[v6.1] KASAN: slab-out-of-bounds Write in shmem_file_read_iter
0 views
Skip to first unread message
syzbot
Feb 1, 2024, 1:28:25 AMFeb 1
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: e5c3b988b827 Linux 6.1.76
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=105d3090180000
kernel config: https://syzkaller.appspot.com/x/.config?x=907f7acef7540378
dashboard link: https://syzkaller.appspot.com/bug?extid=9ecd279148f3382f7bea
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/fd64649e0495/disk-e5c3b988.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/257d7545589e/vmlinux-e5c3b988.xz
kernel image: https://storage.googleapis.com/syzbot-assets/25a59d22a12c/Image-e5c3b988.gz.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+9ecd27...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: slab-out-of-bounds in _copy_to_iter+0x738/0xe58 lib/iov_iter.c:527
Write of size 1024 at addr ffff00011a4cdc00 by task kworker/u4:12/5551
CPU: 1 PID: 5551 Comm: kworker/u4:12 Not tainted 6.1.76-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Workqueue: loop0 loop_workfn
Call trace:
dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:158
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:284 [inline]
print_report+0x174/0x4c0 mm/kasan/report.c:395
kasan_report+0xd4/0x130 mm/kasan/report.c:495
kasan_check_range+0x264/0x2a4 mm/kasan/generic.c:189
memcpy+0x60/0x90 mm/kasan/shadow.c:66
_copy_to_iter+0x738/0xe58 lib/iov_iter.c:527
copy_page_to_iter+0x218/0x344 lib/iov_iter.c:725
shmem_file_read_iter+0x4d0/0xa04 mm/shmem.c:2692
do_iter_read+0x578/0x998 fs/read_write.c:796
vfs_iter_read+0x88/0xac fs/read_write.c:838
lo_read_simple drivers/block/loop.c:288 [inline]
do_req_filebacked drivers/block/loop.c:498 [inline]
loop_handle_cmd drivers/block/loop.c:1909 [inline]
loop_process_work+0xe7c/0x24a4 drivers/block/loop.c:1944
loop_workfn+0x54/0x68 drivers/block/loop.c:1968
process_one_work+0x7ac/0x1404 kernel/workqueue.c:2292
worker_thread+0x8e4/0xfec kernel/workqueue.c:2439
kthread+0x250/0x2d8 kernel/kthread.c:376
ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:864
Allocated by task 5541:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4c/0x80 mm/kasan/common.c:52
kasan_save_alloc_info+0x24/0x30 mm/kasan/generic.c:505
____kasan_kmalloc mm/kasan/common.c:374 [inline]
__kasan_kmalloc+0xac/0xc4 mm/kasan/common.c:383
kasan_kmalloc include/linux/kasan.h:211 [inline]
__do_kmalloc_node mm/slab_common.c:955 [inline]
__kmalloc+0xd8/0x1c4 mm/slab_common.c:968
kmalloc include/linux/slab.h:558 [inline]
hfsplus_read_wrapper+0x46c/0xfcc fs/hfsplus/wrapper.c:181
hfsplus_fill_super+0x2f0/0x166c fs/hfsplus/super.c:413
mount_bdev+0x274/0x370 fs/super.c:1432
hfsplus_mount+0x44/0x58 fs/hfsplus/super.c:641
legacy_get_tree+0xd4/0x16c fs/fs_context.c:632
vfs_get_tree+0x90/0x274 fs/super.c:1562
do_new_mount+0x278/0x8fc fs/namespace.c:3051
path_mount+0x590/0xe5c fs/namespace.c:3381
do_mount fs/namespace.c:3394 [inline]
__do_sys_mount fs/namespace.c:3602 [inline]
__se_sys_mount fs/namespace.c:3579 [inline]
__arm64_sys_mount+0x45c/0x594 fs/namespace.c:3579
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x64/0x218 arch/arm64/kernel/syscall.c:206
el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585
The buggy address belongs to the object at ffff00011a4cdc00
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 0 bytes inside of
512-byte region [ffff00011a4cdc00, ffff00011a4cde00)
The buggy address belongs to the physical page:
page:00000000897c3258 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x15a4cc
head:00000000897c3258 order:2 compound_mapcount:0 compound_pincount:0
flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000010200 dead000000000100 dead000000000122 ffff0000c0002600
raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff00011a4cdd00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff00011a4cdd80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff00011a4cde00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff00011a4cde80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff00011a4cdf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: e5c3b988b827 Linux 6.1.76
