KASAN: wild-memory-access Read in ep_poll_callback


syzbot

Nov 26, 2022, 6:25:50 AM
to syzkaller-upst...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 0966d385830d riscv: Fix auipc+jalr relocation range checks
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes
console output: https://syzkaller.appspot.com/x/log.txt?x=13d9f563880000
kernel config: https://syzkaller.appspot.com/x/.config?x=6295d67591064921
dashboard link: https://syzkaller.appspot.com/bug?extid=255b773a6676742482bf
compiler: riscv64-linux-gnu-gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: riscv64
CC: [linux-...@vger.kernel.org linux-...@vger.kernel.org vi...@zeniv.linux.org.uk]

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+255b77...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: wild-memory-access in __wake_up_common+0x108/0x236 kernel/sched/wait.c:101
Read of size 8 at addr 3120382032332033 by task sshd/2015

CPU: 1 PID: 2015 Comm: sshd Not tainted 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff8000a228>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:113
[<ffffffff831668cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:119
[<ffffffff831756ba>] __dump_stack lib/dump_stack.c:88 [inline]
[<ffffffff831756ba>] dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:106
[<ffffffff80474da6>] __kasan_report mm/kasan/report.c:446 [inline]
[<ffffffff80474da6>] kasan_report+0x1de/0x1e0 mm/kasan/report.c:459
[<ffffffff80475b20>] check_region_inline mm/kasan/generic.c:183 [inline]
[<ffffffff80475b20>] __asan_load8+0x6e/0x96 mm/kasan/generic.c:256
[<ffffffff800f76ca>] __wake_up_common+0x108/0x236 kernel/sched/wait.c:101
[<ffffffff800f78ce>] __wake_up_common_lock+0xd6/0x136 kernel/sched/wait.c:138
[<ffffffff800f793e>] __wake_up+0x10/0x18 kernel/sched/wait.c:157
[<ffffffff80587a32>] ep_poll_callback+0x194/0xa40 fs/eventpoll.c:1201
[<ffffffff800f7678>] __wake_up_common+0xb6/0x236 kernel/sched/wait.c:108
[<ffffffff800f78ce>] __wake_up_common_lock+0xd6/0x136 kernel/sched/wait.c:138
[<ffffffff800f795a>] __wake_up_sync_key+0x14/0x1e kernel/sched/wait.c:205
[<ffffffff826e2060>] sock_def_readable+0xe4/0x50e net/core/sock.c:3147
[<ffffffff82b406b6>] tcp_data_ready+0xa6/0x2e0 net/ipv4/tcp_input.c:4977
[<ffffffff82b44240>] tcp_rcv_established+0x146a/0x15e6 net/ipv4/tcp_input.c:5916
[<ffffffff82b6c712>] tcp_v4_do_rcv+0x4b4/0x66e net/ipv4/tcp_ipv4.c:1719
[<ffffffff82b710c2>] tcp_v4_rcv+0x1d22/0x1f46 net/ipv4/tcp_ipv4.c:2119
[<ffffffff82aeb282>] ip_protocol_deliver_rcu+0x9c/0x8c0 net/ipv4/ip_input.c:204
[<ffffffff82aebbd2>] ip_local_deliver_finish+0x12c/0x278 net/ipv4/ip_input.c:231
[<ffffffff82aebe7e>] NF_HOOK include/linux/netfilter.h:307 [inline]
[<ffffffff82aebe7e>] NF_HOOK include/linux/netfilter.h:301 [inline]
[<ffffffff82aebe7e>] ip_local_deliver+0x160/0x464 net/ipv4/ip_input.c:252
[<ffffffff82aead94>] dst_input include/net/dst.h:461 [inline]
[<ffffffff82aead94>] ip_rcv_finish+0x162/0x1f6 net/ipv4/ip_input.c:429
