* KASAN: slab-out-of-bounds Write in validate_chain
@ 2019-06-21 16:27 ` syzbot
0 siblings, 0 replies; 7+ messages in thread
From: syzbot @ 2019-06-21 16:27 UTC (permalink / raw)
To: akpm, cai, crecklin, keescook, linux-kernel, linux-mm, syzkaller-bugs
Hello,
syzbot found the following crash on:
HEAD commit: abf02e29 Merge tag 'pm-5.2-rc6' of git://git.kernel.org/pu..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16894709a00000
kernel config: https://syzkaller.appspot.com/x/.config?x=28ec3437a5394ee0
dashboard link: https://syzkaller.appspot.com/bug?extid=8893700724999566d6a9
compiler: clang version 9.0.0 (/home/glider/llvm/clang
80fee25776c2fb61e74c1ecb1a523375c2500b69)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=167098b2a00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+8893700724999566d6a9@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: slab-out-of-bounds in check_prev_add
kernel/locking/lockdep.c:2298 [inline]
BUG: KASAN: slab-out-of-bounds in check_prevs_add
kernel/locking/lockdep.c:2418 [inline]
BUG: KASAN: slab-out-of-bounds in validate_chain+0x1a35/0x84f0
kernel/locking/lockdep.c:2800
Write of size 8 at addr ffff88807aeb00d0 by task syz-executor.5/8425
CPU: 0 PID: 8425 Comm: syz-executor.5 Not tainted 5.2.0-rc5+ #4
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
Allocated by task 2062228080:
usercopy: Kernel memory overwrite attempt detected to SLAB
object 'kmalloc-4k' (offset 4112, size 1)!
------------[ cut here ]------------
kernel BUG at mm/usercopy.c:102!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 8425 Comm: syz-executor.5 Not tainted 5.2.0-rc5+ #4
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RIP: 0010:usercopy_abort+0x8d/0x90 mm/usercopy.c:90
Code: 84 5e 88 48 0f 44 de 48 c7 c7 7e a3 5d 88 4c 89 ce 4c 89 d1 4d 89 d8
49 89 c1 31 c0 41 57 41 56 53 e8 3a 92 a8 ff 48 83 c4 18 <0f> 0b 90 55 48
89 e5 41 57 41 56 41 55 41 54 53 48 83 ec 30 41 89
RSP: 0018:ffff88807aeaf648 EFLAGS: 00010086
RAX: 0000000000000068 RBX: ffffffff885e841b RCX: defe62446f204b00
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
RBP: ffff88807aeaf660 R08: ffffffff817fec49 R09: ffffed1015d444c6
R10: ffffed1015d444c6 R11: 1ffff11015d444c5 R12: ffff88807aeaf7d1
R13: 0000000000000200 R14: 0000000000001010 R15: 0000000000000001
FS: 0000555556495940(0000) GS:ffff8880aea00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffff8adaea30 CR3: 00000000a0d73000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
Modules linked in:
---[ end trace e8702886173758cd ]---
RIP: 0010:usercopy_abort+0x8d/0x90 mm/usercopy.c:90
Code: 84 5e 88 48 0f 44 de 48 c7 c7 7e a3 5d 88 4c 89 ce 4c 89 d1 4d 89 d8
49 89 c1 31 c0 41 57 41 56 53 e8 3a 92 a8 ff 48 83 c4 18 <0f> 0b 90 55 48
89 e5 41 57 41 56 41 55 41 54 53 48 83 ec 30 41 89
RSP: 0018:ffff88807aeaf648 EFLAGS: 00010086
RAX: 0000000000000068 RBX: ffffffff885e841b RCX: defe62446f204b00
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
RBP: ffff88807aeaf660 R08: ffffffff817fec49 R09: ffffed1015d444c6
R10: ffffed1015d444c6 R11: 1ffff11015d444c5 R12: ffff88807aeaf7d1
