==================================================================
kasan: CONFIG_KASAN_INLINE enabled
BUG: KASAN: stack-out-of-bounds in kernfs_refresh_inode+0x420/0x4c0 fs/kernfs/inode.c:186
Read of size 8 at addr ffff8801c64bd098 by task syz-executor4/27897
kasan: GPF could be caused by NULL-ptr deref or user memory access
CPU: 1 PID: 27897 Comm: syz-executor4 Not tainted 4.18.0-rc3+ #48
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
BUG: unable to handle kernel paging request at ffff8801b0f3b678
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
PGD b4e1067
P4D b4e1067
PUD 1b1a1b063
PMD 1c6637063
PTE 1ffff10038cc6f4b
print_address_description+0x6c/0x20b mm/kasan/report.c:256
Oops: 0009 [#1] SMP KASAN
CPU: 0 PID: 27894 Comm: syz-executor5 Not tainted 4.18.0-rc3+ #48
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
__asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
RIP: 0010:task_cpu include/linux/sched.h:1738 [inline]
RIP: 0010:task_node include/linux/sched/topology.h:224 [inline]
RIP: 0010:account_numa_enqueue kernel/sched/fair.c:1186 [inline]
RIP: 0010:account_entity_enqueue+0x2b9/0x700 kernel/sched/fair.c:2692
kernfs_refresh_inode+0x420/0x4c0 fs/kernfs/inode.c:186
Code: 3c 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 0f b6 14 02 84 d2 74 09 80 fa 03 0f 8e 9e 03 00 00 31 c0 49 8d 7c 24 bc <41> 83 bc 24 f8 10 00 00 ff 0f 95 c0 48 89 fa 01 c8 48 c1 ea 03 41
kernfs_iop_permission+0x70/0xb0 fs/kernfs/inode.c:302
do_inode_permission fs/namei.c:386 [inline]
inode_permission+0x35e/0x560 fs/namei.c:451
may_lookup fs/namei.c:1661 [inline]
link_path_walk+0xaca/0x1540 fs/namei.c:2041
path_lookupat.isra.45+0x253/0xbf0 fs/namei.c:2286
do_o_path fs/namei.c:3499 [inline]
path_openat+0x255b/0x4e10 fs/namei.c:3528
do_filp_open+0x255/0x380 fs/namei.c:3574
do_sys_open+0x584/0x760 fs/open.c:1101
RSP: 0018:ffff8801dae06f28 EFLAGS: 00010046
__do_sys_openat fs/open.c:1128 [inline]
__se_sys_openat fs/open.c:1122 [inline]
__x64_sys_openat+0x9d/0x100 fs/open.c:1122
RAX: 0000000000000000 RBX: ffff8801dae2ca80 RCX: 0000000000000000
do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8801b0f3a53c
RBP: ffff8801dae06fc8 R08: ffff8801dae06fa0 R09: 1ffff100361e74e5
R10: 00000000000000f5 R11: 0000000000000000 R12: ffff8801b0f3a580
R13: 1ffff1003b5c0de8 R14: ffff8801dae06fa0 R15: ffff8801dae2c9c0
FS: 00007fdfdf644700(0000) GS:ffff8801dae00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
entry_SYSCALL_64_after_hwframe+0x49/0xbe
CR2: ffff8801b0f3b678 CR3: 00000001ae91c000 CR4: 00000000001406f0
RIP: 0033:0x455ba9
DR0: 0000000000000000 DR1: 0000000000000000 DR2: ffffffffffffff00
Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
Call Trace:
<IRQ>
enqueue_entity+0x2af/0x2130 kernel/sched/fair.c:4217
enqueue_task_fair+0x22d/0x910 kernel/sched/fair.c:5408
enqueue_task kernel/sched/core.c:751 [inline]
activate_task+0x123/0x2e0 kernel/sched/core.c:770
ttwu_activate kernel/sched/core.c:1659 [inline]
ttwu_do_activate+0xd5/0x1f0 kernel/sched/core.c:1718
ttwu_queue kernel/sched/core.c:1863 [inline]
try_to_wake_up+0x948/0x12b0 kernel/sched/core.c:2076
default_wake_function+0x30/0x50 kernel/sched/core.c:3742
autoremove_wake_function+0x80/0x370 kernel/sched/wait.c:373
__wake_up_common+0x191/0x740 kernel/sched/wait.c:90
__wake_up_common_lock+0x1c2/0x330 kernel/sched/wait.c:119
RSP: 002b:00007f8ecfd51c68 EFLAGS: 00000246
__wake_up+0xe/0x10 kernel/sched/wait.c:143
ORIG_RAX: 0000000000000101
wake_up_klogd_work_func+0x9a/0xb0 kernel/printk/printk.c:2863
RAX: ffffffffffffffda RBX: 00007f8ecfd526d4 RCX: 0000000000455ba9
irq_work_run_list+0x1c0/0x290 kernel/irq_work.c:155
RDX: 0000000000200002 RSI: 0000000020000040 RDI: ffffffffffffff9c
RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000
irq_work_tick+0x15d/0x1e0 kernel/irq_work.c:181
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000004c048d R14: 00000000004cfde0 R15: 0000000000000000
Allocated by task 4474:
