==================================================================
BUG: KASAN: slab-out-of-bounds in mt_slot lib/maple_tree.c:816 [inline]
BUG: KASAN: slab-out-of-bounds in mas_slot lib/maple_tree.c:849 [inline]
BUG: KASAN: slab-out-of-bounds in mt_validate_nulls+0xc04/0xd10 lib/maple_tree.c:7172
Read of size 8 at addr ffff8880228f8500 by task syz-executor.3/30724
CPU: 1 PID: 30724 Comm: syz-executor.3 Not tainted 6.4.0-syzkaller-10173-ga901a3568fd2 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106
print_address_description.constprop.0+0x2c/0x3c0 mm/kasan/report.c:364
print_report mm/kasan/report.c:475 [inline]
kasan_report+0x11d/0x130 mm/kasan/report.c:588
mt_slot lib/maple_tree.c:816 [inline]
mas_slot lib/maple_tree.c:849 [inline]
mt_validate_nulls+0xc04/0xd10 lib/maple_tree.c:7172
mt_validate+0x17e3/0x4370 lib/maple_tree.c:7227
validate_mm+0x9d/0x470 mm/mmap.c:300
do_vmi_align_munmap+0x1199/0x1680 mm/mmap.c:2561
do_vmi_munmap+0x266/0x430 mm/mmap.c:2619
__vm_munmap+0x137/0x380 mm/mmap.c:2899
__do_sys_munmap mm/mmap.c:2916 [inline]
__se_sys_munmap mm/mmap.c:2913 [inline]
__x64_sys_munmap+0x62/0x80 mm/mmap.c:2913
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f8bca68c467
Code: 00 00 00 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb 85 66 2e 0f 1f 84 00 00 00 00 00 90 b8 0b 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f8bcb489f38 EFLAGS: 00000246 ORIG_RAX: 000000000000000b
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f8bca68c467
RDX: 0000000000020000 RSI: 0000000000020000 RDI: 00007f8bc0dff000
RBP: 00007f8bc0dff000 R08: 0000000000000000 R09: 00000000000014f9
R10: 0000000000020000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f8bcb489fdc R14: 00007f8bcb489fe0 R15: 0000000020002042
Allocated by task 30724:
kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
__kasan_slab_alloc+0x7f/0x90 mm/kasan/common.c:328
kasan_slab_alloc include/linux/kasan.h:186 [inline]
slab_post_alloc_hook mm/slab.h:750 [inline]
kmem_cache_alloc_bulk+0x424/0x860 mm/slub.c:4048
mt_alloc_bulk lib/maple_tree.c:164 [inline]
mas_alloc_nodes+0x341/0x8b0 lib/maple_tree.c:1304
mas_node_count_gfp lib/maple_tree.c:1362 [inline]
mas_preallocate+0x1bb/0x360 lib/maple_tree.c:5546
vma_iter_prealloc mm/internal.h:1032 [inline]
__split_vma+0x1b7/0x830 mm/mmap.c:2344
do_vmi_align_munmap+0x413/0x1680 mm/mmap.c:2477
do_vmi_munmap+0x266/0x430 mm/mmap.c:2619
__vm_munmap+0x137/0x380 mm/mmap.c:2899
__do_sys_munmap mm/mmap.c:2916 [inline]
__se_sys_munmap mm/mmap.c:2913 [inline]
__x64_sys_munmap+0x62/0x80 mm/mmap.c:2913
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Last potentially related work creation:
kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
__kasan_record_aux_stack+0xb9/0xd0 mm/kasan/generic.c:491
__call_rcu_common.constprop.0+0x99/0x7e0 kernel/rcu/tree.c:2649
ma_free_rcu lib/maple_tree.c:189 [inline]
mas_free lib/maple_tree.c:1344 [inline]
mas_replace+0x98c/0xfa0 lib/maple_tree.c:1785
mas_wr_node_store+0xcab/0x1170 lib/maple_tree.c:4151
mas_wr_modify+0x28b/0x10d0 lib/maple_tree.c:4346
mas_wr_store_entry.isra.0+0x495/0x1030 lib/maple_tree.c:4390
mas_store_prealloc+0xb3/0x270 lib/maple_tree.c:5529
vma_complete+0x8fd/0xdc0 mm/mmap.c:553
__split_vma+0x53b/0x830 mm/mmap.c:2381
split_vma+0xc6/0x110 mm/mmap.c:2409
mprotect_fixup+0x891/0xbd0 mm/mprotect.c:643
do_mprotect_pkey+0x883/0xd40 mm/mprotect.c:817
__do_sys_mprotect mm/mprotect.c:838 [inline]
__se_sys_mprotect mm/mprotect.c:835 [inline]
__x64_sys_mprotect+0x78/0xb0 mm/mprotect.c:835
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Second to last potentially related work creation:
kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
__kasan_record_aux_stack+0xb9/0xd0 mm/kasan/generic.c:491
__call_rcu_common.constprop.0+0x99/0x7e0 kernel/rcu/tree.c:2649
ma_free_rcu lib/maple_tree.c:189 [inline]
mas_free lib/maple_tree.c:1344 [inline]
mas_replace+0x98c/0xfa0 lib/maple_tree.c:1785
mas_wr_node_store+0xcab/0x1170 lib/maple_tree.c:4151
mas_wr_modify+0x28b/0x10d0 lib/maple_tree.c:4346
mas_wr_store_entry.isra.0+0x495/0x1030 lib/maple_tree.c:4390
mas_store_prealloc+0xb3/0x270 lib/maple_tree.c:5529
mmap_region+0x91c/0x2570 mm/mmap.c:2811
do_mmap+0x850/0xee0 mm/mmap.c:1362
vm_mmap_pgoff+0x1a2/0x3b0 mm/util.c:543
ksys_mmap_pgoff+0x7d/0x5b0 mm/mmap.c:1408
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
The buggy address belongs to the object at ffff8880228f8400
which belongs to the cache maple_node of size 256
The buggy address is located 0 bytes to the right of
allocated 256-byte region [ffff8880228f8400, ffff8880228f8500)
The buggy address belongs to the physical page:
page:ffffea00008a3e00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x228f8
head:ffffea00008a3e00 order:1 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000010200 ffff88801324d000 ffffea0000b1f800 dead000000000004
raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 1, migratetype Unmovable, gfp_mask 0x52800(GFP_NOWAIT|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 4667, tgid 4667 (dhcpcd), ts 25452731667, free_ts 24860157482
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x2db/0x350 mm/page_alloc.c:1570
