[BUG] general protection fault in sock_map_link_update_prog - Reproducible with Syzkaller

Hi there,

I used Syzkaller and found that there is a KASAN: null-ptr-deref (general protection fault in sock_map_link_update_prog) in net/core/sock_map.c in v6.12.0-rc2, which also causes a KASAN: slab-use-after-free at the same time. It looks like a concurrency bug in the BPF-related subsystems. The reproducer is available, and I have reproduced this bug with it manually. Currently I can only reproduce this bug with root privileges.

The detailed reports, config file, and reproducer program are attached to this e-mail. If you need further details, please let me know.

Bug report message:

```
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]
CPU: 0 UID: 0 PID: 640 Comm: syz-executor229 Not tainted 6.12.0-rc2-00667-g53bac8330865 #6
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:sock_map_progs net/core/sock_map.c:1449 [inline]
RIP: 0010:sock_map_prog_link_lookup net/core/sock_map.c:1464 [inline]
RIP: 0010:sock_map_link_update_prog+0x17a/0x450 net/core/sock_map.c:1756
Code: 8b 6c 24 68 49 8d 5c 24 70 48 89 d8 48 c1 e8 03 42 0f b6 04 38 84 c0 0f 85 a3 02 00 00 8b 2b 49 8d 5d 18 48 89 d8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 0f 85 a6 02 00 00 8b 1b 48 89 df 48 c7 c6 10
RSP: 0018:ffff888003837cc8 EFLAGS: 00010206
RAX: 0000000000000003 RBX: 0000000000000018 RCX: 0000000000000000
RDX: ffff888006b95400 RSI: 000000000000000d RDI: ffff888005f91a68
RBP: 0000000000000005 R08: ffffffff99e031af R09: 1ffffffff33c0635
R10: dffffc0000000000 R11: fffffbfff33c0636 R12: ffff888005f91a00
R13: 0000000000000000 R14: ffffc90000e55000 R15: dffffc0000000000
FS:  00007f4f04921640(0000) GS:ffff88806cc00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f4f049bf7a0 CR3: 0000000006446000 CR4: 0000000000750ef0
PKRU: 55555554
Call Trace:
<TASK>
link_update+0x726/0x8a0 kernel/bpf/syscall.c:5328
__sys_bpf+0x5d5/0x7f0 kernel/bpf/syscall.c:5707
__do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
__x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5739
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xe4/0x1c0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f4f0497d73d
Code: c3 e8 37 20 00 00 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f4f049211a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00007f4f04a18228 RCX: 00007f4f0497d73d
RDX: 0000000000000010 RSI: 00000000200004c0 RDI: 000000000000001d
RBP: 00007f4f04a18220 R08: 00007f4f04921640 R09: 00007f4f04921640
R10: 00007f4f04921640 R11: 0000000000000246 R12: 00007f4f04a1822c
R13: 00007f4f049e3074 R14: 656c6c616b7a7973 R15: 00007f4f04901000
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:sock_map_progs net/core/sock_map.c:1449 [inline]
RIP: 0010:sock_map_prog_link_lookup net/core/sock_map.c:1464 [inline]
RIP: 0010:sock_map_link_update_prog+0x17a/0x450 net/core/sock_map.c:1756
Code: 8b 6c 24 68 49 8d 5c 24 70 48 89 d8 48 c1 e8 03 42 0f b6 04 38 84 c0 0f 85 a3 02 00 00 8b 2b 49 8d 5d 18 48 89 d8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 0f 85 a6 02 00 00 8b 1b 48 89 df 48 c7 c6 10
RSP: 0018:ffff888003837cc8 EFLAGS: 00010206
RAX: 0000000000000003 RBX: 0000000000000018 RCX: 0000000000000000
RDX: ffff888006b95400 RSI: 000000000000000d RDI: ffff888005f91a68
RBP: 0000000000000005 R08: ffffffff99e031af R09: 1ffffffff33c0635
R10: dffffc0000000000 R11: fffffbfff33c0636 R12: ffff888005f91a00
R13: 0000000000000000 R14: ffffc90000e55000 R15: dffffc0000000000
