[Android 6.1] KASAN: slab-out-of-bounds Write in __bpf_get_stackid
3 views
Skip to first unread message
syzbot
Feb 4, 2026, 7:19:45 PM (2 days ago) Feb 4
to syzkaller-a...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 775f23d50ca8 ANDROID: GKI: enable CONFIG_EROFS_FS_ZIP_LZMA
git tree: android14-6.1
console output: https://syzkaller.appspot.com/x/log.txt?x=1495aa5a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=19de17fcb07fab22
dashboard link: https://syzkaller.appspot.com/bug?extid=6d2cdc0a08307ab5cc60
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11535a5a580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=163d0a5a580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/99987f9877fa/disk-775f23d5.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/1ef8ba6bd270/vmlinux-775f23d5.xz
kernel image: https://storage.googleapis.com/syzbot-assets/b46e1ea112b3/bzImage-775f23d5.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+6d2cdc...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: slab-out-of-bounds in __bpf_get_stackid+0x6fa/0x960 kernel/bpf/stackmap.c:274
Write of size 72 at addr ffff888112c3fb90 by task syz.2.17/376
CPU: 0 PID: 376 Comm: syz.2.17 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Call Trace:
<TASK>
__dump_stack+0x21/0x24 lib/dump_stack.c:88
dump_stack_lvl+0x110/0x170 lib/dump_stack.c:106
print_address_description+0x71/0x200 mm/kasan/report.c:316
print_report+0x4a/0x60 mm/kasan/report.c:420
kasan_report+0x122/0x150 mm/kasan/report.c:524
check_region_inline mm/kasan/generic.c:-1 [inline]
kasan_check_range+0x249/0x2a0 mm/kasan/generic.c:189
memcpy+0x44/0x70 mm/kasan/shadow.c:66
__bpf_get_stackid+0x6fa/0x960 kernel/bpf/stackmap.c:274
____bpf_get_stackid_pe kernel/bpf/stackmap.c:365 [inline]
bpf_get_stackid_pe+0x2ee/0x400 kernel/bpf/stackmap.c:334
bpf_prog_47e2b75ffb32ae9a+0x21/0x39
bpf_dispatcher_nop_func include/linux/bpf.h:987 [inline]
__bpf_prog_run include/linux/filter.h:607 [inline]
bpf_prog_run include/linux/filter.h:614 [inline]
bpf_overflow_handler+0x3d0/0x5e0 kernel/events/core.c:10238
__perf_event_overflow+0x437/0x620 kernel/events/core.c:9448
perf_swevent_overflow kernel/events/core.c:9524 [inline]
perf_swevent_event+0x2f7/0x530 kernel/events/core.c:-1
do_perf_sw_event kernel/events/core.c:9665 [inline]
___perf_sw_event+0x3bf/0x4f0 kernel/events/core.c:9696
__perf_sw_event+0x134/0x270 kernel/events/core.c:9708
perf_sw_event include/linux/perf_event.h:1250 [inline]
do_user_addr_fault+0xffb/0x1050 arch/x86/mm/fault.c:1287
handle_page_fault arch/x86/mm/fault.c:1466 [inline]
exc_page_fault+0x51/0xb0 arch/x86/mm/fault.c:1522
asm_exc_page_fault+0x27/0x30 arch/x86/include/asm/idtentry.h:608
RIP: 0010:do_strncpy_from_user lib/strncpy_from_user.c:41 [inline]
RIP: 0010:strncpy_from_user+0xdf/0x2d0 lib/strncpy_from_user.c:139
Code: 00 00 4c 89 ee e8 e1 78 e2 fe 49 83 fd 07 0f 86 a2 00 00 00 4c 89 75 c0 49 c7 c7 f8 ff ff ff 45 31 e4 4c 89 65 c8 48 8b 45 c0 <4a> 8b 1c 20 48 b8 ff fe fe fe fe fe fe fe 4c 8d 34 03 49 89 dc 49
RSP: 0018:ffffc90000a87cb8 EFLAGS: 00050246
RAX: 0000000000000000 RBX: 0000000000000fe0 RCX: ffff888113ee6540
