syzbot


KASAN: stack-out-of-bounds Read in profile_pc

Status: upstream: reported C repro on 2021/05/27 02:31
Reported-by: syzbot+0ca27feeb396418459ae@syzkaller.appspotmail.com
First crash: 560d, last: 23h37m
similar bugs (1):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: stack-out-of-bounds Read in profile_pc C error 304 1d11h 556d 0/24 upstream: reported C repro on 2021/05/31 07:15

Sample crash report:
==================================================================
BUG: KASAN: stack-out-of-bounds in profile_pc+0xa4/0xe0 arch/x86/kernel/time.c:42
Read of size 8 at addr ffff8881dd00f960 by task strace-static-x/301

CPU: 0 PID: 301 Comm: strace-static-x Not tainted 5.4.210-syzkaller-00006-gc80a5b2e7f63 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1d8/0x241 lib/dump_stack.c:118
 print_address_description+0x8c/0x630 mm/kasan/report.c:384
 __kasan_report+0xf6/0x130 mm/kasan/report.c:516
 kasan_report+0x30/0x60 mm/kasan/common.c:653
 profile_pc+0xa4/0xe0 arch/x86/kernel/time.c:42
 profile_tick+0xb0/0xf0 kernel/profile.c:409
 tick_sched_handle kernel/time/tick-sched.c:172 [inline]
 tick_sched_timer+0x269/0x410 kernel/time/tick-sched.c:1296
 __run_hrtimer+0x187/0x7c0 kernel/time/hrtimer.c:1581
 __hrtimer_run_queues kernel/time/hrtimer.c:1643 [inline]
 hrtimer_interrupt+0x5d1/0x1140 kernel/time/hrtimer.c:1705
 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1123 [inline]
 smp_apic_timer_interrupt+0x109/0x440 arch/x86/kernel/apic/apic.c:1148
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:831
 </IRQ>
RIP: 0010:atomic_try_cmpxchg include/asm-generic/atomic-instrumented.h:693 [inline]
RIP: 0010:queued_spin_lock include/asm-generic/qspinlock.h:78 [inline]
RIP: 0010:do_raw_spin_lock include/linux/spinlock.h:181 [inline]
RIP: 0010:__raw_spin_lock include/linux/spinlock_api_smp.h:143 [inline]
RIP: 0010:_raw_spin_lock+0x89/0x1b0 kernel/locking/spinlock.c:151
Code: f3 4a 89 04 23 bf 01 00 00 00 e8 62 a4 01 fd 4d 89 fe 49 c1 ee 03 43 8a 04 26 84 c0 0f 85 b9 00 00 00 c7 44 24 20 00 00 00 00 <4c> 89 ef be 04 00 00 00 e8 ba 00 4f fd 4c 89 ff be 04 00 00 00 e8
RSP: 0018:ffff8881dd00f960 EFLAGS: 00000297 ORIG_RAX: ffffffffffffff13
RAX: 1ffff1103bb0c504 RBX: 1ffff1103ba01f2c RCX: 00000000dd00f903
RDX: ffff8881dd861f80 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffff8881dd00f9e8 R08: ffffffff813b7278 R09: ffffed1039caba48
R10: ffffed1039caba48 R11: 1ffff11039caba47 R12: dffffc0000000000
R13: ffff8881e073c6d8 R14: 1ffff1103ba01f30 R15: ffff8881dd00f980
 spin_lock include/linux/spinlock.h:338 [inline]
 task_lock include/linux/sched/task.h:169 [inline]
 get_task_mm kernel/fork.c:1217 [inline]
 mm_access+0x7d/0x210 kernel/fork.c:1239
 process_vm_rw_core+0x2b5/0xb40 mm/process_vm_access.c:203
 process_vm_rw+0x276/0x380 mm/process_vm_access.c:284
 __do_sys_process_vm_readv mm/process_vm_access.c:298 [inline]
 __se_sys_process_vm_readv mm/process_vm_access.c:294 [inline]
 __x64_sys_process_vm_readv+0xdc/0xf0 mm/process_vm_access.c:294
 do_syscall_64+0xcb/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x4e815a
Code: 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 78 0c 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 36 01 00 00 0f 05 <48> 3d 00 f0 ff ff 77 06 c3 0f 1f 44 00 00 48 c7 c2 b8 ff ff ff f7
RSP: 002b:00007ffc8d2209c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000136
RAX: ffffffffffffffda RBX: 0000000020000000 RCX: 00000000004e815a
RDX: 0000000000000001 RSI: 00007ffc8d2209f0 RDI: 00000000000001db
RBP: 000000000063c8a0 R08: 0000000000000001 R09: 0000000000000000
R10: 00007ffc8d220a00 R11: 0000000000000246 R12: 0000000000000000
R13: 00000000200001c0 R14: 0000000002243010 R15: 0000000002245030

