[syzbot] WARNING: zero-size vmalloc in corrupted


syzbot

Jun 23, 2021, 5:15:23 AM
to ak...@linux-foundation.org, core...@netfilter.org, da...@davemloft.net, dsa...@kernel.org, f...@strlen.de, kad...@netfilter.org, ku...@kernel.org, linux-...@vger.kernel.org, linu...@kvack.org, net...@vger.kernel.org, netfilt...@vger.kernel.org, pa...@netfilter.org, syzkall...@googlegroups.com, yosh...@linux-ipv6.org
Hello,

syzbot found the following issue on:

HEAD commit: 13311e74 Linux 5.13-rc7
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15d01e58300000
kernel config: https://syzkaller.appspot.com/x/.config?x=42ecca11b759d96c
dashboard link: https://syzkaller.appspot.com/bug?extid=c2f6f09fe907a838effb
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14bb89e8300000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17cc51b8300000

The issue was bisected to:

commit f9006acc8dfe59e25aa75729728ac57a8d84fc32
Author: Florian Westphal <f...@strlen.de>
Date: Wed Apr 21 07:51:08 2021 +0000

netfilter: arp_tables: pass table pointer via nf_hook_ops

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=13b88400300000
final oops: https://syzkaller.appspot.com/x/report.txt?x=10788400300000
console output: https://syzkaller.appspot.com/x/log.txt?x=17b88400300000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+c2f6f0...@syzkaller.appspotmail.com
Fixes: f9006acc8dfe ("netfilter: arp_tables: pass table pointer via nf_hook_ops")

usb 1-1: media controller created
dvbdev: dvb_create_media_entity: media entity 'dvb-demux' registered.
cxusb: set interface failed
dvb-usb: bulk message failed: -22 (1/0)
DVB: Unable to find symbol mt352_attach()
dvb-usb: no frontend was attached by 'DViCO FusionHDTV DVB-T USB (LGZ201)'
dvbdev: DVB: registering new adapter (DViCO FusionHDTV DVB-T USB (LGZ201))
usb 1-1: media controller created
------------[ cut here ]------------
WARNING: CPU: 1 PID: 2950 at mm/vmalloc.c:2873 __vmalloc_node_range+0x769/0x970 mm/vmalloc.c:2873
Modules linked in:
CPU: 1 PID: 2950 Comm: kworker/1:2 Not tainted 5.13.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: usb_hub_wq hub_event
RIP: 0010:__vmalloc_node_range+0x769/0x970 mm/vmalloc.c:2873
Code: c7 04 24 00 00 00 00 eb 93 e8 b3 44 c5 ff 44 89 fa 44 89 f6 4c 89 ef e8 05 f7 09 00 48 89 04 24 e9 be fb ff ff e8 97 44 c5 ff <0f> 0b 48


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches

Pavel Skripkin

Jun 23, 2021, 12:19:37 PM
to syzbot, ak...@linux-foundation.org, core...@netfilter.org, da...@davemloft.net, dsa...@kernel.org, f...@strlen.de, kad...@netfilter.org, ku...@kernel.org, linux-...@vger.kernel.org, linu...@kvack.org, net...@vger.kernel.org, netfilt...@vger.kernel.org, pa...@netfilter.org, syzkall...@googlegroups.com, yosh...@linux-ipv6.org
On Wed, 23 Jun 2021 02:15:23 -0700
syzbot <syzbot+c2f6f0...@syzkaller.appspotmail.com> wrote:

> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 13311e74 Linux 5.13-rc7
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=15d01e58300000
> kernel config: https://syzkaller.appspot.com/x/.config?x=42ecca11b759d96c
> dashboard link: https://syzkaller.appspot.com/bug?extid=c2f6f09fe907a838effb
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14bb89e8300000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17cc51b8300000
>
> The issue was bisected to:
>
> commit f9006acc8dfe59e25aa75729728ac57a8d84fc32
> Author: Florian Westphal <f...@strlen.de>
> Date: Wed Apr 21 07:51:08 2021 +0000
>
> netfilter: arp_tables: pass table pointer via nf_hook_ops
>
> bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=13b88400300000
> final oops: https://syzkaller.appspot.com/x/report.txt?x=10788400300000
> console output: https://syzkaller.appspot.com/x/log.txt?x=17b88400300000
>

This one is similar to previous zero-size vmalloc, I guess :)

#syz test
git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master


With regards,
Pavel Skripkin
0001-media-dvb-usb-fix-wrong-definition.patch

Pavel Skripkin

Jun 23, 2021, 12:28:45 PM
to syzbot, ak...@linux-foundation.org, core...@netfilter.org, da...@davemloft.net, dsa...@kernel.org, f...@strlen.de, kad...@netfilter.org, ku...@kernel.org, linux-...@vger.kernel.org, linu...@kvack.org, net...@vger.kernel.org, netfilt...@vger.kernel.org, pa...@netfilter.org, syzkall...@googlegroups.com, yosh...@linux-ipv6.org
Hah, I didn't notice that this one is already fixed by me. But the
patch is in the media tree, it's not upstreamed yet:

https://git.linuxtv.org/media_tree.git/commit/?id=c680ed46e418e9c785d76cf44eb33bfd1e8cf3f6

