general protection fault in tomoyo_check_acl

From: syzbot
Date: Mon May 25 2020 - 23:46:44 EST


Hello,

syzbot found the following crash on:

HEAD commit: d2f8825a Merge tag 'for_linus' of git://git.kernel.org/pub..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13c55922100000
kernel config: https://syzkaller.appspot.com/x/.config?x=b3368ce0cc5f5ace
dashboard link: https://syzkaller.appspot.com/bug?extid=cff8c4c75acd8c6fb842
compiler: gcc (GCC) 9.0.0 20181231 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+cff8c4c75acd8c6fb842@xxxxxxxxxxxxxxxxxxxxxxxxx

general protection fault, probably for non-canonical address 0xe000026660000003: 0000 [#1] PREEMPT SMP KASAN
KASAN: probably user-memory-access in range [0x0000333300000018-0x000033330000001f]
CPU: 0 PID: 12489 Comm: systemd-rfkill Not tainted 5.7.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:tomoyo_check_acl+0xa9/0x3e0 security/tomoyo/domain.c:173
Code: 00 0f 85 2d 03 00 00 49 8b 1c 24 49 39 dc 0f 84 bd 01 00 00 e8 28 65 14 fe 48 8d 7b 18 48 89 f8 48 89 fa 48 c1 e8 03 83 e2 07 <0f> b6 04 28 38 d0 7f 08 84 c0 0f 85 a7 02 00 00 44 0f b6 73 18 31
RSP: 0018:ffffc90016987bc8 EFLAGS: 00010246
RAX: 0000066660000003 RBX: 0000333300000000 RCX: ffffffff835ed028
RDX: 0000000000000000 RSI: ffffffff835ecff8 RDI: 0000333300000018
RBP: dffffc0000000000 R08: ffff8880a1cce1c0 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff8880a72db990
R13: ffffc90016987c80 R14: 0000000000000033 R15: 0000000000000002
FS: 00007f9e4b6ba8c0(0000) GS:ffff8880ae600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f9e4b399e30 CR3: 000000004df8d000 CR4: 00000000001426f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
tomoyo_path_number_perm+0x314/0x4d0 security/tomoyo/file.c:733
security_file_ioctl+0x6c/0xb0 security/security.c:1460
ksys_ioctl+0x50/0x180 fs/ioctl.c:765
__do_sys_ioctl fs/ioctl.c:780 [inline]
__se_sys_ioctl fs/ioctl.c:778 [inline]
__x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:778
do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
entry_SYSCALL_64_after_hwframe+0x49/0xb3
RIP: 0033:0x7f9e4adab80a
Code: ff e9 62 fe ff ff 66 2e 0f 1f 84 00 00 00 00 00 53 49 89 f0 48 63 ff be 01 54 00 00 b8 10 00 00 00 48 83 ec 30 48 89 e2 0f 05 <48> 3d 00 f0 ff ff 77 6e 85 c0 89 c3 75 5c 8b 04 24 8b 54 24 0c 4c
RSP: 002b:00007fffcc16ea20 EFLAGS: 00000202 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000007 RCX: 00007f9e4adab80a
RDX: 00007fffcc16ea20 RSI: 0000000000005401 RDI: 0000000000000002
RBP: 0000000000000007 R08: 00007fffcc16ea60 R09: 0000000000000000
R10: 0000000000020d50 R11: 0000000000000202 R12: 000056153471ef90
R13: 00007fffcc16ec30 R14: 0000000000000000 R15: 0000000000000000
Modules linked in:
---[ end trace 1f05c0d7f6671379 ]---
RIP: 0010:tomoyo_check_acl+0xa9/0x3e0 security/tomoyo/domain.c:173
Code: 00 0f 85 2d 03 00 00 49 8b 1c 24 49 39 dc 0f 84 bd 01 00 00 e8 28 65 14 fe 48 8d 7b 18 48 89 f8 48 89 fa 48 c1 e8 03 83 e2 07 <0f> b6 04 28 38 d0 7f 08 84 c0 0f 85 a7 02 00 00 44 0f b6 73 18 31
RSP: 0018:ffffc90016987bc8 EFLAGS: 00010246
RAX: 0000066660000003 RBX: 0000333300000000 RCX: ffffffff835ed028
RDX: 0000000000000000 RSI: ffffffff835ecff8 RDI: 0000333300000018
RBP: dffffc0000000000 R08: ffff8880a1cce1c0 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff8880a72db990
R13: ffffc90016987c80 R14: 0000000000000033 R15: 0000000000000002
FS: 00007f9e4b6ba8c0(0000) GS:ffff8880ae600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055f7b8031310 CR3: 000000004df8d000 CR4: 00000000001426f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@xxxxxxxxxxxxxxxxx

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.