syzbot

 sign-in | mailing list | source | docs
🐞 Open [106]
🐞 Fixed [1]
🐞 Invalid [166]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
💬 Send us feedback

KASAN: stack-out-of-bounds Read in unwind_next_frame

Status: public: reported C repro on 2019/04/11 00:00
Reported-by: syzbot+a9b06fe7ffe73fed771b@syzkaller.appspotmail.com
First crash: 2272d, last: 1816d
Similar bugs (6)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.14 KASAN: stack-out-of-bounds Read in unwind_next_frame C 1039 634d 1893d 0/1 upstream: reported C repro on 2019/09/18 00:47
android-54 KASAN: stack-out-of-bounds Read in unwind_next_frame C 49 1241d 1745d 0/2 auto-obsoleted due to no activity on 2023/04/20 07:24
android-49 KASAN: stack-out-of-bounds Read in unwind_next_frame 5 2300d 2535d 0/3 auto-closed as invalid on 2019/02/22 14:33
linux-4.19 KASAN: stack-out-of-bounds Read in unwind_next_frame C error 525 646d 1732d 0/1 upstream: reported C repro on 2020/02/26 18:51
upstream KASAN: stack-out-of-bounds Read in unwind_next_frame kernel C 929 612d 2348d 0/28 closed as dup on 2018/06/20 07:51
upstream KASAN: stack-out-of-bounds Read in unwind_next_frame (2) kernel 1 154d 150d 0/28 auto-obsoleted due to no activity on 2024/08/21 14:38

Sample crash report:
==================================================================
BUG: KASAN: stack-out-of-bounds in deref_stack_regs arch/x86/kernel/unwind_orc.c:308 [inline]
BUG: KASAN: stack-out-of-bounds in unwind_next_frame+0x1757/0x1810 arch/x86/kernel/unwind_orc.c:437
Read of size 8 at addr ffff888181fe79f0 by task syz-executor030/19726

CPU: 0 PID: 19726 Comm: syz-executor030 Not tainted 4.14.154+ #0
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0xe5/0x154 lib/dump_stack.c:58
 print_address_description+0x60/0x226 mm/kasan/report.c:187
 __kasan_report.cold+0x1a/0x41 mm/kasan/report.c:316
 deref_stack_regs arch/x86/kernel/unwind_orc.c:308 [inline]
 unwind_next_frame+0x1757/0x1810 arch/x86/kernel/unwind_orc.c:437
 perf_callchain_kernel+0x3a0/0x540 arch/x86/events/core.c:2338
 get_perf_callchain+0x2f5/0x770 kernel/events/callchain.c:217
 perf_callchain+0x147/0x190 kernel/events/callchain.c:190
 perf_prepare_sample+0x6a8/0x1360 kernel/events/core.c:6149
 __perf_event_output kernel/events/core.c:6265 [inline]
 perf_event_output_forward+0xdc/0x220 kernel/events/core.c:6283
 __perf_event_overflow+0x12d/0x340 kernel/events/core.c:7541
 perf_swevent_hrtimer+0x238/0x390 kernel/events/core.c:8746
 __run_hrtimer kernel/time/hrtimer.c:1259 [inline]
 __hrtimer_run_queues+0x28b/0xc40 kernel/time/hrtimer.c:1323
 hrtimer_interrupt+0x1bd/0x490 kernel/time/hrtimer.c:1357
 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1075 [inline]
 smp_apic_timer_interrupt+0x147/0x650 arch/x86/kernel/apic/apic.c:1100
 apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:792
 </IRQ>
RIP: 0010:arch_local_save_flags arch/x86/include/asm/paravirt.h:774 [inline]
RIP: 0010:arch_local_irq_save arch/x86/include/asm/paravirt.h:796 [inline]
RIP: 0010:lock_is_held_type+0x54/0x150 kernel/locking/lockdep.c:4028
RSP: 0018:ffff888181fe7880 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff10
RAX: 0000000000000000 RBX: ffff888181fd8000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 00000000ffffffff RDI: ffff888181fd882c
RBP: ffffffff936d51a0 R08: 0000000000000001 R09: ffffed103aec44fa
R10: ffffed103aec44f9 R11: ffff8881d76227cf R12: ffffffff91c4b7f9
R13: 0000000000000000 R14: ffff888181fe7910 R15: dffffc0000000000
 security_free_mnt_opts include/linux/security.h:189 [inline]
 superblock_doinit+0x189/0x220 security/selinux/hooks.c:1220
 retint_kernel+0x2d/0x2d
RIP: 0010:0xffffffff00000001
RSP: 0018:ffff888181fe7a08 EFLAGS: 00000296 ORIG_RAX: ffffffffffffff10
RAX: ffffffff9346d427 RBX: ffff888181f0e000 RCX: ffffffff91c4b8b0
RDX: 0000000041b58ab3 RSI: ffffffff93447f2c RDI: ffffffff91402fa0
RBP: ffff888181f94400 R08: 0000000041b58ab3 R09: ffffffff91c4b951
R10: ffff888181dabc00 R11: 0000000000400000 R12: 1ffff110303fcf34
R13: 400834fc30512b00 R14: 0000000000000000 R15: 0000000000000000

