syzbot


KASAN: invalid-access Read in copy_page

Status: upstream: reported on 2022/08/06 01:31
Reported-by: syzbot+c2c79c6d6eddc5262b77@syzkaller.appspotmail.com
Fix commit: a8e5e5146ad0 arm64: mte: Avoid setting PG_mte_tagged if no tags cleared or restored
Patched on: [ci-qemu-upstream ci-qemu-upstream-386 ci-qemu2-arm32 ci-qemu2-arm64 ci-qemu2-arm64-compat ci-qemu2-arm64-mte ci-upstream-bpf-kasan-gce ci-upstream-bpf-next-kasan-gce ci-upstream-gce-arm64 ci-upstream-gce-leak ci-upstream-kasan-gce ci-upstream-kasan-gce-386 ci-upstream-kasan-gce-root ci-upstream-kasan-gce-selinux-root ci-upstream-kasan-gce-smack-root ci-upstream-kmsan-gce ci-upstream-kmsan-gce-386 ci-upstream-linux-next-kasan-gce-root ci-upstream-net-kasan-gce ci-upstream-net-this-kasan-gce ci2-upstream-fs ci2-upstream-kcsan-gce ci2-upstream-usb], missing on: [ci-qemu2-riscv64]
First crash: 118d, last: 48d

Sample crash report:
==================================================================
BUG: KASAN: invalid-access in copy_page+0x10/0xd0 arch/arm64/lib/copy_page.S:26
Read at addr fbff00001e8a9000 by task syz-executor.1/2227
Pointer tag: [fb], memory tag: [fd]

CPU: 0 PID: 2227 Comm: syz-executor.1 Not tainted 6.0.0-syzkaller-10109-gaa512c115a09 #0
Hardware name: linux,dummy-virt (DT)
Call trace:
 dump_backtrace.part.0+0xe0/0xf0 arch/arm64/kernel/stacktrace.c:156
 dump_backtrace arch/arm64/kernel/stacktrace.c:162 [inline]
 show_stack+0x18/0x40 arch/arm64/kernel/stacktrace.c:163
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x68/0x84 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:317 [inline]
 print_report+0x104/0x604 mm/kasan/report.c:433
 kasan_report+0x8c/0xb0 mm/kasan/report.c:495
 __do_kernel_fault+0x11c/0x1bc arch/arm64/mm/fault.c:319
 do_bad_area arch/arm64/mm/fault.c:469 [inline]
 do_tag_check_fault+0x78/0x90 arch/arm64/mm/fault.c:745
 do_mem_abort+0x44/0x94 arch/arm64/mm/fault.c:821
 el1_abort+0x40/0x60 arch/arm64/kernel/entry-common.c:366
 el1h_64_sync_handler+0xd8/0xe4 arch/arm64/kernel/entry-common.c:426
 el1h_64_sync+0x64/0x68 arch/arm64/kernel/entry.S:576
 copy_page+0x10/0xd0 arch/arm64/lib/copy_page.S:26
 copy_user_highpage+0x18/0x40 arch/arm64/mm/copypage.c:34
 __wp_page_copy_user mm/memory.c:2856 [inline]
 wp_page_copy+0xa4/0x690 mm/memory.c:3117
 do_wp_page+0x138/0x620 mm/memory.c:3479
 handle_pte_fault mm/memory.c:4935 [inline]
 __handle_mm_fault+0x660/0xe70 mm/memory.c:5059
 handle_mm_fault+0xec/0x280 mm/memory.c:5157
 __do_page_fault arch/arm64/mm/fault.c:502 [inline]
 do_page_fault+0x17c/0x3d0 arch/arm64/mm/fault.c:602
 do_mem_abort+0x44/0x94 arch/arm64/mm/fault.c:821
 el0_da+0x30/0xb4 arch/arm64/kernel/entry-common.c:514
 el0t_64_sync_handler+0x68/0xc0 arch/arm64/kernel/entry-common.c:657
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:581

