[syzbot] [kernel?] WARNING in emulate_vsyscall (2)
From: syzbot
Date: Wed Apr 03 2024 - 14:24:38 EST
Hello,
syzbot found the following issue on:
HEAD commit: 480e035fc4c7 Merge tag 'drm-next-2024-03-13' of https://gi..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10f59af9180000
kernel config: https://syzkaller.appspot.com/x/.config?x=1e5b814e91787669
dashboard link: https://syzkaller.appspot.com/bug?extid=1a55be5c9d955093937c
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11a64776180000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=142939b1180000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/5f73b6ef963d/disk-480e035f.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/46c949396aad/vmlinux-480e035f.xz
kernel image: https://storage.googleapis.com/syzbot-assets/e3b4d0f5a5f8/bzImage-480e035f.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+1a55be5c9d955093937c@xxxxxxxxxxxxxxxxxxxxxxxxx
syz-executor110[5075] vsyscall fault (exploit attempt?) ip:ffffffffff600000 cs:33 sp:7f991ee20c78 ax:ffffffffffffffda si:7f991ee20db0 di:19
------------[ cut here ]------------
WARNING: CPU: 0 PID: 5075 at arch/x86/entry/vsyscall/vsyscall_64.c:278 emulate_vsyscall+0xf5a/0x1270 arch/x86/entry/vsyscall/vsyscall_64.c:277
Modules linked in:
CPU: 0 PID: 5075 Comm: syz-executor110 Not tainted 6.8.0-syzkaller-08073-g480e035fc4c7 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
RIP: 0010:emulate_vsyscall+0xf5a/0x1270 arch/x86/entry/vsyscall/vsyscall_64.c:277
Code: 0f 0b 90 e9 f6 f1 ff ff e8 23 74 94 00 90 0f 0b 90 e9 e8 f2 ff ff e8 15 74 94 00 90 0f 0b 90 e9 58 f3 ff ff e8 07 74 94 00 90 <0f> 0b 90 e9 58 fe ff ff 48 c7 c1 00 31 fa 8d 80 e1 07 80 c1 03 38
RSP: 0000:ffffc90004447e60 EFLAGS: 00010293
RAX: ffffffff81008149 RBX: 0000000000000100 RCX: ffff8880228d1e00
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: ffffffff810080a1 R09: 1ffff92000888f5c
R10: dffffc0000000000 R11: fffff52000888f5d R12: 1ffff92000888ffe
R13: ffff8880228d3710 R14: ffffc90004447ff0 R15: 1ffff1100451a6e2
FS: 00007f991ee216c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000019 CR3: 000000007906a000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
do_user_addr_fault arch/x86/mm/fault.c:1346 [inline]
handle_page_fault arch/x86/mm/fault.c:1505 [inline]
exc_page_fault+0x160/0x890 arch/x86/mm/fault.c:1563
asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
RIP: 0033:_end+0x6abda000/0x0
Code: Unable to access opcode bytes at 0xffffffffff5fffd6.
RSP: 002b:00007f991ee20c78 EFLAGS: 00010246
RAX: ffffffffffffffda RBX: 00007f991eef0308 RCX: 00007f991ee66739
RDX: 00007f991ee20c80 RSI: 00007f991ee20db0 RDI: 0000000000000019
RBP: 00007f991eef0300 R08: 00007f991ee216c0 R09: 00007f991ee216c0
R10: 0000800000000007 R11: 0000000000000246 R12: 00007f991eef030c
R13: 0400000000000000 R14: 66aa589070d556b8 R15: 00007ffedb75c428
</TASK>
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@xxxxxxxxxxxxxxxx.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup