TITLE: divide error in netfs_submit_writethrough | |
divide error: 0000 [#1] PREEMPT SMP KASAN NOPTI | |
CPU: 0 PID: 12946 Comm: syz-executor Not tainted 6.9.0-rc2-00413-gf2f80ac80987-dirty #25 | |
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-1.fc38 04/01/2014 | |
RIP: 0010:netfs_submit_writethrough+0x20e/0x290 fs/netfs/output.c:427 | |
Code: fc ff df 48 89 fa 48 c1 ea 03 0f b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 1a 8b 8b 0c 01 00 00 48 89 e8 31 d2 <48> ff | |
RSP: 0018:ffffc9000f88f760 EFLAGS: 00010246 | |
RAX: 0000000000001000 RBX: ffff8880564c2c00 RCX: 0000000000000000 | |
RDX: 0000000000000000 RSI: ffffffff823ceef6 RDI: ffff8880564c2d0c | |
RBP: 0000000000001000 R08: 0000000000000001 R09: 0000000000000000 | |
R10: 0000000000000000 R11: 0000000000000003 R12: 0000000000000000 | |
R13: ffff88806caa0008 R14: ffff8880564c2d20 R15: 0000000000000000 | |
FS: 00007f5d8dfa06c0(0000) GS:ffff8880b9200000(0000) knlGS:0000000000000000 | |
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 | |
CR2: 000000002000f000 CR3: 0000000059e98000 CR4: 0000000000750ef0 | |
PKRU: 55555554 | |
Call Trace: | |
<TASK> | |
netfs_advance_writethrough+0x14a/0x180 fs/netfs/output.c:449 | |
netfs_perform_write+0x1c70/0x27e0 fs/netfs/buffered_write.c:385 | |
netfs_buffered_write_iter_locked+0x232/0x2f0 fs/netfs/buffered_write.c:454 | |
netfs_file_write_iter+0x1f3/0x480 fs/netfs/buffered_write.c:493 | |
v9fs_file_write_iter+0xa8/0x110 fs/9p/vfs_file.c:407 | |
call_write_iter include/linux/fs.h:2110 [inline] | |
do_iter_readv_writev+0x53a/0x7c0 fs/read_write.c:741 | |
vfs_writev+0x386/0xe10 fs/read_write.c:971 | |
do_pwritev+0x1c1/0x280 fs/read_write.c:1072 | |
__do_sys_pwritev2 fs/read_write.c:1131 [inline] | |
__se_sys_pwritev2 fs/read_write.c:1122 [inline] | |
__x64_sys_pwritev2+0xf6/0x160 fs/read_write.c:1122 | |
do_syscall_x64 arch/x86/entry/common.c:52 [inline] | |
do_syscall_64+0xd5/0x260 arch/x86/entry/common.c:83 | |
entry_SYSCALL_64_after_hwframe+0x72/0x7a | |
RIP: 0033:0x7f5d8e4a5559 | |
Code: 08 89 e8 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 38 | |
RSP: 002b:00007f5d8df9fd58 EFLAGS: 00000246 ORIG_RAX: 0000000000000148 | |
RAX: ffffffffffffffda RBX: 00000000004bbf80 RCX: 00007f5d8e4a5559 | |
RDX: 0000000000000001 RSI: 0000000020000780 RDI: 0000000000000007 | |
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000016 | |
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004bbf8c | |
R13: 000000000000000b R14: 00000000004bbf80 R15: 00007f5d8df80000 | |
</TASK> | |
Modules linked in: | |
---[ end trace 0000000000000000 ]--- | |
RIP: 0010:netfs_submit_writethrough+0x20e/0x290 fs/netfs/output.c:427 | |
Code: fc ff df 48 89 fa 48 c1 ea 03 0f b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 1a 8b 8b 0c 01 00 00 48 89 e8 31 d2 <48> ff | |
RSP: 0018:ffffc9000f88f760 EFLAGS: 00010246 | |
RAX: 0000000000001000 RBX: ffff8880564c2c00 RCX: 0000000000000000 | |
