Hello,
syzbot found the following crash on:
HEAD commit: dc4c89997735 Add linux-next specific files for 20190201
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=120a50b0c00000
kernel config: https://syzkaller.appspot.com/x/.config?x=59aefae07c771af6
dashboard link: https://syzkaller.appspot.com/bug?extid=65788f9af9d54844389e
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=178e0798c00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11b4f0b0c00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: [email protected]
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 21 Comm: kworker/u4:1 Not tainted 5.0.0-rc4-next-20190201 #25
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Workqueue: events_unbound flush_to_ldisc
RIP: 0010:skb_put+0x35/0x1d0 net/core/skbuff.c:1698
Code: 89 f5 41 54 49 89 fc 53 4d 8d b4 24 b8 00 00 00 48 83 ec 08 e8 2c 6a
01 fc 4c 89 f2 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <0f> b6 14 02 4c
89 f0 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 4c
RSP: 0018:ffff8880a99cfb28 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: ffff8880969a9280 RCX: ffffffff84ef8fa3
RDX: 0000000000000017 RSI: ffffffff856e9164 RDI: 0000000000000000
RBP: ffff8880a99cfb58 R08: ffff8880a99c0580 R09: ffffed1015d25bc0
R10: ffffed1015d25bbf R11: ffff8880ae92ddfb R12: 0000000000000000
R13: 0000000000000001 R14: 00000000000000b8 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000004b4adc CR3: 000000008e053000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
skb_put_data include/linux/skbuff.h:2138 [inline]
bcsp_unslip_one_byte drivers/bluetooth/hci_bcsp.c:451 [inline]
bcsp_recv+0x98f/0x13a0 drivers/bluetooth/hci_bcsp.c:612
hci_uart_tty_receive+0x22b/0x530 drivers/bluetooth/hci_ldisc.c:607
tty_ldisc_receive_buf+0x164/0x1c0 drivers/tty/tty_buffer.c:465
tty_port_default_receive_buf+0x7d/0xb0 drivers/tty/tty_port.c:38
receive_buf drivers/tty/tty_buffer.c:481 [inline]
flush_to_ldisc+0x228/0x390 drivers/tty/tty_buffer.c:533
process_one_work+0x98e/0x1790 kernel/workqueue.c:2257
worker_thread+0x98/0xe40 kernel/workqueue.c:2403
kthread+0x357/0x430 kernel/kthread.c:247
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352
Modules linked in:
---[ end trace 6643b2336de1f8b1 ]---
RIP: 0010:skb_put+0x35/0x1d0 net/core/skbuff.c:1698
Code: 89 f5 41 54 49 89 fc 53 4d 8d b4 24 b8 00 00 00 48 83 ec 08 e8 2c 6a
01 fc 4c 89 f2 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <0f> b6 14 02 4c
89 f0 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 4c
RSP: 0018:ffff8880a99cfb28 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: ffff8880969a9280 RCX: ffffffff84ef8fa3
RDX: 0000000000000017 RSI: ffffffff856e9164 RDI: 0000000000000000
RBP: ffff8880a99cfb58 R08: ffff8880a99c0580 R09: ffffed1015d25bc0
R10: ffffed1015d25bbf R11: ffff8880ae92ddfb R12: 0000000000000000
R13: 0000000000000001 R14: 00000000000000b8 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000004b4adc CR3: 000000008e053000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at [email protected].
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot has bisected this bug to:
commit 97faec531460c949d7120672b8c77e2f41f8d6d7
Author: James Smart <[email protected]>
Date: Thu Sep 13 23:17:38 2018 +0000
nvme_fc: add 'nvme_discovery' sysfs attribute to fc transport device
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=121f55db200000
start commit: 97faec53 nvme_fc: add 'nvme_discovery' sysfs attribute to ..
git tree: linux-next
final crash: https://syzkaller.appspot.com/x/report.txt?x=111f55db200000
console output: https://syzkaller.appspot.com/x/log.txt?x=161f55db200000
kernel config: https://syzkaller.appspot.com/x/.config?x=59aefae07c771af6
dashboard link: https://syzkaller.appspot.com/bug?extid=65788f9af9d54844389e
userspace arch: amd64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=178e0798c00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11b4f0b0c00000
Reported-by: [email protected]
Fixes: 97faec53 ("nvme_fc: add 'nvme_discovery' sysfs attribute to fc
transport device")
On 3/11/2019 6:20 AM, syzbot wrote:
> syzbot has bisected this bug to:
>
> commit 97faec531460c949d7120672b8c77e2f41f8d6d7
> Author: James Smart <[email protected]>
> Date: Thu Sep 13 23:17:38 2018 +0000
>
> nvme_fc: add 'nvme_discovery' sysfs attribute to fc transport device
>
> bisection log:
> https://syzkaller.appspot.com/x/bisect.txt?x=121f55db200000
> start commit: 97faec53 nvme_fc: add 'nvme_discovery' sysfs attribute
> to ..
