[syzbot] [fs?] KASAN: global-out-of-bounds Read in number


syzbot

Jan 12, 2025, 1:56:26 PM
to linux-...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 7b4b9bf203da Add linux-next specific files for 20250107
git tree: linux-next
console+strace: https://syzkaller.appspot.com/x/log.txt?x=14246bc4580000
kernel config: https://syzkaller.appspot.com/x/.config?x=63fa2c9d5e12faef
dashboard link: https://syzkaller.appspot.com/bug?extid=fcee6b76cf2e261c51a4
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=174f0a18580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=168aecb0580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/c179cc0c7a3c/disk-7b4b9bf2.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/fdea80f2ec16/vmlinux-7b4b9bf2.xz
kernel image: https://storage.googleapis.com/syzbot-assets/a277fcaff608/bzImage-7b4b9bf2.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/a96fcb87dd70/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+fcee6b...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: global-out-of-bounds in number+0x3be/0xf40 lib/vsprintf.c:494
Read of size 1 at addr ffffffff8c5fc971 by task syz-executor351/5832

CPU: 0 UID: 0 PID: 5832 Comm: syz-executor351 Not tainted 6.13.0-rc6-next-20250107-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0x169/0x550 mm/kasan/report.c:489
kasan_report+0x143/0x180 mm/kasan/report.c:602
number+0x3be/0xf40 lib/vsprintf.c:494
pointer+0x764/0x1210 lib/vsprintf.c:2484
vsnprintf+0x75a/0x1220 lib/vsprintf.c:2846
seq_vprintf fs/seq_file.c:391 [inline]
seq_printf+0x172/0x270 fs/seq_file.c:406
show_partition+0x29f/0x3f0 block/genhd.c:905
seq_read_iter+0x969/0xd70 fs/seq_file.c:272
proc_reg_read_iter+0x1c2/0x290 fs/proc/inode.c:299
copy_splice_read+0x63a/0xb40 fs/splice.c:365
do_splice_read fs/splice.c:985 [inline]
splice_direct_to_actor+0x4af/0xc80 fs/splice.c:1089
do_splice_direct_actor fs/splice.c:1207 [inline]
do_splice_direct+0x289/0x3e0 fs/splice.c:1233
do_sendfile+0x564/0x8a0 fs/read_write.c:1363
__do_sys_sendfile64 fs/read_write.c:1424 [inline]
__se_sys_sendfile64+0x17c/0x1e0 fs/read_write.c:1410
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f3fa8cf4c69
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffd536a0078 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f3fa8cf4c69
RDX: 0000000000000000 RSI: 0000000000000003 RDI: 0000000000000004
RBP: 00007f3fa8d685f0 R08: 000055558679c4c0 R09: 000055558679c4c0
R10: 000000000000023b R11: 0000000000000246 R12: 00007ffd536a00a0
R13: 00007ffd536a02c8 R14: 431bde82d7b634db R15: 00007f3fa8d3d03b
</TASK>

The buggy address belongs to the variable:
hex_asc_upper+0x11/0x40

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xc5fc
flags: 0xfff00000002000(reserved|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000002000 ffffea0000317f08 ffffea0000317f08 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner info is not present (never set?)

Memory state around the buggy address:
ffffffff8c5fc800: 00 03 f9 f9 02 f9 f9 f9 02 f9 f9 f9 00 02 f9 f9
ffffffff8c5fc880: 00 04 f9 f9 00 03 f9 f9 07 f9 f9 f9 00 00 04 f9
>ffffffff8c5fc900: f9 f9 f9 f9 00 00 01 f9 f9 f9 f9 f9 00 00 01 f9
^
ffffffff8c5fc980: f9 f9 f9 f9 00 04 f9 f9 02 f9 f9 f9 01 f9 f9 f9
ffffffff8c5fca00: 00 f9 f9 f9 00 f9 f9 f9 00 04 f9 f9 00 06 f9 f9
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Edward Adam Davis

Jan 13, 2025, 7:21:39 AM
to syzbot+fcee6b...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com

syzbot

Jan 13, 2025, 5:19:04 PM
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

, num: 18446744071600486944, number
[ 408.835872][ T5852] base: 16, num: 18446744071600486960, number
[ 408.842226][ T5852] base: 16, num: 18446744071600487504, number
[ 408.848337][ T5852] base: 16, num: 18446744071600487520, number
[ 408.854579][ T5852] base: 16, num: 18446744071600487968, number
[ 408.860703][ T5852] base: 16, num: 18446744071600487984, number
[ 408.866804][ T5852] base: 16, num: 18446744071600488672, number
[ 408.873033][ T5852] base: 16, num: 18446744071600488688, number
[ 408.879276][ T5852] base: 16, num: 18446744071600489376, number
[ 408.885405][ T5852] base: 16, num: 18446744071600489392, number
[ 408.891529][ T5852] base: 16, num: 18446744071600489760, number
[ 408.897617][ T5852] base: 16, num: 18446744071600489776, number
[ 408.903772][ T5852] base: 16, num: 18446744071600490208, number
[ 408.909902][ T5852] base: 16, num: 18446744071600490224, number
[ 408.916010][ T5852] base: 16, num: 18446744071600490624, number
[ 408.922155][ T5852] base: 16, num: 18446744071600490640, number
[ 408.928317][ T5852] base: 16, num: 18446744071600490992, number
[ 408.934422][ T5852] base: 16, num: 18446744071600491008, number
[ 408.940543][ T5852] base: 16, num: 18446744071600491520, number
[ 408.946599][ T5852] base: 16, num: 18446744071600491536, number
[ 408.952724][ T5852] base: 16, num: 18446744071600491888, number
[ 408.958821][ T5852] base: 16, num: 18446744071600491904, number
[ 408.964988][ T5852] base: 16, num: 18446744071600492464, number
[ 408.971110][ T5852] base: 16, num: 18446744071600492480, number
[ 408.977172][ T5852] base: 16, num: 18446744071600492880, number
[ 408.983291][ T5852] base: 16, num: 18446744071600492896, number
[ 408.989409][ T5852] base: 16, num: 18446744071600493248, number
[ 408.995637][ T5852] base: 16, num: 18446744071600493264, number
[ 409.001743][ T5852] base: 16, num: 18446744071600493680, number
[ 409.007918][ T5852] base: 16, num: 18446744071600493696, number
[ 409.014059][ T5852] base: 16, num: 18446744071600494064, number
[ 409.020180][ T5852] base: 16, num: 18446744071600494080, number
[ 409.026260][ T5852] base: 16, num: 18446744071600494848, number
[ 409.032401][ T5852] base: 16, num: 18446744071600494864, number
[ 409.038486][ T5852] base: 16, num: 18446744071600495376, number
[ 409.044619][ T5852] base: 16, num: 18446744071600495392, number
[ 409.050859][ T5852] base: 16, num: 18446744071600495632, number
[ 409.057027][ T5852] base: 16, num: 18446744071600495648, number
[ 409.063245][ T5852] base: 16, num: 18446744071600495808, number
[ 409.069461][ T5852] base: 16, num: 18446744071600495824, number
[ 409.075525][ T5852] base: 16, num: 18446744071600495872, number
[ 409.081645][ T5852] base: 16, num: 18446744071600495888, number
[ 409.087725][ T5852] base: 16, num: 18446744071600496608, number
[ 409.093839][ T5852] base: 16, num: 18446744071600496624, number
[ 409.100036][ T5852] base: 16, num: 18446744071600497808, number
[ 409.106103][ T5852] base: 16, num: 18446744071600497824, number
[ 409.112215][ T5852] base: 16, num: 18446744071600499200, number
[ 409.118295][ T5852] base: 16, num: 18446744071600499216, number
[ 409.124454][ T5852] base: 16, num: 18446744071600499424, number
[ 409.130582][ T5852] base: 16, num: 18446744071600499440, number
[ 409.136647][ T5852] base: 16, num: 18446744071600500848, number
[ 409.142963][ T5852] base: 16, num: 18446744071600500864, number
[ 409.149304][ T5852] base: 16, num: 18446744071600501168, number
[ 409.155381][ T5852] base: 16, num: 18446744071600501184, number
[ 409.161528][ T5852] base: 16, num: 18446744071600501648, number
[ 409.167613][ T5852] base: 16, num: 18446744071600501664, number
[ 409.173761][ T5852] base: 16, num: 18446744071600501840, number
[ 409.179890][ T5852] base: 16, num: 18446744071600501856, number
[ 409.185987][ T5852] base: 16, num: 18446744071600502256, number
[ 409.192231][ T5852] base: 16, num: 18446744071600502256, number
[ 409.198318][ T5852] base: 16, num: 18446744071600502272, number
[ 409.204454][ T5852] base: 16, num: 18446744071600505440, number
[ 409.210585][ T5852] base: 16, num: 18446744071600505456, number
[ 409.216681][ T5852] base: 16, num: 18446744071600505920, number
[ 409.222793][ T5852] base: 16, num: 18446744071600505936, number
[ 409.228878][ T5852] base: 16, num: 18446744071600507808, number
[ 409.234998][ T5852] base: 16, num: 18446744071600507824, number
[ 409.241127][ T5852] base: 16, num: 18446744071600510096, number
[ 409.247186][ T5852] base: 16, num: 18446744071600510112, number
[ 409.253324][ T5852] base: 16, num: 18446744071600510656, number
[ 409.259452][ T5852] base: 16, num: 18446744071600510672, number
[ 409.265514][ T5852] base: 16, num: 18446744071600510896, number
[ 409.271723][ T5852] base: 16, num: 18446744071600510912, number
[ 409.277808][ T5852] base: 16, num: 18446744071600512928, number
[ 409.284117][ T5852] base: 16, num: 18446744071600512944, number
[ 409.290273][ T5852] base: 16, num: 18446744071600513312, number
[ 409.296436][ T5852] base: 16, num: 18446744071600513328, number
[ 409.302662][ T5852] base: 16, num: 18446744071600513744, number
[ 409.308767][ T5852] base: 16, num: 18446744071600513760, number
[ 409.314901][ T5852] base: 16, num: 18446744071600515424, number
[ 409.321130][ T5852] base: 16, num: 18446744071600515440, number
[ 409.327200][ T5852] base: 16, num: 18446744071600516384, number
[ 409.333306][ T5852] base: 16, num: 18446744071600516400, number
[ 409.339550][ T5852] base: 16, num: 18446744071600516704, number
[ 409.345678][ T5852] base: 16, num: 18446744071600516720, number
[ 409.351814][ T5852] base: 16, num: 18446744071600517280, number
[ 409.357899][ T5852] base: 16, num: 18446744071600517296, number
[ 409.364045][ T5852] base: 16, num: 18446744071600518432, number
[ 409.370242][ T5852] base: 16, num: 18446744071600518448, number
[ 409.376345][ T5852] base: 16, num: 18446744071600518560, number
[ 409.382491][ T5852] base: 16, num: 18446744071600518576, number
[ 409.388747][ T5852] base: 16, num: 18446744071600519280, number
[ 409.394895][ T5852] base: 16, num: 18446744071600519296, number
[ 409.401012][ T5852] base: 16, num: 18446744071600521264, number
[ 409.407071][ T5852] base: 16, num: 18446744071600521280, number
[ 409.413181][ T5852] base: 16, num: 18446744071600521520, number
[ 409.419285][ T5852] base: 16, num: 18446744071600521536, number
[ 409.425513][ T5852] base: 16, num: 18446744071600521872, number
[ 409.431658][ T5852] base: 16, num: 18446744071600521888, number
[ 409.437927][ T5852] base: 16, num: 18446744071600522432, number
[ 409.444084][ T5852] base: 16, num: 18446744071600522448, number
[ 409.450212][ T5852] base: 16, num: 18446744071600532560, number
[ 409.456353][ T5852] base: 16, num: 18446744071600532576, number
[ 409.462554][ T5852] base: 16, num: 18446744071600535344, number
[ 409.468642][ T5852] base: 16, num: 18446744071600535360, number
[ 409.474798][ T5852] base: 16, num: 18446744071600535920, number
[ 409.480974][ T5852] base: 16, num: 18446744071600535936, number
[ 409.487247][ T5852] base: 16, num: 18446744071600536480, number
[ 409.493407][ T5852] base: 16, num: 18446744071600536496, number
[ 409.499543][ T5852] base: 16, num: 18446744071600536928, number
[ 409.505786][ T5852] base: 16, num: 18446744071600536944, number
[ 409.511917][ T5852] base: 16, num: 18446744071600537536, number
[ 409.518002][ T5852] base: 16, num: 18446744071600537552, number
[ 409.524135][ T5852] base: 16, num: 18446744071600538096, number
[ 409.530291][ T5852] base: 16, num: 18446744071600538112, number
[ 409.536354][ T5852] base: 16, num: 18446744071600539200, number
[ 409.542457][ T5852] base: 16, num: 18446744071600539216, number
[ 409.548539][ T5852] base: 16, num: 18446744071600539760, number
[ 409.554688][ T5852] base: 16, num: 18446744071600539776, number
[ 409.560818][ T5852] base: 16, num: 18446744071600543040, number
[ 409.566965][ T5852] base: 16, num: 18446744071600543056, number
[ 409.573129][ T5852] base: 16, num: 18446744071600545200, number
[ 409.579340][ T5852] base: 16, num: 18446744071600545216, number
[ 409.585432][ T5852] base: 16, num: 18446744071600545680, number
[ 409.591582][ T5852] base: 16, num: 18446744071600545696, number
[ 409.597668][ T5852] base: 16, num: 18446744071600553392, number
[ 409.603999][ T5852] base: 16, num: 18446744071600553408, number
[ 409.610168][ T5852] base: 16, num: 18446744071600554496, number
[ 409.616289][ T5852] base: 16, num: 18446744071600554512, number
[ 409.622502][ T5852] base: 16, num: 18446744071600555136, number
[ 409.628606][ T5852] base: 16, num: 18446744071600555152, number
[ 409.634739][ T5852] base: 16, num: 18446744071600555696, number
[ 409.640860][ T5852] base: 16, num: 18446744071600555712, number
[ 409.647089][ T5852] base: 16, num: 18446744071600556752, number
[ 409.653211][ T5852] base: 16, num: 18446744071600556768, number
[ 409.659350][ T5852] base: 16, num: 18446744071600557728, number
[ 409.665417][ T5852] base: 16, num: 18446744071600557744, number
[ 409.671585][ T5852] base: 16, num: 18446744071600558288, number
[ 409.677692][ T5852] base: 16, num: 18446744071600558304, number
[ 409.683857][ T5852] base: 16, num: 18446744071600577072, number
[ 409.691846][ T5852] base: 16, num: 18446744071600577088, number
[ 409.698087][ T5852] base: 16, num: 18446744071600577632, number
[ 409.705293][ T5852] base: 16, num: 18446744071600577648, number
[ 409.711451][ T5852] base: 16, num: 18446744071600577856, number
[ 409.717531][ T5852] base: 16, num: 18446744071600577872, number
[ 409.723654][ T5852] base: 16, num: 18446744071600579264, number
[ 409.729781][ T5852] base: 16, num: 18446744071600579280, number
[ 409.735886][ T5852] base: 16, num: 18446744071600579840, number
[ 409.742029][ T5852] base: 16, num: 18446744071600579856, number
[ 409.748114][ T5852] base: 16, num: 18446744071600580400, number
[ 409.754280][ T5852] base: 16, num: 18446744071600580416, number
[ 409.760523][ T5852] base: 16, num: 18446744071600580976, number
[ 409.766590][ T5852] base: 16, num: 18446744071600580992, number
[ 409.772911][ T5852] base: 16, num: 18446744071600580992, number
[ 409.779088][ T5852] base: 16, num: 18446744071600582528, number
[ 409.785235][ T5852] base: 16, num: 18446744071600582544, number
[ 409.791436][ T5852] base: 16, num: 18446744071600582608, number
[ 409.797530][ T5852] base: 16, num: 18446744071600582624, number
[ 409.803676][ T5852] base: 16, num: 18446744071600583168, number
[ 409.809817][ T5852] base: 16, num: 18446744071600583184, number
[ 409.815965][ T5852] base: 16, num: 18446744071600583664, number
[ 409.822122][ T5852] base: 16, num: 18446744071600583680, number
[ 409.828212][ T5852] base: 16, num: 18446744071600584064, number
[ 409.834345][ T5852] base: 16, num: 18446744071600584080, number
[ 409.840472][ T5852] base: 16, num: 18446744071600587104, number
[ 409.846543][ T5852] base: 16, num: 18446744071600587120, number
[ 409.852686][ T5852] base: 16, num: 18446744071600590064, number
[ 409.858773][ T5852] base: 16, num: 18446744071600590080, number
[ 409.864927][ T5852] base: 16, num: 18446744071600590624, number
[ 409.871077][ T5852] base: 16, num: 18446744071600590640, number
[ 409.877150][ T5852] base: 16, num: 18446744071600598944, number
[ 409.883271][ T5852] base: 16, num: 18446744071600598960, number
[ 409.889413][ T5852] base: 16, num: 18446744071600600016, number
[ 409.895477][ T5852] base: 16, num: 18446744071600600032, number
[ 409.901584][ T5852] base: 16, num: 18446744071600600352, number
[ 409.907664][ T5852] base: 16, num: 18446744071600600368, number
[ 409.913795][ T5852] base: 16, num: 18446744071600601104, number
[ 409.919909][ T5852] base: 16, num: 18446744071600601120, number
[ 409.925985][ T5852] base: 16, num: 18446744071600601664, number
[ 409.932120][ T5852] base: 16, num: 18446744071600601680, number
[ 409.938207][ T5852] base: 16, num: 18446744071600602048, number
[ 409.944334][ T5852] base: 16, num: 18446744071600602064, number
[ 409.950445][ T5852] base: 16, num: 18446744071600603312, number
[ 409.956712][ T5852] base: 16, num: 18446744071600603328, number
[ 409.962970][ T5852] base: 16, num: 18446744071600605456, number
[ 409.969129][ T5852] base: 16, num: 18446744071600605472, number
[ 409.975350][ T5852] base: 16, num: 18446744071600606288, number
[ 409.981614][ T5852] base: 16, num: 18446744071600606304, number
[ 409.987884][ T5852] base: 16, num: 18446744071600606848, number
[ 409.994047][ T5852] base: 16, num: 18446744071600606864, number
[ 410.000347][ T5852] base: 16, num: 18446744071600607392, number
[ 410.006536][ T5852] base: 16, num: 18446744071600607408, number
[ 410.012767][ T5852] base: 16, num: 18446744071600607952, number
[ 410.019146][ T5852] base: 16, num: 18446744071600607968, number
[ 410.025407][ T5852] base: 16, num: 18446744071600608240, number
[ 410.031535][ T5852] base: 16, num: 18446744071600608256, number
[ 410.037639][ T5852] base: 16, num: 18446744071600608816, number
[ 410.043791][ T5852] base: 16, num: 18446744071600608832, number
[ 410.049924][ T5852] base: 16, num: 18446744071600609392, number
[ 410.056002][ T5852] base: 16, num: 18446744071600609408, number
[ 410.062144][ T5852] base: 16, num: 18446744071600610048, number


syzkaller build log:
go env (err=<nil>)
GO111MODULE='auto'
GOARCH='amd64'
GOBIN=''
GOCACHE='/syzkaller/.cache/go-build'
GOENV='/syzkaller/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/syzkaller/jobs-2/linux/gopath/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/syzkaller/jobs-2/linux/gopath'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.22.7'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD='/syzkaller/jobs-2/linux/gopath/src/github.com/google/syzkaller/go.mod'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build2029080981=/tmp/go-build -gno-record-gcc-switches'

git status (err=<nil>)
HEAD detached at 6dbc6a9bc
nothing to commit, working tree clean


tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
go fmt ./sys/... >/dev/null
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=6dbc6a9bc76e06852841ed5c5bdbb78409b17f53 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20250110-142744'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
mkdir -p ./bin/linux_amd64
g++ -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -std=c++17 -I. -Iexecutor/_include -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"6dbc6a9bc76e06852841ed5c5bdbb78409b17f53\"
/usr/bin/ld: /tmp/ccMSRdBJ.o: in function `Connection::Connect(char const*, char const*)':
executor.cc:(.text._ZN10Connection7ConnectEPKcS1_[_ZN10Connection7ConnectEPKcS1_]+0x104): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=145eca18580000


Tested on:

commit: f333279e printf: base is too large ?
git tree: https://github.com/ea1davis/linux lib/syz
kernel config: https://syzkaller.appspot.com/x/.config?x=e01787b160d01f1
dashboard link: https://syzkaller.appspot.com/bug?extid=fcee6b76cf2e261c51a4
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40

Note: no patches were applied.

Edward Adam Davis

Jan 13, 2025, 8:05:30 PM
to syzbot+fcee6b...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com

Edward Adam Davis

Jan 13, 2025, 8:31:04 PM
to syzbot+fcee6b...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com

syzbot

Jan 13, 2025, 8:38:04 PM
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+fcee6b...@syzkaller.appspotmail.com
Tested-by: syzbot+fcee6b...@syzkaller.appspotmail.com

Tested on:

commit: ff395cea printf: part no is too large
console output: https://syzkaller.appspot.com/x/log.txt?x=10149bc4580000
kernel config: https://syzkaller.appspot.com/x/.config?x=e01787b160d01f1
dashboard link: https://syzkaller.appspot.com/bug?extid=fcee6b76cf2e261c51a4
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40

Note: no patches were applied.
Note: testing is done by a robot and is best-effort only.

syzbot

Jan 13, 2025, 9:13:05 PM
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+fcee6b...@syzkaller.appspotmail.com
Tested-by: syzbot+fcee6b...@syzkaller.appspotmail.com

Tested on:

commit: 1eb96728 printf: part no is too large
console output: https://syzkaller.appspot.com/x/log.txt?x=1046fef8580000

Edward Adam Davis

Jan 13, 2025, 9:28:28 PM
to syzbot+fcee6b...@syzkaller.appspotmail.com, ax...@kernel.dk, linux...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
syzbot reported a global-out-of-bounds in number. [1]

Corrupted partno causes out-of-bounds access when accessing the hex_asc_upper
array.

To avoid this issue, skip partitions with partno greater than DISK_MAX_PARTS.

[1]
Reported-by: syzbot+fcee6b...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=fcee6b76cf2e261c51a4
Tested-by: syzbot+fcee6b...@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <ead...@qq.com>
---
block/genhd.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/block/genhd.c b/block/genhd.c
index 9130e163e191..8d539a4a3b37 100644
--- a/block/genhd.c
+++ b/block/genhd.c
@@ -890,7 +890,9 @@ static int show_partition(struct seq_file *seqf, void *v)

rcu_read_lock();
xa_for_each(&sgp->part_tbl, idx, part) {
- if (!bdev_nr_sectors(part))
+ int partno = bdev_partno(part);
+
+ if (!bdev_nr_sectors(part) || partno >= DISK_MAX_PARTS)
continue;
seq_printf(seqf, "%4d %7d %10llu %pg\n",
MAJOR(part->bd_dev), MINOR(part->bd_dev),
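Review bot: the added `partno >= DISK_MAX_PARTS` test in the `if` cannot be what stops the KASAN read, and the commit message does not match it. Christoph Hellwig's reply in this thread points out that `bdev_partno()` masks `__bd_flags` with BD_PARTNO (255) while DISK_MAX_PARTS is 256, so the condition is never true and the hunk changes no behaviour; syzbot's bisection attributes the report to the vsnprintf commit that collapsed the number format state, which is where a fix belongs. The faulting address hex_asc_upper+0x11 is digit index 17 into a 16-digit table, which a correctly masked hex digit (0..15) can never produce, so the suspicion belongs on the formatting code's base and mask, not on the partition table. Separately, the message says "partno greater than DISK_MAX_PARTS" while the code tests `>=`; make the two agree.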
--
2.47.0

syzbot

Jan 14, 2025, 12:29:04 AM
to adob...@gmail.com, ak...@linux-foundation.org, andriy.s...@linux.intel.com, ax...@kernel.dk, bra...@kernel.org, ead...@qq.com, kirill....@linux.intel.com, linux...@vger.kernel.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, li...@rasmusvillemoes.dk, pml...@suse.com, rick.p.e...@intel.com, ros...@goodmis.org, senoz...@chromium.org, syzkall...@googlegroups.com, torv...@linux-foundation.org, vi...@zeniv.linux.org.uk, zhouch...@bytedance.com
syzbot has bisected this issue to:

commit 8d4826cc8a8aca01a3b5e95438dfc0eb3bd589ab
Author: Linus Torvalds <torv...@linux-foundation.org>
Date: Thu Dec 19 21:52:53 2024 +0000

vsnprintf: collapse the number format state into one single state

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=16342a18580000
start commit: 7b4b9bf203da Add linux-next specific files for 20250107
git tree: linux-next
final oops: https://syzkaller.appspot.com/x/report.txt?x=15342a18580000
console output: https://syzkaller.appspot.com/x/log.txt?x=11342a18580000
Reported-by: syzbot+fcee6b...@syzkaller.appspotmail.com
Fixes: 8d4826cc8a8a ("vsnprintf: collapse the number format state into one single state")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection

Hannes Reinecke

Jan 14, 2025, 3:32:09 AM
to Edward Adam Davis, syzbot+fcee6b...@syzkaller.appspotmail.com, ax...@kernel.dk, linux...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Maybe a warning is in order; when we are hitting this issue it means
that linux has a limitation on causing it to ignore the (otherwise
valid) partition entry.

Otherwise looks good.

Cheers,

Hannes
--
Dr. Hannes Reinecke Kernel Storage Architect
ha...@suse.de +49 911 74053 688
SUSE Software Solutions GmbH, Frankenstr. 146, 90461 Nürnberg
HRB 36809 (AG Nürnberg), GF: I. Totev, A. McDonald, W. Knoblich

Edward Adam Davis

Jan 14, 2025, 3:57:32 AM
to ha...@suse.de, ax...@kernel.dk, ead...@qq.com, linux...@vger.kernel.org, linux-...@vger.kernel.org, syzbot+fcee6b...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
Signed-off-by: Edward Adam Davis <ead...@qq.com>
---
V1 -> V2: Add a warning

block/genhd.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/block/genhd.c b/block/genhd.c
index 9130e163e191..8d539a4a3b37 100644
--- a/block/genhd.c
+++ b/block/genhd.c
@@ -890,7 +890,9 @@ static int show_partition(struct seq_file *seqf, void *v)

rcu_read_lock();
xa_for_each(&sgp->part_tbl, idx, part) {
- if (!bdev_nr_sectors(part))
+ int partno = bdev_partno(part);
+
+ if (!bdev_nr_sectors(part) || WARN_ON(partno >= DISK_MAX_PARTS))
continue;
seq_printf(seqf, "%4d %7d %10llu %pg\n",
MAJOR(part->bd_dev), MINOR(part->bd_dev),
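Review bot: `WARN_ON()` embedded in the loop's `if` condition will emit a full stack dump for every matching entry on every read of /proc/partitions; `WARN_ON_ONCE()` on its own line, with the skip as a separate `if`, is the conventional form. Also the `index 9130e163e191..8d539a4a3b37` line is byte-for-byte the same as in v1 although the `+` line now differs, and two different post-images cannot share a blob id, so this diff was edited by hand rather than regenerated; regenerate it with git format-patch so the index line is trustworthy.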
--
2.47.0

Jens Axboe

Jan 14, 2025, 9:16:35 AM
to Edward Adam Davis, ha...@suse.de, linux...@vger.kernel.org, linux-...@vger.kernel.org, syzbot+fcee6b...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
On 1/14/25 1:51 AM, Edward Adam Davis wrote:
> diff --git a/block/genhd.c b/block/genhd.c
> index 9130e163e191..8d539a4a3b37 100644
> --- a/block/genhd.c
> +++ b/block/genhd.c
> @@ -890,7 +890,9 @@ static int show_partition(struct seq_file *seqf, void *v)
>
> rcu_read_lock();
> xa_for_each(&sgp->part_tbl, idx, part) {
> - if (!bdev_nr_sectors(part))
> + int partno = bdev_partno(part);
> +
> + if (!bdev_nr_sectors(part) || WARN_ON(partno >= DISK_MAX_PARTS))
> continue;
> seq_printf(seqf, "%4d %7d %10llu %pg\n",
> MAJOR(part->bd_dev), MINOR(part->bd_dev),

This should be a WARN_ON_ONCE(), and please put warn-on's on a separate
line.

--
Jens Axboe

Edward Adam Davis

Jan 14, 2025, 9:58:56 AM
to ax...@kernel.dk, ead...@qq.com, ha...@suse.de, linux...@vger.kernel.org, linux-...@vger.kernel.org, syzbot+fcee6b...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
V2 -> V3: replace with WARN_ON_ONCE on a separate line

block/genhd.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/block/genhd.c b/block/genhd.c
index 9130e163e191..3a9c36ad6bbd 100644
--- a/block/genhd.c
+++ b/block/genhd.c
@@ -890,6 +890,9 @@ static int show_partition(struct seq_file *seqf, void *v)

rcu_read_lock();
xa_for_each(&sgp->part_tbl, idx, part) {
+ int partno = bdev_partno(part);
+
+ WARN_ON_ONCE(partno >= DISK_MAX_PARTS);
if (!bdev_nr_sectors(part))
continue;
seq_printf(seqf, "%4d %7d %10llu %pg\n",
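Review bot: `WARN_ON_ONCE(partno >= DISK_MAX_PARTS);` on its own line no longer skips the entry: when the condition holds the loop warns and then falls through to the same `seq_printf()` with the `%pg` argument that produced the KASAN report, so v3 drops the only behavioural change v1 and v2 carried. Because `WARN_ON_ONCE()` evaluates to the condition on every call, `if (WARN_ON_ONCE(partno >= DISK_MAX_PARTS)) continue;` warns once, still skips, and keeps the warning on its own line.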
--
2.47.0

Jens Axboe

Jan 14, 2025, 10:02:19 AM
to Edward Adam Davis, ha...@suse.de, linux...@vger.kernel.org, linux-...@vger.kernel.org, syzbot+fcee6b...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
On 1/14/25 7:58 AM, Edward Adam Davis wrote:
> diff --git a/block/genhd.c b/block/genhd.c
> index 9130e163e191..3a9c36ad6bbd 100644
> --- a/block/genhd.c
> +++ b/block/genhd.c
> @@ -890,6 +890,9 @@ static int show_partition(struct seq_file *seqf, void *v)
>
> rcu_read_lock();
> xa_for_each(&sgp->part_tbl, idx, part) {
> + int partno = bdev_partno(part);
> +
> + WARN_ON_ONCE(partno >= DISK_MAX_PARTS);
> if (!bdev_nr_sectors(part))
> continue;
> seq_printf(seqf, "%4d %7d %10llu %pg\n",

Surely you still want to continue for that condition?

--
Jens Axboe

Edward Adam Davis

Jan 14, 2025, 10:21:36 AM
to ax...@kernel.dk, ead...@qq.com, ha...@suse.de, linux...@vger.kernel.org, linux-...@vger.kernel.org, syzbot+fcee6b...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
No.
But like following, ok?
diff --git a/block/genhd.c b/block/genhd.c
index 9130e163e191..142b13620f0c 100644
--- a/block/genhd.c
+++ b/block/genhd.c
@@ -890,7 +890,10 @@ static int show_partition(struct seq_file *seqf, void *v)

rcu_read_lock();
xa_for_each(&sgp->part_tbl, idx, part) {
- if (!bdev_nr_sectors(part))
+ int partno = bdev_partno(part);
+
+ WARN_ON_ONCE(partno >= DISK_MAX_PARTS);
+ if (!bdev_nr_sectors(part) || partno >= DISK_MAX_PARTS)
continue;
seq_printf(seqf, "%4d %7d %10llu %pg\n",
MAJOR(part->bd_dev), MINOR(part->bd_dev),
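Review bot: `partno >= DISK_MAX_PARTS` is now evaluated twice, once inside `WARN_ON_ONCE()` and again in the `if` on the next line. `WARN_ON_ONCE()` returns the condition's value each time it is called and only rate-limits the warning, so `if (WARN_ON_ONCE(partno >= DISK_MAX_PARTS)) continue;` expresses the same thing once while keeping the warning on its own line. This inline diff also carries no changelog or Signed-off-by, which is fine for a proposal but needed if it is resent as a version.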

Jens Axboe

Jan 14, 2025, 10:25:17 AM
to Edward Adam Davis, ha...@suse.de, linux...@vger.kernel.org, linux-...@vger.kernel.org, syzbot+fcee6b...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
On 1/14/25 8:15 AM, Edward Adam Davis wrote:
> On Tue, 14 Jan 2025 08:02:15 -0700, Jens Axboe wrote:
>>> diff --git a/block/genhd.c b/block/genhd.c
>>> index 9130e163e191..3a9c36ad6bbd 100644
>>> --- a/block/genhd.c
>>> +++ b/block/genhd.c
>>> @@ -890,6 +890,9 @@ static int show_partition(struct seq_file *seqf, void *v)
>>>
>>> rcu_read_lock();
>>> xa_for_each(&sgp->part_tbl, idx, part) {
>>> + int partno = bdev_partno(part);
>>> +
>>> + WARN_ON_ONCE(partno >= DISK_MAX_PARTS);
>>> if (!bdev_nr_sectors(part))
>>> continue;
>>> seq_printf(seqf, "%4d %7d %10llu %pg\n",
>>
>> Surely you still want to continue for that condition?
> No.

No?

> But like following, ok?
> diff --git a/block/genhd.c b/block/genhd.c
> index 9130e163e191..142b13620f0c 100644
> --- a/block/genhd.c
> +++ b/block/genhd.c
> @@ -890,7 +890,10 @@ static int show_partition(struct seq_file *seqf, void *v)
>
> rcu_read_lock();
> xa_for_each(&sgp->part_tbl, idx, part) {
> - if (!bdev_nr_sectors(part))
> + int partno = bdev_partno(part);
> +
> + WARN_ON_ONCE(partno >= DISK_MAX_PARTS);
> + if (!bdev_nr_sectors(part) || partno >= DISK_MAX_PARTS)
> continue;
> seq_printf(seqf, "%4d %7d %10llu %pg\n",
> MAJOR(part->bd_dev), MINOR(part->bd_dev),

That's just silly...

xa_for_each(&sgp->part_tbl, idx, part) {
int partno = bdev_partno(part);

if (!bdev_nr_sectors(part))
continue;
if (WARN_ON_ONCE(partno >= DISK_MAX_PARTS))
continue;

...
}

--
Jens Axboe

Edward Adam Davis

Jan 14, 2025, 10:35:02 AM
to ax...@kernel.dk, ead...@qq.com, ha...@suse.de, linux...@vger.kernel.org, linux-...@vger.kernel.org, syzbot+fcee6b...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
V3 -> V4: add continue

block/genhd.c | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/block/genhd.c b/block/genhd.c
index 9130e163e191..a9a1d5a429aa 100644
--- a/block/genhd.c
+++ b/block/genhd.c
@@ -890,8 +890,12 @@ static int show_partition(struct seq_file *seqf, void *v)

rcu_read_lock();
xa_for_each(&sgp->part_tbl, idx, part) {
+ int partno = bdev_partno(part);
+
if (!bdev_nr_sectors(part))
continue;
+ if (WARN_ON_ONCE(partno >= DISK_MAX_PARTS))
+ continue;
seq_printf(seqf, "%4d %7d %10llu %pg\n",
MAJOR(part->bd_dev), MINOR(part->bd_dev),
bdev_nr_sectors(part) >> 1, part);
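Review bot: the `if (WARN_ON_ONCE(partno >= DISK_MAX_PARTS))` check added here cannot fire, so it is dead code rather than a fix: as Christoph Hellwig notes in this thread, `bdev_partno()` masks with BD_PARTNO (255) and DISK_MAX_PARTS is 256, so `partno` is at most 255. A warning that can never trigger gives no signal for the bug syzbot bisected to the vsnprintf number-state commit; a check or test next to the `%pg` handling in lib/vsprintf.c would. The structure itself (partno computed at the top of the loop, the two skips on separate lines) matches what the maintainer asked for, and the diffstat of 4 insertions agrees with the hunk.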
--
2.47.0

Edward Adam Davis

Jan 14, 2025, 11:22:12 AM
to ax...@kernel.dk, ead...@qq.com, ha...@suse.de, linux...@vger.kernel.org, linux-...@vger.kernel.org, syzbot+fcee6b...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
I checked WARN_ON_ONCE(), and when the condition is met, the subsequent
WARN_ON_ONCE() will still return true, so adding it will not affect the
judgment of the condition.
It just issues a warning the first time the condition is met, and it will
still return true if the condition is true.
>
> xa_for_each(&sgp->part_tbl, idx, part) {
> int partno = bdev_partno(part);
>
> if (!bdev_nr_sectors(part))
> continue;
> if (WARN_ON_ONCE(partno >= DISK_MAX_PARTS))
> continue;
>
> ...
> }

Edward
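Edward's reading of `WARN_ON_ONCE()` above (it warns only the first time, but evaluates to the condition every time) is the property that makes Jens's `if (WARN_ON_ONCE(...)) continue;` form work. The following is an added example, not code from the thread or from the kernel: a user-space model of that macro and of the show_partition() filtering loop, run over a constructed partition table so the counts can be checked. `MODEL_WARN_ON_ONCE`, `model_show_partition`, the struct names and the sample entries are all assumed for illustration.

```c
#include <stdio.h>
#include <stddef.h>
#include <stdbool.h>

/* Added example, not kernel code: a user-space model of the
 * `if (WARN_ON_ONCE(cond)) continue;` idiom discussed in the thread.
 * DISK_MAX_PARTS matches the value Christoph Hellwig states in the thread. */
#define DISK_MAX_PARTS 256

static int warn_count;   /* how many warnings the model actually printed */

/* Model of the kernel macro: one static flag per call site, so the warning is
 * printed once, but the expression still yields the condition on every call. */
#define MODEL_WARN_ON_ONCE(cond) ({                                     \
        static bool warned_once;                                        \
        bool cond_val = !!(cond);                                       \
        if (cond_val && !warned_once) {                                 \
                warned_once = true;                                     \
                warn_count++;                                           \
                fprintf(stderr, "WARNING: %s at line %d\n", #cond, __LINE__); \
        }                                                               \
        cond_val;                                                       \
})

/* Constructed stand-in for the fields show_partition() looks at. */
struct model_part {
        unsigned long long nr_sectors;
        int partno;
};

struct model_stats {
        int printed;           /* entries that reached the seq_printf() step */
        int skipped_empty;     /* skipped because nr_sectors == 0 */
        int skipped_oversize;  /* skipped by the WARN_ON_ONCE() gate */
};

/* Model of the loop body from the v5 hunk: empty entries are skipped
 * silently, out-of-range partition numbers are warned about once and
 * skipped every time. */
static struct model_stats model_show_partition(const struct model_part *parts,
                                               size_t n)
{
        struct model_stats st = { 0, 0, 0 };

        for (size_t i = 0; i < n; i++) {
                int partno = parts[i].partno;

                if (!parts[i].nr_sectors) {
                        st.skipped_empty++;
                        continue;
                }
                if (MODEL_WARN_ON_ONCE(partno >= DISK_MAX_PARTS)) {
                        st.skipped_oversize++;
                        continue;
                }
                st.printed++;   /* the kernel would seq_printf() here */
        }
        return st;
}

/* Constructed sample table: one normal entry, one empty entry, and two
 * entries with deliberately out-of-range partition numbers. */
static const struct model_part sample_parts[] = {
        { 2048, 1 }, { 0, 2 }, { 4096, 300 }, { 4096, 5 }, { 4096, 999 },
};
#define SAMPLE_PARTS_LEN (sizeof sample_parts / sizeof sample_parts[0])

static struct model_stats run_sample(void)
{
        return model_show_partition(sample_parts, SAMPLE_PARTS_LEN);
}

int main(void)
{
        for (int pass = 1; pass <= 2; pass++) {
                struct model_stats st = run_sample();

                printf("pass %d: printed=%d empty=%d oversize=%d warnings so far=%d\n",
                       pass, st.printed, st.skipped_empty, st.skipped_oversize,
                       warn_count);
        }
        return 0;
}
```

Running the sample twice shows the point Edward makes: both passes skip both oversize entries, but only the first pass adds a warning, because the static flag inside the macro persists across calls.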

Christoph Hellwig

Jan 15, 2025, 1:46:23 AM
to Jens Axboe, Edward Adam Davis, ha...@suse.de, linux...@vger.kernel.org, linux-...@vger.kernel.org, syzbot+fcee6b...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
Ummm...

DISK_MAX_PARTS is 256.

bdev_partno reads from bdev->__bd_flags and masks out BD_PARTNO,
which is 255.

In other words we should never be able to get a value bigger than 255
from bdev_partno, so something is really fishy here that a WARN_ON in
the show function won't help with.

Also the fact that the low-level printf code trips over an 8-bit integer
sounds wrong, and if it does for something not caused by say a use
after free higher up we've got another deep problem there.

All of that has nothing to do with show_partition, though.
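As an added example, not code from the thread or from the kernel, the following user-space model shows the two arithmetic facts behind this exchange: the base-8/16 digit loop in number() indexes the 16-digit hex_asc_upper table with `num & (base - 1)`, so the report's hex_asc_upper+0x11 is digit index 17, which a correct mask of 0xf can never produce; and a partition number masked to 8 bits, as Christoph describes for bdev_partno(), can never reach DISK_MAX_PARTS, so the check in the posted patches is dead. Which base value the kernel actually passed is not established in the thread; the base-0 case below is an assumed scenario, and all function names are assumptions.

```c
#include <stdio.h>
#include <stddef.h>

/* Added example, not kernel code. A user-space model of the digit loop in
 * number() (lib/vsprintf.c) that refuses an out-of-range table index instead
 * of reading it, plus a model of the bdev_partno() mask described in the
 * thread. The table contents match the kernel's hex_asc_upper; everything
 * else (names, the "bad base" scenario) is assumed for illustration. */

/* The kernel table is the 16 hex digits plus a NUL: 17 bytes in total. */
static const char hex_asc_upper[] = "0123456789ABCDEF";
#define HEX_DIGITS 16                 /* valid digit indices: 0..15 */

/* Thread facts: bdev_partno() masks __bd_flags with BD_PARTNO (255) and
 * DISK_MAX_PARTS is 256. The numeric values below follow that description. */
#define BD_PARTNO      0xffUL
#define DISK_MAX_PARTS 256

/*
 * Model of number()'s inner loop for base 8 and 16 only (base 10 takes a
 * different path in the kernel): mask = base - 1, one digit per shift.
 * Returns the number of digits written (least significant first, as the
 * kernel builds them before reversing), or -1 if a digit index would leave
 * the table; then *bad_index receives the offending index, which is the
 * offset KASAN would report relative to hex_asc_upper.
 */
static int model_number_digits(unsigned long long num, unsigned int base,
                               char *out, size_t out_len,
                               unsigned int *bad_index)
{
        unsigned int mask = base - 1;   /* wraps to 0xffffffff when base == 0 */
        int shift = (base == 16) ? 4 : 3;
        size_t i = 0;

        do {
                unsigned int idx = (unsigned char)num & mask;

                if (idx >= HEX_DIGITS) {        /* the kernel loop has no such check */
                        if (bad_index)
                                *bad_index = idx;
                        return -1;
                }
                if (i >= out_len)
                        return -1;
                out[i++] = hex_asc_upper[idx];
                num >>= shift;
        } while (num);
        return (int)i;
}

/* Model of bdev_partno(): the partition number is the low byte of the flags. */
static unsigned int model_bdev_partno(unsigned long bd_flags)
{
        return (unsigned int)(bd_flags & BD_PARTNO);
}

/* 1 if any flags value could satisfy partno >= DISK_MAX_PARTS, else 0. */
static int partno_check_reachable(void)
{
        return model_bdev_partno(~0UL) >= DISK_MAX_PARTS;
}

int main(void)
{
        char digits[32];
        unsigned int bad = 0;
        int n;

        /* Constructed input: partition number 17, the value behind the
         * report's hex_asc_upper+0x11 (0x11 == 17). With base 16 it formats
         * fine: two digits, both '1'. */
        n = model_number_digits(17, 16, digits, sizeof digits, &bad);
        printf("base 16: %d digits (lsd first): %.*s\n", n, n, digits);

        /* Assumed failure scenario: a base the loop was not written for
         * widens the mask beyond 4 bits, so the raw value becomes the index. */
        n = model_number_digits(17, 0, digits, sizeof digits, &bad);
        printf("base 0: result %d, offending table index 0x%x\n", n, bad);

        printf("largest partno the mask allows: %u, check reachable: %d\n",
               model_bdev_partno(~0UL), partno_check_reachable());
        return 0;
}
```

The model makes the offset in the report reproducible as arithmetic: an index of 17 can only come out of `num & mask` when `mask` is wider than the four bits a hex digit needs, which is why the bisection landing in vsnprintf is consistent with the symptom while the partition-number range is not.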

syzbot

Jun 20, 2025, 10:54:17 AM
to syzkall...@googlegroups.com
Auto-closing this bug as obsolete.
No recent activity, existing reproducers are no longer triggering the issue.