test for https://syzkaller.appspot.com/bug?id=cf85b88b79d07390576fcb5d17ec25c34032d98e
26 views
Skip to first unread message
Jun Nie
Nov 3, 2022, 11:03:50 PM11/3/22
to syzbot+e00d13...@syzkaller.appspotmail.com, syzkaller-a...@googlegroups.com
#syz test: https://android.googlesource.com/kernel/common 2c85ebc57b3e1817b
test v5.10. It takes more than half an hour to reproduce it per
syzbot log sometimes.
Reported-by: syzbot+e00d13...@syzkaller.appspotmail.com
test v5.10. It takes more than half an hour to reproduce it per
syzbot log sometimes.
Reported-by: syzbot+e00d13...@syzkaller.appspotmail.com
syzbot
Nov 4, 2022, 2:15:26 AM11/4/22
to jun...@linaro.org, syzkaller-a...@googlegroups.com
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
=============================
[ 23.523881][ T105] UBSAN: object-size-mismatch in ./include/linux/skbuff.h:1909:2
[ 23.531690][ T105] member access within address 000000007d1c1fb7 with insufficient space
[ 23.540107][ T105] for an object of type 'struct sk_buff'
[ 23.545725][ T105] CPU: 0 PID: 105 Comm: kworker/0:2 Not tainted 5.10.0-syzkaller #0
[ 23.553761][ T105] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022
[ 23.563797][ T105] Workqueue: ipv6_addrconf addrconf_dad_work
[ 23.569747][ T105] Call Trace:
[ 23.573019][ T105] dump_stack+0x19c/0x1e2
[ 23.577323][ T105] ubsan_type_mismatch_common+0x1ed/0x3a0
[ 23.583014][ T105] __ubsan_handle_type_mismatch_v1+0x4b/0x60
[ 23.588979][ T105] wg_xmit+0x48f/0xa60
[ 23.593113][ T105] ? __sanitizer_cov_trace_switch+0x64/0x80
[ 23.599157][ T105] netdev_start_xmit+0x8a/0x160
[ 23.603981][ T105] dev_hard_start_xmit+0x18d/0x2f0
[ 23.609065][ T105] __dev_queue_xmit+0xf16/0x1920
[ 23.613992][ T105] ? __kasan_check_write+0x14/0x20
[ 23.619077][ T105] dev_queue_xmit+0x17/0x20
[ 23.623564][ T105] neigh_connected_output+0x288/0x2b0
[ 23.628935][ T105] ip6_finish_output2+0xc34/0x1020
[ 23.634107][ T105] ? ip6_mtu+0xf1/0x140
[ 23.638238][ T105] __ip6_finish_output+0x279/0x370
[ 23.643349][ T105] ip6_finish_output+0x20b/0x220
[ 23.648290][ T105] ? ip6_output+0x175/0x3f0
[ 23.652788][ T105] ip6_output+0x18c/0x3f0
[ 23.657091][ T105] ? ip6_dst_idev+0x40/0x40
[ 23.661600][ T105] NF_HOOK+0x88/0x210
[ 23.665564][ T105] ? NF_HOOK+0x210/0x210
[ 23.669779][ T105] ndisc_send_skb+0x653/0x9f0
[ 23.674437][ T105] ndisc_send_rs+0x26c/0x360
[ 23.679001][ T105] addrconf_dad_completed+0x493/0x970
[ 23.684357][ T105] addrconf_dad_work+0x9d0/0x12d0
[ 23.689366][ T105] process_one_work+0x3d5/0x640
[ 23.694278][ T105] worker_thread+0x723/0xa60
[ 23.698847][ T105] ? _raw_spin_lock_irqsave+0xa2/0x220
[ 23.704379][ T105] kthread+0x365/0x400
[ 23.708423][ T105] ? pr_cont_work+0x110/0x110
[ 23.713085][ T105] ? __list_add+0xc0/0xc0
[ 23.717391][ T105] ret_from_fork+0x1f/0x30
[ 23.721822][ T105] ================================================================================
[ 23.733016][ T73] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
2022/11/04 06:14:17 building call list...
[ 23.741479][ T73] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 23.749838][ T73] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 23.757824][ T73] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 23.773325][ T373] cgroup: cgroup: disabling cgroup2 socket matching due to net_prio or net_cls activation
[ 23.847973][ T373] ==================================================================
[ 23.856242][ T373] BUG: KASAN: use-after-free in task_active_pid_ns+0x9a/0xa0
[ 23.863611][ T373] Read of size 4 at addr ffff88810015a184 by task syz-executor.0/373
[ 23.871674][ T373]
[ 23.874015][ T373] CPU: 0 PID: 373 Comm: syz-executor.0 Not tainted 5.10.0-syzkaller #0
[ 23.882329][ T373] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022
[ 23.892408][ T373] Call Trace:
[ 23.895705][ T373] dump_stack+0x19c/0x1e2
[ 23.900135][ T373] print_address_description+0x7e/0x6a0
[ 23.905973][ T373] ? printk+0x76/0x96
[ 23.910038][ T373] kasan_report+0x16f/0x210
[ 23.914559][ T373] ? task_active_pid_ns+0x9a/0xa0
[ 23.919590][ T373] ? task_active_pid_ns+0x9a/0xa0
[ 23.924603][ T373] __asan_report_load4_noabort+0x14/0x20
[ 23.930306][ T373] task_active_pid_ns+0x9a/0xa0
[ 23.935139][ T373] do_notify_parent+0x2c7/0xa70
[ 23.939975][ T373] ? __kasan_check_write+0x14/0x20
[ 23.945071][ T373] do_exit+0x1a52/0x2190
[ 23.949293][ T373] ? avc_has_perm_noaudit+0xc7/0x1b0
[ 23.954577][ T373] do_group_exit+0x13f/0x310
[ 23.959202][ T373] get_signal+0xbef/0x10c0
[ 23.963611][ T373] arch_do_signal+0x42/0x710
[ 23.968185][ T373] ? __sanitizer_cov_trace_const_cmp4+0x19/0x20
[ 23.974613][ T373] exit_to_user_mode_loop+0xa3/0xe0
[ 23.979891][ T373] syscall_exit_to_user_mode+0x77/0xa0
[ 23.985422][ T373] do_syscall_64+0x40/0x70
[ 23.989823][ T373] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 23.995689][ T373] RIP: 0033:0x7fc85c3f1c4a
[ 24.000074][ T373] Code: Unable to access opcode bytes at RIP 0x7fc85c3f1c20.
[ 24.007417][ T373] RSP: 002b:00007ffd1da024d8 EFLAGS: 00000206 ORIG_RAX: 0000000000000036
[ 24.015807][ T373] RAX: 0000000000000000 RBX: 0000000000000029 RCX: 00007fc85c3f1c4a
[ 24.023762][ T373] RDX: 0000000000000040 RSI: 0000000000000029 RDI: 0000000000000003
[ 24.031712][ T373] RBP: 00007ffd1da02500 R08: 00000000000003b8 R09: ffffffffffff0000
[ 24.039662][ T373] R10: 00007fc85c4e5bc0 R11: 0000000000000206 R12: 00007ffd1da02560
[ 24.047622][ T373] R13: 0000000000000003 R14: 00007ffd1da024fc R15: 00007fc85c4e5b60
[ 24.055582][ T373]
[ 24.057887][ T373] Allocated by task 0:
[ 24.061935][ T373] __kasan_kmalloc+0x11a/0x150
[ 24.066680][ T373] kasan_slab_alloc+0xe/0x10
[ 24.071378][ T373] slab_post_alloc_hook+0x3f/0x70
[ 24.076465][ T373] kmem_cache_alloc+0x143/0x200
[ 24.081386][ T373] alloc_pid+0x9a/0xb00
[ 24.085521][ T373] copy_process+0xdc0/0x2110
[ 24.090097][ T373] kernel_clone+0x1df/0x690
[ 24.094581][ T373] kernel_thread+0x11b/0x160
[ 24.099162][ T373] rest_init+0x22/0xf0
[ 24.103296][ T373] arch_call_rest_init+0xe/0x10
[ 24.108251][ T373] start_kernel+0x47d/0x518
[ 24.112828][ T373] x86_64_start_reservations+0x2a/0x2c
[ 24.118274][ T373] x86_64_start_kernel+0x7a/0x7d
[ 24.123244][ T373] secondary_startup_64_no_verify+0xb0/0xbb
[ 24.129134][ T373]
[ 24.131529][ T373] Freed by task 371:
[ 24.135406][ T373] kasan_set_track+0x4c/0x80
[ 24.139976][ T373] kasan_set_free_info+0x1b/0x30
[ 24.144887][ T373] __kasan_slab_free+0x11c/0x150
[ 24.149797][ T373] kasan_slab_free+0xe/0x10
[ 24.154439][ T373] slab_free_freelist_hook+0x8b/0x160
[ 24.159786][ T373] kmem_cache_free+0x9a/0x1c0
[ 24.164441][ T373] put_pid+0xb3/0x120
[ 24.168399][ T373] proc_do_cad_pid+0x131/0x1d0
[ 24.173137][ T373] proc_sys_call_handler+0x48d/0x640
[ 24.179609][ T373] proc_sys_write+0x22/0x30
[ 24.184101][ T373] vfs_write+0x466/0x560
[ 24.188516][ T373] ksys_write+0x155/0x260
[ 24.192839][ T373] __x64_sys_write+0x7b/0x90
[ 24.197407][ T373] do_syscall_64+0x34/0x70
[ 24.201826][ T373] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 24.207799][ T373]
[ 24.210116][ T373] The buggy address belongs to the object at ffff88810015a180
[ 24.210116][ T373] which belongs to the cache pid of size 112
[ 24.223541][ T373] The buggy address is located 4 bytes inside of
[ 24.223541][ T373] 112-byte region [ffff88810015a180, ffff88810015a1f0)
[ 24.236706][ T373] The buggy address belongs to the page:
[ 24.242325][ T373] page:00000000f6e03c96 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10015a
[ 24.252629][ T373] flags: 0x8000000000000200(slab)
[ 24.257720][ T373] raw: 8000000000000200 dead000000000100 dead000000000122 ffff888100134c80
[ 24.266434][ T373] raw: 0000000000000000 0000000000150015 00000001ffffffff 0000000000000000
[ 24.275189][ T373] page dumped because: kasan: bad access detected
[ 24.281659][ T373] page_owner tracks the page as allocated
[ 24.287356][ T373] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x0()
[ 24.295760][ T373] register_early_stack+0x41/0x80
[ 24.300761][ T373] init_page_owner+0x32/0x4f0
[ 24.305454][ T373] invoke_init_callbacks+0x63/0x6d
[ 24.310715][ T373] page_ext_init+0x348/0x371
[ 24.315273][ T373] page_owner free stack trace missing
[ 24.320614][ T373]
[ 24.322914][ T373] Memory state around the buggy address:
[ 24.328520][ T373] ffff88810015a080: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[ 24.336556][ T373] ffff88810015a100: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 24.344592][ T373] >ffff88810015a180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[ 24.352644][ T373] ^
[ 24.356686][ T373] ffff88810015a200: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[ 24.364894][ T373] ffff88810015a280: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 24.373013][ T373] ==================================================================
[ 24.381044][ T373] Disabling lock debugging due to kernel taint
[ 24.387287][ T373] BUG: unable to handle page fault for address: ffffed122001c53f
[ 24.394976][ T373] #PF: supervisor read access in kernel mode
[ 24.400925][ T373] #PF: error_code(0x0000) - not-present page
[ 24.406872][ T373] PGD 23fff2067 P4D 23fff2067 PUD 0
[ 24.412232][ T373] Oops: 0000 [#1] PREEMPT SMP KASAN
[ 24.417407][ T373] CPU: 0 PID: 373 Comm: syz-executor.0 Tainted: G B 5.10.0-syzkaller #0
[ 24.427024][ T373] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022
[ 24.437095][ T373] RIP: 0010:task_active_pid_ns+0x69/0xa0
[ 24.442788][ T373] Code: 5d 56 1d 00 48 8d 7b 04 48 89 f8 48 c1 e8 03 42 8a 04 30 84 c0 75 33 8b 43 04 48 c1 e0 04 48 8d 5c 03 68 48 89 d8 48 c1 e8 03 <42> 80 3c 30 00 74 08 48 89 df e8 28 a7 4c 00 48 8b 03 eb 07 e8 1e
[ 24.462544][ T373] RSP: 0018:ffffc9000033fb40 EFLAGS: 00010806
[ 24.468596][ T373] RAX: 1ffff1122001c53f RBX: ffff8891000e29f8 RCX: 0000000000000002
[ 24.476556][ T373] RDX: 0000000000000000 RSI: 0000000000000086 RDI: 0000000000000001
[ 24.484684][ T373] RBP: ffffc9000033fb50 R08: ffff8881191e2dc0 R09: fffffbfff0bc26f9
[ 24.492658][ T373] R10: fffffbfff0bc26f9 R11: 1ffffffff0bc26f8 R12: dffffc0000000000
[ 24.500704][ T373] R13: ffff8881191e2dc0 R14: dffffc0000000000 R15: ffff8881191e32e0
[ 24.508655][ T373] FS: 0000000000000000(0000) GS:ffff8881f7200000(0000) knlGS:0000000000000000
[ 24.518425][ T373] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 24.525172][ T373] CR2: ffffed122001c53f CR3: 0000000119127000 CR4: 00000000003506b0
[ 24.533212][ T373] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 24.541379][ T373] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 24.549865][ T373] Call Trace:
[ 24.553146][ T373] do_notify_parent+0x2c7/0xa70
[ 24.557975][ T373] ? __kasan_check_write+0x14/0x20
[ 24.563070][ T373] do_exit+0x1a52/0x2190
[ 24.567289][ T373] ? avc_has_perm_noaudit+0xc7/0x1b0
[ 24.572727][ T373] do_group_exit+0x13f/0x310
[ 24.577300][ T373] get_signal+0xbef/0x10c0
[ 24.581875][ T373] arch_do_signal+0x42/0x710
[ 24.586441][ T373] ? __sanitizer_cov_trace_const_cmp4+0x19/0x20
[ 24.592658][ T373] exit_to_user_mode_loop+0xa3/0xe0
[ 24.598004][ T373] syscall_exit_to_user_mode+0x77/0xa0
[ 24.603437][ T373] do_syscall_64+0x40/0x70
[ 24.607832][ T373] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 24.613698][ T373] RIP: 0033:0x7fc85c3f1c4a
[ 24.618260][ T373] Code: Unable to access opcode bytes at RIP 0x7fc85c3f1c20.
[ 24.625784][ T373] RSP: 002b:00007ffd1da024d8 EFLAGS: 00000206 ORIG_RAX: 0000000000000036
[ 24.634447][ T373] RAX: 0000000000000000 RBX: 0000000000000029 RCX: 00007fc85c3f1c4a
[ 24.642392][ T373] RDX: 0000000000000040 RSI: 0000000000000029 RDI: 0000000000000003
[ 24.650342][ T373] RBP: 00007ffd1da02500 R08: 00000000000003b8 R09: ffffffffffff0000
[ 24.658304][ T373] R10: 00007fc85c4e5bc0 R11: 0000000000000206 R12: 00007ffd1da02560
[ 24.666283][ T373] R13: 0000000000000003 R14: 00007ffd1da024fc R15: 00007fc85c4e5b60
[ 24.674228][ T373] Modules linked in:
[ 24.678101][ T373] CR2: ffffed122001c53f
[ 24.682235][ T373] ---[ end trace a2a7ae788bd15594 ]---
[ 24.687675][ T373] RIP: 0010:task_active_pid_ns+0x69/0xa0
[ 24.693315][ T373] Code: 5d 56 1d 00 48 8d 7b 04 48 89 f8 48 c1 e8 03 42 8a 04 30 84 c0 75 33 8b 43 04 48 c1 e0 04 48 8d 5c 03 68 48 89 d8 48 c1 e8 03 <42> 80 3c 30 00 74 08 48 89 df e8 28 a7 4c 00 48 8b 03 eb 07 e8 1e
[ 24.713088][ T373] RSP: 0018:ffffc9000033fb40 EFLAGS: 00010806
[ 24.719129][ T373] RAX: 1ffff1122001c53f RBX: ffff8891000e29f8 RCX: 0000000000000002
[ 24.727075][ T373] RDX: 0000000000000000 RSI: 0000000000000086 RDI: 0000000000000001
[ 24.735022][ T373] RBP: ffffc9000033fb50 R08: ffff8881191e2dc0 R09: fffffbfff0bc26f9
[ 24.743055][ T373] R10: fffffbfff0bc26f9 R11: 1ffffffff0bc26f8 R12: dffffc0000000000
[ 24.751004][ T373] R13: ffff8881191e2dc0 R14: dffffc0000000000 R15: ffff8881191e32e0
[ 24.758962][ T373] FS: 0000000000000000(0000) GS:ffff8881f7200000(0000) knlGS:0000000000000000
[ 24.767866][ T373] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 24.774692][ T373] CR2: ffffed122001c53f CR3: 0000000119127000 CR4: 00000000003506b0
[ 24.782648][ T373] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 24.790600][ T373] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 24.798727][ T373] Kernel panic - not syncing: Fatal exception
[ 25.898607][ T373] Shutting down cpus with NMI
[ 25.903668][ T373] Kernel Offset: disabled
[ 25.908131][ T373] Rebooting in 86400 seconds..
syzkaller build log:
go env (err=<nil>)
GO111MODULE="auto"
GOARCH="amd64"
GOBIN=""
GOCACHE="/syzkaller/.cache/go-build"
GOENV="/syzkaller/.config/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/syzkaller/jobs/linux/gopath/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/syzkaller/jobs/linux/gopath"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="go1.17"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/syzkaller/jobs/linux/gopath/src/github.com/google/syzkaller/go.mod"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build1775073316=/tmp/go-build -gno-record-gcc-switches"
git status (err=<nil>)
HEAD detached at c0b80a55c
nothing to commit, working tree clean
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:32: run command via tools/syz-env for best compatibility, see:
Makefile:33: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=c0b80a55c9c8cfe75e77c555ed0d4ae7aa373cc2 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20221021-135310'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-fuzzer github.com/google/syzkaller/syz-fuzzer
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=c0b80a55c9c8cfe75e77c555ed0d4ae7aa373cc2 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20221021-135310'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=c0b80a55c9c8cfe75e77c555ed0d4ae7aa373cc2 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20221021-135310'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-stress github.com/google/syzkaller/tools/syz-stress
mkdir -p ./bin/linux_amd64
gcc -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -static-pie -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"c0b80a55c9c8cfe75e77c555ed0d4ae7aa373cc2\"
Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=114650fa880000
Tested on:
commit: 2c85ebc5 Linux 5.10
git tree: https://android.googlesource.com/kernel/common
kernel config: https://syzkaller.appspot.com/x/.config?x=c0a5cf5454641b9e
dashboard link: https://syzkaller.appspot.com/bug?extid=e00d1302e217068ee641
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
Note: no patches were applied.
syzbot tried to test the proposed patch but the build/boot failed:
=============================
[ 23.523881][ T105] UBSAN: object-size-mismatch in ./include/linux/skbuff.h:1909:2
[ 23.531690][ T105] member access within address 000000007d1c1fb7 with insufficient space
[ 23.540107][ T105] for an object of type 'struct sk_buff'
[ 23.545725][ T105] CPU: 0 PID: 105 Comm: kworker/0:2 Not tainted 5.10.0-syzkaller #0
[ 23.553761][ T105] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022
[ 23.563797][ T105] Workqueue: ipv6_addrconf addrconf_dad_work
[ 23.569747][ T105] Call Trace:
[ 23.573019][ T105] dump_stack+0x19c/0x1e2
[ 23.577323][ T105] ubsan_type_mismatch_common+0x1ed/0x3a0
[ 23.583014][ T105] __ubsan_handle_type_mismatch_v1+0x4b/0x60
[ 23.588979][ T105] wg_xmit+0x48f/0xa60
[ 23.593113][ T105] ? __sanitizer_cov_trace_switch+0x64/0x80
[ 23.599157][ T105] netdev_start_xmit+0x8a/0x160
[ 23.603981][ T105] dev_hard_start_xmit+0x18d/0x2f0
[ 23.609065][ T105] __dev_queue_xmit+0xf16/0x1920
[ 23.613992][ T105] ? __kasan_check_write+0x14/0x20
[ 23.619077][ T105] dev_queue_xmit+0x17/0x20
[ 23.623564][ T105] neigh_connected_output+0x288/0x2b0
[ 23.628935][ T105] ip6_finish_output2+0xc34/0x1020
[ 23.634107][ T105] ? ip6_mtu+0xf1/0x140
[ 23.638238][ T105] __ip6_finish_output+0x279/0x370
[ 23.643349][ T105] ip6_finish_output+0x20b/0x220
[ 23.648290][ T105] ? ip6_output+0x175/0x3f0
[ 23.652788][ T105] ip6_output+0x18c/0x3f0
[ 23.657091][ T105] ? ip6_dst_idev+0x40/0x40
[ 23.661600][ T105] NF_HOOK+0x88/0x210
[ 23.665564][ T105] ? NF_HOOK+0x210/0x210
[ 23.669779][ T105] ndisc_send_skb+0x653/0x9f0
[ 23.674437][ T105] ndisc_send_rs+0x26c/0x360
[ 23.679001][ T105] addrconf_dad_completed+0x493/0x970
[ 23.684357][ T105] addrconf_dad_work+0x9d0/0x12d0
[ 23.689366][ T105] process_one_work+0x3d5/0x640
[ 23.694278][ T105] worker_thread+0x723/0xa60
[ 23.698847][ T105] ? _raw_spin_lock_irqsave+0xa2/0x220
[ 23.704379][ T105] kthread+0x365/0x400
[ 23.708423][ T105] ? pr_cont_work+0x110/0x110
[ 23.713085][ T105] ? __list_add+0xc0/0xc0
[ 23.717391][ T105] ret_from_fork+0x1f/0x30
[ 23.721822][ T105] ================================================================================
[ 23.733016][ T73] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
2022/11/04 06:14:17 building call list...
[ 23.741479][ T73] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 23.749838][ T73] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 23.757824][ T73] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 23.773325][ T373] cgroup: cgroup: disabling cgroup2 socket matching due to net_prio or net_cls activation
[ 23.847973][ T373] ==================================================================
[ 23.856242][ T373] BUG: KASAN: use-after-free in task_active_pid_ns+0x9a/0xa0
[ 23.863611][ T373] Read of size 4 at addr ffff88810015a184 by task syz-executor.0/373
[ 23.871674][ T373]
[ 23.874015][ T373] CPU: 0 PID: 373 Comm: syz-executor.0 Not tainted 5.10.0-syzkaller #0
[ 23.882329][ T373] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022
[ 23.892408][ T373] Call Trace:
[ 23.895705][ T373] dump_stack+0x19c/0x1e2
[ 23.900135][ T373] print_address_description+0x7e/0x6a0
[ 23.905973][ T373] ? printk+0x76/0x96
[ 23.910038][ T373] kasan_report+0x16f/0x210
[ 23.914559][ T373] ? task_active_pid_ns+0x9a/0xa0
[ 23.919590][ T373] ? task_active_pid_ns+0x9a/0xa0
[ 23.924603][ T373] __asan_report_load4_noabort+0x14/0x20
[ 23.930306][ T373] task_active_pid_ns+0x9a/0xa0
[ 23.935139][ T373] do_notify_parent+0x2c7/0xa70
[ 23.939975][ T373] ? __kasan_check_write+0x14/0x20
[ 23.945071][ T373] do_exit+0x1a52/0x2190
[ 23.949293][ T373] ? avc_has_perm_noaudit+0xc7/0x1b0
[ 23.954577][ T373] do_group_exit+0x13f/0x310
[ 23.959202][ T373] get_signal+0xbef/0x10c0
[ 23.963611][ T373] arch_do_signal+0x42/0x710
[ 23.968185][ T373] ? __sanitizer_cov_trace_const_cmp4+0x19/0x20
[ 23.974613][ T373] exit_to_user_mode_loop+0xa3/0xe0
[ 23.979891][ T373] syscall_exit_to_user_mode+0x77/0xa0
[ 23.985422][ T373] do_syscall_64+0x40/0x70
[ 23.989823][ T373] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 23.995689][ T373] RIP: 0033:0x7fc85c3f1c4a
[ 24.000074][ T373] Code: Unable to access opcode bytes at RIP 0x7fc85c3f1c20.
