From: syzbot <syzbot+0806291048161061627c@syzkaller.appspotmail.com>
To: 0x7f454c46@gmail.com, akpm@linux-foundation.org,
aou@eecs.berkeley.edu, chenhuang5@huawei.com,
linux-kernel@vger.kernel.org, linux-riscv@lists.infradead.org,
palmer@dabbelt.com, paul.walmsley@sifive.com,
syzkaller-bugs@googlegroups.com, wangkefeng.wang@huawei.com
Subject: [syzbot] KASAN: use-after-free Read in get_wchan
Date: Tue, 13 Apr 2021 22:52:20 -0700
Message-ID: <0000000000009862e005bfe859c8@google.com>
Hello,
syzbot found the following issue on:
HEAD commit: b2b3d18f riscv: Make NUMA depend on MMU
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes
console output: https://syzkaller.appspot.com/x/log.txt?x=12b59d16d00000
kernel config: https://syzkaller.appspot.com/x/.config?x=81b3e7c68dad6e
dashboard link: https://syzkaller.appspot.com/bug?extid=0806291048161061627c
userspace arch: riscv64
Unfortunately, I don't have any reproducer for this issue yet.
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+0806291048161061627c@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in walk_stackframe arch/riscv/kernel/stacktrace.c:60 [inline]
BUG: KASAN: use-after-free in get_wchan+0x156/0x196 arch/riscv/kernel/stacktrace.c:136
Read of size 8 at addr ffffffe0058e3d90 by task syz-executor.0/4667
CPU: 1 PID: 4667 Comm: syz-executor.0 Not tainted 5.12.0-rc5-syzkaller-00721-gb2b3d18fc20e #0
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffe000009706>] walk_stackframe+0x0/0x23c arch/riscv/kernel/traps.c:201
[<ffffffe002a5f182>] dump_backtrace+0x40/0x4e arch/riscv/kernel/stacktrace.c:113
[<ffffffe002a5f1b2>] show_stack+0x22/0x2e arch/riscv/kernel/stacktrace.c:118
[<ffffffe002a68a3e>] __dump_stack lib/dump_stack.c:79 [inline]
[<ffffffe002a68a3e>] dump_stack+0x148/0x1d8 lib/dump_stack.c:120
[<ffffffe0003bc802>] print_address_description.constprop.0+0x52/0x31e mm/kasan/report.c:232
[<ffffffe0003bcd24>] __kasan_report mm/kasan/report.c:399 [inline]
[<ffffffe0003bcd24>] kasan_report+0x16e/0x18c mm/kasan/report.c:416
[<ffffffe0003bd588>] check_region_inline mm/kasan/generic.c:180 [inline]
[<ffffffe0003bd588>] __asan_load8+0x6e/0x80 mm/kasan/generic.c:253
[<ffffffe000009a98>] walk_stackframe arch/riscv/kernel/stacktrace.c:60 [inline]
[<ffffffe000009a98>] get_wchan+0x156/0x196 arch/riscv/kernel/stacktrace.c:136
[<ffffffe000553364>] proc_pid_wchan+0x48/0xa4 fs/proc/base.c:390
[<ffffffe000554458>] proc_single_show+0x9c/0x13c fs/proc/base.c:774
[<ffffffe00045000c>] seq_read_iter+0x2e0/0x8f2 fs/seq_file.c:227
[<ffffffe00045081e>] seq_read+0x200/0x298 fs/seq_file.c:159
[<ffffffe0003f9210>] vfs_read+0x108/0x2ac fs/read_write.c:494
[<ffffffe0003f9724>] ksys_read+0xb4/0x1b8 fs/read_write.c:634
[<ffffffe0003f9850>] __do_sys_read fs/read_write.c:644 [inline]
[<ffffffe0003f9850>] sys_read+0x28/0x36 fs/read_write.c:642
[<ffffffe000005572>] ret_from_syscall+0x0/0x2
The buggy address belongs to the page:
page:ffffffcf0216b8c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x85ae3
flags: 0xffe000000000000()
raw: 0ffe000000000000 ffffffcf0216b8c8 ffffffcf0216b8c8 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffffffe0058e3c80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffffffe0058e3d00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffffffe0058e3d80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffffffe0058e3e00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffffffe0058e3e80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.