From: syzbot <syzbot+10a7a8ca6e94600110ec@syzkaller.appspotmail.com>
To: hdanton@sina.com, linux-kernel@vger.kernel.org,
	syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] KASAN: use-after-free Read in netdev_core_pick_tx
Date: Wed, 16 Nov 2022 08:43:18 -0800	[thread overview]
Message-ID: <00000000000076a1d305ed992bfc@google.com> (raw)
In-Reply-To: <20221116084731.3123-1-hdanton@sina.com>

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

ice registered as radio22
[    9.280484][    T1] vivid-011: V4L2 transmitter device registered as radio23
[    9.281637][    T1] vivid-011: V4L2 metadata capture device registered as video53
[    9.282665][    T1] vivid-011: V4L2 metadata output device registered as video54
[    9.283695][    T1] vivid-011: V4L2 touch capture device registered as v4l-touch11
[    9.284749][    T1] vivid-012: using single planar format API
[    9.313834][    T1] vivid-012: CEC adapter cec24 registered for HDMI input 0
[    9.314750][    T1] vivid-012: V4L2 capture device registered as video55
[    9.315693][    T1] vivid-012: CEC adapter cec25 registered for HDMI output 0
[    9.316677][    T1] vivid-012: V4L2 output device registered as video56
[    9.317646][    T1] vivid-012: V4L2 capture device registered as vbi24, supports raw and sliced VBI
[    9.318291][    T1] vivid-012: V4L2 output device registered as vbi25, supports raw and sliced VBI
[    9.320037][    T1] vivid-012: V4L2 capture device registered as swradio12
[    9.321192][    T1] vivid-012: V4L2 receiver device registered as radio24
[    9.322138][    T1] vivid-012: V4L2 transmitter device registered as radio25
[    9.323120][    T1] vivid-012: V4L2 metadata capture device registered as video57
[    9.324128][    T1] vivid-012: V4L2 metadata output device registered as video58
[    9.325064][    T1] vivid-012: V4L2 touch capture device registered as v4l-touch12
[    9.326045][    T1] vivid-013: using multiplanar format API
[    9.353487][    T1] vivid-013: CEC adapter cec26 registered for HDMI input 0
[    9.354582][    T1] vivid-013: V4L2 capture device registered as video59
[    9.355753][    T1] vivid-013: CEC adapter cec27 registered for HDMI output 0
[    9.357436][    T1] vivid-013: V4L2 output device registered as video60
[    9.358424][    T1] vivid-013: V4L2 capture device registered as vbi26, supports raw and sliced VBI
[    9.359083][    T1] vivid-013: V4L2 output device registered as vbi27, supports raw and sliced VBI
[    9.359853][    T1] vivid-013: V4L2 capture device registered as swradio13
[    9.362214][    T1] vivid-013: V4L2 receiver device registered as radio26
[    9.363251][    T1] vivid-013: V4L2 transmitter device registered as radio27
[    9.364242][    T1] vivid-013: V4L2 metadata capture device registered as video61
[    9.365221][    T1] vivid-013: V4L2 metadata output device registered as video62
[    9.366272][    T1] vivid-013: V4L2 touch capture device registered as v4l-touch13
[    9.367776][    T1] vivid-014: using single planar format API
[    9.395970][    T1] vivid-014: CEC adapter cec28 registered for HDMI input 0
[    9.397055][    T1] vivid-014: V4L2 capture device registered as video63
[    9.398170][    T1] vivid-014: CEC adapter cec29 registered for HDMI output 0
[    9.399246][    T1] vivid-014: V4L2 output device registered as video64
[    9.400190][    T1] vivid-014: V4L2 capture device registered as vbi28, supports raw and sliced VBI
[    9.400893][    T1] vivid-014: V4L2 output device registered as vbi29, supports raw and sliced VBI
[    9.402605][    T1] vivid-014: V4L2 capture device registered as swradio14
[    9.403517][    T1] vivid-014: V4L2 receiver device registered as radio28
[    9.404644][    T1] vivid-014: V4L2 transmitter device registered as radio29
[    9.406460][    T1] vivid-014: V4L2 metadata capture device registered as video65
[    9.407559][    T1] vivid-014: V4L2 metadata output device registered as video66
[    9.408605][    T1] vivid-014: V4L2 touch capture device registered as v4l-touch14
[    9.409611][    T1] vivid-015: using multiplanar format API
[    9.438655][    T1] vivid-015: CEC adapter cec30 registered for HDMI input 0
[    9.439767][    T1] vivid-015: V4L2 capture device registered as video67
[    9.440915][    T1] vivid-015: CEC adapter cec31 registered for HDMI output 0
[    9.442045][    T1] vivid-015: V4L2 output device registered as video68
[    9.443006][    T1] vivid-015: V4L2 capture device registered as vbi30, supports raw and sliced VBI
[    9.443770][    T1] vivid-015: V4L2 output device registered as vbi31, supports raw and sliced VBI
[    9.445343][    T1] vivid-015: V4L2 capture device registered as swradio15
