2022-07-11 11:28:18

by Dae R. Jeong

Subject: general protection fault in add_wait_queue_exclusive

Hello,

We observed a crash "general protection fault in
add_wait_queue_exclusive" during fuzzing.

Unfortunately, we have not found a reproducer for the crash yet. We
will inform you if we have any update on this crash.


Detailed crash information is attached at the end of this email.

Best regards,
Dae R. Jeong
------

- Kernel commit:
92f20ff72066d

- Crash report:
general protection fault, probably for non-canonical address 0xdffffc0000000019: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x00000000000000c8-0x00000000000000cf]
CPU: 2 PID: 14077 Comm: syz-executor.0 Not tainted 5.19.0-rc3-32288-g0f3b08299494 #15
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
RIP: 0010:__lock_acquire+0xf3/0x5e00 kernel/locking/lockdep.c:4926
Code: 89 bc 24 88 00 00 00 0f 85 02 27 00 00 83 3d 1b 16 66 10 00 0f 84 97 43 00 00 83 3d d6 ea f9 0e 00 74 31 48 89 f8 48 c1 e8 03 <42> 80 3c 00 00 74 17 e8 81 63 86 00 48 8b bc 24 88 00 00 00 49 b8
RSP: 0018:ffffc9000ea575e0 EFLAGS: 00010002
RAX: 0000000000000019 RBX: 0000000000000001 RCX: 1ffff92001d4aedc
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000000000c8
RBP: ffffc9000ea57970 R08: dffffc0000000000 R09: 0000000000000001
R10: fffffbfff2394d5e R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000001
FS: 00007f44e25aa700(0000) GS:ffff8880b9300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000056077effb180 CR3: 0000000028845000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
lock_acquire+0x1a4/0x4a0 kernel/locking/lockdep.c:5672
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0xb3/0x100 kernel/locking/spinlock.c:162
add_wait_queue_exclusive+0x3c/0x130 kernel/sched/wait.c:33
ep_ptable_queue_proc+0x1b1/0x370 fs/eventpoll.c:1259
poll_wait include/linux/poll.h:49 [inline]
vmci_host_poll+0xf8/0x2b0 drivers/misc/vmw_vmci/vmci_host.c:174
vfs_poll include/linux/poll.h:88 [inline]
ep_item_poll fs/eventpoll.c:853 [inline]
ep_insert fs/eventpoll.c:1522 [inline]
do_epoll_ctl+0x2f84/0x4a90 fs/eventpoll.c:2141
__do_sys_epoll_ctl fs/eventpoll.c:2192 [inline]
__se_sys_epoll_ctl fs/eventpoll.c:2183 [inline]
__x64_sys_epoll_ctl+0x19d/0x230 fs/eventpoll.c:2183
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x4e/0xa0 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x478dc9
Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f44e25a9be8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e9
RAX: ffffffffffffffda RBX: 0000000000781408 RCX: 0000000000478dc9
RDX: 0000000000000004 RSI: 0000000000000001 RDI: 0000000000000003
RBP: 00000000f477909a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000020000240 R11: 0000000000000246 R12: 0000000000781500
R13: 0000000000781414 R14: 0000000000781408 R15: 00007ffc45fbf120
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__lock_acquire+0xf3/0x5e00 kernel/locking/lockdep.c:4926
Code: 89 bc 24 88 00 00 00 0f 85 02 27 00 00 83 3d 1b 16 66 10 00 0f 84 97 43 00 00 83 3d d6 ea f9 0e 00 74 31 48 89 f8 48 c1 e8 03 <42> 80 3c 00 00 74 17 e8 81 63 86 00 48 8b bc 24 88 00 00 00 49 b8
RSP: 0018:ffffc9000ea575e0 EFLAGS: 00010002
RAX: 0000000000000019 RBX: 0000000000000001 RCX: 1ffff92001d4aedc
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000000000c8
RBP: ffffc9000ea57970 R08: dffffc0000000000 R09: 0000000000000001
R10: fffffbfff2394d5e R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000001
FS: 00007f44e25aa700(0000) GS:ffff8880b9300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000056077effb180 CR3: 0000000028845000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


2022-08-10 18:43:58

by Vishnu Dasa

Subject: Re: general protection fault in add_wait_queue_exclusive

Thank you for reporting this. We have filed an internal bug and will look into it.

