[syzbot] [mm?] general protection fault in find_lock_task_mm
3 views
Skip to first unread message
syzbot
Dec 16, 2024, 2:16:30 PM12/16/24
to ak...@linux-foundation.org, linux-...@vger.kernel.org, linu...@kvack.org, syzkall...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 231825b2e1ff Revert "unicode: Don't special case ignorable..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=133b4d44580000
kernel config: https://syzkaller.appspot.com/x/.config?x=99a5586995ec03b2
dashboard link: https://syzkaller.appspot.com/bug?extid=c2e074db555379260750
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=102844f8580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/41e68d86d902/disk-231825b2.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/0cb4e353f885/vmlinux-231825b2.xz
kernel image: https://storage.googleapis.com/syzbot-assets/c4df524e0176/bzImage-231825b2.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+c2e074...@syzkaller.appspotmail.com
Oops: general protection fault, probably for non-canonical address 0xdffffc000000006c: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000360-0x0000000000000367]
CPU: 0 UID: 0 PID: 8122 Comm: syz-executor Not tainted 6.13.0-rc2-syzkaller-00036-g231825b2e1ff #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/25/2024
RIP: 0010:__lock_acquire+0xe4/0x3c40 kernel/locking/lockdep.c:5089
Code: 08 84 d2 0f 85 15 14 00 00 44 8b 0d 4a 00 a7 0e 45 85 c9 0f 84 b4 0e 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 e2 48 c1 ea 03 <80> 3c 02 00 0f 85 96 2c 00 00 49 8b 04 24 48 3d a0 17 32 93 0f 84
RSP: 0018:ffffc9000d087990 EFLAGS: 00010006
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 000000000000006c RSI: 1ffff92001a10f44 RDI: 0000000000000360
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000001
R10: ffffffff901cc317 R11: 0000000000000002 R12: 0000000000000360
R13: ffff888034c38000 R14: 0000000000000000 R15: 0000000000000000
FS: 00005555879c4500(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005555879c4808 CR3: 0000000030ed6000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
lock_acquire.part.0+0x11b/0x380 kernel/locking/lockdep.c:5849
__raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
_raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
spin_lock include/linux/spinlock.h:351 [inline]
task_lock include/linux/sched/task.h:229 [inline]
find_lock_task_mm+0xd4/0x2f0 mm/oom_kill.c:140
__set_oom_adj.isra.0+0xcd8/0x1120 fs/proc/base.c:1157
oom_score_adj_write+0x1b8/0x200 fs/proc/base.c:1294
vfs_write+0x24c/0x1150 fs/read_write.c:677
ksys_write+0x12b/0x250 fs/read_write.c:731
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f3c079847cf
Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 f9 92 02 00 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 4c 93 02 00 48
RSP: 002b:00007fffc0defcf0 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f3c079847cf
RDX: 0000000000000004 RSI: 00007fffc0defd40 RDI: 0000000000000003
RBP: 00007f3c07a0320c R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000004
R13: 00007fffc0defd40 R14: 00007fffc0df02a0 R15: 00007fffc0df02a0
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__lock_acquire+0xe4/0x3c40 kernel/locking/lockdep.c:5089
Code: 08 84 d2 0f 85 15 14 00 00 44 8b 0d 4a 00 a7 0e 45 85 c9 0f 84 b4 0e 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 e2 48 c1 ea 03 <80> 3c 02 00 0f 85 96 2c 00 00 49 8b 04 24 48 3d a0 17 32 93 0f 84
RSP: 0018:ffffc9000d087990 EFLAGS: 00010006
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 000000000000006c RSI: 1ffff92001a10f44 RDI: 0000000000000360
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000001
R10: ffffffff901cc317 R11: 0000000000000002 R12: 0000000000000360
R13: ffff888034c38000 R14: 0000000000000000 R15: 0000000000000000
FS: 00005555879c4500(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005555879c4808 CR3: 0000000030ed6000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 08 84 d2 0f 85 15 14 or %al,0x1415850f(%rdx,%rdx,8)
7: 00 00 add %al,(%rax)
9: 44 8b 0d 4a 00 a7 0e mov 0xea7004a(%rip),%r9d # 0xea7005a
10: 45 85 c9 test %r9d,%r9d
13: 0f 84 b4 0e 00 00 je 0xecd
19: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
20: fc ff df
23: 4c 89 e2 mov %r12,%rdx
26: 48 c1 ea 03 shr $0x3,%rdx
* 2a: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) <-- trapping instruction
2e: 0f 85 96 2c 00 00 jne 0x2cca
34: 49 8b 04 24 mov (%r12),%rax
38: 48 3d a0 17 32 93 cmp $0xffffffff933217a0,%rax
3e: 0f .byte 0xf
3f: 84 .byte 0x84
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: 231825b2e1ff Revert "unicode: Don't special case ignorable..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=133b4d44580000
