syzbot


KASAN: slab-out-of-bounds Read in __icmp_send

Status: closed as invalid on 2019/04/03 13:13
Subsystems: net
First crash: 1869d, last: 1869d
Cause bisection: introduced by:
commit 52dfae5c85a4c1078e9f1d5e8947d4a25f73dd81
Author: Jon Maloy <jon.maloy@ericsson.com>
Date: Thu Mar 22 19:42:52 2018 +0000

  tipc: obtain node identity from interface by default

Crash: inconsistent lock state in rhashtable_walk_enter
Repro: syz repro, .config

Sample crash report:
==================================================================
BUG: KASAN: slab-out-of-bounds in atomic_read include/asm-generic/atomic-instrumented.h:26 [inline]
BUG: KASAN: slab-out-of-bounds in queued_spin_trylock include/asm-generic/qspinlock.h:69 [inline]
BUG: KASAN: slab-out-of-bounds in do_raw_spin_trylock+0x6a/0x180 kernel/locking/spinlock_debug.c:119
Read of size 4 at addr ffff88808f90e674 by task syz-executor.3/7758

CPU: 0 PID: 7758 Comm: syz-executor.3 Not tainted 5.0.0-next-20190306 #4
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x172/0x1f0 lib/dump_stack.c:113
 print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187
 kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
 check_memory_region_inline mm/kasan/generic.c:185 [inline]
 check_memory_region+0x123/0x190 mm/kasan/generic.c:191
 kasan_check_read+0x11/0x20 mm/kasan/common.c:102
 atomic_read include/asm-generic/atomic-instrumented.h:26 [inline]
 queued_spin_trylock include/asm-generic/qspinlock.h:69 [inline]
 do_raw_spin_trylock+0x6a/0x180 kernel/locking/spinlock_debug.c:119
 __raw_spin_trylock include/linux/spinlock_api_smp.h:89 [inline]
 _raw_spin_trylock+0x1c/0x80 kernel/locking/spinlock.c:128
 spin_trylock include/linux/spinlock.h:339 [inline]
 icmp_xmit_lock net/ipv4/icmp.c:219 [inline]
 __icmp_send+0x553/0x1400 net/ipv4/icmp.c:666
 icmp_send include/net/icmp.h:47 [inline]
 __udp4_lib_rcv+0x1fb6/0x2c50 net/ipv4/udp.c:2323
 udp_rcv+0x22/0x30 net/ipv4/udp.c:2482
 ip_protocol_deliver_rcu+0x60/0x8f0 net/ipv4/ip_input.c:208
 ip_local_deliver_finish+0x23b/0x390 net/ipv4/ip_input.c:234
 NF_HOOK include/linux/netfilter.h:289 [inline]
 NF_HOOK include/linux/netfilter.h:283 [inline]
 ip_local_deliver+0x1e9/0x520 net/ipv4/ip_input.c:255
 dst_input include/net/dst.h:450 [inline]
 ip_rcv_finish+0x1e1/0x300 net/ipv4/ip_input.c:414
 NF_HOOK include/linux/netfilter.h:289 [inline]
 NF_HOOK include/linux/netfilter.h:283 [inline]
 ip_rcv+0xe8/0x3f0 net/ipv4/ip_input.c:524
 __netif_receive_skb_one_core+0x115/0x1a0 net/core/dev.c:4973
 __netif_receive_skb+0x2c/0x1c0 net/core/dev.c:5083
 process_backlog+0x206/0x750 net/core/dev.c:5923
 napi_poll net/core/dev.c:6346 [inline]
 net_rx_action+0x4fa/0x1070 net/core/dev.c:6412
 __do_softirq+0x266/0x95a kernel/softirq.c:293
 do_softirq_own_stack+0x2a/0x40 arch/x86/entry/entry_64.S:1027
 </IRQ>
 do_softirq.part.0+0x11a/0x170 kernel/softirq.c:338
 do_softirq kernel/softirq.c:330 [inline]
 __local_bh_enable_ip+0x211/0x270 kernel/softirq.c:190
 local_bh_enable include/linux/bottom_half.h:32 [inline]
 rcu_read_unlock_bh include/linux/rcupdate.h:684 [inline]
 ip_finish_output2+0x99c/0x1740 net/ipv4/ip_output.c:231
 ip_finish_output+0x73c/0xd50 net/ipv4/ip_output.c:317
 NF_HOOK_COND include/linux/netfilter.h:278 [inline]
 ip_output+0x21f/0x670 net/ipv4/ip_output.c:405
 dst_output include/net/dst.h:444 [inline]
 ip_local_out+0xc4/0x1b0 net/ipv4/ip_output.c:124
 iptunnel_xmit+0x58e/0x980 net/ipv4/ip_tunnel_core.c:91
 udp_tunnel_xmit_skb+0x236/0x310 net/ipv4/udp_tunnel.c:191
 tipc_udp_xmit.isra.0+0x805/0xcc0 net/tipc/udp_media.c:181
 tipc_udp_send_msg+0x295/0x4a0 net/tipc/udp_media.c:247
 tipc_bearer_xmit_skb+0x172/0x360 net/tipc/bearer.c:503
 tipc_enable_bearer+0xac4/0xd20 net/tipc/bearer.c:328
 __tipc_nl_bearer_enable+0x2d1/0x3b0 net/tipc/bearer.c:899
 tipc_nl_bearer_enable+0x23/0x40 net/tipc/bearer.c:907
 genl_family_rcv_msg+0x6e1/0xd90 net/netlink/genetlink.c:601
 genl_rcv_msg+0xca/0x16c net/netlink/genetlink.c:626
 netlink_rcv_skb+0x17a/0x460 net/netlink/af_netlink.c:2485
 genl_rcv+0x29/0x40 net/netlink/genetlink.c:637
 netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
 netlink_unicast+0x536/0x720 net/netlink/af_netlink.c:1336
 netlink_sendmsg+0x8ae/0xd70 net/netlink/af_netlink.c:1925
 sock_sendmsg_nosec net/socket.c:622 [inline]
 sock_sendmsg+0xdd/0x130 net/socket.c:632
 ___sys_sendmsg+0x806/0x930 net/socket.c:2137
 __sys_sendmsg+0x105/0x1d0 net/socket.c:2175
 __do_sys_sendmsg net/socket.c:2184 [inline]
 __se_sys_sendmsg net/socket.c:2182 [inline]
 __x64_sys_sendmsg+0x78/0xb0 net/socket.c:2182
 do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x457f29
Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f4d4a988c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457f29
RDX: 0000000000000000 RSI: 00000000200000c0 RDI: 0000000000000003
RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f4d4a9896d4
R13: 00000000004c537a R14: 00000000004d91c8 R15: 00000000ffffffff

