KASAN: user-memory-access Write in do_profile_hits (2)
4 views
Skip to first unread message
syzbot
Oct 9, 2022, 10:46:36 PM10/9/22
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 3f8a27f9e27b Linux 4.19.211
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=159d81dc880000
kernel config: https://syzkaller.appspot.com/x/.config?x=9b9277b418617afe
dashboard link: https://syzkaller.appspot.com/bug?extid=7644c4ee8857e8fd1bfd
compiler: gcc version 10.2.1 20210110 (Debian 10.2.1-6)
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/98c0bdb4abb3/disk-3f8a27f9.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/ea228ff02669/vmlinux-3f8a27f9.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+7644c4...@syzkaller.appspotmail.com
loop5: p28 start 1728127931 is beyond EOD, truncated
loop5: p29 start 3935902735 is beyond EOD, truncated
==================================================================
BUG: KASAN: user-memory-access in atomic_add include/asm-generic/atomic-instrumented.h:143 [inline]
BUG: KASAN: user-memory-access in do_profile_hits.constprop.0+0x2ae/0x610 kernel/profile.c:324
Write of size 4 at addr 00000006ffffe010 by task syz-executor.0/7828
CPU: 1 PID: 7828 Comm: syz-executor.0 Not tainted 4.19.211-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
kasan_report_error.cold+0x15b/0x1b9 mm/kasan/report.c:352
kasan_report+0x8f/0xa0 mm/kasan/report.c:412
atomic_add include/asm-generic/atomic-instrumented.h:143 [inline]
do_profile_hits.constprop.0+0x2ae/0x610 kernel/profile.c:324
profile_hits kernel/profile.c:398 [inline]
profile_hit include/linux/profile.h:64 [inline]
profile_tick+0xd7/0xf0 kernel/profile.c:408
tick_sched_timer+0xfc/0x290 kernel/time/tick-sched.c:1278
__run_hrtimer kernel/time/hrtimer.c:1465 [inline]
__hrtimer_run_queues+0x3f6/0xe60 kernel/time/hrtimer.c:1527
hrtimer_interrupt+0x326/0x9e0 kernel/time/hrtimer.c:1585
local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1071 [inline]
smp_apic_timer_interrupt+0x10c/0x550 arch/x86/kernel/apic/apic.c:1096
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:894
</IRQ>
RIP: 0010:__raw_spin_unlock_irq include/linux/spinlock_api_smp.h:169 [inline]
RIP: 0010:_raw_spin_unlock_irq+0x50/0x80 kernel/locking/spinlock.c:192
Code: c0 98 82 f1 89 48 ba 00 00 00 00 00 fc ff df 48 c1 e8 03 80 3c 10 00 75 31 48 83 3d 01 31 d8 01 00 74 25 fb 66 0f 1f 44 00 00 <bf> 01 00 00 00 e8 26 1b 28 f9 65 8b 05 9f 8d e8 77 85 c0 74 02 5d
RSP: 0018:ffff88803ee37b58 EFLAGS: 00000286 ORIG_RAX: ffffffffffffff13
RAX: 1ffffffff13e3053 RBX: ffff8880af631230 RCX: 0000000000000000
RDX: dffffc0000000000 RSI: 0000000000000001 RDI: ffff88809294cbc4
RBP: ffffffff89e09140 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffffffff89f56fc0
R13: ffff8880af631230 R14: dffffc0000000000 R15: ffff88809ad1de50
spin_unlock_irq include/linux/spinlock.h:379 [inline]
alloc_pid+0x507/0x8f0 kernel/pid.c:226
copy_process.part.0+0x3bc0/0x8260 kernel/fork.c:1927
copy_process kernel/fork.c:1710 [inline]
