KASAN: stack-out-of-bounds Read in xfrm_state_find


syzbot

Dec 31, 2022, 7:40:43 PM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: c73b4619ad86 ANDROID: abi preservation for fscrypt change ..
git tree: android13-5.15-lts
console+strace: https://syzkaller.appspot.com/x/log.txt?x=176bcf14480000
kernel config: https://syzkaller.appspot.com/x/.config?x=d7c9bd3bb9661aad
dashboard link: https://syzkaller.appspot.com/bug?extid=ada7c035554bcee65580
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=138527f8480000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=143357c4480000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/d4a785f6c196/disk-c73b4619.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/e2fba875c9ab/vmlinux-c73b4619.xz
kernel image: https://storage.googleapis.com/syzbot-assets/a870e2543ec9/bzImage-c73b4619.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ada7c0...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: stack-out-of-bounds in jhash2 include/linux/jhash.h:138 [inline]
BUG: KASAN: stack-out-of-bounds in __xfrm6_addr_hash net/xfrm/xfrm_hash.h:16 [inline]
BUG: KASAN: stack-out-of-bounds in __xfrm6_daddr_saddr_hash net/xfrm/xfrm_hash.h:29 [inline]
BUG: KASAN: stack-out-of-bounds in __xfrm_dst_hash net/xfrm/xfrm_hash.h:95 [inline]
BUG: KASAN: stack-out-of-bounds in xfrm_dst_hash net/xfrm/xfrm_state.c:63 [inline]
BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x2f9a/0x3510 net/xfrm/xfrm_state.c:1092
Read of size 4 at addr ffffc900001d0a38 by task swapper/1/0

CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.15.78-syzkaller-00911-gc73b4619ad86 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x151/0x1b7 lib/dump_stack.c:106
print_address_description+0x87/0x3d0 mm/kasan/report.c:256
__kasan_report mm/kasan/report.c:435 [inline]
kasan_report+0x1a6/0x1f0 mm/kasan/report.c:452
__asan_report_load4_noabort+0x14/0x20 mm/kasan/report_generic.c:308
jhash2 include/linux/jhash.h:138 [inline]
__xfrm6_addr_hash net/xfrm/xfrm_hash.h:16 [inline]
__xfrm6_daddr_saddr_hash net/xfrm/xfrm_hash.h:29 [inline]
__xfrm_dst_hash net/xfrm/xfrm_hash.h:95 [inline]
xfrm_dst_hash net/xfrm/xfrm_state.c:63 [inline]
xfrm_state_find+0x2f9a/0x3510 net/xfrm/xfrm_state.c:1092
xfrm_tmpl_resolve_one net/xfrm/xfrm_policy.c:2393 [inline]
xfrm_tmpl_resolve net/xfrm/xfrm_policy.c:2438 [inline]
xfrm_resolve_and_create_bundle+0x66d/0x2c80 net/xfrm/xfrm_policy.c:2731
xfrm_bundle_lookup net/xfrm/xfrm_policy.c:2966 [inline]
xfrm_lookup_with_ifid+0xa1c/0x2640 net/xfrm/xfrm_policy.c:3097
xfrm_lookup net/xfrm/xfrm_policy.c:3194 [inline]
xfrm_lookup_route+0x3b/0x160 net/xfrm/xfrm_policy.c:3205
ip_route_output_flow+0x1e7/0x310 net/ipv4/route.c:2889
ip_route_output_ports include/net/route.h:169 [inline]
igmpv3_newpack+0x413/0x1080 net/ipv4/igmp.c:369
add_grhead+0x84/0x320 net/ipv4/igmp.c:440
add_grec+0x12f8/0x1600 net/ipv4/igmp.c:574
igmpv3_send_cr net/ipv4/igmp.c:711 [inline]
igmp_ifc_timer_expire+0x8b0/0xf90 net/ipv4/igmp.c:810
call_timer_fn+0x35/0x270 kernel/time/timer.c:1427
expire_timers+0x21b/0x3a0 kernel/time/timer.c:1472
__run_timers+0x598/0x6f0 kernel/time/timer.c:1743
run_timer_softirq+0x69/0xf0 kernel/time/timer.c:1756
__do_softirq+0x27e/0x5dc kernel/softirq.c:565
invoke_softirq+0xb/0x50 kernel/softirq.c:425
__irq_exit_rcu+0x4f/0xb0 kernel/softirq.c:647
irq_exit_rcu+0x9/0x10 kernel/softirq.c:659
sysvec_apic_timer_interrupt+0x9a/0xc0 arch/x86/kernel/apic/apic.c:1097
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1b/0x20 arch/x86/include/asm/idtentry.h:638
RIP: 0010:native_irq_disable arch/x86/include/asm/irqflags.h:40 [inline]
RIP: 0010:arch_local_irq_disable arch/x86/include/asm/irqflags.h:75 [inline]
RIP: 0010:acpi_safe_halt drivers/acpi/processor_idle.c:110 [inline]
RIP: 0010:acpi_idle_do_entry drivers/acpi/processor_idle.c:553 [inline]
RIP: 0010:acpi_idle_enter+0x411/0x6d0 drivers/acpi/processor_idle.c:688
Code: 8b 1b 48 89 de 48 83 e6 08 31 ff e8 19 c2 a8 fc 48 83 e3 08 0f 85 a2 00 00 00 66 90 e8 e8 bc a8 fc 0f 00 2d 11 d5 c5 00 fb f4 <fa> e9 98 00 00 00 49 83 c7 04 4c 89 f8 48 c1 e8 03 42 8a 04 30 84
RSP: 0018:ffffc90000157c70 EFLAGS: 000002d3
RAX: ffffffff84c8e2a8 RBX: 0000000000000000 RCX: ffff888100372780
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90000157cb0 R08: ffffffff84c8e297 R09: ffffed102006e4f1
R10: ffffed102006e4f1 R11: 1ffff1102006e4f0 R12: 0000000000000001
R13: ffff888103bbd804 R14: dffffc0000000000 R15: ffff888105db5064
cpuidle_enter_state+0x5d0/0x14a0 drivers/cpuidle/cpuidle.c:249
cpuidle_enter+0x5f/0xa0 drivers/cpuidle/cpuidle.c:364
call_cpuidle kernel/sched/idle.c:158 [inline]
cpuidle_idle_call kernel/sched/idle.c:239 [inline]
do_idle+0x379/0x5e0 kernel/sched/idle.c:306
cpu_startup_entry+0x25/0x30 kernel/sched/idle.c:403
start_secondary+0xde/0xf0 arch/x86/kernel/smpboot.c:270
secondary_startup_64_no_verify+0xb1/0xbb
</TASK>