[<ffffffff82aec256>] NF_HOOK include/linux/netfilter.h:307 [inline]
[<ffffffff82aec256>] NF_HOOK include/linux/netfilter.h:301 [inline]
[<ffffffff82aec256>] ip_rcv+0xd4/0x3be net/ipv4/ip_input.c:540
[<ffffffff8273d308>] __netif_receive_skb_one_core+0xf0/0x13a net/core/dev.c:5351
[<ffffffff8273d534>] __netif_receive_skb+0x36/0xd8 net/core/dev.c:5465
[<ffffffff8273e15e>] process_backlog+0x206/0x4bc net/core/dev.c:5797
[<ffffffff82740c14>] __napi_poll+0x7c/0x358 net/core/dev.c:6365
[<ffffffff827418a0>] napi_poll net/core/dev.c:6432 [inline]
[<ffffffff827418a0>] net_rx_action+0x5d0/0x702 net/core/dev.c:6519
[<ffffffff831b082c>] __do_softirq+0x274/0x8fc kernel/softirq.c:558
[<ffffffff80060ea0>] do_softirq_own_stack include/asm-generic/softirq_stack.h:10 [inline]
[<ffffffff80060ea0>] do_softirq kernel/softirq.c:459 [inline]
[<ffffffff80060ea0>] do_softirq+0x158/0x15a kernel/softirq.c:446
[<ffffffff80061124>] __local_bh_enable_ip+0x282/0x2a4 kernel/softirq.c:383
[<ffffffff82af5eaa>] local_bh_enable include/linux/bottom_half.h:33 [inline]
[<ffffffff82af5eaa>] rcu_read_unlock_bh include/linux/rcupdate.h:764 [inline]
[<ffffffff82af5eaa>] ip_finish_output2+0x57c/0x1720 net/ipv4/ip_output.c:222
[<ffffffff82af8978>] __ip_finish_output net/ipv4/ip_output.c:299 [inline]
[<ffffffff82af8978>] __ip_finish_output+0x25a/0x3ee net/ipv4/ip_output.c:281
[<ffffffff82af8b4a>] ip_finish_output+0x3e/0x176 net/ipv4/ip_output.c:309
[<ffffffff82af8e52>] NF_HOOK_COND include/linux/netfilter.h:296 [inline]
[<ffffffff82af8e52>] ip_output+0x1d0/0x2d0 net/ipv4/ip_output.c:423
[<ffffffff82afbbce>] dst_output include/net/dst.h:451 [inline]
[<ffffffff82afbbce>] ip_local_out net/ipv4/ip_output.c:126 [inline]
[<ffffffff82afbbce>] __ip_queue_xmit+0x4a0/0xeb2 net/ipv4/ip_output.c:525
[<ffffffff82afc616>] ip_queue_xmit+0x36/0x44 net/ipv4/ip_output.c:539
[<ffffffff82b4fd54>] __tcp_transmit_skb+0xce4/0x1f5e net/ipv4/tcp_output.c:1402
[<ffffffff82b54b90>] tcp_transmit_skb net/ipv4/tcp_output.c:1420 [inline]
[<ffffffff82b54b90>] tcp_write_xmit+0xd40/0x3344 net/ipv4/tcp_output.c:2680
[<ffffffff82b5720e>] __tcp_push_pending_frames+0x7a/0x22c net/ipv4/tcp_output.c:2864
[<ffffffff82b192c2>] tcp_push+0x19c/0x3b4 net/ipv4/tcp.c:725
[<ffffffff82b1b71e>] tcp_sendmsg_locked+0x5fc/0x1d9e net/ipv4/tcp.c:1412
[<ffffffff82b1cef2>] tcp_sendmsg+0x32/0x4e net/ipv4/tcp.c:1440
[<ffffffff82bbe3e6>] inet_sendmsg+0x74/0x94 net/ipv4/af_inet.c:819
[<ffffffff826d264e>] sock_sendmsg_nosec net/socket.c:705 [inline]
[<ffffffff826d264e>] sock_sendmsg+0xa0/0xc4 net/socket.c:725
[<ffffffff826d2832>] sock_write_iter+0x1c0/0x272 net/socket.c:1061
[<ffffffff804c4ce0>] call_write_iter include/linux/fs.h:2074 [inline]
[<ffffffff804c4ce0>] new_sync_write+0x296/0x3aa fs/read_write.c:503
[<ffffffff804c86f4>] vfs_write+0x2de/0x334 fs/read_write.c:590
[<ffffffff804c8b68>] ksys_write+0x1c4/0x224 fs/read_write.c:643
