[syzbot] KASAN: use-after-free Read in hugetlb_handle_userfault


syzbot
Sep 8, 2022, 9:37:31 PM
to ak...@linux-foundation.org, linux-...@vger.kernel.org, linu...@kvack.org, ll...@lists.linux.dev, mike.k...@oracle.com, nat...@kernel.org, ndesau...@google.com, songm...@bytedance.com, syzkall...@googlegroups.com, tr...@redhat.com
Hello,

syzbot found the following issue on:

HEAD commit: 7726d4c3e60b Merge tag 'gpio-fixes-for-v6.0-rc4' of git://..
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=1106f78b080000
kernel config: https://syzkaller.appspot.com/x/.config?x=892a57667b7af6cf
dashboard link: https://syzkaller.appspot.com/bug?extid=193f9cee8638750b23cf
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16de5bc5080000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=120307e5080000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+193f9c...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: use-after-free in __lock_acquire+0x3ee7/0x56d0 kernel/locking/lockdep.c:4923
Read of size 8 at addr ffff888017a60eb0 by task syz-executor225/3606

CPU: 0 PID: 3606 Comm: syz-executor225 Not tainted 6.0.0-rc3-syzkaller-00363-g7726d4c3e60b #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:317 [inline]
print_report.cold+0x2ba/0x719 mm/kasan/report.c:433
kasan_report+0xb1/0x1e0 mm/kasan/report.c:495
__lock_acquire+0x3ee7/0x56d0 kernel/locking/lockdep.c:4923
lock_acquire kernel/locking/lockdep.c:5666 [inline]
lock_acquire+0x1ab/0x570 kernel/locking/lockdep.c:5631
down_read+0x98/0x450 kernel/locking/rwsem.c:1499
i_mmap_lock_read include/linux/fs.h:486 [inline]
hugetlb_handle_userfault+0xf5/0x150 mm/hugetlb.c:5505
hugetlb_no_page mm/hugetlb.c:5554 [inline]
hugetlb_fault+0x14cd/0x1aa0 mm/hugetlb.c:5778
handle_mm_fault+0x640/0x780 mm/memory.c:5149
do_user_addr_fault+0x475/0x1210 arch/x86/mm/fault.c:1397
handle_page_fault arch/x86/mm/fault.c:1488 [inline]
exc_page_fault+0x94/0x170 arch/x86/mm/fault.c:1544
asm_exc_page_fault+0x22/0x30 arch/x86/include/asm/idtentry.h:570
RIP: 0033:0x7f2ff2164c3b
Code: 00 48 89 94 24 ca 03 00 00 f3 0f 6f 9c 24 c0 03 00 00 f3 0f 6f a4 24 d0 03 00 00 48 89 84 24 e2 03 00 00 48 8d 86 00 20 7a 20 <0f> 11 9e 00 20 7a 20 0f 11 a6 10 20 7a 20 48 8b b4 24 e0 03 00 00
RSP: 002b:00007f2ff2157820 EFLAGS: 00010246
RAX: 00000000207a5e00 RBX: 0000000000000000 RCX: 00180f8000180f80
RDX: 0002912000180f80 RSI: 0000000000003e00 RDI: 0000000000000008
RBP: 0000000000000006 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 00007f2ff2157c80 R12: 00000000207a2000
R13: 0000000000000000 R14: 0000000000000000 R15: 00007f2ff2157d80
</TASK>

Allocated by task 3606:
kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
kasan_set_track mm/kasan/common.c:45 [inline]
set_alloc_info mm/kasan/common.c:437 [inline]
__kasan_slab_alloc+0x90/0xc0 mm/kasan/common.c:470
kasan_slab_alloc include/linux/kasan.h:224 [inline]
slab_post_alloc_hook mm/slab.h:727 [inline]
slab_alloc_node mm/slub.c:3243 [inline]
slab_alloc mm/slub.c:3251 [inline]
__kmem_cache_alloc_lru mm/slub.c:3258 [inline]
kmem_cache_alloc_lru+0x255/0x720 mm/slub.c:3275
alloc_inode_sb include/linux/fs.h:3103 [inline]
hugetlbfs_alloc_inode+0x88/0x1e0 fs/hugetlbfs/inode.c:1121
alloc_inode+0x61/0x230 fs/inode.c:260
new_inode_pseudo fs/inode.c:1019 [inline]
new_inode+0x27/0x270 fs/inode.c:1047
hugetlbfs_get_inode+0x353/0x5f0 fs/hugetlbfs/inode.c:844
hugetlb_file_setup+0x13a/0x590 fs/hugetlbfs/inode.c:1486
ksys_mmap_pgoff+0x184/0x5a0 mm/mmap.c:1578
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Freed by task 0:
kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
kasan_set_track+0x21/0x30 mm/kasan/common.c:45
kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370
____kasan_slab_free mm/kasan/common.c:367 [inline]
____kasan_slab_free+0x166/0x1c0 mm/kasan/common.c:329
kasan_slab_free include/linux/kasan.h:200 [inline]
slab_free_hook mm/slub.c:1754 [inline]
slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1780
slab_free mm/slub.c:3534 [inline]
kmem_cache_free+0xeb/0x5b0 mm/slub.c:3551
i_callback+0x3f/0x70 fs/inode.c:249
rcu_do_batch kernel/rcu/tree.c:2245 [inline]
rcu_core+0x7b5/0x1890 kernel/rcu/tree.c:2505
__do_softirq+0x1d3/0x9c6 kernel/softirq.c:571

Last potentially related work creation:
kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
__kasan_record_aux_stack+0xbe/0xd0 mm/kasan/generic.c:348
call_rcu+0x99/0x790 kernel/rcu/tree.c:2793
destroy_inode+0x129/0x1b0 fs/inode.c:315
iput_final fs/inode.c:1748 [inline]
iput.part.0+0x55d/0x810 fs/inode.c:1774
iput+0x58/0x70 fs/inode.c:1764
dentry_unlink_inode+0x2b1/0x460 fs/dcache.c:401
__dentry_kill+0x3c0/0x640 fs/dcache.c:607
dentry_kill fs/dcache.c:733 [inline]
dput+0x806/0xdb0 fs/dcache.c:913
__fput+0x39c/0x9d0 fs/file_table.c:333
task_work_run+0xdd/0x1a0 kernel/task_work.c:177
ptrace_notify+0x114/0x140 kernel/signal.c:2353
ptrace_report_syscall include/linux/ptrace.h:420 [inline]
ptrace_report_syscall_exit include/linux/ptrace.h:482 [inline]
syscall_exit_work kernel/entry/common.c:249 [inline]
syscall_exit_to_user_mode_prepare+0x129/0x280 kernel/entry/common.c:276
__syscall_exit_to_user_mode_work kernel/entry/common.c:281 [inline]
syscall_exit_to_user_mode+0x9/0x50 kernel/entry/common.c:294
do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd

The buggy address belongs to the object at ffff888017a60ac0
which belongs to the cache hugetlbfs_inode_cache of size 1248
The buggy address is located 1008 bytes inside of
1248-byte region [ffff888017a60ac0, ffff888017a60fa0)

The buggy address belongs to the physical page:
page:ffffea00005e9800 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x17a60
head:ffffea00005e9800 order:3 compound_mapcount:0 compound_pincount:0
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 0000000000000000 dead000000000122 ffff888145a66640
raw: 0000000000000000 0000000080170017 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 2981386393, free_ts 0
prep_new_page mm/page_alloc.c:2532 [inline]
get_page_from_freelist+0x109b/0x2ce0 mm/page_alloc.c:4283
__alloc_pages+0x1c7/0x510 mm/page_alloc.c:5515
alloc_page_interleave+0x1e/0x200 mm/mempolicy.c:2103
alloc_pages+0x22f/0x270 mm/mempolicy.c:2265
alloc_slab_page mm/slub.c:1824 [inline]
allocate_slab+0x27e/0x3d0 mm/slub.c:1969
new_slab mm/slub.c:2029 [inline]
___slab_alloc+0x7f1/0xe10 mm/slub.c:3031
__slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3118
slab_alloc_node mm/slub.c:3209 [inline]
slab_alloc mm/slub.c:3251 [inline]
__kmem_cache_alloc_lru mm/slub.c:3258 [inline]
kmem_cache_alloc_lru+0x528/0x720 mm/slub.c:3275
alloc_inode_sb include/linux/fs.h:3103 [inline]
hugetlbfs_alloc_inode+0x88/0x1e0 fs/hugetlbfs/inode.c:1121
alloc_inode+0x61/0x230 fs/inode.c:260
new_inode_pseudo fs/inode.c:1019 [inline]
new_inode+0x27/0x270 fs/inode.c:1047
hugetlbfs_get_root fs/hugetlbfs/inode.c:803 [inline]
hugetlbfs_fill_super+0x589/0xad0 fs/hugetlbfs/inode.c:1377
vfs_get_super fs/super.c:1168 [inline]
get_tree_nodev+0xcd/0x1d0 fs/super.c:1198
hugetlbfs_get_tree fs/hugetlbfs/inode.c:1392 [inline]
hugetlbfs_get_tree+0x1e3/0x2b0 fs/hugetlbfs/inode.c:1387
vfs_get_tree+0x89/0x2f0 fs/super.c:1530
fc_mount+0x13/0xc0 fs/namespace.c:1043
page_owner free stack trace missing