Memory state around the buggy address:
ffffc900001d0900: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
ffffc900001d0980: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
>ffffc900001d0a00: 00 00 00 00 00 00 00 f3 f3 f3 f3 f3 00 00 00 00
^
ffffc900001d0a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffffc900001d0b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
----------------
Code disassembly (best guess):
0: 8b 1b mov (%rbx),%ebx
2: 48 89 de mov %rbx,%rsi
5: 48 83 e6 08 and $0x8,%rsi
9: 31 ff xor %edi,%edi
b: e8 19 c2 a8 fc callq 0xfca8c229
10: 48 83 e3 08 and $0x8,%rbx
14: 0f 85 a2 00 00 00 jne 0xbc
1a: 66 90 xchg %ax,%ax
1c: e8 e8 bc a8 fc callq 0xfca8bd09
21: 0f 00 2d 11 d5 c5 00 verw 0xc5d511(%rip) # 0xc5d539
28: fb sti
29: f4 hlt
* 2a: fa cli <-- trapping instruction
2b: e9 98 00 00 00 jmpq 0xc8
30: 49 83 c7 04 add $0x4,%r15
34: 4c 89 f8 mov %r15,%rax
37: 48 c1 e8 03 shr $0x3,%rax
3b: 42 8a 04 30 mov (%rax,%r14,1),%al
3f: 84 .byte 0x84


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches

syzbot

Dec 31, 2022, 8:05:50 PM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: a8aad8851131 ANDROID: GKI: enable mulitcolor-led
git tree: android12-5.4
console+strace: https://syzkaller.appspot.com/x/log.txt?x=13cfab88480000
kernel config: https://syzkaller.appspot.com/x/.config?x=b4f7fdc1fca3154e
dashboard link: https://syzkaller.appspot.com/bug?extid=d9747a1ee3bcfff01cf8
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10b29312480000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1524ba2a480000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/71fa3d1afcd2/disk-a8aad885.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/6d25e2985873/vmlinux-a8aad885.xz
kernel image: https://storage.googleapis.com/syzbot-assets/97866ff1e151/bzImage-a8aad885.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d9747a...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: stack-out-of-bounds in jhash2 include/linux/jhash.h:137 [inline]
BUG: KASAN: stack-out-of-bounds in __xfrm6_addr_hash net/xfrm/xfrm_hash.h:16 [inline]
BUG: KASAN: stack-out-of-bounds in __xfrm6_daddr_saddr_hash net/xfrm/xfrm_hash.h:29 [inline]
BUG: KASAN: stack-out-of-bounds in __xfrm_dst_hash net/xfrm/xfrm_hash.h:95 [inline]
BUG: KASAN: stack-out-of-bounds in xfrm_dst_hash net/xfrm/xfrm_state.c:63 [inline]
BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x2f65/0x34a0 net/xfrm/xfrm_state.c:1063
Read of size 4 at addr ffff8881f6f09a18 by task swapper/1/0

CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.4.219-syzkaller-00012-ga8aad8851131 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1d8/0x241 lib/dump_stack.c:118
print_address_description+0x8c/0x630 mm/kasan/report.c:384
__kasan_report+0xf6/0x130 mm/kasan/report.c:516
kasan_report+0x30/0x60 mm/kasan/common.c:653
jhash2 include/linux/jhash.h:137 [inline]
__xfrm6_addr_hash net/xfrm/xfrm_hash.h:16 [inline]
__xfrm6_daddr_saddr_hash net/xfrm/xfrm_hash.h:29 [inline]
__xfrm_dst_hash net/xfrm/xfrm_hash.h:95 [inline]
xfrm_dst_hash net/xfrm/xfrm_state.c:63 [inline]
xfrm_state_find+0x2f65/0x34a0 net/xfrm/xfrm_state.c:1063
xfrm_tmpl_resolve_one net/xfrm/xfrm_policy.c:2397 [inline]
xfrm_tmpl_resolve net/xfrm/xfrm_policy.c:2442 [inline]
xfrm_resolve_and_create_bundle+0x6fc/0x3290 net/xfrm/xfrm_policy.c:2736
xfrm_bundle_lookup net/xfrm/xfrm_policy.c:2960 [inline]
xfrm_lookup_with_ifid+0x78a/0x2120 net/xfrm/xfrm_policy.c:3091
xfrm_lookup net/xfrm/xfrm_policy.c:3183 [inline]
xfrm_lookup_route+0x37/0x170 net/xfrm/xfrm_policy.c:3194
ip_route_output_flow+0x1f6/0x320 net/ipv4/route.c:2756
ip_route_output_ports include/net/route.h:163 [inline]
igmpv3_newpack+0x414/0x1040 net/ipv4/igmp.c:371
add_grhead+0x75/0x2b0 net/ipv4/igmp.c:442
add_grec+0x12f8/0x1600 net/ipv4/igmp.c:576
igmpv3_send_cr net/ipv4/igmp.c:713 [inline]
igmp_ifc_timer_expire+0x823/0xf10 net/ipv4/igmp.c:811
call_timer_fn+0x31/0x350 kernel/time/timer.c:1418
expire_timers+0x21e/0x400 kernel/time/timer.c:1463
__run_timers+0x5e0/0x700 kernel/time/timer.c:1787
run_timer_softirq+0x46/0x80 kernel/time/timer.c:1800
__do_softirq+0x23e/0x643 kernel/softirq.c:292
invoke_softirq kernel/softirq.c:373 [inline]
irq_exit+0x195/0x1c0 kernel/softirq.c:413
exiting_irq arch/x86/include/asm/apic.h:538 [inline]
smp_apic_timer_interrupt+0x113/0x440 arch/x86/kernel/apic/apic.c:1150
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:834
</IRQ>

The buggy address belongs to the page:
page:ffffea0007dbc240 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0x8000000000001000(reserved)
raw: 8000000000001000 ffffea0007dbc248 ffffea0007dbc248 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner info is not present (never set?)

Memory state around the buggy address:
ffff8881f6f09900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8881f6f09980: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00
>ffff8881f6f09a00: 00 00 00 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
^
ffff8881f6f09a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8881f6f09b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================

Tudor Ambarus

Jan 3, 2023, 2:53:44 AM
to syzbot+ada7c0...@syzkaller.appspotmail.com, jone...@google.com, syzkaller-a...@googlegroups.com

syzbot

Jan 3, 2023, 7:02:17 AM
to jone...@google.com, syzkaller-a...@googlegroups.com, tudor....@linaro.org
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: stack-out-of-bounds Read in xfrm_state_find

==================================================================
BUG: KASAN: stack-out-of-bounds in jhash2 include/linux/jhash.h:138 [inline]
BUG: KASAN: stack-out-of-bounds in __xfrm6_addr_hash net/xfrm/xfrm_hash.h:16 [inline]
BUG: KASAN: stack-out-of-bounds in __xfrm6_daddr_saddr_hash net/xfrm/xfrm_hash.h:29 [inline]
BUG: KASAN: stack-out-of-bounds in __xfrm_dst_hash net/xfrm/xfrm_hash.h:95 [inline]
BUG: KASAN: stack-out-of-bounds in xfrm_dst_hash net/xfrm/xfrm_state.c:64 [inline]
BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x429b/0x4a00 net/xfrm/xfrm_state.c:1159
Read of size 4 at addr ffffc90002e6f980 by task udevd/389

CPU: 0 PID: 389 Comm: udevd Not tainted 6.2.0-rc2-syzkaller-00127-g69b41ac87e4a #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x151/0x1c0 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:306 [inline]
print_report+0x164/0x510 mm/kasan/report.c:417
kasan_report+0x13f/0x170 mm/kasan/report.c:517
__asan_report_load4_noabort+0x14/0x20 mm/kasan/report_generic.c:350
jhash2 include/linux/jhash.h:138 [inline]
__xfrm6_addr_hash net/xfrm/xfrm_hash.h:16 [inline]
__xfrm6_daddr_saddr_hash net/xfrm/xfrm_hash.h:29 [inline]
__xfrm_dst_hash net/xfrm/xfrm_hash.h:95 [inline]
xfrm_dst_hash net/xfrm/xfrm_state.c:64 [inline]
xfrm_state_find+0x429b/0x4a00 net/xfrm/xfrm_state.c:1159
xfrm_tmpl_resolve_one net/xfrm/xfrm_policy.c:2467 [inline]
xfrm_tmpl_resolve net/xfrm/xfrm_policy.c:2512 [inline]
xfrm_resolve_and_create_bundle+0x66d/0x2cb0 net/xfrm/xfrm_policy.c:2805
xfrm_bundle_lookup net/xfrm/xfrm_policy.c:3040 [inline]
xfrm_lookup_with_ifid+0xa1c/0x2640 net/xfrm/xfrm_policy.c:3171
xfrm_lookup net/xfrm/xfrm_policy.c:3268 [inline]
xfrm_lookup_route+0x3b/0x160 net/xfrm/xfrm_policy.c:3279
ip_route_output_flow+0x20d/0x330 net/ipv4/route.c:2880
ip_route_output_ports include/net/route.h:183 [inline]
igmpv3_newpack+0x3b6/0x1010 net/ipv4/igmp.c:369
add_grhead+0x84/0x320 net/ipv4/igmp.c:440
add_grec+0x12f5/0x1600 net/ipv4/igmp.c:574
igmpv3_send_cr net/ipv4/igmp.c:711 [inline]
igmp_ifc_timer_expire+0x89a/0xf80 net/ipv4/igmp.c:810
call_timer_fn+0x35/0x270 kernel/time/timer.c:1700
expire_timers+0x22a/0x3c0 kernel/time/timer.c:1751
__run_timers+0x598/0x6f0 kernel/time/timer.c:2022
run_timer_softirq+0x69/0xf0 kernel/time/timer.c:2035
__do_softirq+0x1a5/0x5a3 kernel/softirq.c:571
invoke_softirq+0x70/0xd0 kernel/softirq.c:445
__irq_exit_rcu+0x4f/0xb0 kernel/softirq.c:650
irq_exit_rcu+0x9/0x10 kernel/softirq.c:662
sysvec_apic_timer_interrupt+0x49/0xc0 arch/x86/kernel/apic/apic.c:1107
asm_sysvec_apic_timer_interrupt+0x1b/0x20 arch/x86/include/asm/idtentry.h:649
RIP: 0033:0x7f085b6b7052
Code: 48 89 6b 20 48 89 6b 18 48 89 6b 08 4c 89 6b 10 48 89 6b 28 44 89 e0 48 89 6b 30 48 83 c4 08 5b 5d 41 5c 41 5d c3 66 90 41 57 <49> 89 cf 41 56 49 89 d6 41 55 41 54 55 53 44 89 c3 48 81 ec 48 01
RSP: 002b:00007ffd336a5db0 EFLAGS: 00000246
RAX: 00007ffd336a5de0 RBX: 000000000000007a RCX: 00007ffd336a5dc8
RDX: 000055ba2586c0f9 RSI: 0000000000000020 RDI: 00007ffd336a5ea8
RBP: 00007ffd336a648e R08: 0000000000000000 R09: 0000000000000000
R10: 00007f085b7a2ac0 R11: 00007f085b7a33c0 R12: 000055ba26e2e880
R13: 00007ffd336a5ea8 R14: 00007ffd336a648e R15: 0000000000000001
</TASK>

The buggy address belongs to stack of task udevd/389
and is located at offset 96 in frame:
igmpv3_newpack+0x0/0x1010

