* WARNING in handle_irq (3)
@ 2018-08-30 15:31 syzbot
2018-08-30 15:39 ` Dmitry Vyukov
0 siblings, 1 reply; 3+ messages in thread
From: syzbot @ 2018-08-30 15:31 UTC (permalink / raw)
To: gregkh, hpa, kstewart, linux-kernel, luto, mingo, nstange,
syzkaller-bugs, tglx, x86
Hello,
syzbot found the following crash on:
HEAD commit: 58c3f14f86c9 Merge tag 'riscv-for-linus-4.19-rc2' of git:/..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10be176a400000
kernel config: https://syzkaller.appspot.com/x/.config?x=531a917630d2a492
dashboard link: https://syzkaller.appspot.com/bug?extid=a58b558e3e62d0604e5c
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+a58b558e3e62d0604e5c@syzkaller.appspotmail.com
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending
cookies. Check SNMP counters.
------------[ cut here ]------------
do_IRQ(): syz-executor5 has overflown the kernel stack
(cur:ffff88018aec0000,sp:ffff88018aeb0e18,irq stk
top-bottom:ffff8801db000080-ffff8801db008000,exception stk
top-bottom:fffffe0000007080-fffffe0000011000,ip:lock_is_held_type+0x18b/0x210)
WARNING: CPU: 0 PID: 13805 at arch/x86/kernel/irq_64.c:64
stack_overflow_check arch/x86/kernel/irq_64.c:61 [inline]
WARNING: CPU: 0 PID: 13805 at arch/x86/kernel/irq_64.c:64
handle_irq+0x1fb/0x2e7 arch/x86/kernel/irq_64.c:73
Kernel panic - not syncing: panic_on_warn set ...
CPU: 0 PID: 13805 Comm: syz-executor5 Not tainted 4.19.0-rc1+ #215
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
panic+0x238/0x4e7 kernel/panic.c:184
__warn.cold.8+0x163/0x1ba kernel/panic.c:536
report_bug+0x252/0x2d0 lib/bug.c:186
fixup_bug arch/x86/kernel/traps.c:178 [inline]
do_error_trap+0x1fc/0x4d0 arch/x86/kernel/traps.c:296
do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:316
invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:993
RIP: 0010:stack_overflow_check arch/x86/kernel/irq_64.c:61 [inline]
RIP: 0010:handle_irq+0x1fb/0x2e7 arch/x86/kernel/irq_64.c:73
Code: 00 00 ff b6 80 00 00 00 48 c7 c7 80 ca 24 87 41 54 41 55 65 48 8b 04
25 40 ee 01 00 48 05 68 06 00 00 48 89 c6 e8 95 c4 1c 00 <0f> 0b 48 83 c4
18 e9 3f ff ff ff 48 89 75 e0 e8 c1 fe 90 00 48 8b
RSP: 0018:ffff8801db007f58 EFLAGS: 00010082
RAX: 0000000000000000 RBX: ffff8801cee0ad80 RCX: 0000000000000000
RDX: 0000000000010000 RSI: ffffffff8163ac01 RDI: 0000000000000001
RBP: ffff8801db007fb0 R08: ffff8801c9b4a700 R09: ffffed003b603eca
R10: ffffed003b603eca R11: ffff8801db01f657 R12: fffffe0000011000
R13: fffffe0000007080 R14: 000000000000002a R15: 0000000000000000
do_IRQ+0x80/0x1a0 arch/x86/kernel/irq.c:246
common_interrupt+0xf/0xf arch/x86/entry/entry_64.S:643
</IRQ>
Dumping ftrace buffer:
(ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
syzbot.
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: WARNING in handle_irq (3)
2018-08-30 15:31 WARNING in handle_irq (3) syzbot
@ 2018-08-30 15:39 ` Dmitry Vyukov
2018-08-30 23:05 ` John Fastabend
0 siblings, 1 reply; 3+ messages in thread
From: Dmitry Vyukov @ 2018-08-30 15:39 UTC (permalink / raw)
To: syzbot, netdev, Alexei Starovoitov, Daniel Borkmann
Cc: Greg Kroah-Hartman, H. Peter Anvin, Kate Stewart, LKML,
Andy Lutomirski, Ingo Molnar, nstange, syzkaller-bugs,
Thomas Gleixner, the arch/x86 maintainers
On Thu, Aug 30, 2018 at 8:31 AM, syzbot
<syzbot+a58b558e3e62d0604e5c@syzkaller.appspotmail.com> wrote:
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: 58c3f14f86c9 Merge tag 'riscv-for-linus-4.19-rc2' of git:/..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=10be176a400000
> kernel config: https://syzkaller.appspot.com/x/.config?x=531a917630d2a492
> dashboard link: https://syzkaller.appspot.com/bug?extid=a58b558e3e62d0604e5c
> compiler: gcc (GCC) 8.0.1 20180413 (experimental)
>
> Unfortunately, I don't have any reproducer for this crash yet.
