syzbot


KASAN: slab-out-of-bounds Read in bit_putcs

Status: auto-obsoleted due to no activity on 2022/09/25 19:49
Reported-by: syzbot+998dec6452146bd7a90c@syzkaller.appspotmail.com
First crash: 1096d, last: 787d

Cause bisection: introduced by (bisect log):
commit 2de50e9674fc4ca3c6174b04477f69eb26b4ee31
Author: Russell Currey <ruscur@russell.cc>
Date: Mon Feb 8 04:08:20 2016 +0000

  powerpc/powernv: Remove support for p5ioc2

Crash: BUG: spinlock lockup suspected in nf_conntrack_lock (log)
Repro: C syz .config

Fix bisection: failed (bisect log)
similar bugs (2):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.14 KASAN: slab-out-of-bounds Read in bit_putcs C error 95 86d 1098d 0/1 upstream: reported C repro on 2019/12/03 16:38
linux-4.19 KASAN: slab-out-of-bounds Read in bit_putcs C inconclusive 138 564d 1098d 0/1 upstream: reported C repro on 2019/12/03 12:47
Patch testing requests:
Created Duration User Patch Repo Result
2022/09/25 18:30 18m retest repro linux-next OK log
2022/09/25 16:30 18m retest repro linux-next OK log
2022/09/25 14:30 16m retest repro linux-next OK log
2022/09/25 13:30 16m retest repro linux-next OK log
2022/09/25 04:30 19m retest repro upstream OK log
2022/09/25 02:30 18m retest repro upstream OK log
2022/09/25 00:30 16m retest repro upstream OK log
2022/09/24 22:30 16m retest repro upstream OK log
2022/09/22 06:29 18m retest repro upstream OK log
2022/09/22 04:29 18m retest repro upstream OK log
2022/09/22 02:29 16m retest repro upstream OK log
2022/09/22 00:29 16m retest repro upstream OK log
2022/09/21 01:29 16m retest repro upstream OK log
2022/09/20 23:29 16m retest repro upstream OK log
2021/04/15 14:09 15m alaaemadhossney.ae@gmail.com upstream OK

Sample crash report:
==================================================================
BUG: KASAN: slab-out-of-bounds in __fb_pad_aligned_buffer include/linux/fb.h:655 [inline]
BUG: KASAN: slab-out-of-bounds in bit_putcs_aligned drivers/video/fbdev/core/bitblit.c:96 [inline]
BUG: KASAN: slab-out-of-bounds in bit_putcs+0xbb6/0xd20 drivers/video/fbdev/core/bitblit.c:185
Read of size 1 at addr ffff8880a6fd5a30 by task syz-executor165/6920

