* BUG: stack guard page was hit in update_stack_state
@ 2020-02-04  4:43 syzbot
  2020-02-04 13:02 ` unbounded recursion through bond_netdev_event notifier? [was: BUG: stack guard page was hit in update_stack_state] Jann Horn
From: syzbot @ 2020-02-04  4:43 UTC (permalink / raw)
  To: bp, hpa, jannh, jpoimboe, linux-kernel, mingo, netdev, peterz,
	syzkaller-bugs, tglx, x86

Hello,

syzbot found the following crash on:

HEAD commit:    b3a60822 Merge branch 'for-v5.6' of git://git.kernel.org:/..
git tree:       net-next
console output: https://syzkaller.appspot.com/x/log.txt?x=147ae5f1e00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=614e56d86457f3a7
dashboard link: https://syzkaller.appspot.com/bug?extid=c2fb6f9ddcea95ba49b5
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+c2fb6f9ddcea95ba49b5@syzkaller.appspotmail.com

8021q: adding VLAN 0 to HW filter on device bond40
BUG: stack guard page was hit at 0000000018e8ec40 (stack is 000000008cfdf90e..000000000f88bd28)
kernel stack overflow (double-fault): 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 28658 Comm: syz-executor.3 Not tainted 5.5.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:update_stack_state+0x4b/0x5f0 arch/x86/kernel/unwind_frame.c:194
Code: fd 41 54 49 8d 0c 06 53 48 81 ec a0 00 00 00 48 c7 45 80 42 54 41 89 48 c7 85 78 ff ff ff b3 8a b5 41 48 c7 45 88 00 3f 33 81 <48> 89 b5 68 ff ff ff c7 01 f1 f1 f1 f1 c7 41 04 00 f3 f3 f3 48 89
RSP: 0018:ffffc9000769ffc0 EFLAGS: 00010286
RAX: dffffc0000000000 RBX: ffffc900076a01a8 RCX: fffff52000ed4000
RDX: 1ffff92000ed4033 RSI: ffffc900076a0230 RDI: ffffc900076a01a8
RBP: ffffc900076a0088 R08: ffffc900076a01d0 R09: ffffc900076a0200
R10: ffffc900076a01d0 R11: ffffc900076a01e0 R12: 1ffff92000ed4018
R13: ffffc900076a01a8 R14: 1ffff92000ed4000 R15: ffffc900076a0230
FS:  00007fd172d8f700(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffc9000769ffb8 CR3: 0000000097238000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
Modules linked in:
---[ end trace 04286e13cba26a71 ]---


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.


* unbounded recursion through bond_netdev_event notifier? [was: BUG: stack guard page was hit in update_stack_state]
  2020-02-04  4:43 BUG: stack guard page was hit in update_stack_state syzbot
@ 2020-02-04 13:02 ` Jann Horn
From: Jann Horn @ 2020-02-04 13:02 UTC (permalink / raw)
  To: syzbot, Network Development, Jay Vosburgh, Veaceslav Falico,
	Andy Gospodarek
  Cc: Borislav Petkov, H . Peter Anvin, Josh Poimboeuf, kernel list,
	Ingo Molnar, Peter Zijlstra, syzkaller-bugs, Thomas Gleixner,
	the arch/x86 maintainers

On Tue, Feb 4, 2020 at 5:43 AM syzbot
<syzbot+c2fb6f9ddcea95ba49b5@syzkaller.appspotmail.com> wrote:
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit:    b3a60822 Merge branch 'for-v5.6' of git://git.kernel.org:/..
> git tree:       net-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=147ae5f1e00000

In the console output, you can see that this seems to be an unbounded
recursion bug. The stack trace is unreliable, but it looks like the
actual recursion might be something like the following, where a netdev
change triggers the bond_netdev_event notifier, which in turn causes
another netdev change, and so on:

[  734.548523][T28658]  ? netdev_lower_get_next_private+0x85/0xb0
[  734.554632][T28658]  ? bond_compute_features.isra.0+0x56a/0xa80
[inlined bond_slave_netdev_event ?]
[  734.572769][T28658]  ? bond_netdev_event+0x71a/0x950
[  734.577901][T28658]  ? notifier_call_chain+0xc2/0x230
[  734.583113][T28658]  ? raw_notifier_call_chain+0x2e/0x40
[  734.588589][T28658]  ? call_netdevice_notifiers_info+0xba/0x130
[  734.594765][T28658]  ? netdev_update_features+0xc7/0xd0
[  734.600142][T28658]  ? __netdev_update_features+0x13e0/0x13e0
[...]
[  734.617522][T28658]  ? netdev_upper_get_next_dev_rcu+0xac/0x110
[  734.623605][T28658]  ? __netdev_update_features+0x8af/0x13e0
[...]
[  734.649988][T28658]  ? netdev_change_features+0x64/0xb0
[...]


> kernel config:  https://syzkaller.appspot.com/x/.config?x=614e56d86457f3a7

says CONFIG_UNWINDER_FRAME_POINTER=y. Unfortunately, the x86 frame
pointer unwinder apparently can't unwind out of a double fault...
maybe it'd be better to use ORC for syzkaller?

> dashboard link: https://syzkaller.appspot.com/bug?extid=c2fb6f9ddcea95ba49b5
> compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
>
> Unfortunately, I don't have any reproducer for this crash yet.
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+c2fb6f9ddcea95ba49b5@syzkaller.appspotmail.com

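The cycle hypothesised in the reply above, as an added C model that is not kernel code and not part of the thread: the `struct net_device` fields, the `guarded` flag, the `simulate` driver and the `MAX_DEPTH` limit are all assumptions made for illustration. It shows how a notifier handler that re-announces a feature change on every call nests without bound, and how stopping when the recomputed feature set is unchanged breaks the loop at depth 2.

```c
#include <stdbool.h>
/* Constructed model of the recursion hypothesised above (not kernel code): a
 * slave's feature change makes the bond handler recompute and re-announce the
 * bond's features, re-entering the same chain; MAX_DEPTH is the guard page. */
#define NETDEV_FEAT_CHANGE 1
#define MAX_DEPTH 64
struct net_device {
    unsigned long features;
    struct net_device *upper;   /* the bond a slave belongs to, or null */
    struct net_device *lower;   /* the bond's single slave, or null */
};
static int notifier_depth, max_depth_seen;
static int netdev_change_features(struct net_device *dev, bool guarded);

/* Model of bond_netdev_event. Unguarded: always re-announce the recomputed
 * features. Guarded: only when they actually differ, which breaks the cycle. */
static int bond_netdev_event(int event, struct net_device *dev, bool guarded)
{
    struct net_device *bond = dev->lower ? dev : dev->upper;
    if (event != NETDEV_FEAT_CHANGE || !bond)
        return 0;
    unsigned long computed = bond->lower->features & 0xff;
    if (guarded && computed == bond->features)
        return 0;
    bond->features = computed;
    return netdev_change_features(bond, guarded);
}

/* Model of netdev_change_features -> notifier chain -> bond_netdev_event */
static int netdev_change_features(struct net_device *dev, bool guarded)
{
    if (++notifier_depth > max_depth_seen)
        max_depth_seen = notifier_depth;
    int ret = notifier_depth > MAX_DEPTH ? -1   /* guard page hit */
            : bond_netdev_event(NETDEV_FEAT_CHANGE, dev, guarded);
    notifier_depth--;
    return ret;
}

/* Toggle a slave's features once; returns the deepest nesting reached.
 * MAX_DEPTH + 1 means the chain only stopped because the limit fired. */
int simulate(bool guarded)
{
    struct net_device bond = { 0, 0, 0 }, eth0 = { 0x3f, &bond, 0 };
    bond.lower = &eth0;
    notifier_depth = max_depth_seen = 0;
    netdev_change_features(&eth0, guarded);
    return max_depth_seen;
}
```

Without a real kernel the depth limit only models the crash; on the system in the report the equivalent event is the double fault once the recursion runs past the stack guard page.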
