[v5.15] KASAN: use-after-free Read in sysv_new_inode


syzbot

Apr 14, 2024, 9:45:25 AM
to syzkaller...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: fa3df276cd36 Linux 5.15.155
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=16efac7d180000
kernel config: https://syzkaller.appspot.com/x/.config?x=fa45dfd65a261480
dashboard link: https://syzkaller.appspot.com/bug?extid=3d6b2fd70949d09bcec7
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/0dc19fc63531/disk-fa3df276.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/fae4c89e243a/vmlinux-fa3df276.xz
kernel image: https://storage.googleapis.com/syzbot-assets/a5c832fcb939/Image-fa3df276.gz.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+3d6b2f...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: use-after-free in sysv_new_inode+0xd74/0xeec fs/sysv/ialloc.c:153
Read of size 2 at addr ffff0000ec7bb1ce by task syz-executor.3/4322

CPU: 1 PID: 4322 Comm: syz-executor.3 Not tainted 5.15.155-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call trace:
dump_backtrace+0x0/0x530 arch/arm64/kernel/stacktrace.c:152
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:216
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
print_address_description+0x7c/0x3f0 mm/kasan/report.c:248
__kasan_report mm/kasan/report.c:434 [inline]
kasan_report+0x174/0x1e4 mm/kasan/report.c:451
__asan_report_load2_noabort+0x44/0x50 mm/kasan/report_generic.c:307
sysv_new_inode+0xd74/0xeec fs/sysv/ialloc.c:153
sysv_mknod+0x5c/0x100 fs/sysv/namei.c:53
sysv_create+0x38/0x4c fs/sysv/namei.c:67
lookup_open fs/namei.c:3462 [inline]
open_last_lookups fs/namei.c:3532 [inline]
path_openat+0xf18/0x26cc fs/namei.c:3739
do_filp_open+0x1a8/0x3b4 fs/namei.c:3769
do_sys_openat2+0x128/0x3d8 fs/open.c:1253
do_sys_open fs/open.c:1269 [inline]
__do_sys_openat fs/open.c:1285 [inline]
__se_sys_openat fs/open.c:1280 [inline]
__arm64_sys_openat+0x1f0/0x240 fs/open.c:1280
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:608
el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:626
el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584

The buggy address belongs to the page:
page:00000000fe51f729 refcount:0 mapcount:0 mapping:0000000000000000 index:0x100 pfn:0x12c7bb
flags: 0x5ffe00000000000(node=0|zone=2|lastcpupid=0xfff)
raw: 05ffe00000000000 dead000000000100 dead000000000122 0000000000000000
raw: 0000000000000100 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff0000ec7bb080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff0000ec7bb100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff0000ec7bb180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff0000ec7bb200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff0000ec7bb280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
attempt to access beyond end of device
loop3: rw=0, want=6491538, limit=128
Buffer I/O error on dev loop3, logical block 3245768, async page read
attempt to access beyond end of device
loop3: rw=0, want=17666808, limit=128
Buffer I/O error on dev loop3, logical block 8833403, async page read
attempt to access beyond end of device
loop3: rw=0, want=26539620, limit=128
Buffer I/O error on dev loop3, logical block 13269809, async page read
attempt to access beyond end of device
loop3: rw=0, want=16147214, limit=128
Buffer I/O error on dev loop3, logical block 8073606, async page read
sysv_free_block: flc_count > flc_size
sysv_free_block: flc_count > flc_size
sysv_free_block: flc_count > flc_size
sysv_free_block: flc_count > flc_size
sysv_free_block: flc_count > flc_size
sysv_free_block: flc_count > flc_size
sysv_free_block: flc_count > flc_size
sysv_free_block: flc_count > flc_size
sysv_free_block: flc_count > flc_size
sysv_free_block: flc_count > flc_size
sysv_free_inode: inode 0,1,2 or nonexistent inode


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

syzbot

Apr 22, 2024, 1:59:30 PM
to syzkaller...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 6741e066ec76 Linux 6.1.87
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=14307f67180000
kernel config: https://syzkaller.appspot.com/x/.config?x=3fc2f61bd0ae457
dashboard link: https://syzkaller.appspot.com/bug?extid=bdff56916773908c2fcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/b606a22ddf4b/disk-6741e066.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/e31c21737449/vmlinux-6741e066.xz
kernel image: https://storage.googleapis.com/syzbot-assets/ee0cb8c049e9/bzImage-6741e066.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+bdff56...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: use-after-free in sysv_new_inode+0x107e/0x1210 fs/sysv/ialloc.c:153
Read of size 2 at addr ffff888056c091ce by task syz-executor.4/4171

CPU: 0 PID: 4171 Comm: syz-executor.4 Not tainted 6.1.87-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
print_address_description mm/kasan/report.c:284 [inline]
print_report+0x15f/0x4f0 mm/kasan/report.c:395
kasan_report+0x136/0x160 mm/kasan/report.c:495
sysv_new_inode+0x107e/0x1210 fs/sysv/ialloc.c:153
sysv_mknod+0x4a/0xe0 fs/sysv/namei.c:53
lookup_open fs/namei.c:3484 [inline]
open_last_lookups fs/namei.c:3552 [inline]
path_openat+0x12f1/0x2e60 fs/namei.c:3782
do_filp_open+0x230/0x480 fs/namei.c:3812
do_sys_openat2+0x13b/0x500 fs/open.c:1318
do_sys_open fs/open.c:1334 [inline]
__do_sys_creat fs/open.c:1410 [inline]
__se_sys_creat fs/open.c:1404 [inline]
__x64_sys_creat+0x11f/0x160 fs/open.c:1404
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7f70d0e7dea9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f70d1ba10c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000055
RAX: ffffffffffffffda RBX: 00007f70d0fabf80 RCX: 00007f70d0e7dea9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000200001c0
RBP: 00007f70d0eca4a4 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f70d0fabf80 R15: 00007ffeeb07db18
</TASK>

Allocated by task 3563:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4b/0x70 mm/kasan/common.c:52
____kasan_kmalloc mm/kasan/common.c:374 [inline]
__kasan_kmalloc+0x97/0xb0 mm/kasan/common.c:383
kasan_kmalloc include/linux/kasan.h:211 [inline]
__do_kmalloc_node mm/slab_common.c:955 [inline]
__kmalloc+0xb2/0x230 mm/slab_common.c:968
kmalloc include/linux/slab.h:561 [inline]
kzalloc include/linux/slab.h:692 [inline]
fib6_info_alloc+0x2c/0xd0 net/ipv6/ip6_fib.c:156
ip6_route_info_create+0x446/0x12c0 net/ipv6/route.c:3750
ip6_route_add+0x22/0x120 net/ipv6/route.c:3844
addrconf_add_mroute net/ipv6/addrconf.c:2506 [inline]
addrconf_add_dev+0x350/0x500 net/ipv6/addrconf.c:2524
addrconf_dev_config net/ipv6/addrconf.c:3408 [inline]
addrconf_init_auto_addrs+0x88e/0xe60 net/ipv6/addrconf.c:3495
addrconf_notify+0xade/0xf60 net/ipv6/addrconf.c:3668
notifier_call_chain kernel/notifier.c:87 [inline]
raw_notifier_call_chain+0xd0/0x170 kernel/notifier.c:455
__dev_notify_flags+0x304/0x610
dev_change_flags+0xe7/0x190 net/core/dev.c:8661
do_setlink+0xcf4/0x3e30 net/core/rtnetlink.c:2801
__rtnl_newlink net/core/rtnetlink.c:3576 [inline]
rtnl_newlink+0x172c/0x2050 net/core/rtnetlink.c:3623
rtnetlink_rcv_msg+0x818/0xff0 net/core/rtnetlink.c:6121
netlink_rcv_skb+0x1cd/0x410 net/netlink/af_netlink.c:2508
netlink_unicast_kernel net/netlink/af_netlink.c:1326 [inline]
netlink_unicast+0x7d8/0x970 net/netlink/af_netlink.c:1352
netlink_sendmsg+0xa26/0xd60 net/netlink/af_netlink.c:1874
sock_sendmsg_nosec net/socket.c:718 [inline]
__sock_sendmsg net/socket.c:730 [inline]
__sys_sendto+0x480/0x600 net/socket.c:2148
__do_sys_sendto net/socket.c:2160 [inline]
__se_sys_sendto net/socket.c:2156 [inline]
__x64_sys_sendto+0xda/0xf0 net/socket.c:2156
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2

Freed by task 21:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4b/0x70 mm/kasan/common.c:52
kasan_save_free_info+0x27/0x40 mm/kasan/generic.c:516
____kasan_slab_free+0xd6/0x120 mm/kasan/common.c:236
kasan_slab_free include/linux/kasan.h:177 [inline]
slab_free_hook mm/slub.c:1724 [inline]
slab_free_freelist_hook mm/slub.c:1750 [inline]
slab_free mm/slub.c:3661 [inline]
__kmem_cache_free+0x25c/0x3c0 mm/slub.c:3674
rcu_do_batch kernel/rcu/tree.c:2296 [inline]
rcu_core+0xad5/0x1810 kernel/rcu/tree.c:2556
__do_softirq+0x2e9/0xa4c kernel/softirq.c:571

Last potentially related work creation:
kasan_save_stack+0x3b/0x60 mm/kasan/common.c:45
__kasan_record_aux_stack+0xb0/0xc0 mm/kasan/generic.c:486
call_rcu+0x163/0xa10 kernel/rcu/tree.c:2844
fib6_info_release include/net/ip6_fib.h:340 [inline]
fib6_del_route net/ipv6/ip6_fib.c:1995 [inline]
fib6_del+0x10e8/0x1570 net/ipv6/ip6_fib.c:2028
fib6_clean_node+0x2ed/0x5d0 net/ipv6/ip6_fib.c:2190
fib6_walk_continue+0x636/0x8c0 net/ipv6/ip6_fib.c:2112
fib6_walk+0x168/0x2b0 net/ipv6/ip6_fib.c:2160
fib6_clean_tree net/ipv6/ip6_fib.c:2240 [inline]
__fib6_clean_all+0x31b/0x4b0 net/ipv6/ip6_fib.c:2256
rt6_sync_down_dev net/ipv6/route.c:4895 [inline]
rt6_disable_ip+0x14c/0x890 net/ipv6/route.c:4900
addrconf_ifdown+0x154/0x1b90 net/ipv6/addrconf.c:3781
addrconf_notify+0x3ec/0xf60
notifier_call_chain kernel/notifier.c:87 [inline]
raw_notifier_call_chain+0xd0/0x170 kernel/notifier.c:455
call_netdevice_notifiers_info net/core/dev.c:1970 [inline]
call_netdevice_notifiers_extack net/core/dev.c:2008 [inline]
call_netdevice_notifiers net/core/dev.c:2022 [inline]
dev_close_many+0x37c/0x530 net/core/dev.c:1570
unregister_netdevice_many+0x4f7/0x17a0 net/core/dev.c:10855
default_device_exit_batch+0x956/0x9d0 net/core/dev.c:11394
ops_exit_list net/core/net_namespace.c:174 [inline]
cleanup_net+0x763/0xb60 net/core/net_namespace.c:601
process_one_work+0x8a9/0x11d0 kernel/workqueue.c:2292
worker_thread+0xa47/0x1200 kernel/workqueue.c:2439
kthread+0x28d/0x320 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308

The buggy address belongs to the object at ffff888056c09000
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 462 bytes inside of
512-byte region [ffff888056c09000, ffff888056c09200)

The buggy address belongs to the physical page:
page:ffffea00015b0200 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x56c08
head:ffffea00015b0200 order:2 compound_mapcount:0 compound_pincount:0
flags: 0xfff80000010200(slab|head|node=0|zone=1|lastcpupid=0xfff)
raw: 00fff80000010200 ffffea00016e5700 dead000000000002 ffff888012441c80
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0x152a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL), pid 3563, tgid 3563 (syz-executor.0), ts 76638147318, free_ts 17186578833
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x18d/0x1b0 mm/page_alloc.c:2513
prep_new_page mm/page_alloc.c:2520 [inline]
get_page_from_freelist+0x31a1/0x3320 mm/page_alloc.c:4279
__alloc_pages+0x28d/0x770 mm/page_alloc.c:5547
__alloc_pages_node include/linux/gfp.h:237 [inline]
alloc_slab_page+0x59/0x150 mm/slub.c:1796
allocate_slab mm/slub.c:1939 [inline]
new_slab+0x84/0x2d0 mm/slub.c:1992
___slab_alloc+0xc20/0x1270 mm/slub.c:3180
__slab_alloc mm/slub.c:3279 [inline]
slab_alloc_node mm/slub.c:3364 [inline]
__kmem_cache_alloc_node+0x19f/0x260 mm/slub.c:3437
__do_kmalloc_node mm/slab_common.c:954 [inline]
__kmalloc_node+0xa2/0x230 mm/slab_common.c:962
kmalloc_array_node include/linux/slab.h:669 [inline]
kcalloc_node include/linux/slab.h:674 [inline]
memcg_alloc_slab_cgroups+0x7d/0x120 mm/memcontrol.c:2886
account_slab mm/slab.h:635 [inline]
allocate_slab mm/slub.c:1957 [inline]
new_slab+0xc0/0x2d0 mm/slub.c:1992
___slab_alloc+0xc20/0x1270 mm/slub.c:3180
__slab_alloc mm/slub.c:3279 [inline]
slab_alloc_node mm/slub.c:3364 [inline]
slab_alloc mm/slub.c:3406 [inline]
__kmem_cache_alloc_lru mm/slub.c:3413 [inline]
kmem_cache_alloc+0x1a5/0x2d0 mm/slub.c:3422
__sigqueue_alloc+0x42e/0x540 kernel/signal.c:435
__send_signal_locked+0x22f/0xdc0 kernel/signal.c:1128
do_send_sig_info kernel/signal.c:1300 [inline]
group_send_sig_info+0x28a/0x300 kernel/signal.c:1448
bpf_send_signal_common+0x2d8/0x420 kernel/trace/bpf_trace.c:882
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1440 [inline]
free_pcp_prepare mm/page_alloc.c:1490 [inline]
free_unref_page_prepare+0xf63/0x1120 mm/page_alloc.c:3358
free_unref_page+0x33/0x3e0 mm/page_alloc.c:3453
free_contig_range+0x9a/0x150 mm/page_alloc.c:9507
destroy_args+0xfe/0x997 mm/debug_vm_pgtable.c:1031
debug_vm_pgtable+0x416/0x46b mm/debug_vm_pgtable.c:1354
do_one_initcall+0x265/0x8f0 init/main.c:1297
do_initcall_level+0x157/0x207 init/main.c:1370
do_initcalls+0x49/0x86 init/main.c:1386
kernel_init_freeable+0x45c/0x60f init/main.c:1625
kernel_init+0x19/0x290 init/main.c:1513
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308

Memory state around the buggy address:
ffff888056c09080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888056c09100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888056c09180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888056c09200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888056c09280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================

syzbot

Apr 27, 2024, 9:55:23 PM
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following issue on:

HEAD commit: f2295faba5e8 Linux 6.1.88
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1019d908980000
kernel config: https://syzkaller.appspot.com/x/.config?x=508163b9ab79dc25
dashboard link: https://syzkaller.appspot.com/bug?extid=bdff56916773908c2fcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12ba97bb180000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17c0da0f180000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/db6c44dd5d81/disk-f2295fab.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/96a1c7aa1507/vmlinux-f2295fab.xz
kernel image: https://storage.googleapis.com/syzbot-assets/84353702f58a/Image-f2295fab.gz.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/8e1040e64a55/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+bdff56...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: slab-out-of-bounds in sysv_new_inode+0xd8c/0xf04 fs/sysv/ialloc.c:153
Read of size 2 at addr ffff0000e70ee1ce by task syz-executor772/4336

CPU: 0 PID: 4336 Comm: syz-executor772 Not tainted 6.1.88-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call trace:
dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:158
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:284 [inline]
print_report+0x174/0x4c0 mm/kasan/report.c:395
kasan_report+0xd4/0x130 mm/kasan/report.c:495
__asan_report_load2_noabort+0x2c/0x38 mm/kasan/report_generic.c:349
sysv_new_inode+0xd8c/0xf04 fs/sysv/ialloc.c:153
sysv_mknod+0x5c/0x100 fs/sysv/namei.c:53
sysv_create+0x38/0x4c fs/sysv/namei.c:67
lookup_open fs/namei.c:3484 [inline]
open_last_lookups fs/namei.c:3552 [inline]
path_openat+0xeac/0x2548 fs/namei.c:3782
do_filp_open+0x1bc/0x3cc fs/namei.c:3812
do_sys_openat2+0x128/0x3d8 fs/open.c:1318
do_sys_open fs/open.c:1334 [inline]
__do_sys_openat fs/open.c:1350 [inline]
__se_sys_openat fs/open.c:1345 [inline]
__arm64_sys_openat+0x1f0/0x240 fs/open.c:1345
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x64/0x218 arch/arm64/kernel/syscall.c:206
el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585

Allocated by task 4335:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4c/0x80 mm/kasan/common.c:52
kasan_save_alloc_info+0x24/0x30 mm/kasan/generic.c:505
__kasan_slab_alloc+0x74/0x8c mm/kasan/common.c:328
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook+0x74/0x458 mm/slab.h:737
slab_alloc_node mm/slub.c:3398 [inline]
slab_alloc mm/slub.c:3406 [inline]
__kmem_cache_alloc_lru mm/slub.c:3413 [inline]
kmem_cache_alloc+0x230/0x37c mm/slub.c:3422
kmem_cache_zalloc include/linux/slab.h:682 [inline]
alloc_buffer_head+0x2c/0x150 fs/buffer.c:2899
alloc_page_buffers+0x398/0x980 fs/buffer.c:829
create_empty_buffers+0x4c/0x5c4 fs/buffer.c:1543
create_page_buffers+0x180/0x2cc fs/buffer.c:1660
block_read_full_folio+0x13c/0x98c fs/buffer.c:2251
sysv_read_folio+0x28/0x38 fs/sysv/itree.c:463
filemap_read_folio+0x14c/0x39c mm/filemap.c:2461
do_read_cache_folio+0x24c/0x544 mm/filemap.c:3598
do_read_cache_page mm/filemap.c:3640 [inline]
read_cache_page+0x6c/0x180 mm/filemap.c:3649
read_mapping_page include/linux/pagemap.h:791 [inline]
dir_get_page fs/sysv/dir.c:58 [inline]
sysv_find_entry+0x170/0x5a8 fs/sysv/dir.c:146
sysv_inode_by_name+0xa0/0x330 fs/sysv/dir.c:360
sysv_lookup+0x74/0xe4 fs/sysv/namei.c:38
lookup_open fs/namei.c:3462 [inline]
open_last_lookups fs/namei.c:3552 [inline]
path_openat+0xd3c/0x2548 fs/namei.c:3782
do_filp_open+0x1bc/0x3cc fs/namei.c:3812
do_sys_openat2+0x128/0x3d8 fs/open.c:1318
do_sys_open fs/open.c:1334 [inline]
__do_sys_openat fs/open.c:1350 [inline]
__se_sys_openat fs/open.c:1345 [inline]
__arm64_sys_openat+0x1f0/0x240 fs/open.c:1345
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x64/0x218 arch/arm64/kernel/syscall.c:206
el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585

The buggy address belongs to the object at ffff0000e70ee0e8
which belongs to the cache buffer_head of size 168
The buggy address is located 62 bytes to the right of
168-byte region [ffff0000e70ee0e8, ffff0000e70ee190)

The buggy address belongs to the physical page:
page:000000000a184439 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1270ee
flags: 0x5ffe00000000200(slab|node=0|zone=2|lastcpupid=0xfff)
raw: 05ffe00000000200 0000000000000000 dead000000000122 ffff0000c03df980
raw: 0000000000000000 0000000000110011 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff0000e70ee080: 00 00 00 00 00 fc fc fc fc fc fc fc fc 00 00 00
ffff0000e70ee100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff0000e70ee180: 00 00 fc fc fc fc fc fc fc fc 00 00 00 00 00 00
^
ffff0000e70ee200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc
ffff0000e70ee280: fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00 00
==================================================================


---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

syzbot

May 4, 2024, 5:21:26 PM
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following issue on:

HEAD commit: 284087d4f7d5 Linux 5.15.158
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=13cbf1f8980000
kernel config: https://syzkaller.appspot.com/x/.config?x=b0dd54e4b5171ebc
dashboard link: https://syzkaller.appspot.com/bug?extid=3d6b2fd70949d09bcec7
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12cb6338980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=147717c4980000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/c2e33c1db6bf/disk-284087d4.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/d9f77284af1d/vmlinux-284087d4.xz
kernel image: https://storage.googleapis.com/syzbot-assets/a600323dd149/bzImage-284087d4.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/6b01ab3593c0/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+3d6b2f...@syzkaller.appspotmail.com

Buffer I/O error on dev loop0, logical block 3245774, async page read
attempt to access beyond end of device
loop0: rw=0, want=17669880, limit=128
Buffer I/O error on dev loop0, logical block 8834939, async page read
==================================================================
BUG: KASAN: slab-out-of-bounds in sysv_new_inode+0x1062/0x11f0 fs/sysv/ialloc.c:153
Read of size 2 at addr ffff88801e72c1ce by task syz-executor810/3559

CPU: 0 PID: 3559 Comm: syz-executor810 Not tainted 5.15.158-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e3/0x2d0 lib/dump_stack.c:106
print_address_description+0x63/0x3b0 mm/kasan/report.c:248
__kasan_report mm/kasan/report.c:434 [inline]
kasan_report+0x16b/0x1c0 mm/kasan/report.c:451
sysv_new_inode+0x1062/0x11f0 fs/sysv/ialloc.c:153
sysv_mknod+0x4a/0xe0 fs/sysv/namei.c:53
lookup_open fs/namei.c:3462 [inline]
open_last_lookups fs/namei.c:3532 [inline]
path_openat+0x130a/0x2f20 fs/namei.c:3739
do_filp_open+0x21c/0x460 fs/namei.c:3769
do_sys_openat2+0x13b/0x500 fs/open.c:1253
do_sys_open fs/open.c:1269 [inline]
__do_sys_openat fs/open.c:1285 [inline]
__se_sys_openat fs/open.c:1280 [inline]
__x64_sys_openat+0x243/0x290 fs/open.c:1280
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x66/0xd0
RIP: 0033:0x7f8696cde1d9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 11 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffe6f992b48 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 0030656c69662f2e RCX: 00007f8696cde1d9
RDX: 0000000000002c41 RSI: 0000000020000040 RDI: 00000000ffffff9c
RBP: 0000000000000004 R08: 00ffffffffffffff R09: 0000000001208000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffe6f992b90
R13: 00007ffe6f992bd0 R14: 0000000000010000 R15: 0000000000000003
</TASK>

Allocated by task 1:
kasan_save_stack mm/kasan/common.c:38 [inline]
kasan_set_track mm/kasan/common.c:46 [inline]
set_alloc_info mm/kasan/common.c:434 [inline]
__kasan_slab_alloc+0x8e/0xc0 mm/kasan/common.c:467
kasan_slab_alloc include/linux/kasan.h:254 [inline]
slab_post_alloc_hook+0x53/0x380 mm/slab.h:519
slab_alloc_node mm/slub.c:3220 [inline]
slab_alloc mm/slub.c:3228 [inline]
kmem_cache_alloc+0xf3/0x280 mm/slub.c:3233
kmem_cache_zalloc include/linux/slab.h:711 [inline]
__kernfs_new_node+0xdb/0x750 fs/kernfs/dir.c:593
kernfs_new_node+0x136/0x230 fs/kernfs/dir.c:669
__kernfs_create_file+0x45/0x2e0 fs/kernfs/file.c:985
sysfs_add_file_mode_ns+0x308/0x3e0 fs/sysfs/file.c:317
create_files fs/sysfs/group.c:64 [inline]
internal_create_group+0x573/0xf00 fs/sysfs/group.c:149
internal_create_groups fs/sysfs/group.c:189 [inline]
sysfs_create_groups+0x52/0x110 fs/sysfs/group.c:215
device_add_groups drivers/base/core.c:2488 [inline]
device_add_attrs+0x13c/0x470 drivers/base/core.c:2647
device_add+0x63e/0xfd0 drivers/base/core.c:3360
usb_new_device+0xc17/0x18e0 drivers/usb/core/hub.c:2593
register_root_hub+0x25f/0x540 drivers/usb/core/hcd.c:1021
usb_add_hcd+0xc4e/0x1250 drivers/usb/core/hcd.c:3001
dummy_hcd_probe+0x154/0x2a0 drivers/usb/gadget/udc/dummy_hcd.c:2675
platform_probe+0x131/0x1b0 drivers/base/platform.c:1391
really_probe+0x24e/0xb60 drivers/base/dd.c:595
__driver_probe_device+0x1a2/0x3d0 drivers/base/dd.c:755
driver_probe_device+0x50/0x420 drivers/base/dd.c:785
__device_attach_driver+0x2b9/0x500 drivers/base/dd.c:907
bus_for_each_drv+0x183/0x200 drivers/base/bus.c:427
__device_attach+0x359/0x570 drivers/base/dd.c:979
bus_probe_device+0xba/0x1e0 drivers/base/bus.c:487
device_add+0xb48/0xfd0 drivers/base/core.c:3409
platform_device_add+0x46e/0x7d0 drivers/base/platform.c:712
init+0x83b/0x1070 drivers/usb/gadget/udc/dummy_hcd.c:2828
do_one_initcall+0x22b/0x7a0 init/main.c:1302
do_initcall_level+0x157/0x210 init/main.c:1375
do_initcalls+0x49/0x90 init/main.c:1391
kernel_init_freeable+0x425/0x5c0 init/main.c:1615
kernel_init+0x19/0x290 init/main.c:1506
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:300

The buggy address belongs to the object at ffff88801e72c0e8
which belongs to the cache kernfs_node_cache of size 168
The buggy address is located 62 bytes to the right of
168-byte region [ffff88801e72c0e8, ffff88801e72c190)
The buggy address belongs to the page:
page:ffffea000079cb00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1e72c
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 0000000000000000 dead000000000122 ffff888011decb40
raw: 0000000000000000 0000000000110011 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 1, ts 6926308692, free_ts 6809088710
prep_new_page mm/page_alloc.c:2426 [inline]
get_page_from_freelist+0x322a/0x33c0 mm/page_alloc.c:4159
__alloc_pages+0x272/0x700 mm/page_alloc.c:5423
alloc_page_interleave+0x22/0x1c0 mm/mempolicy.c:2031
alloc_slab_page mm/slub.c:1775 [inline]
allocate_slab mm/slub.c:1912 [inline]
new_slab+0xbb/0x4b0 mm/slub.c:1975
___slab_alloc+0x6f6/0xe10 mm/slub.c:3008
__slab_alloc mm/slub.c:3095 [inline]
slab_alloc_node mm/slub.c:3186 [inline]
slab_alloc mm/slub.c:3228 [inline]
kmem_cache_alloc+0x18e/0x280 mm/slub.c:3233
kmem_cache_zalloc include/linux/slab.h:711 [inline]
__kernfs_new_node+0xdb/0x750 fs/kernfs/dir.c:593
kernfs_new_node+0x136/0x230 fs/kernfs/dir.c:669
__kernfs_create_file+0x45/0x2e0 fs/kernfs/file.c:985
sysfs_add_file_mode_ns+0x308/0x3e0 fs/sysfs/file.c:317
create_files fs/sysfs/group.c:64 [inline]
internal_create_group+0x573/0xf00 fs/sysfs/group.c:149
internal_create_groups fs/sysfs/group.c:189 [inline]
sysfs_create_groups+0x52/0x110 fs/sysfs/group.c:215
device_add_groups drivers/base/core.c:2488 [inline]
device_add_attrs+0x13c/0x470 drivers/base/core.c:2647
device_add+0x63e/0xfd0 drivers/base/core.c:3360
usb_new_device+0xc17/0x18e0 drivers/usb/core/hub.c:2593
register_root_hub+0x25f/0x540 drivers/usb/core/hcd.c:1021
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1340 [inline]
free_pcp_prepare mm/page_alloc.c:1391 [inline]
free_unref_page_prepare+0xc34/0xcf0 mm/page_alloc.c:3317
free_unref_page_list+0x1f7/0x8e0 mm/page_alloc.c:3433
release_pages+0x1bb9/0x1f40 mm/swap.c:963
tlb_batch_pages_flush mm/mmu_gather.c:49 [inline]
tlb_flush_mmu_free mm/mmu_gather.c:240 [inline]
tlb_flush_mmu mm/mmu_gather.c:247 [inline]
tlb_finish_mmu+0x177/0x320 mm/mmu_gather.c:338
exit_mmap+0x3cd/0x670 mm/mmap.c:3188
__mmput+0x112/0x3b0 kernel/fork.c:1126
free_bprm+0x135/0x2f0 fs/exec.c:1496
kernel_execve+0x3bd/0x9b0 fs/exec.c:2011
call_usermodehelper_exec_async+0x22f/0x370 kernel/umh.c:112
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:300

Memory state around the buggy address:
ffff88801e72c080: 00 00 00 00 00 fc fc fc fc fc fc fc fc 00 00 00
ffff88801e72c100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88801e72c180: 00 00 fc fc fc fc fc fc fc fc 00 00 00 00 00 00
^
ffff88801e72c200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc
ffff88801e72c280: fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00 00
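A triage helper for the four reports in this thread, as an added example that is not syzbot's tooling or kernel code. It parses the KASAN header lines quoted verbatim from the reports above and checks what is stable across them; the regexes, the KasanAccess type and the triage() summary are this example's own. On these inputs it shows that all four reports fault at the same source line with the same access width (a 2-byte read at fs/sysv/ialloc.c:153 in sysv_new_inode, reached from creat/openat on a sysv mount), that the faulting address has the same low 12 bits (0x1ce) every time, and that the object the address lands in is different in every report (a freed page, kmalloc-512, buffer_head, kernfs_node_cache). That pattern is what you want to see before deciding that the bug class KASAN prints (use-after-free versus slab-out-of-bounds) and the named cache are incidental, and that the 5.15 and 6.1 reports are one bug to be fixed once and backported, rather than two.

```python
"""Triage helper for the syzbot KASAN reports in this thread.

Added example, not syzbot's or the kernel's code: parses the report
header lines and checks whether several reports describe one bug site.
"""
import re
from dataclasses import dataclass

# Header lines copied verbatim from the four KASAN reports above.
REPORT_HEADERS = {
    "5.15.155 arm64 (Apr 14)": """\
BUG: KASAN: use-after-free in sysv_new_inode+0xd74/0xeec fs/sysv/ialloc.c:153
Read of size 2 at addr ffff0000ec7bb1ce by task syz-executor.3/4322
The buggy address belongs to the page:
page:00000000fe51f729 refcount:0 mapcount:0 mapping:0000000000000000 index:0x100 pfn:0x12c7bb
""",
    "6.1.87 x86_64 (Apr 22)": """\
BUG: KASAN: use-after-free in sysv_new_inode+0x107e/0x1210 fs/sysv/ialloc.c:153
Read of size 2 at addr ffff888056c091ce by task syz-executor.4/4171
The buggy address belongs to the object at ffff888056c09000
which belongs to the cache kmalloc-512 of size 512
""",
    "6.1.88 arm64 (Apr 27)": """\
BUG: KASAN: slab-out-of-bounds in sysv_new_inode+0xd8c/0xf04 fs/sysv/ialloc.c:153
Read of size 2 at addr ffff0000e70ee1ce by task syz-executor772/4336
The buggy address belongs to the object at ffff0000e70ee0e8
which belongs to the cache buffer_head of size 168
""",
    "5.15.158 x86_64 (May 4)": """\
BUG: KASAN: slab-out-of-bounds in sysv_new_inode+0x1062/0x11f0 fs/sysv/ialloc.c:153
Read of size 2 at addr ffff88801e72c1ce by task syz-executor810/3559
The buggy address belongs to the object at ffff88801e72c0e8
which belongs to the cache kernfs_node_cache of size 168
""",
}

# Patterns for the three header lines that matter for triage (this example's own).
HEADER_RE = re.compile(
    r"^BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\w+)\+0x[0-9a-f]+/0x[0-9a-f]+ (?P<loc>\S+)$",
    re.M,
)
ACCESS_RE = re.compile(
    r"^(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<task>\S+)$",
    re.M,
)
CACHE_RE = re.compile(
    r"^which belongs to the cache (?P<cache>\S+) of size (?P<objsize>\d+)$", re.M
)


@dataclass(frozen=True)
class KasanAccess:
    kind: str   # use-after-free, slab-out-of-bounds, ...
    func: str   # faulting function
    loc: str    # file:line of the access
    op: str     # Read or Write
    size: int   # bytes accessed
    addr: int   # faulting virtual address
    task: str   # comm/pid
    cache: str  # slab cache the address landed in, or "page" for a non-slab page

    @property
    def page_offset(self) -> int:
        """Offset of the access inside its 4 KiB page (the low 12 bits)."""
        return self.addr & 0xFFF

    @property
    def signature(self) -> tuple:
        """What must agree for two reports to be the same bug site."""
        return (self.func, self.loc, self.op, self.size)


def parse_report(text: str) -> KasanAccess:
    """Extract the header fields of one KASAN report; raise if they are missing."""
    h = HEADER_RE.search(text)
    a = ACCESS_RE.search(text)
    if h is None or a is None:
        raise ValueError("not a KASAN report header")
    c = CACHE_RE.search(text)
    return KasanAccess(
        kind=h["kind"], func=h["func"], loc=h["loc"],
        op=a["op"], size=int(a["size"]), addr=int(a["addr"], 16), task=a["task"],
        cache=c["cache"] if c else "page",
    )


def triage(reports: dict) -> dict:
    """Parse every report and summarise what is constant across them."""
    parsed = {name: parse_report(txt) for name, txt in reports.items()}
    sigs = {r.signature for r in parsed.values()}
    return {
        "same_site": len(sigs) == 1,
        "site": next(iter(sigs)) if len(sigs) == 1 else None,
        "kinds": sorted({r.kind for r in parsed.values()}),
        "page_offsets": sorted({r.page_offset for r in parsed.values()}),
        "caches": sorted({r.cache for r in parsed.values()}),
    }


if __name__ == "__main__":
    for key, value in triage(REPORT_HEADERS).items():
        print(f"{key}: {value}")
```

The page offset is the useful extra signal here: a fixed offset of 0x1ce into whatever page the read lands in, across two branches and two architectures, is consistent with a read through a stale or out-of-range buffer pointer at a fixed position rather than with a lifetime bug in any of the caches KASAN happened to name. The reproducers mount a supplied filesystem image ("mounted in repro" above), so a fuzzed on-disk sysv image is the input to test a fix against.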