WARNING in __floppy_read_block_0

From: Sanan Hasanov
Date: Thu Sep 07 2023 - 17:21:27 EST


Good day, dear maintainers,

We found a bug using a modified kernel configuration file used by syzbot.

We enhanced the coverage of the configuration file using our tool, klocalizer.

Kernel Branch: 6.3.0-next-20230505
Kernel Config: https://drive.google.com/file/d/1CWOQciTTXKzVb4DgU4k4_8G_EBnsj5e_/view?usp=sharing
Reproducer: https://drive.google.com/file/d/1URA2qDJHiSLilF49m9XAutOZCd3CNg52/view?usp=sharing

Thank you!

Best regards,
Sanan Hasanov

current_req=0000000000000000
command_status=-1
floppy0: floppy timeout called
no cont in shutdown!
------------[ cut here ]------------
WARNING: CPU: 3 PID: 17310 at drivers/block/floppy.c:999 schedule_bh drivers/block/floppy.c:999 [inline]
WARNING: CPU: 3 PID: 17310 at drivers/block/floppy.c:999 process_fd_request drivers/block/floppy.c:2847 [inline]
WARNING: CPU: 3 PID: 17310 at drivers/block/floppy.c:999 __floppy_read_block_0.isra.0+0x28b/0x320 drivers/block/floppy.c:4160
Modules linked in:
CPU: 3 PID: 17310 Comm: syz-executor.2 Not tainted 6.3.0-next-20230505 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:schedule_bh drivers/block/floppy.c:999 [inline]
RIP: 0010:process_fd_request drivers/block/floppy.c:2847 [inline]
RIP: 0010:__floppy_read_block_0.isra.0+0x28b/0x320 drivers/block/floppy.c:4160
Code: 65 48 2b 04 25 28 00 00 00 0f 85 a4 00 00 00 48 81 c4 88 01 00 00 5b 41 5c 41 5d 41 5e 41 5f 5d e9 6e 3b 16 04 e8 b5 f3 c2 fc <0f> 0b e9 65 ff ff ff e8 c9 5c 17 fd e9 8a fe ff ff e8 9f f3 c2 fc
RSP: 0018:ffff88806c9ff690 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffff88806c9ff818 RCX: 0000000000000000
floppy0: floppy_shutdown: timeout handler died.
RDX: ffff88806d252040 RSI: ffffffff84cac7db RDI: ffffffff84cac73e
RBP: ffff88806c9ff840 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000001 R12: ffffea0001b1b740
R13: 0000000000000001 R14: 1ffff1100d93fed3 R15: dffffc0000000000
FS: 00007f57dfc11700(0000) GS:ffff888119f80000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f7a805bd0b0 CR3: 00000001178e4000 CR4: 0000000000350ee0
Call Trace:
<TASK>
floppy_revalidate.isra.0+0x80c/0xc10 drivers/block/floppy.c:4206
floppy_open+0xadc/0xe90 drivers/block/floppy.c:4058
blkdev_get_whole+0x9b/0x2d0 block/bdev.c:606
blkdev_get_by_dev.part.0+0x5da/0xbb0 block/bdev.c:756
blkdev_get_by_dev+0x7d/0x90 block/bdev.c:790
blkdev_open+0x14a/0x2e0 block/fops.c:493
do_dentry_open+0x683/0x1270 fs/open.c:920
vfs_open+0xa4/0xe0 fs/open.c:1051
do_open fs/namei.c:3636 [inline]
path_openat+0x1d5c/0x2950 fs/namei.c:3791
do_filp_open+0x1c9/0x420 fs/namei.c:3818
do_sys_openat2+0x17c/0x540 fs/open.c:1356
do_sys_open fs/open.c:1372 [inline]
__do_sys_openat fs/open.c:1388 [inline]
__se_sys_openat fs/open.c:1383 [inline]
__x64_sys_openat+0x175/0x240 fs/open.c:1383
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3f/0x90 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x72/0xdc
RIP: 0033:0x7f57dea3dca4
Code: 24 20 eb 8f 66 90 44 89 54 24 0c e8 86 f9 ff ff 44 8b 54 24 0c 44 89 e2 48 89 ee 41 89 c0 bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 77 32 44 89 c7 89 44 24 0c e8 b8 f9 ff ff 8b 44
RSP: 002b:00007f57dfc10720 EFLAGS: 00000293 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 6666666666666667 RCX: 00007f57dea3dca4
RDX: 0000000000000000 RSI: 00007f57dfc107c0 RDI: 00000000ffffff9c
RBP: 00007f57dfc107c0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000
R13: 00007ffdd213b57f R14: 00007ffdd213b720 R15: 00007f57dfc10d80
</TASK>
irq event stamp: 889
hardirqs last enabled at (899): [<ffffffff816ff504>] __up_console_sem+0xf4/0x180 kernel/printk/printk.c:347
hardirqs last disabled at (908): [<ffffffff816ff4e9>] __up_console_sem+0xd9/0x180 kernel/printk/printk.c:345
softirqs last enabled at (298): [<ffffffff8154f646>] invoke_softirq kernel/softirq.c:445 [inline]
softirqs last enabled at (298): [<ffffffff8154f646>] __irq_exit_rcu+0x196/0x230 kernel/softirq.c:650
softirqs last disabled at (193): [<ffffffff8154f646>] invoke_softirq kernel/softirq.c:445 [inline]
softirqs last disabled at (193): [<ffffffff8154f646>] __irq_exit_rcu+0x196/0x230 kernel/softirq.c:650
---[ end trace 0000000000000000 ]---

floppy driver state
-------------------
------------[ cut here ]------------
now=4294973631 last interrupt=4294973631 diff=0 last called handler=reset_interrupt
WARNING: CPU: 2 PID: 5690 at drivers/block/floppy.c:999 schedule_bh drivers/block/floppy.c:999 [inline]
WARNING: CPU: 2 PID: 5690 at drivers/block/floppy.c:999 floppy_interrupt+0x46e/0x4e0 drivers/block/floppy.c:1765
timeout_message=redo fd request
Modules linked in:
CPU: 2 PID: 5690 Comm: syz-executor.4 Tainted: G W 6.3.0-next-20230505 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:schedule_bh drivers/block/floppy.c:999 [inline]
RIP: 0010:floppy_interrupt+0x46e/0x4e0 drivers/block/floppy.c:1765
Code: ff e8 76 45 c3 fc 44 89 e7 31 db e8 3c 92 ff ff 41 89 c4 89 05 93 90 10 0a eb 94 e8 6c af 17 fd e9 cc fc ff ff e8 52 45 c3 fc <0f> 0b e9 a4 fe ff ff 48 c7 c7 00 f2 c0 8a e8 ef ae 17 fd e9 bd fb
RSP: 0018:ffff888119f09e38 EFLAGS: 00010046
RAX: 0000000080010001 RBX: 0000000000000001 RCX: 0000000000000000
RDX: ffff88810d818300 RSI: ffffffff84ca763e RDI: ffffffff84ca74e1
RBP: ffff888119f09e60 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000002
R13: 0000000000000000 R14: ffffffff84ca0b50 R15: 0000000000000000
FS: 000055555577b980(0000) GS:ffff888119f00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f410fd88d78 CR3: 000000010ca57000 CR4: 0000000000350ee0
Call Trace:
<IRQ>
floppy_hardint+0x1b1/0x200 arch/x86/include/asm/floppy.h:66
__handle_irq_event_percpu+0x239/0x840 kernel/irq/handle.c:158
handle_irq_event_percpu kernel/irq/handle.c:193 [inline]
handle_irq_event+0xb1/0x1f0 kernel/irq/handle.c:210
handle_edge_irq+0x268/0xd30 kernel/irq/chip.c:819
last output bytes:
generic_handle_irq_desc include/linux/irqdesc.h:158 [inline]
handle_irq arch/x86/kernel/irq.c:231 [inline]
__common_interrupt+0xac/0x240 arch/x86/kernel/irq.c:250
8 80 4294973607
common_interrupt+0xb6/0xe0 arch/x86/kernel/irq.c:240
8 80 4294973607
</IRQ>
8 80 4294973607
<TASK>
asm_common_interrupt+0x2b/0x40 arch/x86/include/asm/idtentry.h:636
8 80 4294973607
RIP: 0010:arch_local_irq_enable arch/x86/include/asm/paravirt.h:701 [inline]
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/irqflags.h:135 [inline]
RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:151 [inline]
RIP: 0010:_raw_spin_unlock_irqrestore+0x79/0xa0 kernel/locking/spinlock.c:194
8 80 4294973612
Code: c7 c0 a0 c3 e1 8a 48 ba 00 00 00 00 00 fc ff df 48 c1 e8 03 80 3c 10 00 75 1b 48 83 3d df fc 00 02 00 74 08 fb 0f 1f 44 00 00 <eb> b0 0f 0b e8 1e cc 1f f8 eb bc 48 c7 c7 a0 c3 e1 8a e8 60 5e 01
RSP: 0018:ffff88811237fbd0 EFLAGS: 00000282
RAX: 1ffffffff15c3874 RBX: 0000000000000286 RCX: 1ffffffff193c081
RDX: dffffc0000000000 RSI: 0000000000000001 RDI: 0000000000000000
8 80 4294973612
RBP: ffff88811237fbe0 R08: 0000000000000001 R09: 0000000000000001
8 80 4294973612
R10: fffffbfff193c6e2 R11: 0000000000000001 R12: ffff8881079096e0
8 80 4294973612
R13: 0000000000000286 R14: ffff88811237fd18 R15: ffff88811237fd20
8 80 4294973617
spin_unlock_irqrestore include/linux/spinlock.h:405 [inline]
remove_wait_queue+0x113/0x1a0 kernel/sched/wait.c:56
8 80 4294973617
8 80 4294973617
do_wait+0x68c/0xc40 kernel/exit.c:1639
8 80 4294973617
kernel_wait4+0x175/0x290 kernel/exit.c:1777
8 80 4294973622
8 80 4294973622
8 80 4294973622
8 80 4294973622
8 80 4294973631
__do_sys_wait4+0x14b/0x160 kernel/exit.c:1805
8 80 4294973631
8 80 4294973631
8 80 4294973631
last result at 4294973631
last redo_fd_request at 4294973631
c3 00 ..
status=80
fdc_busy=1
__se_sys_wait4 kernel/exit.c:1801 [inline]
__x64_sys_wait4+0x9a/0x100 kernel/exit.c:1801
floppy_work.func=floppy_work_workfn
cont=000000001716a029
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3f/0x90 arch/x86/entry/common.c:80
current_req=00000000c74d3a02
entry_SYSCALL_64_after_hwframe+0x72/0xdc
command_status=-1
RIP: 0033:0x7fd7eb28c8bf