[ 24.007417][ T373] RSP: 002b:00007ffd1da024d8 EFLAGS: 00000206 ORIG_RAX: 0000000000000036
[ 24.015807][ T373] RAX: 0000000000000000 RBX: 0000000000000029 RCX: 00007fc85c3f1c4a
[ 24.023762][ T373] RDX: 0000000000000040 RSI: 0000000000000029 RDI: 0000000000000003
[ 24.031712][ T373] RBP: 00007ffd1da02500 R08: 00000000000003b8 R09: ffffffffffff0000
[ 24.039662][ T373] R10: 00007fc85c4e5bc0 R11: 0000000000000206 R12: 00007ffd1da02560
[ 24.047622][ T373] R13: 0000000000000003 R14: 00007ffd1da024fc R15: 00007fc85c4e5b60
[ 24.055582][ T373]
[ 24.057887][ T373] Allocated by task 0:
[ 24.061935][ T373] __kasan_kmalloc+0x11a/0x150
[ 24.066680][ T373] kasan_slab_alloc+0xe/0x10
[ 24.071378][ T373] slab_post_alloc_hook+0x3f/0x70
[ 24.076465][ T373] kmem_cache_alloc+0x143/0x200
[ 24.081386][ T373] alloc_pid+0x9a/0xb00
[ 24.085521][ T373] copy_process+0xdc0/0x2110
[ 24.090097][ T373] kernel_clone+0x1df/0x690
[ 24.094581][ T373] kernel_thread+0x11b/0x160
[ 24.099162][ T373] rest_init+0x22/0xf0
[ 24.103296][ T373] arch_call_rest_init+0xe/0x10
[ 24.108251][ T373] start_kernel+0x47d/0x518
[ 24.112828][ T373] x86_64_start_reservations+0x2a/0x2c
[ 24.118274][ T373] x86_64_start_kernel+0x7a/0x7d
[ 24.123244][ T373] secondary_startup_64_no_verify+0xb0/0xbb
[ 24.129134][ T373]
[ 24.131529][ T373] Freed by task 371:
[ 24.135406][ T373] kasan_set_track+0x4c/0x80
[ 24.139976][ T373] kasan_set_free_info+0x1b/0x30
[ 24.144887][ T373] __kasan_slab_free+0x11c/0x150
[ 24.149797][ T373] kasan_slab_free+0xe/0x10
[ 24.154439][ T373] slab_free_freelist_hook+0x8b/0x160
[ 24.159786][ T373] kmem_cache_free+0x9a/0x1c0
[ 24.164441][ T373] put_pid+0xb3/0x120
[ 24.168399][ T373] proc_do_cad_pid+0x131/0x1d0
[ 24.173137][ T373] proc_sys_call_handler+0x48d/0x640
[ 24.179609][ T373] proc_sys_write+0x22/0x30
[ 24.184101][ T373] vfs_write+0x466/0x560
[ 24.188516][ T373] ksys_write+0x155/0x260
[ 24.192839][ T373] __x64_sys_write+0x7b/0x90
[ 24.197407][ T373] do_syscall_64+0x34/0x70
[ 24.201826][ T373] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 24.207799][ T373]
[ 24.210116][ T373] The buggy address belongs to the object at ffff88810015a180
[ 24.210116][ T373] which belongs to the cache pid of size 112
[ 24.223541][ T373] The buggy address is located 4 bytes inside of
[ 24.223541][ T373] 112-byte region [ffff88810015a180, ffff88810015a1f0)
[ 24.236706][ T373] The buggy address belongs to the page:
[ 24.242325][ T373] page:00000000f6e03c96 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10015a
[ 24.252629][ T373] flags: 0x8000000000000200(slab)
[ 24.257720][ T373] raw: 8000000000000200 dead000000000100 dead000000000122 ffff888100134c80
[ 24.266434][ T373] raw: 0000000000000000 0000000000150015 00000001ffffffff 0000000000000000
[ 24.275189][ T373] page dumped because: kasan: bad access detected
[ 24.281659][ T373] page_owner tracks the page as allocated
[ 24.287356][ T373] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x0()
[ 24.295760][ T373] register_early_stack+0x41/0x80
[ 24.300761][ T373] init_page_owner+0x32/0x4f0
[ 24.305454][ T373] invoke_init_callbacks+0x63/0x6d
[ 24.310715][ T373] page_ext_init+0x348/0x371
[ 24.315273][ T373] page_owner free stack trace missing
[ 24.320614][ T373]
[ 24.322914][ T373] Memory state around the buggy address:
[ 24.328520][ T373] ffff88810015a080: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[ 24.336556][ T373] ffff88810015a100: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 24.344592][ T373] >ffff88810015a180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[ 24.352644][ T373] ^
[ 24.356686][ T373] ffff88810015a200: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[ 24.364894][ T373] ffff88810015a280: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 24.373013][ T373] ==================================================================
[ 24.381044][ T373] Disabling lock debugging due to kernel taint
[ 24.387287][ T373] BUG: unable to handle page fault for address: ffffed122001c53f
[ 24.394976][ T373] #PF: supervisor read access in kernel mode
[ 24.400925][ T373] #PF: error_code(0x0000) - not-present page
[ 24.406872][ T373] PGD 23fff2067 P4D 23fff2067 PUD 0
[ 24.412232][ T373] Oops: 0000 [#1] PREEMPT SMP KASAN
[ 24.417407][ T373] CPU: 0 PID: 373 Comm: syz-executor.0 Tainted: G B 5.10.0-syzkaller #0
[ 24.427024][ T373] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022
[ 24.437095][ T373] RIP: 0010:task_active_pid_ns+0x69/0xa0
[ 24.442788][ T373] Code: 5d 56 1d 00 48 8d 7b 04 48 89 f8 48 c1 e8 03 42 8a 04 30 84 c0 75 33 8b 43 04 48 c1 e0 04 48 8d 5c 03 68 48 89 d8 48 c1 e8 03 <42> 80 3c 30 00 74 08 48 89 df e8 28 a7 4c 00 48 8b 03 eb 07 e8 1e
[ 24.462544][ T373] RSP: 0018:ffffc9000033fb40 EFLAGS: 00010806
[ 24.468596][ T373] RAX: 1ffff1122001c53f RBX: ffff8891000e29f8 RCX: 0000000000000002
[ 24.476556][ T373] RDX: 0000000000000000 RSI: 0000000000000086 RDI: 0000000000000001
[ 24.484684][ T373] RBP: ffffc9000033fb50 R08: ffff8881191e2dc0 R09: fffffbfff0bc26f9
[ 24.492658][ T373] R10: fffffbfff0bc26f9 R11: 1ffffffff0bc26f8 R12: dffffc0000000000
[ 24.500704][ T373] R13: ffff8881191e2dc0 R14: dffffc0000000000 R15: ffff8881191e32e0
[ 24.508655][ T373] FS: 0000000000000000(0000) GS:ffff8881f7200000(0000) knlGS:0000000000000000
[ 24.518425][ T373] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 24.525172][ T373] CR2: ffffed122001c53f CR3: 0000000119127000 CR4: 00000000003506b0
[ 24.533212][ T373] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 24.541379][ T373] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 24.549865][ T373] Call Trace:
[ 24.553146][ T373] do_notify_parent+0x2c7/0xa70
[ 24.557975][ T373] ? __kasan_check_write+0x14/0x20
[ 24.563070][ T373] do_exit+0x1a52/0x2190
[ 24.567289][ T373] ? avc_has_perm_noaudit+0xc7/0x1b0
[ 24.572727][ T373] do_group_exit+0x13f/0x310
[ 24.577300][ T373] get_signal+0xbef/0x10c0
[ 24.581875][ T373] arch_do_signal+0x42/0x710
[ 24.586441][ T373] ? __sanitizer_cov_trace_const_cmp4+0x19/0x20
[ 24.592658][ T373] exit_to_user_mode_loop+0xa3/0xe0
[ 24.598004][ T373] syscall_exit_to_user_mode+0x77/0xa0
[ 24.603437][ T373] do_syscall_64+0x40/0x70
[ 24.607832][ T373] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 24.613698][ T373] RIP: 0033:0x7fc85c3f1c4a
[ 24.618260][ T373] Code: Unable to access opcode bytes at RIP 0x7fc85c3f1c20.
[ 24.625784][ T373] RSP: 002b:00007ffd1da024d8 EFLAGS: 00000206 ORIG_RAX: 0000000000000036
[ 24.634447][ T373] RAX: 0000000000000000 RBX: 0000000000000029 RCX: 00007fc85c3f1c4a
[ 24.642392][ T373] RDX: 0000000000000040 RSI: 0000000000000029 RDI: 0000000000000003
[ 24.650342][ T373] RBP: 00007ffd1da02500 R08: 00000000000003b8 R09: ffffffffffff0000
[ 24.658304][ T373] R10: 00007fc85c4e5bc0 R11: 0000000000000206 R12: 00007ffd1da02560
[ 24.666283][ T373] R13: 0000000000000003 R14: 00007ffd1da024fc R15: 00007fc85c4e5b60
[ 24.674228][ T373] Modules linked in:
[ 24.678101][ T373] CR2: ffffed122001c53f
[ 24.682235][ T373] ---[ end trace a2a7ae788bd15594 ]---
[ 24.687675][ T373] RIP: 0010:task_active_pid_ns+0x69/0xa0
[ 24.693315][ T373] Code: 5d 56 1d 00 48 8d 7b 04 48 89 f8 48 c1 e8 03 42 8a 04 30 84 c0 75 33 8b 43 04 48 c1 e0 04 48 8d 5c 03 68 48 89 d8 48 c1 e8 03 <42> 80 3c 30 00 74 08 48 89 df e8 28 a7 4c 00 48 8b 03 eb 07 e8 1e
[ 24.713088][ T373] RSP: 0018:ffffc9000033fb40 EFLAGS: 00010806
[ 24.719129][ T373] RAX: 1ffff1122001c53f RBX: ffff8891000e29f8 RCX: 0000000000000002
[ 24.727075][ T373] RDX: 0000000000000000 RSI: 0000000000000086 RDI: 0000000000000001
[ 24.735022][ T373] RBP: ffffc9000033fb50 R08: ffff8881191e2dc0 R09: fffffbfff0bc26f9
[ 24.743055][ T373] R10: fffffbfff0bc26f9 R11: 1ffffffff0bc26f8 R12: dffffc0000000000
[ 24.751004][ T373] R13: ffff8881191e2dc0 R14: dffffc0000000000 R15: ffff8881191e32e0
[ 24.758962][ T373] FS: 0000000000000000(0000) GS:ffff8881f7200000(0000) knlGS:0000000000000000
[ 24.767866][ T373] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 24.774692][ T373] CR2: ffffed122001c53f CR3: 0000000119127000 CR4: 00000000003506b0
[ 24.782648][ T373] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 24.790600][ T373] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 24.798727][ T373] Kernel panic - not syncing: Fatal exception
[ 25.898607][ T373] Shutting down cpus with NMI
[ 25.903668][ T373] Kernel Offset: disabled
[ 25.908131][ T373] Rebooting in 86400 seconds..
syzkaller build log:
go env (err=<nil>)
GO111MODULE="auto"
GOARCH="amd64"
GOBIN=""
GOCACHE="/syzkaller/.cache/go-build"
GOENV="/syzkaller/.config/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/syzkaller/jobs/linux/gopath/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/syzkaller/jobs/linux/gopath"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="go1.17"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/syzkaller/jobs/linux/gopath/src/github.com/google/syzkaller/go.mod"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build1775073316=/tmp/go-build -gno-record-gcc-switches"
git status (err=<nil>)
HEAD detached at c0b80a55c
nothing to commit, working tree clean
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:32: run command via tools/syz-env for best compatibility, see:
Makefile:33: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=c0b80a55c9c8cfe75e77c555ed0d4ae7aa373cc2 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20221021-135310'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-fuzzer github.com/google/syzkaller/syz-fuzzer
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=c0b80a55c9c8cfe75e77c555ed0d4ae7aa373cc2 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20221021-135310'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=c0b80a55c9c8cfe75e77c555ed0d4ae7aa373cc2 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20221021-135310'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-stress github.com/google/syzkaller/tools/syz-stress
mkdir -p ./bin/linux_amd64
gcc -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -static-pie -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"c0b80a55c9c8cfe75e77c555ed0d4ae7aa373cc2\"
Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=114650fa880000
Tested on:
commit: 2c85ebc5 Linux 5.10
git tree: https://android.googlesource.com/kernel/common
kernel config: https://syzkaller.appspot.com/x/.config?x=c0a5cf5454641b9e
dashboard link: https://syzkaller.appspot.com/bug?extid=e00d1302e217068ee641
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
Note: no patches were applied.
Jun Nie
Nov 4, 2022, 3:21:41 AM11/4/22
to syzkaller-a...@googlegroups.com
#syz test: https://android.googlesource.com/kernel/common 4d93874b9e9c
========== bisect test ============
bug: v6.0-rc3
bug: v5.15.0
bug: v5.14.0
bug: v5.13.0
bug: v5.13.0-rc4
bug: 9f67672a817e Merge tag 'ext4_for_linus' of
git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4
Pls notes: The parent of this merge is earlier than v5.12
nobug in 10min: v5.12.0
nobug in 10min: v5.10.0
nobug in 10min: v4.19.0
per syzbot, bug is in v5.15.73@44b8b2ac1d96 v5.15.71@4305285a3554
v5.15.72@43eb03f7ce81
Because we see bug: in merge 9f67672a817e while no bug with v5.12, so
let's test the first commit in this merge set.
4d93874b9e9c ext4: use memcpy_from_page() in pagecache_read()
========== bisect test ============
bug: v6.0-rc3
bug: v5.15.0
bug: v5.14.0
bug: v5.13.0
bug: v5.13.0-rc4
bug: 9f67672a817e Merge tag 'ext4_for_linus' of
git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4
Pls notes: The parent of this merge is earlier than v5.12
nobug in 10min: v5.12.0
nobug in 10min: v5.10.0
nobug in 10min: v4.19.0
per syzbot, bug is in v5.15.73@44b8b2ac1d96 v5.15.71@4305285a3554
v5.15.72@43eb03f7ce81
Because we see bug: in merge 9f67672a817e while no bug with v5.12, so
let's test the first commit in this merge set.
4d93874b9e9c ext4: use memcpy_from_page() in pagecache_read()
syzbot
Nov 4, 2022, 3:21:43 AM11/4/22
to Jun Nie, jun...@linaro.org, syzkaller-a...@googlegroups.com
I see the command but can't find the corresponding bug.
Please resend the email to syzbo...@syzkaller.appspotmail.com address
that is the sender of the bug report (also present in the Reported-by tag).
> --
> You received this message because you are subscribed to the Google Groups "syzkaller-android-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-android...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-android-bugs/CABymUCPHjdn1C6P5T-cJVBpP89ov57Xg%3DW%3DmXTVu0qYW4bA01Q%40mail.gmail.com.
Please resend the email to syzbo...@syzkaller.appspotmail.com address
that is the sender of the bug report (also present in the Reported-by tag).
> You received this message because you are subscribed to the Google Groups "syzkaller-android-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-android...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-android-bugs/CABymUCPHjdn1C6P5T-cJVBpP89ov57Xg%3DW%3DmXTVu0qYW4bA01Q%40mail.gmail.com.
Jun Nie
Nov 4, 2022, 4:32:15 AM11/4/22
to syzkaller-a...@googlegroups.com, syzbot+8234f4...@syzkaller.appspotmail.com
syzbot
Nov 4, 2022, 7:40:25 AM11/4/22
to jun...@linaro.org, syzkaller-a...@googlegroups.com
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
18c/0x3f0
syzbot tried to test the proposed patch but the build/boot failed:
[ 19.612252][ T110] ? ip6_dst_idev+0x40/0x40
[ 19.616724][ T110] NF_HOOK+0x88/0x210
[ 19.620692][ T110] ? NF_HOOK+0x210/0x210
[ 19.625015][ T110] ndisc_send_skb+0x62b/0x9b0
[ 19.629694][ T110] ndisc_send_rs+0x26c/0x360
[ 19.634273][ T110] addrconf_dad_completed+0x493/0x970
[ 19.639627][ T110] addrconf_dad_work+0x9d0/0x12d0
[ 19.644627][ T110] process_one_work+0x3d5/0x640
[ 19.649457][ T110] worker_thread+0x723/0xa60
[ 19.654191][ T110] ? __kasan_check_write+0x14/0x20
[ 19.659726][ T110] ? _raw_spin_lock_irqsave+0x9e/0x190
[ 19.665266][ T110] kthread+0x349/0x3d0
[ 19.669327][ T110] ? pr_cont_work+0x110/0x110
[ 19.674002][ T110] ? __list_add+0xc0/0xc0
[ 19.678402][ T110] ret_from_fork+0x1f/0x30
[ 19.683694][ T110] ================================================================================
[ 19.693664][ T110] ================================================================================
[ 19.703831][ T110] UBSAN: object-size-mismatch in ./include/linux/skbuff.h:1927:2
[ 19.711856][ T110] member access within address ffffc900008e7600 with insufficient space
[ 19.720454][ T110] for an object of type 'struct sk_buff'
[ 19.726194][ T110] CPU: 1 PID: 110 Comm: kworker/1:3 Not tainted 5.12.0-rc4-syzkaller-00001-g4d93874b9e9c #0
[ 19.736779][ T110] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022
[ 19.747494][ T110] Workqueue: ipv6_addrconf addrconf_dad_work
[ 19.753725][ T110] Call Trace:
[ 19.756995][ T110] dump_stack+0x1bb/0x220
[ 19.761475][ T110] ubsan_type_mismatch_common+0x1e9/0x390
[ 19.767346][ T110] __ubsan_handle_type_mismatch_v1+0x4b/0x60
[ 19.773299][ T110] wg_xmit+0x55f/0xab0
[ 19.777433][ T110] ? skb_network_protocol+0x182/0x440
[ 19.782962][ T110] netdev_start_xmit+0x8a/0x160
[ 19.788033][ T110] dev_hard_start_xmit+0x18d/0x2f0
[ 19.793119][ T110] __dev_queue_xmit+0xeea/0x1960
[ 19.798032][ T110] dev_queue_xmit+0x17/0x20
[ 19.802511][ T110] neigh_connected_output+0x288/0x2b0
[ 19.807854][ T110] ip6_finish_output2+0xc34/0x1020
[ 19.812944][ T110] ? ip6_mtu+0xf1/0x140
[ 19.817072][ T110] __ip6_finish_output+0x3e6/0x530
[ 19.822393][ T110] ip6_finish_output+0x1c9/0x1e0
[ 19.827683][ T110] ? ip6_output+0x175/0x3f0
[ 19.832371][ T110] ip6_output+0x18c/0x3f0
[ 19.836870][ T110] ? ip6_dst_idev+0x40/0x40
[ 19.841377][ T110] NF_HOOK+0x88/0x210
[ 19.845425][ T110] ? NF_HOOK+0x210/0x210
[ 19.849731][ T110] ndisc_send_skb+0x62b/0x9b0
[ 19.854536][ T110] ndisc_send_rs+0x26c/0x360
[ 19.859371][ T110] addrconf_dad_completed+0x493/0x970
[ 19.864902][ T110] addrconf_dad_work+0x9d0/0x12d0
[ 19.870079][ T110] process_one_work+0x3d5/0x640
[ 19.874969][ T110] worker_thread+0x723/0xa60
[ 19.879856][ T110] ? __kasan_check_write+0x14/0x20
[ 19.885074][ T110] ? _raw_spin_lock_irqsave+0x9e/0x190
[ 19.890635][ T110] kthread+0x349/0x3d0
2022/11/04 11:38:51 building call list...
[ 19.894787][ T110] ? pr_cont_work+0x110/0x110
[ 19.899686][ T110] ? __list_add+0xc0/0xc0
[ 19.904289][ T110] ret_from_fork+0x1f/0x30
[ 19.908930][ T110] ================================================================================
[ 19.925475][ T376] cgroup: cgroup: disabling cgroup2 socket matching due to net_prio or net_cls activation
[ 20.030862][ T376] ==================================================================
[ 20.039342][ T376] BUG: KASAN: use-after-free in task_active_pid_ns+0x9a/0xa0
[ 20.046982][ T376] Read of size 4 at addr ffff888100156544 by task syz-executor.0/376
[ 20.055121][ T376]
[ 20.057685][ T376] CPU: 1 PID: 376 Comm: syz-executor.0 Not tainted 5.12.0-rc4-syzkaller-00001-g4d93874b9e9c #0
[ 20.068260][ T376] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022
[ 20.078757][ T376] Call Trace:
[ 20.082034][ T376] dump_stack+0x1bb/0x220
[ 20.086716][ T376] print_address_description+0x7a/0x3b0
[ 20.092696][ T376] kasan_report+0x19b/0x1e0
[ 20.097210][ T376] ? task_active_pid_ns+0x9a/0xa0
[ 20.102779][ T376] ? task_active_pid_ns+0x9a/0xa0
[ 20.108157][ T376] __asan_report_load4_noabort+0x14/0x20
[ 20.113791][ T376] task_active_pid_ns+0x9a/0xa0
[ 20.118714][ T376] do_notify_parent+0x2c7/0xa50
[ 20.124034][ T376] do_exit+0x1163/0x1aa0
[ 20.128289][ T376] do_group_exit+0x13a/0x300
[ 20.133056][ T376] get_signal+0xb1e/0x1130
[ 20.137459][ T376] arch_do_signal_or_restart+0x5d/0x6c0
[ 20.143306][ T376] exit_to_user_mode_loop+0xd4/0x110
[ 20.148688][ T376] exit_to_user_mode_prepare+0x59/0x80
[ 20.154440][ T376] syscall_exit_to_user_mode+0x24/0x40
[ 20.160081][ T376] do_syscall_64+0x40/0x70
[ 20.165036][ T376] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 20.171027][ T376] RIP: 0033:0x7fe88c80d353
[ 20.175526][ T376] Code: Unable to access opcode bytes at RIP 0x7fe88c80d329.
[ 20.183191][ T376] RSP: 002b:00007ffea4cbffe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
[ 20.192025][ T376] RAX: 0000000000000000 RBX: 00007ffea4cc0070 RCX: 00007fe88c80d353
[ 20.200263][ T376] RDX: 0000000000000000 RSI: 0000000000004c01 RDI: 0000000000000003
[ 20.208568][ T376] RBP: 0000000000000003 R08: 0000000000000000 R09: 00007ffea4cbfe80
[ 20.217135][ T376] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000032
[ 20.225284][ T376] R13: 0000000000004dce R14: 0000000000000003 R15: 00007ffea4cc00b0
[ 20.233487][ T376]
[ 20.235890][ T376] Allocated by task 0:
[ 20.239937][ T376] __kasan_slab_alloc+0xa2/0xd0
[ 20.244773][ T376] slab_post_alloc_hook+0x3f/0x70
[ 20.249862][ T376] kmem_cache_alloc+0x139/0x230
[ 20.254689][ T376] alloc_pid+0x97/0xae0
[ 20.258823][ T376] copy_process+0xe4a/0x21b0
[ 20.263570][ T376] kernel_clone+0x1df/0x6a0
[ 20.268220][ T376] kernel_thread+0x109/0x150
[ 20.272786][ T376] rest_init+0x22/0xf0
[ 20.277013][ T376] arch_call_rest_init+0xe/0x10
[ 20.281852][ T376] start_kernel+0x45f/0x4d1
[ 20.286336][ T376] x86_64_start_reservations+0x2a/0x2c
[ 20.291864][ T376] x86_64_start_kernel+0x7a/0x7d
[ 20.296777][ T376] secondary_startup_64_no_verify+0xb0/0xbb
[ 20.302656][ T376]
[ 20.304964][ T376] Freed by task 374:
[ 20.308829][ T376] kasan_set_track+0x4c/0x80
[ 20.313554][ T376] kasan_set_free_info+0x23/0x40
[ 20.318901][ T376] ____kasan_slab_free+0x113/0x150
[ 20.324082][ T376] __kasan_slab_free+0xe/0x10
[ 20.328830][ T376] slab_free_freelist_hook+0xa7/0x170
[ 20.337257][ T376] kmem_cache_free+0x9a/0x190
[ 20.342297][ T376] put_pid+0xb3/0x120
[ 20.346813][ T376] proc_do_cad_pid+0x131/0x1d0
[ 20.351762][ T376] proc_sys_call_handler+0x492/0x640
[ 20.357290][ T376] proc_sys_write+0x22/0x30
[ 20.363445][ T376] vfs_write+0x466/0x560
[ 20.367965][ T376] ksys_write+0x155/0x260
[ 20.372667][ T376] __x64_sys_write+0x7b/0x90
[ 20.377489][ T376] do_syscall_64+0x34/0x70
[ 20.382249][ T376] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 20.388350][ T376]
[ 20.390918][ T376] The buggy address belongs to the object at ffff888100156540
[ 20.390918][ T376] which belongs to the cache pid of size 112
[ 20.405475][ T376] The buggy address is located 4 bytes inside of
[ 20.405475][ T376] 112-byte region [ffff888100156540, ffff8881001565b0)
[ 20.419188][ T376] The buggy address belongs to the page:
[ 20.424808][ T376] page:ffffea0004005580 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100156
[ 20.435620][ T376] flags: 0x8000000000000200(slab)
[ 20.441135][ T376] raw: 8000000000000200 dead000000000100 dead000000000122 ffff88810012fdc0
[ 20.450854][ T376] raw: 0000000000000000 0000000000150015 00000001ffffffff 0000000000000000
[ 20.460336][ T376] page dumped because: kasan: bad access detected
[ 20.467109][ T376] page_owner tracks the page as allocated
[ 20.472899][ T376] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x0(), pid 1, ts 1262543955
[ 20.483306][ T376] register_early_stack+0x41/0x80
[ 20.488403][ T376] init_page_owner+0x32/0x4f0
[ 20.493145][ T376] invoke_init_callbacks+0x63/0x6d
[ 20.498231][ T376] page_ext_init+0x316/0x333
[ 20.502904][ T376] page_owner free stack trace missing
[ 20.508490][ T376]
[ 20.510913][ T376] Memory state around the buggy address:
[ 20.516610][ T376] ffff888100156400: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 20.524867][ T376] ffff888100156480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc
[ 20.533730][ T376] >ffff888100156500: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 20.541966][ T376] ^
[ 20.549926][ T376] ffff888100156580: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
[ 20.558058][ T376] ffff888100156600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc
[ 20.566350][ T376] ==================================================================
[ 20.574381][ T376] Disabling lock debugging due to kernel taint
[ 20.580605][ T376] BUG: unable to handle page fault for address: ffffed122001bdb7
[ 20.588300][ T376] #PF: supervisor read access in kernel mode
[ 20.594509][ T376] #PF: error_code(0x0000) - not-present page
[ 20.601713][ T376] PGD 23fff2067 P4D 23fff2067 PUD 0
[ 20.607000][ T376] Oops: 0000 [#1] PREEMPT SMP KASAN
[ 20.612347][ T376] CPU: 1 PID: 376 Comm: syz-executor.0 Tainted: G B 5.12.0-rc4-syzkaller-00001-g4d93874b9e9c #0
[ 20.624924][ T376] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022
[ 20.635577][ T376] RIP: 0010:task_active_pid_ns+0x69/0xa0
[ 20.641385][ T376] Code: 1d 23 1d 00 48 8d 7b 04 48 89 f8 48 c1 e8 03 42 8a 04 30 84 c0 75 33 8b 43 04 48 c1 e0 04 48 8d 5c 03 68 48 89 d8 48 c1 e8 03 <42> 80 3c 30 00 74 08 48 89 df e8 f8 bc 4c 00 48 8b 03 eb 07 e8 de
[ 20.661431][ T376] RSP: 0018:ffffc90000947b68 EFLAGS: 00010806
[ 20.667585][ T376] RAX: 1ffff1122001bdb7 RBX: ffff8891000dedb8 RCX: 0000000000000002
[ 20.675725][ T376] RDX: 0000000000000000 RSI: 0000000000000082 RDI: 0000000000000001
[ 20.683859][ T376] RBP: ffffc90000947b78 R08: ffffffff8135ddf3 R09: fffffbfff0bb92f5
[ 20.692069][ T376] R10: fffffbfff0bb92f5 R11: 1ffffffff0bb92f4 R12: dffffc0000000000
[ 20.700385][ T376] R13: ffff88811b400000 R14: dffffc0000000000 R15: ffff88811b400578
[ 20.708521][ T376] FS: 0000000000000000(0000) GS:ffff8881f7300000(0000) knlGS:0000000000000000
[ 20.717891][ T376] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 20.724548][ T376] CR2: ffffed122001bdb7 CR3: 000000011b4d1000 CR4: 00000000003506a0
[ 20.732613][ T376] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 20.741435][ T376] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 20.750409][ T376] Call Trace:
[ 20.754809][ T376] do_notify_parent+0x2c7/0xa50
[ 20.759748][ T376] do_exit+0x1163/0x1aa0
[ 20.764666][ T376] do_group_exit+0x13a/0x300
[ 20.769319][ T376] get_signal+0xb1e/0x1130
[ 20.773725][ T376] arch_do_signal_or_restart+0x5d/0x6c0
[ 20.779276][ T376] exit_to_user_mode_loop+0xd4/0x110
[ 20.784655][ T376] exit_to_user_mode_prepare+0x59/0x80
[ 20.790559][ T376] syscall_exit_to_user_mode+0x24/0x40
[ 20.796313][ T376] do_syscall_64+0x40/0x70
[ 20.800710][ T376] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 20.806609][ T376] RIP: 0033:0x7fe88c80d353
[ 20.811382][ T376] Code: Unable to access opcode bytes at RIP 0x7fe88c80d329.
