From: Arnd Bergmann <arnd@arndb.de>
To: Dmitry Vyukov <dvyukov@google.com>
Cc: syzbot <syzbot+0b06ef9b44d00d600183@syzkaller.appspotmail.com>,
Russell King - ARM Linux <linux@armlinux.org.uk>,
Linus Walleij <linus.walleij@linaro.org>,
Linux ARM <linux-arm-kernel@lists.infradead.org>,
Andrew Morton <akpm@linux-foundation.org>,
LKML <linux-kernel@vger.kernel.org>,
Linux-MM <linux-mm@kvack.org>,
syzkaller-bugs <syzkaller-bugs@googlegroups.com>
Subject: Re: [syzbot] kernel panic: corrupted stack end in openat
Date: Tue, 16 Mar 2021 11:02:29 +0100 [thread overview]
Message-ID: <CAK8P3a1qtHVBY47FfCa6R9+sObzMCwxkREii+O2g8PPopw87eQ@mail.gmail.com> (raw)
In-Reply-To: <CACT4Y+Yaq-zDh5FAzHt4g-5jXrXC3rSLw6CM=kjcfR6oxJ1+CA@mail.gmail.com>
On Tue, Mar 16, 2021 at 8:59 AM Dmitry Vyukov <dvyukov@google.com> wrote:
>
> On Tue, Mar 16, 2021 at 8:18 AM syzbot
> <syzbot+0b06ef9b44d00d600183@syzkaller.appspotmail.com> wrote:
> >
> > Hello,
> >
> > syzbot found the following issue on:
> >
> > HEAD commit: 1e28eed1 Linux 5.12-rc3
> > git tree: upstream
> > console output: https://syzkaller.appspot.com/x/log.txt?x=167535e6d00000
> > kernel config: https://syzkaller.appspot.com/x/.config?x=e0cee1f53de33ca3
> > dashboard link: https://syzkaller.appspot.com/bug?extid=0b06ef9b44d00d600183
> > userspace arch: arm
> >
> > Unfortunately, I don't have any reproducer for this issue yet.
> >
> > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > Reported-by: syzbot+0b06ef9b44d00d600183@syzkaller.appspotmail.com
>
> +arm32 maintainer
> I think this is a real stack overflow on arm32, the stack is indeed deep.
Nice find. I see there was already a second report, so it seems to be
reproducible as well.
If you are able to trigger this reliably, you could try printing the frame
pointer while unwinding to see what is actually going on:
--- a/arch/arm/kernel/traps.c
+++ b/arch/arm/kernel/traps.c
@@ -68,8 +68,8 @@ void dump_backtrace_entry(unsigned long where,
unsigned long from,
unsigned long end = frame + 4 + sizeof(struct pt_regs);
#ifdef CONFIG_KALLSYMS
- printk("%s[<%08lx>] (%ps) from [<%08lx>] (%pS)\n",
- loglvl, where, (void *)where, from, (void *)from);
+ printk("%s[<%08lx>] (%ps) from [<%08lx>] (%pS), frame %08lx\n",
+ loglvl, where, (void *)where, from, (void *)from, frame);
#else
printk("%sFunction entered at [<%08lx>] from [<%08lx>]\n",
loglvl, where, from);
If that doesn't help, I could have a look at the binary to see which
functions in the call chain take a lot of stack space, if any.
Which exact compiler version do you use for building these
kernels? I can try doing a build with the same commit and config.
This one function is one that I have seen before when looking at build
warnings with KASAN:
> > [<8073772c>] (integrity_kernel_read) from [<8073a904>] (ima_calc_file_hash_tfm+0x178/0x228 security/integrity/ima/ima_crypto.c:484)
> > [<8073a78c>] (ima_calc_file_hash_tfm) from [<8073ae2c>] (ima_calc_file_shash security/integrity/ima/ima_crypto.c:515 [inline])
> > [<8073a78c>] (ima_calc_file_hash_tfm) from [<8073ae2c>] (ima_calc_file_hash+0x124/0x8b8 security/integrity/ima/ima_crypto.c:572)
ima_calc_file_hash_tfm() has a SHASH_DESC_ON_STACK(), which by itself can
use up 512 bytes, but KASAN sometimes triples this number. However, I see
you do not actually have KASAN enabled, so there is probably more to it.
Arnd
next prev parent reply other threads:[~2021-03-16 10:02 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-03-16 7:18 syzbot
2021-03-16 7:59 ` Dmitry Vyukov
2021-03-16 9:24 ` Russell King - ARM Linux admin
2021-03-16 9:51 ` Dmitry Vyukov
2021-03-16 10:02 ` Arnd Bergmann [this message]
2021-03-16 10:17 ` Dmitry Vyukov
2021-03-16 15:44 ` Arnd Bergmann
2021-03-16 15:51 ` Russell King - ARM Linux admin
2021-03-16 16:03 ` Dmitry Vyukov
2021-03-16 16:03 ` Arnd Bergmann
2021-03-16 16:13 ` Dmitry Vyukov
2021-03-16 16:28 ` Arnd Bergmann
2021-03-17 7:47 ` Dmitry Vyukov
2021-03-17 8:31 ` Arnd Bergmann
2021-03-17 8:50 ` Dmitry Vyukov
2021-03-16 10:37 ` Ard Biesheuvel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAK8P3a1qtHVBY47FfCa6R9+sObzMCwxkREii+O2g8PPopw87eQ@mail.gmail.com \
--to=arnd@arndb.de \
--cc=akpm@linux-foundation.org \
--cc=dvyukov@google.com \
--cc=linus.walleij@linaro.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux@armlinux.org.uk \
--cc=syzbot+0b06ef9b44d00d600183@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox