[moderation] [sound?] KASAN: vmalloc-out-of-bounds Write in copy_play_buf (2)
0 views
Skip to first unread message
syzbot
Jul 22, 2025, 5:47:36 AMJul 22
to syzkaller-upst...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 6832a9317eee Merge tag 'net-6.16-rc7' of git://git.kernel...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=122eb382580000
kernel config: https://syzkaller.appspot.com/x/.config?x=12b5044868deb866
dashboard link: https://syzkaller.appspot.com/bug?extid=106e20fd3577589caea7
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
CC: [linux-...@vger.kernel.org linux...@vger.kernel.org pe...@perex.cz ti...@suse.com]
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/b3124f35f69c/disk-6832a931.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/750eef79ff8a/vmlinux-6832a931.xz
kernel image: https://storage.googleapis.com/syzbot-assets/7fac9df0ac84/bzImage-6832a931.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+106e20...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: vmalloc-out-of-bounds in copy_play_buf+0x528/0xa70 sound/drivers/aloop.c:603
Write of size 128 at addr ffffc9001ecc1000 by task swapper/0/0
CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.16.0-rc6-syzkaller-00121-g6832a9317eee #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call Trace:
<IRQ>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x230 mm/kasan/report.c:480
kasan_report+0x118/0x150 mm/kasan/report.c:593
check_region_inline mm/kasan/generic.c:-1 [inline]
kasan_check_range+0x2b0/0x2c0 mm/kasan/generic.c:189
__asan_memcpy+0x40/0x70 mm/kasan/shadow.c:106
copy_play_buf+0x528/0xa70 sound/drivers/aloop.c:603
loopback_jiffies_timer_pos_update+0xc0f/0x1350 sound/drivers/aloop.c:693
loopback_jiffies_timer_function+0x62/0x250 sound/drivers/aloop.c:706
call_timer_fn+0x17e/0x5f0 kernel/time/timer.c:1747
expire_timers kernel/time/timer.c:1798 [inline]
__run_timers kernel/time/timer.c:2372 [inline]
__run_timer_base+0x61a/0x860 kernel/time/timer.c:2384
run_timer_base kernel/time/timer.c:2393 [inline]
run_timer_softirq+0xb7/0x180 kernel/time/timer.c:2403
handle_softirqs+0x286/0x870 kernel/softirq.c:579
__do_softirq kernel/softirq.c:613 [inline]
invoke_softirq kernel/softirq.c:453 [inline]
__irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:680
irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1050
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:pv_native_safe_halt+0x13/0x20 arch/x86/kernel/paravirt.c:82
Code: 3e bc a2 f5 cc cc cc 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 66 90 0f 00 2d d3 ad 1a 00 f3 0f 1e fa fb f4 <e9> 13 bc a2 f5 cc cc cc cc cc cc cc cc 90 90 90 90 90 90 90 90 90
RSP: 0018:ffffffff8de07d80 EFLAGS: 000002c2
RAX: 1031fab533705800 RBX: ffffffff81976a48 RCX: 1031fab533705800
RDX: 0000000000000001 RSI: ffffffff8d996134 RDI: ffffffff8be28c00
RBP: ffffffff8de07ea8 R08: ffff8880b8632f5b R09: 1ffff110170c65eb
R10: dffffc0000000000 R11: ffffed10170c65ec R12: ffffffff8fa1d6f0
R13: 0000000000000000 R14: 0000000000000000 R15: 1ffffffff1bd2a50
arch_safe_halt arch/x86/include/asm/paravirt.h:107 [inline]
default_idle+0x13/0x20 arch/x86/kernel/process.c:749
default_idle_call+0x74/0xb0 kernel/sched/idle.c:117
cpuidle_idle_call kernel/sched/idle.c:185 [inline]
do_idle+0x1e8/0x510 kernel/sched/idle.c:325
cpu_startup_entry+0x44/0x60 kernel/sched/idle.c:423
rest_init+0x2de/0x300 init/main.c:745
start_kernel+0x47d/0x500 init/main.c:1102
x86_64_start_reservations+0x24/0x30 arch/x86/kernel/head64.c:307
x86_64_start_kernel+0x143/0x1c0 arch/x86/kernel/head64.c:288
common_startup_64+0x13e/0x147
</TASK>
The buggy address ffffc9001ecc1000 belongs to a vmalloc virtual mapping
Memory state around the buggy address:
ffffc9001ecc0f00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
ffffc9001ecc0f80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
>ffffc9001ecc1000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
^
ffffc9001ecc1080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
ffffc9001ecc1100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
==================================================================
----------------
Code disassembly (best guess):
0: 3e bc a2 f5 cc cc ds mov $0xccccf5a2,%esp
6: cc int3
7: 90 nop
8: 90 nop
9: 90 nop
a: 90 nop
b: 90 nop
c: 90 nop
d: 90 nop
e: 90 nop
f: 90 nop
10: 90 nop
11: 90 nop
12: 90 nop
13: 90 nop
14: 90 nop
15: 90 nop
16: 90 nop
17: f3 0f 1e fa endbr64
1b: 66 90 xchg %ax,%ax
1d: 0f 00 2d d3 ad 1a 00 verw 0x1aadd3(%rip) # 0x1aadf7
24: f3 0f 1e fa endbr64
28: fb sti
29: f4 hlt
* 2a: e9 13 bc a2 f5 jmp 0xf5a2bc42 <-- trapping instruction
2f: cc int3
30: cc int3
31: cc int3
32: cc int3
33: cc int3
34: cc int3
35: cc int3
36: cc int3
37: 90 nop
38: 90 nop
39: 90 nop
3a: 90 nop
3b: 90 nop
3c: 90 nop
3d: 90 nop
3e: 90 nop
3f: 90 nop
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: 6832a9317eee Merge tag 'net-6.16-rc7' of git://git.kernel...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=122eb382580000
kernel config: https://syzkaller.appspot.com/x/.config?x=12b5044868deb866
dashboard link: https://syzkaller.appspot.com/bug?extid=106e20fd3577589caea7
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
CC: [linux-...@vger.kernel.org linux...@vger.kernel.org pe...@perex.cz ti...@suse.com]
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/b3124f35f69c/disk-6832a931.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/750eef79ff8a/vmlinux-6832a931.xz
kernel image: https://storage.googleapis.com/syzbot-assets/7fac9df0ac84/bzImage-6832a931.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+106e20...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: vmalloc-out-of-bounds in copy_play_buf+0x528/0xa70 sound/drivers/aloop.c:603
Write of size 128 at addr ffffc9001ecc1000 by task swapper/0/0
CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.16.0-rc6-syzkaller-00121-g6832a9317eee #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call Trace:
<IRQ>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x230 mm/kasan/report.c:480
kasan_report+0x118/0x150 mm/kasan/report.c:593
check_region_inline mm/kasan/generic.c:-1 [inline]
kasan_check_range+0x2b0/0x2c0 mm/kasan/generic.c:189
__asan_memcpy+0x40/0x70 mm/kasan/shadow.c:106
copy_play_buf+0x528/0xa70 sound/drivers/aloop.c:603
loopback_jiffies_timer_pos_update+0xc0f/0x1350 sound/drivers/aloop.c:693
loopback_jiffies_timer_function+0x62/0x250 sound/drivers/aloop.c:706
call_timer_fn+0x17e/0x5f0 kernel/time/timer.c:1747
expire_timers kernel/time/timer.c:1798 [inline]
__run_timers kernel/time/timer.c:2372 [inline]
__run_timer_base+0x61a/0x860 kernel/time/timer.c:2384
run_timer_base kernel/time/timer.c:2393 [inline]
run_timer_softirq+0xb7/0x180 kernel/time/timer.c:2403
handle_softirqs+0x286/0x870 kernel/softirq.c:579
__do_softirq kernel/softirq.c:613 [inline]
invoke_softirq kernel/softirq.c:453 [inline]
__irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:680
irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1050
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:pv_native_safe_halt+0x13/0x20 arch/x86/kernel/paravirt.c:82
Code: 3e bc a2 f5 cc cc cc 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 66 90 0f 00 2d d3 ad 1a 00 f3 0f 1e fa fb f4 <e9> 13 bc a2 f5 cc cc cc cc cc cc cc cc 90 90 90 90 90 90 90 90 90
RSP: 0018:ffffffff8de07d80 EFLAGS: 000002c2
RAX: 1031fab533705800 RBX: ffffffff81976a48 RCX: 1031fab533705800
RDX: 0000000000000001 RSI: ffffffff8d996134 RDI: ffffffff8be28c00
RBP: ffffffff8de07ea8 R08: ffff8880b8632f5b R09: 1ffff110170c65eb
R10: dffffc0000000000 R11: ffffed10170c65ec R12: ffffffff8fa1d6f0
R13: 0000000000000000 R14: 0000000000000000 R15: 1ffffffff1bd2a50
arch_safe_halt arch/x86/include/asm/paravirt.h:107 [inline]
default_idle+0x13/0x20 arch/x86/kernel/process.c:749
default_idle_call+0x74/0xb0 kernel/sched/idle.c:117
cpuidle_idle_call kernel/sched/idle.c:185 [inline]
do_idle+0x1e8/0x510 kernel/sched/idle.c:325
cpu_startup_entry+0x44/0x60 kernel/sched/idle.c:423
rest_init+0x2de/0x300 init/main.c:745
start_kernel+0x47d/0x500 init/main.c:1102
x86_64_start_reservations+0x24/0x30 arch/x86/kernel/head64.c:307
x86_64_start_kernel+0x143/0x1c0 arch/x86/kernel/head64.c:288
common_startup_64+0x13e/0x147
</TASK>
The buggy address ffffc9001ecc1000 belongs to a vmalloc virtual mapping
Memory state around the buggy address:
ffffc9001ecc0f00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
ffffc9001ecc0f80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
>ffffc9001ecc1000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
^
ffffc9001ecc1080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
ffffc9001ecc1100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
==================================================================
----------------
Code disassembly (best guess):
0: 3e bc a2 f5 cc cc ds mov $0xccccf5a2,%esp
6: cc int3
7: 90 nop
8: 90 nop
9: 90 nop
a: 90 nop
b: 90 nop
c: 90 nop
d: 90 nop
e: 90 nop
f: 90 nop
10: 90 nop
11: 90 nop
12: 90 nop
13: 90 nop
14: 90 nop
15: 90 nop
16: 90 nop
17: f3 0f 1e fa endbr64
1b: 66 90 xchg %ax,%ax
1d: 0f 00 2d d3 ad 1a 00 verw 0x1aadd3(%rip) # 0x1aadf7
24: f3 0f 1e fa endbr64
28: fb sti
29: f4 hlt
* 2a: e9 13 bc a2 f5 jmp 0xf5a2bc42 <-- trapping instruction
2f: cc int3
30: cc int3
31: cc int3
32: cc int3
33: cc int3
34: cc int3
35: cc int3
36: cc int3
37: 90 nop
38: 90 nop
39: 90 nop
3a: 90 nop
3b: 90 nop
3c: 90 nop
3d: 90 nop
3e: 90 nop
3f: 90 nop
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot
5:45 AM (14 hours ago) 5:45 AM
to syzkaller-upst...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.
Crashes did not happen for a while, no reproducer and no activity.
Reply all
Reply to author
Forward
0 new messages