syzbot


KASAN: stack-out-of-bounds Read in __handle_mm_fault (2)

Status: fixed on 2018/08/07 13:43
Subsystems: kernel
Fix commit: 99ba2b5aba24 bpf: sockhash, disallow bpf_tcp_close and update in parallel
First crash: 2276d, last: 2274d
Similar bugs (1):
  Kernel: upstream
  Title: KASAN: stack-out-of-bounds Read in __handle_mm_fault
  Subsystems: mm
  Repro: C
  Count: 2
  Last: 2287d
  Reported: 2287d
  Patched: 0/28
  Status: closed as invalid on 2018/07/08 13:28

Sample crash report:
random: sshd: uninitialized urandom read (32 bytes read)
IPVS: ftp: loaded support on port[0] = 21
==================================================================
BUG: KASAN: stack-out-of-bounds in create_huge_pud mm/memory.c:3893 [inline]
BUG: KASAN: stack-out-of-bounds in __handle_mm_fault+0x3aa3/0x4460 mm/memory.c:4041
------------[ cut here ]------------
Read of size 8 at addr ffff8801bc61c010 by task syz-executor300/4452

do_IRQ(): syz-executor300 has overflown the kernel stack (cur:ffff8801be608000,sp:ffff8801ba769dd8,irq stk top-bottom:ffff8801daf00080-ffff8801daf08000,exception stk top-bottom:fffffe0000038080-fffffe0000042000,ip:lock_release+0x4f5/0xa30)
CPU: 0 PID: 4452 Comm: syz-executor300 Not tainted 4.18.0-rc3+ #58
WARNING: CPU: 1 PID: 4519 at arch/x86/kernel/irq_64.c:63 stack_overflow_check arch/x86/kernel/irq_64.c:60 [inline]
WARNING: CPU: 1 PID: 4519 at arch/x86/kernel/irq_64.c:63 handle_irq+0x1fb/0x2e7 arch/x86/kernel/irq_64.c:72
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Kernel panic - not syncing: panic_on_warn set ...

Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
 print_address_description+0x6c/0x20b mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
 create_huge_pud mm/memory.c:3893 [inline]
 __handle_mm_fault+0x3aa3/0x4460 mm/memory.c:4041
 handle_mm_fault+0x53e/0xc80 mm/memory.c:4133
 __do_page_fault+0x620/0xe50 arch/x86/mm/fault.c:1396
 do_page_fault+0xf6/0x8c0 arch/x86/mm/fault.c:1471
 page_fault+0x1e/0x30 arch/x86/entry/entry_64.S:1160
RIP: 0033:0x4762d0
Code: Bad RIP value.
RSP: 002b:00007ffe1c597258 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000030 RCX: 00000000004762d0
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00007ffe1c597260
RBP: 0000000000000030 R08: 0000000000000001 R09: 0000000000f4b940
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000000a
R13: 000000000000aa6a R14: 0000000000000000 R15: 0000000000000000

