IPVS: ftp: loaded support on port[0] = 21
IPVS: ftp: loaded support on port[0] = 21
==================================================================
BUG: KASAN: stack-out-of-bounds in unwind_next_frame.part.7+0x6c7/0x9e0 arch/x86/kernel/unwind_frame.c:308
Read of size 8 at addr ffff8801b2467fe0 by task kworker/u4:10/4741
CPU: 1 PID: 4741 Comm: kworker/u4:10 Not tainted 4.18.0-rc4+ #145
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
print_address_description+0x6c/0x20b mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
__asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
unwind_next_frame.part.7+0x6c7/0x9e0 arch/x86/kernel/unwind_frame.c:308
unwind_next_frame+0x3e/0x50 arch/x86/kernel/unwind_frame.c:287
__save_stack_trace+0x7d/0xf0 arch/x86/kernel/stacktrace.c:44
save_stack_trace+0x1a/0x20 arch/x86/kernel/stacktrace.c:60
save_stack+0x43/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553
kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:490
slab_post_alloc_hook mm/slab.h:444 [inline]
slab_alloc mm/slab.c:3392 [inline]
kmem_cache_alloc+0x11b/0x760 mm/slab.c:3552
prepare_kernel_cred+0x79/0x550 kernel/cred.c:600
call_usermodehelper_exec_async+0x124/0xa80 kernel/umh.c:82
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412
RIP: 0286:0xffff8801b2468118
Code: 95 06 10 74 a5 8a ff ff ff ff 10 74 a5 8a ff ff ff ff 00 b1 44 a7 01 88 ff ff 20 b1 44 a7 01 88 ff ff 00 00 00 00 00 00 00 00 <00> 83 46 b2 01 88 ff ff d5 e8 90 81 ff ff ff ff 00 00 00 00 00 00
RSP: ab63a8f0:ffff880100000002 EFLAGS: 00000000 ORIG_RAX: ffff8801b2468030
RAX: ffff8801b2468030 RBX: ffffffff88f92620 RCX: 1ffff1003648d002
RDX: ffff8801b24680f0 RSI: ffffffff88f92620 RDI: ffff8801ab63a0c0
RBP: ffff8801d7c1ac00 R08: ffffffff8190dbb0 R09: ffffffff88bee050
R10: 0000000041b58ab3 R11: 0000000000000000 R12: ffff8801ab63a920
R13: 1ffff1003648d002 R14: 1ffff1003648cff2 R15: 0000000000000000
The buggy address belongs to the page:
page:ffffea0006c919c0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0x2fffc0000000000()
raw: 02fffc0000000000 0000000000000000 ffffffff06c90101 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8801b2467e80: f1 f1 f1 f1 00 f2 f2 f2 f2 f2 f2 f2 00 f2 f2 f2
ffff8801b2467f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8801b2467f80: 00 00 f1 f1 f1 f1 00 f2 f2 f2 f2 f2 f2 f2 00 f2
^
ffff8801b2468000: f2 f2 f2 f2 f2 f2 00 f2 f2 f2 f2 f2 f2 f2 f8 f2
ffff8801b2468080: f2 f2 f2 f2 f2 f2 00 f2 f2 f2 00 00 00 00 00 00
==================================================================
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
CPU: 0 PID: 4693 Comm: syz-executor124 Not tainted 4.18.0-rc4+ #145
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:timerqueue_add+0xc6/0x2b0 lib/timerqueue.c:52
Code: 00 4d 8b 2f 4d 85 ed 74 4b e8 96 07 ec f9 48 8b 45 d0 80 38 00 0f 85 97 01 00 00 49 8d 7d 18 4c 8b 7b 18 48 89 f9 48 c1 e9 03 <42> 80 3c 21 00 0f 85 73 01 00 00 4d 8b 75 18 4c 89 ff 4c 89 f6 e8
RSP: 0018:ffff8801dae07a20 EFLAGS: 00010006
