| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <23203b71-c2fe-4c0c-b121-95368678eaa5@redhat.com>
Date: Fri, 9 May 2025 15:56:01 -0400
From: Waiman Long <llong@...hat.com>
To: syzbot <syzbot+175b931e69c9ad9e1945@...kaller.appspotmail.com>,
cgroups@...r.kernel.org, hannes@...xchg.org, linux-kernel@...r.kernel.org,
mkoutny@...e.com, syzkaller-bugs@...glegroups.com, tj@...nel.org
Subject: Re: [syzbot] [cgroups?] general protection fault in
cgroup_rstat_flush
On 5/9/25 3:04 PM, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 9c69f8884904 Merge tag 'bcachefs-2025-05-08' of git://evil..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=1440acf4580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=b9683d529ec1b880
> dashboard link: https://syzkaller.appspot.com/bug?extid=175b931e69c9ad9e1945
> compiler: Debian clang version 20.1.2 (++20250402124445+58df0ef89dd6-1~exp1~20250402004600.97), Debian LLD 20.1.2
>
> Unfortunately, I don't have any reproducer for this issue yet.
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/062b75278fb3/disk-9c69f888.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/868b31a2cf71/vmlinux-9c69f888.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/e773657fdf9c/bzImage-9c69f888.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+175b931e69c9ad9e1945@...kaller.appspotmail.com
>
> Oops: general protection fault, probably for non-canonical address 0xe7ffed1c349f36f7: 0000 [#1] SMP KASAN PTI
> KASAN: maybe wild-memory-access in range [0x3fff88e1a4f9b7b8-0x3fff88e1a4f9b7bf]
> CPU: 0 UID: 0 PID: 52 Comm: kworker/u8:3 Not tainted 6.15.0-rc5-syzkaller-00136-g9c69f8884904 #0 PREEMPT(full)
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/29/2025
> Workqueue: events_unbound flush_memcg_stats_dwork
> RIP: 0010:cgroup_rstat_push_children kernel/cgroup/rstat.c:165 [inline]
> RIP: 0010:cgroup_rstat_updated_list kernel/cgroup/rstat.c:245 [inline]
> RIP: 0010:cgroup_rstat_flush+0x840/0x1e70 kernel/cgroup/rstat.c:325
> Code: 70 74 08 48 89 df e8 ef e6 66 00 4c 8b 23 4b 8d 1c 3c 48 81 c3 a0 00 00 00 49 89 dd 49 c1 ed 03 48 b8 00 00 00 00 00 fc ff df <41> 80 7c 05 00 00 74 08 48 89 df e8 c0 e6 66 00 48 8b 03 48 3b 44
> RSP: 0018:ffffc90000bd7920 EFLAGS: 00010003
> RAX: dffffc0000000000 RBX: 3fff88e1a4f9b7bd RCX: 1ffffffff1b2b383
> RDX: 0000000000000000 RSI: ffffffff8bc0fec0 RDI: ffff88806481c5c1
> RBP: ffffc90000bd7b08 R08: ffffffff8f7da777 R09: 1ffffffff1efb4ee
> R10: dffffc0000000000 R11: fffffbfff1efb4ef R12: ffff888126200000
> R13: 07fff11c349f36f7 R14: 0000000000000000 R15: 400000607ed9b71d
> FS: 0000000000000000(0000) GS:ffff888126100000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00005598d2923440 CR3: 000000005d74e000 CR4: 00000000003526f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
> <TASK>
> flush_memcg_stats_dwork+0x15/0x60 mm/memcontrol.c:653
> process_one_work kernel/workqueue.c:3238 [inline]
> process_scheduled_works+0xadb/0x17a0 kernel/workqueue.c:3319
> worker_thread+0x8a0/0xda0 kernel/workqueue.c:3400
> kthread+0x70e/0x8a0 kernel/kthread.c:464
> ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:153
> ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
> </TASK>
144 static struct cgroup *cgroup_rstat_push_children(struct cgroup *head,
:
161 while (child != parent) {
162 child->rstat_flush_next = head;
163 head = child;
164 crstatc = cgroup_rstat_cpu(child, cpu);
165 grandchild = crstatc->updated_children; <--
Crash here
166 if (grandchild != child) {
167 /* Push the grand child to the next
level */
168 crstatc->updated_children = child;
169 grandchild->rstat_flush_next = ghead;
170 ghead = grandchild;
171 }
172 child = crstatc->updated_next;
173 crstatc->updated_next = NULL;
It looks like crstatc is invalid. That means the updated_next list may
contain invalid data. Maybe it becomes NULL terminated somehow, but that
should not normally happen.