RDX: 0000000000000000 RSI: ffffffff823ceef6 RDI: ffff8880564c2d0c | |
RBP: 0000000000001000 R08: 0000000000000001 R09: 0000000000000000 | |
R10: 0000000000000000 R11: 0000000000000003 R12: 0000000000000000 | |
R13: ffff88806caa0008 R14: ffff8880564c2d20 R15: 0000000000000000 | |
FS: 00007f5d8dfa06c0(0000) GS:ffff8880b9200000(0000) knlGS:0000000000000000 | |
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 | |
CR2: 000000002000f000 CR3: 0000000059e98000 CR4: 0000000000750ef0 | |
PKRU: 55555554 | |
---------------- | |
Code disassembly (best guess), 2 bytes skipped: | |
0: df 48 89 fisttps -0x77(%rax) | |
3: fa cli | |
4: 48 c1 ea 03 shr $0x3,%rdx | |
8: 0f b6 14 02 movzbl (%rdx,%rax,1),%edx | |
c: 48 89 f8 mov %rdi,%rax | |
f: 83 e0 07 and $0x7,%eax | |
12: 83 c0 03 add $0x3,%eax | |
15: 38 d0 cmp %dl,%al | |
17: 7c 04 jl 0x1d | |
19: 84 d2 test %dl,%dl | |
1b: 75 1a jne 0x37 | |
1d: 8b 8b 0c 01 00 00 mov 0x10c(%rbx),%ecx | |
23: 48 89 e8 mov %rbp,%rax | |
26: 31 d2 xor %edx,%edx | |
* 28: 48 rex.W <-- trapping instruction | |
29: ff .byte 0xff | |
TITLE: kernel panic: Fatal exception | |
CORRUPTED: true (report format is marked as corrupted) | |
MAINTAINERS (TO): [] | |
MAINTAINERS (CC): [] | |
CPU: 0 PID: 12946 Comm: syz-executor Not tainted 6.9.0-rc2-00413-gf2f80ac80987-dirty #25 | |
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-1.fc38 04/01/2014 | |
RIP: 0010:netfs_submit_writethrough+0x20e/0x290 fs/netfs/output.c:427 | |
Code: fc ff df 48 89 fa 48 c1 ea 03 0f b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 1a 8b 8b 0c 01 00 00 48 89 e8 31 d2 <48> ff | |
RSP: 0018:ffffc9000f88f760 EFLAGS: 00010246 | |
RAX: 0000000000001000 RBX: ffff8880564c2c00 RCX: 0000000000000000 | |
RDX: 0000000000000000 RSI: ffffffff823ceef6 RDI: ffff8880564c2d0c | |
RBP: 0000000000001000 R08: 0000000000000001 R09: 0000000000000000 | |
R10: 0000000000000000 R11: 0000000000000003 R12: 0000000000000000 | |
R13: ffff88806caa0008 R14: ffff8880564c2d20 R15: 0000000000000000 | |
FS: 00007f5d8dfa06c0(0000) GS:ffff8880b9200000(0000) knlGS:0000000000000000 | |
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 | |
CR2: 000000002000f000 CR3: 0000000059e98000 CR4: 0000000000750ef0 | |
PKRU: 55555554 | |
Call Trace: | |
<TASK> | |
netfs_advance_writethrough+0x14a/0x180 fs/netfs/output.c:449 | |
netfs_perform_write+0x1c70/0x27e0 fs/netfs/buffered_write.c:385 | |
netfs_buffered_write_iter_locked+0x232/0x2f0 fs/netfs/buffered_write.c:454 | |
netfs_file_write_iter+0x1f3/0x480 fs/netfs/buffered_write.c:493 | |
v9fs_file_write_iter+0xa8/0x110 fs/9p/vfs_file.c:407 | |
call_write_iter include/linux/fs.h:2110 [inline] | |
do_iter_readv_writev+0x53a/0x7c0 fs/read_write.c:741 | |
vfs_writev+0x386/0xe10 fs/read_write.c:971 | |
do_pwritev+0x1c1/0x280 fs/read_write.c:1072 | |
__do_sys_pwritev2 fs/read_write.c:1131 [inline] | |
__se_sys_pwritev2 fs/read_write.c:1122 [inline] | |
__x64_sys_pwritev2+0xf6/0x160 fs/read_write.c:1122 | |
do_syscall_x64 arch/x86/entry/common.c:52 [inline] | |