RAX: ffffed003b5c4caf RBX: ffff8801dae26560 RCX: 000000000836b159
RDX: 0000000000010000 RSI: ffffffff8790040a RDI: 0000000041b58acb
RBP: ffff8801dae07a60 R08: ffff8801ab63a0c0 R09: ffffed003b5c46d6
R10: ffffed003b5c46d6 R11: ffff8801dae236b3 R12: dffffc0000000000
R13: 0000000041b58ab3 R14: ffff8801ae7f7ce0 R15: 000000079a35fb00
FS: 00000000018c5880(0000) GS:ffff8801dae00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ff2e76c3af0 CR3: 00000001adeb1000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
enqueue_hrtimer+0x18e/0x540 kernel/time/hrtimer.c:960
__run_hrtimer kernel/time/hrtimer.c:1413 [inline]
__hrtimer_run_queues+0xc07/0x10c0 kernel/time/hrtimer.c:1460
hrtimer_interrupt+0x2f3/0x750 kernel/time/hrtimer.c:1518
local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1025 [inline]
smp_apic_timer_interrupt+0x165/0x730 arch/x86/kernel/apic/apic.c:1050
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:863
Modules linked in:
Dumping ftrace buffer:
(ftrace buffer empty)
======================================================
WARNING: possible circular locking dependency detected
4.18.0-rc4+ #145 Not tainted
------------------------------------------------------
syz-executor124/4693 is trying to acquire lock:
(____ptrval____) ((console_sem).lock){-...}, at: down_trylock+0x13/0x70 kernel/locking/semaphore.c:136
but task is already holding lock:
(____ptrval____) (hrtimer_bases.lock){-.-.}, at: __run_hrtimer kernel/time/hrtimer.c:1400 [inline]
(____ptrval____) (hrtimer_bases.lock){-.-.}, at: __hrtimer_run_queues+0x43c/0x10c0 kernel/time/hrtimer.c:1460
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #4 (hrtimer_bases.lock){-.-.}:
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0x96/0xc0 kernel/locking/spinlock.c:152
lock_hrtimer_base.isra.18+0x75/0x130 kernel/time/hrtimer.c:174
hrtimer_start_range_ns+0x128/0xd20 kernel/time/hrtimer.c:1113
hrtimer_start_expires include/linux/hrtimer.h:412 [inline]
start_rt_bandwidth kernel/sched/rt.c:68 [inline]
inc_rt_group kernel/sched/rt.c:1145 [inline]
inc_rt_tasks kernel/sched/rt.c:1189 [inline]
__enqueue_rt_entity kernel/sched/rt.c:1259 [inline]
enqueue_rt_entity kernel/sched/rt.c:1303 [inline]
enqueue_task_rt+0x96a/0xfd0 kernel/sched/rt.c:1333
enqueue_task+0xa2/0x1d0 kernel/sched/core.c:750
__sched_setscheduler+0xe80/0x20b0 kernel/sched/core.c:4365
_sched_setscheduler+0x20c/0x370 kernel/sched/core.c:4402
sched_setscheduler+0xe/0x10 kernel/sched/core.c:4417
watchdog_set_prio kernel/watchdog.c:455 [inline]
watchdog_enable+0x12d/0x1a0 kernel/watchdog.c:477
smpboot_thread_fn+0x4c0/0x870 kernel/smpboot.c:145
kthread+0x345/0x410 kernel/kthread.c:246
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412
-> #3 (&rt_b->rt_runtime_lock){-.-.}:
__raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
_raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:144
start_rt_bandwidth kernel/sched/rt.c:56 [inline]
inc_rt_group kernel/sched/rt.c:1145 [inline]
inc_rt_tasks kernel/sched/rt.c:1189 [inline]
