lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <0000000000001acac206201f3799@google.com>
Date: Tue, 20 Aug 2024 08:38:20 -0700
From: syzbot <syzbot+474a2013b471c709388f@...kaller.appspotmail.com>
To: andrii@...nel.org, ast@...nel.org, bpf@...r.kernel.org, 
	daniel@...earbox.net, eddyz87@...il.com, haoluo@...gle.com, 
	john.fastabend@...il.com, jolsa@...nel.org, kpsingh@...nel.org, 
	linux-kernel@...r.kernel.org, martin.lau@...ux.dev, sdf@...ichev.me, 
	song@...nel.org, syzkaller-bugs@...glegroups.com, yonghong.song@...ux.dev
Subject: [syzbot] [bpf?] WARNING: bad unlock balance in search_bpf_extables

Hello,

syzbot found the following issue on:

HEAD commit:    bb1b0acdcd66 Add linux-next specific files for 20240820
git tree:       linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=139e8bc5980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=49406de25a441ccf
dashboard link: https://syzkaller.appspot.com/bug?extid=474a2013b471c709388f
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/ebc2ae824293/disk-bb1b0acd.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/5f62bd0c0e25/vmlinux-bb1b0acd.xz
kernel image: https://storage.googleapis.com/syzbot-assets/ddf6d0bc053d/bzImage-bb1b0acd.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+474a2013b471c709388f@...kaller.appspotmail.com

=====================================
WARNING: bad unlock balance detected!
6.11.0-rc4-next-20240820-syzkaller #0 Tainted: G        W         
-------------------------------------
syz.0.777/8282 is trying to release lock (rcu_read_lock) at:
[<ffffffff81a2bae6>] rcu_lock_acquire include/linux/rcupdate.h:337 [inline]
[<ffffffff81a2bae6>] rcu_read_lock include/linux/rcupdate.h:849 [inline]
[<ffffffff81a2bae6>] search_bpf_extables+0x26/0x3f0 kernel/bpf/core.c:788
but there are no more locks to release!

other info that might help us debug this:
1 lock held by syz.0.777/8282:
 #0: ffffffff8e7f6780 (sched_map-wait-type-override){+.+.}-{2:2}, at: sched_submit_work kernel/sched/core.c:6710 [inline]
 #0: ffffffff8e7f6780 (sched_map-wait-type-override){+.+.}-{2:2}, at: schedule+0x90/0x320 kernel/sched/core.c:6768

stack backtrace:
CPU: 1 UID: 0 PID: 8282 Comm: syz.0.777 Tainted: G        W          6.11.0-rc4-next-20240820-syzkaller #0
Tainted: [W]=WARN
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 print_unlock_imbalance_bug+0x256/0x2c0 kernel/locking/lockdep.c:5202
 __lock_release kernel/locking/lockdep.c:5439 [inline]
 lock_release+0x5cb/0xa30 kernel/locking/lockdep.c:5783
 rcu_lock_release include/linux/rcupdate.h:347 [inline]
 rcu_read_unlock include/linux/rcupdate.h:880 [inline]
 search_bpf_extables+0x39b/0x3f0 kernel/bpf/core.c:797
 fixup_exception+0xaf/0x1cc0 arch/x86/mm/extable.c:320
 kernelmode_fixup_or_oops+0x66/0xf0 arch/x86/mm/fault.c:728
 __bad_area_nosemaphore+0x118/0x770 arch/x86/mm/fault.c:785
 </TASK>
BUG: unable to handle page fault for address: fffff91f94aa1658
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 23ffe5067 P4D 23ffe5067 PUD 0 
Oops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 1 UID: 0 PID: 8282 Comm: syz.0.777 Tainted: G        W          6.11.0-rc4-next-20240820-syzkaller #0
Tainted: [W]=WARN
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
RIP: 7380:vprintk_emit+0x387/0x7c0
Code: 00 00 00 fa 41 bf 00 02 00 00 be 00 02 00 00 48 21 de 31 ff e8 1a f5 1f 00 49 21 df 75 27 e8 30 f0 1f 00 eb 2a e8 29 f0 1f 00 <48> 8b 5c 24 08 e9 d6 02 00 00 e8 1a f0 1f 00 c6 05 c3 5c 84 13 01
RSP: 3e16:0000000000000000 EFLAGS: 1ffff92001342e48 ORIG_RAX: ffffc90009a17310
RAX: ffffffff8e0428e9 RBX: ffffc90009a17320 RCX: ffffffff8e7d1aa0
RDX: dffffc0000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffffff8173d087 R08: 0000000045e0360e R09: ffffffff8c051300
R10: 0000000000000000 R11: 1ffff92001342e3c R12: ffffc90009a172b0
R13: 0000000000000000 R14: 0000000000000000 R15: dffffc0000000000
FS:  00005555889b6500(0000) GS:ffff8880b9100000(0000) knlGS:0000000000000000
CS:  7380 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffff91f94aa1658 CR3: 000000002f8fc000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 </TASK>
Modules linked in:
CR2: fffff91f94aa1658
---[ end trace 0000000000000000 ]---
RIP: 7380:vprintk_emit+0x387/0x7c0
Code: 00 00 00 fa 41 bf 00 02 00 00 be 00 02 00 00 48 21 de 31 ff e8 1a f5 1f 00 49 21 df 75 27 e8 30 f0 1f 00 eb 2a e8 29 f0 1f 00 <48> 8b 5c 24 08 e9 d6 02 00 00 e8 1a f0 1f 00 c6 05 c3 5c 84 13 01
RSP: 3e16:0000000000000000 EFLAGS: 1ffff92001342e48 ORIG_RAX: ffffc90009a17310
RAX: ffffffff8e0428e9 RBX: ffffc90009a17320 RCX: ffffffff8e7d1aa0
RDX: dffffc0000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffffff8173d087 R08: 0000000045e0360e R09: ffffffff8c051300
R10: 0000000000000000 R11: 1ffff92001342e3c R12: ffffc90009a172b0
R13: 0000000000000000 R14: 0000000000000000 R15: dffffc0000000000
FS:  00005555889b6500(0000) GS:ffff8880b9100000(0000) knlGS:0000000000000000
CS:  7380 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffff91f94aa1658 CR3: 000000002f8fc000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	00 00                	add    %al,(%rax)
   2:	00 fa                	add    %bh,%dl
   4:	41 bf 00 02 00 00    	mov    $0x200,%r15d
   a:	be 00 02 00 00       	mov    $0x200,%esi
   f:	48 21 de             	and    %rbx,%rsi
  12:	31 ff                	xor    %edi,%edi
  14:	e8 1a f5 1f 00       	call   0x1ff533
  19:	49 21 df             	and    %rbx,%r15
  1c:	75 27                	jne    0x45
  1e:	e8 30 f0 1f 00       	call   0x1ff053
  23:	eb 2a                	jmp    0x4f
  25:	e8 29 f0 1f 00       	call   0x1ff053
* 2a:	48 8b 5c 24 08       	mov    0x8(%rsp),%rbx <-- trapping instruction
  2f:	e9 d6 02 00 00       	jmp    0x30a
  34:	e8 1a f0 1f 00       	call   0x1ff053
  39:	c6 05 c3 5c 84 13 01 	movb   $0x1,0x13845cc3(%rip)        # 0x13845d03


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@...glegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