From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from mail-io1-f72.google.com (mail-io1-f72.google.com [209.85.166.72]) by kanga.kvack.org (Postfix) with ESMTP id 2B94A8E005B for ; Mon, 31 Dec 2018 01:38:09 -0500 (EST)
Received: by mail-io1-f72.google.com with SMTP id d63so31315748iog.4 for ; Sun, 30 Dec 2018 22:38:09 -0800 (PST)
Received: from mail-sor-f65.google.com (mail-sor-f65.google.com. [209.85.220.65]) by mx.google.com with SMTPS id t17sor74888016jad.10.2018.12.30.22.38.08 for (Google Transport Security); Sun, 30 Dec 2018 22:38:08 -0800 (PST)
MIME-Version: 1.0
References: <0000000000009e1fa9057c5fd1ae@google.com>
In-Reply-To: <0000000000009e1fa9057c5fd1ae@google.com>
From: Dmitry Vyukov
Date: Mon, 31 Dec 2018 07:37:56 +0100
Message-ID:
Subject: Re: KASAN: stack-out-of-bounds Read in __schedule (2)
Content-Type: text/plain; charset="UTF-8"
Sender: owner-linux-mm@kvack.org
List-ID:
To: syzbot
Cc: LKML , syzkaller-bugs , Linux-MM

On Thu, Dec 6, 2018 at 8:51 PM syzbot wrote:
>
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit:    d08970904582 Merge tag 'for-4.20-rc5-tag' of git://git.ker..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=106a5dd5400000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=b9cc5a440391cbfd
> dashboard link: https://syzkaller.appspot.com/bug?extid=df28818b7ebe8e7d704e
> compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
> userspace arch: i386
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=12940cfb400000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=16fb5e25400000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+df28818b7ebe8e7d704e@syzkaller.appspotmail.com

Since this involves OOMs:

#syz dup: kernel panic: corrupted stack end in wb_workfn

> kmem_cache 161KB 165KB
> Out of memory: Kill process 7764 (syz-executor613) score 0 or sacrifice child
> Killed process 7770 (syz-executor613) total-vm:18964kB, anon-rss:2124kB, file-rss:4kB, shmem-rss:0kB
> oom_reaper: reaped process 7770 (syz-executor613), now anon-rss:0kB, file-rss:0kB, shmem-rss:0kB
> ==================================================================
> BUG: KASAN: stack-out-of-bounds in schedule_debug kernel/sched/core.c:3284 [inline]
> BUG: KASAN: stack-out-of-bounds in __schedule+0x1c1b/0x21d0 kernel/sched/core.c:3394
> Read of size 8 at addr ffff8881ce710000 by task kworker/u4:4/2620
>
> CPU: 1 PID: 2620 Comm: kworker/u4:4 Not tainted 4.20.0-rc5+ #266
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> Workqueue: writeback wb_workfn (flush-8:0)
> Call Trace:
>
> The buggy address belongs to the page:
> page:ffffea000739c400 count:1 mapcount:0 mapping:0000000000000000 index:0x0
> flags: 0x2fffc0000000000()
> raw: 02fffc0000000000 dead000000000100 dead000000000200 0000000000000000
> raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
> page dumped because: kasan: bad access detected
>
> Memory state around the buggy address:
>  ffff8881ce70ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1
>  ffff8881ce70ff80: f1 00 00 f2 f2 f2 f2 f2 f2 00 f2 f2 f2 f2 f2 f2
> >ffff8881ce710000: f2 00 f2 f2 f2 f2 f2 f2 f2 00 f2 f2 f2 f2 f2 f2
>                    ^
>  ffff8881ce710080: f2 00 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00
>  ffff8881ce710100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ==================================================================
> Kernel panic - not syncing: panic_on_warn set ...
> CPU: 1 PID: 2620 Comm: kworker/u4:4 Tainted: G    B             4.20.0-rc5+ #266
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> Workqueue: writeback wb_workfn (flush-8:0)
> Call Trace:
> oom_reaper: reaped process 7789 (syz-executor613), now anon-rss:0kB, file-rss:0kB, shmem-rss:0kB
> rsyslogd invoked oom-killer: gfp_mask=0x6200ca(GFP_HIGHUSER_MOVABLE), nodemask=(null), order=0, oom_score_adj=0
> rsyslogd cpuset=/ mems_allowed=0
> Kernel Offset: disabled
> Rebooting in 86400 seconds..
>
>
> ---
> This bug is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
>
> syzbot will keep track of this bug report. See:
> https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
> syzbot.
> syzbot can test patches for this bug, for details see:
> https://goo.gl/tpsmEJ#testing-patches
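The report's "Memory state around the buggy address" dump is only useful once the shadow bytes are decoded: each printed row covers 16 shadow bytes, each shadow byte describes one 8-byte granule of kernel memory, and the poison values name the kind of redzone. The following decoder is an added example for this page; it is not syzbot, syzkaller or kernel code. The poison constants are taken from the 4.20-era kernel's mm/kasan/kasan.h (0xF1/0xF2/0xF3 stack left/mid/right redzone, 0xF4 stack partial, 0xF8 use-after-scope, 0xFA global redzone, 0xFB freed kmalloc object, 0xFC kmalloc redzone, 0xFE page redzone, 0xFF freed page); the sample input is the access line and shadow dump quoted in the report above, mail quoting included. Function and variable names are the example's own.

```python
import re

# Shadow-byte poison values from the 4.20-era kernel's mm/kasan/kasan.h.
# 0x00 means all 8 bytes of the granule are addressable; 0x01..0x07 means
# only the first N bytes of the granule are.
POISON = {
    0xF1: "stack left redzone",
    0xF2: "stack mid redzone",
    0xF3: "stack right redzone",
    0xF4: "stack partial redzone",
    0xF8: "use-after-scope",
    0xFA: "global redzone",
    0xFB: "freed kmalloc object",
    0xFC: "kmalloc redzone",
    0xFE: "page redzone",
    0xFF: "freed page",
}
GRANULE = 8      # bytes of memory described by one shadow byte
ROW_BYTES = 16   # shadow bytes per printed row, i.e. 128 bytes of memory

ROW_RE = re.compile(r"^([0-9a-f]{16}):((?:\s+[0-9a-f]{2}){16})$")
ACCESS_RE = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]{16})")

# Excerpt of the syzbot report quoted above (access line plus shadow dump),
# used here as the sample input.
REPORT = """\
> Read of size 8 at addr ffff8881ce710000 by task kworker/u4:4/2620
> Memory state around the buggy address:
>  ffff8881ce70ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1
>  ffff8881ce70ff80: f1 00 00 f2 f2 f2 f2 f2 f2 00 f2 f2 f2 f2 f2 f2
> >ffff8881ce710000: f2 00 f2 f2 f2 f2 f2 f2 f2 00 f2 f2 f2 f2 f2 f2
>                    ^
>  ffff8881ce710080: f2 00 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00
>  ffff8881ce710100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
"""


def _unquote(line):
    # Drop mail quoting ("> ") and KASAN's own ">" marker on the hit row.
    return line.lstrip("> ").rstrip()


def parse_shadow_rows(report):
    """Map each row's first memory address to its 16 shadow bytes."""
    rows = {}
    for line in report.splitlines():
        m = ROW_RE.match(_unquote(line))
        if m:
            rows[int(m.group(1), 16)] = [int(b, 16) for b in m.group(2).split()]
    return rows


def shadow_byte_for(rows, addr):
    """Shadow byte covering addr, or None if the dump does not cover it."""
    for base, shadow in rows.items():
        if base <= addr < base + ROW_BYTES * GRANULE:
            return shadow[(addr - base) // GRANULE]
    return None


def classify(shadow):
    """Human-readable meaning of one shadow byte."""
    if shadow is None:
        return "not covered by the dumped shadow"
    if shadow == 0:
        return "addressable"
    if 1 <= shadow <= 7:
        return f"partially addressable ({shadow} of 8 bytes)"
    return POISON.get(shadow, f"unknown poison 0x{shadow:02x}")


def describe_access(report):
    """Pair the 'Read/Write of size N at addr X' line with the shadow byte of
    every 8-byte granule the access touches (an unaligned or wide access can
    span several)."""
    m = ACCESS_RE.search(report)
    if not m:
        raise ValueError("no KASAN access line found")
    kind, size, addr = m.group(1), int(m.group(2)), int(m.group(3), 16)
    rows = parse_shadow_rows(report)
    first = addr - addr % GRANULE
    granules = []
    for g in range(first, addr + size, GRANULE):
        sb = shadow_byte_for(rows, g)
        granules.append((g, sb, classify(sb)))
    return {"kind": kind, "size": size, "addr": addr, "granules": granules}


if __name__ == "__main__":
    r = describe_access(REPORT)
    print(f"{r['kind']} of size {r['size']} at 0x{r['addr']:016x}")
    for g, sb, meaning in r["granules"]:
        print(f"  granule 0x{g:016x}: shadow {sb:#04x} -> {meaning}")
```

For this report the decoder resolves the 8-byte read at ffff8881ce710000 to shadow byte 0xF2, a stack mid redzone, which is why KASAN classifies it as stack-out-of-bounds rather than a heap or page fault; the shadow rows before and after it show the alternating 00/f2 pattern of a redzoned stack frame layout.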