[<ffffffff804c8bf0>] __do_sys_write fs/read_write.c:655 [inline]
[<ffffffff804c8bf0>] sys_write+0x28/0x36 fs/read_write.c:652
[<ffffffff80005716>] ret_from_syscall+0x0/0x2
==================================================================
Unable to handle kernel paging request at virtual address 3120382032332033
Oops [#1]
Modules linked in:
CPU: 1 PID: 2015 Comm: sshd Tainted: G B 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
Hardware name: riscv-virtio,qemu (DT)
epc : __wake_up_common+0x108/0x236 kernel/sched/wait.c:101
ra : __wake_up_common+0x108/0x236 kernel/sched/wait.c:101
epc : ffffffff800f76ca ra : ffffffff800f76ca sp : ffffaf800c456200
gp : ffffffff85863ac0 tp : ffffaf800ba88000 t0 : ffffffff86bd9f98
t1 : fffff5ef0b53c90c t2 : 0000000000000000 s0 : ffffaf800c456270
s1 : ffffffff8451f618 a0 : 0000000000000001 a1 : 0000000000000003
a2 : 1ffff5f001751001 a3 : ffffffff831afd3a a4 : 0000000000000000
a5 : ffffaf800ba89000 a6 : 0000000000f00000 a7 : ffffaf805a9e4863
s2 : 312038203233201b s3 : 3120382032332033 s4 : 0000000000000000
s5 : ffffaf800b7568d0 s6 : ffffaf800c4562b0 s7 : 0000000000000001
s8 : 0000000000000003 s9 : 0000000000000000 s10: 0000000000000000
s11: 0000000032203634 t3 : 00000000746e6961 t4 : fffff5ef0b53c90c
t5 : fffff5ef0b53c90d t6 : ffffffff86bd9fc7
status: 0000000000000100 badaddr: 3120382032332033 cause: 000000000000000d
[<ffffffff800f78ce>] __wake_up_common_lock+0xd6/0x136 kernel/sched/wait.c:138
[<ffffffff800f793e>] __wake_up+0x10/0x18 kernel/sched/wait.c:157
[<ffffffff80587a32>] ep_poll_callback+0x194/0xa40 fs/eventpoll.c:1201
[<ffffffff800f7678>] __wake_up_common+0xb6/0x236 kernel/sched/wait.c:108
[<ffffffff800f78ce>] __wake_up_common_lock+0xd6/0x136 kernel/sched/wait.c:138
[<ffffffff800f795a>] __wake_up_sync_key+0x14/0x1e kernel/sched/wait.c:205
[<ffffffff826e2060>] sock_def_readable+0xe4/0x50e net/core/sock.c:3147
[<ffffffff82b406b6>] tcp_data_ready+0xa6/0x2e0 net/ipv4/tcp_input.c:4977
[<ffffffff82b44240>] tcp_rcv_established+0x146a/0x15e6 net/ipv4/tcp_input.c:5916
[<ffffffff82b6c712>] tcp_v4_do_rcv+0x4b4/0x66e net/ipv4/tcp_ipv4.c:1719
[<ffffffff82b710c2>] tcp_v4_rcv+0x1d22/0x1f46 net/ipv4/tcp_ipv4.c:2119
[<ffffffff82aeb282>] ip_protocol_deliver_rcu+0x9c/0x8c0 net/ipv4/ip_input.c:204
[<ffffffff82aebbd2>] ip_local_deliver_finish+0x12c/0x278 net/ipv4/ip_input.c:231
[<ffffffff82aebe7e>] NF_HOOK include/linux/netfilter.h:307 [inline]
[<ffffffff82aebe7e>] NF_HOOK include/linux/netfilter.h:301 [inline]
[<ffffffff82aebe7e>] ip_local_deliver+0x160/0x464 net/ipv4/ip_input.c:252
[<ffffffff82aead94>] dst_input include/net/dst.h:461 [inline]
[<ffffffff82aead94>] ip_rcv_finish+0x162/0x1f6 net/ipv4/ip_input.c:429
[<ffffffff82aec256>] NF_HOOK include/linux/netfilter.h:307 [inline]
[<ffffffff82aec256>] NF_HOOK include/linux/netfilter.h:301 [inline]
[<ffffffff82aec256>] ip_rcv+0xd4/0x3be net/ipv4/ip_input.c:540
[<ffffffff8273d308>] __netif_receive_skb_one_core+0xf0/0x13a net/core/dev.c:5351