[ 20.820297][ T376] RSP: 002b:00007ffea4cbffe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
[ 20.829053][ T376] RAX: 0000000000000000 RBX: 00007ffea4cc0070 RCX: 00007fe88c80d353
[ 20.837002][ T376] RDX: 0000000000000000 RSI: 0000000000004c01 RDI: 0000000000000003
[ 20.845274][ T376] RBP: 0000000000000003 R08: 0000000000000000 R09: 00007ffea4cbfe80
[ 20.853487][ T376] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000032
[ 20.862080][ T376] R13: 0000000000004dce R14: 0000000000000003 R15: 00007ffea4cc00b0
[ 20.870051][ T376] Modules linked in:
[ 20.874096][ T376] CR2: ffffed122001bdb7
[ 20.878224][ T376] ---[ end trace a089e3446305001c ]---
[ 20.883752][ T376] RIP: 0010:task_active_pid_ns+0x69/0xa0
[ 20.889560][ T376] Code: 1d 23 1d 00 48 8d 7b 04 48 89 f8 48 c1 e8 03 42 8a 04 30 84 c0 75 33 8b 43 04 48 c1 e0 04 48 8d 5c 03 68 48 89 d8 48 c1 e8 03 <42> 80 3c 30 00 74 08 48 89 df e8 f8 bc 4c 00 48 8b 03 eb 07 e8 de
[ 20.909514][ T376] RSP: 0018:ffffc90000947b68 EFLAGS: 00010806
[ 20.915842][ T376] RAX: 1ffff1122001bdb7 RBX: ffff8891000dedb8 RCX: 0000000000000002
[ 20.924575][ T376] RDX: 0000000000000000 RSI: 0000000000000082 RDI: 0000000000000001
[ 20.932729][ T376] RBP: ffffc90000947b78 R08: ffffffff8135ddf3 R09: fffffbfff0bb92f5
[ 20.940968][ T376] R10: fffffbfff0bb92f5 R11: 1ffffffff0bb92f4 R12: dffffc0000000000
[ 20.948934][ T376] R13: ffff88811b400000 R14: dffffc0000000000 R15: ffff88811b400578
[ 20.957071][ T376] FS: 0000000000000000(0000) GS:ffff8881f7300000(0000) knlGS:0000000000000000
[ 20.966247][ T376] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 20.972915][ T376] CR2: ffffed122001bdb7 CR3: 000000011b4d1000 CR4: 00000000003506a0
[ 20.981313][ T376] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 20.990016][ T376] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 20.998308][ T376] Kernel panic - not syncing: Fatal exception
[ 21.005189][ T376] Kernel Offset: disabled
[ 21.009931][ T376] Rebooting in 86400 seconds..
git status (err=<nil>)
nothing to commit, working tree clean
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
bin/syz-sysgen
make .descriptions
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=267e3bb1576b2f9fa97ae49305aaaa80768ba385 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20221004-181533'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-fuzzer github.com/google/syzkaller/syz-fuzzer
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=267e3bb1576b2f9fa97ae49305aaaa80768ba385 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20221004-181533'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=267e3bb1576b2f9fa97ae49305aaaa80768ba385 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20221004-181533'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-stress github.com/google/syzkaller/tools/syz-stress
mkdir -p ./bin/linux_amd64
gcc -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -static-pie -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"267e3bb1576b2f9fa97ae49305aaaa80768ba385\"
gcc -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -static-pie -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
Error text is too large and was truncated, full error text is at:
Tested on:
commit: 4d93874b ext4: use memcpy_from_page() in pagecache_rea..
git tree: https://android.googlesource.com/kernel/common
kernel config: https://syzkaller.appspot.com/x/.config?x=450e26a05ad3c424
dashboard link: https://syzkaller.appspot.com/bug?extid=8234f4fea762dd893f3d
Jun Nie
Nov 14, 2022, 1:07:12 AM11/14/22
to syzbot+e00d13...@syzkaller.appspotmail.com, syzkaller-a...@googlegroups.com
#syz test: https://android.googlesource.com/kernel/common 4fe89d07dcc2804c
Reported-by: syzbot+e00d13...@syzkaller.appspotmail.com
Reported-by: syzbot+e00d13...@syzkaller.appspotmail.com
syzbot
Nov 14, 2022, 4:03:27 AM11/14/22
to jun...@linaro.org, syzkaller-a...@googlegroups.com
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: syzbot+e00d13...@syzkaller.appspotmail.com
Tested on:
commit: 4fe89d07 Linux 6.0
git tree: https://android.googlesource.com/kernel/common
console output: https://syzkaller.appspot.com/x/log.txt?x=16800c59880000
kernel config: https://syzkaller.appspot.com/x/.config?x=1a06811c7a15b3a7
dashboard link: https://syzkaller.appspot.com/bug?extid=e00d1302e217068ee641
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: syzbot+e00d13...@syzkaller.appspotmail.com
Tested on:
commit: 4fe89d07 Linux 6.0
git tree: https://android.googlesource.com/kernel/common
console output: https://syzkaller.appspot.com/x/log.txt?x=16800c59880000
kernel config: https://syzkaller.appspot.com/x/.config?x=1a06811c7a15b3a7
dashboard link: https://syzkaller.appspot.com/bug?extid=e00d1302e217068ee641
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
Note: no patches were applied.
Note: testing is done by a robot and is best-effort only.
Note: no patches were applied.
Jun Nie
Nov 14, 2022, 4:17:52 AM11/14/22
to syzbot+e00d13...@syzkaller.appspotmail.com, syzkaller-a...@googlegroups.com
#syz test: https://android.googlesource.com/kernel/common 2c85ebc57b3e
The previous test shows there is no issue on mainline. Let's test on
v5.10 to check whether its behavior is aligned with:
https://buganizer.corp.google.com/issues/229548439
The previous test shows there is no issue on mainline. Let's test on
v5.10 to check whether its behavior is aligned with:
https://buganizer.corp.google.com/issues/229548439
syzbot
Nov 14, 2022, 4:42:25 AM11/14/22
to jun...@linaro.org, syzkaller-a...@googlegroups.com
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
20.742419][ T371] addrconf_dad_work+0x9d0/0x12d0
syzbot tried to test the proposed patch but the build/boot failed:
[ 20.747777][ T371] process_one_work+0x3d5/0x640
[ 20.752799][ T371] worker_thread+0x723/0xa60
[ 20.757653][ T371] ? _raw_spin_lock_irqsave+0xa2/0x220
[ 20.763211][ T371] kthread+0x365/0x400
[ 20.767568][ T371] ? pr_cont_work+0x110/0x110
[ 20.772516][ T371] ? __list_add+0xc0/0xc0
[ 20.776930][ T371] ret_from_fork+0x1f/0x30
[ 20.781365][ T371] ================================================================================
[ 20.790938][ T371] ================================================================================
[ 20.800375][ T371] UBSAN: object-size-mismatch in ./include/linux/skbuff.h:1909:2
[ 20.808865][ T371] member access within address 0000000001f5e535 with insufficient space
[ 20.817467][ T371] for an object of type 'struct sk_buff'
[ 20.823133][ T371] CPU: 1 PID: 371 Comm: kworker/1:2 Not tainted 5.10.0-syzkaller #0
[ 20.831102][ T371] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 20.841514][ T371] Workqueue: ipv6_addrconf addrconf_dad_work
[ 20.847483][ T371] Call Trace:
[ 20.850759][ T371] dump_stack+0x19c/0x1e2
[ 20.855162][ T371] ubsan_type_mismatch_common+0x1ed/0x3a0
[ 20.860977][ T371] __ubsan_handle_type_mismatch_v1+0x4b/0x60
[ 20.867262][ T371] wg_xmit+0x48f/0xa60
[ 20.871321][ T371] ? __sanitizer_cov_trace_switch+0x64/0x80
[ 20.877292][ T371] netdev_start_xmit+0x8a/0x160
[ 20.882219][ T371] dev_hard_start_xmit+0x18d/0x2f0
[ 20.887338][ T371] __dev_queue_xmit+0xf16/0x1920
[ 20.892264][ T371] ? __kasan_check_write+0x14/0x20
[ 20.897366][ T371] dev_queue_xmit+0x17/0x20
[ 20.902205][ T371] neigh_connected_output+0x288/0x2b0
[ 20.907660][ T371] ip6_finish_output2+0xc34/0x1020
[ 20.912841][ T371] ? ip6_mtu+0xf1/0x140
[ 20.916981][ T371] __ip6_finish_output+0x279/0x370
[ 20.922430][ T371] ip6_finish_output+0x20b/0x220
[ 20.927527][ T371] ? ip6_output+0x175/0x3f0
[ 20.932352][ T371] ip6_output+0x18c/0x3f0
[ 20.936877][ T371] ? ip6_dst_idev+0x40/0x40
[ 20.941372][ T371] NF_HOOK+0x88/0x210
[ 20.945346][ T371] ? NF_HOOK+0x210/0x210
[ 20.949672][ T371] ndisc_send_skb+0x653/0x9f0
[ 20.954843][ T371] ndisc_send_rs+0x26c/0x360
[ 20.959522][ T371] addrconf_dad_completed+0x493/0x970
[ 20.965092][ T371] addrconf_dad_work+0x9d0/0x12d0
[ 20.970274][ T371] process_one_work+0x3d5/0x640
[ 20.975107][ T371] worker_thread+0x723/0xa60
[ 20.979939][ T371] ? _raw_spin_lock_irqsave+0xa2/0x220
[ 20.985505][ T371] kthread+0x365/0x400
[ 20.989680][ T371] ? pr_cont_work+0x110/0x110
[ 20.994487][ T371] ? __list_add+0xc0/0xc0
[ 20.998997][ T371] ret_from_fork+0x1f/0x30
[ 21.003868][ T371] ================================================================================
2022/11/14 09:41:41 building call list...
[ 21.019428][ T373] cgroup: cgroup: disabling cgroup2 socket matching due to net_prio or net_cls activation
[ 21.110026][ T373] ==================================================================
[ 21.118319][ T373] BUG: KASAN: use-after-free in task_active_pid_ns+0x9a/0xa0
[ 21.126127][ T373] Read of size 4 at addr ffff88810015a0c4 by task syz-executor.0/373
[ 21.134522][ T373]
[ 21.136931][ T373] CPU: 0 PID: 373 Comm: syz-executor.0 Not tainted 5.10.0-syzkaller #0
[ 21.145522][ T373] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 21.155758][ T373] Call Trace:
[ 21.159136][ T373] dump_stack+0x19c/0x1e2
[ 21.163465][ T373] print_address_description+0x7e/0x6a0
[ 21.169097][ T373] ? printk+0x76/0x96
[ 21.173071][ T373] kasan_report+0x16f/0x210
[ 21.177566][ T373] ? task_active_pid_ns+0x9a/0xa0
[ 21.182588][ T373] ? task_active_pid_ns+0x9a/0xa0
[ 21.187614][ T373] __asan_report_load4_noabort+0x14/0x20
[ 21.193240][ T373] task_active_pid_ns+0x9a/0xa0
[ 21.198194][ T373] do_notify_parent+0x2c7/0xa70
[ 21.203050][ T373] ? __kasan_check_write+0x14/0x20
[ 21.208172][ T373] do_exit+0x1a52/0x2190
[ 21.212432][ T373] do_group_exit+0x13f/0x310
[ 21.217136][ T373] get_signal+0xbef/0x10c0
[ 21.221650][ T373] arch_do_signal+0x42/0x710
[ 21.226496][ T373] exit_to_user_mode_loop+0xa3/0xe0
[ 21.231687][ T373] syscall_exit_to_user_mode+0x77/0xa0
[ 21.237419][ T373] do_syscall_64+0x40/0x70
[ 21.241921][ T373] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 21.247799][ T373] RIP: 0033:0x7f9fad181263
[ 21.252201][ T373] Code: Unable to access opcode bytes at RIP 0x7f9fad181239.
[ 21.260084][ T373] RSP: 002b:00007fffb778e148 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 21.268494][ T373] RAX: 000000000000000c RBX: 0000000000000002 RCX: 00007f9fad181263
[ 21.276726][ T373] RDX: 000000000000000c RSI: 00007fffb778e210 RDI: 00000000000000f8
[ 21.284694][ T373] RBP: 00007fffb778e1ac R08: 00007fffb77ef080 R09: 00007fffb77ef0b8
[ 21.292969][ T373] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000032
[ 21.300953][ T373] R13: 0000000000005217 R14: 0000000000000003 R15: 00007fffb778e210
[ 21.308935][ T373]
[ 21.311265][ T373] Allocated by task 0:
[ 21.315352][ T373] __kasan_kmalloc+0x11a/0x150
[ 21.320109][ T373] kasan_slab_alloc+0xe/0x10
[ 21.324875][ T373] slab_post_alloc_hook+0x3f/0x70
[ 21.329971][ T373] kmem_cache_alloc+0x143/0x200
[ 21.334820][ T373] alloc_pid+0x9a/0xb00
[ 21.339142][ T373] copy_process+0xdc0/0x2110
[ 21.343719][ T373] kernel_clone+0x1df/0x690
[ 21.348373][ T373] kernel_thread+0x11b/0x160
[ 21.352973][ T373] rest_init+0x22/0xf0
[ 21.357242][ T373] arch_call_rest_init+0xe/0x10
[ 21.362094][ T373] start_kernel+0x47d/0x518
[ 21.366586][ T373] x86_64_start_reservations+0x2a/0x2c
[ 21.372032][ T373] x86_64_start_kernel+0x7a/0x7d
[ 21.376984][ T373] secondary_startup_64_no_verify+0xb0/0xbb
[ 21.383050][ T373]
[ 21.385367][ T373] Freed by task 370:
[ 21.389261][ T373] kasan_set_track+0x4c/0x80
[ 21.394023][ T373] kasan_set_free_info+0x1b/0x30
[ 21.398957][ T373] __kasan_slab_free+0x11c/0x150
[ 21.403883][ T373] kasan_slab_free+0xe/0x10
[ 21.409501][ T373] slab_free_freelist_hook+0x8b/0x160
[ 21.414963][ T373] kmem_cache_free+0x9a/0x1c0
[ 21.419888][ T373] put_pid+0xb3/0x120
[ 21.423867][ T373] proc_do_cad_pid+0x131/0x1d0
[ 21.428618][ T373] proc_sys_call_handler+0x48d/0x640
[ 21.434044][ T373] proc_sys_write+0x22/0x30
[ 21.438806][ T373] vfs_write+0x466/0x560
[ 21.443045][ T373] ksys_write+0x155/0x260
[ 21.447478][ T373] __x64_sys_write+0x7b/0x90
[ 21.452254][ T373] do_syscall_64+0x34/0x70
[ 21.456776][ T373] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 21.462886][ T373]
[ 21.465215][ T373] The buggy address belongs to the object at ffff88810015a0c0
[ 21.465215][ T373] which belongs to the cache pid of size 112
[ 21.478866][ T373] The buggy address is located 4 bytes inside of
[ 21.478866][ T373] 112-byte region [ffff88810015a0c0, ffff88810015a130)
[ 21.492346][ T373] The buggy address belongs to the page:
[ 21.498061][ T373] page:00000000de6236d4 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10015a
[ 21.508547][ T373] flags: 0x8000000000000200(slab)
[ 21.513721][ T373] raw: 8000000000000200 dead000000000100 dead000000000122 ffff888100134dc0
[ 21.522392][ T373] raw: 0000000000000000 0000000000150015 00000001ffffffff 0000000000000000
[ 21.531086][ T373] page dumped because: kasan: bad access detected
[ 21.537577][ T373] page_owner tracks the page as allocated
[ 21.543473][ T373] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x0()
[ 21.551988][ T373] register_early_stack+0x41/0x80
[ 21.557063][ T373] init_page_owner+0x32/0x4f0
[ 21.561749][ T373] invoke_init_callbacks+0x63/0x6d
[ 21.566849][ T373] page_ext_init+0x348/0x371
[ 21.571417][ T373] page_owner free stack trace missing
[ 21.576771][ T373]
[ 21.579110][ T373] Memory state around the buggy address:
[ 21.585086][ T373] ffff888100159f80: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
[ 21.593230][ T373] ffff88810015a000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc
[ 21.601394][ T373] >ffff88810015a080: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 21.609439][ T373] ^
[ 21.615666][ T373] ffff88810015a100: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
[ 21.623894][ T373] ffff88810015a180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc
[ 21.632204][ T373] ==================================================================
[ 21.640248][ T373] Disabling lock debugging due to kernel taint
[ 21.646490][ T373] BUG: unable to handle page fault for address: ffffed122001c527
[ 21.654377][ T373] #PF: supervisor read access in kernel mode
[ 21.660531][ T373] #PF: error_code(0x0000) - not-present page
[ 21.666606][ T373] PGD 23fff2067 P4D 23fff2067 PUD 0
[ 21.671907][ T373] Oops: 0000 [#1] PREEMPT SMP KASAN
[ 21.677203][ T373] CPU: 0 PID: 373 Comm: syz-executor.0 Tainted: G B 5.10.0-syzkaller #0
[ 21.686921][ T373] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 21.696987][ T373] RIP: 0010:task_active_pid_ns+0x69/0xa0
[ 21.702793][ T373] Code: 5d 56 1d 00 48 8d 7b 04 48 89 f8 48 c1 e8 03 42 8a 04 30 84 c0 75 33 8b 43 04 48 c1 e0 04 48 8d 5c 03 68 48 89 d8 48 c1 e8 03 <42> 80 3c 30 00 74 08 48 89 df e8 28 a7 4c 00 48 8b 03 eb 07 e8 1e
[ 21.722737][ T373] RSP: 0018:ffffc90000937b40 EFLAGS: 00010806
[ 21.728898][ T373] RAX: 1ffff1122001c527 RBX: ffff8891000e2938 RCX: 0000000000000002
[ 21.737223][ T373] RDX: 0000000000000000 RSI: 0000000000000086 RDI: 0000000000000001
[ 21.745481][ T373] RBP: ffffc90000937b50 R08: ffff888119ae6ac0 R09: fffffbfff0bc26f9
[ 21.753519][ T373] R10: fffffbfff0bc26f9 R11: 1ffffffff0bc26f8 R12: dffffc0000000000
[ 21.761553][ T373] R13: ffff888119ae6ac0 R14: dffffc0000000000 R15: ffff888119ae6fe0
[ 21.769522][ T373] FS: 0000000000000000(0000) GS:ffff8881f7200000(0000) knlGS:0000000000000000
[ 21.778429][ T373] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 21.785078][ T373] CR2: ffffed122001c527 CR3: 000000011590f000 CR4: 00000000003506b0
[ 21.793307][ T373] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 21.801627][ T373] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 21.809661][ T373] Call Trace:
[ 21.813019][ T373] do_notify_parent+0x2c7/0xa70
[ 21.817848][ T373] ? __kasan_check_write+0x14/0x20
[ 21.823024][ T373] do_exit+0x1a52/0x2190
[ 21.827438][ T373] do_group_exit+0x13f/0x310
[ 21.832187][ T373] get_signal+0xbef/0x10c0
[ 21.836698][ T373] arch_do_signal+0x42/0x710
[ 21.841305][ T373] exit_to_user_mode_loop+0xa3/0xe0
[ 21.846580][ T373] syscall_exit_to_user_mode+0x77/0xa0
[ 21.852174][ T373] do_syscall_64+0x40/0x70
[ 21.856768][ T373] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 21.862666][ T373] RIP: 0033:0x7f9fad181263
[ 21.867148][ T373] Code: Unable to access opcode bytes at RIP 0x7f9fad181239.
[ 21.876055][ T373] RSP: 002b:00007fffb778e148 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 21.884621][ T373] RAX: 000000000000000c RBX: 0000000000000002 RCX: 00007f9fad181263
[ 21.892746][ T373] RDX: 000000000000000c RSI: 00007fffb778e210 RDI: 00000000000000f8
[ 21.900921][ T373] RBP: 00007fffb778e1ac R08: 00007fffb77ef080 R09: 00007fffb77ef0b8
[ 21.909133][ T373] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000032
[ 21.917177][ T373] R13: 0000000000005217 R14: 0000000000000003 R15: 00007fffb778e210
[ 21.925130][ T373] Modules linked in:
[ 21.929028][ T373] CR2: ffffed122001c527
[ 21.933163][ T373] ---[ end trace c7539476c6f0379d ]---
[ 21.938692][ T373] RIP: 0010:task_active_pid_ns+0x69/0xa0
[ 21.944597][ T373] Code: 5d 56 1d 00 48 8d 7b 04 48 89 f8 48 c1 e8 03 42 8a 04 30 84 c0 75 33 8b 43 04 48 c1 e0 04 48 8d 5c 03 68 48 89 d8 48 c1 e8 03 <42> 80 3c 30 00 74 08 48 89 df e8 28 a7 4c 00 48 8b 03 eb 07 e8 1e
[ 21.964702][ T373] RSP: 0018:ffffc90000937b40 EFLAGS: 00010806
[ 21.971156][ T373] RAX: 1ffff1122001c527 RBX: ffff8891000e2938 RCX: 0000000000000002
[ 21.979370][ T373] RDX: 0000000000000000 RSI: 0000000000000086 RDI: 0000000000000001
[ 21.987657][ T373] RBP: ffffc90000937b50 R08: ffff888119ae6ac0 R09: fffffbfff0bc26f9
[ 21.995896][ T373] R10: fffffbfff0bc26f9 R11: 1ffffffff0bc26f8 R12: dffffc0000000000
[ 22.004056][ T373] R13: ffff888119ae6ac0 R14: dffffc0000000000 R15: ffff888119ae6fe0
[ 22.012205][ T373] FS: 0000000000000000(0000) GS:ffff8881f7200000(0000) knlGS:0000000000000000
[ 22.021268][ T373] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 22.027928][ T373] CR2: ffffed122001c527 CR3: 000000011590f000 CR4: 00000000003506b0
[ 22.036349][ T373] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 22.044577][ T373] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 22.052641][ T373] Kernel panic - not syncing: Fatal exception
[ 23.184354][ T373] Shutting down cpus with NMI
[ 23.189511][ T373] Kernel Offset: disabled
[ 23.193991][ T373] Rebooting in 86400 seconds..
git status (err=<nil>)
nothing to commit, working tree clean
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:32: run command via tools/syz-env for best compatibility, see:
Makefile:33: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
tput: No value for $TERM and no -T specified
Makefile:32: run command via tools/syz-env for best compatibility, see:
Makefile:33: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
bin/syz-sysgen
tput: No value for $TERM and no -T specified
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=c0b80a55c9c8cfe75e77c555ed0d4ae7aa373cc2 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20221021-135310'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-fuzzer github.com/google/syzkaller/syz-fuzzer
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=c0b80a55c9c8cfe75e77c555ed0d4ae7aa373cc2 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20221021-135310'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=c0b80a55c9c8cfe75e77c555ed0d4ae7aa373cc2 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20221021-135310'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-stress github.com/google/syzkaller/tools/syz-stress
mkdir -p ./bin/linux_amd64
gcc -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -static-pie -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"c0b80a55c9c8cfe75e77c555ed0d4ae7aa373cc2\"
gcc -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -static-pie -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
Error text is too large and was truncated, full error text is at:
Tested on:
commit: 2c85ebc5 Linux 5.10
kernel config: https://syzkaller.appspot.com/x/.config?x=c0a5cf5454641b9e
Jun Nie
Nov 14, 2022, 9:56:28 PM11/14/22
to syzbot+e00d13...@syzkaller.appspotmail.com, syzkaller-a...@googlegroups.com
The previous test shows there is no issue on mainline. And a different
bug is triggered in v5.10. Let's test on
v5.10 again to check whether the bug is with
cf85b88b79d07390576fcb5d17ec25c34032d98e and the behavior is aligned
with:
https://buganizer.corp.google.com/issues/229548439
bug is triggered in v5.10. Let's test on
v5.10 again to check whether the bug is with
cf85b88b79d07390576fcb5d17ec25c34032d98e and the behavior is aligned
with:
https://buganizer.corp.google.com/issues/229548439
Jun Nie
Nov 15, 2022, 4:12:52 AM11/15/22
to syzkaller-a...@googlegroups.com, syzbot+8234f4...@syzkaller.appspotmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
094226ad94f471a9f19
Collect log on mainline
Reported-by: syzbot+8234f4...@syzkaller.appspotmail.com
094226ad94f471a9f19
Collect log on mainline
Reported-by: syzbot+8234f4...@syzkaller.appspotmail.com
syzbot
Nov 15, 2022, 6:12:26 AM11/15/22
to jun...@linaro.org, syzkaller-a...@googlegroups.com
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
_rs+0x26c/0x360
syzbot tried to test the proposed patch but the build/boot failed:
[ 20.892755][ T73] addrconf_dad_completed+0x493/0x970
[ 20.898105][ T73] addrconf_dad_work+0x9d0/0x12d0
[ 20.903104][ T73] process_one_work+0x3d5/0x640
[ 20.907965][ T73] worker_thread+0x723/0xa60
[ 20.912530][ T73] ? _raw_spin_lock_irqsave+0xa2/0x220
[ 20.917966][ T73] kthread+0x365/0x400
[ 20.922010][ T73] ? pr_cont_work+0x110/0x110
[ 20.926656][ T73] ? __list_add+0xc0/0xc0
[ 20.930958][ T73] ret_from_fork+0x1f/0x30
[ 20.935379][ T73] ================================================================================
[ 20.944648][ T73] ================================================================================
[ 20.953896][ T73] UBSAN: object-size-mismatch in ./include/linux/skbuff.h:1909:2
[ 20.961609][ T73] member access within address 00000000b3930536 with insufficient space
[ 20.969924][ T73] for an object of type 'struct sk_buff'
[ 20.975556][ T73] CPU: 0 PID: 73 Comm: kworker/0:1 Not tainted 5.10.0-syzkaller #0
[ 20.983424][ T73] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 20.993461][ T73] Workqueue: ipv6_addrconf addrconf_dad_work
[ 20.999415][ T73] Call Trace:
[ 21.002679][ T73] dump_stack+0x19c/0x1e2
[ 21.007071][ T73] ubsan_type_mismatch_common+0x1ed/0x3a0
[ 21.012763][ T73] __ubsan_handle_type_mismatch_v1+0x4b/0x60
[ 21.018718][ T73] wg_xmit+0x48f/0xa60
[ 21.022760][ T73] ? __sanitizer_cov_trace_switch+0x64/0x80
[ 21.028624][ T73] netdev_start_xmit+0x8a/0x160
[ 21.033446][ T73] dev_hard_start_xmit+0x18d/0x2f0
[ 21.038531][ T73] __dev_queue_xmit+0xf16/0x1920
[ 21.043441][ T73] ? __kasan_check_write+0x14/0x20
[ 21.048535][ T73] dev_queue_xmit+0x17/0x20
[ 21.053014][ T73] neigh_connected_output+0x288/0x2b0
[ 21.058357][ T73] ip6_finish_output2+0xc34/0x1020
[ 21.063442][ T73] ? ip6_mtu+0xf1/0x140
[ 21.067571][ T73] __ip6_finish_output+0x279/0x370
[ 21.072654][ T73] ip6_finish_output+0x20b/0x220
[ 21.077565][ T73] ? ip6_output+0x175/0x3f0
[ 21.082040][ T73] ip6_output+0x18c/0x3f0
[ 21.086353][ T73] ? ip6_dst_idev+0x40/0x40
[ 21.090836][ T73] NF_HOOK+0x88/0x210
[ 21.094793][ T73] ? NF_HOOK+0x210/0x210
[ 21.099010][ T73] ndisc_send_skb+0x653/0x9f0
[ 21.103658][ T73] ndisc_send_rs+0x26c/0x360
[ 21.108220][ T73] addrconf_dad_completed+0x493/0x970
[ 21.113567][ T73] addrconf_dad_work+0x9d0/0x12d0
[ 21.118563][ T73] process_one_work+0x3d5/0x640
[ 21.123386][ T73] worker_thread+0x723/0xa60
[ 21.127955][ T73] ? _raw_spin_lock_irqsave+0xa2/0x220
2022/11/15 11:10:54 building call list...
