==================================================================
BUG: KASAN: invalid-access in btf_name_valid_section kernel/bpf/btf.c:822 [inline]
BUG: KASAN: invalid-access in btf_datasec_check_meta+0x90/0x2fc kernel/bpf/btf.c:4582
Read at addr fdf0000006b392c0 by task syz.0.687/6031
Pointer tag: [fd], memory tag: [fa]

CPU: 0 PID: 6031 Comm: syz.0.687 Not tainted 6.10.0-rc7-syzkaller-00025-ga19ea421490d #0
Hardware name: linux,dummy-virt (DT)
Call trace:
 dump_backtrace+0x94/0xec arch/arm64/kernel/stacktrace.c:317
 show_stack+0x18/0x24 arch/arm64/kernel/stacktrace.c:324
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x78/0x90 lib/dump_stack.c:114
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x108/0x618 mm/kasan/report.c:488
 kasan_report+0x88/0xac mm/kasan/report.c:601
 report_tag_fault arch/arm64/mm/fault.c:331 [inline]
 do_tag_recovery arch/arm64/mm/fault.c:343 [inline]
 __do_kernel_fault+0x1a0/0x1dc arch/arm64/mm/fault.c:385
 do_bad_area arch/arm64/mm/fault.c:485 [inline]
 do_tag_check_fault+0x78/0x8c arch/arm64/mm/fault.c:750
 do_mem_abort+0x44/0x94 arch/arm64/mm/fault.c:826
 el1_abort+0x40/0x60 arch/arm64/kernel/entry-common.c:432
 el1h_64_sync_handler+0xd8/0xe4 arch/arm64/kernel/entry-common.c:492
 el1h_64_sync+0x64/0x68 arch/arm64/kernel/entry.S:593
 btf_name_valid_section kernel/bpf/btf.c:822 [inline]
 btf_datasec_check_meta+0x90/0x2fc kernel/bpf/btf.c:4582
 btf_check_meta kernel/bpf/btf.c:5064 [inline]
 btf_check_all_metas kernel/bpf/btf.c:5088 [inline]
 btf_parse_type_sec kernel/bpf/btf.c:5224 [inline]
 btf_parse kernel/bpf/btf.c:5616 [inline]
 btf_new_fd+0x544/0x1454 kernel/bpf/btf.c:7482
 bpf_btf_load kernel/bpf/syscall.c:5014 [inline]
 __sys_bpf+0x8c8/0x21e4 kernel/bpf/syscall.c:5733
 __do_sys_bpf kernel/bpf/syscall.c:5795 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5793 [inline]
 __arm64_sys_bpf+0x24/0x34 kernel/bpf/syscall.c:5793
 __invoke_syscall arch/arm64/kernel/syscall.c:34 [inline]
 invoke_syscall+0x48/0x118 arch/arm64/kernel/syscall.c:48
 el0_svc_common.constprop.0+0x40/0xe0 arch/arm64/kernel/syscall.c:131
 do_el0_svc+0x1c/0x28 arch/arm64/kernel/syscall.c:150
 el0_svc+0x34/0xf8 arch/arm64/kernel/entry-common.c:712
 el0t_64_sync_handler+0x100/0x12c arch/arm64/kernel/entry-common.c:730
 el0t_64_sync+0x19c/0x1a0 arch/arm64/kernel/entry.S:598

The buggy address belongs to the object at fff0000006b392c0
 which belongs to the cache kmalloc-64 of size 64
The buggy address is located 0 bytes inside of
 64-byte region [fff0000006b392c0, fff0000006b39300)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xfcf0000006b39580 pfn:0x46b39
ksm flags: 0x1ffc00000000000(node=0|zone=0|lastcpupid=0x7ff|kasantag=0x0)
page_type: 0xffffefff(slab)
raw: 01ffc00000000000 faf0000002c01600 ffffc1ffc010c040 dead000000000003
raw: fcf0000006b39580 0000000080400037 00000001ffffefff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 fff0000006b39000: fb fb fb fb f4 f4 f4 f4 fd fd fd fd f4 f4 f4 fe
 fff0000006b39100: f4 f4 f4 f4 fe fe fe fe fe fe fe fe f8 f8 f8 fe
>fff0000006b39200: f4 f4 f4 f4 f8 f8 f8 f8 fd fd fd fd fa fa fa fa
                                                       ^
 fff0000006b39300: f0 f0 f0 fe f2 f2 f2 f2 fe fe fe fe fe fe fe fe
 fff0000006b39400: f7 f7 f7 f7 f4 f4 f4 f4 f5 f5 f5 f5 f8 f8 f8 f8
==================================================================
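A triage helper for the tag-mismatch data in the report above, added here as an example; it is not part of the syzbot report or of the kernel tree, and its function names are its own. It parses the memory-state rows copied from the report, takes the pointer tag from the top byte of the faulting address (fd) and compares it with the tag of the 16-byte granule that was accessed (fa). The four granules immediately before the faulting one, fff0000006b39280 to fff0000006b392bf, carry the pointer's tag and span exactly 64 bytes, so the tags are consistent with a read one byte past the end of the preceding kmalloc-64 object rather than a use of the object that the "0 bytes inside of 64-byte region" line names. The object-boundary inference is a heuristic, since neighbouring allocations can share a random tag, and the code says so.

```python
"""Decode the tag-mismatch data of a hardware-tag (MTE) KASAN report.

Triage helper added as an example; it is not part of the syzbot report or of
the kernel tree. Function names are this script's own. The memory-state rows
and the faulting address are copied from the report above.
"""
import re

# Rows copied verbatim from "Memory state around the buggy address:".
# One byte of metadata per 16-byte granule, 16 granules (256 bytes) per row.
MEMORY_STATE = """\
 fff0000006b39000: fb fb fb fb f4 f4 f4 f4 fd fd fd fd f4 f4 f4 fe
 fff0000006b39100: f4 f4 f4 f4 fe fe fe fe fe fe fe fe f8 f8 f8 fe
>fff0000006b39200: f4 f4 f4 f4 f8 f8 f8 f8 fd fd fd fd fa fa fa fa
 fff0000006b39300: f0 f0 f0 fe f2 f2 f2 f2 fe fe fe fe fe fe fe fe
 fff0000006b39400: f7 f7 f7 f7 f4 f4 f4 f4 f5 f5 f5 f5 f8 f8 f8 f8
"""

FAULT_ADDR = 0xfdf0000006b392c0  # "Read at addr ..." line of the report
GRANULE = 16                      # bytes covered by one tag byte in the rows

ROW_RE = re.compile(r"^[> ]([0-9a-f]{16}):((?: [0-9a-f]{2}){16})$")


def parse_memory_state(text):
    """Map each row's base address to its list of 16 granule tags."""
    rows = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows[int(m.group(1), 16)] = [int(t, 16) for t in m.group(2).split()]
    return rows


def pointer_tag(addr):
    """MTE tag carried in the top byte of the tagged pointer."""
    return addr >> 56


def reset_tag(addr):
    """Address with the kernel tag 0xff, the form used in the rows."""
    return addr | (0xff << 56)


def granule_tags(rows):
    """Flatten rows into {granule_address: tag}."""
    return {base + i * GRANULE: t
            for base, tags in rows.items() for i, t in enumerate(tags)}


def memory_tag(rows, addr):
    """Tag recorded for the granule that contains addr."""
    return granule_tags(rows)[reset_tag(addr) & -GRANULE]


def preceding_run(rows, addr, tag):
    """Contiguous granules carrying `tag` that end right before addr's granule.

    Heuristic only: neighbouring allocations can share a random tag, so the
    result bounds the object the pointer was derived from, it does not prove it.
    Returns (start, end) with end exclusive, or None if no such run exists.
    """
    tags = granule_tags(rows)
    end = reset_tag(addr) & -GRANULE
    cur = end - GRANULE
    if tags.get(cur) != tag:
        return None
    while tags.get(cur - GRANULE) == tag:
        cur -= GRANULE
    return cur, end


def diagnose(rows, addr):
    """Compare pointer and memory tags and locate the likely source object."""
    ptag = pointer_tag(addr)
    mtag = memory_tag(rows, addr)
    result = {"pointer_tag": ptag, "memory_tag": mtag, "mismatch": ptag != mtag,
              "candidate_object": None, "bytes_past_end": None}
    if ptag != mtag:
        run = preceding_run(rows, addr, ptag)
        if run:
            result["candidate_object"] = run
            result["bytes_past_end"] = reset_tag(addr) - run[1]
    return result


if __name__ == "__main__":
    rows = parse_memory_state(MEMORY_STATE)
    d = diagnose(rows, FAULT_ADDR)
    print("pointer tag %02x, memory tag %02x" % (d["pointer_tag"], d["memory_tag"]))
    if d["candidate_object"]:
        s, e = d["candidate_object"]
        print("granules tagged %02x just before the access: [%x, %x), %d bytes"
              % (d["pointer_tag"], s, e, e - s))
        print("access is %d bytes past the end of that object" % d["bytes_past_end"])
```

Run as a script it prints the pointer and memory tags, the 64-byte run of fd-tagged granules ending at fff0000006b392c0, and a distance of 0 bytes past that run. The same functions work on any hardware-tag KASAN report: paste its memory-state rows into MEMORY_STATE and its "Read at addr"/"Write at addr" value into FAULT_ADDR. The candidate-object step is only a hint for reading the report; confirming which allocation the pointer came from still requires the source at the reported line.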