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=105d3090180000
kernel config: https://syzkaller.appspot.com/x/.config?x=907f7acef7540378
dashboard link: https://syzkaller.appspot.com/bug?extid=9ecd279148f3382f7bea
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/fd64649e0495/disk-e5c3b988.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/257d7545589e/vmlinux-e5c3b988.xz
kernel image: https://storage.googleapis.com/syzbot-assets/25a59d22a12c/Image-e5c3b988.gz.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+9ecd27...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: slab-out-of-bounds in _copy_to_iter+0x738/0xe58 lib/iov_iter.c:527
Write of size 1024 at addr ffff00011a4cdc00 by task kworker/u4:12/5551
CPU: 1 PID: 5551 Comm: kworker/u4:12 Not tainted 6.1.76-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Workqueue: loop0 loop_workfn
Call trace:
dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:158
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:284 [inline]
print_report+0x174/0x4c0 mm/kasan/report.c:395
kasan_report+0xd4/0x130 mm/kasan/report.c:495
kasan_check_range+0x264/0x2a4 mm/kasan/generic.c:189
memcpy+0x60/0x90 mm/kasan/shadow.c:66
_copy_to_iter+0x738/0xe58 lib/iov_iter.c:527
copy_page_to_iter+0x218/0x344 lib/iov_iter.c:725
shmem_file_read_iter+0x4d0/0xa04 mm/shmem.c:2692
do_iter_read+0x578/0x998 fs/read_write.c:796
vfs_iter_read+0x88/0xac fs/read_write.c:838
lo_read_simple drivers/block/loop.c:288 [inline]
do_req_filebacked drivers/block/loop.c:498 [inline]
loop_handle_cmd drivers/block/loop.c:1909 [inline]
loop_process_work+0xe7c/0x24a4 drivers/block/loop.c:1944
loop_workfn+0x54/0x68 drivers/block/loop.c:1968
process_one_work+0x7ac/0x1404 kernel/workqueue.c:2292
worker_thread+0x8e4/0xfec kernel/workqueue.c:2439
kthread+0x250/0x2d8 kernel/kthread.c:376
ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:864
Allocated by task 5541:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4c/0x80 mm/kasan/common.c:52
kasan_save_alloc_info+0x24/0x30 mm/kasan/generic.c:505
____kasan_kmalloc mm/kasan/common.c:374 [inline]
__kasan_kmalloc+0xac/0xc4 mm/kasan/common.c:383
kasan_kmalloc include/linux/kasan.h:211 [inline]
__do_kmalloc_node mm/slab_common.c:955 [inline]
__kmalloc+0xd8/0x1c4 mm/slab_common.c:968
kmalloc include/linux/slab.h:558 [inline]
hfsplus_read_wrapper+0x46c/0xfcc fs/hfsplus/wrapper.c:181
hfsplus_fill_super+0x2f0/0x166c fs/hfsplus/super.c:413
mount_bdev+0x274/0x370 fs/super.c:1432
hfsplus_mount+0x44/0x58 fs/hfsplus/super.c:641
legacy_get_tree+0xd4/0x16c fs/fs_context.c:632
vfs_get_tree+0x90/0x274 fs/super.c:1562
do_new_mount+0x278/0x8fc fs/namespace.c:3051
path_mount+0x590/0xe5c fs/namespace.c:3381
do_mount fs/namespace.c:3394 [inline]
__do_sys_mount fs/namespace.c:3602 [inline]
__se_sys_mount fs/namespace.c:3579 [inline]
__arm64_sys_mount+0x45c/0x594 fs/namespace.c:3579
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x64/0x218 arch/arm64/kernel/syscall.c:206
el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585
The buggy address belongs to the object at ffff00011a4cdc00
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 0 bytes inside of
512-byte region [ffff00011a4cdc00, ffff00011a4cde00)
The buggy address belongs to the physical page:
page:00000000897c3258 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x15a4cc
head:00000000897c3258 order:2 compound_mapcount:0 compound_pincount:0
flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000010200 dead000000000100 dead000000000122 ffff0000c0002600
raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff00011a4cdd00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff00011a4cdd80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff00011a4cde00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff00011a4cde80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff00011a4cdf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot
Feb 2, 2024, 9:56:23 AMFeb 2
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 6139f2a02fe0 Linux 5.15.148
syzbot found the following issue on:
