syzbot


KASAN: stack-out-of-bounds Read in __show_regs

Status: auto-obsoleted due to no activity on 2023/10/03 16:34
Reported-by: syzbot+4f0f3d3a1f530853d5b1@syzkaller.appspotmail.com
First crash: 300d, last: 300d
Similar bugs (1)
Kernel: upstream
Title: KASAN: stack-out-of-bounds Read in __show_regs (kernel)
Repro: C
Cause bisect: unreliable
Fix bisect: unreliable
Count: 517
Last: 545d
Reported: 1049d
Patched: 0/26
Status: auto-obsoleted due to no activity on 2023/05/14 10:00

Sample crash report:
RIP: 0010:preempt_schedule_thunk+0x5/0x18 arch/x86/entry/thunk_64.S:34
Code: fd 85 db 0f 84 98 00 00 00 44 8d 73 01 44 89 f6 09 de bf ff ff ff ff e8 47 e4 8f fd 41 09 de 0f 88 88 00 00 00 e8 89 e0 8f fd <4c> 89 e0 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df 0f b6 04 08 84
RSP: 0000:0000000000000001 EFLAGS: 00000000 ORIG_RAX: 0000000000000000
RAX: ffff88811532d948 RBX: ffffc900072ef560 RCX: ffffc900077e7680
RDX: ffffc900072ef5b0 RSI: ffffffff8100817a RDI: dffffc0000000001
RBP: 0000000000000001 R08: ffff88811532d948 R09: ffffc900077e7690
R10: 1ffff92000efced2 R11: ffffffff84bfe126 R12: ffffc900077e7680
==================================================================
BUG: KASAN: stack-out-of-bounds in __show_regs+0x252/0x4d0 arch/x86/kernel/process_64.c:89
Read of size 8 at addr ffffc900072ef4f8 by task syz-executor.3/14487

CPU: 0 PID: 14487 Comm: syz-executor.3 Not tainted 5.15.118-syzkaller-01748-g241da2ad5601 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x151/0x1b7 lib/dump_stack.c:106
 print_address_description+0x87/0x3b0 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:427 [inline]
 kasan_report+0x179/0x1c0 mm/kasan/report.c:444
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report_generic.c:309
 __show_regs+0x252/0x4d0 arch/x86/kernel/process_64.c:89
 show_regs_if_on_stack+0xd9/0xe0 arch/x86/kernel/dumpstack.c:173
 show_trace_log_lvl+0x2a7/0x380 arch/x86/kernel/dumpstack.c:301
 show_stack+0x37/0x40 arch/x86/kernel/dumpstack.c:321
 sched_show_task+0x3d0/0x620 kernel/sched/core.c:8773
 show_state_filter+0x139/0x1a0 kernel/sched/core.c:8818
 show_state include/linux/sched/debug.h:21 [inline]
 fn_show_state+0x10/0x20 drivers/tty/vt/keyboard.c:607
 k_spec+0xff/0x130 drivers/tty/vt/keyboard.c:660
 kbd_keycode drivers/tty/vt/keyboard.c:1512 [inline]
 kbd_event+0x2801/0x3910 drivers/tty/vt/keyboard.c:1531
 input_to_handler drivers/input/input.c:129 [inline]
 input_pass_values+0x8c5/0x1040 drivers/input/input.c:156
 input_handle_event+0xc70/0x1570 drivers/input/input.c:415
 input_inject_event+0x120/0x150 drivers/input/input.c:487
 evdev_write+0x65d/0x7a0 drivers/input/evdev.c:534
 vfs_write+0x406/0x1110 fs/read_write.c:592
 ksys_write+0x199/0x2c0 fs/read_write.c:647
 __do_sys_write fs/read_write.c:659 [inline]
 __se_sys_write fs/read_write.c:656 [inline]
 __x64_sys_write+0x7b/0x90 fs/read_write.c:656
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7fbac7523389
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fbac6275168 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007fbac7643050 RCX: 00007fbac7523389
RDX: 00000000000012d8 RSI: 0000000020000040 RDI: 0000000000000004
RBP: 00007fbac756e493 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffd3ea753df R14: 00007fbac6275300 R15: 0000000000022000
 </TASK>


