| Title | Replies (including bot) | Last reply |
|---|---|---|
| [syzbot] [bpf?] KASAN: stack-out-of-bounds Read in hash | 3 (4) | 2024/04/08 01:11 |
syzbot |
sign-in | mailing list | source | docs |
| 🐞 Open [1006] ≡ Subsystems 🐞 Fixed [5246] 🐞 Invalid [12543] ⬇ Missing Backports [83] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes | 💬 Send us feedback |
| Title | Replies (including bot) | Last reply |
|---|---|---|
| [syzbot] [bpf?] KASAN: stack-out-of-bounds Read in hash | 3 (4) | 2024/04/08 01:11 |
| Created | Duration | User | Patch | Repo | Result |
|---|---|---|---|---|---|
| 2024/04/28 17:53 | 22m | retest repro | bpf-next | error OK | |
| 2024/04/02 18:04 | 47m | zokeefe@google.com | https://prodkernel.git.corp.google.com/kernel/release/11xx next | error OK |
================================================================== BUG: KASAN: stack-out-of-bounds in jhash2 include/linux/jhash.h:128 [inline] BUG: KASAN: stack-out-of-bounds in hash+0x1bf/0x410 kernel/bpf/bloom_filter.c:29 Read of size 4 at addr ffffc900039f7c00 by task syz-executor297/5079 CPU: 0 PID: 5079 Comm: syz-executor297 Not tainted 6.8.0-syzkaller-05236-g443574b03387 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x1e7/0x2e0 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 jhash2 include/linux/jhash.h:128 [inline] hash+0x1bf/0x410 kernel/bpf/bloom_filter.c:29 bloom_map_peek_elem+0xb2/0x1b0 kernel/bpf/bloom_filter.c:43 bpf_prog_00798911c748094f+0x42/0x46 bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline] __bpf_prog_run include/linux/filter.h:657 [inline] bpf_prog_run include/linux/filter.h:664 [inline] __bpf_trace_run kernel/trace/bpf_trace.c:2381 [inline] bpf_trace_run2+0x204/0x420 kernel/trace/bpf_trace.c:2420 __traceiter_ext4_drop_inode+0x76/0xd0 include/trace/events/ext4.h:265 trace_ext4_drop_inode include/trace/events/ext4.h:265 [inline] ext4_drop_inode+0x20a/0x270 fs/ext4/super.c:1450 iput_final fs/inode.c:1711 [inline] iput+0x45e/0x900 fs/inode.c:1767 d_delete_notify include/linux/fsnotify.h:301 [inline] vfs_rmdir+0x38f/0x4c0 fs/namei.c:4220 do_rmdir+0x3b5/0x580 fs/namei.c:4266 __do_sys_rmdir fs/namei.c:4285 [inline] __se_sys_rmdir fs/namei.c:4283 [inline] __x64_sys_rmdir+0x49/0x60 fs/namei.c:4283 do_syscall_64+0xfb/0x240 entry_SYSCALL_64_after_hwframe+0x6d/0x75 RIP: 0033:0x7fd25730cfb7 Code: 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 54 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fff78ca7198 EFLAGS: 00000207 ORIG_RAX: 0000000000000054 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fd25730cfb7 RDX: fffffffffffff000 RSI: 0000000000000000 RDI: 00007fff78ca82c0 RBP: 0000000000000065 R08: 0000555571b9a73b R09: 0000000000000000 R10: 0000000000000100 R11: 0000000000000207 R12: 00007fff78ca82c0 R13: 0000555571b9a6c0 R14: 00007fff78ca82c0 R15: 0000000000000001 </TASK> The buggy address belongs to stack of task syz-executor297/5079 and is located at offset 0 in frame: bpf_trace_run2+0x0/0x420 This frame has 1 object: [32, 48) 'args' The buggy address belongs to the virtual mapping at [ffffc900039f0000, ffffc900039f9000) created by: copy_process+0x5d1/0x3df0 kernel/fork.c:2219 The buggy address belongs to the physical page: page:ffffea00007f36c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1fcdb flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) page_type: 0xffffffff() raw: 00fff00000000000 0000000000000000 dead000000000122 0000000000000000 raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2dc2(GFP_KERNEL|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_ZERO), pid 5077, tgid 5077 (syz-executor297), ts 73887639293, free_ts 73091924927 set_page_owner include/linux/page_owner.h:31 [inline] post_alloc_hook+0x1ea/0x210 mm/page_alloc.c:1533 prep_new_page mm/page_alloc.c:1540 [inline] get_page_from_freelist+0x33ea/0x3580 mm/page_alloc.c:3311 __alloc_pages+0x256/0x680 mm/page_alloc.c:4569 alloc_pages_mpol+0x3de/0x650 mm/mempolicy.c:2133 vm_area_alloc_pages mm/vmalloc.c:3135 [inline] __vmalloc_area_node mm/vmalloc.c:3211 [inline] __vmalloc_node_range+0x9a4/0x14a0 mm/vmalloc.c:3392 alloc_thread_stack_node kernel/fork.c:309 [inline] dup_task_struct+0x3e9/0x7d0 kernel/fork.c:1114 copy_process+0x5d1/0x3df0 kernel/fork.c:2219 kernel_clone+0x21e/0x8d0 kernel/fork.c:2796 __do_sys_clone kernel/fork.c:2939 [inline] __se_sys_clone kernel/fork.c:2923 [inline] __x64_sys_clone+0x258/0x2a0 kernel/fork.c:2923 do_syscall_64+0xfb/0x240 entry_SYSCALL_64_after_hwframe+0x6d/0x75 page last free pid 5072 tgid 5072 stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1140 [inline] free_unref_page_prepare+0x968/0xa90 mm/page_alloc.c:2346 free_unref_page+0x37/0x3f0 mm/page_alloc.c:2486 mm_free_pgd kernel/fork.c:803 [inline] __mmdrop+0xb9/0x3d0 kernel/fork.c:919 exec_mmap+0x69d/0x730 fs/exec.c:1051 begin_new_exec+0x119b/0x1ce0 fs/exec.c:1309 load_elf_binary+0x961/0x2590 fs/binfmt_elf.c:996 search_binary_handler fs/exec.c:1777 [inline] exec_binprm fs/exec.c:1819 [inline] bprm_execve+0xaf8/0x1790 fs/exec.c:1871 do_execveat_common+0x553/0x700 fs/exec.c:1978 do_execve fs/exec.c:2052 [inline] __do_sys_execve fs/exec.c:2128 [inline] __se_sys_execve fs/exec.c:2123 [inline] __x64_sys_execve+0x92/0xb0 fs/exec.c:2123 do_syscall_64+0xfb/0x240 entry_SYSCALL_64_after_hwframe+0x6d/0x75 Memory state around the buggy address: ffffc900039f7b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffffc900039f7b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffffc900039f7c00: f1 f1 f1 f1 00 00 f3 f3 00 00 00 00 00 00 00 00 ^ ffffc900039f7c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffffc900039f7d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ==================================================================
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets (help?) | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2024/04/02 14:54 | bpf | 443574b03387 | 6baf5069 | .config | strace log | report | syz | C | [disk image] [vmlinux] [kernel image] | ci-upstream-bpf-kasan-gce | KASAN: stack-out-of-bounds Read in hash | |
| 2024/04/02 14:55 | net | f99c5f563c17 | 6baf5069 | .config | console log | report | syz | C | [disk image] [vmlinux] [kernel image] | ci-upstream-net-this-kasan-gce | BUG: unable to handle kernel paging request in hash | |
| 2024/04/02 14:20 | bpf-next | 14bb1e8c8d4a | 6baf5069 | .config | strace log | report | syz | C | [disk image] [vmlinux] [kernel image] | ci-upstream-bpf-next-kasan-gce | BUG: unable to handle kernel paging request in hash | |
| 2024/04/13 18:07 | bpf | 443574b03387 | c8349e48 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-bpf-kasan-gce | KASAN: stack-out-of-bounds Read in hash | ||
| 2024/04/02 13:42 | bpf-next | 14bb1e8c8d4a | 6baf5069 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-bpf-next-kasan-gce | KASAN: stack-out-of-bounds Read in hash |