[v5.15] KASAN: slab-out-of-bounds Read in hfsplus_uni2asc


syzbot
Mar 16, 2023, 1:02:49 AM
to syzkaller...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 2ddbd0f967b3 Linux 5.15.102
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=11225556c80000
kernel config: https://syzkaller.appspot.com/x/.config?x=d6af46e4bd7d6a2f
dashboard link: https://syzkaller.appspot.com/bug?extid=7f3880bcabffacd625d8
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: arm64

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/d46a989959b6/disk-2ddbd0f9.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/4d06a9b2ddaf/vmlinux-2ddbd0f9.xz
kernel image: https://storage.googleapis.com/syzbot-assets/0921009430c0/Image-2ddbd0f9.gz.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+7f3880...@syzkaller.appspotmail.com

loop3: detected capacity change from 0 to 1024
==================================================================
BUG: KASAN: slab-out-of-bounds in hfsplus_uni2asc+0x624/0x1018 fs/hfsplus/unicode.c:179
Read of size 2 at addr ffff0000cef69218 by task syz-executor.3/27760

CPU: 0 PID: 27760 Comm: syz-executor.3 Not tainted 5.15.102-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Call trace:
dump_backtrace+0x0/0x530 arch/arm64/kernel/stacktrace.c:152
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:216
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
print_address_description+0x7c/0x3f0 mm/kasan/report.c:248
__kasan_report mm/kasan/report.c:434 [inline]
kasan_report+0x174/0x1e4 mm/kasan/report.c:451
__asan_report_load2_noabort+0x44/0x50 mm/kasan/report_generic.c:307
hfsplus_uni2asc+0x624/0x1018 fs/hfsplus/unicode.c:179
hfsplus_listxattr+0x5bc/0xc9c fs/hfsplus/xattr.c:736
vfs_listxattr fs/xattr.c:448 [inline]
listxattr+0x29c/0x3e4 fs/xattr.c:783
path_listxattr fs/xattr.c:807 [inline]
__do_sys_llistxattr fs/xattr.c:825 [inline]
__se_sys_llistxattr fs/xattr.c:822 [inline]
__arm64_sys_llistxattr+0x13c/0x21c fs/xattr.c:822
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:596
el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:614
el0t_64_sync+0x1a0/0x1a4 <unknown>:584

Allocated by task 27760:
kasan_save_stack mm/kasan/common.c:38 [inline]
kasan_set_track mm/kasan/common.c:46 [inline]
set_alloc_info mm/kasan/common.c:434 [inline]
____kasan_kmalloc+0xbc/0xfc mm/kasan/common.c:513
__kasan_kmalloc+0x10/0x1c mm/kasan/common.c:522
kasan_kmalloc include/linux/kasan.h:264 [inline]
__kmalloc+0x26c/0x404 mm/slub.c:4407
kmalloc include/linux/slab.h:596 [inline]
hfsplus_find_init+0x84/0x1bc fs/hfsplus/bfind.c:21
hfsplus_listxattr+0x31c/0xc9c fs/hfsplus/xattr.c:696
vfs_listxattr fs/xattr.c:448 [inline]
listxattr+0x29c/0x3e4 fs/xattr.c:783
path_listxattr fs/xattr.c:807 [inline]
__do_sys_llistxattr fs/xattr.c:825 [inline]
__se_sys_llistxattr fs/xattr.c:822 [inline]
__arm64_sys_llistxattr+0x13c/0x21c fs/xattr.c:822
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:596
el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:614
el0t_64_sync+0x1a0/0x1a4 <unknown>:584

Last potentially related work creation:
kasan_save_stack+0x38/0x68 mm/kasan/common.c:38
kasan_record_aux_stack+0xd4/0x11c mm/kasan/generic.c:348
kvfree_call_rcu+0xb8/0x684 kernel/rcu/tree.c:3559
batadv_hardif_release net/batman-adv/hard-interface.c:54 [inline]
kref_put include/linux/kref.h:65 [inline]
batadv_hardif_put+0x100/0x19c net/batman-adv/hard-interface.h:95
batadv_hard_if_event+0x650/0xde8 net/batman-adv/hard-interface.c:996
notifier_call_chain kernel/notifier.c:83 [inline]
raw_notifier_call_chain+0xd4/0x164 kernel/notifier.c:391
call_netdevice_notifiers_info net/core/dev.c:1998 [inline]
call_netdevice_notifiers_extack net/core/dev.c:2010 [inline]
call_netdevice_notifiers net/core/dev.c:2024 [inline]
unregister_netdevice_many+0xec4/0x189c net/core/dev.c:11065
ip_tunnel_delete_nets+0x2b4/0x308 net/ipv4/ip_tunnel.c:1123
erspan_exit_batch_net+0x30/0x40 net/ipv4/ip_gre.c:1721
ops_exit_list net/core/net_namespace.c:174 [inline]
cleanup_net+0x5e0/0x9bc net/core/net_namespace.c:596
process_one_work+0x84c/0x14b8 kernel/workqueue.c:2306
worker_thread+0x910/0x1034 kernel/workqueue.c:2453
kthread+0x37c/0x45c kernel/kthread.c:319
ret_from_fork+0x10/0x20 <unknown>:870

Second to last potentially related work creation:
kasan_save_stack+0x38/0x68 mm/kasan/common.c:38
kasan_record_aux_stack+0xd4/0x11c mm/kasan/generic.c:348
kvfree_call_rcu+0xb8/0x684 kernel/rcu/tree.c:3559
drop_sysctl_table+0x274/0x3a0 fs/proc/proc_sysctl.c:1680
unregister_sysctl_table+0x94/0x130 fs/proc/proc_sysctl.c:1718
unregister_net_sysctl_table+0x20/0x30 net/sysctl_net.c:175
neigh_sysctl_unregister+0x78/0x9c net/core/neighbour.c:3754
addrconf_sysctl_unregister net/ipv6/addrconf.c:7117 [inline]
addrconf_ifdown+0x14ec/0x1814 net/ipv6/addrconf.c:3904
addrconf_notify+0x350/0xc58
notifier_call_chain kernel/notifier.c:83 [inline]
raw_notifier_call_chain+0xd4/0x164 kernel/notifier.c:391
call_netdevice_notifiers_info net/core/dev.c:1998 [inline]
call_netdevice_notifiers_extack net/core/dev.c:2010 [inline]
call_netdevice_notifiers net/core/dev.c:2024 [inline]
unregister_netdevice_many+0xec4/0x189c net/core/dev.c:11065
ip_tunnel_delete_nets+0x2b4/0x308 net/ipv4/ip_tunnel.c:1123
erspan_exit_batch_net+0x30/0x40 net/ipv4/ip_gre.c:1721
ops_exit_list net/core/net_namespace.c:174 [inline]
cleanup_net+0x5e0/0x9bc net/core/net_namespace.c:596
process_one_work+0x84c/0x14b8 kernel/workqueue.c:2306
worker_thread+0x910/0x1034 kernel/workqueue.c:2453
kthread+0x37c/0x45c kernel/kthread.c:319
ret_from_fork+0x10/0x20 <unknown>:870

The buggy address belongs to the object at ffff0000cef69000
which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 536 bytes inside of
1024-byte region [ffff0000cef69000, ffff0000cef69400)
The buggy address belongs to the page:
page:00000000e51fdd25 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10ef68
head:00000000e51fdd25 order:3 compound_mapcount:0 compound_pincount:0
flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000010200 fffffc00035ad400 0000000400000004 ffff0000c0002780
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff0000cef69100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff0000cef69180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff0000cef69200: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff0000cef69280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff0000cef69300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
hfsplus: unicode conversion failed


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot
Mar 19, 2023, 3:39:48 PM
to syzkaller...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 7eaef76fbc46 Linux 6.1.20
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=11a2a131c80000
kernel config: https://syzkaller.appspot.com/x/.config?x=28c36fe4d02f8c88
dashboard link: https://syzkaller.appspot.com/bug?extid=6ec6424561c8244a8407
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/610a00ba4375/disk-7eaef76f.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/57c1310f9a30/vmlinux-7eaef76f.xz
kernel image: https://storage.googleapis.com/syzbot-assets/81999f717d3b/bzImage-7eaef76f.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+6ec642...@syzkaller.appspotmail.com

loop3: detected capacity change from 0 to 1024
==================================================================
BUG: KASAN: slab-out-of-bounds in hfsplus_uni2asc+0x576/0x11f0 fs/hfsplus/unicode.c:179
Read of size 2 at addr ffff88807b77b40c by task syz-executor.3/29285

CPU: 0 PID: 29285 Comm: syz-executor.3 Not tainted 6.1.20-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
print_address_description mm/kasan/report.c:284 [inline]
print_report+0x15f/0x4f0 mm/kasan/report.c:395
kasan_report+0x136/0x160 mm/kasan/report.c:495
hfsplus_uni2asc+0x576/0x11f0 fs/hfsplus/unicode.c:179
hfsplus_readdir+0x922/0x12c0 fs/hfsplus/dir.c:207
iterate_dir+0x224/0x560
__do_sys_getdents64 fs/readdir.c:369 [inline]
__se_sys_getdents64+0x209/0x4f0 fs/readdir.c:354
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f0dcec8c0f9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f0dcfa09168 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 00007f0dcedabf80 RCX: 00007f0dcec8c0f9
RDX: 0000000000000067 RSI: 0000000020000540 RDI: 0000000000000003
RBP: 00007f0dcece7b39 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fffac9c1bcf R14: 00007f0dcfa09300 R15: 0000000000022000
</TASK>

Allocated by task 29285:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4b/0x70 mm/kasan/common.c:52
____kasan_kmalloc mm/kasan/common.c:374 [inline]
__kasan_kmalloc+0x97/0xb0 mm/kasan/common.c:383
kasan_kmalloc include/linux/kasan.h:211 [inline]
__do_kmalloc_node mm/slab_common.c:955 [inline]
__kmalloc+0xaf/0x1a0 mm/slab_common.c:968
kmalloc include/linux/slab.h:558 [inline]
hfsplus_find_init+0x81/0x1c0 fs/hfsplus/bfind.c:21
hfsplus_readdir+0x207/0x12c0 fs/hfsplus/dir.c:144
iterate_dir+0x224/0x560
__do_sys_getdents64 fs/readdir.c:369 [inline]
__se_sys_getdents64+0x209/0x4f0 fs/readdir.c:354
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Last potentially related work creation:
kasan_save_stack+0x3b/0x60 mm/kasan/common.c:45
__kasan_record_aux_stack+0xb0/0xc0 mm/kasan/generic.c:486
call_rcu+0x163/0xa10 kernel/rcu/tree.c:2798
netlink_release+0x1384/0x17f0 net/netlink/af_netlink.c:817
__sock_release net/socket.c:652 [inline]
sock_close+0xcd/0x230 net/socket.c:1370
__fput+0x3b7/0x890 fs/file_table.c:320
task_work_run+0x246/0x300 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop+0xd9/0x100 kernel/entry/common.c:171
exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:203
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x60/0x2d0 kernel/entry/common.c:296
do_syscall_64+0x49/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Second to last potentially related work creation:
kasan_save_stack+0x3b/0x60 mm/kasan/common.c:45
__kasan_record_aux_stack+0xb0/0xc0 mm/kasan/generic.c:486
call_rcu+0x163/0xa10 kernel/rcu/tree.c:2798
netlink_release+0x1384/0x17f0 net/netlink/af_netlink.c:817
__sock_release net/socket.c:652 [inline]
sock_close+0xcd/0x230 net/socket.c:1370
__fput+0x3b7/0x890 fs/file_table.c:320
task_work_run+0x246/0x300 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop+0xd9/0x100 kernel/entry/common.c:171
exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:203
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x60/0x2d0 kernel/entry/common.c:296
do_syscall_64+0x49/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd

The buggy address belongs to the object at ffff88807b77b000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 1036 bytes inside of
2048-byte region [ffff88807b77b000, ffff88807b77b800)

The buggy address belongs to the physical page:
page:ffffea0001edde00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7b778
head:ffffea0001edde00 order:3 compound_mapcount:0 compound_pincount:0
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 ffffea0000745a00 dead000000000002 ffff888012442000
raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 3775, tgid 3775 (kworker/0:10), ts 259649723665, free_ts 259616366060
prep_new_page mm/page_alloc.c:2539 [inline]
get_page_from_freelist+0x3573/0x3700 mm/page_alloc.c:4291
__alloc_pages+0x28d/0x7e0 mm/page_alloc.c:5558
alloc_slab_page+0x6a/0x150 mm/slub.c:1794
allocate_slab mm/slub.c:1939 [inline]
new_slab+0x84/0x2d0 mm/slub.c:1992
___slab_alloc+0xa71/0x1080 mm/slub.c:3180
__slab_alloc mm/slub.c:3279 [inline]
slab_alloc_node mm/slub.c:3364 [inline]
__kmem_cache_alloc_node+0x19f/0x260 mm/slub.c:3437
__do_kmalloc_node mm/slab_common.c:954 [inline]
__kmalloc_node_track_caller+0x9c/0x190 mm/slab_common.c:975
kmalloc_reserve net/core/skbuff.c:437 [inline]
__alloc_skb+0x126/0x620 net/core/skbuff.c:509
alloc_skb include/linux/skbuff.h:1267 [inline]
alloc_skb_with_frags+0xa4/0x740 net/core/skbuff.c:6128
sock_alloc_send_pskb+0x915/0xa50 net/core/sock.c:2721
sock_alloc_send_skb include/net/sock.h:1884 [inline]
mld_newpack+0x1c0/0xa90 net/ipv6/mcast.c:1748
add_grhead net/ipv6/mcast.c:1851 [inline]
add_grec+0x1492/0x19a0 net/ipv6/mcast.c:1989
mld_send_initial_cr+0x20f/0x3a0 net/ipv6/mcast.c:2236
ipv6_mc_dad_complete+0x84/0x390 net/ipv6/mcast.c:2247
addrconf_dad_completed+0x678/0xca0 net/ipv6/addrconf.c:4233
addrconf_dad_work+0xd8e/0x16b0
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1459 [inline]
free_pcp_prepare mm/page_alloc.c:1509 [inline]
free_unref_page_prepare+0xfe1/0x1190 mm/page_alloc.c:3387
free_unref_page+0x98/0x570 mm/page_alloc.c:3483
free_slab mm/slub.c:2031 [inline]
discard_slab mm/slub.c:2037 [inline]
__unfreeze_partials+0x1b7/0x210 mm/slub.c:2586
put_cpu_partial+0x116/0x180 mm/slub.c:2662
qlist_free_all+0x22/0x60 mm/kasan/quarantine.c:187
kasan_quarantine_reduce+0x162/0x180 mm/kasan/quarantine.c:294
__kasan_slab_alloc+0x1f/0x70 mm/kasan/common.c:305
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook+0x50/0x370 mm/slab.h:737
slab_alloc_node mm/slub.c:3398 [inline]
kmem_cache_alloc_node+0x142/0x2a0 mm/slub.c:3443
__alloc_skb+0xde/0x620 net/core/skbuff.c:497
alloc_skb include/linux/skbuff.h:1267 [inline]
alloc_skb_with_frags+0xa4/0x740 net/core/skbuff.c:6128
sock_alloc_send_pskb+0x915/0xa50 net/core/sock.c:2721
sock_alloc_send_skb include/net/sock.h:1884 [inline]
mld_newpack+0x1c0/0xa90 net/ipv6/mcast.c:1748
add_grhead net/ipv6/mcast.c:1851 [inline]
add_grec+0x1492/0x19a0 net/ipv6/mcast.c:1989
mld_send_initial_cr+0x20f/0x3a0 net/ipv6/mcast.c:2236
mld_dad_work+0x40/0x400 net/ipv6/mcast.c:2262

Memory state around the buggy address:
ffff88807b77b300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88807b77b380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88807b77b400: 00 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff88807b77b480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88807b77b500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
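The two reports above carry the same arithmetic: an access at some offset into a kmalloc object whose usable (requested) size is smaller than the slab slot that holds it. The script below is an added example for this thread, not syzbot's or the kernel's code; it decodes that arithmetic from the report text. Its inputs are constructed excerpts of the 5.15.102 (llistxattr) and 6.1.20 (getdents64) reports above, trimmed to the lines the decoder consumes. It assumes the generic-KASAN shadow encoding (one shadow byte per 8-byte granule: 00 fully accessible, 01 to 07 partially accessible, fc the kmalloc redzone) and that granules between the object start and the first printed shadow row, which the report omits, are accessible.

```python
"""Decode the out-of-bounds arithmetic in a generic-KASAN slab report.
Added example; the excerpts below are constructed from the syzbot reports
in this thread, keeping only the lines the decoder consumes."""
import re

GRANULE = 8              # generic KASAN: one shadow byte covers 8 bytes of memory
KMALLOC_REDZONE = 0xFC   # shadow value for the unused tail of a kmalloc object

REPORT_5_15 = """\
Read of size 2 at addr ffff0000cef69218 by task syz-executor.3/27760
The buggy address belongs to the object at ffff0000cef69000
 which belongs to the cache kmalloc-1k of size 1024
Memory state around the buggy address:
 ffff0000cef69100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff0000cef69180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff0000cef69200: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
                   ^
 ffff0000cef69280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
"""

REPORT_6_1 = """\
Read of size 2 at addr ffff88807b77b40c by task syz-executor.3/29285
The buggy address belongs to the object at ffff88807b77b000
 which belongs to the cache kmalloc-2k of size 2048
Memory state around the buggy address:
 ffff88807b77b380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88807b77b400: 00 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
    ^
 ffff88807b77b480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
"""

ROW_RE = re.compile(r"^>?([0-9a-f]{16}): ((?:[0-9a-f]{2} ?)+)$")


def accessible_bytes(shadow_byte):
    """How many of a granule's 8 bytes may be touched, per its shadow value."""
    if shadow_byte == 0:
        return GRANULE
    if 1 <= shadow_byte < GRANULE:
        return shadow_byte           # partial granule: only the first N bytes are valid
    return 0                         # redzone, freed memory or other poison


def parse_report(text):
    """Pull the access, the object and the shadow rows out of the report text."""
    access = re.search(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)", text)
    obj = re.search(r"belongs to the object at ([0-9a-f]+)", text)
    cache = re.search(r"cache (\S+) of size (\d+)", text)
    if not (access and obj and cache):
        raise ValueError("not a slab KASAN report")
    shadow = {}
    for line in text.splitlines():
        row = ROW_RE.match(line.strip())
        if row:
            base = int(row.group(1), 16)
            for i, b in enumerate(row.group(2).split()):
                shadow[base + i * GRANULE] = int(b, 16)
    return {"size": int(access.group(2)), "addr": int(access.group(3), 16),
            "object": int(obj.group(1), 16), "cache": cache.group(1),
            "slot_size": int(cache.group(2)), "shadow": shadow}


def usable_end(obj, shadow):
    """First address past the accessible part of the object.
    Only rows around the bug are printed, so granules between the object
    start and the first printed row are assumed accessible (assumption)."""
    for g in sorted(a for a in shadow if a >= obj):
        n = accessible_bytes(shadow[g])
        if n < GRANULE:
            return g + n
    raise ValueError("no poisoned granule after the object start")


def analyse(text):
    """Relate the faulting access to the requested size and the slab slot."""
    r = parse_report(text)
    end = usable_end(r["object"], r["shadow"])
    poison = next(r["shadow"][g] for g in sorted(r["shadow"])
                  if g >= end and accessible_bytes(r["shadow"][g]) == 0)
    return {
        "cache": r["cache"],
        "slot_size": r["slot_size"],
        "usable_size": end - r["object"],        # what kmalloc was asked for
        "offset": r["addr"] - r["object"],        # where the access starts
        "bytes_past_end": r["addr"] + r["size"] - end,
        "starts_at_end": r["addr"] == end,
        "inside_slot": r["addr"] + r["size"] <= r["object"] + r["slot_size"],
        "redzone": poison == KMALLOC_REDZONE,
    }


if __name__ == "__main__":
    for name, rep in (("5.15.102 llistxattr", REPORT_5_15), ("6.1.20 getdents64", REPORT_6_1)):
        print(name, analyse(rep))
```

For both reports the read starts exactly at the end of the requested allocation (536 bytes on the llistxattr path, 1036 bytes on the getdents64 path) and touches 2 bytes of kmalloc redzone: a single 16-bit unit past the buffer allocated in hfsplus_find_init (the allocation stacks above). Both accesses stay inside the slab slot (1024 and 2048 bytes), so without KASAN the read returns bytes from the slot's unused tail instead of faulting, which is why the bug only surfaces on a KASAN build.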

syzbot
May 6, 2023, 3:17:49 AM
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following issue on:

HEAD commit: 8a7f2a5c5aa1 Linux 5.15.110
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=134bf00a280000
kernel config: https://syzkaller.appspot.com/x/.config?x=7e93d602da27af41
dashboard link: https://syzkaller.appspot.com/bug?extid=7f3880bcabffacd625d8
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17933522280000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=149e3424280000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/16bea75b636d/disk-8a7f2a5c.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/3b169e33dcf2/vmlinux-8a7f2a5c.xz
kernel image: https://storage.googleapis.com/syzbot-assets/190d08a00950/Image-8a7f2a5c.gz.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/b9225a277b11/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+7f3880...@syzkaller.appspotmail.com

loop0: detected capacity change from 0 to 1024
==================================================================
BUG: KASAN: slab-out-of-bounds in hfsplus_uni2asc+0x624/0x1018 fs/hfsplus/unicode.c:179
Read of size 2 at addr ffff0000dbffba18 by task syz-executor619/3961

CPU: 0 PID: 3961 Comm: syz-executor619 Not tainted 5.15.110-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023
Call trace:
dump_backtrace+0x0/0x530 arch/arm64/kernel/stacktrace.c:152
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:216
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
print_address_description+0x7c/0x3f0 mm/kasan/report.c:248
__kasan_report mm/kasan/report.c:434 [inline]
kasan_report+0x174/0x1e4 mm/kasan/report.c:451
__asan_report_load2_noabort+0x44/0x50 mm/kasan/report_generic.c:307
hfsplus_uni2asc+0x624/0x1018 fs/hfsplus/unicode.c:179
hfsplus_listxattr+0x5bc/0xc9c fs/hfsplus/xattr.c:736
vfs_listxattr fs/xattr.c:448 [inline]
listxattr+0x29c/0x3e4 fs/xattr.c:783
path_listxattr fs/xattr.c:807 [inline]
__do_sys_llistxattr fs/xattr.c:825 [inline]
__se_sys_llistxattr fs/xattr.c:822 [inline]
__arm64_sys_llistxattr+0x13c/0x21c fs/xattr.c:822
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:596
el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:614
el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584

Allocated by task 3961:
kasan_save_stack mm/kasan/common.c:38 [inline]
kasan_set_track mm/kasan/common.c:46 [inline]
set_alloc_info mm/kasan/common.c:434 [inline]
____kasan_kmalloc+0xbc/0xfc mm/kasan/common.c:513
__kasan_kmalloc+0x10/0x1c mm/kasan/common.c:522
kasan_kmalloc include/linux/kasan.h:264 [inline]
__kmalloc+0x29c/0x4c8 mm/slub.c:4407
kmalloc include/linux/slab.h:596 [inline]
hfsplus_find_init+0x84/0x1bc fs/hfsplus/bfind.c:21
hfsplus_listxattr+0x31c/0xc9c fs/hfsplus/xattr.c:696
vfs_listxattr fs/xattr.c:448 [inline]
listxattr+0x29c/0x3e4 fs/xattr.c:783
path_listxattr fs/xattr.c:807 [inline]
__do_sys_llistxattr fs/xattr.c:825 [inline]
__se_sys_llistxattr fs/xattr.c:822 [inline]
__arm64_sys_llistxattr+0x13c/0x21c fs/xattr.c:822
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:596
el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:614
el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584

The buggy address belongs to the object at ffff0000dbffb800
which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 536 bytes inside of
1024-byte region [ffff0000dbffb800, ffff0000dbffbc00)
The buggy address belongs to the page:
page:000000007ca059d1 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11bff8
head:000000007ca059d1 order:3 compound_mapcount:0 compound_pincount:0
flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000010200 0000000000000000 dead000000000122 ffff0000c0002780
raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff0000dbffb900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff0000dbffb980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff0000dbffba00: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff0000dbffba80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff0000dbffbb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
hfsplus: unicode conversion failed


---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

syzbot
May 7, 2023, 3:57:56 AM
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following issue on:

HEAD commit: ca48fc16c493 Linux 6.1.27
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=144c8f22280000
kernel config: https://syzkaller.appspot.com/x/.config?x=aea4bb7802570997
dashboard link: https://syzkaller.appspot.com/bug?extid=6ec6424561c8244a8407
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13d43518280000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10db1790280000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/ec11c1903c52/disk-ca48fc16.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/8ce41c1ad391/vmlinux-ca48fc16.xz
kernel image: https://storage.googleapis.com/syzbot-assets/affba5631cad/Image-ca48fc16.gz.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/eead37a74f80/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+6ec642...@syzkaller.appspotmail.com

loop0: detected capacity change from 0 to 1024
==================================================================
BUG: KASAN: slab-out-of-bounds in hfsplus_uni2asc+0x624/0x1018 fs/hfsplus/unicode.c:179
Read of size 2 at addr ffff0000de891a18 by task syz-executor952/4217

CPU: 1 PID: 4217 Comm: syz-executor952 Not tainted 6.1.27-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023
Call trace:
dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:158
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:284 [inline]
print_report+0x174/0x4c0 mm/kasan/report.c:395
kasan_report+0xd4/0x130 mm/kasan/report.c:495
__asan_report_load2_noabort+0x2c/0x38 mm/kasan/report_generic.c:349
hfsplus_uni2asc+0x624/0x1018 fs/hfsplus/unicode.c:179
hfsplus_listxattr+0x5bc/0xc9c fs/hfsplus/xattr.c:736
vfs_listxattr fs/xattr.c:457 [inline]
listxattr+0x29c/0x3cc fs/xattr.c:804
path_listxattr fs/xattr.c:828 [inline]
__do_sys_llistxattr fs/xattr.c:846 [inline]
__se_sys_llistxattr fs/xattr.c:843 [inline]
__arm64_sys_llistxattr+0x13c/0x21c fs/xattr.c:843
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x64/0x218 arch/arm64/kernel/syscall.c:206
el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:581

Allocated by task 4217:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4c/0x80 mm/kasan/common.c:52
kasan_save_alloc_info+0x24/0x30 mm/kasan/generic.c:505
____kasan_kmalloc mm/kasan/common.c:374 [inline]
__kasan_kmalloc+0xac/0xc4 mm/kasan/common.c:383
kasan_kmalloc include/linux/kasan.h:211 [inline]
__do_kmalloc_node mm/slab_common.c:955 [inline]
__kmalloc+0xd8/0x1c4 mm/slab_common.c:968
kmalloc include/linux/slab.h:558 [inline]
hfsplus_find_init+0x84/0x1bc fs/hfsplus/bfind.c:21
hfsplus_listxattr+0x31c/0xc9c fs/hfsplus/xattr.c:696
vfs_listxattr fs/xattr.c:457 [inline]
listxattr+0x29c/0x3cc fs/xattr.c:804
path_listxattr fs/xattr.c:828 [inline]
__do_sys_llistxattr fs/xattr.c:846 [inline]
__se_sys_llistxattr fs/xattr.c:843 [inline]
__arm64_sys_llistxattr+0x13c/0x21c fs/xattr.c:843
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x64/0x218 arch/arm64/kernel/syscall.c:206
el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:581

The buggy address belongs to the object at ffff0000de891800
which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 536 bytes inside of
1024-byte region [ffff0000de891800, ffff0000de891c00)

The buggy address belongs to the physical page:
page:00000000b37f6ffc refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11e890
head:00000000b37f6ffc order:3 compound_mapcount:0 compound_pincount:0
flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000010200 0000000000000000 dead000000000122 ffff0000c0002780
raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff0000de891900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff0000de891980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff0000de891a00: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff0000de891a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff0000de891b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
=========================