From: syzbot <syzbot+9459b5d7fab774cf182f@syzkaller.appspotmail.com>
To: andrii@kernel.org, ast@kernel.org, bpf@vger.kernel.org,
daniel@iogearbox.net, eddyz87@gmail.com, haoluo@google.com,
john.fastabend@gmail.com, jolsa@kernel.org, kpsingh@kernel.org,
linux-kernel@vger.kernel.org, martin.lau@linux.dev,
netdev@vger.kernel.org, sdf@google.com, song@kernel.org,
syzkaller-bugs@googlegroups.com, yonghong.song@linux.dev
Subject: [syzbot] [bpf?] KASAN: stack-out-of-bounds Read in hash
Date: Sat, 06 Apr 2024 06:44:33 -0700 [thread overview]
Message-ID: <000000000000b97fba06156dc57b@google.com> (raw)
Hello,
syzbot found the following issue on:
HEAD commit: 443574b03387 riscv, bpf: Fix kfunc parameters incompatibil..
git tree: bpf
console+strace: https://syzkaller.appspot.com/x/log.txt?x=148ad855180000
kernel config: https://syzkaller.appspot.com/x/.config?x=6fb1be60a193d440
dashboard link: https://syzkaller.appspot.com/bug?extid=9459b5d7fab774cf182f
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13d86795180000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=143eff76180000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/3f355021a085/disk-443574b0.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/44cf4de7472a/vmlinux-443574b0.xz
kernel image: https://storage.googleapis.com/syzbot-assets/a99a36c7ad65/bzImage-443574b0.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+9459b5d7fab774cf182f@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: stack-out-of-bounds in jhash2 include/linux/jhash.h:128 [inline]
BUG: KASAN: stack-out-of-bounds in hash+0x1bf/0x410 kernel/bpf/bloom_filter.c:29
Read of size 4 at addr ffffc900039f7c00 by task syz-executor297/5079
CPU: 0 PID: 5079 Comm: syz-executor297 Not tainted 6.8.0-syzkaller-05236-g443574b03387 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e7/0x2e0 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
jhash2 include/linux/jhash.h:128 [inline]
hash+0x1bf/0x410 kernel/bpf/bloom_filter.c:29
bloom_map_peek_elem+0xb2/0x1b0 kernel/bpf/bloom_filter.c:43
bpf_prog_00798911c748094f+0x42/0x46
bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline]
__bpf_prog_run include/linux/filter.h:657 [inline]
bpf_prog_run include/linux/filter.h:664 [inline]
__bpf_trace_run kernel/trace/bpf_trace.c:2381 [inline]
bpf_trace_run2+0x204/0x420 kernel/trace/bpf_trace.c:2420
__traceiter_ext4_drop_inode+0x76/0xd0 include/trace/events/ext4.h:265
trace_ext4_drop_inode include/trace/events/ext4.h:265 [inline]
ext4_drop_inode+0x20a/0x270 fs/ext4/super.c:1450
iput_final fs/inode.c:1711 [inline]
iput+0x45e/0x900 fs/inode.c:1767
d_delete_notify include/linux/fsnotify.h:301 [inline]
vfs_rmdir+0x38f/0x4c0 fs/namei.c:4220
do_rmdir+0x3b5/0x580 fs/namei.c:4266
__do_sys_rmdir fs/namei.c:4285 [inline]
__se_sys_rmdir fs/namei.c:4283 [inline]
__x64_sys_rmdir+0x49/0x60 fs/namei.c:4283
do_syscall_64+0xfb/0x240
entry_SYSCALL_64_after_hwframe+0x6d/0x75
RIP: 0033:0x7fd25730cfb7
Code: 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 54 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff78ca7198 EFLAGS: 00000207
ORIG_RAX: 0000000000000054
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fd25730cfb7
RDX: fffffffffffff000 RSI: 0000000000000000 RDI: 00007fff78ca82c0
RBP: 0000000000000065 R08: 0000555571b9a73b R09: 0000000000000000
R10: 0000000000000100 R11: 0000000000000207 R12: 00007fff78ca82c0
R13: 0000555571b9a6c0 R14: 00007fff78ca82c0 R15: 0000000000000001
</TASK>
The buggy address belongs to stack of task syz-executor297/5079
and is located at offset 0 in frame:
