syzbot


KASAN: slab-out-of-bounds Read in __bfs (2)

Status: upstream: reported on 2022/04/20 20:21
Reported-by: syzbot+a7de825fb004b4dced19@syzkaller.appspotmail.com
First crash: 205d, last: 5d19h
similar bugs (2):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: slab-out-of-bounds Read in __bfs 1 352d 348d 0/24 auto-closed as invalid on 2022/01/14 09:46
linux-4.14 general protection fault in __bfs 4 570d 714d 0/1 auto-closed as invalid on 2021/07/10 18:06

Sample crash report:
==================================================================
BUG: KASAN: slab-out-of-bounds in __bfs+0x154/0x394 kernel/locking/lockdep.c:1708
Read of size 8 at addr ffffaf800e193ff0 by task sshd/2021

CPU: 0 PID: 2021 Comm: sshd Not tainted 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff8000a228>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:113
[<ffffffff831668cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:119
[<ffffffff831756ba>] __dump_stack lib/dump_stack.c:88 [inline]
[<ffffffff831756ba>] dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:106
[<ffffffff8047479e>] print_address_description.constprop.0+0x2a/0x330 mm/kasan/report.c:255
[<ffffffff80474d4c>] __kasan_report mm/kasan/report.c:442 [inline]
[<ffffffff80474d4c>] kasan_report+0x184/0x1e0 mm/kasan/report.c:459
[<ffffffff80475b20>] check_region_inline mm/kasan/generic.c:183 [inline]
[<ffffffff80475b20>] __asan_load8+0x6e/0x96 mm/kasan/generic.c:256
[<ffffffff8010dd9a>] __bfs+0x154/0x394 kernel/locking/lockdep.c:1708
[<ffffffff8010e52a>] __bfs_forwards kernel/locking/lockdep.c:1803 [inline]
[<ffffffff8010e52a>] check_path.constprop.0+0x24/0x46 kernel/locking/lockdep.c:2104
[<ffffffff8010f95c>] check_noncircular+0x11a/0x1fe kernel/locking/lockdep.c:2131

Allocated by task 1839:
 stack_trace_save+0xa6/0xd8 kernel/stacktrace.c:122
 kasan_save_stack+0x2c/0x58 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:45 [inline]
 set_alloc_info mm/kasan/common.c:436 [inline]
 ____kasan_kmalloc mm/kasan/common.c:515 [inline]
 ____kasan_kmalloc mm/kasan/common.c:474 [inline]
 __kasan_kmalloc+0x80/0xb2 mm/kasan/common.c:524
 kasan_kmalloc include/linux/kasan.h:270 [inline]
 __kmalloc+0x190/0x318 mm/slub.c:4424
 kmalloc include/linux/slab.h:586 [inline]
 load_elf_phdrs+0x100/0x1e8 fs/binfmt_elf.c:480
 load_elf_binary+0xbe2/0x2716 fs/binfmt_elf.c:960
 search_binary_handler fs/exec.c:1727 [inline]
 exec_binprm fs/exec.c:1768 [inline]
 bprm_execve fs/exec.c:1837 [inline]
 bprm_execve+0x5bc/0x1140 fs/exec.c:1799
 do_execveat_common+0x298/0x312 fs/exec.c:1926
 do_execve fs/exec.c:1994 [inline]
 __do_sys_execve fs/exec.c:2070 [inline]
 sys_execve+0x32/0x40 fs/exec.c:2065
 ret_from_syscall+0x0/0x2