Memory state around the buggy address:
ffff888017a60d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888017a60e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888017a60e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888017a60f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888017a60f80: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches

syzbot
Sep 12, 2022, 5:07:18 AM
to phin...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

ntention.
[ 1.629526][ T0] kfence: initialized - using 2097152 bytes for 255 objects at 0xffff88823bc00000-0xffff88823be00000
[ 1.631105][ T0] random: crng init done
[ 1.632812][ T0] Console: colour VGA+ 80x25
[ 1.633604][ T0] printk: console [ttyS0] enabled
[ 1.633604][ T0] printk: console [ttyS0] enabled
[ 1.635134][ T0] printk: bootconsole [earlyser0] disabled
[ 1.635134][ T0] printk: bootconsole [earlyser0] disabled
[ 1.637076][ T0] Lock dependency validator: Copyright (c) 2006 Red Hat, Inc., Ingo Molnar
[ 1.638448][ T0] ... MAX_LOCKDEP_SUBCLASSES: 8
[ 1.639228][ T0] ... MAX_LOCK_DEPTH: 48
[ 1.640056][ T0] ... MAX_LOCKDEP_KEYS: 8192
[ 1.640818][ T0] ... CLASSHASH_SIZE: 4096
[ 1.641625][ T0] ... MAX_LOCKDEP_ENTRIES: 131072
[ 1.642475][ T0] ... MAX_LOCKDEP_CHAINS: 262144
[ 1.643421][ T0] ... CHAINHASH_SIZE: 131072
[ 1.644827][ T0] memory used by lock dependency info: 20657 kB
[ 1.646136][ T0] memory used for stack traces: 8320 kB
[ 1.647227][ T0] per task-struct memory footprint: 1920 bytes
[ 1.648257][ T0] mempolicy: Enabling automatic NUMA balancing. Configure with numa_balancing= or the kernel.numa_balancing sysctl
[ 1.650226][ T0] ACPI: Core revision 20220331
[ 1.651626][ T0] APIC: Switch to symmetric I/O mode setup
[ 1.659092][ T0] ..TIMER: vector=0x30 apic1=0 pin1=0 apic2=-1 pin2=-1
[ 1.661217][ T0] clocksource: tsc-early: mask: 0xffffffffffffffff max_cycles: 0x1fb6d54cfe9, max_idle_ns: 440795226702 ns
[ 1.663734][ T0] Calibrating delay loop (skipped) preset value.. 4400.34 BogoMIPS (lpj=22001720)
[ 1.665174][ T0] pid_max: default: 32768 minimum: 301
[ 1.666533][ T0] LSM: Security Framework initializing
[ 1.667607][ T0] landlock: Up and running.
[ 1.668368][ T0] Yama: becoming mindful.
[ 1.669112][ T0] TOMOYO Linux initialized
[ 1.670037][ T0] AppArmor: AppArmor initialized
[ 1.671096][ T0] LSM support for eBPF active
[ 1.677595][ T0] Dentry cache hash table entries: 1048576 (order: 11, 8388608 bytes, vmalloc hugepage)
[ 1.681197][ T0] Inode-cache hash table entries: 524288 (order: 10, 4194304 bytes, vmalloc hugepage)
[ 1.682736][ T0] Mount-cache hash table entries: 16384 (order: 5, 131072 bytes, vmalloc)
[ 1.683799][ T0] Mountpoint-cache hash table entries: 16384 (order: 5, 131072 bytes, vmalloc)
[ 1.688970][ T0] Last level iTLB entries: 4KB 64, 2MB 8, 4MB 8
[ 1.690176][ T0] Last level dTLB entries: 4KB 64, 2MB 0, 4MB 0, 1GB 4
[ 1.691234][ T0] Spectre V1 : Mitigation: usercopy/swapgs barriers and __user pointer sanitization
[ 1.693782][ T0] Spectre V2 : Mitigation: IBRS
[ 1.694640][ T0] Spectre V2 : Spectre v2 / SpectreRSB mitigation: Filling RSB on context switch
[ 1.695941][ T0] Spectre V2 : Spectre v2 / SpectreRSB : Filling RSB on VMEXIT
[ 1.697086][ T0] RETBleed: Mitigation: IBRS
[ 1.697947][ T0] Spectre V2 : mitigation: Enabling conditional Indirect Branch Prediction Barrier
[ 1.699622][ T0] Speculative Store Bypass: Mitigation: Speculative Store Bypass disabled via prctl
[ 1.700977][ T0] MDS: Mitigation: Clear CPU buffers
[ 1.702597][ T0] TAA: Mitigation: Clear CPU buffers
[ 1.703734][ T0] MMIO Stale Data: Vulnerable: Clear CPU buffers attempted, no microcode
[ 1.707472][ T0] Freeing SMP alternatives memory: 112K
[ 1.830860][ T1] smpboot: CPU0: Intel(R) Xeon(R) CPU @ 2.20GHz (family: 0x6, model: 0x4f, stepping: 0x0)
[ 1.833719][ T1] cblist_init_generic: Setting adjustable number of callback queues.
[ 1.833719][ T1] cblist_init_generic: Setting shift to 1 and lim to 1.
[ 1.833719][ T1] cblist_init_generic: Setting shift to 1 and lim to 1.
[ 1.833719][ T1] Running RCU-tasks wait API self tests
[ 1.934199][ T1] Performance Events: unsupported p6 CPU model 79 no PMU driver, software events only.
[ 1.936520][ T1] rcu: Hierarchical SRCU implementation.
[ 1.937357][ T1] rcu: Max phase no-delay instances is 1000.
[ 1.942741][ T1] NMI watchdog: Perf NMI watchdog permanently disabled
[ 1.944418][ T1] smp: Bringing up secondary CPUs ...
[ 1.946589][ T1] x86: Booting SMP configuration:
[ 1.947387][ T1] .... node #0, CPUs: #1
[ 1.949721][ T1] MDS CPU bug present and SMT on, data leak possible. See https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html for more details.
[ 1.949721][ T1] TAA CPU bug present and SMT on, data leak possible. See https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html for more details.
[ 1.953848][ T1] MMIO Stale Data CPU bug present and SMT on, data leak possible. See https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/processor_mmio_stale_data.html for more details.
[ 1.956688][ T1] smp: Brought up 2 nodes, 2 CPUs
[ 1.957513][ T1] smpboot: Max logical packages: 1
[ 1.958215][ T1] smpboot: Total of 2 processors activated (8800.68 BogoMIPS)
[ 1.973844][ T13] Callback from call_rcu_tasks_trace() invoked.
[ 1.996866][ T1] allocated 134217728 bytes of page_ext
[ 1.997960][ T1] Node 0, zone DMA: page owner found early allocated 0 pages
[ 2.019187][ T1] Node 0, zone DMA32: page owner found early allocated 19964 pages
[ 2.034080][ T1] Node 0, zone Normal: page owner found early allocated 228 pages
[ 2.050560][ T1] Node 1, zone Normal: page owner found early allocated 19163 pages
[ 2.054342][ T1] devtmpfs: initialized
[ 2.055856][ T1] x86/mm: Memory block size: 128MB
[ 2.098500][ T1] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
[ 2.098500][ T1] futex hash table entries: 512 (order: 4, 65536 bytes, vmalloc)
[ 2.103739][ T1] PM: RTC time: 08:57:45, date: 2022-09-12
[ 2.116264][ T1] NET: Registered PF_NETLINK/PF_ROUTE protocol family
[ 2.123042][ T1] audit: initializing netlink subsys (disabled)
[ 2.126270][ T1] thermal_sys: Registered thermal governor 'step_wise'
[ 2.126289][ T1] thermal_sys: Registered thermal governor 'user_space'
[ 2.133821][ T27] audit: type=2000 audit(1662973065.375:1): state=initialized audit_enabled=0 res=1
[ 2.136564][ T1] cpuidle: using governor menu
[ 2.136564][ T1] NET: Registered PF_QIPCRTR protocol family
[ 2.137855][ T1] PCI: Using configuration type 1 for base access
[ 2.154019][ T12] Callback from call_rcu_tasks() invoked.
[ 2.335059][ T1] WARNING: workqueue cpumask: online intersect > possible intersect
[ 2.354203][ T1] HugeTLB: registered 1.00 GiB page size, pre-allocated 0 pages
[ 2.356191][ T1] HugeTLB: 16380 KiB vmemmap can be freed for a 1.00 GiB page
[ 2.357616][ T1] HugeTLB: registered 2.00 MiB page size, pre-allocated 0 pages
[ 2.359237][ T1] HugeTLB: 28 KiB vmemmap can be freed for a 2.00 MiB page
[ 2.371228][ T26] ==================================================================
[ 2.372691][ T26] BUG: KASAN: slab-out-of-bounds in _find_next_bit+0x122/0x140
[ 2.373719][ T26] Read of size 8 at addr ffff8880178c27b8 by task kworker/1:1/26
[ 2.373719][ T26]
[ 2.373719][ T26] CPU: 1 PID: 26 Comm: kworker/1:1 Not tainted 6.0.0-rc4-next-20220909-syzkaller-06877-g9a82ccda91ed #0
[ 2.383853][ T26] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
[ 2.383853][ T26] Workqueue: events pcpu_balance_workfn
[ 2.383853][ T26] Call Trace:
[ 2.383853][ T26] <TASK>
[ 2.383853][ T26] dump_stack_lvl+0xcd/0x134
[ 2.383853][ T26] print_report+0x164/0x463
[ 2.383853][ T26] ? __phys_addr+0xc4/0x140
[ 2.383853][ T26] ? _find_next_bit+0x122/0x140
[ 2.383853][ T26] kasan_report+0xbb/0x1f0
[ 2.383853][ T26] ? _find_next_bit+0x122/0x140
[ 2.383853][ T26] _find_next_bit+0x122/0x140
[ 2.394119][ T26] pcpu_balance_workfn+0x6c0/0xea0
[ 2.394119][ T26] process_one_work+0x991/0x1610
[ 2.394119][ T26] ? pwq_dec_nr_in_flight+0x2a0/0x2a0
[ 2.394119][ T26] ? rwlock_bug.part.0+0x90/0x90
[ 2.394119][ T26] ? _raw_spin_lock_irq+0x41/0x50
[ 2.394119][ T26] worker_thread+0x665/0x1080
[ 2.394119][ T26] ? __kthread_parkme+0x15f/0x220
[ 2.394119][ T26] ? process_one_work+0x1610/0x1610
[ 2.394119][ T26] kthread+0x2e4/0x3a0
[ 2.394119][ T26] ? kthread_complete_and_exit+0x40/0x40
[ 2.394119][ T26] ret_from_fork+0x1f/0x30
[ 2.394119][ T26] </TASK>
[ 2.394119][ T26]
[ 2.394119][ T26] Allocated by task 26:
[ 2.394119][ T26] kasan_save_stack+0x1e/0x40
[ 2.394119][ T26] kasan_set_track+0x21/0x30
[ 2.394119][ T26] __kasan_kmalloc+0xa1/0xb0
[ 2.394119][ T26] __kmalloc+0x54/0xc0
[ 2.394119][ T26] pcpu_mem_zalloc+0x70/0xa0
[ 2.394119][ T26] pcpu_create_chunk+0x23/0x930
[ 2.394119][ T26] pcpu_balance_workfn+0xc4e/0xea0
[ 2.394119][ T26] process_one_work+0x991/0x1610
[ 2.394119][ T26] worker_thread+0x665/0x1080
[ 2.394119][ T26] kthread+0x2e4/0x3a0
[ 2.394119][ T26] ret_from_fork+0x1f/0x30
[ 2.394119][ T26]
[ 2.394119][ T26] The buggy address belongs to the object at ffff8880178c2700
[ 2.394119][ T26] which belongs to the cache kmalloc-192 of size 192
[ 2.394119][ T26] The buggy address is located 184 bytes inside of
[ 2.394119][ T26] 192-byte region [ffff8880178c2700, ffff8880178c27c0)
[ 2.394119][ T26]
[ 2.394119][ T26] The buggy address belongs to the physical page:
[ 2.394119][ T26] page:ffffea00005e3080 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x178c2
[ 2.394119][ T26] flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
[ 2.394119][ T26] raw: 00fff00000000200 0000000000000000 dead000000000122 ffff888011841a00
[ 2.394119][ T26] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[ 2.394119][ T26] page dumped because: kasan: bad access detected
[ 2.394119][ T26] page_owner tracks the page as allocated
[ 2.394119][ T26] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 1, tgid 1 (swapper/0), ts 2334232000, free_ts 0
[ 2.394119][ T26] get_page_from_freelist+0x109b/0x2ce0
[ 2.394119][ T26] __alloc_pages+0x1c7/0x510
[ 2.394119][ T26] alloc_page_interleave+0x1e/0x200
[ 2.394119][ T26] alloc_pages+0x22f/0x270
[ 2.394119][ T26] allocate_slab+0x213/0x300
[ 2.394119][ T26] ___slab_alloc+0xad0/0x1440
[ 2.394119][ T26] __slab_alloc.constprop.0+0x4d/0xa0
[ 2.394119][ T26] __kmem_cache_alloc_node+0x18a/0x3d0
[ 2.394119][ T26] kmalloc_trace+0x22/0x60
[ 2.394119][ T26] call_usermodehelper_setup+0x97/0x340
[ 2.394119][ T26] kobject_uevent_env+0xee6/0x1640
[ 2.394119][ T26] param_sysfs_init+0x367/0x43b
[ 2.394119][ T26] do_one_initcall+0xfe/0x650
[ 2.394119][ T26] kernel_init_freeable+0x6ff/0x788
[ 2.394119][ T26] kernel_init+0x1a/0x1d0
[ 2.394119][ T26] ret_from_fork+0x1f/0x30
[ 2.394119][ T26] page_owner free stack trace missing
[ 2.394119][ T26]
[ 2.394119][ T26] Memory state around the buggy address:
[ 2.394119][ T26] ffff8880178c2680: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 2.394119][ T26] ffff8880178c2700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 2.394119][ T26] >ffff8880178c2780: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
[ 2.394119][ T26] ^
[ 2.394119][ T26] ffff8880178c2800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 2.394119][ T26] ffff8880178c2880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 2.394119][ T26] ==================================================================
[ 2.394119][ T26] Kernel panic - not syncing: panic_on_warn set ...
[ 2.394119][ T26] CPU: 1 PID: 26 Comm: kworker/1:1 Not tainted 6.0.0-rc4-next-20220909-syzkaller-06877-g9a82ccda91ed #0
[ 2.394119][ T26] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
[ 2.394119][ T26] Workqueue: events pcpu_balance_workfn
[ 2.394119][ T26] Call Trace:
[ 2.394119][ T26] <TASK>
[ 2.394119][ T26] dump_stack_lvl+0xcd/0x134
[ 2.394119][ T26] panic+0x2c8/0x622
[ 2.394119][ T26] ? panic_print_sys_info.part.0+0x110/0x110
[ 2.394119][ T26] end_report.part.0+0x3f/0x7c
[ 2.394119][ T26] ? _find_next_bit+0x122/0x140
[ 2.394119][ T26] kasan_report.cold+0xa/0xf
[ 2.394119][ T26] ? _find_next_bit+0x122/0x140
[ 2.394119][ T26] _find_next_bit+0x122/0x140
[ 2.394119][ T26] pcpu_balance_workfn+0x6c0/0xea0
[ 2.394119][ T26] process_one_work+0x991/0x1610
[ 2.394119][ T26] ? pwq_dec_nr_in_flight+0x2a0/0x2a0
[ 2.394119][ T26] ? rwlock_bug.part.0+0x90/0x90
[ 2.394119][ T26] ? _raw_spin_lock_irq+0x41/0x50
[ 2.394119][ T26] worker_thread+0x665/0x1080
[ 2.394119][ T26] ? __kthread_parkme+0x15f/0x220
[ 2.394119][ T26] ? process_one_work+0x1610/0x1610
[ 2.394119][ T26] kthread+0x2e4/0x3a0
[ 2.394119][ T26] ? kthread_complete_and_exit+0x40/0x40
[ 2.394119][ T26] ret_from_fork+0x1f/0x30
[ 2.394119][ T26] </TASK>
[ 2.394119][ T26] Rebooting in 86400 seconds..


