lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 18 May 2024 13:40:19 +0800
From: Yuntao Wang <ytcoode@...il.com>
To: pengfei.xu@...el.com
Cc: akpm@...ux-foundation.org,
	andrii@...nel.org,
	ast@...nel.org,
	bpf@...r.kernel.org,
	daniel@...earbox.net,
	eddyz87@...il.com,
	haoluo@...gle.com,
	john.fastabend@...il.com,
	jolsa@...nel.org,
	kpsingh@...nel.org,
	linux-kernel@...r.kernel.org,
	martin.lau@...ux.dev,
	sdf@...gle.com,
	song@...nel.org,
	syzbot+a7f061d2d16154538c58@...kaller.appspotmail.com,
	syzkaller-bugs@...glegroups.com,
	yonghong.song@...ux.dev,
	ytcoode@...il.com,
	Baoquan He <bhe@...hat.com>
Subject: Re: [syzbot] [bpf?] possible deadlock in get_page_from_freelist

On Fri, 17 May 2024 15:15:00 +0800, Pengfei Xu <pengfei.xu@...el.com> wrote:

> Hi Yuntao,
> 
> Greeting!
> 
> On 2024-04-14 at 19:28:16 -0700, syzbot wrote:
> > Hello,
> > 
> > syzbot found the following issue on:
> > 
> > HEAD commit:    7efd0a74039f Merge tag 'ata-6.9-rc4' of git://git.kernel.o..
> > git tree:       upstream
> > console output: https://syzkaller.appspot.com/x/log.txt?x=1358aeed180000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=285be8dd6baeb438
> > dashboard link: https://syzkaller.appspot.com/bug?extid=a7f061d2d16154538c58
> > compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> > 
> > Unfortunately, I don't have any reproducer for this issue yet.
> > 
> 
> I used syzkaller and could reproduce the similar issue "WARNING in
> get_page_from_freelist" in v6.9 mainline kernel.
> 
> Bisected and found first bad commit:
> "
> 816d334afa85 kexec: modify the meaning of the end parameter in kimage_is_destination_range()
> "
> Revert above commit on top of v6.9 kernel this issue was gone.

Hi Pengfei,

I reviewed this commit multiple times, but I still couldn't figure out why this
commit would cause this issue. Could someone else please take a look? Thank you
very much!

Thanks,
Yuntao

> All detailed info: https://github.com/xupengfe/syzkaller_logs/tree/main/240517_085953_get_page_from_freelist
> mount_*.gz are in above link.
> Syzkaller reproduced code: https://github.com/xupengfe/syzkaller_logs/blob/main/240517_085953_get_page_from_freelist/rep.c
> Syzkaller syscall repro steps: https://github.com/xupengfe/syzkaller_logs/blob/main/240517_085953_get_page_from_freelist/repro.prog
> Syzkaller report: https://github.com/xupengfe/syzkaller_logs/blob/main/240517_085953_get_page_from_freelist/repro.report
> Kconfig(make olddefconfig): https://github.com/xupengfe/syzkaller_logs/blob/main/240517_085953_get_page_from_freelist/kconfig_origin
> Bisect info: https://github.com/xupengfe/syzkaller_logs/blob/main/240517_085953_get_page_from_freelist/bisect_info.log
> v6.9 dmesg: https://github.com/xupengfe/syzkaller_logs/blob/main/240517_085953_get_page_from_freelist/a38297e3fb012ddfa7ce0321a7e5a8daeb1872b6_dmesg.log
> v6.9 bzImage: https://github.com/xupengfe/syzkaller_logs/raw/main/240517_085953_get_page_from_freelist/bzImage_a38297e3fb012ddfa7ce0321a7e5a8daeb1872b6.tar.gz