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1028071fe80000
kernel config: https://syzkaller.appspot.com/x/.config?x=c3cfb017ec09dfb8
dashboard link: https://syzkaller.appspot.com/bug?extid=ddf6dde5891b1a39037b
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11513328180000
userspace arch: arm64
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=118ac988180000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/863dea226ad0/disk-6139f2a0.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/db1a0715548e/vmlinux-6139f2a0.xz
kernel image: https://storage.googleapis.com/syzbot-assets/edd9bd0f16ff/Image-6139f2a0.gz.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/01146f529d44/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
==================================================================
BUG: KASAN: slab-out-of-bounds in _copy_to_iter+0x5f4/0xd04 lib/iov_iter.c:669
Write of size 2048 at addr ffff0000c7f88800 by task kworker/u4:2/148
CPU: 0 PID: 148 Comm: kworker/u4:2 Not tainted 5.15.148-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Workqueue: loop4 loop_rootcg_workfn
Call trace:
dump_backtrace+0x0/0x530 arch/arm64/kernel/stacktrace.c:152
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:216
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
print_address_description+0x7c/0x3f0 mm/kasan/report.c:248
dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
__kasan_report mm/kasan/report.c:434 [inline]
kasan_report+0x174/0x1e4 mm/kasan/report.c:451
kasan_check_range+0x274/0x2b4 mm/kasan/generic.c:189
memcpy+0xb4/0xe8 mm/kasan/shadow.c:66
_copy_to_iter+0x5f4/0xd04 lib/iov_iter.c:669
__copy_page_to_iter lib/iov_iter.c:864 [inline]
copy_page_to_iter+0x850/0xf84 lib/iov_iter.c:889
shmem_file_read_iter+0x52c/0x7b8 mm/shmem.c:2623
do_iter_readv_writev+0x420/0x5f8
do_iter_read+0x1c4/0x67c fs/read_write.c:790
vfs_iter_read+0x88/0xac fs/read_write.c:832
lo_read_simple drivers/block/loop.c:392 [inline]
do_req_filebacked drivers/block/loop.c:663 [inline]
loop_handle_cmd drivers/block/loop.c:2234 [inline]
loop_process_work+0x19f0/0x2798 drivers/block/loop.c:2274
loop_rootcg_workfn+0x28/0x38 drivers/block/loop.c:2305
process_one_work+0x790/0x11b8 kernel/workqueue.c:2310
worker_thread+0x910/0x1034 kernel/workqueue.c:2457
kthread+0x37c/0x45c kernel/kthread.c:319
ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:870
Allocated by task 4058:
kasan_save_stack mm/kasan/common.c:38 [inline]
kasan_set_track mm/kasan/common.c:46 [inline]
set_alloc_info mm/kasan/common.c:434 [inline]
____kasan_kmalloc+0xbc/0xfc mm/kasan/common.c:513
__kasan_kmalloc+0x10/0x1c mm/kasan/common.c:522
kasan_kmalloc include/linux/kasan.h:264 [inline]
__kmalloc+0x29c/0x4c8 mm/slub.c:4407
kmalloc include/linux/slab.h:596 [inline]
hfsplus_read_wrapper+0x494/0xfc8 fs/hfsplus/wrapper.c:183
hfsplus_fill_super+0x2f0/0x167c fs/hfsplus/super.c:413
mount_bdev+0x274/0x370 fs/super.c:1387
hfsplus_mount+0x44/0x58 fs/hfsplus/super.c:641
legacy_get_tree+0xd4/0x16c fs/fs_context.c:611
vfs_get_tree+0x90/0x274 fs/super.c:1517
do_new_mount+0x278/0x8fc fs/namespace.c:3005
path_mount+0x594/0x101c fs/namespace.c:3335
do_mount fs/namespace.c:3348 [inline]
__do_sys_mount fs/namespace.c:3556 [inline]
__se_sys_mount fs/namespace.c:3533 [inline]
__arm64_sys_mount+0x510/0x5e0 fs/namespace.c:3533
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:608
el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:626
el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584
The buggy address belongs to the object at ffff0000c7f88800
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 0 bytes inside of
512-byte region [ffff0000c7f88800, ffff0000c7f88a00)
The buggy address is located 0 bytes inside of
The buggy address belongs to the page:
page:000000001b9d517e refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff0000c7f8ac00 pfn:0x107f88
head:000000001b9d517e order:2 compound_mapcount:0 compound_pincount:0
flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000010200 fffffc000336a600 0000000300000003 ffff0000c0002600