> git tree: linux-next
> final crash: https://syzkaller.appspot.com/x/report.txt?x=111f55db200000
> console output: https://syzkaller.appspot.com/x/log.txt?x=161f55db200000
> kernel config: https://syzkaller.appspot.com/x/.config?x=59aefae07c771af6
> dashboard link:
> https://syzkaller.appspot.com/bug?extid=65788f9af9d54844389e
> userspace arch: amd64
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=178e0798c00000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11b4f0b0c00000
>
> Reported-by: [email protected]
> Fixes: 97faec53 ("nvme_fc: add 'nvme_discovery' sysfs attribute to fc
> transport device")
can someone contact me as to what this thing is doing and how to
interpret all the logs. nvme_fc isn't remotely in any of the logs and
doesn't use skb's unless the underlying udev_uevents are using them.
-- james
On Mon, Mar 11, 2019 at 5:20 PM 'James Smart' via syzkaller-bugs
<[email protected]> wrote:
>
> On 3/11/2019 6:20 AM, syzbot wrote:
> > syzbot has bisected this bug to:
> >
> > commit 97faec531460c949d7120672b8c77e2f41f8d6d7
> > Author: James Smart <[email protected]>
> > Date: Thu Sep 13 23:17:38 2018 +0000
> >
> > nvme_fc: add 'nvme_discovery' sysfs attribute to fc transport device
> >
> > bisection log:
> > https://syzkaller.appspot.com/x/bisect.txt?x=121f55db200000
> > start commit: 97faec53 nvme_fc: add 'nvme_discovery' sysfs attribute
> > to ..
> > git tree: linux-next
> > final crash: https://syzkaller.appspot.com/x/report.txt?x=111f55db200000
> > console output: https://syzkaller.appspot.com/x/log.txt?x=161f55db200000
> > kernel config: https://syzkaller.appspot.com/x/.config?x=59aefae07c771af6
> > dashboard link:
> > https://syzkaller.appspot.com/bug?extid=65788f9af9d54844389e
> > userspace arch: amd64
> > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=178e0798c00000
> > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11b4f0b0c00000
> >
> > Reported-by: [email protected]
> > Fixes: 97faec53 ("nvme_fc: add 'nvme_discovery' sysfs attribute to fc
> > transport device")
>
> can someone contact me as to what this thing is doing and how to
> interpret all the logs. nvme_fc isn't remotely in any of the logs and
> doesn't use skb's unless the underlying udev_uevents are using them.
Hi James,
What exactly is unclear/needs interpretation? syzbot did what is
commonly known as kernel/git bisection process. This is a new feature
so there can be some rough edges. Hopefully we can improve the
representation together.
Thanks
On 3/11/2019 9:40 AM, Dmitry Vyukov wrote:
> On Mon, Mar 11, 2019 at 5:20 PM 'James Smart' via syzkaller-bugs
> <[email protected]> wrote:
>>
>> On 3/11/2019 6:20 AM, syzbot wrote:
>>> syzbot has bisected this bug to:
>>>
>>> commit 97faec531460c949d7120672b8c77e2f41f8d6d7
>>> Author: James Smart <[email protected]>
>>> Date: Thu Sep 13 23:17:38 2018 +0000
>>>
>>> nvme_fc: add 'nvme_discovery' sysfs attribute to fc transport device
>>>
>>> bisection log:
>>> https://syzkaller.appspot.com/x/bisect.txt?x=121f55db200000
>>> start commit: 97faec53 nvme_fc: add 'nvme_discovery' sysfs attribute
>>> to ..
>>> git tree: linux-next
>>> final crash: https://syzkaller.appspot.com/x/report.txt?x=111f55db200000
>>> console output: https://syzkaller.appspot.com/x/log.txt?x=161f55db200000
>>> kernel config: https://syzkaller.appspot.com/x/.config?x=59aefae07c771af6
>>> dashboard link:
>>> https://syzkaller.appspot.com/bug?extid=65788f9af9d54844389e
>>> userspace arch: amd64
>>> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=178e0798c00000
>>> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11b4f0b0c00000
>>>
>>> Reported-by: [email protected]
>>> Fixes: 97faec53 ("nvme_fc: add 'nvme_discovery' sysfs attribute to fc
>>> transport device")
>>
>> can someone contact me as to what this thing is doing and how to
>> interpret all the logs. nvme_fc isn't remotely in any of the logs and
>> doesn't use skb's unless the underlying udev_uevents are using them.
