syzbot

KASAN: slab-out-of-bounds Read in arch_stack_walk

Status: upstream: reported on 2022/05/16 15:00
Reported-by: syzbot+8631f4b15d790f42c8ad@syzkaller.appspotmail.com
First crash: 211d, last: 12h41m
similar bugs (1):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KMSAN: uninit-value in do_user_addr_fault (3) C 680 211d 260d 2/24 closed as invalid on 2022/05/12 12:08

Sample crash report:
==================================================================
BUG: KASAN: slab-out-of-bounds in walk_stackframe+0x11c/0x260 arch/riscv/kernel/stacktrace.c:57
Read of size 8 at addr ffffaf800cc97fd0 by task syz-executor.0/2045

CPU: 0 PID: 2045 Comm: syz-executor.0 Not tainted 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff8000a228>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:113
[<ffffffff831668cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:119
[<ffffffff831756ba>] __dump_stack lib/dump_stack.c:88 [inline]
[<ffffffff831756ba>] dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:106
[<ffffffff8047479e>] print_address_description.constprop.0+0x2a/0x330 mm/kasan/report.c:255
[<ffffffff80474d4c>] __kasan_report mm/kasan/report.c:442 [inline]
[<ffffffff80474d4c>] kasan_report+0x184/0x1e0 mm/kasan/report.c:459
[<ffffffff80475b20>] check_region_inline mm/kasan/generic.c:183 [inline]
[<ffffffff80475b20>] __asan_load8+0x6e/0x96 mm/kasan/generic.c:256
[<ffffffff8000a052>] walk_stackframe+0x11c/0x260 arch/riscv/kernel/stacktrace.c:57
[<ffffffff8000a4a4>] arch_stack_walk+0x2c/0x3c arch/riscv/kernel/stacktrace.c:146

Allocated by task 0:
(stack is not available)