[ 21.133387][ T73] kthread+0x365/0x400
[ 21.137438][ T73] ? pr_cont_work+0x110/0x110
[ 21.142087][ T73] ? __list_add+0xc0/0xc0
[ 21.146393][ T73] ret_from_fork+0x1f/0x30
[ 21.150828][ T73] ================================================================================
[ 21.167831][ T381] cgroup: cgroup: disabling cgroup2 socket matching due to net_prio or net_cls activation
[ 21.264631][ T381] ==================================================================
[ 21.272732][ T381] BUG: KASAN: use-after-free in task_active_pid_ns+0x9a/0xa0
[ 21.280103][ T381] Read of size 4 at addr ffff88810015a184 by task syz-executor.0/381
[ 21.289023][ T381]
[ 21.291356][ T381] CPU: 0 PID: 381 Comm: syz-executor.0 Not tainted 5.10.0-syzkaller #0
[ 21.303860][ T381] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 21.313903][ T381] Call Trace:
[ 21.317187][ T381] dump_stack+0x19c/0x1e2
[ 21.321519][ T381] print_address_description+0x7e/0x6a0
[ 21.327063][ T381] ? printk+0x76/0x96
[ 21.331074][ T381] kasan_report+0x16f/0x210
[ 21.335574][ T381] ? task_active_pid_ns+0x9a/0xa0
[ 21.340593][ T381] ? task_active_pid_ns+0x9a/0xa0
[ 21.345616][ T381] __asan_report_load4_noabort+0x14/0x20
[ 21.351241][ T381] task_active_pid_ns+0x9a/0xa0
[ 21.356112][ T381] do_notify_parent+0x2c7/0xa70
[ 21.360952][ T381] ? __kasan_check_write+0x14/0x20
[ 21.366068][ T381] do_exit+0x1a52/0x2190
[ 21.370304][ T381] do_group_exit+0x13f/0x310
[ 21.374906][ T381] get_signal+0xbef/0x10c0
[ 21.379323][ T381] arch_do_signal+0x42/0x710
[ 21.383908][ T381] exit_to_user_mode_loop+0xa3/0xe0
[ 21.389094][ T381] syscall_exit_to_user_mode+0x77/0xa0
[ 21.394539][ T381] do_syscall_64+0x40/0x70
[ 21.398953][ T381] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 21.404841][ T381] RIP: 0033:0x7f0cf48d12fe
[ 21.409254][ T381] Code: Unable to access opcode bytes at RIP 0x7f0cf48d12d4.
[ 21.416614][ T381] RSP: 002b:00007fffa7ba22d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 21.425118][ T381] RAX: fffffffffffffe00 RBX: 00007fffa7ba2360 RCX: 00007f0cf48d12fe
[ 21.433092][ T381] RDX: 0000000000000040 RSI: 00007f0cf4a3c020 RDI: 00000000000000f9
[ 21.441064][ T381] RBP: 0000000000000003 R08: 00000000000002e8 R09: ffffffffffff0000
[ 21.449028][ T381] R10: 00007f0cf4a16000 R11: 0000000000000246 R12: 0000000000000032
[ 21.457004][ T381] R13: 00000000000052ab R14: 0000000000000003 R15: 00007fffa7ba23a0
[ 21.464965][ T381]
[ 21.467282][ T381] Allocated by task 0:
[ 21.471344][ T381] __kasan_kmalloc+0x11a/0x150
[ 21.476100][ T381] kasan_slab_alloc+0xe/0x10
[ 21.480681][ T381] slab_post_alloc_hook+0x3f/0x70
[ 21.485694][ T381] kmem_cache_alloc+0x143/0x200
[ 21.490533][ T381] alloc_pid+0x9a/0xb00
[ 21.494677][ T381] copy_process+0xdc0/0x2110
[ 21.499260][ T381] kernel_clone+0x1df/0x690
[ 21.503756][ T381] kernel_thread+0x11b/0x160
[ 21.508345][ T381] rest_init+0x22/0xf0
[ 21.512409][ T381] arch_call_rest_init+0xe/0x10
[ 21.517254][ T381] start_kernel+0x47d/0x518
[ 21.521756][ T381] x86_64_start_reservations+0x2a/0x2c
[ 21.527209][ T381] x86_64_start_kernel+0x7a/0x7d
[ 21.532137][ T381] secondary_startup_64_no_verify+0xb0/0xbb
[ 21.538018][ T381]
[ 21.540342][ T381] Freed by task 379:
[ 21.544225][ T381] kasan_set_track+0x4c/0x80
[ 21.548806][ T381] kasan_set_free_info+0x1b/0x30
[ 21.553739][ T381] __kasan_slab_free+0x11c/0x150
[ 21.558665][ T381] kasan_slab_free+0xe/0x10
[ 21.563154][ T381] slab_free_freelist_hook+0x8b/0x160
[ 21.568511][ T381] kmem_cache_free+0x9a/0x1c0
[ 21.573176][ T381] put_pid+0xb3/0x120
[ 21.577149][ T381] proc_do_cad_pid+0x131/0x1d0
[ 21.581901][ T381] proc_sys_call_handler+0x48d/0x640
[ 21.587181][ T381] proc_sys_write+0x22/0x30
[ 21.591679][ T381] vfs_write+0x466/0x560
[ 21.595910][ T381] ksys_write+0x155/0x260
[ 21.600227][ T381] __x64_sys_write+0x7b/0x90
[ 21.604807][ T381] do_syscall_64+0x34/0x70
[ 21.609213][ T381] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 21.615095][ T381]
[ 21.617604][ T381] The buggy address belongs to the object at ffff88810015a180
[ 21.617604][ T381] which belongs to the cache pid of size 112
[ 21.630960][ T381] The buggy address is located 4 bytes inside of
[ 21.630960][ T381] 112-byte region [ffff88810015a180, ffff88810015a1f0)
[ 21.644053][ T381] The buggy address belongs to the page:
[ 21.649680][ T381] page:000000007a7a4ada refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10015a
[ 21.659914][ T381] flags: 0x8000000000000200(slab)
[ 21.664955][ T381] raw: 8000000000000200 dead000000000100 dead000000000122 ffff888100134a00
[ 21.673535][ T381] raw: 0000000000000000 0000000000150015 00000001ffffffff 0000000000000000
[ 21.682110][ T381] page dumped because: kasan: bad access detected
[ 21.688605][ T381] page_owner tracks the page as allocated
[ 21.694313][ T381] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x0()
[ 21.702818][ T381] register_early_stack+0x41/0x80
[ 21.707833][ T381] init_page_owner+0x32/0x4f0
[ 21.712500][ T381] invoke_init_callbacks+0x63/0x6d
[ 21.717607][ T381] page_ext_init+0x348/0x371
[ 21.722180][ T381] page_owner free stack trace missing
[ 21.727533][ T381]
[ 21.729848][ T381] Memory state around the buggy address:
[ 21.735466][ T381] ffff88810015a080: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[ 21.743702][ T381] ffff88810015a100: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 21.751754][ T381] >ffff88810015a180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[ 21.759809][ T381] ^
[ 21.763866][ T381] ffff88810015a200: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[ 21.771922][ T381] ffff88810015a280: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 21.779977][ T381] ==================================================================
[ 21.788030][ T381] Disabling lock debugging due to kernel taint
[ 21.794268][ T381] BUG: unable to handle page fault for address: ffffed122001c53f
[ 21.801974][ T381] #PF: supervisor read access in kernel mode
[ 21.807942][ T381] #PF: error_code(0x0000) - not-present page
[ 21.813907][ T381] PGD 23fff2067 P4D 23fff2067 PUD 0
[ 21.819210][ T381] Oops: 0000 [#1] PREEMPT SMP KASAN
[ 21.824406][ T381] CPU: 0 PID: 381 Comm: syz-executor.0 Tainted: G B 5.10.0-syzkaller #0
[ 21.834021][ T381] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 21.844094][ T381] RIP: 0010:task_active_pid_ns+0x69/0xa0
[ 21.849717][ T381] Code: 5d 56 1d 00 48 8d 7b 04 48 89 f8 48 c1 e8 03 42 8a 04 30 84 c0 75 33 8b 43 04 48 c1 e0 04 48 8d 5c 03 68 48 89 d8 48 c1 e8 03 <42> 80 3c 30 00 74 08 48 89 df e8 28 a7 4c 00 48 8b 03 eb 07 e8 1e
[ 21.869314][ T381] RSP: 0018:ffffc90000a77b40 EFLAGS: 00010806
[ 21.875373][ T381] RAX: 1ffff1122001c53f RBX: ffff8891000e29f8 RCX: 0000000000000002
[ 21.883427][ T381] RDX: 0000000000000000 RSI: 0000000000000086 RDI: 0000000000000001
[ 21.891393][ T381] RBP: ffffc90000a77b50 R08: ffff888119840000 R09: fffffbfff0bc26f9
[ 21.899359][ T381] R10: fffffbfff0bc26f9 R11: 1ffffffff0bc26f8 R12: dffffc0000000000
[ 21.907321][ T381] R13: ffff888119840000 R14: dffffc0000000000 R15: ffff888119840520
[ 21.915288][ T381] FS: 0000000000000000(0000) GS:ffff8881f7200000(0000) knlGS:0000000000000000
[ 21.924224][ T381] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 21.930810][ T381] CR2: ffffed122001c53f CR3: 0000000119536000 CR4: 00000000003506b0
[ 21.938782][ T381] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 21.946749][ T381] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 21.954708][ T381] Call Trace:
[ 21.957990][ T381] do_notify_parent+0x2c7/0xa70
[ 21.962843][ T381] ? __kasan_check_write+0x14/0x20
[ 21.967945][ T381] do_exit+0x1a52/0x2190
[ 21.972194][ T381] do_group_exit+0x13f/0x310
[ 21.976783][ T381] get_signal+0xbef/0x10c0
[ 21.981213][ T381] arch_do_signal+0x42/0x710
[ 21.985793][ T381] exit_to_user_mode_loop+0xa3/0xe0
[ 21.990986][ T381] syscall_exit_to_user_mode+0x77/0xa0
[ 21.996439][ T381] do_syscall_64+0x40/0x70
[ 22.000846][ T381] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 22.006726][ T381] RIP: 0033:0x7f0cf48d12fe
[ 22.011124][ T381] Code: Unable to access opcode bytes at RIP 0x7f0cf48d12d4.
[ 22.018477][ T381] RSP: 002b:00007fffa7ba22d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 22.027076][ T381] RAX: fffffffffffffe00 RBX: 00007fffa7ba2360 RCX: 00007f0cf48d12fe
[ 22.035038][ T381] RDX: 0000000000000040 RSI: 00007f0cf4a3c020 RDI: 00000000000000f9
[ 22.043002][ T381] RBP: 0000000000000003 R08: 00000000000002e8 R09: ffffffffffff0000
[ 22.050970][ T381] R10: 00007f0cf4a16000 R11: 0000000000000246 R12: 0000000000000032
[ 22.058933][ T381] R13: 00000000000052ab R14: 0000000000000003 R15: 00007fffa7ba23a0
[ 22.067017][ T381] Modules linked in:
[ 22.070908][ T381] CR2: ffffed122001c53f
[ 22.075072][ T381] ---[ end trace 0126cb864b745932 ]---
[ 22.080525][ T381] RIP: 0010:task_active_pid_ns+0x69/0xa0
[ 22.086147][ T381] Code: 5d 56 1d 00 48 8d 7b 04 48 89 f8 48 c1 e8 03 42 8a 04 30 84 c0 75 33 8b 43 04 48 c1 e0 04 48 8d 5c 03 68 48 89 d8 48 c1 e8 03 <42> 80 3c 30 00 74 08 48 89 df e8 28 a7 4c 00 48 8b 03 eb 07 e8 1e
[ 22.105746][ T381] RSP: 0018:ffffc90000a77b40 EFLAGS: 00010806
[ 22.111830][ T381] RAX: 1ffff1122001c53f RBX: ffff8891000e29f8 RCX: 0000000000000002
[ 22.119798][ T381] RDX: 0000000000000000 RSI: 0000000000000086 RDI: 0000000000000001
[ 22.127768][ T381] RBP: ffffc90000a77b50 R08: ffff888119840000 R09: fffffbfff0bc26f9
[ 22.135745][ T381] R10: fffffbfff0bc26f9 R11: 1ffffffff0bc26f8 R12: dffffc0000000000
[ 22.143728][ T381] R13: ffff888119840000 R14: dffffc0000000000 R15: ffff888119840520
[ 22.151695][ T381] FS: 0000000000000000(0000) GS:ffff8881f7200000(0000) knlGS:0000000000000000
[ 22.160621][ T381] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 22.167208][ T381] CR2: ffffed122001c53f CR3: 0000000119536000 CR4: 00000000003506b0
[ 22.175176][ T381] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 22.183144][ T381] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 22.191106][ T381] Kernel panic - not syncing: Fatal exception
[ 22.197200][ T381] Kernel Offset: disabled
[ 22.201517][ T381] Rebooting in 86400 seconds..
git status (err=<nil>)
HEAD detached at c0b80a55c
nothing to commit, working tree clean
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:32: run command via tools/syz-env for best compatibility, see:
Makefile:33: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=c0b80a55c9c8cfe75e77c555ed0d4ae7aa373cc2 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20221021-135310'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-fuzzer github.com/google/syzkaller/syz-fuzzer
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=c0b80a55c9c8cfe75e77c555ed0d4ae7aa373cc2 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20221021-135310'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=c0b80a55c9c8cfe75e77c555ed0d4ae7aa373cc2 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20221021-135310'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-stress github.com/google/syzkaller/tools/syz-stress
mkdir -p ./bin/linux_amd64
gcc -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -static-pie -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"c0b80a55c9c8cfe75e77c555ed0d4ae7aa373cc2\"
Error text is too large and was truncated, full error text is at:
syzbot
Nov 15, 2022, 7:22:24 AM11/15/22
to jun...@linaro.org, syzkaller-a...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
kernel BUG in ext4_write_inline_data_end
loop0: detected capacity change from 0 to 2048
EXT4-fs (loop0): mounted filesystem without journal. Quota mode: none.
------------[ cut here ]------------
kernel BUG at fs/ext4/inline.c:227!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 532 Comm: syz-executor.0 Not tainted 6.1.0-rc5-syzkaller #0
RIP: 0010:ext4_write_inline_data_end+0xdeb/0xdf0 fs/ext4/inline.c:768
Code: f7 e8 59 54 cb ff e9 1b fa ff ff e8 0f a7 ea 02 e8 8a 1a 85 ff 0f 0b e8 83 1a 85 ff 0f 0b e8 7c 1a 85 ff 0f 0b e8 75 1a 85 ff <0f> 0b 0f 1f 00 55 48 89 e5 41 57 41 56 41 55 41 54 53 48 83 e4 e0
RSP: 0018:ffffc90002f770e0 EFLAGS: 00010293
RAX: ffffffff81ef926b RBX: 0000000000000042 RCX: ffff8881152b53c0
RDX: 0000000000000000 RSI: 0000000000000042 RDI: 0000000000074fad
RBP: ffffc90002f77230 R08: ffffffff81ef8871 R09: ffffed1022876047
R10: ffffed1022876047 R11: 1ffff11022876046 R12: 0000000000074fad
R13: dffffc0000000000 R14: 0000000000074fa2 R15: 000000000000000b
FS: 00007f3d2f364700(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
<TASK>
ext4_write_end+0x19f/0x870 fs/ext4/inode.c:1313
ext4_da_write_end+0x84/0x950 fs/ext4/inode.c:3063
generic_perform_write+0x401/0x5f0 mm/filemap.c:3764
ext4_buffered_write_iter+0x35f/0x640 fs/ext4/file.c:285
ext4_file_write_iter+0x198/0x1cd0
do_iter_write+0x6d1/0xc30 fs/read_write.c:861
vfs_iter_write+0x7c/0xa0 fs/read_write.c:902
iter_file_splice_write+0x810/0xfd0 fs/splice.c:686
do_splice_from fs/splice.c:764 [inline]
direct_splice_actor+0xfe/0x130 fs/splice.c:931
splice_direct_to_actor+0x4d4/0xbd0 fs/splice.c:886
do_splice_direct+0x2a0/0x3f0 fs/splice.c:974
do_sendfile+0x63b/0xfd0 fs/read_write.c:1255
__do_sys_sendfile64 fs/read_write.c:1323 [inline]
__se_sys_sendfile64 fs/read_write.c:1309 [inline]
__x64_sys_sendfile64+0x1ce/0x230 fs/read_write.c:1309
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x2f/0x50 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f3d2e68b639
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f3d2f364168 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
RAX: ffffffffffffffda RBX: 00007f3d2e7abf80 RCX: 00007f3d2e68b639
RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000003
RBP: 00007f3d2e6e67e1 R08: 0000000000000000 R09: 0000000000000000
R10: 0001000000201002 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffec8352f8f R14: 00007f3d2f364300 R15: 0000000000022000
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:ext4_write_inline_data fs/ext4/inline.c:227 [inline]
RIP: 0010:ext4_write_inline_data_end+0xdeb/0xdf0 fs/ext4/inline.c:768
Code: f7 e8 59 54 cb ff e9 1b fa ff ff e8 0f a7 ea 02 e8 8a 1a 85 ff 0f 0b e8 83 1a 85 ff 0f 0b e8 7c 1a 85 ff 0f 0b e8 75 1a 85 ff <0f> 0b 0f 1f 00 55 48 89 e5 41 57 41 56 41 55 41 54 53 48 83 e4 e0
RSP: 0018:ffffc90002f770e0 EFLAGS: 00010293
RAX: ffffffff81ef926b RBX: 0000000000000042 RCX: ffff8881152b53c0
RDX: 0000000000000000 RSI: 0000000000000042 RDI: 0000000000074fad
RBP: ffffc90002f77230 R08: ffffffff81ef8871 R09: ffffed1022876047
R10: ffffed1022876047 R11: 1ffff11022876046 R12: 0000000000074fad
R13: dffffc0000000000 R14: 0000000000074fa2 R15: 000000000000000b
FS: 00007f3d2f364700(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
commit: 094226ad Linux 6.1-rc5
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=118359c1880000
kernel config: https://syzkaller.appspot.com/x/.config?x=39486294e303b3ab
dashboard link: https://syzkaller.appspot.com/bug?extid=8234f4fea762dd893f3d
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
kernel BUG in ext4_write_inline_data_end
loop0: detected capacity change from 0 to 2048
EXT4-fs (loop0): mounted filesystem without journal. Quota mode: none.
------------[ cut here ]------------
kernel BUG at fs/ext4/inline.c:227!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 532 Comm: syz-executor.0 Not tainted 6.1.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
RIP: 0010:ext4_write_inline_data fs/ext4/inline.c:227 [inline]
RIP: 0010:ext4_write_inline_data_end+0xdeb/0xdf0 fs/ext4/inline.c:768
Code: f7 e8 59 54 cb ff e9 1b fa ff ff e8 0f a7 ea 02 e8 8a 1a 85 ff 0f 0b e8 83 1a 85 ff 0f 0b e8 7c 1a 85 ff 0f 0b e8 75 1a 85 ff <0f> 0b 0f 1f 00 55 48 89 e5 41 57 41 56 41 55 41 54 53 48 83 e4 e0
RSP: 0018:ffffc90002f770e0 EFLAGS: 00010293
RAX: ffffffff81ef926b RBX: 0000000000000042 RCX: ffff8881152b53c0
RDX: 0000000000000000 RSI: 0000000000000042 RDI: 0000000000074fad
RBP: ffffc90002f77230 R08: ffffffff81ef8871 R09: ffffed1022876047
R10: ffffed1022876047 R11: 1ffff11022876046 R12: 0000000000074fad
R13: dffffc0000000000 R14: 0000000000074fa2 R15: 000000000000000b
FS: 00007f3d2f364700(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f3d2f365000 CR3: 000000010dadd000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
ext4_write_end+0x19f/0x870 fs/ext4/inode.c:1313
ext4_da_write_end+0x84/0x950 fs/ext4/inode.c:3063
generic_perform_write+0x401/0x5f0 mm/filemap.c:3764
ext4_buffered_write_iter+0x35f/0x640 fs/ext4/file.c:285
ext4_file_write_iter+0x198/0x1cd0
do_iter_write+0x6d1/0xc30 fs/read_write.c:861
vfs_iter_write+0x7c/0xa0 fs/read_write.c:902
iter_file_splice_write+0x810/0xfd0 fs/splice.c:686
do_splice_from fs/splice.c:764 [inline]
direct_splice_actor+0xfe/0x130 fs/splice.c:931
splice_direct_to_actor+0x4d4/0xbd0 fs/splice.c:886
do_splice_direct+0x2a0/0x3f0 fs/splice.c:974
do_sendfile+0x63b/0xfd0 fs/read_write.c:1255
__do_sys_sendfile64 fs/read_write.c:1323 [inline]
__se_sys_sendfile64 fs/read_write.c:1309 [inline]
__x64_sys_sendfile64+0x1ce/0x230 fs/read_write.c:1309
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x2f/0x50 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f3d2e68b639
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f3d2f364168 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
RAX: ffffffffffffffda RBX: 00007f3d2e7abf80 RCX: 00007f3d2e68b639
RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000003
RBP: 00007f3d2e6e67e1 R08: 0000000000000000 R09: 0000000000000000
R10: 0001000000201002 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffec8352f8f R14: 00007f3d2f364300 R15: 0000000000022000
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:ext4_write_inline_data fs/ext4/inline.c:227 [inline]
RIP: 0010:ext4_write_inline_data_end+0xdeb/0xdf0 fs/ext4/inline.c:768
Code: f7 e8 59 54 cb ff e9 1b fa ff ff e8 0f a7 ea 02 e8 8a 1a 85 ff 0f 0b e8 83 1a 85 ff 0f 0b e8 7c 1a 85 ff 0f 0b e8 75 1a 85 ff <0f> 0b 0f 1f 00 55 48 89 e5 41 57 41 56 41 55 41 54 53 48 83 e4 e0
RSP: 0018:ffffc90002f770e0 EFLAGS: 00010293
RAX: ffffffff81ef926b RBX: 0000000000000042 RCX: ffff8881152b53c0
RDX: 0000000000000000 RSI: 0000000000000042 RDI: 0000000000074fad
RBP: ffffc90002f77230 R08: ffffffff81ef8871 R09: ffffed1022876047
R10: ffffed1022876047 R11: 1ffff11022876046 R12: 0000000000074fad
R13: dffffc0000000000 R14: 0000000000074fa2 R15: 000000000000000b
FS: 00007f3d2f364700(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f3d2f365000 CR3: 000000010dadd000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Tested on:
commit: 094226ad Linux 6.1-rc5
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=118359c1880000
kernel config: https://syzkaller.appspot.com/x/.config?x=39486294e303b3ab
dashboard link: https://syzkaller.appspot.com/bug?extid=8234f4fea762dd893f3d
Jun Nie
Nov 15, 2022, 11:21:34 PM11/15/22
to syzkaller-a...@googlegroups.com, syzbot+8234f4...@syzkaller.appspotmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
f68f40638559
Bug is reproduced on 21175ca434c5. Let's try its previous commit,
which does not reproduce the bug in 1000s.
f68f40638559
Bug is reproduced on 21175ca434c5. Let's try its previous commit,
which does not reproduce the bug in 1000s.