kernel config: https://syzkaller.appspot.com/x/.config?x=99a5586995ec03b2
dashboard link: https://syzkaller.appspot.com/bug?extid=c2e074db555379260750
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=102844f8580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/41e68d86d902/disk-231825b2.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/0cb4e353f885/vmlinux-231825b2.xz
kernel image: https://storage.googleapis.com/syzbot-assets/c4df524e0176/bzImage-231825b2.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+c2e074...@syzkaller.appspotmail.com
Oops: general protection fault, probably for non-canonical address 0xdffffc000000006c: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000360-0x0000000000000367]
CPU: 0 UID: 0 PID: 8122 Comm: syz-executor Not tainted 6.13.0-rc2-syzkaller-00036-g231825b2e1ff #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/25/2024
RIP: 0010:__lock_acquire+0xe4/0x3c40 kernel/locking/lockdep.c:5089
Code: 08 84 d2 0f 85 15 14 00 00 44 8b 0d 4a 00 a7 0e 45 85 c9 0f 84 b4 0e 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 e2 48 c1 ea 03 <80> 3c 02 00 0f 85 96 2c 00 00 49 8b 04 24 48 3d a0 17 32 93 0f 84
RSP: 0018:ffffc9000d087990 EFLAGS: 00010006
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 000000000000006c RSI: 1ffff92001a10f44 RDI: 0000000000000360
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000001
R10: ffffffff901cc317 R11: 0000000000000002 R12: 0000000000000360
R13: ffff888034c38000 R14: 0000000000000000 R15: 0000000000000000
FS: 00005555879c4500(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005555879c4808 CR3: 0000000030ed6000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
lock_acquire.part.0+0x11b/0x380 kernel/locking/lockdep.c:5849
__raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
_raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
spin_lock include/linux/spinlock.h:351 [inline]
task_lock include/linux/sched/task.h:229 [inline]
find_lock_task_mm+0xd4/0x2f0 mm/oom_kill.c:140
__set_oom_adj.isra.0+0xcd8/0x1120 fs/proc/base.c:1157
oom_score_adj_write+0x1b8/0x200 fs/proc/base.c:1294
vfs_write+0x24c/0x1150 fs/read_write.c:677
ksys_write+0x12b/0x250 fs/read_write.c:731
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f3c079847cf
Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 f9 92 02 00 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 4c 93 02 00 48
RSP: 002b:00007fffc0defcf0 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f3c079847cf
RDX: 0000000000000004 RSI: 00007fffc0defd40 RDI: 0000000000000003
RBP: 00007f3c07a0320c R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000004
R13: 00007fffc0defd40 R14: 00007fffc0df02a0 R15: 00007fffc0df02a0
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__lock_acquire+0xe4/0x3c40 kernel/locking/lockdep.c:5089
Code: 08 84 d2 0f 85 15 14 00 00 44 8b 0d 4a 00 a7 0e 45 85 c9 0f 84 b4 0e 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 e2 48 c1 ea 03 <80> 3c 02 00 0f 85 96 2c 00 00 49 8b 04 24 48 3d a0 17 32 93 0f 84
RSP: 0018:ffffc9000d087990 EFLAGS: 00010006
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 000000000000006c RSI: 1ffff92001a10f44 RDI: 0000000000000360
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000001
R10: ffffffff901cc317 R11: 0000000000000002 R12: 0000000000000360
R13: ffff888034c38000 R14: 0000000000000000 R15: 0000000000000000
FS: 00005555879c4500(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005555879c4808 CR3: 0000000030ed6000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 08 84 d2 0f 85 15 14 or %al,0x1415850f(%rdx,%rdx,8)
7: 00 00 add %al,(%rax)
9: 44 8b 0d 4a 00 a7 0e mov 0xea7004a(%rip),%r9d # 0xea7005a
10: 45 85 c9 test %r9d,%r9d
13: 0f 84 b4 0e 00 00 je 0xecd
19: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
20: fc ff df
23: 4c 89 e2 mov %r12,%rdx
26: 48 c1 ea 03 shr $0x3,%rdx
* 2a: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) <-- trapping instruction
2e: 0f 85 96 2c 00 00 jne 0x2cca
34: 49 8b 04 24 mov (%r12),%rax
38: 48 3d a0 17 32 93 cmp $0xffffffff933217a0,%rax
3e: 0f .byte 0xf
3f: 84 .byte 0x84
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
Hillf Danton
Dec 17, 2024, 5:31:19 AM12/17/24
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Mon, 16 Dec 2024 11:16:28 -0800
#syz test
--- x/mm/oom_kill.c
+++ y/mm/oom_kill.c
@@ -137,7 +137,10 @@ struct task_struct *find_lock_task_mm(st
rcu_read_lock();
for_each_thread(p, t) {
+ if (!tryget_task_struct(t))
+ continue;
task_lock(t);
+ put_task_struct(t);
if (likely(t->mm))
goto found;
task_unlock(t);
--
> syzbot found the following issue on:
>
> HEAD commit: 231825b2e1ff Revert "unicode: Don't special case ignorable..
