syzbot


KASAN: slab-out-of-bounds Read in __bfs (2)
Status: upstream: reported on 2022/04/20 20:21
Reported-by: syzbot+a7de825fb004b4dced19@syzkaller.appspotmail.com
First crash: 76d, last: 3h24m
similar bugs (2):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: slab-out-of-bounds Read in __bfs 1 223d 219d 0/22 auto-closed as invalid on 2022/01/14 09:46
linux-4.14 general protection fault in __bfs 4 441d 585d 0/1 auto-closed as invalid on 2021/07/10 18:06

Sample crash report:
==================================================================
BUG: KASAN: slab-out-of-bounds in __bfs+0x154/0x394 kernel/locking/lockdep.c:1708
Read of size 8 at addr ffffaf8009bdbdd0 by task syz-executor.1/2032

CPU: 0 PID: 2032 Comm: syz-executor.1 Not tainted 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff8000a228>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:113
[<ffffffff831668cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:119
[<ffffffff831756ba>] __dump_stack lib/dump_stack.c:88 [inline]
[<ffffffff831756ba>] dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:106
[<ffffffff8047479e>] print_address_description.constprop.0+0x2a/0x330 mm/kasan/report.c:255
[<ffffffff80474d4c>] __kasan_report mm/kasan/report.c:442 [inline]
[<ffffffff80474d4c>] kasan_report+0x184/0x1e0 mm/kasan/report.c:459
[<ffffffff80475b20>] check_region_inline mm/kasan/generic.c:183 [inline]
[<ffffffff80475b20>] __asan_load8+0x6e/0x96 mm/kasan/generic.c:256
[<ffffffff8010dd9a>] __bfs+0x154/0x394 kernel/locking/lockdep.c:1708
[<ffffffff8010e52a>] __bfs_forwards kernel/locking/lockdep.c:1803 [inline]
[<ffffffff8010e52a>] check_path.constprop.0+0x24/0x46 kernel/locking/lockdep.c:2104
[<ffffffff8010f95c>] check_noncircular+0x11a/0x1fe kernel/locking/lockdep.c:2131
[<ffffffff80113c26>] check_prev_add kernel/locking/lockdep.c:3063 [inline]
[<ffffffff80113c26>] check_prevs_add kernel/locking/lockdep.c:3186 [inline]
[<ffffffff80113c26>] validate_chain kernel/locking/lockdep.c:3801 [inline]
[<ffffffff80113c26>] __lock_acquire+0x19a4/0x333e kernel/locking/lockdep.c:5027

Allocated by task 2516:
 stack_trace_save+0xa6/0xd8 kernel/stacktrace.c:122
 kasan_save_stack+0x2c/0x58 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:45 [inline]
 set_alloc_info mm/kasan/common.c:436 [inline]
 __kasan_slab_alloc+0x8e/0x98 mm/kasan/common.c:469
 kasan_slab_alloc include/linux/kasan.h:260 [inline]
 slab_post_alloc_hook mm/slab.h:732 [inline]
 slab_alloc_node mm/slub.c:3230 [inline]
 slab_alloc mm/slub.c:3238 [inline]
 kmem_cache_alloc+0x338/0x3de mm/slub.c:3243
 ptlock_alloc mm/memory.c:5467 [inline]
 ptlock_init include/linux/mm.h:2293 [inline]
 pgtable_pte_page_ctor include/linux/mm.h:2320 [inline]
 __pte_alloc_one include/asm-generic/pgalloc.h:66 [inline]
 pte_alloc_one include/asm-generic/pgalloc.h:85 [inline]
 __pte_alloc+0xe0/0x394 mm/memory.c:465
 do_anonymous_page mm/memory.c:3747 [inline]
 handle_pte_fault mm/memory.c:4568 [inline]
 __handle_mm_fault+0x1bc8/0x23a4 mm/memory.c:4705
 handle_mm_fault+0x296/0x674 mm/memory.c:4803
 faultin_page mm/gup.c:944 [inline]
 __get_user_pages+0x444/0x7b4 mm/gup.c:1165
 __get_user_pages_locked mm/gup.c:1350 [inline]
 __get_user_pages_remote+0x156/0x63a mm/gup.c:1996
 get_user_pages_remote+0x5e/0x86 mm/gup.c:2069
 get_arg_page+0xf4/0x282 fs/exec.c:222
 copy_string_kernel+0x13c/0x3ea fs/exec.c:634
 kernel_execve+0x16c/0x288 fs/exec.c:1967
 call_usermodehelper_exec_async+0x1c0/0x2dc kernel/umh.c:112
 ret_from_exception+0x0/0x10

