Re: general protection fault in crypto_remove_spawns (2)
On Sun, Jan 13, 2019 at 11:19:03PM -0800, syzbot wrote:
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit:    4b3c31c8d4dd Merge branch 'i2c/for-current' of git://git.k..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=144cb81740
> kernel config:  https://syzkaller.appspot.com/x/.config?x=b05cfdb4ee8ab9b2
> dashboard link: https://syzkaller.appspot.com/bug?extid=ee4f315443a4ea97512e
> compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
>
> Unfortunately, I don't have any reproducer for this crash yet.
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+ee4f315443a4ea975...@syzkaller.appspotmail.com
>
> binder: 18706:18709 ioctl 40046207 0 returned -16
> kasan: GPF could be caused by NULL-ptr deref or user memory access
> general protection fault: [#1] PREEMPT SMP KASAN
> CPU: 1 PID: 18713 Comm: cryptomgr_test Not tainted 5.0.0-rc1+ #21
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> RIP: 0010:crypto_remove_spawns+0x7ac/0x1340 crypto/algapi.c:194
> Code: 49 8d 7c 24 10 48 89 f8 48 c1 e8 03 80 3c 18 00 0f 85 f2 06 00 00 49 c7 44 24 10 00 00 00 00 4d 8d 66 10 4c 89 e0 48 c1 e8 03 <80> 3c 18 00 0f 85 ef 06 00 00 49 83 7e 10 00 74 0a e8 4e 9e 24 fe
> RSP: :888054737b88 EFLAGS: 00010202
> RAX: 0002 RBX: dc00 RCX: 11100a8e6f86
> RDX: RSI: 835d58d2 RDI: 888085c226b8
> RBP: 888054737df8 R08: 88804fb4e4c0 R09: 88804fb4ed60
> R10: 88804fb4ed40 R11: 0001 R12: 0010
> R13: ed100a8e6f8e R14: R15: 888054737dd0
> FS: () GS:8880ae70() knlGS:
> CS: 0010 DS: ES: CR0: 80050033
> CR2: 7f6091a29000 CR3: 876f9000 CR4: 001406e0
> kobject: 'loop2' (d1d42c09): kobject_uevent_env
> DR0: DR1: DR2:
> DR3: DR6: fffe0ff0 DR7: 0400
> Call Trace:
> kobject: 'loop2' (d1d42c09): fill_kobj_path: path = '/devices/virtual/block/loop2'
>  crypto_alg_tested+0x52d/0x790 crypto/algapi.c:339
>  cryptomgr_test+0x18/0x30 crypto/algboss.c:226
>  kthread+0x357/0x430 kernel/kthread.c:246
> binder: BINDER_SET_CONTEXT_MGR already set
>  ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352
> Modules linked in:
> kobject: 'loop3' (91226001): kobject_uevent_env
> binder: 18723:18724 ioctl 40046207 0 returned -16
> kobject: 'loop3' (91226001): fill_kobj_path: path = '/devices/virtual/block/loop3'
> kobject: 'loop5' (38d1e891): kobject_uevent_env
> kobject: 'loop5' (38d1e891): fill_kobj_path: path = '/devices/virtual/block/loop5'
> kobject: 'loop1' (47f20675): kobject_uevent_env
> kobject: 'loop1' (47f20675): fill_kobj_path: path = '/devices/virtual/block/loop1'
> kobject: 'loop0' (f3ca3d42): kobject_uevent_env
> kobject: 'loop0' (f3ca3d42): fill_kobj_path: path = '/devices/virtual/block/loop0'
> kobject: 'loop5' (38d1e891): kobject_uevent_env
> kobject: 'loop5' (38d1e891): fill_kobj_path: path = '/devices/virtual/block/loop5'
> kobject: 'loop1' (47f20675): kobject_uevent_env
> kobject: 'loop1' (47f20675): fill_kobj_path: path = '/devices/virtual/block/loop1'
> kobject: 'loop2' (d1d42c09): kobject_uevent_env
> kobject: 'loop2' (d1d42c09): fill_kobj_path: path = '/devices/virtual/block/loop2'
> ---[ end trace d2934b3fdb1c156e ]---
> RIP: 0010:crypto_remove_spawns+0x7ac/0x1340 crypto/algapi.c:194
> Code: 49 8d 7c 24 10 48 89 f8 48 c1 e8 03 80 3c 18 00 0f 85 f2 06 00 00 49 c7 44 24 10 00 00 00 00 4d 8d 66 10 4c 89 e0 48 c1 e8 03 <80> 3c 18 00 0f 85 ef 06 00 00 49 83 7e 10 00 74 0a e8 4e 9e 24 fe
> RSP: :888054737b88 EFLAGS: 00010202
> RAX: 0002 RBX: dc00 RCX: 11100a8e6f86
> RDX: RSI: 835d58d2 RDI: 888085c226b8
> RBP: 888054737df8 R08: 88804fb4e4c0 R09: 88804fb4ed60
> R10: 88804fb4ed40 R11: 0001 R12: 0010
> R13: ed100a8e6f8e R14: R15: 888054737dd0
> FS: () GS:8880ae70() knlGS:
> CS: 0010 DS: ES: CR0: 80050033
> CR2: 0110cfd0 CR3: 94f35000 CR4: 001406e0
> DR0: DR1: DR2:
> DR3: DR6: fffe0ff0 DR7: 0400
>
>
> ---
> This bug is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkal...@googlegroups.com.
>
> syzbot will keep track of this bug report. See:
> https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
> syzbot.

This may be the
general protection fault in crypto_remove_spawns (2)
Hello,

syzbot found the following crash on:

HEAD commit:    4b3c31c8d4dd Merge branch 'i2c/for-current' of git://git.k..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=144cb81740
kernel config:  https://syzkaller.appspot.com/x/.config?x=b05cfdb4ee8ab9b2
dashboard link: https://syzkaller.appspot.com/bug?extid=ee4f315443a4ea97512e
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+ee4f315443a4ea975...@syzkaller.appspotmail.com

binder: 18706:18709 ioctl 40046207 0 returned -16
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: [#1] PREEMPT SMP KASAN
CPU: 1 PID: 18713 Comm: cryptomgr_test Not tainted 5.0.0-rc1+ #21
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:crypto_remove_spawns+0x7ac/0x1340 crypto/algapi.c:194
Code: 49 8d 7c 24 10 48 89 f8 48 c1 e8 03 80 3c 18 00 0f 85 f2 06 00 00 49 c7 44 24 10 00 00 00 00 4d 8d 66 10 4c 89 e0 48 c1 e8 03 <80> 3c 18 00 0f 85 ef 06 00 00 49 83 7e 10 00 74 0a e8 4e 9e 24 fe
RSP: :888054737b88 EFLAGS: 00010202
RAX: 0002 RBX: dc00 RCX: 11100a8e6f86
RDX: RSI: 835d58d2 RDI: 888085c226b8
RBP: 888054737df8 R08: 88804fb4e4c0 R09: 88804fb4ed60
R10: 88804fb4ed40 R11: 0001 R12: 0010
R13: ed100a8e6f8e R14: R15: 888054737dd0
FS: () GS:8880ae70() knlGS:
CS: 0010 DS: ES: CR0: 80050033
CR2: 7f6091a29000 CR3: 876f9000 CR4: 001406e0
kobject: 'loop2' (d1d42c09): kobject_uevent_env
DR0: DR1: DR2:
DR3: DR6: fffe0ff0 DR7: 0400
Call Trace:
kobject: 'loop2' (d1d42c09): fill_kobj_path: path = '/devices/virtual/block/loop2'
 crypto_alg_tested+0x52d/0x790 crypto/algapi.c:339
 cryptomgr_test+0x18/0x30 crypto/algboss.c:226
 kthread+0x357/0x430 kernel/kthread.c:246
binder: BINDER_SET_CONTEXT_MGR already set
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352
Modules linked in:
kobject: 'loop3' (91226001): kobject_uevent_env
binder: 18723:18724 ioctl 40046207 0 returned -16
kobject: 'loop3' (91226001): fill_kobj_path: path = '/devices/virtual/block/loop3'
kobject: 'loop5' (38d1e891): kobject_uevent_env
kobject: 'loop5' (38d1e891): fill_kobj_path: path = '/devices/virtual/block/loop5'
kobject: 'loop1' (47f20675): kobject_uevent_env
kobject: 'loop1' (47f20675): fill_kobj_path: path = '/devices/virtual/block/loop1'
kobject: 'loop0' (f3ca3d42): kobject_uevent_env
kobject: 'loop0' (f3ca3d42): fill_kobj_path: path = '/devices/virtual/block/loop0'
kobject: 'loop5' (38d1e891): kobject_uevent_env
kobject: 'loop5' (38d1e891): fill_kobj_path: path = '/devices/virtual/block/loop5'
kobject: 'loop1' (47f20675): kobject_uevent_env
kobject: 'loop1' (47f20675): fill_kobj_path: path = '/devices/virtual/block/loop1'
kobject: 'loop2' (d1d42c09): kobject_uevent_env
kobject: 'loop2' (d1d42c09): fill_kobj_path: path = '/devices/virtual/block/loop2'
---[ end trace d2934b3fdb1c156e ]---
RIP: 0010:crypto_remove_spawns+0x7ac/0x1340 crypto/algapi.c:194
Code: 49 8d 7c 24 10 48 89 f8 48 c1 e8 03 80 3c 18 00 0f 85 f2 06 00 00 49 c7 44 24 10 00 00 00 00 4d 8d 66 10 4c 89 e0 48 c1 e8 03 <80> 3c 18 00 0f 85 ef 06 00 00 49 83 7e 10 00 74 0a e8 4e 9e 24 fe
RSP: :888054737b88 EFLAGS: 00010202
RAX: 0002 RBX: dc00 RCX: 11100a8e6f86
RDX: RSI: 835d58d2 RDI: 888085c226b8
RBP: 888054737df8 R08: 88804fb4e4c0 R09: 88804fb4ed60
R10: 88804fb4ed40 R11: 0001 R12: 0010
R13: ed100a8e6f8e R14: R15: 888054737dd0
FS: () GS:8880ae70() knlGS:
CS: 0010 DS: ES: CR0: 80050033
CR2: 0110cfd0 CR3: 94f35000 CR4: 001406e0
DR0: DR1: DR2:
DR3: DR6: fffe0ff0 DR7: 0400


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
syzbot.
Re: general protection fault in crypto_remove_spawns
On Mon, Nov 27, 2017 at 10:56:46AM -0800, syzbot wrote:
> Hello,
>
> syzkaller hit the following crash on
> 1ea8d039f9edcfefb20d8ddfe136930f6e551529
> git://git.cmpxchg.org/linux-mmots.git/master
> compiler: gcc (GCC) 7.1.1 20170620
> .config is attached
> Raw console output is attached.
> C reproducer is attached
> syzkaller reproducer is attached. See https://goo.gl/kgGztJ
> for information about syzkaller reproducers
>
>
> kasan: CONFIG_KASAN_INLINE enabled
> kasan: GPF could be caused by NULL-ptr deref or user memory access
> general protection fault: [#1] SMP KASAN
> Dumping ftrace buffer:
>    (ftrace buffer empty)
> Modules linked in:
> CPU: 0 PID: 25985 Comm: cryptomgr_test Not tainted 4.14.0-mm1+ #25
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> task: 8801c4562180 task.stack: 8801d5b7
> RIP: 0010:crypto_remove_spawns+0x58c/0x1260 crypto/algapi.c:159
> RSP: 0018:8801d5b779e8 EFLAGS: 00010206
> RAX: 0003 RBX: dc00 RCX: 82258aab
> RDX: RSI: 11003ab6efa6 RDI: 0018
> RBP: 8801d5b77dd8 R08: 8801d5b77d70 R09: 0004
> R10: R11: 8747dda0 R12:
> R13: 8801c505bb60 R14: ed003ab6ef4e R15: 8801d5b77db0
> FS: () GS:8801db40() knlGS:
> CS: 0010 DS: ES: CR0: 80050033
> CR2: 7fff1d3ffcac CR3: 0001cf825000 CR4: 001406f0
> DR0: DR1: DR2:
> DR3: DR6: fffe0ff0 DR7: 0400
> Call Trace:
>  crypto_alg_tested+0x514/0x6f0 crypto/algapi.c:311
>  cryptomgr_test+0x17/0x30 crypto/algboss.c:226
>  kthread+0x37a/0x440 kernel/kthread.c:238
>  ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:437
> Code: 84 e3 01 00 00 e8 35 94 4a ff 4c 89 e8 48 c1 e8 03 80 3c 18 00 0f 85 d8 09 00 00 4d 8b 65 00 49 8d 7c 24 18 48 89 f8 48 c1 e8 03 <80> 3c 18 00 0f 85 b4 09 00 00 4d 8b 6c 24 18 4c 3b ad 50 fc ff
> RIP: crypto_remove_spawns+0x58c/0x1260 crypto/algapi.c:159 RSP: 8801d5b779e8
> ---[ end trace 14ce8f86fe2873b1 ]---
> Kernel panic - not syncing: Fatal exception
> Dumping ftrace buffer:
>    (ftrace buffer empty)
> Kernel Offset: disabled
> Rebooting in 86400 seconds..

Fix for the actual crash now is in Linus' tree:

#syz fix: crypto: algapi - fix NULL dereference in crypto_remove_spawns()
Re: general protection fault in crypto_remove_spawns
On Monday, 27 November 2017, 19:56:46 CET, syzbot wrote:

Hi Herbert,

The issue seems to trigger a bug whose results we have seen before. When starting the reproducer and stopping it shortly thereafter, I see numerous identical entries in /proc/crypto:

name         : cmac(des3_ede)
driver       : cmac(des3_ede-asm)
module       : kernel
priority     : 200
refcnt       : 1
selftest     : passed
internal     : no
type         : shash
blocksize    : 8
digestsize   : 8

name         : cmac(des3_ede)
driver       : cmac(des3_ede-asm)
module       : kernel
priority     : 200
refcnt       : 1
selftest     : passed
internal     : no
type         : shash
blocksize    : 8
digestsize   : 8

name         : cmac(des3_ede)
driver       : cmac(des3_ede-asm)
module       : kernel
priority     : 200
refcnt       : 1
selftest     : passed
internal     : no
type         : shash
blocksize    : 8
digestsize   : 8

...

And this list keeps on growing without end:

# ./repro
# less /proc/crypto | wc
   9559   26456  188754
# ./repro
# less /proc/crypto | wc
  11440   31586  226032

At one point in time I think the system simply has too many entries.

Ciao
Stephan
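A small check for the symptom Stephan describes, added here as an example and not part of the thread: it parses /proc/crypto's "key : value" record format and reports any (name, driver) pair that appears more than once, which is what an algorithm instance registered repeatedly and never removed looks like from userspace. The /proc/crypto text below is constructed for the example; on a live system the same functions can be run on the real file.

```python
from collections import Counter

# Constructed /proc/crypto excerpt ("key : value" lines, blank line between
# records). The cmac(des3_ede) record is repeated three times to mirror the
# duplicated entries Stephan observed; sha256-generic is a normal single
# entry for contrast. Values are illustrative, not copied from a live box.
CMAC_RECORD = """\
name         : cmac(des3_ede)
driver       : cmac(des3_ede-asm)
module       : kernel
priority     : 200
refcnt       : 1
selftest     : passed
internal     : no
type         : shash
blocksize    : 8
digestsize   : 8"""
SHA256_RECORD = """\
name         : sha256
driver       : sha256-generic
module       : kernel
priority     : 100
refcnt       : 1
type         : shash"""
SAMPLE_PROC_CRYPTO = "\n\n".join([CMAC_RECORD] * 3 + [SHA256_RECORD]) + "\n"

def parse_proc_crypto(text):
    """Return one dict per record; a blank line closes the current record."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records

def duplicate_drivers(records):
    """Map (name, driver) -> count for pairs registered more than once."""
    counts = Counter((r.get("name"), r.get("driver")) for r in records)
    return {pair: n for pair, n in counts.items() if n > 1}

if __name__ == "__main__":
    # Replace SAMPLE_PROC_CRYPTO with open("/proc/crypto").read() on a live system.
    for (name, driver), n in duplicate_drivers(parse_proc_crypto(SAMPLE_PROC_CRYPTO)).items():
        print(f"{n} registrations of {name} via {driver}")
```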