raw: ffff0000c7f8a800 0000000080100004 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff0000c7f88900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Memory state around the buggy address:
ffff0000c7f88980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff0000c7f88a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff0000c7f88a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff0000c7f88b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
hfsplus: b-tree write err: -5, ino 4
hfsplus: b-tree write err: -5, ino 4
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
syzbot
Apr 1, 2024, 6:07:24 PMApr 1
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following issue on:
HEAD commit: e5cd595e23c1 Linux 6.1.83
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=13f24ffd180000
kernel config: https://syzkaller.appspot.com/x/.config?x=638c7154137d2582
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1439c3b1180000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/a9b3de36bd43/disk-e5cd595e.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/2af9bc6e6ea4/vmlinux-e5cd595e.xz
kernel image: https://storage.googleapis.com/syzbot-assets/7f58381bafc0/Image-e5cd595e.gz.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/a2426cc801b0/mount_2.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+9ecd27...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: slab-out-of-bounds in _copy_to_iter+0x738/0xe58 lib/iov_iter.c:527
Write of size 2048 at addr ffff0000c3080800 by task kworker/u4:1/11
CPU: 0 PID: 11 Comm: kworker/u4:1 Not tainted 6.1.83-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Workqueue: loop0 loop_rootcg_workfn
The buggy address belongs to the physical page:
page:00000000bcf74046 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103080
head:00000000bcf74046 order:2 compound_mapcount:0 compound_pincount:0
ffff0000c3080980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff0000c3080a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff0000c3080a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff0000c3080b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
---
HEAD commit: e5cd595e23c1 Linux 6.1.83
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=13f24ffd180000
kernel config: https://syzkaller.appspot.com/x/.config?x=638c7154137d2582
dashboard link: https://syzkaller.appspot.com/bug?extid=9ecd279148f3382f7bea
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=161fa795180000
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1439c3b1180000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/a9b3de36bd43/disk-e5cd595e.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/2af9bc6e6ea4/vmlinux-e5cd595e.xz
kernel image: https://storage.googleapis.com/syzbot-assets/7f58381bafc0/Image-e5cd595e.gz.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/a2426cc801b0/mount_2.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+9ecd27...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: slab-out-of-bounds in _copy_to_iter+0x738/0xe58 lib/iov_iter.c:527
CPU: 0 PID: 11 Comm: kworker/u4:1 Not tainted 6.1.83-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Workqueue: loop0 loop_rootcg_workfn
Call trace:
dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:158
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:284 [inline]
print_report+0x174/0x4c0 mm/kasan/report.c:395
kasan_report+0xd4/0x130 mm/kasan/report.c:495
kasan_check_range+0x264/0x2a4 mm/kasan/generic.c:189
memcpy+0x60/0x90 mm/kasan/shadow.c:66
_copy_to_iter+0x738/0xe58 lib/iov_iter.c:527
copy_page_to_iter+0x218/0x344 lib/iov_iter.c:725
shmem_file_read_iter+0x4d0/0xa04 mm/shmem.c:2692
do_iter_read+0x578/0x998 fs/read_write.c:796
vfs_iter_read+0x88/0xac fs/read_write.c:838
lo_read_simple drivers/block/loop.c:288 [inline]
do_req_filebacked drivers/block/loop.c:498 [inline]
loop_handle_cmd drivers/block/loop.c:1909 [inline]
loop_process_work+0xe7c/0x24a4 drivers/block/loop.c:1944
loop_rootcg_workfn+0x28/0x38 drivers/block/loop.c:1975
dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:158
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:284 [inline]
