syzbot

 sign-in | mailing list | source | docs
🐞 Open [1158] 🐞 Fixed [4320] 🐞 Invalid [9657] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes

kernel BUG at mm/slab.c:LINE! (3)

Status: fixed on 2019/03/21 17:09
Reported-by: syzbot+2182db487a523d86bf34@syzkaller.appspotmail.com
Fix commit: bc6e019b6ee6 fou: Prevent unbounded recursion in GUE error handler also with UDP-Lite
First crash: 1542d, last: 1415d

Cause bisection: introduced by (bisect log) :
commit b8a51b38e4d4dec3e379d52c0fe1a66827f7cf1e
Author: Stefano Brivio <sbrivio@redhat.com>
Date: Thu Nov 8 11:19:23 2018 +0000

  fou, fou6: ICMP error handlers for FoU and GUE

Crash: BUG: unable to handle kernel paging request in corrupted (log)
Repro: C syz .config
similar bugs (4):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream kernel BUG at mm/slab.c:LINE! (4) 12 1341d 1409d 13/24 fixed on 2019/06/14 18:22
upstream kernel BUG at mm/slab.c:LINE! (2) C 701 1655d 1670d 9/24 fixed on 2018/08/07 13:43
upstream kernel BUG at mm/slab.c:LINE! C 860 1975d 1979d 3/24 fixed on 2017/10/24 06:54
linux-4.14 kernel BUG at mm/slab.c:LINE! C inconclusive 23 652d 1278d 0/1 upstream: reported C repro on 2019/08/04 15:26

Sample crash report:
8021q: adding VLAN 0 to HW filter on device team0
8021q: adding VLAN 0 to HW filter on device team0
------------[ cut here ]------------
DEBUG_LOCKS_WARN_ON(depth >= MAX_LOCK_DEPTH)
------------[ cut here ]------------
kernel BUG at mm/slab.c:4425!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: -642842048 Comm: ksoftirqd/0 Not tainted 4.20.0-rc6+ #342
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__check_heap_object+0xa7/0xb5 mm/slab.c:4450
Code: 48 c7 c7 7d 01 15 89 e8 f7 e1 0a 00 5d c3 41 8b 91 04 01 00 00 48 29 c7 48 39 d7 77 be 48 01 d0 48 29 c8 48 39 f0 72 b3 5d c3 <0f> 0b 48 c7 c7 7d 01 15 89 e8 5d ea 0a 00 44 89 e9 48 c7 c7 38 02
RSP: 0018:ffff8881d9af0030 EFLAGS: 00010093
RAX: 00000000000a57eb RBX: 1ffff1103b35e00d RCX: 000000000000000c
RDX: ffff8881d9af0240 RSI: 0000000000000002 RDI: ffff8881d9af01d8
RBP: ffff8881d9af0030 R08: ffff8881d9af0240 R09: ffff8881da970180
R10: 000000004afd69e7 R11: 0000000000000000 R12: ffff8881d9af01d8
R13: 0000000000000002 R14: ffffea000766bc00 R15: 0000000000000001
FS:  0000000000000000(0000) GS:ffff8881dae00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000068 CR3: 00000001b5d1f000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
Modules linked in:
---[ end trace 114b0f862f7337d5 ]---
RIP: 0010:__check_heap_object+0xa7/0xb5 mm/slab.c:4450
Code: 48 c7 c7 7d 01 15 89 e8 f7 e1 0a 00 5d c3 41 8b 91 04 01 00 00 48 29 c7 48 39 d7 77 be 48 01 d0 48 29 c8 48 39 f0 72 b3 5d c3 <0f> 0b 48 c7 c7 7d 01 15 89 e8 5d ea 0a 00 44 89 e9 48 c7 c7 38 02
RSP: 0018:ffff8881d9af0030 EFLAGS: 00010093
RAX: 00000000000a57eb RBX: 1ffff1103b35e00d RCX: 000000000000000c
RDX: ffff8881d9af0240 RSI: 0000000000000002 RDI: ffff8881d9af01d8
RBP: ffff8881d9af0030 R08: ffff8881d9af0240 R09: ffff8881da970180
R10: 000000004afd69e7 R11: 0000000000000000 R12: ffff8881d9af01d8
R13: 0000000000000002 R14: ffffea000766bc00 R15: 0000000000000001
FS:  0000000000000000(0000) GS:ffff8881dae00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000068 CR3: 00000001b5d1f000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Crashes (14):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Title
ci-upstream-net-kasan-gce 2018/12/13 16:33 net-next 95302c394c3d f3d9d594 .config console log report syz C
ci-upstream-net-kasan-gce 2018/12/04 21:28 net-next d9bbd6a1a56e 6ad0ae61 .config console log report syz C
ci-upstream-net-kasan-gce 2018/11/15 04:25 net-next 15cef30974c5 5f5f6d14 .config console log report syz C
ci-upstream-net-kasan-gce 2018/11/14 02:18 net-next 3e536cff3424 5f5f6d14 .config console log report syz C
ci-upstream-net-kasan-gce 2018/11/14 01:54 net-next 3e536cff3424 5f5f6d14 .config console log report syz C
ci-upstream-kasan-gce 2019/02/27 11:11 upstream 7d762d69145a 083cfd0e .config console log report
ci-upstream-net-this-kasan-gce 2019/02/08 07:52 net ec7fd009e87c aa4feb03 .config console log report
ci-upstream-net-kasan-gce 2019/03/21 11:45 net-next a534ea30e70f 427ea487 .config console log report
ci-upstream-net-kasan-gce 2019/03/18 18:45 net-next 3b319ee220a8 4656beca .config console log report
ci-upstream-net-kasan-gce 2019/03/16 06:27 net-next 3b319ee220a8 bab43553 .config console log report
ci-upstream-net-kasan-gce 2019/03/04 01:48 net-next 41bc0ddb80e0 1c0e457a .config console log report
ci-upstream-net-kasan-gce 2019/02/26 15:58 net-next c14f7e1efcbf a36ecd98 .config console log report
ci-upstream-net-kasan-gce 2019/02/25 04:40 net-next 45c0e7b25ab2 7a06e792 .config console log report
ci-upstream-net-kasan-gce 2019/02/05 01:36 net-next cc7335786f72 d672172c .config console log report
* Struck through repros no longer work on HEAD.