do_syscall_64+0xd5/0x260 arch/x86/entry/common.c:83 | |
entry_SYSCALL_64_after_hwframe+0x72/0x7a | |
RIP: 0033:0x7f5d8e4a5559 | |
Code: 08 89 e8 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 38 | |
RSP: 002b:00007f5d8df9fd58 EFLAGS: 00000246 ORIG_RAX: 0000000000000148 | |
RAX: ffffffffffffffda RBX: 00000000004bbf80 RCX: 00007f5d8e4a5559 | |
RDX: 0000000000000001 RSI: 0000000020000780 RDI: 0000000000000007 | |
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000016 | |
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004bbf8c | |
R13: 000000000000000b R14: 00000000004bbf80 R15: 00007f5d8df80000 | |
</TASK> | |
Modules linked in: | |
---[ end trace 0000000000000000 ]--- | |
RIP: 0010:netfs_submit_writethrough+0x20e/0x290 fs/netfs/output.c:427 | |
Code: fc ff df 48 89 fa 48 c1 ea 03 0f b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 1a 8b 8b 0c 01 00 00 48 89 e8 31 d2 <48> ff | |
RSP: 0018:ffffc9000f88f760 EFLAGS: 00010246 | |
RAX: 0000000000001000 RBX: ffff8880564c2c00 RCX: 0000000000000000 | |
RDX: 0000000000000000 RSI: ffffffff823ceef6 RDI: ffff8880564c2d0c | |
RBP: 0000000000001000 R08: 0000000000000001 R09: 0000000000000000 | |
R10: 0000000000000000 R11: 0000000000000003 R12: 0000000000000000 | |
R13: ffff88806caa0008 R14: ffff8880564c2d20 R15: 0000000000000000 | |
FS: 00007f5d8dfa06c0(0000) GS:ffff8880b9200000(0000) knlGS:0000000000000000 | |
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 | |
CR2: 000000002000f000 CR3: 0000000059e98000 CR4: 0000000000750ef0 | |
PKRU: 55555554 | |
Kernel panic - not syncing: Fatal exception | |
Kernel Offset: disabled | |
Rebooting in 86400 seconds.. | |
---------------- | |
Code disassembly (best guess), 2 bytes skipped: | |
0: df 48 89 fisttps -0x77(%rax) | |
3: fa cli | |
4: 48 c1 ea 03 shr $0x3,%rdx | |
8: 0f b6 14 02 movzbl (%rdx,%rax,1),%edx | |
c: 48 89 f8 mov %rdi,%rax | |
f: 83 e0 07 and $0x7,%eax | |
12: 83 c0 03 add $0x3,%eax | |
15: 38 d0 cmp %dl,%al | |
17: 7c 04 jl 0x1d | |
19: 84 d2 test %dl,%dl | |
1b: 75 1a jne 0x37 | |
1d: 8b 8b 0c 01 00 00 mov 0x10c(%rbx),%ecx | |
23: 48 89 e8 mov %rbp,%rax | |
26: 31 d2 xor %edx,%edx | |
* 28: 48 rex.W <-- trapping instruction | |
29: ff .byte 0xff |
#define _GNU_SOURCE | |
#include <endian.h> | |
#include <stdint.h> | |
#include <stdio.h> | |
#include <stdlib.h> | |
#include <string.h> | |
#include <sys/syscall.h> | |
#include <sys/types.h> | |
#include <unistd.h> | |
#ifndef __NR_pwritev2 | |
#define __NR_pwritev2 328 | |
#endif | |
/* Resource slots filled in by main(): r[0]/r[1] receive the two pipe ends,
 * r[2] the dup() of the write end and r[3] the fd from the final creat().
 * Every slot starts as all-ones, the 64-bit image of an invalid (-1) fd. */
uint64_t r[4] = {UINT64_MAX, UINT64_MAX, UINT64_MAX, UINT64_MAX};
/*
 * Generated reproducer for the "divide error in netfs_submit_writethrough"
 * report above (fs/netfs/output.c:427, reached via pwritev2 on a 9p file).