Code: 89 7c 24 10 48 89 4c 24 18 e8 dd d9 02 00 4c 8b 54 24 18 8b 54 24 14 41 89 c0 48 8b 74 24 08 8b 7c 24 10 b8 3d 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2b 44 89 c7 89 44 24 10 e8 0d da 02 00 8b 44
floppy0: floppy timeout called
RSP: 002b:00007ffcf66bb8e0 EFLAGS: 00000293
floppy: error 10 while reading block 0
ORIG_RAX: 000000000000003d
RAX: ffffffffffffffda RBX: 0000000000000110 RCX: 00007fd7eb28c8bf
RDX: 0000000040000001 RSI: 00007ffcf66bb95c RDI: 00000000ffffffff
RBP: 0000000000000bb8 R08: 0000000000000000 R09: 0000000000000001
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000058d8f
R13: 0000000000000001 R14: 00007ffcf66bb95c R15: 0000000000000032
</TASK>
irq event stamp: 1130498
hardirqs last enabled at (1130497): [<ffffffff88e0c69e>] __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:151 [inline]
hardirqs last enabled at (1130497): [<ffffffff88e0c69e>] _raw_spin_unlock_irqrestore+0x4e/0xa0 kernel/locking/spinlock.c:194
hardirqs last disabled at (1130498): [<ffffffff88de310a>] common_interrupt+0x1a/0xe0 arch/x86/kernel/irq.c:240
softirqs last enabled at (1129182): [<ffffffff8136dda8>] fpu_clone+0x368/0xc30 arch/x86/kernel/fpu/core.c:630
softirqs last disabled at (1129180): [<ffffffff8136dd42>] fpu_clone+0x302/0xc30 arch/x86/kernel/fpu/core.c:611
---[ end trace 0000000000000000 ]---
floppy0: no autodetectable formats
floppy: error 10 while reading block 0
general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN
kobject: 'loop2' (00000000bf49ae8f): kobject_uevent_env
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
kobject: 'loop2' (00000000bf49ae8f): fill_kobj_path: path = '/devices/virtual/block/loop2'
CPU: 7 PID: 87 Comm: kworker/u16:3 Tainted: G W 6.3.0-next-20230505 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Workqueue: floppy floppy_work_workfn
RIP: 0010:reset_interrupt+0xfb/0x240 drivers/block/floppy.c:1792
Code: fc 84 db 0f 85 8f 00 00 00 e8 61 af c3 fc 48 8b 1d 2a d2 10 0a 48 b8 00 00 00 00 00 fc ff df 48 8d 7b 08 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 0b 01 00 00 48 8b 43 08 e8 82 f0 16 04 48 8b 5d
RSP: 0018:ffff8881020dfce0 EFLAGS: 00010212
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000001 RSI: ffffffff84ca0c2f RDI: 0000000000000008
RBP: ffff8881020dfce8 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: ffffffff8bb2e200