prep_new_page mm/page_alloc.c:1577 [inline]
get_page_from_freelist+0xfed/0x2d30 mm/page_alloc.c:3221
__alloc_pages+0x1cb/0x4a0 mm/page_alloc.c:4477
alloc_pages+0x1aa/0x270 mm/mempolicy.c:2279
alloc_slab_page mm/slub.c:1862 [inline]
allocate_slab+0x25f/0x390 mm/slub.c:2009
new_slab mm/slub.c:2062 [inline]
___slab_alloc+0xbc3/0x15d0 mm/slub.c:3215
__kmem_cache_alloc_bulk mm/slub.c:3966 [inline]
kmem_cache_alloc_bulk+0x270/0x860 mm/slub.c:4041
mt_alloc_bulk lib/maple_tree.c:164 [inline]
mas_alloc_nodes+0x341/0x8b0 lib/maple_tree.c:1304
mas_node_count_gfp+0x106/0x140 lib/maple_tree.c:1362
mas_node_count lib/maple_tree.c:1376 [inline]
mas_expected_entries+0x117/0x200 lib/maple_tree.c:5656
vma_iter_bulk_alloc include/linux/mm.h:898 [inline]
dup_mmap+0x4e4/0x19b0 kernel/fork.c:681
dup_mm kernel/fork.c:1688 [inline]
copy_mm kernel/fork.c:1737 [inline]
copy_process+0x6663/0x75c0 kernel/fork.c:2503
kernel_clone+0xeb/0x890 kernel/fork.c:2911
__do_sys_clone+0xba/0x100 kernel/fork.c:3054
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1161 [inline]
free_unref_page_prepare+0x62e/0xcb0 mm/page_alloc.c:2348
free_unref_page+0x33/0x370 mm/page_alloc.c:2443
__unfreeze_partials+0x1fe/0x220 mm/slub.c:2647
qlink_free mm/kasan/quarantine.c:166 [inline]
qlist_free_all+0x6a/0x170 mm/kasan/quarantine.c:185
kasan_quarantine_reduce+0x195/0x220 mm/kasan/quarantine.c:292
__kasan_slab_alloc+0x63/0x90 mm/kasan/common.c:305
kasan_slab_alloc include/linux/kasan.h:186 [inline]
slab_post_alloc_hook mm/slab.h:750 [inline]
slab_alloc_node mm/slub.c:3470 [inline]
slab_alloc mm/slub.c:3478 [inline]
__kmem_cache_alloc_lru mm/slub.c:3485 [inline]
kmem_cache_alloc+0x16c/0x380 mm/slub.c:3494
getname_flags.part.0+0x50/0x4f0 fs/namei.c:140
getname_flags+0x9e/0xe0 include/linux/audit.h:319
vfs_fstatat+0x77/0xb0 fs/stat.c:275
__do_sys_newfstatat+0x8a/0x110 fs/stat.c:446
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Memory state around the buggy address:
ffff8880228f8400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8880228f8480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8880228f8500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff8880228f8580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8880228f8600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
==================================================================
BUG: KASAN: slab-out-of-bounds in mt_slot lib/maple_tree.c:816 [inline]
BUG: KASAN: slab-out-of-bounds in mas_slot lib/maple_tree.c:849 [inline]
BUG: KASAN: slab-out-of-bounds in mt_validate_nulls+0xc04/0xd10 lib/maple_tree.c:7172
Read of size 8 at addr ffff8880228f8508 by task syz-executor.3/30724
CPU: 0 PID: 30724 Comm: syz-executor.3 Tainted: G B 6.4.0-syzkaller-10173-ga901a3568fd2 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106
print_address_description.constprop.0+0x2c/0x3c0 mm/kasan/report.c:364
print_report mm/kasan/report.c:475 [inline]
kasan_report+0x11d/0x130 mm/kasan/report.c:588
mt_slot lib/maple_tree.c:816 [inline]
mas_slot lib/maple_tree.c:849 [inline]
mt_validate_nulls+0xc04/0xd10 lib/maple_tree.c:7172
mt_validate+0x17e3/0x4370 lib/maple_tree.c:7227
validate_mm+0x9d/0x470 mm/mmap.c:300
do_vmi_align_munmap+0x1199/0x1680 mm/mmap.c:2561
do_vmi_munmap+0x266/0x430 mm/mmap.c:2619
__vm_munmap+0x137/0x380 mm/mmap.c:2899
__do_sys_munmap mm/mmap.c:2916 [inline]
__se_sys_munmap mm/mmap.c:2913 [inline]
__x64_sys_munmap+0x62/0x80 mm/mmap.c:2913
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f8bca68c467
Code: 00 00 00 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb 85 66 2e 0f 1f 84 00 00 00 00 00 90 b8 0b 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f8bcb489f38 EFLAGS: 00000246 ORIG_RAX: 000000000000000b
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f8bca68c467
RDX: 0000000000020000 RSI: 0000000000020000 RDI: 00007f8bc0dff000
RBP: 00007f8bc0dff000 R08: 0000000000000000 R09: 00000000000014f9
R10: 0000000000020000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f8bcb489fdc R14: 00007f8bcb489fe0 R15: 0000000020002042
Allocated by task 30724:
kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
__kasan_slab_alloc+0x7f/0x90 mm/kasan/common.c:328
kasan_slab_alloc include/linux/kasan.h:186 [inline]
slab_post_alloc_hook mm/slab.h:750 [inline]
kmem_cache_alloc_bulk+0x424/0x860 mm/slub.c:4048
mt_alloc_bulk lib/maple_tree.c:164 [inline]
mas_alloc_nodes+0x341/0x8b0 lib/maple_tree.c:1304
mas_node_count_gfp lib/maple_tree.c:1362 [inline]
mas_preallocate+0x1bb/0x360 lib/maple_tree.c:5546
vma_iter_prealloc mm/internal.h:1032 [inline]
__split_vma+0x1b7/0x830 mm/mmap.c:2344
do_vmi_align_munmap+0x413/0x1680 mm/mmap.c:2477
do_vmi_munmap+0x266/0x430 mm/mmap.c:2619
__vm_munmap+0x137/0x380 mm/mmap.c:2899
__do_sys_munmap mm/mmap.c:2916 [inline]
__se_sys_munmap mm/mmap.c:2913 [inline]
__x64_sys_munmap+0x62/0x80 mm/mmap.c:2913
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Last potentially related work creation:
kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
__kasan_record_aux_stack+0xb9/0xd0 mm/kasan/generic.c:491
__call_rcu_common.constprop.0+0x99/0x7e0 kernel/rcu/tree.c:2649
ma_free_rcu lib/maple_tree.c:189 [inline]