RDX: 0000000000000000 RSI: 0000000000000fe0 RDI: 0000000000000007
RBP: ffffc90000a87d00 R08: ffffea000451ce07 R09: 1ffffd40008a39c0
R10: dffffc0000000000 R11: fffff940008a39c1 R12: 0000000000000000
R13: 0000000000000fe0 R14: 0000000000000000 R15: fffffffffffffff8
getname_flags+0xf4/0x500 fs/namei.c:150
getname+0x19/0x20 fs/namei.c:218
do_sys_openat2+0xeb/0x810 fs/open.c:1337
do_sys_open fs/open.c:1359 [inline]
__do_sys_openat fs/open.c:1375 [inline]
__se_sys_openat fs/open.c:1370 [inline]
__x64_sys_openat+0x136/0x160 fs/open.c:1370
x64_sys_call+0x783/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:258
do_syscall_x64 arch/x86/entry/common.c:46 [inline]
do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:76
entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7f13af59aeb9
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffe75014a48 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007f13af815fa0 RCX: 00007f13af59aeb9
RDX: 00000000000026e1 RSI: 0000000000000000 RDI: ffffffffffffff9c
RBP: 00007f13af608c1f R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f13af815fac R14: 00007f13af815fa0 R15: 00007f13af815fa0
</TASK>
Allocated by task 376:
kasan_save_stack mm/kasan/common.c:46 [inline]
kasan_set_track+0x4b/0x70 mm/kasan/common.c:53
kasan_save_alloc_info+0x25/0x30 mm/kasan/generic.c:505
____kasan_kmalloc mm/kasan/common.c:380 [inline]
__kasan_kmalloc+0x95/0xb0 mm/kasan/common.c:389
kasan_kmalloc include/linux/kasan.h:212 [inline]
__do_kmalloc_node mm/slab_common.c:938 [inline]
__kmalloc_node+0xb2/0x1e0 mm/slab_common.c:945
kmalloc_node include/linux/slab.h:589 [inline]
__bpf_map_area_alloc kernel/bpf/syscall.c:328 [inline]
bpf_map_area_alloc+0x4b/0xe0 kernel/bpf/syscall.c:341
prealloc_elems_and_freelist+0x8a/0x1e0 kernel/bpf/stackmap.c:51
stack_map_alloc+0x3a7/0x530 kernel/bpf/stackmap.c:117
find_and_alloc_map kernel/bpf/syscall.c:133 [inline]
map_create+0x49c/0xd80 kernel/bpf/syscall.c:1126
__sys_bpf+0x34e/0x850 kernel/bpf/syscall.c:4987
__do_sys_bpf kernel/bpf/syscall.c:5109 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5107 [inline]
__x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5107
x64_sys_call+0x488/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:322
do_syscall_x64 arch/x86/entry/common.c:46 [inline]
do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:76
entry_SYSCALL_64_after_hwframe+0x68/0xd2
The buggy address belongs to the object at ffff888112c3fb80
which belongs to the cache kmalloc-64 of size 64
The buggy address is located 16 bytes inside of
64-byte region [ffff888112c3fb80, ffff888112c3fbc0)
The buggy address belongs to the physical page:
page:ffffea00044b0fc0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x112c3f
flags: 0x4000000000000200(slab|zone=1)
raw: 4000000000000200 0000000000000000 dead000000000122 ffff888100042780
raw: 0000000000000000 0000000000200020 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 366, tgid 366 (syz-executor), ts 28201775438, free_ts 27847051615
set_page_owner include/linux/page_owner.h:33 [inline]
post_alloc_hook+0x1f5/0x210 mm/page_alloc.c:2643
prep_new_page+0x1c/0x110 mm/page_alloc.c:2650
