* [syzbot] upstream test error: BUG: stack guard page was hit in corrupted
@ 2024-09-18 22:23 syzbot
From: syzbot @ 2024-09-18 22:23 UTC (permalink / raw)
  To: linux-kernel, syzkaller-bugs

Hello,

syzbot found the following issue on:

HEAD commit:    4a39ac5b7d62 Merge tag 'random-6.12-rc1-for-linus' of git:..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=153e7fc7980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=c78e7c8f41d443e6
dashboard link: https://syzkaller.appspot.com/bug?extid=d5db198a0f40411f24c3
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/f4127f9a9466/disk-4a39ac5b.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/23dcf778c269/vmlinux-4a39ac5b.xz
kernel image: https://storage.googleapis.com/syzbot-assets/386c61739e91/bzImage-4a39ac5b.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d5db198a0f40411f24c3@syzkaller.appspotmail.com

BUG: TASK stack guard page was hit at ffffc9000005fff8 (stack is ffffc90000060000..ffffc90000068000)
Oops: stack guard page: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.11.0-syzkaller-05319-g4a39ac5b7d62 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
RIP: 0010:error_entry+0xd/0x140 arch/x86/entry/entry_64.S:1007
Code: fd ff ff 85 db 0f 85 8e fd ff ff 0f 01 f8 e9 86 fd ff ff 66 2e 0f 1f 84 00 00 00 00 00 56 48 8b 74 24 08 48 89 7c 24 08 52 51 <50> 41 50 41 51 41 52 41 53 53 55 41 54 41 55 41 56 41 57 56 31 f6
RSP: 0000:ffffc90000060000 EFLAGS: 00010046
RAX: 0000000000000002 RBX: ffffc90000060088 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff8b20128d RDI: ffffffff8bb130e0
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff8880b8800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffc9000005fff8 CR3: 000000000dd7c000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <#DF>
 </#DF>
 <TASK>
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:error_entry+0xd/0x140 arch/x86/entry/entry_64.S:1007
Code: fd ff ff 85 db 0f 85 8e fd ff ff 0f 01 f8 e9 86 fd ff ff 66 2e 0f 1f 84 00 00 00 00 00 56 48 8b 74 24 08 48 89 7c 24 08 52 51 <50> 41 50 41 51 41 52 41 53 53 55 41 54 41 55 41 56 41 57 56 31 f6
RSP: 0000:ffffc90000060000 EFLAGS: 00010046
RAX: 0000000000000002 RBX: ffffc90000060088 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff8b20128d RDI: ffffffff8bb130e0
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff8880b8800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffc9000005fff8 CR3: 000000000dd7c000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess), 3 bytes skipped:
   0:	85 db                	test   %ebx,%ebx
   2:	0f 85 8e fd ff ff    	jne    0xfffffd96
   8:	0f 01 f8             	swapgs
   b:	e9 86 fd ff ff       	jmp    0xfffffd96
  10:	66 2e 0f 1f 84 00 00 	cs nopw 0x0(%rax,%rax,1)
  17:	00 00 00
  1a:	56                   	push   %rsi
  1b:	48 8b 74 24 08       	mov    0x8(%rsp),%rsi
  20:	48 89 7c 24 08       	mov    %rdi,0x8(%rsp)
  25:	52                   	push   %rdx
  26:	51                   	push   %rcx
* 27:	50                   	push   %rax <-- trapping instruction
  28:	41 50                	push   %r8
  2a:	41 51                	push   %r9
  2c:	41 52                	push   %r10
  2e:	41 53                	push   %r11
  30:	53                   	push   %rbx
  31:	55                   	push   %rbp
  32:	41 54                	push   %r12
  34:	41 55                	push   %r13
  36:	41 56                	push   %r14
  38:	41 57                	push   %r15
  3a:	56                   	push   %rsi
  3b:	31 f6                	xor    %esi,%esi


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup


* Re: [syzbot] upstream test error: BUG: stack guard page was hit in corrupted
@ 2024-09-23 14:04 ` Tetsuo Handa
From: Tetsuo Handa @ 2024-09-23 14:04 UTC (permalink / raw)
  To: syzbot, syzkaller-bugs, Dmitry Vyukov; +Cc: linux-kernel

This bug suggests code added by commit 6cd0dd934b03 ("kcov: Add interrupt handling self test").

The location that triggers the page fault looks like

  pos = READ_ONCE(area[0]) + 1;

in __sanitizer_cov_trace_pc().
When is t->kcov_area initialized with an appropriate buffer
after selftest() does current->kcov_mode = KCOV_MODE_TRACE_PC?

At commit de5cb0dcb74c ("Merge branch 'address-masking'"):
$ ./scripts/faddr2line vmlinux-de5cb0dc asm_exc_page_fault+0x26/0x30 sched_clock+0xb/0x60 __sanitizer_cov_trace_pc+0x53/0x70 sched_clock+0xb/0x60 lock_pin_lock+0x1a9/0x2d0 preempt_schedule_irq+0x51/0x90 __schedule+0x2f2/0x5920 lockdep_hardirqs_on+0x7c/0x110 preempt_schedule_thunk+0x1a/0x30 preempt_schedule_common+0x44/0xc0 preempt_schedule_thunk+0x1a/0x30 __pfx___schedule+0x10/0x10 vprintk_emit+0x39e/0x6f0 __pfx_vprintk_emit+0x10/0x10 __debugfs_create_file+0x40e/0x660 __pfx_lock_release+0x10/0x10 preempt_schedule_irq+0x51/0x90 irqentry_exit+0x36/0x90 asm_sysvec_apic_timer_interrupt+0x1a/0x20 __wake_up_klogd.part.0+0x99/0xf0 vprintk+0x86/0xa0 kcov_init+0xcc/0x120 kcov_init+0xb3/0x120
asm_exc_page_fault+0x26/0x30:
asm_exc_page_fault at arch/x86/include/asm/idtentry.h:623

sched_clock+0xb/0x60:
__preempt_count_add at arch/x86/include/asm/preempt.h:79
(inlined by) sched_clock at arch/x86/kernel/tsc.c:283

__sanitizer_cov_trace_pc+0x53/0x70:
__sanitizer_cov_trace_pc at kernel/kcov.c:222

sched_clock+0xb/0x60:
__preempt_count_add at arch/x86/include/asm/preempt.h:79
(inlined by) sched_clock at arch/x86/kernel/tsc.c:283

lock_pin_lock+0x1a9/0x2d0:
__lock_pin_lock at kernel/locking/lockdep.c:5593
(inlined by) lock_pin_lock at kernel/locking/lockdep.c:5915

preempt_schedule_irq+0x51/0x90:
native_save_fl at arch/x86/include/asm/irqflags.h:26
(inlined by) arch_local_save_flags at arch/x86/include/asm/irqflags.h:87
(inlined by) arch_irqs_disabled at arch/x86/include/asm/irqflags.h:147
(inlined by) preempt_schedule_irq at kernel/sched/core.c:6997

__schedule+0x2f2/0x5920:
__schedule at kernel/sched/core.c:6579

lockdep_hardirqs_on+0x7c/0x110:
lockdep_hardirqs_on at kernel/locking/lockdep.c:4465

preempt_schedule_thunk+0x1a/0x30:
preempt_schedule_thunk at arch/x86/entry/thunk.S:12

preempt_schedule_common+0x44/0xc0:
__preempt_count_sub at arch/x86/include/asm/preempt.h:84
(inlined by) preempt_schedule_common at kernel/sched/core.c:6855

preempt_schedule_thunk+0x1a/0x30:
preempt_schedule_thunk at arch/x86/entry/thunk.S:12

__pfx___schedule+0x10/0x10:
__schedule at kernel/sched/core.c:6533

vprintk_emit+0x39e/0x6f0:
vprintk_emit at kernel/printk/printk.c:2356

__pfx_vprintk_emit+0x10/0x10:
vprintk_emit at kernel/printk/printk.c:2356

__debugfs_create_file+0x40e/0x660:
end_creating at fs/debugfs/inode.c:409
(inlined by) __debugfs_create_file at fs/debugfs/inode.c:450

__pfx_lock_release+0x10/0x10:
lock_release at kernel/locking/lockdep.c:5830

preempt_schedule_irq+0x51/0x90:
native_save_fl at arch/x86/include/asm/irqflags.h:26
(inlined by) arch_local_save_flags at arch/x86/include/asm/irqflags.h:87
(inlined by) arch_irqs_disabled at arch/x86/include/asm/irqflags.h:147
(inlined by) preempt_schedule_irq at kernel/sched/core.c:6997

irqentry_exit+0x36/0x90:
irqentry_exit at kernel/entry/common.c:357

asm_sysvec_apic_timer_interrupt+0x1a/0x20:
asm_sysvec_apic_timer_interrupt at arch/x86/include/asm/idtentry.h:702

__wake_up_klogd.part.0+0x99/0xf0:
__wake_up_klogd at kernel/printk/printk.c:4495

vprintk+0x86/0xa0:
vprintk at kernel/printk/printk_safe.c:69

kcov_init+0xcc/0x120:
selftest at kernel/kcov.c:1090
(inlined by) kcov_init at kernel/kcov.c:1117

kcov_init+0xb3/0x120:
selftest at kernel/kcov.c:1088
(inlined by) kcov_init at kernel/kcov.c:1117

On 2024/09/19 7:23, syzbot wrote:
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    4a39ac5b7d62 Merge tag 'random-6.12-rc1-for-linus' of git:..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=153e7fc7980000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=c78e7c8f41d443e6
> dashboard link: https://syzkaller.appspot.com/bug?extid=d5db198a0f40411f24c3
> compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40


* Re: [syzbot] upstream test error: BUG: stack guard page was hit in corrupted
@ 2024-09-26  6:48   ` Dmitry Vyukov
From: Dmitry Vyukov @ 2024-09-26  6:48 UTC (permalink / raw)
  To: Tetsuo Handa, syzkaller, Marco Elver, Alexander Potapenko
  Cc: syzbot, syzkaller-bugs, linux-kernel

On Mon, 23 Sept 2024 at 16:04, Tetsuo Handa
<penguin-kernel@i-love.sakura.ne.jp> wrote:
>
> This bug suggests code added by commit 6cd0dd934b03 ("kcov: Add interrupt handling self test").
>
> The location that triggers the page fault looks like
>
>   pos = READ_ONCE(area[0]) + 1;
>
> in __sanitizer_cov_trace_pc().
> When is t->kcov_area initialized with an appropriate buffer
> after selftest() does current->kcov_mode = KCOV_MODE_TRACE_PC?
>
> At commit de5cb0dcb74c ("Merge branch 'address-masking'"):
> $ ./scripts/faddr2line vmlinux-de5cb0dc asm_exc_page_fault+0x26/0x30 sched_clock+0xb/0x60 __sanitizer_cov_trace_pc+0x53/0x70 sched_clock+0xb/0x60 lock_pin_lock+0x1a9/0x2d0 preempt_schedule_irq+0x51/0x90 __schedule+0x2f2/0x5920 lockdep_hardirqs_on+0x7c/0x110 preempt_schedule_thunk+0x1a/0x30 preempt_schedule_common+0x44/0xc0 preempt_schedule_thunk+0x1a/0x30 __pfx___schedule+0x10/0x10 vprintk_emit+0x39e/0x6f0 __pfx_vprintk_emit+0x10/0x10 __debugfs_create_file+0x40e/0x660 __pfx_lock_release+0x10/0x10 preempt_schedule_irq+0x51/0x90 irqentry_exit+0x36/0x90 asm_sysvec_apic_timer_interrupt+0x1a/0x20 __wake_up_klogd.part.0+0x99/0xf0 vprintk+0x86/0xa0 kcov_init+0xcc/0x120 kcov_init+0xb3/0x120
> asm_exc_page_fault+0x26/0x30:
> asm_exc_page_fault at arch/x86/include/asm/idtentry.h:623
>
> sched_clock+0xb/0x60:
> __preempt_count_add at arch/x86/include/asm/preempt.h:79
> (inlined by) sched_clock at arch/x86/kernel/tsc.c:283
>
> __sanitizer_cov_trace_pc+0x53/0x70:
> __sanitizer_cov_trace_pc at kernel/kcov.c:222
>
> sched_clock+0xb/0x60:
> __preempt_count_add at arch/x86/include/asm/preempt.h:79
> (inlined by) sched_clock at arch/x86/kernel/tsc.c:283
>
> lock_pin_lock+0x1a9/0x2d0:
> __lock_pin_lock at kernel/locking/lockdep.c:5593
> (inlined by) lock_pin_lock at kernel/locking/lockdep.c:5915
>
> preempt_schedule_irq+0x51/0x90:
> native_save_fl at arch/x86/include/asm/irqflags.h:26
> (inlined by) arch_local_save_flags at arch/x86/include/asm/irqflags.h:87
> (inlined by) arch_irqs_disabled at arch/x86/include/asm/irqflags.h:147
> (inlined by) preempt_schedule_irq at kernel/sched/core.c:6997
>
> __schedule+0x2f2/0x5920:
> __schedule at kernel/sched/core.c:6579
>
> lockdep_hardirqs_on+0x7c/0x110:
> lockdep_hardirqs_on at kernel/locking/lockdep.c:4465
>
> preempt_schedule_thunk+0x1a/0x30:
> preempt_schedule_thunk at arch/x86/entry/thunk.S:12
>
> preempt_schedule_common+0x44/0xc0:
> __preempt_count_sub at arch/x86/include/asm/preempt.h:84
> (inlined by) preempt_schedule_common at kernel/sched/core.c:6855
>
> preempt_schedule_thunk+0x1a/0x30:
> preempt_schedule_thunk at arch/x86/entry/thunk.S:12
>
> __pfx___schedule+0x10/0x10:
> __schedule at kernel/sched/core.c:6533
>
> vprintk_emit+0x39e/0x6f0:
> vprintk_emit at kernel/printk/printk.c:2356
>
> __pfx_vprintk_emit+0x10/0x10:
> vprintk_emit at kernel/printk/printk.c:2356
>
> __debugfs_create_file+0x40e/0x660:
> end_creating at fs/debugfs/inode.c:409
> (inlined by) __debugfs_create_file at fs/debugfs/inode.c:450
>
> __pfx_lock_release+0x10/0x10:
> lock_release at kernel/locking/lockdep.c:5830
>
> preempt_schedule_irq+0x51/0x90:
> native_save_fl at arch/x86/include/asm/irqflags.h:26
> (inlined by) arch_local_save_flags at arch/x86/include/asm/irqflags.h:87
> (inlined by) arch_irqs_disabled at arch/x86/include/asm/irqflags.h:147
> (inlined by) preempt_schedule_irq at kernel/sched/core.c:6997
>
> irqentry_exit+0x36/0x90:
> irqentry_exit at kernel/entry/common.c:357
>
> asm_sysvec_apic_timer_interrupt+0x1a/0x20:
> asm_sysvec_apic_timer_interrupt at arch/x86/include/asm/idtentry.h:702
>
> __wake_up_klogd.part.0+0x99/0xf0:
> __wake_up_klogd at kernel/printk/printk.c:4495
>
> vprintk+0x86/0xa0:
> vprintk at kernel/printk/printk_safe.c:69
>
> kcov_init+0xcc/0x120:
> selftest at kernel/kcov.c:1090
> (inlined by) kcov_init at kernel/kcov.c:1117
>
> kcov_init+0xb3/0x120:
> selftest at kernel/kcov.c:1088
> (inlined by) kcov_init at kernel/kcov.c:1117


The call chain here seems to be:

asm_sysvec_apic_timer_interrupt

irqentry_exit (calls next function inside of instrumentation_begin/end
thus undetected statically)
irqentry_exit_cond_resched
raw_irqentry_exit_cond_resched
preempt_schedule_irq
[some locking function]
lock_pin_lock
sched_clock
__sanitizer_cov_trace_pc
[BOOM]

All functions in the scheduler and lockdep (preempt_schedule_irq,
lock_pin_lock) are not instrumented due to KCOV_INSTRUMENT := n in
Makefiles.

But sched_clock is instrumented. It has notrace, but no noinstr.

Should notrace imply noinstr? Or should we mark sched_clock as noinstr as well?



> On 2024/09/19 7:23, syzbot wrote:
> > Hello,
> >
> > syzbot found the following issue on:
> >
> > HEAD commit:    4a39ac5b7d62 Merge tag 'random-6.12-rc1-for-linus' of git:..
> > git tree:       upstream
> > console output: https://syzkaller.appspot.com/x/log.txt?x=153e7fc7980000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=c78e7c8f41d443e6
> > dashboard link: https://syzkaller.appspot.com/bug?extid=d5db198a0f40411f24c3
> > compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

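As an added illustration (not part of the thread and not kernel code): the observation that sched_clock is instrumented comes down to whether the compiled function calls __sanitizer_cov_trace_pc. The shell function below reads an objdump disassembly of vmlinux and lists which of the named functions carry that hook, so a path expected to be noinstr / KCOV_INSTRUMENT := n can be checked function by function; the sample disassembly it runs on is constructed, with made-up addresses and bytes.

```shell
# Added example, not from the thread: list which of the named functions in an
# objdump disassembly of vmlinux are KCOV-instrumented, i.e. contain a call to
# __sanitizer_cov_trace_pc. Any such function on an interrupt-exit path built
# from noinstr / KCOV_INSTRUMENT := n code is where coverage leaks.
#
# Real use:  objdump -d vmlinux > vmlinux.dis
#            kcov_instrumented vmlinux.dis irqentry_exit preempt_schedule_irq \
#                              lock_pin_lock sched_clock
kcov_instrumented() {
    dis="$1"
    shift
    for sym in "$@"; do
        # In objdump output a function body runs from "<sym>:" to the next
        # blank line; look for the KCOV hook only inside that span.
        if awk -v sym="$sym" '
                $0 ~ ("<" sym ">:$") { inside = 1; next }
                inside && /^$/ { inside = 0 }
                inside && /call.*<__sanitizer_cov_trace_pc>/ { found = 1 }
                END { exit found ? 0 : 1 }
            ' "$dis"; then
            echo "$sym"
        fi
    done
}

# Constructed sample in objdump layout (addresses and bytes are made up).
# Only sched_clock carries the hook; the other three stand for code that is
# noinstr or built with KCOV_INSTRUMENT := n.
SAMPLE_DIS=$(mktemp)
trap 'rm -f "$SAMPLE_DIS"' EXIT
cat > "$SAMPLE_DIS" <<'EOF'
ffffffff81c00000 <irqentry_exit>:
ffffffff81c00000:	f3 0f 1e fa          	endbr64
ffffffff81c00004:	e8 07 00 00 00       	call   ffffffff81c00010 <irqentry_exit_cond_resched>
ffffffff81c00009:	c3                   	ret

ffffffff81c00010 <preempt_schedule_irq>:
ffffffff81c00010:	f3 0f 1e fa          	endbr64
ffffffff81c00014:	c3                   	ret

ffffffff81c00020 <lock_pin_lock>:
ffffffff81c00020:	f3 0f 1e fa          	endbr64
ffffffff81c00024:	e8 07 00 00 00       	call   ffffffff81c00030 <sched_clock>
ffffffff81c00029:	c3                   	ret

ffffffff81c00030 <sched_clock>:
ffffffff81c00030:	f3 0f 1e fa          	endbr64
ffffffff81c00034:	e8 07 00 00 00       	call   ffffffff81c00040 <__sanitizer_cov_trace_pc>
ffffffff81c00039:	0f 31                	rdtsc
ffffffff81c0003b:	c3                   	ret

ffffffff81c00040 <__sanitizer_cov_trace_pc>:
ffffffff81c00040:	c3                   	ret
EOF

kcov_instrumented "$SAMPLE_DIS" irqentry_exit preempt_schedule_irq lock_pin_lock sched_clock
# prints: sched_clock
```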

* Re: [syzbot] upstream test error: BUG: stack guard page was hit in corrupted
@ 2024-09-26  7:04     ` Dmitry Vyukov
From: Dmitry Vyukov @ 2024-09-26  7:04 UTC (permalink / raw)
  To: Tetsuo Handa, syzkaller, Marco Elver, Alexander Potapenko
  Cc: syzbot, syzkaller-bugs, linux-kernel

On Thu, 26 Sept 2024 at 08:48, Dmitry Vyukov <dvyukov@google.com> wrote:
>
> On Mon, 23 Sept 2024 at 16:04, Tetsuo Handa
> <penguin-kernel@i-love.sakura.ne.jp> wrote:
> >
> > This bug suggests code added by commit 6cd0dd934b03 ("kcov: Add interrupt handling self test").
> >
> > The location that triggers the page fault looks like
> >
> >   pos = READ_ONCE(area[0]) + 1;
> >
> > in __sanitizer_cov_trace_pc().
> > When is t->kcov_area initialized with an appropriate buffer
> > after selftest() does current->kcov_mode = KCOV_MODE_TRACE_PC?
> >
> > At commit de5cb0dcb74c ("Merge branch 'address-masking'"):
> > $ ./scripts/faddr2line vmlinux-de5cb0dc asm_exc_page_fault+0x26/0x30 sched_clock+0xb/0x60 __sanitizer_cov_trace_pc+0x53/0x70 sched_clock+0xb/0x60 lock_pin_lock+0x1a9/0x2d0 preempt_schedule_irq+0x51/0x90 __schedule+0x2f2/0x5920 lockdep_hardirqs_on+0x7c/0x110 preempt_schedule_thunk+0x1a/0x30 preempt_schedule_common+0x44/0xc0 preempt_schedule_thunk+0x1a/0x30 __pfx___schedule+0x10/0x10 vprintk_emit+0x39e/0x6f0 __pfx_vprintk_emit+0x10/0x10 __debugfs_create_file+0x40e/0x660 __pfx_lock_release+0x10/0x10 preempt_schedule_irq+0x51/0x90 irqentry_exit+0x36/0x90 asm_sysvec_apic_timer_interrupt+0x1a/0x20 __wake_up_klogd.part.0+0x99/0xf0 vprintk+0x86/0xa0 kcov_init+0xcc/0x120 kcov_init+0xb3/0x120
> > asm_exc_page_fault+0x26/0x30:
> > asm_exc_page_fault at arch/x86/include/asm/idtentry.h:623
> >
> > sched_clock+0xb/0x60:
> > __preempt_count_add at arch/x86/include/asm/preempt.h:79
> > (inlined by) sched_clock at arch/x86/kernel/tsc.c:283
> >
> > __sanitizer_cov_trace_pc+0x53/0x70:
> > __sanitizer_cov_trace_pc at kernel/kcov.c:222
> >
> > sched_clock+0xb/0x60:
> > __preempt_count_add at arch/x86/include/asm/preempt.h:79
> > (inlined by) sched_clock at arch/x86/kernel/tsc.c:283
> >
> > lock_pin_lock+0x1a9/0x2d0:
> > __lock_pin_lock at kernel/locking/lockdep.c:5593
> > (inlined by) lock_pin_lock at kernel/locking/lockdep.c:5915
> >
> > preempt_schedule_irq+0x51/0x90:
> > native_save_fl at arch/x86/include/asm/irqflags.h:26
> > (inlined by) arch_local_save_flags at arch/x86/include/asm/irqflags.h:87
> > (inlined by) arch_irqs_disabled at arch/x86/include/asm/irqflags.h:147
> > (inlined by) preempt_schedule_irq at kernel/sched/core.c:6997
> >
> > __schedule+0x2f2/0x5920:
> > __schedule at kernel/sched/core.c:6579
> >
> > lockdep_hardirqs_on+0x7c/0x110:
> > lockdep_hardirqs_on at kernel/locking/lockdep.c:4465
> >
> > preempt_schedule_thunk+0x1a/0x30:
> > preempt_schedule_thunk at arch/x86/entry/thunk.S:12
> >
> > preempt_schedule_common+0x44/0xc0:
> > __preempt_count_sub at arch/x86/include/asm/preempt.h:84
> > (inlined by) preempt_schedule_common at kernel/sched/core.c:6855
> >
> > preempt_schedule_thunk+0x1a/0x30:
> > preempt_schedule_thunk at arch/x86/entry/thunk.S:12
> >
> > __pfx___schedule+0x10/0x10:
> > __schedule at kernel/sched/core.c:6533
> >
> > vprintk_emit+0x39e/0x6f0:
> > vprintk_emit at kernel/printk/printk.c:2356
> >
> > __pfx_vprintk_emit+0x10/0x10:
> > vprintk_emit at kernel/printk/printk.c:2356
> >
> > __debugfs_create_file+0x40e/0x660:
> > end_creating at fs/debugfs/inode.c:409
> > (inlined by) __debugfs_create_file at fs/debugfs/inode.c:450
> >
> > __pfx_lock_release+0x10/0x10:
> > lock_release at kernel/locking/lockdep.c:5830
> >
> > preempt_schedule_irq+0x51/0x90:
> > native_save_fl at arch/x86/include/asm/irqflags.h:26
> > (inlined by) arch_local_save_flags at arch/x86/include/asm/irqflags.h:87
> > (inlined by) arch_irqs_disabled at arch/x86/include/asm/irqflags.h:147
> > (inlined by) preempt_schedule_irq at kernel/sched/core.c:6997
> >
> > irqentry_exit+0x36/0x90:
> > irqentry_exit at kernel/entry/common.c:357
> >
> > asm_sysvec_apic_timer_interrupt+0x1a/0x20:
> > asm_sysvec_apic_timer_interrupt at arch/x86/include/asm/idtentry.h:702
> >
> > __wake_up_klogd.part.0+0x99/0xf0:
> > __wake_up_klogd at kernel/printk/printk.c:4495
> >
> > vprintk+0x86/0xa0:
> > vprintk at kernel/printk/printk_safe.c:69
> >
> > kcov_init+0xcc/0x120:
> > selftest at kernel/kcov.c:1090
> > (inlined by) kcov_init at kernel/kcov.c:1117
> >
> > kcov_init+0xb3/0x120:
> > selftest at kernel/kcov.c:1088
> > (inlined by) kcov_init at kernel/kcov.c:1117
>
>
> The call chain here seems to be:
>
> asm_sysvec_apic_timer_interrupt
>
> irqentry_exit (calls next function inside of instrumentation_begin/end
> thus undetected statically)
> irqentry_exit_cond_resched
> raw_irqentry_exit_cond_resched
> preempt_schedule_irq
> [some locking function]
> lock_pin_lock
> sched_clock
> __sanitizer_cov_trace_pc
> [BOOM]
>
> All functions in the scheduler and lockdep (preempt_schedule_irq,
> lock_pin_lock) are not instrumented due to KCOV_INSTRUMENT := n in
> Makefiles.
>
> But sched_clock is instrumented. It has notrace, but no noinstr.
>
> Should notrace imply noinstr? Or should we mark sched_clock as noinstr as well?

We shouldn't mark sched_clock as noinstr b/c there is already
sched_clock_noinstr.
So another option is to call sched_clock_noinstr from lock_pin_lock,
which looks reasonable.

So far I can't reproduce this locally.


> > On 2024/09/19 7:23, syzbot wrote:
> > > Hello,
> > >
> > > syzbot found the following issue on:
> > >
> > > HEAD commit:    4a39ac5b7d62 Merge tag 'random-6.12-rc1-for-linus' of git:..
> > > git tree:       upstream
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=153e7fc7980000
> > > kernel config:  https://syzkaller.appspot.com/x/.config?x=c78e7c8f41d443e6
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=d5db198a0f40411f24c3
> > > compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

