syzbot has found a reproducer for the following crash on:
HEAD commit:    f25804f3 Linux 4.19.106
git tree:       linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=14a93c2de00000
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=13480c91e00000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=11d376fde00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+92fff1...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: stack-out-of-bounds in unwind_next_frame+0x1440/0x18a0 arch/x86/kernel/unwind_orc.c:522
Read of size 8 at addr ffff8880ae607828 by task syz-executor166/8197
CPU: 0 PID: 8197 Comm: syz-executor166 Not tainted 4.19.106-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x188/0x20d lib/dump_stack.c:118
print_address_description.cold+0x7c/0x212 mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report mm/kasan/report.c:412 [inline]
kasan_report.cold+0x88/0x2b9 mm/kasan/report.c:396
unwind_next_frame+0x1440/0x18a0 arch/x86/kernel/unwind_orc.c:522
perf_callchain_kernel+0x402/0x5c0 arch/x86/events/core.c:2346
get_perf_callchain+0x390/0x860 kernel/events/callchain.c:202
perf_callchain+0x165/0x1c0 kernel/events/core.c:6440
perf_prepare_sample+0x80a/0x1570 kernel/events/core.c:6467
__perf_event_output kernel/events/core.c:6582 [inline]
perf_event_output_forward+0xf3/0x270 kernel/events/core.c:6600
__perf_event_overflow+0x13c/0x370 kernel/events/core.c:7866
perf_swevent_overflow+0xac/0x150 kernel/events/core.c:7942
perf_swevent_event+0x14d/0x2e0 kernel/events/core.c:7980
perf_tp_event+0x29f/0x850 kernel/events/core.c:8398
perf_trace_run_bpf_submit+0x136/0x190 kernel/events/core.c:8372
perf_trace_lock_acquire+0x362/0x530 include/trace/events/lock.h:13
trace_lock_acquire include/trace/events/lock.h:13 [inline]
lock_acquire+0x2a0/0x400 kernel/locking/lockdep.c:3902
seqcount_lockdep_reader_access include/linux/seqlock.h:81 [inline]
read_seqcount_begin include/linux/seqlock.h:164 [inline]
read_seqbegin include/linux/seqlock.h:433 [inline]
zone_span_seqbegin include/linux/memory_hotplug.h:65 [inline]
page_outside_zone_boundaries mm/page_alloc.c:490 [inline]
bad_range+0xc0/0x3c0 mm/page_alloc.c:519
__free_one_page mm/page_alloc.c:819 [inline]
free_one_page+0x127/0xee0 mm/page_alloc.c:1195
__free_pages_ok+0x438/0xd80 mm/page_alloc.c:1279
__put_page+0x71/0x380 mm/swap.c:112
put_page include/linux/mm.h:951 [inline]
page_to_skb+0x5e2/0x800 drivers/net/virtio_net.c:427
receive_mergeable drivers/net/virtio_net.c:936 [inline]
receive_buf+0x1da4/0x5c70 drivers/net/virtio_net.c:1045
virtnet_receive drivers/net/virtio_net.c:1334 [inline]
virtnet_poll+0x541/0xd60 drivers/net/virtio_net.c:1439
napi_poll net/core/dev.c:6264 [inline]
net_rx_action+0x4ab/0xfc0 net/core/dev.c:6330
__do_softirq+0x26c/0x93c kernel/softirq.c:292
invoke_softirq kernel/softirq.c:372 [inline]
irq_exit+0x17b/0x1c0 kernel/softirq.c:412
exiting_irq arch/x86/include/asm/apic.h:544 [inline]
do_IRQ+0x10c/0x1c0 arch/x86/kernel/irq.c:258
common_interrupt+0xf/0xf arch/x86/entry/entry_64.S:670
</IRQ>
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/paravirt.h:789 [inline]
RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:160 [inline]
RIP: 0010:_raw_spin_unlock_irqrestore+0x91/0xe0 kernel/locking/spinlock.c:184
Code: 48 c7 c0 08 56 b2 88 48 ba 00 00 00 00 00 fc ff df 48 c1 e8 03 80 3c 10 00 75 37 48 83 3d 0e d1 92 01 00 74 22 48 89 df 57 9d <0f> 1f 44 00 00 bf 01 00 00 00 e8 50 05 27 fa 65 8b 05 b9 68 e2 78
RSP: 0018:ffff88808fb3f9a0 EFLAGS: 00000282 ORIG_RAX: ffffffffffffffd5
RAX: 1ffffffff1164ac1 RBX: 0000000000000282 RCX: 0000000000000000
RDX: dffffc0000000000 RSI: 0000000000000001 RDI: 0000000000000282
RBP: ffffffff8b7f3108 R08: ffff88808ea4e3c0 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000282
R13: ffff8880802e0000 R14: ffffffff8b7f3108 R15: 0000000000000000
__debug_check_no_obj_freed lib/debugobjects.c:798 [inline]
debug_check_no_obj_freed+0x20a/0x42e lib/debugobjects.c:817
free_pages_prepare mm/page_alloc.c:1055 [inline]
__free_pages_ok+0x241/0xd80 mm/page_alloc.c:1273
release_pages+0x595/0x18f0 mm/swap.c:768
tlb_flush_mmu_free+0x72/0x140 mm/memory.c:249
tlb_flush_mmu mm/memory.c:258 [inline]
arch_tlb_finish_mmu+0x224/0x510 mm/memory.c:273
tlb_finish_mmu+0x97/0x100 mm/memory.c:432
exit_mmap+0x2d2/0x510 mm/mmap.c:3093
__mmput kernel/fork.c:1015 [inline]
mmput+0x14e/0x4a0 kernel/fork.c:1036
exit_mm kernel/exit.c:546 [inline]
do_exit+0xac8/0x2f30 kernel/exit.c:867
do_group_exit+0x125/0x350 kernel/exit.c:983
__do_sys_exit_group kernel/exit.c:994 [inline]
__se_sys_exit_group kernel/exit.c:992 [inline]
__x64_sys_exit_group+0x3a/0x50 kernel/exit.c:992
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x43ff98
Code: Bad RIP value.
RSP: 002b:00007ffe0fe84d08 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ff98
RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
RBP: 00000000004bf7d0 R08: 00000000000000e7 R09: ffffffffffffffd0
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
R13: 00000000006d1180 R14: 0000000000000000 R15: 0000000000000000
The buggy address belongs to the page:
page:ffffea0002b981c0 count:1 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0xfffe0000000800(reserved)
raw: 00fffe0000000800 ffffea0002b981c8 ffffea0002b981c8 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
 ffff8880ae607700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8880ae607780: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
>ffff8880ae607800: f1 f1 04 f2 00 f3 f3 f3 00 00 00 00 00 00 00 00
                                  ^
 ffff8880ae607880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8880ae607900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================