syzbot


KASAN: stack-out-of-bounds Read in rb_insert_color

Status: closed as invalid on 2018/07/08 20:58
Subsystems: kernel
First crash: 2129d, last: 2129d
Similar bugs (1):
  Kernel: upstream
  Title: KASAN: stack-out-of-bounds Read in rb_insert_color (2)
  Subsystems: kernel
  Repro: none
  Cause bisect: none
  Fix bisect: none
  Count: 1
  Last: 2123d
  Reported: 2123d
  Patched: 8/26
  Status: fixed on 2018/08/07 13:43

Sample crash report:
==================================================================
kasan: CONFIG_KASAN_INLINE enabled
BUG: KASAN: stack-out-of-bounds in __rb_insert lib/rbtree.c:126 [inline]
BUG: KASAN: stack-out-of-bounds in rb_insert_color+0xac7/0x1480 lib/rbtree.c:452
Read of size 8 at addr ffff8801b930fce0 by task syz-executor5/5953

CPU: 0 PID: 5953 Comm: syz-executor5 Not tainted 4.18.0-rc3-next-20180706+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
 print_address_description+0x6c/0x20b mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.7+0x242/0x30d mm/kasan/report.c:412
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
 __rb_insert lib/rbtree.c:126 [inline]
 rb_insert_color+0xac7/0x1480 lib/rbtree.c:452
 timerqueue_add+0x173/0x2b0 lib/timerqueue.c:58
 enqueue_hrtimer+0x18e/0x540 kernel/time/hrtimer.c:960
 __hrtimer_start_range_ns kernel/time/hrtimer.c:1089 [inline]
 hrtimer_start_range_ns+0x616/0xd20 kernel/time/hrtimer.c:1115
 hrtimer_start_expires include/linux/hrtimer.h:412 [inline]
 do_nanosleep+0x1b0/0x750 kernel/time/hrtimer.c:1686
 hrtimer_nanosleep+0x2d4/0x620 kernel/time/hrtimer.c:1743
 __do_sys_nanosleep kernel/time/hrtimer.c:1777 [inline]
 __se_sys_nanosleep kernel/time/hrtimer.c:1764 [inline]
 __x64_sys_nanosleep+0x1e7/0x280 kernel/time/hrtimer.c:1764
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4812d1
Code: 75 14 b8 23 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 e4 02 f9 ff c3 48 83 ec 08 e8 6a 74 fd ff 48 89 04 24 b8 23 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 b3 74 fd ff 48 89 d0 48 83 c4 08 48 3d 01
RSP: 002b:00007fff7c19a590 EFLAGS: 00000293 ORIG_RAX: 0000000000000023
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004812d1
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00007fff7c19a5a0
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 00007fff7c19a580 R11: 0000000000000293 R12: 000000000017b37a
R13: 0000000000000002 R14: 000000000072bea0 R15: 0000000000000001

The buggy address belongs to the page:
page:ffffea0006e4c3c0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0x2fffc0000000000()
raw: 02fffc0000000000 ffffea0006e4c708 ffffea0006e4c388 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801b930fb80: 00 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2 f2 f2 f2
 ffff8801b930fc00: f2 00 f2 f2 f2 f2 f2 f2 f2 00 f2 f2 f2 f2 f2 f2
>ffff8801b930fc80: f2 f8 f2 f2 f2 f2 f2 f2 f2 00 f2 f2 f2 00 00 00
                                                       ^
 ffff8801b930fd00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8801b930fd80: 00 00 f1 f1 f1 f1 00 f2 f2 f2 f2 f2 f2 f2 00 f2
==================================================================

A second oops, a general protection fault on CPU 1, was printed concurrently with the KASAN report above (its lines are interleaved with it in the console log):

kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
CPU: 1 PID: -2124464624 Comm: łŠľA Not tainted 4.18.0-rc3-next-20180706+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:task_css include/linux/cgroup.h:477 [inline]
RIP: 0010:task_ca kernel/sched/cpuacct.c:43 [inline]
RIP: 0010:cpuacct_account_field+0x13c/0x3b0 kernel/sched/cpuacct.c:365
Code: 9a 53 08 00 85 c0 74 0d 80 3d 5e 51 3c 08 00 0f 84 79 01 00 00 48 b8 00 00 00 00 00 fc ff df 49 8d 7d 10 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 49 02 00 00 4d 8b 65 10 49 81 fc c0 a6 f7 88 0f
RSP: 0018:ffff8801daf078e8 EFLAGS: 00010806
RAX: dffffc0000000000 RBX: dffffc0000000000 RCX: 0000000000000000
RDX: 13756fc937a87382 RSI: 0000000000000000 RDI: 9bab7e49bd439c10
RBP: ffff8801daf07978 R08: 0000000000000000 R09: 0000000000000001
R10: ffff8801daf07950 R11: dffffc0000000000 R12: ffff8801b92b6600
R13: 9bab7e49bd439c00 R14: 1ffff1003b5e0f1e R15: 00000000000f4240
FS:  00007f8873e60700(0000) GS:ffff8801daf00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fc5ea8ed000 CR3: 00000001bf06c000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 cgroup_account_cputime_field include/linux/cgroup.h:739 [inline]
 task_group_account_field kernel/sched/cputime.c:108 [inline]
 account_system_index_time+0x1dc/0x5c0 kernel/sched/cputime.c:171
 account_system_time+0x7f/0xb0 kernel/sched/cputime.c:199
 account_process_tick+0x76/0x240 kernel/sched/cputime.c:498
 update_process_times+0x21/0x70 kernel/time/timer.c:1634
 tick_sched_handle+0x9f/0x180 kernel/time/tick-sched.c:164
 tick_sched_timer+0x45/0x130 kernel/time/tick-sched.c:1274
 __run_hrtimer kernel/time/hrtimer.c:1398 [inline]
 __hrtimer_run_queues+0x3eb/0x10c0 kernel/time/hrtimer.c:1460
 hrtimer_interrupt+0x2f3/0x750 kernel/time/hrtimer.c:1518
 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1025 [inline]
 smp_apic_timer_interrupt+0x165/0x730 arch/x86/kernel/apic/apic.c:1050
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:867
 </IRQ>
Modules linked in:
Dumping ftrace buffer:
---------------------------------
syz-exec-24965   1...2 247453289us : 0: }D
syz-exec-24965   1...2 247453296us : 0: }D
syz-exec-24965   1...2 247453299us : 0: }D
syz-exec-24965   1...2 247453301us : 0: }D
syz-exec-24965   1...2 247453304us : 0: }D
syz-exec-24965   1...2 247453306us : 0: }D
syz-exec-24965   1...2 247453309us : 0: }D
syz-exec-24965   1...2 247453311us : 0: }D
syz-exec-24965   1...2 247453314us : 0: }D
syz-exec-24965   1...2 247453316us : 0: }D
syz-exec-24965   1...2 247453319us : 0: }D
syz-exec-24965   1...2 247453321us : 0: }D
syz-exec-24965   1...2 247453324us : 0: }D
syz-exec-24965   1...2 247453326us : 0: }D
syz-exec-24965   1...2 247453329us : 0: }D
syz-exec-24965   1...2 247453331us : 0: }D
syz-exec-24965   1...2 247453333us : 0: }D
syz-exec-24965   1...2 247453336us : 0: }D
syz-exec-24965   1...2 247453338us : 0: }D
syz-exec-24965   1...2 247453341us : 0: }D
syz-exec-24965   1...2 247453343us : 0: }D
syz-exec-24965   1...2 247453346us : 0: }D
syz-exec-24965   1...2 247453348us : 0: }D
syz-exec-24965   1...2 247453351us : 0: }D
syz-exec-24965   1...2 247453353us : 0: }D
syz-exec-24965   1...2 247453356us : 0: }D
syz-exec-24965   1...2 247453358us : 0: }D
syz-exec-24965   1...2 247453361us : 0: }D
syz-exec-24965   1...2 247453363us : 0: }D
syz-exec-24965   1...2 247453365us : 0: }D
syz-exec-24965   1...2 247453368us : 0: }D
syz-exec-24965   1...2 247453371us : 0: }D
syz-exec-24965   1...2 247453373us : 0: }D

Crashes (1):
  Time: 2018/07/08 18:42
  Kernel: linux-next
  Commit: 526674536360
  Syzkaller: c9a7a4dc
  Config: .config
  Log: console log
  Report: report
  Syz repro: none
  C repro: none
  VM info: none
  Assets: none
  Manager: ci-upstream-linux-next-kasan-gce-root