CPU: 1 PID: 4519 Comm: syz-executor300 Not tainted 4.18.0-rc3+ #58
The buggy address belongs to the page:
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
page:ffffea0006f18700 count:1 mapcount:0 mapping:0000000000000000 index:0x0
Call Trace:
 <IRQ>
flags: 0x2fffc0000000000()
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
raw: 02fffc0000000000 dead000000000100 0000000000000000 0000000000000000
raw: 0000000000000000 ffff8801cd6259a0 00000001ffffffff 0000000000000000
 panic+0x238/0x4e7 kernel/panic.c:184
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801bc61bf00: f8 f2 f2 f2 f2 f2 f2 f2 00 f2 f2 f2 00 00 00 00
 ffff8801bc61bf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 __warn.cold.8+0x163/0x1ba kernel/panic.c:536
>ffff8801bc61c000: 00 f1 f1 f1 f1 00 f2 f2 f2 f2 f2 f2 f2 00 f2 f2
                         ^
 ffff8801bc61c080: f2 f2 f2 f2 f2 00 f2 f2 f2 f2 f2 f2 f2 f8 f2 f2
 report_bug+0x252/0x2d0 lib/bug.c:186
 ffff8801bc61c100: f2 f2 f2 f2 f2 00 f2 f2 f2 00 00 00 00 00 00 00
 fixup_bug arch/x86/kernel/traps.c:178 [inline]
 do_error_trap+0x1fc/0x4d0 arch/x86/kernel/traps.c:296
==================================================================
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
 do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:316
CPU: 0 PID: 4452 Comm: syz-executor300 Tainted: G    B             4.18.0-rc3+ #58
 invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:992
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:stack_overflow_check arch/x86/kernel/irq_64.c:60 [inline]
RIP: 0010:handle_irq+0x1fb/0x2e7 arch/x86/kernel/irq_64.c:72
RIP: 0010:__read_once_size include/linux/compiler.h:188 [inline]
RIP: 0010:compound_head include/linux/page-flags.h:142 [inline]
RIP: 0010:PageLocked include/linux/page-flags.h:272 [inline]
RIP: 0010:pmd_trans_migrating+0x13f/0x250 mm/migrate.c:1940
Code: 00 Code: 00 ff ff b6 48 b8 80 00 00 00 00 00 00 48 00 00 c7 ea ff c7 ff 4c 80 bc 21 f3 e4 87 48 c1 41 54 eb 06 41 48 01 55 65 c3 48 48 8b b8 00 04 25 00 40 ee 00 00 01 00 00 fc 48 ff df 05 48 8d 68 06 7b 00 08 00 48 48 89 89 c6 fa e8 85 48 c1 b3 ea 03 1c <80> 3c 00 <0f> 02 00 0b 0f 85 48 83 e1 00 c4 00 00 18 e9 4d 8d 3f ff 75 c0 ff ff 4c 8b 48 7b 08 89 75 48 e0 b8 e8 41 00 00 ba 8f 00 48 8b
RSP: 0000:ffff8801ad4b7538 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 000029fffe228000 RCX: ffffffff81bb92f6
RDX: 0000053fffc45001 RSI: ffffffff81bb9316 RDI: 000029fffe228008
RSP: 0018:ffff8801daf07f58 EFLAGS: 00010082
RBP: ffff8801ad4b7600 R08: ffff8801ad556040 R09: ffffed0039ac4b34
R10: ffffed0039ac4b34 R11: ffff8801cd6259a3 R12: 1ffff10035a96ea7
RAX: 0000000000000000 RBX: ffff8801ce23e900 RCX: 0000000000000000
RDX: 0000000000010000 RSI: ffffffff81631851 RDI: 0000000000000001
R13: ffff8801ad4b75d8 R14: ffffffff88beff90 R15: 0000000000000000
RBP: ffff8801daf07fb0 R08: ffff8801d8d4c780 R09: ffffed003b5e3ec2
FS:  0000000000f4b940(0000) GS:ffff8801dae00000(0000) knlGS:0000000000000000
R10: ffffed003b5e3ec2 R11: ffff8801daf1f617 R12: fffffe0000042000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000004762a6 CR3: 00000001c69b0000 CR4: 00000000001406f0
R13: fffffe0000038080 R14: 0000000000000026 R15: 0000000000000000
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 do_IRQ+0x78/0x190 arch/x86/kernel/irq.c:245
 common_interrupt+0xf/0xf arch/x86/entry/entry_64.S:642
 </IRQ>
 do_huge_pmd_numa_page+0x3d3/0x1c30 mm/huge_memory.c:1481
 __handle_mm_fault+0x1b82/0x4460 mm/memory.c:4083
 handle_mm_fault+0x53e/0xc80 mm/memory.c:4133
 __do_page_fault+0x620/0xe50 arch/x86/mm/fault.c:1396
 do_page_fault+0xf6/0x8c0 arch/x86/mm/fault.c:1471
 page_fault+0x1e/0x30 arch/x86/entry/entry_64.S:1160
RIP: 0033:0x4762d0
Code: Bad RIP value.
RSP: 002b:00007ffe1c597258 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000030 RCX: 00000000004762d0
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00007ffe1c597260
RBP: 0000000000000030 R08: 0000000000000001 R09: 0000000000f4b940
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000000a
R13: 000000000000aa6a R14: 0000000000000000 R15: 0000000000000000
Modules linked in:
Dumping ftrace buffer:
   (ftrace buffer empty)
Dumping ftrace buffer:
   (ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..

Crashes (3):
  2018/07/21 01:09  Kernel: bpf-next  Commit: 8ae71e76cf1f  Syzkaller: af255b09  Artifacts: .config, console log, report, syz repro, C repro  Manager: ci-upstream-bpf-next-kasan-gce
  2018/07/20 16:03  Kernel: net-next-old  Commit: a3eed83a1895  Syzkaller: 49f35839  Artifacts: .config, console log, report, syz repro, C repro  Manager: ci-upstream-net-kasan-gce
  2018/07/18 20:02  Kernel: bpf-next  Commit: 8ae71e76cf1f  Syzkaller: 809256c3  Artifacts: .config, console log, report  Manager: ci-upstream-bpf-next-kasan-gce