==================================================================
BUG: KASAN: slab-out-of-bounds in iov_iter_revert+0x1a4/0x4d4 lib/iov_iter.c:633
Read of size 4 at addr ffff000115a4fe78 by task syz.0.352/8483

CPU: 1 UID: 0 PID: 8483 Comm: syz.0.352 Not tainted 6.13.0-rc7-syzkaller-g1950a0af2d55 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
Call trace:
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:466 (C)
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0x198/0x538 mm/kasan/report.c:489
 kasan_report+0xd8/0x138 mm/kasan/report.c:602
 __asan_report_load4_noabort+0x20/0x2c mm/kasan/report_generic.c:380
 iov_iter_revert+0x1a4/0x4d4 lib/iov_iter.c:633
 p9_client_write+0x364/0x638 net/9p/client.c:1669
 v9fs_issue_write+0xe4/0x1dc fs/9p/vfs_addr.c:59
 netfs_do_issue_write fs/netfs/write_issue.c:233 [inline]
 netfs_issue_write fs/netfs/write_issue.c:262 [inline]
 netfs_end_issue_write+0x15c/0x3b0 fs/netfs/write_issue.c:530
 netfs_unbuffered_write+0x4bc/0x51c fs/netfs/write_issue.c:722
 netfs_unbuffered_write_iter_locked+0x3e8/0xa58 fs/netfs/direct_write.c:102
 netfs_unbuffered_write_iter+0x45c/0x6bc fs/netfs/direct_write.c:197
 v9fs_file_write_iter+0xa4/0xd8 fs/9p/vfs_file.c:404
 do_iter_readv_writev+0x490/0x6d4
 vfs_writev+0x410/0xbc8 fs/read_write.c:1050
 do_writev+0x178/0x304 fs/read_write.c:1096
 __do_sys_writev fs/read_write.c:1164 [inline]
 __se_sys_writev fs/read_write.c:1161 [inline]
 __arm64_sys_writev+0x80/0x94 fs/read_write.c:1161
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744
 el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600

Allocated by task 8483:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x40/0x78 mm/kasan/common.c:68
 kasan_save_alloc_info+0x40/0x50 mm/kasan/generic.c:568
 poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
 __kasan_kmalloc+0xac/0xc4 mm/kasan/common.c:394
 kasan_kmalloc include/linux/kasan.h:260 [inline]
 __kmalloc_cache_noprof+0x2cc/0x428 mm/slub.c:4329
 kmalloc_noprof include/linux/slab.h:901 [inline]
 get_mountpoint+0x228/0x434 fs/namespace.c:909
 attach_recursive_mnt+0x178/0x1910 fs/namespace.c:2470
 graft_tree fs/namespace.c:2677 [inline]
 do_add_mount fs/namespace.c:3414 [inline]
 do_new_mount_fc fs/namespace.c:3453 [inline]
 do_new_mount+0x6f8/0x900 fs/namespace.c:3513
 path_mount+0x590/0xe04 fs/namespace.c:3838
 do_mount fs/namespace.c:3851 [inline]
 __do_sys_mount fs/namespace.c:4061 [inline]
 __se_sys_mount fs/namespace.c:4038 [inline]
 __arm64_sys_mount+0x4d4/0x5ac fs/namespace.c:4038
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744
 el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600

Freed by task 8483:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x40/0x78 mm/kasan/common.c:68
 kasan_save_free_info+0x54/0x6c mm/kasan/generic.c:582
 poison_slab_object mm/kasan/common.c:247 [inline]
 __kasan_slab_free+0x64/0x8c mm/kasan/common.c:264
 kasan_slab_free include/linux/kasan.h:233 [inline]
 slab_free_hook mm/slub.c:2353 [inline]
 slab_free mm/slub.c:4613 [inline]
 kfree+0x180/0x478 mm/slub.c:4761
 __put_mountpoint fs/namespace.c:955 [inline]
 put_mountpoint fs/namespace.c:962 [inline]
 attach_recursive_mnt+0x1704/0x1910 fs/namespace.c:2536
 graft_tree fs/namespace.c:2677 [inline]
 do_add_mount fs/namespace.c:3414 [inline]
