Re: [syzbot] [fs?] general protection fault in iter_file_splice_write
From: syzbot
Date: Wed May 22 2024 - 10:30:12 EST
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
] Freeing unused kernel image (initmem) memory: 26000K
[ 21.902015][ T1] Write protecting the kernel read-only data: 204800k
[ 21.915990][ T1] Freeing unused kernel image (rodata/data gap) memory: 1740K
[ 22.001150][ T1] x86/mm: Checked W+X mappings: passed, no W+X pages found.
[ 22.010555][ T1] Failed to set sysctl parameter 'max_rcu_stall_to_panic=1': parameter not found
[ 22.014380][ T1] Run /sbin/init as init process
[ 22.270925][ T1] SELinux: Class mctp_socket not defined in policy.
[ 22.273265][ T1] SELinux: Class anon_inode not defined in policy.
[ 22.275479][ T1] SELinux: Class io_uring not defined in policy.
[ 22.277605][ T1] SELinux: Class user_namespace not defined in policy.
[ 22.279958][ T1] SELinux: the above unknown classes and permissions will be denied
[ 22.376641][ T1] SELinux: policy capability network_peer_controls=1
[ 22.379248][ T1] SELinux: policy capability open_perms=1
[ 22.381279][ T1] SELinux: policy capability extended_socket_class=1
[ 22.383632][ T1] SELinux: policy capability always_check_network=0
[ 22.386099][ T1] SELinux: policy capability cgroup_seclabel=1
[ 22.388512][ T1] SELinux: policy capability nnp_nosuid_transition=1
[ 22.391006][ T1] SELinux: policy capability genfs_seclabel_symlinks=0
[ 22.393353][ T1] SELinux: policy capability ioctl_skip_cloexec=0
[ 22.395753][ T1] SELinux: policy capability userspace_initial_context=0
[ 22.493592][ T39] audit: type=1403 audit(1716387584.398:2): auid=4294967295 ses=4294967295 lsm=selinux res=1
[ 22.539716][ T4655] mount (4655) used greatest stack depth: 23344 bytes left
[ 22.566408][ T4656] EXT4-fs (sda1): re-mounted 5941fea2-f5fa-4b4e-b5ef-9af118b27b95 r/w. Quota mode: none.
mount: mounting smackfs on /sys/fs/smackfs failed: No such file or directory
[ 22.681935][ T4659] mount (4659) used greatest stack depth: 23128 bytes left
Starting syslogd: [ 22.942320][ T39] audit: type=1400 audit(1716387584.848:3): avc: denied { read write } for pid=4672 comm="syslogd" path="/dev/null" dev="devtmpfs" ino=5 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
OK
[ 22.970689][ T39] audit: type=1400 audit(1716387584.878:4): avc: denied { read } for pid=4672 comm="syslogd" name="log" dev="sda1" ino=1915 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_t tclass=lnk_file permissive=1
[ 22.979560][ T39] audit: type=1400 audit(1716387584.878:5): avc: denied { search } for pid=4672 comm="syslogd" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=1
[ 22.987816][ T39] audit: type=1400 audit(1716387584.878:6): avc: denied { write } for pid=4672 comm="syslogd" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=1
Starting acpid: [ 22.996353][ T39] audit: type=1400 audit(1716387584.878:7): avc: denied { add_name } for pid=4672 comm="syslogd" name="messages" scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=1
[ 23.005839][ T39] audit: type=1400 audit(1716387584.878:8): avc: denied { create } for pid=4672 comm="syslogd" name="messages" scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=file permissive=1
[ 23.013760][ T39] audit: type=1400 audit(1716387584.878:9): avc: denied { append open } for pid=4672 comm="syslogd" path="/tmp/messages" dev="tmpfs" ino=2 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=file permissive=1
[ 23.022478][ T39] audit: type=1400 audit(1716387584.878:10): avc: denied { getattr } for pid=4672 comm="syslogd" path="/tmp/messages" dev="tmpfs" ino=2 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=file permissive=1
[ 23.032435][ T39] audit: type=1400 audit(1716387584.938:11): avc: denied { use } for pid=4674 comm="acpid" path="/dev/console" dev="rootfs" ino=1039 scontext=system_u:system_r:acpid_t tcontext=system_u:system_r:kernel_t tclass=fd permissive=1
OK
Starting klogd: OK
Running sysctl: OK
Populating /dev using udev: [ 23.362610][ T4689] udevd[4689]: starting version 3.2.11
[ 23.521131][ T4690] udevd[4690]: starting eudev-3.2.11
[ 23.522449][ T4689] udevd (4689) used greatest stack depth: 21488 bytes left
done
Starting system message bus: [ 30.837568][ T39] kauditd_printk_skb: 13 callbacks suppressed
[ 30.837584][ T39] audit: type=1400 audit(1716387592.738:25): avc: denied { use } for pid=4894 comm="dbus-daemon" path="/dev/console" dev="rootfs" ino=1039 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:kernel_t tclass=fd permissive=1
[ 30.851952][ T39] audit: type=1400 audit(1716387592.738:26): avc: denied { read write } for pid=4894 comm="dbus-daemon" path="/dev/console" dev="rootfs" ino=1039 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:root_t tclass=chr_file permissive=1
[ 30.880042][ T39] audit: type=1400 audit(1716387592.788:27): avc: denied { search } for pid=4894 comm="dbus-daemon" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=1
[ 30.893529][ T39] audit: type=1400 audit(1716387592.798:28): avc: denied { write } for pid=4894 comm="dbus-daemon" name="dbus" dev="tmpfs" ino=1471 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=1
[ 30.902587][ T39] audit: type=1400 audit(1716387592.798:29): avc: denied { add_name } for pid=4894 comm="dbus-daemon" name="system_bus_socket" scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=1
[ 30.911419][ T39] audit: type=1400 audit(1716387592.798:30): avc: denied { create } for pid=4894 comm="dbus-daemon" name="system_bus_socket" scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:tmpfs_t tclass=sock_file permissive=1
done[ 30.920385][ T39] audit: type=1400 audit(1716387592.798:31): avc: denied { setattr } for pid=4894 comm="dbus-daemon" name="system_bus_socket" dev="tmpfs" ino=1472 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:tmpfs_t tclass=sock_file permissive=1
[ 30.930297][ T39] audit: type=1400 audit(1716387592.808:32): avc: denied { create } for pid=4894 comm="dbus-daemon" name="messagebus.pid" scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:tmpfs_t tclass=file permissive=1
[ 30.939028][ T39] audit: type=1400 audit(1716387592.808:33): avc: denied { write open } for pid=4894 comm="dbus-daemon" path="/run/messagebus.pid" dev="tmpfs" ino=1473 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:tmpfs_t tclass=file permissive=1
[ 30.948572][ T39] audit: type=1400 audit(1716387592.808:34): avc: denied { getattr } for pid=4894 comm="dbus-daemon" path="/run/messagebus.pid" dev="tmpfs" ino=1473 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:tmpfs_t tclass=file permissive=1
Starting iptables: OK
Starting network: OK
Starting dhcpcd...
dhcpcd-9.4.1 starting
dev: loaded udev
[ 31.870098][ T4918] ret: 114, nbufs: 16, buf len: 114, n: 0, iter_file_splice_write
[ 31.872828][ T4918] ret: 0, nbufs: 16, buf len: 114, n: 1, iter_file_splice_write
[ 31.875479][ T4918] ------------[ cut here ]------------
[ 31.877625][ T4918] kernel BUG at fs/splice.c:772!