mas_free lib/maple_tree.c:1344 [inline]
mas_replace+0x98c/0xfa0 lib/maple_tree.c:1785
mas_wr_node_store+0xcab/0x1170 lib/maple_tree.c:4151
mas_wr_modify+0x28b/0x10d0 lib/maple_tree.c:4346
mas_wr_store_entry.isra.0+0x495/0x1030 lib/maple_tree.c:4390
mas_store_prealloc+0xb3/0x270 lib/maple_tree.c:5529
vma_complete+0x8fd/0xdc0 mm/mmap.c:553
__split_vma+0x53b/0x830 mm/mmap.c:2381
split_vma+0xc6/0x110 mm/mmap.c:2409
mprotect_fixup+0x891/0xbd0 mm/mprotect.c:643
do_mprotect_pkey+0x883/0xd40 mm/mprotect.c:817
__do_sys_mprotect mm/mprotect.c:838 [inline]
__se_sys_mprotect mm/mprotect.c:835 [inline]
__x64_sys_mprotect+0x78/0xb0 mm/mprotect.c:835
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Second to last potentially related work creation:
kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
__kasan_record_aux_stack+0xb9/0xd0 mm/kasan/generic.c:491
__call_rcu_common.constprop.0+0x99/0x7e0 kernel/rcu/tree.c:2649
ma_free_rcu lib/maple_tree.c:189 [inline]
mas_free lib/maple_tree.c:1344 [inline]
mas_replace+0x98c/0xfa0 lib/maple_tree.c:1785
mas_wr_node_store+0xcab/0x1170 lib/maple_tree.c:4151
mas_wr_modify+0x28b/0x10d0 lib/maple_tree.c:4346
mas_wr_store_entry.isra.0+0x495/0x1030 lib/maple_tree.c:4390
mas_store_prealloc+0xb3/0x270 lib/maple_tree.c:5529
mmap_region+0x91c/0x2570 mm/mmap.c:2811
do_mmap+0x850/0xee0 mm/mmap.c:1362
vm_mmap_pgoff+0x1a2/0x3b0 mm/util.c:543
ksys_mmap_pgoff+0x7d/0x5b0 mm/mmap.c:1408
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
The buggy address belongs to the object at ffff8880228f8400
which belongs to the cache maple_node of size 256
The buggy address is located 8 bytes to the right of
allocated 256-byte region [ffff8880228f8400, ffff8880228f8500)
The buggy address belongs to the physical page:
page:ffffea00008a3e00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x228f8
head:ffffea00008a3e00 order:1 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000010200 ffff88801324d000 ffffea0000b1f800 dead000000000004
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 1, migratetype Unmovable, gfp_mask 0x52800(GFP_NOWAIT|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 4667, tgid 4667 (dhcpcd), ts 25452731667, free_ts 24860157482
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x2db/0x350 mm/page_alloc.c:1570
prep_new_page mm/page_alloc.c:1577 [inline]
get_page_from_freelist+0xfed/0x2d30 mm/page_alloc.c:3221
__alloc_pages+0x1cb/0x4a0 mm/page_alloc.c:4477
alloc_pages+0x1aa/0x270 mm/mempolicy.c:2279
alloc_slab_page mm/slub.c:1862 [inline]
allocate_slab+0x25f/0x390 mm/slub.c:2009
new_slab mm/slub.c:2062 [inline]
___slab_alloc+0xbc3/0x15d0 mm/slub.c:3215
__kmem_cache_alloc_bulk mm/slub.c:3966 [inline]
kmem_cache_alloc_bulk+0x270/0x860 mm/slub.c:4041
mt_alloc_bulk lib/maple_tree.c:164 [inline]
mas_alloc_nodes+0x341/0x8b0 lib/maple_tree.c:1304
mas_node_count_gfp+0x106/0x140 lib/maple_tree.c:1362
mas_node_count lib/maple_tree.c:1376 [inline]
mas_expected_entries+0x117/0x200 lib/maple_tree.c:5656
vma_iter_bulk_alloc include/linux/mm.h:898 [inline]
dup_mmap+0x4e4/0x19b0 kernel/fork.c:681
dup_mm kernel/fork.c:1688 [inline]
copy_mm kernel/fork.c:1737 [inline]
copy_process+0x6663/0x75c0 kernel/fork.c:2503
kernel_clone+0xeb/0x890 kernel/fork.c:2911
__do_sys_clone+0xba/0x100 kernel/fork.c:3054
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1161 [inline]
free_unref_page_prepare+0x62e/0xcb0 mm/page_alloc.c:2348
free_unref_page+0x33/0x370 mm/page_alloc.c:2443
__unfreeze_partials+0x1fe/0x220 mm/slub.c:2647
qlink_free mm/kasan/quarantine.c:166 [inline]
qlist_free_all+0x6a/0x170 mm/kasan/quarantine.c:185
kasan_quarantine_reduce+0x195/0x220 mm/kasan/quarantine.c:292
__kasan_slab_alloc+0x63/0x90 mm/kasan/common.c:305
kasan_slab_alloc include/linux/kasan.h:186 [inline]
slab_post_alloc_hook mm/slab.h:750 [inline]
slab_alloc_node mm/slub.c:3470 [inline]
slab_alloc mm/slub.c:3478 [inline]
__kmem_cache_alloc_lru mm/slub.c:3485 [inline]
kmem_cache_alloc+0x16c/0x380 mm/slub.c:3494
getname_flags.part.0+0x50/0x4f0 fs/namei.c:140
getname_flags+0x9e/0xe0 include/linux/audit.h:319
vfs_fstatat+0x77/0xb0 fs/stat.c:275
__do_sys_newfstatat+0x8a/0x110 fs/stat.c:446
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Memory state around the buggy address:
ffff8880228f8400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8880228f8480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8880228f8500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff8880228f8580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8880228f8600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
==================================================================
BUG: KASAN: slab-out-of-bounds in mt_slot lib/maple_tree.c:816 [inline]
BUG: KASAN: slab-out-of-bounds in mas_slot lib/maple_tree.c:849 [inline]
BUG: KASAN: slab-out-of-bounds in mt_validate_nulls+0xc04/0xd10 lib/maple_tree.c:7172
Read of size 8 at addr ffff8880228f8510 by task syz-executor.3/30724
CPU: 0 PID: 30724 Comm: syz-executor.3 Tainted: G B 6.4.0-syzkaller-10173-ga901a3568fd2 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106
print_address_description.constprop.0+0x2c/0x3c0 mm/kasan/report.c:364