print_report+0x174/0x4c0 mm/kasan/report.c:395
kasan_report+0xd4/0x130 mm/kasan/report.c:495
kasan_check_range+0x264/0x2a4 mm/kasan/generic.c:189
memcpy+0x60/0x90 mm/kasan/shadow.c:66
_copy_to_iter+0x738/0xe58 lib/iov_iter.c:527
copy_page_to_iter+0x218/0x344 lib/iov_iter.c:725
shmem_file_read_iter+0x4d0/0xa04 mm/shmem.c:2692
do_iter_read+0x578/0x998 fs/read_write.c:796
vfs_iter_read+0x88/0xac fs/read_write.c:838
lo_read_simple drivers/block/loop.c:288 [inline]
do_req_filebacked drivers/block/loop.c:498 [inline]
loop_handle_cmd drivers/block/loop.c:1909 [inline]
loop_process_work+0xe7c/0x24a4 drivers/block/loop.c:1944
process_one_work+0x7ac/0x1404 kernel/workqueue.c:2292
worker_thread+0x8e4/0xfec kernel/workqueue.c:2439
kthread+0x250/0x2d8 kernel/kthread.c:376
ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:864
Allocated by task 4228:
worker_thread+0x8e4/0xfec kernel/workqueue.c:2439
kthread+0x250/0x2d8 kernel/kthread.c:376
ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:864
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4c/0x80 mm/kasan/common.c:52
kasan_save_alloc_info+0x24/0x30 mm/kasan/generic.c:505
____kasan_kmalloc mm/kasan/common.c:374 [inline]
__kasan_kmalloc+0xac/0xc4 mm/kasan/common.c:383
kasan_kmalloc include/linux/kasan.h:211 [inline]
__do_kmalloc_node mm/slab_common.c:955 [inline]
__kmalloc+0xd8/0x1c4 mm/slab_common.c:968
kmalloc include/linux/slab.h:561 [inline]
kasan_set_track+0x4c/0x80 mm/kasan/common.c:52
kasan_save_alloc_info+0x24/0x30 mm/kasan/generic.c:505
____kasan_kmalloc mm/kasan/common.c:374 [inline]
__kasan_kmalloc+0xac/0xc4 mm/kasan/common.c:383
kasan_kmalloc include/linux/kasan.h:211 [inline]
__do_kmalloc_node mm/slab_common.c:955 [inline]
__kmalloc+0xd8/0x1c4 mm/slab_common.c:968
hfsplus_read_wrapper+0x46c/0xfcc fs/hfsplus/wrapper.c:181
hfsplus_fill_super+0x2f0/0x166c fs/hfsplus/super.c:413
mount_bdev+0x274/0x370 fs/super.c:1432
hfsplus_mount+0x44/0x58 fs/hfsplus/super.c:641
legacy_get_tree+0xd4/0x16c fs/fs_context.c:632
vfs_get_tree+0x90/0x274 fs/super.c:1562
do_new_mount+0x278/0x8fc fs/namespace.c:3051
path_mount+0x590/0xe5c fs/namespace.c:3381
do_mount fs/namespace.c:3394 [inline]
__do_sys_mount fs/namespace.c:3602 [inline]
__se_sys_mount fs/namespace.c:3579 [inline]
__arm64_sys_mount+0x45c/0x594 fs/namespace.c:3579
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x64/0x218 arch/arm64/kernel/syscall.c:206
el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585
The buggy address belongs to the object at ffff0000c3080800
hfsplus_fill_super+0x2f0/0x166c fs/hfsplus/super.c:413
mount_bdev+0x274/0x370 fs/super.c:1432
hfsplus_mount+0x44/0x58 fs/hfsplus/super.c:641
legacy_get_tree+0xd4/0x16c fs/fs_context.c:632
vfs_get_tree+0x90/0x274 fs/super.c:1562
do_new_mount+0x278/0x8fc fs/namespace.c:3051
path_mount+0x590/0xe5c fs/namespace.c:3381
do_mount fs/namespace.c:3394 [inline]
__do_sys_mount fs/namespace.c:3602 [inline]
__se_sys_mount fs/namespace.c:3579 [inline]
__arm64_sys_mount+0x45c/0x594 fs/namespace.c:3579
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x64/0x218 arch/arm64/kernel/syscall.c:206
el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 0 bytes inside of
512-byte region [ffff0000c3080800, ffff0000c3080a00)
The buggy address is located 0 bytes inside of
The buggy address belongs to the physical page:
head:00000000bcf74046 order:2 compound_mapcount:0 compound_pincount:0
flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000010200 dead000000000100 dead000000000122 ffff0000c0002600
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
raw: 05ffc00000010200 dead000000000100 dead000000000122 ffff0000c0002600
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff0000c3080900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Memory state around the buggy address:
ffff0000c3080980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff0000c3080a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff0000c3080a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff0000c3080b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
---
Reply all
Reply to author
Forward
0 new messages