Hello,
syzbot found the following issue on:
HEAD commit: 883d1a956208 Linux 6.1.75
git tree: linux-6.1.y
console output:
https://syzkaller.appspot.com/x/log.txt?x=10677467e80000
kernel config:
https://syzkaller.appspot.com/x/.config?x=c421ffef554bdd17
dashboard link:
https://syzkaller.appspot.com/bug?extid=9e980ae625534d4b4e41
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image:
https://storage.googleapis.com/syzbot-assets/1ff30edbe66d/disk-883d1a95.raw.xz
vmlinux:
https://storage.googleapis.com/syzbot-assets/1cd87be79a04/vmlinux-883d1a95.xz
kernel image:
https://storage.googleapis.com/syzbot-assets/e50c5a26cded/Image-883d1a95.gz.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by:
syzbot+9e980a...@syzkaller.appspotmail.com
loop0: detected capacity change from 0 to 1024
==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy_from_page include/linux/highmem.h:393 [inline]
BUG: KASAN: slab-out-of-bounds in hfsplus_bnode_read fs/hfsplus/bnode.c:32 [inline]
BUG: KASAN: slab-out-of-bounds in hfsplus_bnode_read_key+0x3bc/0x658 fs/hfsplus/bnode.c:70
Write of size 4026 at addr ffff0000cdcd3000 by task syz-executor.0/13419
CPU: 1 PID: 13419 Comm: syz-executor.0 Not tainted 6.1.75-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Call trace:
dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:158
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:284 [inline]
print_report+0x174/0x4c0 mm/kasan/report.c:395
kasan_report+0xd4/0x130 mm/kasan/report.c:495
kasan_check_range+0x264/0x2a4 mm/kasan/generic.c:189
memcpy+0x60/0x90 mm/kasan/shadow.c:66
memcpy_from_page include/linux/highmem.h:393 [inline]
hfsplus_bnode_read fs/hfsplus/bnode.c:32 [inline]
hfsplus_bnode_read_key+0x3bc/0x658 fs/hfsplus/bnode.c:70
hfsplus_brec_insert+0x520/0xaa0 fs/hfsplus/brec.c:141
hfsplus_create_attr+0x3b0/0x568 fs/hfsplus/attributes.c:252
__hfsplus_setxattr+0x990/0x1d10 fs/hfsplus/xattr.c:354
hfsplus_setxattr+0xb4/0xec fs/hfsplus/xattr.c:434
hfsplus_user_setxattr+0x54/0x6c fs/hfsplus/xattr_user.c:30
__vfs_setxattr+0x388/0x3a4 fs/xattr.c:182
__vfs_setxattr_noperm+0x110/0x528 fs/xattr.c:216
__vfs_setxattr_locked+0x1ec/0x218 fs/xattr.c:277
vfs_setxattr+0x1a8/0x344 fs/xattr.c:309
do_setxattr fs/xattr.c:594 [inline]
setxattr+0x230/0x294 fs/xattr.c:617
path_setxattr+0x17c/0x258 fs/xattr.c:636
__do_sys_setxattr fs/xattr.c:652 [inline]
__se_sys_setxattr fs/xattr.c:648 [inline]
__arm64_sys_setxattr+0xbc/0xd8 fs/xattr.c:648
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x64/0x218 arch/arm64/kernel/syscall.c:206
el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585
Allocated by task 13419:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4c/0x80 mm/kasan/common.c:52
kasan_save_alloc_info+0x24/0x30 mm/kasan/generic.c:505
____kasan_kmalloc mm/kasan/common.c:374 [inline]
__kasan_kmalloc+0xac/0xc4 mm/kasan/common.c:383
kasan_kmalloc include/linux/kasan.h:211 [inline]
__do_kmalloc_node mm/slab_common.c:955 [inline]
__kmalloc+0xd8/0x1c4 mm/slab_common.c:968
kmalloc include/linux/slab.h:558 [inline]
hfsplus_find_init+0x84/0x1bc fs/hfsplus/bfind.c:21
hfsplus_create_attr+0x14c/0x568 fs/hfsplus/attributes.c:216
__hfsplus_setxattr+0x990/0x1d10 fs/hfsplus/xattr.c:354
hfsplus_setxattr+0xb4/0xec fs/hfsplus/xattr.c:434
hfsplus_user_setxattr+0x54/0x6c fs/hfsplus/xattr_user.c:30
__vfs_setxattr+0x388/0x3a4 fs/xattr.c:182
__vfs_setxattr_noperm+0x110/0x528 fs/xattr.c:216
__vfs_setxattr_locked+0x1ec/0x218 fs/xattr.c:277
vfs_setxattr+0x1a8/0x344 fs/xattr.c:309
do_setxattr fs/xattr.c:594 [inline]
setxattr+0x230/0x294 fs/xattr.c:617
path_setxattr+0x17c/0x258 fs/xattr.c:636
__do_sys_setxattr fs/xattr.c:652 [inline]
__se_sys_setxattr fs/xattr.c:648 [inline]
__arm64_sys_setxattr+0xbc/0xd8 fs/xattr.c:648
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x64/0x218 arch/arm64/kernel/syscall.c:206
el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585
Last potentially related work creation:
kasan_save_stack+0x40/0x70 mm/kasan/common.c:45
__kasan_record_aux_stack+0xcc/0xe8 mm/kasan/generic.c:486
kasan_record_aux_stack_noalloc+0x14/0x20 mm/kasan/generic.c:496
kvfree_call_rcu+0xb4/0x714 kernel/rcu/tree.c:3368
neigh_destroy+0x470/0x6b0 net/core/neighbour.c:918
neigh_release include/net/neighbour.h:447 [inline]
neigh_cleanup_and_release+0x15c/0x414 net/core/neighbour.c:103
neigh_periodic_work+0x46c/0xb14 net/core/neighbour.c:1005
process_one_work+0x7ac/0x1404 kernel/workqueue.c:2292
worker_thread+0x8e4/0xfec kernel/workqueue.c:2439
kthread+0x250/0x2d8 kernel/kthread.c:376
ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:864
The buggy address belongs to the object at ffff0000cdcd3000
which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 0 bytes inside of
1024-byte region [ffff0000cdcd3000, ffff0000cdcd3400)
The buggy address belongs to the physical page:
page:00000000b30699b0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10dcd0
head:00000000b30699b0 order:3 compound_mapcount:0 compound_pincount:0
flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000010200 dead000000000100 dead000000000122 ffff0000c0002780
raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff0000cdcd3100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff0000cdcd3180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff0000cdcd3200: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff0000cdcd3280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff0000cdcd3300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
---
This report is generated by a bot. It may contain errors.
See
https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at
syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup