syzbot


KASAN: out-of-bounds Read in csd_lock_record

Status: closed as dup on 2020/07/07 07:10
Subsystems: kernel
[Documentation on labels]
Reported-by: syzbot+98af0465c818c8b093e9@syzkaller.appspotmail.com
First crash: 1328d, last: 1323d
Duplicate of
Title Repro Cause bisect Fix bisect Count Last Reported
KASAN: stack-out-of-bounds Read in csd_lock_record kernel C 226 1323d 1328d
Discussions (1)
Title Replies (including bot) Last reply
KASAN: out-of-bounds Read in csd_lock_record 1 (2) 2020/07/07 07:10

Sample crash report:
==================================================================
BUG: KASAN: out-of-bounds in csd_lock_record+0xcb/0xe0 kernel/smp.c:118
Read of size 8 at addr ffffc90001cc7bd0 by task syz-executor262/6818

CPU: 0 PID: 6818 Comm: syz-executor262 Not tainted 5.8.0-rc3-next-20200703-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x18f/0x20d lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0x5/0x436 mm/kasan/report.c:383
 __kasan_report mm/kasan/report.c:513 [inline]
 kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
 csd_lock_record+0xcb/0xe0 kernel/smp.c:118
 flush_smp_call_function_queue+0x285/0x730 kernel/smp.c:391
 __sysvec_call_function_single+0x98/0x490 arch/x86/kernel/smp.c:248
 asm_call_on_stack+0xf/0x20 arch/x86/entry/entry_64.S:706
 </IRQ>
 __run_on_irqstack arch/x86/include/asm/irq_stack.h:22 [inline]
 run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:48 [inline]
 sysvec_call_function_single+0xe0/0x120 arch/x86/kernel/smp.c:243
 asm_sysvec_call_function_single+0x12/0x20 arch/x86/include/asm/idtentry.h:604
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/paravirt.h:765 [inline]
RIP: 0010:lock_acquire+0x270/0xad0 kernel/locking/lockdep.c:4962
Code: 00 00 00 00 fc ff df 48 c1 e8 03 80 3c 10 00 0f 85 f8 06 00 00 48 83 3d 6d c1 5a 08 00 0f 84 a6 05 00 00 48 8b 7c 24 08 57 9d <0f> 1f 44 00 00 48 b8 00 00 00 00 00 fc ff df 48 03 44 24 10 48 c7
RSP: 0018:ffffc90000ea7a48 EFLAGS: 00000282
RAX: 1ffffffff1369fe0 RBX: ffff88809096e100 RCX: 0000000000000001
RDX: dffffc0000000000 RSI: e668264dc84383e6 RDI: 0000000000000282
RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffff8c5a7a27
R10: fffffbfff18b4f44 R11: 0000000000000000 R12: 0000000000000002
R13: ffffffff89bc3040 R14: 0000000000000000 R15: ffff88809096e100
 rcu_lock_acquire include/linux/rcupdate.h:241 [inline]
 rcu_read_lock include/linux/rcupdate.h:634 [inline]
 copy_namespaces+0x68/0x470 kernel/nsproxy.c:154
 copy_process+0x2921/0x6b90 kernel/fork.c:2083
 _do_fork+0x12c/0xa70 kernel/fork.c:2425
 __do_sys_clone+0xef/0x150 kernel/fork.c:2581
 do_syscall_64+0x60/0xe0 arch/x86/entry/common.c:367
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x44510a
Code: Bad RIP value.
RSP: 002b:00007ffe4f21aa00 EFLAGS: 00000246 ORIG_RAX: 0000000000000038
RAX: ffffffffffffffda RBX: 00007ffe4f21aa00 RCX: 000000000044510a
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000001200011
RBP: 00007ffe4f21aa40 R08: 0000000000001aa2 R09: 0000000000cf1880
R10: 0000000000cf1b50 R11: 0000000000000246 R12: 0000000000001aa2
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000


Memory state around the buggy address:
 ffffc90001cc7a80: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
 ffffc90001cc7b00: 00 00 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
>ffffc90001cc7b80: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
                                                    ^
 ffffc90001cc7c00: 00 f2 f2 f2 00 f2 f2 f2 00 00 f3 f3 00 00 00 00
 ffffc90001cc7c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================