_do_fork+0x22f/0xf30 kernel/fork.c:2219
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f258d13c9d1
Code: 48 85 ff 74 3d 48 85 f6 74 38 48 83 ee 10 48 89 4e 08 48 89 3e 48 89 d7 4c 89 c2 4d 89 c8 4c 8b 54 24 08 b8 38 00 00 00 0f 05 <48> 85 c0 7c 13 74 01 c3 31 ed 58 5f ff d0 48 89 c7 b8 3c 00 00 00
RSP: 002b:00007ffea98ece58 EFLAGS: 00000206 ORIG_RAX: 0000000000000038
RAX: ffffffffffffffda RBX: 00007f258baaf700 RCX: 00007f258d13c9d1
RDX: 00007f258baaf9d0 RSI: 00007f258baaf2f0 RDI: 00000000003d0f00
RBP: 00007ffea98ed0a0 R08: 00007f258baaf700 R09: 00007f258baaf700
R10: 00007f258baaf9d0 R11: 0000000000000206 R12: 00007ffea98ecf0e
R13: 00007ffea98ecf0f R14: 00007f258baaf300 R15: 0000000000022000
==================================================================
----------------
Code disassembly (best guess), 5 bytes skipped:
0: 48 ba 00 00 00 00 00 movabs $0xdffffc0000000000,%rdx
7: fc ff df
a: 48 c1 e8 03 shr $0x3,%rax
e: 80 3c 10 00 cmpb $0x0,(%rax,%rdx,1)
12: 75 31 jne 0x45
14: 48 83 3d 01 31 d8 01 cmpq $0x0,0x1d83101(%rip) # 0x1d8311d
1b: 00
1c: 74 25 je 0x43
1e: fb sti
1f: 66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1)
* 25: bf 01 00 00 00 mov $0x1,%edi <-- trapping instruction
2a: e8 26 1b 28 f9 callq 0xf9281b55
2f: 65 8b 05 9f 8d e8 77 mov %gs:0x77e88d9f(%rip),%eax # 0x77e88dd5
36: 85 c0 test %eax,%eax
38: 74 02 je 0x3c
3a: 5d pop %rbp
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot found the following issue on:
HEAD commit: 3f8a27f9e27b Linux 4.19.211
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=159d81dc880000
kernel config: https://syzkaller.appspot.com/x/.config?x=9b9277b418617afe
dashboard link: https://syzkaller.appspot.com/bug?extid=7644c4ee8857e8fd1bfd
compiler: gcc version 10.2.1 20210110 (Debian 10.2.1-6)
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/98c0bdb4abb3/disk-3f8a27f9.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/ea228ff02669/vmlinux-3f8a27f9.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+7644c4...@syzkaller.appspotmail.com
loop5: p28 start 1728127931 is beyond EOD, truncated
loop5: p29 start 3935902735 is beyond EOD, truncated
==================================================================
BUG: KASAN: user-memory-access in atomic_add include/asm-generic/atomic-instrumented.h:143 [inline]
BUG: KASAN: user-memory-access in do_profile_hits.constprop.0+0x2ae/0x610 kernel/profile.c:324
Write of size 4 at addr 00000006ffffe010 by task syz-executor.0/7828
CPU: 1 PID: 7828 Comm: syz-executor.0 Not tainted 4.19.211-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
kasan_report_error.cold+0x15b/0x1b9 mm/kasan/report.c:352
kasan_report+0x8f/0xa0 mm/kasan/report.c:412
atomic_add include/asm-generic/atomic-instrumented.h:143 [inline]
do_profile_hits.constprop.0+0x2ae/0x610 kernel/profile.c:324
profile_hits kernel/profile.c:398 [inline]
profile_hit include/linux/profile.h:64 [inline]
profile_tick+0xd7/0xf0 kernel/profile.c:408