__enqueue_rt_entity kernel/sched/rt.c:1259 [inline]
enqueue_rt_entity kernel/sched/rt.c:1303 [inline]
enqueue_task_rt+0x618/0xfd0 kernel/sched/rt.c:1333
enqueue_task+0xa2/0x1d0 kernel/sched/core.c:750
__sched_setscheduler+0xe80/0x20b0 kernel/sched/core.c:4365
_sched_setscheduler+0x20c/0x370 kernel/sched/core.c:4402
sched_setscheduler+0xe/0x10 kernel/sched/core.c:4417
watchdog_set_prio kernel/watchdog.c:455 [inline]
watchdog_enable+0x12d/0x1a0 kernel/watchdog.c:477
smpboot_thread_fn+0x4c0/0x870 kernel/smpboot.c:145
kthread+0x345/0x410 kernel/kthread.c:246
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412
-> #2 (&rq->lock){-.-.}:
__raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
_raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:144
rq_lock kernel/sched/sched.h:1812 [inline]
task_fork_fair+0x93/0x680 kernel/sched/fair.c:9952
sched_fork+0x446/0xb40 kernel/sched/core.c:2381
copy_process.part.39+0x1c09/0x7220 kernel/fork.c:1773
copy_process kernel/fork.c:1616 [inline]
_do_fork+0x291/0x12a0 kernel/fork.c:2099
kernel_thread+0x34/0x40 kernel/fork.c:2158
rest_init+0x22/0xe4 init/main.c:408
start_kernel+0x90e/0x949 init/main.c:738
x86_64_start_reservations+0x29/0x2b arch/x86/kernel/head64.c:452
x86_64_start_kernel+0x76/0x79 arch/x86/kernel/head64.c:433
secondary_startup_64+0xa5/0xb0 arch/x86/kernel/head_64.S:242
-> #1 (&p->pi_lock){-.-.}:
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0x96/0xc0 kernel/locking/spinlock.c:152
try_to_wake_up+0xd2/0x12b0 kernel/sched/core.c:1985
wake_up_process+0x10/0x20 kernel/sched/core.c:2148
__up.isra.1+0x1c0/0x2a0 kernel/locking/semaphore.c:262
up+0x13c/0x1c0 kernel/locking/semaphore.c:187
__up_console_sem+0xbe/0x1b0 kernel/printk/printk.c:242
console_unlock+0x7a2/0x10b0 kernel/printk/printk.c:2411
vprintk_emit+0x6c6/0xdf0 kernel/printk/printk.c:1907
vprintk_default+0x28/0x30 kernel/printk/printk.c:1948
vprintk_func+0x7a/0xe7 kernel/printk/printk_safe.c:382
printk+0xa7/0xcf kernel/printk/printk.c:1981
load_umh+0x51/0xbd net/bpfilter/bpfilter_kern.c:98
do_one_initcall+0x127/0x913 init/main.c:884
do_initcall_level init/main.c:952 [inline]
do_initcalls init/main.c:960 [inline]
do_basic_setup init/main.c:978 [inline]
kernel_init_freeable+0x49b/0x58e init/main.c:1135
kernel_init+0x11/0x1b3 init/main.c:1061
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412
-> #0 ((console_sem).lock){-...}:
lock_acquire+0x1e4/0x540 kernel/locking/lockdep.c:3924
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0x96/0xc0 kernel/locking/spinlock.c:152
down_trylock+0x13/0x70 kernel/locking/semaphore.c:136
__down_trylock_console_sem+0xae/0x200 kernel/printk/printk.c:225
console_trylock+0x15/0xa0 kernel/printk/printk.c:2230
console_trylock_spinning kernel/printk/printk.c:1643 [inline]
vprintk_emit+0x6ad/0xdf0 kernel/printk/printk.c:1906
vprintk_default+0x28/0x30 kernel/printk/printk.c:1948
vprintk_func+0x7a/0xe7 kernel/printk/printk_safe.c:382
printk+0xa7/0xcf kernel/printk/printk.c:1981
kasan_die_handler.cold.22+0x11/0x30 arch/x86/mm/kasan_init_64.c:251
