syzbot


KASAN: slab-out-of-bounds Read in pdu_read

Status: upstream: reported C repro on 2019/05/15 07:31
Reported-by: syzbot+df0110558e129f624612@syzkaller.appspotmail.com
First crash: 1859d, last: 499d
Fix bisection: failed (error log, bisect log)
  
Similar bugs (1)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: slab-out-of-bounds Read in pdu_read v9fs C 267 2134d 2169d 8/27 fixed on 2018/08/28 17:48
Fix bisection attempts (23)
Created Duration User Patch Repo Result
2022/10/13 02:18 0m bisect fix linux-4.14.y error job log (0)
2022/08/15 07:39 29m bisect fix linux-4.14.y job log (0) log
2022/06/19 00:48 22m bisect fix linux-4.14.y job log (0) log
2022/05/19 10:37 22m bisect fix linux-4.14.y job log (0) log
2022/03/14 02:08 30m bisect fix linux-4.14.y job log (0) log
2022/02/11 19:23 27m bisect fix linux-4.14.y job log (0) log
2022/01/12 18:27 28m bisect fix linux-4.14.y job log (0) log
2021/12/13 17:59 27m bisect fix linux-4.14.y job log (0) log
2021/11/13 17:36 22m bisect fix linux-4.14.y job log (0) log
2021/10/14 17:11 25m bisect fix linux-4.14.y job log (0) log
2021/09/14 16:47 24m bisect fix linux-4.14.y job log (0) log
2021/08/15 16:24 22m bisect fix linux-4.14.y job log (0) log
2021/07/16 16:01 22m bisect fix linux-4.14.y job log (0) log
2021/06/16 15:39 21m bisect fix linux-4.14.y job log (0) log
2021/05/17 15:08 30m bisect fix linux-4.14.y job log (0) log
2021/02/18 14:44 18m bisect fix linux-4.14.y error job log (0)
2021/02/11 21:24 1m bisect fix linux-4.14.y error job log (0)
2021/01/07 22:30 22m bisect fix linux-4.14.y job log (0) log
2020/11/07 18:20 21m bisect fix linux-4.14.y job log (0) log
2020/08/20 15:15 25m bisect fix linux-4.14.y job log (0) log
2020/05/17 21:30 25m bisect fix linux-4.14.y job log (0) log
2020/03/30 22:36 23m bisect fix linux-4.14.y job log (0) log
2020/01/03 18:05 23m bisect fix linux-4.14.y job log (0) log

Sample crash report:
==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:376 [inline]
BUG: KASAN: slab-out-of-bounds in pdu_read+0x94/0x100 net/9p/protocol.c:64
Read of size 65419 at addr ffff8880a2c783ad by task syz-executor650/7975

CPU: 0 PID: 7975 Comm: syz-executor650 Not tainted 4.14.302-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b2/0x281 lib/dump_stack.c:58
 print_address_description.cold+0x54/0x1d3 mm/kasan/report.c:252
 kasan_report_error.cold+0x8a/0x191 mm/kasan/report.c:351
 kasan_report+0x6f/0x80 mm/kasan/report.c:409
 memcpy+0x20/0x50 mm/kasan/kasan.c:302
 memcpy include/linux/string.h:376 [inline]
 pdu_read+0x94/0x100 net/9p/protocol.c:64
 p9pdu_vreadf net/9p/protocol.c:167 [inline]
 p9pdu_readf+0x381/0x1970 net/9p/protocol.c:540
 p9_client_version net/9p/client.c:988 [inline]
 p9_client_create+0x9b2/0x12c0 net/9p/client.c:1086
 v9fs_session_init+0x1c5/0x1540 fs/9p/v9fs.c:422
 v9fs_mount+0x73/0x860 fs/9p/vfs_super.c:135
 mount_fs+0x92/0x2a0 fs/super.c:1237
 vfs_kern_mount.part.0+0x5b/0x470 fs/namespace.c:1046
 vfs_kern_mount fs/namespace.c:1036 [inline]
 do_new_mount fs/namespace.c:2572 [inline]
 do_mount+0xe65/0x2a30 fs/namespace.c:2905
 SYSC_mount fs/namespace.c:3121 [inline]
 SyS_mount+0xa8/0x120 fs/namespace.c:3098
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x5e/0xd3
RIP: 0033:0x7fddb121fff9
RSP: 002b:00007fddb11d22f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007fddb12a84c0 RCX: 00007fddb121fff9
RDX: 0000000020000500 RSI: 00000000200004c0 RDI: 0000000000000000
RBP: 00007fddb12a84cc R08: 0000000020000540 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fddb1276024
R13: 0030656c69662f2e R14: 64663d736e617274 R15: 00007fddb12a84c8

