Message-ID: <6792a5db.050a0220.3ab881.0002.GAE@google.com>
Date: Thu, 23 Jan 2025 12:26:03 -0800
From: syzbot <syzbot+7015dcf45953112c8b45@...kaller.appspotmail.com>
To: arve@...roid.com, brauner@...nel.org, cmllamas@...gle.com, 
	gregkh@...uxfoundation.org, joel@...lfernandes.org, 
	linux-kernel@...r.kernel.org, linux-next@...r.kernel.org, maco@...roid.com, 
	sfr@...b.auug.org.au, surenb@...gle.com, syzkaller-bugs@...glegroups.com, 
	tkjos@...roid.com
Subject: Re: [syzbot] [kernel?] linux-next test error: KASAN:
 slab-use-after-free Write in binder_add_device

Hello,

syzbot tried to test the proposed patch but the build/boot failed:



syzkaller build log:
git status (err=<nil>)
HEAD detached at f6a35ef3a5
nothing to commit, working tree clean




Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=102ce5df980000


Tested on:

commit:         853d1f41 Add linux-next specific files for 20250123
git tree:       linux-next
kernel config:  https://syzkaller.appspot.com/x/.config?x=364db892f6981d27
dashboard link: https://syzkaller.appspot.com/bug?extid=7015dcf45953112c8b45
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=10d7a9f8580000

