linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: syzbot <syzbot+9bf843c33f782d73ae7d@syzkaller.appspotmail.com>
To: davem@davemloft.net, gregkh@linuxfoundation.org,
	herbert@gondor.apana.org.au, linux-crypto@vger.kernel.org,
	linux-kernel@vger.kernel.org, rafael@kernel.org,
	syzkaller-bugs@googlegroups.com
Subject: Re: BUG: sleeping function called from invalid context at mm/slab.h:LINE (4)
Date: Sat, 15 Dec 2018 10:43:03 -0800	[thread overview]
Message-ID: <000000000000fb268d057d13ea55@google.com> (raw)
In-Reply-To: <00000000000085c1ce05708f6724@google.com>

syzbot has found a reproducer for the following crash on:

HEAD commit:    d14b746c6c1c Add linux-next specific files for 20181214
git tree:       linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=129bc943400000
kernel config:  https://syzkaller.appspot.com/x/.config?x=1da6d2d18f803140
dashboard link: https://syzkaller.appspot.com/bug?extid=9bf843c33f782d73ae7d
compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=136154cd400000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1687bfa3400000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+9bf843c33f782d73ae7d@syzkaller.appspotmail.com

sshd (6035) used greatest stack depth: 15600 bytes left
BUG: sleeping function called from invalid context at mm/slab.h:421
in_atomic(): 1, irqs_disabled(): 0, pid: 6051, name: syz-executor515
1 lock held by syz-executor515/6051:
  #0: 000000002f6552ef (sk_lock-AF_ALG){+.+.}, at: lock_sock  
include/net/sock.h:1502 [inline]
  #0: 000000002f6552ef (sk_lock-AF_ALG){+.+.}, at:  
skcipher_recvmsg+0xbb/0x1420 crypto/algif_skcipher.c:163
Preemption disabled at:
[<ffffffff812e4ae6>] kernel_fpu_begin+0x16/0x260  
arch/x86/kernel/fpu/core.c:127
CPU: 0 PID: 6051 Comm: syz-executor515 Not tainted  
4.20.0-rc6-next-20181214+ #171
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011
Call Trace:
  __dump_stack lib/dump_stack.c:77 [inline]
  dump_stack+0x244/0x39d lib/dump_stack.c:113
  ___might_sleep.cold.86+0x221/0x254 kernel/sched/core.c:6148
  __might_sleep+0x95/0x190 kernel/sched/core.c:6101
  slab_pre_alloc_hook mm/slab.h:421 [inline]
  slab_alloc mm/slab.c:3365 [inline]
  __do_kmalloc mm/slab.c:3707 [inline]
  __kmalloc+0x2da/0x760 mm/slab.c:3718
  kmalloc include/linux/slab.h:550 [inline]
  kzalloc include/linux/slab.h:740 [inline]
  skcipher_next_slow crypto/skcipher.c:254 [inline]
  skcipher_walk_next+0x7f9/0x17f0 crypto/skcipher.c:358
  skcipher_walk_first+0xff/0x3a0 crypto/skcipher.c:441
  skcipher_walk_skcipher+0x541/0x700 crypto/skcipher.c:469
  skcipher_walk_virt+0x58/0xd0 crypto/skcipher.c:479
  chacha_simd_stream_xor+0xb3/0xa40 arch/x86/crypto/chacha_glue.c:141
  chacha_simd+0xd8/0x110 arch/x86/crypto/chacha_glue.c:179
  crypto_skcipher_decrypt include/crypto/skcipher.h:538 [inline]
  _skcipher_recvmsg crypto/algif_skcipher.c:146 [inline]
  skcipher_recvmsg+0xcc9/0x1420 crypto/algif_skcipher.c:165
  sock_recvmsg_nosec net/socket.c:795 [inline]
  sock_recvmsg+0xd0/0x110 net/socket.c:802
  ___sys_recvmsg+0x2b6/0x680 net/socket.c:2279
  do_recvmmsg+0x303/0xb90 net/socket.c:2392
  __sys_recvmmsg+0x265/0x2a0 net/socket.c:2471
  __do_sys_recvmmsg net/socket.c:2494 [inline]
  __se_sys_recvmmsg net/socket.c:2487 [inline]
  __x64_sys_recvmmsg+0xe6/0x140 net/socket.c:2487
  do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
  entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x440349
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7  
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff  
ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fff9312c608 EFLAGS: 00000203 ORIG_RAX: 000000000000012b
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440349
RDX: 0000000000000001 RSI: 000000002000a280 RDI: 0000000000000004
RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
R10: 0000000000000000 R11: 0000000000000203 R12: 00000000


  reply	other threads:[~2018-12-15 18:43 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-07-09 11:35 BUG: sleeping function called from invalid context at mm/slab.h:LINE (4) syzbot
2018-12-15 18:43 ` syzbot [this message]
2018-12-15 20:40   ` [PATCH] crypto: x86/chacha - avoid sleeping under kernel_fpu_begin() Eric Biggers
2018-12-23  4:03     ` Herbert Xu

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=000000000000fb268d057d13ea55@google.com \
    --to=syzbot+9bf843c33f782d73ae7d@syzkaller.appspotmail.com \
    --cc=davem@davemloft.net \
    --cc=gregkh@linuxfoundation.org \
    --cc=herbert@gondor.apana.org.au \
    --cc=linux-crypto@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=rafael@kernel.org \
    --cc=syzkaller-bugs@googlegroups.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).