The buggy address belongs to the page:
page:ffffea000607f9c0 count:0 mapcount:0 mapping:          (null) index:0x0
flags: 0x4000000000000000()
raw: 4000000000000000 0000000000000000 0000000000000000 00000000ffffffff
raw: ffffea000607f9e0 ffffea000607f9e0 0000000000000000 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888181fe7880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
 ffff888181fe7900: f1 f1 00 00 00 f3 f3 f3 f3 f3 00 00 00 00 00 00
>ffff888181fe7980: 00 00 00 00 f1 f1 f1 f1 00 00 00 00 f3 f3 f3 f3
                                                             ^
 ffff888181fe7a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888181fe7a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================

Crashes (2192):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2019/11/19 11:50 android-4.14 460dc7c31cef 5bc70212 .config console log report syz C ci-android-414-kasan-gce-root
2019/11/17 09:29 android-4.14 460dc7c31cef d5696d51 .config console log report syz C ci-android-414-kasan-gce-root
2019/11/13 14:02 android-4.14 0ac69147fd8c 048f2d49 .config console log report syz C ci-android-414-kasan-gce-root
2019/11/01 09:40 android-4.14 6409e7e01d11 a41ca8fa .config console log report syz C ci-android-414-kasan-gce-root
2019/10/22 13:45 android-4.14 7d642373db4c c59a7cd8 .config console log report syz C ci-android-414-kasan-gce-root
2019/10/14 17:31 android-4.14 1d75f58e4e19 05ad7292 .config console log report syz C ci-android-414-kasan-gce-root
2019/10/12 22:23 android-4.14 1d75f58e4e19 426631dd .config console log report syz C ci-android-414-kasan-gce-root
2019/10/12 01:52 android-4.14 5faab626bf1f 426631dd .config console log report syz C ci-android-414-kasan-gce-root
2019/10/10 18:04 android-4.14 3150b5bf7ab8 a4efa8c0 .config console log report syz C ci-android-414-kasan-gce-root
2019/10/02 21:04 android-4.14 80b0c73216f5 2e29b534 .config console log report syz C ci-android-414-kasan-gce-root
2019/09/24 09:07 android-4.14 8ae37de3fa03 c68252d2 .config console log report syz C ci-android-414-kasan-gce-root
2019/09/23 15:51 android-4.14 8ae37de3fa03 1e9788a0 .config console log report syz C ci-android-414-kasan-gce-root
2019/09/13 02:46 android-4.14 f02af7b02c26 40fa42bc .config console log report syz C ci-android-414-kasan-gce-root
2019/09/07 17:57 android-4.14 4eccd8013349 a60cb4cd .config console log report syz C ci-android-414-kasan-gce-root
2019/08/03 10:05 android-4.14 2ea8815046b7 6affd8e8 .config console log report syz C ci-android-414-kasan-gce-root
2019/01/31 08:13 android-4.14 63d1657d00e0 aa432daf .config console log report syz C ci-android-414-kasan-gce-root
2018/12/28 04:19 android-4.14 815e34f802d8 af317504 .config console log report syz C ci-android-414-kasan-gce-root
2018/12/26 13:06 android-4.14 815e34f802d8 8a41a0ad .config console log report syz C ci-android-414-kasan-gce-root
2018/10/29 01:03 android-4.14 4ed22187defd 9ca2afa1 .config console log report syz C ci-android-414-kasan-gce-root
