* [syzbot] WARNING: zero-size vmalloc in corrupted
From: syzbot @ 2021-06-23  9:15 UTC (permalink / raw)
  To: akpm, coreteam, davem, dsahern, fw, kadlec, kuba, linux-kernel,
	linux-mm, netdev, netfilter-devel, pablo, syzkaller-bugs,
	yoshfuji

Hello,

syzbot found the following issue on:

HEAD commit:    13311e74 Linux 5.13-rc7
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15d01e58300000
kernel config:  https://syzkaller.appspot.com/x/.config?x=42ecca11b759d96c
dashboard link: https://syzkaller.appspot.com/bug?extid=c2f6f09fe907a838effb
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=14bb89e8300000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17cc51b8300000

The issue was bisected to:

commit f9006acc8dfe59e25aa75729728ac57a8d84fc32
Author: Florian Westphal <fw@strlen.de>
Date:   Wed Apr 21 07:51:08 2021 +0000

    netfilter: arp_tables: pass table pointer via nf_hook_ops

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=13b88400300000
final oops:     https://syzkaller.appspot.com/x/report.txt?x=10788400300000
console output: https://syzkaller.appspot.com/x/log.txt?x=17b88400300000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+c2f6f09fe907a838effb@syzkaller.appspotmail.com
Fixes: f9006acc8dfe ("netfilter: arp_tables: pass table pointer via nf_hook_ops")

usb 1-1: media controller created
dvbdev: dvb_create_media_entity: media entity 'dvb-demux' registered.
cxusb: set interface failed
dvb-usb: bulk message failed: -22 (1/0)
DVB: Unable to find symbol mt352_attach()
dvb-usb: no frontend was attached by 'DViCO FusionHDTV DVB-T USB (LGZ201)'
dvbdev: DVB: registering new adapter (DViCO FusionHDTV DVB-T USB (LGZ201))
usb 1-1: media controller created
------------[ cut here ]------------
WARNING: CPU: 1 PID: 2950 at mm/vmalloc.c:2873 __vmalloc_node_range+0x769/0x970 mm/vmalloc.c:2873
Modules linked in:
CPU: 1 PID: 2950 Comm: kworker/1:2 Not tainted 5.13.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: usb_hub_wq hub_event
RIP: 0010:__vmalloc_node_range+0x769/0x970 mm/vmalloc.c:2873
Code: c7 04 24 00 00 00 00 eb 93 e8 b3 44 c5 ff 44 89 fa 44 89 f6 4c 89 ef e8 05 f7 09 00 48 89 04 24 e9 be fb ff ff e8 97 44 c5 ff <0f> 0b 48


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches

* Re: [syzbot] WARNING: zero-size vmalloc in corrupted
From: Pavel Skripkin @ 2021-06-23 16:19 UTC (permalink / raw)
  To: syzbot
  Cc: akpm, coreteam, davem, dsahern, fw, kadlec, kuba, linux-kernel,
	linux-mm, netdev, netfilter-devel, pablo, syzkaller-bugs,
	yoshfuji

[-- Attachment #1: Type: text/plain, Size: 1265 bytes --]

On Wed, 23 Jun 2021 02:15:23 -0700
syzbot <syzbot+c2f6f09fe907a838effb@syzkaller.appspotmail.com> wrote:

> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    13311e74 Linux 5.13-rc7
> git tree:       upstream
> console output:
> https://syzkaller.appspot.com/x/log.txt?x=15d01e58300000 kernel
> config:  https://syzkaller.appspot.com/x/.config?x=42ecca11b759d96c
> dashboard link:
> https://syzkaller.appspot.com/bug?extid=c2f6f09fe907a838effb syz
> repro:
> https://syzkaller.appspot.com/x/repro.syz?x=14bb89e8300000 C
> reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17cc51b8300000
> 
> The issue was bisected to:
> 
> commit f9006acc8dfe59e25aa75729728ac57a8d84fc32
> Author: Florian Westphal <fw@strlen.de>
> Date:   Wed Apr 21 07:51:08 2021 +0000
> 
>     netfilter: arp_tables: pass table pointer via nf_hook_ops
> 
> bisection log:
> https://syzkaller.appspot.com/x/bisect.txt?x=13b88400300000 final
> oops:     https://syzkaller.appspot.com/x/report.txt?x=10788400300000
> console output:
> https://syzkaller.appspot.com/x/log.txt?x=17b88400300000
> 

This one is similar to previous zero-size vmalloc, I guess :)

#syz test
git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master


With regards,
Pavel Skripkin

[-- Attachment #2: 0001-media-dvb-usb-fix-wrong-definition.patch --]
[-- Type: text/x-patch, Size: 821 bytes --]

From b1ed745713bb840e0778c5a13f1f83f535dca044 Mon Sep 17 00:00:00 2001
From: Pavel Skripkin <paskripkin@gmail.com>
Date: Wed, 23 Jun 2021 19:18:09 +0300
Subject: [PATCH] media: dvb-usb: fix wrong definition

/* ..... */

Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
---
 drivers/media/usb/dvb-usb/cxusb.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/media/usb/dvb-usb/cxusb.c b/drivers/media/usb/dvb-usb/cxusb.c
index 761992ad05e2..7707de7bae7c 100644
--- a/drivers/media/usb/dvb-usb/cxusb.c
+++ b/drivers/media/usb/dvb-usb/cxusb.c
@@ -1947,7 +1947,7 @@ static struct dvb_usb_device_properties cxusb_bluebird_lgz201_properties = {
 
 	.size_of_priv     = sizeof(struct cxusb_state),
 
-	.num_adapters = 2,
+	.num_adapters = 1,
 	.adapter = {
 		{
 		.num_frontends = 1,
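Review bot: the `.num_adapters = 1` change in cxusb_bluebird_lgz201_properties is submitted with a commit body that is only the placeholder `/* ..... */`, so the log never says why 2 was wrong. The context shown here ends at the first `.adapter` entry with `.num_frontends = 1`, so the message should state how many adapter entries this properties struct actually initialises and how the larger count relates to the zero-size vmalloc warning syzbot reported. Please also carry the `Reported-by:` tag the report asks for, and check the `Fixes:` tag before copying it: the one syzbot proposes names a netfilter arp_tables commit, while this change touches only drivers/media/usb/dvb-usb/cxusb.c.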
-- 
2.32.0



* Re: [syzbot] WARNING: zero-size vmalloc in corrupted
From: Pavel Skripkin @ 2021-06-23 16:28 UTC (permalink / raw)
  To: syzbot
  Cc: akpm, coreteam, davem, dsahern, fw, kadlec, kuba, linux-kernel,
	linux-mm, netdev, netfilter-devel, pablo, syzkaller-bugs,
	yoshfuji

On Wed, 23 Jun 2021 19:19:28 +0300
Pavel Skripkin <paskripkin@gmail.com> wrote:

> On Wed, 23 Jun 2021 02:15:23 -0700
> syzbot <syzbot+c2f6f09fe907a838effb@syzkaller.appspotmail.com> wrote:
> 
> > Hello,
> > 
> > syzbot found the following issue on:
> > 
> > HEAD commit:    13311e74 Linux 5.13-rc7
> > git tree:       upstream
> > console output:
> > https://syzkaller.appspot.com/x/log.txt?x=15d01e58300000 kernel
> > config:  https://syzkaller.appspot.com/x/.config?x=42ecca11b759d96c
> > dashboard link:
> > https://syzkaller.appspot.com/bug?extid=c2f6f09fe907a838effb syz
> > repro:
> > https://syzkaller.appspot.com/x/repro.syz?x=14bb89e8300000 C
> > reproducer:
> > https://syzkaller.appspot.com/x/repro.c?x=17cc51b8300000
> > 
> > The issue was bisected to:
> > 
> > commit f9006acc8dfe59e25aa75729728ac57a8d84fc32
> > Author: Florian Westphal <fw@strlen.de>
> > Date:   Wed Apr 21 07:51:08 2021 +0000
> > 
> >     netfilter: arp_tables: pass table pointer via nf_hook_ops
> > 
> > bisection log:
> > https://syzkaller.appspot.com/x/bisect.txt?x=13b88400300000 final
> > oops:
> > https://syzkaller.appspot.com/x/report.txt?x=10788400300000 console
> > output: https://syzkaller.appspot.com/x/log.txt?x=17b88400300000
> > 
> 
> This one is similar to previous zero-size vmalloc, I guess :)
> 
> #syz test
> git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
> master
> 
> 

Hah, I didn't notice that this one is already fixed by me. But the
patch is in the media tree, it's not upstreamed yet:  

https://git.linuxtv.org/media_tree.git/commit/?id=c680ed46e418e9c785d76cf44eb33bfd1e8cf3f6

So, 

#syz dup: WARNING: zero-size vmalloc in dvb_dmx_init

With regards,
Pavel Skripkin


* Re: [syzbot] WARNING: zero-size vmalloc in corrupted
From: syzbot @ 2021-06-23 16:28 UTC (permalink / raw)
  To: Pavel Skripkin
  Cc: akpm, coreteam, davem, dsahern, fw, kadlec, kuba, linux-kernel,
	linux-mm, netdev, netfilter-devel, pablo, paskripkin,
	syzkaller-bugs, yoshfuji

> On Wed, 23 Jun 2021 19:19:28 +0300
> Pavel Skripkin <paskripkin@gmail.com> wrote:
>
>> On Wed, 23 Jun 2021 02:15:23 -0700
>> syzbot <syzbot+c2f6f09fe907a838effb@syzkaller.appspotmail.com> wrote:
>> 
>> > Hello,
>> > 
>> > syzbot found the following issue on:
>> > 
>> > HEAD commit:    13311e74 Linux 5.13-rc7
>> > git tree:       upstream
>> > console output:
>> > https://syzkaller.appspot.com/x/log.txt?x=15d01e58300000 kernel
>> > config:  https://syzkaller.appspot.com/x/.config?x=42ecca11b759d96c
>> > dashboard link:
>> > https://syzkaller.appspot.com/bug?extid=c2f6f09fe907a838effb syz
>> > repro:
>> > https://syzkaller.appspot.com/x/repro.syz?x=14bb89e8300000 C
>> > reproducer:
>> > https://syzkaller.appspot.com/x/repro.c?x=17cc51b8300000
>> > 
>> > The issue was bisected to:
>> > 
>> > commit f9006acc8dfe59e25aa75729728ac57a8d84fc32
>> > Author: Florian Westphal <fw@strlen.de>
>> > Date:   Wed Apr 21 07:51:08 2021 +0000
>> > 
>> >     netfilter: arp_tables: pass table pointer via nf_hook_ops
>> > 
>> > bisection log:
>> > https://syzkaller.appspot.com/x/bisect.txt?x=13b88400300000 final
>> > oops:
>> > https://syzkaller.appspot.com/x/report.txt?x=10788400300000 console
>> > output: https://syzkaller.appspot.com/x/log.txt?x=17b88400300000
>> > 
>> 
>> This one is similar to previous zero-size vmalloc, I guess :)
>> 
>> #syz test
>> git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
>> master
>> 
>> 
>
> Hah, I didn't notice that this one is already fixed by me. But the
> patch is in the media tree, it's not upstreamed yet:  
>
> https://git.linuxtv.org/media_tree.git/commit/?id=c680ed46e418e9c785d76cf44eb33bfd1e8cf3f6
>
> So, 
>
> #syz dup: WARNING: zero-size vmalloc in dvb_dmx_init

Can't dup bug to a bug in different reporting (upstream->internal). Please dup syzbot bugs only onto syzbot bugs for the same kernel/reporting.

>
> With regards,
> Pavel Skripkin


* Re: [syzbot] WARNING: zero-size vmalloc in corrupted
From: syzbot @ 2021-06-23 16:37 UTC (permalink / raw)
  To: akpm, coreteam, davem, dsahern, fw, kadlec, kuba, linux-kernel,
	linux-mm, netdev, netfilter-devel, pablo, paskripkin,
	syzkaller-bugs, yoshfuji

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: sleeping function called from invalid context in lock_sock_nested

BUG: sleeping function called from invalid context at net/core/sock.c:3064
in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 8843, name: syz-executor.2
1 lock held by syz-executor.2/8843:
 #0: ffffffff8d0c43c0 (hci_sk_list.lock){++++}-{2:2}, at: hci_sock_dev_event+0x3db/0x660 net/bluetooth/hci_sock.c:763
Preemption disabled at:
[<0000000000000000>] 0x0
CPU: 1 PID: 8843 Comm: syz-executor.2 Not tainted 5.13.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x141/0x1d7 lib/dump_stack.c:120
 ___might_sleep.cold+0x1f1/0x237 kernel/sched/core.c:8337
 lock_sock_nested+0x25/0x120 net/core/sock.c:3064
 lock_sock include/net/sock.h:1610 [inline]
 hci_sock_dev_event+0x465/0x660 net/bluetooth/hci_sock.c:765
 hci_unregister_dev+0x2fd/0x1130 net/bluetooth/hci_core.c:4013
 vhci_release+0x70/0xe0 drivers/bluetooth/hci_vhci.c:340
 __fput+0x288/0x920 fs/file_table.c:280
 task_work_run+0xdd/0x1a0 kernel/task_work.c:164
 exit_task_work include/linux/task_work.h:32 [inline]
 do_exit+0xbfc/0x2a60 kernel/exit.c:826
 do_group_exit+0x125/0x310 kernel/exit.c:923
 __do_sys_exit_group kernel/exit.c:934 [inline]
 __se_sys_exit_group kernel/exit.c:932 [inline]
 __x64_sys_exit_group+0x3a/0x50 kernel/exit.c:932
 do_syscall_64+0x3a/0xb0 arch/x86/entry/common.c:47
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x4665d9
Code: Unable to access opcode bytes at RIP 0x4665af.
RSP: 002b:00007fff82506ba8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 00007fff82507368 RCX: 00000000004665d9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000043
RBP: 0000000000000000 R08: 0000000000000025 R09: 00007fff82507368
R10: 00000000ffffffff R11: 0000000000000246 R12: 00000000004bef54
R13: 0000000000000010 R14: 0000000000000000 R15: 0000000000400538

======================================================


Tested on:

commit:         0c18f29a module: limit enabling module.sig_enforce
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=17ae9658300000
kernel config:  https://syzkaller.appspot.com/x/.config?x=3932cedd2c2d4a69
dashboard link: https://syzkaller.appspot.com/bug?extid=c2f6f09fe907a838effb
compiler:       
patch:          https://syzkaller.appspot.com/x/patch.diff?x=10fc8400300000


* Re: [syzbot] WARNING: zero-size vmalloc in corrupted
From: Dmitry Vyukov @ 2021-06-24  6:17 UTC (permalink / raw)
  To: syzbot
  Cc: Pavel Skripkin, akpm, coreteam, davem, dsahern, fw, kadlec, kuba,
	linux-kernel, linux-mm, netdev, netfilter-devel, pablo,
	syzkaller-bugs, yoshfuji

On Wed, Jun 23, 2021 at 6:28 PM syzbot
<syzbot+c2f6f09fe907a838effb@syzkaller.appspotmail.com> wrote:
>
> > On Wed, 23 Jun 2021 19:19:28 +0300
> > Pavel Skripkin <paskripkin@gmail.com> wrote:
> >
> >> On Wed, 23 Jun 2021 02:15:23 -0700
> >> syzbot <syzbot+c2f6f09fe907a838effb@syzkaller.appspotmail.com> wrote:
> >>
> >> > Hello,
> >> >
> >> > syzbot found the following issue on:
> >> >
> >> > HEAD commit:    13311e74 Linux 5.13-rc7
> >> > git tree:       upstream
> >> > console output:
> >> > https://syzkaller.appspot.com/x/log.txt?x=15d01e58300000 kernel
> >> > config:  https://syzkaller.appspot.com/x/.config?x=42ecca11b759d96c
> >> > dashboard link:
> >> > https://syzkaller.appspot.com/bug?extid=c2f6f09fe907a838effb syz
> >> > repro:
> >> > https://syzkaller.appspot.com/x/repro.syz?x=14bb89e8300000 C
> >> > reproducer:
> >> > https://syzkaller.appspot.com/x/repro.c?x=17cc51b8300000
> >> >
> >> > The issue was bisected to:
> >> >
> >> > commit f9006acc8dfe59e25aa75729728ac57a8d84fc32
> >> > Author: Florian Westphal <fw@strlen.de>
> >> > Date:   Wed Apr 21 07:51:08 2021 +0000
> >> >
> >> >     netfilter: arp_tables: pass table pointer via nf_hook_ops
> >> >
> >> > bisection log:
> >> > https://syzkaller.appspot.com/x/bisect.txt?x=13b88400300000 final
> >> > oops:
> >> > https://syzkaller.appspot.com/x/report.txt?x=10788400300000 console
> >> > output: https://syzkaller.appspot.com/x/log.txt?x=17b88400300000
> >> >
> >>
> >> This one is similar to previous zero-size vmalloc, I guess :)
> >>
> >> #syz test
> >> git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
> >> master
> >>
> >>
> >
> > Hah, I didn't notice that this one is already fixed by me. But the
> > patch is in the media tree, it's not upstreamed yet:
> >
> > https://git.linuxtv.org/media_tree.git/commit/?id=c680ed46e418e9c785d76cf44eb33bfd1e8cf3f6
> >
> > So,
> >
> > #syz dup: WARNING: zero-size vmalloc in dvb_dmx_init
>
> Can't dup bug to a bug in different reporting (upstream->internal). Please dup syzbot bugs only onto syzbot bugs for the same kernel/reporting.

I think we can say:

#syz dup: WARNING in __vmalloc_node_range
https://syzkaller.appspot.com/bug?id=3c558412597cc402fd7fbb250ca30d04d46c8c60

as that was the original bug report.