The buggy address belongs to the object at ffffaf800cc97800
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 976 bytes to the right of
 1024-byte region [ffffaf800cc97800, ffffaf800cc97c00)
The buggy address belongs to the page:
page:ffffaf807a9e1880 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffffaf800cc96000 pfn:0x8ce90
head:ffffaf807a9e1880 order:3 compound_mapcount:0 compound_pincount:0
flags: 0x8800010200(slab|head|section=17|node=0|zone=0)
raw: 0000008800010200 ffffaf807ab51b08 ffffaf807a9c58c8 ffffaf8007201dc0
raw: ffffaf800cc96000 000000000010000e 00000001ffffffff 0000000000000000
raw: 00000000000007ff
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1991, ts 506899338600, free_ts 506813467100
 __set_page_owner+0x48/0x136 mm/page_owner.c:183
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0xd0/0x10a mm/page_alloc.c:2427
 prep_new_page mm/page_alloc.c:2434 [inline]
 get_page_from_freelist+0x8da/0x12d8 mm/page_alloc.c:4165
 __alloc_pages+0x150/0x3b6 mm/page_alloc.c:5389
 alloc_pages+0x132/0x2a6 mm/mempolicy.c:2271
 alloc_slab_page.constprop.0+0xc2/0xfa mm/slub.c:1799
 allocate_slab mm/slub.c:1944 [inline]
 new_slab+0x76/0x2cc mm/slub.c:2004
 ___slab_alloc+0x56e/0x918 mm/slub.c:3018
 __slab_alloc.constprop.0+0x50/0x8c mm/slub.c:3105
 slab_alloc_node mm/slub.c:3196 [inline]
 __kmalloc_node_track_caller+0x26c/0x362 mm/slub.c:4957
 kmalloc_reserve net/core/skbuff.c:354 [inline]
 __alloc_skb+0xee/0x2e4 net/core/skbuff.c:426
 __napi_alloc_skb+0x72/0x214 net/core/skbuff.c:568
 napi_alloc_skb include/linux/skbuff.h:3005 [inline]
 page_to_skb+0x16e/0x70e drivers/net/virtio_net.c:437
 receive_mergeable drivers/net/virtio_net.c:1039 [inline]
 receive_buf+0xa20/0x3e50 drivers/net/virtio_net.c:1149
 virtnet_receive drivers/net/virtio_net.c:1441 [inline]
 virtnet_poll+0x39c/0x986 drivers/net/virtio_net.c:1550
 __napi_poll+0x7c/0x358 net/core/dev.c:6365
page last free stack trace:
 __reset_page_owner+0x4a/0xea mm/page_owner.c:142
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1352 [inline]
 free_pcp_prepare+0x29c/0x45e mm/page_alloc.c:1404
 free_unref_page_prepare mm/page_alloc.c:3325 [inline]
 free_unref_page+0x6a/0x31e mm/page_alloc.c:3404
 free_the_page mm/page_alloc.c:706 [inline]
 free_compound_page+0x70/0x8a mm/page_alloc.c:729
 destroy_compound_page include/linux/mm.h:889 [inline]
 __put_compound_page+0x7c/0xb0 mm/swap.c:112
 __put_page+0x48/0x100 mm/swap.c:128
 folio_put include/linux/mm.h:1199 [inline]
 put_page include/linux/mm.h:1237 [inline]
 __skb_frag_unref include/linux/skbuff.h:3178 [inline]
 skb_release_data+0x2f8/0x3c4 net/core/skbuff.c:672
 skb_release_all net/core/skbuff.c:742 [inline]
 __kfree_skb+0x38/0x50 net/core/skbuff.c:756
 __sk_defer_free_flush+0x52/0x68 net/ipv4/tcp.c:1592
 sk_defer_free_flush include/net/tcp.h:1378 [inline]
 tcp_v4_rcv+0x1bbc/0x1f46 net/ipv4/tcp_ipv4.c:2114
 ip_protocol_deliver_rcu+0x9c/0x8c0 net/ipv4/ip_input.c:204
 ip_local_deliver_finish+0x12c/0x278 net/ipv4/ip_input.c:231
 NF_HOOK include/linux/netfilter.h:307 [inline]
 NF_HOOK include/linux/netfilter.h:301 [inline]
 ip_local_deliver+0x160/0x464 net/ipv4/ip_input.c:252
 dst_input include/net/dst.h:461 [inline]
 ip_sublist_rcv_finish+0x64/0x1b2 net/ipv4/ip_input.c:551
 ip_list_rcv_finish net/ipv4/ip_input.c:601 [inline]
 ip_sublist_rcv+0x420/0x738 net/ipv4/ip_input.c:609
 ip_list_rcv+0x268/0x2c0 net/ipv4/ip_input.c:644

Memory state around the buggy address:
 ffffaf800cc97e80: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
 ffffaf800cc97f00: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
>ffffaf800cc97f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                                 ^
 ffffaf800cc98000: 00 00 00 00 f1 f1 f1 f1 00 00 00 f3 f3 f3 f3 f3
 ffffaf800cc98080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================