Allocated by task 7975:
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc+0xeb/0x160 mm/kasan/kasan.c:551
 __do_kmalloc mm/slab.c:3720 [inline]
 __kmalloc+0x15a/0x400 mm/slab.c:3729
 kmalloc include/linux/slab.h:493 [inline]
 p9_fcall_alloc+0x19/0x90 net/9p/client.c:242
 p9_tag_alloc net/9p/client.c:312 [inline]
 p9_client_prepare_req.part.0+0x7f8/0xb60 net/9p/client.c:728
 p9_client_prepare_req net/9p/client.c:718 [inline]
 p9_client_rpc+0x170/0x1520 net/9p/client.c:763
 p9_client_version net/9p/client.c:978 [inline]
 p9_client_create+0x92f/0x12c0 net/9p/client.c:1086
 v9fs_session_init+0x1c5/0x1540 fs/9p/v9fs.c:422
 v9fs_mount+0x73/0x860 fs/9p/vfs_super.c:135
 mount_fs+0x92/0x2a0 fs/super.c:1237
 vfs_kern_mount.part.0+0x5b/0x470 fs/namespace.c:1046
 vfs_kern_mount fs/namespace.c:1036 [inline]
 do_new_mount fs/namespace.c:2572 [inline]
 do_mount+0xe65/0x2a30 fs/namespace.c:2905
 SYSC_mount fs/namespace.c:3121 [inline]
 SyS_mount+0xa8/0x120 fs/namespace.c:3098
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x5e/0xd3

Freed by task 4599:
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0xc3/0x1a0 mm/kasan/kasan.c:524
 __cache_free mm/slab.c:3496 [inline]
 kfree+0xc9/0x250 mm/slab.c:3815
 devkmsg_release+0xb3/0xe0 kernel/printk/printk.c:993
 __fput+0x25f/0x7a0 fs/file_table.c:210
 task_work_run+0x11f/0x190 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0xa44/0x2850 kernel/exit.c:868
 do_group_exit+0x100/0x2e0 kernel/exit.c:965
 SYSC_exit_group kernel/exit.c:976 [inline]
 SyS_exit_group+0x19/0x20 kernel/exit.c:974
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x5e/0xd3

The buggy address belongs to the object at ffff8880a2c78380
 which belongs to the cache kmalloc-16384 of size 16384
The buggy address is located 45 bytes inside of
 16384-byte region [ffff8880a2c78380, ffff8880a2c7c380)
The buggy address belongs to the page:
page:ffffea00028b1e00 count:1 mapcount:0 mapping:ffff8880a2c78380 index:0x0 compound_mapcount: 0
flags: 0xfff00000008100(slab|head)
raw: 00fff00000008100 ffff8880a2c78380 0000000000000000 0000000100000001
raw: ffffea0002859820 ffffea0002895020 ffff88813fe65200 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880a2c7a280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8880a2c7a300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8880a2c7a380: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
                               ^
 ffff8880a2c7a400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8880a2c7a480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================

