* [syzbot] [kvm?] KASAN: wild-memory-access Read in __timer_delete_sync
@ 2024-05-27 7:24 syzbot
2024-08-16 18:31 ` Sean Christopherson
0 siblings, 1 reply; 2+ messages in thread
From: syzbot @ 2024-05-27 7:24 UTC (permalink / raw)
To: bfoster, kent.overstreet, kvm, linux-bcachefs, linux-kernel,
syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 1613e604df0c Linux 6.10-rc1
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10672b3f180000
kernel config: https://syzkaller.appspot.com/x/.config?x=733cc7a95171d8e7
dashboard link: https://syzkaller.appspot.com/bug?extid=d74d6f2cf5cb486c708f
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: i386
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7bc7510fe41f/non_bootable_disk-1613e604.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/bdfe02141e4c/vmlinux-1613e604.xz
kernel image: https://storage.googleapis.com/syzbot-assets/9e655c2629f1/bzImage-1613e604.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d74d6f2cf5cb486c708f@syzkaller.appspotmail.com
bcachefs (loop0): shutting down
bcachefs (loop0): shutdown complete
==================================================================
BUG: KASAN: wild-memory-access in instrument_atomic_read include/linux/instrumented.h:68 [inline]
BUG: KASAN: wild-memory-access in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
BUG: KASAN: wild-memory-access in __lock_acquire+0xeba/0x3b30 kernel/locking/lockdep.c:5107
Read of size 8 at addr 1fffffff8763e898 by task syz-executor.0/11675
CPU: 0 PID: 11675 Comm: syz-executor.0 Not tainted 6.10.0-rc1-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114
kasan_report+0xd9/0x110 mm/kasan/report.c:601
check_region_inline mm/kasan/generic.c:183 [inline]
kasan_check_range+0xef/0x1a0 mm/kasan/generic.c:189
instrument_atomic_read include/linux/instrumented.h:68 [inline]
_test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
__lock_acquire+0xeba/0x3b30 kernel/locking/lockdep.c:5107
lock_acquire kernel/locking/lockdep.c:5754 [inline]
lock_acquire+0x1b1/0x560 kernel/locking/lockdep.c:5719
__timer_delete_sync+0x152/0x1b0 kernel/time/timer.c:1647
del_timer_sync include/linux/timer.h:185 [inline]
cleanup_srcu_struct+0x124/0x520 kernel/rcu/srcutree.c:659
bch2_fs_btree_iter_exit+0x46e/0x630 fs/bcachefs/btree_iter.c:3410
__bch2_fs_free fs/bcachefs/super.c:556 [inline]
bch2_fs_release+0x11b/0x810 fs/bcachefs/super.c:603
kobject_cleanup lib/kobject.c:689 [inline]
kobject_release lib/kobject.c:720 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0x1fa/0x5b0 lib/kobject.c:737
deactivate_locked_super+0xbe/0x1a0 fs/super.c:473
deactivate_super+0xde/0x100 fs/super.c:506
cleanup_mnt+0x222/0x450 fs/namespace.c:1267
task_work_run+0x14e/0x250 kernel/task_work.c:180
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
exit_to_user_mode_loop kernel/entry/common.c:114 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0x278/0x2a0 kernel/entry/common.c:218
__do_fast_syscall_32+0x80/0x120 arch/x86/entry/common.c:389
do_fast_syscall_32+0x32/0x80 arch/x86/entry/common.c:411
entry_SYSENTER_compat_after_hwframe+0x84/0x8e
RIP: 0023:0xf731b579
Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00
RSP: 002b:00000000ffc4e538 EFLAGS: 00000292 ORIG_RAX: 0000000000000034
RAX: 0000000000000000 RBX: 00000000ffc4e5e0 RCX: 0000000000000009
RDX: 00000000f7471ff4 RSI: 00000000f73c2361 RDI: 00000000ffc4f684
RBP: 00000000ffc4e5e0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000292 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
</TASK>
==================================================================
----------------
Code disassembly (best guess), 2 bytes skipped:
0: 10 06 adc %al,(%rsi)
2: 03 74 b4 01 add 0x1(%rsp,%rsi,4),%esi
6: 10 07 adc %al,(%rdi)
8: 03 74 b0 01 add 0x1(%rax,%rsi,4),%esi
c: 10 08 adc %cl,(%rax)
e: 03 74 d8 01 add 0x1(%rax,%rbx,8),%esi
1e: 00 51 52 add %dl,0x52(%rcx)
21: 55 push %rbp
22: 89 e5 mov %esp,%ebp
24: 0f 34 sysenter
26: cd 80 int $0x80
* 28: 5d pop %rbp <-- trapping instruction
29: 5a pop %rdx
2a: 59 pop %rcx
2b: c3 ret
2c: 90 nop
2d: 90 nop
2e: 90 nop
2f: 90 nop
30: 8d b4 26 00 00 00 00 lea 0x0(%rsi,%riz,1),%esi
37: 8d b4 26 00 00 00 00 lea 0x0(%rsi,%riz,1),%esi
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
* Re: [syzbot] [kvm?] KASAN: wild-memory-access Read in __timer_delete_sync
2024-05-27 7:24 [syzbot] [kvm?] KASAN: wild-memory-access Read in __timer_delete_sync syzbot
@ 2024-08-16 18:31 ` Sean Christopherson
0 siblings, 0 replies; 2+ messages in thread
From: Sean Christopherson @ 2024-08-16 18:31 UTC (permalink / raw)
To: syzbot
Cc: bfoster, kent.overstreet, kvm, linux-bcachefs, linux-kernel,
syzkaller-bugs
On Mon, May 27, 2024, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 1613e604df0c Linux 6.10-rc1
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=10672b3f180000
> kernel config: https://syzkaller.appspot.com/x/.config?x=733cc7a95171d8e7
> dashboard link: https://syzkaller.appspot.com/bug?extid=d74d6f2cf5cb486c708f
> compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> userspace arch: i386
>
> Unfortunately, I don't have any reproducer for this issue yet.
>
> Downloadable assets:
> disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7bc7510fe41f/non_bootable_disk-1613e604.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/bdfe02141e4c/vmlinux-1613e604.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/9e655c2629f1/bzImage-1613e604.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+d74d6f2cf5cb486c708f@syzkaller.appspotmail.com
>
> bcachefs (loop0): shutting down
> bcachefs (loop0): shutdown complete
> ==================================================================
> BUG: KASAN: wild-memory-access in instrument_atomic_read include/linux/instrumented.h:68 [inline]
> BUG: KASAN: wild-memory-access in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
> BUG: KASAN: wild-memory-access in __lock_acquire+0xeba/0x3b30 kernel/locking/lockdep.c:5107
> Read of size 8 at addr 1fffffff8763e898 by task syz-executor.0/11675
>
> CPU: 0 PID: 11675 Comm: syz-executor.0 Not tainted 6.10.0-rc1-syzkaller #0
> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
> Call Trace:
> <TASK>
> __dump_stack lib/dump_stack.c:88 [inline]
> dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114
> kasan_report+0xd9/0x110 mm/kasan/report.c:601
> check_region_inline mm/kasan/generic.c:183 [inline]
> kasan_check_range+0xef/0x1a0 mm/kasan/generic.c:189
> instrument_atomic_read include/linux/instrumented.h:68 [inline]
> _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
> __lock_acquire+0xeba/0x3b30 kernel/locking/lockdep.c:5107
> lock_acquire kernel/locking/lockdep.c:5754 [inline]
> lock_acquire+0x1b1/0x560 kernel/locking/lockdep.c:5719
> __timer_delete_sync+0x152/0x1b0 kernel/time/timer.c:1647
> del_timer_sync include/linux/timer.h:185 [inline]
> cleanup_srcu_struct+0x124/0x520 kernel/rcu/srcutree.c:659
> bch2_fs_btree_iter_exit+0x46e/0x630 fs/bcachefs/btree_iter.c:3410
> __bch2_fs_free fs/bcachefs/super.c:556 [inline]
> bch2_fs_release+0x11b/0x810 fs/bcachefs/super.c:603
> kobject_cleanup lib/kobject.c:689 [inline]
> kobject_release lib/kobject.c:720 [inline]
> kref_put include/linux/kref.h:65 [inline]
> kobject_put+0x1fa/0x5b0 lib/kobject.c:737
> deactivate_locked_super+0xbe/0x1a0 fs/super.c:473
> deactivate_super+0xde/0x100 fs/super.c:506
> cleanup_mnt+0x222/0x450 fs/namespace.c:1267
> task_work_run+0x14e/0x250 kernel/task_work.c:180
> resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
> exit_to_user_mode_loop kernel/entry/common.c:114 [inline]
> exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
> __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
> syscall_exit_to_user_mode+0x278/0x2a0 kernel/entry/common.c:218
> __do_fast_syscall_32+0x80/0x120 arch/x86/entry/common.c:389
> do_fast_syscall_32+0x32/0x80 arch/x86/entry/common.c:411
> entry_SYSENTER_compat_after_hwframe+0x84/0x8e
> RIP: 0023:0xf731b579
> Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00
> RSP: 002b:00000000ffc4e538 EFLAGS: 00000292 ORIG_RAX: 0000000000000034
> RAX: 0000000000000000 RBX: 00000000ffc4e5e0 RCX: 0000000000000009
> RDX: 00000000f7471ff4 RSI: 00000000f73c2361 RDI: 00000000ffc4f684
> RBP: 00000000ffc4e5e0 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000292 R12: 0000000000000000
> R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
> </TASK>
> ==================================================================
Re-labeling this to bcachefs, as only one of the splats directly involves KVM,
there were past failures in KVM that were likely caused by bcachefs, and in the
one splat that hit KVM, squashfs complained about possible data corruption between
bcachefs unmounting and KVM dying (see below).
#syz set subsystems: bcachefs
[ 212.712001][ T5229] bcachefs (loop2): shutting down
[ 212.714390][ T5229] bcachefs (loop2): going read-only
[ 212.716673][ T5229] bcachefs (loop2): finished waiting for writes to stop
[ 212.724653][ T5229] bcachefs (loop2): flushing journal and stopping allocators, journal seq 12
[ 212.740723][ T5229] bcachefs (loop2): flushing journal and stopping allocators complete, journal seq 14
[ 212.746964][ T5229] bcachefs (loop2): shutdown complete, journal seq 15
[ 212.750429][ T5229] bcachefs (loop2): marking filesystem clean
...
[ 212.875663][ T9117] loop1: detected capacity change from 0 to 8
[ 212.899637][ T9117] SQUASHFS error: zlib decompression failed, data probably corrupt
[ 212.903051][ T9117] SQUASHFS error: Failed to read block 0x4e8: -5
[ 213.053013][ T9115] ==================================================================
[ 213.056197][ T9115] BUG: KASAN: wild-memory-access in __lock_acquire+0xeba/0x3b30
[ 213.059059][ T9115] Read of size 8 at addr 1fffffff905a0b18 by task syz-executor.1/9115
[ 213.061962][ T9115]
[ 213.062917][ T9115] CPU: 2 PID: 9115 Comm: syz-executor.1 Not tainted 6.10.0-rc5-syzkaller-00012-g626737a5791b #0
[ 213.068867][ T9115] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
[ 213.072893][ T9115] Call Trace:
[ 213.074033][ T9115] <TASK>
[ 213.075190][ T9115] dump_stack_lvl+0x116/0x1f0
[ 213.076947][ T9115] kasan_report+0xd9/0x110
[ 213.082231][ T9115] kasan_check_range+0xef/0x1a0
[ 213.083875][ T9115] __lock_acquire+0xeba/0x3b30
[ 213.089050][ T9115] lock_acquire+0x1b1/0x560
[ 213.096435][ T9115] __timer_delete_sync+0x152/0x1b0
[ 213.100058][ T9115] cleanup_srcu_struct+0x124/0x520
[ 213.102146][ T9115] kvm_put_kvm+0x8d3/0xb80
[ 213.105999][ T9115] kvm_vm_release+0x42/0x60
[ 213.107840][ T9115] __fput+0x408/0xbb0
[ 213.109579][ T9115] __fput_sync+0x47/0x50
[ 213.111404][ T9115] __ia32_sys_close+0x86/0x100
[ 213.113458][ T9115] __do_fast_syscall_32+0x73/0x120
[ 213.115472][ T9115] do_fast_syscall_32+0x32/0x80
[ 213.117549][ T9115] entry_SYSENTER_compat_after_hwframe+0x84/0x8e
[ 213.146118][ T9115] </TASK>
[ 213.147157][ T9115] ==================================================================