Last potentially related work creation:
------------[ cut here ]------------
slab index 4095 out of bounds (256) for stack id 00000fff
WARNING: CPU: 0 PID: 2021 at lib/stackdepot.c:304 stack_depot_fetch lib/stackdepot.c:304 [inline]
WARNING: CPU: 0 PID: 2021 at lib/stackdepot.c:304 stack_depot_print+0x66/0x70 lib/stackdepot.c:276
Modules linked in:
CPU: 0 PID: 2021 Comm: sshd Not tainted 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
Hardware name: riscv-virtio,qemu (DT)
epc : stack_depot_fetch lib/stackdepot.c:304 [inline]
epc : stack_depot_print+0x66/0x70 lib/stackdepot.c:276
 ra : stack_depot_fetch lib/stackdepot.c:304 [inline]
 ra : stack_depot_print+0x66/0x70 lib/stackdepot.c:276
epc : ffffffff80c00b8a ra : ffffffff80c00b8a sp : ffffaf800e193d80
 gp : ffffffff85863ac0 tp : ffffaf8009df9840 t0 : ffffffff86bcb657
 t1 : fffff5ef0b53910c t2 : 0000000000000000 s0 : ffffaf800e193d90
 s1 : ffffaf807aa40080 a0 : 0000000000000039 a1 : 00000000000f0000
 a2 : 0000000000000506 a3 : ffffffff8012252a a4 : 2915ea31eee56300
 a5 : 2915ea31eee56300 a6 : 0000000000f00000 a7 : ffffaf805a9c8863
 s2 : ffffaf800e193ff0 s3 : ffffaf8007201c80 s4 : ffffaf800e193c00
 s5 : ffffaf800e193e00 s6 : ffffffff8588bb20 s7 : ffffffff85e09180
 s8 : ffffaf800e193f00 s9 : ffffaf8009dfa3e8 s10: ffffffff85899680
 s11: ffffaf8009df9840 t3 : ffffffff801163b2 t4 : fffff5ef0b53910c
 t5 : fffff5ef0b53910d t6 : ffffaf800e193878
status: 0000000000000100 badaddr: 0000000000000000 cause: 0000000000000003
[<ffffffff80474a70>] describe_object_stacks mm/kasan/report.c:216 [inline]
[<ffffffff80474a70>] describe_object mm/kasan/report.c:231 [inline]
[<ffffffff80474a70>] print_address_description.constprop.0+0x2fc/0x330 mm/kasan/report.c:263
[<ffffffff80474d4c>] __kasan_report mm/kasan/report.c:442 [inline]
[<ffffffff80474d4c>] kasan_report+0x184/0x1e0 mm/kasan/report.c:459
[<ffffffff80475b20>] check_region_inline mm/kasan/generic.c:183 [inline]
[<ffffffff80475b20>] __asan_load8+0x6e/0x96 mm/kasan/generic.c:256
[<ffffffff8010dd9a>] __bfs+0x154/0x394 kernel/locking/lockdep.c:1708
[<ffffffff8010e52a>] __bfs_forwards kernel/locking/lockdep.c:1803 [inline]
[<ffffffff8010e52a>] check_path.constprop.0+0x24/0x46 kernel/locking/lockdep.c:2104
[<ffffffff8010f95c>] check_noncircular+0x11a/0x1fe kernel/locking/lockdep.c:2131
irq event stamp: 135089
hardirqs last  enabled at (135088): [<ffffffff8041714a>] rmqueue_pcplist mm/page_alloc.c:3671 [inline]
hardirqs last  enabled at (135088): [<ffffffff8041714a>] rmqueue mm/page_alloc.c:3698 [inline]
hardirqs last  enabled at (135088): [<ffffffff8041714a>] get_page_from_freelist+0xfc8/0x12d8 mm/page_alloc.c:4162
hardirqs last disabled at (135089): [<ffffffff80417140>] rmqueue_pcplist mm/page_alloc.c:3660 [inline]
hardirqs last disabled at (135089): [<ffffffff80417140>] rmqueue mm/page_alloc.c:3698 [inline]
hardirqs last disabled at (135089): [<ffffffff80417140>] get_page_from_freelist+0xfbe/0x12d8 mm/page_alloc.c:4162
softirqs last  enabled at (134096): [<ffffffff826e668a>] spin_unlock_bh include/linux/spinlock.h:394 [inline]
softirqs last  enabled at (134096): [<ffffffff826e668a>] release_sock+0xf6/0x122 net/core/sock.c:3322
softirqs last disabled at (134137): [<ffffffff80061288>] do_softirq_own_stack include/asm-generic/softirq_stack.h:10 [inline]
softirqs last disabled at (134137): [<ffffffff80061288>] invoke_softirq kernel/softirq.c:439 [inline]
softirqs last disabled at (134137): [<ffffffff80061288>] __irq_exit_rcu+0x142/0x1f8 kernel/softirq.c:637
---[ end trace 0000000000000000 ]---