[ 31.879642][ T4918] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI
[ 31.882144][ T4918] CPU: 2 PID: 4918 Comm: cat Not tainted 6.9.0-syzkaller-07370-g33e02dc69afb-dirty #0
[ 31.886067][ T4918] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
[ 31.890166][ T4918] RIP: 0010:iter_file_splice_write+0x1039/0x1180
[ 31.892847][ T4918] Code: c1 ea 03 83 c3 01 0f b6 14 02 48 89 c8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 8b 00 00 00 48 8b 04 24 89 98 34 01 00 00 90 <0f> 0b 48 89 cf e8 8d 0e e0 ff e9 38 f3 ff ff e8 83 0e e0 ff e9 ea
[ 31.900759][ T4918] RSP: 0018:ffffc900039af930 EFLAGS: 00010246
[ 31.903148][ T4918] RAX: ffff8880254fec00 RBX: 0000000000000001 RCX: ffff8880254fed34
[ 31.906429][ T4918] RDX: 0000000000000000 RSI: ffffffff82098b90 RDI: ffff88802ea30818
[ 31.909550][ T4918] RBP: 0000000000000072 R08: 0000000000000001 R09: 0000000000000000
[ 31.912529][ T4918] R10: 0000000000000000 R11: 0000000000000001 R12: ffff88802ea30800
[ 31.915665][ T4918] R13: 0000000000000072 R14: 0000000000000072 R15: ffff88802ea3080c
[ 31.918807][ T4918] FS: 00007f39afea8500(0000) GS:ffff88806b200000(0000) knlGS:0000000000000000
[ 31.921822][ T4918] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 31.924602][ T4918] CR2: 00007f39b016e5c4 CR3: 000000002b4a6000 CR4: 0000000000350ef0
[ 31.927480][ T4918] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 31.930220][ T4918] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 31.933091][ T4918] Call Trace:
[ 31.934542][ T4918] <TASK>
[ 31.935639][ T4918] ? show_regs+0x8c/0xa0
[ 31.937245][ T4918] ? die+0x36/0xa0
[ 31.938912][ T4918] ? do_trap+0x232/0x430
[ 31.940376][ T4918] ? iter_file_splice_write+0x1039/0x1180
[ 31.942133][ T4918] ? iter_file_splice_write+0x1039/0x1180
[ 31.944212][ T4918] ? do_error_trap+0xf4/0x230
[ 31.946283][ T4918] ? iter_file_splice_write+0x1039/0x1180
[ 31.948819][ T4918] ? handle_invalid_op+0x34/0x40
[ 31.950675][ T4918] ? iter_file_splice_write+0x1039/0x1180
[ 31.952589][ T4918] ? exc_invalid_op+0x2e/0x50
[ 31.954493][ T4918] ? asm_exc_invalid_op+0x1a/0x20
[ 31.956421][ T4918] ? page_cache_pipe_buf_release+0x110/0x2f0
[ 31.958569][ T4918] ? iter_file_splice_write+0x1039/0x1180
[ 31.960765][ T4918] ? __pfx_iter_file_splice_write+0x10/0x10
[ 31.963016][ T4918] ? __pfx_lock_acquire+0x10/0x10
[ 31.964920][ T4918] ? __pfx_iter_file_splice_write+0x10/0x10
[ 31.967141][ T4918] direct_splice_actor+0x19b/0x6d0
[ 31.969069][ T4918] splice_direct_to_actor+0x346/0xa40
[ 31.971093][ T4918] ? __pfx_direct_splice_actor+0x10/0x10
[ 31.973209][ T4918] ? __pfx_splice_direct_to_actor+0x10/0x10
[ 31.975456][ T4918] ? __fsnotify_parent+0x27d/0x9d0
[ 31.977400][ T4918] ? __pfx___might_resched+0x10/0x10
[ 31.979416][ T4918] do_splice_direct+0x17e/0x250
[ 31.981880][ T4918] ? __pfx_do_splice_direct+0x10/0x10
[ 31.983926][ T4918] ? avc_policy_seqno+0x9/0x20
[ 31.985751][ T4918] ? __pfx_direct_file_splice_eof+0x10/0x10
[ 31.987982][ T4918] do_sendfile+0xaa8/0xdb0
[ 31.989672][ T4918] ? __pfx_do_sendfile+0x10/0x10
[ 31.991574][ T4918] ? do_user_addr_fault+0x6d7/0x1010
[ 31.993526][ T4918] __x64_sys_sendfile64+0x1da/0x220
[ 31.995516][ T4918] ? __pfx___x64_sys_sendfile64+0x10/0x10
[ 31.997677][ T4918] do_syscall_64+0xcf/0x260
[ 31.999401][ T4918] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 32.001652][ T4918] RIP: 0033:0x7f39affffefa
[ 32.003356][ T4918] Code: ff 76 13 83 f8 a1 74 03 f7 d8 c3 4c 89 d2 4c 89 c6 e9 49 fe ff ff 31 c0 c3 0f 1f 80 00 00 00 00 49 89 ca b8 28 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d fe 6e 0d 00 f7 d8 64 89 01 48
[ 32.010454][ T4918] RSP: 002b:00007fffa16e8068 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
