syzbot


KASAN: slab-out-of-bounds Write in shmem_file_read_iter

Status: upstream: reported C repro on 2023/12/14 19:30
Subsystems: hfs mm
[Documentation on labels]
Reported-by: syzbot+3e719fc23ab95580e4c2@syzkaller.appspotmail.com
First crash: 367d, last: 40d
Cause bisection: failed (error log, bisect log)
  
Fix bisection: fixed by (bisect log) :
commit 1c82587cb57687de3f18ab4b98a8850c789bedcf
Author: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
Date: Thu Nov 7 11:41:09 2024 +0000

  hfsplus: don't query the device logical block size multiple times

  
Discussions (1)
Title Replies (including bot) Last reply
[syzbot] [mm?] [hfs?] KASAN: slab-out-of-bounds Write in shmem_file_read_iter 0 (2) 2024/12/06 14:16
Similar bugs (2)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-6.1 KASAN: slab-out-of-bounds Write in shmem_file_read_iter origin:upstream C error 5 103d 315d 0/3 upstream: reported C repro on 2024/02/01 06:28
linux-5.15 KASAN: slab-out-of-bounds Write in shmem_file_read_iter origin:upstream C error 1 313d 313d 0/3 upstream: reported C repro on 2024/02/02 14:56
Last patch testing requests (8)
Created Duration User Patch Repo Result
2024/11/27 23:00 23m retest repro upstream OK log
2024/11/01 10:02 20m retest repro git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci report log
2024/09/18 22:11 15m retest repro upstream report log
2024/07/10 18:43 2h58m retest repro upstream report log
2024/04/27 16:23 16m retest repro upstream report log
2024/04/25 09:21 16m retest repro upstream report log
2024/03/04 03:45 26m retest repro git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci OK log
2023/12/24 22:19 17m retest repro git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci report log
Fix bisection attempts (5)
Created Duration User Patch Repo Result
2024/12/06 08:11 6h04m bisect fix upstream OK (1) job log
2024/10/04 11:04 2h26m bisect fix upstream OK (0) job log log
2024/08/30 22:30 2h31m bisect fix upstream OK (0) job log log
2024/07/31 12:08 1h48m bisect fix upstream OK (0) job log log
2024/06/23 14:24 5h30m bisect fix upstream OK (0) job log log

Sample crash report:
==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy_to_iter lib/iov_iter.c:65 [inline]
BUG: KASAN: slab-out-of-bounds in iterate_bvec include/linux/iov_iter.h:123 [inline]
BUG: KASAN: slab-out-of-bounds in iterate_and_advance2 include/linux/iov_iter.h:304 [inline]
BUG: KASAN: slab-out-of-bounds in iterate_and_advance include/linux/iov_iter.h:328 [inline]
BUG: KASAN: slab-out-of-bounds in _copy_to_iter+0x81c/0x1860 lib/iov_iter.c:185
Write of size 2048 at addr ffff0000c5924000 by task kworker/u8:4/167

CPU: 1 UID: 0 PID: 167 Comm: kworker/u8:4 Tainted: G        W          6.12.0-rc3-syzkaller-gc7e6f5e2fb8d #0
Tainted: [W]=WARN
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
Workqueue: loop0 loop_rootcg_workfn
Call trace:
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:484 (C)
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x198/0x538 mm/kasan/report.c:488
 kasan_report+0xd8/0x138 mm/kasan/report.c:601
 kasan_check_range+0x268/0x2a8 mm/kasan/generic.c:189
 __asan_memcpy+0x54/0x84 mm/kasan/shadow.c:106
 memcpy_to_iter lib/iov_iter.c:65 [inline]
 iterate_bvec include/linux/iov_iter.h:123 [inline]
 iterate_and_advance2 include/linux/iov_iter.h:304 [inline]
 iterate_and_advance include/linux/iov_iter.h:328 [inline]
 _copy_to_iter+0x81c/0x1860 lib/iov_iter.c:185
 copy_page_to_iter+0x204/0x2fc lib/iov_iter.c:362
 shmem_file_read_iter+0x4a4/0x9e0 mm/shmem.c:3167
 do_iter_readv_writev+0x490/0x6d4
 vfs_iter_read+0x138/0x3bc fs/read_write.c:923
 lo_read_simple drivers/block/loop.c:283 [inline]
 do_req_filebacked drivers/block/loop.c:516 [inline]
 loop_handle_cmd drivers/block/loop.c:1910 [inline]
 loop_process_work+0xc3c/0x1fe8 drivers/block/loop.c:1945
 loop_rootcg_workfn+0x28/0x38 drivers/block/loop.c:1976
 process_one_work+0x7bc/0x1600 kernel/workqueue.c:3229
 process_scheduled_works kernel/workqueue.c:3310 [inline]
 worker_thread+0x97c/0xeec kernel/workqueue.c:3391
 kthread+0x288/0x310 kernel/kthread.c:389
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:862

