syzbot


general protection fault in sg_alloc_append_table_from_pages
Status: upstream: reported C repro on 2021/10/13 16:51
Reported-by: syzbot+2c56b725ec547fa9cb29@syzkaller.appspotmail.com
Fix commit: 2b6dd600dd72 udmabuf: validate ubuf->pagecount
Patched on: [ci-qemu-upstream ci-qemu-upstream-386 ci-qemu2-arm32 ci-qemu2-arm64 ci-qemu2-arm64-compat ci-qemu2-arm64-mte ci-upstream-bpf-kasan-gce ci-upstream-bpf-next-kasan-gce ci-upstream-gce-leak ci-upstream-kasan-gce ci-upstream-kasan-gce-386 ci-upstream-kasan-gce-root ci-upstream-kasan-gce-selinux-root ci-upstream-kasan-gce-smack-root ci-upstream-kmsan-gce ci-upstream-kmsan-gce-386 ci-upstream-linux-next-kasan-gce-root ci-upstream-net-kasan-gce ci-upstream-net-this-kasan-gce ci2-upstream-kcsan-gce ci2-upstream-usb], missing on: [ci-qemu2-riscv64]
First crash: 230d, last: 64d

Cause bisection: introduced by (bisect log) :
commit 284562e1f34874e267d4f499362c3816f8f6bc3f
Author: Gurchetan Singh <gurchetansingh@chromium.org>
Date: Tue Dec 3 01:36:27 2019 +0000

  udmabuf: implement begin_cpu_access/end_cpu_access hooks

Crash: general protection fault in __sg_alloc_table_from_pages (log)
Repro: syz .config
Patch testing requests:
Created Duration User Patch Repo Result
2021/12/30 13:53 9m paskripkin@gmail.com patch upstream OK

Sample crash report:
general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
CPU: 0 PID: 3598 Comm: syz-executor439 Not tainted 5.16.0-rc8-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:sg_alloc_append_table_from_pages+0x821/0xdb0 lib/scatterlist.c:525
Code: 0c 24 48 8b 4c 24 48 48 39 c8 48 0f 46 c8 89 f0 4c 8d 3c c7 48 89 4c 24 30 48 b9 00 00 00 00 00 fc ff df 4c 89 f8 48 c1 e8 03 <80> 3c 08 00 0f 85 24 05 00 00 4d 8b 3f 4c 89 e0 31 ff 83 e0 03 48
RSP: 0018:ffffc90001f5fc48 EFLAGS: 00010202
RAX: 0000000000000002 RBX: 0000000000000001 RCX: dffffc0000000000
RDX: ffff888018623a00 RSI: 0000000000000000 RDI: 0000000000000010
RBP: 00000000fffff000 R08: fffffffffffff000 R09: ffff888145f2fec0
R10: ffffffff83d8c060 R11: 0000000000000001 R12: 0000000000000002
R13: ffff888145f2fec0 R14: 0000000000000000 R15: 0000000000000010
FS:  0000555556ea9300(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020005b4c CR3: 000000006fc91000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 sg_alloc_table_from_pages_segment+0xc9/0x260 lib/scatterlist.c:573
 sg_alloc_table_from_pages include/linux/scatterlist.h:331 [inline]
 get_sg_table.isra.0+0xbb/0x160 drivers/dma-buf/udmabuf.c:67
 begin_cpu_udmabuf+0x130/0x1d0 drivers/dma-buf/udmabuf.c:126
 dma_buf_begin_cpu_access+0xfd/0x1d0 drivers/dma-buf/dma-buf.c:1175
 dma_buf_ioctl+0x29a/0x380 drivers/dma-buf/dma-buf.c:374
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:874 [inline]
 __se_sys_ioctl fs/ioctl.c:860 [inline]
 __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:860
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f2e9baf8079
Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffd94191c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f2e9baf8079
RDX: 0000000020000000 RSI: 0000000040086200 RDI: 0000000000000004
RBP: 00007f2e9babc060 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000003 R11: 0000000000000246 R12: 00007f2e9babc0f0
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
 </TASK>
Modules linked in:
---[ end trace fc3b8f1d5f6f9add ]---
RIP: 0010:sg_alloc_append_table_from_pages+0x821/0xdb0 lib/scatterlist.c:525
Code: 0c 24 48 8b 4c 24 48 48 39 c8 48 0f 46 c8 89 f0 4c 8d 3c c7 48 89 4c 24 30 48 b9 00 00 00 00 00 fc ff df 4c 89 f8 48 c1 e8 03 <80> 3c 08 00 0f 85 24 05 00 00 4d 8b 3f 4c 89 e0 31 ff 83 e0 03 48
RSP: 0018:ffffc90001f5fc48 EFLAGS: 00010202
RAX: 0000000000000002 RBX: 0000000000000001 RCX: dffffc0000000000
RDX: ffff888018623a00 RSI: 0000000000000000 RDI: 0000000000000010
RBP: 00000000fffff000 R08: fffffffffffff000 R09: ffff888145f2fec0
