[syzbot] [nvme?] KASAN: slab-out-of-bounds Read in nvmet_root_discovery_nqn_show

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit: a0e3919a2df2 Merge tag 'usb-6.13-rc3' of git://git.kernel...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=123cbcdf980000
kernel config: https://syzkaller.appspot.com/x/.config?x=99a5586995ec03b2
dashboard link: https://syzkaller.appspot.com/bug?extid=a84181c81389771eb46a
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/669aa1e15c11/disk-a0e3919a.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/ee966f8b50ac/vmlinux-a0e3919a.xz
kernel image: https://storage.googleapis.com/syzbot-assets/e872e1d072f1/bzImage-a0e3919a.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+a84181...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: slab-out-of-bounds in string_nocheck lib/vsprintf.c:646 [inline]
BUG: KASAN: slab-out-of-bounds in string+0x398/0x3d0 lib/vsprintf.c:728
Read of size 1 at addr ffff88814371a8a5 by task syz.0.6476/29206

CPU: 0 UID: 0 PID: 29206 Comm: syz.0.6476 Tainted: G U 6.13.0-rc2-syzkaller-00333-ga0e3919a2df2 #0
Tainted: [U]=USER
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/25/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xc3/0x620 mm/kasan/report.c:489
kasan_report+0xd9/0x110 mm/kasan/report.c:602
string_nocheck lib/vsprintf.c:646 [inline]
string+0x398/0x3d0 lib/vsprintf.c:728
vsnprintf+0xc67/0x1870 lib/vsprintf.c:2848
snprintf+0xc8/0x100 lib/vsprintf.c:2983
nvmet_root_discovery_nqn_show+0x69/0x90 drivers/nvme/target/configfs.c:2250
fill_read_buffer fs/configfs/file.c:68 [inline]
configfs_read_iter+0x40d/0x690 fs/configfs/file.c:88
__kernel_read+0x3f1/0xb50 fs/read_write.c:523
integrity_kernel_read+0x7f/0xb0 security/integrity/iint.c:28
ima_calc_file_hash_tfm+0x2c9/0x3e0 security/integrity/ima/ima_crypto.c:480
ima_calc_file_shash security/integrity/ima/ima_crypto.c:511 [inline]
ima_calc_file_hash+0x1ba/0x490 security/integrity/ima/ima_crypto.c:568
ima_collect_measurement+0x8a7/0xa10 security/integrity/ima/ima_api.c:293
process_measurement+0x1271/0x2370 security/integrity/ima/ima_main.c:372
ima_file_check+0xc6/0x110 security/integrity/ima/ima_main.c:572
security_file_post_open+0x8e/0x210 security/security.c:3121
do_open fs/namei.c:3830 [inline]
path_openat+0x1419/0x2d60 fs/namei.c:3987
do_filp_open+0x20c/0x470 fs/namei.c:4014
do_sys_openat2+0x17a/0x1e0 fs/open.c:1402
do_sys_open fs/open.c:1417 [inline]
__do_sys_openat fs/open.c:1433 [inline]
__se_sys_openat fs/open.c:1428 [inline]
__x64_sys_openat+0x175/0x210 fs/open.c:1428
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f3dfbd85d19
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f3dfcb03038 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007f3dfbf76080 RCX: 00007f3dfbd85d19
RDX: 0000000000189002 RSI: 0000000020000100 RDI: ffffffffffffff9c
RBP: 00007f3dfbe01a20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f3dfbf76080 R15: 00007ffc48d63a98
</TASK>