The buggy address belongs to the page:
page:ffffea00077403c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0x8000000000000000()
raw: 8000000000000000 0000000000000000 ffffea00077403c8 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x400dc0(GFP_KERNEL_ACCOUNT|__GFP_ZERO)
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook mm/page_alloc.c:2165 [inline]
 prep_new_page+0x194/0x380 mm/page_alloc.c:2171
 get_page_from_freelist+0x524/0x560 mm/page_alloc.c:3794
 __alloc_pages_nodemask+0x372/0x860 mm/page_alloc.c:4857
 __alloc_pages include/linux/gfp.h:503 [inline]
 __alloc_pages_node include/linux/gfp.h:516 [inline]
 alloc_pages_node include/linux/gfp.h:530 [inline]
 alloc_thread_stack_node kernel/fork.c:259 [inline]
 dup_task_struct+0x85/0x5a0 kernel/fork.c:875
 copy_process+0x56e/0x3230 kernel/fork.c:1878
 _do_fork+0x196/0x8d0 kernel/fork.c:2391
 __do_sys_clone kernel/fork.c:2549 [inline]
 __se_sys_clone kernel/fork.c:2530 [inline]
 __x64_sys_clone+0x287/0x2f0 kernel/fork.c:2530
 do_syscall_64+0xcb/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1176 [inline]
 __free_pages_ok+0x7fe/0x930 mm/page_alloc.c:1438
 put_page include/linux/mm.h:1151 [inline]
 do_exit+0x20b7/0x2d30 kernel/exit.c:852
 do_group_exit+0x136/0x300 kernel/exit.c:910
 __do_sys_exit_group kernel/exit.c:921 [inline]
 __se_sys_exit_group kernel/exit.c:919 [inline]
 __x64_sys_exit_group+0x3b/0x40 kernel/exit.c:919
 do_syscall_64+0xcb/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

addr ffff8881dd00f960 is located in stack of task strace-static-x/301 at offset 0 in frame:
 _raw_spin_lock+0x0/0x1b0 arch/x86/include/asm/atomic.h:200

this frame has 1 object:
 [32, 36) 'val.i.i.i'

Memory state around the buggy address:
 ffff8881dd00f800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8881dd00f880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8881dd00f900: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
                                                       ^
 ffff8881dd00f980: 04 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8881dd00fa00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
----------------
Code disassembly (best guess):
   0:	f3 4a 89 04 23       	xrelease mov %rax,(%rbx,%r12,1)
   5:	bf 01 00 00 00       	mov    $0x1,%edi
   a:	e8 62 a4 01 fd       	callq  0xfd01a471
   f:	4d 89 fe             	mov    %r15,%r14
  12:	49 c1 ee 03          	shr    $0x3,%r14
  16:	43 8a 04 26          	mov    (%r14,%r12,1),%al
  1a:	84 c0                	test   %al,%al
  1c:	0f 85 b9 00 00 00    	jne    0xdb
  22:	c7 44 24 20 00 00 00 	movl   $0x0,0x20(%rsp)
  29:	00
* 2a:	4c 89 ef             	mov    %r13,%rdi <-- trapping instruction
  2d:	be 04 00 00 00       	mov    $0x4,%esi
  32:	e8 ba 00 4f fd       	callq  0xfd4f00f1
  37:	4c 89 ff             	mov    %r15,%rdi
  3a:	be 04 00 00 00       	mov    $0x4,%esi
  3f:	e8                   	.byte 0xe8