notifier_call_chain+0x180/0x390 kernel/notifier.c:93
__atomic_notifier_call_chain kernel/notifier.c:183 [inline]
atomic_notifier_call_chain+0x98/0x190 kernel/notifier.c:193
notify_die+0x1be/0x2e0 kernel/notifier.c:549
do_general_protection+0x248/0x2f0 arch/x86/kernel/traps.c:559
general_protection+0x1e/0x30 arch/x86/entry/entry_64.S:1159
timerqueue_add+0xc6/0x2b0 lib/timerqueue.c:52
enqueue_hrtimer+0x18e/0x540 kernel/time/hrtimer.c:960
__run_hrtimer kernel/time/hrtimer.c:1413 [inline]
__hrtimer_run_queues+0xc07/0x10c0 kernel/time/hrtimer.c:1460
hrtimer_interrupt+0x2f3/0x750 kernel/time/hrtimer.c:1518
local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1025 [inline]
smp_apic_timer_interrupt+0x165/0x730 arch/x86/kernel/apic/apic.c:1050
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:863
other info that might help us debug this:
Chain exists of:
(console_sem).lock --> &rt_b->rt_runtime_lock --> hrtimer_bases.lock
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(hrtimer_bases.lock);
lock(&rt_b->rt_runtime_lock);
lock(hrtimer_bases.lock);
lock((console_sem).lock);
*** DEADLOCK ***
4 locks held by syz-executor124/4693:
#0: (____ptrval____) (&sb->s_type->i_mutex_key#11){+.+.}, at: inode_lock include/linux/fs.h:715 [inline]
#0: (____ptrval____) (&sb->s_type->i_mutex_key#11){+.+.}, at: __sock_release+0x8b/0x260 net/socket.c:598
#1: (____ptrval____) (rcu_read_lock){....}, at: bpf_tcp_close+0x0/0x1050 kernel/bpf/sockmap.c:2195
#2: (____ptrval____) (hrtimer_bases.lock){-.-.}, at: __run_hrtimer kernel/time/hrtimer.c:1400 [inline]
#2: (____ptrval____) (hrtimer_bases.lock){-.-.}, at: __hrtimer_run_queues+0x43c/0x10c0 kernel/time/hrtimer.c:1460
#3: (____ptrval____) (rcu_read_lock){....}, at: atomic_notifier_call_chain+0x0/0x190 kernel/notifier.c:329
stack backtrace:
CPU: 0 PID: 4693 Comm: syz-executor124 Not tainted 4.18.0-rc4+ #145
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
print_circular_bug.isra.36.cold.57+0x1bd/0x27d kernel/locking/lockdep.c:1227
check_prev_add kernel/locking/lockdep.c:1867 [inline]
check_prevs_add kernel/locking/lockdep.c:1980 [inline]
validate_chain kernel/locking/lockdep.c:2421 [inline]
__lock_acquire+0x3449/0x5020 kernel/locking/lockdep.c:3435
lock_acquire+0x1e4/0x540 kernel/locking/lockdep.c:3924
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0x96/0xc0 kernel/locking/spinlock.c:152
down_trylock+0x13/0x70 kernel/locking/semaphore.c:136
__down_trylock_console_sem+0xae/0x200 kernel/printk/printk.c:225
console_trylock+0x15/0xa0 kernel/printk/printk.c:2230
console_trylock_spinning kernel/printk/printk.c:1643 [inline]
vprintk_emit+0x6ad/0xdf0 kernel/printk/printk.c:1906
vprintk_default+0x28/0x30 kernel/printk/printk.c:1948
vprintk_func+0x7a/0xe7 kernel/printk/printk_safe.c:382
printk+0xa7/0xcf kernel/printk/printk.c:1981
kasan_die_handler.cold.22+0x11/0x30 arch/x86/mm/kasan_init_64.c:251
notifier_call_chain+0x180/0x390 kernel/notifier.c:93
__atomic_notifier_call_chain kernel/notifier.c:183 [inline]
atomic_notifier_call_chain+0x98/0x190 kernel/notifier.c:193
