Message-ID: <1df448bd-7e22-408a-807a-4f4a6c679915@I-love.SAKURA.ne.jp>
Date: Wed, 3 Jul 2024 00:21:08 +0900
Subject: Re: [syzbot] [kernel?] KASAN: stack-out-of-bounds Read in __show_regs (2)
From: Tetsuo Handa
To: Andrey Konovalov
Cc: syzbot, linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com, kasan-dev, linux-mm, bp@alien8.de, dave.hansen@linux.intel.com, hpa@zytor.com, mingo@redhat.com, tglx@linutronix.de, x86@kernel.org
References: <000000000000a8c856061ae85e20@google.com> <82cf2f25-fd3b-40a2-8d2b-a6385a585601@I-love.SAKURA.ne.jp>

On 2024/07/02 23:29, Andrey Konovalov wrote:
> One other thing that comes to mind with regards to your patch: if the
> task is still executing, the location of things on its stack might
> change due to CONFIG_RANDOMIZE_KSTACK_OFFSET while you're printing the
> task info. However, if the task is sleeping on a lock, this shouldn't
> happen... But maybe a task can wake up during sched_show_task() and
> start handling a new syscall? Just some guesses.

https://syzkaller.appspot.com/bug?extid=d7491e9e156404745fbb says that this bug happens without my patch.

It seems that this bug happens when printing registers of a preempted thread.
5.15 kernel does not have CONFIG_RANDOMIZE_KSTACK_OFFSET config option, but

  __schedule()
  preempt_schedule_irq()
  irqentry_exit_cond_resched()
  irqentry_exit()

pattern in 5.15 resembles

  __schedule()
  preempt_schedule_irq()
  irqentry_exit()

pattern in linux-next.
[ 1008.224617][T14487] task:syz-executor.1 state:R running task stack:22256 pid:14483 ppid: 434 flags:0x00004000
[ 1008.224656][T14487] Call Trace:
[ 1008.224661][T14487]
[ 1008.224669][T14487] __schedule+0xcbe/0x1580
[ 1008.224689][T14487] ? __sched_text_start+0x8/0x8
[ 1008.224709][T14487] ? ttwu_do_activate+0x15d/0x280
[ 1008.224732][T14487] ? _raw_spin_unlock_irqrestore+0x5c/0x80
[ 1008.224758][T14487] preempt_schedule_irq+0xc7/0x140
[ 1008.224781][T14487] ? __cond_resched+0x20/0x20
[ 1008.224802][T14487] ? try_invoke_on_locked_down_task+0x2a0/0x2a0
[ 1008.224829][T14487] irqentry_exit_cond_resched+0x2a/0x30
[ 1008.224851][T14487] irqentry_exit+0x30/0x40
[ 1008.224874][T14487] sysvec_apic_timer_interrupt+0x55/0xc0
[ 1008.224900][T14487] asm_sysvec_apic_timer_interrupt+0x1b/0x20
[ 1008.224923][T14487] RIP: 0010:preempt_schedule_thunk+0x5/0x18
[ 1008.224950][T14487] Code: fd 85 db 0f 84 98 00 00 00 44 8d 73 01 44 89 f6 09 de bf ff ff ff ff e8 47 e4 8f fd 41 09 de 0f 88 88 00 00 00 e8 89 e0 8f fd <4c> 89 e0 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df 0f b6 04 08 84
[ 1008.224970][T14487] RSP: 0000:0000000000000001 EFLAGS: 00000000 ORIG_RAX: 0000000000000000
[ 1008.224991][T14487] RAX: ffff88811532d948 RBX: ffffc900072ef560 RCX: ffffc900077e7680
[ 1008.225009][T14487] RDX: ffffc900072ef5b0 RSI: ffffffff8100817a RDI: dffffc0000000001
[ 1008.225027][T14487] RBP: 0000000000000001 R08: ffff88811532d948 R09: ffffc900077e7690
[ 1008.225043][T14487] R10: 1ffff92000efced2 R11: ffffffff84bfe126 R12: ffffc900077e7680
[ 1008.225062][T14487] ==================================================================
[ 1008.225071][T14487] BUG: KASAN: stack-out-of-bounds in __show_regs+0x252/0x4d0
[ 1008.225098][T14487] Read of size 8 at addr ffffc900072ef4f8 by task syz-executor.3/14487
[ 1008.225117][T14487]
[ 1008.225123][T14487] CPU: 0 PID: 14487 Comm: syz-executor.3 Not tainted 5.15.118-syzkaller-01748-g241da2ad5601 #0