syzbot


KASAN: global-out-of-bounds Read in process_one_work

Status: moderation: reported on 2024/05/20 01:05
Subsystems: kernel
[Documentation on labels]
Reported-by: syzbot+0aa6ce5c74b1e8a2647d@syzkaller.appspotmail.com
First crash: 30d, last: 30d
Similar bugs (8)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-5-15 KASAN: use-after-free Read in process_one_work missing-backport origin:downstream C unreliable 195 15h33m 592d 0/2 upstream: reported C repro on 2022/10/31 08:36
upstream KMSAN: kernel-infoleak in copyout (2) net C 6723 372d 1541d 22/27 fixed on 2023/06/08 14:41
android-5-10 BUG: corrupted list in process_one_work C error done 8 59d 796d 2/2 upstream: reported C repro on 2022/04/10 06:05
upstream general protection fault in process_one_work (2) kernel 1 1061d 1057d 0/27 auto-closed as invalid on 2021/09/17 12:34
upstream KASAN: slab-out-of-bounds Read in process_one_work kernel 1 596d 592d 0/27 auto-obsoleted due to no activity on 2023/01/25 20:05
android-6-1 KASAN: use-after-free Read in process_one_work origin:upstream missing-backport C error 232 1d13h 390d 0/2 upstream: reported C repro on 2023/05/21 23:04
upstream KASAN: slab-use-after-free Read in process_one_work kernel 2 279d 282d 0/27 auto-obsoleted due to no activity on 2023/12/08 17:35
android-54 KASAN: use-after-free Read in process_one_work 1 452d 452d 0/2 auto-obsoleted due to no activity on 2023/07/18 18:33

Sample crash report:
------------[ cut here ]------------
==================================================================
BUG: KASAN: global-out-of-bounds in string_nocheck lib/vsprintf.c:646 [inline]
BUG: KASAN: global-out-of-bounds in string+0x398/0x3d0 lib/vsprintf.c:728
Read of size 1 at addr ffffffff8b6d26fa by task kworker/1:1/55

CPU: 1 PID: 55 Comm: kworker/1:1 Not tainted 6.9.0-syzkaller-07370-g33e02dc69afb #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Workqueue: xfs-inodegc/loop0 xfs_inodegc_worker
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0xc3/0x620 mm/kasan/report.c:488
 kasan_report+0xd9/0x110 mm/kasan/report.c:601
 string_nocheck lib/vsprintf.c:646 [inline]
 string+0x398/0x3d0 lib/vsprintf.c:728
 vsnprintf+0xc67/0x1870 lib/vsprintf.c:2824
 vprintk_store+0x3a2/0xbb0 kernel/printk/printk.c:2228
 vprintk_emit kernel/printk/printk.c:2329 [inline]
 vprintk_emit+0xac/0x5a0 kernel/printk/printk.c:2303
 vprintk+0x7f/0xa0 kernel/printk/printk_safe.c:45
 __warn_printk+0x181/0x350 kernel/panic.c:741
 look_up_lock_class+0x132/0x140 kernel/locking/lockdep.c:932
 register_lock_class+0xb1/0x1230 kernel/locking/lockdep.c:1284
 __lock_acquire+0x111/0x3b30 kernel/locking/lockdep.c:5014
 lock_acquire kernel/locking/lockdep.c:5754 [inline]
 lock_acquire+0x1b1/0x560 kernel/locking/lockdep.c:5719
 process_one_work+0x86e/0x1a30 kernel/workqueue.c:3243
 process_scheduled_works kernel/workqueue.c:3348 [inline]
 worker_thread+0x6c8/0xf70 kernel/workqueue.c:3429
 kthread+0x2c1/0x3a0 kernel/kthread.c:389
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>

The buggy address belongs to the variable:
 xstats.0+0x18fa/0x2640

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xb6d2
flags: 0xfff00000004000(reserved|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000004000 ffffea00002db488 ffffea00002db488 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner info is not present (never set?)

Memory state around the buggy address:
 ffffffff8b6d2580: f9 f9 f9 f9 00 00 00 f9 f9 f9 f9 f9 00 00 00 00
 ffffffff8b6d2600: f9 f9 f9 f9 00 00 03 f9 f9 f9 f9 f9 00 00 00 07
>ffffffff8b6d2680: f9 f9 f9 f9 00 00 00 00 06 f9 f9 f9 f9 f9 f9 f9
                                                                ^
 ffffffff8b6d2700: 00 00 04 f9 f9 f9 f9 f9 00 00 00 00 00 00 06 f9
 ffffffff8b6d2780: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 02 f9
==================================================================

Crashes (1):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2024/05/16 00:53 upstream 33e02dc69afb ef5d53ed .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 KASAN: global-out-of-bounds Read in process_one_work
* Struck through repros no longer work on HEAD.