R10: ffffffff83d8c060 R11: 0000000000000001 R12: 0000000000000002
R13: ffff888145f2fec0 R14: 0000000000000000 R15: 0000000000000010
FS:  0000555556ea9300(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020005b4c CR3: 000000006fc91000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	0c 24                	or     $0x24,%al
   2:	48 8b 4c 24 48       	mov    0x48(%rsp),%rcx
   7:	48 39 c8             	cmp    %rcx,%rax
   a:	48 0f 46 c8          	cmovbe %rax,%rcx
   e:	89 f0                	mov    %esi,%eax
  10:	4c 8d 3c c7          	lea    (%rdi,%rax,8),%r15
  14:	48 89 4c 24 30       	mov    %rcx,0x30(%rsp)
  19:	48 b9 00 00 00 00 00 	movabs $0xdffffc0000000000,%rcx
  20:	fc ff df
  23:	4c 89 f8             	mov    %r15,%rax
  26:	48 c1 e8 03          	shr    $0x3,%rax
* 2a:	80 3c 08 00          	cmpb   $0x0,(%rax,%rcx,1) <-- trapping instruction
  2e:	0f 85 24 05 00 00    	jne    0x558
  34:	4d 8b 3f             	mov    (%r15),%r15
  37:	4c 89 e0             	mov    %r12,%rax
  3a:	31 ff                	xor    %edi,%edi
  3c:	83 e0 03             	and    $0x3,%eax
  3f:	48                   	rex.W

Fix bisection attempts:
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-upstream-kasan-gce 2021/12/10 16:34 upstream c741e49150db 418a00eb .config log report syz
Crashes (470):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-upstream-kasan-gce 2022/01/08 13:54 upstream d1587f7bfe9a 2ca0d385 .config log report syz C general protection fault in sg_alloc_append_table_from_pages
ci-upstream-kasan-gce 2022/01/07 10:58 upstream b2b436ec0205 6acc789a .config log report syz C general protection fault in sg_alloc_append_table_from_pages
ci-upstream-kasan-gce 2021/12/20 04:57 upstream a76c3d035872 44068e19 .config log report syz C general protection fault in sg_alloc_append_table_from_pages
ci-upstream-kasan-gce 2021/12/20 04:37 upstream a76c3d035872 44068e19 .config log report syz C general protection fault in sg_alloc_append_table_from_pages
ci-upstream-kasan-gce-smack-root 2021/12/19 17:44 upstream 3f667b5d4053 44068e19 .config log report syz C general protection fault in sg_alloc_append_table_from_pages
ci-upstream-kasan-gce 2021/12/19 17:37 upstream 3f667b5d4053 44068e19 .config log report syz C general protection fault in sg_alloc_append_table_from_pages
ci-upstream-kasan-gce-root 2021/12/19 17:26 upstream 3f667b5d4053 44068e19 .config log report syz C general protection fault in sg_alloc_append_table_from_pages
ci-upstream-kasan-gce 2021/10/20 21:02 upstream 8e37395c3a5d 418a00eb .config log report syz general protection fault in sg_alloc_append_table_from_pages
ci-upstream-kasan-gce-root 2021/10/10 02:49 upstream 717478d89fe2 838e7e2c .config log report syz general protection fault in sg_alloc_append_table_from_pages
ci-upstream-kasan-gce-root 2022/03/25 12:24 upstream 52deda9551a0 89bc8608 .config log report info general protection fault in sg_alloc_append_table_from_pages
ci-upstream-kasan-gce-selinux-root 2022/03/25 01:55 upstream 52deda9551a0 89bc8608 .config log report info general protection fault in sg_alloc_append_table_from_pages
ci-upstream-kasan-gce-root 2022/03/22 21:05 upstream b47d5a4f6b8d d88ef0c5 .config log report info general protection fault in sg_alloc_append_table_from_pages
ci-upstream-kasan-gce 2022/03/22 21:03 upstream b47d5a4f6b8d d88ef0c5 .config log report info general protection fault in sg_alloc_append_table_from_pages
ci-qemu-upstream 2022/03/21 23:58 upstream eaa54b1458ca e2d91b1d .config log report info general protection fault in sg_alloc_append_table_from_pages
ci-upstream-kasan-gce-selinux-root 2022/03/21 21:32 upstream f443e374ae13 e2d91b1d .config log report info general protection fault in sg_alloc_append_table_from_pages
ci-upstream-kasan-gce-root 2022/03/21 16:15 upstream f443e374ae13 e2d91b1d .config log report info general protection fault in sg_alloc_append_table_from_pages
