[syzbot] [acpi?] [nvdimm?] KASAN: vmalloc-out-of-bounds Read in acpi_nfit_ctl (2)


syzbot

Nov 5, 2024, 10:28:28 AM
to dan.j.w...@intel.com, dave....@intel.com, ira....@intel.com, le...@kernel.org, linux...@vger.kernel.org, linux-...@vger.kernel.org, nvd...@lists.linux.dev, raf...@kernel.org, syzkall...@googlegroups.com, vishal....@intel.com
Hello,

syzbot found the following issue on:

HEAD commit: 2e1b3cc9d7f7 Merge tag 'arm-fixes-6.12-2' of git://git.ker..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12418e30580000
kernel config: https://syzkaller.appspot.com/x/.config?x=11254d3590b16717
dashboard link: https://syzkaller.appspot.com/bug?extid=7534f060ebda6b8b51b3
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12170f40580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16418e30580000

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7feb34a89c2a/non_bootable_disk-2e1b3cc9.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/2f2588b04ae9/vmlinux-2e1b3cc9.xz
kernel image: https://storage.googleapis.com/syzbot-assets/2c9324cf16df/bzImage-2e1b3cc9.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+7534f0...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: vmalloc-out-of-bounds in cmd_to_func drivers/acpi/nfit/core.c:416 [inline]
BUG: KASAN: vmalloc-out-of-bounds in acpi_nfit_ctl+0x20e8/0x24a0 drivers/acpi/nfit/core.c:459
Read of size 4 at addr ffffc90000e0e038 by task syz-executor229/5316

CPU: 0 UID: 0 PID: 5316 Comm: syz-executor229 Not tainted 6.12.0-rc6-syzkaller-00077-g2e1b3cc9d7f7 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
cmd_to_func drivers/acpi/nfit/core.c:416 [inline]
acpi_nfit_ctl+0x20e8/0x24a0 drivers/acpi/nfit/core.c:459
__nd_ioctl drivers/nvdimm/bus.c:1186 [inline]
nd_ioctl+0x1844/0x1fd0 drivers/nvdimm/bus.c:1264
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fb399ccda79
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffcf6cb8d88 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fb399ccda79
RDX: 0000000020000180 RSI: 00000000c008640a RDI: 0000000000000003
RBP: 00007fb399d405f0 R08: 0000000000000006 R09: 0000000000000006
R10: 0000000000000006 R11: 0000000000000246 R12: 0000000000000001
R13: 431bde82d7b634db R14: 0000000000000001 R15: 0000000000000001
</TASK>

The buggy address belongs to the virtual mapping at
[ffffc90000e0e000, ffffc90000e10000) created by:
__nd_ioctl drivers/nvdimm/bus.c:1169 [inline]
nd_ioctl+0x1594/0x1fd0 drivers/nvdimm/bus.c:1264

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880401b9a80 pfn:0x401b9
flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
raw: 04fff00000000000 0000000000000000 dead000000000122 0000000000000000
raw: ffff8880401b9a80 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2cc2(GFP_KERNEL|__GFP_HIGHMEM|__GFP_NOWARN), pid 5316, tgid 5316 (syz-executor229), ts 69039468240, free_ts 68666765389
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1537
prep_new_page mm/page_alloc.c:1545 [inline]
get_page_from_freelist+0x303f/0x3190 mm/page_alloc.c:3457
__alloc_pages_noprof+0x292/0x710 mm/page_alloc.c:4733
alloc_pages_bulk_noprof+0x729/0xd40 mm/page_alloc.c:4681
alloc_pages_bulk_array_mempolicy_noprof+0x8ea/0x1600 mm/mempolicy.c:2556
vm_area_alloc_pages mm/vmalloc.c:3542 [inline]
__vmalloc_area_node mm/vmalloc.c:3646 [inline]
__vmalloc_node_range_noprof+0x752/0x13f0 mm/vmalloc.c:3828
__vmalloc_node_noprof mm/vmalloc.c:3893 [inline]
vmalloc_noprof+0x79/0x90 mm/vmalloc.c:3926
__nd_ioctl drivers/nvdimm/bus.c:1169 [inline]
nd_ioctl+0x1594/0x1fd0 drivers/nvdimm/bus.c:1264
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 5312 tgid 5312 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1108 [inline]
free_unref_page+0xcfb/0xf20 mm/page_alloc.c:2638
__folio_put+0x2c7/0x440 mm/swap.c:126
pipe_buf_release include/linux/pipe_fs_i.h:219 [inline]
pipe_update_tail fs/pipe.c:224 [inline]
pipe_read+0x6ed/0x13e0 fs/pipe.c:344
new_sync_read fs/read_write.c:488 [inline]
vfs_read+0x991/0xb70 fs/read_write.c:569
ksys_read+0x183/0x2b0 fs/read_write.c:712
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
ffffc90000e0df00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
ffffc90000e0df80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
>ffffc90000e0e000: 00 00 00 00 00 00 00 03 f8 f8 f8 f8 f8 f8 f8 f8
^
ffffc90000e0e080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
ffffc90000e0e100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

syzbot

Nov 6, 2024, 9:50:52 AM
to syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
syzkall...@googlegroups.com.

***

Subject: Re: [syzbot] [acpi?] [nvdimm?] KASAN: vmalloc-out-of-bounds Read in acpi_nfit_ctl (2)
Author: aha3...@gmail.com

#syz test git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

---
drivers/acpi/nfit/core.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/drivers/acpi/nfit/core.c b/drivers/acpi/nfit/core.c
index 5429ec9ef06f..863b59210664 100644
--- a/drivers/acpi/nfit/core.c
+++ b/drivers/acpi/nfit/core.c
@@ -412,6 +412,7 @@ static int cmd_to_func(struct nfit_mem *nfit_mem, unsigned int cmd,
if (nfit_mem && nfit_mem->family != call_pkg->nd_family)
return -ENOTTY;

+ printk(KERN_INFO "%lx", ARRAY_SIZE(call_pkg->nd_reserved2));
for (i = 0; i < ARRAY_SIZE(call_pkg->nd_reserved2); i++)
if (call_pkg->nd_reserved2[i])
return -EINVAL;
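Review bot: the added printk does not address the out-of-bounds read, so the unchanged KASAN result syzbot reported for this patch is expected. The report places the 4-byte read at +0x38 of the vmalloc mapping that __nd_ioctl created, and the shadow bytes on that line (`00 00 00 00 00 00 00 03`) show the mapping is accessible only up to +0x3b; the read is the `for` loop on the following lines indexing call_pkg->nd_reserved2[i] beyond the end of that buffer, and ARRAY_SIZE(call_pkg->nd_reserved2) is a compile-time constant, so printing it tells us nothing about the runtime buffer. The check belongs before this loop: refuse the request unless the buffer handed to cmd_to_func is at least sizeof(*call_pkg) long, so no field of call_pkg is dereferenced past what was actually allocated. If a trace is still wanted while bisecting, `pr_info("%s: nd_reserved2 has %zu entries\n", __func__, ARRAY_SIZE(call_pkg->nd_reserved2));` is the idiomatic form: ARRAY_SIZE is a size_t (so `%zu`, not `%lx`), printk messages need a trailing newline, and a bare KERN_INFO without a prefix will not survive review.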
--

syzbot

Nov 6, 2024, 10:06:06 AM
to aha3...@gmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: vmalloc-out-of-bounds Read in acpi_nfit_ctl

==================================================================
BUG: KASAN: vmalloc-out-of-bounds in cmd_to_func drivers/acpi/nfit/core.c:417 [inline]
BUG: KASAN: vmalloc-out-of-bounds in acpi_nfit_ctl+0x2061/0x2440 drivers/acpi/nfit/core.c:460
Read of size 4 at addr ffffc9000166e038 by task syz.0.15/5815

CPU: 0 UID: 0 PID: 5815 Comm: syz.0.15 Not tainted 6.12.0-rc6-syzkaller-00077-g2e1b3cc9d7f7-dirty #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
cmd_to_func drivers/acpi/nfit/core.c:417 [inline]
acpi_nfit_ctl+0x2061/0x2440 drivers/acpi/nfit/core.c:460
__nd_ioctl drivers/nvdimm/bus.c:1186 [inline]
nd_ioctl+0x1844/0x1fd0 drivers/nvdimm/bus.c:1264
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f768a37e719
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f768b263038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f768a535f80 RCX: 00007f768a37e719
RDX: 0000000020000180 RSI: 00000000c008640a RDI: 0000000000000003
RBP: 00007f768a3f139e R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f768a535f80 R15: 00007ffec5fc1248
</TASK>

The buggy address belongs to the virtual mapping at
[ffffc9000166e000, ffffc90001670000) created by:
__nd_ioctl drivers/nvdimm/bus.c:1169 [inline]
nd_ioctl+0x1594/0x1fd0 drivers/nvdimm/bus.c:1264

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888040f74360 pfn:0x40f74
flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
raw: 04fff00000000000 0000000000000000 dead000000000122 0000000000000000
raw: ffff888040f74360 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2cc2(GFP_KERNEL|__GFP_HIGHMEM|__GFP_NOWARN), pid 5815, tgid 5814 (syz.0.15), ts 117205092748, free_ts 117198254028
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1537
prep_new_page mm/page_alloc.c:1545 [inline]
get_page_from_freelist+0x303f/0x3190 mm/page_alloc.c:3457
__alloc_pages_noprof+0x292/0x710 mm/page_alloc.c:4733
alloc_pages_bulk_noprof+0x729/0xd40 mm/page_alloc.c:4681
alloc_pages_bulk_array_mempolicy_noprof+0x8ea/0x1600 mm/mempolicy.c:2556
vm_area_alloc_pages mm/vmalloc.c:3542 [inline]
__vmalloc_area_node mm/vmalloc.c:3646 [inline]
__vmalloc_node_range_noprof+0x752/0x13f0 mm/vmalloc.c:3828
__vmalloc_node_noprof mm/vmalloc.c:3893 [inline]
vmalloc_noprof+0x79/0x90 mm/vmalloc.c:3926
__nd_ioctl drivers/nvdimm/bus.c:1169 [inline]
nd_ioctl+0x1594/0x1fd0 drivers/nvdimm/bus.c:1264
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 5612 tgid 5612 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1108 [inline]
free_unref_page+0xcfb/0xf20 mm/page_alloc.c:2638
__slab_free+0x31b/0x3d0 mm/slub.c:4490
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x9a/0x140 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x14f/0x170 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x23/0x80 mm/kasan/common.c:329
kasan_slab_alloc include/linux/kasan.h:247 [inline]
slab_post_alloc_hook mm/slub.c:4085 [inline]
slab_alloc_node mm/slub.c:4134 [inline]
kmem_cache_alloc_noprof+0x135/0x2a0 mm/slub.c:4141
getname_flags+0xb7/0x540 fs/namei.c:139
do_sys_openat2+0xd2/0x1d0 fs/open.c:1409
do_sys_open fs/open.c:1430 [inline]
__do_sys_openat fs/open.c:1446 [inline]
__se_sys_openat fs/open.c:1441 [inline]
__x64_sys_openat+0x247/0x2a0 fs/open.c:1441
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
ffffc9000166df00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
ffffc9000166df80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
>ffffc9000166e000: 00 00 00 00 00 00 00 03 f8 f8 f8 f8 f8 f8 f8 f8
^
ffffc9000166e080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
ffffc9000166e100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
==================================================================


Tested on:

commit: 2e1b3cc9 Merge tag 'arm-fixes-6.12-2' of git://git.ker..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16808d87980000
kernel config: https://syzkaller.appspot.com/x/.config?x=11254d3590b16717
dashboard link: https://syzkaller.appspot.com/bug?extid=7534f060ebda6b8b51b3
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1109b6a7980000

syzbot

Nov 7, 2024, 2:41:52 AM
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: Re: [syzbot] [acpi?] [nvdimm?] KASAN: vmalloc-out-of-bounds Read in acpi_nfit_ctl (2)
Author: surajson...@gmail.com

#syz test

syzbot

Nov 7, 2024, 2:56:07 AM
to linux-...@vger.kernel.org, surajson...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: vmalloc-out-of-bounds Read in acpi_nfit_ctl

==================================================================
BUG: KASAN: vmalloc-out-of-bounds in cmd_to_func drivers/acpi/nfit/core.c:416 [inline]
BUG: KASAN: vmalloc-out-of-bounds in acpi_nfit_ctl+0x20e8/0x24a0 drivers/acpi/nfit/core.c:459
Read of size 4 at addr ffffc9000169e038 by task syz.0.15/5821

CPU: 0 UID: 0 PID: 5821 Comm: syz.0.15 Not tainted 6.12.0-rc6-syzkaller-00110-gff7afaeca1a1-dirty #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
cmd_to_func drivers/acpi/nfit/core.c:416 [inline]
acpi_nfit_ctl+0x20e8/0x24a0 drivers/acpi/nfit/core.c:459
__nd_ioctl drivers/nvdimm/bus.c:1186 [inline]
nd_ioctl+0x1844/0x1fd0 drivers/nvdimm/bus.c:1264
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7eff6877e719
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007eff6951b038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007eff68935f80 RCX: 00007eff6877e719
RDX: 0000000020000180 RSI: 00000000c008640a RDI: 0000000000000003
RBP: 00007eff687f139e R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007eff68935f80 R15: 00007ffc0d47a418
</TASK>

The buggy address belongs to the virtual mapping at
[ffffc9000169e000, ffffc900016a0000) created by:
__nd_ioctl drivers/nvdimm/bus.c:1169 [inline]
nd_ioctl+0x1594/0x1fd0 drivers/nvdimm/bus.c:1264

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888040b49700 pfn:0x40b49
flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
raw: 04fff00000000000 0000000000000000 dead000000000122 0000000000000000
raw: ffff888040b49700 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2cc2(GFP_KERNEL|__GFP_HIGHMEM|__GFP_NOWARN), pid 5821, tgid 5820 (syz.0.15), ts 123316051472, free_ts 123283007135
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1537
prep_new_page mm/page_alloc.c:1545 [inline]
get_page_from_freelist+0x303f/0x3190 mm/page_alloc.c:3457
__alloc_pages_noprof+0x292/0x710 mm/page_alloc.c:4733
alloc_pages_bulk_noprof+0x729/0xd40 mm/page_alloc.c:4681
alloc_pages_bulk_array_mempolicy_noprof+0x8ea/0x1600 mm/mempolicy.c:2556
vm_area_alloc_pages mm/vmalloc.c:3542 [inline]
__vmalloc_area_node mm/vmalloc.c:3646 [inline]
__vmalloc_node_range_noprof+0x752/0x13f0 mm/vmalloc.c:3828
__vmalloc_node_noprof mm/vmalloc.c:3893 [inline]
vmalloc_noprof+0x79/0x90 mm/vmalloc.c:3926
__nd_ioctl drivers/nvdimm/bus.c:1169 [inline]
nd_ioctl+0x1594/0x1fd0 drivers/nvdimm/bus.c:1264
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 5712 tgid 5712 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1108 [inline]
free_unref_page+0xcfb/0xf20 mm/page_alloc.c:2638
__slab_free+0x31b/0x3d0 mm/slub.c:4490
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x9a/0x140 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x14f/0x170 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x23/0x80 mm/kasan/common.c:329
kasan_slab_alloc include/linux/kasan.h:247 [inline]
slab_post_alloc_hook mm/slub.c:4085 [inline]
slab_alloc_node mm/slub.c:4134 [inline]
kmem_cache_alloc_noprof+0x135/0x2a0 mm/slub.c:4141
getname_kernel+0x59/0x2f0 fs/namei.c:234
kern_path+0x1d/0x50 fs/namei.c:2716
tomoyo_mount_acl security/tomoyo/mount.c:136 [inline]
tomoyo_mount_permission+0x8db/0xb80 security/tomoyo/mount.c:237
security_sb_mount+0xe0/0x2f0 security/security.c:1565
path_mount+0xb9/0xfa0 fs/namespace.c:3776
do_mount fs/namespace.c:3847 [inline]
__do_sys_mount fs/namespace.c:4057 [inline]
__se_sys_mount+0x2d6/0x3c0 fs/namespace.c:4034
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
ffffc9000169df00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
ffffc9000169df80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
>ffffc9000169e000: 00 00 00 00 00 00 00 03 f8 f8 f8 f8 f8 f8 f8 f8
^
ffffc9000169e080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
ffffc9000169e100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
==================================================================


Tested on:

commit: ff7afaec Merge tag 'nfs-for-6.12-3' of git://git.linux..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1504ae30580000
kernel config: https://syzkaller.appspot.com/x/.config?x=11254d3590b16717
dashboard link: https://syzkaller.appspot.com/bug?extid=7534f060ebda6b8b51b3
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=14d2df40580000

syzbot

Nov 7, 2024, 2:56:33 PM
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: Re: [syzbot] [acpi?] [nvdimm?] KASAN: vmalloc-out-of-bounds Read in acpi_nfit_ctl (2)
Author: surajson...@gmail.com

#syz test

On Tue, Nov 5, 2024 at 8:58 PM syzbot <syzbot+7534f0...@syzkaller.appspotmail.com> wrote:

syzbot

Nov 7, 2024, 3:18:06 PM
to linux-...@vger.kernel.org, surajson...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

nx6: QNX6 filesystem 1.0.0 registered.
[ 8.170952][ T1] fuse: init (API version 7.41)
[ 8.177946][ T1] orangefs_debugfs_init: called with debug mask: :none: :0:
[ 8.183363][ T1] orangefs_init: module version upstream loaded
[ 8.187965][ T1] JFS: nTxBlock = 6193, nTxLock = 49545
[ 8.208314][ T1] SGI XFS with ACLs, security attributes, realtime, quota, no debug enabled
[ 8.216600][ T1] 9p: Installing v9fs 9p2000 file system support
[ 8.220716][ T1] NILFS version 2 loaded
[ 8.223207][ T1] befs: version: 0.9.3
[ 8.226735][ T1] ocfs2: Registered cluster interface o2cb
[ 8.231974][ T1] ocfs2: Registered cluster interface user
[ 8.236251][ T1] OCFS2 User DLM kernel interface loaded
[ 8.249844][ T1] gfs2: GFS2 installed
[ 8.263620][ T1] ceph: loaded (mds proto 32)
[ 8.291737][ T1] NET: Registered PF_ALG protocol family
[ 8.295731][ T1] xor: automatically using best checksumming function avx
[ 8.301190][ T1] async_tx: api initialized (async)
[ 8.304560][ T1] Key type asymmetric registered
[ 8.308011][ T1] Asymmetric key parser 'x509' registered
[ 8.311630][ T1] Asymmetric key parser 'pkcs8' registered
[ 8.315349][ T1] Key type pkcs7_test registered
[ 8.319667][ T1] Block layer SCSI generic (bsg) driver version 0.4 loaded (major 238)
[ 8.325838][ T1] io scheduler mq-deadline registered
[ 8.329570][ T1] io scheduler kyber registered
[ 8.332988][ T1] io scheduler bfq registered
[ 8.359110][ T1] ACPI: \_SB_.GSIE: Enabled at IRQ 20
[ 8.370806][ T1] pcieport 0000:00:04.0: PME: Signaling with IRQ 25
[ 8.379322][ T1] pcieport 0000:00:04.0: AER: enabled with IRQ 26
[ 8.391225][ T140] kworker/u4:2 (140) used greatest stack depth: 25104 bytes left
[ 8.398097][ T1] input: Power Button as /devices/LNXSYSTM:00/LNXPWRBN:00/input/input0
[ 8.436998][ T1] ACPI: button: Power Button [PWRF]
[ 8.637134][ T1] ==================================================================
[ 8.642545][ T1] BUG: KASAN: stack-out-of-bounds in acpi_nfit_ctl+0x1c8a/0x2540
[ 8.646090][ T1] Read of size 4 at addr ffffc900003371e0 by task swapper/0/1
[ 8.646090][ T1]
[ 8.646090][ T1] CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12.0-rc6-syzkaller-00114-g80fb25341631-dirty #0
[ 8.646090][ T1] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 8.646090][ T1] Call Trace:
[ 8.646090][ T1] <TASK>
[ 8.646090][ T1] dump_stack_lvl+0x241/0x360
[ 8.646090][ T1] ? __pfx_dump_stack_lvl+0x10/0x10
[ 8.646090][ T1] ? __pfx__printk+0x10/0x10
[ 8.646090][ T1] ? _printk+0xd5/0x120
[ 8.646090][ T1] print_report+0x169/0x550
[ 8.646090][ T1] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[ 8.646090][ T1] ? __virt_addr_valid+0xbd/0x530
[ 8.646090][ T1] ? acpi_nfit_ctl+0x1c8a/0x2540
[ 8.646090][ T1] kasan_report+0x143/0x180
[ 8.646090][ T1] ? acpi_nfit_ctl+0x1c8a/0x2540
[ 8.646090][ T1] acpi_nfit_ctl+0x1c8a/0x2540
[ 8.646090][ T1] ? mark_lock+0x9a/0x360
[ 8.646090][ T1] ? __pfx_acpi_nfit_ctl+0x10/0x10
[ 8.646090][ T1] ? nfit_spa_type+0x81/0x410
[ 8.646090][ T1] ? nfit_spa_type+0x378/0x410
[ 8.646090][ T1] ? __pfx_nfit_spa_type+0x10/0x10
[ 8.646090][ T1] ? mark_lock+0x9a/0x360
[ 8.646090][ T1] acpi_nfit_register_regions+0x2ae/0xf50
[ 8.646090][ T1] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[ 8.646090][ T1] ? __pfx_acpi_nfit_register_regions+0x10/0x10
[ 8.646090][ T1] ? _raw_spin_unlock_irqrestore+0xdd/0x140
[ 8.646090][ T1] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 8.646090][ T1] ? __kmalloc_node_track_caller_noprof+0x242/0x440
[ 8.646090][ T1] acpi_nfit_init+0x6fd0/0x7060
[ 8.646090][ T1] ? __pfx_acpi_nfit_init+0x10/0x10
[ 8.646090][ T1] ? acpi_evaluate_object+0x9a3/0xaf0
[ 8.646090][ T1] ? acpi_nfit_add+0x2f3/0x620
[ 8.646090][ T1] acpi_nfit_add+0x469/0x620
[ 8.646090][ T1] ? __pfx_acpi_nfit_add+0x10/0x10
[ 8.646090][ T1] ? kernfs_put+0x315/0x370
[ 8.646090][ T1] acpi_device_probe+0xa5/0x2b0
[ 8.646090][ T1] ? really_probe+0x274/0xad0
[ 8.646090][ T1] ? __pfx_acpi_device_probe+0x10/0x10
[ 8.646090][ T1] really_probe+0x2b8/0xad0
[ 8.646090][ T1] __driver_probe_device+0x1a2/0x390
[ 8.646090][ T1] driver_probe_device+0x50/0x430
[ 8.646090][ T1] __driver_attach+0x45f/0x710
[ 8.646090][ T1] ? __pfx___driver_attach+0x10/0x10
[ 8.646090][ T1] bus_for_each_dev+0x239/0x2b0
[ 8.646090][ T1] ? __pfx___driver_attach+0x10/0x10
[ 8.646090][ T1] ? __pfx_bus_for_each_dev+0x10/0x10
[ 8.646090][ T1] bus_add_driver+0x346/0x670
[ 8.646090][ T1] driver_register+0x23a/0x320
[ 8.646090][ T1] nfit_init+0x166/0x1b0
[ 8.646090][ T1] ? __pfx_nfit_init+0x10/0x10
[ 8.646090][ T1] do_one_initcall+0x248/0x880
[ 8.646090][ T1] ? __pfx_nfit_init+0x10/0x10
[ 8.646090][ T1] ? __pfx_do_one_initcall+0x10/0x10
[ 8.646090][ T1] ? __pfx_parse_args+0x10/0x10
[ 8.646090][ T1] ? rcu_is_watching+0x15/0xb0
[ 8.646090][ T1] do_initcall_level+0x157/0x210
[ 8.646090][ T1] do_initcalls+0x3f/0x80
[ 8.646090][ T1] kernel_init_freeable+0x435/0x5d0
[ 8.646090][ T1] ? __pfx_kernel_init_freeable+0x10/0x10
[ 8.646090][ T1] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[ 8.646090][ T1] ? __pfx_kernel_init+0x10/0x10
[ 8.646090][ T1] ? __pfx_kernel_init+0x10/0x10
[ 8.646090][ T1] ? __pfx_kernel_init+0x10/0x10
[ 8.646090][ T1] kernel_init+0x1d/0x2b0
[ 8.646090][ T1] ret_from_fork+0x4b/0x80
[ 8.646090][ T1] ? __pfx_kernel_init+0x10/0x10
[ 8.646090][ T1] ret_from_fork_asm+0x1a/0x30
[ 8.646090][ T1] </TASK>
[ 8.646090][ T1]
[ 8.646090][ T1] The buggy address belongs to stack of task swapper/0/1
[ 8.646090][ T1] and is located at offset 160 in frame:
[ 8.646090][ T1] acpi_nfit_register_regions+0x0/0xf50
[ 8.646090][ T1]
[ 8.646090][ T1] This frame has 4 objects:
[ 8.646090][ T1] [32, 36) 'cmd_rc.i.i87'
[ 8.646090][ T1] [48, 80) 'ars_start.i.i'
[ 8.646090][ T1] [112, 116) 'cmd_rc.i.i'
[ 8.646090][ T1] [128, 160) 'ars_cap.i'
[ 8.646090][ T1]
[ 8.646090][ T1] The buggy address belongs to the virtual mapping at
[ 8.646090][ T1] [ffffc90000330000, ffffc90000339000) created by:
[ 8.646090][ T1] copy_process+0x5d1/0x3d50
[ 8.646090][ T1]
[ 8.646090][ T1] The buggy address belongs to the physical page:
[ 8.646090][ T1] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x312a4
[ 8.646090][ T1] flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
[ 8.646090][ T1] raw: 04fff00000000000 0000000000000000 dead000000000122 0000000000000000
[ 8.646090][ T1] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 8.646090][ T1] page dumped because: kasan: bad access detected
[ 8.646090][ T1] page_owner tracks the page as allocated
[ 8.646090][ T1] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2102(__GFP_HIGHMEM|__GFP_NOWARN|__GFP_ZERO), pid 0, tgid 0 (swapper/0), ts 2318285947, free_ts 0
[ 8.646090][ T1] post_alloc_hook+0x1f3/0x230
[ 8.646090][ T1] get_page_from_freelist+0x303f/0x3190
[ 8.646090][ T1] __alloc_pages_noprof+0x292/0x710
[ 8.646090][ T1] alloc_pages_mpol_noprof+0x3e8/0x680
[ 8.646090][ T1] __vmalloc_node_range_noprof+0xa2b/0x13f0
[ 8.646090][ T1] dup_task_struct+0x444/0x8c0
[ 8.646090][ T1] copy_process+0x5d1/0x3d50
[ 8.646090][ T1] kernel_clone+0x226/0x8f0
[ 8.646090][ T1] user_mode_thread+0x132/0x1a0
[ 8.646090][ T1] rest_init+0x23/0x300
[ 8.646090][ T1] start_kernel+0x47f/0x500
[ 8.646090][ T1] x86_64_start_reservations+0x2a/0x30
[ 8.646090][ T1] x86_64_start_kernel+0x9f/0xa0
[ 8.646090][ T1] common_startup_64+0x13e/0x147
[ 8.646090][ T1] page_owner free stack trace missing
[ 8.646090][ T1]
[ 8.646090][ T1] Memory state around the buggy address:
[ 8.646090][ T1] ffffc90000337080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 8.646090][ T1] ffffc90000337100: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 04 f2 00 00
[ 8.646090][ T1] >ffffc90000337180: 00 00 f2 f2 f2 f2 04 f2 00 00 00 00 f3 f3 f3 f3
[ 8.646090][ T1] ^
[ 8.646090][ T1] ffffc90000337200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 8.646090][ T1] ffffc90000337280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 8.646090][ T1] ==================================================================
[ 9.044043][ T1] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 9.048635][ T1] CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12.0-rc6-syzkaller-00114-g80fb25341631-dirty #0
[ 9.053640][ T1] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 9.053640][ T1] Call Trace:
[ 9.053640][ T1] <TASK>
[ 9.053640][ T1] dump_stack_lvl+0x241/0x360
[ 9.053640][ T1] ? __pfx_dump_stack_lvl+0x10/0x10
[ 9.053640][ T1] ? __pfx__printk+0x10/0x10
[ 9.053640][ T1] ? preempt_schedule+0xe1/0xf0
[ 9.053640][ T1] ? vscnprintf+0x5d/0x90
[ 9.053640][ T1] panic+0x349/0x880
[ 9.053640][ T1] ? check_panic_on_warn+0x21/0xb0
[ 9.053640][ T1] ? __pfx_panic+0x10/0x10
[ 9.053640][ T1] ? _raw_spin_unlock_irqrestore+0x130/0x140
[ 9.053640][ T1] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 9.053640][ T1] ? print_report+0x502/0x550
[ 9.053640][ T1] check_panic_on_warn+0x86/0xb0
[ 9.053640][ T1] ? acpi_nfit_ctl+0x1c8a/0x2540
[ 9.053640][ T1] end_report+0x77/0x160
[ 9.053640][ T1] kasan_report+0x154/0x180
[ 9.053640][ T1] ? acpi_nfit_ctl+0x1c8a/0x2540
[ 9.053640][ T1] acpi_nfit_ctl+0x1c8a/0x2540
[ 9.053640][ T1] ? mark_lock+0x9a/0x360
[ 9.053640][ T1] ? __pfx_acpi_nfit_ctl+0x10/0x10
[ 9.053640][ T1] ? nfit_spa_type+0x81/0x410
[ 9.053640][ T1] ? nfit_spa_type+0x378/0x410
[ 9.053640][ T1] ? __pfx_nfit_spa_type+0x10/0x10
[ 9.053640][ T1] ? mark_lock+0x9a/0x360
[ 9.053640][ T1] acpi_nfit_register_regions+0x2ae/0xf50
[ 9.053640][ T1] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[ 9.053640][ T1] ? __pfx_acpi_nfit_register_regions+0x10/0x10
[ 9.053640][ T1] ? _raw_spin_unlock_irqrestore+0xdd/0x140
[ 9.053640][ T1] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 9.053640][ T1] ? __kmalloc_node_track_caller_noprof+0x242/0x440
[ 9.053640][ T1] acpi_nfit_init+0x6fd0/0x7060
[ 9.053640][ T1] ? __pfx_acpi_nfit_init+0x10/0x10
[ 9.053640][ T1] ? acpi_evaluate_object+0x9a3/0xaf0
[ 9.053640][ T1] ? acpi_nfit_add+0x2f3/0x620
[ 9.053640][ T1] acpi_nfit_add+0x469/0x620
[ 9.053640][ T1] ? __pfx_acpi_nfit_add+0x10/0x10
[ 9.053640][ T1] ? kernfs_put+0x315/0x370
[ 9.053640][ T1] acpi_device_probe+0xa5/0x2b0
[ 9.053640][ T1] ? really_probe+0x274/0xad0
[ 9.053640][ T1] ? __pfx_acpi_device_probe+0x10/0x10
[ 9.053640][ T1] really_probe+0x2b8/0xad0
[ 9.053640][ T1] __driver_probe_device+0x1a2/0x390
[ 9.053640][ T1] driver_probe_device+0x50/0x430
[ 9.053640][ T1] __driver_attach+0x45f/0x710
[ 9.053640][ T1] ? __pfx___driver_attach+0x10/0x10
[ 9.053640][ T1] bus_for_each_dev+0x239/0x2b0
[ 9.053640][ T1] ? __pfx___driver_attach+0x10/0x10
[ 9.053640][ T1] ? __pfx_bus_for_each_dev+0x10/0x10
[ 9.053640][ T1] bus_add_driver+0x346/0x670
[ 9.053640][ T1] driver_register+0x23a/0x320
[ 9.053640][ T1] nfit_init+0x166/0x1b0
[ 9.053640][ T1] ? __pfx_nfit_init+0x10/0x10
[ 9.053640][ T1] do_one_initcall+0x248/0x880
[ 9.053640][ T1] ? __pfx_nfit_init+0x10/0x10
[ 9.053640][ T1] ? __pfx_do_one_initcall+0x10/0x10
[ 9.053640][ T1] ? __pfx_parse_args+0x10/0x10
[ 9.053640][ T1] ? rcu_is_watching+0x15/0xb0
[ 9.053640][ T1] do_initcall_level+0x157/0x210
[ 9.053640][ T1] do_initcalls+0x3f/0x80
[ 9.053640][ T1] kernel_init_freeable+0x435/0x5d0
[ 9.053640][ T1] ? __pfx_kernel_init_freeable+0x10/0x10
[ 9.053640][ T1] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[ 9.053640][ T1] ? __pfx_kernel_init+0x10/0x10
[ 9.053640][ T1] ? __pfx_kernel_init+0x10/0x10
[ 9.053640][ T1] ? __pfx_kernel_init+0x10/0x10
[ 9.053640][ T1] kernel_init+0x1d/0x2b0
[ 9.053640][ T1] ret_from_fork+0x4b/0x80
[ 9.053640][ T1] ? __pfx_kernel_init+0x10/0x10
[ 9.053640][ T1] ret_from_fork_asm+0x1a/0x30
[ 9.053640][ T1] </TASK>
[ 9.053640][ T1] Kernel Offset: disabled
[ 9.053640][ T1] Rebooting in 86400 seconds..


syzkaller build log:

git status (err=<nil>)
HEAD detached at da38b4c931f
nothing to commit, working tree clean


tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
go fmt ./sys/... >/dev/null
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=da38b4c931f2882f34163d41ac10bfc78112afc8 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20241105-104654'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
mkdir -p ./bin/linux_amd64
g++ -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -std=c++17 -I. -Iexecutor/_include -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"da38b4c931f2882f34163d41ac10bfc78112afc8\"
/usr/bin/ld: /tmp/cco8PKHf.o: in function `test_cover_filter()':
executor.cc:(.text+0x1426b): warning: the use of `tempnam' is dangerous, better use `mkstemp'
/usr/bin/ld: /tmp/cco8PKHf.o: in function `Connection::Connect(char const*, char const*)':
executor.cc:(.text._ZN10Connection7ConnectEPKcS1_[_ZN10Connection7ConnectEPKcS1_]+0x104): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=15fb3f40580000


Tested on:

commit: 80fb2534 Merge tag 'pwm/for-6.12-rc7-fixes' of git://g..
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=11254d3590b16717
dashboard link: https://syzkaller.appspot.com/bug?extid=7534f060ebda6b8b51b3
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=100b2d87980000

syzbot

Nov 8, 2024, 9:59:09 AM
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: Re: [syzbot] [acpi?] [nvdimm?] KASAN: vmalloc-out-of-bounds Read in acpi_nfit_ctl (2)
Author: surajson...@gmail.com

#syz test

On Tue, Nov 5, 2024 at 8:58 PM syzbot <syzbot+7534f0...@syzkaller.appspotmail.com> wrote:

syzbot

Nov 8, 2024, 10:19:06 AM
to linux-...@vger.kernel.org, surajson...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+7534f0...@syzkaller.appspotmail.com
Tested-by: syzbot+7534f0...@syzkaller.appspotmail.com

Tested on:

commit: 906bd684 Merge tag 'spi-fix-v6.12-rc6' of git://git.ke..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1207ee30580000
kernel config: https://syzkaller.appspot.com/x/.config?x=64aa0d9945bd5c1
dashboard link: https://syzkaller.appspot.com/bug?extid=7534f060ebda6b8b51b3
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=174220c0580000

Note: testing is done by a robot and is best-effort only.

Suraj Sonawane

Nov 10, 2024, 5:35:37 AM
to syzbot, dan.j.w...@intel.com, dave....@intel.com, ira....@intel.com, le...@kernel.org, linux...@vger.kernel.org, linux-...@vger.kernel.org, nvd...@lists.linux.dev, raf...@kernel.org, syzkall...@googlegroups.com, vishal....@intel.com
#syz test

On Tue, Nov 5, 2024 at 8:58 PM syzbot <syzbot+7534f0...@syzkaller.appspotmail.com> wrote:
0001-v3KASAN-vmalloc-out-of-bounds-Read-in-acpi_nfit_ctl-.patch

syzbot

Nov 10, 2024, 5:55:04 AM
to dan.j.w...@intel.com, dave....@intel.com, ira....@intel.com, le...@kernel.org, linux...@vger.kernel.org, linux-...@vger.kernel.org, nvd...@lists.linux.dev, raf...@kernel.org, surajson...@gmail.com, syzkall...@googlegroups.com, vishal....@intel.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+7534f0...@syzkaller.appspotmail.com
Tested-by: syzbot+7534f0...@syzkaller.appspotmail.com

Tested on:

commit: de2f378f Merge tag 'nfsd-6.12-4' of git://git.kernel.o..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=102594e8580000
kernel config: https://syzkaller.appspot.com/x/.config?x=64aa0d9945bd5c1
dashboard link: https://syzkaller.appspot.com/bug?extid=7534f060ebda6b8b51b3
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=11629ea7980000

Suraj Sonawane

Nov 13, 2024, 7:07:44 AM
to syzbot, dan.j.w...@intel.com, dave....@intel.com, ira....@intel.com, le...@kernel.org, linux...@vger.kernel.org, linux-...@vger.kernel.org, nvd...@lists.linux.dev, raf...@kernel.org, syzkall...@googlegroups.com, vishal....@intel.com
#syz test

On Tue, Nov 5, 2024 at 8:58 PM syzbot <syzbot+7534f0...@syzkaller.appspotmail.com> wrote:
0001-PATCH-v4-KASAN-vmalloc-out-of-bounds-Read-in-acpi_nf.patch

syzbot

Nov 13, 2024, 7:27:04 AM
to dan.j.w...@intel.com, dave....@intel.com, ira....@intel.com, le...@kernel.org, linux...@vger.kernel.org, linux-...@vger.kernel.org, nvd...@lists.linux.dev, raf...@kernel.org, surajson...@gmail.com, syzkall...@googlegroups.com, vishal....@intel.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+7534f0...@syzkaller.appspotmail.com
Tested-by: syzbot+7534f0...@syzkaller.appspotmail.com

Tested on:

commit: f1b785f4 Merge tag 'for_linus' of git://git.kernel.org..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=17ca8df7980000
kernel config: https://syzkaller.appspot.com/x/.config?x=d2aeec8c0b2e420c
dashboard link: https://syzkaller.appspot.com/bug?extid=7534f060ebda6b8b51b3
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=11d20b5f980000

syzbot

Nov 15, 2024, 10:26:41 AM
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: Re: [syzbot] [acpi?] [nvdimm?] KASAN: vmalloc-out-of-bounds Read in acpi_nfit_ctl (2)
Author: surajson...@gmail.com

#syz test

On Tue, Nov 5, 2024 at 8:58 PM syzbot <syzbot+7534f0...@syzkaller.appspotmail.com> wrote:

syzbot

Nov 15, 2024, 10:46:04 AM
to linux-...@vger.kernel.org, surajson...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+7534f0...@syzkaller.appspotmail.com
Tested-by: syzbot+7534f0...@syzkaller.appspotmail.com

Tested on:

commit: cfaaa7d0 Merge tag 'net-6.12-rc8' of git://git.kernel...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13845130580000
kernel config: https://syzkaller.appspot.com/x/.config?x=d2aeec8c0b2e420c
dashboard link: https://syzkaller.appspot.com/bug?extid=7534f060ebda6b8b51b3
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=172adcc0580000

Suraj Sonawane

Nov 16, 2024, 5:18:33 AM
to syzbot, dan.j.w...@intel.com, dave....@intel.com, ira....@intel.com, le...@kernel.org, linux...@vger.kernel.org, linux-...@vger.kernel.org, nvd...@lists.linux.dev, raf...@kernel.org, syzkall...@googlegroups.com, vishal....@intel.com
#syz test

On Tue, Nov 5, 2024 at 8:58 PM syzbot <syzbot+7534f0...@syzkaller.appspotmail.com> wrote:
0001-fix-vmalloc.patch

syzbot

Nov 16, 2024, 5:38:04 AM
to dan.j.w...@intel.com, dave....@intel.com, ira....@intel.com, le...@kernel.org, linux...@vger.kernel.org, linux-...@vger.kernel.org, nvd...@lists.linux.dev, raf...@kernel.org, surajson...@gmail.com, syzkall...@googlegroups.com, vishal....@intel.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+7534f0...@syzkaller.appspotmail.com
Tested-by: syzbot+7534f0...@syzkaller.appspotmail.com

Tested on:

commit: e8bdb3c8 Merge tag 'riscv-for-linus-6.12-rc8' of git:/..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12a112c0580000
kernel config: https://syzkaller.appspot.com/x/.config?x=d2aeec8c0b2e420c
dashboard link: https://syzkaller.appspot.com/bug?extid=7534f060ebda6b8b51b3
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=109e12c0580000

syzbot

Nov 18, 2024, 7:30:56 AM
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: Re: [syzbot] [acpi?] [nvdimm?] KASAN: vmalloc-out-of-bounds Read in acpi_nfit_ctl (2)
Author: surajson...@gmail.com

#syz test

On Tue, Nov 5, 2024 at 8:58 PM syzbot <syzbot+7534f0...@syzkaller.appspotmail.com> wrote:

syzbot

Nov 18, 2024, 7:45:05 AM
to linux-...@vger.kernel.org, surajson...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: vmalloc-out-of-bounds Read in acpi_nfit_ctl

==================================================================
BUG: KASAN: vmalloc-out-of-bounds in cmd_to_func drivers/acpi/nfit/core.c:416 [inline]
BUG: KASAN: vmalloc-out-of-bounds in acpi_nfit_ctl+0x20e8/0x24a0 drivers/acpi/nfit/core.c:465
Read of size 4 at addr ffffc90001106038 by task syz.0.15/5811

CPU: 0 UID: 0 PID: 5811 Comm: syz.0.15 Not tainted 6.12.0-syzkaller-dirty #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
cmd_to_func drivers/acpi/nfit/core.c:416 [inline]
acpi_nfit_ctl+0x20e8/0x24a0 drivers/acpi/nfit/core.c:465
__nd_ioctl drivers/nvdimm/bus.c:1186 [inline]
nd_ioctl+0x1844/0x1fd0 drivers/nvdimm/bus.c:1264
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f51e537e719
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f51e61fb038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f51e5535f80 RCX: 00007f51e537e719
RDX: 0000000020000180 RSI: 00000000c008640a RDI: 0000000000000003
RBP: 00007f51e53f139e R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f51e5535f80 R15: 00007ffe9dc12f58
</TASK>

The buggy address belongs to the virtual mapping at
[ffffc90001106000, ffffc90001108000) created by:
__nd_ioctl drivers/nvdimm/bus.c:1169 [inline]
nd_ioctl+0x1594/0x1fd0 drivers/nvdimm/bus.c:1264

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88803f405500 pfn:0x3f405
flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
raw: 04fff00000000000 0000000000000000 dead000000000122 0000000000000000
raw: ffff88803f405500 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2cc2(GFP_KERNEL|__GFP_HIGHMEM|__GFP_NOWARN), pid 5811, tgid 5810 (syz.0.15), ts 121385960669, free_ts 121037718009
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1556
prep_new_page mm/page_alloc.c:1564 [inline]
get_page_from_freelist+0x3649/0x3790 mm/page_alloc.c:3474
__alloc_pages_noprof+0x292/0x710 mm/page_alloc.c:4751
alloc_pages_bulk_noprof+0x70b/0xcc0 mm/page_alloc.c:4699
alloc_pages_bulk_array_mempolicy_noprof+0x8ea/0x1600 mm/mempolicy.c:2556
vm_area_alloc_pages mm/vmalloc.c:3542 [inline]
__vmalloc_area_node mm/vmalloc.c:3646 [inline]
__vmalloc_node_range_noprof+0x752/0x13f0 mm/vmalloc.c:3828
__vmalloc_node_noprof mm/vmalloc.c:3893 [inline]
vmalloc_noprof+0x79/0x90 mm/vmalloc.c:3926
__nd_ioctl drivers/nvdimm/bus.c:1169 [inline]
nd_ioctl+0x1594/0x1fd0 drivers/nvdimm/bus.c:1264
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 5804 tgid 5804 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1127 [inline]
free_unref_folios+0xf37/0x1a20 mm/page_alloc.c:2704
folios_put_refs+0x76c/0x860 mm/swap.c:993
free_pages_and_swap_cache+0x5c8/0x690 mm/swap_state.c:335
__tlb_batch_free_encoded_pages mm/mmu_gather.c:136 [inline]
tlb_batch_pages_flush mm/mmu_gather.c:149 [inline]
tlb_flush_mmu_free mm/mmu_gather.c:366 [inline]
tlb_flush_mmu+0x3a3/0x680 mm/mmu_gather.c:373
tlb_finish_mmu+0xd4/0x200 mm/mmu_gather.c:465
exit_mmap+0x496/0xc40 mm/mmap.c:1936
__mmput+0x115/0x390 kernel/fork.c:1348
exec_mmap+0x680/0x710 fs/exec.c:1014
begin_new_exec+0x12c0/0x2050 fs/exec.c:1280
load_elf_binary+0x966/0x2710 fs/binfmt_elf.c:996
search_binary_handler fs/exec.c:1752 [inline]
exec_binprm fs/exec.c:1794 [inline]
bprm_execve+0xaf8/0x1770 fs/exec.c:1845
do_execveat_common+0x55f/0x6f0 fs/exec.c:1952
do_execve fs/exec.c:2026 [inline]
__do_sys_execve fs/exec.c:2102 [inline]
__se_sys_execve fs/exec.c:2097 [inline]
__x64_sys_execve+0x92/0xb0 fs/exec.c:2097
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
ffffc90001105f00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
ffffc90001105f80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
>ffffc90001106000: 00 00 00 00 00 00 00 03 f8 f8 f8 f8 f8 f8 f8 f8
^
ffffc90001106080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
ffffc90001106100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
==================================================================


Tested on:

commit: adc21867 Linux 6.12
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15488ac0580000
kernel config: https://syzkaller.appspot.com/x/.config?x=e31661728c1a4027
dashboard link: https://syzkaller.appspot.com/bug?extid=7534f060ebda6b8b51b3
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=162ecbf7980000

syzbot

Nov 18, 2024, 8:21:32 AM
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: Re: [syzbot] [acpi?] [nvdimm?] KASAN: vmalloc-out-of-bounds Read in acpi_nfit_ctl (2)
Author: surajson...@gmail.com

#syz test

On Tue, Nov 5, 2024 at 8:58 PM syzbot <syzbot+7534f0...@syzkaller.appspotmail.com> wrote:

syzbot

Nov 18, 2024, 8:41:05 AM
to linux-...@vger.kernel.org, surajson...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+7534f0...@syzkaller.appspotmail.com
Tested-by: syzbot+7534f0...@syzkaller.appspotmail.com

Tested on:

commit: adc21867 Linux 6.12
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1189bb5f980000
kernel config: https://syzkaller.appspot.com/x/.config?x=e31661728c1a4027
dashboard link: https://syzkaller.appspot.com/bug?extid=7534f060ebda6b8b51b3
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=12086ac0580000

syzbot

Nov 18, 2024, 11:01:42 AM
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: Re: [syzbot] [acpi?] [nvdimm?] KASAN: vmalloc-out-of-bounds Read in acpi_nfit_ctl (2)
Author: surajson...@gmail.com

#syz test

On Tue, Nov 5, 2024 at 8:58 PM syzbot <syzbot+7534f0...@syzkaller.appspotmail.com> wrote:

syzbot

Nov 18, 2024, 11:22:05 AM
to linux-...@vger.kernel.org, surajson...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+7534f0...@syzkaller.appspotmail.com
Tested-by: syzbot+7534f0...@syzkaller.appspotmail.com

Tested on:

commit: adc21867 Linux 6.12
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14664930580000
kernel config: https://syzkaller.appspot.com/x/.config?x=e31661728c1a4027
dashboard link: https://syzkaller.appspot.com/bug?extid=7534f060ebda6b8b51b3
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=10e16ac0580000