So,

#syz dup: WARNING: zero-size vmalloc in dvb_dmx_init

With regards,
Pavel Skripkin

syzbot

Jun 23, 2021, 12:28:45 PM
to Pavel Skripkin, ak...@linux-foundation.org, core...@netfilter.org, da...@davemloft.net, dsa...@kernel.org, f...@strlen.de, kad...@netfilter.org, ku...@kernel.org, linux-...@vger.kernel.org, linu...@kvack.org, net...@vger.kernel.org, netfilt...@vger.kernel.org, pa...@netfilter.org, paskr...@gmail.com, syzkall...@googlegroups.com, yosh...@linux-ipv6.org
Can't dup bug to a bug in different reporting (upstream->internal). Please dup syzbot bugs only onto syzbot bugs for the same kernel/reporting.

>
> With regards,
> Pavel Skripkin

syzbot

Jun 23, 2021, 12:37:08 PM
to ak...@linux-foundation.org, core...@netfilter.org, da...@davemloft.net, dsa...@kernel.org, f...@strlen.de, kad...@netfilter.org, ku...@kernel.org, linux-...@vger.kernel.org, linu...@kvack.org, net...@vger.kernel.org, netfilt...@vger.kernel.org, pa...@netfilter.org, paskr...@gmail.com, syzkall...@googlegroups.com, yosh...@linux-ipv6.org
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: sleeping function called from invalid context in lock_sock_nested

BUG: sleeping function called from invalid context at net/core/sock.c:3064
in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 8843, name: syz-executor.2
1 lock held by syz-executor.2/8843:
#0: ffffffff8d0c43c0 (hci_sk_list.lock){++++}-{2:2}, at: hci_sock_dev_event+0x3db/0x660 net/bluetooth/hci_sock.c:763
Preemption disabled at:
[<0000000000000000>] 0x0
CPU: 1 PID: 8843 Comm: syz-executor.2 Not tainted 5.13.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:79 [inline]
dump_stack+0x141/0x1d7 lib/dump_stack.c:120
___might_sleep.cold+0x1f1/0x237 kernel/sched/core.c:8337
lock_sock_nested+0x25/0x120 net/core/sock.c:3064
lock_sock include/net/sock.h:1610 [inline]
hci_sock_dev_event+0x465/0x660 net/bluetooth/hci_sock.c:765
hci_unregister_dev+0x2fd/0x1130 net/bluetooth/hci_core.c:4013
vhci_release+0x70/0xe0 drivers/bluetooth/hci_vhci.c:340
__fput+0x288/0x920 fs/file_table.c:280
task_work_run+0xdd/0x1a0 kernel/task_work.c:164
exit_task_work include/linux/task_work.h:32 [inline]
do_exit+0xbfc/0x2a60 kernel/exit.c:826
do_group_exit+0x125/0x310 kernel/exit.c:923
__do_sys_exit_group kernel/exit.c:934 [inline]
__se_sys_exit_group kernel/exit.c:932 [inline]
__x64_sys_exit_group+0x3a/0x50 kernel/exit.c:932
do_syscall_64+0x3a/0xb0 arch/x86/entry/common.c:47
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x4665d9
Code: Unable to access opcode bytes at RIP 0x4665af.
RSP: 002b:00007fff82506ba8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 00007fff82507368 RCX: 00000000004665d9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000043
RBP: 0000000000000000 R08: 0000000000000025 R09: 00007fff82507368
R10: 00000000ffffffff R11: 0000000000000246 R12: 00000000004bef54
R13: 0000000000000010 R14: 0000000000000000 R15: 0000000000400538

======================================================


Tested on:

commit: 0c18f29a module: limit enabling module.sig_enforce
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=17ae9658300000
kernel config: https://syzkaller.appspot.com/x/.config?x=3932cedd2c2d4a69
dashboard link: https://syzkaller.appspot.com/bug?extid=c2f6f09fe907a838effb
compiler:
patch: https://syzkaller.appspot.com/x/patch.diff?x=10fc8400300000

Dmitry Vyukov

Jun 24, 2021, 2:17:32 AM
to syzbot, Pavel Skripkin, ak...@linux-foundation.org, core...@netfilter.org, da...@davemloft.net, dsa...@kernel.org, f...@strlen.de, kad...@netfilter.org, ku...@kernel.org, linux-...@vger.kernel.org, linu...@kvack.org, net...@vger.kernel.org, netfilt...@vger.kernel.org, pa...@netfilter.org, syzkall...@googlegroups.com, yosh...@linux-ipv6.org
I think we can say:

#syz dup: WARNING in __vmalloc_node_range
https://syzkaller.appspot.com/bug?id=3c558412597cc402fd7fbb250ca30d04d46c8c60

as that was the original bug report.