> 
> [   17.436013] loop0: detected capacity change from 0 to 1024
> [   17.456160] I/O error, dev loop0, sector 0 op 0x0:(READ) flags 0x80700 phys_seg 1 prio class 0
> [   17.456746] loop0: detected capacity change from 0 to 1024
> [   17.456809] I/O error, dev loop0, sector 16 op 0x0:(READ) flags 0x80700 phys_seg 1 prio class 0
> [   17.457548] EXT4-fs: Invalid want_extra_isize 0
> [   17.575984] repro: page allocation failure: order:1, mode:0x10cc0(GFP_KERNEL|__GFP_NORETRY), nodemask=(null),cpuset=/,mems_allowed=0
> [   17.576621] CPU: 1 PID: 726 Comm: repro Not tainted 6.9.0-a38297e3fb01+ #1
> [   17.576930] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
> [   17.577412] Call Trace:
> [   17.577526]  <TASK>
> [   17.577626]  dump_stack_lvl+0x121/0x150
> [   17.577813]  dump_stack+0x19/0x20
> [   17.577969]  warn_alloc+0x218/0x350
> [   17.578133]  ? __pfx_warn_alloc+0x10/0x10
> [   17.578317]  ? __alloc_pages_direct_compact+0x130/0xa00
> [   17.578552]  ? __pfx___alloc_pages_direct_compact+0x10/0x10
> [   17.578803]  ? __drain_all_pages+0x27b/0x480
> [   17.579021]  __alloc_pages_slowpath.constprop.0+0x1b62/0x2160
> [   17.579291]  ? __pfx___alloc_pages_slowpath.constprop.0+0x10/0x10
> [   17.579569]  ? __pfx_get_page_from_freelist+0x10/0x10
> [   17.579802]  ? prepare_alloc_pages.constprop.0+0x15b/0x4f0
> [   17.580032]  __alloc_pages+0x48f/0x580
> [   17.580212]  ? __pfx___alloc_pages+0x10/0x10
> [   17.580392]  ? kasan_save_stack+0x40/0x60
> [   17.580583]  ? kasan_save_stack+0x2c/0x60
> [   17.580772]  ? kasan_save_track+0x18/0x40
> [   17.580946]  ? _find_first_bit+0x95/0xc0
> [   17.581114]  ? policy_nodemask+0xf9/0x450
> [   17.581300]  alloc_pages_mpol+0x296/0x590
> [   17.581487]  ? __pfx_alloc_pages_mpol+0x10/0x10
> [   17.581695]  ? arch_kexec_post_alloc_pages+0x37/0x70
> [   17.581924]  ? __pfx_write_comp_data+0x10/0x10
> [   17.582133]  alloc_pages+0x13f/0x160
> [   17.582302]  kimage_alloc_pages+0x79/0x240
> [   17.582498]  kimage_alloc_control_pages+0x1cb/0xa60
> [   17.582727]  ? __pfx_kimage_alloc_control_pages+0x10/0x10
> [   17.582973]  ? __sanitizer_cov_trace_const_cmp1+0x1e/0x30
> [   17.583224]  do_kexec_load+0x337/0x750
> [   17.583406]  __x64_sys_kexec_load+0x1cc/0x240
> [   17.583619]  x64_sys_call+0x1aa2/0x20c0
> [   17.583807]  do_syscall_64+0x6f/0x150
> [   17.583988]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
> [   17.584217] RIP: 0033:0x7f4f2ec3ee5d
> [   17.584382] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 93 af 1b 00 f7 d8 64 89 01 48
> [   17.585171] RSP: 002b:00007ffd101da888 EFLAGS: 00000246 ORIG_RAX: 00000000000000f6
> [   17.585500] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f4f2ec3ee5d
> [   17.585985] RDX: 00000000200003c0 RSI: 0000000000000002 RDI: 0000000000000000
> [   17.586346] RBP: 00007ffd101da8a0 R08: 0000000000000800 R09: 0000000000000800
> [   17.586656] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffd101da9b8