update_process_times+0x68/0x70 kernel/time/timer.c:1639
save_stack+0x43/0xd0 mm/kasan/kasan.c:448
tick_sched_handle+0x9f/0x180 kernel/time/tick-sched.c:164
set_track mm/kasan/kasan.c:460 [inline]
kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553
tick_sched_timer+0x45/0x130 kernel/time/tick-sched.c:1274
kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:490
__run_hrtimer kernel/time/hrtimer.c:1398 [inline]
__hrtimer_run_queues+0x3eb/0x10c0 kernel/time/hrtimer.c:1460
kmem_cache_alloc+0x12e/0x760 mm/slab.c:3554
kmem_cache_zalloc include/linux/slab.h:697 [inline]
__kernfs_new_node+0xef/0x5a0 fs/kernfs/dir.c:633
kernfs_create_root+0x248/0x4e0 fs/kernfs/dir.c:948
cgroup_setup_root+0x408/0xd90 kernel/cgroup/cgroup.c:1931
cgroup1_mount+0x842/0x1638 kernel/cgroup/cgroup-v1.c:1232
cgroup_mount+0x1f1/0xd30 kernel/cgroup/cgroup.c:2069
mount_fs+0xae/0x328 fs/super.c:1277
vfs_kern_mount.part.34+0xdc/0x4e0 fs/namespace.c:1037
vfs_kern_mount fs/namespace.c:1027 [inline]
do_new_mount fs/namespace.c:2518 [inline]
do_mount+0x581/0x30e0 fs/namespace.c:2848
ksys_mount+0x12d/0x140 fs/namespace.c:3064
__do_sys_mount fs/namespace.c:3078 [inline]
__se_sys_mount fs/namespace.c:3075 [inline]
__x64_sys_mount+0xbe/0x150 fs/namespace.c:3075
hrtimer_interrupt+0x2f3/0x750 kernel/time/hrtimer.c:1518
do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1025 [inline]
smp_apic_timer_interrupt+0x165/0x730 arch/x86/kernel/apic/apic.c:1050
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 0:
(stack is not available)
The buggy address belongs to the object at ffff8801c64bd000
which belongs to the cache kernfs_node_cache of size 160
The buggy address is located 152 bytes inside of
160-byte region [ffff8801c64bd000, ffff8801c64bd0a0)
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:863
The buggy address belongs to the page:
</IRQ>
page:ffffea0007192f40 count:1 mapcount:0 mapping:ffff8801da987640 index:0xffff8801c64bdfee
Modules linked in:
flags: 0x2fffc0000000100(slab)
Dumping ftrace buffer:
---------------------------------
raw: 02fffc0000000100 ffffea0006bf9bc8 ffffea0007139f48 ffff8801da987640
raw: ffff8801c64bdfee ffff8801c64bd000 0000000100000012 0000000000000000
page dumped because: kasan: bad access detected
syz-exec-15311 0...2 143233059us : 0: }D
Memory state around the buggy address:
---------------------------------
CR2: ffff8801b0f3b678
ffff8801c64bcf80: 00 00 f1 f1 f1 f1 00 f2 f2 f2 f2 f2 f2 f2 00 f2
---[ end trace e1bae6ae6cae2f4f ]---
ffff8801c64bd000: f2 f2 f2 f2 f2 f2 00 f2 f2 f2 f2 f2 f2 f2 f8 f2
RIP: 0010:task_cpu include/linux/sched.h:1738 [inline]
RIP: 0010:task_node include/linux/sched/topology.h:224 [inline]
RIP: 0010:account_numa_enqueue kernel/sched/fair.c:1186 [inline]
RIP: 0010:account_entity_enqueue+0x2b9/0x700 kernel/sched/fair.c:2692
>ffff8801c64bd080: f2 f2 f2 f2 f2 f2 00 f2 f2 f2 00 00 00 00 00 00
Code: 3c 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 0f b6 14 02 84 d2 74 09 80 fa 03 0f 8e 9e 03 00 00 31 c0 49 8d 7c 24 bc <41> 83 bc 24 f8 10 00 00 ff 0f 95 c0 48 89 fa 01 c8 48 c1 ea 03 41
                            ^
ffff8801c64bd100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1
ffff8801c64bd180: f1 f1 f1 00 f2 f2 f2 f2 f2 f2 f2 00 f2 f2 f2 f2
==================================================================
RSP: 0018:ffff8801dae06f28 EFLAGS: 00010046
RAX: 0000000000000000 RBX: ffff8801dae2ca80 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8801b0f3a53c
RBP: ffff8801dae06fc8 R08: ffff8801dae06fa0 R09: 1ffff100361e74e5
R10: 00000000000000f5 R11: 0000000000000000 R12: ffff8801b0f3a580
R13: 1ffff1003b5c0de8 R14: ffff8801dae06fa0 R15: ffff8801dae2c9c0
FS: 00007fdfdf644700(0000) GS:ffff8801dae00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff8801b0f3b678 CR3: 00000001ae91c000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: ffffffffffffff00
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600