The buggy address belongs to the object at ffff88814371a880
which belongs to the cache kmalloc-64 of size 64
The buggy address is located 0 bytes to the right of
allocated 37-byte region [ffff88814371a880, ffff88814371a8a5)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x14371a
flags: 0x57ff00000000000(node=1|zone=2|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 057ff00000000000 ffff88801ac418c0 ffffea00052a0a40 dead000000000004
raw: 0000000000000000 0000000000200020 00000001f5000000 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 1, tgid 1 (swapper/0), ts 8577258261, free_ts 0
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1556
prep_new_page mm/page_alloc.c:1564 [inline]
get_page_from_freelist+0xfce/0x2f80 mm/page_alloc.c:3474
__alloc_pages_noprof+0x223/0x25b0 mm/page_alloc.c:4751
alloc_pages_mpol_noprof+0x2c9/0x610 mm/mempolicy.c:2269
alloc_slab_page mm/slub.c:2423 [inline]
allocate_slab mm/slub.c:2589 [inline]
new_slab+0x2c9/0x410 mm/slub.c:2642
___slab_alloc+0xce2/0x1650 mm/slub.c:3830
__slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3920
__slab_alloc_node mm/slub.c:3995 [inline]
slab_alloc_node mm/slub.c:4156 [inline]
__kmalloc_cache_noprof+0xf6/0x420 mm/slub.c:4324
kmalloc_noprof include/linux/slab.h:901 [inline]
__kthread_create_on_node+0xcb/0x400 kernel/kthread.c:436
kthread_create_on_node+0xc8/0x110 kernel/kthread.c:513
init_rescuer+0x322/0x640 kernel/workqueue.c:5562
__alloc_workqueue+0xc27/0x1810 kernel/workqueue.c:5731
alloc_workqueue+0xd3/0x200 kernel/workqueue.c:5772
nvmet_init+0xd2/0x220 drivers/nvme/target/core.c:1760
do_one_initcall+0x128/0x630 init/main.c:1266
do_initcall_level init/main.c:1328 [inline]
do_initcalls init/main.c:1344 [inline]
do_basic_setup init/main.c:1363 [inline]
kernel_init_freeable+0x58f/0x8b0 init/main.c:1577
page_owner free stack trace missing

Memory state around the buggy address:
ffff88814371a780: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
ffff88814371a800: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
>ffff88814371a880: 00 00 00 00 05 fc fc fc fc fc fc fc fc fc fc fc
^
ffff88814371a900: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
ffff88814371a980: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

[Dmitry Vyukov]

On Wed, 18 Dec 2024 at 08:35, syzbot
<syzbot+a84181...@syzkaller.appspotmail.com> wrote:
>
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: a0e3919a2df2 Merge tag 'usb-6.13-rc3' of git://git.kernel...
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=123cbcdf980000
> kernel config: https://syzkaller.appspot.com/x/.config?x=99a5586995ec03b2
> dashboard link: https://syzkaller.appspot.com/bug?extid=a84181c81389771eb46a
> compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
>
> Unfortunately, I don't have any reproducer for this issue yet.
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/669aa1e15c11/disk-a0e3919a.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/ee966f8b50ac/vmlinux-a0e3919a.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/e872e1d072f1/bzImage-a0e3919a.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+a84181...@syzkaller.appspotmail.com

It looks like 0 termination here is incorrect:
https://elixir.bootlin.com/linux/v6.12.5/source/drivers/nvme/target/fabrics-cmd.c#L245
should be s/NVMF_NQN_FIELD_LEN/NVMF_NQN_SIZE/

> --
> You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bug...@googlegroups.com.
> To view this discussion visit https://groups.google.com/d/msgid/syzkaller-bugs/67627b39.050a0220.29fcd0.0087.GAE%40google.com.

[syzbot]

syzbot has found a reproducer for the following issue on:

HEAD commit: 9b2ffa6148b1 Merge tag 'mtd/fixes-for-6.13-rc5' of git://g..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12a26adf980000
kernel config: https://syzkaller.appspot.com/x/.config?x=c078001e66e4a17e

dashboard link: https://syzkaller.appspot.com/bug?extid=a84181c81389771eb46a
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

syz repro: https://syzkaller.appspot.com/x/repro.syz?x=109800b0580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=162422f8580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/c1d66e09941d/disk-9b2ffa61.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/8aa24ea0a81d/vmlinux-9b2ffa61.xz
kernel image: https://storage.googleapis.com/syzbot-assets/0d9c0b1e880a/bzImage-9b2ffa61.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+a84181...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: slab-out-of-bounds in string_nocheck lib/vsprintf.c:646 [inline]
BUG: KASAN: slab-out-of-bounds in string+0x398/0x3d0 lib/vsprintf.c:728