CPU: 1 PID: 6920 Comm: syz-executor165 Not tainted 5.8.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x18f/0x20d lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xae/0x436 mm/kasan/report.c:383
 __kasan_report mm/kasan/report.c:513 [inline]
 kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
 __fb_pad_aligned_buffer include/linux/fb.h:655 [inline]
 bit_putcs_aligned drivers/video/fbdev/core/bitblit.c:96 [inline]
 bit_putcs+0xbb6/0xd20 drivers/video/fbdev/core/bitblit.c:185
 fbcon_putcs+0x33c/0x3f0 drivers/video/fbdev/core/fbcon.c:1362
 do_update_region+0x399/0x630 drivers/tty/vt/vt.c:683
 redraw_screen+0x64c/0x770 drivers/tty/vt/vt.c:1029
 vc_do_resize+0x110e/0x13f0 drivers/tty/vt/vt.c:1314
 vt_ioctl+0x2037/0x2670 drivers/tty/vt/vt_ioctl.c:901
 tty_ioctl+0x1019/0x15f0 drivers/tty/tty_io.c:2656
 vfs_ioctl fs/ioctl.c:48 [inline]
 ksys_ioctl+0x11a/0x180 fs/ioctl.c:753
 __do_sys_ioctl fs/ioctl.c:762 [inline]
 __se_sys_ioctl fs/ioctl.c:760 [inline]
 __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:760
 do_syscall_64+0x60/0xe0 arch/x86/entry/common.c:384
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x4403a9
Code: Bad RIP value.
RSP: 002b:00007ffc17538eb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004403a9
RDX: 0000000020000080 RSI: 000000000000560a RDI: 0000000000000004
RBP: 00000000006ca018 R08: 000000000000000d R09: 00000000004002c8
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401c10
R13: 0000000000401ca0 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 6920:
 save_stack+0x1b/0x40 mm/kasan/common.c:48
 set_track mm/kasan/common.c:56 [inline]
 __kasan_kmalloc.constprop.0+0xc2/0xd0 mm/kasan/common.c:494
 __do_kmalloc mm/slab.c:3656 [inline]
 __kmalloc+0x17a/0x340 mm/slab.c:3665
 kmalloc include/linux/slab.h:560 [inline]
 fbcon_set_font+0x34f/0x8b0 drivers/video/fbdev/core/fbcon.c:2673
 con_font_set drivers/tty/vt/vt.c:4571 [inline]
 con_font_op+0xd25/0x1110 drivers/tty/vt/vt.c:4636
 vt_ioctl+0x1180/0x2670 drivers/tty/vt/vt_ioctl.c:928
 tty_ioctl+0x1019/0x15f0 drivers/tty/tty_io.c:2656
 vfs_ioctl fs/ioctl.c:48 [inline]
 ksys_ioctl+0x11a/0x180 fs/ioctl.c:753
 __do_sys_ioctl fs/ioctl.c:762 [inline]
 __se_sys_ioctl fs/ioctl.c:760 [inline]
 __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:760
 do_syscall_64+0x60/0xe0 arch/x86/entry/common.c:384
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Freed by task 6819:
 save_stack+0x1b/0x40 mm/kasan/common.c:48
 set_track mm/kasan/common.c:56 [inline]
 kasan_set_free_info mm/kasan/common.c:316 [inline]
 __kasan_slab_free+0xf5/0x140 mm/kasan/common.c:455
 __cache_free mm/slab.c:3426 [inline]
 kfree+0x103/0x2c0 mm/slab.c:3757
 skb_free_head net/core/skbuff.c:590 [inline]
 skb_release_data+0x6d9/0x910 net/core/skbuff.c:610
 skb_release_all net/core/skbuff.c:664 [inline]
 _kfree_skb_defer net/core/skbuff.c:872 [inline]
 napi_consume_skb net/core/skbuff.c:917 [inline]
 napi_consume_skb+0x167/0x370 net/core/skbuff.c:894
 free_old_xmit_skbs+0xd5/0x230 drivers/net/virtio_net.c:1389
 virtnet_poll_tx+0x1e9/0x370 drivers/net/virtio_net.c:1516
 napi_poll net/core/dev.c:6684 [inline]
 net_rx_action+0x4a1/0xe60 net/core/dev.c:6752
 __do_softirq+0x34c/0xa60 kernel/softirq.c:292

The buggy address belongs to the object at ffff8880a6fd5800
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 560 bytes inside of
 1024-byte region [ffff8880a6fd5800, ffff8880a6fd5c00)
The buggy address belongs to the page:
page:ffffea00029bf540 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea00027ae608 ffffea00024048c8 ffff8880aa000c40
raw: 0000000000000000 ffff8880a6fd5000 0000000100000002 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880a6fd5900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8880a6fd5980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8880a6fd5a00: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                     ^
 ffff8880a6fd5a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8880a6fd5b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================

