* [syzbot] KASAN: slab-out-of-bounds Read in riscv_intc_irq
@ 2021-03-14 10:14 syzbot
  2021-03-14 10:47 ` Dmitry Vyukov
  0 siblings, 1 reply; 6+ messages in thread
From: syzbot @ 2021-03-14 10:14 UTC (permalink / raw)
  To: aou, linux-kernel, linux-riscv, maz, palmer, paul.walmsley,
	syzkaller-bugs, tglx

Hello,

syzbot found the following issue on:

HEAD commit:    0d7588ab riscv: process: Fix no prototype for arch_dup_tas..
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes
console output: https://syzkaller.appspot.com/x/log.txt?x=15a35756d00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=81c0b708b31626cc
dashboard link: https://syzkaller.appspot.com/bug?extid=005654dd9b8f26bd4c07
userspace arch: riscv64

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+005654dd9b8f26bd4c07@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: slab-out-of-bounds in riscv_intc_irq+0x24/0xcc drivers/irqchip/irq-riscv-intc.c:24
Read of size 8 at addr ffffffe00c963bd0 by task kworker/1:1/4388

CPU: 1 PID: 4388 Comm: kworker/1:1 Not tainted 5.12.0-rc2-syzkaller-00467-g0d7588ab9ef9 #0
Hardware name: riscv-virtio,qemu (DT)
Workqueue: events nsim_dev_trap_report_work
Call Trace:
[<ffffffe0000096c0>] walk_stackframe+0x0/0x23c arch/riscv/kernel/traps.c:201

Allocated by task 76347056:
(stack is not available)

Last potentially related work creation:


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.


* Re: [syzbot] KASAN: slab-out-of-bounds Read in riscv_intc_irq
  2021-03-14 10:14 [syzbot] KASAN: slab-out-of-bounds Read in riscv_intc_irq syzbot
@ 2021-03-14 10:47 ` Dmitry Vyukov
  2021-03-18 12:21   ` Kefeng Wang
  0 siblings, 1 reply; 6+ messages in thread
From: Dmitry Vyukov @ 2021-03-14 10:47 UTC (permalink / raw)
  To: syzbot
  Cc: Albert Ou, LKML, linux-riscv, Marc Zyngier, Palmer Dabbelt,
	Paul Walmsley, syzkaller-bugs, Thomas Gleixner

On Sun, Mar 14, 2021 at 11:14 AM syzbot
<syzbot+005654dd9b8f26bd4c07@syzkaller.appspotmail.com> wrote:
>
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit:    0d7588ab riscv: process: Fix no prototype for arch_dup_tas..
> git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes
> console output: https://syzkaller.appspot.com/x/log.txt?x=15a35756d00000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=81c0b708b31626cc
> dashboard link: https://syzkaller.appspot.com/bug?extid=005654dd9b8f26bd4c07
> userspace arch: riscv64
>
> Unfortunately, I don't have any reproducer for this issue yet.
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+005654dd9b8f26bd4c07@syzkaller.appspotmail.com
>
> ==================================================================
> BUG: KASAN: slab-out-of-bounds in riscv_intc_irq+0x24/0xcc drivers/irqchip/irq-riscv-intc.c:24
> Read of size 8 at addr ffffffe00c963bd0 by task kworker/1:1/4388
>
> CPU: 1 PID: 4388 Comm: kworker/1:1 Not tainted 5.12.0-rc2-syzkaller-00467-g0d7588ab9ef9 #0
> Hardware name: riscv-virtio,qemu (DT)
> Workqueue: events nsim_dev_trap_report_work
> Call Trace:
> [<ffffffe0000096c0>] walk_stackframe+0x0/0x23c arch/riscv/kernel/traps.c:201
>
> Allocated by task 76347056:
> (stack is not available)
>
> Last potentially related work creation:

There seems to be some issue with riscv stack unwinder.
This does not have stacks.
"BUG: unable to handle kernel access to user memory in schedule_tail"
does not have proper stacks:
https://syzkaller.appspot.com/bug?id=9de8c24d24004fd5e482555f5ad8314da2fb1cee

I also found 2 riscv reports in "KASAN: use-after-free Read in
idr_for_each (2)":
https://syzkaller.appspot.com/bug?id=7f84dfc3902878befc22e52eb5c7298d0ad70cf3

both don't have any stacks:

==================================================================
BUG: KASAN: use-after-free in radix_tree_next_slot include/linux/radix-tree.h:422 [inline]
BUG: KASAN: use-after-free in idr_for_each+0xf4/0x160 lib/idr.c:202
Read of size 8 at addr ffffffe010c00878 by task syz-executor.1/4828

CPU: 0 PID: 4828 Comm: syz-executor.1 Not tainted 5.12.0-rc2-syzkaller-00467-g0d7588ab9ef9 #0
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffe0000096c0>] walk_stackframe+0x0/0x23c arch/riscv/kernel/traps.c:201

Allocated by task 4828:
(stack is not available)

Freed by task 4473:
(stack is not available)



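A small triage helper, added here as an example and not part of the thread, that parses a KASAN report and flags the symptom Dmitry describes above: a call trace holding nothing but the unwinder's own walk_stackframe frame, and Allocated/Freed sections with no stack. The first sample is the riscv_intc_irq report from this thread; the second is a constructed report with made-up addresses and an assumed allocator frame to show the healthy case.

```python
import re

BUG_RE = re.compile(r"^BUG: KASAN: (?P<kind>[\w-]+) in (?P<where>.+)$")
FRAME_RE = re.compile(r"^\[<[0-9a-f]+>\] (?P<func>[\w.]+)")
SECTION_RE = re.compile(r"^(Allocated|Freed) by task (?P<task>\d+):$")

# Frames belonging to the unwinder itself; a trace made only of these
# says nothing about the faulting path.
UNWINDER_FRAMES = {"walk_stackframe", "dump_backtrace", "show_stack"}

# Report text as posted in this thread.
SAMPLE_RISCV = """BUG: KASAN: slab-out-of-bounds in riscv_intc_irq+0x24/0xcc drivers/irqchip/irq-riscv-intc.c:24
Read of size 8 at addr ffffffe00c963bd0 by task kworker/1:1/4388
Call Trace:
[<ffffffe0000096c0>] walk_stackframe+0x0/0x23c arch/riscv/kernel/traps.c:201

Allocated by task 76347056:
(stack is not available)
"""

# Constructed healthy report: addresses and the allocator frame are made up.
SAMPLE_OK = """BUG: KASAN: use-after-free in idr_for_each+0xf4/0x160 lib/idr.c:202
Read of size 8 at addr ffffffe010c00878 by task syz-executor.1/4828
Call Trace:
[<ffffffe0000096c0>] walk_stackframe+0x0/0x23c arch/riscv/kernel/traps.c:201
[<ffffffe000abcdef>] idr_for_each+0xf4/0x160 lib/idr.c:202

Allocated by task 4828:
[<ffffffe000123456>] kmalloc_trace+0x0/0x10 mm/slab_common.c:100
"""


def parse_kasan_report(text):
    """Return bug kind, top location, call-trace functions and, per
    Allocated/Freed section, the owning task and the frames found."""
    report = {"kind": None, "where": None, "trace": [], "sections": {}}
    section = None
    for line in text.splitlines():
        line = line.strip()
        m = BUG_RE.match(line)
        if m and report["kind"] is None:   # keep the first BUG: line only
            report["kind"], report["where"] = m.group("kind"), m.group("where")
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            report["sections"][section] = {"task": int(m.group("task")), "stack": []}
            continue
        m = FRAME_RE.match(line)
        if m:   # frames before any section belong to the main call trace
            dest = report["sections"][section]["stack"] if section else report["trace"]
            dest.append(m.group("func"))
    return report


def unwinder_looks_broken(report):
    """True when no frame outside the unwinder survived anywhere in the report."""
    frames = list(report["trace"])
    for sec in report["sections"].values():
        frames.extend(sec["stack"])
    return not any(f not in UNWINDER_FRAMES for f in frames)
```

Running unwinder_looks_broken over a batch of syzbot reports separates reports worth reading from ones that first need the unwinder fixed.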

* Re: [syzbot] KASAN: slab-out-of-bounds Read in riscv_intc_irq
  2021-03-14 10:47 ` Dmitry Vyukov
@ 2021-03-18 12:21   ` Kefeng Wang
  2021-03-18 14:11     ` Dmitry Vyukov
  0 siblings, 1 reply; 6+ messages in thread
From: Kefeng Wang @ 2021-03-18 12:21 UTC (permalink / raw)
  To: Dmitry Vyukov, syzbot
  Cc: Albert Ou, LKML, linux-riscv, Marc Zyngier, Palmer Dabbelt,
	Paul Walmsley, syzkaller-bugs, Thomas Gleixner


On 2021/3/14 18:47, Dmitry Vyukov wrote:
> On Sun, Mar 14, 2021 at 11:14 AM syzbot
> <syzbot+005654dd9b8f26bd4c07@syzkaller.appspotmail.com> wrote:
>> Hello,
>>
>> syzbot found the following issue on:
>>
>> HEAD commit:    0d7588ab riscv: process: Fix no prototype for arch_dup_tas..
>> git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes
>> console output: https://syzkaller.appspot.com/x/log.txt?x=15a35756d00000
>> kernel config:  https://syzkaller.appspot.com/x/.config?x=81c0b708b31626cc
>> dashboard link: https://syzkaller.appspot.com/bug?extid=005654dd9b8f26bd4c07
>> userspace arch: riscv64
>>
>> Unfortunately, I don't have any reproducer for this issue yet.
>>
>> IMPORTANT: if you fix the issue, please add the following tag to the commit:
>> Reported-by: syzbot+005654dd9b8f26bd4c07@syzkaller.appspotmail.com
>>
>> ==================================================================
>> BUG: KASAN: slab-out-of-bounds in riscv_intc_irq+0x24/0xcc drivers/irqchip/irq-riscv-intc.c:24
>> Read of size 8 at addr ffffffe00c963bd0 by task kworker/1:1/4388
>>
>> CPU: 1 PID: 4388 Comm: kworker/1:1 Not tainted 5.12.0-rc2-syzkaller-00467-g0d7588ab9ef9 #0
>> Hardware name: riscv-virtio,qemu (DT)
>> Workqueue: events nsim_dev_trap_report_work
>> Call Trace:
>> [<ffffffe0000096c0>] walk_stackframe+0x0/0x23c arch/riscv/kernel/traps.c:201
>>
>> Allocated by task 76347056:
>> (stack is not available)
>>
>> Last potentially related work creation:
> There seems to be some issue with riscv stack unwinder.
> This does not have stacks.

Hi, could you test with the following patch for the no-stack
issue (from v5.11-rc4)? I made a mistake when doing some cleanup...

https://lore.kernel.org/linux-riscv/ce5b3533-b75d-c31c-4319-9d29769bbbd5@huawei.com/T/#t

> "BUG: unable to handle kernel access to user memory in schedule_tail"
> does not have proper stacks:
> https://syzkaller.appspot.com/bug?id=9de8c24d24004fd5e482555f5ad8314da2fb1cee
>
> I also found 2 riscv reports in "KASAN: use-after-free Read in
> idr_for_each (2)":
> https://syzkaller.appspot.com/bug?id=7f84dfc3902878befc22e52eb5c7298d0ad70cf3
>
> both don't have any stacks:
>
> ==================================================================
> BUG: KASAN: use-after-free in radix_tree_next_slot
> include/linux/radix-tree.h:422 [inline]
> BUG: KASAN: use-after-free in idr_for_each+0xf4/0x160 lib/idr.c:202
> Read of size 8 at addr ffffffe010c00878 by task syz-executor.1/4828
>
> CPU: 0 PID: 4828 Comm: syz-executor.1 Not tainted
> 5.12.0-rc2-syzkaller-00467-g0d7588ab9ef9 #0
> Hardware name: riscv-virtio,qemu (DT)
> Call Trace:
> [<ffffffe0000096c0>] walk_stackframe+0x0/0x23c arch/riscv/kernel/traps.c:201
>
> Allocated by task 4828:
> (stack is not available)
>
> Freed by task 4473:
> (stack is not available)
>
>


* Re: [syzbot] KASAN: slab-out-of-bounds Read in riscv_intc_irq
  2021-03-18 12:21   ` Kefeng Wang
@ 2021-03-18 14:11     ` Dmitry Vyukov
  2021-03-18 14:49       ` Kefeng Wang
  0 siblings, 1 reply; 6+ messages in thread
From: Dmitry Vyukov @ 2021-03-18 14:11 UTC (permalink / raw)
  To: Kefeng Wang
  Cc: syzbot, Albert Ou, LKML, linux-riscv, Marc Zyngier,
	Palmer Dabbelt, Paul Walmsley, syzkaller-bugs, Thomas Gleixner

On Thu, Mar 18, 2021 at 1:21 PM Kefeng Wang <wangkefeng.wang@huawei.com> wrote:
> On 2021/3/14 18:47, Dmitry Vyukov wrote:
> > On Sun, Mar 14, 2021 at 11:14 AM syzbot
> > <syzbot+005654dd9b8f26bd4c07@syzkaller.appspotmail.com> wrote:
> >> Hello,
> >>
> >> syzbot found the following issue on:
> >>
> >> HEAD commit:    0d7588ab riscv: process: Fix no prototype for arch_dup_tas..
> >> git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes
> >> console output: https://syzkaller.appspot.com/x/log.txt?x=15a35756d00000
> >> kernel config:  https://syzkaller.appspot.com/x/.config?x=81c0b708b31626cc
> >> dashboard link: https://syzkaller.appspot.com/bug?extid=005654dd9b8f26bd4c07
> >> userspace arch: riscv64
> >>
> >> Unfortunately, I don't have any reproducer for this issue yet.
> >>
> >> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> >> Reported-by: syzbot+005654dd9b8f26bd4c07@syzkaller.appspotmail.com
> >>
> >> ==================================================================
> >> BUG: KASAN: slab-out-of-bounds in riscv_intc_irq+0x24/0xcc drivers/irqchip/irq-riscv-intc.c:24
> >> Read of size 8 at addr ffffffe00c963bd0 by task kworker/1:1/4388
> >>
> >> CPU: 1 PID: 4388 Comm: kworker/1:1 Not tainted 5.12.0-rc2-syzkaller-00467-g0d7588ab9ef9 #0
> >> Hardware name: riscv-virtio,qemu (DT)
> >> Workqueue: events nsim_dev_trap_report_work
> >> Call Trace:
> >> [<ffffffe0000096c0>] walk_stackframe+0x0/0x23c arch/riscv/kernel/traps.c:201
> >>
> >> Allocated by task 76347056:
> >> (stack is not available)
> >>
> >> Last potentially related work creation:
> > There seems to be some issue with riscv stack unwinder.
> > This does not have stacks.
>
> Hi, could you test with the following patch for the no-stack
> issue (from v5.11-rc4)? I made a mistake when doing some cleanup...
>
> https://lore.kernel.org/linux-riscv/ce5b3533-b75d-c31c-4319-9d29769bbbd5@huawei.com/T/#t

Hi Kefeng,

Please see:
http://bit.do/syzbot#no-custom-patches

Is a unit-test for this possible? Fuzzing is not a replacement for unit testing.

> > "BUG: unable to handle kernel access to user memory in schedule_tail"
> > does not have proper stacks:
> > https://syzkaller.appspot.com/bug?id=9de8c24d24004fd5e482555f5ad8314da2fb1cee
> >
> > I also found 2 riscv reports in "KASAN: use-after-free Read in
> > idr_for_each (2)":
> > https://syzkaller.appspot.com/bug?id=7f84dfc3902878befc22e52eb5c7298d0ad70cf3
> >
> > both don't have any stacks:
> >
> > ==================================================================
> > BUG: KASAN: use-after-free in radix_tree_next_slot
> > include/linux/radix-tree.h:422 [inline]
> > BUG: KASAN: use-after-free in idr_for_each+0xf4/0x160 lib/idr.c:202
> > Read of size 8 at addr ffffffe010c00878 by task syz-executor.1/4828
> >
> > CPU: 0 PID: 4828 Comm: syz-executor.1 Not tainted
> > 5.12.0-rc2-syzkaller-00467-g0d7588ab9ef9 #0
> > Hardware name: riscv-virtio,qemu (DT)
> > Call Trace:
> > [<ffffffe0000096c0>] walk_stackframe+0x0/0x23c arch/riscv/kernel/traps.c:201
> >
> > Allocated by task 4828:
> > (stack is not available)
> >
> > Freed by task 4473:
> > (stack is not available)
> >
> >


* Re: [syzbot] KASAN: slab-out-of-bounds Read in riscv_intc_irq
  2021-03-18 14:11     ` Dmitry Vyukov
@ 2021-03-18 14:49       ` Kefeng Wang
  2021-03-18 15:00         ` Dmitry Vyukov
  0 siblings, 1 reply; 6+ messages in thread
From: Kefeng Wang @ 2021-03-18 14:49 UTC (permalink / raw)
  To: Dmitry Vyukov
  Cc: syzbot, Albert Ou, LKML, linux-riscv, Marc Zyngier,
	Palmer Dabbelt, Paul Walmsley, syzkaller-bugs, Thomas Gleixner


On 2021/3/18 22:11, Dmitry Vyukov wrote:
> On Thu, Mar 18, 2021 at 1:21 PM Kefeng Wang <wangkefeng.wang@huawei.com> wrote:
>> On 2021/3/14 18:47, Dmitry Vyukov wrote:
>>> On Sun, Mar 14, 2021 at 11:14 AM syzbot
>>> <syzbot+005654dd9b8f26bd4c07@syzkaller.appspotmail.com> wrote:
>>>> Hello,
>>>>
>>>> syzbot found the following issue on:
>>>>
>>>> HEAD commit:    0d7588ab riscv: process: Fix no prototype for arch_dup_tas..
>>>> git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes
>>>> console output: https://syzkaller.appspot.com/x/log.txt?x=15a35756d00000
>>>> kernel config:  https://syzkaller.appspot.com/x/.config?x=81c0b708b31626cc
>>>> dashboard link: https://syzkaller.appspot.com/bug?extid=005654dd9b8f26bd4c07
>>>> userspace arch: riscv64
>>>>
>>>> Unfortunately, I don't have any reproducer for this issue yet.
>>>>
>>>> IMPORTANT: if you fix the issue, please add the following tag to the commit:
>>>> Reported-by: syzbot+005654dd9b8f26bd4c07@syzkaller.appspotmail.com
>>>>
>>>> ==================================================================
>>>> BUG: KASAN: slab-out-of-bounds in riscv_intc_irq+0x24/0xcc drivers/irqchip/irq-riscv-intc.c:24
>>>> Read of size 8 at addr ffffffe00c963bd0 by task kworker/1:1/4388
>>>>
>>>> CPU: 1 PID: 4388 Comm: kworker/1:1 Not tainted 5.12.0-rc2-syzkaller-00467-g0d7588ab9ef9 #0
>>>> Hardware name: riscv-virtio,qemu (DT)
>>>> Workqueue: events nsim_dev_trap_report_work
>>>> Call Trace:
>>>> [<ffffffe0000096c0>] walk_stackframe+0x0/0x23c arch/riscv/kernel/traps.c:201
>>>>
>>>> Allocated by task 76347056:
>>>> (stack is not available)
>>>>
>>>> Last potentially related work creation:
>>> There seems to be some issue with riscv stack unwinder.
>>> This does not have stacks.
>> Hi, could you test with the following patch for the no-stack
>> issue (from v5.11-rc4)? I made a mistake when doing some cleanup...
>>
>> https://lore.kernel.org/linux-riscv/ce5b3533-b75d-c31c-4319-9d29769bbbd5@huawei.com/T/#t
> Hi Kefeng,
>
> Please see:
> http://bit.do/syzbot#no-custom-patches
>
> Is a unit-test for this possible? Fuzzing is not a replacement for unit testing.

OK, I mean that the issue with the stack unwinder may be caused by my
previous patch;

if someone wants the stack back, they could try the bugfix.


* Re: [syzbot] KASAN: slab-out-of-bounds Read in riscv_intc_irq
  2021-03-18 14:49       ` Kefeng Wang
@ 2021-03-18 15:00         ` Dmitry Vyukov
  0 siblings, 0 replies; 6+ messages in thread
From: Dmitry Vyukov @ 2021-03-18 15:00 UTC (permalink / raw)
  To: Kefeng Wang
  Cc: syzbot, Albert Ou, LKML, linux-riscv, Marc Zyngier,
	Palmer Dabbelt, Paul Walmsley, syzkaller-bugs, Thomas Gleixner

On Thu, Mar 18, 2021 at 3:50 PM Kefeng Wang <wangkefeng.wang@huawei.com> wrote:
> >> On 2021/3/14 18:47, Dmitry Vyukov wrote:
> >>> On Sun, Mar 14, 2021 at 11:14 AM syzbot
> >>> <syzbot+005654dd9b8f26bd4c07@syzkaller.appspotmail.com> wrote:
> >>>> Hello,
> >>>>
> >>>> syzbot found the following issue on:
> >>>>
> >>>> HEAD commit:    0d7588ab riscv: process: Fix no prototype for arch_dup_tas..
> >>>> git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes
> >>>> console output: https://syzkaller.appspot.com/x/log.txt?x=15a35756d00000
> >>>> kernel config:  https://syzkaller.appspot.com/x/.config?x=81c0b708b31626cc
> >>>> dashboard link: https://syzkaller.appspot.com/bug?extid=005654dd9b8f26bd4c07
> >>>> userspace arch: riscv64
> >>>>
> >>>> Unfortunately, I don't have any reproducer for this issue yet.
> >>>>
> >>>> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> >>>> Reported-by: syzbot+005654dd9b8f26bd4c07@syzkaller.appspotmail.com
> >>>>
> >>>> ==================================================================
> >>>> BUG: KASAN: slab-out-of-bounds in riscv_intc_irq+0x24/0xcc drivers/irqchip/irq-riscv-intc.c:24
> >>>> Read of size 8 at addr ffffffe00c963bd0 by task kworker/1:1/4388
> >>>>
> >>>> CPU: 1 PID: 4388 Comm: kworker/1:1 Not tainted 5.12.0-rc2-syzkaller-00467-g0d7588ab9ef9 #0
> >>>> Hardware name: riscv-virtio,qemu (DT)
> >>>> Workqueue: events nsim_dev_trap_report_work
> >>>> Call Trace:
> >>>> [<ffffffe0000096c0>] walk_stackframe+0x0/0x23c arch/riscv/kernel/traps.c:201
> >>>>
> >>>> Allocated by task 76347056:
> >>>> (stack is not available)
> >>>>
> >>>> Last potentially related work creation:
> >>> There seems to be some issue with riscv stack unwinder.
> >>> This does not have stacks.
> >> Hi, could you test with the following patch for the no-stack
> >> issue (from v5.11-rc4)? I made a mistake when doing some cleanup...
> >>
> >> https://lore.kernel.org/linux-riscv/ce5b3533-b75d-c31c-4319-9d29769bbbd5@huawei.com/T/#t
> > Hi Kefeng,
> >
> > Please see:
> > http://bit.do/syzbot#no-custom-patches
> >
> > Is a unit-test for this possible? Fuzzing is not a replacement for unit testing.
>
> OK, I mean that the issue with the stack unwinder may be caused by my
> previous patch;
>
> if someone wants the stack back, they could try the bugfix.

Everybody wants the stack back!
Good, let's wait until it's merged, and then we will see stacks in all kernel
testing systems.


