From: Arnd Bergmann
Date: Tue, 16 Mar 2021 16:44:45 +0100
Subject: Re: [syzbot] kernel panic: corrupted stack end in openat
To: Dmitry Vyukov
Cc: syzbot, Russell King - ARM Linux, Linus Walleij, Linux ARM, Andrew Morton, LKML, Linux-MM, syzkaller-bugs

On Tue, Mar 16, 2021 at 11:17 AM Dmitry Vyukov wrote:
> On Tue, Mar 16, 2021 at 11:02 AM Arnd Bergmann wrote:
> > On Tue, Mar 16, 2021 at 8:18 AM syzbot wrote:
> > > > [<8073772c>] (integrity_kernel_read) from [<8073a904>] (ima_calc_file_hash_tfm+0x178/0x228 security/integrity/ima/ima_crypto.c:484)
> > > > [<8073a78c>] (ima_calc_file_hash_tfm) from [<8073ae2c>] (ima_calc_file_shash security/integrity/ima/ima_crypto.c:515 [inline])
> > > > [<8073a78c>] (ima_calc_file_hash_tfm) from [<8073ae2c>] (ima_calc_file_hash+0x124/0x8b8 security/integrity/ima/ima_crypto.c:572)
> >
> > ima_calc_file_hash_tfm() has a SHASH_DESC_ON_STACK(), which by itself can
> > use up 512 bytes, but KASAN sometimes triples this number. However, I see
> > you do not actually have KASAN enabled, so there is probably more to it.
>
> The compiler is gcc version 10.2.1 20210110 (Debian 10.2.1-6)

Ok, building with Ubuntu 10.2.1-1ubuntu1 20201207 locally, that's the
closest I have installed, and I think the Debian and Ubuntu versions are
generally quite close in case of gcc since they are maintained by the
same packagers.

I see ima_calc_field_array_hash_tfm() shows up as one of the larger
stack users, but not alarmingly high:

../security/integrity/ima/ima_crypto.c: In function ‘ima_calc_field_array_hash_tfm’:
../security/integrity/ima/ima_crypto.c:624:1: warning: the frame size of 664 bytes is larger than 600 bytes [-Wframe-larger-than=]

None of the other functions from the call chain have more than 600 bytes
in this combination of config/compiler/sourcetree. In combination, I
don't get to more than ~2300 bytes:

[<818033d8>] (panic) 52
[<8181f5b8>] (__schedule) 0
[<81820430>] (preempt_schedule_common) 0
[<818204dc>] (preempt_schedule) 0
[<8048c7c0>] (kernel_init_free_pages) 148
[<804916ac>] (get_page_from_freelist) 212
[<80493264>] (__alloc_pages_nodemask) 44
[<8042f034>] (page_cache_ra_unbounded) 36
[<8042f2c8>] (do_page_cache_ra) 28
[<8042f418>] (ondemand_readahead) 0
[<8042f894>] (page_cache_async_ra) 68
[<80420ac8>] (filemap_get_pages) 120
[<80421110>] (filemap_read) 36
[<804215f0>] (generic_file_read_iter) 8
[<805ff430>] (ext4_file_read_iter) 96
[<804da3cc>] (__kernel_read) 8
[<8073772c>] (integrity_kernel_read) 412
[<8073a78c>] (ima_calc_file_hash_tfm) 164
[<8073ad08>] (ima_calc_file_hash) 106
[<8073bf84>] (ima_collect_measurement) 332
[<80738fec>] (process_measurement) 24
[<8073979c>] (ima_file_check) 172
[<804ec66c>] (path_openat) 152
[<804ef670>] (do_filp_open) 40
[<804d79c4>] (do_sys_openat2)

> Re printing FP, syzbot does not use custom patches:
> http://bit.do/syzbot#no-custom-patches
> But this does not seem to be syzbot-specific. It seems that any arm32
> stack overflow report will be unactionable, so I think it would be
> useful to include this into the mainline kernel to make overflow
> reports useful for everybody (and for syzbot as a side effect).

ok.

       Arnd
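To check the "~2300 bytes" figure from the per-function stack-usage listing above, here is an added script (not part of the thread) that parses entries in the "[<addr>] (function) bytes" layout shown in the mail, sums the frame sizes along the call chain, and lists frames above the 600-byte -Wframe-larger-than threshold from the gcc warning. The sample chain is copied from the mail as constructed input; the parser tolerates the entry with a missing ')' and the final entry that carries no size.

```python
import re

# Constructed sample: the call chain quoted in the mail, as "[<addr>] (function) bytes".
# One entry lacks its ')' and the last (do_sys_openat2) has no size figure.
SAMPLE_CHAIN = """\
[<818033d8>] (panic) 52
[<8181f5b8>] (__schedule) 0
[<81820430>] (preempt_schedule_common) 0
[<818204dc>] (preempt_schedule) 0
[<8048c7c0>] (kernel_init_free_pages) 148
[<804916ac>] (get_page_from_freelist 212
[<80493264>] (__alloc_pages_nodemask) 44
[<8042f034>] (page_cache_ra_unbounded) 36
[<8042f2c8>] (do_page_cache_ra) 28
[<8042f418>] (ondemand_readahead) 0
[<8042f894>] (page_cache_async_ra) 68
[<80420ac8>] (filemap_get_pages) 120
[<80421110>] (filemap_read) 36
[<804215f0>] (generic_file_read_iter) 8
[<805ff430>] (ext4_file_read_iter) 96
[<804da3cc>] (__kernel_read) 8
[<8073772c>] (integrity_kernel_read) 412
[<8073a78c>] (ima_calc_file_hash_tfm) 164
[<8073ad08>] (ima_calc_file_hash) 106
[<8073bf84>] (ima_collect_measurement) 332
[<80738fec>] (process_measurement) 24
[<8073979c>] (ima_file_check) 172
[<804ec66c>] (path_openat) 152
[<804ef670>] (do_filp_open) 40
[<804d79c4>] (do_sys_openat2)
"""

# addr, function name (stops at whitespace or ')'), optional ')' and optional size
FRAME_RE = re.compile(r"\[<([0-9a-f]+)>\]\s+\(([^\s)]+)\)?\s*(\d+)?$")

def parse_chain(text):
    """Return a list of (addr, function, frame_bytes); frame_bytes is None if absent."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            size = int(m.group(3)) if m.group(3) is not None else None
            frames.append((m.group(1), m.group(2), size))
    return frames

def total_depth(frames):
    """Sum of the known frame sizes along the chain, in bytes."""
    return sum(s for _, _, s in frames if s is not None)

def large_frames(frames, limit=600):
    return [(f, s) for _, f, s in frames if s is not None and s > limit]  # over -Wframe-larger-than=
```

Running total_depth() on the sample gives 2258 bytes, which is the "~2300" Arnd quotes, and large_frames() at the 600-byte limit is empty, matching his observation that none of the listed functions exceed it.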