Message-ID: <67176c28.050a0220.10f4f4.0116.GAE@google.com>
Date: Tue, 22 Oct 2024 02:11:04 -0700
From: syzbot <syzbot+a234c2d63e0c171ca10e@...kaller.appspotmail.com>
To: eadavis@...com, linux-kernel@...r.kernel.org,
syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [serial?] BUG: soft lockup in debug_check_no_obj_freed
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
dm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1
[ 48.861396][ T2667] BUG: sleeping function called from invalid context at lib/debugobjects.c:980
[ 48.877826][ T2667] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 2667, name: syz-executor
[ 48.890544][ T2667] preempt_count: 1, expected: 0
[ 48.898231][ T2667] RCU nest depth: 0, expected: 0
[ 48.904686][ T2667] 4 locks held by syz-executor/2667:
[ 48.911218][ T2667] #0: ffff888114445278 (&type->i_mutex_dir_key#3){++++}-{3:3}, at: do_lock_mount+0xb0/0x5b0
[ 48.924655][ T2667] #1: ffffffff89081290 (namespace_sem){++++}-{3:3}, at: do_lock_mount+0xfc/0x5b0
[ 48.935892][ T2667] #2: ffffffff88c147d0 (mount_lock){+.+.}-{2:2}, at: attach_recursive_mnt+0x3c2/0x1390
[ 48.948526][ T2667] #3: ffffffff88c14788 (mount_lock.seqcount){+.+.}-{0:0}, at: graft_tree+0x189/0x210
[ 48.960552][ T2667] Preemption disabled at:
[ 48.960567][ T2667] [<0000000000000000>] 0x0
[ 48.970864][ T2667] CPU: 0 UID: 0 PID: 2667 Comm: syz-executor Tainted: G W 6.12.0-rc4-syzkaller-gc6d9e43954bf-dirty #0
[ 48.985996][ T2667] Tainted: [W]=WARN
[ 48.991724][ T2667] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
[ 49.005223][ T2667] Call Trace:
[ 49.008776][ T2667] <TASK>
[ 49.012127][ T2667] dump_stack_lvl+0x16c/0x1f0
[ 49.018075][ T2667] __might_resched+0x3c0/0x5e0
[ 49.023869][ T2667] ? __pfx___might_resched+0x10/0x10
[ 49.029728][ T2667] ? __pfx___lock_acquire+0x10/0x10
[ 49.036238][ T2667] debug_check_no_obj_freed+0x53c/0x630
[ 49.043451][ T2667] ? lock_acquire.part.0+0x11b/0x380
[ 49.049655][ T2667] ? find_held_lock+0x2d/0x110
[ 49.054935][ T2667] ? __pfx_debug_check_no_obj_freed+0x10/0x10
[ 49.061395][ T2667] ? __pfx_do_raw_spin_lock+0x10/0x10
[ 49.067070][ T2667] ? lock_acquire+0x2f/0xb0
[ 49.072430][ T2667] kfree+0x294/0x480
[ 49.077721][ T2667] ? dput_to_list+0xcb/0x620
[ 49.083416][ T2667] ? attach_recursive_mnt+0x81e/0x1390
[ 49.089902][ T2667] attach_recursive_mnt+0x81e/0x1390
[ 49.096318][ T2667] ? __pfx_attach_recursive_mnt+0x10/0x10
[ 49.102547][ T2667] ? do_raw_spin_lock+0x12d/0x2c0
[ 49.108084][ T2667] ? rcu_is_watching+0x12/0xc0
[ 49.113238][ T2667] ? kfree+0x255/0x480
[ 49.117674][ T2667] ? lockref_get+0x15/0x50
[ 49.122409][ T2667] graft_tree+0x189/0x210
[ 49.127635][ T2667] do_add_mount+0x1ca/0x320
[ 49.132594][ T2667] path_mount+0x1a55/0x1f20
[ 49.137597][ T2667] ? kmem_cache_free+0x133/0x480
[ 49.142592][ T2667] ? __pfx_path_mount+0x10/0x10
[ 49.148066][ T2667] ? putname+0x12e/0x170
[ 49.152345][ T2667] __x64_sys_mount+0x294/0x320
[ 49.157339][ T2667] ? __pfx___x64_sys_mount+0x10/0x10
[ 49.162856][ T2667] do_syscall_64+0xcd/0x250
[ 49.167666][ T2667] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 49.173754][ T2667] RIP: 0033:0x7fa944d2f79a
[ 49.178378][ T2667] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 1a 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 49.199423][ T2667] RSP: 002b:00007fffc0b53128 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 49.207960][ T2667] RAX: ffffffffffffffda RBX: 00007fa944da0685 RCX: 00007fa944d2f79a
[ 49.216037][ T2667] RDX: 00007fa944db1e82 RSI: 00007fa944da0685 RDI: 00007fa944dd6142
[ 49.224417][ T2667] RBP: 00007fffc0b531c0 R08: 0000000000000000 R09: 0000000000000000
[ 49.232670][ T2667] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fffc0b531c0