Regards,
Vishnu

> On Jul 11, 2022, at 3:52 AM, Dae R. Jeong <[email protected]> wrote:
>
> Hello,
>
> We observed a crash "general protection fault in
> add_wait_queue_exclusive" during fuzzing.
>
> Unfortunately, we have not found a reproducer for the crash yet. We
> will inform you if we have any update on this crash.
>
>
> Detailed crash information is attached at the end of this email.
>
> Best regards,
> Dae R. Jeong
> ------
>
> - Kernel commit:
> 92f20ff72066d
>
> - Crash report:
> general protection fault, probably for non-canonical address 0xdffffc0000000019: 0000 [#1] PREEMPT SMP KASAN
> KASAN: null-ptr-deref in range [0x00000000000000c8-0x00000000000000cf]
> CPU: 2 PID: 14077 Comm: syz-executor.0 Not tainted 5.19.0-rc3-32288-g0f3b08299494 #15
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
> RIP: 0010:__lock_acquire+0xf3/0x5e00 kernel/locking/lockdep.c:4926
> Code: 89 bc 24 88 00 00 00 0f 85 02 27 00 00 83 3d 1b 16 66 10 00 0f 84 97 43 00 00 83 3d d6 ea f9 0e 00 74 31 48 89 f8 48 c1 e8 03 <42> 80 3c 00 00 74 17 e8 81 63 86 00 48 8b bc 24 88 00 00 00 49 b8
> RSP: 0018:ffffc9000ea575e0 EFLAGS: 00010002
> RAX: 0000000000000019 RBX: 0000000000000001 RCX: 1ffff92001d4aedc
> RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000000000c8
> RBP: ffffc9000ea57970 R08: dffffc0000000000 R09: 0000000000000001
> R10: fffffbfff2394d5e R11: 0000000000000000 R12: 0000000000000000
> R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000001
> FS: 00007f44e25aa700(0000) GS:ffff8880b9300000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 000056077effb180 CR3: 0000000028845000 CR4: 00000000003506e0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
> <TASK>
> lock_acquire+0x1a4/0x4a0 kernel/locking/lockdep.c:5672
> __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
> _raw_spin_lock_irqsave+0xb3/0x100 kernel/locking/spinlock.c:162
> add_wait_queue_exclusive+0x3c/0x130 kernel/sched/wait.c:33
> ep_ptable_queue_proc+0x1b1/0x370 fs/eventpoll.c:1259
> poll_wait include/linux/poll.h:49 [inline]
> vmci_host_poll+0xf8/0x2b0 drivers/misc/vmw_vmci/vmci_host.c:174
> vfs_poll include/linux/poll.h:88 [inline]
> ep_item_poll fs/eventpoll.c:853 [inline]
> ep_insert fs/eventpoll.c:1522 [inline]
> do_epoll_ctl+0x2f84/0x4a90 fs/eventpoll.c:2141
> __do_sys_epoll_ctl fs/eventpoll.c:2192 [inline]
> __se_sys_epoll_ctl fs/eventpoll.c:2183 [inline]
> __x64_sys_epoll_ctl+0x19d/0x230 fs/eventpoll.c:2183
> do_syscall_x64 arch/x86/entry/common.c:51 [inline]
> do_syscall_64+0x4e/0xa0 arch/x86/entry/common.c:82
> entry_SYSCALL_64_after_hwframe+0x46/0xb0
> RIP: 0033:0x478dc9
> Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007f44e25a9be8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e9
> RAX: ffffffffffffffda RBX: 0000000000781408 RCX: 0000000000478dc9
> RDX: 0000000000000004 RSI: 0000000000000001 RDI: 0000000000000003
> RBP: 00000000f477909a R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000020000240 R11: 0000000000000246 R12: 0000000000781500
> R13: 0000000000781414 R14: 0000000000781408 R15: 00007ffc45fbf120
> </TASK>
> Modules linked in:
> ---[ end trace 0000000000000000 ]---
> RIP: 0010:__lock_acquire+0xf3/0x5e00 kernel/locking/lockdep.c:4926
> Code: 89 bc 24 88 00 00 00 0f 85 02 27 00 00 83 3d 1b 16 66 10 00 0f 84 97 43 00 00 83 3d d6 ea f9 0e 00 74 31 48 89 f8 48 c1 e8 03 <42> 80 3c 00 00 74 17 e8 81 63 86 00 48 8b bc 24 88 00 00 00 49 b8
> RSP: 0018:ffffc9000ea575e0 EFLAGS: 00010002
> RAX: 0000000000000019 RBX: 0000000000000001 RCX: 1ffff92001d4aedc
> RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000000000c8
> RBP: ffffc9000ea57970 R08: dffffc0000000000 R09: 0000000000000001
> R10: fffffbfff2394d5e R11: 0000000000000000 R12: 0000000000000000
> R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000001
> FS: 00007f44e25aa700(0000) GS:ffff8880b9300000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 000056077effb180 CR3: 0000000028845000 CR4: 00000000003506e0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400