tick_sched_timer+0xfc/0x290 kernel/time/tick-sched.c:1278
__run_hrtimer kernel/time/hrtimer.c:1465 [inline]
__hrtimer_run_queues+0x3f6/0xe60 kernel/time/hrtimer.c:1527
hrtimer_interrupt+0x326/0x9e0 kernel/time/hrtimer.c:1585
local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1071 [inline]
smp_apic_timer_interrupt+0x10c/0x550 arch/x86/kernel/apic/apic.c:1096
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:894
</IRQ>
RIP: 0010:__raw_spin_unlock_irq include/linux/spinlock_api_smp.h:169 [inline]
RIP: 0010:_raw_spin_unlock_irq+0x50/0x80 kernel/locking/spinlock.c:192
Code: c0 98 82 f1 89 48 ba 00 00 00 00 00 fc ff df 48 c1 e8 03 80 3c 10 00 75 31 48 83 3d 01 31 d8 01 00 74 25 fb 66 0f 1f 44 00 00 <bf> 01 00 00 00 e8 26 1b 28 f9 65 8b 05 9f 8d e8 77 85 c0 74 02 5d
RSP: 0018:ffff88803ee37b58 EFLAGS: 00000286 ORIG_RAX: ffffffffffffff13
RAX: 1ffffffff13e3053 RBX: ffff8880af631230 RCX: 0000000000000000
RDX: dffffc0000000000 RSI: 0000000000000001 RDI: ffff88809294cbc4
RBP: ffffffff89e09140 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffffffff89f56fc0
R13: ffff8880af631230 R14: dffffc0000000000 R15: ffff88809ad1de50
spin_unlock_irq include/linux/spinlock.h:379 [inline]
alloc_pid+0x507/0x8f0 kernel/pid.c:226
copy_process.part.0+0x3bc0/0x8260 kernel/fork.c:1927
copy_process kernel/fork.c:1710 [inline]
_do_fork+0x22f/0xf30 kernel/fork.c:2219
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f258d13c9d1
Code: 48 85 ff 74 3d 48 85 f6 74 38 48 83 ee 10 48 89 4e 08 48 89 3e 48 89 d7 4c 89 c2 4d 89 c8 4c 8b 54 24 08 b8 38 00 00 00 0f 05 <48> 85 c0 7c 13 74 01 c3 31 ed 58 5f ff d0 48 89 c7 b8 3c 00 00 00
RSP: 002b:00007ffea98ece58 EFLAGS: 00000206 ORIG_RAX: 0000000000000038
RAX: ffffffffffffffda RBX: 00007f258baaf700 RCX: 00007f258d13c9d1
RDX: 00007f258baaf9d0 RSI: 00007f258baaf2f0 RDI: 00000000003d0f00
RBP: 00007ffea98ed0a0 R08: 00007f258baaf700 R09: 00007f258baaf700
R10: 00007f258baaf9d0 R11: 0000000000000206 R12: 00007ffea98ecf0e
R13: 00007ffea98ecf0f R14: 00007f258baaf300 R15: 0000000000022000
==================================================================
----------------
Code disassembly (best guess), 5 bytes skipped:
0: 48 ba 00 00 00 00 00 movabs $0xdffffc0000000000,%rdx
7: fc ff df
a: 48 c1 e8 03 shr $0x3,%rax
e: 80 3c 10 00 cmpb $0x0,(%rax,%rdx,1)
12: 75 31 jne 0x45
14: 48 83 3d 01 31 d8 01 cmpq $0x0,0x1d83101(%rip) # 0x1d8311d
1b: 00
1c: 74 25 je 0x43
1e: fb sti
1f: 66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1)
* 25: bf 01 00 00 00 mov $0x1,%edi <-- trapping instruction
2a: e8 26 1b 28 f9 callq 0xf9281b55
2f: 65 8b 05 9f 8d e8 77 mov %gs:0x77e88d9f(%rip),%eax # 0x77e88dd5
36: 85 c0 test %eax,%eax
38: 74 02 je 0x3c
3a: 5d pop %rbp
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot
Feb 6, 2023, 9:46:32 PM2/6/23
to syzkaller...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.
Crashes did not happen for a while, no reproducer and no activity.
Reply all
Reply to author
Forward
0 new messages