On Mon, Jan 8, 2018 at 2:58 AM, syzbot <syzbot+fa99e24f3c29d269a...@syzkaller.appspotmail.com> wrote: > Hello, > > syzkaller hit the following crash on > 895c0dde398510a5b5ded60e5064c11b94bd30ca > git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .config is attached > Raw console output is attached. > C reproducer is attached > syzkaller reproducer is attached. See https://goo.gl/kgGztJ > for information about syzkaller reproducers > > > IMPORTANT: if you fix the bug, please add the following tag to the commit: > Reported-by: syzbot+fa99e24f3c29d269a...@syzkaller.appspotmail.com > It will help syzbot understand when the bug is fixed. See footer for > details. > If you forward the report, please keep this part and the footer. > > RBP: 0000000000000006 R08: 0000000000000002 R09: 00007ffd20003032 > R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff > R13: ffffffffffffffff R14: 656c6c616b7a7973 R15: 0000000000000004 > kasan: CONFIG_KASAN_INLINE enabled > kasan: GPF could be caused by NULL-ptr deref or user memory access > general protection fault: 0000 [#1] SMP KASAN > Dumping ftrace buffer: > (ftrace buffer empty) > Modules linked in: > CPU: 0 PID: 3468 Comm: syzkaller619543 Not tainted 4.15.0-rc6-next-20180108+ > #90 > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS > Google 01/01/2011 > RIP: 0010:free_func_state kernel/bpf/verifier.c:378 [inline] > RIP: 0010:free_verifier_state+0x6d/0x130 kernel/bpf/verifier.c:388 > RSP: 0018:ffff8801d48f77b8 EFLAGS: 00010206 > RAX: 0000000000000000 RBX: 0000000000000000 RCX: 1ffff1003b6384a0 > RDX: 0000000000000000 RSI: 0000000000000071 RDI: 0000000000000388 > RBP: ffff8801d48f7800 R08: ffff8801db427d00 R09: 0000000000000000 > R10: 0000000000000000 R11: 0000000000000000 R12: ffff8801db1c2500 > R13: dffffc0000000000 R14: ffff8801db1c2500 R15: ffff8801db1c2500 > FS: 000000000254e880(0000) GS:ffff8801db400000(0000) knlGS:0000000000000000 > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > CR2: 0000000020386000 CR3: 00000001cb32e002 CR4: 00000000001606f0 > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 > DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 > Call Trace: > is_state_visited kernel/bpf/verifier.c:4414 [inline] > do_check+0x2442/0x9760 kernel/bpf/verifier.c:4488 > bpf_check+0x3087/0x5580 kernel/bpf/verifier.c:5483 > bpf_prog_load+0xbb2/0x1260 kernel/bpf/syscall.c:1205 > SYSC_bpf kernel/bpf/syscall.c:1820 [inline] > SyS_bpf+0x861/0x32e0 kernel/bpf/syscall.c:1782 > entry_SYSCALL_64_fastpath+0x23/0x9a
hmm. my patch with the fix got lost somehow. Will resend.