[    9.446659][    T1] vivid-015: V4L2 receiver device registered as radio30
[    9.447727][    T1] vivid-015: V4L2 transmitter device registered as radio31
[    9.449013][    T1] vivid-015: V4L2 metadata capture device registered as video69
[    9.450180][    T1] vivid-015: V4L2 metadata output device registered as video70
[    9.451250][    T1] vivid-015: V4L2 touch capture device registered as v4l-touch15
[    9.453925][    T1] usbcore: registered new interface driver radioshark2
[    9.454577][    T1] usbcore: registered new interface driver radioshark
[    9.455355][    T1] usbcore: registered new interface driver radio-si470x
[    9.456610][    T1] usbcore: registered new interface driver radio-usb-si4713
[    9.457292][    T1] usbcore: registered new interface driver dsbr100
[    9.462150][    T8] floppy0: no floppy controllers found
[    9.462792][    T8] work still pending
[    9.463392][  T983] floppy0: floppy_shutdown: timeout handler died.  
[    9.475753][    T1] usbcore: registered new interface driver radio-keene
[    9.476503][    T1] usbcore: registered new interface driver radio-ma901
[    9.477112][    T1] usbcore: registered new interface driver radio-mr800
[    9.477798][    T1] usbcore: registered new interface driver radio-raremono
[    9.481027][    T1] usbcore: registered new interface driver pcwd_usb
[    9.494826][    T1] device-mapper: core: CONFIG_IMA_DISABLE_HTABLE is disabled. Duplicate IMA measurements will not be recorded in the IMA log.
[    9.495376][    T1] device-mapper: uevent: version 1.0.3
[    9.497645][    T1] device-mapper: ioctl: 4.46.0-ioctl (2022-02-22) initialised: dm-devel@redhat.com
[    9.501149][    T1] device-mapper: multipath round-robin: version 1.2.0 loaded
[    9.501167][    T1] device-mapper: multipath queue-length: version 0.2.0 loaded
[    9.501181][    T1] device-mapper: multipath service-time: version 0.3.0 loaded
[    9.502267][    T1] device-mapper: raid: Loading target version 1.15.1
[    9.505124][    T1] Bluetooth: HCI UART driver ver 2.3
[    9.505144][    T1] Bluetooth: HCI UART protocol H4 registered
[    9.505152][    T1] Bluetooth: HCI UART protocol BCSP registered
[    9.505633][    T1] Bluetooth: HCI UART protocol LL registered
[    9.506139][    T1] Bluetooth: HCI UART protocol Three-wire (H5) registered
[    9.506647][    T1] Bluetooth: HCI UART protocol QCA registered
[    9.506658][    T1] Bluetooth: HCI UART protocol AG6XX registered
[    9.507116][    T1] Bluetooth: HCI UART protocol Marvell registered
[    9.507954][    T1] usbcore: registered new interface driver bcm203x
[    9.508662][    T1] usbcore: registered new interface driver bpa10x
[    9.509399][    T1] usbcore: registered new interface driver bfusb
[    9.510131][    T1] usbcore: registered new interface driver btusb
[    9.511709][    T1] usbcore: registered new interface driver ath3k
[    9.513851][    T1] CAPI 2.0 started up with major 68 (middleware)
[    9.513866][    T1] Modular ISDN core version 1.1.29
[    9.515537][    T1] NET: Registered PF_ISDN protocol family
[    9.515549][    T1] DSP module 2.0
[    9.515556][    T1] mISDN_dsp: DSP clocks every 80 samples. This equals 1 jiffies.
[    9.522655][    T1] mISDN: Layer-1-over-IP driver Rev. 2.00
[    9.523481][    T1] 0 virtual devices registered
[    9.524502][    T1] usbcore: registered new interface driver HFC-S_USB
[    9.524519][    T1] intel_pstate: CPU model not supported
[    9.524530][    T1] VUB300 Driver rom wait states = 1C irqpoll timeout = 0400
[    9.537137][    T1] usbcore: registered new interface driver vub300
[    9.537472][    T1] usbcore: registered new interface driver ushc
[    9.552092][    T1] iscsi: registered transport (iser)
[    9.555962][    T1] SoftiWARP attached
[    9.556710][    T1] Driver 'memconsole' was unable to register with bus_type 'coreboot' because the bus was not initialized.
[    9.556724][    T1] Driver 'vpd' was unable to register with bus_type 'coreboot' because the bus was not initialized.
[    9.577857][    T1] hid: raw HID events driver (C) Jiri Kosina
[    9.659663][    T1] usbcore: registered new interface driver usbhid
[    9.659678][    T1] usbhid: USB HID core driver
[    9.670996][    T1] usbcore: registered new interface driver es2_ap_driver
[    9.671013][    T1] comedi: version 0.7.76 - http://www.comedi.org
[    9.672407][    T1] usbcore: registered new interface driver dt9812
[    9.673045][    T1] usbcore: registered new interface driver ni6501
[    9.673705][    T1] usbcore: registered new interface driver usbdux
[    9.674341][    T1] usbcore: registered new interface driver usbduxfast