syzkaller build log:
go env (err=<nil>)
GO111MODULE="auto"
GOARCH="amd64"
GOBIN=""
GOCACHE="/syzkaller/.cache/go-build"
GOENV="/syzkaller/.config/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/syzkaller/jobs/linux/gopath/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/syzkaller/jobs/linux/gopath"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="go1.17"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/syzkaller/jobs/linux/gopath/src/github.com/google/syzkaller/go.mod"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build833528393=/tmp/go-build -gno-record-gcc-switches"

git status (err=<nil>)
HEAD detached at 28811d0ac
nothing to commit, working tree clean


go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=28811d0ac5274e8b3730fcf2ad0634d723fcd878 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20220903-151243'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-fuzzer github.com/google/syzkaller/syz-fuzzer
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=28811d0ac5274e8b3730fcf2ad0634d723fcd878 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20220903-151243'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=28811d0ac5274e8b3730fcf2ad0634d723fcd878 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20220903-151243'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-stress github.com/google/syzkaller/tools/syz-stress
mkdir -p ./bin/linux_amd64
gcc -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -static-pie -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"28811d0ac5274e8b3730fcf2ad0634d723fcd878\"


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=1741edaf080000


Tested on:

commit: 9a82ccda Add linux-next specific files for 20220909
git tree: linux-next
kernel config: https://syzkaller.appspot.com/x/.config?x=a880996938a4f81c
dashboard link: https://syzkaller.appspot.com/bug?extid=193f9cee8638750b23cf
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2

Note: no patches were applied.

