syzbot


KASAN: slab-out-of-bounds Read in soft_cursor

Status: upstream: reported C repro on 2019/12/03 14:54
Reported-by: syzbot+c9bd0b9b06a8c0ff230e@syzkaller.appspotmail.com
First crash: 1666d, last: 1135d
Fix bisection: fixed by (bisect log) [no-op commit]:
commit 4ad066160a36ceb0b3b65785911ebd7711fe9fb8
Author: Lukas Wunner <lukas@wunner.de>
Date: Thu Aug 13 10:52:40 2020 +0000

  serial: pl011: Fix oops on -EPROBE_DEFER

  
Similar bugs (8)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.19 KASAN: slab-out-of-bounds Read in soft_cursor (2) C done 8 1130d 1252d 1/1 fixed on 2021/06/23 17:43
linux-4.19 KASAN: slab-out-of-bounds Read in soft_cursor C done 61 1328d 1666d 1/1 fixed on 2020/12/05 19:30
upstream KASAN: slab-out-of-bounds Read in soft_cursor fbdev C done 218 1356d 1665d 15/27 fixed on 2020/11/16 12:12
linux-5.15 KASAN: null-ptr-deref Read in soft_cursor origin:lts-only syz error 1 394d 394d 0/3 upstream: reported syz repro on 2023/05/28 00:20
linux-4.14 KASAN: use-after-free Read in soft_cursor C inconclusive 7 1154d 1665d 0/1 upstream: reported C repro on 2019/12/04 13:11
upstream general protection fault in soft_cursor fbdev C 3 395d 395d 22/27 fixed on 2023/07/01 16:05
linux-4.19 KASAN: global-out-of-bounds Read in soft_cursor C done 22 1127d 1595d 1/1 fixed on 2021/06/24 08:01
linux-4.14 KASAN: global-out-of-bounds Read in soft_cursor C error 19 654d 1653d 0/1 upstream: reported C repro on 2019/12/16 00:09
Last patch testing requests (8)
Created Duration User Patch Repo Result
2023/02/08 03:32 9m retest repro linux-4.14.y report log
2023/02/08 02:32 10m retest repro linux-4.14.y report log
2023/02/08 01:32 9m retest repro linux-4.14.y report log
2023/02/08 00:32 20m retest repro linux-4.14.y report log
2022/09/17 19:29 10m retest repro linux-4.14.y report log
2022/09/17 18:29 16m retest repro linux-4.14.y report log
2022/09/17 17:29 10m retest repro linux-4.14.y report log
2022/09/17 16:29 10m retest repro linux-4.14.y report log

Sample crash report:
==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:376 [inline]
BUG: KASAN: slab-out-of-bounds in soft_cursor+0x442/0xa50 drivers/video/fbdev/core/softcursor.c:70
Read of size 15 at addr ffff8880b4533c70 by task kworker/1:3/4645

CPU: 1 PID: 4645 Comm: kworker/1:3 Not tainted 4.14.232-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events_power_efficient fb_flashcursor
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b2/0x281 lib/dump_stack.c:58
 print_address_description.cold+0x54/0x1d3 mm/kasan/report.c:252
 kasan_report_error.cold+0x8a/0x191 mm/kasan/report.c:351
 kasan_report+0x6f/0x80 mm/kasan/report.c:409
 memcpy+0x20/0x50 mm/kasan/kasan.c:302
 memcpy include/linux/string.h:376 [inline]
 soft_cursor+0x442/0xa50 drivers/video/fbdev/core/softcursor.c:70
 bit_cursor+0xf7a/0x1580 drivers/video/fbdev/core/bitblit.c:377
 fb_flashcursor+0x356/0x3f0 drivers/video/fbdev/core/fbcon.c:373
 process_one_work+0x793/0x14a0 kernel/workqueue.c:2116
 worker_thread+0x5cc/0xff0 kernel/workqueue.c:2250
 kthread+0x30d/0x420 kernel/kthread.c:232
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404

Allocated by task 7955:
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc+0xeb/0x160 mm/kasan/kasan.c:551
 __do_kmalloc mm/slab.c:3720 [inline]
 __kmalloc+0x15a/0x400 mm/slab.c:3729
 kmalloc include/linux/slab.h:493 [inline]
 fbcon_set_font+0x2fb/0x7c0 drivers/video/fbdev/core/fbcon.c:2459
 con_font_set drivers/tty/vt/vt.c:4190 [inline]
 con_font_op+0x9e8/0xdb0 drivers/tty/vt/vt.c:4234
 vt_ioctl+0xd5d/0x1d50 drivers/tty/vt/vt_ioctl.c:938
 tty_ioctl+0x50f/0x13c0 drivers/tty/tty_io.c:2661
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:500 [inline]
 do_vfs_ioctl+0x75a/0xff0 fs/ioctl.c:684
 SYSC_ioctl fs/ioctl.c:701 [inline]
 SyS_ioctl+0x7f/0xb0 fs/ioctl.c:692
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb

Freed by task 6216:
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0xc3/0x1a0 mm/kasan/kasan.c:524
 __cache_free mm/slab.c:3496 [inline]
 kfree+0xc9/0x250 mm/slab.c:3815
 skb_free_head net/core/skbuff.c:563 [inline]
 skb_release_data+0x5f6/0x820 net/core/skbuff.c:583
 skb_release_all net/core/skbuff.c:640 [inline]
 __kfree_skb net/core/skbuff.c:654 [inline]
 consume_skb+0xe0/0x380 net/core/skbuff.c:714
 skb_free_datagram+0x16/0xe0 net/core/datagram.c:331
 netlink_recvmsg+0x5c1/0xda0 net/netlink/af_netlink.c:1957
 sock_recvmsg_nosec net/socket.c:819 [inline]
 sock_recvmsg net/socket.c:826 [inline]
 sock_recvmsg+0xc0/0x100 net/socket.c:822
 ___sys_recvmsg+0x20b/0x4d0 net/socket.c:2221
 __sys_recvmsg+0xa0/0x120 net/socket.c:2266
 SYSC_recvmsg net/socket.c:2278 [inline]
 SyS_recvmsg+0x27/0x40 net/socket.c:2273
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb

The buggy address belongs to the object at ffff8880b4533a80
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 496 bytes inside of
 512-byte region [ffff8880b4533a80, ffff8880b4533c80)
The buggy address belongs to the page:
page:ffffea0002d14cc0 count:1 mapcount:0 mapping:ffff8880b4533080 index:0x0
flags: 0xfff00000000100(slab)
raw: 00fff00000000100 ffff8880b4533080 0000000000000000 0000000100000006
raw: ffffea0002d29820 ffffea0002595720 ffff88813fe80940 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880b4533b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8880b4533b80: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8880b4533c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                                             ^
 ffff8880b4533c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8880b4533d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (57):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2021/05/17 18:27 linux-4.14.y 7d7d1c0ab3eb a2eb125d .config console log report syz C ci2-linux-4-14 KASAN: slab-out-of-bounds Read in soft_cursor
2020/03/05 08:28 linux-4.14.y 78d697fc93f9 576fb9bc .config console log report syz C ci2-linux-4-14
2020/01/07 12:38 linux-4.14.y 84f5ad468100 1bcd407e .config console log report syz C ci2-linux-4-14
2019/12/03 13:53 linux-4.14.y fbc5fe7a54d0 ab342da3 .config console log report syz C ci2-linux-4-14
2021/05/07 01:12 linux-4.14.y 7d7d1c0ab3eb 06585184 .config console log report info ci2-linux-4-14 KASAN: slab-out-of-bounds Read in soft_cursor
2021/04/17 01:15 linux-4.14.y cf256fbcbe34 7e2b734b .config console log report info ci2-linux-4-14 KASAN: slab-out-of-bounds Read in soft_cursor
2021/04/03 06:18 linux-4.14.y bd634aa64163 6a81331a .config console log report info ci2-linux-4-14 KASAN: slab-out-of-bounds Read in soft_cursor
2021/01/30 16:01 linux-4.14.y 2c8a3fceddf0 fc9fd31e .config console log report info ci2-linux-4-14 KASAN: slab-out-of-bounds Read in soft_cursor
2021/01/12 14:50 linux-4.14.y ec822b3e8bf4 2c1f2513 .config console log report info ci2-linux-4-14
2021/01/09 13:53 linux-4.14.y ec822b3e8bf4 a6c52263 .config console log report info ci2-linux-4-14
2021/01/06 23:47 linux-4.14.y 1752938529c6 c104d4a3 .config console log report info ci2-linux-4-14
2021/01/04 13:43 linux-4.14.y 1752938529c6 79264ae3 .config console log report info ci2-linux-4-14
2020/11/28 11:00 linux-4.14.y 87335852c5d9 486f93ef .config console log report info ci2-linux-4-14
2020/11/09 18:22 linux-4.14.y 6b6446efedb2 cba33199 .config console log report info ci2-linux-4-14
2020/09/17 11:18 linux-4.14.y cbfa1702aaf6 8247808b .config console log report info ci2-linux-4-14
2020/08/22 21:42 linux-4.14.y 6a24ca2506d6 1da71ab0 .config console log report ci2-linux-4-14
2020/07/24 11:14 linux-4.14.y 69b94dd6dcd1 554af388 .config console log report ci2-linux-4-14