FS:  00007f4f04921640(0000) GS:ffff88806cc00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f4f049bf7a0 CR3: 0000000006446000 CR4: 0000000000750ef0
PKRU: 55555554
==================================================================
BUG: KASAN: slab-use-after-free in owner_on_cpu include/linux/sched.h:2171 [inline]
BUG: KASAN: slab-use-after-free in mutex_can_spin_on_owner kernel/locking/mutex.c:409 [inline]
BUG: KASAN: slab-use-after-free in mutex_optimistic_spin kernel/locking/mutex.c:452 [inline]
BUG: KASAN: slab-use-after-free in __mutex_lock_common kernel/locking/mutex.c:612 [inline]
BUG: KASAN: slab-use-after-free in __mutex_lock+0xc63/0xcd0 kernel/locking/mutex.c:752
Read of size 4 at addr ffff888006b95434 by task syz-executor229/644

CPU: 0 UID: 0 PID: 644 Comm: syz-executor229 Tainted: G      D            6.12.0-rc2-00667-g53bac8330865 #6
Tainted: [D]=DIE
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x14b/0x1c0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x171/0x750 mm/kasan/report.c:488
kasan_report+0xd2/0x110 mm/kasan/report.c:601
owner_on_cpu include/linux/sched.h:2171 [inline]
mutex_can_spin_on_owner kernel/locking/mutex.c:409 [inline]
mutex_optimistic_spin kernel/locking/mutex.c:452 [inline]
__mutex_lock_common kernel/locking/mutex.c:612 [inline]
__mutex_lock+0xc63/0xcd0 kernel/locking/mutex.c:752
sock_map_link_create+0x2b6/0x5b0 net/core/sock_map.c:1861
link_create+0x513/0x890 kernel/bpf/syscall.c:5215
__sys_bpf+0x49c/0x7f0 kernel/bpf/syscall.c:5704
__do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
__x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5739
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xe4/0x1c0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f4f0497d73d
Code: c3 e8 37 20 00 00 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f4f049211a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00007f4f04a18228 RCX: 00007f4f0497d73d
RDX: 0000000000000010 RSI: 0000000020000200 RDI: 000000000000001c
RBP: 00007f4f04a18220 R08: 00007f4f04921640 R09: 00007f4f04921640
R10: 00007f4f04921640 R11: 0000000000000246 R12: 00007f4f04a1822c
R13: 00007f4f049e3074 R14: 656c6c616b7a7973 R15: 00007f4f04901000
</TASK>

Allocated by task 639:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x2f/0x70 mm/kasan/common.c:68
unpoison_slab_object mm/kasan/common.c:319 [inline]
__kasan_slab_alloc+0x4b/0x60 mm/kasan/common.c:345
kasan_slab_alloc include/linux/kasan.h:247 [inline]
slab_post_alloc_hook mm/slub.c:4085 [inline]
slab_alloc_node mm/slub.c:4134 [inline]
kmem_cache_alloc_node_noprof+0x139/0x2e0 mm/slub.c:4186
alloc_task_struct_node kernel/fork.c:180 [inline]
dup_task_struct+0xb2/0x7d0 kernel/fork.c:1107
copy_process+0x5fa/0x3c30 kernel/fork.c:2203
kernel_clone+0x20c/0x800 kernel/fork.c:2784
__do_sys_clone3 kernel/fork.c:3088 [inline]
__se_sys_clone3 kernel/fork.c:3067 [inline]
__x64_sys_clone3+0x2e2/0x360 kernel/fork.c:3067
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xe4/0x1c0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 0:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x2f/0x70 mm/kasan/common.c:68
kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x37/0x50 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:230 [inline]
slab_free_hook mm/slub.c:2342 [inline]
slab_free mm/slub.c:4579 [inline]
kmem_cache_free+0x179/0x3e0 mm/slub.c:4681
put_task_struct include/linux/sched/task.h:144 [inline]
delayed_put_task_struct+0x114/0x2c0 kernel/exit.c:228
rcu_do_batch kernel/rcu/tree.c:2567 [inline]
rcu_core+0xcb1/0x19d0 kernel/rcu/tree.c:2823
handle_softirqs+0x24e/0x840 kernel/softirq.c:554