R13: 0000000000000200 R14: 0000000000001010 R15: 0000000000000001
FS: 0000555556495940(0000) GS:ffff8880aea00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffff8adaea30 CR3: 00000000a0d73000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
^ permalink raw reply [flat|nested] 7+ messages in thread
* KASAN: slab-out-of-bounds Write in validate_chain
@ 2019-06-21 16:27 ` syzbot
0 siblings, 0 replies; 7+ messages in thread
From: syzbot @ 2019-06-21 16:27 UTC (permalink / raw)
To: akpm, cai, crecklin, keescook, linux-kernel, linux-mm, syzkaller-bugs
Hello,
syzbot found the following crash on:
HEAD commit: abf02e29 Merge tag 'pm-5.2-rc6' of git://git.kernel.org/pu..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16894709a00000
kernel config: https://syzkaller.appspot.com/x/.config?x=28ec3437a5394ee0
dashboard link: https://syzkaller.appspot.com/bug?extid=8893700724999566d6a9
compiler: clang version 9.0.0 (/home/glider/llvm/clang
80fee25776c2fb61e74c1ecb1a523375c2500b69)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=167098b2a00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+8893700724999566d6a9@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: slab-out-of-bounds in check_prev_add
kernel/locking/lockdep.c:2298 [inline]
BUG: KASAN: slab-out-of-bounds in check_prevs_add
kernel/locking/lockdep.c:2418 [inline]
BUG: KASAN: slab-out-of-bounds in validate_chain+0x1a35/0x84f0
kernel/locking/lockdep.c:2800
Write of size 8 at addr ffff88807aeb00d0 by task syz-executor.5/8425
CPU: 0 PID: 8425 Comm: syz-executor.5 Not tainted 5.2.0-rc5+ #4
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
Allocated by task 2062228080:
usercopy: Kernel memory overwrite attempt detected to SLAB
object 'kmalloc-4k' (offset 4112, size 1)!
------------[ cut here ]------------
kernel BUG at mm/usercopy.c:102!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 8425 Comm: syz-executor.5 Not tainted 5.2.0-rc5+ #4
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RIP: 0010:usercopy_abort+0x8d/0x90 mm/usercopy.c:90
Code: 84 5e 88 48 0f 44 de 48 c7 c7 7e a3 5d 88 4c 89 ce 4c 89 d1 4d 89 d8
49 89 c1 31 c0 41 57 41 56 53 e8 3a 92 a8 ff 48 83 c4 18 <0f> 0b 90 55 48
89 e5 41 57 41 56 41 55 41 54 53 48 83 ec 30 41 89
RSP: 0018:ffff88807aeaf648 EFLAGS: 00010086
RAX: 0000000000000068 RBX: ffffffff885e841b RCX: defe62446f204b00
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
RBP: ffff88807aeaf660 R08: ffffffff817fec49 R09: ffffed1015d444c6
R10: ffffed1015d444c6 R11: 1ffff11015d444c5 R12: ffff88807aeaf7d1
R13: 0000000000000200 R14: 0000000000001010 R15: 0000000000000001
FS: 0000555556495940(0000) GS:ffff8880aea00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffff8adaea30 CR3: 00000000a0d73000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
Modules linked in:
---[ end trace e8702886173758cd ]---
RIP: 0010:usercopy_abort+0x8d/0x90 mm/usercopy.c:90
Code: 84 5e 88 48 0f 44 de 48 c7 c7 7e a3 5d 88 4c 89 ce 4c 89 d1 4d 89 d8
49 89 c1 31 c0 41 57 41 56 53 e8 3a 92 a8 ff 48 83 c4 18 <0f> 0b 90 55 48
89 e5 41 57 41 56 41 55 41 54 53 48 83 ec 30 41 89