The buggy address belongs to the object at ffffaf800e193c00
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 496 bytes to the right of
 512-byte region [ffffaf800e193c00, ffffaf800e193e00)
The buggy address belongs to the page:
page:ffffaf807aa40080 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffffaf800e190000 pfn:0x8e390
head:ffffaf807aa40080 order:2 compound_mapcount:0 compound_pincount:0
flags: 0x8800010200(slab|head|section=17|node=0|zone=0)
raw: 0000008800010200 ffffaf807a9d6908 ffffaf807a9cbaa8 ffffaf8007201c80
raw: ffffaf800e190000 000000000010000a 00000001ffffffff 0000000000000000
raw: 00000000000007ff
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, ts 50188607100, free_ts 50162170300
 __set_page_owner+0x48/0x136 mm/page_owner.c:183
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0xd0/0x10a mm/page_alloc.c:2427
 prep_new_page mm/page_alloc.c:2434 [inline]
 get_page_from_freelist+0x8da/0x12d8 mm/page_alloc.c:4165
 __alloc_pages+0x150/0x3b6 mm/page_alloc.c:5389
 alloc_page_interleave+0x2a/0x1cc mm/mempolicy.c:2116
 alloc_pages+0x210/0x2a6 mm/mempolicy.c:2266
 alloc_slab_page.constprop.0+0xc2/0xfa mm/slub.c:1799
 allocate_slab mm/slub.c:1944 [inline]
 new_slab+0x25a/0x2cc mm/slub.c:2004
 ___slab_alloc+0x56e/0x918 mm/slub.c:3018
 __slab_alloc.constprop.0+0x50/0x8c mm/slub.c:3105
 slab_alloc_node mm/slub.c:3196 [inline]
 slab_alloc mm/slub.c:3238 [inline]
 kmem_cache_alloc_trace+0x2a2/0x2e0 mm/slub.c:3255
 kmalloc include/linux/slab.h:581 [inline]
 kzalloc include/linux/slab.h:715 [inline]
 find_valid_gpt.constprop.0+0x1aa/0x15f4 block/partitions/efi.c:599
 efi_partition+0x100/0x70a block/partitions/efi.c:720
 check_partition block/partitions/core.c:148 [inline]
 blk_add_partitions block/partitions/core.c:609 [inline]
 bdev_disk_changed+0x352/0xb34 block/partitions/core.c:695
 blkdev_get_whole+0x168/0x17a block/bdev.c:679
 blkdev_get_by_dev.part.0+0x346/0x636 block/bdev.c:813
page last free stack trace:
 __reset_page_owner+0x4a/0xea mm/page_owner.c:142
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1352 [inline]
 free_pcp_prepare+0x29c/0x45e mm/page_alloc.c:1404
 free_unref_page_prepare mm/page_alloc.c:3325 [inline]
 free_unref_page+0x6a/0x31e mm/page_alloc.c:3404
 free_the_page mm/page_alloc.c:706 [inline]
 __free_pages+0xe2/0x112 mm/page_alloc.c:5474
 free_pages.part.0+0xe0/0xf6 mm/page_alloc.c:5485
 free_pages+0xe/0x18 mm/page_alloc.c:5482
 __stack_depot_save+0x1b4/0x4b2 lib/stackdepot.c:427
 kasan_save_stack+0x40/0x58 mm/kasan/common.c:39
 kasan_set_track mm/kasan/common.c:45 [inline]
 set_alloc_info mm/kasan/common.c:436 [inline]
 __kasan_slab_alloc+0x8e/0x98 mm/kasan/common.c:469
 kasan_slab_alloc include/linux/kasan.h:260 [inline]
 slab_post_alloc_hook mm/slab.h:732 [inline]
 slab_alloc_node mm/slub.c:3230 [inline]
 slab_alloc mm/slub.c:3238 [inline]
 kmem_cache_alloc+0x144/0x3de mm/slub.c:3243
 alloc_inode+0xf4/0x134 fs/inode.c:262
 new_inode_pseudo fs/inode.c:1018 [inline]
 new_inode+0x28/0x140 fs/inode.c:1047
 debugfs_get_inode+0x20/0xb0 fs/debugfs/inode.c:72
 debugfs_create_dir+0xc0/0x302 fs/debugfs/inode.c:568
 blk_mq_debugfs_register_rqos+0x132/0x1c8 block/blk-mq-debugfs.c:856
 rq_qos_add block/blk-rq-qos.h:108 [inline]
 wbt_init+0x224/0x354 block/blk-wbt.c:849

