syzbot


KASAN: slab-out-of-bounds Write in shmem_file_read_iter

Status: upstream: reported C repro on 2024/02/01 06:28
Bug presence: origin:upstream
Reported-by: syzbot+9ecd279148f3382f7bea@syzkaller.appspotmail.com
First crash: 115d, last: 18d
Bug presence (1)
Date Name Commit Repro Result
2024/04/02 upstream (ToT) 026e680b0a08 C [report] KASAN: slab-out-of-bounds Read in generic_perform_write
Similar bugs (2)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-5.15 KASAN: slab-out-of-bounds Write in shmem_file_read_iter origin:upstream C error 1 114d 114d 0/3 upstream: reported C repro on 2024/02/02 14:56
upstream KASAN: slab-out-of-bounds Write in shmem_file_read_iter hfs mm C 3 65d 164d 0/26 upstream: reported C repro on 2023/12/14 19:30
Fix bisection attempts (1)
Created Duration User Patch Repo Result
2024/05/03 01:24 2h03m bisect fix linux-6.1.y job log (0) log

Sample crash report:
==================================================================
BUG: KASAN: slab-out-of-bounds in _copy_to_iter+0x738/0xe58 lib/iov_iter.c:527
Write of size 2048 at addr ffff0000c3080800 by task kworker/u4:1/11

CPU: 0 PID: 11 Comm: kworker/u4:1 Not tainted 6.1.83-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Workqueue: loop0 loop_rootcg_workfn
Call trace:
 dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:158
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:284 [inline]
 print_report+0x174/0x4c0 mm/kasan/report.c:395
 kasan_report+0xd4/0x130 mm/kasan/report.c:495
 kasan_check_range+0x264/0x2a4 mm/kasan/generic.c:189
 memcpy+0x60/0x90 mm/kasan/shadow.c:66
 _copy_to_iter+0x738/0xe58 lib/iov_iter.c:527
 copy_page_to_iter+0x218/0x344 lib/iov_iter.c:725
 shmem_file_read_iter+0x4d0/0xa04 mm/shmem.c:2692
 do_iter_read+0x578/0x998 fs/read_write.c:796
 vfs_iter_read+0x88/0xac fs/read_write.c:838
 lo_read_simple drivers/block/loop.c:288 [inline]
 do_req_filebacked drivers/block/loop.c:498 [inline]
 loop_handle_cmd drivers/block/loop.c:1909 [inline]
 loop_process_work+0xe7c/0x24a4 drivers/block/loop.c:1944
 loop_rootcg_workfn+0x28/0x38 drivers/block/loop.c:1975
 process_one_work+0x7ac/0x1404 kernel/workqueue.c:2292
 worker_thread+0x8e4/0xfec kernel/workqueue.c:2439
 kthread+0x250/0x2d8 kernel/kthread.c:376
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:864

Allocated by task 4228:
 kasan_save_stack mm/kasan/common.c:45 [inline]
 kasan_set_track+0x4c/0x80 mm/kasan/common.c:52
 kasan_save_alloc_info+0x24/0x30 mm/kasan/generic.c:505
 ____kasan_kmalloc mm/kasan/common.c:374 [inline]
 __kasan_kmalloc+0xac/0xc4 mm/kasan/common.c:383
 kasan_kmalloc include/linux/kasan.h:211 [inline]
 __do_kmalloc_node mm/slab_common.c:955 [inline]
 __kmalloc+0xd8/0x1c4 mm/slab_common.c:968
 kmalloc include/linux/slab.h:561 [inline]
 hfsplus_read_wrapper+0x46c/0xfcc fs/hfsplus/wrapper.c:181
 hfsplus_fill_super+0x2f0/0x166c fs/hfsplus/super.c:413
 mount_bdev+0x274/0x370 fs/super.c:1432
 hfsplus_mount+0x44/0x58 fs/hfsplus/super.c:641
 legacy_get_tree+0xd4/0x16c fs/fs_context.c:632
 vfs_get_tree+0x90/0x274 fs/super.c:1562
 do_new_mount+0x278/0x8fc fs/namespace.c:3051
 path_mount+0x590/0xe5c fs/namespace.c:3381
 do_mount fs/namespace.c:3394 [inline]
 __do_sys_mount fs/namespace.c:3602 [inline]
 __se_sys_mount fs/namespace.c:3579 [inline]
 __arm64_sys_mount+0x45c/0x594 fs/namespace.c:3579
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
 do_el0_svc+0x64/0x218 arch/arm64/kernel/syscall.c:206
 el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
 el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585

The buggy address belongs to the object at ffff0000c3080800
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 0 bytes inside of
 512-byte region [ffff0000c3080800, ffff0000c3080a00)

The buggy address belongs to the physical page:
page:00000000bcf74046 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103080
head:00000000bcf74046 order:2 compound_mapcount:0 compound_pincount:0
flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000010200 dead000000000100 dead000000000122 ffff0000c0002600
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff0000c3080900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff0000c3080980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff0000c3080a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                   ^
 ffff0000c3080a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff0000c3080b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================

Crashes (3):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2024/04/01 22:07 linux-6.1.y e5cd595e23c1 6baf5069 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-6-1-kasan-arm64 KASAN: slab-out-of-bounds Write in shmem_file_read_iter
2024/05/08 20:30 linux-6.1.y 909ba1f1b414 20bf80e1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 KASAN: slab-out-of-bounds Write in shmem_file_read_iter
2024/02/01 06:27 linux-6.1.y e5c3b988b827 373b66cd .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 KASAN: slab-out-of-bounds Write in shmem_file_read_iter
* Struck through repros no longer work on HEAD.