* BUG: unable to handle kernel NULL pointer dereference in call_rcu
From: syzbot @ 2020-12-26 23:25 UTC
To: adobriyan, akpm, linux-kernel, longman, sfr, syzkaller-bugs, vvs

Hello,

syzbot found the following issue on:

HEAD commit:    614cb589 Merge tag 'acpi-5.11-rc1-2' of git://git.kernel.o..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10a82a50d00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=bf519e1e96191576
dashboard link: https://syzkaller.appspot.com/bug?extid=9d3ede723bdc58553f13
compiler:       gcc (GCC) 10.1.0-syz 20200507
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=11830e93500000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=13d92057500000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+9d3ede723bdc58553f13@syzkaller.appspotmail.com

BUG: kernel NULL pointer dereference, address: 0000000000000008
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 2d993067 P4D 2d993067 PUD 19a3c067 PMD 0
Oops: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 3852 Comm: kworker/1:2 Not tainted 5.10.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events free_ipc
RIP: 0010:kasan_record_aux_stack+0x77/0xb0 mm/kasan/generic.c:341
Code: 48 f7 fe 8b 47 24 49 89 f0 48 29 d3 8d 70 ff 41 0f af f0 48 01 ce 48 39 f3 48 0f 46 f3 e8 81 e9 ff ff bf 00 08 00 00 48 89 c3 <8b> 40 08 89 43 0c e8 1e e6 ff ff 89 43 08 5b c3 48 8b 50 08 48 c7
RSP: 0018:ffffc90002e6fae8 EFLAGS: 00010046
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff888039800000
RDX: 0000000000000078 RSI: ffff888039800000 RDI: 0000000000000800
RBP: ffffffff837ef3a0 R08: 0000000000400000 R09: 000000000000002e
R10: ffffffff8132b7ea R11: 000000000000003f R12: 0000000000035b40
R13: ffff888039800088 R14: ffffc90002e6fc08 R15: 0000000000000200
FS: 0000000000000000(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000008 CR3: 0000000011841000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 __call_rcu kernel/rcu/tree.c:2965 [inline]
 call_rcu+0xbb/0x710 kernel/rcu/tree.c:3038
 ipc_rcu_putref+0x83/0xb0 ipc/util.c:505
 freeary+0x139c/0x1b30 ipc/sem.c:1188
 free_ipcs+0x98/0x1e0 ipc/namespace.c:112
 sem_exit_ns+0x1b/0x40 ipc/sem.c:260
 free_ipc_ns ipc/namespace.c:124 [inline]
 free_ipc+0xf8/0x200 ipc/namespace.c:141
 process_one_work+0x98d/0x1630 kernel/workqueue.c:2275
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2421
 kthread+0x3b1/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296
Modules linked in:
CR2: 0000000000000008
---[ end trace 28dc093e61d44dc2 ]---
RIP: 0010:kasan_record_aux_stack+0x77/0xb0 mm/kasan/generic.c:341
Code: 48 f7 fe 8b 47 24 49 89 f0 48 29 d3 8d 70 ff 41 0f af f0 48 01 ce 48 39 f3 48 0f 46 f3 e8 81 e9 ff ff bf 00 08 00 00 48 89 c3 <8b> 40 08 89 43 0c e8 1e e6 ff ff 89 43 08 5b c3 48 8b 50 08 48 c7
RSP: 0018:ffffc90002e6fae8 EFLAGS: 00010046
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff888039800000
RDX: 0000000000000078 RSI: ffff888039800000 RDI: 0000000000000800
RBP: ffffffff837ef3a0 R08: 0000000000400000 R09: 000000000000002e
R10: ffffffff8132b7ea R11: 000000000000003f R12: 0000000000035b40
R13: ffff888039800088 R14: ffffc90002e6fc08 R15: 0000000000000200
FS: 0000000000000000(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000008 CR3: 0000000011841000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
* Re: BUG: unable to handle kernel NULL pointer dereference in call_rcu
From: Andrew Morton @ 2020-12-27 19:45 UTC
To: syzbot
Cc: adobriyan, linux-kernel, longman, sfr, syzkaller-bugs, vvs, Andrey Ryabinin, Alexander Potapenko, Dmitry Vyukov

(cc KASAN developers)

On Sat, 26 Dec 2020 15:25:14 -0800 syzbot <syzbot+9d3ede723bdc58553f13@syzkaller.appspotmail.com> wrote:

> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit:    614cb589 Merge tag 'acpi-5.11-rc1-2' of git://git.kernel.o..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=10a82a50d00000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=bf519e1e96191576
> dashboard link: https://syzkaller.appspot.com/bug?extid=9d3ede723bdc58553f13
> compiler:       gcc (GCC) 10.1.0-syz 20200507
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=11830e93500000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=13d92057500000
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+9d3ede723bdc58553f13@syzkaller.appspotmail.com
>
> BUG: kernel NULL pointer dereference, address: 0000000000000008
> #PF: supervisor read access in kernel mode
> #PF: error_code(0x0000) - not-present page
> PGD 2d993067 P4D 2d993067 PUD 19a3c067 PMD 0
> Oops: 0000 [#1] PREEMPT SMP KASAN
> CPU: 1 PID: 3852 Comm: kworker/1:2 Not tainted 5.10.0-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> Workqueue: events free_ipc
> RIP: 0010:kasan_record_aux_stack+0x77/0xb0 mm/kasan/generic.c:341
> Code: 48 f7 fe 8b 47 24 49 89 f0 48 29 d3 8d 70 ff 41 0f af f0 48 01 ce 48 39 f3 48 0f 46 f3 e8 81 e9 ff ff bf 00 08 00 00 48 89 c3 <8b> 40 08 89 43 0c e8 1e e6 ff ff 89 43 08 5b c3 48 8b 50 08 48 c7
> RSP: 0018:ffffc90002e6fae8 EFLAGS: 00010046
> RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff888039800000
> RDX: 0000000000000078 RSI: ffff888039800000 RDI: 0000000000000800
> RBP: ffffffff837ef3a0 R08: 0000000000400000 R09: 000000000000002e
> R10: ffffffff8132b7ea R11: 000000000000003f R12: 0000000000035b40
> R13: ffff888039800088 R14: ffffc90002e6fc08 R15: 0000000000000200
> FS: 0000000000000000(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000000000008 CR3: 0000000011841000 CR4: 00000000001506e0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
>  __call_rcu kernel/rcu/tree.c:2965 [inline]
>  call_rcu+0xbb/0x710 kernel/rcu/tree.c:3038
>  ipc_rcu_putref+0x83/0xb0 ipc/util.c:505
>  freeary+0x139c/0x1b30 ipc/sem.c:1188
>  free_ipcs+0x98/0x1e0 ipc/namespace.c:112
>  sem_exit_ns+0x1b/0x40 ipc/sem.c:260
>  free_ipc_ns ipc/namespace.c:124 [inline]
>  free_ipc+0xf8/0x200 ipc/namespace.c:141
>  process_one_work+0x98d/0x1630 kernel/workqueue.c:2275
>  worker_thread+0x64c/0x1120 kernel/workqueue.c:2421
>  kthread+0x3b1/0x4a0 kernel/kthread.c:292
>  ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296
> Modules linked in:
> CR2: 0000000000000008
> ---[ end trace 28dc093e61d44dc2 ]---
> RIP: 0010:kasan_record_aux_stack+0x77/0xb0 mm/kasan/generic.c:341
> Code: 48 f7 fe 8b 47 24 49 89 f0 48 29 d3 8d 70 ff 41 0f af f0 48 01 ce 48 39 f3 48 0f 46 f3 e8 81 e9 ff ff bf 00 08 00 00 48 89 c3 <8b> 40 08 89 43 0c e8 1e e6 ff ff 89 43 08 5b c3 48 8b 50 08 48 c7
> RSP: 0018:ffffc90002e6fae8 EFLAGS: 00010046
> RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff888039800000
> RDX: 0000000000000078 RSI: ffff888039800000 RDI: 0000000000000800
> RBP: ffffffff837ef3a0 R08: 0000000000400000 R09: 000000000000002e
> R10: ffffffff8132b7ea R11: 000000000000003f R12: 0000000000035b40
> R13: ffff888039800088 R14: ffffc90002e6fc08 R15: 0000000000000200
> FS: 0000000000000000(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000000000008 CR3: 0000000011841000 CR4: 00000000001506e0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
>
>
> ---
> This report is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
>
> syzbot will keep track of this issue. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> syzbot can test patches for this issue, for details see:
> https://goo.gl/tpsmEJ#testing-patches
* Re: BUG: unable to handle kernel NULL pointer dereference in call_rcu
From: Dmitry Vyukov @ 2020-12-27 19:51 UTC
To: Andrew Morton, Walter Wu, Andrey Konovalov
Cc: syzbot, Alexey Dobriyan, LKML, Waiman Long, Stephen Rothwell, syzkaller-bugs, Vasily Averin, Andrey Ryabinin, Alexander Potapenko

/\/\/\/\On Sun, Dec 27, 2020 at 8:45 PM Andrew Morton <akpm@linux-foundation.org> wrote:
>
> (cc KASAN developers)
>
> On Sat, 26 Dec 2020 15:25:14 -0800 syzbot <syzbot+9d3ede723bdc58553f13@syzkaller.appspotmail.com> wrote:
>
> > Hello,
> >
> > syzbot found the following issue on:
> >
> > HEAD commit:    614cb589 Merge tag 'acpi-5.11-rc1-2' of git://git.kernel.o..
> > git tree:       upstream
> > console output: https://syzkaller.appspot.com/x/log.txt?x=10a82a50d00000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=bf519e1e96191576
> > dashboard link: https://syzkaller.appspot.com/bug?extid=9d3ede723bdc58553f13
> > compiler:       gcc (GCC) 10.1.0-syz 20200507
> > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=11830e93500000
> > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=13d92057500000
> >
> > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > Reported-by: syzbot+9d3ede723bdc58553f13@syzkaller.appspotmail.com
> >
> > BUG: kernel NULL pointer dereference, address: 0000000000000008
> > #PF: supervisor read access in kernel mode
> > #PF: error_code(0x0000) - not-present page
> > PGD 2d993067 P4D 2d993067 PUD 19a3c067 PMD 0
> > Oops: 0000 [#1] PREEMPT SMP KASAN
> > CPU: 1 PID: 3852 Comm: kworker/1:2 Not tainted 5.10.0-syzkaller #0
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> > Workqueue: events free_ipc
> > RIP: 0010:kasan_record_aux_stack+0x77/0xb0 mm/kasan/generic.c:341

+Walter, Andrey

void kasan_record_aux_stack(void *addr)
{
...
alloc_meta = kasan_get_alloc_meta(cache, object);
alloc_meta->aux_stack[1] = alloc_meta->aux_stack[0];
                          /\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
It crashes on NULL deref here, I assume alloc_meta is NULL. We may not
have it for some slabs. Do we miss a NULL check here?

> > Code: 48 f7 fe 8b 47 24 49 89 f0 48 29 d3 8d 70 ff 41 0f af f0 48 01 ce 48 39 f3 48 0f 46 f3 e8 81 e9 ff ff bf 00 08 00 00 48 89 c3 <8b> 40 08 89 43 0c e8 1e e6 ff ff 89 43 08 5b c3 48 8b 50 08 48 c7
> > RSP: 0018:ffffc90002e6fae8 EFLAGS: 00010046
> > RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff888039800000
> > RDX: 0000000000000078 RSI: ffff888039800000 RDI: 0000000000000800
> > RBP: ffffffff837ef3a0 R08: 0000000000400000 R09: 000000000000002e
> > R10: ffffffff8132b7ea R11: 000000000000003f R12: 0000000000035b40
> > R13: ffff888039800088 R14: ffffc90002e6fc08 R15: 0000000000000200
> > FS: 0000000000000000(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
> > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > CR2: 0000000000000008 CR3: 0000000011841000 CR4: 00000000001506e0
> > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> > DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> > Call Trace:
> >  __call_rcu kernel/rcu/tree.c:2965 [inline]
> >  call_rcu+0xbb/0x710 kernel/rcu/tree.c:3038
> >  ipc_rcu_putref+0x83/0xb0 ipc/util.c:505
> >  freeary+0x139c/0x1b30 ipc/sem.c:1188
> >  free_ipcs+0x98/0x1e0 ipc/namespace.c:112
> >  sem_exit_ns+0x1b/0x40 ipc/sem.c:260
> >  free_ipc_ns ipc/namespace.c:124 [inline]
> >  free_ipc+0xf8/0x200 ipc/namespace.c:141
> >  process_one_work+0x98d/0x1630 kernel/workqueue.c:2275
> >  worker_thread+0x64c/0x1120 kernel/workqueue.c:2421
> >  kthread+0x3b1/0x4a0 kernel/kthread.c:292
> >  ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296
> > Modules linked in:
> > CR2: 0000000000000008
> > ---[ end trace 28dc093e61d44dc2 ]---
> > RIP: 0010:kasan_record_aux_stack+0x77/0xb0 mm/kasan/generic.c:341
> > Code: 48 f7 fe 8b 47 24 49 89 f0 48 29 d3 8d 70 ff 41 0f af f0 48 01 ce 48 39 f3 48 0f 46 f3 e8 81 e9 ff ff bf 00 08 00 00 48 89 c3 <8b> 40 08 89 43 0c e8 1e e6 ff ff 89 43 08 5b c3 48 8b 50 08 48 c7
> > RSP: 0018:ffffc90002e6fae8 EFLAGS: 00010046
> > RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff888039800000
> > RDX: 0000000000000078 RSI: ffff888039800000 RDI: 0000000000000800
> > RBP: ffffffff837ef3a0 R08: 0000000000400000 R09: 000000000000002e
> > R10: ffffffff8132b7ea R11: 000000000000003f R12: 0000000000035b40
> > R13: ffff888039800088 R14: ffffc90002e6fc08 R15: 0000000000000200
> > FS: 0000000000000000(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
> > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > CR2: 0000000000000008 CR3: 0000000011841000 CR4: 00000000001506e0
> > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> > DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> >
> >
> > ---
> > This report is generated by a bot. It may contain errors.
> > See https://goo.gl/tpsmEJ for more information about syzbot.
> > syzbot engineers can be reached at syzkaller@googlegroups.com.
> >
> > syzbot will keep track of this issue. See:
> > https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> > syzbot can test patches for this issue, for details see:
> > https://goo.gl/tpsmEJ#testing-patches
* Re: BUG: unable to handle kernel NULL pointer dereference in call_rcu
From: Walter Wu @ 2020-12-28 4:19 UTC
To: Dmitry Vyukov
Cc: Andrew Morton, Andrey Konovalov, syzbot, Alexey Dobriyan, LKML, Waiman Long, Stephen Rothwell, syzkaller-bugs, Vasily Averin, Andrey Ryabinin, Alexander Potapenko

On Sun, 2020-12-27 at 20:51 +0100, Dmitry Vyukov wrote:
> /\/\/\/\On Sun, Dec 27, 2020 at 8:45 PM Andrew Morton
> <akpm@linux-foundation.org> wrote:
> >
> > (cc KASAN developers)
> >
> > On Sat, 26 Dec 2020 15:25:14 -0800 syzbot <syzbot+9d3ede723bdc58553f13@syzkaller.appspotmail.com> wrote:
> >
> > > Hello,
> > >
> > > syzbot found the following issue on:
> > >
> > > HEAD commit:    614cb589 Merge tag 'acpi-5.11-rc1-2' of git://git.kernel.o..
> > > git tree:       upstream
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=10a82a50d00000
> > > kernel config:  https://syzkaller.appspot.com/x/.config?x=bf519e1e96191576
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=9d3ede723bdc58553f13
> > > compiler:       gcc (GCC) 10.1.0-syz 20200507
> > > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=11830e93500000
> > > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=13d92057500000
> > >
> > > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > > Reported-by: syzbot+9d3ede723bdc58553f13@syzkaller.appspotmail.com
> > >
> > > BUG: kernel NULL pointer dereference, address: 0000000000000008
> > > #PF: supervisor read access in kernel mode
> > > #PF: error_code(0x0000) - not-present page
> > > PGD 2d993067 P4D 2d993067 PUD 19a3c067 PMD 0
> > > Oops: 0000 [#1] PREEMPT SMP KASAN
> > > CPU: 1 PID: 3852 Comm: kworker/1:2 Not tainted 5.10.0-syzkaller #0
> > > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> > > Workqueue: events free_ipc
> > > RIP: 0010:kasan_record_aux_stack+0x77/0xb0 mm/kasan/generic.c:341
>
> +Walter, Andrey
>
> void kasan_record_aux_stack(void *addr)
> {
> ...
> alloc_meta = kasan_get_alloc_meta(cache, object);
> alloc_meta->aux_stack[1] = alloc_meta->aux_stack[0];
>                           /\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
> It crashes on NULL deref here, I assume alloc_meta is NULL. We may not
> have it for some slabs. Do we miss a NULL check here?
>

Hi Dmitry,

Yes, I will send a patch to fix it.
Thanks for your suggestion.

Walter

> > > Code: 48 f7 fe 8b 47 24 49 89 f0 48 29 d3 8d 70 ff 41 0f af f0 48 01 ce 48 39 f3 48 0f 46 f3 e8 81 e9 ff ff bf 00 08 00 00 48 89 c3 <8b> 40 08 89 43 0c e8 1e e6 ff ff 89 43 08 5b c3 48 8b 50 08 48 c7
> > > RSP: 0018:ffffc90002e6fae8 EFLAGS: 00010046
> > > RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff888039800000
> > > RDX: 0000000000000078 RSI: ffff888039800000 RDI: 0000000000000800
> > > RBP: ffffffff837ef3a0 R08: 0000000000400000 R09: 000000000000002e
> > > R10: ffffffff8132b7ea R11: 000000000000003f R12: 0000000000035b40
> > > R13: ffff888039800088 R14: ffffc90002e6fc08 R15: 0000000000000200
> > > FS: 0000000000000000(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
> > > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > > CR2: 0000000000000008 CR3: 0000000011841000 CR4: 00000000001506e0
> > > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> > > DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> > > Call Trace:
> > >  __call_rcu kernel/rcu/tree.c:2965 [inline]
> > >  call_rcu+0xbb/0x710 kernel/rcu/tree.c:3038
> > >  ipc_rcu_putref+0x83/0xb0 ipc/util.c:505
> > >  freeary+0x139c/0x1b30 ipc/sem.c:1188
> > >  free_ipcs+0x98/0x1e0 ipc/namespace.c:112
> > >  sem_exit_ns+0x1b/0x40 ipc/sem.c:260
> > >  free_ipc_ns ipc/namespace.c:124 [inline]
> > >  free_ipc+0xf8/0x200 ipc/namespace.c:141
> > >  process_one_work+0x98d/0x1630 kernel/workqueue.c:2275
> > >  worker_thread+0x64c/0x1120 kernel/workqueue.c:2421
> > >  kthread+0x3b1/0x4a0 kernel/kthread.c:292
> > >  ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296
> > > Modules linked in:
> > > CR2: 0000000000000008
> > > ---[ end trace 28dc093e61d44dc2 ]---
> > > RIP: 0010:kasan_record_aux_stack+0x77/0xb0 mm/kasan/generic.c:341
> > > Code: 48 f7 fe 8b 47 24 49 89 f0 48 29 d3 8d 70 ff 41 0f af f0 48 01 ce 48 39 f3 48 0f 46 f3 e8 81 e9 ff ff bf 00 08 00 00 48 89 c3 <8b> 40 08 89 43 0c e8 1e e6 ff ff 89 43 08 5b c3 48 8b 50 08 48 c7
> > > RSP: 0018:ffffc90002e6fae8 EFLAGS: 00010046
> > > RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff888039800000
> > > RDX: 0000000000000078 RSI: ffff888039800000 RDI: 0000000000000800
> > > RBP: ffffffff837ef3a0 R08: 0000000000400000 R09: 000000000000002e
> > > R10: ffffffff8132b7ea R11: 000000000000003f R12: 0000000000035b40
> > > R13: ffff888039800088 R14: ffffc90002e6fc08 R15: 0000000000000200
> > > FS: 0000000000000000(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
> > > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > > CR2: 0000000000000008 CR3: 0000000011841000 CR4: 00000000001506e0
> > > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> > > DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> > >
> > >
> > > ---
> > > This report is generated by a bot. It may contain errors.
> > > See https://goo.gl/tpsmEJ for more information about syzbot.
> > > syzbot engineers can be reached at syzkaller@googlegroups.com.
> > >
> > > syzbot will keep track of this issue. See:
> > > https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> > > syzbot can test patches for this issue, for details see:
> > > https://goo.gl/tpsmEJ#testing-patches
* Re: BUG: unable to handle kernel NULL pointer dereference in call_rcu
From: syzbot @ 2021-02-24 12:58 UTC
To: adobriyan, akpm, andreyknvl, aryabinin, dvyukov, elver, glider, gustavoars, linux-kernel, longman, sfr, syzkaller-bugs, torvalds, vincenzo.frascino, vvs, walter-zh.wu

syzbot has bisected this issue to:

commit 97593cad003c668e2532cb2939a24a031f8de52d
Author: Andrey Konovalov <andreyknvl@google.com>
Date:   Tue Dec 22 20:03:28 2020 +0000

    kasan: sanitize objects when metadata doesn't fit

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=106689b6d00000
start commit:   614cb589 Merge tag 'acpi-5.11-rc1-2' of git://git.kernel.o..
git tree:       upstream
final oops:     https://syzkaller.appspot.com/x/report.txt?x=126689b6d00000
console output: https://syzkaller.appspot.com/x/log.txt?x=146689b6d00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=bf519e1e96191576
dashboard link: https://syzkaller.appspot.com/bug?extid=9d3ede723bdc58553f13
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=11830e93500000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=13d92057500000

Reported-by: syzbot+9d3ede723bdc58553f13@syzkaller.appspotmail.com
Fixes: 97593cad003c ("kasan: sanitize objects when metadata doesn't fit")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection
* Re: BUG: unable to handle kernel NULL pointer dereference in call_rcu
From: Andrey Konovalov @ 2021-02-24 15:11 UTC
To: syzbot
Cc: Alexey Dobriyan, Andrew Morton, Andrey Ryabinin, Dmitry Vyukov, Marco Elver, Alexander Potapenko, gustavoars, LKML, longman, Stephen Rothwell, syzkaller-bugs, Linus Torvalds, Vincenzo Frascino, Vasily Averin, Walter Wu

On Wed, Feb 24, 2021 at 1:58 PM syzbot <syzbot+9d3ede723bdc58553f13@syzkaller.appspotmail.com> wrote:
>
> syzbot has bisected this issue to:
>
> commit 97593cad003c668e2532cb2939a24a031f8de52d
> Author: Andrey Konovalov <andreyknvl@google.com>
> Date:   Tue Dec 22 20:03:28 2020 +0000
>
>     kasan: sanitize objects when metadata doesn't fit
>
> bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=106689b6d00000
> start commit:   614cb589 Merge tag 'acpi-5.11-rc1-2' of git://git.kernel.o..
> git tree:       upstream
> final oops:     https://syzkaller.appspot.com/x/report.txt?x=126689b6d00000
> console output: https://syzkaller.appspot.com/x/log.txt?x=146689b6d00000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=bf519e1e96191576
> dashboard link: https://syzkaller.appspot.com/bug?extid=9d3ede723bdc58553f13
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=11830e93500000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=13d92057500000
>
> Reported-by: syzbot+9d3ede723bdc58553f13@syzkaller.appspotmail.com
> Fixes: 97593cad003c ("kasan: sanitize objects when metadata doesn't fit")
>
> For information about bisection process see: https://goo.gl/tpsmEJ#bisection

#syz fix: kasan: fix null pointer dereference in kasan_record_aux_stack
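Added example, not from this thread and not code from the kernel tree: a user-space C model of the failure Dmitry diagnoses above (kasan_record_aux_stack() dereferencing the result of kasan_get_alloc_meta() without a NULL check) and of the early return that the fix title in Andrey's reply points to. Every name here (model_cache, model_get_alloc_meta, record_aux_stack_unchecked, record_aux_stack_checked, the NO_META_OFFSET sentinel, the handle values) is a constructed stand-in. It assumes, as Dmitry does, that the metadata lookup returns NULL for caches whose objects carry no allocation metadata, and it lays the modelled metadata out with an 8-byte allocation track ahead of aux_stack so that the unguarded read of aux_stack[0] through NULL lands at offset 8, the address the report shows in CR2.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for the allocation metadata: an 8-byte track record
 * followed by the two auxiliary stack handles, so aux_stack[0] is at offset 8. */
struct model_track { uint32_t pid; uint32_t stack; };
struct model_alloc_meta {
    struct model_track alloc_track;
    uint32_t aux_stack[2];      /* [0] = most recent handle, [1] = the one before */
};

#define OBJ_SIZE 64
#define NO_META_OFFSET SIZE_MAX /* sentinel: this cache carries no alloc metadata */

/* Constructed stand-in for a slab cache holding a single object; metadata,
 * when present, sits right after the object. */
struct model_cache {
    size_t alloc_meta_offset;   /* NO_META_OFFSET when metadata doesn't fit */
    unsigned char *slot;        /* OBJ_SIZE bytes, plus the metadata when present */
};

/* Hypothetical kasan_get_alloc_meta(): NULL when the cache has no metadata. */
static struct model_alloc_meta *model_get_alloc_meta(const struct model_cache *cache, void *object)
{
    if (cache->alloc_meta_offset == NO_META_OFFSET)
        return NULL;
    return (struct model_alloc_meta *)((unsigned char *)object + cache->alloc_meta_offset);
}

/* The shape Dmitry points at: the lookup result is used unconditionally.
 * On a cache without metadata this reads aux_stack[0] through a NULL pointer. */
static void record_aux_stack_unchecked(const struct model_cache *cache, void *object, uint32_t handle)
{
    struct model_alloc_meta *meta = model_get_alloc_meta(cache, object);
    meta->aux_stack[1] = meta->aux_stack[0];
    meta->aux_stack[0] = handle;
}

/* Guarded version: with no metadata there is nowhere to record, so return early. */
static bool record_aux_stack_checked(const struct model_cache *cache, void *object, uint32_t handle)
{
    struct model_alloc_meta *meta = model_get_alloc_meta(cache, object);
    if (!meta)
        return false;
    meta->aux_stack[1] = meta->aux_stack[0];
    meta->aux_stack[0] = handle;
    return true;
}

static struct model_cache make_cache(bool with_meta)
{
    struct model_cache c;
    c.alloc_meta_offset = with_meta ? OBJ_SIZE : NO_META_OFFSET;
    c.slot = calloc(1, OBJ_SIZE + (with_meta ? sizeof(struct model_alloc_meta) : 0));
    assert(c.slot);
    return c;
}

struct demo_result {
    int recorded;       /* how many of the two records landed */
    uint32_t stack0;    /* aux_stack contents afterwards (0 when there is no metadata) */
    uint32_t stack1;
};

/* Two consecutive records on one object through the guarded path, as two
 * call_rcu() calls on the same object would produce. Handles are constructed. */
static struct demo_result demo(bool with_meta)
{
    struct model_cache c = make_cache(with_meta);
    struct demo_result r = {0, 0, 0};
    void *obj = c.slot;

    r.recorded += record_aux_stack_checked(&c, obj, 0x1111);
    r.recorded += record_aux_stack_checked(&c, obj, 0x2222);

    struct model_alloc_meta *meta = model_get_alloc_meta(&c, obj);
    if (meta) {
        r.stack0 = meta->aux_stack[0];
        r.stack1 = meta->aux_stack[1];
    }
    free(c.slot);
    return r;
}

int main(void)
{
    struct demo_result with = demo(true), without = demo(false);
    printf("with metadata:    recorded=%d aux_stack={0x%x, 0x%x}\n", with.recorded, with.stack0, with.stack1);
    printf("without metadata: recorded=%d (guarded path returned early)\n", without.recorded);

    /* The unchecked variant is only safe on a cache that does have metadata. */
    struct model_cache c = make_cache(true);
    record_aux_stack_unchecked(&c, c.slot, 0x3333);
    free(c.slot);
    return 0;
}
```

The model keeps the lookup and the recording step separate on purpose: the sentinel offset is what the lookup turns into NULL, and the recorder is the only place that must honour it. Calling record_aux_stack_unchecked() on a cache built with make_cache(false) reproduces the same shape of fault the report shows, a read at offset 8 from a NULL base.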