get_page_from_freelist+0x2d12/0x2d80 mm/page_alloc.c:4554
__alloc_pages+0x1d9/0x480 mm/page_alloc.c:5868
alloc_slab_page+0x6e/0xf0 include/linux/gfp.h:-1
allocate_slab mm/slub.c:1967 [inline]
new_slab+0x98/0x3d0 mm/slub.c:2020
___slab_alloc+0x6bd/0xb20 mm/slub.c:3177
__slab_alloc+0x5e/0xa0 mm/slub.c:3263
slab_alloc_node mm/slub.c:3348 [inline]
__kmem_cache_alloc_node+0x203/0x2c0 mm/slub.c:3423
kmalloc_trace+0x29/0xb0 mm/slab_common.c:1028
kmalloc include/linux/slab.h:563 [inline]
call_modprobe kernel/kmod.c:79 [inline]
__request_module+0x2a7/0x910 kernel/kmod.c:170
dev_load+0x5b/0xb0 net/core/dev_ioctl.c:449
dev_ioctl+0x3c6/0xd10 net/core/dev_ioctl.c:514
sock_do_ioctl+0x252/0x330 net/socket.c:1208
sock_ioctl+0x4ca/0x720 net/socket.c:1311
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:870 [inline]
__se_sys_ioctl+0x12f/0x1b0 fs/ioctl.c:856
page last free stack trace:
reset_page_owner include/linux/page_owner.h:26 [inline]
free_pages_prepare mm/page_alloc.c:1551 [inline]
free_pcp_prepare mm/page_alloc.c:1625 [inline]
free_unref_page_prepare+0x742/0x750 mm/page_alloc.c:3589
free_unref_page+0x95/0x540 mm/page_alloc.c:3687
free_the_page mm/page_alloc.c:836 [inline]
__free_pages+0x67/0x100 mm/page_alloc.c:5957
__free_slab+0xca/0x1a0 mm/slub.c:2044
free_slab mm/slub.c:2059 [inline]
discard_slab mm/slub.c:2065 [inline]
__unfreeze_partials+0x160/0x190 mm/slub.c:2614
put_cpu_partial+0xa9/0x100 mm/slub.c:2690
__slab_free+0x1c4/0x280 mm/slub.c:3589
do_slab_free mm/slub.c:3666 [inline]
___cache_free+0xbf/0xd0 mm/slub.c:3722
qlink_free mm/kasan/quarantine.c:168 [inline]
qlist_free_all+0xc6/0x140 mm/kasan/quarantine.c:187
kasan_quarantine_reduce+0x14a/0x170 mm/kasan/quarantine.c:294
__kasan_slab_alloc+0x24/0x80 mm/kasan/common.c:311
kasan_slab_alloc include/linux/kasan.h:202 [inline]
slab_post_alloc_hook+0x4f/0x2d0 mm/slab.h:768
slab_alloc_node mm/slub.c:3382 [inline]
slab_alloc mm/slub.c:3392 [inline]
__kmem_cache_alloc_lru mm/slub.c:3399 [inline]
kmem_cache_alloc+0x16e/0x330 mm/slub.c:3408
getname_flags+0xb9/0x500 fs/namei.c:139
getname+0x19/0x20 fs/namei.c:218
do_sys_openat2+0xeb/0x810 fs/open.c:1337
Memory state around the buggy address:
ffff888112c3fa80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
ffff888112c3fb00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>ffff888112c3fb80: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
^
ffff888112c3fc00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
ffff888112c3fc80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
==================================================================
----------------
Code disassembly (best guess):
0: 00 00 add %al,(%rax)
2: 4c 89 ee mov %r13,%rsi
5: e8 e1 78 e2 fe call 0xfee278eb
a: 49 83 fd 07 cmp $0x7,%r13
e: 0f 86 a2 00 00 00 jbe 0xb6
14: 4c 89 75 c0 mov %r14,-0x40(%rbp)
18: 49 c7 c7 f8 ff ff ff mov $0xfffffffffffffff8,%r15
1f: 45 31 e4 xor %r12d,%r12d
22: 4c 89 65 c8 mov %r12,-0x38(%rbp)
26: 48 8b 45 c0 mov -0x40(%rbp),%rax
* 2a: 4a 8b 1c 20 mov (%rax,%r12,1),%rbx <-- trapping instruction
2e: 48 b8 ff fe fe fe fe movabs $0xfefefefefefefeff,%rax
35: fe fe fe
38: 4c 8d 34 03 lea (%rbx,%rax,1),%r14