Crashes (60):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2023/01/16 08:49 linux-4.14.y c4215ee4771b a63719e7 .config console log report syz C [disk image] [vmlinux] [kernel image] ci2-linux-4-14 KASAN: slab-out-of-bounds Read in pdu_read
2022/07/16 07:36 linux-4.14.y 424a46ea058e 95cb00d1 .config console log report syz C ci2-linux-4-14 KASAN: slab-out-of-bounds Read in pdu_read
2021/03/05 12:05 linux-4.14.y 397a88b2cc86 9d751681 .config console log report syz C ci2-linux-4-14 KASAN: slab-out-of-bounds Read in pdu_read
2019/09/22 11:17 linux-4.14.y f6e27dbb1afa d96e88f3 .config console log report syz C ci2-linux-4-14
2019/09/08 06:51 linux-4.14.y 414510bc00a5 a60cb4cd .config console log report syz C ci2-linux-4-14
2023/02/03 08:55 linux-4.14.y 3949d1610004 33fc5c09 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-4-14 KASAN: slab-out-of-bounds Read in pdu_read
2023/01/25 20:35 linux-4.14.y 3949d1610004 9dfcf09c .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-4-14 KASAN: slab-out-of-bounds Read in pdu_read
2023/01/16 08:32 linux-4.14.y c4215ee4771b a63719e7 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-4-14 KASAN: slab-out-of-bounds Read in pdu_read
2022/09/05 10:39 linux-4.14.y 65640c873dcf 922294ab .config console log report info [disk image] [vmlinux] ci2-linux-4-14 KASAN: slab-out-of-bounds Read in pdu_read
2022/09/03 04:58 linux-4.14.y e548869f356f 49e94a20 .config console log report info [disk image] [vmlinux] ci2-linux-4-14 KASAN: slab-out-of-bounds Read in pdu_read
2022/07/16 07:13 linux-4.14.y 424a46ea058e 95cb00d1 .config console log report info ci2-linux-4-14 KASAN: slab-out-of-bounds Read in pdu_read
2022/04/19 10:37 linux-4.14.y 74766a973637 c334415e .config console log report info ci2-linux-4-14 KASAN: slab-out-of-bounds Read in pdu_read
2022/04/16 00:23 linux-4.14.y 74766a973637 8bcc32a6 .config console log report info ci2-linux-4-14 KASAN: slab-out-of-bounds Read in pdu_read
2022/04/11 11:34 linux-4.14.y 74766a973637 e22c3da3 .config console log report info ci2-linux-4-14 KASAN: slab-out-of-bounds Read in pdu_read
2021/04/17 15:08 linux-4.14.y cf256fbcbe34 7e2b734b .config console log report info ci2-linux-4-14 KASAN: slab-out-of-bounds Read in pdu_read
2021/04/06 05:13 linux-4.14.y bd634aa64163 6a81331a .config console log report info ci2-linux-4-14 KASAN: slab-out-of-bounds Read in pdu_read
2021/03/16 10:21 linux-4.14.y c7150cd2fa8c fdb2bb2c .config console log report info ci2-linux-4-14 KASAN: slab-out-of-bounds Read in pdu_read
2021/03/12 10:04 linux-4.14.y c7150cd2fa8c 429d8a6b .config console log report info ci2-linux-4-14 KASAN: slab-out-of-bounds Read in pdu_read
2021/02/27 12:14 linux-4.14.y 3242aa3a635c 4c37c133 .config console log report info ci2-linux-4-14 KASAN: slab-out-of-bounds Read in pdu_read
2021/02/24 16:11 linux-4.14.y 3242aa3a635c fcc6d71b .config console log report info ci2-linux-4-14 KASAN: slab-out-of-bounds Read in pdu_read
2021/02/23 13:00 linux-4.14.y 29c52025152b fcc6d71b .config console log report info ci2-linux-4-14 KASAN: slab-out-of-bounds Read in pdu_read
2021/02/22 21:46 linux-4.14.y 29c52025152b c26fb06b .config console log report info ci2-linux-4-14 KASAN: slab-out-of-bounds Read in pdu_read
2021/02/20 00:15 linux-4.14.y 29c52025152b f689d40a .config console log report info ci2-linux-4-14 KASAN: slab-out-of-bounds Read in pdu_read
2021/01/12 21:24 linux-4.14.y f79dc86058bc 0cdd6185 .config console log report info ci2-linux-4-14