Memory state around the buggy address:
 ffffc900072ef380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffc900072ef400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffc900072ef480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                ^
 ffffc900072ef500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffc900072ef580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
R13: 49b5b4260f00e300 R14: ffffc900077e7680 R15: ffff8881f7136fb0
 </TASK>
task:syz-executor.1  state:R stack:23088 pid:14485 ppid:   434 flags:0x00004000
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5147 [inline]
 __schedule+0xcbe/0x1580 kernel/sched/core.c:6506
 schedule+0x11f/0x1e0 kernel/sched/core.c:6589
 schedule_timeout+0xa9/0x370 kernel/time/timer.c:1866
 unix_wait_for_peer+0x24b/0x330 net/unix/af_unix.c:1315
 unix_dgram_sendmsg+0x143f/0x2090 net/unix/af_unix.c:1913
 sock_sendmsg_nosec net/socket.c:704 [inline]
 sock_sendmsg net/socket.c:724 [inline]
 ____sys_sendmsg+0x59e/0x8f0 net/socket.c:2412
 ___sys_sendmsg+0x252/0x2e0 net/socket.c:2466
 __sys_sendmmsg+0x2bf/0x530 net/socket.c:2552
 __do_sys_sendmmsg net/socket.c:2581 [inline]
 __se_sys_sendmmsg net/socket.c:2578 [inline]
 __x64_sys_sendmmsg+0xa0/0xb0 net/socket.c:2578
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7f82f40bf389
RSP: 002b:00007f82f2e11168 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 00007f82f41df050 RCX: 00007f82f40bf389
RDX: 0000000000000318 RSI: 00000000200bd000 RDI: 0000000000000004
RBP: 00007f82f410a493 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fff6cdb6d8f R14: 00007f82f2e11300 R15: 0000000000022000
 </TASK>
task:syz-executor.1  state:R  running task     stack:28816 pid:14492 ppid:   434 flags:0x00004000
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5147 [inline]
 __schedule+0xcbe/0x1580 kernel/sched/core.c:6506
 preempt_schedule_common+0x9b/0xf0 kernel/sched/core.c:6682
 preempt_schedule+0xd9/0xe0 kernel/sched/core.c:6707
 preempt_schedule_thunk+0x16/0x18 arch/x86/entry/thunk_64.S:34
 try_to_wake_up+0x6dc/0x1150 kernel/sched/core.c:4255
 wake_up_process kernel/sched/core.c:4318 [inline]
 wake_up_q+0xf0/0x1d0 kernel/sched/core.c:972
 futex_wake+0x821/0xc80 kernel/futex/core.c:1696
 do_futex+0x1310/0x37f0 kernel/futex/core.c:3990
 __do_sys_futex kernel/futex/core.c:4062 [inline]
 __se_sys_futex+0x37b/0x3e0 kernel/futex/core.c:4043
 __x64_sys_futex+0xe5/0x100 kernel/futex/core.c:4043
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7f82f40bf389
RSP: 002b:00007f82f2df0218 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: ffffffffffffffda RBX: 00007f82f41df128 RCX: 00007f82f40bf389
RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00007f82f41df12c
RBP: 00007f82f41df120 R08: 00007fff6cdb80b0 R09: 0000000000000000
R10: 0000000000000006 R11: 0000000000000246 R12: 00007f82f41df12c
R13: 00007fff6cdb6d8f R14: 00007f82f2df0300 R15: 0000000000022000
 </TASK>
task:syz-executor.1  state:D stack:26992 pid:14496 ppid:   434 flags:0x00004000
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5147 [inline]
 __schedule+0xcbe/0x1580 kernel/sched/core.c:6506
 schedule+0x11f/0x1e0 kernel/sched/core.c:6589
 schedule_timeout+0xa9/0x370 kernel/time/timer.c:1866