This frame has 1 object:
[32, 96) 'fl4'

The buggy address belongs to the virtual mapping at
[ffffc90002e68000, ffffc90002e71000) created by:
dup_task_struct+0x95/0x4a0 kernel/fork.c:987

The buggy address belongs to the physical page:
page:ffffea000484d280 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12134a
flags: 0x4000000000000000(zone=1)
raw: 4000000000000000 0000000000000000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x102dc2(GFP_HIGHUSER|__GFP_NOWARN|__GFP_ZERO), pid 95, tgid 95 (udevd), ts 38467798656, free_ts 32094489781
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x1eb/0x1f0 mm/page_alloc.c:2524
prep_new_page mm/page_alloc.c:2531 [inline]
get_page_from_freelist+0x375/0x3f0 mm/page_alloc.c:4283
__alloc_pages+0x3d1/0x7c0 mm/page_alloc.c:5549
__vmalloc_area_node mm/vmalloc.c:3057 [inline]
__vmalloc_node_range+0x8c7/0x1390 mm/vmalloc.c:3227
alloc_thread_stack_node+0x320/0x540 kernel/fork.c:311
dup_task_struct+0x95/0x4a0 kernel/fork.c:987
copy_process+0x51a/0x3350 kernel/fork.c:2097
kernel_clone+0x22d/0x840 kernel/fork.c:2681
__do_sys_clone kernel/fork.c:2822 [inline]
__se_sys_clone kernel/fork.c:2806 [inline]
__x64_sys_clone+0x276/0x2e0 kernel/fork.c:2806
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x2f/0x50 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1446 [inline]
free_pcp_prepare+0x4c0/0x4d0 mm/page_alloc.c:1519
free_unref_page_prepare mm/page_alloc.c:3369 [inline]
free_unref_page+0x1c/0x420 mm/page_alloc.c:3464
__folio_put_small mm/swap.c:106 [inline]
__folio_put+0x7b/0xa0 mm/swap.c:129
folio_put include/linux/mm.h:1250 [inline]
put_page include/linux/mm.h:1319 [inline]
anon_pipe_buf_release+0x178/0x1e0 fs/pipe.c:138
pipe_buf_release include/linux/pipe_fs_i.h:183 [inline]
pipe_read+0x5c1/0x1060 fs/pipe.c:324
call_read_iter include/linux/fs.h:2180 [inline]
new_sync_read fs/read_write.c:389 [inline]
vfs_read+0x740/0xb00 fs/read_write.c:470
ksys_read+0x198/0x2c0 fs/read_write.c:613
__do_sys_read fs/read_write.c:623 [inline]
__se_sys_read fs/read_write.c:621 [inline]
__x64_sys_read+0x7b/0x90 fs/read_write.c:621
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x2f/0x50 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Memory state around the buggy address:
ffffc90002e6f880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffffc90002e6f900: 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00 00
>ffffc90002e6f980: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
^
ffffc90002e6fa00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffffc90002e6fa80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================


Tested on:

commit: 69b41ac8 Merge tag 'for-6.2-rc2-tag' of git://git.kern..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=16cb1452480000
kernel config: https://syzkaller.appspot.com/x/.config?x=fb3b16ad6f6aed37
dashboard link: https://syzkaller.appspot.com/bug?extid=ada7c035554bcee65580
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2

Note: no patches were applied.

Tudor Ambarus

Jun 14, 2023, 3:39:09 AM
to syzbot+ada7c0...@syzkaller.appspotmail.com, jone...@google.com, syzkaller-a...@googlegroups.com

syzbot

Jun 14, 2023, 3:53:35 AM
to jone...@google.com, syzkaller-a...@googlegroups.com, tudor....@linaro.org
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: stack-out-of-bounds Read in __xfrm_dst_hash

==================================================================
BUG: KASAN: stack-out-of-bounds in jhash2 include/linux/jhash.h:138 [inline]
BUG: KASAN: stack-out-of-bounds in __xfrm6_addr_hash net/xfrm/xfrm_hash.h:16 [inline]
BUG: KASAN: stack-out-of-bounds in __xfrm6_daddr_saddr_hash net/xfrm/xfrm_hash.h:29 [inline]
BUG: KASAN: stack-out-of-bounds in __xfrm_dst_hash+0x38d/0x460 net/xfrm/xfrm_hash.h:95
Read of size 4 at addr ffffc900001b0aa0 by task kauditd/28

