syzbot


general protection fault in fscache_free_cookie

Status: upstream: reported on 2022/01/18 15:00
Reported-by: syzbot+5b129e8586277719bab3@syzkaller.appspotmail.com
Fix commit: fscache: fix GPF in fscache_free_cookie
Patched on: [], missing on: [ci-qemu-upstream ci-qemu-upstream-386 ci-qemu2-arm32 ci-qemu2-arm64 ci-qemu2-arm64-compat ci-qemu2-arm64-mte ci-qemu2-riscv64 ci-upstream-bpf-kasan-gce ci-upstream-bpf-next-kasan-gce ci-upstream-gce-arm64 ci-upstream-gce-leak ci-upstream-kasan-gce ci-upstream-kasan-gce-386 ci-upstream-kasan-gce-root ci-upstream-kasan-gce-selinux-root ci-upstream-kasan-gce-smack-root ci-upstream-kmsan-gce ci-upstream-kmsan-gce-386 ci-upstream-linux-next-kasan-gce-root ci-upstream-net-kasan-gce ci-upstream-net-this-kasan-gce ci2-upstream-fs ci2-upstream-kcsan-gce ci2-upstream-usb]
First crash: 265d, last: 265d

Sample crash report:
RBP: 00007fb28e1911d0 R08: 0000000020000280 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000002
R13: 00007ffe01f9c0cf R14: 00007fb28e191300 R15: 0000000000022000
 </TASK>
general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 0 PID: 9511 Comm: syz-executor.1 Not tainted 5.16.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__list_del_entry_valid+0x81/0xf0 lib/list_debug.c:51
Code: 0f 84 19 69 35 05 48 b8 22 01 00 00 00 00 ad de 49 39 c4 0f 84 1a 69 35 05 48 b8 00 00 00 00 00 fc ff df 4c 89 e2 48 c1 ea 03 <80> 3c 02 00 75 51 49 8b 14 24 48 39 ea 0f 85 d1 68 35 05 49 8d 7d
RSP: 0018:ffffc9000714fa10 EFLAGS: 00010256
RAX: dffffc0000000000 RBX: ffffffff89ec31a0 RCX: ffffffff815d148a
RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffff888148f8ddd8
RBP: ffff888148f8ddd0 R08: 0000000000000001 R09: 0000000000000003
R10: fffff52000e29f38 R11: 0000000000000001 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: ffff8880293d0a00
FS:  00007fb28e191700(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f5cb26cf310 CR3: 00000000799aa000 CR4: 0000000000350ef0
Call Trace:
 <TASK>
 __list_del_entry include/linux/list.h:134 [inline]
 list_del include/linux/list.h:148 [inline]
 fscache_free_cookie fs/fscache/cookie.c:71 [inline]
 fscache_free_cookie+0x77/0x330 fs/fscache/cookie.c:66
 fscache_alloc_cookie+0x67a/0x790 fs/fscache/cookie.c:195
 __fscache_acquire_cookie+0x16c/0x600 fs/fscache/cookie.c:296
 fscache_acquire_cookie include/linux/fscache.h:334 [inline]
 v9fs_cache_session_get_cookie+0xf2/0x2f0 fs/9p/cache.c:60
 v9fs_session_init+0xe02/0x1780 fs/9p/v9fs.c:472
 v9fs_mount+0x73/0xa80 fs/9p/vfs_super.c:125
 legacy_get_tree+0x105/0x220 fs/fs_context.c:610
 vfs_get_tree+0x89/0x2f0 fs/super.c:1500
 do_new_mount fs/namespace.c:2994 [inline]
 path_mount+0x1320/0x1fa0 fs/namespace.c:3324
 do_mount fs/namespace.c:3337 [inline]
 __do_sys_mount fs/namespace.c:3545 [inline]
 __se_sys_mount fs/namespace.c:3522 [inline]
 __x64_sys_mount+0x27f/0x300 fs/namespace.c:3522
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7fb28f81beb9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fb28e191168 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007fb28f92ef60 RCX: 00007fb28f81beb9
RDX: 0000000020000b80 RSI: 0000000020000040 RDI: 0000000000000000
RBP: 00007fb28e1911d0 R08: 0000000020000280 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000002
R13: 00007ffe01f9c0cf R14: 00007fb28e191300 R15: 0000000000022000
 </TASK>
Modules linked in:
---[ end trace e959b745799b2618 ]---
RIP: 0010:__list_del_entry_valid+0x81/0xf0 lib/list_debug.c:51
Code: 0f 84 19 69 35 05 48 b8 22 01 00 00 00 00 ad de 49 39 c4 0f 84 1a 69 35 05 48 b8 00 00 00 00 00 fc ff df 4c 89 e2 48 c1 ea 03 <80> 3c 02 00 75 51 49 8b 14 24 48 39 ea 0f 85 d1 68 35 05 49 8d 7d
RSP: 0018:ffffc9000714fa10 EFLAGS: 00010256
RAX: dffffc0000000000 RBX: ffffffff89ec31a0 RCX: ffffffff815d148a
RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffff888148f8ddd8
RBP: ffff888148f8ddd0 R08: 0000000000000001 R09: 0000000000000003
R10: fffff52000e29f38 R11: 0000000000000001 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: ffff8880293d0a00
FS:  00007fb28e191700(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f5cb26cf310 CR3: 00000000799aa000 CR4: 0000000000350ef0
----------------
Code disassembly (best guess):
   0:	0f 84 19 69 35 05    	je     0x535691f
   6:	48 b8 22 01 00 00 00 	movabs $0xdead000000000122,%rax
   d:	00 ad de
  10:	49 39 c4             	cmp    %rax,%r12
  13:	0f 84 1a 69 35 05    	je     0x5356933
  19:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  20:	fc ff df
  23:	4c 89 e2             	mov    %r12,%rdx
  26:	48 c1 ea 03          	shr    $0x3,%rdx
* 2a:	80 3c 02 00          	cmpb   $0x0,(%rdx,%rax,1) <-- trapping instruction
  2e:	75 51                	jne    0x81
  30:	49 8b 14 24          	mov    (%r12),%rdx
  34:	48 39 ea             	cmp    %rbp,%rdx
  37:	0f 85 d1 68 35 05    	jne    0x535690e
  3d:	49                   	rex.WB
  3e:	8d                   	.byte 0x8d
  3f:	7d                   	.byte 0x7d

Crashes (1):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-upstream-kasan-gce-root 2022/01/13 08:45 upstream f079ab01b560 44d1319a .config log report info general protection fault in fscache_free_cookie
* Struck through repros no longer work on HEAD.