syzbot
Sep 14, 2022, 3:19:21 AM
to sidhart...@oracle.com, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

m...
syzkaller login: [ 39.486866][ T3615] cgroup: Unknown subsys name 'net'
[ 39.581594][ T3615] cgroup: Unknown subsys name 'rlimit'
[ 40.819787][ T3617] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 40.827498][ T3617] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 40.834735][ T3617] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 40.842373][ T3617] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 40.849850][ T3617] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 40.857450][ T3617] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 40.865250][ T3616] Bluetooth: hci0: HCI_REQ-0x0c1a
[ 40.921306][ T3622] chnl_net:caif_netlink_parms(): no params data found
[ 40.951932][ T3622] bridge0: port 1(bridge_slave_0) entered blocking state
[ 40.959112][ T3622] bridge0: port 1(bridge_slave_0) entered disabled state
[ 40.966670][ T3622] device bridge_slave_0 entered promiscuous mode
[ 40.974622][ T3622] bridge0: port 2(bridge_slave_1) entered blocking state
[ 40.981762][ T3622] bridge0: port 2(bridge_slave_1) entered disabled state
[ 40.989603][ T3622] device bridge_slave_1 entered promiscuous mode
[ 41.006363][ T3622] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 41.016940][ T3622] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 41.035070][ T3622] team0: Port device team_slave_0 added
[ 41.042535][ T3622] team0: Port device team_slave_1 added
[ 41.056905][ T3622] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 41.064241][ T3622] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 41.090756][ T3622] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 41.102372][ T3622] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 41.109435][ T3622] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 41.135637][ T3622] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 41.157988][ T3622] device hsr_slave_0 entered promiscuous mode
[ 41.164505][ T3622] device hsr_slave_1 entered promiscuous mode
[ 41.217106][ T3622] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 41.225574][ T3622] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 41.234345][ T3622] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 41.243075][ T3622] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 41.251857][ T3622] ------------[ cut here ]------------
[ 41.257404][ T3622] memcpy: detected field-spanning write (size 28) of single field "&endpoint.addr" at drivers/net/wireguard/netlink.c:446 (size 16)
[ 41.271391][ T3622] WARNING: CPU: 0 PID: 3622 at drivers/net/wireguard/netlink.c:446 set_peer+0x991/0x10c0
[ 41.281362][ T3622] Modules linked in:
[ 41.285335][ T3622] CPU: 1 PID: 3622 Comm: syz-executor.0 Not tainted 6.0.0-rc5-next-20220914-syzkaller-07893-gf117c0118730-dirty #0
[ 41.297824][ T3622] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
[ 41.308354][ T3622] RIP: 0010:set_peer+0x991/0x10c0
[ 41.313385][ T3622] Code: 00 e8 43 47 b3 fc b9 10 00 00 00 48 c7 c2 60 4e 72 8a be 1c 00 00 00 48 c7 c7 c0 4e 72 8a c6 05 31 07 03 09 01 e8 11 cf 74 04 <0f> 0b e9 03 04 00 00 e8 13 47 b3 fc 89 ee 44 89 ef e8 59 43 b3 fc
[ 41.333240][ T3622] RSP: 0018:ffffc900045ef540 EFLAGS: 00010282
[ 41.339337][ T3622] RAX: 0000000000000000 RBX: ffffc900045ef6d8 RCX: 0000000000000000
[ 41.347513][ T3622] RDX: ffff888077fa57c0 RSI: ffffffff81611e78 RDI: fffff520008bde9a
[ 41.355487][ T3622] RBP: ffffc900045ef5e8 R08: 0000000000000005 R09: 0000000000000000
[ 41.363689][ T3622] R10: 0000000080000000 R11: 7720676e696e6e6d R12: 000000000000001c
[ 41.371749][ T3622] R13: 0000000000000000 R14: ffff8880203f7904 R15: ffff888075450960
[ 41.379760][ T3622] FS: 000055555615e400(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000
[ 41.389044][ T3622] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 41.395629][ T3622] CR2: 00007f888e6d32c0 CR3: 000000007574c000 CR4: 00000000003506f0
[ 41.403636][ T3622] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 41.411723][ T3622] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 41.419999][ T3622] Call Trace:
[ 41.423293][ T3622] <TASK>
[ 41.426221][ T3622] ? wg_get_device_done+0x110/0x110
[ 41.431853][ T3622] ? nla_get_range_signed+0x520/0x520
[ 41.437697][ T3622] ? lock_downgrade+0x6e0/0x6e0
[ 41.442566][ T3622] ? __nla_parse+0x3d/0x50
[ 41.446995][ T3622] wg_set_device+0x8d7/0x11b0
[ 41.452127][ T3622] ? nla_get_range_signed+0x41/0x520
[ 41.457547][ T3622] ? set_peer+0x10c0/0x10c0
[ 41.462073][ T3622] ? __nla_parse+0x3d/0x50
[ 41.466482][ T3622] ? genl_family_rcv_msg_attrs_parse.constprop.0+0x1b7/0x290
[ 41.474268][ T3622] ? genl_family_rcv_msg_attrs_parse.constprop.0+0xaf/0x290
[ 41.481767][ T3622] genl_family_rcv_msg_doit+0x228/0x320
[ 41.487512][ T3622] ? genl_family_rcv_msg_attrs_parse.constprop.0+0x290/0x290
[ 41.494894][ T3622] ? ns_capable+0xd9/0x100
[ 41.499399][ T3622] genl_rcv_msg+0x3b7/0x630
[ 41.503985][ T3622] ? genl_get_cmd+0x480/0x480
[ 41.509134][ T3622] ? __alloc_skb+0xd9/0x2f0
[ 41.513673][ T3622] ? netlink_sendmsg+0x9a2/0xe10
[ 41.518836][ T3622] ? sock_sendmsg+0xcf/0x120
[ 41.523449][ T3622] ? set_peer+0x10c0/0x10c0
[ 41.528174][ T3622] ? rcu_read_unlock+0x40/0x40
[ 41.532955][ T3622] ? rcu_read_lock_sched_held+0xd/0x70
[ 41.538644][ T3622] netlink_rcv_skb+0x153/0x420
[ 41.543428][ T3622] ? genl_get_cmd+0x480/0x480
[ 41.548351][ T3622] ? netlink_ack+0xd50/0xd50
[ 41.552945][ T3622] ? netlink_deliver_tap+0x1b1/0xc40
[ 41.561465][ T3622] genl_rcv+0x24/0x40
[ 41.565442][ T3622] netlink_unicast+0x543/0x7f0
[ 41.570273][ T3622] ? netlink_attachskb+0x880/0x880
[ 41.575413][ T3622] ? __virt_addr_valid+0x5d/0x2d0
[ 41.580721][ T3622] ? __phys_addr_symbol+0x2c/0x70
[ 41.585785][ T3622] ? __check_object_size+0x2de/0x5a0
[ 41.591289][ T3622] netlink_sendmsg+0x917/0xe10
[ 41.596070][ T3622] ? netlink_unicast+0x7f0/0x7f0
[ 41.601233][ T3622] ? bpf_lsm_socket_sendmsg+0x5/0x10
[ 41.606612][ T3622] ? netlink_unicast+0x7f0/0x7f0
[ 41.611752][ T3622] sock_sendmsg+0xcf/0x120
[ 41.616348][ T3622] __sys_sendto+0x236/0x340
[ 41.621026][ T3622] ? __ia32_sys_getpeername+0xb0/0xb0
[ 41.626400][ T3622] ? lock_release+0x560/0x780
[ 41.631227][ T3622] ? lock_release+0x560/0x780
[ 41.635932][ T3622] ? __ct_user_exit+0xff/0x150
[ 41.640922][ T3622] ? lock_downgrade+0x6e0/0x6e0
[ 41.645896][ T3622] ? lock_downgrade+0x6e0/0x6e0