RSP: 0018:ffff88807aeaf648 EFLAGS: 00010086
RAX: 0000000000000068 RBX: ffffffff885e841b RCX: defe62446f204b00
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
RBP: ffff88807aeaf660 R08: ffffffff817fec49 R09: ffffed1015d444c6
R10: ffffed1015d444c6 R11: 1ffff11015d444c5 R12: ffff88807aeaf7d1
R13: 0000000000000200 R14: 0000000000001010 R15: 0000000000000001
FS: 0000555556495940(0000) GS:ffff8880aea00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffff8adaea30 CR3: 00000000a0d73000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: KASAN: slab-out-of-bounds Write in validate_chain
2019-06-21 16:27 ` syzbot
@ 2019-06-25 23:07 ` syzbot
-1 siblings, 0 replies; 7+ messages in thread
From: syzbot @ 2019-06-25 23:07 UTC (permalink / raw)
To: akpm, ast, cai, crecklin, daniel, john.fastabend, keescook,
linux-kernel, linux-mm, netdev, syzkaller-bugs
syzbot has bisected this bug to:
commit e9db4ef6bf4ca9894bb324c76e01b8f1a16b2650
Author: John Fastabend <john.fastabend@gmail.com>
Date: Sat Jun 30 13:17:47 2018 +0000
bpf: sockhash fix omitted bucket lock in sock_close
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=14a4e9b5a00000
start commit: abf02e29 Merge tag 'pm-5.2-rc6' of git://git.kernel.org/pu..
git tree: upstream
final crash: https://syzkaller.appspot.com/x/report.txt?x=16a4e9b5a00000
console output: https://syzkaller.appspot.com/x/log.txt?x=12a4e9b5a00000
kernel config: https://syzkaller.appspot.com/x/.config?x=28ec3437a5394ee0
dashboard link: https://syzkaller.appspot.com/bug?extid=8893700724999566d6a9
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=167098b2a00000
Reported-by: syzbot+8893700724999566d6a9@syzkaller.appspotmail.com
Fixes: e9db4ef6bf4c ("bpf: sockhash fix omitted bucket lock in sock_close")
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: KASAN: slab-out-of-bounds Write in validate_chain
@ 2019-06-25 23:07 ` syzbot
0 siblings, 0 replies; 7+ messages in thread
From: syzbot @ 2019-06-25 23:07 UTC (permalink / raw)
To: akpm, ast, cai, crecklin, daniel, john.fastabend, keescook,
linux-kernel, linux-mm, netdev, syzkaller-bugs
syzbot has bisected this bug to:
commit e9db4ef6bf4ca9894bb324c76e01b8f1a16b2650
Author: John Fastabend <john.fastabend@gmail.com>
Date: Sat Jun 30 13:17:47 2018 +0000
bpf: sockhash fix omitted bucket lock in sock_close
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=14a4e9b5a00000
start commit: abf02e29 Merge tag 'pm-5.2-rc6' of git://git.kernel.org/pu..
git tree: upstream
final crash: https://syzkaller.appspot.com/x/report.txt?x=16a4e9b5a00000
console output: https://syzkaller.appspot.com/x/log.txt?x=12a4e9b5a00000
kernel config: https://syzkaller.appspot.com/x/.config?x=28ec3437a5394ee0
dashboard link: https://syzkaller.appspot.com/bug?extid=8893700724999566d6a9
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=167098b2a00000
Reported-by: syzbot+8893700724999566d6a9@syzkaller.appspotmail.com
Fixes: e9db4ef6bf4c ("bpf: sockhash fix omitted bucket lock in sock_close")
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: KASAN: slab-out-of-bounds Write in validate_chain
2019-06-25 23:07 ` syzbot
(?)