> git tree: upstream
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=102844f8580000
>
> HEAD commit: 231825b2e1ff Revert "unicode: Don't special case ignorable..
> git tree: upstream
#syz test
--- x/mm/oom_kill.c
+++ y/mm/oom_kill.c
@@ -137,7 +137,10 @@ struct task_struct *find_lock_task_mm(st
rcu_read_lock();
for_each_thread(p, t) {
+ if (!tryget_task_struct(t))
+ continue;
task_lock(t);
+ put_task_struct(t);
if (likely(t->mm))
goto found;
task_unlock(t);
--
syzbot
Dec 17, 2024, 5:48:05 AM12/17/24
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
UBSAN: shift-out-of-bounds in ip_finish_output2
------------[ cut here ]------------
UBSAN: shift-out-of-bounds in ./include/net/neighbour.h:306:44
shift exponent 32 is too large for 32-bit type 'unsigned int'
CPU: 0 UID: 0 PID: 12 Comm: kworker/u8:1 Not tainted 6.13.0-rc3-syzkaller-gf44d154d6e3d-dirty #0
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120
ubsan_epilogue lib/ubsan.c:231 [inline]
__ubsan_handle_shift_out_of_bounds+0x2a5/0x480 lib/ubsan.c:468
___neigh_lookup_noref include/net/neighbour.h:306 [inline]
__ipv4_neigh_lookup_noref include/net/arp.h:27 [inline]
ip_neigh_gw4 include/net/route.h:383 [inline]
ip_neigh_for_gw include/net/route.h:403 [inline]
ip_finish_output2.cold+0x56/0x5b net/ipv4/ip_output.c:230
__ip_finish_output net/ipv4/ip_output.c:314 [inline]
__ip_finish_output+0x49e/0x950 net/ipv4/ip_output.c:296
ip_finish_output+0x35/0x380 net/ipv4/ip_output.c:324
NF_HOOK_COND include/linux/netfilter.h:303 [inline]
ip_output+0x13b/0x2a0 net/ipv4/ip_output.c:434
dst_output include/net/dst.h:450 [inline]
ip_local_out+0x33e/0x4a0 net/ipv4/ip_output.c:130
iptunnel_xmit+0x5d9/0xa00 net/ipv4/ip_tunnel_core.c:82
send4+0x48e/0xe30 drivers/net/wireguard/socket.c:85
wg_socket_send_skb_to_peer+0x196/0x220 drivers/net/wireguard/socket.c:175
wg_socket_send_buffer_to_peer+0x148/0x1a0 drivers/net/wireguard/socket.c:200
wg_packet_send_handshake_initiation+0x227/0x360 drivers/net/wireguard/send.c:40
wg_packet_handshake_send_worker+0x1c/0x30 drivers/net/wireguard/send.c:51
process_one_work+0x958/0x1b30 kernel/workqueue.c:3229
process_scheduled_works kernel/workqueue.c:3310 [inline]
worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
---[ end trace ]---
Tested on:
commit: f44d154d Merge tag 'soc-fixes-6.13' of git://git.kerne..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12c9560f980000
kernel config: https://syzkaller.appspot.com/x/.config?x=c22efbd20f8da769
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
UBSAN: shift-out-of-bounds in ip_finish_output2
------------[ cut here ]------------
UBSAN: shift-out-of-bounds in ./include/net/neighbour.h:306:44
shift exponent 32 is too large for 32-bit type 'unsigned int'
CPU: 0 UID: 0 PID: 12 Comm: kworker/u8:1 Not tainted 6.13.0-rc3-syzkaller-gf44d154d6e3d-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/25/2024
Workqueue: wg-kex-wg0 wg_packet_handshake_send_worker
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120
ubsan_epilogue lib/ubsan.c:231 [inline]
__ubsan_handle_shift_out_of_bounds+0x2a5/0x480 lib/ubsan.c:468
___neigh_lookup_noref include/net/neighbour.h:306 [inline]
__ipv4_neigh_lookup_noref include/net/arp.h:27 [inline]
ip_neigh_gw4 include/net/route.h:383 [inline]
ip_neigh_for_gw include/net/route.h:403 [inline]
ip_finish_output2.cold+0x56/0x5b net/ipv4/ip_output.c:230
__ip_finish_output net/ipv4/ip_output.c:314 [inline]
__ip_finish_output+0x49e/0x950 net/ipv4/ip_output.c:296
ip_finish_output+0x35/0x380 net/ipv4/ip_output.c:324
NF_HOOK_COND include/linux/netfilter.h:303 [inline]