> [   17.587001] R13: 0000000000402862 R14: 0000000000412e08 R15: 00007f4f2ef30000
> [   17.587381]  </TASK>
> [   17.587559] Mem-Info:
> [   17.587667] active_anon:117 inactive_anon:14235 isolated_anon:0
> [   17.587667]  active_file:25278 inactive_file:25394 isolated_file:0
> [   17.587667]  unevictable:0 dirty:82 writeback:189
> [   17.587667]  slab_reclaimable:14774 slab_unreclaimable:23678
> [   17.587667]  mapped:13500 shmem:1187 pagetables:846
> [   17.587667]  sec_pagetables:0 bounce:0
> [   17.587667]  kernel_misc_reclaimable:0
> [   17.587667]  free:13396 free_pcp:37 free_cma:0
> [   17.589349] Node 0 active_anon:468kB inactive_anon:56940kB active_file:101112kB inactive_file:101576kB unevictable:0kB isolated(anon):0kB isolated(file):0kB mapped:54000kB dirty:328kB writeback:756kB shmem:4748kB shmem_thp:0kB shmem_pmdmapped:0kB anon_thp:0kB writeback_tmp:0kB kernel_stack:5504kB pagetables:3384kB sec_pagetables:0kB all_unreclaimable? no
> [   17.590712] Node 0 DMA free:6664kB boost:0kB min:424kB low:528kB high:632kB reserved_highatomic:0KB active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB writepending:0kB present:15992kB managed:15360kB mlocked:0kB bounce:0kB free_pcp:0kB local_pcp:0kB free_cma:0kB
> [   17.591848] lowmem_reserve[]: 0 1564 1564 1564 1564
> [   17.592075] Node 0 DMA32 free:46920kB boost:0kB min:44628kB low:55784kB high:66940kB reserved_highatomic:0KB active_anon:468kB inactive_anon:56940kB active_file:101072kB inactive_file:101568kB unevictable:0kB writepending:1504kB present:2080640kB managed:1620324kB mlocked:0kB bounce:0kB free_pcp:468kB local_pcp:0kB free_cma:0kB
> [   17.593443] lowmem_reserve[]: 0 0 0 0 0
> [   17.593624] Node 0 DMA: 0*4kB 2*8kB (UM) 1*16kB (M) 1*32kB (M) 1*64kB (M) 1*128kB (M) 1*256kB (M) 2*512kB (UM) 1*1024kB (M) 0*2048kB 1*4096kB (M) = 6656kB
> [   17.594261] Node 0 DMA32: 770*4kB (UME) 193*8kB (UME) 121*16kB (UME) 72*32kB (UME) 39*64kB (UME) 15*128kB (ME) 7*256kB (UM) 4*512kB (ME) 2*1024kB (UM) 4*2048kB (UME) 5*4096kB (M) = 47840kB
> [   17.595020] Node 0 hugepages_total=0 hugepages_free=0 hugepages_surp=0 hugepages_size=1048576kB
> [   17.595399] Node 0 hugepages_total=0 hugepages_free=0 hugepages_surp=0 hugepages_size=2048kB
> [   17.595774] 51855 total pagecache pages
> [   17.595949] 0 pages in swap cache
> [   17.596170] Free swap  = 0kB
> [   17.596304] Total swap = 0kB
> [   17.596440] 524158 pages RAM
> [   17.596589] 0 pages HighMem/MovableOnly
> [   17.596767] 115237 pages reserved
> [   17.596934] 0 pages cma reserved
> [   17.597149] 0 pages hwpoisoned
> [   17.645660] kexec: Could not allocate control_code_buffer
> [   17.785654] loop0: detected capacity change from 0 to 65536
> [   17.787652] =======================================================
> [   17.787652] WARNING: The mand mount option has been deprecated and
> [   17.787652]          and is ignored by this kernel. Remove the mand
> [   17.787652]          option from the mount to silence this warning.