syzbot
Nov 16, 2022, 3:00:21 AM11/16/22
to jun...@linaro.org, syzkaller-a...@googlegroups.com
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
ton } for pid=417 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=1136 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1
[ 19.442303][ T28] audit: type=1400 audit(1668585530.600:69): avc: denied { mount } for pid=417 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 19.464505][ T28] audit: type=1400 audit(1668585530.620:70): avc: denied { unmount } for pid=417 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 19.576443][ T417] cgroup: Unknown subsys name 'hugetlb'
[ 19.582019][ T417] cgroup: Unknown subsys name 'rlimit'
[ 19.705666][ T28] audit: type=1400 audit(1668585530.960:71): avc: denied { setattr } for pid=417 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=161 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 19.769929][ T420] bridge0: port 1(bridge_slave_0) entered blocking state
[ 19.777700][ T420] bridge0: port 1(bridge_slave_0) entered disabled state
[ 19.786548][ T420] device bridge_slave_0 entered promiscuous mode
[ 19.793891][ T420] bridge0: port 2(bridge_slave_1) entered blocking state
[ 19.801005][ T420] bridge0: port 2(bridge_slave_1) entered disabled state
[ 19.808431][ T420] device bridge_slave_1 entered promiscuous mode
[ 19.840543][ T420] bridge0: port 2(bridge_slave_1) entered blocking state
[ 19.847868][ T420] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 19.855241][ T420] bridge0: port 1(bridge_slave_0) entered blocking state
[ 19.862250][ T420] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 19.878644][ T5] bridge0: port 1(bridge_slave_0) entered disabled state
[ 19.886523][ T5] bridge0: port 2(bridge_slave_1) entered disabled state
[ 19.893732][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 19.901690][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 19.910951][ T418] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 19.919049][ T418] bridge0: port 1(bridge_slave_0) entered blocking state
[ 19.925993][ T418] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 19.935128][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 19.943133][ T5] bridge0: port 2(bridge_slave_1) entered blocking state
[ 19.950255][ T5] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 19.960560][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 19.969449][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 19.982691][ T420] device veth0_vlan entered promiscuous mode
[ 19.989168][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 19.997974][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 20.006014][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 20.013382][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 20.020834][ T1] ==================================================================
[ 20.028712][ T1] BUG: KASAN: use-after-free in attach_pid+0xf3/0x1f0
[ 20.035389][ T1] Read of size 8 at addr ffff888100155860 by task init/1
[ 20.042371][ T1]
[ 20.044503][ T1] CPU: 0 PID: 1 Comm: init Not tainted 5.12.0-rc4-syzkaller-00016-gf68f40638559 #0
[ 20.053630][ T1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 20.063517][ T1] Call Trace:
[ 20.066636][ T1] dump_stack+0x1bb/0x220
[ 20.070848][ T1] print_address_description+0x7a/0x3b0
[ 20.076189][ T1] kasan_report+0x19b/0x1e0
[ 20.080528][ T1] ? attach_pid+0xf3/0x1f0
[ 20.084777][ T1] ? attach_pid+0xf3/0x1f0
[ 20.089039][ T1] __asan_report_load8_noabort+0x14/0x20
[ 20.094496][ T1] attach_pid+0xf3/0x1f0
[ 20.099114][ T1] copy_process+0x1f3a/0x21d0
[ 20.103609][ T1] kernel_clone+0x1df/0x6a0
[ 20.107952][ T1] __do_sys_vfork+0x76/0xb0
[ 20.112378][ T1] do_syscall_64+0x34/0x70
[ 20.116628][ T1] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 20.122356][ T1] RIP: 0033:0x7fd804f232b8
[ 20.126615][ T1] Code: 00 00 e8 db 9f fb ff 48 89 e7 e8 43 3f 05 00 e9 ab fe ff ff 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 5f b8 3a 00 00 00 0f 05 <57> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 90 1b 0f 00 f7 d8 64 89 01 48
[ 20.146137][ T1] RSP: 002b:00007ffd668955f0 EFLAGS: 00000246 ORIG_RAX: 000000000000003a
[ 20.154381][ T1] RAX: ffffffffffffffda RBX: 000055e9e8d679f0 RCX: 00007fd804f232b8
[ 20.162289][ T1] RDX: 0000000000000008 RSI: 0000000000000000 RDI: 00007fd8050a6e18
[ 20.170099][ T1] RBP: 00007ffd66895670 R08: 0000000000000007 R09: 000055e9e8d68390
[ 20.178272][ T1] R10: 00007ffd66895630 R11: 0000000000000246 R12: 0000000000000000
[ 20.186149][ T1] R13: 0000000000000018 R14: 0000000000000000 R15: 0000000000000000
[ 20.194057][ T1]
[ 20.196221][ T1] Allocated by task 0:
[ 20.200216][ T1] __kasan_slab_alloc+0xa2/0xd0
[ 20.205159][ T1] slab_post_alloc_hook+0x3f/0x70
[ 20.210015][ T1] kmem_cache_alloc+0x139/0x230
[ 20.214706][ T1] alloc_pid+0x97/0xae0
[ 20.218702][ T1] copy_process+0xe6f/0x21d0
[ 20.223132][ T1] kernel_clone+0x1df/0x6a0
[ 20.227704][ T1] kernel_thread+0x109/0x150
[ 20.232727][ T1] rest_init+0x22/0xf0
[ 20.236647][ T1] arch_call_rest_init+0xe/0x10
[ 20.241939][ T1] start_kernel+0x45f/0x4d1
[ 20.246457][ T1] x86_64_start_reservations+0x2a/0x2c
[ 20.251752][ T1] x86_64_start_kernel+0x7a/0x7d
[ 20.256527][ T1] secondary_startup_64_no_verify+0xb0/0xbb
[ 20.262245][ T1]
[ 20.264415][ T1] Freed by task 417:
[ 20.268147][ T1] kasan_set_track+0x4c/0x80
[ 20.272592][ T1] kasan_set_free_info+0x23/0x40
[ 20.277353][ T1] ____kasan_slab_free+0x113/0x150
[ 20.282305][ T1] __kasan_slab_free+0xe/0x10
[ 20.286811][ T1] slab_free_freelist_hook+0xa7/0x170
[ 20.292023][ T1] kmem_cache_free+0x9a/0x190
[ 20.296529][ T1] put_pid+0xb3/0x120
[ 20.300512][ T1] proc_do_cad_pid+0x131/0x1d0
[ 20.305184][ T1] proc_sys_call_handler+0x492/0x640
[ 20.310300][ T1] proc_sys_write+0x22/0x30
[ 20.314626][ T1] vfs_write+0x466/0x560
[ 20.318883][ T1] ksys_write+0x155/0x260
[ 20.323175][ T1] __x64_sys_write+0x7b/0x90
[ 20.327644][ T1] do_syscall_64+0x34/0x70
[ 20.331894][ T1] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 20.337629][ T1]
[ 20.339798][ T1] The buggy address belongs to the object at ffff888100155840
[ 20.339798][ T1] which belongs to the cache pid of size 112
[ 20.353090][ T1] The buggy address is located 32 bytes inside of
[ 20.353090][ T1] 112-byte region [ffff888100155840, ffff8881001558b0)
[ 20.366373][ T1] The buggy address belongs to the page:
[ 20.371833][ T1] page:ffffea0004005540 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100155
[ 20.381902][ T1] flags: 0x4000000000000200(slab)
[ 20.386855][ T1] raw: 4000000000000200 dead000000000100 dead000000000122 ffff88810012bdc0
[ 20.395285][ T1] raw: 0000000000000000 0000000000150015 00000001ffffffff 0000000000000000
[ 20.403685][ T1] page dumped because: kasan: bad access detected
[ 20.409935][ T1] page_owner tracks the page as allocated
[ 20.415593][ T1] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x0(), pid 1, ts 1004486484
[ 20.425828][ T1] register_early_stack+0x41/0x80
[ 20.430865][ T1] init_page_owner+0x32/0x4f0
[ 20.435373][ T1] invoke_init_callbacks+0x63/0x6d
[ 20.440429][ T1] page_ext_init+0x316/0x333
[ 20.444854][ T1] page_owner free stack trace missing
[ 20.450178][ T1]
[ 20.452328][ T1] Memory state around the buggy address:
[ 20.458670][ T1] ffff888100155700: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 20.466566][ T1] ffff888100155780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc
[ 20.474667][ T1] >ffff888100155800: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 20.482547][ T1] ^
[ 20.489831][ T1] ffff888100155880: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
[ 20.497926][ T1] ffff888100155900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc
[ 20.505877][ T1] ==================================================================
[ 20.515471][ T1] Disabling lock debugging due to kernel taint
[ 20.525556][ T1] BUG: unable to handle page fault for address: ffffed122001bc17
[ 20.533230][ T418] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 20.533439][ T1] #PF: supervisor read access in kernel mode
[ 20.542751][ T420] device veth1_macvtap entered promiscuous mode
[ 20.547058][ T1] #PF: error_code(0x0000) - not-present page
[ 20.547071][ T1] PGD 23fff2067 P4D 23fff2067 PUD 0
[ 20.547091][ T1] Oops: 0000 [#1] PREEMPT SMP KASAN
[ 20.547105][ T1] CPU: 0 PID: 1 Comm: init Tainted: G B 5.12.0-rc4-syzkaller-00016-gf68f40638559 #0
[ 20.557814][ T418] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 20.558948][ T1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 20.558960][ T1] RIP: 0010:task_active_pid_ns+0x69/0xa0
[ 20.603540][ T1] Code: ad 5d 1d 00 48 8d 7b 04 48 89 f8 48 c1 e8 03 42 8a 04 30 84 c0 75 33 8b 43 04 48 c1 e0 04 48 8d 5c 03 68 48 89 d8 48 c1 e8 03 <42> 80 3c 30 00 74 08 48 89 df e8 78 9c 4f 00 48 8b 03 eb 07 e8 6e
[ 20.623240][ T1] RSP: 0018:ffffc90000017df0 EFLAGS: 00010a06
[ 20.629138][ T1] RAX: 1ffff1122001bc17 RBX: ffff8891000de0b8 RCX: ffffffff813d0aea
[ 20.636947][ T1] RDX: 0000000000000000 RSI: 0000000000000282 RDI: ffff888100155844
[ 20.645069][ T1] RBP: ffffc90000017e00 R08: ffffffff813d185e R09: ffffed102368b509
[ 20.652882][ T1] R10: ffffed102368b509 R11: 1ffff1102368b508 R12: 0000000000004100
[ 20.660789][ T1] R13: ffffc90000017eb8 R14: dffffc0000000000 R15: dffffc0000000000
[ 20.669068][ T1] FS: 00007fd804db9800(0000) GS:ffff8881f7200000(0000) knlGS:0000000000000000
[ 20.677807][ T1] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 20.684398][ T1] CR2: ffffed122001bc17 CR3: 0000000108596000 CR4: 00000000003506b0
[ 20.693393][ T1] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 20.701589][ T1] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 20.710006][ T1] Call Trace:
[ 20.713222][ T1] pid_vnr+0x1b/0x30
[ 20.716951][ T1] kernel_clone+0x226/0x6a0
[ 20.721391][ T1] __do_sys_vfork+0x76/0xb0
[ 20.725813][ T1] do_syscall_64+0x34/0x70
[ 20.730065][ T1] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 20.735791][ T1] RIP: 0033:0x7fd804f232b8
[ 20.740148][ T1] Code: 00 00 e8 db 9f fb ff 48 89 e7 e8 43 3f 05 00 e9 ab fe ff ff 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 5f b8 3a 00 00 00 0f 05 <57> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 90 1b 0f 00 f7 d8 64 89 01 48
[ 20.760186][ T1] RSP: 002b:00007ffd668955f0 EFLAGS: 00000246 ORIG_RAX: 000000000000003a
[ 20.768528][ T1] RAX: ffffffffffffffda RBX: 000055e9e8d679f0 RCX: 00007fd804f232b8
[ 20.776335][ T1] RDX: 0000000000000008 RSI: 0000000000000000 RDI: 00007fd8050a6e18
[ 20.784484][ T1] RBP: 00007ffd66895670 R08: 0000000000000007 R09: 000055e9e8d68390
[ 20.792296][ T1] R10: 00007ffd66895630 R11: 0000000000000246 R12: 0000000000000000
[ 20.800282][ T1] R13: 0000000000000018 R14: 0000000000000000 R15: 0000000000000000
[ 20.808395][ T1] Modules linked in:
[ 20.812108][ T1] CR2: ffffed122001bc17
[ 20.816197][ T1] ---[ end trace d9fe3c26ab088b67 ]---
[ 20.821486][ T1] RIP: 0010:task_active_pid_ns+0x69/0xa0
[ 20.827034][ T1] Code: ad 5d 1d 00 48 8d 7b 04 48 89 f8 48 c1 e8 03 42 8a 04 30 84 c0 75 33 8b 43 04 48 c1 e0 04 48 8d 5c 03 68 48 89 d8 48 c1 e8 03 <42> 80 3c 30 00 74 08 48 89 df e8 78 9c 4f 00 48 8b 03 eb 07 e8 6e
[ 20.847392][ T1] RSP: 0018:ffffc90000017df0 EFLAGS: 00010a06
[ 20.853817][ T1] RAX: 1ffff1122001bc17 RBX: ffff8891000de0b8 RCX: ffffffff813d0aea
[ 20.862196][ T1] RDX: 0000000000000000 RSI: 0000000000000282 RDI: ffff888100155844
[ 20.870333][ T1] RBP: ffffc90000017e00 R08: ffffffff813d185e R09: ffffed102368b509
[ 20.878353][ T1] R10: ffffed102368b509 R11: 1ffff1102368b508 R12: 0000000000004100
[ 20.886682][ T1] R13: ffffc90000017eb8 R14: dffffc0000000000 R15: dffffc0000000000
[ 20.895111][ T1] FS: 00007fd804db9800(0000) GS:ffff8881f7200000(0000) knlGS:0000000000000000
[ 20.903994][ T1] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 20.910585][ T1] CR2: ffffed122001bc17 CR3: 0000000108596000 CR4: 00000000003506b0
[ 20.918756][ T1] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 20.926734][ T1] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 20.934560][ T1] Kernel panic - not syncing: Fatal exception
[ 20.940640][ T1] Kernel Offset: disabled
[ 20.944721][ T1] Rebooting in 86400 seconds..
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build2990475542=/tmp/go-build -gno-record-gcc-switches"
git status (err=<nil>)
HEAD detached at 6feb842be
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=6feb842be06bf94e4751c499cd8b4659974c6f03 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20221107-095747'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=6feb842be06bf94e4751c499cd8b4659974c6f03 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20221107-095747'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-stress github.com/google/syzkaller/tools/syz-stress
Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=101519be880000
Tested on:
commit: f68f4063 ext4: add proc files to monitor new structures
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel config: https://syzkaller.appspot.com/x/.config?x=bae2abab5caecf71
syzbot tried to test the proposed patch but the build/boot failed:
ton } for pid=417 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=1136 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1
[ 19.442303][ T28] audit: type=1400 audit(1668585530.600:69): avc: denied { mount } for pid=417 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 19.464505][ T28] audit: type=1400 audit(1668585530.620:70): avc: denied { unmount } for pid=417 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 19.576443][ T417] cgroup: Unknown subsys name 'hugetlb'
[ 19.582019][ T417] cgroup: Unknown subsys name 'rlimit'
[ 19.705666][ T28] audit: type=1400 audit(1668585530.960:71): avc: denied { setattr } for pid=417 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=161 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 19.769929][ T420] bridge0: port 1(bridge_slave_0) entered blocking state
[ 19.777700][ T420] bridge0: port 1(bridge_slave_0) entered disabled state
[ 19.786548][ T420] device bridge_slave_0 entered promiscuous mode
[ 19.793891][ T420] bridge0: port 2(bridge_slave_1) entered blocking state
[ 19.801005][ T420] bridge0: port 2(bridge_slave_1) entered disabled state
[ 19.808431][ T420] device bridge_slave_1 entered promiscuous mode
[ 19.840543][ T420] bridge0: port 2(bridge_slave_1) entered blocking state
[ 19.847868][ T420] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 19.855241][ T420] bridge0: port 1(bridge_slave_0) entered blocking state
[ 19.862250][ T420] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 19.878644][ T5] bridge0: port 1(bridge_slave_0) entered disabled state
[ 19.886523][ T5] bridge0: port 2(bridge_slave_1) entered disabled state
[ 19.893732][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 19.901690][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 19.910951][ T418] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 19.919049][ T418] bridge0: port 1(bridge_slave_0) entered blocking state
[ 19.925993][ T418] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 19.935128][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 19.943133][ T5] bridge0: port 2(bridge_slave_1) entered blocking state
[ 19.950255][ T5] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 19.960560][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 19.969449][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 19.982691][ T420] device veth0_vlan entered promiscuous mode
[ 19.989168][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 19.997974][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 20.006014][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 20.013382][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 20.020834][ T1] ==================================================================
[ 20.028712][ T1] BUG: KASAN: use-after-free in attach_pid+0xf3/0x1f0
[ 20.035389][ T1] Read of size 8 at addr ffff888100155860 by task init/1
[ 20.042371][ T1]
[ 20.044503][ T1] CPU: 0 PID: 1 Comm: init Not tainted 5.12.0-rc4-syzkaller-00016-gf68f40638559 #0
[ 20.053630][ T1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 20.063517][ T1] Call Trace:
[ 20.066636][ T1] dump_stack+0x1bb/0x220
[ 20.070848][ T1] print_address_description+0x7a/0x3b0
[ 20.076189][ T1] kasan_report+0x19b/0x1e0
[ 20.080528][ T1] ? attach_pid+0xf3/0x1f0
[ 20.084777][ T1] ? attach_pid+0xf3/0x1f0
[ 20.089039][ T1] __asan_report_load8_noabort+0x14/0x20
[ 20.094496][ T1] attach_pid+0xf3/0x1f0
[ 20.099114][ T1] copy_process+0x1f3a/0x21d0
[ 20.103609][ T1] kernel_clone+0x1df/0x6a0
[ 20.107952][ T1] __do_sys_vfork+0x76/0xb0
[ 20.112378][ T1] do_syscall_64+0x34/0x70
[ 20.116628][ T1] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 20.122356][ T1] RIP: 0033:0x7fd804f232b8
[ 20.126615][ T1] Code: 00 00 e8 db 9f fb ff 48 89 e7 e8 43 3f 05 00 e9 ab fe ff ff 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 5f b8 3a 00 00 00 0f 05 <57> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 90 1b 0f 00 f7 d8 64 89 01 48
[ 20.146137][ T1] RSP: 002b:00007ffd668955f0 EFLAGS: 00000246 ORIG_RAX: 000000000000003a
[ 20.154381][ T1] RAX: ffffffffffffffda RBX: 000055e9e8d679f0 RCX: 00007fd804f232b8
[ 20.162289][ T1] RDX: 0000000000000008 RSI: 0000000000000000 RDI: 00007fd8050a6e18
[ 20.170099][ T1] RBP: 00007ffd66895670 R08: 0000000000000007 R09: 000055e9e8d68390
[ 20.178272][ T1] R10: 00007ffd66895630 R11: 0000000000000246 R12: 0000000000000000
[ 20.186149][ T1] R13: 0000000000000018 R14: 0000000000000000 R15: 0000000000000000
[ 20.194057][ T1]
[ 20.196221][ T1] Allocated by task 0:
[ 20.200216][ T1] __kasan_slab_alloc+0xa2/0xd0
[ 20.205159][ T1] slab_post_alloc_hook+0x3f/0x70
[ 20.210015][ T1] kmem_cache_alloc+0x139/0x230
[ 20.214706][ T1] alloc_pid+0x97/0xae0
[ 20.218702][ T1] copy_process+0xe6f/0x21d0
[ 20.223132][ T1] kernel_clone+0x1df/0x6a0
[ 20.227704][ T1] kernel_thread+0x109/0x150
[ 20.232727][ T1] rest_init+0x22/0xf0
[ 20.236647][ T1] arch_call_rest_init+0xe/0x10
[ 20.241939][ T1] start_kernel+0x45f/0x4d1
[ 20.246457][ T1] x86_64_start_reservations+0x2a/0x2c
[ 20.251752][ T1] x86_64_start_kernel+0x7a/0x7d
[ 20.256527][ T1] secondary_startup_64_no_verify+0xb0/0xbb
[ 20.262245][ T1]
[ 20.264415][ T1] Freed by task 417:
[ 20.268147][ T1] kasan_set_track+0x4c/0x80
[ 20.272592][ T1] kasan_set_free_info+0x23/0x40
[ 20.277353][ T1] ____kasan_slab_free+0x113/0x150
[ 20.282305][ T1] __kasan_slab_free+0xe/0x10
[ 20.286811][ T1] slab_free_freelist_hook+0xa7/0x170
[ 20.292023][ T1] kmem_cache_free+0x9a/0x190
[ 20.296529][ T1] put_pid+0xb3/0x120
[ 20.300512][ T1] proc_do_cad_pid+0x131/0x1d0
[ 20.305184][ T1] proc_sys_call_handler+0x492/0x640
[ 20.310300][ T1] proc_sys_write+0x22/0x30
[ 20.314626][ T1] vfs_write+0x466/0x560
[ 20.318883][ T1] ksys_write+0x155/0x260
[ 20.323175][ T1] __x64_sys_write+0x7b/0x90
[ 20.327644][ T1] do_syscall_64+0x34/0x70
[ 20.331894][ T1] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 20.337629][ T1]
[ 20.339798][ T1] The buggy address belongs to the object at ffff888100155840
[ 20.339798][ T1] which belongs to the cache pid of size 112
[ 20.353090][ T1] The buggy address is located 32 bytes inside of
[ 20.353090][ T1] 112-byte region [ffff888100155840, ffff8881001558b0)
[ 20.366373][ T1] The buggy address belongs to the page:
[ 20.371833][ T1] page:ffffea0004005540 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100155
[ 20.381902][ T1] flags: 0x4000000000000200(slab)
[ 20.386855][ T1] raw: 4000000000000200 dead000000000100 dead000000000122 ffff88810012bdc0
[ 20.395285][ T1] raw: 0000000000000000 0000000000150015 00000001ffffffff 0000000000000000
[ 20.403685][ T1] page dumped because: kasan: bad access detected
[ 20.409935][ T1] page_owner tracks the page as allocated
[ 20.415593][ T1] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x0(), pid 1, ts 1004486484
[ 20.425828][ T1] register_early_stack+0x41/0x80
[ 20.430865][ T1] init_page_owner+0x32/0x4f0
[ 20.435373][ T1] invoke_init_callbacks+0x63/0x6d
[ 20.440429][ T1] page_ext_init+0x316/0x333
[ 20.444854][ T1] page_owner free stack trace missing
[ 20.450178][ T1]
[ 20.452328][ T1] Memory state around the buggy address:
[ 20.458670][ T1] ffff888100155700: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 20.466566][ T1] ffff888100155780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc
[ 20.474667][ T1] >ffff888100155800: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 20.482547][ T1] ^
[ 20.489831][ T1] ffff888100155880: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
[ 20.497926][ T1] ffff888100155900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc
[ 20.505877][ T1] ==================================================================
[ 20.515471][ T1] Disabling lock debugging due to kernel taint
[ 20.525556][ T1] BUG: unable to handle page fault for address: ffffed122001bc17
[ 20.533230][ T418] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 20.533439][ T1] #PF: supervisor read access in kernel mode
[ 20.542751][ T420] device veth1_macvtap entered promiscuous mode
[ 20.547058][ T1] #PF: error_code(0x0000) - not-present page
[ 20.547071][ T1] PGD 23fff2067 P4D 23fff2067 PUD 0
[ 20.547091][ T1] Oops: 0000 [#1] PREEMPT SMP KASAN
[ 20.547105][ T1] CPU: 0 PID: 1 Comm: init Tainted: G B 5.12.0-rc4-syzkaller-00016-gf68f40638559 #0
[ 20.557814][ T418] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 20.558948][ T1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 20.558960][ T1] RIP: 0010:task_active_pid_ns+0x69/0xa0
[ 20.603540][ T1] Code: ad 5d 1d 00 48 8d 7b 04 48 89 f8 48 c1 e8 03 42 8a 04 30 84 c0 75 33 8b 43 04 48 c1 e0 04 48 8d 5c 03 68 48 89 d8 48 c1 e8 03 <42> 80 3c 30 00 74 08 48 89 df e8 78 9c 4f 00 48 8b 03 eb 07 e8 6e
[ 20.623240][ T1] RSP: 0018:ffffc90000017df0 EFLAGS: 00010a06
[ 20.629138][ T1] RAX: 1ffff1122001bc17 RBX: ffff8891000de0b8 RCX: ffffffff813d0aea
[ 20.636947][ T1] RDX: 0000000000000000 RSI: 0000000000000282 RDI: ffff888100155844
[ 20.645069][ T1] RBP: ffffc90000017e00 R08: ffffffff813d185e R09: ffffed102368b509
[ 20.652882][ T1] R10: ffffed102368b509 R11: 1ffff1102368b508 R12: 0000000000004100
[ 20.660789][ T1] R13: ffffc90000017eb8 R14: dffffc0000000000 R15: dffffc0000000000
[ 20.669068][ T1] FS: 00007fd804db9800(0000) GS:ffff8881f7200000(0000) knlGS:0000000000000000
[ 20.677807][ T1] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 20.684398][ T1] CR2: ffffed122001bc17 CR3: 0000000108596000 CR4: 00000000003506b0
[ 20.693393][ T1] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 20.701589][ T1] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 20.710006][ T1] Call Trace:
[ 20.713222][ T1] pid_vnr+0x1b/0x30
[ 20.716951][ T1] kernel_clone+0x226/0x6a0
[ 20.721391][ T1] __do_sys_vfork+0x76/0xb0
[ 20.725813][ T1] do_syscall_64+0x34/0x70
[ 20.730065][ T1] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 20.735791][ T1] RIP: 0033:0x7fd804f232b8
[ 20.740148][ T1] Code: 00 00 e8 db 9f fb ff 48 89 e7 e8 43 3f 05 00 e9 ab fe ff ff 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 5f b8 3a 00 00 00 0f 05 <57> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 90 1b 0f 00 f7 d8 64 89 01 48
[ 20.760186][ T1] RSP: 002b:00007ffd668955f0 EFLAGS: 00000246 ORIG_RAX: 000000000000003a
[ 20.768528][ T1] RAX: ffffffffffffffda RBX: 000055e9e8d679f0 RCX: 00007fd804f232b8
[ 20.776335][ T1] RDX: 0000000000000008 RSI: 0000000000000000 RDI: 00007fd8050a6e18
[ 20.784484][ T1] RBP: 00007ffd66895670 R08: 0000000000000007 R09: 000055e9e8d68390
[ 20.792296][ T1] R10: 00007ffd66895630 R11: 0000000000000246 R12: 0000000000000000
[ 20.800282][ T1] R13: 0000000000000018 R14: 0000000000000000 R15: 0000000000000000
[ 20.808395][ T1] Modules linked in:
[ 20.812108][ T1] CR2: ffffed122001bc17
[ 20.816197][ T1] ---[ end trace d9fe3c26ab088b67 ]---
[ 20.821486][ T1] RIP: 0010:task_active_pid_ns+0x69/0xa0
[ 20.827034][ T1] Code: ad 5d 1d 00 48 8d 7b 04 48 89 f8 48 c1 e8 03 42 8a 04 30 84 c0 75 33 8b 43 04 48 c1 e0 04 48 8d 5c 03 68 48 89 d8 48 c1 e8 03 <42> 80 3c 30 00 74 08 48 89 df e8 78 9c 4f 00 48 8b 03 eb 07 e8 6e
[ 20.847392][ T1] RSP: 0018:ffffc90000017df0 EFLAGS: 00010a06
[ 20.853817][ T1] RAX: 1ffff1122001bc17 RBX: ffff8891000de0b8 RCX: ffffffff813d0aea
[ 20.862196][ T1] RDX: 0000000000000000 RSI: 0000000000000282 RDI: ffff888100155844
[ 20.870333][ T1] RBP: ffffc90000017e00 R08: ffffffff813d185e R09: ffffed102368b509
[ 20.878353][ T1] R10: ffffed102368b509 R11: 1ffff1102368b508 R12: 0000000000004100
[ 20.886682][ T1] R13: ffffc90000017eb8 R14: dffffc0000000000 R15: dffffc0000000000
[ 20.895111][ T1] FS: 00007fd804db9800(0000) GS:ffff8881f7200000(0000) knlGS:0000000000000000
[ 20.903994][ T1] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 20.910585][ T1] CR2: ffffed122001bc17 CR3: 0000000108596000 CR4: 00000000003506b0
[ 20.918756][ T1] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 20.926734][ T1] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 20.934560][ T1] Kernel panic - not syncing: Fatal exception
[ 20.940640][ T1] Kernel Offset: disabled
[ 20.944721][ T1] Rebooting in 86400 seconds..