 do_new_mount_fc fs/namespace.c:3453 [inline]
 do_new_mount+0x6f8/0x900 fs/namespace.c:3513
 path_mount+0x590/0xe04 fs/namespace.c:3838
 do_mount fs/namespace.c:3851 [inline]
 __do_sys_mount fs/namespace.c:4061 [inline]
 __se_sys_mount fs/namespace.c:4038 [inline]
 __arm64_sys_mount+0x4d4/0x5ac fs/namespace.c:4038
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744
 el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600

The buggy address belongs to the object at ffff000115a4fe00
 which belongs to the cache kmalloc-64 of size 64
The buggy address is located 56 bytes to the right of
 allocated 64-byte region [ffff000115a4fe00, ffff000115a4fe40)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x155a4f
flags: 0x5ffc00000000000(node=0|zone=2|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 05ffc00000000000 ffff0000c00018c0 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000200020 00000001f5000000 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff000115a4fd00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff000115a4fd80: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
>ffff000115a4fe00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
                                                                ^
 ffff000115a4fe80: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
 ffff000115a4ff00: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
==================================================================
------------[ cut here ]------------
WARNING: CPU: 1 PID: 8483 at ./include/linux/mm.h:2250 rcu_read_unlock_sched include/linux/rcupdate.h:964 [inline]
WARNING: CPU: 1 PID: 8483 at ./include/linux/mm.h:2250 pfn_valid include/linux/mmzone.h:2050 [inline]
WARNING: CPU: 1 PID: 8483 at ./include/linux/mm.h:2250 lowmem_page_address include/linux/mm.h:2250 [inline]
WARNING: CPU: 1 PID: 8483 at ./include/linux/mm.h:2250 kmap_local_page+0x398/0x518 include/linux/highmem-internal.h:180
Modules linked in:
CPU: 1 UID: 0 PID: 8483 Comm: syz.0.352 Tainted: G B 6.13.0-rc7-syzkaller-g1950a0af2d55 #0
Tainted: [B]=BAD_PAGE
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : lowmem_page_address include/linux/rcupdate.h:964 [inline]
pc : kmap_local_page+0x398/0x518 include/linux/highmem-internal.h:180
lr : pfn_valid include/linux/mmzone.h:2042 [inline]
lr : lowmem_page_address include/linux/mm.h:2250 [inline]
lr : kmap_local_page+0x148/0x518 include/linux/highmem-internal.h:180
sp : ffff80009c976c30
x29: ffff80009c976c30 x28: ffff000115a4fe00 x27: ffff0000c2b00578
x26: ffff0000c2b00570 x25: dfff800000000000 x24: ffff80008f33c000
x23: 1ffff00011e67998 x22: 0000000000000000 x21: 0000000005680297
x20: 0000000000001f69 x19: ffff02013d64a6c0 x18: ffff80009c976be0
x17: ffff80008fa0d000 x16: ffff8000831fde74 x15: 0000000000000001
x14: 0000000000000002 x13: 0000000000000005 x12: ffff0000d5531e40
x11: 0000000000080000 x10: 0000000000028ca9 x9 : ffff8000a3509000
x8 : 0000000000028caa x7 : ffff80009c976d00 x6 : ffff800080b54644
x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffff8000831fe5b8
x2 : 0000000000000000 x1 : ffff02013d64a6c0 x0 : 0400000000000000
Call trace:
 rcu_read_unlock_sched include/linux/rcupdate.h:964 [inline] (P)
 pfn_valid include/linux/mmzone.h:2050 [inline] (P)
 lowmem_page_address include/linux/mm.h:2250 [inline] (P)
