[syzbot] KASAN: slab-out-of-bounds Read in riscv_intc

syzbot

unread,

Mar 14, 2021, 6:14:18 AM3/14/21

to a...@eecs.berkeley.edu, linux-...@vger.kernel.org, linux...@lists.infradead.org, m...@kernel.org, pal...@dabbelt.com, paul.w...@sifive.com, syzkall...@googlegroups.com, tg...@linutronix.de

Hello,

syzbot found the following issue on:

HEAD commit: 0d7588ab riscv: process: Fix no prototype for arch_dup_tas..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes
console output: https://syzkaller.appspot.com/x/log.txt?x=15a35756d00000
kernel config: https://syzkaller.appspot.com/x/.config?x=81c0b708b31626cc
dashboard link: https://syzkaller.appspot.com/bug?extid=005654dd9b8f26bd4c07
userspace arch: riscv64

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+005654...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: slab-out-of-bounds in riscv_intc_irq+0x24/0xcc drivers/irqchip/irq-riscv-intc.c:24
Read of size 8 at addr ffffffe00c963bd0 by task kworker/1:1/4388

CPU: 1 PID: 4388 Comm: kworker/1:1 Not tainted 5.12.0-rc2-syzkaller-00467-g0d7588ab9ef9 #0
Hardware name: riscv-virtio,qemu (DT)
Workqueue: events nsim_dev_trap_report_work
Call Trace:
[<ffffffe0000096c0>] walk_stackframe+0x0/0x23c arch/riscv/kernel/traps.c:201

Allocated by task 76347056:
(stack is not available)

Last potentially related work creation:

---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

Dmitry Vyukov

unread,

Mar 14, 2021, 6:47:57 AM3/14/21

to syzbot, Albert Ou, LKML, linux-riscv, Marc Zyngier, Palmer Dabbelt, Paul Walmsley, syzkaller-bugs, Thomas Gleixner

On Sun, Mar 14, 2021 at 11:14 AM syzbot
<syzbot+005654...@syzkaller.appspotmail.com> wrote:
>
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 0d7588ab riscv: process: Fix no prototype for arch_dup_tas..
> git tree: git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes
> console output: https://syzkaller.appspot.com/x/log.txt?x=15a35756d00000
> kernel config: https://syzkaller.appspot.com/x/.config?x=81c0b708b31626cc
> dashboard link: https://syzkaller.appspot.com/bug?extid=005654dd9b8f26bd4c07
> userspace arch: riscv64
>
> Unfortunately, I don't have any reproducer for this issue yet.
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+005654...@syzkaller.appspotmail.com
>
> ==================================================================
> BUG: KASAN: slab-out-of-bounds in riscv_intc_irq+0x24/0xcc drivers/irqchip/irq-riscv-intc.c:24
> Read of size 8 at addr ffffffe00c963bd0 by task kworker/1:1/4388
>
> CPU: 1 PID: 4388 Comm: kworker/1:1 Not tainted 5.12.0-rc2-syzkaller-00467-g0d7588ab9ef9 #0
> Hardware name: riscv-virtio,qemu (DT)
> Workqueue: events nsim_dev_trap_report_work
> Call Trace:
> [<ffffffe0000096c0>] walk_stackframe+0x0/0x23c arch/riscv/kernel/traps.c:201
>
> Allocated by task 76347056:
> (stack is not available)
>
> Last potentially related work creation:

There seems to be some issue with riscv stack unwinder.
This does not have stacks.
"BUG: unable to handle kernel access to user memory in schedule_tail"
does not have proper stacks:
https://syzkaller.appspot.com/bug?id=9de8c24d24004fd5e482555f5ad8314da2fb1cee

I also found 2 riscv reports in "KASAN: use-after-free Read in
idr_for_each (2)":
https://syzkaller.appspot.com/bug?id=7f84dfc3902878befc22e52eb5c7298d0ad70cf3

both don't have any stacks:

==================================================================
BUG: KASAN: use-after-free in radix_tree_next_slot
include/linux/radix-tree.h:422 [inline]
BUG: KASAN: use-after-free in idr_for_each+0xf4/0x160 lib/idr.c:202
Read of size 8 at addr ffffffe010c00878 by task syz-executor.1/4828

CPU: 0 PID: 4828 Comm: syz-executor.1 Not tainted

5.12.0-rc2-syzkaller-00467-g0d7588ab9ef9 #0
Hardware name: riscv-virtio,qemu (DT)

Call Trace:
[<ffffffe0000096c0>] walk_stackframe+0x0/0x23c arch/riscv/kernel/traps.c:201

Allocated by task 4828:
(stack is not available)

Freed by task 4473:
(stack is not available)

Kefeng Wang

unread,

Mar 18, 2021, 8:21:24 AM3/18/21

to Dmitry Vyukov, syzbot, Albert Ou, LKML, linux-riscv, Marc Zyngier, Palmer Dabbelt, Paul Walmsley, syzkaller-bugs, Thomas Gleixner

Hi, could you test with the following patch about the no stack
issue(from v5.11-rc4), I made a mistake when do some cleanup...

https://lore.kernel.org/linux-riscv/ce5b3533-b75d-c31c...@huawei.com/T/#t

> _______________________________________________
> linux-riscv mailing list
> linux...@lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/linux-riscv
> .
>

Kefeng Wang

unread,

Mar 18, 2021, 10:50:06 AM3/18/21

to Dmitry Vyukov, syzbot, Albert Ou, LKML, linux-riscv, Marc Zyngier, Palmer Dabbelt, Paul Walmsley, syzkaller-bugs, Thomas Gleixner

On 2021/3/18 22:11, Dmitry Vyukov wrote:

> Hi Kefeng,
>
> Please see:
> http://bit.do/syzbot#no-custom-patches
>
> Is a unit-test for this possible? Fuzzing is not a replacement for unit testing.

ok, I mean that the issue about stack unwinder which may cause by my
previous patch,

if some one want the stack back, it could try the bugfix.

> .
>

syzbot

unread,

Jul 12, 2021, 4:18:15 AM7/12/21

to syzkall...@googlegroups.com

Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.

Reply all

Reply to author

Forward

[syzbot] KASAN: slab-out-of-bounds Read in riscv_intc_irq

syzbot

Dmitry Vyukov

Kefeng Wang

Kefeng Wang

syzbot