ip_output+0x13b/0x2a0 net/ipv4/ip_output.c:434
dst_output include/net/dst.h:450 [inline]
ip_local_out+0x33e/0x4a0 net/ipv4/ip_output.c:130
iptunnel_xmit+0x5d9/0xa00 net/ipv4/ip_tunnel_core.c:82
send4+0x48e/0xe30 drivers/net/wireguard/socket.c:85
wg_socket_send_skb_to_peer+0x196/0x220 drivers/net/wireguard/socket.c:175
wg_socket_send_buffer_to_peer+0x148/0x1a0 drivers/net/wireguard/socket.c:200
wg_packet_send_handshake_initiation+0x227/0x360 drivers/net/wireguard/send.c:40
wg_packet_handshake_send_worker+0x1c/0x30 drivers/net/wireguard/send.c:51
process_one_work+0x958/0x1b30 kernel/workqueue.c:3229
process_scheduled_works kernel/workqueue.c:3310 [inline]
worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
---[ end trace ]---
Tested on:
commit: f44d154d Merge tag 'soc-fixes-6.13' of git://git.kerne..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12c9560f980000
kernel config: https://syzkaller.appspot.com/x/.config?x=c22efbd20f8da769
dashboard link: https://syzkaller.appspot.com/bug?extid=c2e074db555379260750
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=175f27e8580000
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
Hillf Danton
Dec 17, 2024, 6:15:28 AM12/17/24
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Mon, 16 Dec 2024 11:16:28 -0800
> syzbot found the following issue on:
>
> HEAD commit: 231825b2e1ff Revert "unicode: Don't special case ignorable..
> git tree: upstream
>
> HEAD commit: 231825b2e1ff Revert "unicode: Don't special case ignorable..
> git tree: upstream
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=102844f8580000
#syz test
--- x/mm/oom_kill.c
+++ y/mm/oom_kill.c
@@ -137,7 +137,10 @@ struct task_struct *find_lock_task_mm(st
rcu_read_lock();
for_each_thread(p, t) {
+ if (!tryget_task_struct(t))
+ continue;
task_lock(t);
+ put_task_struct(t);
if (likely(t->mm))
goto found;
task_unlock(t);
--- x/include/net/neighbour.h
#syz test
--- x/mm/oom_kill.c
+++ y/mm/oom_kill.c
@@ -137,7 +137,10 @@ struct task_struct *find_lock_task_mm(st
rcu_read_lock();
for_each_thread(p, t) {
+ if (!tryget_task_struct(t))
+ continue;
task_lock(t);
+ put_task_struct(t);
if (likely(t->mm))
goto found;
task_unlock(t);
+++ y/include/net/neighbour.h
@@ -302,8 +302,11 @@ static inline struct neighbour *___neigh
struct neigh_hash_table *nht = rcu_dereference(tbl->nht);
struct neighbour *n;
u32 hash_val;
+ u32 shift = 32 - nht->hash_shift;
- hash_val = hash(pkey, dev, nht->hash_rnd) >> (32 - nht->hash_shift);
+ if (shift > 31)
+ shift = 31;
+ hash_val = hash(pkey, dev, nht->hash_rnd) >> shift;
neigh_for_each_in_bucket_rcu(n, &nht->hash_heads[hash_val])
if (n->dev == dev && key_eq(n, pkey))
return n;
--
syzbot
Dec 17, 2024, 6:34:06 AM12/17/24
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in tomoyo_init_request_info
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
Oops: general protection fault, probably for non-canonical address 0xdffffc000000000a: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000050-0x0000000000000057]
CPU: 0 UID: 0 PID: 12774 Comm: syz.0.2725 Not tainted 6.13.0-rc3-syzkaller-gf44d154d6e3d-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/25/2024
RIP: 0010:tomoyo_init_request_info+0x6f/0x370 security/tomoyo/util.c:1028
Code: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 98 02 00 00 48 8d 7d 50 48 89 6b 10 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 06 0f 8e 5d 02 00 00 48 8d 7b 4b 44 0f b6 6d
RSP: 0018:ffffc9000d0af790 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: ffffc9000d0af808 RCX: 0000000000000000
RDX: 000000000000000a RSI: ffffffff8452d8b7 RDI: 0000000000000050
