:1: [sdc] Media removed, stopped polling
general protection fault, probably for non-canonical address 0xe01ffbf1102227d8: 0000 [#1] PREEMPT SMP KASAN
KASAN: maybe wild-memory-access in range [0x00ffff8881113ec0-0x00ffff8881113ec7]
CPU: 0 PID: 988 Comm: kworker/u4:4 Not tainted 5.16.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events_unbound async_run_entry_fn
RIP: 0010:strlen+0x1a/0x90 lib/string.c:487
Code: e8 db 93 5d ff 48 8b 74 24 08 48 8b 3c 24 eb c0 48 b8 00 00 00 00 00 fc ff df 48 89 fa 55 48 89 fd 48 c1 ea 03 53 48 83 ec 08 <0f> b6 04 02 48 89 fa 83 e2 07 38 d0 7f 04 84 c0 75 48 80 7d 00 00
RSP: 0018:ffffc90002077858 EFLAGS: 00010292
RAX: dffffc0000000000 RBX: ffff88811c075041 RCX: 0000000000000000
RDX: 001ffff1102227d8 RSI: ffffffff8213581e RDI: 00ffff8881113ec3
RBP: 00ffff8881113ec3 R08: 000000004c7b87f2 R09: 0000000049c1e9c8
R10: fffff5200040eeb5 R11: 0000000000050046 R12: dffffc0000000000
R13: ffff888135cdb9c8 R14: 0000000000000013 R15: 0000000000000cc0
FS:  0000000000000000(0000) GS:ffff8881f6800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f29095a2d38 CR3: 000000013669b000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 strlen include/linux/fortify-string.h:102 [inline]
 get_kobj_path_length lib/kobject.c:141 [inline]
 kobject_get_path+0x36/0x230 lib/kobject.c:176
 kobject_uevent_env+0x265/0x1650 lib/kobject_uevent.c:529
 disk_uevent+0x124/0x460 block/genhd.c:367
 device_add_disk+0xc71/0xed0 block/genhd.c:519
 sd_probe+0xa69/0xfd0 drivers/scsi/sd.c:3582
 call_driver_probe drivers/base/dd.c:517 [inline]
 really_probe+0x245/0xcc0 drivers/base/dd.c:596
 __driver_probe_device+0x338/0x4d0 drivers/base/dd.c:751
 driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:781
 __device_attach_driver+0x20b/0x2f0 drivers/base/dd.c:898
 bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:427
 __device_attach_async_helper+0x1c9/0x280 drivers/base/dd.c:927
 async_run_entry_fn+0x9d/0x550 kernel/async.c:127
 process_one_work+0x9b2/0x1690 kernel/workqueue.c:2298
 worker_thread+0x658/0x11f0 kernel/workqueue.c:2445
 kthread+0x40b/0x500 kernel/kthread.c:327
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
 </TASK>
Modules linked in:
---[ end trace 7527fc1d28529b3e ]---
RIP: 0010:strlen+0x1a/0x90 lib/string.c:487
Code: e8 db 93 5d ff 48 8b 74 24 08 48 8b 3c 24 eb c0 48 b8 00 00 00 00 00 fc ff df 48 89 fa 55 48 89 fd 48 c1 ea 03 53 48 83 ec 08 <0f> b6 04 02 48 89 fa 83 e2 07 38 d0 7f 04 84 c0 75 48 80 7d 00 00
RSP: 0018:ffffc90002077858 EFLAGS: 00010292
RAX: dffffc0000000000 RBX: ffff88811c075041 RCX: 0000000000000000
RDX: 001ffff1102227d8 RSI: ffffffff8213581e RDI: 00ffff8881113ec3
RBP: 00ffff8881113ec3 R08: 000000004c7b87f2 R09: 0000000049c1e9c8
R10: fffff5200040eeb5 R11: 0000000000050046 R12: dffffc0000000000
R13: ffff888135cdb9c8 R14: 0000000000000013 R15: 0000000000000cc0
FS:  0000000000000000(0000) GS:ffff8881f6800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f29095a2d38 CR3: 000000013669b000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	e8 db 93 5d ff       	callq  0xff5d93e0
   5:	48 8b 74 24 08       	mov    0x8(%rsp),%rsi
   a:	48 8b 3c 24          	mov    (%rsp),%rdi
   e:	eb c0                	jmp    0xffffffd0
  10:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  17:	fc ff df
  1a:	48 89 fa             	mov    %rdi,%rdx
  1d:	55                   	push   %rbp
  1e:	48 89 fd             	mov    %rdi,%rbp
  21:	48 c1 ea 03          	shr    $0x3,%rdx
  25:	53                   	push   %rbx
  26:	48 83 ec 08          	sub    $0x8,%rsp
* 2a:	0f b6 04 02          	movzbl (%rdx,%rax,1),%eax <-- trapping instruction
  2e:	48 89 fa             	mov    %rdi,%rdx
  31:	83 e2 07             	and    $0x7,%edx
  34:	38 d0                	cmp    %dl,%al
  36:	7f 04                	jg     0x3c
  38:	84 c0                	test   %al,%al
  3a:	75 48                	jne    0x84
  3c:	80 7d 00 00          	cmpb   $0x0,0x0(%rbp)

Crashes (1):
Manager: ci2-upstream-usb
Time: 2021/12/12 09:53
Kernel: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
Commit: d598c3c46ea6
Syzkaller: 49ca1f59
Config / Log / Report / VM info: .config, log, report, info (links on the original page)
Syz repro: none
C repro: none
Title: general protection fault in kobject_get_path