lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <0000000000002a3bfb057f6e4c96@google.com>
Date:   Mon, 14 Jan 2019 09:23:04 -0800
From:   syzbot <syzbot+af057431e1ebbdadd4d1@...kaller.appspotmail.com>
To:     linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com,
        tglx@...utronix.de
Subject: KASAN: stack-out-of-bounds Read in swake_up_one

Hello,

syzbot found the following crash on:

HEAD commit:    de6629eb262e Merge tag 'pci-v5.0-fixes-1' of git://git.ker..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10dd2fab400000
kernel config:  https://syzkaller.appspot.com/x/.config?x=edf1c3031097c304
dashboard link: https://syzkaller.appspot.com/bug?extid=af057431e1ebbdadd4d1
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=10bd0237400000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+af057431e1ebbdadd4d1@...kaller.appspotmail.com

IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
8021q: adding VLAN 0 to HW filter on device batadv0
==================================================================
BUG: KASAN: stack-out-of-bounds in swake_up_locked kernel/sched/swait.c:30  
[inline]
BUG: KASAN: stack-out-of-bounds in swake_up_locked kernel/sched/swait.c:22  
[inline]
BUG: KASAN: stack-out-of-bounds in swake_up_one+0x2bf/0x3c0  
kernel/sched/swait.c:40
kasan: CONFIG_KASAN_INLINE enabled
Read of size 8 at addr ffff8880a9487a88 by task syz-executor5/8368
kasan: GPF could be caused by NULL-ptr deref or user memory access

general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 8368 Comm: syz-executor5 Not tainted 5.0.0-rc1+ #20
CPU: 1 PID: 64 Comm: ksoftirq��1 Not tainted 5.0.0-rc1+ #20
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011
Call Trace:
RIP: 0010:lookup_object lib/debugobjects.c:156 [inline]
RIP: 0010:debug_object_deactivate lib/debugobjects.c:542 [inline]
RIP: 0010:debug_object_deactivate+0x16c/0x4b0 lib/debugobjects.c:529
  __dump_stack lib/dump_stack.c:77 [inline]
  dump_stack+0x1db/0x2d0 lib/dump_stack.c:113
Code: c1 ea 03 42 80 3c 2a 00 0f 85 49 02 00 00 4d 8b 24 24 4d 85 e4 0f 84  
d1 00 00 00 49 8d 7c 24 18 83 c3 01 48 89 fa 48 c1 ea 03 <42> 80 3c 2a 00  
0f 85 fa 01 00 00 49 3b 4c 24 18 75 c0 49 8d 7c 24
RSP: 0018:ffff8880ae707b80 EFLAGS: 00010003
RAX: 1ffffffff16d60bc RBX: 0000000000000004 RCX: ffff8880ae726620
  print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187
RDX: 000000000000019d RSI: 0000000000000004 RDI: 0000000000000ced
RBP: ffff8880ae707c70 R08: 1ffff11015ce0f5c R09: ffffffff899b13e0
R10: 0000000000000086 R11: 0000000000000003 R12: 0000000000000cd5
R13: dffffc0000000000 R14: 1ffff11015ce0f74 R15: ffffffff8b6b05e8
  kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
FS:  0000000000000000(0000) GS:ffff8880ae700000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000068 CR3: 0000000096ff7000 CR4: 00000000001406e0
  __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:135
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
  swake_up_locked kernel/sched/swait.c:30 [inline]
  swake_up_locked kernel/sched/swait.c:22 [inline]
  swake_up_one+0x2bf/0x3c0 kernel/sched/swait.c:40
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
  <IRQ>
  rcu_gp_kthread_wake+0xc3/0x100 kernel/rcu/tree.c:1571
  debug_hrtimer_deactivate kernel/time/hrtimer.c:412 [inline]
  debug_deactivate kernel/time/hrtimer.c:462 [inline]
  __run_hrtimer kernel/time/hrtimer.c:1359 [inline]
  __hrtimer_run_queues+0x225/0x1050 kernel/time/hrtimer.c:1451
  rcu_report_qs_rsp+0x177/0x220 kernel/rcu/tree.c:2131
  rcu_report_unblock_qs_rnp kernel/rcu/tree.c:2235 [inline]
  rcu_preempt_deferred_qs_irqrestore+0xc03/0xfd0 kernel/rcu/tree_plugin.h:574
  hrtimer_interrupt+0x314/0x770 kernel/time/hrtimer.c:1509
  local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1035 [inline]
  smp_apic_timer_interrupt+0x18d/0x760 arch/x86/kernel/apic/apic.c:1060
  rcu_read_unlock_special+0x1cd/0x380 kernel/rcu/tree_plugin.h:665
  apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:807
  __rcu_read_unlock+0x204/0x210 kernel/rcu/tree_plugin.h:437
  </IRQ>
Modules linked in:
---[ end trace d4ad3f10efc73e81 ]---
RIP: 0010:lookup_object lib/debugobjects.c:156 [inline]
RIP: 0010:debug_object_deactivate lib/debugobjects.c:542 [inline]
RIP: 0010:debug_object_deactivate+0x16c/0x4b0 lib/debugobjects.c:529
  rcu_read_unlock include/linux/rcupdate.h:660 [inline]
  is_bpf_text_address+0xb6/0x170 kernel/bpf/core.c:668
Code: c1 ea 03 42 80 3c 2a 00 0f 85 49 02 00 00 4d 8b 24 24 4d 85 e4 0f 84  
d1 00 00 00 49 8d 7c 24 18 83 c3 01 48 89 fa 48 c1 ea 03 <42> 80 3c 2a 00  
0f 85 fa 01 00 00 49 3b 4c 24 18 75 c0 49 8d 7c 24
  kernel_text_address+0x73/0xf0 kernel/extable.c:152
RSP: 0018:ffff8880ae707b80 EFLAGS: 00010003
  __kernel_text_address+0xd/0x40 kernel/extable.c:107
RAX: 1ffffffff16d60bc RBX: 0000000000000004 RCX: ffff8880ae726620
  unwind_get_return_address arch/x86/kernel/unwind_frame.c:18 [inline]
  unwind_get_return_address+0x61/0xa0 arch/x86/kernel/unwind_frame.c:13
RDX: 000000000000019d RSI: 0000000000000004 RDI: 0000000000000ced
  __save_stack_trace+0x8a/0xf0 arch/x86/kernel/stacktrace.c:45
RBP: ffff8880ae707c70 R08: 1ffff11015ce0f5c R09: ffffffff899b13e0
  save_stack_trace+0x1a/0x20 arch/x86/kernel/stacktrace.c:60
R10: 0000000000000086 R11: 0000000000000003 R12: 0000000000000cd5
R13: dffffc0000000000 R14: 1ffff11015ce0f74 R15: ffffffff8b6b05e8
  save_stack+0x45/0xd0 mm/kasan/common.c:73
FS:  0000000000000000(0000) GS:ffff8880ae700000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000068 CR3: 0000000096ff7000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@...glegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with  
syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