+bpf maintainers
Looks suspiciously similar to:
https://groups.google.com/d/msg/syzkaller-bugs/4v7MtbIT1hY/A87hInzyAwAJ
Note this commit seems to already have "bpf, sockmap: fix
sock_hash_alloc and reject zero-sized keys ".
Tentative reproducer from the log is:
14:08:59 executing program 5:
socketpair(0x20000, 0x0, 0x0, &(0x7f0000000140))
r0 = socket$inet6_tcp(0xa, 0x1, 0x0)
r1 = socket$inet6_tcp(0xa, 0x1, 0x0)
bind$inet6(r1, &(0x7f00000000c0)={0xa, 0x4e22}, 0x1c)
listen(r1, 0x0)
sendto$inet6(r0, &(0x7f0000000140), 0x2d6, 0x20000004,
&(0x7f0000000080)={0xa, 0x100000004e22, 0x0, @loopback}, 0x1c)
setsockopt$inet6_tcp_TCP_ULP(r0, 0x6, 0x1f, &(0x7f0000000080)='tls\x00', 0x152)
r2 = bpf$MAP_CREATE(0x0, &(0x7f0000000280)={0xf, 0x4, 0x4, 0x70}, 0x2c)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000180)={r2, &(0x7f0000000000),
&(0x7f0000000140)}, 0x20)
Which does not create a 0-key map.
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+a58b558e3e62d0604e5c@syzkaller.appspotmail.com
>
> TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending
> cookies. Check SNMP counters.
> ------------[ cut here ]------------
> do_IRQ(): syz-executor5 has overflown the kernel stack
> (cur:ffff88018aec0000,sp:ffff88018aeb0e18,irq stk
> top-bottom:ffff8801db000080-ffff8801db008000,exception stk
> top-bottom:fffffe0000007080-fffffe0000011000,ip:lock_is_held_type+0x18b/0x210)
> WARNING: CPU: 0 PID: 13805 at arch/x86/kernel/irq_64.c:64
> stack_overflow_check arch/x86/kernel/irq_64.c:61 [inline]
> WARNING: CPU: 0 PID: 13805 at arch/x86/kernel/irq_64.c:64
> handle_irq+0x1fb/0x2e7 arch/x86/kernel/irq_64.c:73
> Kernel panic - not syncing: panic_on_warn set ...
>
> CPU: 0 PID: 13805 Comm: syz-executor5 Not tainted 4.19.0-rc1+ #215
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Call Trace:
> <IRQ>
> __dump_stack lib/dump_stack.c:77 [inline]
> dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
> panic+0x238/0x4e7 kernel/panic.c:184
> __warn.cold.8+0x163/0x1ba kernel/panic.c:536
> report_bug+0x252/0x2d0 lib/bug.c:186
> fixup_bug arch/x86/kernel/traps.c:178 [inline]
> do_error_trap+0x1fc/0x4d0 arch/x86/kernel/traps.c:296
> do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:316
> invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:993
> RIP: 0010:stack_overflow_check arch/x86/kernel/irq_64.c:61 [inline]
> RIP: 0010:handle_irq+0x1fb/0x2e7 arch/x86/kernel/irq_64.c:73
> Code: 00 00 ff b6 80 00 00 00 48 c7 c7 80 ca 24 87 41 54 41 55 65 48 8b 04
> 25 40 ee 01 00 48 05 68 06 00 00 48 89 c6 e8 95 c4 1c 00 <0f> 0b 48 83 c4 18
> e9 3f ff ff ff 48 89 75 e0 e8 c1 fe 90 00 48 8b
> RSP: 0018:ffff8801db007f58 EFLAGS: 00010082
> RAX: 0000000000000000 RBX: ffff8801cee0ad80 RCX: 0000000000000000
> RDX: 0000000000010000 RSI: ffffffff8163ac01 RDI: 0000000000000001
> RBP: ffff8801db007fb0 R08: ffff8801c9b4a700 R09: ffffed003b603eca
> R10: ffffed003b603eca R11: ffff8801db01f657 R12: fffffe0000011000
> R13: fffffe0000007080 R14: 000000000000002a R15: 0000000000000000
> do_IRQ+0x80/0x1a0 arch/x86/kernel/irq.c:246
> common_interrupt+0xf/0xf arch/x86/entry/entry_64.S:643
> </IRQ>
> Dumping ftrace buffer:
> (ftrace buffer empty)
> Kernel Offset: disabled
> Rebooting in 86400 seconds..
