syzbot


KASAN: stack-out-of-bounds Read in cpuacct_charge

Status: closed as invalid on 2018/07/07 19:58
Subsystems: cgroups
First crash: 2454d, last: 2454d

Sample crash report:
==================================================================
BUG: KASAN: stack-out-of-bounds in task_css include/linux/cgroup.h:477 [inline]
BUG: KASAN: stack-out-of-bounds in task_ca kernel/sched/cpuacct.c:43 [inline]
BUG: KASAN: stack-out-of-bounds in cpuacct_charge+0x533/0x5d0 kernel/sched/cpuacct.c:349
Read of size 8 at addr ffff8801b19bc490 by task syz-executor4/4482

CPU: 1 PID: 4482 Comm: syz-executor4 Not tainted 4.18.0-rc3+ #48
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
 print_address_description+0x6c/0x20b mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
 task_css include/linux/cgroup.h:477 [inline]
 task_ca kernel/sched/cpuacct.c:43 [inline]
 cpuacct_charge+0x533/0x5d0 kernel/sched/cpuacct.c:349
 cgroup_account_cputime include/linux/cgroup.h:724 [inline]
 update_curr+0x389/0xc00 kernel/sched/fair.c:832
 dequeue_entity+0xd9/0x15e0 kernel/sched/fair.c:4288
 dequeue_task_fair+0xf2/0x9e0 kernel/sched/fair.c:5455
 dequeue_task kernel/sched/core.c:762 [inline]
 deactivate_task+0xf3/0x330 kernel/sched/core.c:778
 __schedule+0x9c9/0x1ed0 kernel/sched/core.c:3454
 schedule+0xfb/0x450 kernel/sched/core.c:3548
 freezable_schedule include/linux/freezer.h:172 [inline]
 do_nanosleep+0x20e/0x750 kernel/time/hrtimer.c:1689
 hrtimer_nanosleep+0x2d4/0x620 kernel/time/hrtimer.c:1743
 __do_sys_nanosleep kernel/time/hrtimer.c:1777 [inline]
 __se_sys_nanosleep kernel/time/hrtimer.c:1764 [inline]
 __x64_sys_nanosleep+0x1e7/0x280 kernel/time/hrtimer.c:1764
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4812b0
Code: 05 48 3d 01 f0 ff ff 0f 83 0d 03 f9 ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 83 3d a1 51 5c 00 00 75 14 b8 23 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 e4 02 f9 ff c3 48 83 ec 08 e8 6a 74 fd ff
RSP: 002b:00007ffc7ec39228 EFLAGS: 00000246 ORIG_RAX: 0000000000000023
RAX: ffffffffffffffda RBX: 00000000000344df RCX: 00000000004812b0
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00007ffc7ec39230
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000001f31940
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000006
R13: 00000000000006f3 R14: 00007ffc7ec398f0 R15: 0000000000034488

Allocated by task 0:
(stack is not available)

Freed by task 0:
(stack is not available)

The buggy address belongs to the object at ffff8801b19bc480
 which belongs to the cache kmalloc-1024 of size 1024
The buggy address is located 16 bytes inside of
 1024-byte region [ffff8801b19bc480, ffff8801b19bc880)
The buggy address belongs to the page:
page:ffffea0006c66f00 count:1 mapcount:0 mapping:ffff8801da800ac0 index:0x0
 compound_mapcount: 0
flags: 0x2fffc0000008100(slab|head)
raw: 02fffc0000008100 ffffea0006b66508 ffffea0006c65e88 ffff8801da800ac0
raw: 0000000000000000 ffff8801b19bc000 0000000100000007 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801b19bc380: 00 00 00 f1 f1 f1 f1 00 f2 f2 f2 f2 f2 f2 f2 00
 ffff8801b19bc400: f2 f2 f2 f2 f2 f2 f2 00 f2 f2 f2 f2 f2 f2 f2 f8
>ffff8801b19bc480: f2 f2 f2 f2 f2 f2 f2 00 f2 f2 f2 00 00 00 00 00
                         ^
 ffff8801b19bc500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8801b19bc580: f1 f1 f1 f1 00 f2 f2 f2 f2 f2 f2 f2 00 f2 f2 f2
==================================================================

Second crash from the same console log, on CPU 0 (its lines were interleaved with the KASAN report above):
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
CPU: 0 PID: 22633 Comm: syz-executor4 Not tainted 4.18.0-rc3+ #48
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:cgroup_rstat_cpu kernel/cgroup/rstat.c:12 [inline]
RIP: 0010:cgroup_rstat_updated+0x1c0/0x470 kernel/cgroup/rstat.c:54
Code: 85 84 02 00 00 4c 8b 34 dd 60 1e d1 88 48 b8 00 00 00 00 00 fc ff df 4b 8d 14 3e 4d 8d bc 24 78 03 00 00 4c 89 fe 48 c1 ee 03 <80> 3c 06 00 0f 85 7e 02 00 00 48 8d 7a 38 49 8b 84 24 78 03 00 00
RSP: 0018:ffff8801dae07900 EFLAGS: 00010002
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 1ffffffff11a23cc
RDX: ffff8801647d8638 RSI: 0000000020000091 RDI: ffff8801dae26680
RBP: ffff8801dae07948 R08: ffffed003b5c4cd1 R09: ffffed003b5c4cd0
R10: ffffed003b5c4cd0 R11: ffff8801dae26683 R12: 0000000100000110
R13: ffffffff8aa58410 R14: ffff8801dae00000 R15: 0000000100000488
FS:  00007fcb65251700(0000) GS:ffff8801dae00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000001d0d978 CR3: 00000001ae435000 CR4: 00000000001406f0
DR0: 0000000020000000 DR1: 0000000020000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
Call Trace:
 <IRQ>
 cgroup_base_stat_cputime_account_end kernel/cgroup/rstat.c:358 [inline]
 __cgroup_account_cputime_field+0xa4/0xf0 kernel/cgroup/rstat.c:392
 cgroup_account_cputime_field include/linux/cgroup.h:744 [inline]
 task_group_account_field kernel/sched/cputime.c:108 [inline]
 account_system_index_time+0x2fb/0x5c0 kernel/sched/cputime.c:171
 account_system_time+0x7f/0xb0 kernel/sched/cputime.c:199
 account_process_tick+0x76/0x240 kernel/sched/cputime.c:498
 update_process_times+0x21/0x70 kernel/time/timer.c:1634
 tick_sched_handle+0x9f/0x180 kernel/time/tick-sched.c:164
 tick_sched_timer+0x45/0x130 kernel/time/tick-sched.c:1274
 __run_hrtimer kernel/time/hrtimer.c:1398 [inline]
 __hrtimer_run_queues+0x3eb/0x10c0 kernel/time/hrtimer.c:1460
 hrtimer_interrupt+0x2f3/0x750 kernel/time/hrtimer.c:1518
 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1025 [inline]
 smp_apic_timer_interrupt+0x165/0x730 arch/x86/kernel/apic/apic.c:1050
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:863
 </IRQ>
Modules linked in:
Dumping ftrace buffer:
---------------------------------

Crashes (1):
Time: 2018/07/07 18:50
Kernel: bpf-next
Commit: d90c936fb318
Syzkaller: ab89aea9
Config: .config
Log: console log
Report: report
Syz repro: -
C repro: -
VM info: -
Assets: -
Manager: ci-upstream-bpf-next-kasan-gce
Title: -