3c: 49 89 dc mov %rbx,%r12
3f: 49 rex.WB
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: 775f23d50ca8 ANDROID: GKI: enable CONFIG_EROFS_FS_ZIP_LZMA
git tree: android14-6.1
console output: https://syzkaller.appspot.com/x/log.txt?x=1495aa5a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=19de17fcb07fab22
dashboard link: https://syzkaller.appspot.com/bug?extid=6d2cdc0a08307ab5cc60
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11535a5a580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=163d0a5a580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/99987f9877fa/disk-775f23d5.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/1ef8ba6bd270/vmlinux-775f23d5.xz
kernel image: https://storage.googleapis.com/syzbot-assets/b46e1ea112b3/bzImage-775f23d5.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+6d2cdc...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: slab-out-of-bounds in __bpf_get_stackid+0x6fa/0x960 kernel/bpf/stackmap.c:274
Write of size 72 at addr ffff888112c3fb90 by task syz.2.17/376
CPU: 0 PID: 376 Comm: syz.2.17 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Call Trace:
<TASK>
__dump_stack+0x21/0x24 lib/dump_stack.c:88
dump_stack_lvl+0x110/0x170 lib/dump_stack.c:106
print_address_description+0x71/0x200 mm/kasan/report.c:316
print_report+0x4a/0x60 mm/kasan/report.c:420
kasan_report+0x122/0x150 mm/kasan/report.c:524
check_region_inline mm/kasan/generic.c:-1 [inline]
kasan_check_range+0x249/0x2a0 mm/kasan/generic.c:189
memcpy+0x44/0x70 mm/kasan/shadow.c:66
__bpf_get_stackid+0x6fa/0x960 kernel/bpf/stackmap.c:274
____bpf_get_stackid_pe kernel/bpf/stackmap.c:365 [inline]
bpf_get_stackid_pe+0x2ee/0x400 kernel/bpf/stackmap.c:334
bpf_prog_47e2b75ffb32ae9a+0x21/0x39
bpf_dispatcher_nop_func include/linux/bpf.h:987 [inline]
__bpf_prog_run include/linux/filter.h:607 [inline]
bpf_prog_run include/linux/filter.h:614 [inline]
bpf_overflow_handler+0x3d0/0x5e0 kernel/events/core.c:10238
__perf_event_overflow+0x437/0x620 kernel/events/core.c:9448
perf_swevent_overflow kernel/events/core.c:9524 [inline]
perf_swevent_event+0x2f7/0x530 kernel/events/core.c:-1
do_perf_sw_event kernel/events/core.c:9665 [inline]
___perf_sw_event+0x3bf/0x4f0 kernel/events/core.c:9696
__perf_sw_event+0x134/0x270 kernel/events/core.c:9708
perf_sw_event include/linux/perf_event.h:1250 [inline]
do_user_addr_fault+0xffb/0x1050 arch/x86/mm/fault.c:1287
handle_page_fault arch/x86/mm/fault.c:1466 [inline]
exc_page_fault+0x51/0xb0 arch/x86/mm/fault.c:1522
asm_exc_page_fault+0x27/0x30 arch/x86/include/asm/idtentry.h:608
RIP: 0010:do_strncpy_from_user lib/strncpy_from_user.c:41 [inline]
RIP: 0010:strncpy_from_user+0xdf/0x2d0 lib/strncpy_from_user.c:139
Code: 00 00 4c 89 ee e8 e1 78 e2 fe 49 83 fd 07 0f 86 a2 00 00 00 4c 89 75 c0 49 c7 c7 f8 ff ff ff 45 31 e4 4c 89 65 c8 48 8b 45 c0 <4a> 8b 1c 20 48 b8 ff fe fe fe fe fe fe fe 4c 8d 34 03 49 89 dc 49
RSP: 0018:ffffc90000a87cb8 EFLAGS: 00050246
RAX: 0000000000000000 RBX: 0000000000000fe0 RCX: ffff888113ee6540
RDX: 0000000000000000 RSI: 0000000000000fe0 RDI: 0000000000000007
RBP: ffffc90000a87d00 R08: ffffea000451ce07 R09: 1ffffd40008a39c0