[ 49.241111][ T2667] R13: 00007fffc0b531c8 R14: 0000000000000009 R15: 0000000000000000
[ 49.250017][ T2667] </TASK>
[ 49.276465][ T29] audit: type=1400 audit(1729588219.617:104): avc: denied { open } for pid=2667 comm="syz-executor" path="net:[4026531840]" dev="nsfs" ino=4026531840 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1
[ 49.306676][ T29] audit: type=1400 audit(1729588219.617:105): avc: denied { mounton } for pid=2667 comm="syz-executor" path="/" dev="sda1" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:root_t tclass=dir permissive=1
[ 49.330945][ T29] audit: type=1400 audit(1729588219.667:106): avc: denied { create } for pid=2664 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=user_namespace permissive=1
[ 49.369864][ T29] audit: type=1400 audit(1729588219.667:107): avc: denied { sys_admin } for pid=2664 comm="syz-executor" capability=21 scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=cap_userns permissive=1
[ 49.394939][ T29] audit: type=1400 audit(1729588219.677:108): avc: denied { mounton } for pid=2667 comm="syz-executor" path="/root/syzkaller.BUEqlw/syz-tmp" dev="sda1" ino=1945 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_home_t tclass=dir permissive=1
[ 49.436103][ T29] audit: type=1400 audit(1729588219.677:109): avc: denied { mount } for pid=2667 comm="syz-executor" name="/" dev="tmpfs" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=1
[ 49.468685][ T29] audit: type=1400 audit(1729588220.087:110): avc: denied { mounton } for pid=2670 comm="syz-executor" path="/root/syzkaller.Oc9e9i/syz-tmp/newroot/dev" dev="tmpfs" ino=3 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_tmpfs_t tclass=dir permissive=1
[ 49.528778][ T2670] soft_limit_in_bytes is deprecated and will be removed. Please report your usecase to linux-mm@...ck.org if you depend on this functionality.
[ 49.556665][ T29] audit: type=1400 audit(1729588220.097:111): avc: denied { mount } for pid=2670 comm="syz-executor" name="/" dev="proc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:proc_t tclass=filesystem permissive=1
[ 49.879856][ T2694] BUG: sleeping function called from invalid context at lib/debugobjects.c:980
[ 49.889038][ T2694] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 2694, name: syz-executor
[ 49.898916][ T2694] preempt_count: 1, expected: 0
[ 49.903970][ T2694] RCU nest depth: 0, expected: 0
[ 49.909388][ T2694] 4 locks held by syz-executor/2694:
[ 49.916059][ T2694] #0: ffff888114446fe8 (&type->i_mutex_dir_key#3){++++}-{3:3}, at: do_lock_mount+0xb0/0x5b0
[ 49.927597][ T2694] #1: ffffffff89081290 (namespace_sem){++++}-{3:3}, at: do_lock_mount+0xfc/0x5b0
[ 49.938187][ T2694] #2: ffffffff88c147d0 (mount_lock){+.+.}-{2:2}, at: attach_recursive_mnt+0x3c2/0x1390
[ 49.950112][ T2694] #3: ffffffff88c14788 (mount_lock.seqcount){+.+.}-{0:0}, at: graft_tree+0x189/0x210
[ 49.961153][ T2694] Preemption disabled at:
[ 49.961167][ T2694] [<0000000000000000>] 0x0
[ 49.971018][ T2694] CPU: 0 UID: 0 PID: 2694 Comm: syz-executor Tainted: G W 6.12.0-rc4-syzkaller-gc6d9e43954bf-dirty #0
[ 49.983652][ T2694] Tainted: [W]=WARN
[ 49.988417][ T2694] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
[ 50.001247][ T2694] Call Trace:
[ 50.006329][ T2694] <TASK>
[ 50.009559][ T2694] dump_stack_lvl+0x16c/0x1f0
[ 50.015178][ T2694] __might_resched+0x3c0/0x5e0
[ 50.020783][ T2694] ? __pfx___might_resched+0x10/0x10
[ 50.026571][ T2694] ? __pfx___lock_acquire+0x10/0x10
[ 50.032495][ T2694] debug_check_no_obj_freed+0x53c/0x630
[ 50.038401][ T2694] ? lock_acquire.part.0+0x11b/0x380
[ 50.043967][ T2694] ? find_held_lock+0x2d/0x110
