general protection fault in floppy_ready
From: Sanan Hasanov
Date: Tue Jan 24 2023 - 11:22:36 EST
Good day, dear maintainers,
We found a bug using a modified kernel configuration file used by syzbot.
We enhanced the coverage of the configuration file using our tool, klocalizer.
Kernel Branch: 6.2.0-rc4-next-20230116
Kernel config: https://drive.google.com/file/d/1aDw7_IXEzr5avqtp-fb6mG199n7gkvy-/view?usp=sharing
Reproducer: https://drive.google.com/file/d/1JTPF8M111AkePf_Hce8dmkAdhjoSRMc-/view?usp=sharing
Thank you!
Best regards,
Sanan Hasanov
current_req=0000000000000000
command_status=-1
floppy0: floppy timeout called
no cont in shutdown!
floppy0: floppy_shutdown: timeout handler died.
general protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]
CPU: 3 PID: 90 Comm: kworker/u16:5 Not tainted 6.2.0-rc4-next-20230116 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Workqueue: floppy floppy_work_workfn
RIP: 0010:floppy_ready+0xbc2/0x1400
Code: 8e e8 12 5a f6 fc f0 80 8b 20 9e 45 8e 10 48 8b 1d 63 51 6f 09 48 b8 00 00 00 00 00 fc ff df 48 8d 7b 18 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 9e 07 00 00 31 ff ff 53 18 48 8b 1d 38 51 6f 09
RSP: 0018:ffffc90000767ca0 EFLAGS: 00010216
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff84d62ace
RDX: 0000000000000003 RSI: 0000000000000008 RDI: 0000000000000018
RBP: 0000000000000000 R08: 0000000000000001 R09: ffffffff8e459e27
R10: fffffbfff1c8b3c4 R11: 0000000000000001 R12: ffffffff8e459e20
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff88811a180000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffc919f1940 CR3: 00000001148af000 CR4: 0000000000350ee0
Call Trace:
<TASK>
seek_interrupt+0x28a/0x2e0
process_one_work+0x9ba/0x1760
worker_thread+0x669/0x1090
kthread+0x2e8/0x3a0
ret_from_fork+0x1f/0x30
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:floppy_ready+0xbc2/0x1400
Code: 8e e8 12 5a f6 fc f0 80 8b 20 9e 45 8e 10 48 8b 1d 63 51 6f 09 48 b8 00 00 00 00 00 fc ff df 48 8d 7b 18 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 9e 07 00 00 31 ff ff 53 18 48 8b 1d 38 51 6f 09
RSP: 0018:ffffc90000767ca0 EFLAGS: 00010216
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff84d62ace
RDX: 0000000000000003 RSI: 0000000000000008 RDI: 0000000000000018
RBP: 0000000000000000 R08: 0000000000000001 R09: ffffffff8e459e27
R10: fffffbfff1c8b3c4 R11: 0000000000000001 R12: ffffffff8e459e20
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff88811a180000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffc919f1940 CR3: 00000001148af000 CR4: 0000000000350ee0
----------------
Code disassembly (best guess):
0: 8e e8 mov %eax,%gs
2: 12 5a f6 adc -0xa(%rdx),%bl
5: fc cld
6: f0 80 8b 20 9e 45 8e lock orb $0x10,-0x71ba61e0(%rbx)
d: 10
e: 48 8b 1d 63 51 6f 09 mov 0x96f5163(%rip),%rbx # 0x96f5178
15: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
1c: fc ff df
1f: 48 8d 7b 18 lea 0x18(%rbx),%rdi
23: 48 89 fa mov %rdi,%rdx
26: 48 c1 ea 03 shr $0x3,%rdx
* 2a: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) <-- trapping instruction
2e: 0f 85 9e 07 00 00 jne 0x7d2
34: 31 ff xor %edi,%edi
36: ff 53 18 call *0x18(%rbx)
39: 48 8b 1d 38 51 6f 09 mov 0x96f5138(%rip),%rbx # 0x96f5178
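The three instructions before the trapping `cmpb` are the inline KASAN shadow probe that guards the `call *0x18(%rbx)` that follows: `movabs` loads the x86_64 shadow offset, `shr $0x3` maps the target address to its shadow byte, and the `cmpb` reads that byte. With RBX=0 the guarded address is 0x18, whose shadow byte sits at the non-canonical address in the oops header. The small decoder below is an added example, not part of the report or of the kernel, that reverses that mapping so a "general protection fault, probably for non-canonical address" can be turned back into the access range KASAN prints; `kasan_decode_gp`, `kasan_probe_for` and the struct/enum names are my own, and the `PAGE_SIZE`/`TASK_SIZE_MAX` thresholds are assumptions for x86_64 that mirror my reading of the classification the kernel's `kasan_non_canonical_hook()` applies.

```c
/* Added example: decode a KASAN shadow-byte #GP back to the original access.
 * Constants are assumptions for x86_64 generic KASAN (4-level paging); the
 * offset and shift are the ones visible in the "Code:" line of the oops. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define KASAN_SHADOW_OFFSET      0xdffffc0000000000ULL  /* movabs in the trace */
#define KASAN_SHADOW_SCALE_SHIFT 3                      /* shr $0x3 in the trace */
#define KASAN_GRANULE_SIZE       (1ULL << KASAN_SHADOW_SCALE_SHIFT)
#define PAGE_SIZE                4096ULL                 /* assumption: x86_64 */
#define TASK_SIZE_MAX            ((1ULL << 47) - PAGE_SIZE) /* assumption: x86_64 */

enum kasan_bug_type {
    KASAN_NOT_SHADOW,       /* fault address is not in the shadow region */
    KASAN_NULL_PTR_DEREF,   /* original access inside the first page */
    KASAN_USER_MEMORY,      /* original access in user space */
    KASAN_WILD_MEMORY       /* original access is a wild kernel pointer */
};

struct kasan_decoded {
    enum kasan_bug_type type;
    uint64_t orig_lo;   /* first byte covered by the faulting shadow byte */
    uint64_t orig_hi;   /* last byte covered (one shadow byte = 8 bytes) */
};

/* Forward map: the address the instrumented access probes before touching
 * memory. This is exactly what lea/shr/add compute in the disassembly. */
static uint64_t kasan_mem_to_shadow(uint64_t addr)
{
    return (addr >> KASAN_SHADOW_SCALE_SHIFT) + KASAN_SHADOW_OFFSET;
}

/* Reverse map with the same bucketing the kernel uses for the
 * "KASAN: <type> in range [lo-hi]" line. */
static struct kasan_decoded kasan_decode_gp(uint64_t fault_addr)
{
    struct kasan_decoded d = { KASAN_NOT_SHADOW, 0, 0 };

    if (fault_addr < KASAN_SHADOW_OFFSET)
        return d;   /* an ordinary #GP, not a shadow probe */

    d.orig_lo = (fault_addr - KASAN_SHADOW_OFFSET) << KASAN_SHADOW_SCALE_SHIFT;
    d.orig_hi = d.orig_lo + KASAN_GRANULE_SIZE - 1;

    if (d.orig_lo < PAGE_SIZE)
        d.type = KASAN_NULL_PTR_DEREF;
    else if (d.orig_lo < TASK_SIZE_MAX)
        d.type = KASAN_USER_MEMORY;
    else
        d.type = KASAN_WILD_MEMORY;
    return d;
}

/* Recompute the trapping cmpb operand from the register dump: the shadow
 * probe for disp(%rbx). With RBX=0 and disp=0x18 this is the header address. */
static uint64_t kasan_probe_for(uint64_t rbx, uint64_t disp)
{
    return kasan_mem_to_shadow(rbx + disp);
}

static const char *kasan_bug_name(enum kasan_bug_type t)
{
    switch (t) {
    case KASAN_NULL_PTR_DEREF: return "null-ptr-deref";
    case KASAN_USER_MEMORY:    return "user-memory-access";
    case KASAN_WILD_MEMORY:    return "wild-memory-access";
    default:                   return "not a KASAN shadow address";
    }
}

int main(void)
{
    /* Values copied from the oops above. */
    uint64_t fault = 0xdffffc0000000003ULL;
    uint64_t rbx = 0, disp = 0x18;
    struct kasan_decoded d = kasan_decode_gp(fault);

    printf("fault 0x%016llx -> %s in range [0x%016llx-0x%016llx]\n",
           (unsigned long long)fault, kasan_bug_name(d.type),
           (unsigned long long)d.orig_lo, (unsigned long long)d.orig_hi);
    printf("shadow probe for 0x%llx(%%rbx=0x%llx) = 0x%016llx\n",
           (unsigned long long)disp, (unsigned long long)rbx,
           (unsigned long long)kasan_probe_for(rbx, disp));
    return 0;
}
```

Two caveats when using this on other reports: the trick only applies to probes of low (NULL or user) addresses, because their shadow lies in the non-canonical hole and raises #GP, whereas the shadow of kernel addresses is mapped and a bad kernel access produces a normal KASAN report instead; and the recovered range is the 8-byte granule covered by one shadow byte, which is why the kernel prints [0x18-0x1f] rather than the single offset.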