Crashes (343):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-upstream-kasan-gce-selinux-root 2020/07/12 05:55 upstream a581387e415b 18d18b59 .config log report syz C
ci-upstream-kasan-gce-root 2020/07/12 05:45 upstream a581387e415b 18d18b59 .config log report syz C
ci-upstream-kasan-gce-smack-root 2020/07/12 05:28 upstream a581387e415b 18d18b59 .config log report syz C
ci-upstream-kasan-gce-selinux-root 2020/05/05 04:38 upstream 9851a0dee7c2 9941337c .config log report syz C
ci-upstream-kasan-gce-smack-root 2020/05/04 17:11 upstream 0e698dfa2822 58ae5e18 .config log report syz C
ci-upstream-kasan-gce-root 2020/05/03 14:09 upstream f66ed1ebbfde 5457883a .config log report syz C
ci-upstream-kasan-gce-selinux-root 2019/12/10 05:31 upstream 6794862a16ef 4b83c8fb .config log report syz C
ci-upstream-kasan-gce-root 2019/12/09 20:52 upstream e42617b825f8 b31eda3d .config log report syz C
ci-upstream-kasan-gce-selinux-root 2019/12/09 15:11 upstream e42617b825f8 b31eda3d .config log report syz C
ci-upstream-kasan-gce-root 2019/12/09 05:24 upstream 9455d25f4e3b 1508f453 .config log report syz C
ci-upstream-linux-next-kasan-gce-root 2020/07/12 16:54 linux-next d31958b30ea3 115e1930 .config log report syz C
ci-upstream-linux-next-kasan-gce-root 2020/05/04 23:15 linux-next ac935d227366 9941337c .config log report syz C
ci-upstream-linux-next-kasan-gce-root 2019/12/22 04:45 linux-next 7ddd09fc4b74 bc586918 .config log report syz C
ci-upstream-linux-next-kasan-gce-root 2019/12/21 13:51 linux-next 7ddd09fc4b74 bc586918 .config log report syz C
ci-upstream-kasan-gce-smack-root 2020/10/10 03:51 upstream 6f2f486d57c4 93817d89 .config log report info
ci-upstream-kasan-gce-selinux-root 2020/10/09 20:32 upstream 583090b1b823 d81b165e .config log report info
ci-upstream-kasan-gce-smack-root 2020/10/03 23:58 upstream 22fbc037cd32 1a3f9408 .config log report info
ci-upstream-kasan-gce-selinux-root 2020/10/02 02:43 upstream fcadab740480 9602ddf4 .config log report info
ci-upstream-kasan-gce-root 2020/10/01 22:59 upstream fcadab740480 9602ddf4 .config log report info
ci-upstream-kasan-gce-smack-root 2020/10/01 07:01 upstream 60e720931556 a9767fb2 .config log report info
ci-upstream-kasan-gce-smack-root 2020/09/30 14:06 upstream 02de58b24d2e 8516f6d3 .config log report info
ci-upstream-kasan-gce-smack-root 2020/09/24 04:11 upstream c9c9e6a49f89 54289b08 .config log report info
ci-upstream-kasan-gce-smack-root 2020/09/22 05:42 upstream 98477740630f 9e1fa68e .config log report info
ci-upstream-kasan-gce-selinux-root 2020/09/20 07:59 upstream 325d0eab4f31 53ce8104 .config log report info
ci-upstream-kasan-gce-selinux-root 2020/09/20 03:12 upstream eb5f95f1593f 53ce8104 .config log report info
ci-upstream-kasan-gce-selinux-root 2020/09/20 01:52 upstream eb5f95f1593f 53ce8104 .config log report info
ci-upstream-kasan-gce-smack-root 2020/09/19 09:51 upstream eb5f95f1593f 53ce8104 .config log report info
ci-upstream-kasan-gce-root 2020/09/18 18:51 upstream 10b82d517648 53ce8104 .config log report info
ci-upstream-kasan-gce-smack-root 2020/09/17 07:02 upstream 5925fa68fe82 8247808b .config log report info
ci-upstream-kasan-gce-smack-root 2020/09/16 06:26 upstream fc4f28bb3daf 18d7d030 .config log report info
ci-upstream-kasan-gce-smack-root 2020/09/14 07:02 upstream e4c26faa426c 2d3cdd63 .config log report
