================================================================== BUG: KASAN: slab-out-of-bounds in idempotent kernel/module/main.c:3078 [inline] BUG: KASAN: slab-out-of-bounds in init_module_from_file kernel/module/main.c:3124 [inline] BUG: KASAN: slab-out-of-bounds in __do_sys_finit_module kernel/module/main.c:3171 [inline] BUG: KASAN: slab-out-of-bounds in __se_sys_finit_module+0x371/0x8d0 kernel/module/main.c:3154 Read of size 8 at addr ffff888148c005d8 by task syz-executor.0/5160 CPU: 1 PID: 5160 Comm: syz-executor.0 Not tainted 6.4.0-syzkaller-10062-gf8566aa4f176 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:364 [inline] print_report+0x163/0x540 mm/kasan/report.c:475 kasan_report+0x175/0x1b0 mm/kasan/report.c:588 idempotent kernel/module/main.c:3078 [inline] init_module_from_file kernel/module/main.c:3124 [inline] __do_sys_finit_module kernel/module/main.c:3171 [inline] __se_sys_finit_module+0x371/0x8d0 kernel/module/main.c:3154 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7fad4908c389 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fad49da4168 EFLAGS: 00000246 ORIG_RAX: 0000000000000139 RAX: ffffffffffffffda RBX: 00007fad491ac050 RCX: 00007fad4908c389 RDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000004 RBP: 00007fad490d7493 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffca2379c9f R14: 00007fad49da4300 R15: 0000000000022000 Allocated by task 0: kasan_save_stack mm/kasan/common.c:45 [inline] kasan_set_track+0x4f/0x70 mm/kasan/common.c:52 __kasan_slab_alloc+0x66/0x70 mm/kasan/common.c:328 kasan_slab_alloc include/linux/kasan.h:186 [inline] slab_post_alloc_hook+0x68/0x3a0 mm/slab.h:750 slab_alloc_node mm/slub.c:3470 [inline] slab_alloc mm/slub.c:3478 [inline] __kmem_cache_alloc_lru mm/slub.c:3485 [inline] kmem_cache_alloc_lru+0x122/0x300 mm/slub.c:3501 __d_alloc+0x31/0x710 fs/dcache.c:1769 d_alloc_anon fs/dcache.c:1868 [inline] d_make_root+0x4a/0xe0 fs/dcache.c:2069 pseudo_fs_fill_super+0x27d/0x370 fs/libfs.c:339 vfs_get_super fs/super.c:1152 [inline] get_tree_nodev+0xb3/0x160 fs/super.c:1181 vfs_get_tree+0x8c/0x270 fs/super.c:1519 fc_mount fs/namespace.c:1112 [inline] vfs_kern_mount+0xbc/0x150 fs/namespace.c:1142 kern_mount+0x43/0x90 fs/namespace.c:4753 nsfs_init+0x18/0x90 fs/nsfs.c:285 start_kernel+0x44b/0x4f0 init/main.c:1057 x86_64_start_reservations+0x2a/0x30 arch/x86/kernel/head64.c:556 x86_64_start_kernel+0x99/0xa0 arch/x86/kernel/head64.c:537 secondary_startup_64_no_verify+0x168/0x16b The buggy address belongs to the object at ffff888148c00468 which belongs to the cache dentry of size 312 The buggy address is located 56 bytes to the right of allocated 312-byte region [ffff888148c00468, ffff888148c005a0) The buggy address belongs to the physical page: page:ffffea0005230000 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x148c00 head:ffffea0005230000 order:1 entire_mapcount:0 nr_pages_mapped:0 pincount:0 flags: 0x57ff00000010200(slab|head|node=1|zone=2|lastcpupid=0x7ff) page_type: 0xffffffff() raw: 057ff00000010200 ffff888140008a00 dead000000000122 0000000000000000 raw: 0000000000000000 0000000000150015 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 1, migratetype Reclaimable, gfp_mask 0x52010(__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_RECLAIMABLE), pid 0, tgid 0 (swapper/0), ts 2064643092, free_ts 0 set_page_owner include/linux/page_owner.h:31 [inline] post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1570 prep_new_page mm/page_alloc.c:1577 [inline] get_page_from_freelist+0x31e8/0x3370 mm/page_alloc.c:3221 __alloc_pages+0x255/0x670 mm/page_alloc.c:4477 alloc_page_interleave+0x22/0x1d0 mm/mempolicy.c:2112 alloc_slab_page+0x6a/0x160 mm/slub.c:1862 allocate_slab mm/slub.c:2009 [inline] new_slab+0x84/0x2f0 mm/slub.c:2062 ___slab_alloc+0xade/0x1100 mm/slub.c:3215 __slab_alloc mm/slub.c:3314 [inline] __slab_alloc_node mm/slub.c:3367 [inline] slab_alloc_node mm/slub.c:3460 [inline] slab_alloc mm/slub.c:3478 [inline] __kmem_cache_alloc_lru mm/slub.c:3485 [inline] kmem_cache_alloc_lru+0x1bf/0x300 mm/slub.c:3501 __d_alloc+0x31/0x710 fs/dcache.c:1769 d_alloc_anon fs/dcache.c:1868 [inline] d_make_root+0x4a/0xe0 fs/dcache.c:2069 shmem_fill_super+0x81a/0xbd0 mm/shmem.c:4002 vfs_get_super fs/super.c:1152 [inline] get_tree_nodev+0xb3/0x160 fs/super.c:1181 vfs_get_tree+0x8c/0x270 fs/super.c:1519 fc_mount fs/namespace.c:1112 [inline] vfs_kern_mount+0xbc/0x150 fs/namespace.c:1142 kern_mount+0x43/0x90 fs/namespace.c:4753 shmem_init+0x60/0x170 mm/shmem.c:4241 page_owner free stack trace missing Memory state around the buggy address: ffff888148c00480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff888148c00500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff888148c00580: 00 00 00 00 fc fc fc fc fc fc fc fc 00 00 00 00 ^ ffff888148c00600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff888148c00680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ==================================================================