[    9.675032][    T1] usbcore: registered new interface driver usbduxsigma
[    9.675723][    T1] usbcore: registered new interface driver vmk80xx
[    9.676478][    T1] usbcore: registered new interface driver prism2_usb
[    9.677979][    T1] usbcore: registered new interface driver r8712u
[    9.678861][    T1] greybus: registered new driver hid
[    9.679716][    T1] greybus: registered new driver gbphy
[    9.681416][    T1] gb_gbphy: registered new driver usb
[    9.681426][    T1] asus_wmi: ASUS WMI generic driver loaded
[    9.810733][ T1233] CPU: 0 PID: 1233 Comm: aoe_tx0 Not tainted 5.18.0-rc7-syzkaller-dirty #0
[    9.810733][ T1233] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[    9.810733][ T1233] Call Trace:
[    9.810733][ T1233]  <TASK>
[    9.810733][ T1233]  dump_stack_lvl+0x1e3/0x2cb
[    9.810733][ T1233]  ? bfq_pos_tree_add_move+0x436/0x436
[    9.810733][ T1233]  ? panic+0x76e/0x76e
[    9.810733][ T1233]  ? vscnprintf+0x59/0x80
[    9.810733][ T1233]  ? refcount_warn_saturate+0x120/0x1a0
[    9.810733][ T1233]  panic+0x312/0x76e
[    9.810733][ T1233]  ? __warn+0x131/0x220
[    9.810733][ T1233]  ? fb_is_primary_device+0xcc/0xcc
[    9.810733][ T1233]  ? ret_from_fork+0x1f/0x30
[    9.810733][ T1233]  ? refcount_warn_saturate+0x17c/0x1a0
[    9.810733][ T1233]  __warn+0x1fa/0x220
[    9.810733][ T1233]  ? refcount_warn_saturate+0x17c/0x1a0
[    9.845860][    T1] usbcore: registered new interface driver snd-usb-audio
[    9.846654][    T1] usbcore: registered new interface driver snd-ua101
[    9.847409][    T1] usbcore: registered new interface driver snd-usb-usx2y
[    9.848855][    T1] usbcore: registered new interface driver snd-usb-us122l
[    9.853684][    T1] usbcore: registered new interface driver snd-usb-caiaq
[    9.856046][    T1] usbcore: registered new interface driver snd-usb-6fire
[    9.860384][    T1] usbcore: registered new interface driver snd-usb-hiface
[    9.863557][    T1] usbcore: registered new interface driver snd-bcd2000
[    9.864161][    T1] usbcore: registered new interface driver snd_usb_pod
[    9.864962][    T1] usbcore: registered new interface driver snd_usb_podhd
[    9.865647][    T1] usbcore: registered new interface driver snd_usb_toneport
[    9.866260][    T1] usbcore: registered new interface driver snd_usb_variax
[    9.867610][    T1] drop_monitor: Initializing network drop monitor service
[    9.868126][    T1] NET: Registered PF_LLC protocol family
[    9.868421][    T1] GACT probability on
[    9.868478][    T1] Mirror/redirect action on
[    9.868814][    T1] Simple TC action Loaded
[    9.860705][ T1233]  report_bug+0x1b1/0x2e0
[    9.860705][ T1233]  handle_bug+0x3d/0x70
[    9.860705][ T1233]  exc_invalid_op+0x16/0x40
[    9.860705][ T1233]  asm_exc_invalid_op+0x12/0x20
[    9.860705][ T1233] RIP: 0010:refcount_warn_saturate+0x17c/0x1a0
[    9.860705][ T1233] Code: e8 8a 31 c0 e8 65 80 26 fd 0f 0b e9 64 ff ff ff e8 b9 14 5d fd c6 05 bc 02 c5 09 01 48 c7 c7 80 4b e8 8a 31 c0 e8 44 80 26 fd <0f> 0b e9 43 ff ff ff 89 d9 80 e1 07 80 c1 03 38 c1 0f 8c a2 fe ff
[    9.860705][ T1233] RSP: 0000:ffffc900050afc28 EFLAGS: 00010246
[    9.860705][ T1233] RAX: f57a10d46fd60000 RBX: 0000000000000004 RCX: ffff88801e663b00
[    9.860705][ T1233] RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
[    9.860705][ T1233] RBP: 0000000000000004 R08: ffffffff816ad552 R09: fffff52000a15ed5
[    9.860705][ T1233] R10: fffff52000a15ed5 R11: 1ffff92000a15ed4 R12: ffff8881459f05b8
[    9.860705][ T1233] R13: 1ffff92000a15f8c R14: ffff8881459f0600 R15: dffffc0000000000
[    9.860705][ T1233]  ? wake_up_klogd+0xb2/0xf0
[    9.860705][ T1233]  ? refcount_warn_saturate+0x17c/0x1a0
[    9.860705][ T1233]  ref_tracker_free+0x659/0x7a0
[    9.860705][ T1233]  ? refcount_inc+0x80/0x80
[    9.860705][ T1233]  ? do_raw_spin_unlock+0x134/0x8a0
[    9.860705][ T1233]  ? _raw_spin_unlock_irq+0x1f/0x40
[    9.860705][ T1233]  ? lockdep_hardirqs_on+0x95/0x140
[    9.860705][ T1233]  tx+0xc9/0x190
[    9.860705][ T1233]  ? aoenet_xmit+0x1a0/0x1a0
[    9.860705][ T1233]  kthread+0x241/0x450
[    9.860705][ T1233]  ? aoe_ktstart+0x130/0x130
[    9.860705][ T1233]  ? do_task_dead+0xc0/0xc0
[    9.860705][ T1233]  ? _raw_spin_unlock+0x40/0x40
[    9.860705][ T1233]  ? lockdep_hardirqs_on_prepare+0x448/0x7b0
[    9.860705][ T1233]  ? __kthread_parkme+0x166/0x1c0
[    9.860705][ T1233]  kthread+0x266/0x300
[    9.860705][ T1233]  ? aoe_ktstart+0x130/0x130
[    9.860705][ T1233]  ? kthread_blkcg+0xd0/0xd0
[    9.860705][ T1233]  ret_from_fork+0x1f/0x30
[    9.860705][ T1233]  </TASK>
[    9.860705][ T1233] Kernel Offset: disabled
[    9.860705][ T1233] Rebooting in 86400 seconds..


