BUG: unable to handle kernel paging request in free_block (3)


syzbot

Mar 29, 2018, 7:01:03 PM3/29/18
to syzkaller-upst...@googlegroups.com
Hello,

syzbot hit the following crash on net-next commit
5d22d47b9ed96eddb35821dc2cc4f629f45827f7 (Tue Mar 27 17:33:21 2018 +0000)
Merge branch 'sfc-filter-locking'
syzbot dashboard link:
https://syzkaller.appspot.com/bug?extid=a438b986a3ad4641a320

Unfortunately, I don't have any reproducer for this crash yet.
Raw console output:
https://syzkaller.appspot.com/x/log.txt?id=6449941023031296
Kernel config:
https://syzkaller.appspot.com/x/.config?id=4372867303600475372
compiler: gcc (GCC) 7.1.1 20170620
CC: [ak...@linux-foundation.org dan.j.w...@intel.com hu...@google.com
jgl...@redhat.com kirill....@linux.intel.com
linux-...@vger.kernel.org linu...@kvack.org mho...@suse.com
min...@kernel.org ross.z...@linux.intel.com wi...@infradead.org
ying....@intel.com]

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+a438b9...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for
details.
If you forward the report, please keep this part and the footer.

kernel msg: ebtables bug: please report to author: counter_offset != totalcnt
sctp: [Deprecated]: syz-executor0 (pid 22827) Use of struct sctp_assoc_value in delayed_ack socket option.
Use struct sctp_sack_info instead
BUG: unable to handle kernel paging request at ffff8802b62ec347
IP: slab_put_obj mm/slab.c:2612 [inline]
IP: free_block+0x158/0x280 mm/slab.c:3405
PGD 9cf2067 P4D 9cf2067 PUD 0
Oops: 0002 [#1] SMP KASAN
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 22835 Comm: syz-executor4 Not tainted 4.16.0-rc6+ #284
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:slab_put_obj mm/slab.c:2612 [inline]
RIP: 0010:free_block+0x158/0x280 mm/slab.c:3405
RSP: 0000:ffff8801b065f7c0 EFLAGS: 00010086
RAX: 0000000000000000 RBX: ffff8801db333ef8 RCX: 00000000ffffffff
RDX: ffff8801b62ec348 RSI: ffff8801b62ec348 RDI: 0000000000000000
RBP: ffff8801b065f808 R08: 0000000006d8bb00 R09: ffff8801dac01a58
R10: ffff8801b065f6d0 R11: 0000000000000000 R12: ffff8801dac00dc0
R13: ffffea0006d8bb20 R14: ffff8801dac01a00 R15: ffffea0006d8bb00
FS: 000000000189c940(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff8802b62ec347 CR3: 00000001ac6ca002 CR4: 00000000001606e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
cache_flusharray mm/slab.c:3456 [inline]
___cache_free+0x20a/0x2f0 mm/slab.c:3514
qlink_free mm/kasan/quarantine.c:147 [inline]
qlist_free_all+0x8c/0x160 mm/kasan/quarantine.c:166
quarantine_reduce+0x141/0x170 mm/kasan/quarantine.c:259
kasan_kmalloc+0xca/0xe0 mm/kasan/kasan.c:537
kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:489
slab_post_alloc_hook mm/slab.h:443 [inline]
slab_alloc mm/slab.c:3379 [inline]
kmem_cache_alloc+0x11b/0x760 mm/slab.c:3539
ptlock_alloc mm/memory.c:4728 [inline]
ptlock_init include/linux/mm.h:1796 [inline]
pgtable_pmd_page_ctor include/linux/mm.h:1888 [inline]
pmd_alloc_one arch/x86/include/asm/pgalloc.h:105 [inline]
__pmd_alloc+0xb6/0x4e0 mm/memory.c:4221
pmd_alloc include/linux/mm.h:1746 [inline]
__handle_mm_fault+0xcc0/0x38c0 mm/memory.c:4070
handle_mm_fault+0x44a/0xb10 mm/memory.c:4140
__do_page_fault+0x5c9/0xc90 arch/x86/mm/fault.c:1422
do_page_fault+0xee/0x730 arch/x86/mm/fault.c:1497
page_fault+0x45/0x50 arch/x86/entry/entry_64.S:1151
RIP: 0033:0x407890
RSP: 002b:0000000000a3e9f0 EFLAGS: 00010287
RAX: 0000001b9bc20000 RBX: 0000000000000251 RCX: 000000000040e990
RDX: 0000001b9bc20004 RSI: 0000000000a3f930 RDI: 0000000000000000
RBP: 0000000000a3f1a0 R08: 0000000000000000 R09: 000000000189c940
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000013 R14: 0000000000000000 R15: 0000000000001380
Code: 0f b6 4c 24 1c 48 c1 ee 20 29 f0 d3 e8 41 0f b6 4c 24 1d 01 f0 49 8b
77 10 d3 e8 8d 4f ff 48 85 f6 41 89 4f 18 0f 84 05 01 00 00 <88> 04 0e 41
8b 47 18 85 c0 0f 84 e0 fe ff ff 49 8b 4e 40 4d 8d
RIP: slab_put_obj mm/slab.c:2612 [inline] RSP: ffff8801b065f7c0
RIP: free_block+0x158/0x280 mm/slab.c:3405 RSP: ffff8801b065f7c0
CR2: ffff8802b62ec347
---[ end trace fe334da8f4d2e894 ]---


---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzk...@googlegroups.com.

syzbot will keep track of this bug report.
If you forgot to add the Reported-by tag, once the fix for this bug is merged
into any tree, please reply to this email with:
#syz fix: exact-commit-title
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug report.
Note: all commands must start from beginning of the line in the email body.
To upstream this report, please reply with:
#syz upstream
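An added worked example, not part of the syzbot report and not kernel code: a user-space C model of what the faulting instruction in the oops above does, reconstructed by me from the register dump and the bytes in the Code: line. My decoding of the bytes just before the fault marker (x86-64, AT&T syntax; r15 holds the struct page pointer, and the value ffffea0006d8bb00 in the dump sits in the vmemmap range where struct page lives) is: 49 8b 77 10 loads page->freelist into rsi (offset 0x10), 8d 4f ff computes ecx = edi - 1, 41 89 4f 18 stores that back to page->active (offset 0x18), and the faulting 88 04 0e is mov %al,(%rsi,%rcx,1), a one-byte store of the object index into the freelist array. That is the shape of slab_put_obj() in mm/slab.c of that era: page->active-- followed by set_free_obj(page, page->active, objnr). With RDI = 0 and RCX = 0xffffffff in the dump, page->active was already zero when this object was freed into the slab, the unsigned decrement wrapped, and the store went to RSI + 0xffffffff = ffff8802b62ec347, which is exactly CR2. The struct name page_model, the function names and the OOPS_ constants are my own; the field layout is inferred from the decoded instructions, not taken from the kernel headers.

```c
/*
 * Added example (not from the syzbot report or the kernel tree): a
 * user-space model of the store that faulted in free_block()/slab_put_obj(),
 * built only from the register dump and the decoded "Code:" bytes:
 *
 *   49 8b 77 10      mov 0x10(%r15),%rsi    ; rsi = page->freelist
 *   8d 4f ff         lea -1(%rdi),%ecx      ; ecx = page->active - 1
 *   41 89 4f 18      mov %ecx,0x18(%r15)    ; page->active = ecx
 *   <88> 04 0e       mov %al,(%rsi,%rcx,1)  ; freelist[ecx] = objnr  <- faults
 *
 * Assumption: this decoding is mine; offsets 0x10/0x18 and the byte-sized
 * freelist index are read off the instructions, not from kernel headers.
 */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Register values copied from the oops above. */
#define OOPS_RSI 0xffff8801b62ec348ULL   /* page->freelist */
#define OOPS_RDI 0x0000000000000000ULL   /* page->active before the decrement */
#define OOPS_RCX 0x00000000ffffffffULL   /* index used by the faulting store */
#define OOPS_CR2 0xffff8802b62ec347ULL   /* faulting address */

/* Minimal model of the two struct page fields the decoded code touches
 * (hypothetical layout: only what the instructions reveal). */
struct page_model {
    uint64_t freelist;      /* base of the one-byte-per-slot freelist array */
    unsigned int active;    /* objects currently handed out from this slab */
};

/*
 * Model of slab_put_obj(): decrement active and return the slot index the
 * freelist store will use. An unsigned decrement from 0 wraps to UINT_MAX,
 * which is the signature in this report: an object was freed into a slab
 * page that already had zero active objects.
 */
static unsigned int model_put_obj(struct page_model *page)
{
    page->active--;             /* 0 -> 0xffffffff, same as the kernel */
    return page->active;
}

/* Effective address of mov %al,(%rsi,%rcx,1): base plus index, scale 1. */
static uint64_t store_target(uint64_t rsi, uint64_t rcx)
{
    return rsi + rcx;
}

/*
 * Does the active-underflow model reproduce the dump? Both the wrapped index
 * (RCX) and the faulting address (CR2) must fall out of it.
 */
static bool oops_matches_active_underflow(void)
{
    struct page_model page = { .freelist = OOPS_RSI,
                               .active = (unsigned int)OOPS_RDI };
    unsigned int idx = model_put_obj(&page);
    uint64_t target = store_target(page.freelist, idx);

    return idx == (unsigned int)OOPS_RCX && target == OOPS_CR2;
}

int main(void)
{
    struct page_model page = { .freelist = OOPS_RSI, .active = 0 };
    unsigned int idx = model_put_obj(&page);

    printf("index after page->active--: 0x%x\n", idx);
    printf("store target: 0x%llx (CR2 in report: 0x%llx)\n",
           (unsigned long long)store_target(page.freelist, idx),
           (unsigned long long)OOPS_CR2);
    printf("consistent with active underflow: %s\n",
           oops_matches_active_underflow() ? "yes" : "no");
    return 0;
}
```

Build with cc -Wall -o oops_model oops_model.c and run it. The model explains only the mechanics of the fault: a slab page with active == 0 received a free, which is what a double free or a free into the wrong cache looks like from inside free_block(). It cannot say which earlier free corrupted the state, and the KASAN quarantine in the call trace only delays the real free, so the culprit is some earlier allocation path rather than the page-table allocation that happened to drain the quarantine. That is consistent with the report having no reproducer and with the "corrupted heap" verdict later in the thread.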

Dmitry Vyukov

Sep 5, 2018, 7:23:52 AM9/5/18
to syzbot, 'Dmitry Vyukov' via syzkaller-upstream-moderation
Looks like corrupted heap. Stopped happening 4 months ago.

#syz invalid
> --
> You received this message because you are subscribed to the Google Groups
> "syzkaller-upstream-moderation" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to syzkaller-upstream-m...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/syzkaller-upstream-moderation/001a113ec036ffb1e405689518ec%40google.com.
> For more options, visit https://groups.google.com/d/optout.