syzbot


KASAN: stack-out-of-bounds Read in try_to_wake_up

Status: closed as invalid on 2018/07/05 16:25
Subsystems: kernel
First crash: 2399d, last: 2399d

Sample crash report:
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
==================================================================
BUG: KASAN: stack-out-of-bounds in perf_trace_lock_acquire+0x66f/0x9a0 include/trace/events/lock.h:13
Read of size 8 at addr ffff8801a7bfaa68 by task syz-executor6/18212

CPU: 0 PID: 18212 Comm: syz-executor6 Not tainted 4.18.0-rc3+ #46
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
 print_address_description+0x6c/0x20b mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
 perf_trace_lock_acquire+0x66f/0x9a0 include/trace/events/lock.h:13
 trace_lock_acquire include/trace/events/lock.h:13 [inline]
 lock_acquire+0x3a2/0x540 kernel/locking/lockdep.c:3923
 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
 _raw_spin_lock_irqsave+0x96/0xc0 kernel/locking/spinlock.c:152
 try_to_wake_up+0xd2/0x12b0 kernel/sched/core.c:1986
 default_wake_function+0x30/0x50 kernel/sched/core.c:3742
 autoremove_wake_function+0x80/0x370 kernel/sched/wait.c:373
 __wake_up_common+0x191/0x740 kernel/sched/wait.c:90
 __wake_up_common_lock+0x1c2/0x330 kernel/sched/wait.c:119
 __wake_up+0xe/0x10 kernel/sched/wait.c:143
 wake_up_klogd_work_func+0x9a/0xb0 kernel/printk/printk.c:2863
 irq_work_run_list+0x1c0/0x290 kernel/irq_work.c:155
 irq_work_tick+0x15d/0x1e0 kernel/irq_work.c:181
 update_process_times+0x68/0x70 kernel/time/timer.c:1639
 tick_sched_handle+0x9f/0x180 kernel/time/tick-sched.c:164
 tick_sched_timer+0x45/0x130 kernel/time/tick-sched.c:1274
 __run_hrtimer kernel/time/hrtimer.c:1398 [inline]
 __hrtimer_run_queues+0x3eb/0x10c0 kernel/time/hrtimer.c:1460
 hrtimer_interrupt+0x2f3/0x750 kernel/time/hrtimer.c:1518
 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1025 [inline]
 smp_apic_timer_interrupt+0x165/0x730 arch/x86/kernel/apic/apic.c:1050
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:863
 </IRQ>
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/paravirt.h:783 [inline]
RIP: 0010:console_unlock+0xc84/0x10b0 kernel/printk/printk.c:2397
Code: c1 e8 03 42 80 3c 38 00 0f 85 bd 03 00 00 48 83 3d 08 f8 8e 07 00 0f 84 69 02 00 00 e8 65 53 19 00 48 8b bd b0 fe ff ff 57 9d <0f> 1f 44 00 00 e9 96 f5 ff ff e8 4d 53 19 00 48 8b 7d 08 e8 94 cf 
RSP: 0018:ffff8801983973a0 EFLAGS: 00000293 ORIG_RAX: ffffffffffffff13
RAX: ffff8801cad54780 RBX: 0000000000000200 RCX: ffffffff8162adc7
RDX: 0000000000000000 RSI: ffffffff8162b86b RDI: 0000000000000293
RBP: ffff880198397508 R08: ffff8801cad54780 R09: fffffbfff11f11e4
R10: fffffbfff11f11e4 R11: ffffffff88f88f23 R12: 0000000000000000
R13: ffffffff84ea90a0 R14: 0000000000000001 R15: dffffc0000000000
 vprintk_emit+0x6c6/0xdf0 kernel/printk/printk.c:1907
 vprintk_default+0x28/0x30 kernel/printk/printk.c:1948
 vprintk_func+0x7a/0xe7 kernel/printk/printk_safe.c:382
 printk+0xa7/0xcf kernel/printk/printk.c:1981
 kasan_die_handler.cold.22+0x1d/0x30 arch/x86/mm/kasan_init_64.c:252
 notifier_call_chain+0x180/0x390 kernel/notifier.c:93
 __atomic_notifier_call_chain kernel/notifier.c:183 [inline]
 atomic_notifier_call_chain+0x98/0x190 kernel/notifier.c:193
 notify_die+0x1be/0x2e0 kernel/notifier.c:549
 do_general_protection+0x248/0x2f0 arch/x86/kernel/traps.c:559
 general_protection+0x1e/0x30 arch/x86/entry/entry_64.S:1159
RIP: 0010:list_add_tail include/linux/list.h:93 [inline]
RIP: 0010:list_lru_add+0x2ae/0x930 mm/list_lru.c:119
Code: e8 d7 d8 d2 ff 4d 8d 6f 38 e8 ce d8 d2 ff 49 8d 45 08 48 89 c2 48 89 85 a8 fe ff ff 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 10 05 00 00 4d 8b 45 08 4c 89 ea 4c 89 e7 4c 89 
RSP: 0018:ffff880198397ac0 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 1ffff10033072f5b RCX: 1ffff1003b2c01c8
RDX: 0000000000000001 RSI: ffffffff81a93302 RDI: ffff8801d9600e40
RBP: ffff880198397c20 R08: ffff8801cad54780 R09: ffffed0039a61418
R10: ffffed0039a61418 R11: ffff8801cd30a0c3 R12: ffff8801959c5ac0
R13: 0000000000000000 R14: ffff880198397bf8 R15: ffff8801cd30a0c0
 d_lru_add+0xc2/0x120 fs/dcache.c:399
 retain_dentry fs/dcache.c:642 [inline]
 dput.part.26+0x71b/0x7a0 fs/dcache.c:843
 dput+0x15/0x20 fs/dcache.c:830
 done_path_create+0x20/0x110 fs/namei.c:3693
 do_symlinkat+0x169/0x2d0 fs/namei.c:4165
 __do_sys_symlink fs/namei.c:4183 [inline]
 __se_sys_symlink fs/namei.c:4181 [inline]
 __x64_sys_symlink+0x59/0x80 fs/namei.c:4181
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4557e7
Code: 64 8b 5d 00 e9 14 fd ff ff 4c 8b 74 24 30 64 c7 45 00 22 00 00 00 bb 22 00 00 00 e9 fd fc ff ff 0f 1f 00 b8 58 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 bd bc fb ff c3 66 2e 0f 1f 84 00 00 00 00 
RSP: 002b:00007ffe703977c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000058
RAX: ffffffffffffffda RBX: 0000000000000013 RCX: 00000000004557e7
RDX: 0000000000000000 RSI: 00000000004bafb2 RDI: 00007ffe70398540
RBP: 0000000000000013 R08: 0000000000000000 R09: 0000000001736940
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007ffe70397e70 R15: 00000000007024c0

