lists.openwall.net: Open Source and information security mailing list archives
Message-ID: <23203b71-c2fe-4c0c-b121-95368678eaa5@redhat.com>
Date: Fri, 9 May 2025 15:56:01 -0400
From: Waiman Long <llong@...hat.com>
To: syzbot <syzbot+175b931e69c9ad9e1945@...kaller.appspotmail.com>,
 cgroups@...r.kernel.org, hannes@...xchg.org, linux-kernel@...r.kernel.org,
 mkoutny@...e.com, syzkaller-bugs@...glegroups.com, tj@...nel.org
Subject: Re: [syzbot] [cgroups?] general protection fault in
 cgroup_rstat_flush

On 5/9/25 3:04 PM, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit:    9c69f8884904 Merge tag 'bcachefs-2025-05-08' of git://evil..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=1440acf4580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=b9683d529ec1b880
> dashboard link: https://syzkaller.appspot.com/bug?extid=175b931e69c9ad9e1945
> compiler:       Debian clang version 20.1.2 (++20250402124445+58df0ef89dd6-1~exp1~20250402004600.97), Debian LLD 20.1.2
>
> Unfortunately, I don't have any reproducer for this issue yet.
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/062b75278fb3/disk-9c69f888.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/868b31a2cf71/vmlinux-9c69f888.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/e773657fdf9c/bzImage-9c69f888.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+175b931e69c9ad9e1945@...kaller.appspotmail.com
>
> Oops: general protection fault, probably for non-canonical address 0xe7ffed1c349f36f7: 0000 [#1] SMP KASAN PTI
> KASAN: maybe wild-memory-access in range [0x3fff88e1a4f9b7b8-0x3fff88e1a4f9b7bf]
> CPU: 0 UID: 0 PID: 52 Comm: kworker/u8:3 Not tainted 6.15.0-rc5-syzkaller-00136-g9c69f8884904 #0 PREEMPT(full)
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/29/2025
> Workqueue: events_unbound flush_memcg_stats_dwork
> RIP: 0010:cgroup_rstat_push_children kernel/cgroup/rstat.c:165 [inline]
> RIP: 0010:cgroup_rstat_updated_list kernel/cgroup/rstat.c:245 [inline]
> RIP: 0010:cgroup_rstat_flush+0x840/0x1e70 kernel/cgroup/rstat.c:325
> Code: 70 74 08 48 89 df e8 ef e6 66 00 4c 8b 23 4b 8d 1c 3c 48 81 c3 a0 00 00 00 49 89 dd 49 c1 ed 03 48 b8 00 00 00 00 00 fc ff df <41> 80 7c 05 00 00 74 08 48 89 df e8 c0 e6 66 00 48 8b 03 48 3b 44
> RSP: 0018:ffffc90000bd7920 EFLAGS: 00010003
> RAX: dffffc0000000000 RBX: 3fff88e1a4f9b7bd RCX: 1ffffffff1b2b383
> RDX: 0000000000000000 RSI: ffffffff8bc0fec0 RDI: ffff88806481c5c1
> RBP: ffffc90000bd7b08 R08: ffffffff8f7da777 R09: 1ffffffff1efb4ee
> R10: dffffc0000000000 R11: fffffbfff1efb4ef R12: ffff888126200000
> R13: 07fff11c349f36f7 R14: 0000000000000000 R15: 400000607ed9b71d
> FS:  0000000000000000(0000) GS:ffff888126100000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00005598d2923440 CR3: 000000005d74e000 CR4: 00000000003526f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
>   <TASK>
>   flush_memcg_stats_dwork+0x15/0x60 mm/memcontrol.c:653
>   process_one_work kernel/workqueue.c:3238 [inline]
>   process_scheduled_works+0xadb/0x17a0 kernel/workqueue.c:3319
>   worker_thread+0x8a0/0xda0 kernel/workqueue.c:3400
>   kthread+0x70e/0x8a0 kernel/kthread.c:464
>   ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:153
>   ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
>   </TASK>
144 static struct cgroup *cgroup_rstat_push_children(struct cgroup *head,
   :
161                 while (child != parent) {
162                         child->rstat_flush_next = head;
163                         head = child;
164                         crstatc = cgroup_rstat_cpu(child, cpu);
165                         grandchild = crstatc->updated_children; <-- Crash here
166                         if (grandchild != child) {
167                                 /* Push the grand child to the next level */
168                                 crstatc->updated_children = child;
169                                 grandchild->rstat_flush_next = ghead;
170                                 ghead = grandchild;
171                         }
172                         child = crstatc->updated_next;
173                         crstatc->updated_next = NULL;

It looks like crstatc is invalid. That means the updated_next list may 
contain invalid data. Maybe it becomes NULL terminated somehow, but that 
should not normally happen.

Anyway, there isn't enough data to determine the root cause yet.

Regards,
Longman


> Modules linked in:
> ---[ end trace 0000000000000000 ]---
> RIP: 0010:cgroup_rstat_push_children kernel/cgroup/rstat.c:165 [inline]
> RIP: 0010:cgroup_rstat_updated_list kernel/cgroup/rstat.c:245 [inline]
> RIP: 0010:cgroup_rstat_flush+0x840/0x1e70 kernel/cgroup/rstat.c:325
> Code: 70 74 08 48 89 df e8 ef e6 66 00 4c 8b 23 4b 8d 1c 3c 48 81 c3 a0 00 00 00 49 89 dd 49 c1 ed 03 48 b8 00 00 00 00 00 fc ff df <41> 80 7c 05 00 00 74 08 48 89 df e8 c0 e6 66 00 48 8b 03 48 3b 44
> RSP: 0018:ffffc90000bd7920 EFLAGS: 00010003
> RAX: dffffc0000000000 RBX: 3fff88e1a4f9b7bd RCX: 1ffffffff1b2b383
> RDX: 0000000000000000 RSI: ffffffff8bc0fec0 RDI: ffff88806481c5c1
> RBP: ffffc90000bd7b08 R08: ffffffff8f7da777 R09: 1ffffffff1efb4ee
> R10: dffffc0000000000 R11: fffffbfff1efb4ef R12: ffff888126200000
> R13: 07fff11c349f36f7 R14: 0000000000000000 R15: 400000607ed9b71d
> FS:  0000000000000000(0000) GS:ffff888126100000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00005598d2923440 CR3: 000000005d74e000 CR4: 00000000003526f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> ----------------
> Code disassembly (best guess):
>     0:	70 74                	jo     0x76
>     2:	08 48 89             	or     %cl,-0x77(%rax)
>     5:	df e8                	fucomip %st(0),%st
>     7:	ef                   	out    %eax,(%dx)
>     8:	e6 66                	out    %al,$0x66
>     a:	00 4c 8b 23          	add    %cl,0x23(%rbx,%rcx,4)
>     e:	4b 8d 1c 3c          	lea    (%r12,%r15,1),%rbx
>    12:	48 81 c3 a0 00 00 00 	add    $0xa0,%rbx
>    19:	49 89 dd             	mov    %rbx,%r13
>    1c:	49 c1 ed 03          	shr    $0x3,%r13
>    20:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
>    27:	fc ff df
> * 2a:	41 80 7c 05 00 00    	cmpb   $0x0,0x0(%r13,%rax,1) <-- trapping instruction
>    30:	74 08                	je     0x3a
>    32:	48 89 df             	mov    %rbx,%rdi
>    35:	e8 c0 e6 66 00       	call   0x66e6fa
>    3a:	48 8b 03             	mov    (%rbx),%rax
>    3d:	48                   	rex.W
>    3e:	3b                   	.byte 0x3b
>    3f:	44                   	rex.R
>
>
> ---
> This report is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@...glegroups.com.
>
> syzbot will keep track of this issue. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
>
> If the report is already addressed, let syzbot know by replying with:
> #syz fix: exact-commit-title
>
> If you want to overwrite report's subsystems, reply with:
> #syz set subsystems: new-subsystem
> (See the list of subsystem names on the web dashboard)
>
> If the report is a duplicate of another one, reply with:
> #syz dup: exact-subject-of-another-report
>
> If you want to undo deduplication, reply with:
> #syz undup
>


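A worked decode of the register dump in the report above, added here as an example; it is not part of the syzbot report or of Longman's reply. It reproduces the x86_64 generic-KASAN shadow arithmetic behind the "non-canonical address 0xe7ffed1c349f36f7" and the "wild-memory-access in range [...]" lines: the trapping instruction cmpb $0x0,0x0(%r13,%rax,1) is the inline shadow check for the 8-byte load mov (%rbx),%rax that follows it, with rbx built by lea (%r12,%r15,1),%rbx / add $0xa0,%rbx, r13 = rbx >> 3 and rax = KASAN_SHADOW_OFFSET. All register values are copied from the dump; the constants KASAN_SHADOW_OFFSET, PAGE_SIZE and TASK_SIZE, and the 4-level-paging canonical-address rule, are the upstream x86_64 values and are assumptions of this example rather than anything the report states.

```c
/*
 * Added example: decode the x86_64 KASAN shadow arithmetic behind the
 * cgroup_rstat_flush oops. Not part of the syzbot report or the reply.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Upstream x86_64 generic-KASAN constants (assumed; 4-level paging). */
#define KASAN_SHADOW_OFFSET      0xdffffc0000000000ULL
#define KASAN_SHADOW_SCALE_SHIFT 3
#define KASAN_GRANULE_SIZE       (1ULL << KASAN_SHADOW_SCALE_SHIFT)
#define X86_PAGE_SIZE            0x1000ULL
#define X86_64_TASK_SIZE         0x00007ffffffff000ULL

/* Register values copied from the oops above. */
#define OOPS_RAX        0xdffffc0000000000ULL
#define OOPS_RBX        0x3fff88e1a4f9b7bdULL
#define OOPS_R12        0xffff888126200000ULL
#define OOPS_R13        0x07fff11c349f36f7ULL
#define OOPS_R15        0x400000607ed9b71dULL
#define OOPS_FAULT_ADDR 0xe7ffed1c349f36f7ULL /* "non-canonical address" */

/* Shadow byte covering the 8-byte granule at addr (generic KASAN). */
static uint64_t kasan_mem_to_shadow(uint64_t addr)
{
	return (addr >> KASAN_SHADOW_SCALE_SHIFT) + KASAN_SHADOW_OFFSET;
}

/*
 * Inverse used when the shadow access itself faults: the shift discarded
 * the low 3 bits, so only the 8-byte granule is recoverable. Returns 0 when
 * the faulting address is below the shadow region (not a shadow address).
 */
static int kasan_shadow_to_range(uint64_t shadow, uint64_t *start, uint64_t *end)
{
	if (shadow < KASAN_SHADOW_OFFSET)
		return 0;
	*start = (shadow - KASAN_SHADOW_OFFSET) << KASAN_SHADOW_SCALE_SHIFT;
	*end = *start + KASAN_GRANULE_SIZE - 1;
	return 1;
}

/* Bug-type label chosen from the recovered address, as the oops prints it. */
static const char *kasan_bug_type(uint64_t orig_addr)
{
	if (orig_addr < X86_PAGE_SIZE)
		return "null-ptr-deref";
	if (orig_addr < X86_64_TASK_SIZE)
		return "probably user-memory-access";
	return "maybe wild-memory-access";
}

/* lea (%r12,%r15,1),%rbx ; add $0xa0,%rbx: the address the load reads. */
static uint64_t rebuild_rbx(uint64_t r12, uint64_t r15)
{
	return r12 + r15 + 0xa0; /* wraps mod 2^64 exactly as the CPU does */
}

/* x86_64 canonical form with 4-level paging: bits 63..47 equal bit 47. */
static int is_canonical(uint64_t addr)
{
	uint64_t hi = addr >> 47;
	return hi == 0 || hi == 0x1ffff;
}

/* Cross-check every derived value against the dump; 1 if all consistent. */
static int oops_is_consistent(void)
{
	uint64_t start, end;

	if (rebuild_rbx(OOPS_R12, OOPS_R15) != OOPS_RBX) return 0;
	if ((OOPS_RBX >> KASAN_SHADOW_SCALE_SHIFT) != OOPS_R13) return 0;
	if (OOPS_RAX != KASAN_SHADOW_OFFSET) return 0;
	if (kasan_mem_to_shadow(OOPS_RBX) != OOPS_FAULT_ADDR) return 0;
	if (!kasan_shadow_to_range(OOPS_FAULT_ADDR, &start, &end)) return 0;
	if (start != 0x3fff88e1a4f9b7b8ULL || end != 0x3fff88e1a4f9b7bfULL) return 0;
	if (strcmp(kasan_bug_type(start), "maybe wild-memory-access") != 0) return 0;
	return 1;
}

int main(void)
{
	uint64_t start = 0, end = 0;

	printf("rbx = r12 + r15 + 0xa0 = 0x%016llx (dump: 0x%016llx)\n",
	       (unsigned long long)rebuild_rbx(OOPS_R12, OOPS_R15),
	       (unsigned long long)OOPS_RBX);
	printf("shadow(rbx)            = 0x%016llx (dump: 0x%016llx)\n",
	       (unsigned long long)kasan_mem_to_shadow(OOPS_RBX),
	       (unsigned long long)OOPS_FAULT_ADDR);
	kasan_shadow_to_range(OOPS_FAULT_ADDR, &start, &end);
	printf("KASAN: %s in range [0x%016llx-0x%016llx]\n",
	       kasan_bug_type(start),
	       (unsigned long long)start, (unsigned long long)end);
	printf("canonical? r15: %s  rbx: %s  shadow: %s\n",
	       is_canonical(OOPS_R15) ? "yes" : "no",
	       is_canonical(OOPS_RBX) ? "yes" : "no",
	       is_canonical(OOPS_FAULT_ADDR) ? "yes" : "no");
	return oops_is_consistent() ? 0 : 1;
}
```

Running it reproduces the report's range and bug type exactly, and shows why the fault is a #GP on the cmpb rather than a page fault on the later load: the shadow address derived from rbx is itself non-canonical. It also shows that rbx is exactly r12 + r15 + 0xa0, and that r15 = 0x400000607ed9b71d is not a canonical kernel address, so the bad value is already present in the operands that formed the address being checked, before the shadow lookup ever runs.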