lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Wed, 17 Apr 2024 19:39:02 -0700
From: syzbot <syzbot+7fd4b85697bcf2a9daa2@...kaller.appspotmail.com>
To: hdanton@...a.com, linux-kernel@...r.kernel.org, 
	syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [mm?] KASAN: slab-use-after-free Read in hugetlb_fault

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING: suspicious RCU usage in __do_softirq

=============================
WARNING: suspicious RCU usage
6.9.0-rc3-next-20240412-syzkaller-dirty #0 Not tainted
-----------------------------
kernel/rcu/tree.c:276 Illegal rcu_softirq_qs() in RCU read-side critical section!

other info that might help us debug this:


rcu_scheduler_active = 2, debug_locks = 1
1 lock held by ksoftirqd/0/16:
 #0: ffffffff8e334060 (rcu_read_lock_sched){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:329 [inline]
 #0: ffffffff8e334060 (rcu_read_lock_sched){....}-{1:2}, at: rcu_read_lock_sched include/linux/rcupdate.h:933 [inline]
 #0: ffffffff8e334060 (rcu_read_lock_sched){....}-{1:2}, at: pfn_valid include/linux/mmzone.h:2019 [inline]
 #0: ffffffff8e334060 (rcu_read_lock_sched){....}-{1:2}, at: __virt_addr_valid+0x183/0x520 arch/x86/mm/physaddr.c:65

stack backtrace:
CPU: 0 PID: 16 Comm: ksoftirqd/0 Not tainted 6.9.0-rc3-next-20240412-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
 lockdep_rcu_suspicious+0x221/0x340 kernel/locking/lockdep.c:6712
 rcu_softirq_qs+0xd9/0x370 kernel/rcu/tree.c:273
 __do_softirq+0x5fd/0x980 kernel/softirq.c:568
 invoke_softirq kernel/softirq.c:428 [inline]
 __irq_exit_rcu+0xf2/0x1c0 kernel/softirq.c:633
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:645
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
 sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:lock_release+0x51/0x9f0 kernel/locking/lockdep.c:5762
Code: 04 25 28 00 00 00 48 89 84 24 e0 00 00 00 49 bf 00 00 00 00 00 fc ff df 48 c7 44 24 60 b3 8a b5 41 48 c7 44 24 68 5d 09 b4 8d <48> c7 44 24 70 e0 d2 72 81 4c 8d 64 24 60 49 c1 ec 03 48 b8 f1 f1
RSP: 0018:ffffc90000157920 EFLAGS: 00000282
RAX: 1ce013f6d4eb5b00 RBX: 0000000000000001 RCX: ffff888016ec5a00
RDX: 0000000000000000 RSI: ffffffff81423eb3 RDI: ffffffff8e334060
RBP: ffffc90000157a48 R08: ffffffff81424067 R09: 1ffffffff25ee6b4
R10: dffffc0000000000 R11: fffffbfff25ee6b5 R12: 000000002524d378
R13: ffffffff81423eb3 R14: ffffffff81423eb3 R15: dffffc0000000000
 rcu_lock_release include/linux/rcupdate.h:339 [inline]
 rcu_read_unlock_sched include/linux/rcupdate.h:954 [inline]
 pfn_valid include/linux/mmzone.h:2029 [inline]
 __virt_addr_valid+0x41e/0x520 arch/x86/mm/physaddr.c:65
 kasan_addr_to_slab+0xd/0x80 mm/kasan/common.c:37
 __kasan_record_aux_stack+0x11/0xc0 mm/kasan/generic.c:526
 __call_rcu_common kernel/rcu/tree.c:3102 [inline]
 call_rcu+0x167/0xa70 kernel/rcu/tree.c:3206
 context_switch kernel/sched/core.c:5412 [inline]
 __schedule+0x17f0/0x4a50 kernel/sched/core.c:6746
 __schedule_loop kernel/sched/core.c:6823 [inline]
 schedule+0x14b/0x320 kernel/sched/core.c:6838
 smpboot_thread_fn+0x61e/0xa30 kernel/smpboot.c:160
 kthread+0x2f0/0x390 kernel/kthread.c:389
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>
----------------
Code disassembly (best guess):
   0:	04 25                	add    $0x25,%al
   2:	28 00                	sub    %al,(%rax)
   4:	00 00                	add    %al,(%rax)
   6:	48 89 84 24 e0 00 00 	mov    %rax,0xe0(%rsp)
   d:	00
   e:	49 bf 00 00 00 00 00 	movabs $0xdffffc0000000000,%r15
  15:	fc ff df
  18:	48 c7 44 24 60 b3 8a 	movq   $0x41b58ab3,0x60(%rsp)
  1f:	b5 41
  21:	48 c7 44 24 68 5d 09 	movq   $0xffffffff8db4095d,0x68(%rsp)
  28:	b4 8d
* 2a:	48 c7 44 24 70 e0 d2 	movq   $0xffffffff8172d2e0,0x70(%rsp) <-- trapping instruction
  31:	72 81
  33:	4c 8d 64 24 60       	lea    0x60(%rsp),%r12
  38:	49 c1 ec 03          	shr    $0x3,%r12
  3c:	48                   	rex.W
  3d:	b8                   	.byte 0xb8
  3e:	f1                   	int1
  3f:	f1                   	int1


Tested on:

commit:         9ed46da1 Add linux-next specific files for 20240412
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=1260ada3180000
kernel config:  https://syzkaller.appspot.com/x/.config?x=7ea0abc478c49859
dashboard link: https://syzkaller.appspot.com/bug?extid=7fd4b85697bcf2a9daa2
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=16ccb37d180000

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