CPU: 1 PID: 28 Comm: kauditd Tainted: G W 6.4.0-rc1-syzkaller-00222-ga94fd40a18ae #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x155/0x1c0 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:351 [inline]
print_report+0x15d/0x540 mm/kasan/report.c:462
kasan_report+0x16d/0x1a0 mm/kasan/report.c:572
__asan_report_load4_noabort+0x18/0x20 mm/kasan/report_generic.c:380
jhash2 include/linux/jhash.h:138 [inline]
__xfrm6_addr_hash net/xfrm/xfrm_hash.h:16 [inline]
__xfrm6_daddr_saddr_hash net/xfrm/xfrm_hash.h:29 [inline]
__xfrm_dst_hash+0x38d/0x460 net/xfrm/xfrm_hash.h:95
xfrm_dst_hash net/xfrm/xfrm_state.c:64 [inline]
xfrm_state_find+0x2e2/0x4040 net/xfrm/xfrm_state.c:1159
xfrm_tmpl_resolve_one net/xfrm/xfrm_policy.c:2467 [inline]
xfrm_tmpl_resolve net/xfrm/xfrm_policy.c:2512 [inline]
xfrm_resolve_and_create_bundle+0x66c/0x2a90 net/xfrm/xfrm_policy.c:2805
xfrm_bundle_lookup net/xfrm/xfrm_policy.c:3040 [inline]
xfrm_lookup_with_ifid+0x73f/0x2030 net/xfrm/xfrm_policy.c:3171
xfrm_lookup net/xfrm/xfrm_policy.c:3268 [inline]
xfrm_lookup_route+0x3f/0x170 net/xfrm/xfrm_policy.c:3279
ip_route_output_flow+0x219/0x340 net/ipv4/route.c:2876
ip_route_output_ports include/net/route.h:177 [inline]
igmpv3_newpack+0x3cb/0x1040 net/ipv4/igmp.c:369
add_grhead+0x84/0x330 net/ipv4/igmp.c:440
add_grec+0x12c8/0x15c0 net/ipv4/igmp.c:574
igmpv3_send_cr net/ipv4/igmp.c:711 [inline]
igmp_ifc_timer_expire+0x833/0xf40 net/ipv4/igmp.c:810
call_timer_fn+0x3b/0x2e0 kernel/time/timer.c:1700
expire_timers kernel/time/timer.c:1751 [inline]
__run_timers+0x739/0xa30 kernel/time/timer.c:2022
run_timer_softirq+0x6d/0xf0 kernel/time/timer.c:2035
__do_softirq+0x193/0x57c kernel/softirq.c:571
invoke_softirq kernel/softirq.c:445 [inline]
__irq_exit_rcu+0xbb/0x170 kernel/softirq.c:650
irq_exit_rcu+0xd/0x10 kernel/softirq.c:662
sysvec_apic_timer_interrupt+0x9e/0xc0 arch/x86/kernel/apic/apic.c:1106
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1f/0x30 arch/x86/include/asm/idtentry.h:645
RIP: 0010:console_flush_all+0x739/0xb90
Code: f6 48 81 e6 00 02 00 00 31 ff e8 f2 c5 1a 00 49 81 e6 00 02 00 00 75 07 e8 84 c1 1a 00 eb 06 e8 7d c1 1a 00 fb 4c 8b 74 24 58 <48> 8b 44 24 70 42 0f b6 04 38 84 c0 48 8b 7c 24 30 0f 85 fd 01 00
RSP: 0018:ffffc900001df840 EFLAGS: 00000293
RAX: ffffffff815a5ed3 RBX: 0000000000000001 RCX: ffff8881089ad3c0
RDX: 0000000000000000 RSI: 0000000000000200 RDI: 0000000000000000
RBP: ffffc900001df9d0 R08: ffffffff815a5ebe R09: 0000000000000003
R10: ffffffffffffffff R11: dffffc0000000001 R12: ffffffff862d80d8
R13: ffffffff862d8080 R14: ffffffff862d80d8 R15: dffffc0000000000
console_unlock+0x1bc/0x3b0 kernel/printk/printk.c:3007
vprintk_emit+0x145/0x440 kernel/printk/printk.c:2307
vprintk_default+0x2a/0x30 kernel/printk/printk.c:2318
vprintk+0x8a/0x90 kernel/printk/printk_safe.c:50
_printk+0xd5/0x120 kernel/printk/printk.c:2328
kauditd_printk_skb kernel/audit.c:536 [inline]
kauditd_hold_skb+0x1c4/0x210 kernel/audit.c:571
kauditd_send_queue+0x28d/0x2e0 kernel/audit.c:756
kauditd_thread+0x4f5/0x740 kernel/audit.c:880
kthread+0x2ba/0x350 kernel/kthread.c:379
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
</TASK>

The buggy address belongs to the virtual mapping at
[ffffc900001a9000, ffffc900001b2000) created by:
map_irq_stack arch/x86/kernel/irq_64.c:48 [inline]
irq_init_percpu_irqstack+0x337/0x490 arch/x86/kernel/irq_64.c:75

The buggy address belongs to the physical page:
page:ffffea0007dcc240 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1f7309
flags: 0x4000000000001000(reserved|zone=1)
page_type: 0xffffffff()
raw: 4000000000001000 ffffea0007dcc248 ffffea0007dcc248 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner info is not present (never set?)