 kmap_local_page+0x398/0x518 include/linux/highmem-internal.h:180 (P)
 iterate_bvec include/linux/iov_iter.h:118 [inline]
 iterate_and_advance2 include/linux/iov_iter.h:304 [inline]
 iterate_and_advance include/linux/iov_iter.h:328 [inline]
 __copy_from_iter lib/iov_iter.c:249 [inline]
 _copy_from_iter+0x764/0x16fc lib/iov_iter.c:260
 copy_from_iter include/linux/uio.h:219 [inline]
 copy_from_iter_full include/linux/uio.h:236 [inline]
 pdu_write_u net/9p/protocol.c:234 [inline]
 p9pdu_vwritef+0x1454/0x2144 net/9p/protocol.c:614
 p9_client_prepare_req+0x950/0xf10 net/9p/client.c:651
 p9_client_rpc+0x170/0x99c net/9p/client.c:691
 p9_client_write+0x298/0x638 net/9p/client.c:1645
 v9fs_issue_write+0xe4/0x1dc fs/9p/vfs_addr.c:59
 netfs_do_issue_write fs/netfs/write_issue.c:233 [inline]
 netfs_issue_write fs/netfs/write_issue.c:262 [inline]
 netfs_end_issue_write+0x15c/0x3b0 fs/netfs/write_issue.c:530
 netfs_unbuffered_write+0x4bc/0x51c fs/netfs/write_issue.c:722
 netfs_unbuffered_write_iter_locked+0x3e8/0xa58 fs/netfs/direct_write.c:102
 netfs_unbuffered_write_iter+0x45c/0x6bc fs/netfs/direct_write.c:197
 v9fs_file_write_iter+0xa4/0xd8 fs/9p/vfs_file.c:404
 do_iter_readv_writev+0x490/0x6d4
 vfs_writev+0x410/0xbc8 fs/read_write.c:1050
 do_writev+0x178/0x304 fs/read_write.c:1096
 __do_sys_writev fs/read_write.c:1164 [inline]
 __se_sys_writev fs/read_write.c:1161 [inline]
 __arm64_sys_writev+0x80/0x94 fs/read_write.c:1161
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744
 el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600
irq event stamp: 2073
hardirqs last  enabled at (2073): [] raw_spin_rq_unlock_irq kernel/sched/sched.h:1535 [inline]
hardirqs last  enabled at (2073): [] finish_lock_switch+0xbc/0x1e4 kernel/sched/core.c:5123
hardirqs last disabled at (2072): [] __schedule+0x2bc/0x27f0 kernel/sched/core.c:6660
softirqs last  enabled at (1776): [] spin_unlock_bh include/linux/spinlock.h:396 [inline]
softirqs last  enabled at (1776): [] netfs_prepare_write fs/netfs/write_issue.c:212 [inline]
softirqs last  enabled at (1776): [] netfs_advance_write+0x5a4/0x9c8 fs/netfs/write_issue.c:291
softirqs last disabled at (1774): [] spin_lock_bh include/linux/spinlock.h:356 [inline]
softirqs last disabled at (1774): [] netfs_prepare_write fs/netfs/write_issue.c:201 [inline]
softirqs last disabled at (1774): [] netfs_advance_write+0x424/0x9c8 fs/netfs/write_issue.c:291
---[ end trace 0000000000000000 ]---
Unable to handle kernel paging request at virtual address ffff7009e3253677
KASAN: probably wild-memory-access in range [0xffff804f1929b3b8-0xffff804f1929b3bf]
Mem abort info:
  ESR = 0x0000000096000005
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
  FSC = 0x05: level 1 translation fault
Data abort info:
  ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000
  CM = 0, WnR = 0, TnD = 0, TagAccess = 0
  GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
swapper pgtable: 4k pages, 48-bit VAs, pgdp=00000001a550b000
[ffff7009e3253677] pgd=0000000000000000, p4d=000000023ea68003, pud=0000000000000000
Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP
Modules linked in:
CPU: 1 UID: 0 PID: 8483 Comm: syz.0.352 Tainted: G B W 6.13.0-rc7-syzkaller-g1950a0af2d55 #0
Tainted: [B]=BAD_PAGE, [W]=WARN