R13: ffff8881020dfda0 R14: ffff8881014efe00 R15: ffff888100079000
FS: 0000000000000000(0000) GS:ffff88811a180000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f57dea61c40 CR3: 000000010db84000 CR4: 0000000000350ee0
Call Trace:
<TASK>
floppy_work_workfn+0x19/0x20 drivers/block/floppy.c:992
process_one_work+0x9f4/0x16d0 kernel/workqueue.c:2405
kobject: 'loop5' (000000007e339653): kobject_uevent_env
kobject: 'loop5' (000000007e339653): fill_kobj_path: path = '/devices/virtual/block/loop5'
worker_thread+0x68e/0x10f0 kernel/workqueue.c:2552
kthread+0x359/0x460 kernel/kthread.c:379
ret_from_fork+0x2c/0x50 arch/x86/entry/entry_64.S:308
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:reset_interrupt+0xfb/0x240 drivers/block/floppy.c:1792
Code: fc 84 db 0f 85 8f 00 00 00 e8 61 af c3 fc 48 8b 1d 2a d2 10 0a 48 b8 00 00 00 00 00 fc ff df 48 8d 7b 08 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 0b 01 00 00 48 8b 43 08 e8 82 f0 16 04 48 8b 5d
RSP: 0018:ffff8881020dfce0 EFLAGS: 00010212
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000001 RSI: ffffffff84ca0c2f RDI: 0000000000000008
RBP: ffff8881020dfce8 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: ffffffff8bb2e200
R13: ffff8881020dfda0 R14: ffff8881014efe00 R15: ffff888100079000
FS: 0000000000000000(0000) GS:ffff88811a180000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f57dea61c40 CR3: 000000010db84000 CR4: 0000000000350ee0
----------------
Code disassembly (best guess):
   0:  c7 c0 a0 c3 e1 8a     mov    $0x8ae1c3a0,%eax
   6:  48 ba 00 00 00 00 00  movabs $0xdffffc0000000000,%rdx
   d:  fc ff df
  10:  48 c1 e8 03           shr    $0x3,%rax
  14:  80 3c 10 00           cmpb   $0x0,(%rax,%rdx,1)
  18:  75 1b                 jne    0x35
  1a:  48 83 3d df fc 00 02  cmpq   $0x0,0x200fcdf(%rip)        # 0x200fd01
  21:  00
  22:  74 08                 je     0x2c
  24:  fb                    sti
  25:  0f 1f 44 00 00        nopl   0x0(%rax,%rax,1)
* 2a:  eb b0                 jmp    0xffffffdc <-- trapping instruction
  2c:  0f 0b                 ud2
  2e:  e8 1e cc 1f f8        call   0xf81fcc51
  33:  eb bc                 jmp    0xfffffff1
  35:  48 c7 c7 a0 c3 e1 8a  mov    $0xffffffff8ae1c3a0,%rdi
  3c:  e8                    .byte 0xe8
  3d:  60                    (bad)
  3e:  5e                    pop    %rsi
  3f:  01                    .byte 0x1