git status (err=<nil>)
nothing to commit, working tree clean
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:32: run command via tools/syz-env for best compatibility, see:
Makefile:33: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=6feb842be06bf94e4751c499cd8b4659974c6f03 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20221107-095747'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-fuzzer github.com/google/syzkaller/syz-fuzzer
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:32: run command via tools/syz-env for best compatibility, see:
Makefile:33: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=6feb842be06bf94e4751c499cd8b4659974c6f03 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20221107-095747'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=6feb842be06bf94e4751c499cd8b4659974c6f03 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20221107-095747'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-stress github.com/google/syzkaller/tools/syz-stress
mkdir -p ./bin/linux_amd64
gcc -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -static-pie -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"6feb842be06bf94e4751c499cd8b4659974c6f03\"
gcc -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -static-pie -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
Error text is too large and was truncated, full error text is at:
Tested on:
commit: f68f4063 ext4: add proc files to monitor new structures
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel config: https://syzkaller.appspot.com/x/.config?x=bae2abab5caecf71
Jun Nie
Nov 17, 2022, 2:14:04 AM11/17/22
to syzkaller-a...@googlegroups.com, syzbot+8234f4...@syzkaller.appspotmail.com
#syz test: https://android.googlesource.com/kernel/common android13-5.15-lts
syzbot
Nov 17, 2022, 2:43:17 AM11/17/22
to jun...@linaro.org, syzkaller-a...@googlegroups.com
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: syzbot+8234f4...@syzkaller.appspotmail.com
Tested on:
commit: 4ec71a9e ANDROID: cpu/hotplug: call perf event through..
git tree: android13-5.15-lts
console output: https://syzkaller.appspot.com/x/log.txt?x=125cadcd880000
kernel config: https://syzkaller.appspot.com/x/.config?x=83a7349dd162b9f8
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Tested on:
commit: 4ec71a9e ANDROID: cpu/hotplug: call perf event through..
git tree: android13-5.15-lts
console output: https://syzkaller.appspot.com/x/log.txt?x=125cadcd880000
kernel config: https://syzkaller.appspot.com/x/.config?x=83a7349dd162b9f8
dashboard link: https://syzkaller.appspot.com/bug?extid=8234f4fea762dd893f3d
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=12275311880000
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
Jun Nie
Nov 18, 2022, 12:33:52 AM11/18/22
to syzkaller-a...@googlegroups.com, syzbot+8234f4...@syzkaller.appspotmail.com
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -1303,7 +1303,7 @@ static int ext4_write_end(struct file *file,
trace_android_fs_datawrite_end(inode, pos, len);
trace_ext4_write_end(inode, pos, len, copied);
- if (ext4_has_inline_data(inode))
+ if (ext4_test_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA))
return ext4_write_inline_data_end(inode, pos, len,
copied, page);
copied = block_write_end(file, mapping, pos, len, copied, page, fsdata);
+++ b/fs/ext4/inode.c
@@ -1303,7 +1303,7 @@ static int ext4_write_end(struct file *file,
trace_android_fs_datawrite_end(inode, pos, len);
trace_ext4_write_end(inode, pos, len, copied);
- if (ext4_has_inline_data(inode))
+ if (ext4_test_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA))
return ext4_write_inline_data_end(inode, pos, len,
copied, page);
copied = block_write_end(file, mapping, pos, len, copied, page, fsdata);
syzbot
Nov 18, 2022, 12:35:23 AM11/18/22
to jun...@linaro.org, syzkaller-a...@googlegroups.com
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
failed to apply patch:
syzbot tried to test the proposed patch but the build/boot failed:
checking file fs/ext4/inode.c
patch: **** unexpected end of file in patch
Tested on:
commit: 4ec71a9e ANDROID: cpu/hotplug: call perf event through..
git tree: android13-5.15-lts
syzbot
Nov 18, 2022, 12:55:15 AM11/18/22
to jun...@linaro.org, syzkaller-a...@googlegroups.com
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: syzbot+8234f4...@syzkaller.appspotmail.com
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: syzbot+8234f4...@syzkaller.appspotmail.com
Tested on:
commit: 4ec71a9e ANDROID: cpu/hotplug: call perf event through..
git tree: android13-5.15-lts
console output: https://syzkaller.appspot.com/x/log.txt?x=126d85e9880000
commit: 4ec71a9e ANDROID: cpu/hotplug: call perf event through..
git tree: android13-5.15-lts
kernel config: https://syzkaller.appspot.com/x/.config?x=83a7349dd162b9f8
dashboard link: https://syzkaller.appspot.com/bug?extid=8234f4fea762dd893f3d
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=12ae6601880000
Jun Nie
Nov 24, 2022, 9:56:31 PM11/24/22
to syzbot+e00d13...@syzkaller.appspotmail.com, syzkaller-a...@googlegroups.com
syzbot
Nov 25, 2022, 6:16:15 AM11/25/22
to jun...@linaro.org, syzkaller-a...@googlegroups.com
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: syzbot+e00d13...@syzkaller.appspotmail.com
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Tested on:
commit: 41217963 Linux 5.10.155
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git linux-5.10.y
console output: https://syzkaller.appspot.com/x/log.txt?x=161c5b2d880000
kernel config: https://syzkaller.appspot.com/x/.config?x=1a6942be09d51fc1
dashboard link: https://syzkaller.appspot.com/bug?extid=e00d1302e217068ee641
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
Note: no patches were applied.
Jun Nie
Nov 25, 2022, 10:01:05 PM11/25/22
to syzbot+e00d13...@syzkaller.appspotmail.com, syzkaller-a...@googlegroups.com
syzbot
Nov 26, 2022, 12:25:14 AM11/26/22
to jun...@linaro.org, syzkaller-a...@googlegroups.com
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
3960
syzbot tried to test the proposed patch but the build/boot failed:
process_one_work+0x3d5/0x640 kernel/workqueue.c:2270
worker_thread+0x723/0xa60 kernel/workqueue.c:2416
kthread+0x365/0x400 kernel/kthread.c:313
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296
================================================================================
================================================================================
UBSAN: object-size-mismatch in ./include/linux/skbuff.h:1909:2
member access within address 00000000b61512cb with insufficient space
for an object of type 'struct sk_buff'
CPU: 0 PID: 73 Comm: kworker/0:1 Not tainted 5.10.80-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Workqueue: ipv6_addrconf addrconf_dad_work
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x19c/0x1e2 lib/dump_stack.c:118
ubsan_epilogue lib/ubsan.c:148 [inline]
handle_object_size_mismatch lib/ubsan.c:297 [inline]
ubsan_type_mismatch_common+0x1ed/0x3a0 lib/ubsan.c:310
__ubsan_handle_type_mismatch_v1+0x4b/0x60 lib/ubsan.c:339
__skb_insert include/linux/skbuff.h:1909 [inline]
__skb_queue_before include/linux/skbuff.h:2016 [inline]
__skb_queue_tail include/linux/skbuff.h:2049 [inline]
wg_xmit+0x4ff/0xa60 drivers/net/wireguard/device.c:182
__netdev_start_xmit include/linux/netdevice.h:4776 [inline]
netdev_start_xmit+0x8a/0x160 include/linux/netdevice.h:4790
xmit_one net/core/dev.c:3584 [inline]
dev_hard_start_xmit+0x18d/0x2f0 net/core/dev.c:3600
__dev_queue_xmit+0xea9/0x18d0 net/core/dev.c:4163
dev_queue_xmit+0x17/0x20 net/core/dev.c:4196
neigh_connected_output+0x288/0x2b0 net/core/neighbour.c:1532
neigh_output include/net/neighbour.h:516 [inline]
ip6_finish_output2+0xdb0/0x12e0 net/ipv6/ip6_output.c:145
__ip6_finish_output+0x3e6/0x530 net/ipv6/ip6_output.c:210
ip6_finish_output+0x20b/0x220 net/ipv6/ip6_output.c:220
NF_HOOK_COND include/linux/netfilter.h:290 [inline]
ip6_output+0x18c/0x3f0 net/ipv6/ip6_output.c:243
dst_output include/net/dst.h:443 [inline]
NF_HOOK+0x88/0x210 include/linux/netfilter.h:301
ndisc_send_skb+0x653/0x9f0 net/ipv6/ndisc.c:508
ndisc_send_rs+0x26c/0x360 net/ipv6/ndisc.c:702
addrconf_dad_completed+0x493/0x970 net/ipv6/addrconf.c:4195
addrconf_dad_work+0x9d0/0x12d0 net/ipv6/addrconf.c:3960
process_one_work+0x3d5/0x640 kernel/workqueue.c:2270
worker_thread+0x723/0xa60 kernel/workqueue.c:2416
kthread+0x365/0x400 kernel/kthread.c:313
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296
================================================================================
forked to background, child pid 208
no interfaces have a carrier
Starting sshd: OK
syzkaller
syzkaller login: [ 14.692924][ T22] kauditd_printk_skb: 60 callbacks suppressed
[ 14.692935][ T22] audit: type=1400 audit(1669440265.020:71): avc: denied { transition } for pid=301 comm="sshd" path="/bin/sh" dev="sda1" ino=73 scontext=system_u:system_r:initrc_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[ 14.698382][ T22] audit: type=1400 audit(1669440265.020:72): avc: denied { write } for pid=301 comm="sh" path="pipe:[11219]" dev="pipefs" ino=11219 scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:initrc_t tclass=fifo_file permissive=1
Warning: Permanently added '10.128.10.7' (ECDSA) to the list of known hosts.
2022/11/26 05:24:31 fuzzer started
2022/11/26 05:24:31 connecting to host at 10.128.0.163:46237
2022/11/26 05:24:31 checking machine...
2022/11/26 05:24:31 checking revisions...
2022/11/26 05:24:31 testing simple program...
[ 21.315862][ T22] audit: type=1400 audit(1669440271.640:73): avc: denied { integrity } for pid=373 comm="syz-fuzzer" lockdown_reason="debugfs access" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=lockdown permissive=1
[ 21.332281][ T382] cgroup: Unknown subsys name 'net'
[ 21.338883][ T22] audit: type=1400 audit(1669440271.640:74): avc: denied { getattr } for pid=373 comm="syz-fuzzer" path="user:[4026531837]" dev="nsfs" ino=4026531837 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1
[ 21.367286][ T22] audit: type=1400 audit(1669440271.640:75): avc: denied { read } for pid=373 comm="syz-fuzzer" dev="nsfs" ino=4026531837 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1
[ 21.367424][ T382] cgroup: Unknown subsys name 'devices'
[ 21.388449][ T22] audit: type=1400 audit(1669440271.640:76): avc: denied { open } for pid=373 comm="syz-fuzzer" path="user:[4026531837]" dev="nsfs" ino=4026531837 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1
[ 21.417430][ T22] audit: type=1400 audit(1669440271.640:77): avc: denied { read } for pid=373 comm="syz-fuzzer" name="raw-gadget" dev="devtmpfs" ino=165 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 21.440248][ T22] audit: type=1400 audit(1669440271.640:78): avc: denied { open } for pid=373 comm="syz-fuzzer" path="/dev/raw-gadget" dev="devtmpfs" ino=165 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 21.463557][ T22] audit: type=1400 audit(1669440271.640:79): avc: denied { mounton } for pid=382 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=1136 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1
[ 21.486331][ T22] audit: type=1400 audit(1669440271.640:80): avc: denied { mount } for pid=382 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 21.508479][ T22] audit: type=1400 audit(1669440271.680:81): avc: denied { unmount } for pid=382 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 21.592884][ T382] cgroup: Unknown subsys name 'hugetlb'
[ 21.598733][ T382] cgroup: Unknown subsys name 'rlimit'
[ 21.722360][ T22] audit: type=1400 audit(1669440272.050:82): avc: denied { setattr } for pid=382 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=165 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 21.779458][ T385] bridge0: port 1(bridge_slave_0) entered blocking state
[ 21.786819][ T385] bridge0: port 1(bridge_slave_0) entered disabled state
[ 21.794330][ T385] device bridge_slave_0 entered promiscuous mode
[ 21.801037][ T385] bridge0: port 2(bridge_slave_1) entered blocking state
[ 21.808337][ T385] bridge0: port 2(bridge_slave_1) entered disabled state
[ 21.815704][ T385] device bridge_slave_1 entered promiscuous mode
[ 21.845057][ T385] bridge0: port 2(bridge_slave_1) entered blocking state
[ 21.852267][ T385] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 21.859520][ T385] bridge0: port 1(bridge_slave_0) entered blocking state
[ 21.866755][ T385] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 21.884042][ T18] bridge0: port 1(bridge_slave_0) entered disabled state
[ 21.891455][ T18] bridge0: port 2(bridge_slave_1) entered disabled state
[ 21.898636][ T18] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 21.906539][ T18] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 21.922407][ T383] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 21.930571][ T383] bridge0: port 1(bridge_slave_0) entered blocking state
[ 21.937599][ T383] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 21.945201][ T383] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 21.954259][ T383] bridge0: port 2(bridge_slave_1) entered blocking state
[ 21.961436][ T383] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 21.968976][ T383] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 21.977183][ T383] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 21.989229][ T73] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 22.007232][ T73] ================================================================================
[ 22.016541][ T73] UBSAN: object-size-mismatch in ./include/linux/skbuff.h:2016:28
[ 22.024348][ T73] member access within address 00000000b61512cb with insufficient space
[ 22.032660][ T73] for an object of type 'struct sk_buff'
[ 22.038304][ T73] CPU: 0 PID: 73 Comm: kworker/0:1 Not tainted 5.10.80-syzkaller #0
[ 22.046285][ T73] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 22.056481][ T73] Workqueue: ipv6_addrconf addrconf_dad_work
[ 22.062532][ T73] Call Trace:
[ 22.065803][ T73] dump_stack+0x19c/0x1e2
[ 22.070120][ T73] ubsan_type_mismatch_common+0x1ed/0x3a0
[ 22.075816][ T73] __ubsan_handle_type_mismatch_v1+0x4b/0x60
[ 22.081778][ T73] wg_xmit+0x49c/0xa60
[ 22.085849][ T73] netdev_start_xmit+0x8a/0x160
[ 22.090678][ T73] dev_hard_start_xmit+0x18d/0x2f0
[ 22.095766][ T73] __dev_queue_xmit+0xea9/0x18d0
[ 22.100687][ T73] dev_queue_xmit+0x17/0x20
[ 22.105182][ T73] neigh_connected_output+0x288/0x2b0
[ 22.110549][ T73] ip6_finish_output2+0xdb0/0x12e0
[ 22.115647][ T73] ? ip6_mtu+0xf1/0x140
[ 22.119786][ T73] __ip6_finish_output+0x3e6/0x530
[ 22.124877][ T73] ip6_finish_output+0x20b/0x220
[ 22.131703][ T73] ? ip6_output+0x175/0x3f0
[ 22.136196][ T73] ip6_output+0x18c/0x3f0
[ 22.140615][ T73] ? ip6_dst_idev+0x40/0x40
[ 22.145098][ T73] NF_HOOK+0x88/0x210
[ 22.149057][ T73] ? NF_HOOK+0x210/0x210
[ 22.153276][ T73] ndisc_send_skb+0x653/0x9f0
[ 22.158047][ T73] ndisc_send_rs+0x26c/0x360
[ 22.162619][ T73] addrconf_dad_completed+0x493/0x970
[ 22.168151][ T73] addrconf_dad_work+0x9d0/0x12d0
[ 22.173168][ T73] process_one_work+0x3d5/0x640
[ 22.178019][ T73] worker_thread+0x723/0xa60
[ 22.182587][ T73] ? _raw_spin_lock_irqsave+0xa2/0x220
[ 22.188020][ T73] kthread+0x365/0x400
[ 22.192059][ T73] ? pr_cont_work+0x110/0x110
[ 22.196715][ T73] ? __list_add+0xc0/0xc0
[ 22.201034][ T73] ret_from_fork+0x1f/0x30
[ 22.205478][ T73] ================================================================================
[ 22.214771][ T73] ================================================================================
[ 22.224164][ T73] UBSAN: object-size-mismatch in ./include/linux/skbuff.h:1909:2
[ 22.231894][ T73] member access within address 00000000b61512cb with insufficient space
[ 22.240287][ T73] for an object of type 'struct sk_buff'
[ 22.245938][ T73] CPU: 0 PID: 73 Comm: kworker/0:1 Not tainted 5.10.80-syzkaller #0
[ 22.253984][ T73] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 22.264212][ T73] Workqueue: ipv6_addrconf addrconf_dad_work
[ 22.270259][ T73] Call Trace:
[ 22.273543][ T73] dump_stack+0x19c/0x1e2
[ 22.277865][ T73] ubsan_type_mismatch_common+0x1ed/0x3a0
[ 22.283577][ T73] __ubsan_handle_type_mismatch_v1+0x4b/0x60
[ 22.289538][ T73] wg_xmit+0x4ff/0xa60
[ 22.293581][ T73] netdev_start_xmit+0x8a/0x160
[ 22.298424][ T73] dev_hard_start_xmit+0x18d/0x2f0
[ 22.303510][ T73] __dev_queue_xmit+0xea9/0x18d0
[ 22.308417][ T73] dev_queue_xmit+0x17/0x20
[ 22.312892][ T73] neigh_connected_output+0x288/0x2b0
[ 22.318246][ T73] ip6_finish_output2+0xdb0/0x12e0
[ 22.323341][ T73] ? ip6_mtu+0xf1/0x140
[ 22.327482][ T73] __ip6_finish_output+0x3e6/0x530
[ 22.332740][ T73] ip6_finish_output+0x20b/0x220
[ 22.337654][ T73] ? ip6_output+0x175/0x3f0
[ 22.342135][ T73] ip6_output+0x18c/0x3f0
[ 22.346440][ T73] ? ip6_dst_idev+0x40/0x40
[ 22.350911][ T73] NF_HOOK+0x88/0x210
[ 22.354858][ T73] ? NF_HOOK+0x210/0x210
[ 22.359066][ T73] ndisc_send_skb+0x653/0x9f0
[ 22.363711][ T73] ndisc_send_rs+0x26c/0x360
[ 22.368268][ T73] addrconf_dad_completed+0x493/0x970
[ 22.373703][ T73] addrconf_dad_work+0x9d0/0x12d0
[ 22.378696][ T73] process_one_work+0x3d5/0x640
[ 22.383536][ T73] worker_thread+0x723/0xa60
[ 22.388103][ T73] ? _raw_spin_lock_irqsave+0xa2/0x220
[ 22.393529][ T73] kthread+0x365/0x400
[ 22.397912][ T73] ? pr_cont_work+0x110/0x110
[ 22.402562][ T73] ? __list_add+0xc0/0xc0
[ 22.406861][ T73] ret_from_fork+0x1f/0x30
[ 22.411277][ T73] ================================================================================
[ 22.421030][ T107] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 22.429866][ T107] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 22.438376][ T107] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
2022/11/26 05:24:32 building call list...
[ 22.446238][ T107] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 22.461686][ T385] cgroup: cgroup: disabling cgroup2 socket matching due to net_prio or net_cls activation
[ 23.011401][ T98] device bridge_slave_1 left promiscuous mode
[ 23.021239][ T98] bridge0: port 2(bridge_slave_1) entered disabled state
[ 23.028753][ T98] device bridge_slave_0 left promiscuous mode
[ 23.035341][ T98] bridge0: port 1(bridge_slave_0) entered disabled state
git status (err=<nil>)
nothing to commit, working tree clean
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:32: run command via tools/syz-env for best compatibility, see:
Makefile:33: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=c0b80a55c9c8cfe75e77c555ed0d4ae7aa373cc2 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20221021-135310'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-fuzzer github.com/google/syzkaller/syz-fuzzer
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:32: run command via tools/syz-env for best compatibility, see:
Makefile:33: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=c0b80a55c9c8cfe75e77c555ed0d4ae7aa373cc2 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20221021-135310'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=c0b80a55c9c8cfe75e77c555ed0d4ae7aa373cc2 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20221021-135310'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-stress github.com/google/syzkaller/tools/syz-stress
mkdir -p ./bin/linux_amd64
gcc -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -static-pie -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"c0b80a55c9c8cfe75e77c555ed0d4ae7aa373cc2\"
gcc -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -static-pie -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
Error text is too large and was truncated, full error text is at:
Tested on:
commit: f884bb85 Linux 5.10.80
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
kernel config: https://syzkaller.appspot.com/x/.config?x=6f24ece4fd5daee2
Jun Nie
Nov 26, 2022, 8:11:04 AM11/26/22
to syzbot+e00d13...@syzkaller.appspotmail.com, syzkaller-a...@googlegroups.com
syzbot
Nov 26, 2022, 10:08:23 AM11/26/22
to jun...@linaro.org, syzkaller-a...@googlegroups.com
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
493/0x970
syzbot tried to test the proposed patch but the build/boot failed:
[ 21.272139][ T23] addrconf_dad_work+0x9d0/0x12d0
[ 21.277152][ T23] process_one_work+0x3d5/0x640
[ 21.281977][ T23] worker_thread+0x723/0xa60
[ 21.286542][ T23] ? _raw_spin_lock_irqsave+0xa2/0x220
[ 21.292071][ T23] kthread+0x365/0x400
[ 21.296120][ T23] ? pr_cont_work+0x110/0x110
[ 21.300791][ T23] ? __list_add+0xc0/0xc0
[ 21.305191][ T23] ret_from_fork+0x1f/0x30
[ 21.309612][ T23] ================================================================================
[ 21.318910][ T23] ================================================================================
[ 21.328310][ T23] UBSAN: object-size-mismatch in ./include/linux/skbuff.h:1909:2
[ 21.336120][ T23] member access within address 000000001b8e33dc with insufficient space
[ 21.344464][ T23] for an object of type 'struct sk_buff'
[ 21.350094][ T23] CPU: 1 PID: 23 Comm: kworker/1:1 Not tainted 5.10.10-syzkaller-00198-g11167454e9cb #0
[ 21.359777][ T23] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 21.369917][ T23] Workqueue: ipv6_addrconf addrconf_dad_work
[ 21.376013][ T23] Call Trace:
[ 21.379301][ T23] dump_stack+0x19c/0x1e2
[ 21.383618][ T23] ubsan_type_mismatch_common+0x1ed/0x3a0
[ 21.389394][ T23] __ubsan_handle_type_mismatch_v1+0x4b/0x60
[ 21.395530][ T23] wg_xmit+0x48f/0xa60
[ 21.399582][ T23] ? __sanitizer_cov_trace_switch+0x64/0x80
[ 21.405627][ T23] netdev_start_xmit+0x8a/0x160
[ 21.410533][ T23] dev_hard_start_xmit+0x18d/0x2f0
[ 21.415749][ T23] __dev_queue_xmit+0xf16/0x1920
[ 21.420870][ T23] ? __kasan_check_write+0x14/0x20
[ 21.425969][ T23] dev_queue_xmit+0x17/0x20
[ 21.430471][ T23] neigh_connected_output+0x288/0x2b0
[ 21.435830][ T23] ip6_finish_output2+0xc34/0x1020
[ 21.440917][ T23] ? ip6_mtu+0xf1/0x140
[ 21.445050][ T23] __ip6_finish_output+0x3e6/0x530
[ 21.450341][ T23] ip6_finish_output+0x20b/0x220
[ 21.455260][ T23] ? ip6_output+0x175/0x3f0
[ 21.459738][ T23] ip6_output+0x18c/0x3f0
[ 21.464038][ T23] ? ip6_dst_idev+0x40/0x40
[ 21.468513][ T23] NF_HOOK+0x88/0x210
[ 21.472462][ T23] ? NF_HOOK+0x210/0x210
[ 21.476690][ T23] ndisc_send_skb+0x653/0x9f0
[ 21.481429][ T23] ndisc_send_rs+0x26c/0x360
[ 21.485989][ T23] addrconf_dad_completed+0x493/0x970
[ 21.491422][ T23] addrconf_dad_work+0x9d0/0x12d0
[ 21.496535][ T23] process_one_work+0x3d5/0x640
[ 21.501373][ T23] worker_thread+0x723/0xa60
[ 21.505942][ T23] ? _raw_spin_lock_irqsave+0xa2/0x220
[ 21.511462][ T23] kthread+0x365/0x400
[ 21.515534][ T23] ? pr_cont_work+0x110/0x110
[ 21.520213][ T23] ? __list_add+0xc0/0xc0
[ 21.524625][ T23] ret_from_fork+0x1f/0x30
[ 21.529532][ T23] ================================================================================
2022/11/26 15:07:10 building call list...