R10: dffffc0000000000 R11: fffff940008a39c1 R12: 0000000000000000
R13: 0000000000000fe0 R14: 0000000000000000 R15: fffffffffffffff8
getname_flags+0xf4/0x500 fs/namei.c:150
getname+0x19/0x20 fs/namei.c:218
do_sys_openat2+0xeb/0x810 fs/open.c:1337
do_sys_open fs/open.c:1359 [inline]
__do_sys_openat fs/open.c:1375 [inline]
__se_sys_openat fs/open.c:1370 [inline]
__x64_sys_openat+0x136/0x160 fs/open.c:1370
x64_sys_call+0x783/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:258
do_syscall_x64 arch/x86/entry/common.c:46 [inline]
do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:76
entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7f13af59aeb9
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffe75014a48 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007f13af815fa0 RCX: 00007f13af59aeb9
RDX: 00000000000026e1 RSI: 0000000000000000 RDI: ffffffffffffff9c
RBP: 00007f13af608c1f R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f13af815fac R14: 00007f13af815fa0 R15: 00007f13af815fa0
</TASK>
Allocated by task 376:
kasan_save_stack mm/kasan/common.c:46 [inline]
kasan_set_track+0x4b/0x70 mm/kasan/common.c:53
kasan_save_alloc_info+0x25/0x30 mm/kasan/generic.c:505
____kasan_kmalloc mm/kasan/common.c:380 [inline]
__kasan_kmalloc+0x95/0xb0 mm/kasan/common.c:389
kasan_kmalloc include/linux/kasan.h:212 [inline]
__do_kmalloc_node mm/slab_common.c:938 [inline]
__kmalloc_node+0xb2/0x1e0 mm/slab_common.c:945
kmalloc_node include/linux/slab.h:589 [inline]
__bpf_map_area_alloc kernel/bpf/syscall.c:328 [inline]
bpf_map_area_alloc+0x4b/0xe0 kernel/bpf/syscall.c:341
prealloc_elems_and_freelist+0x8a/0x1e0 kernel/bpf/stackmap.c:51
stack_map_alloc+0x3a7/0x530 kernel/bpf/stackmap.c:117
find_and_alloc_map kernel/bpf/syscall.c:133 [inline]
map_create+0x49c/0xd80 kernel/bpf/syscall.c:1126
__sys_bpf+0x34e/0x850 kernel/bpf/syscall.c:4987
__do_sys_bpf kernel/bpf/syscall.c:5109 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5107 [inline]
__x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5107
x64_sys_call+0x488/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:322
do_syscall_x64 arch/x86/entry/common.c:46 [inline]
do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:76
entry_SYSCALL_64_after_hwframe+0x68/0xd2
The buggy address belongs to the object at ffff888112c3fb80
which belongs to the cache kmalloc-64 of size 64
The buggy address is located 16 bytes inside of
64-byte region [ffff888112c3fb80, ffff888112c3fbc0)
The buggy address belongs to the physical page:
page:ffffea00044b0fc0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x112c3f
flags: 0x4000000000000200(slab|zone=1)
raw: 4000000000000200 0000000000000000 dead000000000122 ffff888100042780
raw: 0000000000000000 0000000000200020 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 366, tgid 366 (syz-executor), ts 28201775438, free_ts 27847051615
set_page_owner include/linux/page_owner.h:33 [inline]
post_alloc_hook+0x1f5/0x210 mm/page_alloc.c:2643
prep_new_page+0x1c/0x110 mm/page_alloc.c:2650
get_page_from_freelist+0x2d12/0x2d80 mm/page_alloc.c:4554
__alloc_pages+0x1d9/0x480 mm/page_alloc.c:5868
alloc_slab_page+0x6e/0xf0 include/linux/gfp.h:-1
