syzbot


KASAN: stack-out-of-bounds Read in csd_lock_record

Status: fixed on 2020/11/16 12:12
Subsystems: kernel
Reported-by: syzbot+0f719294463916a3fc0e@syzkaller.appspotmail.com
Fix commit: 35feb60474bf kernel/smp: Provide CSD lock timeout diagnostics
First crash: 1439d, last: 1434d
Duplicate bugs (3)
Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
KASAN: stack-out-of-bounds Read in smp_call_function_single kernel 1 1435d 1435d 0/28 closed as dup on 2020/07/08 07:31
KASAN: vmalloc-out-of-bounds Read in csd_lock_record kernel 1 1436d 1436d 0/28 closed as dup on 2020/07/07 07:10
KASAN: out-of-bounds Read in csd_lock_record kernel C 306 1434d 1439d 0/28 closed as dup on 2020/07/07 07:10
Discussions (4)
Title Replies (including bot) Last reply
KASAN: stack-out-of-bounds Read in csd_lock_record 7 (9) 2020/10/09 06:35
[PATCH tip/core/rcu 0/4] Add smp_call_function() debugging for v5.10 10 (10) 2020/09/04 18:09
[PATCH smp 0/2] Provide CSD lock timeout diagnostics 13 (13) 2020/07/27 23:55
[kernel/smp] 5408b78b7a: BUG:KASAN:out-of-bounds_in_c 4 (4) 2020/07/06 23:12

Sample crash report:
==================================================================
BUG: KASAN: stack-out-of-bounds in csd_lock_record+0xd2/0xe0 kernel/smp.c:119
Read of size 8 at addr ffffc900021f7ad8 by task syz-executor259/6813

CPU: 1 PID: 6813 Comm: syz-executor259 Not tainted 5.8.0-rc3-next-20200703-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x18f/0x20d lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0x5/0x436 mm/kasan/report.c:383
 __kasan_report mm/kasan/report.c:513 [inline]
 kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
 csd_lock_record+0xd2/0xe0 kernel/smp.c:119
 flush_smp_call_function_queue+0x285/0x730 kernel/smp.c:391
 __sysvec_call_function_single+0x98/0x490 arch/x86/kernel/smp.c:248
 asm_call_on_stack+0xf/0x20 arch/x86/entry/entry_64.S:706
 </IRQ>
 __run_on_irqstack arch/x86/include/asm/irq_stack.h:22 [inline]
 run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:48 [inline]
 sysvec_call_function_single+0xe0/0x120 arch/x86/kernel/smp.c:243
 asm_sysvec_call_function_single+0x12/0x20 arch/x86/include/asm/idtentry.h:604
RIP: 0010:__free_object+0x0/0xdd0 lib/debugobjects.c:342
Code: 78 16 fe e9 4f fd ff ff 48 c7 c7 00 ff b4 89 e8 86 77 16 fe e9 5c fe ff ff 48 c7 c7 00 ff b4 89 e8 75 77 16 fe e9 da fc ff ff <48> ba 00 00 00 00 00 fc ff df 41 57 41 56 41 55 41 54 55 53 48 81
RSP: 0018:ffffc90001657d60 EFLAGS: 00000286
RAX: 0000000080000000 RBX: ffff88808ff1e348 RCX: 0000000000000000
RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff8880a7906f18
RBP: ffff8880a7906f18 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: ffffffff8cb44cf8
R13: ffffffff89bd2c80 R14: ffffc90001657de0 R15: ffffffff8cb44d00
 free_object lib/debugobjects.c:429 [inline]
 debug_object_free lib/debugobjects.c:828 [inline]
 debug_object_free+0x1c8/0x350 lib/debugobjects.c:800
 destroy_hrtimer_on_stack kernel/time/hrtimer.c:453 [inline]
 hrtimer_nanosleep+0x228/0x430 kernel/time/hrtimer.c:1947
 __do_sys_nanosleep kernel/time/hrtimer.c:1966 [inline]
 __se_sys_nanosleep kernel/time/hrtimer.c:1953 [inline]
 __x64_sys_nanosleep+0x1dc/0x260 kernel/time/hrtimer.c:1953
 do_syscall_64+0x60/0xe0 arch/x86/entry/common.c:367
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x44e130
Code: Bad RIP value.
RSP: 002b:00007fff66af1958 EFLAGS: 00000246 ORIG_RAX: 0000000000000023
RAX: ffffffffffffffda RBX: 0000000000190195 RCX: 000000000044e130
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00007fff66af1960
RBP: 00000000000023e4 R08: 0000000000000001 R09: 0000000001c64940
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000dec
R13: 000000000040c8a0 R14: 0000000000000000 R15: 0000000000000000