syzkaller build log:
go env (err=<nil>)
GO111MODULE="auto"
GOARCH="amd64"
GOBIN=""
GOCACHE="/syzkaller/.cache/go-build"
GOENV="/syzkaller/.config/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/syzkaller/jobs/linux/gopath/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/syzkaller/jobs/linux/gopath"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="go1.17"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/syzkaller/jobs/linux/gopath/src/github.com/google/syzkaller/go.mod"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build3020494642=/tmp/go-build -gno-record-gcc-switches"

git status (err=<nil>)
HEAD detached at 744a39e22
nothing to commit, working tree clean


go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=744a39e220cece33e207035facce6c5ae161b775 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20220514-093120'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-fuzzer github.com/google/syzkaller/syz-fuzzer
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=744a39e220cece33e207035facce6c5ae161b775 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20220514-093120'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=744a39e220cece33e207035facce6c5ae161b775 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20220514-093120'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-stress github.com/google/syzkaller/tools/syz-stress
mkdir -p ./bin/linux_amd64
gcc -o ./bin/linux_amd64/syz-executor executor/executor.cc \
	-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -static-pie -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
	-DHOSTGOOS_linux=1 -DGIT_REVISION=\"744a39e220cece33e207035facce6c5ae161b775\"


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=125fadbe880000


Tested on:

commit:         42226c98 Linux 5.18-rc7
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel config:  https://syzkaller.appspot.com/x/.config?x=d84df8e1a4c4d5a4
dashboard link: https://syzkaller.appspot.com/bug?extid=10a7a8ca6e94600110ec
compiler:       Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
patch:          https://syzkaller.appspot.com/x/patch.diff?x=161ac065880000