print_report mm/kasan/report.c:475 [inline]
kasan_report+0x11d/0x130 mm/kasan/report.c:588
mt_slot lib/maple_tree.c:816 [inline]
mas_slot lib/maple_tree.c:849 [inline]
mt_validate_nulls+0xc04/0xd10 lib/maple_tree.c:7172
mt_validate+0x17e3/0x4370 lib/maple_tree.c:7227
validate_mm+0x9d/0x470 mm/mmap.c:300
do_vmi_align_munmap+0x1199/0x1680 mm/mmap.c:2561
do_vmi_munmap+0x266/0x430 mm/mmap.c:2619
__vm_munmap+0x137/0x380 mm/mmap.c:2899
__do_sys_munmap mm/mmap.c:2916 [inline]
__se_sys_munmap mm/mmap.c:2913 [inline]
__x64_sys_munmap+0x62/0x80 mm/mmap.c:2913
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f8bca68c467
Code: 00 00 00 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb 85 66 2e 0f 1f 84 00 00 00 00 00 90 b8 0b 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f8bcb489f38 EFLAGS: 00000246 ORIG_RAX: 000000000000000b
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f8bca68c467
RDX: 0000000000020000 RSI: 0000000000020000 RDI: 00007f8bc0dff000
RBP: 00007f8bc0dff000 R08: 0000000000000000 R09: 00000000000014f9
R10: 0000000000020000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f8bcb489fdc R14: 00007f8bcb489fe0 R15: 0000000020002042
Allocated by task 30724:
kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
__kasan_slab_alloc+0x7f/0x90 mm/kasan/common.c:328
kasan_slab_alloc include/linux/kasan.h:186 [inline]
slab_post_alloc_hook mm/slab.h:750 [inline]
kmem_cache_alloc_bulk+0x424/0x860 mm/slub.c:4048
mt_alloc_bulk lib/maple_tree.c:164 [inline]
mas_alloc_nodes+0x341/0x8b0 lib/maple_tree.c:1304
mas_node_count_gfp lib/maple_tree.c:1362 [inline]
mas_preallocate+0x1bb/0x360 lib/maple_tree.c:5546
vma_iter_prealloc mm/internal.h:1032 [inline]
__split_vma+0x1b7/0x830 mm/mmap.c:2344
do_vmi_align_munmap+0x413/0x1680 mm/mmap.c:2477
do_vmi_munmap+0x266/0x430 mm/mmap.c:2619
__vm_munmap+0x137/0x380 mm/mmap.c:2899
__do_sys_munmap mm/mmap.c:2916 [inline]
__se_sys_munmap mm/mmap.c:2913 [inline]
__x64_sys_munmap+0x62/0x80 mm/mmap.c:2913
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Last potentially related work creation:
kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
__kasan_record_aux_stack+0xb9/0xd0 mm/kasan/generic.c:491
__call_rcu_common.constprop.0+0x99/0x7e0 kernel/rcu/tree.c:2649
ma_free_rcu lib/maple_tree.c:189 [inline]
mas_free lib/maple_tree.c:1344 [inline]
mas_replace+0x98c/0xfa0 lib/maple_tree.c:1785
mas_wr_node_store+0xcab/0x1170 lib/maple_tree.c:4151
mas_wr_modify+0x28b/0x10d0 lib/maple_tree.c:4346
mas_wr_store_entry.isra.0+0x495/0x1030 lib/maple_tree.c:4390
mas_store_prealloc+0xb3/0x270 lib/maple_tree.c:5529
vma_complete+0x8fd/0xdc0 mm/mmap.c:553
__split_vma+0x53b/0x830 mm/mmap.c:2381
split_vma+0xc6/0x110 mm/mmap.c:2409
mprotect_fixup+0x891/0xbd0 mm/mprotect.c:643
do_mprotect_pkey+0x883/0xd40 mm/mprotect.c:817
__do_sys_mprotect mm/mprotect.c:838 [inline]
__se_sys_mprotect mm/mprotect.c:835 [inline]
__x64_sys_mprotect+0x78/0xb0 mm/mprotect.c:835
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Second to last potentially related work creation:
kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
__kasan_record_aux_stack+0xb9/0xd0 mm/kasan/generic.c:491
__call_rcu_common.constprop.0+0x99/0x7e0 kernel/rcu/tree.c:2649
ma_free_rcu lib/maple_tree.c:189 [inline]
mas_free lib/maple_tree.c:1344 [inline]
mas_replace+0x98c/0xfa0 lib/maple_tree.c:1785
mas_wr_node_store+0xcab/0x1170 lib/maple_tree.c:4151
mas_wr_modify+0x28b/0x10d0 lib/maple_tree.c:4346
mas_wr_store_entry.isra.0+0x495/0x1030 lib/maple_tree.c:4390
mas_store_prealloc+0xb3/0x270 lib/maple_tree.c:5529
mmap_region+0x91c/0x2570 mm/mmap.c:2811
do_mmap+0x850/0xee0 mm/mmap.c:1362
vm_mmap_pgoff+0x1a2/0x3b0 mm/util.c:543
ksys_mmap_pgoff+0x7d/0x5b0 mm/mmap.c:1408
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
The buggy address belongs to the object at ffff8880228f8400
which belongs to the cache maple_node of size 256
The buggy address is located 16 bytes to the right of
allocated 256-byte region [ffff8880228f8400, ffff8880228f8500)
The buggy address belongs to the physical page:
page:ffffea00008a3e00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x228f8
head:ffffea00008a3e00 order:1 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000010200 ffff88801324d000 ffffea0000b1f800 dead000000000004
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 1, migratetype Unmovable, gfp_mask 0x52800(GFP_NOWAIT|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 4667, tgid 4667 (dhcpcd), ts 25452731667, free_ts 24860157482
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x2db/0x350 mm/page_alloc.c:1570
prep_new_page mm/page_alloc.c:1577 [inline]
get_page_from_freelist+0xfed/0x2d30 mm/page_alloc.c:3221
__alloc_pages+0x1cb/0x4a0 mm/page_alloc.c:4477
alloc_pages+0x1aa/0x270 mm/mempolicy.c:2279
alloc_slab_page mm/slub.c:1862 [inline]
allocate_slab+0x25f/0x390 mm/slub.c:2009
new_slab mm/slub.c:2062 [inline]
___slab_alloc+0xbc3/0x15d0 mm/slub.c:3215
__kmem_cache_alloc_bulk mm/slub.c:3966 [inline]
kmem_cache_alloc_bulk+0x270/0x860 mm/slub.c:4041
mt_alloc_bulk lib/maple_tree.c:164 [inline]
mas_alloc_nodes+0x341/0x8b0 lib/maple_tree.c:1304
mas_node_count_gfp+0x106/0x140 lib/maple_tree.c:1362
mas_node_count lib/maple_tree.c:1376 [inline]
mas_expected_entries+0x117/0x200 lib/maple_tree.c:5656
vma_iter_bulk_alloc include/linux/mm.h:898 [inline]
dup_mmap+0x4e4/0x19b0 kernel/fork.c:681
dup_mm kernel/fork.c:1688 [inline]
copy_mm kernel/fork.c:1737 [inline]
copy_process+0x6663/0x75c0 kernel/fork.c:2503
kernel_clone+0xeb/0x890 kernel/fork.c:2911
__do_sys_clone+0xba/0x100 kernel/fork.c:3054
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1161 [inline]
free_unref_page_prepare+0x62e/0xcb0 mm/page_alloc.c:2348
free_unref_page+0x33/0x370 mm/page_alloc.c:2443
__unfreeze_partials+0x1fe/0x220 mm/slub.c:2647
qlink_free mm/kasan/quarantine.c:166 [inline]
qlist_free_all+0x6a/0x170 mm/kasan/quarantine.c:185
kasan_quarantine_reduce+0x195/0x220 mm/kasan/quarantine.c:292
__kasan_slab_alloc+0x63/0x90 mm/kasan/common.c:305
kasan_slab_alloc include/linux/kasan.h:186 [inline]
slab_post_alloc_hook mm/slab.h:750 [inline]
slab_alloc_node mm/slub.c:3470 [inline]
slab_alloc mm/slub.c:3478 [inline]
__kmem_cache_alloc_lru mm/slub.c:3485 [inline]
kmem_cache_alloc+0x16c/0x380 mm/slub.c:3494
getname_flags.part.0+0x50/0x4f0 fs/namei.c:140
getname_flags+0x9e/0xe0 include/linux/audit.h:319
vfs_fstatat+0x77/0xb0 fs/stat.c:275
__do_sys_newfstatat+0x8a/0x110 fs/stat.c:446
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Memory state around the buggy address:
ffff8880228f8400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8880228f8480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8880228f8500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff8880228f8580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8880228f8600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
==================================================================
BUG: KASAN: slab-out-of-bounds in mt_slot lib/maple_tree.c:816 [inline]
BUG: KASAN: slab-out-of-bounds in mas_slot lib/maple_tree.c:849 [inline]
BUG: KASAN: slab-out-of-bounds in mt_validate_nulls+0xc04/0xd10 lib/maple_tree.c:7172
Read of size 8 at addr ffff8880228f8518 by task syz-executor.3/30724
CPU: 1 PID: 30724 Comm: syz-executor.3 Tainted: G B 6.4.0-syzkaller-10173-ga901a3568fd2 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106
print_address_description.constprop.0+0x2c/0x3c0 mm/kasan/report.c:364
print_report mm/kasan/report.c:475 [inline]
kasan_report+0x11d/0x130 mm/kasan/report.c:588
mt_slot lib/maple_tree.c:816 [inline]
mas_slot lib/maple_tree.c:849 [inline]
mt_validate_nulls+0xc04/0xd10 lib/maple_tree.c:7172
mt_validate+0x17e3/0x4370 lib/maple_tree.c:7227
validate_mm+0x9d/0x470 mm/mmap.c:300
do_vmi_align_munmap+0x1199/0x1680 mm/mmap.c:2561
do_vmi_munmap+0x266/0x430 mm/mmap.c:2619
__vm_munmap+0x137/0x380 mm/mmap.c:2899
__do_sys_munmap mm/mmap.c:2916 [inline]
__se_sys_munmap mm/mmap.c:2913 [inline]
__x64_sys_munmap+0x62/0x80 mm/mmap.c:2913
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f8bca68c467
Code: 00 00 00 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb 85 66 2e 0f 1f 84 00 00 00 00 00 90 b8 0b 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f8bcb489f38 EFLAGS: 00000246 ORIG_RAX: 000000000000000b
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f8bca68c467
RDX: 0000000000020000 RSI: 0000000000020000 RDI: 00007f8bc0dff000
RBP: 00007f8bc0dff000 R08: 0000000000000000 R09: 00000000000014f9
R10: 0000000000020000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f8bcb489fdc R14: 00007f8bcb489fe0 R15: 0000000020002042
Allocated by task 30724:
kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
__kasan_slab_alloc+0x7f/0x90 mm/kasan/common.c:328
kasan_slab_alloc include/linux/kasan.h:186 [inline]
slab_post_alloc_hook mm/slab.h:750 [inline]
kmem_cache_alloc_bulk+0x424/0x860 mm/slub.c:4048
mt_alloc_bulk lib/maple_tree.c:164 [inline]
mas_alloc_nodes+0x341/0x8b0 lib/maple_tree.c:1304
mas_node_count_gfp lib/maple_tree.c:1362 [inline]
mas_preallocate+0x1bb/0x360 lib/maple_tree.c:5546
vma_iter_prealloc mm/internal.h:1032 [inline]
__split_vma+0x1b7/0x830 mm/mmap.c:2344
do_vmi_align_munmap+0x413/0x1680 mm/mmap.c:2477
do_vmi_munmap+0x266/0x430 mm/mmap.c:2619
__vm_munmap+0x137/0x380 mm/mmap.c:2899
__do_sys_munmap mm/mmap.c:2916 [inline]
__se_sys_munmap mm/mmap.c:2913 [inline]
__x64_sys_munmap+0x62/0x80 mm/mmap.c:2913
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Last potentially related work creation:
kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
__kasan_record_aux_stack+0xb9/0xd0 mm/kasan/generic.c:491
__call_rcu_common.constprop.0+0x99/0x7e0 kernel/rcu/tree.c:2649
ma_free_rcu lib/maple_tree.c:189 [inline]
mas_free lib/maple_tree.c:1344 [inline]
mas_replace+0x98c/0xfa0 lib/maple_tree.c:1785
mas_wr_node_store+0xcab/0x1170 lib/maple_tree.c:4151
mas_wr_modify+0x28b/0x10d0 lib/maple_tree.c:4346
mas_wr_store_entry.isra.0+0x495/0x1030 lib/maple_tree.c:4390
mas_store_prealloc+0xb3/0x270 lib/maple_tree.c:5529
vma_complete+0x8fd/0xdc0 mm/mmap.c:553
__split_vma+0x53b/0x830 mm/mmap.c:2381
split_vma+0xc6/0x110 mm/mmap.c:2409
mprotect_fixup+0x891/0xbd0 mm/mprotect.c:643
do_mprotect_pkey+0x883/0xd40 mm/mprotect.c:817
