KASAN: vmalloc-out-of-bounds Read in srcu_invoke_callbacks

Status: upstream: reported syz repro on 2019/12/23 14:45
First crash: 1020d, last: 808d

Cause bisection: introduced by (bisect log):
commit 9121923c457d1d8667a6e3a67302c29e5c5add6b
Author: Jim Mattson <>
Date: Thu Oct 24 23:03:26 2019 +0000

  kvm: Allocate memslots and buses before calling kvm_arch_init_vm

Crash: general protection fault in kvm_coalesced_mmio_init (log)
Repro: syz .config

Fix bisection: failed (bisect log)
Patch testing requests:
Created           Duration  User  Patch  Repo        Result
2022/09/22 02:29  15m                    upstream    OK (log)
2022/09/22 00:29  15m                    upstream    OK (log)
2022/09/21 21:29  16m                    upstream    OK (log)
2022/09/19 23:29  10m                    linux-next  report (log)
2022/09/19 09:29  16m                    upstream    OK (log)
2022/09/18 08:29  16m                    upstream    OK (log)
2022/09/18 06:29  17m                    upstream    OK (log)
2022/09/11 22:27  16m                    upstream    OK (log)
2022/09/11 18:27  15m                    upstream    OK (log)

Sample crash report:
BUG: KASAN: vmalloc-out-of-bounds in __read_once_size include/linux/compiler.h:232 [inline]
BUG: KASAN: vmalloc-out-of-bounds in rcu_seq_current kernel/rcu/rcu.h:99 [inline]
BUG: KASAN: vmalloc-out-of-bounds in srcu_invoke_callbacks+0x304/0x320 kernel/rcu/srcutree.c:1172
Read of size 8 at addr ffffc900041c4c80 by task kworker/1:1/9703

CPU: 1 PID: 9703 Comm: kworker/1:1 Not tainted 5.6.0-rc3-next-20200228-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: rcu_gp srcu_invoke_callbacks
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x188/0x20d lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0x5/0x315 mm/kasan/report.c:374
 __kasan_report.cold+0x1a/0x32 mm/kasan/report.c:506
 kasan_report+0xe/0x20 mm/kasan/common.c:618
 __read_once_size include/linux/compiler.h:232 [inline]
 rcu_seq_current kernel/rcu/rcu.h:99 [inline]
 srcu_invoke_callbacks+0x304/0x320 kernel/rcu/srcutree.c:1172
 process_one_work+0x94b/0x1690 kernel/workqueue.c:2266
 worker_thread+0x96/0xe20 kernel/workqueue.c:2412
 kthread+0x357/0x430 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Memory state around the buggy address:
 ffffc900041c4b80: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
 ffffc900041c4c00: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
>ffffc900041c4c80: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
 ffffc900041c4d00: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
 ffffc900041c4d80: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9

Crashes (20):
Manager                                Time              Kernel      Commit        Syzkaller  Config   Log  Report  Syz repro  C repro  VM info  Title
ci-upstream-linux-next-kasan-gce-root  2020/03/19 20:35  linux-next  770fbb32d34e  2c31c529   .config  log  report  syz
ci-upstream-kasan-gce                  2020/07/07 08:25  upstream    7cc2a8ea1048  51095195   .config  log  report  syz
ci-upstream-kasan-gce-smack-root       2020/03/10 19:33  upstream    30bb5572ce7a  35f53e45   .config  log  report  syz
ci-upstream-kasan-gce-root             2020/03/06 05:07  upstream    63623fd44972  c88c7b75   .config  log  report  syz
ci-upstream-kasan-gce-smack-root       2020/03/04 00:15  upstream    63623fd44972  c88c7b75   .config  log  report  syz
ci-upstream-kasan-gce-selinux-root     2020/01/11 16:03  upstream    bef1d88263ff  4c04afaa   .config  log  report  syz
ci-upstream-kasan-gce                  2020/01/04 19:59  upstream    3a562aee727a  68256974   .config  log  report  syz
ci-upstream-kasan-gce-root             2020/01/02 11:27  upstream    738d2902773e  25a0186e   .config  log  report  syz
ci-upstream-kasan-gce-root             2019/12/21 03:13  upstream    6398b9fc818e  bc586918   .config  log  report  syz
ci-upstream-kasan-gce-selinux-root     2020/07/20 19:42  upstream    5714ee50bb43  4285ffa3   .config  log  report
ci-upstream-kasan-gce-selinux-root     2020/07/05 01:13  upstream    7cc2a8ea1048  51095195   .config  log  report
ci-upstream-kasan-gce-selinux-root     2020/07/02 15:08  upstream    cd77006e01b3  bed10395   .config  log  report
ci-upstream-kasan-gce-root             2020/05/30 03:16  upstream    75caf310d16c  3905eaae   .config  log  report
ci-upstream-kasan-gce                  2020/03/31 06:59  upstream    673b41e04a03  c8d1cc20   .config  log  report
ci-upstream-kasan-gce-selinux-root     2020/03/17 06:23  upstream    fb33c6510d55  749688d2   .config  log  report
ci-upstream-kasan-gce-smack-root       2020/02/10 04:00  upstream    d1ea35f4cdd4  35f5e45e   .config  log  report
ci-upstream-kasan-gce                  2020/01/31 08:58  upstream    9f68e3655aae  5ed23f9a   .config  log  report
ci-upstream-kasan-gce-root             2020/01/25 02:39  upstream    6381b442836e  2e95ab33   .config  log  report
ci-upstream-kasan-gce-smack-root       2020/01/15 01:59  upstream    e033e7d4a808  fa12bd3c   .config  log  report
ci-upstream-kasan-gce-386              2020/01/15 14:20  upstream    95e20af9fb9c  fa12bd3c   .config  log  report
* Struck through repros no longer work on HEAD.