[ 41.650833][ T3622] ? fd_install+0x1f9/0x640
[ 41.655359][ T3622] ? vtime_user_exit+0x218/0x6c0
[ 41.660378][ T3622] __x64_sys_sendto+0xdd/0x1b0
[ 41.665216][ T3622] ? syscall_enter_from_user_mode+0x22/0xb0
[ 41.671368][ T3622] do_syscall_64+0x35/0xb0
[ 41.675805][ T3622] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 41.681893][ T3622] RIP: 0033:0x7f888d63c03c
[ 41.686301][ T3622] Code: fa fa ff ff 44 8b 4c 24 2c 4c 8b 44 24 20 89 c5 44 8b 54 24 28 48 8b 54 24 18 b8 2c 00 00 00 48 8b 74 24 10 8b 7c 24 08 0f 05 <48> 3d 00 f0 ff ff 77 34 89 ef 48 89 44 24 08 e8 20 fb ff ff 48 8b
[ 41.706303][ T3622] RSP: 002b:00007f888dccf780 EFLAGS: 00000293 ORIG_RAX: 000000000000002c
[ 41.714915][ T3622] RAX: ffffffffffffffda RBX: 00007f888e6d4320 RCX: 00007f888d63c03c
[ 41.723212][ T3622] RDX: 0000000000000170 RSI: 00007f888e6d4370 RDI: 0000000000000005
[ 41.731365][ T3622] RBP: 0000000000000000 R08: 00007f888dccf7d4 R09: 000000000000000c
[ 41.739566][ T3622] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000
[ 41.748152][ T3622] R13: 00007f888e6d4370 R14: 0000000000000005 R15: 0000000000000000
[ 41.756239][ T3622] </TASK>
[ 41.759452][ T3622] Kernel panic - not syncing: panic_on_warn set ...
[ 41.766044][ T3622] CPU: 1 PID: 3622 Comm: syz-executor.0 Not tainted 6.0.0-rc5-next-20220914-syzkaller-07893-gf117c0118730-dirty #0
[ 41.778179][ T3622] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
[ 41.788221][ T3622] Call Trace:
[ 41.791487][ T3622] <TASK>
[ 41.794405][ T3622] dump_stack_lvl+0xcd/0x134
[ 41.798984][ T3622] panic+0x2c8/0x622
[ 41.803155][ T3622] ? panic_print_sys_info.part.0+0x110/0x110
[ 41.809136][ T3622] ? __warn.cold+0x248/0x2c4
[ 41.813715][ T3622] ? set_peer+0x991/0x10c0
[ 41.818143][ T3622] __warn.cold+0x259/0x2c4
[ 41.822840][ T3622] ? __wake_up_klogd.part.0+0x99/0xf0
[ 41.828198][ T3622] ? set_peer+0x991/0x10c0
[ 41.833154][ T3622] report_bug+0x1bc/0x210
[ 41.837502][ T3622] handle_bug+0x3c/0x60
[ 41.841663][ T3622] exc_invalid_op+0x14/0x40
[ 41.846255][ T3622] asm_exc_invalid_op+0x16/0x20
[ 41.851116][ T3622] RIP: 0010:set_peer+0x991/0x10c0
[ 41.856242][ T3622] Code: 00 e8 43 47 b3 fc b9 10 00 00 00 48 c7 c2 60 4e 72 8a be 1c 00 00 00 48 c7 c7 c0 4e 72 8a c6 05 31 07 03 09 01 e8 11 cf 74 04 <0f> 0b e9 03 04 00 00 e8 13 47 b3 fc 89 ee 44 89 ef e8 59 43 b3 fc
[ 41.875943][ T3622] RSP: 0018:ffffc900045ef540 EFLAGS: 00010282
[ 41.882014][ T3622] RAX: 0000000000000000 RBX: ffffc900045ef6d8 RCX: 0000000000000000
[ 41.890077][ T3622] RDX: ffff888077fa57c0 RSI: ffffffff81611e78 RDI: fffff520008bde9a
[ 41.898133][ T3622] RBP: ffffc900045ef5e8 R08: 0000000000000005 R09: 0000000000000000
[ 41.906201][ T3622] R10: 0000000080000000 R11: 7720676e696e6e6d R12: 000000000000001c
[ 41.914169][ T3622] R13: 0000000000000000 R14: ffff8880203f7904 R15: ffff888075450960
[ 41.922234][ T3622] ? vprintk+0x88/0x90
[ 41.926310][ T3622] ? wg_get_device_done+0x110/0x110
[ 41.931535][ T3622] ? nla_get_range_signed+0x520/0x520
[ 41.936910][ T3622] ? lock_downgrade+0x6e0/0x6e0
[ 41.941937][ T3622] ? __nla_parse+0x3d/0x50
[ 41.946368][ T3622] wg_set_device+0x8d7/0x11b0
[ 41.951247][ T3622] ? nla_get_range_signed+0x41/0x520
[ 41.957061][ T3622] ? set_peer+0x10c0/0x10c0
[ 41.961659][ T3622] ? __nla_parse+0x3d/0x50
[ 41.966074][ T3622] ? genl_family_rcv_msg_attrs_parse.constprop.0+0x1b7/0x290
[ 41.973535][ T3622] ? genl_family_rcv_msg_attrs_parse.constprop.0+0xaf/0x290
[ 41.980936][ T3622] genl_family_rcv_msg_doit+0x228/0x320
[ 41.986546][ T3622] ? genl_family_rcv_msg_attrs_parse.constprop.0+0x290/0x290
[ 41.993994][ T3622] ? ns_capable+0xd9/0x100
[ 41.998423][ T3622] genl_rcv_msg+0x3b7/0x630
[ 42.002932][ T3622] ? genl_get_cmd+0x480/0x480
[ 42.007699][ T3622] ? __alloc_skb+0xd9/0x2f0
[ 42.012207][ T3622] ? netlink_sendmsg+0x9a2/0xe10
[ 42.017141][ T3622] ? sock_sendmsg+0xcf/0x120
[ 42.021757][ T3622] ? set_peer+0x10c0/0x10c0
[ 42.026268][ T3622] ? rcu_read_unlock+0x40/0x40
[ 42.031057][ T3622] ? rcu_read_lock_sched_held+0xd/0x70
[ 42.036526][ T3622] netlink_rcv_skb+0x153/0x420
[ 42.041289][ T3622] ? genl_get_cmd+0x480/0x480
[ 42.045974][ T3622] ? netlink_ack+0xd50/0xd50
[ 42.050676][ T3622] ? netlink_deliver_tap+0x1b1/0xc40
[ 42.055963][ T3622] genl_rcv+0x24/0x40
[ 42.059963][ T3622] netlink_unicast+0x543/0x7f0
[ 42.064729][ T3622] ? netlink_attachskb+0x880/0x880
[ 42.069960][ T3622] ? __virt_addr_valid+0x5d/0x2d0
[ 42.074994][ T3622] ? __phys_addr_symbol+0x2c/0x70
[ 42.080024][ T3622] ? __check_object_size+0x2de/0x5a0
[ 42.085493][ T3622] netlink_sendmsg+0x917/0xe10
[ 42.090261][ T3622] ? netlink_unicast+0x7f0/0x7f0
[ 42.095216][ T3622] ? bpf_lsm_socket_sendmsg+0x5/0x10
[ 42.100602][ T3622] ? netlink_unicast+0x7f0/0x7f0
[ 42.105560][ T3622] sock_sendmsg+0xcf/0x120
[ 42.109985][ T3622] __sys_sendto+0x236/0x340
[ 42.114493][ T3622] ? __ia32_sys_getpeername+0xb0/0xb0
[ 42.120057][ T3622] ? lock_release+0x560/0x780
[ 42.124733][ T3622] ? lock_release+0x560/0x780
[ 42.129414][ T3622] ? __ct_user_exit+0xff/0x150
[ 42.134180][ T3622] ? lock_downgrade+0x6e0/0x6e0
[ 42.139050][ T3622] ? lock_downgrade+0x6e0/0x6e0
[ 42.143904][ T3622] ? fd_install+0x1f9/0x640
[ 42.148424][ T3622] ? vtime_user_exit+0x218/0x6c0
[ 42.153377][ T3622] __x64_sys_sendto+0xdd/0x1b0
[ 42.158403][ T3622] ? syscall_enter_from_user_mode+0x22/0xb0
[ 42.164310][ T3622] do_syscall_64+0x35/0xb0
[ 42.168729][ T3622] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 42.174898][ T3622] RIP: 0033:0x7f888d63c03c
[ 42.179309][ T3622] Code: fa fa ff ff 44 8b 4c 24 2c 4c 8b 44 24 20 89 c5 44 8b 54 24 28 48 8b 54 24 18 b8 2c 00 00 00 48 8b 74 24 10 8b 7c 24 08 0f 05 <48> 3d 00 f0 ff ff 77 34 89 ef 48 89 44 24 08 e8 20 fb ff ff 48 8b
[ 42.199278][ T3622] RSP: 002b:00007f888dccf780 EFLAGS: 00000293 ORIG_RAX: 000000000000002c
[ 42.207692][ T3622] RAX: ffffffffffffffda RBX: 00007f888e6d4320 RCX: 00007f888d63c03c
[ 42.215679][ T3622] RDX: 0000000000000170 RSI: 00007f888e6d4370 RDI: 0000000000000005
[ 42.223645][ T3622] RBP: 0000000000000000 R08: 00007f888dccf7d4 R09: 000000000000000c
[ 42.231630][ T3622] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000
[ 42.239597][ T3622] R13: 00007f888e6d4370 R14: 0000000000000005 R15: 0000000000000000
[ 42.247572][ T3622] </TASK>
[ 42.250800][ T3622] Kernel Offset: disabled
[ 42.255382][ T3622] Rebooting in 86400 seconds..
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build1209893681=/tmp/go-build -gno-record-gcc-switches"