> [   17.787652] =======================================================
> [   17.801532] XFS (loop0): cannot change alignment: superblock does not support data alignment
> [   17.878479] loop0: detected capacity change from 0 to 1024
> [   17.888666] I/O error, dev loop0, sector 0 op 0x0:(READ) flags 0x80700 phys_seg 1 prio class 0
> [   17.894988] loop0: detected capacity change from 0 to 1024
> [   17.895613] EXT4-fs: Invalid want_extra_isize 0
> [   17.909948] loop0: detected capacity change from 0 to 128
> [   18.105190] kexec: Could not allocate control_code_buffer
> 
> Hope it's helpful.
> 
> Thanks!
> 
> ---
> 
> If you don't need the following environment to reproduce the problem or if you
> already have one reproduced environment, please ignore the following information.
> 
> How to reproduce:
> git clone https://gitlab.com/xupengfe/repro_vm_env.git
> cd repro_vm_env
> tar -xvf repro_vm_env.tar.gz
> cd repro_vm_env; ./start3.sh  // it needs qemu-system-x86_64 and I used v7.1.0
>   // start3.sh will load bzImage_2241ab53cbb5cdb08a6b2d4688feb13971058f65 v6.2-rc5 kernel
>   // You could change the bzImage_xxx as you want
>   // Maybe you need to remove line "-drive if=pflash,format=raw,readonly=on,file=./OVMF_CODE.fd \" for different qemu version
> You could use below command to log in, there is no password for root.
> ssh -p 10023 root@...alhost
> 
> After login vm(virtual machine) successfully, you could transfer reproduced
> binary to the vm by below way, and reproduce the problem in vm:
> gcc -pthread -o repro repro.c
> scp -P 10023 repro root@...alhost:/root/
> 
> Get the bzImage for target kernel:
> Please use target kconfig and copy it to kernel_src/.config
> make olddefconfig
> make -jx bzImage           //x should equal or less than cpu num your pc has
> 
> Fill the bzImage file into above start3.sh to load the target kernel in vm.
> 
> 
> Tips:
> If you already have qemu-system-x86_64, please ignore below info.
> If you want to install qemu v7.1.0 version:
> git clone https://github.com/qemu/qemu.git
> cd qemu
> git checkout -f v7.1.0
> mkdir build
> cd build
> yum install -y ninja-build.x86_64
> yum -y install libslirp-devel.x86_64
> ../configure --target-list=x86_64-softmmu --enable-kvm --enable-vnc --enable-gtk --enable-sdl --enable-usb-redir --enable-slirp
> make
> make install
> 
> Best Regards,
> Thanks!
> 
> 
> > Downloadable assets:
> > disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7bc7510fe41f/non_bootable_disk-7efd0a74.raw.xz
> > vmlinux: https://storage.googleapis.com/syzbot-assets/39eb4e17e7f0/vmlinux-7efd0a74.xz
> > kernel image: https://storage.googleapis.com/syzbot-assets/b9a08c36e0ca/bzImage-7efd0a74.xz
> > 
> > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > Reported-by: syzbot+a7f061d2d16154538c58@...kaller.appspotmail.com
> > 
> > ======================================================
> > WARNING: possible circular locking dependency detected
> > 6.9.0-rc3-syzkaller-00355-g7efd0a74039f #0 Not tainted
> > ------------------------------------------------------
> > syz-executor.2/7645 is trying to acquire lock:
> > ffff88807ffd7d58 (&zone->lock){-.-.}-{2:2}, at: rmqueue_buddy mm/page_alloc.c:2730 [inline]
> > ffff88807ffd7d58 (&zone->lock){-.-.}-{2:2}, at: rmqueue mm/page_alloc.c:2911 [inline]
> > ffff88807ffd7d58 (&zone->lock){-.-.}-{2:2}, at: get_page_from_freelist+0x4b9/0x3780 mm/page_alloc.c:3314
> > 
> > but task is already holding lock:
> > ffff88802c8739f8 (&trie->lock){-.-.}-{2:2}, at: trie_update_elem+0xc8/0xdd0 kernel/bpf/lpm_trie.c:324
> > 
> > which lock already depends on the new lock.