>
>
> ---
> This bug is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
>
> syzbot will keep track of this bug report. See:
> https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
> syzbot.
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: WARNING in handle_irq (3)
2018-08-30 15:39 ` Dmitry Vyukov
@ 2018-08-30 23:05 ` John Fastabend
0 siblings, 0 replies; 3+ messages in thread
From: John Fastabend @ 2018-08-30 23:05 UTC (permalink / raw)
To: Dmitry Vyukov, syzbot, netdev, Alexei Starovoitov, Daniel Borkmann
Cc: Greg Kroah-Hartman, H. Peter Anvin, Kate Stewart, LKML,
Andy Lutomirski, Ingo Molnar, nstange, syzkaller-bugs,
Thomas Gleixner, the arch/x86 maintainers
On 08/30/2018 08:39 AM, Dmitry Vyukov wrote:
> On Thu, Aug 30, 2018 at 8:31 AM, syzbot
> <syzbot+a58b558e3e62d0604e5c@syzkaller.appspotmail.com> wrote:
>> Hello,
>>
>> syzbot found the following crash on:
>>
>> HEAD commit: 58c3f14f86c9 Merge tag 'riscv-for-linus-4.19-rc2' of git:/..
>> git tree: upstream
>> console output: https://syzkaller.appspot.com/x/log.txt?x=10be176a400000
>> kernel config: https://syzkaller.appspot.com/x/.config?x=531a917630d2a492
>> dashboard link: https://syzkaller.appspot.com/bug?extid=a58b558e3e62d0604e5c
>> compiler: gcc (GCC) 8.0.1 20180413 (experimental)
>>
>> Unfortunately, I don't have any reproducer for this crash yet.
>
> +bpf maintainers
>
> Looks suspiciously similar to:
> https://groups.google.com/d/msg/syzkaller-bugs/4v7MtbIT1hY/A87hInzyAwAJ
>
> Note this commit seems to already have "bpf, sockmap: fix
> sock_hash_alloc and reject zero-sized keys ".
>
> Tentative reproducer from the log is:
>
> 14:08:59 executing program 5:
> socketpair(0x20000, 0x0, 0x0, &(0x7f0000000140))
> r0 = socket$inet6_tcp(0xa, 0x1, 0x0)
> r1 = socket$inet6_tcp(0xa, 0x1, 0x0)
> bind$inet6(r1, &(0x7f00000000c0)={0xa, 0x4e22}, 0x1c)
> listen(r1, 0x0)
> sendto$inet6(r0, &(0x7f0000000140), 0x2d6, 0x20000004,
> &(0x7f0000000080)={0xa, 0x100000004e22, 0x0, @loopback}, 0x1c)
> setsockopt$inet6_tcp_TCP_ULP(r0, 0x6, 0x1f, &(0x7f0000000080)='tls\x00', 0x152)
> r2 = bpf$MAP_CREATE(0x0, &(0x7f0000000280)={0xf, 0x4, 0x4, 0x70}, 0x2c)
> bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000180)={r2, &(0x7f0000000000),
> &(0x7f0000000140)}, 0x20)
>
> Which does not create a 0-key map.
>
>
Hi Dmitry,
Testing a fix for this now, we have an error path that can
call module_put and/or null the ulp ops erroneously. Should
have something out later tonight or worst case early tomorrow.
Thanks for the snippet.
Thanks,
John
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2018-08-30 23:06 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-08-30 15:31 WARNING in handle_irq (3) syzbot
2018-08-30 15:39 ` Dmitry Vyukov
2018-08-30 23:05 ` John Fastabend
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).