[ 50.049009][ T2694] ? __pfx_debug_check_no_obj_freed+0x10/0x10
[ 50.056534][ T2694] ? __pfx_do_raw_spin_lock+0x10/0x10
[ 50.063524][ T2694] ? lock_acquire+0x2f/0xb0
[ 50.069512][ T2694] kfree+0x294/0x480
[ 50.073942][ T2694] ? dput_to_list+0xcb/0x620
[ 50.078993][ T2694] ? attach_recursive_mnt+0x81e/0x1390
[ 50.084650][ T2694] attach_recursive_mnt+0x81e/0x1390
[ 50.090375][ T2694] ? __pfx_attach_recursive_mnt+0x10/0x10
[ 50.096406][ T2694] ? do_raw_spin_lock+0x12d/0x2c0
[ 50.101639][ T2694] ? rcu_is_watching+0x12/0xc0
[ 50.107048][ T2694] ? kfree+0x255/0x480
[ 50.111527][ T2694] ? lockref_get+0x15/0x50
[ 50.116322][ T2694] graft_tree+0x189/0x210
[ 50.120999][ T2694] do_add_mount+0x1ca/0x320
[ 50.125642][ T2694] path_mount+0x1a55/0x1f20
[ 50.130719][ T2694] ? kmem_cache_free+0x133/0x480
[ 50.136047][ T2694] ? __pfx_path_mount+0x10/0x10
[ 50.141031][ T2694] ? putname+0x12e/0x170
[ 50.145439][ T2694] __x64_sys_mount+0x294/0x320
[ 50.150405][ T2694] ? __pfx___x64_sys_mount+0x10/0x10
[ 50.155833][ T2694] do_syscall_64+0xcd/0x250
[ 50.160621][ T2694] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 50.166720][ T2694] RIP: 0033:0x7f0800fbf79a
[ 50.171157][ T2694] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 1a 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 50.192471][ T2694] RSP: 002b:00007fffa61824c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 50.201814][ T2694] RAX: ffffffffffffffda RBX: 00007f0801030685 RCX: 00007f0800fbf79a
[ 50.210350][ T2694] RDX: 00007f0801041e82 RSI: 00007f0801030685 RDI: 00007f0801066142
[ 50.218627][ T2694] RBP: 00007fffa6182560 R08: 0000000000000000 R09: 0000000000000000
[ 50.226813][ T2694] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fffa6182560
[ 50.235377][ T2694] R13: 00007fffa6182568 R14: 0000000000000009 R15: 0000000000000000
[ 50.244127][ T2694] </TASK>
[ 50.896859][ T2653] BUG: sleeping function called from invalid context at lib/debugobjects.c:980
[ 50.907013][ T2653] in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 2653, name: syz-executor
[ 50.916798][ T2653] preempt_count: 1, expected: 0
[ 50.922192][ T2653] RCU nest depth: 0, expected: 0
[ 50.927337][ T2653] 1 lock held by syz-executor/2653:
[ 50.932920][ T2653] #0: ffffffff88c0a098 (tasklist_lock){.+.+}-{2:2}, at: release_task+0x20c/0x1b00
[ 50.942394][ T2653] irq event stamp: 270764
[ 50.946827][ T2653] hardirqs last enabled at (270763): [<ffffffff86f0d633>] _raw_spin_unlock_irq+0x23/0x50
[ 50.957663][ T2653] hardirqs last disabled at (270764): [<ffffffff86f0da65>] _raw_write_lock_irq+0x45/0x50
[ 50.967761][ T2653] softirqs last enabled at (270736): [<ffffffff861312d8>] tcp_sendmsg+0x38/0x50
[ 50.977328][ T2653] softirqs last disabled at (270734): [<ffffffff85d1969b>] __release_sock+0x28b/0x400
[ 50.987418][ T2653] Preemption disabled at:
[ 50.987427][ T2653] [<0000000000000000>] 0x0
[ 50.996480][ T2653] CPU: 0 UID: 0 PID: 2653 Comm: syz-executor Tainted: G W 6.12.0-rc4-syzkaller-gc6d9e43954bf-dirty #0
[ 51.009719][ T2653] Tainted: [W]=WARN
[ 51.013983][ T2653] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
[ 51.024137][ T2653] Call Trace:
[ 51.027455][ T2653] <TASK>
[ 51.030617][ T2653] dump_stack_lvl+0x116/0x1f0
[ 51.035498][ T2653] __might_resched+0x3c0/0x5e0
[ 51.040663][ T2653] ? __pfx___might_resched+0x10/0x10
[ 51.046499][ T2653] debug_check_no_obj_freed+0x53c/0x630
[ 51.052798][ T2653] ? __pfx_debug_check_no_obj_freed+0x10/0x10
[ 51.059186][ T2653] ? find_held_lock+0x2d/0x110
[ 51.065306][ T2653] ? release_task+0xd24/0x1b00
[ 51.071852][ T2653] kmem_cache_free+0x27d/0x480
[ 51.076943][ T2653] ? __cleanup_sighand+0x73/0xa0
[ 51.082519][ T2653] __cleanup_sighand+0x73/0xa0