Memory state around the buggy address:
 ffffc900021f7980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffc900021f7a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffc900021f7a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                    ^
 ffffc900021f7b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffc900021f7b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================

Crashes (226):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2020/07/08 17:54 linux-next 9e50b94b3eb0 51095195 .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2020/07/07 01:27 linux-next 9e50b94b3eb0 51095195 .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2020/07/06 11:44 linux-next 9e50b94b3eb0 51095195 .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2020/07/06 01:22 linux-next 9e50b94b3eb0 51095195 .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2020/07/04 12:55 linux-next 9e50b94b3eb0 51095195 .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2020/07/04 00:47 linux-next 9e50b94b3eb0 51095195 .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2020/07/05 14:21 linux-next 9e50b94b3eb0 51095195 .config console log report syz ci-upstream-linux-next-kasan-gce-root
2020/07/05 12:23 linux-next 9e50b94b3eb0 51095195 .config console log report syz ci-upstream-linux-next-kasan-gce-root
2020/07/05 02:08 linux-next 9e50b94b3eb0 51095195 .config console log report syz ci-upstream-linux-next-kasan-gce-root
2020/07/04 11:09 linux-next 9e50b94b3eb0 51095195 .config console log report syz ci-upstream-linux-next-kasan-gce-root
2020/07/03 23:03 linux-next 9e50b94b3eb0 51095195 .config console log report syz ci-upstream-linux-next-kasan-gce-root
2020/07/08 19:20 linux-next 9e50b94b3eb0 51095195 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/08 17:49 linux-next 9e50b94b3eb0 51095195 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/08 16:30 linux-next 9e50b94b3eb0 51095195 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/08 16:04 linux-next 9e50b94b3eb0 51095195 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/08 11:35 linux-next 9e50b94b3eb0 51095195 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/08 10:32 linux-next 9e50b94b3eb0 51095195 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/08 09:16 linux-next 9e50b94b3eb0 51095195 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/08 07:19 linux-next 9e50b94b3eb0 51095195 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/08 04:22 linux-next 9e50b94b3eb0 51095195 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/08 03:19 linux-next 9e50b94b3eb0 51095195 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/08 02:03 linux-next 9e50b94b3eb0 51095195 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/08 01:55 linux-next 9e50b94b3eb0 51095195 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/08 00:41 linux-next 9e50b94b3eb0 51095195 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/07 23:11 linux-next 9e50b94b3eb0 51095195 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/07 21:19 linux-next 9e50b94b3eb0 51095195 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/07 20:01 linux-next 9e50b94b3eb0 51095195 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/07 19:00 linux-next 9e50b94b3eb0 51095195 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/07 17:54 linux-next 9e50b94b3eb0 51095195 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/07 16:59 linux-next 9e50b94b3eb0 51095195 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/07 15:44 linux-next 9e50b94b3eb0 51095195 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/07 14:34 linux-next 9e50b94b3eb0 51095195 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/07 13:33 linux-next 9e50b94b3eb0 51095195 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/07 10:36 linux-next 9e50b94b3eb0 51095195 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/07 06:04 linux-next 9e50b94b3eb0 51095195 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/07 02:30 linux-next 9e50b94b3eb0 51095195 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/07 00:40 linux-next 9e50b94b3eb0 51095195 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/06 22:46 linux-next 9e50b94b3eb0 51095195 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/06 21:06 linux-next 9e50b94b3eb0 51095195 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/06 19:43 linux-next 9e50b94b3eb0 51095195 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/06 16:33 linux-next 9e50b94b3eb0 51095195 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/06 15:15 linux-next 9e50b94b3eb0 51095195 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/06 14:15 linux-next 9e50b94b3eb0 51095195 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/06 13:08 linux-next 9e50b94b3eb0 51095195 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/06 10:50 linux-next 9e50b94b3eb0 51095195 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/06 08:53 linux-next 9e50b94b3eb0 51095195 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/06 07:20 linux-next 9e50b94b3eb0 51095195 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/06 06:11 linux-next 9e50b94b3eb0 51095195 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/06 05:08 linux-next 9e50b94b3eb0 51095195 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/06 04:55 linux-next 9e50b94b3eb0 51095195 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/06 02:31 linux-next 9e50b94b3eb0 51095195 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/06 01:22 linux-next 9e50b94b3eb0 51095195 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/05 23:30 linux-next 9e50b94b3eb0 51095195 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/05 21:46 linux-next 9e50b94b3eb0 51095195 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/03 21:25 linux-next 9e50b94b3eb0 51095195 .config console log report ci-upstream-linux-next-kasan-gce-root
* Struck through repros no longer work on HEAD.