Re: found "kernel panic: Couldn't open N_TTY ldisc for ptm0 --- error -12. " with syzkaller

From: Dmitry Vyukov
Date: Tue Jun 06 2017 - 03:02:21 EST


On Tue, Jun 6, 2017 at 8:56 AM, æç <lastingyang@xxxxxxxxx> wrote:
>
> Hello all!
>
> I've got the following error report while fuzzing the kernel with syzkaller.
>
> On commit ba7b2387ad239a519041f2a2d35a1902bdd03dfb (v4.12-rc4).

Hi,

This is a known bug.
See:
https://groups.google.com/forum/#!msg/syzkaller/ty5IhaYWVp8/aTN_hZ8qBQAJ
and this (whole thread):
http://lists-archives.com/linux-kernel/28809064-tty-serial-driver-fixes-for-4-11-rc4.html


> Crashes:
> Description                                                       Count   Last Time                  Report
> kernel panic: Couldn't open N_TTY ldisc for ptm0 --- error -12.   1       Jun 06 2017 13:39:12 CST   has repro
> kernel panic: Couldn't open N_TTY ldisc for ptm1 --- error -12.   3       Jun 06 2017 14:37:30 CST   has repro
>
> ==========================================================================
>
> Syzkaller hit 'kernel panic: Couldn't open N_TTY ldisc for ptm0 --- error -12.' bug on commit .
>
> Kernel panic - not syncing: Couldn't open N_TTY ldisc for ptm0 --- error -12.
> CPU: 0 PID: 6160 Comm: syz-executor3 Not tainted 4.12.0-rc4+ #6
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
> Call Trace:
> __dump_stack lib/dump_stack.c:16 [inline]
> dump_stack+0xdc/0x155 lib/dump_stack.c:52
> panic+0x165/0x327 kernel/panic.c:180
> tty_ldisc_restore drivers/tty/tty_ldisc.c:523 [inline]
> tty_set_ldisc+0x42e/0x480 drivers/tty/tty_ldisc.c:582
> tiocsetd drivers/tty/tty_io.c:2166 [inline]
> tty_ioctl+0x7ff/0x1020 drivers/tty/tty_io.c:2410
> vfs_ioctl fs/ioctl.c:45 [inline]
> do_vfs_ioctl+0x153/0xcc0 fs/ioctl.c:685
> SYSC_ioctl fs/ioctl.c:700 [inline]
> SyS_ioctl+0x8f/0xc0 fs/ioctl.c:691
> entry_SYSCALL_64_fastpath+0x1a/0xa5
> RIP: 0033:0x44fb79
> RSP: 002b:00007f86205dfb58 EFLAGS: 00000212 ORIG_RAX: 0000000000000010
> RAX: ffffffffffffffda RBX: 00000000007080a8 RCX: 000000000044fb79
> RDX: 000000002000cffc RSI: 0000000000005423 RDI: 0000000000000005
> RBP: 0000000000000450 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000212 R12: ffffffffffffffff
> R13: 0000000000000005 R14: 0000000000080000 R15: 0000000000000000
> Dumping ftrace buffer:
> (ftrace buffer empty)
> Kernel Offset: disabled
> Rebooting in 86400 seconds..
>
>
> Syzkaller reproducer:
> # {Threaded:true Collide:false Repeat:true Procs:4 Sandbox:setuid Repro:false}
> mmap(&(0x7f0000000000/0xe000)=nil, (0xe000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
> r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000002000-0xa)="2f6465762f70746d7800", 0x0, 0x0)
> ioctl$TIOCSSOFTCAR(r0, 0x541a, &(0x7f000000a000)=0x1)
> getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f000000b000-0xc)={0x0, 0x0, 0x0}, &(0x7f0000000000)=0xc)
> ioctl$TIOCSETD(r0, 0x5423, &(0x7f000000d000-0x4)=0x2)
>
> ==========================================================================
>
> Syzkaller hit 'kernel panic: Couldn't open N_TTY ldisc for ptm1 --- error -12.' bug on commit .
>
> Kernel panic - not syncing: Couldn't open N_TTY ldisc for ptm1 --- error -12.
> CPU: 3 PID: 15596 Comm: syz-executor2 Not tainted 4.12.0-rc4+ #6
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
> Call Trace:
> __dump_stack lib/dump_stack.c:16 [inline]
> dump_stack+0xdc/0x155 lib/dump_stack.c:52
> panic+0x165/0x327 kernel/panic.c:180
> tty_ldisc_restore drivers/tty/tty_ldisc.c:523 [inline]
> tty_set_ldisc+0x42e/0x480 drivers/tty/tty_ldisc.c:582
> tiocsetd drivers/tty/tty_io.c:2166 [inline]
> tty_ioctl+0x7ff/0x1020 drivers/tty/tty_io.c:2410
> vfs_ioctl fs/ioctl.c:45 [inline]
> do_vfs_ioctl+0x153/0xcc0 fs/ioctl.c:685
> SYSC_ioctl fs/ioctl.c:700 [inline]
> SyS_ioctl+0x8f/0xc0 fs/ioctl.c:691
> entry_SYSCALL_64_fastpath+0x1a/0xa5
> RIP: 0033:0x44fb79
> RSP: 002b:00007fa8f34d3b58 EFLAGS: 00000212 ORIG_RAX: 0000000000000010
> RAX: ffffffffffffffda RBX: 00007fa8f34d4700 RCX: 000000000044fb79
> RDX: 000000002000cffc RSI: 0000000000005423 RDI: 0000000000000019
> RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000212 R12: 0000000000000000
> R13: 00007ffcdd5dd48f R14: 00007fa8f34d49c0 R15: 0000000000000000
> Dumping ftrace buffer:
> (ftrace buffer empty)
> Kernel Offset: disabled
> Rebooting in 86400 seconds..
>
>
> Syzkaller reproducer:
> # {Threaded:true Collide:true Repeat:true Procs:1 Sandbox:setuid Repro:false}
> mmap(&(0x7f0000000000/0xe000)=nil, (0xe000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
> r0 = creat(&(0x7f0000001000)="2e2f66696c653000", 0x10)
> msync(&(0x7f0000004000/0x1000)=nil, (0x1000), 0x1)
> pipe2(&(0x7f0000000000)={<r1=>0xffffffffffffffff, 0xffffffffffffffff}, 0x80000)
> ioctl$TIOCGETD(r1, 0x5424, &(0x7f0000001000-0x4)=0x0)
> getegid()
> splice(r1, 0x0, r0, 0x0, 0x6, 0x3)
> setsockopt$SCTP_I_WANT_MAPPED_V4_ADDR(r0, 0x84, 0xc, &(0x7f0000004000)=0x80000000, 0x4)
> r2 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000002000-0xa)="2f6465762f70746d7800", 0x0, 0x0)
> ioctl$TCSETAW(r2, 0x5402, &(0x7f0000008000)={0x0, 0x0, 0x0, 0x0, 0x0, 0xff, 0x0, 0x0, 0x7, 0x3})
> openat$mixer(0xffffffffffffff9c, &(0x7f000000b000-0xb)="2f6465762f6d6978657200", 0x1, 0x0)
> ioctl$TCXONC(r2, 0x540a, 0x6)
> capget(&(0x7f000000c000-0x8)={0x19980330, 0x0}, &(0x7f000000c000-0x18)={0xa, 0x7fff, 0xffffffffffffffc1, 0x10000, 0x9, 0x6})
> ioctl$TIOCSETD(r2, 0x5423, &(0x7f000000d000-0x4)=0x2)
>
> ==========================================================================
>