__do_softirq kernel/softirq.c:588 [inline]
invoke_softirq kernel/softirq.c:428 [inline]
__irq_exit_rcu+0xc2/0x160 kernel/softirq.c:637
irq_exit_rcu+0x9/0x20 kernel/softirq.c:649
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1037 [inline]
sysvec_apic_timer_interrupt+0x6e/0x80 arch/x86/kernel/apic/apic.c:1037
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702

Last potentially related work creation:
kasan_save_stack+0x2f/0x50 mm/kasan/common.c:47
__kasan_record_aux_stack mm/kasan/generic.c:541 [inline]
kasan_record_aux_stack_noalloc+0x99/0xb0 mm/kasan/generic.c:551
__call_rcu_common kernel/rcu/tree.c:3086 [inline]
call_rcu+0xd9/0xab0 kernel/rcu/tree.c:3190
context_switch kernel/sched/core.c:5325 [inline]
__schedule+0x189e/0x25c0 kernel/sched/core.c:6682
schedule_idle+0x52/0x90 kernel/sched/core.c:6800
do_idle+0x533/0x590 kernel/sched/idle.c:354
cpu_startup_entry+0x44/0x60 kernel/sched/idle.c:424
rest_init+0x2e1/0x300 init/main.c:747
start_kernel+0x47b/0x510 init/main.c:1105
x86_64_start_reservations+0x24/0x30 arch/x86/kernel/head64.c:507
x86_64_start_kernel+0x79/0x80 arch/x86/kernel/head64.c:488
common_startup_64+0x12c/0x137

The buggy address belongs to the object at ffff888006b95400
which belongs to the cache task_struct of size 6856
The buggy address is located 52 bytes inside of
freed 6856-byte region [ffff888006b95400, ffff888006b96ec8)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x6b90
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
memcg:ffff88800a08f201
flags: 0x100000000000040(head|node=0|zone=1)
page_type: f5(slab)
raw: 0100000000000040 ffff8880011a03c0 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000040004 00000001f5000000 ffff88800a08f201
head: 0100000000000040 ffff8880011a03c0 dead000000000122 0000000000000000
head: 0000000000000000 0000000000040004 00000001f5000000 ffff88800a08f201
head: 0100000000000003 ffffea00001ae401 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff888006b95300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888006b95380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888006b95400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                     ^
ffff888006b95480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888006b95500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
----------------
Code disassembly (best guess):
   0: 8b 6c 24 68          mov    0x68(%rsp),%ebp
   4: 49 8d 5c 24 70       lea    0x70(%r12),%rbx
   9: 48 89 d8             mov    %rbx,%rax
   c: 48 c1 e8 03          shr    $0x3,%rax
  10: 42 0f b6 04 38       movzbl (%rax,%r15,1),%eax
  15: 84 c0                test   %al,%al
  17: 0f 85 a3 02 00 00    jne    0x2c0
  1d: 8b 2b                mov    (%rbx),%ebp
  1f: 49 8d 5d 18          lea    0x18(%r13),%rbx
  23: 48 89 d8             mov    %rbx,%rax
  26: 48 c1 e8 03          shr    $0x3,%rax
* 2a: 42 0f b6 04 38       movzbl (%rax,%r15,1),%eax <-- trapping instruction
  2f: 84 c0                test   %al,%al
  31: 0f 85 a6 02 00 00    jne    0x2dd
  37: 8b 1b                mov    (%rbx),%ebx
  39: 48 89 df             mov    %rbx,%rdi
  3c: 48                   rex.W
  3d: c7                   .byte 0xc7
  3e: c6                   (bad)
  3f: 10                   .byte 0x10
```

 

Thanks and best regards,

Bonan

Attachment: repro.cprog
Description: repro.cprog

Attachment: repro_config
Description: repro_config


Attachment: repro.prog
Description: repro.prog

Attachment: repro.report
Description: repro.report

<<attachment: other_details.zip>>