> > 
> > 
> > the existing dependency chain (in reverse order) is:
> > 
> > -> #1 (&trie->lock){-.-.}-{2:2}:
> >        __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
> >        _raw_spin_lock_irqsave+0x3a/0x60 kernel/locking/spinlock.c:162
> >        trie_delete_elem+0xb0/0x7e0 kernel/bpf/lpm_trie.c:451
> >        ___bpf_prog_run+0x3e51/0xabd0 kernel/bpf/core.c:1997
> >        __bpf_prog_run32+0xc1/0x100 kernel/bpf/core.c:2236
> >        bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline]
> >        __bpf_prog_run include/linux/filter.h:657 [inline]
> >        bpf_prog_run include/linux/filter.h:664 [inline]
> >        __bpf_trace_run kernel/trace/bpf_trace.c:2381 [inline]
> >        bpf_trace_run2+0x151/0x420 kernel/trace/bpf_trace.c:2420
> >        __bpf_trace_contention_end+0xca/0x110 include/trace/events/lock.h:122
> >        trace_contention_end.constprop.0+0xea/0x170 include/trace/events/lock.h:122
> >        __pv_queued_spin_lock_slowpath+0x266/0xc80 kernel/locking/qspinlock.c:560
> >        pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:584 [inline]
> >        queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:51 [inline]
> >        queued_spin_lock include/asm-generic/qspinlock.h:114 [inline]
> >        do_raw_spin_lock+0x210/0x2c0 kernel/locking/spinlock_debug.c:116
> >        __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:111 [inline]
> >        _raw_spin_lock_irqsave+0x42/0x60 kernel/locking/spinlock.c:162
> >        rmqueue_bulk mm/page_alloc.c:2131 [inline]
> >        __rmqueue_pcplist+0x5a8/0x1b00 mm/page_alloc.c:2826
> >        rmqueue_pcplist mm/page_alloc.c:2868 [inline]
> >        rmqueue mm/page_alloc.c:2905 [inline]
> >        get_page_from_freelist+0xbaa/0x3780 mm/page_alloc.c:3314
> >        __alloc_pages+0x22b/0x2460 mm/page_alloc.c:4575
> >        __alloc_pages_node include/linux/gfp.h:238 [inline]
> >        alloc_pages_node include/linux/gfp.h:261 [inline]
> >        alloc_slab_page mm/slub.c:2175 [inline]
> >        allocate_slab mm/slub.c:2338 [inline]
> >        new_slab+0xcc/0x3a0 mm/slub.c:2391
> >        ___slab_alloc+0x66d/0x1790 mm/slub.c:3525
> >        __slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3610
> >        __slab_alloc_node mm/slub.c:3663 [inline]
> >        slab_alloc_node mm/slub.c:3835 [inline]
> >        __do_kmalloc_node mm/slub.c:3965 [inline]
> >        __kmalloc_node_track_caller+0x367/0x470 mm/slub.c:3986
> >        kmalloc_reserve+0xef/0x2c0 net/core/skbuff.c:599
> >        __alloc_skb+0x164/0x380 net/core/skbuff.c:668
> >        alloc_skb include/linux/skbuff.h:1313 [inline]
> >        nsim_dev_trap_skb_build drivers/net/netdevsim/dev.c:748 [inline]
> >        nsim_dev_trap_report drivers/net/netdevsim/dev.c:805 [inline]
> >        nsim_dev_trap_report_work+0x2a4/0xc80 drivers/net/netdevsim/dev.c:850
> >        process_one_work+0x9a9/0x1ac0 kernel/workqueue.c:3254
> >        process_scheduled_works kernel/workqueue.c:3335 [inline]
> >        worker_thread+0x6c8/0xf70 kernel/workqueue.c:3416
> >        kthread+0x2c1/0x3a0 kernel/kthread.c:388
> >        ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
> >        ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