__do_sys_mprotect mm/mprotect.c:838 [inline]
__se_sys_mprotect mm/mprotect.c:835 [inline]
__x64_sys_mprotect+0x78/0xb0 mm/mprotect.c:835
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Second to last potentially related work creation:
kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
__kasan_record_aux_stack+0xb9/0xd0 mm/kasan/generic.c:491
__call_rcu_common.constprop.0+0x99/0x7e0 kernel/rcu/tree.c:2649
ma_free_rcu lib/maple_tree.c:189 [inline]
mas_free lib/maple_tree.c:1344 [inline]
mas_replace+0x98c/0xfa0 lib/maple_tree.c:1785
mas_wr_node_store+0xcab/0x1170 lib/maple_tree.c:4151
mas_wr_modify+0x28b/0x10d0 lib/maple_tree.c:4346
mas_wr_store_entry.isra.0+0x495/0x1030 lib/maple_tree.c:4390
mas_store_prealloc+0xb3/0x270 lib/maple_tree.c:5529
mmap_region+0x91c/0x2570 mm/mmap.c:2811
do_mmap+0x850/0xee0 mm/mmap.c:1362
vm_mmap_pgoff+0x1a2/0x3b0 mm/util.c:543
ksys_mmap_pgoff+0x7d/0x5b0 mm/mmap.c:1408
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
The buggy address belongs to the object at ffff8880228f8400
which belongs to the cache maple_node of size 256
The buggy address is located 24 bytes to the right of
allocated 256-byte region [ffff8880228f8400, ffff8880228f8500)
The buggy address belongs to the physical page:
page:ffffea00008a3e00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x228f8
head:ffffea00008a3e00 order:1 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000010200 ffff88801324d000 ffffea0000b1f800 dead000000000004
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 1, migratetype Unmovable, gfp_mask 0x52800(GFP_NOWAIT|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 4667, tgid 4667 (dhcpcd), ts 25452731667, free_ts 24860157482
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x2db/0x350 mm/page_alloc.c:1570
prep_new_page mm/page_alloc.c:1577 [inline]
get_page_from_freelist+0xfed/0x2d30 mm/page_alloc.c:3221
__alloc_pages+0x1cb/0x4a0 mm/page_alloc.c:4477
alloc_pages+0x1aa/0x270 mm/mempolicy.c:2279
alloc_slab_page mm/slub.c:1862 [inline]
allocate_slab+0x25f/0x390 mm/slub.c:2009
new_slab mm/slub.c:2062 [inline]
___slab_alloc+0xbc3/0x15d0 mm/slub.c:3215
__kmem_cache_alloc_bulk mm/slub.c:3966 [inline]
kmem_cache_alloc_bulk+0x270/0x860 mm/slub.c:4041
mt_alloc_bulk lib/maple_tree.c:164 [inline]
mas_alloc_nodes+0x341/0x8b0 lib/maple_tree.c:1304
mas_node_count_gfp+0x106/0x140 lib/maple_tree.c:1362
mas_node_count lib/maple_tree.c:1376 [inline]
mas_expected_entries+0x117/0x200 lib/maple_tree.c:5656
vma_iter_bulk_alloc include/linux/mm.h:898 [inline]
dup_mmap+0x4e4/0x19b0 kernel/fork.c:681
dup_mm kernel/fork.c:1688 [inline]
copy_mm kernel/fork.c:1737 [inline]
copy_process+0x6663/0x75c0 kernel/fork.c:2503
kernel_clone+0xeb/0x890 kernel/fork.c:2911
__do_sys_clone+0xba/0x100 kernel/fork.c:3054
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1161 [inline]
free_unref_page_prepare+0x62e/0xcb0 mm/page_alloc.c:2348
free_unref_page+0x33/0x370 mm/page_alloc.c:2443
__unfreeze_partials+0x1fe/0x220 mm/slub.c:2647
qlink_free mm/kasan/quarantine.c:166 [inline]
qlist_free_all+0x6a/0x170 mm/kasan/quarantine.c:185
kasan_quarantine_reduce+0x195/0x220 mm/kasan/quarantine.c:292
__kasan_slab_alloc+0x63/0x90 mm/kasan/common.c:305
kasan_slab_alloc include/linux/kasan.h:186 [inline]
slab_post_alloc_hook mm/slab.h:750 [inline]
slab_alloc_node mm/slub.c:3470 [inline]
slab_alloc mm/slub.c:3478 [inline]
__kmem_cache_alloc_lru mm/slub.c:3485 [inline]
kmem_cache_alloc+0x16c/0x380 mm/slub.c:3494
getname_flags.part.0+0x50/0x4f0 fs/namei.c:140
getname_flags+0x9e/0xe0 include/linux/audit.h:319
vfs_fstatat+0x77/0xb0 fs/stat.c:275
__do_sys_newfstatat+0x8a/0x110 fs/stat.c:446
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Memory state around the buggy address:
ffff8880228f8400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8880228f8480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8880228f8500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff8880228f8580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8880228f8600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
Sequential nulls end at ffff8880228f8400[19]
BUG at mt_validate_nulls:7177 (1)
maple_tree(ffff888015f05f40) flags 30B, height 2 root ffff88802c8aa41e
0-ffffffffffffffff: node ffff88802c8aa400 depth 0 type 3 parent ffff888015f05f41 contents: 93708290682880 16384 18446603339339005952 0 0 0 0 0 0 0 | 02 02| ffff8880408e760c 140238366179327 ffff88802c8aa00c 140238385954815 ffff88802c8aa20c 18446744073709551615 0000000000000000 0 0000000000000000 0 0000000000000000 0 0000000000000000 0 0000000000000000 0 0000000000000000 0 0000000000000000
0-7f8bc9ffffff: node ffff8880408e7600 depth 1 type 1 parent ffff88802c8aa406 contents: 0000000000000000 1FFFEFFF ffff888027a62100 1FFFFFFF ffff888027a62400 20FFFFFF ffff888027a62f00 21000FFF 0000000000000000 1B2DA1FFFF ffff888027a62600 1B2DA5FFFF 0000000000000000 55555706EFFF ffff888027a62500 555557090FFF 0000000000000000 7F8BC0E1EFFF ffff88801f749c00 7F8BC91FEFFF ffff888027a62e00 7F8BC91FFFFF ffff888027a62800 7F8BC99FFFFF ffff888027a62000 7F8BC9BFFFFF ffff888027a62700 7F8BC9DFFFFF ffff888027a62d00 7F8BC9FFFFFF 000000000000000e
0-1fffefff: 0000000000000000
1ffff000-1fffffff: ffff888027a62100