The buggy address belongs to the physical page:
page:00000000da91530f refcount:3 mapcount:2 mapping:0000000000000000 index:0xfffffffff pfn:0x5e8a9
memcg:fdff00001f5bc000
anon flags: 0x1ffc1000208001c(uptodate|dirty|lru|swapbacked|arch_2|node=0|zone=0|lastcpupid=0x7ff|kasantag=0x4)
raw: 01ffc1000208001c fffffc00005ac888 faff000009655000 fbff000005930301
raw: 0000000fffffffff 0000000000000000 0000000300000001 fdff00001f5bc000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff00001e8a8e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff00001e8a8f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff00001e8a9000: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
                   ^
 ffff00001e8a9100: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
 ffff00001e8a9200: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
==================================================================

Crashes (302):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-qemu2-arm64-mte 2022/10/11 03:03 upstream aa512c115a09 2b253ced .config log report info KASAN: invalid-access Read in copy_page
ci-qemu2-arm64-mte 2022/10/10 09:37 upstream 493ffd6605b2 5bcf0c31 .config log report info KASAN: invalid-access Read in copy_page
ci-qemu2-arm64-mte 2022/10/10 09:16 upstream 493ffd6605b2 5bcf0c31 .config log report info KASAN: invalid-access Read in copy_page
ci-qemu2-arm64-mte 2022/10/09 23:38 upstream 4899a36f91a9 aea5da89 .config log report info KASAN: invalid-access Read in copy_page
ci-qemu2-arm64-mte 2022/10/09 03:40 upstream a6afa4199d3d aea5da89 .config log report info KASAN: invalid-access Read in copy_page
ci-qemu2-arm64-mte 2022/10/08 18:42 upstream e8bc52cb8df8 aea5da89 .config log report info KASAN: invalid-access Read in copy_page
ci-qemu2-arm64-mte 2022/10/08 16:52 upstream e8bc52cb8df8 aea5da89 .config log report info KASAN: invalid-access Read in copy_page
ci-qemu2-arm64-mte 2022/10/07 23:13 upstream 62e6e5940c0c aea5da89 .config log report info KASAN: invalid-access Read in copy_page
ci-qemu2-arm64-mte 2022/10/07 11:10 upstream 4c86114194e6 79a59635 .config log report info KASAN: invalid-access Read in copy_page
ci-qemu2-arm64-mte 2022/10/06 23:04 upstream 93ed07a23fd0 8a212197 .config log report info KASAN: invalid-access Read in copy_page
ci-qemu2-arm64-mte 2022/10/06 21:22 upstream 93ed07a23fd0 131b38ac .config log report info KASAN: invalid-access Read in copy_page
ci-qemu2-arm64-mte 2022/10/06 15:35 upstream 833477fce7a1 131b38ac .config log report info KASAN: invalid-access Read in copy_page
ci-qemu2-arm64-mte 2022/10/06 09:53 upstream 833477fce7a1 2c6543ad .config log report info KASAN: invalid-access Read in copy_page
ci-qemu2-arm64-mte 2022/10/04 23:03 upstream 522667b24f08 267e3bb1 .config log report info KASAN: invalid-access Read in copy_page
ci-qemu2-arm64-mte 2022/10/04 21:28 upstream 522667b24f08 267e3bb1 .config log report info KASAN: invalid-access Read in copy_page
ci-qemu2-arm64-mte 2022/10/04 10:19 upstream 725737e7c21d 3fe4fea8 .config log report info KASAN: invalid-access Read in copy_page
ci-qemu2-arm64-mte 2022/10/04 00:11 upstream f3dfe925f954 feb56351 .config log report info KASAN: invalid-access Read in copy_page
ci-qemu2-arm64-mte 2022/10/03 12:50 upstream 4fe89d07dcc2 feb56351 .config log report info KASAN: invalid-access Read in copy_page
ci-qemu2-arm64-mte 2022/10/03 09:49 upstream 4fe89d07dcc2 feb56351 .config log report info KASAN: invalid-access Read in copy_page