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: ffffc9000d0af808 R11: 0000000000000000 R12: 0000000000000001
R13: 0000000000109002 R14: ffff88802d9bae80 R15: 0000000000000006
FS: 00007fb5170df6c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fb5170def98 CR3: 000000001ff52000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
tomoyo_check_open_permission+0x27a/0x3c0 security/tomoyo/file.c:769
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
tomoyo_file_open+0x6b/0x90 security/tomoyo/tomoyo.c:334
security_file_open+0x84/0x1e0 security/security.c:3105
do_dentry_open+0x57e/0x1ea0 fs/open.c:928
vfs_open+0x82/0x3f0 fs/open.c:1075
do_open fs/namei.c:3828 [inline]
path_openat+0x1e6a/0x2d60 fs/namei.c:3987
do_filp_open+0x20c/0x470 fs/namei.c:4014
do_sys_openat2+0x17a/0x1e0 fs/open.c:1402
do_sys_open fs/open.c:1417 [inline]
__do_sys_openat fs/open.c:1433 [inline]
__se_sys_openat fs/open.c:1428 [inline]
__x64_sys_openat+0x175/0x210 fs/open.c:1428
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fb516385d19
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fb5170df038 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007fb516575fa0 RCX: 00007fb516385d19
RDX: 0000000000189002 RSI: 0000000020000100 RDI: ffffffffffffff9c
RBP: 00007fb516401a20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000001 R14: 00007fb516575fa0 R15: 00007fff07409218
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:tomoyo_init_request_info+0x6f/0x370 security/tomoyo/util.c:1028
Modules linked in:
---[ end trace 0000000000000000 ]---
Code: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 98 02 00 00 48 8d 7d 50 48 89 6b 10 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 06 0f 8e 5d 02 00 00 48 8d 7b 4b 44 0f b6 6d
RSP: 0018:ffffc9000d0af790 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: ffffc9000d0af808 RCX: 0000000000000000
RDX: 000000000000000a RSI: ffffffff8452d8b7 RDI: 0000000000000050
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: ffffc9000d0af808 R11: 0000000000000000 R12: 0000000000000001
R13: 0000000000109002 R14: ffff88802d9bae80 R15: 0000000000000006
FS: 00007fb5170df6c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055b7f5b65950 CR3: 000000001ff52000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 48 89 fa mov %rdi,%rdx
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
3: 48 c1 ea 03 shr $0x3,%rdx
7: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1)
b: 0f 85 98 02 00 00 jne 0x2a9
11: 48 8d 7d 50 lea 0x50(%rbp),%rdi
15: 48 89 6b 10 mov %rbp,0x10(%rbx)
19: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
20: fc ff df
23: 48 89 fa mov %rdi,%rdx
20: fc ff df
26: 48 c1 ea 03 shr $0x3,%rdx
* 2a: 0f b6 04 02 movzbl (%rdx,%rax,1),%eax <-- trapping instruction
2e: 84 c0 test %al,%al
30: 74 06 je 0x38
32: 0f 8e 5d 02 00 00 jle 0x295
38: 48 8d 7b 4b lea 0x4b(%rbx),%rdi
3c: 44 rex.R
3d: 0f .byte 0xf
3e: b6 6d mov $0x6d,%dh
Tested on:
commit: f44d154d Merge tag 'soc-fixes-6.13' of git://git.kerne..
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=c22efbd20f8da769
dashboard link: https://syzkaller.appspot.com/bug?extid=c2e074db555379260750
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=15d9560f980000
dashboard link: https://syzkaller.appspot.com/bug?extid=c2e074db555379260750
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
Tetsuo Handa
Jan 4, 2025, 9:30:45 AM1/4/25
to syzbot, ak...@linux-foundation.org, linux-...@vger.kernel.org, linu...@kvack.org, syzkall...@googlegroups.com
#syz dup: general protection fault in account_kernel_stack (3)
Reply all
Reply to author
Forward
0 new messages