================================================================== BUG: KASAN: stack-out-of-bounds in iterate_bvec include/linux/iov_iter.h:116 [inline] BUG: KASAN: stack-out-of-bounds in __copy_from_iter_mc+0x30a/0x3f0 lib/iov_iter.c:262 Read of size 4 at addr ffffc9000525f594 by task syz-executor.2/5209 CPU: 1 PID: 5209 Comm: syz-executor.2 Not tainted 6.6.0-rc3-next-20230929-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:364 [inline] print_report+0xc4/0x620 mm/kasan/report.c:475 kasan_report+0xda/0x110 mm/kasan/report.c:588 iterate_bvec include/linux/iov_iter.h:116 [inline] __copy_from_iter_mc+0x30a/0x3f0 lib/iov_iter.c:262 __copy_from_iter lib/iov_iter.c:271 [inline] copy_page_from_iter_atomic+0x471/0x11e0 lib/iov_iter.c:504 generic_perform_write+0x2e9/0x600 mm/filemap.c:3964 ext4_buffered_write_iter+0x11f/0x3c0 fs/ext4/file.c:299 ext4_file_write_iter+0x7f7/0x1860 fs/ext4/file.c:717 __kernel_write_iter+0x261/0x7e0 fs/read_write.c:517 dump_emit_page fs/coredump.c:888 [inline] dump_user_range+0x299/0x790 fs/coredump.c:915 elf_core_dump+0x2700/0x3900 fs/binfmt_elf.c:2142 do_coredump+0x2c97/0x3fc0 fs/coredump.c:764 get_signal+0x2434/0x2790 kernel/signal.c:2890 arch_do_signal_or_restart+0x90/0x7f0 arch/x86/kernel/signal.c:309 exit_to_user_mode_loop kernel/entry/common.c:168 [inline] exit_to_user_mode_prepare+0x11f/0x240 kernel/entry/common.c:204 irqentry_exit_to_user_mode+0x9/0x40 kernel/entry/common.c:309 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:570 RIP: 0033:0x0 Code: Unable to access opcode bytes at 0xffffffffffffffd6. RSP: 002b:0000000020000348 EFLAGS: 00010217 RAX: 0000000000000000 RBX: 00007fbc6419bf80 RCX: 00007fbc6407cae9 RDX: 0000000020000440 RSI: 0000000020000340 RDI: 0000000000000000 RBP: 00007fbc640c847a R08: 00000000200004c0 R09: 00000000200004c0 R10: 0000000020000480 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000000b R14: 00007fbc6419bf80 R15: 00007ffcd7434198 The buggy address belongs to stack of task syz-executor.2/5209 and is located at offset 108 in frame: dump_user_range+0x0/0x790 fs/coredump.c:482 This frame has 3 objects: [48, 56) 'pos' [80, 96) 'bvec' [112, 152) 'iter' The buggy address belongs to the virtual mapping at [ffffc90005258000, ffffc90005261000) created by: kernel_clone+0xfd/0x920 kernel/fork.c:2902 The buggy address belongs to the physical page: page:ffffea0000a3a240 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x28e89 memcg:ffff88807de94a82 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) page_type: 0xffffffff() raw: 00fff00000000000 0000000000000000 dead000000000122 0000000000000000 raw: 0000000000000000 0000000000000000 00000001ffffffff ffff88807de94a82 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x102dc2(GFP_HIGHUSER|__GFP_NOWARN|__GFP_ZERO), pid 5206, tgid 5205 (syz-executor.2), ts 249153663323, free_ts 249134397128 set_page_owner include/linux/page_owner.h:31 [inline] post_alloc_hook+0x2cf/0x340 mm/page_alloc.c:1534 prep_new_page mm/page_alloc.c:1541 [inline] get_page_from_freelist+0x98f/0x32a0 mm/page_alloc.c:3333 __alloc_pages+0x1d0/0x4a0 mm/page_alloc.c:4589 alloc_pages+0x1a9/0x270 mm/mempolicy.c:2304 vm_area_alloc_pages mm/vmalloc.c:3063 [inline] __vmalloc_area_node mm/vmalloc.c:3139 [inline] __vmalloc_node_range+0x8f3/0x1bf0 mm/vmalloc.c:3320 alloc_thread_stack_node kernel/fork.c:309 [inline] dup_task_struct kernel/fork.c:1118 [inline] copy_process+0x13e3/0x74b0 kernel/fork.c:2327 kernel_clone+0xfd/0x920 kernel/fork.c:2902 __do_sys_clone+0xba/0x100 kernel/fork.c:3045 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x63/0xcd page last free stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1134 [inline] free_unref_page_prepare+0x476/0xa40 mm/page_alloc.c:2383 free_unref_page+0x33/0x3b0 mm/page_alloc.c:2518 __unfreeze_partials+0x21d/0x240 mm/slub.c:2655 qlink_free mm/kasan/quarantine.c:166 [inline] qlist_free_all+0x6a/0x170 mm/kasan/quarantine.c:185 kasan_quarantine_reduce+0x18e/0x1d0 mm/kasan/quarantine.c:292 __kasan_slab_alloc+0x65/0x90 mm/kasan/common.c:305 kasan_slab_alloc include/linux/kasan.h:188 [inline] slab_post_alloc_hook mm/slab.h:762 [inline] slab_alloc_node mm/slub.c:3478 [inline] slab_alloc mm/slub.c:3486 [inline] __kmem_cache_alloc_lru mm/slub.c:3493 [inline] kmem_cache_alloc+0x15d/0x3a0 mm/slub.c:3502 getname_flags.part.0+0x50/0x4d0 fs/namei.c:140 getname_flags+0x9c/0xf0 include/linux/audit.h:321 user_path_at_empty+0x2c/0x60 fs/namei.c:2909 do_readlinkat+0xdd/0x2f0 fs/stat.c:490 __do_sys_readlink fs/stat.c:523 [inline] __se_sys_readlink fs/stat.c:520 [inline] __x64_sys_readlink+0x78/0xb0 fs/stat.c:520 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x63/0xcd Memory state around the buggy address: ffffc9000525f480: f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffffc9000525f500: 00 00 00 00 00 f1 f1 f1 f1 f1 f1 00 f2 f2 f2 00 >ffffc9000525f580: 00 f2 f2 00 00 00 00 00 f3 f3 f3 f3 f3 00 00 00 ^ ffffc9000525f600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffffc9000525f680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ==================================================================