[ 32.013594][ T4918] RAX: ffffffffffffffda RBX: 0000000001000000 RCX: 00007f39affffefa
[ 32.016570][ T4918] RDX: 0000000000000000 RSI: 0000000000000003 RDI: 0000000000000001
[ 32.019528][ T4918] RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000
[ 32.022555][ T4918] R10: 0000000001000000 R11: 0000000000000246 R12: 0000000000000003
[ 32.025553][ T4918] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[ 32.028586][ T4918] </TASK>
[ 32.029791][ T4918] Modules linked in:
[ 32.031452][ T4918] ---[ end trace 0000000000000000 ]---
[ 32.033862][ T4918] RIP: 0010:iter_file_splice_write+0x1039/0x1180
[ 32.036610][ T4918] Code: c1 ea 03 83 c3 01 0f b6 14 02 48 89 c8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 8b 00 00 00 48 8b 04 24 89 98 34 01 00 00 90 <0f> 0b 48 89 cf e8 8d 0e e0 ff e9 38 f3 ff ff e8 83 0e e0 ff e9 ea
[ 32.045466][ T4918] RSP: 0018:ffffc900039af930 EFLAGS: 00010246
[ 32.048320][ T4918] RAX: ffff8880254fec00 RBX: 0000000000000001 RCX: ffff8880254fed34
[ 32.050899][ T4918] RDX: 0000000000000000 RSI: ffffffff82098b90 RDI: ffff88802ea30818
[ 32.054095][ T4918] RBP: 0000000000000072 R08: 0000000000000001 R09: 0000000000000000
[ 32.057263][ T4918] R10: 0000000000000000 R11: 0000000000000001 R12: ffff88802ea30800
[ 32.060607][ T4918] R13: 0000000000000072 R14: 0000000000000072 R15: ffff88802ea3080c
[ 32.063406][ T4918] FS: 00007f39afea8500(0000) GS:ffff88806b200000(0000) knlGS:0000000000000000
[ 32.066421][ T4918] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 32.068828][ T4918] CR2: 00007f39b016e5c4 CR3: 000000002b4a6000 CR4: 0000000000350ef0
[ 32.071717][ T4918] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 32.074503][ T4918] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 32.077572][ T4918] Kernel panic - not syncing: Fatal exception
[ 32.080225][ T4918] Kernel Offset: disabled
[ 32.081708][ T4918] Rebooting in 86400 seconds..
syzkaller build log:
go env (err=<nil>)
GO111MODULE='auto'
GOARCH='amd64'
GOBIN=''
GOCACHE='/syzkaller/.cache/go-build'
GOENV='/syzkaller/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/syzkaller/jobs/linux/gopath/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/syzkaller/jobs/linux/gopath'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.21.4'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD='/syzkaller/jobs/linux/gopath/src/github.com/google/syzkaller/go.mod'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build4079149403=/tmp/go-build -gno-record-gcc-switches'
git status (err=<nil>)
HEAD detached at ef5d53ed7
nothing to commit, working tree clean
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=ef5d53ed7e3c7d30481a88301f680e37a5cc4775 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20240515-155216'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-fuzzer github.com/google/syzkaller/syz-fuzzer
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=ef5d53ed7e3c7d30481a88301f680e37a5cc4775 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20240515-155216'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
mkdir -p ./bin/linux_amd64
gcc -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -std=c++11 -I. -Iexecutor/_include -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"ef5d53ed7e3c7d30481a88301f680e37a5cc4775\"
Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=164efe44980000
Tested on:
commit: 33e02dc6 Merge tag 'sound-6.10-rc1' of git://git.kerne..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel config: https://syzkaller.appspot.com/x/.config?x=25544a2faf4bae65
dashboard link: https://syzkaller.appspot.com/bug?extid=d2125fcb6aa8c4276fd2
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=179a8cec980000