notify_die+0x1be/0x2e0 kernel/notifier.c:549
do_general_protection+0x248/0x2f0 arch/x86/kernel/traps.c:559
general_protection+0x1e/0x30 arch/x86/entry/entry_64.S:1159
RIP: 0010:timerqueue_add+0xc6/0x2b0 lib/timerqueue.c:52
Code: 00 4d 8b 2f 4d 85 ed 74 4b e8 96 07 ec f9 48 8b 45 d0 80 38 00 0f 85 97 01 00 00 49 8d 7d 18 4c 8b 7b 18 48 89 f9 48 c1 e9 03 <42> 80 3c 21 00 0f 85 73 01 00 00 4d 8b 75 18 4c 89 ff 4c 89 f6 e8
RSP: 0018:ffff8801dae07a20 EFLAGS: 00010006
RAX: ffffed003b5c4caf RBX: ffff8801dae26560 RCX: 000000000836b159
RDX: 0000000000010000 RSI: ffffffff8790040a RDI: 0000000041b58acb
RBP: ffff8801dae07a60 R08: ffff8801ab63a0c0 R09: ffffed003b5c46d6
R10: ffffed003b5c46d6 R11: ffff8801dae236b3 R12: dffffc0000000000
R13: 0000000041b58ab3 R14: ffff8801ae7f7ce0 R15: 000000079a35fb00
enqueue_hrtimer+0x18e/0x540 kernel/time/hrtimer.c:960
__run_hrtimer kernel/time/hrtimer.c:1413 [inline]
__hrtimer_run_queues+0xc07/0x10c0 kernel/time/hrtimer.c:1460
hrtimer_interrupt+0x2f3/0x750 kernel/time/hrtimer.c:1518
local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1025 [inline]
smp_apic_timer_interrupt+0x165/0x730 arch/x86/kernel/apic/apic.c:1050
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:863
---[ end trace dc466ab5d068ecad ]---
RIP: 0010:timerqueue_add+0xc6/0x2b0 lib/timerqueue.c:52
Code: 00 4d 8b 2f 4d 85 ed 74 4b e8 96 07 ec f9 48 8b 45 d0 80 38 00 0f 85 97 01 00 00 49 8d 7d 18 4c 8b 7b 18 48 89 f9 48 c1 e9 03 <42> 80 3c 21 00 0f 85 73 01 00 00 4d 8b 75 18 4c 89 ff 4c 89 f6 e8
RSP: 0018:ffff8801dae07a20 EFLAGS: 00010006
RAX: ffffed003b5c4caf RBX: ffff8801dae26560 RCX: 000000000836b159
RDX: 0000000000010000 RSI: ffffffff8790040a RDI: 0000000041b58acb
RBP: ffff8801dae07a60 R08: ffff8801ab63a0c0 R09: ffffed003b5c46d6
R10: ffffed003b5c46d6 R11: ffff8801dae236b3 R12: dffffc0000000000
R13: 0000000041b58ab3 R14: ffff8801ae7f7ce0 R15: 000000079a35fb00
FS: 00000000018c5880(0000) GS:ffff8801dae00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ff2e76c3af0 CR3: 00000001adeb1000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
general protection fault: 0000 [#2] SMP KASAN
CPU: 1 PID: 4741 Comm: kworker/u4:10 Tainted: G B D 4.18.0-rc4+ #145
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__x86_indirect_thunk_rax+0x10/0x20 arch/x86/lib/retpoline.S:32
Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 e8 07 00 00 00 f3 90 0f ae e8 eb f9 48 89 04 24 <missing> 0f 1f 44 00 00 66 2e 0f 1f 84 00 00 00 00 00 e8 07 00 00 00 f3
RSP: 0018:ffff8801daf07740 EFLAGS: 00010046
RAX: 1ffff10035de4f64 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff8801aef27a68
RBP: ffff8801daf07858 R08: ffff8801aef27a68 R09: ffff8801daf078a8
R10: fffffbfff11f1210 R11: ffffffff88f89083 R12: ffffffff88f890b8
R13: ffff8801ab63a908 R14: 0000000000000000 R15: dffffc0000000000
FS: 0000000000000000(0000) GS:ffff8801daf00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fc94317f760 CR3: 00000001d91d5000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000