[syzbot] [kernel?] KASAN: stack-out-of-bounds Read in __show_regs (2)


syzbot

Jun 15, 2024, 3:06:24 AM
to b...@alien8.de, dave....@linux.intel.com, h...@zytor.com, linux-...@vger.kernel.org, mi...@redhat.com, syzkall...@googlegroups.com, tg...@linutronix.de, x...@kernel.org
Hello,

syzbot found the following issue on:

HEAD commit: a957267fa7e9 Add linux-next specific files for 20240611
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=171e6e56980000
kernel config: https://syzkaller.appspot.com/x/.config?x=9a880e96898e79f8
dashboard link: https://syzkaller.appspot.com/bug?extid=e9be5674af5e3a0b9ecc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/6451759a606b/disk-a957267f.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/7f635dbe5b8a/vmlinux-a957267f.xz
kernel image: https://storage.googleapis.com/syzbot-assets/33eafd1b8aec/bzImage-a957267f.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+e9be56...@syzkaller.appspotmail.com

asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:synchronize_rcu+0x0/0x360 kernel/rcu/tree.c:4005
Code: Unable to access opcode bytes at 0x1ffff920012daeae.
RSP: 76c0:0000000000000203 EFLAGS: 1ffff920012daed4
==================================================================
BUG: KASAN: stack-out-of-bounds in __show_regs+0xa6/0x610 arch/x86/kernel/process_64.c:83
Read of size 8 at addr ffffc900096d7618 by task syz-executor.0/9934

CPU: 1 PID: 9934 Comm: syz-executor.0 Not tainted 6.10.0-rc3-next-20240611-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:91 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:117
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
__show_regs+0xa6/0x610 arch/x86/kernel/process_64.c:83
show_trace_log_lvl+0x3d4/0x520 arch/x86/kernel/dumpstack.c:301
sched_show_task+0x578/0x740 kernel/sched/core.c:7432
report_rtnl_holders+0x1ba/0x2d0 net/core/rtnetlink.c:104
call_timer_fn+0x18e/0x650 kernel/time/timer.c:1792
expire_timers kernel/time/timer.c:1843 [inline]
__run_timers kernel/time/timer.c:2417 [inline]
__run_timer_base+0x66a/0x8e0 kernel/time/timer.c:2428
run_timer_base kernel/time/timer.c:2437 [inline]
run_timer_softirq+0xb7/0x170 kernel/time/timer.c:2447
handle_softirqs+0x2c4/0x970 kernel/softirq.c:554
__do_softirq kernel/softirq.c:588 [inline]
invoke_softirq kernel/softirq.c:428 [inline]
__irq_exit_rcu+0xf4/0x1c0 kernel/softirq.c:637
irq_exit_rcu+0x9/0x30 kernel/softirq.c:649
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:152 [inline]
RIP: 0010:_raw_spin_unlock_irqrestore+0xd8/0x140 kernel/locking/spinlock.c:194
Code: 9c 8f 44 24 20 42 80 3c 23 00 74 08 4c 89 f7 e8 4e d0 63 f6 f6 44 24 21 02 75 52 41 f7 c7 00 02 00 00 74 01 fb bf 01 00 00 00 <e8> c3 eb cc f5 65 8b 05 74 4f 6e 74 85 c0 74 43 48 c7 04 24 0e 36
RSP: 0018:ffffc9000330f600 EFLAGS: 00000206
RAX: 4e6b703e49168e00 RBX: 1ffff92000661ec4 RCX: ffffffff816fafba
RDX: dffffc0000000000 RSI: ffffffff8bcac1a0 RDI: 0000000000000001
RBP: ffffc9000330f690 R08: ffffffff92fcb7ef R09: 1ffffffff25f96fd
R10: dffffc0000000000 R11: fffffbfff25f96fe R12: dffffc0000000000
R13: 1ffff92000661ec0 R14: ffffc9000330f620 R15: 0000000000000246
spin_unlock_irqrestore include/linux/spinlock.h:406 [inline]
__wake_up_common_lock+0x18c/0x1e0 kernel/sched/wait.c:108
__unix_dgram_recvmsg+0x5f4/0x12f0 net/unix/af_unix.c:2415
sock_recvmsg_nosec+0x18e/0x1d0 net/socket.c:1046
____sys_recvmsg+0x3c0/0x470 net/socket.c:2802
___sys_recvmsg net/socket.c:2846 [inline]
do_recvmmsg+0x474/0xae0 net/socket.c:2940
__sys_recvmmsg net/socket.c:3019 [inline]
__do_sys_recvmmsg net/socket.c:3042 [inline]
__se_sys_recvmmsg net/socket.c:3035 [inline]
__x64_sys_recvmmsg+0x199/0x250 net/socket.c:3035
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f53cfc7cea9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f53d0a0c0c8 EFLAGS: 00000246 ORIG_RAX: 000000000000012b
RAX: ffffffffffffffda RBX: 00007f53cfdb4050 RCX: 00007f53cfc7cea9
RDX: 0000000000010106 RSI: 00000000200000c0 RDI: 0000000000000003
RBP: 00007f53cfcebff4 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000002 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000006e R14: 00007f53cfdb4050 R15: 00007fffb8c061e8
</TASK>

The buggy address belongs to the virtual mapping at
[ffffc900096d0000, ffffc900096d9000) created by:
copy_process+0x5d1/0x3dc0 kernel/fork.c:2201

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88807c7f0000 pfn:0x7c7f0
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 0000000000000000 dead000000000122 0000000000000000
raw: ffff88807c7f0000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x102dc2(GFP_HIGHUSER|__GFP_NOWARN|__GFP_ZERO), pid 2, tgid 2 (kthreadd), ts 126928355749, free_ts 121449634751
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1470
prep_new_page mm/page_alloc.c:1478 [inline]
get_page_from_freelist+0x2cbd/0x2d70 mm/page_alloc.c:3457
__alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4715
alloc_pages_mpol_noprof+0x3e8/0x680 mm/mempolicy.c:2263
vm_area_alloc_pages mm/vmalloc.c:3567 [inline]
__vmalloc_area_node mm/vmalloc.c:3643 [inline]
__vmalloc_node_range_noprof+0x971/0x1460 mm/vmalloc.c:3824
alloc_thread_stack_node kernel/fork.c:310 [inline]
dup_task_struct+0x444/0x8c0 kernel/fork.c:1110
copy_process+0x5d1/0x3dc0 kernel/fork.c:2201
kernel_clone+0x226/0x8f0 kernel/fork.c:2778
kernel_thread+0x1bc/0x240 kernel/fork.c:2840
create_kthread kernel/kthread.c:412 [inline]
kthreadd+0x60d/0x810 kernel/kthread.c:765
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:144
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
page last free pid 5674 tgid 5674 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1089 [inline]
free_unref_folios+0x103a/0x1b00 mm/page_alloc.c:2669
folios_put_refs+0x76e/0x860 mm/swap.c:1020
free_pages_and_swap_cache+0x2ea/0x690 mm/swap_state.c:332
__tlb_batch_free_encoded_pages mm/mmu_gather.c:136 [inline]
tlb_batch_pages_flush mm/mmu_gather.c:149 [inline]
tlb_flush_mmu_free mm/mmu_gather.c:366 [inline]
tlb_flush_mmu+0x3a3/0x680 mm/mmu_gather.c:373
tlb_finish_mmu+0xd4/0x200 mm/mmu_gather.c:465
exit_mmap+0x44f/0xc80 mm/mmap.c:3395
__mmput+0x115/0x390 kernel/fork.c:1341
exit_mm+0x220/0x310 kernel/exit.c:565
do_exit+0x9aa/0x28e0 kernel/exit.c:861
do_group_exit+0x207/0x2c0 kernel/exit.c:1023
__do_sys_exit_group kernel/exit.c:1034 [inline]
__se_sys_exit_group kernel/exit.c:1032 [inline]
__x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1032
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
ffffc900096d7500: 00 00 00 00 00 f3 f3 f3 f3 f3 f3 f3 00 00 00 00
ffffc900096d7580: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2
>ffffc900096d7600: 00 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
^
ffffc900096d7680: 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2 00 f3 f3 f3
ffffc900096d7700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
----------------
Code disassembly (best guess):
0: 9c pushf
1: 8f 44 24 20 pop 0x20(%rsp)
5: 42 80 3c 23 00 cmpb $0x0,(%rbx,%r12,1)
a: 74 08 je 0x14
c: 4c 89 f7 mov %r14,%rdi
f: e8 4e d0 63 f6 call 0xf663d062
14: f6 44 24 21 02 testb $0x2,0x21(%rsp)
19: 75 52 jne 0x6d
1b: 41 f7 c7 00 02 00 00 test $0x200,%r15d
22: 74 01 je 0x25
24: fb sti
25: bf 01 00 00 00 mov $0x1,%edi
* 2a: e8 c3 eb cc f5 call 0xf5ccebf2 <-- trapping instruction
2f: 65 8b 05 74 4f 6e 74 mov %gs:0x746e4f74(%rip),%eax # 0x746e4faa
36: 85 c0 test %eax,%eax
38: 74 43 je 0x7d
3a: 48 rex.W
3b: c7 .byte 0xc7
3c: 04 24 add $0x24,%al
3e: 0e (bad)
3f: 36 ss


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

syzbot

Jun 23, 2024, 7:38:22 AM
to b...@alien8.de, dave....@linux.intel.com, h...@zytor.com, linux-...@vger.kernel.org, mi...@redhat.com, syzkall...@googlegroups.com, tg...@linutronix.de, x...@kernel.org
syzbot has found a reproducer for the following issue on:

HEAD commit: f76698bd9a8c Add linux-next specific files for 20240621
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=14293f0e980000
kernel config: https://syzkaller.appspot.com/x/.config?x=ca79e3c3b9118bd0
dashboard link: https://syzkaller.appspot.com/bug?extid=e9be5674af5e3a0b9ecc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=118dd151980000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/f204c5d02251/disk-f76698bd.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/50289c7e8999/vmlinux-f76698bd.xz
kernel image: https://storage.googleapis.com/syzbot-assets/c360e133a94f/bzImage-f76698bd.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+e9be56...@syzkaller.appspotmail.com

Code: 8b 3d 3c 28 4a 0c 48 89 de 5b e9 d3 de 5a 00 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 48 8b 04 24 <65> 48 8b 0c 25 00 d6 03 00 65 8b 15 20 5b 70 7e f7 c2 00 01 ff 00
RSP: 0018:ffffc9000b8bf5b8 EFLAGS: 00000202
RAX: ffffffff81375c3f RBX: ffffffff81f9a77f RCX: ffff888025659e00
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
==================================================================
BUG: KASAN: out-of-bounds in __show_regs+0x172/0x610 arch/x86/kernel/process_64.c:87
Read of size 8 at addr ffffc9000b8bf528 by task swapper/1/0

CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Not tainted 6.10.0-rc4-next-20240621-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
__show_regs+0x172/0x610 arch/x86/kernel/process_64.c:87
show_trace_log_lvl+0x3d4/0x520 arch/x86/kernel/dumpstack.c:301
sched_show_task+0x578/0x740 kernel/sched/core.c:7503
report_rtnl_holders+0x1ba/0x2d0 net/core/rtnetlink.c:104
call_timer_fn+0x18e/0x650 kernel/time/timer.c:1792
expire_timers kernel/time/timer.c:1843 [inline]
__run_timers kernel/time/timer.c:2417 [inline]
__run_timer_base+0x66a/0x8e0 kernel/time/timer.c:2428
run_timer_base kernel/time/timer.c:2437 [inline]
run_timer_softirq+0xb7/0x170 kernel/time/timer.c:2447
handle_softirqs+0x2c4/0x970 kernel/softirq.c:554
__do_softirq kernel/softirq.c:588 [inline]
invoke_softirq kernel/softirq.c:428 [inline]
__irq_exit_rcu+0xf4/0x1c0 kernel/softirq.c:637
irq_exit_rcu+0x9/0x30 kernel/softirq.c:649
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:native_irq_disable arch/x86/include/asm/irqflags.h:37 [inline]
RIP: 0010:arch_local_irq_disable arch/x86/include/asm/irqflags.h:92 [inline]
RIP: 0010:acpi_safe_halt+0x21/0x30 drivers/acpi/processor_idle.c:113
Code: 90 90 90 90 90 90 90 90 90 65 48 8b 04 25 00 d6 03 00 48 f7 00 08 00 00 00 75 10 66 90 0f 00 2d d5 66 9c 00 f3 0f 1e fa fb f4 <fa> c3 cc cc cc cc 66 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90
RSP: 0018:ffffc900001a7d08 EFLAGS: 00000246
RAX: ffff8880176b0000 RBX: ffff88801b2db864 RCX: 00000000123988e9
RDX: 0000000000000001 RSI: ffff88801b2db800 RDI: ffff88801b2db864
RBP: 000000000003a6b8 R08: ffff8880b9537ccb R09: 1ffff110172a6f99
R10: dffffc0000000000 R11: ffffffff8b8d9ba0 R12: ffff88801a71e000
R13: 0000000000000000 R14: 0000000000000001 R15: ffffffff8ead7e20
acpi_idle_enter+0xe4/0x140 drivers/acpi/processor_idle.c:707
cpuidle_enter_state+0x112/0x480 drivers/cpuidle/cpuidle.c:267
cpuidle_enter+0x5d/0xa0 drivers/cpuidle/cpuidle.c:388
call_cpuidle kernel/sched/idle.c:155 [inline]
cpuidle_idle_call kernel/sched/idle.c:230 [inline]
do_idle+0x375/0x5d0 kernel/sched/idle.c:326
cpu_startup_entry+0x42/0x60 kernel/sched/idle.c:424
start_secondary+0x100/0x100 arch/x86/kernel/smpboot.c:313
common_startup_64+0x13e/0x147
</TASK>

The buggy address belongs to the virtual mapping at
[ffffc9000b8b8000, ffffc9000b8c1000) created by:
copy_process+0x5d1/0x3d90 kernel/fork.c:2206

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880678c2140 pfn:0x678c2
memcg:ffff88801a6b4002
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 0000000000000000 dead000000000122 0000000000000000
raw: ffff8880678c2140 0000000000000000 00000001ffffffff ffff88801a6b4002
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x102dc2(GFP_HIGHUSER|__GFP_NOWARN|__GFP_ZERO), pid 6303, tgid 6303 (syz-executor.4), ts 1539185935031, free_ts 1529629150697
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1500
prep_new_page mm/page_alloc.c:1508 [inline]
get_page_from_freelist+0x2ccb/0x2d80 mm/page_alloc.c:3487
__alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4745
alloc_pages_mpol_noprof+0x3e8/0x680 mm/mempolicy.c:2263
vm_area_alloc_pages mm/vmalloc.c:3576 [inline]
__vmalloc_area_node mm/vmalloc.c:3652 [inline]
__vmalloc_node_range_noprof+0x971/0x1460 mm/vmalloc.c:3833
alloc_thread_stack_node kernel/fork.c:313 [inline]
dup_task_struct+0x444/0x8c0 kernel/fork.c:1114
copy_process+0x5d1/0x3d90 kernel/fork.c:2206
kernel_clone+0x226/0x8f0 kernel/fork.c:2788
__do_sys_clone3 kernel/fork.c:3089 [inline]
__se_sys_clone3+0x2cb/0x350 kernel/fork.c:3073
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 6242 tgid 6242 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1093 [inline]
free_unref_page+0xd22/0xea0 mm/page_alloc.c:2651
__slab_free+0x31b/0x3d0 mm/slub.c:4384
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x9e/0x140 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x14f/0x170 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x23/0x80 mm/kasan/common.c:322
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook mm/slub.c:3975 [inline]
slab_alloc_node mm/slub.c:4037 [inline]
__do_kmalloc_node mm/slub.c:4157 [inline]
__kmalloc_noprof+0x1a3/0x400 mm/slub.c:4171
kmalloc_noprof include/linux/slab.h:664 [inline]
kzalloc_noprof include/linux/slab.h:778 [inline]
tomoyo_encode2 security/tomoyo/realpath.c:45 [inline]
tomoyo_encode+0x26f/0x540 security/tomoyo/realpath.c:80
tomoyo_path_perm+0x3ca/0x740 security/tomoyo/file.c:831
tomoyo_path_symlink+0xde/0x120 security/tomoyo/tomoyo.c:212
security_path_symlink+0xe3/0x140 security/security.c:1876
do_symlinkat+0x136/0x3a0 fs/namei.c:4530
__do_sys_symlink fs/namei.c:4553 [inline]
__se_sys_symlink fs/namei.c:4551 [inline]
__x64_sys_symlink+0x7a/0x90 fs/namei.c:4551
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
ffffc9000b8bf400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffffc9000b8bf480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffc9000b8bf500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
^
ffffc9000b8bf580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffffc9000b8bf600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
----------------
Code disassembly (best guess):
0: 8b 3d 3c 28 4a 0c mov 0xc4a283c(%rip),%edi # 0xc4a2842
6: 48 89 de mov %rbx,%rsi
9: 5b pop %rbx
a: e9 d3 de 5a 00 jmp 0x5adee2
f: 0f 1f 00 nopl (%rax)
12: 90 nop
13: 90 nop
14: 90 nop
15: 90 nop
16: 90 nop
17: 90 nop
18: 90 nop
19: 90 nop
1a: 90 nop
1b: 90 nop
1c: 90 nop
1d: 90 nop
1e: 90 nop
1f: 90 nop
20: 90 nop
21: 90 nop
22: f3 0f 1e fa endbr64
26: 48 8b 04 24 mov (%rsp),%rax
* 2a: 65 48 8b 0c 25 00 d6 mov %gs:0x3d600,%rcx <-- trapping instruction
31: 03 00
33: 65 8b 15 20 5b 70 7e mov %gs:0x7e705b20(%rip),%edx # 0x7e705b5a
3a: f7 c2 00 01 ff 00 test $0xff0100,%edx


---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
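Editor's note, not part of the thread: the "Memory state around the buggy address" block in each report above is the generic-KASAN shadow map (one shadow byte per 8-byte granule, 16 granules per row), and the fastest check on a report like this is to decode the shadow byte that the faulting address maps to, the way the kernel itself does when it picks the bug string. The script below is an added example written for this page; it is not syzbot or kernel code. The shadow encodings are the ones in mm/kasan/kasan.h, the classification reproduces the decision procedure of get_shadow_bug_type() in mm/kasan/report_generic.c, the function names are my own, and the two memory-state blocks and faulting addresses are copied from the two reports above.

```python
import re

GRANULE = 8                  # generic KASAN: one shadow byte covers 8 bytes of memory
LINE_BYTES = 16 * GRANULE    # one "Memory state" row lists 16 shadow bytes = 128 bytes

# Shadow encodings from mm/kasan/kasan.h (generic mode).
STACK_REDZONE = {0xF1: "stack-left", 0xF2: "stack-mid", 0xF3: "stack-right", 0xF4: "stack-partial"}
SLAB_REDZONE = {0xFC: "slab-redzone", 0xFE: "page-redzone"}
FREED = {0xFB: "slab-free", 0xFA: "slab-freetrack", 0xFF: "page-free"}
ALLOCA = {0xCA: "alloca-left", 0xCB: "alloca-right"}
GLOBAL_REDZONE, VMALLOC_INVALID = 0xF9, 0xF8

# Memory-state blocks copied verbatim from the two syzbot reports in this thread.
REPORT1_STATE = """
ffffc900096d7500: 00 00 00 00 00 f3 f3 f3 f3 f3 f3 f3 00 00 00 00
ffffc900096d7580: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2
>ffffc900096d7600: 00 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
                      ^
ffffc900096d7680: 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2 00 f3 f3 f3
ffffc900096d7700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
"""
REPORT1_ADDR = 0xffffc900096d7618   # "Read of size 8 at addr ..." in the first report

REPORT2_STATE = """
ffffc9000b8bf400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffffc9000b8bf480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffc9000b8bf500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                            ^
ffffc9000b8bf580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffffc9000b8bf600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
"""
REPORT2_ADDR = 0xffffc9000b8bf528   # "Read of size 8 at addr ..." in the second report

_ROW = re.compile(r"^>?\s*([0-9a-f]{16}):((?:\s+[0-9a-f]{2}){16})$")

def parse_memory_state(text):
    """Return {row base address: [16 shadow bytes]}; the '>' and '^' markers are ignored."""
    rows = {}
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            rows[int(m.group(1), 16)] = [int(b, 16) for b in m.group(2).split()]
    return rows

def shadow_byte(rows, addr):
    """Shadow value of the granule containing addr, or None if that row is not in the dump."""
    base = addr & ~(LINE_BYTES - 1)
    row = rows.get(base)
    return None if row is None else row[(addr - base) // GRANULE]

def bug_type(rows, addr):
    """Same decision procedure as get_shadow_bug_type() in mm/kasan/report_generic.c."""
    b = shadow_byte(rows, addr)
    if b is not None and 0 < b < GRANULE:
        # Partially addressable granule: the verdict comes from the next shadow byte.
        b = shadow_byte(rows, addr + GRANULE)
    if b is None:
        return "unknown-crash"
    if 0 <= b < GRANULE:
        # The shadow now says the bytes are addressable. KASAN still prints plain
        # "out-of-bounds" here; its comment on this case attributes it to a data race.
        return "out-of-bounds"
    if b in SLAB_REDZONE:
        return "slab-out-of-bounds"
    if b == GLOBAL_REDZONE:
        return "global-out-of-bounds"
    if b in STACK_REDZONE:
        return "stack-out-of-bounds"
    if b in FREED:
        return "use-after-free"
    if b in ALLOCA:
        return "alloca-out-of-bounds"
    if b == VMALLOC_INVALID:
        return "vmalloc-out-of-bounds"
    return "unknown-crash"

def offset_from_addressable_end(rows, addr):
    """addr minus the end of the nearest addressable byte range at or below addr.
    0 means addr is the first byte past that range; negative means addr is inside it."""
    a = addr & ~(GRANULE - 1)
    while True:
        b = shadow_byte(rows, a)
        if b is None:
            return None
        if 0 <= b < GRANULE:
            return addr - (a + (GRANULE if b == 0 else b))
        a -= GRANULE

def describe(text, addr):
    rows = parse_memory_state(text)
    b = shadow_byte(rows, addr)
    region = (STACK_REDZONE.get(b) or SLAB_REDZONE.get(b) or FREED.get(b) or ALLOCA.get(b)
              or ("addressable" if b is not None and 0 <= b < GRANULE else "other"))
    return {"shadow": b, "region": region, "bug_type": bug_type(rows, addr),
            "offset_from_end": offset_from_addressable_end(rows, addr)}

if __name__ == "__main__":
    for name, text, addr in (("report 1", REPORT1_STATE, REPORT1_ADDR),
                             ("report 2", REPORT2_STATE, REPORT2_ADDR)):
        print(name, hex(addr), describe(text, addr))
```

Run against the first report, the faulting address lands on shadow 0xf3 (stack right redzone), 16 bytes past the end of the last addressable 8-byte granule of that frame (the "00" at ffffc900096d7600), which is why the splat says stack-out-of-bounds. Run against the second report, the faulting address maps to shadow 0x00, i.e. the shadow at report time says the granule is addressable, and the kernel accordingly prints the bare "out-of-bounds" string it reserves for that situation. Seeing the two labels side by side is the quickest way to tell that the two splats are not reporting the same shadow state, even though both come from __show_regs walking another task's stack from the report_rtnl_holders timer.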

Tetsuo Handa

Jun 24, 2024, 9:23:02 PM
to syzbot, b...@alien8.de, dave....@linux.intel.com, h...@zytor.com, linux-...@vger.kernel.org, mi...@redhat.com, syzkall...@googlegroups.com, tg...@linutronix.de, x...@kernel.org, kasan-dev, linux-mm
Hello.

This report is triggered by my debug printk() patch at
https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/net/core/rtnetlink.c?id=5210cbe9a47fc5c1f43ba16d481e6335f3e2f345
but I can't find where the bug is (x86 bug or mm bug or kasan bug or my bug).

On 2024/06/15 16:06, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: a957267fa7e9 Add linux-next specific files for 20240611
> git tree: linux-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=171e6e56980000
> kernel config: https://syzkaller.appspot.com/x/.config?x=9a880e96898e79f8
> dashboard link: https://syzkaller.appspot.com/bug?extid=e9be5674af5e3a0b9ecc
> compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40

Quoting from https://syzkaller.appspot.com/text?tag=CrashReport&x=17786fb1980000
and https://syzkaller.appspot.com/text?tag=CrashLog&x=15e0202a980000 :

----------------------------------------
BUG: KASAN: stack-out-of-bounds in __show_regs+0xa6/0x610 arch/x86/kernel/process_64.c:83
Read of size 8 at addr ffffc90008807618 by task syz.0.1430/9588

CPU: 0 UID: 0 PID: 9588 Comm: syz.0.1430 Not tainted 6.10.0-rc5-next-20240624-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
__show_regs+0xa6/0x610 arch/x86/kernel/process_64.c:83
show_trace_log_lvl+0x3d4/0x520 arch/x86/kernel/dumpstack.c:301
sched_show_task+0x578/0x740 kernel/sched/core.c:7506
report_rtnl_holders+0x1ba/0x2d0 net/core/rtnetlink.c:104
call_timer_fn+0x18e/0x650 kernel/time/timer.c:1792
expire_timers kernel/time/timer.c:1843 [inline]
__run_timers kernel/time/timer.c:2417 [inline]
__run_timer_base+0x66a/0x8e0 kernel/time/timer.c:2428
run_timer_base kernel/time/timer.c:2437 [inline]
run_timer_softirq+0xb7/0x170 kernel/time/timer.c:2447
handle_softirqs+0x2c4/0x970 kernel/softirq.c:554
__do_softirq kernel/softirq.c:588 [inline]
invoke_softirq kernel/softirq.c:428 [inline]
__irq_exit_rcu+0xf4/0x1c0 kernel/softirq.c:637
irq_exit_rcu+0x9/0x30 kernel/softirq.c:649
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:152 [inline]
RIP: 0010:_raw_spin_unlock_irqrestore+0xd8/0x140 kernel/locking/spinlock.c:194
Code: 9c 8f 44 24 20 42 80 3c 23 00 74 08 4c 89 f7 e8 0e 94 61 f6 f6 44 24 21 02 75 52 41 f7 c7 00 02 00 00 74 01 fb bf 01 00 00 00 <e8> c3 10 ca f5 65 8b 05 b4 54 6b 74 85 c0 74 43 48 c7 04 24 0e 36
RSP: 0018:ffffc9000407f600 EFLAGS: 00000206
RAX: 13958dc9d919f000 RBX: 1ffff9200080fec4 RCX: ffffffff816fd2da
RDX: dffffc0000000000 RSI: ffffffff8bcac820 RDI: 0000000000000001
RBP: ffffc9000407f690 R08: ffffffff92fe47ef R09: 1ffffffff25fc8fd
R10: dffffc0000000000 R11: fffffbfff25fc8fe R12: dffffc0000000000
R13: 1ffff9200080fec0 R14: ffffc9000407f620 R15: 0000000000000246
spin_unlock_irqrestore include/linux/spinlock.h:406 [inline]
__wake_up_common_lock+0x18c/0x1e0 kernel/sched/wait.c:108
__unix_dgram_recvmsg+0x5f4/0x12f0 net/unix/af_unix.c:2415
sock_recvmsg_nosec+0x18e/0x1d0 net/socket.c:1046
____sys_recvmsg+0x3c0/0x470 net/socket.c:2814
___sys_recvmsg net/socket.c:2858 [inline]
do_recvmmsg+0x474/0xae0 net/socket.c:2952
__sys_recvmmsg net/socket.c:3031 [inline]
__do_sys_recvmmsg net/socket.c:3054 [inline]
__se_sys_recvmmsg net/socket.c:3047 [inline]
__x64_sys_recvmmsg+0x199/0x250 net/socket.c:3047
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fdfbaf75d39
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fdfbbc7e048 EFLAGS: 00000246 ORIG_RAX: 000000000000012b
RAX: ffffffffffffffda RBX: 00007fdfbb104070 RCX: 00007fdfbaf75d39
RDX: 0000000000010106 RSI: 00000000200000c0 RDI: 0000000000000003
RBP: 00007fdfbaff6766 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000002 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000006e R14: 00007fdfbb104070 R15: 00007ffeafeb36a8
</TASK>

The buggy address belongs to the virtual mapping at
[ffffc90008800000, ffffc90008809000) created by:
copy_process+0x5d1/0x3d90 kernel/fork.c:2206

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x295f2
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 0000000000000000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2dc2(GFP_KERNEL|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_ZERO), pid 1052, tgid 1052 (kworker/u8:5), ts 20453244600, free_ts 0
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1500
prep_new_page mm/page_alloc.c:1508 [inline]
get_page_from_freelist+0x2ccb/0x2d80 mm/page_alloc.c:3487
__alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4745
alloc_pages_mpol_noprof+0x3e8/0x680 mm/mempolicy.c:2263
vm_area_alloc_pages mm/vmalloc.c:3576 [inline]
__vmalloc_area_node mm/vmalloc.c:3652 [inline]
__vmalloc_node_range_noprof+0x971/0x1460 mm/vmalloc.c:3833
alloc_thread_stack_node kernel/fork.c:313 [inline]
dup_task_struct+0x444/0x8c0 kernel/fork.c:1114
copy_process+0x5d1/0x3d90 kernel/fork.c:2206
kernel_clone+0x226/0x8f0 kernel/fork.c:2788
user_mode_thread+0x132/0x1a0 kernel/fork.c:2866
call_usermodehelper_exec_work+0x5c/0x230 kernel/umh.c:172
process_one_work kernel/workqueue.c:3224 [inline]
process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3305
worker_thread+0x86d/0xd40 kernel/workqueue.c:3383
kthread+0x2f0/0x390 kernel/kthread.c:389
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:144
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
page_owner free stack trace missing

Memory state around the buggy address:
ffffc90008807500: 00 00 00 00 00 f3 f3 f3 f3 f3 f3 f3 00 00 00 00
ffffc90008807580: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2
>ffffc90008807600: 00 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
^
ffffc90008807680: 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2 00 f3 f3 f3
ffffc90008807700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
----------------------------------------

----------------------------------------
[ 560.831831][ C0] DEBUG: holding rtnl_mutex for 937 jiffies.
[ 560.838015][ C0] task:kworker/u8:9 state:R running task stack:20216 pid:2460 tgid:2460 ppid:2 flags:0x00004000
[ 560.849882][ C0] Workqueue: netns cleanup_net
[ 560.854770][ C0] Call Trace:
[ 560.854789][ C0] <TASK>
[ 560.872376][ C0] __schedule+0x17e8/0x4a20
[ 560.877336][ C0] ? mark_lock+0x9a/0x360
[ 560.881823][ C0] ? lockdep_hardirqs_on_prepare+0x43d/0x780
[ 560.887887][ C0] ? __virt_addr_valid+0x183/0x520
[ 560.893171][ C0] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[ 560.899593][ C0] ? lock_release+0xbf/0x9f0
[ 560.904330][ C0] ? __pfx___schedule+0x10/0x10
[ 560.909271][ C0] ? lockdep_hardirqs_on+0x99/0x150
[ 560.914617][ C0] ? mark_lock+0x9a/0x360
[ 560.919119][ C0] preempt_schedule_irq+0xfb/0x1c0
[ 560.924392][ C0] ? __pfx_preempt_schedule_irq+0x10/0x10
[ 560.931783][ C0] irqentry_exit+0x5e/0x90
[ 560.936590][ C0] asm_sysvec_reschedule_ipi+0x1a/0x20
[ 560.942783][ C0] RIP: 0010:synchronize_rcu+0x0/0x360
[ 560.948403][ C0] Code: e1 07 80 c1 03 38 c1 0f 8c 97 fe ff ff 4c 89 f7 e8 15 50 80 00 e9 8a fe ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 <f3> 0f 1e fa 55 48 89 e5 41 57 41 56 41 55 41 54 53 48 83 e4 e0 48
[ 560.968242][ C0] RSP: 76c0:0000000000000a06 EFLAGS: 1ffff92001100ed4
[ 560.975129][ C0] ==================================================================
[ 560.994479][ C0] BUG: KASAN: stack-out-of-bounds in __show_regs+0xa6/0x610
[ 561.002642][ C0] Read of size 8 at addr ffffc90008807618 by task syz.0.1430/9588
[ 561.014598][ C0]
[ 561.017321][ C0] CPU: 0 UID: 0 PID: 9588 Comm: syz.0.1430 Not tainted 6.10.0-rc5-next-20240624-syzkaller #0
[ 561.028952][ C0] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[ 561.043847][ C0] Call Trace:
[ 561.047213][ C0] <IRQ>
[ 561.050101][ C0] dump_stack_lvl+0x241/0x360
[ 561.054963][ C0] ? __pfx_dump_stack_lvl+0x10/0x10
[ 561.073046][ C0] ? __pfx__printk+0x10/0x10
[ 561.077786][ C0] ? _printk+0xd5/0x120
[ 561.082123][ C0] print_report+0x169/0x550
[ 561.086775][ C0] ? __virt_addr_valid+0xbd/0x520
[ 561.091947][ C0] ? __show_regs+0xa6/0x610
[ 561.096544][ C0] kasan_report+0x143/0x180
[ 561.101170][ C0] ? show_opcodes+0x148/0x170
[ 561.105909][ C0] ? __show_regs+0xa6/0x610
[ 561.110457][ C0] __show_regs+0xa6/0x610
[ 561.114858][ C0] ? asm_sysvec_reschedule_ipi+0x1a/0x20
[ 561.120539][ C0] ? asm_sysvec_reschedule_ipi+0x1a/0x20
[ 561.126227][ C0] show_trace_log_lvl+0x3d4/0x520
[ 561.131292][ C0] ? __pfx_synchronize_rcu+0x10/0x10
[ 561.136630][ C0] sched_show_task+0x578/0x740
[ 561.141466][ C0] ? report_rtnl_holders+0x183/0x2d0
[ 561.147055][ C0] ? __pfx__printk+0x10/0x10
[ 561.151699][ C0] ? __pfx_sched_show_task+0x10/0x10
[ 561.157153][ C0] report_rtnl_holders+0x1ba/0x2d0
[ 561.162519][ C0] ? report_rtnl_holders+0x20/0x2d0
[ 561.167755][ C0] call_timer_fn+0x18e/0x650
[ 561.172361][ C0] ? call_timer_fn+0xc0/0x650
[ 561.177086][ C0] ? __pfx_report_rtnl_holders+0x10/0x10
[ 561.182785][ C0] ? __pfx_call_timer_fn+0x10/0x10
[ 561.187939][ C0] ? __pfx_report_rtnl_holders+0x10/0x10
[ 561.193631][ C0] ? __pfx_report_rtnl_holders+0x10/0x10
[ 561.199303][ C0] ? __pfx_report_rtnl_holders+0x10/0x10
[ 561.204994][ C0] ? _raw_spin_unlock_irq+0x23/0x50
[ 561.210231][ C0] ? lockdep_hardirqs_on+0x99/0x150
[ 561.215469][ C0] ? __pfx_report_rtnl_holders+0x10/0x10
[ 561.221120][ C0] __run_timer_base+0x66a/0x8e0
[ 561.226093][ C0] ? __pfx___run_timer_base+0x10/0x10
[ 561.231493][ C0] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[ 561.237874][ C0] run_timer_softirq+0xb7/0x170
[ 561.242832][ C0] handle_softirqs+0x2c4/0x970
[ 561.247626][ C0] ? __irq_exit_rcu+0xf4/0x1c0
[ 561.252429][ C0] ? __pfx_handle_softirqs+0x10/0x10
[ 561.257856][ C0] ? irqtime_account_irq+0xd4/0x1e0
[ 561.263090][ C0] __irq_exit_rcu+0xf4/0x1c0
[ 561.267711][ C0] ? __pfx___irq_exit_rcu+0x10/0x10
[ 561.272931][ C0] irq_exit_rcu+0x9/0x30
[ 561.277231][ C0] sysvec_apic_timer_interrupt+0xa6/0xc0
[ 561.283185][ C0] </IRQ>
[ 561.286769][ C0] <TASK>
[ 561.289972][ C0] asm_sysvec_apic_timer_interrupt+0x1a/0x20
[ 561.297172][ C0] RIP: 0010:_raw_spin_unlock_irqrestore+0xd8/0x140
[ 561.307112][ C0] Code: 9c 8f 44 24 20 42 80 3c 23 00 74 08 4c 89 f7 e8 0e 94 61 f6 f6 44 24 21 02 75 52 41 f7 c7 00 02 00 00 74 01 fb bf 01 00 00 00 <e8> c3 10 ca f5 65 8b 05 b4 54 6b 74 85 c0 74 43 48 c7 04 24 0e 36
[ 561.327228][ C0] RSP: 0018:ffffc9000407f600 EFLAGS: 00000206
[ 561.333355][ C0] RAX: 13958dc9d919f000 RBX: 1ffff9200080fec4 RCX: ffffffff816fd2da
[ 561.341352][ C0] RDX: dffffc0000000000 RSI: ffffffff8bcac820 RDI: 0000000000000001
[ 561.349458][ C0] RBP: ffffc9000407f690 R08: ffffffff92fe47ef R09: 1ffffffff25fc8fd
[ 561.357460][ C0] R10: dffffc0000000000 R11: fffffbfff25fc8fe R12: dffffc0000000000
[ 561.365478][ C0] R13: 1ffff9200080fec0 R14: ffffc9000407f620 R15: 0000000000000246
[ 561.373533][ C0] ? mark_lock+0x9a/0x360
[ 561.378221][ C0] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 561.385142][ C0] ? autoremove_wake_function+0x37/0x110
[ 561.391145][ C0] __wake_up_common_lock+0x18c/0x1e0
[ 561.396936][ C0] __unix_dgram_recvmsg+0x5f4/0x12f0
[ 561.403018][ C0] ? __pfx___unix_dgram_recvmsg+0x10/0x10
[ 561.409788][ C0] ? __pfx___might_resched+0x10/0x10
[ 561.415745][ C0] ? iovec_from_user+0x61/0x240
[ 561.421927][ C0] ? unix_dgram_recvmsg+0xb6/0xe0
[ 561.427965][ C0] ? __pfx_unix_dgram_recvmsg+0x10/0x10
[ 561.435584][ C0] sock_recvmsg_nosec+0x18e/0x1d0
[ 561.441322][ C0] ____sys_recvmsg+0x3c0/0x470
[ 561.446583][ C0] ? __pfx_____sys_recvmsg+0x10/0x10
[ 561.455788][ C0] ? __might_fault+0xaa/0x120
[ 561.460634][ C0] do_recvmmsg+0x474/0xae0
[ 561.465088][ C0] ? __pfx___futex_wait+0x10/0x10
[ 561.470148][ C0] ? __pfx_do_recvmmsg+0x10/0x10
[ 561.475130][ C0] ? __pfx_futex_wake_mark+0x10/0x10
[ 561.480509][ C0] ? futex_wait+0x285/0x360
[ 561.485124][ C0] ? __pfx_futex_wait+0x10/0x10
[ 561.490014][ C0] ? fd_install+0x9c/0x5d0
[ 561.494459][ C0] ? __pfx_lock_release+0x10/0x10
[ 561.499504][ C0] ? __pfx_do_futex+0x10/0x10
[ 561.504229][ C0] __x64_sys_recvmmsg+0x199/0x250
[ 561.510481][ C0] ? __pfx___x64_sys_recvmmsg+0x10/0x10
[ 561.517399][ C0] ? do_syscall_64+0x100/0x230
[ 561.522660][ C0] ? do_syscall_64+0xb6/0x230
[ 561.529823][ C0] do_syscall_64+0xf3/0x230
[ 561.534742][ C0] ? clear_bhb_loop+0x35/0x90
[ 561.540096][ C0] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 561.546133][ C0] RIP: 0033:0x7fdfbaf75d39
[ 561.550744][ C0] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 561.571064][ C0] RSP: 002b:00007fdfbbc7e048 EFLAGS: 00000246 ORIG_RAX: 000000000000012b
[ 561.580376][ C0] RAX: ffffffffffffffda RBX: 00007fdfbb104070 RCX: 00007fdfbaf75d39
[ 561.588397][ C0] RDX: 0000000000010106 RSI: 00000000200000c0 RDI: 0000000000000003
[ 561.596400][ C0] RBP: 00007fdfbaff6766 R08: 0000000000000000 R09: 0000000000000000
[ 561.604404][ C0] R10: 0000000000000002 R11: 0000000000000246 R12: 0000000000000000
[ 561.612415][ C0] R13: 000000000000006e R14: 00007fdfbb104070 R15: 00007ffeafeb36a8
[ 561.620458][ C0] </TASK>
[ 561.623517][ C0]
[ 561.625876][ C0] The buggy address belongs to the virtual mapping at
[ 561.625876][ C0] [ffffc90008800000, ffffc90008809000) created by:
[ 561.625876][ C0] copy_process+0x5d1/0x3d90
[ 561.643549][ C0]
[ 561.645879][ C0] The buggy address belongs to the physical page:
[ 561.652306][ C0] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x295f2
[ 561.661135][ C0] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 561.668346][ C0] raw: 00fff00000000000 0000000000000000 dead000000000122 0000000000000000
[ 561.677050][ C0] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 561.685659][ C0] page dumped because: kasan: bad access detected
[ 561.692219][ C0] page_owner tracks the page as allocated
[ 561.697979][ C0] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2dc2(GFP_KERNEL|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_ZERO), pid 1052, tgid 1052 (kworker/u8:5), ts 20453244600, free_ts 0
[ 561.716523][ C0] post_alloc_hook+0x1f3/0x230
[ 561.721344][ C0] get_page_from_freelist+0x2ccb/0x2d80
[ 561.727009][ C0] __alloc_pages_noprof+0x256/0x6c0
[ 561.732233][ C0] alloc_pages_mpol_noprof+0x3e8/0x680
[ 561.737727][ C0] __vmalloc_node_range_noprof+0x971/0x1460
[ 561.743664][ C0] dup_task_struct+0x444/0x8c0
[ 561.748479][ C0] copy_process+0x5d1/0x3d90
[ 561.753128][ C0] kernel_clone+0x226/0x8f0
[ 561.757766][ C0] user_mode_thread+0x132/0x1a0
[ 561.762660][ C0] call_usermodehelper_exec_work+0x5c/0x230
[ 561.768674][ C0] process_scheduled_works+0xa2c/0x1830
[ 561.774240][ C0] worker_thread+0x86d/0xd40
[ 561.778849][ C0] kthread+0x2f0/0x390
[ 561.782979][ C0] ret_from_fork+0x4b/0x80
[ 561.787453][ C0] ret_from_fork_asm+0x1a/0x30
[ 561.792332][ C0] page_owner free stack trace missing
[ 561.797698][ C0]
[ 561.800029][ C0] Memory state around the buggy address:
[ 561.805664][ C0] ffffc90008807500: 00 00 00 00 00 f3 f3 f3 f3 f3 f3 f3 00 00 00 00
[ 561.813728][ C0] ffffc90008807580: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2
[ 561.821814][ C0] >ffffc90008807600: 00 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
[ 561.829912][ C0] ^
[ 561.834781][ C0] ffffc90008807680: 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2 00 f3 f3 f3
[ 561.842858][ C0] ffffc90008807700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 561.851024][ C0] ==================================================================
[ 561.859206][ C0] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 561.866452][ C0] CPU: 0 UID: 0 PID: 9588 Comm: syz.0.1430 Not tainted 6.10.0-rc5-next-20240624-syzkaller #0
----------------------------------------

arch/x86/kernel/process_64.c:83 is

	printk("%sRAX: %016lx RBX: %016lx RCX: %016lx\n",
	       log_lvl, regs->ax, regs->bx, regs->cx);

(which looks nothing special), and kernel stack area [ffffc90008800000, ffffc90008809000) is
32768 bytes + 4096 bytes (which looks sane to me), and ffffc90008807618 is within the 32768
bytes (which looks sane to me).

Kernel config is https://syzkaller.appspot.com/text?tag=KernelConfig&x=6221d1071c39b052 .
Can somebody find what is wrong?
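To check the reading above against the KASAN shadow dump itself, here is an added Python example (not part of the thread) that parses the "Memory state around the buggy address" rows copied from the report and decodes the shadow byte covering ffffc90008807618. It assumes generic KASAN (one shadow byte per 8-byte granule) and the poison values from mm/kasan/kasan.h.

```python
import re

# Shadow rows copied from the "Memory state around the buggy address" section
# of the report above (generic KASAN: one shadow byte per 8-byte granule,
# 16 shadow bytes = 128 bytes of memory per row).
SHADOW_DUMP = """\
[  561.813728][    C0]  ffffc90008807580: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2
[  561.821814][    C0] >ffffc90008807600: 00 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
[  561.834781][    C0]  ffffc90008807680: 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2 00 f3 f3 f3
"""
GRANULE, ROW_BYTES = 8, 8 * 16

# Poison values from mm/kasan/kasan.h; 0x01..0x07 = partially addressable granule.
POISON = {0xF1: "stack left redzone", 0xF2: "stack mid redzone",
          0xF3: "stack right redzone", 0xF9: "global redzone",
          0xFB: "freed slab object", 0xFC: "slab redzone", 0xFF: "freed page"}

ROW_RE = re.compile(r"([0-9a-f]{16}):((?:\s+[0-9a-f]{2}){16})\s*$")

def parse_shadow_dump(text):
    """Return {row_base_address: [16 shadow bytes]} for every dump row found."""
    rows = {}
    for line in text.splitlines():
        m = ROW_RE.search(line)
        if m:
            rows[int(m.group(1), 16)] = [int(b, 16) for b in m.group(2).split()]
    return rows

def shadow_byte(rows, addr):
    """Shadow byte covering addr, or None when the dump does not include it."""
    base = addr & ~(ROW_BYTES - 1)
    row = rows.get(base)
    return None if row is None else row[(addr - base) // GRANULE]

def describe(shadow):
    if shadow == 0x00:
        return "addressable"
    if 1 <= shadow <= 7:
        return f"partially addressable (first {shadow} bytes)"
    return POISON.get(shadow, f"unknown poison 0x{shadow:02x}")

def classify_access(text, addr, size):
    """Decode the shadow byte of every granule touched by [addr, addr+size)."""
    rows = parse_shadow_dump(text)
    out = []
    for a in range(addr, addr + size, GRANULE):
        sb = shadow_byte(rows, a)
        out.append((a, sb, "not in dump" if sb is None else describe(sb)))
    return out
```

For the 8-byte read at ffffc90008807618 the covering shadow byte is 0xf3, i.e. the access lands in a stack right redzone between two frames, which is what the "stack-out-of-bounds" classification is based on.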
