syzbot


kernel panic: corrupted stack end in dput

Status: fixed on 2019/08/27 17:15
Subsystems: fs
Reported-by: syzbot+d88a977731a9888db7ba@syzkaller.appspotmail.com
Fix commit: 95fa145479fb bpf: sockmap/tls, close can race with map free
First crash: 1732d, last: 1732d
Cause bisection: introduced by (bisect log):
commit e9db4ef6bf4ca9894bb324c76e01b8f1a16b2650
Author: John Fastabend <john.fastabend@gmail.com>
Date: Sat Jun 30 13:17:47 2018 +0000

  bpf: sockhash fix omitted bucket lock in sock_close

Crash: KASAN: use-after-free Write in bpf_tcp_close (log)
Repro: syz .config
  
Duplicate bugs (2):
Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status
kernel panic: stack is corrupted in pointer kernel | syz | done | | 1 | 1717d | 1716d | 0/26 | closed as dup on 2019/07/23 07:39
BUG: unable to handle kernel paging request in corrupted (2) | syz | done | | 1 | 1714d | 1714d | 0/26 | closed as dup on 2019/07/23 07:35
Discussions (3):
Title | Replies (including bot) | Last reply
Re: kernel panic: corrupted stack end in dput | 4 (4) | 2019/07/03 16:14
Reminder: 36 open syzbot bugs in "net/bpf" subsystem | 1 (1) | 2019/07/03 06:01
kernel panic: corrupted stack end in dput | 1 (3) | 2019/07/02 13:21
Similar bugs (1):
Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status
upstream | kernel panic: corrupted stack end in dput (2) ext4 | | | | 1 | 497d | 497d | 22/26 | fixed on 2023/02/24 13:50

Sample crash report:
Kernel panic - not syncing: corrupted stack end detected inside scheduler
CPU: 1 PID: 8936 Comm: syz-executor.3 Not tainted 5.2.0-rc6+ #69
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x172/0x1f0 lib/dump_stack.c:113
 panic+0x2cb/0x744 kernel/panic.c:219
 schedule_debug kernel/sched/core.c:3272 [inline]
 __schedule+0x155d/0x1560 kernel/sched/core.c:3381
 preempt_schedule_notrace kernel/sched/core.c:3664 [inline]
 preempt_schedule_notrace+0xa0/0x130 kernel/sched/core.c:3635
 ___preempt_schedule_notrace+0x16/0x2f
 rcu_is_watching+0x23/0x30 kernel/rcu/tree.c:873
 rcu_read_lock include/linux/rcupdate.h:594 [inline]
 dput+0x41e/0x690 fs/dcache.c:845
 __fput+0x424/0x890 fs/file_table.c:293
 ____fput+0x16/0x20 fs/file_table.c:313
 task_work_run+0x145/0x1c0 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:185 [inline]
 exit_to_usermode_loop+0x273/0x2c0 arch/x86/entry/common.c:168
 prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:279 [inline]
 do_syscall_64+0x58e/0x680 arch/x86/entry/common.c:304
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x413201
Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 1b 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
RSP: 002b:00007ffcee6f8e20 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000006 RCX: 0000000000413201
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000005
RBP: 0000000000000001 R08: ffffffffffffffff R09: ffffffffffffffff
R10: 00007ffcee6f8f00 R11: 0000000000000293 R12: 000000000075c9a0
R13: 000000000075c9a0 R14: 00000000000127ed R15: ffffffffffffffff
Shutting down cpus with NMI
Kernel Offset: disabled
Rebooting in 86400 seconds..

Crashes (1):
Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title
2019/07/01 06:42 | net-old | 7b75e49de424 | 699d6448 | .config | console log | report | syz | | | | ci-upstream-net-this-kasan-gce |