20000000-20ffffff: ffff888027a62400
21000000-21000fff: ffff888027a62f00
21001000-1b2da1ffff: 0000000000000000
1b2da20000-1b2da5ffff: ffff888027a62600
1b2da60000-55555706efff: 0000000000000000
55555706f000-555557090fff: ffff888027a62500
555557091000-7f8bc0e1efff: 0000000000000000
7f8bc0e1f000-7f8bc91fefff: ffff88801f749c00
7f8bc91ff000-7f8bc91fffff: ffff888027a62e00
7f8bc9200000-7f8bc99fffff: ffff888027a62800
7f8bc9a00000-7f8bc9bfffff: ffff888027a62000
7f8bc9c00000-7f8bc9dfffff: ffff888027a62700
7f8bc9e00000-7f8bc9ffffff: ffff888027a62d00
7f8bca000000-7f8bcb2dbfff: node ffff88802c8aa000 depth 1 type 1 parent ffff88802c8aa40e contents: ffff888027b85f00 7F8BCA1FFFFF ffff888027fc7500 7F8BCA5FFFFF ffff888027fc7300 7F8BCA623FFF ffff88802bef3600 7F8BCA6D5FFF ffff88802bef3900 7F8BCA728FFF ffff88802bef3000 7F8BCA782FFF ffff88802bef3f00 7F8BCA78BFFF 0000000000000000 7F8BCA78FFFF ffff88802bef3700 7F8BCB2DBFFF 0000000000000000 0 0000000000000000 0 0000000000000000 0 0000000000000000 0 0000000000000000 0 0000000000000000 0 0000000000000008
7f8bca000000-7f8bca1fffff: ffff888027b85f00
7f8bca200000-7f8bca5fffff: ffff888027fc7500
7f8bca600000-7f8bca623fff: ffff888027fc7300
7f8bca624000-7f8bca6d5fff: ffff88802bef3600
7f8bca6d6000-7f8bca728fff: ffff88802bef3900
7f8bca729000-7f8bca782fff: ffff88802bef3000
7f8bca783000-7f8bca78bfff: ffff88802bef3f00
7f8bca78c000-7f8bca78ffff: 0000000000000000
7f8bca790000-7f8bcb2dbfff: ffff88802bef3700
7f8bcb2dc000-ffffffffffffffff: node ffff88802c8aa200 depth 1 type 1 parent ffff88802c8aa416 contents: 0000000000000000 7F8BCB406FFF ffff88807a74ba00 7F8BCB407FFF ffff88807a74b000 7F8BCB427FFF ffff888021dd6f00 7F8BCB428FFF ffff88807a74b300 7F8BCB448FFF ffff88807a74b700 7F8BCB449FFF ffff88807a74b900 7F8BCB469FFF ffff88807a74b600 7F8BCB46AFFF ffff88807a74bc00 7F8BCB48AFFF 0000000000000000 7FFF46251FFF ffff88802bef3100 7FFF46272FFF 0000000000000000 7FFF46299FFF ffff88802bef3c00 7FFF4629DFFF ffff88802bef3400 7FFF4629FFFF 0000000000000000 FFFFFFFFFFFFFFFF 000000000000000e
7f8bcb2dc000-7f8bcb406fff: 0000000000000000
7f8bcb407000-7f8bcb407fff: ffff88807a74ba00
7f8bcb408000-7f8bcb427fff: ffff88807a74b000
7f8bcb428000-7f8bcb428fff: ffff888021dd6f00
7f8bcb429000-7f8bcb448fff: ffff88807a74b300
7f8bcb449000-7f8bcb449fff: ffff88807a74b700
7f8bcb44a000-7f8bcb469fff: ffff88807a74b900
7f8bcb46a000-7f8bcb46afff: ffff88807a74b600
7f8bcb46b000-7f8bcb48afff: ffff88807a74bc00
7f8bcb48b000-7fff46251fff: 0000000000000000
7fff46252000-7fff46272fff: ffff88802bef3100
7fff46273000-7fff46299fff: 0000000000000000
7fff4629a000-7fff4629dfff: ffff88802bef3c00
7fff4629e000-7fff4629ffff: ffff88802bef3400
7fff462a0000-ffffffffffffffff: 0000000000000000
Pass: 24855660 Run:24855661
CPU: 1 PID: 30724 Comm: syz-executor.3 Tainted: G B 6.4.0-syzkaller-10173-ga901a3568fd2 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x136/0x150 lib/dump_stack.c:106
mt_validate_nulls+0x93d/0xd10 lib/maple_tree.c:7177
mt_validate+0x17e3/0x4370 lib/maple_tree.c:7227
validate_mm+0x9d/0x470 mm/mmap.c:300
do_vmi_align_munmap+0x1199/0x1680 mm/mmap.c:2561
do_vmi_munmap+0x266/0x430 mm/mmap.c:2619
__vm_munmap+0x137/0x380 mm/mmap.c:2899
__do_sys_munmap mm/mmap.c:2916 [inline]
__se_sys_munmap mm/mmap.c:2913 [inline]
__x64_sys_munmap+0x62/0x80 mm/mmap.c:2913
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f8bca68c467
Code: 00 00 00 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb 85 66 2e 0f 1f 84 00 00 00 00 00 90 b8 0b 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f8bcb489f38 EFLAGS: 00000246 ORIG_RAX: 000000000000000b
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f8bca68c467
RDX: 0000000000020000 RSI: 0000000000020000 RDI: 00007f8bc0dff000
RBP: 00007f8bc0dff000 R08: 0000000000000000 R09: 00000000000014f9
R10: 0000000000020000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f8bcb489fdc R14: 00007f8bcb489fe0 R15: 0000000020002042
==================================================================
BUG: KASAN: slab-out-of-bounds in mt_slot lib/maple_tree.c:816 [inline]
BUG: KASAN: slab-out-of-bounds in mas_slot lib/maple_tree.c:849 [inline]
BUG: KASAN: slab-out-of-bounds in mt_validate_nulls+0xc04/0xd10 lib/maple_tree.c:7172
Read of size 8 at addr ffff8880228f8520 by task syz-executor.3/30724
CPU: 1 PID: 30724 Comm: syz-executor.3 Tainted: G B 6.4.0-syzkaller-10173-ga901a3568fd2 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106
print_address_description.constprop.0+0x2c/0x3c0 mm/kasan/report.c:364
print_report mm/kasan/report.c:475 [inline]
kasan_report+0x11d/0x130 mm/kasan/report.c:588
mt_slot lib/maple_tree.c:816 [inline]
mas_slot lib/maple_tree.c:849 [inline]
mt_validate_nulls+0xc04/0xd10 lib/maple_tree.c:7172
mt_validate+0x17e3/0x4370 lib/maple_tree.c:7227
validate_mm+0x9d/0x470 mm/mmap.c:300
do_vmi_align_munmap+0x1199/0x1680 mm/mmap.c:2561
do_vmi_munmap+0x266/0x430 mm/mmap.c:2619
__vm_munmap+0x137/0x380 mm/mmap.c:2899
__do_sys_munmap mm/mmap.c:2916 [inline]
__se_sys_munmap mm/mmap.c:2913 [inline]
__x64_sys_munmap+0x62/0x80 mm/mmap.c:2913
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f8bca68c467