[ 51.087562][ T2653] release_task+0xd2c/0x1b00
[ 51.093620][ T2653] ? __pfx_release_task+0x10/0x10
[ 51.098928][ T2653] ? trace_lock_acquire+0x14a/0x1d0
[ 51.104523][ T2653] wait_consider_task+0x1812/0x4100
[ 51.109776][ T2653] ? rcu_is_watching+0x12/0xc0
[ 51.115012][ T2653] ? __pfx_wait_consider_task+0x10/0x10
[ 51.120889][ T2653] ? do_wait+0x1e9/0x570
[ 51.125215][ T2653] __do_wait+0x744/0x890
[ 51.129478][ T2653] ? do_wait+0x1e9/0x570
[ 51.133950][ T2653] do_wait+0x219/0x570
[ 51.138247][ T2653] kernel_wait4+0x16c/0x280
[ 51.142849][ T2653] ? __pfx_kernel_wait4+0x10/0x10
[ 51.147984][ T2653] ? __pfx_child_wait_callback+0x10/0x10
[ 51.153757][ T2653] __do_sys_wait4+0x15f/0x170
[ 51.158549][ T2653] ? __pfx___do_sys_wait4+0x10/0x10
[ 51.163781][ T2653] do_syscall_64+0xcd/0x250
[ 51.168601][ T2653] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 51.174804][ T2653] RIP: 0033:0x7fd1d73a4213
[ 51.179334][ T2653] Code: 00 00 0f 1f 44 00 00 31 c9 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 80 3d 31 83 19 00 00 49 89 ca 74 14 b8 3d 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 5d c3 0f 1f 40 00 48 83 ec 28 89 54 24 14 48
[ 51.199767][ T2653] RSP: 002b:00007ffeeea6b488 EFLAGS: 00000202 ORIG_RAX: 000000000000003d
[ 51.209094][ T2653] RAX: ffffffffffffffda RBX: 000055559498b650 RCX: 00007fd1d73a4213
[ 51.217993][ T2653] RDX: 0000000040000000 RSI: 00007ffeeea6b49c RDI: 0000000000000a67
[ 51.227133][ T2653] RBP: 000055559498c030 R08: 0000000000000007 R09: 000055559498bdc0
[ 51.235697][ T2653] R10: 0000000000000000 R11: 0000000000000202 R12: 00007ffeeea6b49c
[ 51.243852][ T2653] R13: 0000555594998340 R14: 0000000000000004 R15: 000055559498b650
[ 51.253794][ T2653] </TASK>
syzkaller build log:
go env (err=<nil>)
GO111MODULE='auto'
GOARCH='amd64'
GOBIN=''
GOCACHE='/syzkaller/.cache/go-build'
GOENV='/syzkaller/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/syzkaller/jobs-2/linux/gopath/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/syzkaller/jobs-2/linux/gopath'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.22.7'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD='/syzkaller/jobs-2/linux/gopath/src/github.com/google/syzkaller/go.mod'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build162586199=/tmp/go-build -gno-record-gcc-switches'
git status (err=<nil>)
HEAD detached at cd6fc0a301
nothing to commit, working tree clean
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
go fmt ./sys/... >/dev/null
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=cd6fc0a3018e5d793bdcca6530622493f5e88307 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20241018-123137'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
mkdir -p ./bin/linux_amd64
g++ -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -std=c++17 -I. -Iexecutor/_include -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"cd6fc0a3018e5d793bdcca6530622493f5e88307\"
/usr/bin/ld: /tmp/cc2MMZ1Z.o: in function `test_cover_filter()':
executor.cc:(.text+0x1424b): warning: the use of `tempnam' is dangerous, better use `mkstemp'
/usr/bin/ld: /tmp/cc2MMZ1Z.o: in function `Connection::Connect(char const*, char const*)':
executor.cc:(.text._ZN10Connection7ConnectEPKcS1_[_ZN10Connection7ConnectEPKcS1_]+0x104): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=109ac640580000
Tested on:
commit: c6d9e439 Merge 6.12-rc4 into usb-next
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
kernel config: https://syzkaller.appspot.com/x/.config?x=4a2bb21f91d75c65
dashboard link: https://syzkaller.appspot.com/bug?extid=a234c2d63e0c171ca10e
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=11110287980000