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : bytes_is_nonzero mm/kasan/generic.c:87 [inline]
pc : memory_is_nonzero mm/kasan/generic.c:104 [inline]
pc : memory_is_poisoned_n mm/kasan/generic.c:129 [inline]
pc : memory_is_poisoned mm/kasan/generic.c:161 [inline]
pc : check_region_inline mm/kasan/generic.c:180 [inline]
pc : kasan_check_range+0x78/0x2a8 mm/kasan/generic.c:189
lr : __asan_memcpy+0x3c/0x84 mm/kasan/shadow.c:105
sp : ffff80009c976c40
x29: ffff80009c976c40 x28: ffff000115a4fe00 x27: ffff0000c2b00578
x26: ffff0000c2b00570 x25: dfff800000000000 x24: ffff000115a4fe08
x23: 0000000000000001 x22: ffff8000831fe628 x21: ffff0000d5b08017
x20: ffff804f1929b3b9 x19: 0000000000000001 x18: ffff80009c976be0
x17: ffff80008fa0d000 x16: ffff8000831fde74 x15: 0000000000000001
x14: 1ffff009e3253677 x13: 0000000000000005 x12: ffffffffffffffff
x11: ffff7009e3253677 x10: 1ffff009e3253677 x9 : dfff800000000000
x8 : ffff804f1929b3b9 x7 : ffff80009c976d00 x6 : ffff800080b54644
x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffff8000831fe628
x2 : 0000000000000000 x1 : 0000000000000001 x0 : ffff804f1929b3b9
Call trace:
 bytes_is_nonzero mm/kasan/generic.c:86 [inline] (P)
 memory_is_nonzero mm/kasan/generic.c:104 [inline] (P)
 memory_is_poisoned_n mm/kasan/generic.c:129 [inline] (P)
 memory_is_poisoned mm/kasan/generic.c:161 [inline] (P)
 check_region_inline mm/kasan/generic.c:180 [inline] (P)
 kasan_check_range+0x78/0x2a8 mm/kasan/generic.c:189 (P)
 __asan_memcpy+0x3c/0x84 mm/kasan/shadow.c:105
 memcpy_from_iter lib/iov_iter.c:73 [inline]
 iterate_bvec include/linux/iov_iter.h:123 [inline]
 iterate_and_advance2 include/linux/iov_iter.h:304 [inline]
 iterate_and_advance include/linux/iov_iter.h:328 [inline]
 __copy_from_iter lib/iov_iter.c:249 [inline]
 _copy_from_iter+0x7b4/0x16fc lib/iov_iter.c:260
 copy_from_iter include/linux/uio.h:219 [inline]
 copy_from_iter_full include/linux/uio.h:236 [inline]
 pdu_write_u net/9p/protocol.c:234 [inline]
 p9pdu_vwritef+0x1454/0x2144 net/9p/protocol.c:614
 p9_client_prepare_req+0x950/0xf10 net/9p/client.c:651
 p9_client_rpc+0x170/0x99c net/9p/client.c:691
 p9_client_write+0x298/0x638 net/9p/client.c:1645
 v9fs_issue_write+0xe4/0x1dc fs/9p/vfs_addr.c:59
 netfs_do_issue_write fs/netfs/write_issue.c:233 [inline]
 netfs_issue_write fs/netfs/write_issue.c:262 [inline]
 netfs_end_issue_write+0x15c/0x3b0 fs/netfs/write_issue.c:530
 netfs_unbuffered_write+0x4bc/0x51c fs/netfs/write_issue.c:722
 netfs_unbuffered_write_iter_locked+0x3e8/0xa58 fs/netfs/direct_write.c:102
 netfs_unbuffered_write_iter+0x45c/0x6bc fs/netfs/direct_write.c:197
 v9fs_file_write_iter+0xa4/0xd8 fs/9p/vfs_file.c:404
 do_iter_readv_writev+0x490/0x6d4
 vfs_writev+0x410/0xbc8 fs/read_write.c:1050
 do_writev+0x178/0x304 fs/read_write.c:1096
 __do_sys_writev fs/read_write.c:1164 [inline]
 __se_sys_writev fs/read_write.c:1161 [inline]
 __arm64_sys_writev+0x80/0x94 fs/read_write.c:1161
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744
 el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600
Code: 5400014c b4000b8f aa2a03ec 8b0e018c (3940016d)
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:	5400014c 	b.gt	0x28
   4:	b4000b8f 	cbz	x15, 0x174
   8:	aa2a03ec 	mvn	x12, x10
   c:	8b0e018c 	add	x12, x12, x14
* 10:	3940016d 	ldrb	w13, [x11] <-- trapping instruction