Re: KASAN: soft lockup in paste_selection

From: andriy.shevchenko@xxxxxxxxxxxxxxx
Date: Fri May 12 2023 - 07:08:46 EST

Next message: Michal Simek: "Re: [PATCH] driver: soc: xilinx: use _safe loop iterator to avoid a use after free"
Previous message: Roger Quadros: "Re: [PATCH v2 1/2] dt-bindings: cdns,usb3: Add clock and reset"
Next in thread: gregkh@xxxxxxxxxxxxxxxxxxx: "Re: KASAN: soft lockup in paste_selection"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

+Cc: Ilpo (not sure if you can do anything about that, so JFYI)

On Fri, May 12, 2023 at 08:28:26AM +0000, zhangqiumiao wrote:
> Hello,
>
> We found the following issue using syzkaller on Linux v5.10.0.
> A similar issue was found in function `paste_selection` before and
> I believe they are the same.
> (https://lore.kernel.org/all/000000000000fe769905d315a1b7@xxxxxxxxxx/)
>
> Unfortunately, no one seems to be paying attention to this issue.
>
> The brief report is below:
> ========================================================
> kasan
>
> RBP: 00007fcdf2facd75 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
> R13: 00007fff5a65520f R14: 00007fff5a6553b0 R15: 00007fcdf14acd80
> watchdog: BUG: soft lockup - CPU#1 stuck for 123s! [syz-executor.3:23295]
> Modules linked in:
>
> Sample time: 21774237378 ns(HZ: 1000)
> Sample stat:
> curr: user: 39128997021, nice: 0, sys: 466294657699, idle: 246835945000, iowait: 5392968000, irq: 19049308342, softirq: 7849858971, st: 1336816062
> deta: user: 0, nice: 0, sys: 21408617598, idle: 0, iowait: 0, irq: 588225776, softirq: 0, st: 255856
> Sample softirq:
> Sample irqstat:
> irq 15: delta 22, curr: 1301, ata_piix
> CPU: 1 PID: 23295 Comm: syz-executor.3 Not tainted 5.10.0 #1
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
> RIP: 0010:check_kcov_mode kernel/kcov.c:163 [inline]
> RIP: 0010:__sanitizer_cov_trace_pc+0x14/0x60 kernel/kcov.c:197
> Code: 80 ee 02 00 48 8b 80 68 14 00 00 c3 cc cc cc cc 66 0f 1f 44 00 00 48 8b 34 24 65 48 8b 04 25 80 ee 02 00 65 8b 15 8c 69 8c 7e <f7> c2 00 01 ff 00 74 0f 80 e6 01 74 35 8b 90 74 14 00 00 85 d2 74
> RSP: 0018:ffff88812919fa90 EFLAGS: 00000286
>
> RAX: ffff888084ced100 RBX: ffff888084ced100 RCX: ffffc90008523000
> RDX: 0000000000000000 RSI: ffffffff83696570 RDI: ffff888112c729e8
> RBP: 0000000000000000 R08: 0000000000000001 R09: ffffed102258e538
> R10: ffff888112c729bf R11: ffffed102258e537 R12: ffff888112c72800
> R13: ffffed101099da20 R14: dffffc0000000000 R15: ffff888103922ec0
> FS: 00007fcdf14ad700(0000) GS:ffff888134c00000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000020000000 CR3: 0000000100af4000 CR4: 0000000000150ee0
> Call Trace:
> paste_selection+0x170/0x3e0 drivers/tty/vt/selection.c:401
> tioclinux+0x3c3/0x480 drivers/tty/vt/vt.c:3208
> vt_ioctl+0x114d/0x1b90 drivers/tty/vt/vt_ioctl.c:762
> tty_ioctl+0x6d2/0x14a0 drivers/tty/tty_io.c:2757
> vfs_ioctl fs/ioctl.c:48 [inline]
> __do_sys_ioctl fs/ioctl.c:753 [inline]
> __se_sys_ioctl+0x112/0x150 fs/ioctl.c:739
> do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46
> entry_SYSCALL_64_after_hwframe+0x61/0xc6
> RIP: 0033:0x7fcdf2f3f6cd
> Code: c3 e8 17 32 00 00 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007fcdf14acbf8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
> RAX: ffffffffffffffda RBX: 00007fcdf307af80 RCX: 00007fcdf2f3f6cd
> RDX: 0000000020000100 RSI: 000000000000541c RDI: 0000000000000004
> RBP: 00007fcdf2facd75 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
> R13: 00007fff5a65520f R14: 00007fff5a6553b0 R15: 00007fcdf14acd80
> Sending NMI from CPU 1 to CPUs 0,2-3:
> NMI backtrace for cpu 0 skipped: idling at native_safe_halt arch/x86/include/asm/irqflags.h:60 [inline]
> NMI backtrace for cpu 0 skipped: idling at arch_safe_halt arch/x86/include/asm/irqflags.h:103 [inline]
> NMI backtrace for cpu 0 skipped: idling at default_idle+0x13/0x20 arch/x86/kernel/process.c:713
> NMI backtrace for cpu 2 skipped: idling at native_safe_halt arch/x86/include/asm/irqflags.h:60 [inline]
> NMI backtrace for cpu 2 skipped: idling at arch_safe_halt arch/x86/include/asm/irqflags.h:103 [inline]
> NMI backtrace for cpu 2 skipped: idling at default_idle+0x13/0x20 arch/x86/kernel/process.c:713
> NMI backtrace for cpu 3 skipped: idling at native_safe_halt arch/x86/include/asm/irqflags.h:60 [inline]
> NMI backtrace for cpu 3 skipped: idling at arch_safe_halt arch/x86/include/asm/irqflags.h:103 [inline]
> NMI backtrace for cpu 3 skipped: idling at default_idle+0x13/0x20 arch/x86/kernel/process.c:713
>
> ========================================================

--
With Best Regards,
Andy Shevchenko

Next message: Michal Simek: "Re: [PATCH] driver: soc: xilinx: use _safe loop iterator to avoid a use after free"
Previous message: Roger Quadros: "Re: [PATCH v2 1/2] dt-bindings: cdns,usb3: Add clock and reset"
Next in thread: gregkh@xxxxxxxxxxxxxxxxxxx: "Re: KASAN: soft lockup in paste_selection"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]