syzbot
```
==================================================================
BUG: KASAN: stack-out-of-bounds in lookup_object lib/debugobjects.c:157 [inline]
BUG: KASAN: stack-out-of-bounds in debug_object_activate+0x641/0x690 lib/debugobjects.c:472
Read of size 8 at addr ffff88018aa58a98 by task syz-executor0/4444

CPU: 0 PID: 4444 Comm: syz-executor0 Not tainted 4.18.0-rc3+ #48
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
 print_address_description+0x6c/0x20b mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
 lookup_object lib/debugobjects.c:157 [inline]
 debug_object_activate+0x641/0x690 lib/debugobjects.c:472
 debug_rcu_head_queue kernel/rcu/rcu.h:135 [inline]
 __call_rcu.constprop.68+0xc8/0xc00 kernel/rcu/tree.c:2906
 call_rcu_sched+0x12/0x20 kernel/rcu/tree.c:2985
 ext4_destroy_inode+0xf3/0x250 fs/ext4/super.c:1057
 destroy_inode+0x159/0x200 fs/inode.c:267
 evict+0x5d5/0x990 fs/inode.c:575
 iput_final fs/inode.c:1506 [inline]
 iput+0x635/0xaa0 fs/inode.c:1532
 do_unlinkat+0x733/0xa30 fs/namei.c:4079
 __do_sys_unlink fs/namei.c:4120 [inline]
 __se_sys_unlink fs/namei.c:4118 [inline]
 __x64_sys_unlink+0x42/0x50 fs/namei.c:4118
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4558f7
Code: 0f 1f 00 b8 58 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 bd bc fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 b8 57 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 9d bc fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffd82cb40f8 EFLAGS: 00000202 ORIG_RAX: 0000000000000057
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004558f7
RDX: 00000000026749d3 RSI: 00007ffd82cb4190 RDI: 00007ffd82cb4190
RBP: 00007ffd82cb5ea0 R08: 0000000000000000 R09: 0000000000000011
R10: 000000000000000a R11: 0000000000000202 R12: 0000000002674940
R13: 0000000000000000 R14: 00007ffd82cb5870 R15: 0000000000702140

Allocated by task 29476:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:490
 kmem_cache_alloc+0x12e/0x760 mm/slab.c:3554
 kmem_cache_zalloc include/linux/slab.h:697 [inline]
 fill_pool lib/debugobjects.c:134 [inline]
 __debug_object_init+0xbe1/0x12e0 lib/debugobjects.c:377
 debug_object_init lib/debugobjects.c:429 [inline]
 debug_object_activate+0x32e/0x690 lib/debugobjects.c:510
 debug_rcu_head_queue kernel/rcu/rcu.h:135 [inline]
 __call_rcu.constprop.68+0xc8/0xc00 kernel/rcu/tree.c:2906
 kfree_call_rcu+0x15/0x20 kernel/rcu/tree.c:3027
 __free_vmap_area+0x34b/0x4e0 mm/vmalloc.c:585
 __purge_vmap_area_lazy+0x175/0x270 mm/vmalloc.c:682
 vm_unmap_aliases+0x4a1/0x610 mm/vmalloc.c:1108
 change_page_attr_set_clr+0x82b/0x11d0 arch/x86/mm/pageattr.c:1473
 change_page_attr_clear arch/x86/mm/pageattr.c:1533 [inline]
 set_memory_ro+0x7b/0xa0 arch/x86/mm/pageattr.c:1762
 bpf_jit_binary_lock_ro include/linux/filter.h:690 [inline]
 bpf_int_jit_compile+0xbba/0xe96 arch/x86/net/bpf_jit_comp.c:1168
 bpf_prog_select_runtime+0x46d/0x650 kernel/bpf/core.c:1487
 bpf_migrate_filter net/core/filter.c:1263 [inline]
 bpf_prepare_filter+0xbd6/0x1100 net/core/filter.c:1311
 __get_filter+0x1e0/0x280 net/core/filter.c:1504
 sk_attach_filter+0x1d/0x90 net/core/filter.c:1519
 tun_attach_filter drivers/net/tun.c:2786 [inline]
 __tun_chr_ioctl+0xbcd/0x4570 drivers/net/tun.c:3130
 tun_chr_ioctl+0x2a/0x40 drivers/net/tun.c:3178
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:500 [inline]
 do_vfs_ioctl+0x1de/0x1720 fs/ioctl.c:684
 ksys_ioctl+0xa9/0xd0 fs/ioctl.c:701
 __do_sys_ioctl fs/ioctl.c:708 [inline]
 __se_sys_ioctl fs/ioctl.c:706 [inline]
 __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:706
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 0:
(stack is not available)

The buggy address belongs to the object at ffff88018aa58a80
 which belongs to the cache debug_objects_cache of size 40
The buggy address is located 24 bytes inside of
 40-byte region [ffff88018aa58a80, ffff88018aa58aa8)
The buggy address belongs to the page:
page:ffffea00062a9600 count:1 mapcount:0 mapping:ffff8801da810dc0 index:0xffff88018aa58fb9
flags: 0x2fffc0000000100(slab)
raw: 02fffc0000000100 ffffea0006a60888 ffffea00070821c8 ffff8801da810dc0
raw: ffff88018aa58fb9 ffff88018aa58000 0000000100000046 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88018aa58980: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f2
 ffff88018aa58a00: f2 f2 f2 f2 f2 f2 00 f2 f2 f2 f2 f2 f2 f2 00 f2
>ffff88018aa58a80: f2 f2 f2 f2 f2 f2 f8 f2 f2 f2 f2 f2 f2 f2 00 f2
                            ^
 ffff88018aa58b00: f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88018aa58b80: 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2 f2
==================================================================
```
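To check the "stack-out-of-bounds" classification against the shadow bytes rather than trusting the header, here is an added triage script (written for this page; it is not part of syzbot or the kernel). It parses the "Read of size N at addr" line, the slab-object line and the "Memory state" dump, locates the shadow byte that the kernel's find_first_bad_addr() would have picked for the access, and decodes it using the poison values from mm/kasan/kasan.h as of the 4.18 kernel in this report (assumption: that table; later kernels renumber some values, 0xF8 in particular). It also flags when the poison class does not fit the backing allocation, which is the situation here: the faulting 8-byte granule carries KASAN_STACK_MID (0xf2), a compiler stack-redzone marker, yet the object sits 24 bytes into a 40-byte debug_objects_cache slab object. The embedded REPORT excerpt is the report's own text, not constructed data.

```python
import re

# Shadow poison values from mm/kasan/kasan.h in the 4.18 kernel this report
# came from (assumption: later kernels renumber some, 0xF8 in particular).
POISON = {
    0xFF: ("KASAN_FREE_PAGE", "use-after-free"),
    0xFE: ("KASAN_PAGE_REDZONE", "slab-out-of-bounds"),
    0xFC: ("KASAN_KMALLOC_REDZONE", "slab-out-of-bounds"),
    0xFB: ("KASAN_KMALLOC_FREE", "use-after-free"),
    0xFA: ("KASAN_GLOBAL_REDZONE", "global-out-of-bounds"),
    0xF1: ("KASAN_STACK_LEFT", "stack-out-of-bounds"),
    0xF2: ("KASAN_STACK_MID", "stack-out-of-bounds"),
    0xF3: ("KASAN_STACK_RIGHT", "stack-out-of-bounds"),
    0xF4: ("KASAN_STACK_PARTIAL", "stack-out-of-bounds"),
    0xF8: ("KASAN_USE_AFTER_SCOPE", "use-after-scope"),
    0xCA: ("KASAN_ALLOCA_LEFT", "alloca-out-of-bounds"),
    0xCB: ("KASAN_ALLOCA_RIGHT", "alloca-out-of-bounds"),
}
SLAB_POISON = {0xFB, 0xFC}  # the only poison bytes a slab object should carry
GRANULE = 8                 # KASAN_SHADOW_SCALE_SIZE: memory bytes per shadow byte
ROW_BYTES = 16 * GRANULE    # one "Memory state" row prints 16 shadow bytes

ACCESS_RE = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]{16})")
OBJECT_RE = re.compile(r"belongs to the object at ([0-9a-f]{16})\s+"
                       r"which belongs to the cache (\S+) of size (\d+)")
ROW_RE = re.compile(r"^>?\s*([0-9a-f]{16}):((?:\s+[0-9a-f]{2}){16})\s*$")


def parse_report(text):
    """Extract the access line, the slab-object line (if any) and the shadow rows."""
    m = ACCESS_RE.search(text)
    if m is None:
        raise ValueError("no 'Read/Write of size N at addr' line in report")
    info = {"kind": m.group(1), "size": int(m.group(2)),
            "addr": int(m.group(3), 16), "object": None, "rows": {}}
    o = OBJECT_RE.search(text)
    if o is not None:
        info["object"] = (int(o.group(1), 16), o.group(2), int(o.group(3)))
    in_state = False
    for line in text.splitlines():
        if line.startswith("Memory state around the buggy address"):
            in_state = True
        elif in_state and (r := ROW_RE.match(line)):
            info["rows"][int(r.group(1), 16)] = [int(b, 16) for b in r.group(2).split()]
    return info


def shadow_of(rows, addr):
    """Shadow byte covering addr, or None if that row was not dumped."""
    base = addr & ~(ROW_BYTES - 1)
    return rows[base][(addr - base) // GRANULE] if base in rows else None


def first_bad_granule(info):
    """Mirror find_first_bad_addr(): advance one granule at a time until the
    shadow byte is non-zero; that byte decides the reported bug type."""
    addr, size, rows = info["addr"], info["size"], info["rows"]
    a, s = addr, shadow_of(rows, addr)
    while s == 0 and a < addr + size:
        a += GRANULE
        s = shadow_of(rows, a)
    return a, s


def classify(text):
    info = parse_report(text)
    a, s = first_bad_granule(info)
    if s is None:
        raise ValueError("faulting address is outside the dumped shadow rows")
    if s == 0:
        name, bug = "accessible", None
    elif s < GRANULE:
        name, bug = f"partial granule ({s} bytes accessible)", "out-of-bounds"
    else:
        name, bug = POISON.get(s, (f"unknown 0x{s:02x}", "unknown"))
    result = {"access": f"{info['kind']} of size {info['size']}",
              "first_bad": a, "shadow": s, "poison": name, "bug_type": bug}
    if info["object"] is not None:
        start, cache, _objsize = info["object"]
        result["cache"] = cache
        result["object_offset"] = info["addr"] - start
        # Slab memory should only carry slab poison or accessible/partial
        # granules; stack, global or alloca markers mean the shadow no longer
        # describes the memory's current owner.
        result["poison_matches_backing"] = s < GRANULE or s in SLAB_POISON
    return result


# Excerpt of the report above (the report's own lines, not constructed data).
REPORT = """\
BUG: KASAN: stack-out-of-bounds in lookup_object lib/debugobjects.c:157 [inline]
Read of size 8 at addr ffff88018aa58a98 by task syz-executor0/4444
The buggy address belongs to the object at ffff88018aa58a80
 which belongs to the cache debug_objects_cache of size 40
Memory state around the buggy address:
 ffff88018aa58980: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f2
 ffff88018aa58a00: f2 f2 f2 f2 f2 f2 00 f2 f2 f2 f2 f2 f2 f2 00 f2
>ffff88018aa58a80: f2 f2 f2 f2 f2 f2 f8 f2 f2 f2 f2 f2 f2 f2 00 f2
                            ^
 ffff88018aa58b00: f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88018aa58b80: 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2 f2
"""

if __name__ == "__main__":
    for key, value in classify(REPORT).items():
        print(f"{key}: {value}")
```

Run it on the full report text or the excerpt; for this report it reproduces the kernel's verdict (shadow 0xf2, KASAN_STACK_MID, "stack-out-of-bounds", offset 24 into the object) and reports poison_matches_backing as False, which is the detail to carry into triage: the redzone pattern around the object (f1 f1 f1 f1 ... f2 f2 ...) is the layout of a compiler-instrumented stack frame, not of a slab page, so the shadow for this page is stale relative to the allocation in the "Allocated by" trace.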
Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title |
---|---|---|---|---|---|---|---|---|---|---|---|---|
2018/07/07 12:24 | bpf-next | d90c936fb318 | 6c0c0099 | .config | console log | report | | | | | ci-upstream-bpf-next-kasan-gce | |