stack segment fault in l2cap_chan_put
From: Wei Chen
Date: Sun Oct 30 2022 - 06:20:34 EST
Dear Linux Developer,
Recently, when using our tool to fuzz the kernel, the following crash was triggered:
HEAD commit: 64570fbc14f8 Linux 5.15-rc5
git tree: upstream
compiler: gcc 8.0.1
console output:
https://drive.google.com/file/d/1G71Ww97u1liwpZv8zvSqphYPTtn9HnOO/view?usp=share_link
kernel config: https://drive.google.com/file/d/1uDOeEYgJDcLiSOrx9W8v2bqZ6uOA_55t/view?usp=share_link
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: Wei Chen <harperchen1110@xxxxxxxxx>
stack segment: 0000 [#1] PREEMPT SMP
CPU: 1 PID: 12694 Comm: kworker/1:11 Not tainted 5.15.0-rc5 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.13.0-48-gd9c812dda519-prebuilt.qemu.org 04/01/2014
Workqueue: events l2cap_chan_timeout
RIP: 0010:l2cap_chan_put+0x21/0x160
Code: 5d 41 5c e9 91 0d 04 fd 90 41 54 55 48 89 fd 53 e8 84 0d 04 fd
66 90 e8 7d 0d 04 fd e8 78 0d 04 fd 4c 8d 65 18 bb ff ff ff ff <f0> 0f
c1 5d 18 bf 01 00 00 00 89 de e8 5e 0e 04 fd 83 fb 01 74 55
RSP: 0018:ffffc90000d73dc0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 00000000ffffffff RCX: ffff888111e39b80
RDX: 0000000000000000 RSI: ffff888111e39b80 RDI: 0000000000000002
RBP: dead4ead00000000 R08: ffffffff843965e8 R09: 0000000000000000
R10: 0000000000000007 R11: 0000000000000001 R12: dead4ead00000018
R13: ffff88810d814000 R14: ffff88810d8144b8 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff88813dc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2e423000 CR3: 0000000111e00000 CR4: 00000000003506e0
Call Trace:
l2cap_sock_kill.part.11+0x24/0x110
l2cap_sock_close_cb+0x4e/0x60
l2cap_chan_timeout+0xdc/0x160
process_one_work+0x3fa/0x9f0
worker_thread+0x42/0x5c0
kthread+0x1a6/0x1e0
ret_from_fork+0x1f/0x30
Modules linked in:
---[ end trace 9e8a9c7204ba3d85 ]---
RIP: 0010:l2cap_chan_put+0x21/0x160
Code: 5d 41 5c e9 91 0d 04 fd 90 41 54 55 48 89 fd 53 e8 84 0d 04 fd
66 90 e8 7d 0d 04 fd e8 78 0d 04 fd 4c 8d 65 18 bb ff ff ff ff <f0> 0f
c1 5d 18 bf 01 00 00 00 89 de e8 5e 0e 04 fd 83 fb 01 74 55
RSP: 0018:ffffc90000d73dc0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 00000000ffffffff RCX: ffff888111e39b80
RDX: 0000000000000000 RSI: ffff888111e39b80 RDI: 0000000000000002
RBP: dead4ead00000000 R08: ffffffff843965e8 R09: 0000000000000000
R10: 0000000000000007 R11: 0000000000000001 R12: dead4ead00000018
R13: ffff88810d814000 R14: ffff88810d8144b8 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff88813dc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2e423000 CR3: 0000000012e7a000 CR4: 00000000003506e0
----------------
Code disassembly (best guess):
0: 5d pop %rbp
1: 41 5c pop %r12
3: e9 91 0d 04 fd jmpq 0xfd040d99
8: 90 nop
9: 41 54 push %r12
b: 55 push %rbp
c: 48 89 fd mov %rdi,%rbp
f: 53 push %rbx
10: e8 84 0d 04 fd callq 0xfd040d99
15: 66 90 xchg %ax,%ax
17: e8 7d 0d 04 fd callq 0xfd040d99
1c: e8 78 0d 04 fd callq 0xfd040d99
21: 4c 8d 65 18 lea 0x18(%rbp),%r12
25: bb ff ff ff ff mov $0xffffffff,%ebx
* 2a: f0 0f c1 5d 18 lock xadd %ebx,0x18(%rbp) <-- trapping instruction
2f: bf 01 00 00 00 mov $0x1,%edi
34: 89 de mov %ebx,%esi
36: e8 5e 0e 04 fd callq 0xfd040e99
3b: 83 fb 01 cmp $0x1,%ebx
3e: 74 55 je 0x95
Best,
Wei
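A small triage helper for an oops like the one above, added here as an example and not part of the report or of the kernel tree: it parses the register dump and the "trapping instruction" line, computes the effective address of the faulting memory operand, checks whether that address is canonical, and explains why a non-canonical access through an rBP/rSP base register is reported as "stack segment" (#SS) rather than "general protection" (#GP), which is the x86-64 rule for SS-relative references. The excerpt in OOPS is a constructed subset of the dump quoted above, and the POISON_HINTS table lists two kernel debug constants (SPINLOCK_MAGIC, 0xdead4ead, and the x86-64 POISON_POINTER_DELTA base, 0xdead0000...) used only as a heuristic hint about where a bogus pointer value may have come from.

```python
import re

# Constructed excerpt of the oops quoted in the report: the register dump plus
# the trapping-instruction line from the "Code disassembly" section.
OOPS = """\
RIP: 0010:l2cap_chan_put+0x21/0x160
RSP: 0018:ffffc90000d73dc0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 00000000ffffffff RCX: ffff888111e39b80
RDX: 0000000000000000 RSI: ffff888111e39b80 RDI: 0000000000000002
RBP: dead4ead00000000 R08: ffffffff843965e8 R09: 0000000000000000
R10: 0000000000000007 R11: 0000000000000001 R12: dead4ead00000018
R13: ffff88810d814000 R14: ffff88810d8144b8 R15: 0000000000000000
* 2a: f0 0f c1 5d 18 lock xadd %ebx,0x18(%rbp) <-- trapping instruction
"""

# "RBP: dead4ead00000000", "R08: ...", and "RSP: 0018:ffffc9..." (selector skipped).
REG_RE = re.compile(
    r'\b(R(?:AX|BX|CX|DX|SI|DI|BP|SP|[01][0-9])): (?:[0-9a-f]{4}:)?([0-9a-f]{16})\b')
# AT&T memory operand: disp(base,index,scale); index and scale are optional.
MEM_RE = re.compile(r'(-?0x[0-9a-f]+)?\((%[a-z0-9]+)(?:,(%[a-z0-9]+)(?:,([1248]))?)?\)')

# Heuristic only: top 32 bits of a pointer that match a known kernel debug constant.
POISON_HINTS = {
    0xdead4ead: 'SPINLOCK_MAGIC (spinlock debugging magic)',
    0xdead0000: 'POISON_POINTER_DELTA / LIST_POISON base (x86-64)',
}

# Memory references whose base register is rBP or rSP default to the SS segment;
# a non-canonical address through them raises #SS instead of #GP.
STACK_SEGMENT_BASES = {'rbp', 'rsp', 'ebp', 'esp'}


def parse_registers(oops):
    """Map lowercase register names (rax, rbp, r8, ...) to integer values."""
    regs = {}
    for name, value in REG_RE.findall(oops):
        key = name.lower()
        if key[1:].isdigit():            # R08 -> r8, so it matches the %r8 operand spelling
            key = 'r' + str(int(key[1:]))
        regs[key] = int(value, 16)
    return regs


def parse_trapping_operand(oops):
    """Return (displacement, base, index, scale) of the faulting memory operand."""
    for line in oops.splitlines():
        if 'trapping instruction' in line:
            m = MEM_RE.search(line)
            if not m:
                return None
            disp, base, index, scale = m.groups()
            return (int(disp, 16) if disp else 0,
                    base.lstrip('%'),
                    index.lstrip('%') if index else None,
                    int(scale) if scale else 1)
    return None


def reg_value(regs, name):
    """Resolve a 64-bit or 32-bit register name against the dump."""
    if name.startswith('e') and 'r' + name[1:] in regs:   # %ebp is the low half of %rbp
        return regs['r' + name[1:]] & 0xffffffff
    return regs[name]


def effective_address(regs, operand):
    disp, base, index, scale = operand
    addr = disp + reg_value(regs, base)
    if index:
        addr += reg_value(regs, index) * scale
    return addr & 0xffffffffffffffff


def is_canonical(addr, va_bits=48):
    """Bits 63..va_bits-1 must all equal bit va_bits-1 (sign extension)."""
    top = addr >> (va_bits - 1)
    return top == 0 or top == (1 << (64 - va_bits + 1)) - 1


def classify_fault(operand, addr):
    if is_canonical(addr):
        return 'canonical address: not a canonicality violation'
    base = operand[1]
    if base in STACK_SEGMENT_BASES:
        return 'stack segment (#SS): non-canonical address via SS-relative base %' + base
    return 'general protection (#GP): non-canonical address'


def poison_hint(addr):
    return POISON_HINTS.get(addr >> 32)


def triage(oops):
    regs = parse_registers(oops)
    operand = parse_trapping_operand(oops)
    addr = effective_address(regs, operand)
    return {'operand': operand, 'address': addr, 'canonical': is_canonical(addr),
            'fault': classify_fault(operand, addr), 'poison_hint': poison_hint(addr)}


if __name__ == '__main__':
    for k, v in triage(OOPS).items():
        print(f'{k}: {v:#x}' if isinstance(v, int) and not isinstance(v, bool) else f'{k}: {v}')
```

Run against the excerpt it reports the operand 0x18(%rbp), the address 0xdead4ead00000018, non-canonical, classified as #SS, with the high 32 bits matching SPINLOCK_MAGIC. That address equals the R12 value in the dump, which is what the `lea 0x18(%rbp),%r12` immediately before the trapping `lock xadd` would produce, so the register dump and the disassembly are consistent with each other. The poison hint is a pointer for where to look next, not a root cause.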