Allocated by task 7729:
 save_stack+0x45/0xd0 mm/kasan/common.c:75
 set_track mm/kasan/common.c:87 [inline]
 __kasan_kmalloc mm/kasan/common.c:497 [inline]
 __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:470
 kasan_slab_alloc+0xf/0x20 mm/kasan/common.c:505
 slab_post_alloc_hook mm/slab.h:436 [inline]
 slab_alloc mm/slab.c:3392 [inline]
 kmem_cache_alloc+0x11a/0x6f0 mm/slab.c:3554
 sk_prot_alloc+0x67/0x2e0 net/core/sock.c:1601
 sk_alloc+0x39/0xf70 net/core/sock.c:1661
 inet_create net/ipv4/af_inet.c:321 [inline]
 inet_create+0x36a/0xe10 net/ipv4/af_inet.c:247
 __sock_create+0x3e6/0x750 net/socket.c:1298
 sock_create_kern+0x3b/0x50 net/socket.c:1344
 inet_ctl_sock_create+0x9d/0x1f0 net/ipv4/af_inet.c:1623
 icmp_sk_init+0x11c/0x4c0 net/ipv4/icmp.c:1204
 ops_init+0xb6/0x410 net/core/net_namespace.c:129
 setup_net+0x2c5/0x730 net/core/net_namespace.c:314
 copy_net_ns+0x1d9/0x340 net/core/net_namespace.c:437
 create_new_namespaces+0x400/0x7b0 kernel/nsproxy.c:107
 unshare_nsproxy_namespaces+0xc2/0x200 kernel/nsproxy.c:206
 ksys_unshare+0x440/0x980 kernel/fork.c:2550
 __do_sys_unshare kernel/fork.c:2618 [inline]
 __se_sys_unshare kernel/fork.c:2616 [inline]
 __x64_sys_unshare+0x31/0x40 kernel/fork.c:2616
 do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 0:
(stack is not available)

The buggy address belongs to the object at ffff88808f90e100
 which belongs to the cache RAW of size 1328
The buggy address is located 68 bytes to the right of
 1328-byte region [ffff88808f90e100, ffff88808f90e630)
The buggy address belongs to the page:
page:ffffea00023e4380 count:1 mapcount:0 mapping:ffff88821af36040 index:0x0 compound_mapcount: 0
flags: 0x1fffc0000010200(slab|head)
raw: 01fffc0000010200 ffffea0002257a08 ffffea0002194588 ffff88821af36040
raw: 0000000000000000 ffff88808f90e100 0000000100000005 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88808f90e500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88808f90e580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88808f90e600: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
                                                             ^
 ffff88808f90e680: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
 ffff88808f90e700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================

Crashes (1):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2019/03/12 05:51 linux-next cf08baa29613 12365b99 .config console log report syz ci-upstream-linux-next-kasan-gce-root
* Struck through repros no longer work on HEAD.