------------[ cut here ]------------ | |
WARNING: CPU: 0 PID: 83417 at mm/util.c:622 kvmalloc_node+0x19f/0x1b0 mm/util.c:622 | |
Modules linked in: | |
CPU: 0 PID: 83417 Comm: syz-executor.3 Not tainted 6.7.0-rc1-g7475e51b8796-dirty #2 | |
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-1.fc38 04/01/2014 | |
RIP: 0010:kvmalloc_node+0x19f/0x1b0 mm/util.c:622 | |
Code: 00 eb aa e8 d3 9d c3 ff 41 81 e4 00 20 00 00 31 ff 44 89 e6 e8 32 99 c3 ff 45 85 e4 0f 85 17 ff ff ff 31 ff e8 b2 9d c3 ff 90 <0f> 0b 90 31 ed e9 d9 fe ff ff 0f 1f 80 00 00 00 00 f3 0f 1e fa 41 | |
RSP: 0018:ffffc90004a07b70 EFLAGS: 00010246 | |
RAX: 0000000000001ad4 RBX: 00000037ffffcec8 RCX: 0000000000040000 | |
RDX: ffffffff81c85fde RSI: ffffc9001273a000 RDI: 0000000000000000 | |
RBP: 0000000000000400 R08: 0000000000000005 R09: 0000000000000000 | |
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 | |
R13: 00000000ffffffff R14: 00000000ffffff1f R15: ffff88812269cf50 | |
FS: 00007fb6461c66c0(0000) GS:ffff888063800000(0000) knlGS:0000000000000000 | |
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 | |
CR2: 0000001b318ce000 CR3: 0000000109a49000 CR4: 0000000000750ef0 | |
PKRU: 55555554 | |
Call Trace: | |
<TASK> | |
kvmalloc include/linux/slab.h:738 [inline] | |
kvmalloc_array include/linux/slab.h:756 [inline] | |
kvcalloc include/linux/slab.h:761 [inline] | |
bpf_uprobe_multi_link_attach+0x447/0x1020 kernel/trace/bpf_trace.c:3239 | |
link_create kernel/bpf/syscall.c:5012 [inline] | |
__sys_bpf+0x256e/0x4cb0 kernel/bpf/syscall.c:5453 | |
__do_sys_bpf kernel/bpf/syscall.c:5487 [inline] | |
__se_sys_bpf kernel/bpf/syscall.c:5485 [inline] | |
__x64_sys_bpf+0x7d/0xc0 kernel/bpf/syscall.c:5485 | |
do_syscall_x64 arch/x86/entry/common.c:51 [inline] | |
do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82 | |
entry_SYSCALL_64_after_hwframe+0x63/0x6b | |
RIP: 0033:0x7fb6476cc559 | |
Code: 08 89 e8 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 77 08 0d 00 f7 d8 64 89 01 48 | |
RSP: 002b:00007fb6461c5d58 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 | |
RAX: ffffffffffffffda RBX: 00000000004bbf80 RCX: 00007fb6476cc559 | |
RDX: 0000000000000040 RSI: 0000000020000340 RDI: 000000000000001c | |
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 | |
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004bbf8c | |
R13: 000000000000000b R14: 00000000004bbf80 R15: 00007fb6461a6000 | |
</TASK> |
// autogenerated by syzkaller (https://github.com/google/syzkaller) | |
#define _GNU_SOURCE | |
#include <endian.h> | |
#include <stdint.h> | |
#include <stdio.h> | |
#include <stdlib.h> | |
#include <string.h> | |
#include <sys/syscall.h> | |
#include <sys/types.h> | |
#include <unistd.h> | |
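#ifndef __NR_bpf
#define __NR_bpf 321 /* x86-64 bpf(2) syscall number, used only if the libc headers lack it */
#endif
/*
 * Mask covering bf_len bits starting at bit bf_off.
 * A width of 64 (or more) is handled explicitly: shifting a 64-bit value by
 * 64 is undefined behaviour in C, and the original (1ull << 64) - 1 form
 * relied on it.
 */
#define BITMASK(bf_off, bf_len) \
  ((((bf_len) >= 64) ? ~0ull : ((1ull << (bf_len)) - 1)) << (bf_off))
/*
 * Read-modify-write a bf_len-bit field at bit offset bf_off inside the
 * `type`-sized object at `addr`. `htobe` is applied on load and on store so a
 * big-endian field can be edited in place; pass an empty argument for native
 * byte order. Note that `addr` is evaluated twice (macro kept as an
 * expression for compatibility with the generated call sites).
 */
#define STORE_BY_BITMASK(type, htobe, addr, val, bf_off, bf_len) \
  *(type*)(addr) = \
      htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | \
            (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len))))
/* r[0]: fd returned by BPF_PROG_LOAD; all-ones (fd -1) until the load succeeds. */
uint64_t r[1] = {0xffffffffffffffff};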
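/*
 * Create one fixed, private, anonymous mapping at `addr`.
 * 0x32 is MAP_PRIVATE | MAP_FIXED | MAP_ANONYMOUS (0x02 | 0x10 | 0x20) on
 * Linux. Returns 0 on success, -1 with errno set (and a message on stderr)
 * on failure.
 */
static int map_fixed(unsigned long addr, unsigned long len, unsigned long prot) {
  if (syscall(__NR_mmap, addr, len, prot, 0x32ul, (long)-1, 0ul) == -1) {
    perror("mmap");
    return -1;
  }
  return 0;
}

/*
 * syzkaller reproducer for the WARNING in kvmalloc_node() (mm/util.c:622)
 * reached from bpf_uprobe_multi_link_attach() in the trace above.
 *
 * Sequence: load a trivial 3-instruction BPF program, create ./file0, then
 * issue BPF_LINK_CREATE for the uprobe_multi variant with
 * cnt = 0xffffff1f (also visible as R14 in the register dump) while
 * supplying only a one-entry offsets array. The kernel sizes its per-uprobe
 * arrays from cnt with kvcalloc(); RBX = 0x37ffffcec8 in the dump is
 * consistent with cnt * 56-byte elements, far above INT_MAX, which is
 * presumably what trips the "crazy size" WARN in kvmalloc_node -- confirm
 * against mm/util.c of the exact kernel. The proper fix is kernel-side:
 * bound cnt before allocating. Under panic_on_warn this is a crash reachable
 * by anyone allowed to load and attach BPF programs (presumably root or
 * CAP_BPF/CAP_PERFMON -- verify for the target kernel).
 *
 * All syscall arguments live at fixed addresses so the memory contents match
 * the original syzkaller program byte for byte. Returns 0 once the syscalls
 * have been issued (failures of the bpf() calls are reported, not fatal),
 * 1 if the fixed mappings cannot be set up (the stores below would fault).
 */
int main(void) {
  /* Guard page below, 16 MiB rwx scratch arena, guard page above. */
  if (map_fixed(0x1ffff000ul, 0x1000ul, 0ul) ||
      map_fixed(0x20000000ul, 0x1000000ul, 7ul) ||
      map_fixed(0x21000000ul, 0x1000ul, 0ul)) {
    return 1;
  }

  /*
   * Program body at 0x20000200: a 16-byte wide instruction with opcode 0x18
   * (presumably BPF_LD|BPF_DW|BPF_IMM, i.e. ld_imm64 with all registers and
   * immediates zero) followed by opcode 0x95 (presumably BPF_JMP|BPF_EXIT).
   * The original wrote every zero byte explicitly; memset gives the same
   * 24 bytes.
   */
  uint8_t *insns = (uint8_t *)0x20000200;
  memset(insns, 0, 24);
  insns[0] = 0x18;
  insns[16] = 0x95;
  memcpy((void *)0x20000240, "GPL\000", 4);

  /*
   * union bpf_attr for BPF_PROG_LOAD (0x90 bytes used). Only the non-zero
   * fields are set; the anonymous mapping is zero-filled and is cleared
   * again here so the layout does not depend on that.
   */
  uint8_t *load = (uint8_t *)0x20000140;
  memset(load, 0, 0x90);
  *(uint32_t *)(load + 0x00) = 2;          /* prog_type 2 (presumably BPF_PROG_TYPE_KPROBE) */
  *(uint32_t *)(load + 0x04) = 3;          /* insn_cnt: three 8-byte instructions */
  *(uint64_t *)(load + 0x08) = 0x20000200; /* insns */
  *(uint64_t *)(load + 0x10) = 0x20000240; /* license -> "GPL" */
  *(uint32_t *)(load + 0x44) = 0x30;       /* expected_attach_type, same value as the link below */

  /* cmd 5 = BPF_PROG_LOAD (see the bpf$PROG_LOAD line of the syz program). */
  intptr_t res = syscall(__NR_bpf, 5ul, (unsigned long)load, 0x90ul);
  if (res == -1) {
    /* Keep going, as the generated code did, but say why the link create
     * below is about to be handed fd 0xffffffff. */
    perror("bpf(BPF_PROG_LOAD)");
  } else {
    r[0] = (uint64_t)res;
  }

  /* The uprobe path must name an existing file; create it first. */
  memcpy((void *)0x20000000, "./file0\000", 8);
  if (syscall(__NR_creat, 0x20000000ul, 0ul) == -1) {
    perror("creat");
  }

  /*
   * union bpf_attr for BPF_LINK_CREATE (0x40 bytes) using the uprobe_multi
   * variant. Field offsets follow the original stores:
   *   +0x00 prog_fd, +0x08 attach_type, +0x10 path, +0x18 offsets,
   *   +0x30 cnt; target_fd, flags, ref_ctr_offsets, cookies and pid stay 0.
   */
  uint8_t *link = (uint8_t *)0x20000340;
  memset(link, 0, 0x40);
  *(uint32_t *)(link + 0x00) = (uint32_t)r[0]; /* prog_fd (truncated to u32 as before) */
  *(uint32_t *)(link + 0x08) = 0x30;           /* attach_type: uprobe multi */
  *(uint64_t *)(link + 0x10) = 0x20000080;     /* uprobe_multi.path -> "./file0" */
  *(uint64_t *)(link + 0x18) = 0x200000c0;     /* uprobe_multi.offsets -> one u64 */
  *(uint32_t *)(link + 0x30) = 0xffffff1f;     /* uprobe_multi.cnt: the trigger */
  memcpy((void *)0x20000080, "./file0\000", 8);
  *(uint64_t *)0x200000c0 = 0;                 /* the single offset entry */

  /* cmd 0x1c = BPF_LINK_CREATE; the WARN fires inside this call. */
  if (syscall(__NR_bpf, 0x1cul, (unsigned long)link, 0x40ul) == -1) {
    perror("bpf(BPF_LINK_CREATE)");
  }
  return 0;
}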
# syzkaller program form of the C reproducer above: the same three calls.
# 1. BPF_PROG_LOAD (cmd 0x5): prog_type 0x2 (presumably BPF_PROG_TYPE_KPROBE),
#    3 instructions (@framed), license "GPL", expected_attach_type 0x30.
#    The returned fd is kept as r0.
r0 = bpf$PROG_LOAD(0x5, &(0x7f0000000140)={0x2, 0x3, &(0x7f0000000200)=@framed, &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x30, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90) | |
# 2. Create ./file0 so the uprobe path below names an existing file.
creat(&(0x7f0000000000)='./file0\x00', 0x0) | |
# 3. BPF_LINK_CREATE (cmd 0x1c), attach_type 0x30, uprobe_multi variant:
#    path ./file0, a one-entry offsets array, and cnt = 0xffffff1f -- far
#    more entries than supplied. The trace above shows kvcalloc() in
#    bpf_uprobe_multi_link_attach() being sized from this cnt and tripping
#    the WARN in kvmalloc_node() (mm/util.c:622); R14 in the register dump
#    is 0xffffff1f. The kernel-side fix is to bound cnt before allocating.
bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000340)={r0, 0x0, 0x30, 0x0, @val=@uprobe_multi={&(0x7f0000000080)='./file0\x00', &(0x7f00000000c0)=[0x0], 0x0, 0x0, 0xffffff1f}}, 0x40) |