Allocated by task 13249:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x40/0x78 mm/kasan/common.c:68
 kasan_save_alloc_info+0x40/0x50 mm/kasan/generic.c:565
 poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
 __kasan_kmalloc+0xac/0xc4 mm/kasan/common.c:394
 kasan_kmalloc include/linux/kasan.h:257 [inline]
 __do_kmalloc_node mm/slub.c:4264 [inline]
 __kmalloc_noprof+0x2a4/0x49c mm/slub.c:4276
 kmalloc_noprof include/linux/slab.h:882 [inline]
 hfsplus_read_wrapper+0x38c/0xf6c fs/hfsplus/wrapper.c:182
 hfsplus_fill_super+0x2f0/0x166c fs/hfsplus/super.c:419
 mount_bdev+0x1d4/0x2a0 fs/super.c:1679
 hfsplus_mount+0x44/0x58 fs/hfsplus/super.c:647
 legacy_get_tree+0xd4/0x16c fs/fs_context.c:662
 vfs_get_tree+0x90/0x28c fs/super.c:1800
 do_new_mount+0x278/0x900 fs/namespace.c:3507
 path_mount+0x590/0xe04 fs/namespace.c:3834
 do_mount fs/namespace.c:3847 [inline]
 __do_sys_mount fs/namespace.c:4055 [inline]
 __se_sys_mount fs/namespace.c:4032 [inline]
 __arm64_sys_mount+0x45c/0x5a8 fs/namespace.c:4032
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744
 el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600

The buggy address belongs to the object at ffff0000c5924000
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 0 bytes inside of
 allocated 512-byte region [ffff0000c5924000, ffff0000c5924200)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105924
head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
ksm flags: 0x5ffc00000000040(head|node=0|zone=2|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 05ffc00000000040 ffff0000c0001c80 fffffdffc343a800 dead000000000003
raw: 0000000000000000 0000000000100010 00000001f5000000 0000000000000000
head: 05ffc00000000040 ffff0000c0001c80 fffffdffc343a800 dead000000000003
head: 0000000000000000 0000000000100010 00000001f5000000 0000000000000000
head: 05ffc00000000002 fffffdffc3164901 ffffffffffffffff 0000000000000000
head: ffff000000000004 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff0000c5924100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff0000c5924180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff0000c5924200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                   ^
 ffff0000c5924280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff0000c5924300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================

Crashes (4):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2024/10/18 07:47 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci c7e6f5e2fb8d 666f77ed .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-gce-arm64 KASAN: slab-out-of-bounds Write in shmem_file_read_iter
2023/12/10 19:26 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci d46efae31672 28b24332 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-gce-arm64 KASAN: slab-out-of-bounds Write in shmem_file_read_iter
2024/03/22 21:16 upstream fe46a7dd189e 7a239ce7 .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-kasan-gce-smack-root KASAN: slab-out-of-bounds Write in shmem_file_read_iter
2024/03/17 00:02 upstream fe46a7dd189e d615901c .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-kasan-gce-root KASAN: slab-out-of-bounds Write in shmem_file_read_iter
* Struck through repros no longer work on HEAD.