The buggy address belongs to the object at ffffaf8009bdbd80
 which belongs to the cache page->ptl of size 64
The buggy address is located 16 bytes to the right of
 64-byte region [ffffaf8009bdbd80, ffffaf8009bdbdc0)
The buggy address belongs to the page:
page:ffffaf807a906598 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x89ddb
flags: 0x8800000200(slab|section=17|node=0|zone=0)
raw: 0000008800000200 0000000000000000 0000000000000122 ffffaf800720d640
raw: 0000000000000000 00000000002a002a 00000001ffffffff 0000000000000000
raw: 00000000000007ff
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 2479, ts 797178038100, free_ts 796963729500
 __set_page_owner+0x48/0x136 mm/page_owner.c:183
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0xd0/0x10a mm/page_alloc.c:2427
 prep_new_page mm/page_alloc.c:2434 [inline]
 get_page_from_freelist+0x8da/0x12d8 mm/page_alloc.c:4165
 __alloc_pages+0x150/0x3b6 mm/page_alloc.c:5389
 alloc_pages+0x132/0x2a6 mm/mempolicy.c:2271
 alloc_slab_page.constprop.0+0xc2/0xfa mm/slub.c:1799
 allocate_slab mm/slub.c:1944 [inline]
 new_slab+0x76/0x2cc mm/slub.c:2004
 ___slab_alloc+0x56e/0x918 mm/slub.c:3018
 __slab_alloc.constprop.0+0x50/0x8c mm/slub.c:3105
 slab_alloc_node mm/slub.c:3196 [inline]
 slab_alloc mm/slub.c:3238 [inline]
 kmem_cache_alloc+0x39c/0x3de mm/slub.c:3243
 ptlock_alloc mm/memory.c:5467 [inline]
 ptlock_init include/linux/mm.h:2293 [inline]
 pgtable_pte_page_ctor include/linux/mm.h:2320 [inline]
 __pte_alloc_one include/asm-generic/pgalloc.h:66 [inline]
 pte_alloc_one include/asm-generic/pgalloc.h:85 [inline]
 __pte_alloc+0xe0/0x394 mm/memory.c:465
 do_anonymous_page mm/memory.c:3747 [inline]
 handle_pte_fault mm/memory.c:4568 [inline]
 __handle_mm_fault+0x1bc8/0x23a4 mm/memory.c:4705
 handle_mm_fault+0x296/0x674 mm/memory.c:4803
 faultin_page mm/gup.c:944 [inline]
 __get_user_pages+0x444/0x7b4 mm/gup.c:1165
 __get_user_pages_locked mm/gup.c:1350 [inline]
 __get_user_pages_remote+0x156/0x63a mm/gup.c:1996
 get_user_pages_remote+0x5e/0x86 mm/gup.c:2069
page last free stack trace:
 __reset_page_owner+0x4a/0xea mm/page_owner.c:142
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1352 [inline]
 free_pcp_prepare+0x29c/0x45e mm/page_alloc.c:1404
 free_unref_page_prepare mm/page_alloc.c:3325 [inline]
 free_unref_page+0x6a/0x31e mm/page_alloc.c:3404
 free_the_page mm/page_alloc.c:706 [inline]
 __free_pages+0xe2/0x112 mm/page_alloc.c:5474
 free_pages.part.0+0xe0/0xf6 mm/page_alloc.c:5485
 free_pages+0xe/0x18 mm/page_alloc.c:5482
 pmd_free include/asm-generic/pgalloc.h:142 [inline]
 free_pmd_range mm/memory.c:266 [inline]
 free_pud_range mm/memory.c:284 [inline]
 free_p4d_range mm/memory.c:318 [inline]
 free_pgd_range+0x8b0/0xc54 mm/memory.c:398
 free_pgtables+0xf2/0x1c8 mm/memory.c:430
 exit_mmap+0x168/0x412 mm/mmap.c:3179
 __mmput kernel/fork.c:1114 [inline]
 mmput+0xee/0x2c2 kernel/fork.c:1135
 free_bprm+0xbc/0x1de fs/exec.c:1485
 kernel_execve+0x214/0x288 fs/exec.c:1982
 call_usermodehelper_exec_async+0x1c0/0x2dc kernel/umh.c:112
 ret_from_exception+0x0/0x10

Memory state around the buggy address:
 ffffaf8009bdbc80: f1 f1 f1 f1 00 f3 f3 f3 fa fb fb fb fb fb fb fb
 ffffaf8009bdbd00: fc fc fc fc fa fb fb fb fb fb fb fb 00 00 00 00
>ffffaf8009bdbd80: f1 f1 f1 f1 00 f2 f2 f2 fc fc fc fc 00 00 00 f3
                                                 ^
 ffffaf8009bdbe00: f3 f3 f3 f3 fc fc fc fc fa fb fb fb fb fb fb fb
 ffffaf8009bdbe80: fc fc fc fc fa fb fb fb fb fb fb fb fc fc fc fc
==================================================================

Crashes (6):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-qemu2-riscv64 2022/05/27 16:08 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 0966d385830d 116e7a7b .config log report info KASAN: slab-out-of-bounds Read in __bfs
ci-qemu2-riscv64 2022/04/20 20:20 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 0966d385830d 160a3f31 .config log report info KASAN: slab-out-of-bounds Read in __bfs
ci-qemu2-riscv64 2022/04/20 13:26 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 0966d385830d 160a3f31 .config log report info KASAN: slab-out-of-bounds Read in __bfs
ci-qemu2-riscv64 2022/04/19 23:05 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 0966d385830d 7d7bc738 .config log report info KASAN: slab-out-of-bounds Read in __bfs
ci-qemu2-riscv64 2022/03/12 15:04 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 0966d385830d 9e8eaa75 .config log report info KASAN: slab-out-of-bounds Read in __bfs
ci-qemu2-riscv64 2022/03/20 13:23 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 0966d385830d e2d91b1d .config log report info KASAN: use-after-free Read in __bfs