Memory state around the buggy address:
 ffffaf800e193e80: fc fc fc fc f1 f1 f1 f1 00 f3 f3 f3 fc fc fc fc
 ffffaf800e193f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffffaf800e193f80: 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2 fc fc fc fc
                                                             ^
 ffffaf800e194000: 00 00 00 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
 ffffaf800e194080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================

Crashes (16):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-qemu2-riscv64 2022/09/28 02:16 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 0966d385830d 75c78242 .config log report info KASAN: slab-out-of-bounds Read in __bfs
ci-qemu2-riscv64 2022/09/06 10:21 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 0966d385830d 65aea2b9 .config log report info KASAN: slab-out-of-bounds Read in __bfs
ci-qemu2-riscv64 2022/07/27 07:34 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 0966d385830d ae971e66 .config log report info KASAN: slab-out-of-bounds Read in __bfs
ci-qemu2-riscv64 2022/07/22 01:19 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 0966d385830d 5e6028b9 .config log report info KASAN: slab-out-of-bounds Read in __bfs
ci-qemu2-riscv64 2022/07/21 11:04 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 0966d385830d 6e67af9d .config log report info KASAN: slab-out-of-bounds Read in __bfs
ci-qemu2-riscv64 2022/07/11 14:59 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 0966d385830d f3f217ff .config log report info KASAN: slab-out-of-bounds Read in __bfs
ci-qemu2-riscv64 2022/05/27 16:08 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 0966d385830d 116e7a7b .config log report info KASAN: slab-out-of-bounds Read in __bfs
ci-qemu2-riscv64 2022/04/20 20:20 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 0966d385830d 160a3f31 .config log report info KASAN: slab-out-of-bounds Read in __bfs
ci-qemu2-riscv64 2022/04/20 13:26 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 0966d385830d 160a3f31 .config log report info KASAN: slab-out-of-bounds Read in __bfs
ci-qemu2-riscv64 2022/04/19 23:05 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 0966d385830d 7d7bc738 .config log report info KASAN: slab-out-of-bounds Read in __bfs
ci-qemu2-riscv64 2022/03/12 15:04 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 0966d385830d 9e8eaa75 .config log report info KASAN: slab-out-of-bounds Read in __bfs
ci-qemu2-riscv64 2022/09/07 01:43 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 0966d385830d 5fc30c37 .config log report info KASAN: use-after-free Read in __bfs
ci-qemu2-riscv64 2022/09/05 21:32 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 0966d385830d 9dcd38fc .config log report info KASAN: use-after-free Read in __bfs
ci-qemu2-riscv64 2022/07/31 12:11 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 0966d385830d fef302b1 .config log report info KASAN: use-after-free Read in __bfs
ci-qemu2-riscv64 2022/06/22 02:09 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 0966d385830d 0fc5c330 .config log report info KASAN: use-after-free Read in __bfs
ci-qemu2-riscv64 2022/03/20 13:23 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 0966d385830d e2d91b1d .config log report info KASAN: use-after-free Read in __bfs
* Struck through repros no longer work on HEAD.