Crashes (132):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci2-android-5-4-kasan 2022/11/26 18:58 android12-5.4 c80a5b2e7f63 f4470a7b .config log report syz C KASAN: stack-out-of-bounds Read in profile_pc
ci2-android-5-4-kasan 2022/11/15 01:16 android12-5.4 5a34019eb955 97de9cfc .config log report syz C KASAN: stack-out-of-bounds Read in profile_pc
ci2-android-5-4-kasan 2021/05/27 04:00 android12-5.4 1d3dcc209600 858ea628 .config log report syz C KASAN: stack-out-of-bounds Read in profile_pc
ci2-android-5-4-kasan 2022/12/07 17:50 android12-5.4 d7e5d5321233 d88f3abb .config log report info KASAN: stack-out-of-bounds Read in profile_pc
ci2-android-5-4-kasan 2022/12/07 07:31 android12-5.4 d7e5d5321233 d88f3abb .config log report info KASAN: stack-out-of-bounds Read in profile_pc
ci2-android-5-4-kasan 2022/12/04 04:36 android12-5.4 1c84384fbdc7 e080de16 .config log report info KASAN: stack-out-of-bounds Read in profile_pc
ci2-android-5-4-kasan 2022/11/29 10:15 android12-5.4 b8d81d8b94a5 ca9683b8 .config log report info KASAN: stack-out-of-bounds Read in profile_pc
ci2-android-5-4-kasan 2022/11/28 15:57 android12-5.4 c80a5b2e7f63 247de55b .config log report info KASAN: stack-out-of-bounds Read in profile_pc
ci2-android-5-4-kasan 2022/11/28 03:21 android12-5.4 c80a5b2e7f63 f4470a7b .config log report info KASAN: stack-out-of-bounds Read in profile_pc
ci2-android-5-4-kasan 2022/11/27 01:30 android12-5.4 c80a5b2e7f63 f4470a7b .config log report info KASAN: stack-out-of-bounds Read in profile_pc
ci2-android-5-4-kasan 2022/11/26 10:13 android12-5.4 c80a5b2e7f63 f4470a7b .config log report info KASAN: stack-out-of-bounds Read in profile_pc
ci2-android-5-4-kasan 2022/11/23 20:15 android12-5.4 c80a5b2e7f63 52fdf57a .config log report info KASAN: stack-out-of-bounds Read in profile_pc
ci2-android-5-4-kasan 2022/11/21 06:42 android12-5.4 e9f865cb240f 5bb70014 .config log report info KASAN: stack-out-of-bounds Read in profile_pc
ci2-android-5-4-kasan 2022/11/19 04:06 android12-5.4 e9f865cb240f 5bb70014 .config log report info KASAN: stack-out-of-bounds Read in profile_pc
ci2-android-5-4-kasan 2022/11/18 18:23 android12-5.4 e9f865cb240f 5bb70014 .config log report info KASAN: stack-out-of-bounds Read in profile_pc
ci2-android-5-4-kasan 2022/11/15 17:35 android12-5.4 5a34019eb955 97de9cfc .config log report info KASAN: stack-out-of-bounds Read in profile_pc
ci2-android-5-4-kasan 2022/11/15 00:19 android12-5.4 5a34019eb955 97de9cfc .config log report info KASAN: stack-out-of-bounds Read in profile_pc
ci2-android-5-4-kasan 2021/10/21 00:02 android12-5.4 111d022d4e82 f111d03b .config log report info KASAN: stack-out-of-bounds Read in profile_pc
ci2-android-5-4-kasan 2021/10/20 07:54 android12-5.4 5970ec26e0c8 466b7db1 .config log report info KASAN: stack-out-of-bounds Read in profile_pc
ci2-android-5-4-kasan 2021/10/20 01:42 android12-5.4 5970ec26e0c8 466b7db1 .config log report info KASAN: stack-out-of-bounds Read in profile_pc
ci2-android-5-4-kasan 2021/10/19 07:11 android12-5.4 5970ec26e0c8 24dc29db .config log report info KASAN: stack-out-of-bounds Read in profile_pc
ci2-android-5-4-kasan 2021/10/17 01:28 android12-5.4 73e6d86c30ee 0c5d9412 .config log report info KASAN: stack-out-of-bounds Read in profile_pc
ci2-android-5-4-kasan 2021/10/16 04:55 android12-5.4 73e6d86c30ee 0c5d9412 .config log report info KASAN: stack-out-of-bounds Read in profile_pc