git status (err=<nil>)
HEAD detached at 28811d0ac
nothing to commit, working tree clean


go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=28811d0ac5274e8b3730fcf2ad0634d723fcd878 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20220903-151243'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-fuzzer github.com/google/syzkaller/syz-fuzzer
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=28811d0ac5274e8b3730fcf2ad0634d723fcd878 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20220903-151243'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=28811d0ac5274e8b3730fcf2ad0634d723fcd878 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20220903-151243'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-stress github.com/google/syzkaller/tools/syz-stress
mkdir -p ./bin/linux_amd64
gcc -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -static-pie -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"28811d0ac5274e8b3730fcf2ad0634d723fcd878\"


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=10487887080000


Tested on:

commit: f117c011 Add linux-next specific files for 20220914
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/ master
kernel config: https://syzkaller.appspot.com/x/.config?x=af3031a45dd50c49
dashboard link: https://syzkaller.appspot.com/bug?extid=193f9cee8638750b23cf
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=162cf55d080000

syzbot

Sep 14, 2022, 3:51:17 AM9/14/22
to sidhart...@oracle.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: use-after-free Read in hugetlb_handle_userfault

L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html for details.
==================================================================
BUG: KASAN: use-after-free in __lock_acquire+0x3ee7/0x56d0 kernel/locking/lockdep.c:4923
Read of size 8 at addr ffff888145d28eb0 by task syz-executor.0/4084

CPU: 0 PID: 4084 Comm: syz-executor.0 Not tainted 6.0.0-rc5-syzkaller-00738-gd1221cea11fc #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:317 [inline]
print_report.cold+0x2ba/0x719 mm/kasan/report.c:433
kasan_report+0xb1/0x1e0 mm/kasan/report.c:495
__lock_acquire+0x3ee7/0x56d0 kernel/locking/lockdep.c:4923
lock_acquire kernel/locking/lockdep.c:5666 [inline]
lock_acquire+0x1ab/0x570 kernel/locking/lockdep.c:5631
down_read+0x98/0x450 kernel/locking/rwsem.c:1499
i_mmap_lock_read include/linux/fs.h:486 [inline]
hugetlb_handle_userfault+0xf5/0x150 mm/hugetlb.c:5505
hugetlb_no_page mm/hugetlb.c:5554 [inline]
hugetlb_fault+0x14cd/0x1aa0 mm/hugetlb.c:5778
handle_mm_fault+0x640/0x780 mm/memory.c:5149
do_user_addr_fault+0x475/0x1210 arch/x86/mm/fault.c:1397
handle_page_fault arch/x86/mm/fault.c:1488 [inline]
exc_page_fault+0x94/0x170 arch/x86/mm/fault.c:1544
asm_exc_page_fault+0x22/0x30 arch/x86/include/asm/idtentry.h:570
RIP: 0033:0x7f1419e2cfbd
Code: 0f 18 00 20 91 02 00 48 89 8c 24 72 04 00 00 48 8b 8c 24 70 04 00 00 4c 8d b4 24 80 04 00 00 48 01 df 0f 11 84 24 50 04 00 00 <48> 89 4f 20 66 44 89 ac 24 7a 04 00 00 8b 8c 24 78 04 00 00 41 bd
RSP: 002b:00007f141b0d55e0 EFLAGS: 00010206
RAX: 0002912000180f80 RBX: 00000000207a2000 RCX: 0018001000180000
RDX: 00180f8000180f80 RSI: 0000000000000000 RDI: 00000000207a5e00
RBP: 00000000207a3000 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000207a2000 R11: 00007f141b0d5ad0 R12: 00000000207a3800
R13: 0000000000000008 R14: 00007f141b0d5a60 R15: 0000000000000000
</TASK>

Allocated by task 4084:
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop kernel/entry/common.c:169 [inline]
exit_to_user_mode_prepare+0x23c/0x250 kernel/entry/common.c:201
__syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline]
syscall_exit_to_user_mode+0x19/0x50 kernel/entry/common.c:294
do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd

The buggy address belongs to the object at ffff888145d28ac0
which belongs to the cache hugetlbfs_inode_cache of size 1248
The buggy address is located 1008 bytes inside of
1248-byte region [ffff888145d28ac0, ffff888145d28fa0)

The buggy address belongs to the physical page:
page:ffffea0005174a00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x145d28
head:ffffea0005174a00 order:3 compound_mapcount:0 compound_pincount:0
memcg:ffff88814ab84901
flags: 0x57ff00000010200(slab|head|node=1|zone=2|lastcpupid=0x7ff)
raw: 057ff00000010200 0000000000000000 dead000000000122 ffff888145ac4000
raw: 0000000000000000 0000000080170017 00000001ffffffff ffff88814ab84901
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 4437670818, free_ts 0
page_owner free stack trace missing

Memory state around the buggy address:
ffff888145d28d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888145d28e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888145d28e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888145d28f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888145d28f80: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================


Tested on:

commit: d1221cea Merge tag 'pull-fixes' of git://git.kernel.or..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=129a5bc8880000
kernel config: https://syzkaller.appspot.com/x/.config?x=21f69a9380d79ca9
dashboard link: https://syzkaller.appspot.com/bug?extid=193f9cee8638750b23cf
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2

syzbot

Sep 14, 2022, 4:12:20 AM9/14/22
to sidhart...@oracle.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+193f9c...@syzkaller.appspotmail.com

Tested on:

commit: d1221cea Merge tag 'pull-fixes' of git://git.kernel.or..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=150ea310880000
kernel config: https://syzkaller.appspot.com/x/.config?x=21f69a9380d79ca9
dashboard link: https://syzkaller.appspot.com/bug?extid=193f9cee8638750b23cf
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=13d1e39f080000

Note: testing is done by a robot and is best-effort only.

syzbot

Sep 14, 2022, 4:13:22 AM9/14/22
to sidhart...@oracle.com, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to apply patch:
checking file include/linux/mm_types.h
Hunk #1 succeeded at 836 (offset 82 lines).
checking file mm/hugetlb.c
Hunk #1 succeeded at 5534 (offset 58 lines).
Hunk #2 FAILED at 5495.
Hunk #3 succeeded at 5851 (offset 74 lines).
Hunk #4 succeeded at 5965 (offset 74 lines).
1 out of 4 hunks FAILED



Tested on:

commit: e47eb90a Add linux-next specific files for 20220901
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
patch: https://syzkaller.appspot.com/x/patch.diff?x=15f0c297080000

syzbot

Sep 19, 2022, 11:21:30 AM9/19/22
to sidhart...@oracle.com, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to checkout kernel repo git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/________________________________: failed to run ["git" "fetch" "--force" "f569e972c8e9057ee9c286220c83a480ebf30cc5" "________________________________"]: exit status 128
fatal: couldn't find remote ref ________________________________



Tested on:

commit: [unknown
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git ________________________________
patch: https://syzkaller.appspot.com/x/patch.diff?x=1672060f080000

syzbot

Sep 19, 2022, 11:21:30 AM9/19/22
to sidhart...@oracle.com, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to apply patch:
checking file mm/hugetlb.c
Hunk #1 FAILED at 5502.
Hunk #2 succeeded at 5611 (offset 57 lines).
Hunk #3 succeeded at 5685 (offset 67 lines).
Hunk #4 succeeded at 5743 (offset 67 lines).
Hunk #5 succeeded at 5856 (offset 74 lines).
Hunk #6 FAILED at 5883.
2 out of 6 hunks FAILED



Tested on:

commit: e47eb90a Add linux-next specific files for 20220901
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
patch: https://syzkaller.appspot.com/x/patch.diff?x=11613f30880000

syzbot

Sep 19, 2022, 11:40:22 AM9/19/22
to sidhart...@oracle.com, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to checkout kernel repo https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/________________________________: failed to run ["git" "fetch" "--force" "4d52a57a3858a6eee0d0b25cc3a0c9533f747d8f" "________________________________"]: exit status 128
fatal: couldn't find remote ref ________________________________



Tested on:

commit: [unknown
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git ________________________________
patch: https://syzkaller.appspot.com/x/patch.diff?x=10e67480880000

syzbot

Sep 19, 2022, 11:40:22 AM9/19/22
to sidhart...@oracle.com, syzkall...@googlegroups.com

syzbot

Sep 19, 2022, 11:45:19 AM9/19/22
to sidhart...@oracle.com, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

mm/hugetlb.c:5677:2: error: 'hash' undeclared (first use in this function); did you mean 'jhash'?


Tested on:

commit: 521a547c Linux 6.0-rc6
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
dashboard link: https://syzkaller.appspot.com/bug?extid=193f9cee8638750b23cf
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=140cdf37080000

syzbot

Sep 19, 2022, 12:24:25 PM9/19/22
to sidhart...@oracle.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+193f9c...@syzkaller.appspotmail.com

Tested on:

commit: 521a547c Linux 6.0-rc6
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=17a47290880000
kernel config: https://syzkaller.appspot.com/x/.config?x=e1f468ef6a24aa02
dashboard link: https://syzkaller.appspot.com/bug?extid=193f9cee8638750b23cf
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=17e294dd080000

syzbot

Sep 20, 2022, 10:58:22 AM9/20/22
to sidhart...@oracle.com, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