bpf_trace_run2+0x0/0x420
This frame has 1 object:
[32, 48) 'args'
The buggy address belongs to the virtual mapping at
[ffffc900039f0000, ffffc900039f9000) created by:
copy_process+0x5d1/0x3df0 kernel/fork.c:2219
The buggy address belongs to the physical page:
page:ffffea00007f36c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1fcdb
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000000 0000000000000000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2dc2(GFP_KERNEL|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_ZERO), pid 5077, tgid 5077 (syz-executor297), ts 73887639293, free_ts 73091924927
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x1ea/0x210 mm/page_alloc.c:1533
prep_new_page mm/page_alloc.c:1540 [inline]
get_page_from_freelist+0x33ea/0x3580 mm/page_alloc.c:3311
__alloc_pages+0x256/0x680 mm/page_alloc.c:4569
alloc_pages_mpol+0x3de/0x650 mm/mempolicy.c:2133
vm_area_alloc_pages mm/vmalloc.c:3135 [inline]
__vmalloc_area_node mm/vmalloc.c:3211 [inline]
__vmalloc_node_range+0x9a4/0x14a0 mm/vmalloc.c:3392
alloc_thread_stack_node kernel/fork.c:309 [inline]
dup_task_struct+0x3e9/0x7d0 kernel/fork.c:1114
copy_process+0x5d1/0x3df0 kernel/fork.c:2219
kernel_clone+0x21e/0x8d0 kernel/fork.c:2796
__do_sys_clone kernel/fork.c:2939 [inline]
__se_sys_clone kernel/fork.c:2923 [inline]
__x64_sys_clone+0x258/0x2a0 kernel/fork.c:2923
do_syscall_64+0xfb/0x240
entry_SYSCALL_64_after_hwframe+0x6d/0x75
page last free pid 5072 tgid 5072 stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1140 [inline]
free_unref_page_prepare+0x968/0xa90 mm/page_alloc.c:2346
free_unref_page+0x37/0x3f0 mm/page_alloc.c:2486
mm_free_pgd kernel/fork.c:803 [inline]
__mmdrop+0xb9/0x3d0 kernel/fork.c:919
exec_mmap+0x69d/0x730 fs/exec.c:1051
begin_new_exec+0x119b/0x1ce0 fs/exec.c:1309
load_elf_binary+0x961/0x2590 fs/binfmt_elf.c:996
search_binary_handler fs/exec.c:1777 [inline]
exec_binprm fs/exec.c:1819 [inline]
bprm_execve+0xaf8/0x1790 fs/exec.c:1871
do_execveat_common+0x553/0x700 fs/exec.c:1978
do_execve fs/exec.c:2052 [inline]
__do_sys_execve fs/exec.c:2128 [inline]
__se_sys_execve fs/exec.c:2123 [inline]
__x64_sys_execve+0x92/0xb0 fs/exec.c:2123
do_syscall_64+0xfb/0x240
entry_SYSCALL_64_after_hwframe+0x6d/0x75
Memory state around the buggy address:
ffffc900039f7b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffffc900039f7b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffc900039f7c00: f1 f1 f1 f1 00 00 f3 f3 00 00 00 00 00 00 00 00
^
ffffc900039f7c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffffc900039f7d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
next reply other threads:[~2024-04-06 13:44 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-04-06 13:44 syzbot [this message]
2024-04-07 9:09 ` [syzbot] [bpf?] KASAN: stack-out-of-bounds Read in hash Hou Tao
2024-04-07 14:24 ` Alexei Starovoitov
2024-04-08 1:11 ` Hou Tao
2024-05-15 15:29 ` syzbot
2024-05-16 1:35 ` Hou Tao
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=000000000000b97fba06156dc57b@google.com \
--to=syzbot+9459b5d7fab774cf182f@syzkaller.appspotmail.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=eddyz87@gmail.com \
--cc=haoluo@google.com \
--cc=john.fastabend@gmail.com \
--cc=jolsa@kernel.org \
--cc=kpsingh@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=martin.lau@linux.dev \
--cc=netdev@vger.kernel.org \
--cc=sdf@google.com \
--cc=song@kernel.org \
--cc=syzkaller-bugs@googlegroups.com \
--cc=yonghong.song@linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).