Re: WARNING in kmalloc_slab (4)
From: Steffen Klassert
Date: Tue Mar 13 2018 - 03:51:51 EST
On Tue, Mar 13, 2018 at 12:33:02AM -0700, syzbot wrote:
> Hello,
>
> syzbot hit the following crash on net-next commit
> f44b1886a5f876c87b5889df463ad7b97834ba37 (Fri Mar 9 18:10:06 2018 +0000)
> Merge branch 's390-qeth-next'
>
> Unfortunately, I don't have any reproducer for this crash yet.
> Raw console output is attached.
> compiler: gcc (GCC) 7.1.1 20170620
> .config is attached.
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+6a7e7ed886bde43469c4@xxxxxxxxxxxxxxxxxxxxxxxxx
> It will help syzbot understand when the bug is fixed. See footer for
> details.
> If you forward the report, please keep this part and the footer.
>
> WARNING: CPU: 1 PID: 27333 at mm/slab_common.c:1012 kmalloc_slab+0x5d/0x70
> mm/slab_common.c:1012
> Kernel panic - not syncing: panic_on_warn set ...
>
> syz-executor0: vmalloc: allocation failure: 17045651456 bytes,
> mode:0x14080c0(GFP_KERNEL|__GFP_ZERO), nodemask=(null)
> CPU: 1 PID: 27333 Comm: syz-executor2 Not tainted 4.16.0-rc4+ #260
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Call Trace:
> __dump_stack lib/dump_stack.c:17 [inline]
> dump_stack+0x194/0x24d lib/dump_stack.c:53
> panic+0x1e4/0x41c kernel/panic.c:183
> syz-executor0 cpuset=
> __warn+0x1dc/0x200 kernel/panic.c:547
> /
> mems_allowed=0
> report_bug+0x211/0x2d0 lib/bug.c:184
> fixup_bug.part.11+0x37/0x80 arch/x86/kernel/traps.c:178
> fixup_bug arch/x86/kernel/traps.c:247 [inline]
> do_error_trap+0x2d7/0x3e0 arch/x86/kernel/traps.c:296
> do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315
> invalid_op+0x1b/0x40 arch/x86/entry/entry_64.S:986
> RIP: 0010:kmalloc_slab+0x5d/0x70 mm/slab_common.c:1012
> RSP: 0018:ffff8801ccfc72f0 EFLAGS: 00010246
> RAX: 0000000000000000 RBX: 0000000010000018 RCX: ffffffff84ec4fc8
> RDX: 0000000000000ba7 RSI: 0000000000000000 RDI: 0000000010000018
> RBP: ffff8801ccfc72f0 R08: 0000000000000000 R09: 1ffff100399f8e21
> R10: ffff8801ccfc7040 R11: 0000000000000001 R12: 0000000000000018
> R13: ffff8801ccfc7598 R14: 00000000014080c0 R15: ffff8801aebaad80
> __do_kmalloc mm/slab.c:3700 [inline]
> __kmalloc+0x25/0x760 mm/slab.c:3714
> kmalloc include/linux/slab.h:517 [inline]
> kzalloc include/linux/slab.h:701 [inline]
> xfrm_alloc_replay_state_esn net/xfrm/xfrm_user.c:442 [inline]
This is likely fixed with:
commit d97ca5d714a5334aecadadf696875da40f1fbf3e
xfrm_user: uncoditionally validate esn replay attribute struct
The patch is included in the ipsec pull request for the net
tree I've sent this morning.