BUG: unable to handle kernel NULL pointer dereference in qlist_move_cache (2)


syzbot

Mar 30, 2018, 4:01:03 AM3/30/18
to syzkaller-upst...@googlegroups.com
Hello,

syzbot hit the following crash on upstream commit
3eb2ce825ea1ad89d20f7a3b5780df850e4be274 (Sun Mar 25 22:44:30 2018 +0000)
Linux 4.16-rc7
syzbot dashboard link:
https://syzkaller.appspot.com/bug?extid=9cde57aea1fbeb7d3335

So far this crash happened 2 times on upstream.
Unfortunately, I don't have any reproducer for this crash yet.
Raw console output:
https://syzkaller.appspot.com/x/log.txt?id=6174456586174464
Kernel config:
https://syzkaller.appspot.com/x/.config?id=-2340295454854568752
compiler: gcc (GCC) 7.1.1 20170620
CC: [cgr...@vger.kernel.org han...@cmpxchg.org
linux-...@vger.kernel.org linu...@kvack.org mho...@kernel.org
vdavyd...@gmail.com]

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+9cde57...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for
details.
If you forward the report, please keep this part and the footer.

BUG: unable to handle kernel NULL pointer dereference at 0000000000000015
IP: qlist_put mm/kasan/quarantine.c:63 [inline]
IP: qlist_move_cache+0x4a/0xf0 mm/kasan/quarantine.c:281
PGD 0 P4D 0
Oops: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 24 Comm: kworker/0:1 Not tainted 4.16.0-rc7+ #367
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Workqueue: cgroup_destroy css_free_work_fn
RIP: 0010:qlist_put mm/kasan/quarantine.c:63 [inline]
RIP: 0010:qlist_move_cache+0x4a/0xf0 mm/kasan/quarantine.c:281
RSP: 0018:ffff8801d94670c8 EFLAGS: 00010086
RAX: 0000000000000001 RBX: 000077ff80000000 RCX: ffff8801d8468440
RDX: ffff8801af4e5500 RSI: ffff8801d94670e8 RDI: ffffffff885eba90
RBP: ffff8801d94670d8 R08: 0000000000000000 R09: 0000000080000000
R10: ffff8801d4e38100 R11: ffffea0000000000 R12: ffffea000732d01f
R13: ffffffff86fd55a0 R14: ffffffff885ef2a0 R15: ffff8801af4e5500
FS: 0000000000000000(0000) GS:ffff8801db200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000015 CR3: 0000000006e22006 CR4: 00000000001606f0
DR0: 0000000020000000 DR1: 0000000020000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
quarantine_remove_cache+0x79/0xf0 mm/kasan/quarantine.c:317
kasan_cache_shutdown+0x9/0x10 mm/kasan/kasan.c:381
shutdown_cache+0x15/0x1b0 mm/slab_common.c:577
memcg_destroy_kmem_caches+0x62/0x80 mm/slab_common.c:781
memcg_free_kmem mm/memcontrol.c:2856 [inline]
mem_cgroup_css_free+0x2a4/0x3f0 mm/memcontrol.c:4298
css_free_work_fn+0x1c8/0x1420 kernel/cgroup/cgroup.c:4541
process_one_work+0xc47/0x1bb0 kernel/workqueue.c:2113
worker_thread+0x223/0x1990 kernel/workqueue.c:2247
kthread+0x33c/0x400 kernel/kthread.c:238
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:406
Code: 00 00 00 48 c7 47 10 00 00 00 00 49 bb 00 00 00 00 00 ea ff ff 48 89
e5 41 54 53 48 bb 00 00 00 80 ff 77 00 00 eb 27 48 83 3f 00 <8b> 40 14 74
7f 4c 8b 47 08 49 89 08 48 89 4f 08 48 c7 01 00 00
RIP: qlist_put mm/kasan/quarantine.c:63 [inline] RSP: ffff8801d94670c8
RIP: qlist_move_cache+0x4a/0xf0 mm/kasan/quarantine.c:281 RSP: ffff8801d94670c8
CR2: 0000000000000015
---[ end trace 7f978c4e77247f30 ]---
Kernel panic - not syncing: Fatal exception
Dumping ftrace buffer:
(ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..


---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzk...@googlegroups.com.

syzbot will keep track of this bug report.
If you forgot to add the Reported-by tag, once the fix for this bug is merged
into any tree, please reply to this email with:
#syz fix: exact-commit-title
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug
report.
Note: all commands must start from beginning of the line in the email body.
To upstream this report, please reply with:
#syz upstream

Dmitry Vyukov

Sep 5, 2018, 7:24:16 AM9/5/18
to syzbot, 'Dmitry Vyukov' via syzkaller-upstream-moderation
Looks like corrupted heap. Stopped happening 4 months ago.

#syz invalid