ci-upstream-kasan-gce-smack-root 2020/09/08 14:43 upstream f4d51dffc6c0 abf9ba4f .config log report
ci-upstream-kasan-gce-smack-root 2020/09/08 08:14 upstream f4d51dffc6c0 abf9ba4f .config log report
ci-upstream-kasan-gce-smack-root 2020/09/03 03:59 upstream fc3abb53250a abf9ba4f .config log report
ci-upstream-kasan-gce-root 2020/08/29 14:20 upstream 4d41ead6ead9 d5a3ae1f .config log report
ci-upstream-kasan-gce-smack-root 2020/08/19 01:21 upstream 18445bf405cb e1c29030 .config log report
ci-upstream-kasan-gce-smack-root 2020/08/18 02:54 upstream 06a4ec1d9dc6 424dd8e7 .config log report
ci-upstream-kasan-gce-selinux-root 2020/08/17 23:04 upstream 9123e3a74ec7 424dd8e7 .config log report
ci-upstream-kasan-gce-selinux-root 2020/08/15 07:43 upstream 7fca4dee610d 424dd8e7 .config log report
ci-upstream-kasan-gce-root 2020/08/15 01:26 upstream b923f1247b72 424dd8e7 .config log report
ci-upstream-kasan-gce-root 2020/08/13 23:15 upstream 990f227371a4 54ce1ed6 .config log report
ci-upstream-kasan-gce-selinux-root 2020/08/13 19:53 upstream fb893de323e2 54ce1ed6 .config log report
ci-upstream-kasan-gce-smack-root 2020/08/13 09:25 upstream fb893de323e2 bc15f7db .config log report
ci-upstream-kasan-gce-smack-root 2020/08/12 04:00 upstream c636eef2ee36 bb3e5fe6 .config log report
ci-upstream-kasan-gce-root 2020/08/10 18:35 upstream fc80c51fd4b2 7adc7b65 .config log report
ci-upstream-kasan-gce-root 2020/08/08 04:49 upstream 5631c5e0eb90 ff51e522 .config log report
ci-upstream-kasan-gce-smack-root 2020/08/08 04:01 upstream 5631c5e0eb90 ff51e522 .config log report
ci-upstream-kasan-gce-smack-root 2020/08/06 03:53 upstream fffe3ae0ee84 0487ea6f .config log report
ci-upstream-kasan-gce-selinux-root 2020/08/04 06:08 upstream bcf876870b95 196277c4 .config log report
ci-upstream-kasan-gce-root 2020/08/03 05:53 upstream bcf876870b95 196277c4 .config log report
ci-upstream-kasan-gce-root 2020/08/03 03:53 upstream bcf876870b95 196277c4 .config log report
ci-upstream-kasan-gce-smack-root 2020/08/03 02:38 upstream 5a30a78924ec 196277c4 .config log report
ci-qemu-upstream 2020/06/12 17:06 upstream 435faf5c218a d1c1c849 .config log report
ci-qemu-upstream-386 2020/07/30 23:03 upstream e2c46b5762c6 8df85ed9 .config log report
ci-upstream-linux-next-kasan-gce-root 2020/09/27 08:14 linux-next d1d2220c7f39 5dd8aee8 .config log report info
ci-upstream-linux-next-kasan-gce-root 2020/08/30 02:46 linux-next b36c969764ab d5a3ae1f .config log report
ci-upstream-linux-next-kasan-gce-root 2020/08/28 01:45 linux-next 88abac0b753d 816e0689 .config log report
ci-upstream-linux-next-kasan-gce-root 2020/08/28 00:45 linux-next 88abac0b753d 816e0689 .config log report
ci-upstream-linux-next-kasan-gce-root 2020/08/15 20:52 linux-next 4993e4fe12af 424dd8e7 .config log report
ci-upstream-linux-next-kasan-gce-root 2020/08/15 00:20 linux-next 4993e4fe12af 424dd8e7 .config log report
ci-upstream-linux-next-kasan-gce-root 2020/08/12 07:13 linux-next bc09acc9f224 bb3e5fe6 .config log report
ci-upstream-linux-next-kasan-gce-root 2020/08/10 15:53 linux-next f80535b9aa10 70301872 .config log report
ci-upstream-linux-next-kasan-gce-root 2019/12/05 15:20 linux-next 282ffdf30a3e 4fb74474 .config log report
* Struck through repros no longer work on HEAD.