 *
 * What the visible syscalls do, in order:
 *   1. map a fixed RWX scratch region at 0x20000000 that every later absolute
 *      address points into, with a PROT_NONE page on either side;
 *   2. create a pipe and queue a few hand-built records on its write end;
 *   3. mount 9p over ./file0 with trans=fd, passing BOTH ends of that same
 *      pipe (rfdno = read end, wfdno = dup of the write end), so the bytes
 *      queued in step 2 are what the 9p client reads back as "server"
 *      replies (the syz program below labels the first one P9_RVERSION);
 *   4. open ./file0 on the mount and issue pwritev2 with sync flags.
 *
 * About the crash itself: in the register dump RCX is 0 at the trapping
 * instruction, and the disassembly shows %ecx loaded from 0x10c(%rbx) right
 * before it, after `mov %rbp,%rax; xor %edx,%edx` -- the usual setup for an
 * unsigned 64-bit divide by %rcx.  So the divisor is a zero-valued field of
 * the structure in %rbx.  NOTE(review): which field that is needs the source
 * at output.c:427, not on this page -- confirm before citing a root cause.
 * The report ends in "Kernel panic - not syncing: Fatal exception", i.e. a
 * crash/denial-of-service; no memory-corruption primitive is visible here.
 *
 * The scratch mapping is anonymous, so any byte not explicitly written below
 * reads as zero.  Return values are mostly ignored, as is normal for
 * generated reproducers; this is not code to model robust programs on.
 */
int main(void) {
  /* 0x32 == MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS on x86-64.  The middle
   * 16 MiB region (prot 7 == RWX) is the scratch area; the two 4 KiB
   * PROT_NONE pages flanking it are presumably guards. */
  syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, /*prot=*/0ul,
          /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul, /*prot=*/7ul,
          /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul,
          /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
  intptr_t res = 0;
  /* Create ./file0 (mode 0); this path is later used as the 9p mount point. */
  memcpy((void*)0x20000240, "./file0\000", 8);
  syscall(__NR_creat, /*file=*/0x20000240ul, /*mode=*/0ul);
  /* r[0] = read end, r[1] = write end of the pipe. */
  res = syscall(__NR_pipe2, /*pipefd=*/0x20001900ul, /*flags=*/0ul);
  if (res != -1) {
    r[0] = *(uint32_t*)0x20001900;
    r[1] = *(uint32_t*)0x20001904;
  }
  /* 19 bytes are copied but 0x15 (21) are written: a little-endian size
   * field of 0x15, type 0x65, tag 0xffff, then "9P2000" at the end.  The
   * two trailing bytes come from the zero-filled mapping. */
  memcpy((void*)0x20000480,
         "\x15\x00\x00\x00\x65\xff\xff\x01\x80\x00\x00\x08\x00\x39\x50\x32\x30"
         "\x30\x30",
         19);
  syscall(__NR_write, /*fd=*/r[1], /*data=*/0x20000480ul, /*size=*/0x15ul);
  /* r[2] is a second descriptor for the pipe's write end; it becomes wfdno. */
  res = syscall(__NR_dup, /*oldfd=*/r[1]);
  if (res != -1)
    r[2] = res;
  /* A 0x18-byte record (size field 0x18, rest zero), queued on the pipe. */
  *(uint32_t*)0x20000100 = 0x18;
  *(uint32_t*)0x20000104 = 0;
  *(uint64_t*)0x20000108 = 0;
  *(uint64_t*)0x20000110 = 0;
  syscall(__NR_write, /*fd=*/r[2], /*arg=*/0x20000100ul, /*len=*/0x18ul);
  /* Size field 0x14c, second word 5, then zeros; only 0x2c bytes are set