> > 
> > -> #0 (&zone->lock){-.-.}-{2:2}:
> >        check_prev_add kernel/locking/lockdep.c:3134 [inline]
> >        check_prevs_add kernel/locking/lockdep.c:3253 [inline]
> >        validate_chain kernel/locking/lockdep.c:3869 [inline]
> >        __lock_acquire+0x2478/0x3b30 kernel/locking/lockdep.c:5137
> >        lock_acquire kernel/locking/lockdep.c:5754 [inline]
> >        lock_acquire+0x1b1/0x560 kernel/locking/lockdep.c:5719
> >        __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
> >        _raw_spin_lock_irqsave+0x3a/0x60 kernel/locking/spinlock.c:162
> >        rmqueue_buddy mm/page_alloc.c:2730 [inline]
> >        rmqueue mm/page_alloc.c:2911 [inline]
> >        get_page_from_freelist+0x4b9/0x3780 mm/page_alloc.c:3314
> >        __alloc_pages+0x22b/0x2460 mm/page_alloc.c:4575
> >        __alloc_pages_node include/linux/gfp.h:238 [inline]
> >        alloc_pages_node include/linux/gfp.h:261 [inline]
> >        __kmalloc_large_node+0x7f/0x1a0 mm/slub.c:3911
> >        __do_kmalloc_node mm/slub.c:3954 [inline]
> >        __kmalloc_node.cold+0x5/0x5f mm/slub.c:3973
> >        kmalloc_node include/linux/slab.h:648 [inline]
> >        bpf_map_kmalloc_node+0x98/0x4a0 kernel/bpf/syscall.c:422
> >        lpm_trie_node_alloc kernel/bpf/lpm_trie.c:291 [inline]
> >        trie_update_elem+0x1ef/0xdd0 kernel/bpf/lpm_trie.c:333
> >        bpf_map_update_value+0x2c1/0x6c0 kernel/bpf/syscall.c:203
> >        map_update_elem+0x623/0x910 kernel/bpf/syscall.c:1641
> >        __sys_bpf+0xab9/0x4b40 kernel/bpf/syscall.c:5648
> >        __do_sys_bpf kernel/bpf/syscall.c:5767 [inline]
> >        __se_sys_bpf kernel/bpf/syscall.c:5765 [inline]
> >        __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5765
> >        do_syscall_x64 arch/x86/entry/common.c:52 [inline]
> >        do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
> >        entry_SYSCALL_64_after_hwframe+0x77/0x7f
> > 
> > other info that might help us debug this:
> > 
> >  Possible unsafe locking scenario:
> > 
> >        CPU0                    CPU1
> >        ----                    ----
> >   lock(&trie->lock);
> >                                lock(&zone->lock);
> >                                lock(&trie->lock);
> >   lock(&zone->lock);
> > 
> >  *** DEADLOCK ***
> > 
> > 2 locks held by syz-executor.2/7645:
> >  #0: ffffffff8d7b0e20 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:329 [inline]
> >  #0: ffffffff8d7b0e20 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:781 [inline]
> >  #0: ffffffff8d7b0e20 (rcu_read_lock){....}-{1:2}, at: bpf_map_update_value+0x24b/0x6c0 kernel/bpf/syscall.c:202
> >  #1: ffff88802c8739f8 (&trie->lock){-.-.}-{2:2}, at: trie_update_elem+0xc8/0xdd0 kernel/bpf/lpm_trie.c:324
> > 
> > stack backtrace:
> > CPU: 1 PID: 7645 Comm: syz-executor.2 Not tainted 6.9.0-rc3-syzkaller-00355-g7efd0a74039f #0
> > Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
> > Call Trace:
> >  <TASK>
> >  __dump_stack lib/dump_stack.c:88 [inline]
> >  dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114
> >  check_noncircular+0x31a/0x400 kernel/locking/lockdep.c:2187
> >  check_prev_add kernel/locking/lockdep.c:3134 [inline]