Allocated by task 0:
(stack is not available)

Freed by task 0:
(stack is not available)

The buggy address belongs to the object at ffff8801a7bfa2c0
 which belongs to the cache task_struct of size 5952
The buggy address is located 1960 bytes inside of
 5952-byte region [ffff8801a7bfa2c0, ffff8801a7bfba00)
The buggy address belongs to the page:
page:ffffea00069efe80 count:1 mapcount:0 mapping:ffff8801da94b200 index:0x0 compound_mapcount: 0
flags: 0x2fffc0000008100(slab|head)
raw: 02fffc0000008100 ffffea00070cb208 ffffea0006b97408 ffff8801da94b200
raw: 0000000000000000 ffff8801a7bfa2c0 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801a7bfa900: f2 f2 f2 00 f2 f2 f2 00 00 00 00 00 00 00 00 00
 ffff8801a7bfa980: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
>ffff8801a7bfaa00: 00 f2 f2 f2 f2 f2 f2 f2 00 f2 f2 f2 f2 f2 f2 f2
                                                          ^
 ffff8801a7bfaa80: 00 f2 f2 f2 f2 f2 f2 f2 f8 f2 f2 f2 f2 f2 f2 f2
 ffff8801a7bfab00: 00 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================

Crashes (1):
Time: 2018/07/05 14:25
Kernel: bpf-next
Commit: 6fcf9b1d4d6c
Syzkaller: f525fd72
Config: .config
Log: console log
Report: report
Syz repro: none
C repro: none
VM info: none
Assets: none
Manager: ci-upstream-bpf-next-kasan-gce
Title: none