   * but 0x137 are written, so the tail is whatever the scratch mapping holds
   * at that point (this range includes the 0x18-byte record above). */
  *(uint32_t*)0x200000c0 = 0x14c;
  *(uint32_t*)0x200000c4 = 5;
  *(uint64_t*)0x200000c8 = 0;
  *(uint64_t*)0x200000d0 = 0;
  *(uint64_t*)0x200000d8 = 0;
  *(uint64_t*)0x200000e0 = 0;
  *(uint32_t*)0x200000e8 = 0;
  *(uint32_t*)0x200000ec = 0;
  syscall(__NR_write, /*fd=*/r[2], /*arg=*/0x200000c0ul, /*len=*/0x137ul);
  /* Build the mount option string piecewise at 0x20000280:
   *   "trans=fd,rfdno=0x<r0>,wfdno=0x<r2>,cache=mmap,k"
   * Each sprintf emits 18 chars ("0x" + 16 hex digits) plus a NUL that the
   * following ',' (0x2c) overwrites.  The final 'k' (0x6b) is followed by a
   * NUL from the zero-filled mapping. */
  memcpy((void*)0x20000080, "./file0\000", 8);
  memcpy((void*)0x20000040, "9p\000", 3);
  memcpy((void*)0x20000280, "trans=fd,", 9);
  memcpy((void*)0x20000289, "rfdno", 5);
  *(uint8_t*)0x2000028e = 0x3d;
  sprintf((char*)0x2000028f, "0x%016llx", (long long)r[0]);
  *(uint8_t*)0x200002a1 = 0x2c;
  memcpy((void*)0x200002a2, "wfdno", 5);
  *(uint8_t*)0x200002a7 = 0x3d;
  sprintf((char*)0x200002a8, "0x%016llx", (long long)r[2]);
  *(uint8_t*)0x200002ba = 0x2c;
  memcpy((void*)0x200002bb, "cache=mmap", 10);
  *(uint8_t*)0x200002c5 = 0x2c;
  *(uint8_t*)0x200002c6 = 0x6b;
  /* Mount 9p over ./file0 with no source and flags 0; the transport fds are
   * the two ends of the pipe filled above. */
  syscall(__NR_mount, /*src=*/0ul, /*dst=*/0x20000080ul, /*type=*/0x20000040ul,
          /*flags=*/0ul, /*opts=*/0x20000280ul);
  memcpy((void*)0x20000140, "./file0\000", 8);
  syscall(__NR_chmod, /*file=*/0x20000140ul, /*mode=*/0ul);
  /* r[3] = fd for ./file0 as seen through the 9p mount. */
  memcpy((void*)0x20000300, "./file0\000", 8);
  res = syscall(__NR_creat, /*file=*/0x20000300ul, /*mode=*/0ul);
  if (res != -1)
    r[3] = res;
  /* One iovec: base 0x20000180 (a single byte 0x8e set, the rest zero),
   * length 0xfdef, still inside the scratch mapping. */
  *(uint64_t*)0x20000780 = 0x20000180;
  memset((void*)0x20000180, 142, 1);
  *(uint64_t*)0x20000788 = 0xfdef;
  /* flags 0x16 == RWF_DSYNC|RWF_SYNC|RWF_APPEND.  NOTE(review): the sync
   * flags are presumably what routes this write through the netfs
   * write-through path named in the call trace -- confirm against the
   * kernel source. */
  syscall(__NR_pwritev2, /*fd=*/r[3], /*vec=*/0x20000780ul, /*vlen=*/1ul,
          /*off_low=*/0, /*off_high=*/0, /*flags=*/0x16ul);
  return 0;
}
creat(&(0x7f0000000240)='./file0\x00', 0x0) | |
pipe2$9p(&(0x7f0000001900)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff}, 0x0) | |
write$P9_RVERSION(r1, &(0x7f0000000480)=ANY=[@ANYBLOB="1500000065ffff018000000800395032303030"], 0x15) | |
r2 = dup(r1) | |
write$FUSE_BMAP(r2, &(0x7f0000000100)={0x18}, 0x18) | |
write$FUSE_NOTIFY_RETRIEVE(r2, &(0x7f00000000c0)={0x14c}, 0x137) | |
mount$9p_fd(0x0, &(0x7f0000000080)='./file0\x00', &(0x7f0000000040), 0x0, &(0x7f0000000280)={'trans=fd,', {'rfdno', 0x3d, r0}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@cache_mmap}], [], 0x6b}}) | |
chmod(&(0x7f0000000140)='./file0\x00', 0x0) | |
r3 = creat(&(0x7f0000000300)='./file0\x00', 0x0) | |
pwritev2(r3, &(0x7f0000000780)=[{&(0x7f0000000180)="8e", 0xfdef}], 0x1, 0x0, 0x0, 0x16) |