KASAN: invalid-free in rcu_core


syzbot

Mar 14, 2019, 11:32:06 PM3/14/19
to syzkaller-upst...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 3b319ee2 Merge tag 'acpi-5.1-rc1-2' of git://git.kernel.or..
git tree: net-next
console output: https://syzkaller.appspot.com/x/log.txt?x=11cbbb6f200000
kernel config: https://syzkaller.appspot.com/x/.config?x=f05902bca21d8935
dashboard link: https://syzkaller.appspot.com/bug?extid=9e7d5ddd584b5ea6c40f
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
userspace arch: amd64
CC: [linux-...@vger.kernel.org mi...@kernel.org pet...@infradead.org net...@vger.kernel.org]

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+9e7d5d...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: double-free or invalid-free in __rcu_reclaim kernel/rcu/rcu.h:220 [inline]
BUG: KASAN: double-free or invalid-free in rcu_do_batch kernel/rcu/tree.c:2475 [inline]
BUG: KASAN: double-free or invalid-free in invoke_rcu_callbacks kernel/rcu/tree.c:2788 [inline]
BUG: KASAN: double-free or invalid-free in rcu_core+0xa4b/0x1390 kernel/rcu/tree.c:2769

CPU: 0 PID: 9 Comm: ksoftirqd/0 Not tainted 5.0.0+ #98
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x172/0x1f0 lib/dump_stack.c:113
print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187
kasan_report_invalid_free+0x65/0xa0 mm/kasan/report.c:278
__kasan_slab_free+0x13a/0x150 mm/kasan/common.c:438
kasan_slab_free+0xe/0x10 mm/kasan/common.c:467
__cache_free mm/slab.c:3498 [inline]
kfree+0xcf/0x230 mm/slab.c:3821
__rcu_reclaim kernel/rcu/rcu.h:220 [inline]
rcu_do_batch kernel/rcu/tree.c:2475 [inline]
invoke_rcu_callbacks kernel/rcu/tree.c:2788 [inline]
rcu_core+0xa4b/0x1390 kernel/rcu/tree.c:2769
__do_softirq+0x266/0x95a kernel/softirq.c:293
run_ksoftirqd kernel/softirq.c:655 [inline]
run_ksoftirqd+0x8e/0x110 kernel/softirq.c:647
smpboot_thread_fn+0x6ab/0xa10 kernel/smpboot.c:164
kthread+0x357/0x430 kernel/kthread.c:253
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352

Allocated by task 7676:
save_stack+0x45/0xd0 mm/kasan/common.c:75
set_track mm/kasan/common.c:87 [inline]
__kasan_kmalloc mm/kasan/common.c:497 [inline]
__kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:470
kasan_slab_alloc+0xf/0x20 mm/kasan/common.c:505
slab_post_alloc_hook mm/slab.h:436 [inline]
slab_alloc mm/slab.c:3392 [inline]
kmem_cache_alloc+0x11a/0x6f0 mm/slab.c:3554
prepare_creds+0x3e/0x3f0 kernel/cred.c:254
copy_creds+0x7b/0x6c0 kernel/cred.c:346
copy_process.part.0+0xb54/0x7980 kernel/fork.c:1785
copy_process kernel/fork.c:1709 [inline]
_do_fork+0x257/0xfd0 kernel/fork.c:2226
__do_sys_clone kernel/fork.c:2333 [inline]
__se_sys_clone kernel/fork.c:2327 [inline]
__x64_sys_clone+0xbf/0x150 kernel/fork.c:2327
do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 7690:
save_stack+0x45/0xd0 mm/kasan/common.c:75
set_track mm/kasan/common.c:87 [inline]
__kasan_slab_free+0x102/0x150 mm/kasan/common.c:459
kasan_slab_free+0xe/0x10 mm/kasan/common.c:467
__cache_free mm/slab.c:3498 [inline]
kmem_cache_free+0x86/0x260 mm/slab.c:3764
put_cred_rcu+0x2b6/0x4b0 kernel/cred.c:127
__rcu_reclaim kernel/rcu/rcu.h:227 [inline]
rcu_do_batch kernel/rcu/tree.c:2475 [inline]
invoke_rcu_callbacks kernel/rcu/tree.c:2788 [inline]
rcu_core+0x928/0x1390 kernel/rcu/tree.c:2769
__do_softirq+0x266/0x95a kernel/softirq.c:293

The buggy address belongs to the object at ffff88809af4e000
which belongs to the cache cred_jar(17:syz0) of size 184
The buggy address is located 168 bytes inside of
184-byte region [ffff88809af4e000, ffff88809af4e0b8)
The buggy address belongs to the page:
page:ffffea00026bd380 count:1 mapcount:0 mapping:ffff88808fefeb00 index:0xffff88809af4e200
flags: 0x1fffc0000000200(slab)
raw: 01fffc0000000200 ffffea0002854888 ffffea0002565ec8 ffff88808fefeb00
raw: ffff88809af4e200 ffff88809af4e000 0000000100000002 ffff88806d57e300
page dumped because: kasan: bad access detected
page->mem_cgroup:ffff88806d57e300

Memory state around the buggy address:
ffff88809af4df80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88809af4e000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ffff88809af4e080: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
^
ffff88809af4e100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88809af4e180: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc
==================================================================


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
syzbot.

syzbot

Sep 10, 2019, 8:10:04 PM9/10/19
to syzkaller-upst...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.