2018/09/04 17:29 android-4.14 47350a9f13c6 a4718693 .config console log report syz C ci-android-414-kasan-gce-root
2019/11/19 18:50 android-4.14 460dc7c31cef 5bc70212 .config console log report syz ci-android-414-kasan-gce-root
2019/10/20 02:17 android-4.14 234de92896af 8c88c9c1 .config console log report syz ci-android-414-kasan-gce-root
2019/10/18 12:28 android-4.14 234de92896af 8c88c9c1 .config console log report syz ci-android-414-kasan-gce-root
2019/09/09 23:05 android-4.14 4eccd8013349 a60cb4cd .config console log report syz ci-android-414-kasan-gce-root
2019/09/08 18:56 android-4.14 4eccd8013349 a60cb4cd .config console log report syz ci-android-414-kasan-gce-root
2019/09/07 09:19 android-4.14 4eccd8013349 a60cb4cd .config console log report syz ci-android-414-kasan-gce-root
2019/09/07 04:50 android-4.14 4eccd8013349 a60cb4cd .config console log report syz ci-android-414-kasan-gce-root
2019/09/06 07:37 android-4.14 38733badc0e6 040fda58 .config console log report syz ci-android-414-kasan-gce-root
2019/09/06 00:41 android-4.14 38733badc0e6 040fda58 .config console log report syz ci-android-414-kasan-gce-root
2019/09/05 01:56 android-4.14 38733badc0e6 040fda58 .config console log report syz ci-android-414-kasan-gce-root
2019/12/04 13:04 android-4.14 b7f8d9ba4f3e 0ecb9746 .config console log report ci-android-414-kasan-gce-root
2019/12/04 10:20 android-4.14 b7f8d9ba4f3e 0ecb9746 .config console log report ci-android-414-kasan-gce-root
2019/12/04 02:52 android-4.14 e6b1fb0e83b2 ae13a849 .config console log report ci-android-414-kasan-gce-root
2019/12/03 23:55 android-4.14 e6b1fb0e83b2 ae13a849 .config console log report ci-android-414-kasan-gce-root
2019/12/03 16:36 android-4.14 e6b1fb0e83b2 ab342da3 .config console log report ci-android-414-kasan-gce-root
2019/12/03 15:35 android-4.14 e6b1fb0e83b2 ab342da3 .config console log report ci-android-414-kasan-gce-root
2019/12/03 12:38 android-4.14 e6b1fb0e83b2 ab342da3 .config console log report ci-android-414-kasan-gce-root
2019/12/03 08:47 android-4.14 e6b1fb0e83b2 ab342da3 .config console log report ci-android-414-kasan-gce-root
2019/12/03 07:15 android-4.14 e6b1fb0e83b2 ab342da3 .config console log report ci-android-414-kasan-gce-root
2019/12/03 01:33 android-4.14 e6b1fb0e83b2 ab342da3 .config console log report ci-android-414-kasan-gce-root
2019/12/02 17:09 android-4.14 13855a652bd5 f879db37 .config console log report ci-android-414-kasan-gce-root
2019/12/02 12:00 android-4.14 13855a652bd5 f879db37 .config console log report ci-android-414-kasan-gce-root
2019/12/02 09:58 android-4.14 13855a652bd5 f879db37 .config console log report ci-android-414-kasan-gce-root
2019/12/02 08:38 android-4.14 13855a652bd5 f879db37 .config console log report ci-android-414-kasan-gce-root
2019/12/02 03:52 android-4.14 13855a652bd5 f879db37 .config console log report ci-android-414-kasan-gce-root
