* general protection fault in __dentry_path
From: syzbot @ 2019-01-30 10:35 UTC (permalink / raw)
  To: linux-fsdevel, linux-kernel, syzkaller-bugs, viro

Hello,

syzbot found the following crash on:

HEAD commit:    02495e76ded5 Add linux-next specific files for 20190130
git tree:       linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=17e8d80f400000
kernel config:  https://syzkaller.appspot.com/x/.config?x=a2b2e9c0bc43c14d
dashboard link: https://syzkaller.appspot.com/bug?extid=7857962b4d45e602b8ad
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+7857962b4d45e602b8ad@syzkaller.appspotmail.com

kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 445 Comm: syz-executor3 Not tainted 5.0.0-rc4-next-20190130 #22
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__dentry_path+0x2a5/0xaa0 fs/d_path.c:344
Code: 00 00 e8 1e 9d 9f ff 48 c7 c7 68 26 81 89 e8 72 c4 14 06 e8 0d 9d 9f ff 48 8b 85 00 ff ff ff 48 8d 78 40 48 89 f8 48 c1 e8 03 <42> 80 3c 38 00 0f 85 b0 07 00 00 48 8b 85 00 ff ff ff 4c 8b 68 40
RSP: 0018:ffff8881c21bf8a8 EFLAGS: 00010207
RAX: 0000000000000005 RBX: 0000000000000000 RCX: ffffc90005b5c000
RDX: 0000000000002edf RSI: ffffffff81e27c43 RDI: 000000000000002f
RBP: ffff8881c21bf9d0 R08: ffff88806b30a040 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff8881c21bf9a8
R13: 0000000000000000 R14: 0000000000009674 R15: dffffc0000000000
FS:  00007f27af88b700(0000) GS:ffff8880ae600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2f722000 CR3: 0000000218991000 CR4: 00000000001426f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 dentry_path_raw+0x26/0x30 fs/d_path.c:371
 kvm_uevent_notify_change.part.0+0x213/0x440 arch/x86/kvm/../../../virt/kvm/kvm_main.c:4050
 kvm_uevent_notify_change arch/x86/kvm/../../../virt/kvm/kvm_main.c:4017 [inline]
 kvm_dev_ioctl_create_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:3355 [inline]
 kvm_dev_ioctl+0x137a/0x1a60 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3377
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:509 [inline]
 do_vfs_ioctl+0x107b/0x17d0 fs/ioctl.c:696
 ksys_ioctl+0xab/0xd0 fs/ioctl.c:713
 __do_sys_ioctl fs/ioctl.c:720 [inline]
 __se_sys_ioctl fs/ioctl.c:718 [inline]
 __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718
 do_syscall_64+0x1a3/0x800 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x458089
Code: 6d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f27af88ac78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000458089
RDX: 0000000000000000 RSI: 000000000000ae01 RDI: 0000000000000003
RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f27af88b6d4
R13: 00000000004c0bcf R14: 00000000004d2890 R15: 00000000ffffffff
Modules linked in:
---[ end trace 1701fe85f04d676b ]---
RIP: 0010:__dentry_path+0x2a5/0xaa0 fs/d_path.c:344
Code: 00 00 e8 1e 9d 9f ff 48 c7 c7 68 26 81 89 e8 72 c4 14 06 e8 0d 9d 9f ff 48 8b 85 00 ff ff ff 48 8d 78 40 48 89 f8 48 c1 e8 03 <42> 80 3c 38 00 0f 85 b0 07 00 00 48 8b 85 00 ff ff ff 4c 8b 68 40
RSP: 0018:ffff8881c21bf8a8 EFLAGS: 00010207
RAX: 0000000000000005 RBX: 0000000000000000 RCX: ffffc90005b5c000
RDX: 0000000000002edf RSI: ffffffff81e27c43 RDI: 000000000000002f
RBP: ffff8881c21bf9d0 R08: ffff88806b30a040 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff8881c21bf9a8
R13: 0000000000000000 R14: 0000000000009674 R15: dffffc0000000000
FS:  00007f27af88b700(0000) GS:ffff8880ae600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000001f80f70 CR3: 0000000218991000 CR4: 00000000001426f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with syzbot.


* Re: general protection fault in __dentry_path
From: syzbot @ 2019-01-30 11:32 UTC (permalink / raw)
  To: linux-fsdevel, linux-kernel, syzkaller-bugs, viro

syzbot has found a reproducer for the following crash on:

HEAD commit:    02495e76ded5 Add linux-next specific files for 20190130
git tree:       linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=106161ef400000
kernel config:  https://syzkaller.appspot.com/x/.config?x=a2b2e9c0bc43c14d
dashboard link: https://syzkaller.appspot.com/bug?extid=7857962b4d45e602b8ad
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1182e5b8c00000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+7857962b4d45e602b8ad@syzkaller.appspotmail.com

kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 8239 Comm: syz-executor4 Not tainted 5.0.0-rc4-next-20190130 #22
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__dentry_path+0x2a5/0xaa0 fs/d_path.c:344
Code: 00 00 e8 1e 9d 9f ff 48 c7 c7 68 26 81 89 e8 72 c4 14 06 e8 0d 9d 9f ff 48 8b 85 00 ff ff ff 48 8d 78 40 48 89 f8 48 c1 e8 03 <42> 80 3c 38 00 0f 85 b0 07 00 00 48 8b 85 00 ff ff ff 4c 8b 68 40
RSP: 0018:ffff88808ab5f8a8 EFLAGS: 00010207
RAX: 0000000000000005 RBX: 0000000000000000 RCX: ffffffff81e27f21
RDX: 0000000000000000 RSI: ffffffff81e27c43 RDI: 000000000000002f
RBP: ffff88808ab5f9d0 R08: ffff88809edd4280 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff88808ab5f9a8
R13: 0000000000000000 R14: 0000000000000c78 R15: dffffc0000000000
FS:  00007f69a6d18700(0000) GS:ffff8880ae600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000144a008 CR3: 00000000a1190000 CR4: 00000000001426f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 dentry_path_raw+0x26/0x30 fs/d_path.c:371
 kvm_uevent_notify_change.part.0+0x213/0x440 arch/x86/kvm/../../../virt/kvm/kvm_main.c:4050
 kvm_uevent_notify_change arch/x86/kvm/../../../virt/kvm/kvm_main.c:4017 [inline]
 kvm_dev_ioctl_create_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:3355 [inline]
 kvm_dev_ioctl+0x137a/0x1a60 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3377
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:509 [inline]
 do_vfs_ioctl+0x107b/0x17d0 fs/ioctl.c:696
 ksys_ioctl+0xab/0xd0 fs/ioctl.c:713
 __do_sys_ioctl fs/ioctl.c:720 [inline]
 __se_sys_ioctl fs/ioctl.c:718 [inline]
 __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718
 do_syscall_64+0x1a3/0x800 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x458089
Code: 6d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f69a6d17c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000458089
RDX: 0000000000000000 RSI: 000000000000ae01 RDI: 0000000000000006
RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f69a6d186d4
R13: 00000000004c0bcf R14: 00000000004d2890 R15: 00000000ffffffff
Modules linked in:
---[ end trace c2b508264c762aae ]---
RIP: 0010:__dentry_path+0x2a5/0xaa0 fs/d_path.c:344
Code: 00 00 e8 1e 9d 9f ff 48 c7 c7 68 26 81 89 e8 72 c4 14 06 e8 0d 9d 9f ff 48 8b 85 00 ff ff ff 48 8d 78 40 48 89 f8 48 c1 e8 03 <42> 80 3c 38 00 0f 85 b0 07 00 00 48 8b 85 00 ff ff ff 4c 8b 68 40
RSP: 0018:ffff88808ab5f8a8 EFLAGS: 00010207
RAX: 0000000000000005 RBX: 0000000000000000 RCX: ffffffff81e27f21
RDX: 0000000000000000 RSI: ffffffff81e27c43 RDI: 000000000000002f
RBP: ffff88808ab5f9d0 R08: ffff88809edd4280 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff88808ab5f9a8
R13: 0000000000000000 R14: 0000000000000c78 R15: dffffc0000000000
FS:  00007f69a6d18700(0000) GS:ffff8880ae600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fec12a1fdb8 CR3: 00000000a1190000 CR4: 00000000001426f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400



* Re: general protection fault in __dentry_path
From: Tetsuo Handa @ 2019-01-30 13:49 UTC (permalink / raw)
  To: kvm; +Cc: syzbot, syzkaller-bugs, viro

This report should be sent to KVM people.

I guess that a lack of serialization between kvm_create_vm_debugfs() from
kvm_dev_ioctl_create_vm() and kvm_destroy_vm_debugfs() from kvm_destroy_vm()
is causing a race on kvm->debugfs_dentry when kvm_uevent_notify_change()
called dentry_path_raw(kvm->debugfs_dentry).

On 2019/01/30 20:32, syzbot wrote:
> syzbot has found a reproducer for the following crash on:


* Re: general protection fault in __dentry_path
From: syzbot @ 2019-02-21  4:14 UTC (permalink / raw)
  To: kvm, linux-fsdevel, linux-kernel, penguin-kernel, syzkaller-bugs, viro

syzbot has found a reproducer for the following crash on:

HEAD commit:    2137397c92ae Merge tag 'sound-5.0' of git://git.kernel.org..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1270bf78c00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=7132344728e7ec3f
dashboard link: https://syzkaller.appspot.com/bug?extid=7857962b4d45e602b8ad
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
userspace arch: i386
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=150bee14c00000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=12f401d4c00000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+7857962b4d45e602b8ad@syzkaller.appspotmail.com

kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 12576 Comm: syz-executor696 Not tainted 5.0.0-rc7+ #81
kobject: 'kvm' (00000000985ff3e6): kobject_uevent_env
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__dentry_path+0x49e/0x7c0 fs/d_path.c:344
Code: 89 fc 41 83 e4 01 44 89 e6 e8 fe e4 b2 ff 45 84 e4 0f 85 04 02 00 00 e8 b0 e3 b2 ff 48 8b 85 18 ff ff ff 44 89 bd 40 ff ff ff <80> 38 00 0f 85 f9 02 00 00 48 8b 85 38 ff ff ff 41 83 e7 01 44 89
kobject: 'kvm' (00000000985ff3e6): fill_kobj_path: path = '/devices/virtual/misc/kvm'
RSP: 0018:ffff888096127c58 EFLAGS: 00010293
RAX: dffffc0000000005 RBX: 0000000000000000 RCX: ffffffff81bcfdc2
RDX: 0000000000000000 RSI: ffffffff81bcfdd0 RDI: 0000000000000001
RBP: ffff888096127d48 R08: ffff88809b17c540 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: ffff888096127d20 R14: ffff888092473afe R15: 0000000000014e78
FS:  0000000000000000(0000) GS:ffff8880ae800000(0063) knlGS:00000000f7fe4b40
CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: 00000000080fb028 CR3: 000000009de68000 CR4: 00000000001426f0
kobject: 'kvm' (00000000985ff3e6): kobject_uevent_env
Call Trace:
kobject: 'kvm' (00000000985ff3e6): fill_kobj_path: path = '/devices/virtual/misc/kvm'
 dentry_path_raw+0x26/0x30 fs/d_path.c:371
 kvm_uevent_notify_change.part.0+0x213/0x440 arch/x86/kvm/../../../virt/kvm/kvm_main.c:4051
 kvm_uevent_notify_change arch/x86/kvm/../../../virt/kvm/kvm_main.c:4018 [inline]
 kvm_dev_ioctl_create_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:3356 [inline]
 kvm_dev_ioctl+0x1132/0x1750 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3378
 __do_compat_sys_ioctl fs/compat_ioctl.c:1052 [inline]
 __se_compat_sys_ioctl fs/compat_ioctl.c:998 [inline]
 __ia32_compat_sys_ioctl+0x197/0x620 fs/compat_ioctl.c:998
 do_syscall_32_irqs_on arch/x86/entry/common.c:326 [inline]
 do_fast_syscall_32+0x281/0xc98 arch/x86/entry/common.c:397
 entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139
RIP: 0023:0xf7fe8869
Code: 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 14 24 c3 8b 3c 24 c3 90 90 90 90 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
RSP: 002b:00000000f7fe41fc EFLAGS: 00000293 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000000ae01
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 00000000003d0f00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
Modules linked in:
---[ end trace 4fe494385b47fe74 ]---
kobject: 'kvm' (00000000985ff3e6): kobject_uevent_env
RIP: 0010:__dentry_path+0x49e/0x7c0 fs/d_path.c:344
Code: 89 fc 41 83 e4 01 44 89 e6 e8 fe e4 b2 ff 45 84 e4 0f 85 04 02 00 00 e8 b0 e3 b2 ff 48 8b 85 18 ff ff ff 44 89 bd 40 ff ff ff <80> 38 00 0f 85 f9 02 00 00 48 8b 85 38 ff ff ff 41 83 e7 01 44 89
RSP: 0018:ffff888096127c58 EFLAGS: 00010293
RAX: dffffc0000000005 RBX: 0000000000000000 RCX: ffffffff81bcfdc2
RDX: 0000000000000000 RSI: ffffffff81bcfdd0 RDI: 0000000000000001
RBP: ffff888096127d48 R08: ffff88809b17c540 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: ffff888096127d20 R14: ffff888092473afe R15: 0000000000014e78
kobject: 'kvm' (00000000985ff3e6): fill_kobj_path: path = '/devices/virtual/misc/kvm'
FS:  0000000000000000(0000) GS:ffff8880ae800000(0063) knlGS:00000000f7fe4b40
CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: 00000000080fb038 CR3: 000000009de68000 CR4: 00000000001426f0



* Re: general protection fault in __dentry_path
From: Eric Biggers @ 2019-02-26 19:19 UTC (permalink / raw)
  To: Greg Kroah-Hartman, kvm
  Cc: syzbot, linux-fsdevel, linux-kernel, penguin-kernel,
	syzkaller-bugs, viro

On Wed, Feb 20, 2019 at 08:14:03PM -0800, syzbot wrote:
> syzbot has found a reproducer for the following crash on:

Hi Greg, this started happening with:

	commit ff9fb72bc07705c00795ca48631f7fffe24d2c6b (HEAD)
	Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Date:   Wed Jan 23 11:28:14 2019 +0100

	    debugfs: return error values, not NULL

But virt/kvm/kvm_main.c still checks for NULL:

        if (kvm->debugfs_dentry) {
                char *tmp, *p = kmalloc(PATH_MAX, GFP_KERNEL);

                if (p) {
                        tmp = dentry_path_raw(kvm->debugfs_dentry, p, PATH_MAX);
                        if (!IS_ERR(tmp))
                                add_uevent_var(env, "STATS_PATH=%s", tmp);
                        kfree(p);
                }
        }

... and sometimes kvm->debugfs_dentry = ERR_PTR(-EEXIST).

- Eric
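The failure Eric describes, modelled in userspace as an added example (this is not kernel code or code from the thread): the <linux/err.h> helpers, debugfs_create_dir() and dentry_path_raw() are re-implemented as constructed stand-ins, and the "4242-3" directory name is constructed. It runs the pre-fix NULL-only check and an IS_ERR_OR_NULL check side by side on a VM whose debugfs directory creation failed with ERR_PTR(-EEXIST).

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Userspace re-implementation of the <linux/err.h> helpers (same encoding
 * as the kernel: errno values live in the top MAX_ERRNO addresses). */
#define MAX_ERRNO 4095
static inline void *ERR_PTR(long error) { return (void *)(intptr_t)error; }
static inline long PTR_ERR(const void *p) { return (long)(intptr_t)p; }
static inline int IS_ERR(const void *p) { return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO; }
static inline int IS_ERR_OR_NULL(const void *p) { return !p || IS_ERR(p); }

struct dentry { char name[32]; };
struct kvm { struct dentry *debugfs_dentry; };

/* Constructed stand-in for debugfs_create_dir() after ff9fb72bc077: a
 * name collision yields ERR_PTR(-EEXIST) instead of NULL. */
#define MAX_DIRS 8
static struct dentry dirs[MAX_DIRS];
static int ndirs;

static void reset_debugfs(void) { ndirs = 0; }

static struct dentry *fake_debugfs_create_dir(const char *name)
{
	for (int i = 0; i < ndirs; i++)
		if (strcmp(dirs[i].name, name) == 0)
			return ERR_PTR(-EEXIST);
	if (ndirs == MAX_DIRS)
		return ERR_PTR(-ENOMEM);
	snprintf(dirs[ndirs].name, sizeof dirs[ndirs].name, "%s", name);
	return &dirs[ndirs++];
}

/* Constructed stand-in for dentry_path_raw(). The real one walks the
 * dentry and faults on an ERR_PTR; here that case is reported as -EFAULT
 * so the two callers below can be compared without crashing the process. */
static int fake_dentry_path_raw(struct dentry *d, char *buf, size_t len)
{
	if (IS_ERR(d))
		return -EFAULT;	/* the GPF in __dentry_path from the report */
	snprintf(buf, len, "/kvm/%s", d->name);
	return 0;
}

enum notify_result { PATH_ADDED, PATH_SKIPPED, WOULD_CRASH };

/* Pre-fix check from Eric's excerpt: only NULL is rejected, so an error
 * pointer (non-NULL, e.g. (void *)-17) is handed to dentry_path_raw(). */
static enum notify_result notify_buggy(struct kvm *kvm, char *path, size_t len)
{
	if (kvm->debugfs_dentry) {
		if (fake_dentry_path_raw(kvm->debugfs_dentry, path, len) < 0)
			return WOULD_CRASH;
		return PATH_ADDED;
	}
	return PATH_SKIPPED;
}

/* Hardened check: reject NULL and error pointers before dereferencing. */
static enum notify_result notify_fixed(struct kvm *kvm, char *path, size_t len)
{
	if (!IS_ERR_OR_NULL(kvm->debugfs_dentry)) {
		if (fake_dentry_path_raw(kvm->debugfs_dentry, path, len) < 0)
			return WOULD_CRASH;
		return PATH_ADDED;
	}
	return PATH_SKIPPED;
}

/* Creates two VMs whose debugfs directory names collide (the situation
 * syzbot triggered; "4242-3" is a constructed pid-fd style name), runs
 * both checks on the second VM and returns that VM's debugfs errno. */
static long simulate_collision(enum notify_result *buggy, enum notify_result *fixed)
{
	char path[64];
	struct kvm first, second;

	reset_debugfs();
	first.debugfs_dentry = fake_debugfs_create_dir("4242-3");
	second.debugfs_dentry = fake_debugfs_create_dir("4242-3");
	if (notify_buggy(&first, path, sizeof path) != PATH_ADDED)
		return -EINVAL;	/* the first VM must succeed under either check */
	*buggy = notify_buggy(&second, path, sizeof path);
	*fixed = notify_fixed(&second, path, sizeof path);
	return IS_ERR(second.debugfs_dentry) ? PTR_ERR(second.debugfs_dentry) : 0;
}

int main(void)
{
	enum notify_result buggy, fixed;
	long err = simulate_collision(&buggy, &fixed);
	printf("second debugfs_create_dir: errno %ld (EEXIST is %d)\n", -err, EEXIST);
	printf("NULL-only check: %s\n", buggy == WOULD_CRASH ? "passed ERR_PTR to dentry_path_raw" : "safe");
	printf("IS_ERR_OR_NULL check: %s\n", fixed == PATH_SKIPPED ? "skipped STATS_PATH, no deref" : "safe");
	return 0;
}
```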


* Re: general protection fault in __dentry_path
From: Greg Kroah-Hartman @ 2019-02-27  8:38 UTC (permalink / raw)
  To: Eric Biggers
  Cc: kvm, syzbot, linux-fsdevel, linux-kernel, penguin-kernel,
	syzkaller-bugs, viro

On Tue, Feb 26, 2019 at 11:19:33AM -0800, Eric Biggers wrote:
> On Wed, Feb 20, 2019 at 08:14:03PM -0800, syzbot wrote:
> > syzbot has found a reproducer for the following crash on:
> 
> Hi Greg, this started happening with:
> 
> 	commit ff9fb72bc07705c00795ca48631f7fffe24d2c6b (HEAD)
> 	Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> 	Date:   Wed Jan 23 11:28:14 2019 +0100
> 
> 	    debugfs: return error values, not NULL
> 
> But virt/kvm/kvm_main.c still checks for NULL:
> 
>         if (kvm->debugfs_dentry) {
>                 char *tmp, *p = kmalloc(PATH_MAX, GFP_KERNEL);
> 
>                 if (p) {
>                         tmp = dentry_path_raw(kvm->debugfs_dentry, p, PATH_MAX);
>                         if (!IS_ERR(tmp))
>                                 add_uevent_var(env, "STATS_PATH=%s", tmp);
>                         kfree(p);
>                 }
>         }
> 
> ... and sometimes kvm->debugfs_dentry = ERR_PTR(-EEXIST).

Ugh, thanks for the notification.  I'll make a fix for this after my
coffee kicks in this morning...

greg k-h
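The failure mode Eric describes above, modelled in userspace as an added example (not kernel code): ERR_PTR/IS_ERR/IS_ERR_OR_NULL follow the kernel's include/linux/err.h encoding, while fake_debugfs_create_dir, the dentry pool and the two guard functions are hypothetical stand-ins for debugfs and the kvm_main.c caller.

```c
/* Added example, not kernel code: a userspace model of the bug in this
 * thread. ERR_PTR/IS_ERR mirror the encoding in include/linux/err.h;
 * the debugfs and kvm pieces are hypothetical stand-ins. */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define MAX_ERRNO 4095

/* Error pointers occupy the top MAX_ERRNO bytes of the address space,
 * so they are non-NULL and a NULL-only check lets them through. */
static inline void *ERR_PTR(long err) { return (void *)(intptr_t)err; }
static inline long PTR_ERR(const void *p) { return (long)(intptr_t)p; }
static inline bool IS_ERR(const void *p)
{
	return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO;
}
static inline bool IS_ERR_OR_NULL(const void *p) { return !p || IS_ERR(p); }

struct dentry { char name[32]; };
static struct dentry pool[4];	/* constructed stand-in for the dcache */
static size_t used;

/* Stand-in for debugfs_create_dir() after ff9fb72bc077: a duplicate
 * name yields ERR_PTR(-EEXIST), never NULL. */
static struct dentry *fake_debugfs_create_dir(const char *name)
{
	for (size_t i = 0; i < used; i++)
		if (strcmp(pool[i].name, name) == 0)
			return ERR_PTR(-EEXIST);
	if (used == sizeof pool / sizeof pool[0])
		return ERR_PTR(-ENOMEM);
	snprintf(pool[used].name, sizeof pool[used].name, "%s", name);
	return &pool[used++];
}

/* Create the same name twice, as the report did; the second call
 * returns ERR_PTR(-EEXIST), which is what kvm->debugfs_dentry held. */
static struct dentry *create_twice(const char *name)
{
	used = 0;
	(void)fake_debugfs_create_dir(name);
	return fake_debugfs_create_dir(name);
}

/* Old guard from the quoted kvm_main.c: true means the caller would go
 * on to hand the error pointer to dentry_path_raw() and crash. */
static bool old_guard_passes(const struct dentry *d) { return d != NULL; }
/* Guard from the patch later in this thread. */
static bool new_guard_passes(const struct dentry *d) { return !IS_ERR_OR_NULL(d); }
```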


* [PATCH] kvm: properly check debugfs dentry before using it
  2019-02-26 19:19   ` Eric Biggers
  2019-02-27  8:38     ` Greg Kroah-Hartman
@ 2019-02-28 15:08     ` Greg Kroah-Hartman
  2019-02-28 15:14       ` Paolo Bonzini
  1 sibling, 1 reply; 9+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-28 15:08 UTC (permalink / raw)
  To: Paolo Bonzini, Radim Krčmář, Eric Biggers
  Cc: kvm, syzbot, linux-fsdevel, linux-kernel, penguin-kernel,
	syzkaller-bugs, viro

debugfs can now report an error code if something went wrong instead of
just NULL.  So if the return value is to be used as a "real" dentry, it
needs to be checked if it is an error before dereferencing it.

This is now happening because of ff9fb72bc077 ("debugfs: return error
values, not NULL").  syzbot has found a way to trigger multiple debugfs
files attempting to be created, which fails, and then the error code
gets passed to dentry_path_raw() which obviously does not like it.

Reported-by: Eric Biggers <ebiggers@kernel.org>
Reported-and-tested-by: syzbot+7857962b4d45e602b8ad@syzkaller.appspotmail.com
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: "Radim Krčmář" <rkrcmar@redhat.com>
Cc: kvm@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---

Paolo, this should be merged into 5.0-final, and if not there, then
5.1-rc1 and then backported to 5.0 through the stable tree.  If you
want me to send this to Linus, I will be glad to do so.


diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
index 585845203db8..076bc38963bf 100644
--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -4044,7 +4044,7 @@ static void kvm_uevent_notify_change(unsigned int type, struct kvm *kvm)
 	}
 	add_uevent_var(env, "PID=%d", kvm->userspace_pid);
 
-	if (kvm->debugfs_dentry) {
+	if (!IS_ERR_OR_NULL(kvm->debugfs_dentry)) {
 		char *tmp, *p = kmalloc(PATH_MAX, GFP_KERNEL);
 
 		if (p) {
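Review bot: the new test `+	if (!IS_ERR_OR_NULL(kvm->debugfs_dentry)) {` is correct for this call site, but it deserves a one-line comment saying why a NULL test is no longer enough (debugfs returns ERR_PTR values since ff9fb72bc077, and the field can hold ERR_PTR(-EEXIST) per the analysis earlier in the thread), otherwise the next cleanup is likely to "simplify" it back to a NULL check. The hunk also fixes only this one consumer of kvm->debugfs_dentry; every other reader of that field in kvm_main.c with a NULL-only test needs the same IS_ERR_OR_NULL treatment, or the error should be normalised to NULL once where the field is assigned so that all consumers stay safe.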


* Re: [PATCH] kvm: properly check debugfs dentry before using it
  2019-02-28 15:08     ` [PATCH] kvm: properly check debugfs dentry before using it Greg Kroah-Hartman
@ 2019-02-28 15:14       ` Paolo Bonzini
  2019-02-28 15:32         ` Greg Kroah-Hartman
  0 siblings, 1 reply; 9+ messages in thread
From: Paolo Bonzini @ 2019-02-28 15:14 UTC (permalink / raw)
  To: Greg Kroah-Hartman, Radim Krčmář, Eric Biggers
  Cc: kvm, syzbot, linux-fsdevel, linux-kernel, penguin-kernel,
	syzkaller-bugs, viro

On 28/02/19 16:08, Greg Kroah-Hartman wrote:
> debugfs can now report an error code if something went wrong instead of
> just NULL.  So if the return value is to be used as a "real" dentry, it
> needs to be checked if it is an error before dereferencing it.
> 
> This is now happening because of ff9fb72bc077 ("debugfs: return error
> values, not NULL").  syzbot has found a way to trigger multiple debugfs
> files attempting to be created, which fails, and then the error code
> gets passed to dentry_path_raw() which obviously does not like it.
> 
> Reported-by: Eric Biggers <ebiggers@kernel.org>
> Reported-and-tested-by: syzbot+7857962b4d45e602b8ad@syzkaller.appspotmail.com
> Cc: Paolo Bonzini <pbonzini@redhat.com>
> Cc: "Radim Krčmář" <rkrcmar@redhat.com>
> Cc: kvm@vger.kernel.org
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> 
> ---
> 
> Paolo, this should be merged into 5.0-final, and if not there, then
> 5.1-rc1 and then backported to 5.0 through the stable tree.  If you
> want me to send this to Linus, I will be glad to do so.
> 
> 
> diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
> index 585845203db8..076bc38963bf 100644
> --- a/virt/kvm/kvm_main.c
> +++ b/virt/kvm/kvm_main.c
> @@ -4044,7 +4044,7 @@ static void kvm_uevent_notify_change(unsigned int type, struct kvm *kvm)
>  	}
>  	add_uevent_var(env, "PID=%d", kvm->userspace_pid);
>  
> -	if (kvm->debugfs_dentry) {
> +	if (!IS_ERR_OR_NULL(kvm->debugfs_dentry)) {
>  		char *tmp, *p = kmalloc(PATH_MAX, GFP_KERNEL);
>  
>  		if (p) {
> 

Sure, go ahead.

Acked-by: Paolo Bonzini <pbonzini@redhat.com>

Paolo


* Re: [PATCH] kvm: properly check debugfs dentry before using it
  2019-02-28 15:14       ` Paolo Bonzini
@ 2019-02-28 15:32         ` Greg Kroah-Hartman
  0 siblings, 0 replies; 9+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-28 15:32 UTC (permalink / raw)
  To: Paolo Bonzini
  Cc: Radim Krčmář,
	Eric Biggers, kvm, syzbot, linux-fsdevel, linux-kernel,
	penguin-kernel, syzkaller-bugs, viro

On Thu, Feb 28, 2019 at 04:14:50PM +0100, Paolo Bonzini wrote:
> On 28/02/19 16:08, Greg Kroah-Hartman wrote:
> > debugfs can now report an error code if something went wrong instead of
> > just NULL.  So if the return value is to be used as a "real" dentry, it
> > needs to be checked if it is an error before dereferencing it.
> > 
> > This is now happening because of ff9fb72bc077 ("debugfs: return error
> > values, not NULL").  syzbot has found a way to trigger multiple debugfs
> > files attempting to be created, which fails, and then the error code
> > gets passed to dentry_path_raw() which obviously does not like it.
> > 
> > Reported-by: Eric Biggers <ebiggers@kernel.org>
> > Reported-and-tested-by: syzbot+7857962b4d45e602b8ad@syzkaller.appspotmail.com
> > Cc: Paolo Bonzini <pbonzini@redhat.com>
> > Cc: "Radim Krčmář" <rkrcmar@redhat.com>
> > Cc: kvm@vger.kernel.org
> > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> > 
> > ---
> > 
> > Paolo, this should be merged into 5.0-final, and if not there, then
> > 5.1-rc1 and then backported to 5.0 through the stable tree.  If you
> > want me to send this to Linus, I will be glad to do so.
> > 
> > 
> > diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
> > index 585845203db8..076bc38963bf 100644
> > --- a/virt/kvm/kvm_main.c
> > +++ b/virt/kvm/kvm_main.c
> > @@ -4044,7 +4044,7 @@ static void kvm_uevent_notify_change(unsigned int type, struct kvm *kvm)
> >  	}
> >  	add_uevent_var(env, "PID=%d", kvm->userspace_pid);
> >  
> > -	if (kvm->debugfs_dentry) {
> > +	if (!IS_ERR_OR_NULL(kvm->debugfs_dentry)) {
> >  		char *tmp, *p = kmalloc(PATH_MAX, GFP_KERNEL);
> >  
> >  		if (p) {
> > 
> 
> Sure, go ahead.
> 
> Acked-by: Paolo Bonzini <pbonzini@redhat.com>

Wonderful, will do so right now, thanks!

greg k-h


end of thread, other threads:[~2019-02-28 15:32 UTC | newest]

Thread overview: 9+ messages
2019-01-30 10:35 general protection fault in __dentry_path syzbot
2019-01-30 11:32 ` syzbot
2019-01-30 13:49   ` Tetsuo Handa
2019-02-21  4:14 ` syzbot
2019-02-26 19:19   ` Eric Biggers
2019-02-27  8:38     ` Greg Kroah-Hartman
2019-02-28 15:08     ` [PATCH] kvm: properly check debugfs dentry before using it Greg Kroah-Hartman
2019-02-28 15:14       ` Paolo Bonzini
2019-02-28 15:32         ` Greg Kroah-Hartman