[ 21.545942][ T373] cgroup: cgroup: disabling cgroup2 socket matching due to net_prio or net_cls activation
[ 21.627753][ T373] ==================================================================
[ 21.635874][ T373] BUG: KASAN: use-after-free in task_active_pid_ns+0x9a/0xa0
[ 21.643396][ T373] Read of size 4 at addr ffff888100156f04 by task syz-executor.0/373
[ 21.651431][ T373]
[ 21.653758][ T373] CPU: 1 PID: 373 Comm: syz-executor.0 Not tainted 5.10.10-syzkaller-00198-g11167454e9cb #0
[ 21.663887][ T373] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 21.674006][ T373] Call Trace:
[ 21.677362][ T373] dump_stack+0x19c/0x1e2
[ 21.681719][ T373] print_address_description+0x7e/0x6a0
[ 21.687343][ T373] ? printk+0x76/0x96
[ 21.691325][ T373] kasan_report+0x16f/0x210
[ 21.695806][ T373] ? task_active_pid_ns+0x9a/0xa0
[ 21.700912][ T373] ? task_active_pid_ns+0x9a/0xa0
[ 21.706260][ T373] __asan_report_load4_noabort+0x14/0x20
[ 21.711869][ T373] task_active_pid_ns+0x9a/0xa0
[ 21.717325][ T373] do_notify_parent+0x2c7/0xa70
[ 21.722249][ T373] ? __kasan_check_write+0x14/0x20
[ 21.727518][ T373] do_exit+0x1a52/0x2190
[ 21.731736][ T373] do_group_exit+0x13f/0x310
[ 21.736302][ T373] get_signal+0xbef/0x10c0
[ 21.740831][ T373] arch_do_signal+0x42/0x710
[ 21.745422][ T373] exit_to_user_mode_loop+0xa3/0xe0
[ 21.751573][ T373] syscall_exit_to_user_mode+0x77/0xa0
[ 21.757059][ T373] do_syscall_64+0x40/0x70
[ 21.761511][ T373] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 21.767562][ T373] RIP: 0033:0x7f07c25db2fe
[ 21.771959][ T373] Code: Unable to access opcode bytes at RIP 0x7f07c25db2d4.
[ 21.779323][ T373] RSP: 002b:00007ffe6e7b02e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 21.787718][ T373] RAX: fffffffffffffe00 RBX: 00007ffe6e7b0370 RCX: 00007f07c25db2fe
[ 21.795670][ T373] RDX: 0000000000000040 RSI: 00007f07c2746020 RDI: 00000000000000f9
[ 21.803621][ T373] RBP: 0000000000000003 R08: 0000000000000000 R09: ffffffffffff0000
[ 21.811662][ T373] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000032
[ 21.819614][ T373] R13: 0000000000005426 R14: 0000000000000003 R15: 00007ffe6e7b03b0
[ 21.827566][ T373]
[ 21.829875][ T373] Allocated by task 0:
[ 21.833926][ T373] __kasan_kmalloc+0x11a/0x150
[ 21.838752][ T373] kasan_slab_alloc+0xe/0x10
[ 21.843318][ T373] slab_post_alloc_hook+0x3f/0x70
[ 21.848496][ T373] kmem_cache_alloc+0x143/0x200
[ 21.853324][ T373] alloc_pid+0x9a/0xb00
[ 21.857485][ T373] copy_process+0xdc0/0x2110
[ 21.862081][ T373] kernel_clone+0x1df/0x690
[ 21.866609][ T373] kernel_thread+0x11b/0x160
[ 21.871211][ T373] rest_init+0x22/0xf0
[ 21.875285][ T373] arch_call_rest_init+0xe/0x10
[ 21.880141][ T373] start_kernel+0x47d/0x518
[ 21.884634][ T373] x86_64_start_reservations+0x2a/0x2c
[ 21.890071][ T373] x86_64_start_kernel+0x7a/0x7d
[ 21.895074][ T373] secondary_startup_64_no_verify+0xb0/0xbb
[ 21.900937][ T373]
[ 21.903243][ T373] Freed by task 370:
[ 21.907117][ T373] kasan_set_track+0x4c/0x80
[ 21.911773][ T373] kasan_set_free_info+0x1b/0x30
[ 21.916780][ T373] __kasan_slab_free+0x11c/0x150
[ 21.921733][ T373] kasan_slab_free+0xe/0x10
[ 21.926223][ T373] slab_free_freelist_hook+0x8b/0x160
[ 21.931575][ T373] kmem_cache_free+0x9a/0x1c0
[ 21.936399][ T373] put_pid+0xb3/0x120
[ 21.940357][ T373] proc_do_cad_pid+0x131/0x1d0
[ 21.945098][ T373] proc_sys_call_handler+0x48d/0x640
[ 21.950380][ T373] proc_sys_write+0x22/0x30
[ 21.954875][ T373] vfs_write+0x466/0x560
[ 21.959100][ T373] ksys_write+0x155/0x260
[ 21.963405][ T373] __x64_sys_write+0x7b/0x90
[ 21.967971][ T373] do_syscall_64+0x34/0x70
[ 21.972373][ T373] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 21.978237][ T373]
[ 21.980553][ T373] The buggy address belongs to the object at ffff888100156f00
[ 21.980553][ T373] which belongs to the cache pid of size 112
[ 21.993984][ T373] The buggy address is located 4 bytes inside of
[ 21.993984][ T373] 112-byte region [ffff888100156f00, ffff888100156f70)
[ 22.007056][ T373] The buggy address belongs to the page:
[ 22.013204][ T373] page:00000000ba9628b9 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100156
[ 22.023504][ T373] flags: 0x8000000000000200(slab)
[ 22.028511][ T373] raw: 8000000000000200 dead000000000100 dead000000000122 ffff888100138280
[ 22.037083][ T373] raw: 0000000000000000 0000000000150015 00000001ffffffff 0000000000000000
[ 22.045640][ T373] page dumped because: kasan: bad access detected
[ 22.052027][ T373] page_owner tracks the page as allocated
[ 22.057751][ T373] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x0()
[ 22.066171][ T373] register_early_stack+0x41/0x80
[ 22.071190][ T373] init_page_owner+0x32/0x4f0
[ 22.075904][ T373] invoke_init_callbacks+0x63/0x6d
[ 22.081112][ T373] page_ext_init+0x348/0x371
[ 22.085704][ T373] page_owner free stack trace missing
[ 22.091058][ T373]
[ 22.093369][ T373] Memory state around the buggy address:
[ 22.098984][ T373] ffff888100156e00: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[ 22.107320][ T373] ffff888100156e80: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 22.115653][ T373] >ffff888100156f00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[ 22.123695][ T373] ^
[ 22.127739][ T373] ffff888100156f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 22.136084][ T373] ffff888100157000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 22.144129][ T373] ==================================================================
[ 22.152174][ T373] Disabling lock debugging due to kernel taint
[ 22.158321][ T373] BUG: unable to handle page fault for address: ffffed122001beef
[ 22.166022][ T373] #PF: supervisor read access in kernel mode
[ 22.171986][ T373] #PF: error_code(0x0000) - not-present page
[ 22.177969][ T373] PGD 23fff2067 P4D 23fff2067 PUD 0
[ 22.183367][ T373] Oops: 0000 [#1] PREEMPT SMP KASAN
[ 22.188568][ T373] CPU: 1 PID: 373 Comm: syz-executor.0 Tainted: G B 5.10.10-syzkaller-00198-g11167454e9cb #0
[ 22.201032][ T373] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 22.211270][ T373] RIP: 0010:task_active_pid_ns+0x69/0xa0
[ 22.216892][ T373] Code: 0d 5b 1d 00 48 8d 7b 04 48 89 f8 48 c1 e8 03 42 8a 04 30 84 c0 75 33 8b 43 04 48 c1 e0 04 48 8d 5c 03 68 48 89 d8 48 c1 e8 03 <42> 80 3c 30 00 74 08 48 89 df e8 28 ae 4c 00 48 8b 03 eb 07 e8 ce
[ 22.236653][ T373] RSP: 0018:ffffc9000078fb40 EFLAGS: 00010802
[ 22.242697][ T373] RAX: 1ffff1122001beef RBX: ffff8891000df778 RCX: 0000000000000002
[ 22.250733][ T373] RDX: 0000000000000000 RSI: 0000000000000086 RDI: 0000000000000001
[ 22.258689][ T373] RBP: ffffc9000078fb50 R08: ffff888119b26ac0 R09: fffffbfff0bc26f9
[ 22.266747][ T373] R10: fffffbfff0bc26f9 R11: 1ffffffff0bc26f8 R12: dffffc0000000000
[ 22.274700][ T373] R13: ffff888119b26ac0 R14: dffffc0000000000 R15: ffff888119b26fe0
[ 22.282651][ T373] FS: 0000000000000000(0000) GS:ffff8881f7300000(0000) knlGS:0000000000000000
[ 22.291653][ T373] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 22.298216][ T373] CR2: ffffed122001beef CR3: 0000000119bdb000 CR4: 00000000003506a0
[ 22.306298][ T373] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 22.314503][ T373] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 22.322465][ T373] Call Trace:
[ 22.325745][ T373] do_notify_parent+0x2c7/0xa70
[ 22.330579][ T373] ? __kasan_check_write+0x14/0x20
[ 22.335665][ T373] do_exit+0x1a52/0x2190
[ 22.339888][ T373] do_group_exit+0x13f/0x310
[ 22.344473][ T373] get_signal+0xbef/0x10c0
[ 22.348871][ T373] arch_do_signal+0x42/0x710
[ 22.353447][ T373] exit_to_user_mode_loop+0xa3/0xe0
[ 22.358627][ T373] syscall_exit_to_user_mode+0x77/0xa0
[ 22.364089][ T373] do_syscall_64+0x40/0x70
[ 22.368606][ T373] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 22.374509][ T373] RIP: 0033:0x7f07c25db2fe
[ 22.378910][ T373] Code: Unable to access opcode bytes at RIP 0x7f07c25db2d4.
[ 22.386272][ T373] RSP: 002b:00007ffe6e7b02e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 22.394676][ T373] RAX: fffffffffffffe00 RBX: 00007ffe6e7b0370 RCX: 00007f07c25db2fe
[ 22.402894][ T373] RDX: 0000000000000040 RSI: 00007f07c2746020 RDI: 00000000000000f9
[ 22.410930][ T373] RBP: 0000000000000003 R08: 0000000000000000 R09: ffffffffffff0000
[ 22.418883][ T373] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000032
[ 22.427026][ T373] R13: 0000000000005426 R14: 0000000000000003 R15: 00007ffe6e7b03b0
[ 22.435079][ T373] Modules linked in:
[ 22.439049][ T373] CR2: ffffed122001beef
[ 22.443200][ T373] ---[ end trace 01cb9c9191349011 ]---
[ 22.448742][ T373] RIP: 0010:task_active_pid_ns+0x69/0xa0
[ 22.454526][ T373] Code: 0d 5b 1d 00 48 8d 7b 04 48 89 f8 48 c1 e8 03 42 8a 04 30 84 c0 75 33 8b 43 04 48 c1 e0 04 48 8d 5c 03 68 48 89 d8 48 c1 e8 03 <42> 80 3c 30 00 74 08 48 89 df e8 28 ae 4c 00 48 8b 03 eb 07 e8 ce
[ 22.474305][ T373] RSP: 0018:ffffc9000078fb40 EFLAGS: 00010802
[ 22.480362][ T373] RAX: 1ffff1122001beef RBX: ffff8891000df778 RCX: 0000000000000002
[ 22.488429][ T373] RDX: 0000000000000000 RSI: 0000000000000086 RDI: 0000000000000001
[ 22.496384][ T373] RBP: ffffc9000078fb50 R08: ffff888119b26ac0 R09: fffffbfff0bc26f9
[ 22.504349][ T373] R10: fffffbfff0bc26f9 R11: 1ffffffff0bc26f8 R12: dffffc0000000000
[ 22.512297][ T373] R13: ffff888119b26ac0 R14: dffffc0000000000 R15: ffff888119b26fe0
[ 22.520267][ T373] FS: 0000000000000000(0000) GS:ffff8881f7300000(0000) knlGS:0000000000000000
[ 22.529375][ T373] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 22.536034][ T373] CR2: ffffed122001beef CR3: 0000000119bdb000 CR4: 00000000003506a0
[ 22.543996][ T373] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 22.551952][ T373] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 22.559901][ T373] Kernel panic - not syncing: Fatal exception
[ 22.565987][ T373] Kernel Offset: disabled
[ 22.570288][ T373] Rebooting in 86400 seconds..
git status (err=<nil>)
HEAD detached at c0b80a55c
nothing to commit, working tree clean
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:32: run command via tools/syz-env for best compatibility, see:
Makefile:33: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=c0b80a55c9c8cfe75e77c555ed0d4ae7aa373cc2 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20221021-135310'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-fuzzer github.com/google/syzkaller/syz-fuzzer
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=c0b80a55c9c8cfe75e77c555ed0d4ae7aa373cc2 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20221021-135310'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=c0b80a55c9c8cfe75e77c555ed0d4ae7aa373cc2 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20221021-135310'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-stress github.com/google/syzkaller/tools/syz-stress
mkdir -p ./bin/linux_amd64
gcc -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -static-pie -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"c0b80a55c9c8cfe75e77c555ed0d4ae7aa373cc2\"
Error text is too large and was truncated, full error text is at:
Tested on:
commit: 11167454 kernfs: implement ->write_iter
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
kernel config: https://syzkaller.appspot.com/x/.config?x=75ba0c2422c58221
Jun Nie
Nov 26, 2022, 10:34:43 AM11/26/22
to syzbot+e00d13...@syzkaller.appspotmail.com, syzkaller-a...@googlegroups.com
syzbot
Nov 26, 2022, 10:49:22 AM11/26/22
to jun...@linaro.org, syzkaller-a...@googlegroups.com
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
2.113938][ T5] addrconf_dad_completed+0x493/0x970
syzbot tried to test the proposed patch but the build/boot failed:
[ 22.119369][ T5] addrconf_dad_work+0x9d0/0x12d0
[ 22.124411][ T5] process_one_work+0x3d5/0x640
[ 22.129240][ T5] worker_thread+0x723/0xa60
[ 22.133804][ T5] kthread+0x365/0x400
[ 22.137844][ T5] ? pr_cont_work+0x110/0x110
[ 22.142491][ T5] ? __list_add+0xc0/0xc0
[ 22.146796][ T5] ret_from_fork+0x1f/0x30
[ 22.151219][ T5] ================================================================================
[ 22.160519][ T5] ================================================================================
[ 22.169891][ T5] UBSAN: object-size-mismatch in ./include/linux/skbuff.h:1909:2
[ 22.177604][ T5] member access within address 00000000f64dbd84 with insufficient space
[ 22.185924][ T5] for an object of type 'struct sk_buff'
[ 22.191763][ T5] CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 5.10.10-syzkaller #0
[ 22.201225][ T5] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 22.211261][ T5] Workqueue: ipv6_addrconf addrconf_dad_work
[ 22.217211][ T5] Call Trace:
[ 22.220470][ T5] dump_stack+0x19c/0x1e2
[ 22.224772][ T5] ubsan_type_mismatch_common+0x1ed/0x3a0
[ 22.230463][ T5] __ubsan_handle_type_mismatch_v1+0x4b/0x60
[ 22.236412][ T5] wg_xmit+0x48f/0xa60
[ 22.240451][ T5] ? __sanitizer_cov_trace_switch+0x64/0x80
[ 22.246312][ T5] netdev_start_xmit+0x8a/0x160
[ 22.251132][ T5] dev_hard_start_xmit+0x18d/0x2f0
[ 22.256212][ T5] __dev_queue_xmit+0xf16/0x1920
[ 22.261121][ T5] ? __kasan_check_write+0x14/0x20
[ 22.266200][ T5] dev_queue_xmit+0x17/0x20
[ 22.270673][ T5] neigh_connected_output+0x288/0x2b0
[ 22.276016][ T5] ip6_finish_output2+0xc34/0x1020
[ 22.281100][ T5] ? ip6_mtu+0xf1/0x140
[ 22.285225][ T5] __ip6_finish_output+0x3e6/0x530
[ 22.290306][ T5] ip6_finish_output+0x20b/0x220
[ 22.295214][ T5] ? ip6_output+0x175/0x3f0
[ 22.299685][ T5] ip6_output+0x18c/0x3f0
[ 22.303984][ T5] ? ip6_dst_idev+0x40/0x40
[ 22.308457][ T5] NF_HOOK+0x88/0x210
[ 22.312408][ T5] ? NF_HOOK+0x210/0x210
[ 22.316622][ T5] ndisc_send_skb+0x653/0x9f0
[ 22.321368][ T5] ndisc_send_rs+0x26c/0x360
[ 22.325929][ T5] addrconf_dad_completed+0x493/0x970
[ 22.331270][ T5] addrconf_dad_work+0x9d0/0x12d0
[ 22.336271][ T5] process_one_work+0x3d5/0x640
[ 22.341094][ T5] worker_thread+0x723/0xa60
[ 22.345658][ T5] kthread+0x365/0x400
[ 22.349718][ T5] ? pr_cont_work+0x110/0x110
2022/11/26 15:48:17 building call list...
[ 22.354374][ T5] ? __list_add+0xc0/0xc0
[ 22.358673][ T5] ret_from_fork+0x1f/0x30
[ 22.363102][ T5] ================================================================================
[ 22.374919][ T374] cgroup: cgroup: disabling cgroup2 socket matching due to net_prio or net_cls activation
[ 22.434693][ T374] ==================================================================
[ 22.442786][ T374] BUG: KASAN: use-after-free in task_active_pid_ns+0x9a/0xa0
[ 22.450147][ T374] Read of size 4 at addr ffff888100156604 by task syz-executor.0/374
[ 22.458189][ T374]
[ 22.460515][ T374] CPU: 1 PID: 374 Comm: syz-executor.0 Not tainted 5.10.10-syzkaller #0
[ 22.468820][ T374] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 22.478866][ T374] Call Trace:
[ 22.482152][ T374] dump_stack+0x19c/0x1e2
[ 22.486475][ T374] print_address_description+0x7e/0x6a0
[ 22.492014][ T374] ? printk+0x76/0x96
[ 22.496086][ T374] kasan_report+0x16f/0x210
[ 22.500576][ T374] ? task_active_pid_ns+0x9a/0xa0
[ 22.505598][ T374] ? task_active_pid_ns+0x9a/0xa0
[ 22.510624][ T374] __asan_report_load4_noabort+0x14/0x20
[ 22.516249][ T374] task_active_pid_ns+0x9a/0xa0
[ 22.521096][ T374] do_notify_parent+0x2c7/0xa70
[ 22.525945][ T374] ? __kasan_check_write+0x14/0x20
[ 22.531052][ T374] do_exit+0x1a52/0x2190
[ 22.535283][ T374] ? memset+0x35/0x40
[ 22.539254][ T374] do_group_exit+0x13f/0x310
[ 22.543832][ T374] get_signal+0xbef/0x10c0
[ 22.548254][ T374] arch_do_signal+0x42/0x710
[ 22.552846][ T374] exit_to_user_mode_loop+0xa3/0xe0
[ 22.558043][ T374] syscall_exit_to_user_mode+0x77/0xa0
[ 22.563498][ T374] do_syscall_64+0x40/0x70
[ 22.567919][ T374] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 22.573808][ T374] RIP: 0033:0x7f416ef3f263
[ 22.578210][ T374] Code: Unable to access opcode bytes at RIP 0x7f416ef3f239.
[ 22.585569][ T374] RSP: 002b:00007ffc157b01a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 22.593980][ T374] RAX: 000000000000000c RBX: 0000000000000002 RCX: 00007f416ef3f263
[ 22.601944][ T374] RDX: 000000000000000c RSI: 00007ffc157b0270 RDI: 00000000000000f8
[ 22.609905][ T374] RBP: 00007ffc157b020c R08: 00007ffc157c1080 R09: 00007ffc157c10b8
[ 22.617864][ T374] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000032
[ 22.625829][ T374] R13: 0000000000005764 R14: 0000000000000003 R15: 00007ffc157b0270
[ 22.633793][ T374]
[ 22.636119][ T374] Allocated by task 0:
[ 22.640185][ T374] __kasan_kmalloc+0x11a/0x150
[ 22.644941][ T374] kasan_slab_alloc+0xe/0x10
[ 22.649604][ T374] slab_post_alloc_hook+0x3f/0x70
[ 22.654613][ T374] kmem_cache_alloc+0x143/0x200
[ 22.659449][ T374] alloc_pid+0x9a/0xb00
[ 22.663588][ T374] copy_process+0xdc0/0x2110
[ 22.668159][ T374] kernel_clone+0x1df/0x690
[ 22.672645][ T374] kernel_thread+0x11b/0x160
[ 22.677229][ T374] rest_init+0x22/0xf0
[ 22.681284][ T374] arch_call_rest_init+0xe/0x10
[ 22.686206][ T374] start_kernel+0x47d/0x518
[ 22.690693][ T374] x86_64_start_reservations+0x2a/0x2c
[ 22.696229][ T374] x86_64_start_kernel+0x7a/0x7d
[ 22.701242][ T374] secondary_startup_64_no_verify+0xb0/0xbb
[ 22.707198][ T374]
[ 22.709513][ T374] Freed by task 370:
[ 22.713395][ T374] kasan_set_track+0x4c/0x80
[ 22.717972][ T374] kasan_set_free_info+0x1b/0x30
[ 22.723162][ T374] __kasan_slab_free+0x11c/0x150
[ 22.728083][ T374] kasan_slab_free+0xe/0x10
[ 22.732572][ T374] slab_free_freelist_hook+0x8b/0x160
[ 22.737936][ T374] kmem_cache_free+0x9a/0x1c0
[ 22.742598][ T374] put_pid+0xb3/0x120
[ 22.746650][ T374] proc_do_cad_pid+0x131/0x1d0
[ 22.751404][ T374] proc_sys_call_handler+0x48d/0x640
[ 22.756684][ T374] proc_sys_write+0x22/0x30
[ 22.761201][ T374] vfs_write+0x466/0x560
[ 22.765440][ T374] ksys_write+0x155/0x260
[ 22.770012][ T374] __x64_sys_write+0x7b/0x90
[ 22.775034][ T374] do_syscall_64+0x34/0x70
[ 22.779425][ T374] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 22.786940][ T374]
[ 22.789266][ T374] The buggy address belongs to the object at ffff888100156600
[ 22.789266][ T374] which belongs to the cache pid of size 112
[ 22.802859][ T374] The buggy address is located 4 bytes inside of
[ 22.802859][ T374] 112-byte region [ffff888100156600, ffff888100156670)
[ 22.816100][ T374] The buggy address belongs to the page:
[ 22.821736][ T374] page:0000000031746e05 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100156
[ 22.831958][ T374] flags: 0x8000000000000200(slab)
[ 22.836961][ T374] raw: 8000000000000200 dead000000000100 dead000000000122 ffff888100138dc0
[ 22.845580][ T374] raw: 0000000000000000 0000000000150015 00000001ffffffff 0000000000000000
[ 22.854220][ T374] page dumped because: kasan: bad access detected
[ 22.860627][ T374] page_owner tracks the page as allocated
[ 22.866323][ T374] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x0()
[ 22.874709][ T374] register_early_stack+0x41/0x80
[ 22.879708][ T374] init_page_owner+0x32/0x4f0
[ 22.884363][ T374] invoke_init_callbacks+0x63/0x6d
[ 22.889451][ T374] page_ext_init+0x348/0x371
[ 22.894010][ T374] page_owner free stack trace missing
[ 22.899350][ T374]
[ 22.901654][ T374] Memory state around the buggy address:
[ 22.907348][ T374] ffff888100156500: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[ 22.915385][ T374] ffff888100156580: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 22.923421][ T374] >ffff888100156600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[ 22.931546][ T374] ^
[ 22.935587][ T374] ffff888100156680: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[ 22.943630][ T374] ffff888100156700: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 22.951659][ T374] ==================================================================
[ 22.959776][ T374] Disabling lock debugging due to kernel taint
[ 22.965911][ T374] BUG: unable to handle page fault for address: ffffed122001bdcf
[ 22.973689][ T374] #PF: supervisor read access in kernel mode
[ 22.979645][ T374] #PF: error_code(0x0000) - not-present page
[ 22.985593][ T374] PGD 23fff2067 P4D 23fff2067 PUD 0
[ 22.990866][ T374] Oops: 0000 [#1] PREEMPT SMP KASAN
[ 22.996044][ T374] CPU: 1 PID: 374 Comm: syz-executor.0 Tainted: G B 5.10.10-syzkaller #0
[ 23.005728][ T374] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 23.015862][ T374] RIP: 0010:task_active_pid_ns+0x69/0xa0
[ 23.021469][ T374] Code: 0d 5b 1d 00 48 8d 7b 04 48 89 f8 48 c1 e8 03 42 8a 04 30 84 c0 75 33 8b 43 04 48 c1 e0 04 48 8d 5c 03 68 48 89 d8 48 c1 e8 03 <42> 80 3c 30 00 74 08 48 89 df e8 28 ae 4c 00 48 8b 03 eb 07 e8 ce
[ 23.041045][ T374] RSP: 0018:ffffc900002ffb40 EFLAGS: 00010806
[ 23.047084][ T374] RAX: 1ffff1122001bdcf RBX: ffff8891000dee78 RCX: 0000000000000002
[ 23.055031][ T374] RDX: 0000000000000000 RSI: 0000000000000086 RDI: 0000000000000001
[ 23.062977][ T374] RBP: ffffc900002ffb50 R08: ffff8881198fbd00 R09: fffffbfff0bc26f9
[ 23.070922][ T374] R10: fffffbfff0bc26f9 R11: 1ffffffff0bc26f8 R12: dffffc0000000000
[ 23.078871][ T374] R13: ffff8881198fbd00 R14: dffffc0000000000 R15: ffff8881198fc220
[ 23.086821][ T374] FS: 0000000000000000(0000) GS:ffff8881f7300000(0000) knlGS:0000000000000000
[ 23.095722][ T374] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 23.102280][ T374] CR2: ffffed122001bdcf CR3: 0000000119689000 CR4: 00000000003506a0
[ 23.110232][ T374] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 23.118181][ T374] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 23.126123][ T374] Call Trace:
[ 23.129392][ T374] do_notify_parent+0x2c7/0xa70
[ 23.134218][ T374] ? __kasan_check_write+0x14/0x20
[ 23.139303][ T374] do_exit+0x1a52/0x2190
[ 23.143521][ T374] ? memset+0x35/0x40
[ 23.147484][ T374] do_group_exit+0x13f/0x310
[ 23.152048][ T374] get_signal+0xbef/0x10c0
[ 23.156449][ T374] arch_do_signal+0x42/0x710
[ 23.161014][ T374] exit_to_user_mode_loop+0xa3/0xe0
[ 23.166188][ T374] syscall_exit_to_user_mode+0x77/0xa0
[ 23.171620][ T374] do_syscall_64+0x40/0x70
[ 23.176024][ T374] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 23.181898][ T374] RIP: 0033:0x7f416ef3f263
[ 23.186288][ T374] Code: Unable to access opcode bytes at RIP 0x7f416ef3f239.