@ 2019-06-25 23:48 ` Eric Biggers
2019-06-26 22:24 ` John Fastabend
-1 siblings, 1 reply; 7+ messages in thread
From: Eric Biggers @ 2019-06-25 23:48 UTC (permalink / raw)
To: John Fastabend
Cc: syzbot, akpm, ast, cai, crecklin, daniel, keescook, linux-kernel,
linux-mm, netdev, bpf, syzkaller-bugs
Hi John,
On Tue, Jun 25, 2019 at 04:07:00PM -0700, syzbot wrote:
> syzbot has bisected this bug to:
>
> commit e9db4ef6bf4ca9894bb324c76e01b8f1a16b2650
> Author: John Fastabend <john.fastabend@gmail.com>
> Date: Sat Jun 30 13:17:47 2018 +0000
>
> bpf: sockhash fix omitted bucket lock in sock_close
>
Are you working on this? This is the 6th open syzbot report that has been
bisected to this commit, and I suspect it's the cause of many of the other
30 open syzbot reports I assigned to the bpf subsystem too
(https://lore.kernel.org/bpf/20190624050114.GA30702@sol.localdomain/).
Also, this is happening in mainline (v5.2-rc6).
- Eric
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: KASAN: slab-out-of-bounds Write in validate_chain
2019-06-25 23:48 ` Eric Biggers
@ 2019-06-26 22:24 ` John Fastabend
0 siblings, 0 replies; 7+ messages in thread
From: John Fastabend @ 2019-06-26 22:24 UTC (permalink / raw)
To: Eric Biggers, John Fastabend
Cc: syzbot, akpm, ast, cai, crecklin, daniel, keescook, linux-kernel,
linux-mm, netdev, bpf, syzkaller-bugs
Eric Biggers wrote:
> Hi John,
>
> On Tue, Jun 25, 2019 at 04:07:00PM -0700, syzbot wrote:
> > syzbot has bisected this bug to:
> >
> > commit e9db4ef6bf4ca9894bb324c76e01b8f1a16b2650
> > Author: John Fastabend <john.fastabend@gmail.com>
> > Date: Sat Jun 30 13:17:47 2018 +0000
> >
> > bpf: sockhash fix omitted bucket lock in sock_close
> >
>
> Are you working on this? This is the 6th open syzbot report that has been
> bisected to this commit, and I suspect it's the cause of many of the other
> 30 open syzbot reports I assigned to the bpf subsystem too
> (https://lore.kernel.org/bpf/20190624050114.GA30702@sol.localdomain/).
>
> Also, this is happening in mainline (v5.2-rc6).
>
> - Eric
Should have a fix today. It seems syzbot has found this bug repeatedly.
.John
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: KASAN: slab-out-of-bounds Write in validate_chain
@ 2019-06-26 22:24 ` John Fastabend
0 siblings, 0 replies; 7+ messages in thread
From: John Fastabend @ 2019-06-26 22:24 UTC (permalink / raw)
To: Eric Biggers, John Fastabend
Cc: syzbot, akpm, ast, cai, crecklin, daniel, keescook, linux-kernel,
linux-mm, netdev, bpf, syzkaller-bugs
Eric Biggers wrote:
> Hi John,
>
> On Tue, Jun 25, 2019 at 04:07:00PM -0700, syzbot wrote:
> > syzbot has bisected this bug to:
> >
> > commit e9db4ef6bf4ca9894bb324c76e01b8f1a16b2650
> > Author: John Fastabend <john.fastabend@gmail.com>
> > Date: Sat Jun 30 13:17:47 2018 +0000
> >
> > bpf: sockhash fix omitted bucket lock in sock_close
> >
>
> Are you working on this? This is the 6th open syzbot report that has been
> bisected to this commit, and I suspect it's the cause of many of the other
> 30 open syzbot reports I assigned to the bpf subsystem too
> (https://lore.kernel.org/bpf/20190624050114.GA30702@sol.localdomain/).
>
> Also, this is happening in mainline (v5.2-rc6).
>
> - Eric
Should have a fix today. It seems syzbot has found this bug repeatedly.
.John
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2019-06-26 22:25 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-06-21 16:27 KASAN: slab-out-of-bounds Write in validate_chain syzbot
2019-06-21 16:27 ` syzbot
2019-06-25 23:07 ` syzbot
2019-06-25 23:07 ` syzbot
2019-06-25 23:48 ` Eric Biggers
2019-06-26 22:24 ` John Fastabend
2019-06-26 22:24 ` John Fastabend
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.