: hci0: unexpected cc 0x1003 length: 249 > 9
[ 45.089898][ T3613] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 45.097432][ T3613] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 45.105088][ T3613] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 45.112493][ T3613] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 45.120427][ T3610] Bluetooth: hci0: HCI_REQ-0x0c1a
[ 45.175126][ T3615] chnl_net:caif_netlink_parms(): no params data found
[ 45.204398][ T3615] bridge0: port 1(bridge_slave_0) entered blocking state
[ 45.211593][ T3615] bridge0: port 1(bridge_slave_0) entered disabled state
[ 45.219270][ T3615] device bridge_slave_0 entered promiscuous mode
[ 45.226949][ T3615] bridge0: port 2(bridge_slave_1) entered blocking state
[ 45.234078][ T3615] bridge0: port 2(bridge_slave_1) entered disabled state
[ 45.241646][ T3615] device bridge_slave_1 entered promiscuous mode
[ 45.257542][ T3615] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 45.268925][ T3615] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 45.286778][ T3615] team0: Port device team_slave_0 added
[ 45.293864][ T3615] team0: Port device team_slave_1 added
[ 45.307009][ T3615] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 45.314048][ T3615] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 45.340004][ T3615] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 45.351592][ T3615] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 45.358606][ T3615] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 45.384693][ T3615] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 45.405927][ T3615] device hsr_slave_0 entered promiscuous mode
[ 45.412385][ T3615] device hsr_slave_1 entered promiscuous mode
[ 45.462995][ T3615] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 45.471380][ T3615] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 45.479786][ T3615] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 45.487880][ T3615] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 45.496761][ T3615] ------------[ cut here ]------------
[ 45.502267][ T3615] memcpy: detected field-spanning write (size 28) of single field "&endpoint.addr" at drivers/net/wireguard/netlink.c:446 (size 16)
[ 45.516287][ T3615] WARNING: CPU: 0 PID: 3615 at drivers/net/wireguard/netlink.c:446 set_peer+0x991/0x10c0
[ 45.526265][ T3615] Modules linked in:
[ 45.530219][ T3615] CPU: 0 PID: 3615 Comm: syz-executor.0 Not tainted 6.0.0-rc6-next-20220920-syzkaller #0
[ 45.540243][ T3615] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
[ 45.550728][ T3615] RIP: 0010:set_peer+0x991/0x10c0
[ 45.555773][ T3615] Code: 00 e8 e3 02 ae fc b9 10 00 00 00 48 c7 c2 e0 5c 72 8a be 1c 00 00 00 48 c7 c7 40 5d 72 8a c6 05 12 a8 fc 08 01 e8 5c f9 77 04 <0f> 0b e9 03 04 00 00 e8 b3 02 ae fc 89 ee 44 89 ef e8 f9 fe ad fc
[ 45.575894][ T3615] RSP: 0018:ffffc90004bff540 EFLAGS: 00010282
[ 45.582149][ T3615] RAX: 0000000000000000 RBX: ffffc90004bff6d8 RCX: 0000000000000000
[ 45.591205][ T3615] RDX: ffff88802111ba80 RSI: ffffffff81620448 RDI: fffff5200097fe9a
[ 45.599206][ T3615] RBP: ffffc90004bff5e8 R08: 0000000000000005 R09: 0000000000000000
[ 45.607183][ T3615] R10: 0000000080000000 R11: 7720676e696e6e6d R12: 000000000000001c
[ 45.615248][ T3615] R13: 0000000000000000 R14: ffff88802304f104 R15: ffff88806e6d0960
[ 45.623249][ T3615] FS: 0000555556160400(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000
[ 45.632209][ T3615] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 45.638934][ T3615] CR2: 00007f9f6acd32c0 CR3: 000000006e926000 CR4: 00000000003506f0
[ 45.646910][ T3615] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 45.654932][ T3615] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 45.663023][ T3615] Call Trace:
[ 45.666303][ T3615] <TASK>
[ 45.669321][ T3615] ? wg_get_device_done+0x110/0x110
[ 45.674548][ T3615] ? nla_get_range_signed+0x520/0x520
[ 45.680524][ T3615] ? lock_downgrade+0x6e0/0x6e0
[ 45.685406][ T3615] ? __nla_parse+0x3d/0x50
[ 45.689961][ T3615] wg_set_device+0x8d7/0x11b0
[ 45.694672][ T3615] ? fsm_init+0x2d1/0x3b0
[ 45.699072][ T3615] ? set_peer+0x10c0/0x10c0
[ 45.703605][ T3615] ? __nla_parse+0x3d/0x50
[ 45.708019][ T3615] ? genl_family_rcv_msg_attrs_parse.constprop.0+0x1b7/0x290
[ 45.715438][ T3615] ? genl_family_rcv_msg_attrs_parse.constprop.0+0xaf/0x290
[ 45.722766][ T3615] genl_family_rcv_msg_doit+0x228/0x320
[ 45.728311][ T3615] ? genl_family_rcv_msg_attrs_parse.constprop.0+0x290/0x290
[ 45.735811][ T3615] ? ns_capable+0xd9/0x100
[ 45.740274][ T3615] genl_rcv_msg+0x3b7/0x630
[ 45.744782][ T3615] ? genl_get_cmd+0x480/0x480
[ 45.749495][ T3615] ? __alloc_skb+0xd9/0x2f0
[ 45.754007][ T3615] ? netlink_sendmsg+0x9a2/0xe10
[ 45.759018][ T3615] ? sock_sendmsg+0xcf/0x120
[ 45.763636][ T3615] ? set_peer+0x10c0/0x10c0
[ 45.768139][ T3615] ? lock_release+0x810/0x810
[ 45.772921][ T3615] ? rcu_read_lock_sched_held+0xd/0x70
[ 45.778552][ T3615] ? lock_acquire+0x4fc/0x630
[ 45.783255][ T3615] netlink_rcv_skb+0x153/0x420
[ 45.788022][ T3615] ? genl_get_cmd+0x480/0x480
[ 45.793981][ T3615] ? netlink_ack+0xd50/0xd50
[ 45.798624][ T3615] ? netlink_deliver_tap+0x1b1/0xc40
[ 45.803920][ T3615] genl_rcv+0x24/0x40
[ 45.807896][ T3615] netlink_unicast+0x543/0x7f0
[ 45.812705][ T3615] ? netlink_attachskb+0x880/0x880
[ 45.817825][ T3615] ? __virt_addr_valid+0x5d/0x2d0
[ 45.822927][ T3615] ? __phys_addr_symbol+0x2c/0x70
[ 45.827956][ T3615] ? __check_object_size+0x2de/0x5a0
[ 45.833284][ T3615] netlink_sendmsg+0x917/0xe10
[ 45.838061][ T3615] ? netlink_unicast+0x7f0/0x7f0
[ 45.843035][ T3615] ? bpf_lsm_socket_sendmsg+0x5/0x10
[ 45.848365][ T3615] ? netlink_unicast+0x7f0/0x7f0
[ 45.853374][ T3615] sock_sendmsg+0xcf/0x120
[ 45.857814][ T3615] __sys_sendto+0x236/0x340
[ 45.862369][ T3615] ? __ia32_sys_getpeername+0xb0/0xb0
[ 45.867851][ T3615] ? rcu_read_lock_sched_held+0xd/0x70
[ 45.873419][ T3615] ? lock_acquire+0x4fc/0x630
[ 45.878109][ T3615] ? lock_release+0x5cb/0x810
[ 45.882826][ T3615] ? lock_release+0x5cb/0x810
[ 45.887536][ T3615] ? __ct_user_exit+0xff/0x150
[ 45.892428][ T3615] ? lock_downgrade+0x6e0/0x6e0
[ 45.897314][ T3615] ? lock_downgrade+0x6e0/0x6e0
[ 45.902690][ T3615] ? fd_install+0x1f9/0x640
[ 45.907232][ T3615] ? vtime_user_exit+0x218/0x6c0
[ 45.912228][ T3615] __x64_sys_sendto+0xdd/0x1b0
[ 45.917035][ T3615] ? syscall_enter_from_user_mode+0x22/0xb0
[ 45.923023][ T3615] do_syscall_64+0x35/0xb0
[ 45.927468][ T3615] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 45.933468][ T3615] RIP: 0033:0x7f9f69c3c03c
[ 45.937921][ T3615] Code: fa fa ff ff 44 8b 4c 24 2c 4c 8b 44 24 20 89 c5 44 8b 54 24 28 48 8b 54 24 18 b8 2c 00 00 00 48 8b 74 24 10 8b 7c 24 08 0f 05 <48> 3d 00 f0 ff ff 77 34 89 ef 48 89 44 24 08 e8 20 fb ff ff 48 8b
[ 45.957858][ T3615] RSP: 002b:00007f9f6a2cf780 EFLAGS: 00000293 ORIG_RAX: 000000000000002c
[ 45.966496][ T3615] RAX: ffffffffffffffda RBX: 00007f9f6acd4320 RCX: 00007f9f69c3c03c
[ 45.974570][ T3615] RDX: 0000000000000170 RSI: 00007f9f6acd4370 RDI: 0000000000000005