ci-qemu2-arm64-mte 2022/10/03 00:12 upstream a962b54e162c feb56351 .config log report info KASAN: invalid-access Read in copy_page
ci-qemu2-arm64-mte 2022/10/01 18:23 upstream b357fd1c2afc feb56351 .config log report info KASAN: invalid-access Read in copy_page
ci-qemu2-arm64-mte 2022/10/01 04:26 upstream ffb4d94b4314 feb56351 .config log report info KASAN: invalid-access Read in copy_page
ci-qemu2-arm64-mte 2022/10/01 03:04 upstream ffb4d94b4314 feb56351 .config log report info KASAN: invalid-access Read in copy_page
ci-qemu2-arm64-mte 2022/09/30 23:09 upstream 5a77386984b5 5e8ac358 .config log report info KASAN: invalid-access Read in copy_page
ci-qemu2-arm64-mte 2022/09/30 03:25 upstream 987a926c1d8a 45fd7169 .config log report info KASAN: invalid-access Read in copy_page
ci-qemu2-arm64-mte 2022/09/29 23:44 upstream 987a926c1d8a 45fd7169 .config log report info KASAN: invalid-access Read in copy_page
ci-qemu2-arm64-mte 2022/09/28 12:02 upstream 49c13ed0316d e2556bc3 .config log report info KASAN: invalid-access Read in copy_page
ci-qemu2-arm64-mte 2022/09/28 01:10 upstream 46452d3786a8 75c78242 .config log report info KASAN: invalid-access Read in copy_page
ci-qemu2-arm64-mte 2022/09/27 15:08 upstream a1375562c0a8 87840e00 .config log report info KASAN: invalid-access Read in copy_page
ci-qemu2-arm64-mte 2022/09/27 03:17 upstream 3800a713b607 10323ddf .config log report info KASAN: invalid-access Read in copy_page
ci-qemu2-arm64-mte 2022/09/26 21:10 upstream f76349cf4145 10323ddf .config log report info KASAN: invalid-access Read in copy_page
ci-qemu2-arm64-mte 2022/09/26 10:28 upstream f76349cf4145 d59ba983 .config log report info KASAN: invalid-access Read in copy_page
ci-qemu2-arm64-mte 2022/09/26 07:54 upstream f76349cf4145 d59ba983 .config log report info KASAN: invalid-access Read in copy_page
ci-qemu2-arm64-mte 2022/09/26 00:36 upstream f76349cf4145 0042f2b4 .config log report info KASAN: invalid-access Read in copy_page
ci-qemu2-arm64-mte 2022/09/25 10:23 upstream 105a36f3694e 0042f2b4 .config log report info KASAN: invalid-access Read in copy_page
ci-qemu2-arm64-mte 2022/09/24 21:49 upstream 1a61b828566f 0042f2b4 .config log report info KASAN: invalid-access Read in copy_page
ci-qemu2-arm64-mte 2022/09/24 12:57 upstream a63f2e7cb110 0042f2b4 .config log report info KASAN: invalid-access Read in copy_page
ci-qemu2-arm64-mte 2022/09/24 10:53 upstream a63f2e7cb110 0042f2b4 .config log report info KASAN: invalid-access Read in copy_page
ci-qemu2-arm64-mte 2022/09/23 17:54 upstream 1707c39ae309 0042f2b4 .config log report info KASAN: invalid-access Read in copy_page
ci-qemu2-arm64-mte 2022/09/23 11:16 upstream bf682942cd26 0042f2b4 .config log report info KASAN: invalid-access Read in copy_page
ci-qemu2-arm64-mte 2022/09/23 07:16 upstream bf682942cd26 0042f2b4 .config log report info KASAN: invalid-access Read in copy_page
ci-qemu2-arm64-mte 2022/09/22 16:58 upstream dc164f4fb00a 0042f2b4 .config log report info KASAN: invalid-access Read in copy_page
ci-qemu2-arm64-mte 2022/09/22 02:03 upstream 06f7db949993 60af5050 .config log report info KASAN: invalid-access Read in copy_page
ci-qemu2-arm64-mte 2022/08/06 00:12 upstream 9e2f40233670 e853abd9 .config log report info KASAN: invalid-access Read in copy_page
ci-qemu2-arm64-mte 2022/08/02 01:26 upstream 9de1f9c8ca51 fef302b1 .config log report info KASAN: invalid-access Read in copy_page