Crashes (306):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2020/07/06 13:22 linux-next 9e50b94b3eb0 51095195 .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2020/07/04 01:04 linux-next 9e50b94b3eb0 51095195 .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2020/07/08 19:48 linux-next 9e50b94b3eb0 51095195 .config console log report syz ci-upstream-linux-next-kasan-gce-root
2020/07/08 10:40 linux-next 9e50b94b3eb0 51095195 .config console log report syz ci-upstream-linux-next-kasan-gce-root
2020/07/07 20:05 linux-next 9e50b94b3eb0 51095195 .config console log report syz ci-upstream-linux-next-kasan-gce-root
2020/07/07 04:26 linux-next 9e50b94b3eb0 51095195 .config console log report syz ci-upstream-linux-next-kasan-gce-root
2020/07/07 02:24 linux-next 9e50b94b3eb0 51095195 .config console log report syz ci-upstream-linux-next-kasan-gce-root
2020/07/06 20:18 linux-next 9e50b94b3eb0 51095195 .config console log report syz ci-upstream-linux-next-kasan-gce-root
2020/07/06 15:58 linux-next 9e50b94b3eb0 51095195 .config console log report syz ci-upstream-linux-next-kasan-gce-root
2020/07/06 07:57 linux-next 9e50b94b3eb0 51095195 .config console log report syz ci-upstream-linux-next-kasan-gce-root
2020/07/05 20:05 linux-next 9e50b94b3eb0 51095195 .config console log report syz ci-upstream-linux-next-kasan-gce-root
2020/07/04 06:04 linux-next 9e50b94b3eb0 51095195 .config console log report syz ci-upstream-linux-next-kasan-gce-root
2020/07/08 19:39 linux-next 9e50b94b3eb0 51095195 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/08 19:22 linux-next 9e50b94b3eb0 51095195 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/08 18:09 linux-next 9e50b94b3eb0 51095195 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/08 14:52 linux-next 9e50b94b3eb0 51095195 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/08 13:20 linux-next 9e50b94b3eb0 51095195 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/08 12:07 linux-next 9e50b94b3eb0 51095195 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/08 10:54 linux-next 9e50b94b3eb0 51095195 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/08 08:46 linux-next 9e50b94b3eb0 51095195 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/08 06:09 linux-next 9e50b94b3eb0 51095195 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/08 04:04 linux-next 9e50b94b3eb0 51095195 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/08 02:17 linux-next 9e50b94b3eb0 51095195 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/08 01:41 linux-next 9e50b94b3eb0 51095195 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/08 00:29 linux-next 9e50b94b3eb0 51095195 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/07 23:04 linux-next 9e50b94b3eb0 51095195 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/07 21:56 linux-next 9e50b94b3eb0 51095195 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/07 20:51 linux-next 9e50b94b3eb0 51095195 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/07 19:33 linux-next 9e50b94b3eb0 51095195 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/07 18:02 linux-next 9e50b94b3eb0 51095195 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/07 16:19 linux-next 9e50b94b3eb0 51095195 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/07 14:12 linux-next 9e50b94b3eb0 51095195 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/07 11:47 linux-next 9e50b94b3eb0 51095195 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/07 06:05 linux-next 9e50b94b3eb0 51095195 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/07 01:47 linux-next 9e50b94b3eb0 51095195 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/06 22:37 linux-next 9e50b94b3eb0 51095195 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/06 22:23 linux-next 9e50b94b3eb0 51095195 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/06 19:50 linux-next 9e50b94b3eb0 51095195 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/06 18:46 linux-next 9e50b94b3eb0 51095195 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/06 17:05 linux-next 9e50b94b3eb0 51095195 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/06 14:17 linux-next 9e50b94b3eb0 51095195 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/06 12:18 linux-next 9e50b94b3eb0 51095195 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/06 11:00 linux-next 9e50b94b3eb0 51095195 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/06 09:55 linux-next 9e50b94b3eb0 51095195 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/06 07:53 linux-next 9e50b94b3eb0 51095195 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/06 06:43 linux-next 9e50b94b3eb0 51095195 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/06 05:19 linux-next 9e50b94b3eb0 51095195 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/06 04:23 linux-next 9e50b94b3eb0 51095195 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/06 02:49 linux-next 9e50b94b3eb0 51095195 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/06 01:10 linux-next 9e50b94b3eb0 51095195 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/05 23:24 linux-next 9e50b94b3eb0 51095195 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/05 21:55 linux-next 9e50b94b3eb0 51095195 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/05 21:07 linux-next 9e50b94b3eb0 51095195 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/03 22:41 linux-next 9e50b94b3eb0 51095195 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/03 21:27 linux-next 9e50b94b3eb0 51095195 .config console log report ci-upstream-linux-next-kasan-gce-root
* Struck through repros no longer work on HEAD.