ci-upstream-kasan-gce-root 2022/03/21 02:13 upstream f443e374ae13 e2d91b1d .config log report info general protection fault in sg_alloc_append_table_from_pages
ci-upstream-kasan-gce 2022/03/21 00:53 upstream f443e374ae13 e2d91b1d .config log report info general protection fault in sg_alloc_append_table_from_pages
ci-upstream-kasan-gce-selinux-root 2022/03/20 14:31 upstream 14702b3b2438 e2d91b1d .config log report info general protection fault in sg_alloc_append_table_from_pages
ci-upstream-kasan-gce-selinux-root 2022/03/18 21:25 upstream 551acdc3c3d2 e2d91b1d .config log report info general protection fault in sg_alloc_append_table_from_pages
ci-upstream-kasan-gce 2022/03/18 18:19 upstream 551acdc3c3d2 e2d91b1d .config log report info general protection fault in sg_alloc_append_table_from_pages
ci-upstream-kasan-gce-root 2022/03/18 02:40 upstream 551acdc3c3d2 e2d91b1d .config log report info general protection fault in sg_alloc_append_table_from_pages
ci-upstream-kasan-gce-smack-root 2022/03/17 20:42 upstream 56e337f2cf13 e2d91b1d .config log report info general protection fault in sg_alloc_append_table_from_pages
ci-upstream-kasan-gce 2022/03/17 19:29 upstream 56e337f2cf13 e2d91b1d .config log report info general protection fault in sg_alloc_append_table_from_pages
ci-qemu-upstream 2022/03/16 22:30 upstream 56e337f2cf13 46cc3b21 .config log report info general protection fault in sg_alloc_append_table_from_pages
ci-upstream-kasan-gce-smack-root 2022/03/16 21:12 upstream 56e337f2cf13 dfa9a8ed .config log report info general protection fault in sg_alloc_append_table_from_pages
ci-upstream-kasan-gce 2022/03/16 19:29 upstream 56e337f2cf13 dfa9a8ed .config log report info general protection fault in sg_alloc_append_table_from_pages
ci-upstream-kasan-gce-root 2022/03/16 03:23 upstream 56e337f2cf13 9e8eaa75 .config log report info general protection fault in sg_alloc_append_table_from_pages
ci-upstream-kasan-gce 2022/03/16 01:13 upstream 56e337f2cf13 9e8eaa75 .config log report info general protection fault in sg_alloc_append_table_from_pages
ci-upstream-kasan-gce 2022/03/15 17:15 upstream 09688c0166e7 9e8eaa75 .config log report info general protection fault in sg_alloc_append_table_from_pages
ci-upstream-kasan-gce 2022/03/15 16:45 upstream 09688c0166e7 9e8eaa75 .config log report info general protection fault in sg_alloc_append_table_from_pages
ci-upstream-kasan-gce 2022/03/14 21:28 upstream 09688c0166e7 9e8eaa75 .config log report info general protection fault in sg_alloc_append_table_from_pages
ci-upstream-kasan-gce-root 2022/03/14 17:39 upstream 09688c0166e7 9e8eaa75 .config log report info general protection fault in sg_alloc_append_table_from_pages
ci-upstream-kasan-gce-root 2022/03/13 07:10 upstream aad611a868d1 9e8eaa75 .config log report info general protection fault in sg_alloc_append_table_from_pages
ci-upstream-kasan-gce-root 2022/03/13 03:56 upstream aad611a868d1 9e8eaa75 .config log report info general protection fault in sg_alloc_append_table_from_pages
ci-upstream-kasan-gce-root 2022/03/11 20:31 upstream 79b00034e9dc 9e8eaa75 .config log report info general protection fault in sg_alloc_append_table_from_pages
ci-upstream-kasan-gce 2022/03/11 20:31 upstream 79b00034e9dc 9e8eaa75 .config log report info general protection fault in sg_alloc_append_table_from_pages
ci-upstream-kasan-gce 2022/03/11 13:32 upstream dda64ead7e82 9e8eaa75 .config log report info general protection fault in sg_alloc_append_table_from_pages
ci-upstream-kasan-gce 2022/03/10 04:08 upstream e7e19defa575 9e8eaa75 .config log report info general protection fault in sg_alloc_append_table_from_pages
ci-qemu-upstream 2022/03/09 07:56 upstream 92f90cc9fe0e 9e8eaa75 .config log report info general protection fault in sg_alloc_append_table_from_pages