Read of size 1 at addr ffff8880263c0b25 by task syz-executor329/5823

CPU: 0 UID: 0 PID: 5823 Comm: syz-executor329 Not tainted 6.13.0-rc4-syzkaller-00012-g9b2ffa6148b1 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024

RIP: 0033:0x7f733fa0ca79
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffc342ba758 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f733fa0ca79

RDX: 0000000000189002 RSI: 0000000020000100 RDI: ffffffffffffff9c

RBP: 000000000000fe6f R08: 0000000000000006 R09: 0000000000000006
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffc342ba76c
R13: 431bde82d7b634db R14: 0000000000000001 R15: 0000000000000001
</TASK>

The buggy address belongs to the object at ffff8880263c0b00

which belongs to the cache kmalloc-64 of size 64
The buggy address is located 0 bytes to the right of

allocated 37-byte region [ffff8880263c0b00, ffff8880263c0b25)

The buggy address belongs to the physical page:

page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880263c0300 pfn:0x263c0
flags: 0xfff00000000200(workingset|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000200 ffff88801ac418c0 ffffea0000ba8cd0 ffffea0000a178d0
raw: ffff8880263c0300 000000000020001f 00000001f5000000 0000000000000000

page dumped because: kasan: bad access detected
page_owner tracks the page as allocated

page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 35, tgid 35 (kworker/u8:2), ts 8598107284, free_ts 8552526219
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1558
prep_new_page mm/page_alloc.c:1566 [inline]
get_page_from_freelist+0xfce/0x2f80 mm/page_alloc.c:3476
__alloc_pages_noprof+0x223/0x25b0 mm/page_alloc.c:4753

alloc_pages_mpol_noprof+0x2c9/0x610 mm/mempolicy.c:2269
alloc_slab_page mm/slub.c:2423 [inline]
allocate_slab mm/slub.c:2589 [inline]
new_slab+0x2c9/0x410 mm/slub.c:2642
___slab_alloc+0xce2/0x1650 mm/slub.c:3830
__slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3920
__slab_alloc_node mm/slub.c:3995 [inline]
slab_alloc_node mm/slub.c:4156 [inline]
__kmalloc_cache_noprof+0xf6/0x420 mm/slub.c:4324
kmalloc_noprof include/linux/slab.h:901 [inline]

kzalloc_noprof include/linux/slab.h:1037 [inline]
percpu_ref_init+0xd9/0x400 lib/percpu-refcount.c:76
blk_alloc_queue+0x578/0x710 block/blk-core.c:447
blk_mq_alloc_queue+0x1a6/0x2e0 block/blk-mq.c:4339
scsi_alloc_sdev+0x890/0xd80 drivers/scsi/scsi_scan.c:337
scsi_probe_and_add_lun+0x789/0xda0 drivers/scsi/scsi_scan.c:1210
__scsi_scan_target+0x1ea/0x580 drivers/scsi/scsi_scan.c:1757
scsi_scan_channel drivers/scsi/scsi_scan.c:1845 [inline]
scsi_scan_channel+0x149/0x1e0 drivers/scsi/scsi_scan.c:1821
scsi_scan_host_selected+0x302/0x400 drivers/scsi/scsi_scan.c:1874
page last free pid 57 tgid 57 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1127 [inline]
free_unref_page+0x661/0x1080 mm/page_alloc.c:2659
vfree+0x174/0x950 mm/vmalloc.c:3383
delayed_vfree_work+0x56/0x70 mm/vmalloc.c:3303
process_one_work+0x958/0x1b30 kernel/workqueue.c:3229
process_scheduled_works kernel/workqueue.c:3310 [inline]
worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Memory state around the buggy address:

ffff8880263c0a00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
ffff8880263c0a80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>ffff8880263c0b00: 00 00 00 00 05 fc fc fc fc fc fc fc fc fc fc fc
^
ffff8880263c0b80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
ffff8880263c0c00: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
==================================================================


---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

[Tetsuo Handa]

#syz dup: general protection fault in account_kernel_stack (3)