2019/12/01 19:49 android-4.14 13855a652bd5 a76bf83f .config console log report ci-android-414-kasan-gce-root
2019/12/01 18:38 android-4.14 13855a652bd5 a76bf83f .config console log report ci-android-414-kasan-gce-root
2019/12/01 17:37 android-4.14 13855a652bd5 a76bf83f .config console log report ci-android-414-kasan-gce-root
2019/12/01 13:06 android-4.14 13855a652bd5 a76bf83f .config console log report ci-android-414-kasan-gce-root
2019/12/01 11:56 android-4.14 714ada7cabc7 a76bf83f .config console log report ci-android-414-kasan-gce-root
2019/11/30 17:20 android-4.14 714ada7cabc7 3a75be00 .config console log report ci-android-414-kasan-gce-root
2019/11/30 15:40 android-4.14 714ada7cabc7 3a75be00 .config console log report ci-android-414-kasan-gce-root
2019/11/30 07:41 android-4.14 714ada7cabc7 3a75be00 .config console log report ci-android-414-kasan-gce-root
2019/11/30 04:53 android-4.14 714ada7cabc7 3a75be00 .config console log report ci-android-414-kasan-gce-root
2019/11/29 18:09 android-4.14 714ada7cabc7 d29b9e84 .config console log report ci-android-414-kasan-gce-root
2019/11/29 11:02 android-4.14 714ada7cabc7 76357d6f .config console log report ci-android-414-kasan-gce-root
2019/11/29 08:52 android-4.14 714ada7cabc7 76357d6f .config console log report ci-android-414-kasan-gce-root
2019/11/29 07:32 android-4.14 714ada7cabc7 76357d6f .config console log report ci-android-414-kasan-gce-root
2019/11/29 02:32 android-4.14 714ada7cabc7 76357d6f .config console log report ci-android-414-kasan-gce-root
2019/11/28 20:34 android-4.14 714ada7cabc7 46869e3e .config console log report ci-android-414-kasan-gce-root
2019/11/28 16:35 android-4.14 714ada7cabc7 46869e3e .config console log report ci-android-414-kasan-gce-root
2019/11/28 14:02 android-4.14 714ada7cabc7 46869e3e .config console log report ci-android-414-kasan-gce-root
2019/11/28 01:40 android-4.14 714ada7cabc7 0d63f89c .config console log report ci-android-414-kasan-gce-root
2019/11/27 12:15 android-4.14 f9b4ab5c8e99 1048481f .config console log report ci-android-414-kasan-gce-root
2019/11/27 08:49 android-4.14 f9b4ab5c8e99 1048481f .config console log report ci-android-414-kasan-gce-root
2019/11/26 18:48 android-4.14 f9b4ab5c8e99 1048481f .config console log report ci-android-414-kasan-gce-root
2019/11/26 13:57 android-4.14 f9b4ab5c8e99 f746151a .config console log report ci-android-414-kasan-gce-root
2019/11/25 22:31 android-4.14 f9b4ab5c8e99 371caf77 .config console log report ci-android-414-kasan-gce-root
2019/11/25 19:07 android-4.14 f9b4ab5c8e99 371caf77 .config console log report ci-android-414-kasan-gce-root
2019/11/25 10:20 android-4.14 437a2a739c5f 598ca6c8 .config console log report ci-android-414-kasan-gce-root
2019/11/25 09:04 android-4.14 437a2a739c5f 598ca6c8 .config console log report ci-android-414-kasan-gce-root
2019/11/25 03:36 android-4.14 437a2a739c5f 598ca6c8 .config console log report ci-android-414-kasan-gce-root
* Struck through repros no longer work on HEAD.