ci-upstream-kasan-gce-selinux-root 2022/03/08 22:26 upstream 92f90cc9fe0e 9e8eaa75 .config log report info general protection fault in sg_alloc_append_table_from_pages
ci-upstream-kasan-gce 2022/03/08 21:05 upstream 92f90cc9fe0e 9e8eaa75 .config log report info general protection fault in sg_alloc_append_table_from_pages
ci-upstream-kasan-gce-root 2022/03/07 11:44 upstream ffb217a13a2e 7bdd8b2c .config log report info general protection fault in sg_alloc_append_table_from_pages
ci-upstream-kasan-gce-smack-root 2022/03/07 10:04 upstream ffb217a13a2e 7bdd8b2c .config log report info general protection fault in sg_alloc_append_table_from_pages
ci-upstream-kasan-gce-selinux-root 2022/03/07 03:12 upstream ffb217a13a2e 7bdd8b2c .config log report info general protection fault in sg_alloc_append_table_from_pages
ci-upstream-kasan-gce 2022/03/06 20:30 upstream dcde98da9970 7bdd8b2c .config log report info general protection fault in sg_alloc_append_table_from_pages
ci-upstream-kasan-gce-root 2022/03/06 20:26 upstream dcde98da9970 7bdd8b2c .config log report info general protection fault in sg_alloc_append_table_from_pages
ci-upstream-kasan-gce-root 2021/10/10 02:35 upstream 717478d89fe2 838e7e2c .config log report info general protection fault in sg_alloc_append_table_from_pages
ci-qemu-upstream-386 2022/03/23 02:54 upstream 519129040766 5ff41e94 .config log report info general protection fault in sg_alloc_append_table_from_pages
ci-upstream-kasan-gce-386 2022/03/22 22:18 upstream b47d5a4f6b8d d88ef0c5 .config log report info general protection fault in sg_alloc_append_table_from_pages
ci-upstream-kasan-gce-386 2022/03/21 04:35 upstream f443e374ae13 e2d91b1d .config log report info general protection fault in sg_alloc_append_table_from_pages
ci-upstream-kasan-gce-386 2022/03/20 20:06 upstream 14702b3b2438 e2d91b1d .config log report info general protection fault in sg_alloc_append_table_from_pages
ci-upstream-kasan-gce-386 2022/03/17 10:19 upstream 56e337f2cf13 dfa9a8ed .config log report info general protection fault in sg_alloc_append_table_from_pages
ci-upstream-kasan-gce-386 2022/03/17 03:19 upstream 56e337f2cf13 dfa9a8ed .config log report info general protection fault in sg_alloc_append_table_from_pages
ci-upstream-kasan-gce-386 2022/03/17 00:53 upstream 56e337f2cf13 dfa9a8ed .config log report info general protection fault in sg_alloc_append_table_from_pages
ci-upstream-kasan-gce-386 2022/03/15 09:17 upstream 09688c0166e7 9e8eaa75 .config log report info general protection fault in sg_alloc_append_table_from_pages
ci-upstream-kasan-gce-386 2022/03/13 05:26 upstream aad611a868d1 9e8eaa75 .config log report info general protection fault in sg_alloc_append_table_from_pages
ci-qemu-upstream-386 2022/03/09 05:19 upstream 92f90cc9fe0e 9e8eaa75 .config log report info general protection fault in sg_alloc_append_table_from_pages
ci-upstream-kasan-gce-386 2022/03/09 01:29 upstream 92f90cc9fe0e 9e8eaa75 .config log report info general protection fault in sg_alloc_append_table_from_pages
ci-qemu-upstream-386 2022/03/08 23:38 upstream 92f90cc9fe0e 9e8eaa75 .config log report info general protection fault in sg_alloc_append_table_from_pages
ci-qemu-upstream-386 2022/03/08 05:51 upstream ea4424be1688 7bdd8b2c .config log report info general protection fault in sg_alloc_append_table_from_pages
ci-upstream-kasan-gce-386 2022/03/07 04:29 upstream ffb217a13a2e 7bdd8b2c .config log report info general protection fault in sg_alloc_append_table_from_pages
ci-upstream-linux-next-kasan-gce-root 2022/01/30 15:15 linux-next b605fdc54c2b 495e00c5 .config log report info general protection fault in sg_alloc_append_table_from_pages
ci-qemu2-riscv64 2022/02/05 22:13 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 64a19591a293 a7dab638 .config log report info KASAN: null-ptr-deref Read in sg_alloc_append_table_from_pages