2020/07/21 09:41 linux-4.14.y b850307b279c d88894e6 .config console log report ci2-linux-4-14
2020/07/16 23:31 linux-4.14.y b850307b279c 54b3c45e .config console log report ci2-linux-4-14
2020/07/10 09:52 linux-4.14.y b850307b279c 56d01184 .config console log report ci2-linux-4-14
2020/07/05 13:13 linux-4.14.y b850307b279c 22f87567 .config console log report ci2-linux-4-14
2020/07/04 17:29 linux-4.14.y b850307b279c 4f739670 .config console log report ci2-linux-4-14
2020/06/29 13:44 linux-4.14.y b850307b279c df01f6fc .config console log report ci2-linux-4-14
2020/06/28 08:26 linux-4.14.y b850307b279c a2cdad9d .config console log report ci2-linux-4-14
2020/06/25 18:53 linux-4.14.y b850307b279c adb7d9e6 .config console log report ci2-linux-4-14
2020/06/23 15:10 linux-4.14.y b850307b279c 54566aff .config console log report ci2-linux-4-14
2020/06/09 13:12 linux-4.14.y c6db52a88798 092934c1 .config console log report ci2-linux-4-14
2020/06/08 23:55 linux-4.14.y c6db52a88798 0d60b78a .config console log report ci2-linux-4-14
2020/05/26 01:32 linux-4.14.y a41ba30d9df2 8ca3b7d2 .config console log report ci2-linux-4-14
2020/05/25 01:22 linux-4.14.y a41ba30d9df2 11284182 .config console log report ci2-linux-4-14
2020/05/20 00:08 linux-4.14.y ab9dfda23248 6d882fd2 .config console log report ci2-linux-4-14
2020/05/13 23:47 linux-4.14.y ab9dfda23248 a885920d .config console log report ci2-linux-4-14
2020/05/12 07:56 linux-4.14.y ab9dfda23248 a497a5b4 .config console log report ci2-linux-4-14
2020/05/10 03:11 linux-4.14.y d71f695ce745 8742a2b9 .config console log report ci2-linux-4-14
2020/05/08 22:21 linux-4.14.y d71f695ce745 e97b06d3 .config console log report ci2-linux-4-14
2020/05/03 15:44 linux-4.14.y 773e2b1cd56a 58ae5e18 .config console log report ci2-linux-4-14
2020/05/01 21:54 linux-4.14.y 050272a0423e bc734e7a .config console log report ci2-linux-4-14
2020/04/18 17:37 linux-4.14.y c10b57a567e4 365fba24 .config console log report ci2-linux-4-14
2020/04/03 22:18 linux-4.14.y 4520f06b03ae ef26b610 .config console log report ci2-linux-4-14
2020/03/23 08:34 linux-4.14.y 01364dad1d45 78267cec .config console log report ci2-linux-4-14
2020/03/20 14:02 linux-4.14.y 01364dad1d45 2c31c529 .config console log report ci2-linux-4-14
2020/03/17 22:12 linux-4.14.y 12cd844a39ed 97bc55ce .config console log report ci2-linux-4-14
2020/03/01 22:24 linux-4.14.y 78d697fc93f9 4a4e0509 .config console log report ci2-linux-4-14
2020/03/01 00:35 linux-4.14.y 78d697fc93f9 c88c7b75 .config console log report ci2-linux-4-14
2020/02/21 03:50 linux-4.14.y 98db2bf27b9e bd2a74a3 .config console log report ci2-linux-4-14
2020/02/20 13:58 linux-4.14.y 98db2bf27b9e 81230308 .config console log report ci2-linux-4-14
2020/02/05 11:24 linux-4.14.y 9fa690a2a016 93e5e335 .config console log report ci2-linux-4-14
2020/02/02 16:35 linux-4.14.y 9fa690a2a016 93e5e335 .config console log report ci2-linux-4-14
2020/01/28 04:56 linux-4.14.y 9a95f25269bd 56cd6c9b .config console log report ci2-linux-4-14
2020/01/24 06:36 linux-4.14.y 8bac50406cca 2e95ab33 .config console log report ci2-linux-4-14
2020/01/22 19:08 linux-4.14.y c1141b3aab36 3334d684 .config console log report ci2-linux-4-14
2020/01/14 19:54 linux-4.14.y c04fc6fa5c96 fa12bd3c .config console log report ci2-linux-4-14
2020/01/14 19:34 linux-4.14.y 6d0c334a400d fa12bd3c .config console log report ci2-linux-4-14
2020/01/10 03:08 linux-4.14.y b0cdffaa546e 4de4e9f0 .config console log report ci2-linux-4-14
2020/01/06 20:25 linux-4.14.y 84f5ad468100 53430d97 .config console log report ci2-linux-4-14
2019/12/17 22:56 linux-4.14.y bfb9e5c03076 1af3875f .config console log report ci2-linux-4-14
2019/12/04 05:13 linux-4.14.y fbc5fe7a54d0 0ecb9746 .config console log report ci2-linux-4-14
* Struck through repros no longer work on HEAD.