ci2-android-5-4-kasan 2021/10/15 18:55 android12-5.4 73e6d86c30ee 0c5d9412 .config log report info KASAN: stack-out-of-bounds Read in profile_pc
ci2-android-5-4-kasan 2021/10/13 06:50 android12-5.4 2ffb0acdabc5 08362356 .config log report info KASAN: stack-out-of-bounds Read in profile_pc
ci2-android-5-4-kasan 2021/10/12 19:02 android12-5.4 23c18f1ad0fc 08362356 .config log report info KASAN: stack-out-of-bounds Read in profile_pc
ci2-android-5-4-kasan 2021/10/12 04:51 android12-5.4 23c18f1ad0fc 838e7e2c .config log report info KASAN: stack-out-of-bounds Read in profile_pc
ci2-android-5-4-kasan 2021/10/12 03:05 android12-5.4 23c18f1ad0fc 838e7e2c .config log report info KASAN: stack-out-of-bounds Read in profile_pc
ci2-android-5-4-kasan 2021/10/11 10:10 android12-5.4 23c18f1ad0fc 838e7e2c .config log report info KASAN: stack-out-of-bounds Read in profile_pc
ci2-android-5-4-kasan 2021/10/08 19:03 android12-5.4 23c18f1ad0fc efe0f24d .config log report info KASAN: stack-out-of-bounds Read in profile_pc
ci2-android-5-4-kasan 2021/10/04 00:54 android12-5.4 1e429b8f9eb9 db0f5787 .config log report info KASAN: stack-out-of-bounds Read in profile_pc
ci2-android-5-4-kasan 2021/10/03 21:31 android12-5.4 1e429b8f9eb9 db0f5787 .config log report info KASAN: stack-out-of-bounds Read in profile_pc
ci2-android-5-4-kasan 2021/10/03 16:27 android12-5.4 1e429b8f9eb9 db0f5787 .config log report info KASAN: stack-out-of-bounds Read in profile_pc
ci2-android-5-4-kasan 2021/10/01 07:02 android12-5.4 1e429b8f9eb9 1d849ab4 .config log report info KASAN: stack-out-of-bounds Read in profile_pc
ci2-android-5-4-kasan 2021/09/30 03:58 android12-5.4 12806d81361b be530f6c .config log report info KASAN: stack-out-of-bounds Read in profile_pc
ci2-android-5-4-kasan 2021/09/28 03:52 android12-5.4 d52ac987ad2a 78494d16 .config log report info KASAN: stack-out-of-bounds Read in profile_pc
ci2-android-5-4-kasan 2021/09/28 02:29 android12-5.4 d52ac987ad2a 78494d16 .config log report info KASAN: stack-out-of-bounds Read in profile_pc
ci2-android-5-4-kasan 2021/09/26 10:55 android12-5.4 d52ac987ad2a 8cac236e .config log report info KASAN: stack-out-of-bounds Read in profile_pc
ci2-android-5-4-kasan 2021/09/24 16:38 android12-5.4 1a97657426d5 8cac236e .config log report info KASAN: stack-out-of-bounds Read in profile_pc
ci2-android-5-4-kasan 2021/09/24 08:58 android12-5.4 546305780d82 8cac236e .config log report info KASAN: stack-out-of-bounds Read in profile_pc
ci2-android-5-4-kasan 2021/09/20 06:05 android12-5.4 546305780d82 70b76c1d .config log report info KASAN: stack-out-of-bounds Read in profile_pc
ci2-android-5-4-kasan 2021/09/20 01:03 android12-5.4 546305780d82 70b76c1d .config log report info KASAN: stack-out-of-bounds Read in profile_pc
ci2-android-5-4-kasan 2021/09/17 20:31 android12-5.4 546305780d82 70b76c1d .config log report info KASAN: stack-out-of-bounds Read in profile_pc
ci2-android-5-4-kasan 2021/09/17 16:36 android12-5.4 546305780d82 70b76c1d .config log report info KASAN: stack-out-of-bounds Read in profile_pc
ci2-android-5-4-kasan 2021/09/16 10:29 android12-5.4 4614f5de0f95 07e953c1 .config log report info KASAN: stack-out-of-bounds Read in profile_pc
ci2-android-5-4-kasan 2021/09/16 03:01 android12-5.4 4614f5de0f95 07e953c1 .config log report info KASAN: stack-out-of-bounds Read in profile_pc
ci2-android-5-4-kasan 2021/05/27 02:30 android12-5.4 1d3dcc209600 858ea628 .config log report info KASAN: stack-out-of-bounds Read in profile_pc
* Struck through repros no longer work on HEAD.