[ 45.982601][ T3615] RBP: 0000000000000000 R08: 00007f9f6a2cf7d4 R09: 000000000000000c
[ 45.990745][ T3615] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000
[ 45.998819][ T3615] R13: 00007f9f6acd4370 R14: 0000000000000005 R15: 0000000000000000
[ 46.006812][ T3615] </TASK>
[ 46.010590][ T3615] Kernel panic - not syncing: panic_on_warn set ...
[ 46.017197][ T3615] CPU: 0 PID: 3615 Comm: syz-executor.0 Not tainted 6.0.0-rc6-next-20220920-syzkaller #0
[ 46.027533][ T3615] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
[ 46.037584][ T3615] Call Trace:
[ 46.041552][ T3615] <TASK>
[ 46.044474][ T3615] dump_stack_lvl+0xcd/0x134
[ 46.049060][ T3615] panic+0x2c8/0x622
[ 46.052970][ T3615] ? panic_print_sys_info.part.0+0x110/0x110
[ 46.059080][ T3615] ? __warn.cold+0x24b/0x350
[ 46.063782][ T3615] ? set_peer+0x991/0x10c0
[ 46.068293][ T3615] __warn.cold+0x25c/0x350
[ 46.072894][ T3615] ? __wake_up_klogd.part.0+0x99/0xf0
[ 46.078272][ T3615] ? set_peer+0x991/0x10c0
[ 46.082704][ T3615] report_bug+0x1bc/0x210
[ 46.087162][ T3615] handle_bug+0x3c/0x60
[ 46.091511][ T3615] exc_invalid_op+0x14/0x40
[ 46.096130][ T3615] asm_exc_invalid_op+0x16/0x20
[ 46.100994][ T3615] RIP: 0010:set_peer+0x991/0x10c0
[ 46.106023][ T3615] Code: 00 e8 e3 02 ae fc b9 10 00 00 00 48 c7 c2 e0 5c 72 8a be 1c 00 00 00 48 c7 c7 40 5d 72 8a c6 05 12 a8 fc 08 01 e8 5c f9 77 04 <0f> 0b e9 03 04 00 00 e8 b3 02 ae fc 89 ee 44 89 ef e8 f9 fe ad fc
[ 46.126086][ T3615] RSP: 0018:ffffc90004bff540 EFLAGS: 00010282
[ 46.132178][ T3615] RAX: 0000000000000000 RBX: ffffc90004bff6d8 RCX: 0000000000000000
[ 46.140340][ T3615] RDX: ffff88802111ba80 RSI: ffffffff81620448 RDI: fffff5200097fe9a
[ 46.148831][ T3615] RBP: ffffc90004bff5e8 R08: 0000000000000005 R09: 0000000000000000
[ 46.156797][ T3615] R10: 0000000080000000 R11: 7720676e696e6e6d R12: 000000000000001c
[ 46.164764][ T3615] R13: 0000000000000000 R14: ffff88802304f104 R15: ffff88806e6d0960
[ 46.172736][ T3615] ? vprintk+0x88/0x90
[ 46.176818][ T3615] ? wg_get_device_done+0x110/0x110
[ 46.182107][ T3615] ? nla_get_range_signed+0x520/0x520
[ 46.187479][ T3615] ? lock_downgrade+0x6e0/0x6e0
[ 46.192333][ T3615] ? __nla_parse+0x3d/0x50
[ 46.196749][ T3615] wg_set_device+0x8d7/0x11b0
[ 46.201433][ T3615] ? fsm_init+0x2d1/0x3b0
[ 46.205761][ T3615] ? set_peer+0x10c0/0x10c0
[ 46.210269][ T3615] ? __nla_parse+0x3d/0x50
[ 46.214688][ T3615] ? genl_family_rcv_msg_attrs_parse.constprop.0+0x1b7/0x290
[ 46.222061][ T3615] ? genl_family_rcv_msg_attrs_parse.constprop.0+0xaf/0x290
[ 46.229364][ T3615] genl_family_rcv_msg_doit+0x228/0x320
[ 46.234925][ T3615] ? genl_family_rcv_msg_attrs_parse.constprop.0+0x290/0x290
[ 46.242306][ T3615] ? ns_capable+0xd9/0x100
[ 46.246728][ T3615] genl_rcv_msg+0x3b7/0x630
[ 46.251245][ T3615] ? genl_get_cmd+0x480/0x480
[ 46.255920][ T3615] ? __alloc_skb+0xd9/0x2f0
[ 46.260508][ T3615] ? netlink_sendmsg+0x9a2/0xe10
[ 46.265447][ T3615] ? sock_sendmsg+0xcf/0x120
[ 46.270120][ T3615] ? set_peer+0x10c0/0x10c0
[ 46.274628][ T3615] ? lock_release+0x810/0x810
[ 46.279300][ T3615] ? rcu_read_lock_sched_held+0xd/0x70
[ 46.284768][ T3615] ? lock_acquire+0x4fc/0x630
[ 46.289454][ T3615] netlink_rcv_skb+0x153/0x420
[ 46.294997][ T3615] ? genl_get_cmd+0x480/0x480
[ 46.299674][ T3615] ? netlink_ack+0xd50/0xd50
[ 46.304276][ T3615] ? netlink_deliver_tap+0x1b1/0xc40
[ 46.309565][ T3615] genl_rcv+0x24/0x40
[ 46.313547][ T3615] netlink_unicast+0x543/0x7f0
[ 46.318312][ T3615] ? netlink_attachskb+0x880/0x880
[ 46.323423][ T3615] ? __virt_addr_valid+0x5d/0x2d0
[ 46.328472][ T3615] ? __phys_addr_symbol+0x2c/0x70
[ 46.334038][ T3615] ? __check_object_size+0x2de/0x5a0
[ 46.339347][ T3615] netlink_sendmsg+0x917/0xe10
[ 46.344388][ T3615] ? netlink_unicast+0x7f0/0x7f0
[ 46.349335][ T3615] ? bpf_lsm_socket_sendmsg+0x5/0x10
[ 46.354656][ T3615] ? netlink_unicast+0x7f0/0x7f0
[ 46.359597][ T3615] sock_sendmsg+0xcf/0x120
[ 46.364014][ T3615] __sys_sendto+0x236/0x340
[ 46.368536][ T3615] ? __ia32_sys_getpeername+0xb0/0xb0
[ 46.374030][ T3615] ? rcu_read_lock_sched_held+0xd/0x70
[ 46.379516][ T3615] ? lock_acquire+0x4fc/0x630
[ 46.384199][ T3615] ? lock_release+0x5cb/0x810
[ 46.388875][ T3615] ? lock_release+0x5cb/0x810
[ 46.393654][ T3615] ? __ct_user_exit+0xff/0x150
[ 46.398417][ T3615] ? lock_downgrade+0x6e0/0x6e0
[ 46.403280][ T3615] ? lock_downgrade+0x6e0/0x6e0
[ 46.408227][ T3615] ? fd_install+0x1f9/0x640
[ 46.412738][ T3615] ? vtime_user_exit+0x218/0x6c0
[ 46.417700][ T3615] __x64_sys_sendto+0xdd/0x1b0
[ 46.422513][ T3615] ? syscall_enter_from_user_mode+0x22/0xb0
[ 46.428540][ T3615] do_syscall_64+0x35/0xb0
[ 46.433052][ T3615] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 46.438967][ T3615] RIP: 0033:0x7f9f69c3c03c
[ 46.443475][ T3615] Code: fa fa ff ff 44 8b 4c 24 2c 4c 8b 44 24 20 89 c5 44 8b 54 24 28 48 8b 54 24 18 b8 2c 00 00 00 48 8b 74 24 10 8b 7c 24 08 0f 05 <48> 3d 00 f0 ff ff 77 34 89 ef 48 89 44 24 08 e8 20 fb ff ff 48 8b
[ 46.463775][ T3615] RSP: 002b:00007f9f6a2cf780 EFLAGS: 00000293 ORIG_RAX: 000000000000002c
[ 46.472210][ T3615] RAX: ffffffffffffffda RBX: 00007f9f6acd4320 RCX: 00007f9f69c3c03c
[ 46.480263][ T3615] RDX: 0000000000000170 RSI: 00007f9f6acd4370 RDI: 0000000000000005
[ 46.488230][ T3615] RBP: 0000000000000000 R08: 00007f9f6a2cf7d4 R09: 000000000000000c
[ 46.496192][ T3615] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000
[ 46.504157][ T3615] R13: 00007f9f6acd4370 R14: 0000000000000005 R15: 0000000000000000
[ 46.512141][ T3615] </TASK>
[ 46.515317][ T3615] Kernel Offset: disabled
[ 46.519641][ T3615] Rebooting in 86400 seconds..
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build4175646322=/tmp/go-build -gno-record-gcc-switches"

git status (err=<nil>)
HEAD detached at 28811d0ac
nothing to commit, working tree clean


go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=28811d0ac5274e8b3730fcf2ad0634d723fcd878 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20220903-151243'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-fuzzer github.com/google/syzkaller/syz-fuzzer
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=28811d0ac5274e8b3730fcf2ad0634d723fcd878 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20220903-151243'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=28811d0ac5274e8b3730fcf2ad0634d723fcd878 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20220903-151243'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-stress github.com/google/syzkaller/tools/syz-stress
mkdir -p ./bin/linux_amd64
gcc -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -static-pie -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"28811d0ac5274e8b3730fcf2ad0634d723fcd878\"


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=16650fd8880000


Tested on:

commit: ef08d387 Add linux-next specific files for 20220920
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
kernel config: https://syzkaller.appspot.com/x/.config?x=6cff191db0198560
dashboard link: https://syzkaller.appspot.com/bug?extid=193f9cee8638750b23cf
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
