BUG: bad usercopy in __check_heap_object (2)


syzbot

Apr 16, 2018, 12:02:03 PM
to syzkaller-upst...@googlegroups.com
Hello,

syzbot hit the following crash on net-next commit
5d1365940a68dd57b031b6e3c07d7d451cd69daf (Thu Apr 12 18:09:05 2018 +0000)
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
syzbot dashboard link:
https://syzkaller.appspot.com/bug?extid=73825a3f080d559e4a9a

Unfortunately, I don't have any reproducer for this crash yet.
Raw console output:
https://syzkaller.appspot.com/x/log.txt?id=4664868057645056
Kernel config:
https://syzkaller.appspot.com/x/.config?id=-5947642240294114534
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
CC: [kees...@chromium.org linux-...@vger.kernel.org linu...@kvack.org]

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+73825a...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for
details.
If you forward the report, please keep this part and the footer.

device lo entered promiscuous mode
usercopy: Kernel memory overwrite attempt detected to SLAB object 'names_cache' (offset 352, size 4064)!
------------[ cut here ]------------
kernel BUG at mm/usercopy.c:100!
invalid opcode: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 11981 Comm: udevd Not tainted 4.16.0+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:usercopy_abort+0xbb/0xbd mm/usercopy.c:88
RSP: 0018:ffff8801ca447a68 EFLAGS: 00010286
RAX: 0000000000000068 RBX: ffffffff887aef8c RCX: 0000000000000000
RDX: 0000000000000068 RSI: ffffffff815fa581 RDI: ffffed0039488f43
RBP: ffff8801ca447ac0 R08: ffff8801d0024780 R09: ffffed003b604f90
R10: ffffed003b604f90 R11: ffff8801db027c87 R12: ffffffff87b2fec0
R13: ffffffff87b2fe00 R14: ffffffff87b2fdc0 R15: ffffffff87b339c0
FS: 00007fb59da6e7a0(0000) GS:ffff8801db000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffc38c98108 CR3: 00000001adf51000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
__check_heap_object+0xb5/0xb5 mm/slab.c:4443
check_heap_object mm/usercopy.c:236 [inline]
__check_object_size+0x4c7/0x5d9 mm/usercopy.c:259
check_object_size include/linux/thread_info.h:112 [inline]
strncpy_from_user+0x109/0x500 lib/strncpy_from_user.c:116
getname_flags+0x113/0x5a0 fs/namei.c:151
getname+0x19/0x20 fs/namei.c:211
do_sys_open+0x39a/0x740 fs/open.c:1087
SYSC_open fs/open.c:1111 [inline]
SyS_open+0x2d/0x40 fs/open.c:1106
do_syscall_64+0x29e/0x9d0 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x7fb59d176120
RSP: 002b:00007ffc38ca0528 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
RAX: ffffffffffffffda RBX: 00000000013f2870 RCX: 00007fb59d176120
RDX: 00000000000001b6 RSI: 0000000000080000 RDI: 00007ffc38ca05f0
RBP: 00007ffc38ca05a0 R08: 0000000000000008 R09: 0000000000000001
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000008
R13: 000000000041f57a R14: 00000000013e1250 R15: 000000000000000b
Code: 55 c0 e8 90 3e bc ff ff 75 c8 48 8b 55 c0 4d 89 f9 ff 75 d0 4d 89 e8
48 89 d9 4c 89 e6 41 56 48 c7 c7 60 00 b3 87 e8 80 a6 a4 ff <0f> 0b e8 65
3e bc ff e8 d0 b5 f7 ff 8b 95 14 ff ff ff 4d 89 e8
RIP: usercopy_abort+0xbb/0xbd mm/usercopy.c:88 RSP: ffff8801ca447a68
---[ end trace 526cceb6fa94ca84 ]---


---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzk...@googlegroups.com.

syzbot will keep track of this bug report.
If you forgot to add the Reported-by tag, once the fix for this bug is merged
into any tree, please reply to this email with:
#syz fix: exact-commit-title
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug
report.
Note: all commands must start from beginning of the line in the email body.
To upstream this report, please reply with:
#syz upstream

Dmitry Vyukov

May 26, 2018, 1:45:17 PM
to syzbot, 'Dmitry Vyukov' via syzkaller-upstream-moderation
On Mon, Apr 16, 2018 at 6:02 PM, syzbot
<syzbot+73825a...@syzkaller.appspotmail.com> wrote:
> Hello,
>
> syzbot hit the following crash on net-next commit
> 5d1365940a68dd57b031b6e3c07d7d451cd69daf (Thu Apr 12 18:09:05 2018 +0000)
> Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
> syzbot dashboard link:
> https://syzkaller.appspot.com/bug?extid=73825a3f080d559e4a9a
>
> Unfortunately, I don't have any reproducer for this crash yet.
> Raw console output:
> https://syzkaller.appspot.com/x/log.txt?id=4664868057645056
> Kernel config:
> https://syzkaller.appspot.com/x/.config?id=-5947642240294114534
> compiler: gcc (GCC) 8.0.1 20180413 (experimental)
> CC: [kees...@chromium.org linux-...@vger.kernel.org linu...@kvack.org]
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+73825a...@syzkaller.appspotmail.com
> It will help syzbot understand when the bug is fixed. See footer for
> details.
> If you forward the report, please keep this part and the footer.
>
> device lo entered promiscuous mode
> usercopy: Kernel memory overwrite attempt detected to SLAB object
> 'names_cache' (offset 352, size 4064)!

This looks like something induced by a previous silent memory
corruption. Happened only once.

#syz invalid