> >  check_prevs_add kernel/locking/lockdep.c:3253 [inline]
> >  validate_chain kernel/locking/lockdep.c:3869 [inline]
> >  __lock_acquire+0x2478/0x3b30 kernel/locking/lockdep.c:5137
> >  lock_acquire kernel/locking/lockdep.c:5754 [inline]
> >  lock_acquire+0x1b1/0x560 kernel/locking/lockdep.c:5719
> >  __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
> >  _raw_spin_lock_irqsave+0x3a/0x60 kernel/locking/spinlock.c:162
> >  rmqueue_buddy mm/page_alloc.c:2730 [inline]
> >  rmqueue mm/page_alloc.c:2911 [inline]
> >  get_page_from_freelist+0x4b9/0x3780 mm/page_alloc.c:3314
> >  __alloc_pages+0x22b/0x2460 mm/page_alloc.c:4575
> >  __alloc_pages_node include/linux/gfp.h:238 [inline]
> >  alloc_pages_node include/linux/gfp.h:261 [inline]
> >  __kmalloc_large_node+0x7f/0x1a0 mm/slub.c:3911
> >  __do_kmalloc_node mm/slub.c:3954 [inline]
> >  __kmalloc_node.cold+0x5/0x5f mm/slub.c:3973
> >  kmalloc_node include/linux/slab.h:648 [inline]
> >  bpf_map_kmalloc_node+0x98/0x4a0 kernel/bpf/syscall.c:422
> >  lpm_trie_node_alloc kernel/bpf/lpm_trie.c:291 [inline]
> >  trie_update_elem+0x1ef/0xdd0 kernel/bpf/lpm_trie.c:333
> >  bpf_map_update_value+0x2c1/0x6c0 kernel/bpf/syscall.c:203
> >  map_update_elem+0x623/0x910 kernel/bpf/syscall.c:1641
> >  __sys_bpf+0xab9/0x4b40 kernel/bpf/syscall.c:5648
> >  __do_sys_bpf kernel/bpf/syscall.c:5767 [inline]
> >  __se_sys_bpf kernel/bpf/syscall.c:5765 [inline]
> >  __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5765
> >  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
> >  do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
> >  entry_SYSCALL_64_after_hwframe+0x77/0x7f
> > RIP: 0033:0x7fdb1c27de69
> > Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
> > RSP: 002b:00007fdb1d0210c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
> > RAX: ffffffffffffffda RBX: 00007fdb1c3abf80 RCX: 00007fdb1c27de69
> > RDX: 0000000000000020 RSI: 0000000020001400 RDI: 0000000000000002
> > RBP: 00007fdb1c2ca47a R08: 0000000000000000 R09: 0000000000000000
> > R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
> > R13: 000000000000000b R14: 00007fdb1c3abf80 R15: 00007ffe7cd30f08
> >  </TASK>
> > loop2: detected capacity change from 0 to 512
> > ext4: Unknown parameter '���������������3;�{\C	_r���f�gD\x19Z*��ג�Md�;�s�8)V^[�Z�-#��S%\x19�SY�E`1t\x10AS�>�>���\x0ed]�x��h'
> > 
> > 
> > ---
> > This report is generated by a bot. It may contain errors.
> > See https://goo.gl/tpsmEJ for more information about syzbot.
> > syzbot engineers can be reached at syzkaller@...glegroups.com.
> > 
> > syzbot will keep track of this issue. See:
> > https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> > 
> > If the report is already addressed, let syzbot know by replying with:
> > #syz fix: exact-commit-title
> > 
> > If you want to overwrite report's subsystems, reply with:
> > #syz set subsystems: new-subsystem
> > (See the list of subsystem names on the web dashboard)
> > 
> > If the report is a duplicate of another one, reply with:
> > #syz dup: exact-subject-of-another-report
> > 
> > If you want to undo deduplication, reply with:
> > #syz undup

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