Crashes (229):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-qemu2-riscv64 2022/12/08 18:12 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 0966d385830d 1034e5fa .config log report info KASAN: slab-out-of-bounds Read in arch_stack_walk
ci-qemu2-riscv64 2022/12/07 01:21 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 0966d385830d d88f3abb .config log report info KASAN: slab-out-of-bounds Read in arch_stack_walk
ci-qemu2-riscv64 2022/12/06 08:53 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 0966d385830d 045cbb84 .config log report info KASAN: slab-out-of-bounds Read in arch_stack_walk
ci-qemu2-riscv64 2022/12/06 02:34 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 0966d385830d 045cbb84 .config log report info KASAN: slab-out-of-bounds Read in arch_stack_walk
ci-qemu2-riscv64 2022/12/05 13:09 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 0966d385830d dff7de3a .config log report info KASAN: slab-out-of-bounds Read in arch_stack_walk
ci-qemu2-riscv64 2022/12/05 09:09 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 0966d385830d e080de16 .config log report info KASAN: slab-out-of-bounds Read in arch_stack_walk
ci-qemu2-riscv64 2022/12/02 09:37 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 0966d385830d e080de16 .config log report info KASAN: slab-out-of-bounds Read in arch_stack_walk
ci-qemu2-riscv64 2022/11/29 22:07 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 0966d385830d 05dc7993 .config log report info KASAN: slab-out-of-bounds Read in arch_stack_walk
ci-qemu2-riscv64 2022/11/25 17:20 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 0966d385830d 0d68fcb4 .config log report info KASAN: slab-out-of-bounds Read in arch_stack_walk
ci-qemu2-riscv64 2022/11/25 13:36 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 0966d385830d 0d68fcb4 .config log report info KASAN: slab-out-of-bounds Read in arch_stack_walk
ci-qemu2-riscv64 2022/11/25 08:52 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 0966d385830d 74a66371 .config log report info KASAN: slab-out-of-bounds Read in arch_stack_walk
ci-qemu2-riscv64 2022/11/24 05:24 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 0966d385830d ff68ff8f .config log report info KASAN: slab-out-of-bounds Read in arch_stack_walk
ci-qemu2-riscv64 2022/11/22 13:20 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 0966d385830d 1c8e10bc .config log report info KASAN: slab-out-of-bounds Read in arch_stack_walk
ci-qemu2-riscv64 2022/11/17 20:01 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 0966d385830d 4ba8ab94 .config log report info KASAN: slab-out-of-bounds Read in arch_stack_walk
ci-qemu2-riscv64 2022/11/16 06:57 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 0966d385830d bfcab33d .config log report info KASAN: slab-out-of-bounds Read in arch_stack_walk
ci-qemu2-riscv64 2022/11/16 01:17 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 0966d385830d bfcab33d .config log report info KASAN: slab-out-of-bounds Read in arch_stack_walk
ci-qemu2-riscv64 2022/11/15 17:59 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 0966d385830d bfcab33d .config log report info KASAN: slab-out-of-bounds Read in arch_stack_walk
ci-qemu2-riscv64 2022/11/15 02:45 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 0966d385830d 97de9cfc .config log report info KASAN: slab-out-of-bounds Read in arch_stack_walk
ci-qemu2-riscv64 2022/11/09 19:49 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 0966d385830d bebca8b7 .config log report info KASAN: slab-out-of-bounds Read in arch_stack_walk
ci-qemu2-riscv64 2022/11/08 18:24 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 0966d385830d 060f945e .config log report info KASAN: slab-out-of-bounds Read in arch_stack_walk
ci-qemu2-riscv64 2022/11/08 01:35 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 0966d385830d 6feb842b .config log report info KASAN: slab-out-of-bounds Read in arch_stack_walk
ci-qemu2-riscv64 2022/11/07 21:05 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 0966d385830d a779b11a .config log report info KASAN: slab-out-of-bounds Read in arch_stack_walk
ci-qemu2-riscv64 2022/11/04 20:41 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 0966d385830d 6d752409 .config log report info KASAN: slab-out-of-bounds Read in arch_stack_walk
ci-qemu2-riscv64 2022/11/04 13:20 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 0966d385830d 6d752409 .config log report info KASAN: slab-out-of-bounds Read in arch_stack_walk
ci-qemu2-riscv64 2022/11/04 02:08 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 0966d385830d 6d752409 .config log report info KASAN: slab-out-of-bounds Read in arch_stack_walk
ci-qemu2-riscv64 2022/11/03 23:37 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 0966d385830d 6d752409 .config log report info KASAN: slab-out-of-bounds Read in arch_stack_walk
ci-qemu2-riscv64 2022/11/02 03:13 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 0966d385830d 08977f5d .config log report info KASAN: slab-out-of-bounds Read in arch_stack_walk