Memory state around the buggy address:
ffffc900001b0980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffffc900001b0a00: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00
>ffffc900001b0a80: 00 00 00 00 f3 f3 f3 f3 00 00 00 00 00 00 00 00
^
ffffc900001b0b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffffc900001b0b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
----------------
Code disassembly (best guess):
0: f6 48 81 e6 testb $0xe6,-0x7f(%rax)
4: 00 02 add %al,(%rdx)
6: 00 00 add %al,(%rax)
8: 31 ff xor %edi,%edi
a: e8 f2 c5 1a 00 callq 0x1ac601
f: 49 81 e6 00 02 00 00 and $0x200,%r14
16: 75 07 jne 0x1f
18: e8 84 c1 1a 00 callq 0x1ac1a1
1d: eb 06 jmp 0x25
1f: e8 7d c1 1a 00 callq 0x1ac1a1
24: fb sti
25: 4c 8b 74 24 58 mov 0x58(%rsp),%r14
* 2a: 48 8b 44 24 70 mov 0x70(%rsp),%rax <-- trapping instruction
2f: 42 0f b6 04 38 movzbl (%rax,%r15,1),%eax
34: 84 c0 test %al,%al
36: 48 8b 7c 24 30 mov 0x30(%rsp),%rdi
3b: 0f .byte 0xf
3c: 85 fd test %edi,%ebp
3e: 01 00 add %eax,(%rax)


Tested on:

commit: a94fd40a xfrm: delete not-needed clear to zero of enca..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=107ff265280000
kernel config: https://syzkaller.appspot.com/x/.config?x=f49233eeb90cb2bf
dashboard link: https://syzkaller.appspot.com/bug?extid=ada7c035554bcee65580
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2

Tudor Ambarus

Jun 14, 2023, 4:10:01 AM
to syzbot+ada7c0...@syzkaller.appspotmail.com, jone...@google.com, syzkaller-a...@googlegroups.com

syzbot

Jun 14, 2023, 4:28:32 AM
to jone...@google.com, syzkaller-a...@googlegroups.com, tudor....@linaro.org
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+ada7c0...@syzkaller.appspotmail.com

Tested on:

commit: 858fd168 Linux 6.4-rc6
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git v6.4-rc6
console output: https://syzkaller.appspot.com/x/log.txt?x=1694deab280000
kernel config: https://syzkaller.appspot.com/x/.config?x=d49795f7f355ffde
dashboard link: https://syzkaller.appspot.com/bug?extid=ada7c035554bcee65580
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2

Note: no patches were applied.
Note: testing is done by a robot and is best-effort only.

Tudor Ambarus

Jun 14, 2023, 4:41:03 AM
to syzbot+ada7c0...@syzkaller.appspotmail.com, jone...@google.com, syzkaller-a...@googlegroups.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git v6.4-rc3

On 6/14/23 09:09, Tudor Ambarus wrote:
> #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git v6.4-rc6

syzbot

Jun 14, 2023, 8:07:34 AM
to jone...@google.com, syzkaller-a...@googlegroups.com, tudor....@linaro.org
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+ada7c0...@syzkaller.appspotmail.com

Tested on:

commit: 44c026a7 Linux 6.4-rc3
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git v6.4-rc3
console output: https://syzkaller.appspot.com/x/log.txt?x=16f5d207280000
kernel config: https://syzkaller.appspot.com/x/.config?x=144fd19f53f4872b

Tudor Ambarus

Jun 14, 2023, 8:20:10 AM
to syzbot+ada7c0...@syzkaller.appspotmail.com, jone...@google.com, syzkaller-a...@googlegroups.com

syzbot

Jun 14, 2023, 8:40:38 AM
to jone...@google.com, syzkaller-a...@googlegroups.com, tudor....@linaro.org
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: stack-out-of-bounds Read in __xfrm_dst_hash