Anyway, there isn't enough data to determine the root cause yet.
Regards,
Longman
> Modules linked in:
> ---[ end trace 0000000000000000 ]---
> RIP: 0010:cgroup_rstat_push_children kernel/cgroup/rstat.c:165 [inline]
> RIP: 0010:cgroup_rstat_updated_list kernel/cgroup/rstat.c:245 [inline]
> RIP: 0010:cgroup_rstat_flush+0x840/0x1e70 kernel/cgroup/rstat.c:325
> Code: 70 74 08 48 89 df e8 ef e6 66 00 4c 8b 23 4b 8d 1c 3c 48 81 c3 a0 00 00 00 49 89 dd 49 c1 ed 03 48 b8 00 00 00 00 00 fc ff df <41> 80 7c 05 00 00 74 08 48 89 df e8 c0 e6 66 00 48 8b 03 48 3b 44
> RSP: 0018:ffffc90000bd7920 EFLAGS: 00010003
> RAX: dffffc0000000000 RBX: 3fff88e1a4f9b7bd RCX: 1ffffffff1b2b383
> RDX: 0000000000000000 RSI: ffffffff8bc0fec0 RDI: ffff88806481c5c1
> RBP: ffffc90000bd7b08 R08: ffffffff8f7da777 R09: 1ffffffff1efb4ee
> R10: dffffc0000000000 R11: fffffbfff1efb4ef R12: ffff888126200000
> R13: 07fff11c349f36f7 R14: 0000000000000000 R15: 400000607ed9b71d
> FS: 0000000000000000(0000) GS:ffff888126100000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00005598d2923440 CR3: 000000005d74e000 CR4: 00000000003526f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> ----------------
> Code disassembly (best guess):
> 0: 70 74 jo 0x76
> 2: 08 48 89 or %cl,-0x77(%rax)
> 5: df e8 fucomip %st(0),%st
> 7: ef out %eax,(%dx)
> 8: e6 66 out %al,$0x66
> a: 00 4c 8b 23 add %cl,0x23(%rbx,%rcx,4)
> e: 4b 8d 1c 3c lea (%r12,%r15,1),%rbx
> 12: 48 81 c3 a0 00 00 00 add $0xa0,%rbx
> 19: 49 89 dd mov %rbx,%r13
> 1c: 49 c1 ed 03 shr $0x3,%r13
> 20: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
> 27: fc ff df
> * 2a: 41 80 7c 05 00 00 cmpb $0x0,0x0(%r13,%rax,1) <-- trapping instruction
> 30: 74 08 je 0x3a
> 32: 48 89 df mov %rbx,%rdi
> 35: e8 c0 e6 66 00 call 0x66e6fa
> 3a: 48 8b 03 mov (%rbx),%rax
> 3d: 48 rex.W
> 3e: 3b .byte 0x3b
> 3f: 44 rex.R
>
>
> ---
> This report is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@...glegroups.com.
>
> syzbot will keep track of this issue. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
>
> If the report is already addressed, let syzbot know by replying with:
> #syz fix: exact-commit-title
>
> If you want to overwrite report's subsystems, reply with:
> #syz set subsystems: new-subsystem
> (See the list of subsystem names on the web dashboard)
>
> If the report is a duplicate of another one, reply with:
> #syz dup: exact-subject-of-another-report
>
> If you want to undo deduplication, reply with:
> #syz undup
>
Powered by blists - more mailing lists