allocate_slab mm/slub.c:1967 [inline]
new_slab+0x98/0x3d0 mm/slub.c:2020
___slab_alloc+0x6bd/0xb20 mm/slub.c:3177
__slab_alloc+0x5e/0xa0 mm/slub.c:3263
slab_alloc_node mm/slub.c:3348 [inline]
__kmem_cache_alloc_node+0x203/0x2c0 mm/slub.c:3423
kmalloc_trace+0x29/0xb0 mm/slab_common.c:1028
kmalloc include/linux/slab.h:563 [inline]
call_modprobe kernel/kmod.c:79 [inline]
__request_module+0x2a7/0x910 kernel/kmod.c:170
dev_load+0x5b/0xb0 net/core/dev_ioctl.c:449
dev_ioctl+0x3c6/0xd10 net/core/dev_ioctl.c:514
sock_do_ioctl+0x252/0x330 net/socket.c:1208
sock_ioctl+0x4ca/0x720 net/socket.c:1311
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:870 [inline]
__se_sys_ioctl+0x12f/0x1b0 fs/ioctl.c:856
page last free stack trace:
reset_page_owner include/linux/page_owner.h:26 [inline]
free_pages_prepare mm/page_alloc.c:1551 [inline]
free_pcp_prepare mm/page_alloc.c:1625 [inline]
free_unref_page_prepare+0x742/0x750 mm/page_alloc.c:3589
free_unref_page+0x95/0x540 mm/page_alloc.c:3687
free_the_page mm/page_alloc.c:836 [inline]
__free_pages+0x67/0x100 mm/page_alloc.c:5957
__free_slab+0xca/0x1a0 mm/slub.c:2044
free_slab mm/slub.c:2059 [inline]
discard_slab mm/slub.c:2065 [inline]
__unfreeze_partials+0x160/0x190 mm/slub.c:2614
put_cpu_partial+0xa9/0x100 mm/slub.c:2690
__slab_free+0x1c4/0x280 mm/slub.c:3589
do_slab_free mm/slub.c:3666 [inline]
___cache_free+0xbf/0xd0 mm/slub.c:3722
qlink_free mm/kasan/quarantine.c:168 [inline]
qlist_free_all+0xc6/0x140 mm/kasan/quarantine.c:187
kasan_quarantine_reduce+0x14a/0x170 mm/kasan/quarantine.c:294
__kasan_slab_alloc+0x24/0x80 mm/kasan/common.c:311
kasan_slab_alloc include/linux/kasan.h:202 [inline]
slab_post_alloc_hook+0x4f/0x2d0 mm/slab.h:768
slab_alloc_node mm/slub.c:3382 [inline]
slab_alloc mm/slub.c:3392 [inline]
__kmem_cache_alloc_lru mm/slub.c:3399 [inline]
kmem_cache_alloc+0x16e/0x330 mm/slub.c:3408
getname_flags+0xb9/0x500 fs/namei.c:139
getname+0x19/0x20 fs/namei.c:218
do_sys_openat2+0xeb/0x810 fs/open.c:1337
Memory state around the buggy address:
ffff888112c3fa80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
ffff888112c3fb00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>ffff888112c3fb80: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
^
ffff888112c3fc00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
ffff888112c3fc80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
==================================================================
----------------
Code disassembly (best guess):
0: 00 00 add %al,(%rax)
2: 4c 89 ee mov %r13,%rsi
5: e8 e1 78 e2 fe call 0xfee278eb
a: 49 83 fd 07 cmp $0x7,%r13
e: 0f 86 a2 00 00 00 jbe 0xb6
14: 4c 89 75 c0 mov %r14,-0x40(%rbp)
18: 49 c7 c7 f8 ff ff ff mov $0xfffffffffffffff8,%r15
1f: 45 31 e4 xor %r12d,%r12d
22: 4c 89 65 c8 mov %r12,-0x38(%rbp)
26: 48 8b 45 c0 mov -0x40(%rbp),%rax
* 2a: 4a 8b 1c 20 mov (%rax,%r12,1),%rbx <-- trapping instruction
2e: 48 b8 ff fe fe fe fe movabs $0xfefefefefefefeff,%rax
35: fe fe fe
38: 4c 8d 34 03 lea (%rbx,%rax,1),%r14
3c: 49 89 dc mov %rbx,%r12
3f: 49 rex.WB
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
Reply all
Reply to author
Forward
0 new messages