general protection fault in hidraw

general protection fault in hidraw_release
Status: upstream: reported on 2022/01/04 07:49
Reported-by: syzbot+953a33deaf38c66a915e@syzkaller.appspotmail.com
First crash: 27d, last: 4d15h

Sample crash report:

general protection fault, probably for non-canonical address 0xdffffc0000000014: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x00000000000000a0-0x00000000000000a7]
CPU: 1 PID: 18549 Comm: syz-executor.4 Not tainted 5.16.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:trace_event_get_offsets_lock_acquire include/trace/events/lock.h:13 [inline]
RIP: 0010:perf_trace_lock_acquire+0xe9/0x4a0 include/trace/events/lock.h:13
Code: 44 24 48 42 8a 04 38 84 c0 0f 85 36 03 00 00 c7 84 24 a0 00 00 00 00 00 00 00 49 8d 5e 18 48 89 d8 48 c1 e8 03 48 89 44 24 38 <42> 80 3c 38 00 74 08 48 89 df e8 08 a9 6a 00 48 89 5c 24 40 48 8b
RSP: 0018:ffffc9000bcef540 EFLAGS: 00010006
RAX: 0000000000000014 RBX: 00000000000000a0 RCX: 000000000bcef503
RDX: 0000000000000000 RSI: 0000000000000088 RDI: ffffc9000bcef5c0
RBP: ffffc9000bcef658 R08: 0000000000000000 R09: 0000000000000001
R10: fffffbfff1c02a16 R11: 0000000000000000 R12: 0000000000000000
R13: ffffffff8c9eb1e0 R14: 0000000000000088 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2f821000 CR3: 00000000736d3000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 trace_lock_acquire+0x161/0x190 include/trace/events/lock.h:13
 lock_acquire+0xa5/0x4d0 kernel/locking/lockdep.c:5610
 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
 _raw_spin_lock_irqsave+0xd1/0x120 kernel/locking/spinlock.c:162
 hidraw_release+0xb9/0x4a0 drivers/hid/hidraw.c:352
 __fput+0x3fc/0x870 fs/file_table.c:311
 task_work_run+0x146/0x1c0 kernel/task_work.c:164
 exit_task_work include/linux/task_work.h:32 [inline]
 do_exit+0x63b/0x2140 kernel/exit.c:806
 do_group_exit+0x2af/0x2b0 kernel/exit.c:935
 get_signal+0x1831/0x2330 kernel/signal.c:2862
 arch_do_signal_or_restart+0x9c/0x730 arch/x86/kernel/signal.c:868
 handle_signal_work kernel/entry/common.c:148 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:172 [inline]
 exit_to_user_mode_prepare+0x191/0x220 kernel/entry/common.c:207
 __syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline]
 syscall_exit_to_user_mode+0x2e/0x70 kernel/entry/common.c:300
 do_syscall_64+0x53/0xd0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7ff6755c7f74
Code: Unable to access opcode bytes at RIP 0x7ff6755c7f4a.
RSP: 002b:00007ff673f68ca0 EFLAGS: 00000293 ORIG_RAX: 0000000000000101
RAX: 0000000000000005 RBX: 6666666666666667 RCX: 00007ff6755c7f74
RDX: 0000000000000000 RSI: 00007ff673f68d40 RDI: 00000000ffffff9c
RBP: 00007ff673f68d40 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000
R13: 00007ffe7b50c68f R14: 00007ff673f69300 R15: 0000000000022000
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:trace_event_get_offsets_lock_acquire include/trace/events/lock.h:13 [inline]
RIP: 0010:perf_trace_lock_acquire+0xe9/0x4a0 include/trace/events/lock.h:13
Code: 44 24 48 42 8a 04 38 84 c0 0f 85 36 03 00 00 c7 84 24 a0 00 00 00 00 00 00 00 49 8d 5e 18 48 89 d8 48 c1 e8 03 48 89 44 24 38 <42> 80 3c 38 00 74 08 48 89 df e8 08 a9 6a 00 48 89 5c 24 40 48 8b
RSP: 0018:ffffc9000bcef540 EFLAGS: 00010006
RAX: 0000000000000014 RBX: 00000000000000a0 RCX: 000000000bcef503
RDX: 0000000000000000 RSI: 0000000000000088 RDI: ffffc9000bcef5c0
RBP: ffffc9000bcef658 R08: 0000000000000000 R09: 0000000000000001
R10: fffffbfff1c02a16 R11: 0000000000000000 R12: 0000000000000000
R13: ffffffff8c9eb1e0 R14: 0000000000000088 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2f821000 CR3: 00000000736d3000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	44 24 48             	rex.R and $0x48,%al
   3:	42 8a 04 38          	mov    (%rax,%r15,1),%al
   7:	84 c0                	test   %al,%al
   9:	0f 85 36 03 00 00    	jne    0x345
   f:	c7 84 24 a0 00 00 00 	movl   $0x0,0xa0(%rsp)
  16:	00 00 00 00
  1a:	49 8d 5e 18          	lea    0x18(%r14),%rbx
  1e:	48 89 d8             	mov    %rbx,%rax
  21:	48 c1 e8 03          	shr    $0x3,%rax
  25:	48 89 44 24 38       	mov    %rax,0x38(%rsp)
* 2a:	42 80 3c 38 00       	cmpb   $0x0,(%rax,%r15,1) <-- trapping instruction
  2f:	74 08                	je     0x39
  31:	48 89 df             	mov    %rbx,%rdi
  34:	e8 08 a9 6a 00       	callq  0x6aa941
  39:	48 89 5c 24 40       	mov    %rbx,0x40(%rsp)
  3e:	48                   	rex.W
  3f:	8b                   	.byte 0x8b

Crashes (4):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	VM info	Title
ci-upstream-kasan-gce-smack-root	2022/01/23 05:38	upstream	1c52283265a4	214351e1	.config	log	report	info	general protection fault in hidraw_release
ci-upstream-linux-next-kasan-gce-root	2022/01/15 06:05	linux-next	bd8d9cef2a79	723cfaf0	.config	log	report	info	general protection fault in hidraw_release
ci-upstream-linux-next-kasan-gce-root	2022/01/13 15:38	linux-next	27c9d5b3c24a	44d1319a	.config	log	report	info	general protection fault in hidraw_release
ci-upstream-linux-next-kasan-gce-root	2021/12/31 03:40	linux-next	ea586a076e8a	36bd2e48	.config	log	report	info	general protection fault in hidraw_release