>
> Hi James,
>
> What exactly is unclear/needs interpretation? syzbot did what is
> commonly known as kernel/git bisection process. This is a new feature
> so there can be some rough edges. Hopefully we can improve the
> representation together.
>
> Thanks
>
Everything is unclear. You're telling me that an error occurred and that
you reduced it to the git submit where the error starts appearing.
Usually there would be something in the base crash, which I'm looking at
in https://syzkaller.appspot.com/x/report.txt?x=111f55db200000 which
would point back at something in the patch or related to it. There are
no relationships. I can't quite figure out what the base test actually
did that generated the failure to see if there's any possible relationship.
Everything in the base crash stacktrace points to an issue in the
bluetooth uart driver doing all the logging - not the patch called out.
So this looks like a failure of your infrastructure.
-- james
On Mon, Mar 11, 2019 at 7:10 PM James Smart <[email protected]> wrote:
>
> On 3/11/2019 9:40 AM, Dmitry Vyukov wrote:
> > On Mon, Mar 11, 2019 at 5:20 PM 'James Smart' via syzkaller-bugs
> > <[email protected]> wrote:
> >>
> >> On 3/11/2019 6:20 AM, syzbot wrote:
> >>> syzbot has bisected this bug to:
> >>>
> >>> commit 97faec531460c949d7120672b8c77e2f41f8d6d7
> >>> Author: James Smart <[email protected]>
> >>> Date: Thu Sep 13 23:17:38 2018 +0000
> >>>
> >>> nvme_fc: add 'nvme_discovery' sysfs attribute to fc transport device
> >>>
> >>> bisection log:
> >>> https://syzkaller.appspot.com/x/bisect.txt?x=121f55db200000
> >>> start commit: 97faec53 nvme_fc: add 'nvme_discovery' sysfs attribute
> >>> to ..
> >>> git tree: linux-next
> >>> final crash: https://syzkaller.appspot.com/x/report.txt?x=111f55db200000
> >>> console output: https://syzkaller.appspot.com/x/log.txt?x=161f55db200000
> >>> kernel config: https://syzkaller.appspot.com/x/.config?x=59aefae07c771af6
> >>> dashboard link:
> >>> https://syzkaller.appspot.com/bug?extid=65788f9af9d54844389e
> >>> userspace arch: amd64
> >>> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=178e0798c00000
> >>> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11b4f0b0c00000
> >>>
> >>> Reported-by: [email protected]
> >>> Fixes: 97faec53 ("nvme_fc: add 'nvme_discovery' sysfs attribute to fc
> >>> transport device")
> >>
> >> can someone contact me as to what this thing is doing and how to
> >> interpret all the logs. nvme_fc isn't remotely in any of the logs and
> >> doesn't use skb's unless the underlying udev_uevents are using them.
> >
> > Hi James,
> >
> > What exactly is unclear/needs interpretation? syzbot did what is
> > commonly known as kernel/git bisection process. This is a new feature
> > so there can be some rough edges. Hopefully we can improve the
> > representation together.
> >
> > Thanks
> >
> Everything is unclear. You're telling me that an error occurred and that
> you reduced it to the git submit where the error starts appearing.
>
> Usually there would be something in the base crash, which I'm looking at
> in https://syzkaller.appspot.com/x/report.txt?x=111f55db200000 which
> would point back at something in the patch or related to it. There are
> no relationships. I can't quite figure out what the base test actually
> did that generated the failure to see if there's any possible relationship.
>
> Everything in the base crash stacktrace points to an issue in the
> bluetooth uart driver doing all the logging - not the patch called out.
Everything up to this point is perfectly correct. So lots of things
seem to be clear to you ;)
The base test case is provided in under the "syz/C repro" links in the
original report and in the bisection results report.
> So this looks like a failure of your infrastructure.
I agree that the result seems to be unrelated to the original crash.
What is the root cause is a good question. You can see the exact
history of how bisection progressed any why it ended up at the commit
it ended up over the "bisection log" link.
Kernel is unfortunately (or fortunately) is not a single-threaded
deterministic user-space parser library without global state where
everything can be bisected precisely. There is a very long tail of
other problems as well. E.g. the same reproducer triggering multiple
bugs at once, of different bugs at different commit ranges. At the
same time lots of people asked for bisection of bugs. So this is where
we are.
I've started collecting all cases with incorrect bisection results, so
that we can draw broader conclusions later and bucket common root
causes:
https://github.com/google/syzkaller/issues/1051
Added this case too.