==================================================================
BUG: KASAN: stack-out-of-bounds in jhash2 include/linux/jhash.h:138 [inline]
BUG: KASAN: stack-out-of-bounds in __xfrm6_addr_hash net/xfrm/xfrm_hash.h:16 [inline]
BUG: KASAN: stack-out-of-bounds in __xfrm6_daddr_saddr_hash net/xfrm/xfrm_hash.h:29 [inline]
BUG: KASAN: stack-out-of-bounds in __xfrm_dst_hash+0x38d/0x460 net/xfrm/xfrm_hash.h:95
Read of size 4 at addr ffffc90000007aa0 by task kauditd/28

CPU: 0 PID: 28 Comm: kauditd Not tainted 6.4.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
Code: f6 48 81 e6 00 02 00 00 31 ff e8 52 c6 1a 00 49 81 e6 00 02 00 00 75 07 e8 e4 c1 1a 00 eb 06 e8 dd c1 1a 00 fb 4c 8b 74 24 58 <48> 8b 44 24 70 42 0f b6 04 38 84 c0 48 8b 7c 24 30 0f 85 fd 01 00
RSP: 0018:ffffc900001df840 EFLAGS: 00000293
RAX: ffffffff815a5613 RBX: 0000000000000001 RCX: ffff8881089aa180
RDX: 0000000000000000 RSI: 0000000000000200 RDI: 0000000000000000
RBP: ffffc900001df9d0 R08: ffffffff815a55fe R09: 0000000000000003
R10: ffffffffffffffff R11: dffffc0000000001 R12: ffffffff862d80d8
R13: ffffffff862d8080 R14: ffffffff862d80d8 R15: dffffc0000000000
console_unlock+0x1bc/0x3b0 kernel/printk/printk.c:3007
vprintk_emit+0x145/0x440 kernel/printk/printk.c:2307
vprintk_default+0x2a/0x30 kernel/printk/printk.c:2318
vprintk+0x8a/0x90 kernel/printk/printk_safe.c:50
_printk+0xd5/0x120 kernel/printk/printk.c:2328
kauditd_printk_skb kernel/audit.c:536 [inline]
kauditd_hold_skb+0x1c4/0x210 kernel/audit.c:571
kauditd_send_queue+0x28d/0x2e0 kernel/audit.c:756
kauditd_thread+0x4f5/0x740 kernel/audit.c:880
kthread+0x2ba/0x350 kernel/kthread.c:379
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
</TASK>

The buggy address belongs to the virtual mapping at
[ffffc90000000000, ffffc90000009000) created by:
map_irq_stack arch/x86/kernel/irq_64.c:48 [inline]
irq_init_percpu_irqstack+0x337/0x490 arch/x86/kernel/irq_64.c:75

The buggy address belongs to the physical page:
page:ffffea0007dc8240 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1f7209
flags: 0x4000000000001000(reserved|zone=1)
page_type: 0xffffffff()
raw: 4000000000001000 ffffea0007dc8248 ffffea0007dc8248 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner info is not present (never set?)

Memory state around the buggy address:
ffffc90000007980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffffc90000007a00: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00
>ffffc90000007a80: 00 00 00 00 f3 f3 f3 f3 00 00 00 00 00 00 00 00
^
ffffc90000007b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffffc90000007b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
----------------
Code disassembly (best guess):
0: f6 48 81 e6 testb $0xe6,-0x7f(%rax)
4: 00 02 add %al,(%rdx)
6: 00 00 add %al,(%rax)
8: 31 ff xor %edi,%edi
a: e8 52 c6 1a 00 callq 0x1ac661
f: 49 81 e6 00 02 00 00 and $0x200,%r14
16: 75 07 jne 0x1f
18: e8 e4 c1 1a 00 callq 0x1ac201
1d: eb 06 jmp 0x25
1f: e8 dd c1 1a 00 callq 0x1ac201
24: fb sti
25: 4c 8b 74 24 58 mov 0x58(%rsp),%r14
* 2a: 48 8b 44 24 70 mov 0x70(%rsp),%rax <-- trapping instruction
2f: 42 0f b6 04 38 movzbl (%rax,%r15,1),%eax
34: 84 c0 test %al,%al
36: 48 8b 7c 24 30 mov 0x30(%rsp),%rdi
3b: 0f .byte 0xf
3c: 85 fd test %edi,%ebp
3e: 01 00 add %eax,(%rax)


Tested on:

commit: f1fcbaa1 Linux 6.4-rc2
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git v6.4-rc2
console output: https://syzkaller.appspot.com/x/log.txt?x=11a55963280000
kernel config: https://syzkaller.appspot.com/x/.config?x=577d45f57244ecb6