2021/01/09 14:52 linux-4.14.y ec822b3e8bf4 a6c52263 .config console log report info ci2-linux-4-14
2021/01/09 11:13 linux-4.14.y 1752938529c6 a6c52263 .config console log report info ci2-linux-4-14
2020/12/08 22:30 linux-4.14.y 47cbf4cc32db 40cc414d .config console log report info ci2-linux-4-14
2020/12/08 09:59 linux-4.14.y c196b3a9c83a 9af51e31 .config console log report info ci2-linux-4-14
2020/12/07 21:19 linux-4.14.y c196b3a9c83a 51a9082e .config console log report info ci2-linux-4-14
2020/12/06 21:15 linux-4.14.y c196b3a9c83a c521566d .config console log report info ci2-linux-4-14
2020/10/08 18:20 linux-4.14.y cbfa1702aaf6 92390980 .config console log report info ci2-linux-4-14
2020/09/10 10:21 linux-4.14.y 458a534cac0c ac7ca78e .config console log report ci2-linux-4-14
2020/08/20 15:54 linux-4.14.y 14b58326976d ed282a3a .config console log report ci2-linux-4-14
2020/07/21 14:15 linux-4.14.y b850307b279c e562dd8a .config console log report ci2-linux-4-14
2020/07/19 17:15 linux-4.14.y b850307b279c 9c812472 .config console log report ci2-linux-4-14
2020/06/26 14:18 linux-4.14.y b850307b279c b202c7a8 .config console log report ci2-linux-4-14
2020/06/10 14:17 linux-4.14.y c6db52a88798 5caaad3a .config console log report ci2-linux-4-14
2020/06/01 20:36 linux-4.14.y 4f68020fef1c a0331e89 .config console log report ci2-linux-4-14
2020/04/17 21:12 linux-4.14.y c10b57a567e4 435c6d53 .config console log report ci2-linux-4-14
2020/04/17 07:22 linux-4.14.y c10b57a567e4 18397578 .config console log report ci2-linux-4-14
2020/04/17 02:56 linux-4.14.y c10b57a567e4 c743fcb3 .config console log report ci2-linux-4-14
2020/04/16 06:20 linux-4.14.y c10b57a567e4 c743fcb3 .config console log report ci2-linux-4-14
2020/04/14 20:26 linux-4.14.y c10b57a567e4 3f3c5574 .config console log report ci2-linux-4-14
2020/04/12 23:19 linux-4.14.y 4520f06b03ae 36b0b050 .config console log report ci2-linux-4-14
2020/02/29 22:36 linux-4.14.y 78d697fc93f9 c88c7b75 .config console log report ci2-linux-4-14
2020/02/13 12:14 linux-4.14.y e0f8b8a65a47 84f4fc8a .config console log report ci2-linux-4-14
2020/01/29 10:44 linux-4.14.y 9a95f25269bd c8e81ce4 .config console log report ci2-linux-4-14
2019/12/04 16:58 linux-4.14.y fbc5fe7a54d0 b2088328 .config console log report ci2-linux-4-14
2019/10/19 23:37 linux-4.14.y b98aebd29824 8c88c9c1 .config console log report ci2-linux-4-14
2019/10/06 01:41 linux-4.14.y db1892238c55 f3f7d9c8 .config console log report ci2-linux-4-14
2019/09/25 03:25 linux-4.14.y f6e27dbb1afa e38a6630 .config console log report ci2-linux-4-14
2019/09/24 09:17 linux-4.14.y f6e27dbb1afa f8368f99 .config console log report ci2-linux-4-14
2019/09/19 21:05 linux-4.14.y b10ab5e2c476 4d3ae0b7 .config console log report ci2-linux-4-14
2019/09/19 09:08 linux-4.14.y b10ab5e2c476 eb940044 .config console log report ci2-linux-4-14
2019/09/18 16:54 linux-4.14.y 968722f5371a 46c0be24 .config console log report ci2-linux-4-14
2019/09/18 13:15 linux-4.14.y 968722f5371a 1037b424 .config console log report ci2-linux-4-14
2019/09/18 12:30 linux-4.14.y 968722f5371a c2dcd700 .config console log report ci2-linux-4-14
2019/09/08 06:25 linux-4.14.y 414510bc00a5 a60cb4cd .config console log report ci2-linux-4-14
2019/09/06 02:17 linux-4.14.y 01fd1694b93c bf6bcce4 .config console log report ci2-linux-4-14
2019/05/15 06:30 linux-4.14.y 2af67d29b6fe bd4e3ac7 .config console log report ci2-linux-4-14
* Struck through repros no longer work on HEAD.