KASAN: use-after-free Write in smpboot_thread_fn


syzbot

Sep 17, 2022, 4:32:45 PM
to syzkaller-upst...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 0966d385830d riscv: Fix auipc+jalr relocation range checks
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes
console output: https://syzkaller.appspot.com/x/log.txt?x=12f034e8880000
kernel config: https://syzkaller.appspot.com/x/.config?x=6295d67591064921
dashboard link: https://syzkaller.appspot.com/bug?extid=b7081aeef567de5fb096
compiler: riscv64-linux-gnu-gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: riscv64
CC: [Henry...@arm.com big...@linutronix.de linux-...@vger.kernel.org long...@huawei.com tg...@linutronix.de vsch...@redhat.com]

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+b7081a...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: use-after-free in smpboot_thread_fn+0x6a/0x6cc kernel/smpboot.c:112
Write of size 8 at addr ffffaf8048f6ebb3 by task ksoftirqd/1/19

CPU: 1 PID: 19 Comm: ksoftirqd/1 Not tainted 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff8000a228>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:113
[<ffffffff831668cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:119
[<ffffffff831756ba>] __dump_stack lib/dump_stack.c:88 [inline]
[<ffffffff831756ba>] dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:106
[<ffffffff8047479e>] print_address_description.constprop.0+0x2a/0x330 mm/kasan/report.c:255
[<ffffffff80474d4c>] __kasan_report mm/kasan/report.c:442 [inline]
[<ffffffff80474d4c>] kasan_report+0x184/0x1e0 mm/kasan/report.c:459
[<ffffffff80475bb6>] check_region_inline mm/kasan/generic.c:183 [inline]
[<ffffffff80475bb6>] __asan_store8+0x6e/0x96 mm/kasan/generic.c:256
[<ffffffff800b1f20>] smpboot_thread_fn+0x6a/0x6cc kernel/smpboot.c:112
[<ffffffff800a7f58>] kthread+0x19e/0x1fa kernel/kthread.c:377

The buggy address belongs to the page:
page:ffffaf807bace6f0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xc916e
flags: 0xc800000000(section=25|node=0|zone=0)
raw: 000000c800000000 ffffaf807bace6f8 ffffaf807bace6f8 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
raw: 00000000000007ff
page dumped because: kasan: bad access detected
page_owner info is not present (never set?)

Memory state around the buggy address:
ffffaf8048f6ea80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffffaf8048f6eb00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffffaf8048f6eb80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffffaf8048f6ec00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffffaf8048f6ec80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
Unable to handle kernel paging request at virtual address ffffaf7f8b935c90
Oops [#1]
Modules linked in:
CPU: 1 PID: 19 Comm: ksoftirqd/1 Tainted: G B 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
Hardware name: riscv-virtio,qemu (DT)
epc : smpboot_thread_fn+0x6e/0x6cc kernel/smpboot.c:112
ra : smpboot_thread_fn+0x6a/0x6cc kernel/smpboot.c:112
epc : ffffffff800b1f24 ra : ffffffff800b1f20 sp : ffffaf800743be10
gp : ffffffff85863ac0 tp : ffffaf8007416100 t0 : 0000000000046000
t1 : fffff5ef012f2bc7 t2 : 0000000000000008 s0 : ffffaf800743be90
s1 : ffffaf80072eb3a0 a0 : 0000000000000001 a1 : 0000000000000007
a2 : 1ffff5f000e82c20 a3 : ffffffff831a6b2e a4 : 0000000000000000
a5 : ffffaf7f8b935730 a6 : 0000000000f00000 a7 : ffffaf8009795e3f
s2 : ffffffff80110fdc s3 : ffffffff8451f630 s4 : 0000000041b58ab3
s5 : 0000000000000001 s6 : ffffaf80072eb3a4 s7 : ffffffff800b1f0a
s8 : ffffaf8007416100 s9 : ffffffff801110e4 s10: ffffaf800743bf40
s11: ffffffff84a5aa90 t3 : 00007fffff513940 t4 : fffff5ef012f2bc7
t5 : fffff5ef012f2bc8 t6 : 2d32303030000000
status: 0000000000000120 badaddr: ffffaf7f8b935c90 cause: 000000000000000f
[<ffffffff800a7f58>] kthread+0x19e/0x1fa kernel/kthread.c:377
---[ end trace 0000000000000000 ]---


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

Dec 12, 2022, 3:26:27 PM
to syzkaller-upst...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.