ci-qemu2-riscv64 2022/10/31 06:44 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 0966d385830d 2a71366b .config log report info KASAN: slab-out-of-bounds Read in arch_stack_walk
ci-qemu2-riscv64 2022/10/29 22:33 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 0966d385830d 2a71366b .config log report info KASAN: slab-out-of-bounds Read in arch_stack_walk
ci-qemu2-riscv64 2022/10/28 22:20 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 0966d385830d bc17b3a4 .config log report info KASAN: slab-out-of-bounds Read in arch_stack_walk
ci-qemu2-riscv64 2022/10/28 05:27 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 0966d385830d 5c716ff6 .config log report info KASAN: slab-out-of-bounds Read in arch_stack_walk
ci-qemu2-riscv64 2022/10/27 22:05 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 0966d385830d 5c716ff6 .config log report info KASAN: slab-out-of-bounds Read in arch_stack_walk
ci-qemu2-riscv64 2022/10/27 13:53 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 0966d385830d 5c716ff6 .config log report info KASAN: slab-out-of-bounds Read in arch_stack_walk
ci-qemu2-riscv64 2022/10/27 03:38 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 0966d385830d 86777b7f .config log report info KASAN: slab-out-of-bounds Read in arch_stack_walk
ci-qemu2-riscv64 2022/05/15 17:22 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 0966d385830d 744a39e2 .config log report info KASAN: slab-out-of-bounds Read in arch_stack_walk
ci-qemu2-riscv64 2022/05/12 14:54 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 0966d385830d 9ad6612a .config log report info KASAN: slab-out-of-bounds Read in arch_stack_walk
ci-qemu2-riscv64 2022/12/09 14:02 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 0966d385830d 67be1ae7 .config log report info KASAN: use-after-free Read in arch_stack_walk
ci-qemu2-riscv64 2022/12/06 20:33 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 0966d385830d d88f3abb .config log report info KASAN: stack-out-of-bounds Read in arch_stack_walk
ci-qemu2-riscv64 2022/12/06 15:26 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 0966d385830d d88f3abb .config log report info KASAN: use-after-free Read in arch_stack_walk
ci-qemu2-riscv64 2022/12/05 02:51 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 0966d385830d e080de16 .config log report info KASAN: use-after-free Read in arch_stack_walk
ci-qemu2-riscv64 2022/12/03 22:38 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 0966d385830d e080de16 .config log report info KASAN: use-after-free Read in arch_stack_walk
ci-qemu2-riscv64 2022/11/27 13:51 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 0966d385830d f4470a7b .config log report info KASAN: use-after-free Read in arch_stack_walk
ci-qemu2-riscv64 2022/11/27 08:04 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 0966d385830d f4470a7b .config log report info KASAN: use-after-free Read in arch_stack_walk
ci-qemu2-riscv64 2022/11/22 09:17 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 0966d385830d 1c576c23 .config log report info KASAN: stack-out-of-bounds Read in arch_stack_walk
ci-qemu2-riscv64 2022/11/18 23:07 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 0966d385830d 5bb70014 .config log report info KASAN: stack-out-of-bounds Read in arch_stack_walk
ci-qemu2-riscv64 2022/11/18 07:13 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 0966d385830d 5bb70014 .config log report info KASAN: stack-out-of-bounds Read in arch_stack_walk
ci-qemu2-riscv64 2022/11/15 22:20 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 0966d385830d bfcab33d .config log report info KASAN: use-after-free Read in arch_stack_walk
ci-qemu2-riscv64 2022/11/15 12:41 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 0966d385830d 97de9cfc .config log report info KASAN: use-after-free Read in arch_stack_walk
ci-qemu2-riscv64 2022/11/15 11:13 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 0966d385830d 97de9cfc .config log report info KASAN: use-after-free Read in arch_stack_walk
ci-qemu2-riscv64 2022/11/14 08:24 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 0966d385830d 7ba4d859 .config log report info KASAN: use-after-free Read in arch_stack_walk
ci-qemu2-riscv64 2022/11/14 05:22 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 0966d385830d 7ba4d859 .config log report info KASAN: stack-out-of-bounds Read in arch_stack_walk
ci-qemu2-riscv64 2022/11/11 09:33 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 0966d385830d f42ee5d8 .config log report info KASAN: use-after-free Read in arch_stack_walk
ci-qemu2-riscv64 2022/11/08 08:38 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 0966d385830d 6feb842b .config log report info KASAN: use-after-free Read in arch_stack_walk
ci-qemu2-riscv64 2022/11/01 05:24 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 0966d385830d 43f72c2d .config log report info KASAN: use-after-free Read in arch_stack_walk