 __down_common kernel/locking/semaphore.c:224 [inline]
 __down+0x1f2/0x370 kernel/locking/semaphore.c:241
 down+0x76/0xb0 kernel/locking/semaphore.c:62
 console_lock+0x1a/0x40 kernel/printk/printk.c:2573
 vcs_open+0x68/0xe0 drivers/tty/vt/vc_screen.c:763
 chrdev_open+0x4f7/0x620 fs/char_dev.c:414
 do_dentry_open+0x81c/0xfd0 fs/open.c:828
 vfs_open+0x73/0x80 fs/open.c:958
 do_open fs/namei.c:3538 [inline]
 path_openat+0x26f0/0x2f40 fs/namei.c:3672
 do_filp_open+0x21c/0x460 fs/namei.c:3699
 do_sys_openat2+0x13f/0x830 fs/open.c:1234
 do_sys_open fs/open.c:1250 [inline]
 __do_sys_openat fs/open.c:1266 [inline]
 __se_sys_openat fs/open.c:1261 [inline]
 __x64_sys_openat+0x243/0x290 fs/open.c:1261
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7f82f40bf389
RSP: 002b:00007f82f2dcf168 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007f82f41df1f0 RCX: 00007f82f40bf389
RDX: 0000000000000000 RSI: 0000000020000280 RDI: ffffffffffffff9c
RBP: 00007f82f410a493 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fff6cdb6d8f R14: 00007f82f2dcf300 R15: 0000000000022000
 </TASK>
task:syz-executor.1  state:S stack:28784 pid:14497 ppid:   434 flags:0x00004000
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5147 [inline]
 __schedule+0xcbe/0x1580 kernel/sched/core.c:6506
 schedule+0x11f/0x1e0 kernel/sched/core.c:6589
 freezable_schedule include/linux/freezer.h:197 [inline]
 futex_wait_queue_me+0x306/0x760 kernel/futex/core.c:2862
 futex_wait+0x2e6/0x9a0 kernel/futex/core.c:2965
 do_futex+0x1367/0x37f0 kernel/futex/core.c:3985
 __do_sys_futex kernel/futex/core.c:4062 [inline]
 __se_sys_futex+0x37b/0x3e0 kernel/futex/core.c:4043
 __x64_sys_futex+0xe5/0x100 kernel/futex/core.c:4043
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7f82f40bf389
RSP: 002b:00007f82f2dae218 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: ffffffffffffffda RBX: 00007f82f41df2c8 RCX: 00007f82f40bf389
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f82f41df2c8
RBP: 00007f82f41df2c0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f82f41df2cc
R13: 00007fff6cdb6d8f R14: 00007f82f2dae300 R15: 0000000000022000
 </TASK>
----------------
Code disassembly (best guess):
   0:	fd                   	std
   1:	85 db                	test   %ebx,%ebx
   3:	0f 84 98 00 00 00    	je     0xa1
   9:	44 8d 73 01          	lea    0x1(%rbx),%r14d
   d:	44 89 f6             	mov    %r14d,%esi
  10:	09 de                	or     %ebx,%esi
  12:	bf ff ff ff ff       	mov    $0xffffffff,%edi
  17:	e8 47 e4 8f fd       	callq  0xfd8fe463
  1c:	41 09 de             	or     %ebx,%r14d
  1f:	0f 88 88 00 00 00    	js     0xad
  25:	e8 89 e0 8f fd       	callq  0xfd8fe0b3
* 2a:	4c 89 e0             	mov    %r12,%rax <-- trapping instruction
  2d:	48 c1 e8 03          	shr    $0x3,%rax
  31:	48 b9 00 00 00 00 00 	movabs $0xdffffc0000000000,%rcx
  38:	fc ff df
  3b:	0f b6 04 08          	movzbl (%rax,%rcx,1),%eax
  3f:	84                   	.byte 0x84

Crashes (1):
Time: 2023/07/05 16:25
Kernel: android13-5.15-lts
Commit: 241da2ad5601
Syzkaller: ba5dba36
Config: .config
Log: console log
Report: report
Syz repro: none
C repro: none
VM info: info
Assets: none
Manager: ci2-android-5-15
Title: KASAN: stack-out-of-bounds Read in __show_regs