[<ffffffff8273d534>] __netif_receive_skb+0x36/0xd8 net/core/dev.c:5465
[<ffffffff8273e15e>] process_backlog+0x206/0x4bc net/core/dev.c:5797
[<ffffffff82740c14>] __napi_poll+0x7c/0x358 net/core/dev.c:6365
[<ffffffff827418a0>] napi_poll net/core/dev.c:6432 [inline]
[<ffffffff827418a0>] net_rx_action+0x5d0/0x702 net/core/dev.c:6519
[<ffffffff831b082c>] __do_softirq+0x274/0x8fc kernel/softirq.c:558
[<ffffffff80060ea0>] do_softirq_own_stack include/asm-generic/softirq_stack.h:10 [inline]
[<ffffffff80060ea0>] do_softirq kernel/softirq.c:459 [inline]
[<ffffffff80060ea0>] do_softirq+0x158/0x15a kernel/softirq.c:446
[<ffffffff80061124>] __local_bh_enable_ip+0x282/0x2a4 kernel/softirq.c:383
[<ffffffff82af5eaa>] local_bh_enable include/linux/bottom_half.h:33 [inline]
[<ffffffff82af5eaa>] rcu_read_unlock_bh include/linux/rcupdate.h:764 [inline]
[<ffffffff82af5eaa>] ip_finish_output2+0x57c/0x1720 net/ipv4/ip_output.c:222
[<ffffffff82af8978>] __ip_finish_output net/ipv4/ip_output.c:299 [inline]
[<ffffffff82af8978>] __ip_finish_output+0x25a/0x3ee net/ipv4/ip_output.c:281
[<ffffffff82af8b4a>] ip_finish_output+0x3e/0x176 net/ipv4/ip_output.c:309
[<ffffffff82af8e52>] NF_HOOK_COND include/linux/netfilter.h:296 [inline]
[<ffffffff82af8e52>] ip_output+0x1d0/0x2d0 net/ipv4/ip_output.c:423
[<ffffffff82afbbce>] dst_output include/net/dst.h:451 [inline]
[<ffffffff82afbbce>] ip_local_out net/ipv4/ip_output.c:126 [inline]
[<ffffffff82afbbce>] __ip_queue_xmit+0x4a0/0xeb2 net/ipv4/ip_output.c:525
[<ffffffff82afc616>] ip_queue_xmit+0x36/0x44 net/ipv4/ip_output.c:539
[<ffffffff82b4fd54>] __tcp_transmit_skb+0xce4/0x1f5e net/ipv4/tcp_output.c:1402
[<ffffffff82b54b90>] tcp_transmit_skb net/ipv4/tcp_output.c:1420 [inline]
[<ffffffff82b54b90>] tcp_write_xmit+0xd40/0x3344 net/ipv4/tcp_output.c:2680
[<ffffffff82b5720e>] __tcp_push_pending_frames+0x7a/0x22c net/ipv4/tcp_output.c:2864
[<ffffffff82b192c2>] tcp_push+0x19c/0x3b4 net/ipv4/tcp.c:725
[<ffffffff82b1b71e>] tcp_sendmsg_locked+0x5fc/0x1d9e net/ipv4/tcp.c:1412
[<ffffffff82b1cef2>] tcp_sendmsg+0x32/0x4e net/ipv4/tcp.c:1440
[<ffffffff82bbe3e6>] inet_sendmsg+0x74/0x94 net/ipv4/af_inet.c:819
[<ffffffff826d264e>] sock_sendmsg_nosec net/socket.c:705 [inline]
[<ffffffff826d264e>] sock_sendmsg+0xa0/0xc4 net/socket.c:725
[<ffffffff826d2832>] sock_write_iter+0x1c0/0x272 net/socket.c:1061
[<ffffffff804c4ce0>] call_write_iter include/linux/fs.h:2074 [inline]
[<ffffffff804c4ce0>] new_sync_write+0x296/0x3aa fs/read_write.c:503
[<ffffffff804c86f4>] vfs_write+0x2de/0x334 fs/read_write.c:590
[<ffffffff804c8b68>] ksys_write+0x1c4/0x224 fs/read_write.c:643
[<ffffffff804c8bf0>] __do_sys_write fs/read_write.c:655 [inline]
[<ffffffff804c8bf0>] sys_write+0x28/0x36 fs/read_write.c:652
[<ffffffff80005716>] ret_from_syscall+0x0/0x2


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

Mar 9, 2023, 9:58:35 PM
to syzkaller-upst...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.