[ 23.193627][ T374] RSP: 002b:00007ffc157b01a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 23.202027][ T374] RAX: 000000000000000c RBX: 0000000000000002 RCX: 00007f416ef3f263
[ 23.209975][ T374] RDX: 000000000000000c RSI: 00007ffc157b0270 RDI: 00000000000000f8
[ 23.217920][ T374] RBP: 00007ffc157b020c R08: 00007ffc157c1080 R09: 00007ffc157c10b8
[ 23.225864][ T374] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000032
[ 23.233830][ T374] R13: 0000000000005764 R14: 0000000000000003 R15: 00007ffc157b0270
[ 23.241777][ T374] Modules linked in:
[ 23.245649][ T374] CR2: ffffed122001bdcf
[ 23.249781][ T374] ---[ end trace 40f801c0a5db317a ]---
[ 23.255303][ T374] RIP: 0010:task_active_pid_ns+0x69/0xa0
[ 23.260915][ T374] Code: 0d 5b 1d 00 48 8d 7b 04 48 89 f8 48 c1 e8 03 42 8a 04 30 84 c0 75 33 8b 43 04 48 c1 e0 04 48 8d 5c 03 68 48 89 d8 48 c1 e8 03 <42> 80 3c 30 00 74 08 48 89 df e8 28 ae 4c 00 48 8b 03 eb 07 e8 ce
[ 23.280778][ T374] RSP: 0018:ffffc900002ffb40 EFLAGS: 00010806
[ 23.286837][ T374] RAX: 1ffff1122001bdcf RBX: ffff8891000dee78 RCX: 0000000000000002
[ 23.294797][ T374] RDX: 0000000000000000 RSI: 0000000000000086 RDI: 0000000000000001
[ 23.303906][ T374] RBP: ffffc900002ffb50 R08: ffff8881198fbd00 R09: fffffbfff0bc26f9
[ 23.311953][ T374] R10: fffffbfff0bc26f9 R11: 1ffffffff0bc26f8 R12: dffffc0000000000
[ 23.320373][ T374] R13: ffff8881198fbd00 R14: dffffc0000000000 R15: ffff8881198fc220
[ 23.328324][ T374] FS: 0000000000000000(0000) GS:ffff8881f7300000(0000) knlGS:0000000000000000
[ 23.337228][ T374] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 23.343897][ T374] CR2: ffffed122001bdcf CR3: 0000000119689000 CR4: 00000000003506a0
[ 23.351946][ T374] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 23.359901][ T374] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 23.367850][ T374] Kernel panic - not syncing: Fatal exception
[ 24.476100][ T374] Shutting down cpus with NMI
[ 24.480870][ T374] Kernel Offset: disabled
[ 24.485281][ T374] Rebooting in 86400 seconds..
git status (err=<nil>)
HEAD detached at c0b80a55c
nothing to commit, working tree clean
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:32: run command via tools/syz-env for best compatibility, see:
Makefile:33: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=c0b80a55c9c8cfe75e77c555ed0d4ae7aa373cc2 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20221021-135310'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-fuzzer github.com/google/syzkaller/syz-fuzzer
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=c0b80a55c9c8cfe75e77c555ed0d4ae7aa373cc2 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20221021-135310'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=c0b80a55c9c8cfe75e77c555ed0d4ae7aa373cc2 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20221021-135310'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-stress github.com/google/syzkaller/tools/syz-stress
mkdir -p ./bin/linux_amd64
gcc -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -static-pie -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"c0b80a55c9c8cfe75e77c555ed0d4ae7aa373cc2\"
Error text is too large and was truncated, full error text is at:
Tested on:
commit: 8dc0fcbc Linux 5.10.10
Jun Nie
Nov 28, 2022, 11:02:06 AM11/28/22
to syzbot+e00d13...@syzkaller.appspotmail.com, syzkaller-a...@googlegroups.com
#syz test: https://android.googlesource.com/kernel/common d3c86f460db1e
syzbot
Nov 28, 2022, 6:09:21 PM11/28/22
to jun...@linaro.org, syzkaller-a...@googlegroups.com
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
bject_r:nsfs_t tclass=file permissive=1
syzbot tried to test the proposed patch but the build/boot failed:
[ 21.310928][ T370] cgroup: Unknown subsys name 'net'
[ 21.316197][ T23] audit: type=1400 audit(1669676880.109:74): avc: denied { read } for pid=362 comm="syz-fuzzer" dev="nsfs" ino=4026531837 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1
[ 21.342209][ T23] audit: type=1400 audit(1669676880.109:75): avc: denied { open } for pid=362 comm="syz-fuzzer" path="user:[4026531837]" dev="nsfs" ino=4026531837 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1
[ 21.342675][ T370] cgroup: Unknown subsys name 'devices'
[ 21.371298][ T23] audit: type=1400 audit(1669676880.109:76): avc: denied { read } for pid=362 comm="syz-fuzzer" name="raw-gadget" dev="devtmpfs" ino=165 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 21.394058][ T23] audit: type=1400 audit(1669676880.109:77): avc: denied { open } for pid=362 comm="syz-fuzzer" path="/dev/raw-gadget" dev="devtmpfs" ino=165 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 21.423408][ T23] audit: type=1400 audit(1669676880.109:78): avc: denied { mounton } for pid=370 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=1136 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1
[ 21.446394][ T23] audit: type=1400 audit(1669676880.109:79): avc: denied { mount } for pid=370 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 21.470720][ T23] audit: type=1400 audit(1669676880.139:80): avc: denied { unmount } for pid=370 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 21.590846][ T370] cgroup: Unknown subsys name 'hugetlb'
[ 21.596649][ T370] cgroup: Unknown subsys name 'rlimit'
[ 21.690238][ T23] audit: type=1400 audit(1669676880.509:81): avc: denied { setattr } for pid=370 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=165 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 21.726398][ T23] audit: type=1400 audit(1669676880.539:82): avc: denied { execmem } for pid=372 comm="syz-executor.0" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[ 21.790849][ T373] bridge0: port 1(bridge_slave_0) entered blocking state
[ 21.798419][ T373] bridge0: port 1(bridge_slave_0) entered disabled state
[ 21.806459][ T373] device bridge_slave_0 entered promiscuous mode
[ 21.813656][ T373] bridge0: port 2(bridge_slave_1) entered blocking state
[ 21.820805][ T373] bridge0: port 2(bridge_slave_1) entered disabled state
[ 21.828139][ T373] device bridge_slave_1 entered promiscuous mode
[ 21.862676][ T373] bridge0: port 2(bridge_slave_1) entered blocking state
[ 21.869744][ T373] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 21.877219][ T373] bridge0: port 1(bridge_slave_0) entered blocking state
[ 21.884379][ T373] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 21.906086][ T24] bridge0: port 1(bridge_slave_0) entered disabled state
[ 21.913962][ T24] bridge0: port 2(bridge_slave_1) entered disabled state
[ 21.921536][ T24] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 21.929387][ T24] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 21.947883][ T24] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 21.956522][ T24] bridge0: port 1(bridge_slave_0) entered blocking state
[ 21.963640][ T24] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 21.971311][ T24] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 21.980205][ T24] bridge0: port 2(bridge_slave_1) entered blocking state
[ 21.987230][ T24] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 21.995293][ T24] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 22.003684][ T24] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 22.018812][ T24] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 22.027241][ T24] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 22.044450][ T24] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 22.053897][ T24] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 22.063437][ T24] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 22.072514][ T24] ================================================================================
[ 22.081823][ T24] UBSAN: object-size-mismatch in ./include/linux/skbuff.h:2023:28
[ 22.090063][ T24] member access within address ffffc9000019f180 with insufficient space
[ 22.098502][ T24] for an object of type 'struct sk_buff'
[ 22.104269][ T24] CPU: 1 PID: 24 Comm: kworker/1:1 Not tainted 5.10.66-syzkaller #0
[ 22.112299][ T24] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 22.122480][ T24] Workqueue: ipv6_addrconf addrconf_dad_work
[ 22.128453][ T24] Call Trace:
[ 22.131832][ T24] dump_stack_lvl+0x1e2/0x24b
[ 22.136496][ T24] ? bfq_pos_tree_add_move+0x439/0x439
[ 22.142065][ T24] ? wg_allowedips_lookup_dst+0x190/0x190
[ 22.147772][ T24] ? stack_trace_save+0x1f0/0x1f0
[ 22.153157][ T24] dump_stack+0x15/0x17
[ 22.157321][ T24] ubsan_type_mismatch_common+0x1ed/0x3a0
[ 22.163040][ T24] ? __sanitizer_cov_trace_switch+0x64/0x80
[ 22.168934][ T24] __ubsan_handle_type_mismatch_v1+0x4b/0x60
[ 22.174914][ T24] wg_xmit+0x4a2/0xae0
[ 22.178979][ T24] ? wg_stop+0x140/0x140
[ 22.183481][ T24] ? __sanitizer_cov_trace_const_cmp2+0x19/0x20
[ 22.190235][ T24] ? validate_xmit_skb+0x841/0xd00
[ 22.195634][ T24] netdev_start_xmit+0x8a/0x160
[ 22.200857][ T24] dev_hard_start_xmit+0x18d/0x2f0
[ 22.205956][ T24] __dev_queue_xmit+0x1000/0x1a80
[ 22.211053][ T24] ? dev_queue_xmit+0x20/0x20
[ 22.215726][ T24] ? do_raw_spin_unlock+0x60/0x60
[ 22.221102][ T24] ? __sanitizer_cov_trace_const_cmp4+0x19/0x20
[ 22.227329][ T24] ? ndisc_constructor+0x653/0x850
[ 22.232422][ T24] ? __local_bh_enable_ip+0x53/0x80
[ 22.237627][ T24] ? _raw_write_unlock_bh+0x31/0x47
[ 22.243026][ T24] ? dev_hard_header+0xdb/0xf0
[ 22.247772][ T24] dev_queue_xmit+0x17/0x20
[ 22.252361][ T24] neigh_connected_output+0x288/0x2b0
[ 22.257716][ T24] ip6_finish_output2+0xdc6/0x1370
[ 22.262806][ T24] ? __ip6_finish_output+0x530/0x530
[ 22.268287][ T24] ? dst_cow_metrics_generic+0x55/0x1d0
[ 22.273971][ T24] ? __sanitizer_cov_trace_const_cmp4+0x19/0x20
[ 22.280193][ T24] ? ip6_skb_dst_mtu+0xaf/0x260
[ 22.285029][ T24] __ip6_finish_output+0x3e6/0x530
[ 22.290126][ T24] ip6_finish_output+0x20b/0x220
[ 22.295208][ T24] ? ip6_output+0x1d3/0x4b0
[ 22.299692][ T24] ip6_output+0x1f8/0x4b0
[ 22.304048][ T24] ? xfrm_pols_put+0x102/0x110
[ 22.308909][ T24] ? asan.module_dtor+0x20/0x20
[ 22.313755][ T24] ? ip6_dst_idev+0x40/0x40
[ 22.318248][ T24] ? selinux_ipv6_forward+0x50/0x50
[ 22.323584][ T24] ? __sanitizer_cov_trace_cmp8+0x18/0x20
[ 22.329306][ T24] NF_HOOK+0xdd/0x280
[ 22.333278][ T24] ? addrconf_addr_solict_mult+0xe0/0xe0
[ 22.338888][ T24] ? NF_HOOK+0x280/0x280
[ 22.343111][ T24] ? xfrm_lookup+0x38/0x50
[ 22.347504][ T24] ? __sanitizer_cov_trace_const_cmp4+0x19/0x20
[ 22.353718][ T24] ? ndisc_send_skb+0x55d/0xa10
[ 22.358732][ T24] ? memcpy+0x56/0x70
[ 22.362689][ T24] ndisc_send_skb+0x65e/0xa10
[ 22.367344][ T24] ? ndisc_fill_addr_option+0x320/0x320
[ 22.372866][ T24] ? skb_set_owner_w+0x1b8/0x330
[ 22.377780][ T24] ? __sanitizer_cov_trace_cmp4+0x19/0x20
[ 22.383500][ T24] ? skb_put+0x119/0x210
[ 22.387805][ T24] ndisc_send_rs+0x26c/0x360
[ 22.392372][ T24] addrconf_dad_completed+0x4f3/0x9f0
[ 22.397808][ T24] ? addrconf_dad_stop+0x420/0x420
[ 22.402916][ T24] addrconf_dad_work+0xa7d/0x13f0
[ 22.408027][ T24] ? INIT_LIST_HEAD+0x60/0x60
[ 22.412829][ T24] ? __kasan_check_write+0x14/0x20
[ 22.417945][ T24] process_one_work+0x3d5/0x640
[ 22.422787][ T24] worker_thread+0x723/0xa60
[ 22.427364][ T24] ? list_del_init+0x1f/0xd0
[ 22.431954][ T24] kthread+0x365/0x400
[ 22.436021][ T24] ? pr_cont_work+0x110/0x110
[ 22.440788][ T24] ? __list_add+0xc0/0xc0
[ 22.445106][ T24] ret_from_fork+0x1f/0x30
[ 22.449573][ T24] ================================================================================
[ 22.458974][ T24] ================================================================================
[ 22.468239][ T24] UBSAN: object-size-mismatch in ./include/linux/skbuff.h:1916:2
[ 22.476118][ T24] member access within address ffffc9000019f180 with insufficient space
[ 22.484628][ T24] for an object of type 'struct sk_buff'
[ 22.490283][ T24] CPU: 1 PID: 24 Comm: kworker/1:1 Not tainted 5.10.66-syzkaller #0
[ 22.498885][ T24] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 22.509245][ T24] Workqueue: ipv6_addrconf addrconf_dad_work
[ 22.515205][ T24] Call Trace:
[ 22.518654][ T24] dump_stack_lvl+0x1e2/0x24b
[ 22.523584][ T24] ? bfq_pos_tree_add_move+0x439/0x439
[ 22.529775][ T24] ? wg_allowedips_lookup_dst+0x190/0x190
[ 22.535764][ T24] ? stack_trace_save+0x1f0/0x1f0
[ 22.540789][ T24] dump_stack+0x15/0x17
[ 22.545100][ T24] ubsan_type_mismatch_common+0x1ed/0x3a0
[ 22.550806][ T24] __ubsan_handle_type_mismatch_v1+0x4b/0x60
[ 22.556806][ T24] wg_xmit+0x513/0xae0
[ 22.560883][ T24] ? wg_stop+0x140/0x140
[ 22.565120][ T24] ? __sanitizer_cov_trace_const_cmp2+0x19/0x20
[ 22.571351][ T24] ? validate_xmit_skb+0x841/0xd00
[ 22.576541][ T24] netdev_start_xmit+0x8a/0x160
[ 22.581382][ T24] dev_hard_start_xmit+0x18d/0x2f0
[ 22.586497][ T24] __dev_queue_xmit+0x1000/0x1a80
[ 22.591603][ T24] ? dev_queue_xmit+0x20/0x20
[ 22.596791][ T24] ? do_raw_spin_unlock+0x60/0x60
[ 22.602074][ T24] ? __sanitizer_cov_trace_const_cmp4+0x19/0x20
[ 22.608312][ T24] ? ndisc_constructor+0x653/0x850
[ 22.613418][ T24] ? __local_bh_enable_ip+0x53/0x80
[ 22.618622][ T24] ? _raw_write_unlock_bh+0x31/0x47
[ 22.623996][ T24] ? dev_hard_header+0xdb/0xf0
[ 22.628762][ T24] dev_queue_xmit+0x17/0x20
[ 22.633429][ T24] neigh_connected_output+0x288/0x2b0
[ 22.638797][ T24] ip6_finish_output2+0xdc6/0x1370
[ 22.643908][ T24] ? __ip6_finish_output+0x530/0x530
[ 22.649271][ T24] ? dst_cow_metrics_generic+0x55/0x1d0
[ 22.654802][ T24] ? __sanitizer_cov_trace_const_cmp4+0x19/0x20
[ 22.661194][ T24] ? ip6_skb_dst_mtu+0xaf/0x260
[ 22.666089][ T24] __ip6_finish_output+0x3e6/0x530
[ 22.671540][ T24] ip6_finish_output+0x20b/0x220
[ 22.676798][ T24] ? ip6_output+0x1d3/0x4b0
[ 22.681441][ T24] ip6_output+0x1f8/0x4b0
[ 22.685762][ T24] ? xfrm_pols_put+0x102/0x110
[ 22.690602][ T24] ? asan.module_dtor+0x20/0x20
[ 22.695441][ T24] ? ip6_dst_idev+0x40/0x40
[ 22.700032][ T24] ? selinux_ipv6_forward+0x50/0x50
[ 22.705318][ T24] ? __sanitizer_cov_trace_cmp8+0x18/0x20
[ 22.711198][ T24] NF_HOOK+0xdd/0x280
[ 22.715162][ T24] ? addrconf_addr_solict_mult+0xe0/0xe0
[ 22.720949][ T24] ? NF_HOOK+0x280/0x280
[ 22.725169][ T24] ? xfrm_lookup+0x38/0x50
[ 22.729568][ T24] ? __sanitizer_cov_trace_const_cmp4+0x19/0x20
[ 22.736068][ T24] ? ndisc_send_skb+0x55d/0xa10
[ 22.743008][ T24] ? memcpy+0x56/0x70
[ 22.746996][ T24] ndisc_send_skb+0x65e/0xa10
[ 22.751830][ T24] ? ndisc_fill_addr_option+0x320/0x320
[ 22.757381][ T24] ? skb_set_owner_w+0x1b8/0x330
[ 22.762307][ T24] ? __sanitizer_cov_trace_cmp4+0x19/0x20
[ 22.768007][ T24] ? skb_put+0x119/0x210
[ 22.772227][ T24] ndisc_send_rs+0x26c/0x360
[ 22.776918][ T24] addrconf_dad_completed+0x4f3/0x9f0
[ 22.782284][ T24] ? addrconf_dad_stop+0x420/0x420
[ 22.787382][ T24] addrconf_dad_work+0xa7d/0x13f0
[ 22.792679][ T24] ? INIT_LIST_HEAD+0x60/0x60
[ 22.797519][ T24] ? __kasan_check_write+0x14/0x20
[ 22.802623][ T24] process_one_work+0x3d5/0x640
[ 22.807457][ T24] worker_thread+0x723/0xa60
[ 22.812033][ T24] ? list_del_init+0x1f/0xd0
[ 22.816603][ T24] kthread+0x365/0x400
2022/11/28 23:08:01 building call list...
[ 22.820755][ T24] ? pr_cont_work+0x110/0x110
[ 22.825591][ T24] ? __list_add+0xc0/0xc0
[ 22.829930][ T24] ret_from_fork+0x1f/0x30
[ 22.834661][ T24] ================================================================================
[ 22.854703][ T373] cgroup: cgroup: disabling cgroup2 socket matching due to net_prio or net_cls activation
[ 23.419135][ T9] device bridge_slave_1 left promiscuous mode
[ 23.425523][ T9] bridge0: port 2(bridge_slave_1) entered disabled state
[ 23.446510][ T9] device bridge_slave_0 left promiscuous mode
[ 23.452861][ T9] bridge0: port 1(bridge_slave_0) entered disabled state
git status (err=<nil>)
HEAD detached at c0b80a55c
nothing to commit, working tree clean
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:32: run command via tools/syz-env for best compatibility, see:
Makefile:33: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=c0b80a55c9c8cfe75e77c555ed0d4ae7aa373cc2 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20221021-135310'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-fuzzer github.com/google/syzkaller/syz-fuzzer
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=c0b80a55c9c8cfe75e77c555ed0d4ae7aa373cc2 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20221021-135310'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=c0b80a55c9c8cfe75e77c555ed0d4ae7aa373cc2 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20221021-135310'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-stress github.com/google/syzkaller/tools/syz-stress
mkdir -p ./bin/linux_amd64
gcc -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -static-pie -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"c0b80a55c9c8cfe75e77c555ed0d4ae7aa373cc2\"
Error text is too large and was truncated, full error text is at:
Tested on:
commit: d3c86f46 Merge 5.10.66 into android12-5.10-lts
git tree: https://android.googlesource.com/kernel/common
kernel config: https://syzkaller.appspot.com/x/.config?x=b8d3d95b8d8450b6
Jun Nie
Nov 29, 2022, 8:58:19 PM11/29/22
to syzbot+e00d13...@syzkaller.appspotmail.com, syzkaller-a...@googlegroups.com
#syz test: https://android.googlesource.com/kernel/common android12-5.10-lts
syzbot
Nov 29, 2022, 10:14:15 PM11/29/22
to jun...@linaro.org, syzkaller-a...@googlegroups.com
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
patch is already applied
syzbot tried to test the proposed patch but the build/boot failed:
Tested on:
commit: 673a7341 Merge 5.10.153 into android12-5.10-lts
git tree: android12-5.10-lts
patch: https://syzkaller.appspot.com/x/patch.diff?x=103d9cbd880000
Jun Nie
Nov 29, 2022, 11:23:28 PM11/29/22
to syzbot+e00d13...@syzkaller.appspotmail.com, syzkaller-a...@googlegroups.com
syzbot
Nov 30, 2022, 8:46:30 AM11/30/22
to jun...@linaro.org, syzkaller-a...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in kernfs_name_hash
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
RAX: ffffffffffffffda RBX: 00007faa9b345f80 RCX: 00007faa9b2255f9
RDX: 0000000000000000 RSI: 0000000000004c81 RDI: 0000000000000003
RBP: 00007faa9b2807b0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fff93ce613f R14: 00007faa9b199300 R15: 0000000000022000
---[ end trace 2940a7775d203014 ]---
general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 0 PID: 426 Comm: syz-executor.0 Tainted: G W 5.10.153-syzkaller-987315-g673a7341bdab #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
RIP: 0010:strlen+0x3a/0x80 lib/string.c:568
Code: c0 ff ff ff ff 49 bf 00 00 00 00 00 fc ff df 48 89 fb 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 49 89 c4 48 89 d8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 75 12 48 ff c3 49 8d 44 24 01 43 80 7c 26 01
RSP: 0018:ffffc90000c57b68 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff8881067da780
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90000c57b88 R08: ffffffff81d1d28c R09: fffff5200018af75
R10: fffff5200018af75 R11: 1ffff9200018af74 R12: ffffffffffffffff
R13: 0000000000000000 R14: 0000000000000000 R15: dffffc0000000000
FS: 00007faa9b199700(0000) GS:ffff8881f7200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007faa9b198ff8 CR3: 000000011eb03000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
kernfs_name_hash+0x21/0x240 fs/kernfs/dir.c:310
kernfs_find_ns+0x72/0x280 fs/kernfs/dir.c:849
kernfs_remove_by_name_ns+0x3a/0x110 fs/kernfs/dir.c:1521
kernfs_remove_by_name include/linux/kernfs.h:608 [inline]
sysfs_remove_link+0x50/0x60 fs/sysfs/symlink.c:152
del_gendisk+0xbe0/0xe20 block/genhd.c:951
loop_remove+0x46/0xb0 drivers/block/loop.c:2190
loop_control_ioctl+0x67f/0x740 drivers/block/loop.c:2289
vfs_ioctl fs/ioctl.c:48 [inline]
__do_sys_ioctl fs/ioctl.c:753 [inline]
__se_sys_ioctl+0x115/0x190 fs/ioctl.c:739
__x64_sys_ioctl+0x7b/0x90 fs/ioctl.c:739
do_syscall_64+0x34/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x61/0xc6
RIP: 0033:0x7faa9b2255f9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007faa9b199168 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007faa9b345f80 RCX: 00007faa9b2255f9
RDX: 0000000000000000 RSI: 0000000000004c81 RDI: 0000000000000003
RBP: 00007faa9b2807b0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fff93ce613f R14: 00007faa9b199300 R15: 0000000000022000
Modules linked in:
---[ end trace 2940a7775d203015 ]---
RIP: 0010:strlen+0x3a/0x80 lib/string.c:568
Code: c0 ff ff ff ff 49 bf 00 00 00 00 00 fc ff df 48 89 fb 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 49 89 c4 48 89 d8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 75 12 48 ff c3 49 8d 44 24 01 43 80 7c 26 01
RSP: 0018:ffffc90000c57b68 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff8881067da780
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90000c57b88 R08: ffffffff81d1d28c R09: fffff5200018af75
R10: fffff5200018af75 R11: 1ffff9200018af74 R12: ffffffffffffffff
R13: 0000000000000000 R14: 0000000000000000 R15: dffffc0000000000
FS: 00007faa9b199700(0000) GS:ffff8881f7200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007faa9b198ff8 CR3: 000000011eb03000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess), 5 bytes skipped:
0: 49 bf 00 00 00 00 00 movabs $0xdffffc0000000000,%r15
7: fc ff df
a: 48 89 fb mov %rdi,%rbx
d: 66 66 2e 0f 1f 84 00 data16 nopw %cs:0x0(%rax,%rax,1)
14: 00 00 00 00
18: 0f 1f 00 nopl (%rax)
1b: 49 89 c4 mov %rax,%r12
1e: 48 89 d8 mov %rbx,%rax
21: 48 c1 e8 03 shr $0x3,%rax
* 25: 42 0f b6 04 38 movzbl (%rax,%r15,1),%eax <-- trapping instruction
2a: 84 c0 test %al,%al
2c: 75 12 jne 0x40
2e: 48 ff c3 inc %rbx
31: 49 8d 44 24 01 lea 0x1(%r12),%rax
36: 43 rex.XB
37: 80 .byte 0x80
38: 7c 26 jl 0x60
3a: 01 .byte 0x1
Tested on:
commit: 673a7341 Merge 5.10.153 into android12-5.10-lts
git tree: android12-5.10-lts
kernel config: https://syzkaller.appspot.com/x/.config?x=774c6a4e0e6c292c
dashboard link: https://syzkaller.appspot.com/bug?extid=e00d1302e217068ee641
Jun Nie
Dec 5, 2022, 1:59:34 AM12/5/22
to syzbot+e00d13...@syzkaller.appspotmail.com, syzkaller-a...@googlegroups.com
syzbot
Dec 6, 2022, 9:04:43 AM12/6/22
to jun...@linaro.org, syzkaller-a...@googlegroups.com
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: syzbot+e00d13...@syzkaller.appspotmail.com
Tested on:
commit: 76dcd734 Linux 6.1-rc8
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=12e8bfbd880000
kernel config: https://syzkaller.appspot.com/x/.config?x=12254142a3d66478
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: syzbot+e00d13...@syzkaller.appspotmail.com
Tested on:
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=12e8bfbd880000
kernel config: https://syzkaller.appspot.com/x/.config?x=12254142a3d66478
dashboard link: https://syzkaller.appspot.com/bug?extid=e00d1302e217068ee641
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
Note: no patches were applied.
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
Note: no patches were applied.
Reply all
Reply to author
Forward
0 new messages