Code: 00 00 00 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb 85 66 2e 0f 1f 84 00 00 00 00 00 90 b8 0b 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f8bcb489f38 EFLAGS: 00000246 ORIG_RAX: 000000000000000b
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f8bca68c467
RDX: 0000000000020000 RSI: 0000000000020000 RDI: 00007f8bc0dff000
RBP: 00007f8bc0dff000 R08: 0000000000000000 R09: 00000000000014f9
R10: 0000000000020000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f8bcb489fdc R14: 00007f8bcb489fe0 R15: 0000000020002042
Allocated by task 30724:
kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
__kasan_slab_alloc+0x7f/0x90 mm/kasan/common.c:328
kasan_slab_alloc include/linux/kasan.h:186 [inline]
slab_post_alloc_hook mm/slab.h:750 [inline]
kmem_cache_alloc_bulk+0x424/0x860 mm/slub.c:4048
mt_alloc_bulk lib/maple_tree.c:164 [inline]
mas_alloc_nodes+0x341/0x8b0 lib/maple_tree.c:1304
mas_node_count_gfp lib/maple_tree.c:1362 [inline]
mas_preallocate+0x1bb/0x360 lib/maple_tree.c:5546
vma_iter_prealloc mm/internal.h:1032 [inline]
__split_vma+0x1b7/0x830 mm/mmap.c:2344
do_vmi_align_munmap+0x413/0x1680 mm/mmap.c:2477
do_vmi_munmap+0x266/0x430 mm/mmap.c:2619
__vm_munmap+0x137/0x380 mm/mmap.c:2899
__do_sys_munmap mm/mmap.c:2916 [inline]
__se_sys_munmap mm/mmap.c:2913 [inline]
__x64_sys_munmap+0x62/0x80 mm/mmap.c:2913
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Last potentially related work creation:
kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
__kasan_record_aux_stack+0xb9/0xd0 mm/kasan/generic.c:491
__call_rcu_common.constprop.0+0x99/0x7e0 kernel/rcu/tree.c:2649
ma_free_rcu lib/maple_tree.c:189 [inline]
mas_free lib/maple_tree.c:1344 [inline]
mas_replace+0x98c/0xfa0 lib/maple_tree.c:1785
mas_wr_node_store+0xcab/0x1170 lib/maple_tree.c:4151
mas_wr_modify+0x28b/0x10d0 lib/maple_tree.c:4346
mas_wr_store_entry.isra.0+0x495/0x1030 lib/maple_tree.c:4390
mas_store_prealloc+0xb3/0x270 lib/maple_tree.c:5529
vma_complete+0x8fd/0xdc0 mm/mmap.c:553
__split_vma+0x53b/0x830 mm/mmap.c:2381
split_vma+0xc6/0x110 mm/mmap.c:2409
mprotect_fixup+0x891/0xbd0 mm/mprotect.c:643
do_mprotect_pkey+0x883/0xd40 mm/mprotect.c:817
__do_sys_mprotect mm/mprotect.c:838 [inline]
__se_sys_mprotect mm/mprotect.c:835 [inline]
__x64_sys_mprotect+0x78/0xb0 mm/mprotect.c:835
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Second to last potentially related work creation:
kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
__kasan_record_aux_stack+0xb9/0xd0 mm/kasan/generic.c:491
__call_rcu_common.constprop.0+0x99/0x7e0 kernel/rcu/tree.c:2649
ma_free_rcu lib/maple_tree.c:189 [inline]
mas_free lib/maple_tree.c:1344 [inline]
mas_replace+0x98c/0xfa0 lib/maple_tree.c:1785
mas_wr_node_store+0xcab/0x1170 lib/maple_tree.c:4151
mas_wr_modify+0x28b/0x10d0 lib/maple_tree.c:4346
mas_wr_store_entry.isra.0+0x495/0x1030 lib/maple_tree.c:4390
mas_store_prealloc+0xb3/0x270 lib/maple_tree.c:5529
mmap_region+0x91c/0x2570 mm/mmap.c:2811
do_mmap+0x850/0xee0 mm/mmap.c:1362
vm_mmap_pgoff+0x1a2/0x3b0 mm/util.c:543
ksys_mmap_pgoff+0x7d/0x5b0 mm/mmap.c:1408
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
The buggy address belongs to the object at ffff8880228f8400
which belongs to the cache maple_node of size 256
The buggy address is located 32 bytes to the right of
allocated 256-byte region [ffff8880228f8400, ffff8880228f8500)
The buggy address belongs to the physical page:
page:ffffea00008a3e00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x228f8
head:ffffea00008a3e00 order:1 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000010200 ffff88801324d000 ffffea0000b1f800 dead000000000004
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 1, migratetype Unmovable, gfp_mask 0x52800(GFP_NOWAIT|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 4667, tgid 4667 (dhcpcd), ts 25452731667, free_ts 24860157482
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x2db/0x350 mm/page_alloc.c:1570
prep_new_page mm/page_alloc.c:1577 [inline]
get_page_from_freelist+0xfed/0x2d30 mm/page_alloc.c:3221
__alloc_pages+0x1cb/0x4a0 mm/page_alloc.c:4477
alloc_pages+0x1aa/0x270 mm/mempolicy.c:2279
alloc_slab_page mm/slub.c:1862 [inline]
allocate_slab+0x25f/0x390 mm/slub.c:2009
new_slab mm/slub.c:2062 [inline]
___slab_alloc+0xbc3/0x15d0 mm/slub.c:3215
__kmem_cache_alloc_bulk mm/slub.c:3966 [inline]
kmem_cache_alloc_bulk+0x270/0x860 mm/slub.c:4041
mt_alloc_bulk lib/maple_tree.c:164 [inline]
mas_alloc_nodes+0x341/0x8b0 lib/maple_tree.c:1304
mas_node_count_gfp+0x106/0x140 lib/maple_tree.c:1362
mas_node_count lib/maple_tree.c:1376 [inline]
mas_expected_entries+0x117/0x200 lib/maple_tree.c:5656
vma_iter_bulk_alloc include/linux/mm.h:898 [inline]
dup_mmap+0x4e4/0x19b0 kernel/fork.c:681
dup_mm kernel/fork.c:1688 [inline]
copy_mm kernel/fork.c:1737 [inline]
copy_process+0x6663/0x75c0 kernel/fork.c:2503
kernel_clone+0xeb/0x890 kernel/fork.c:2911
__do_sys_clone+0xba/0x100 kernel/fork.c:3054
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1161 [inline]
free_unref_page_prepare+0x62e/0xcb0 mm/page_alloc.c:2348
free_unref_page+0x33/0x370 mm/page_alloc.c:2443
__unfreeze_partials+0x1fe/0x220 mm/slub.c:2647
qlink_free mm/kasan/quarantine.c:166 [inline]
qlist_free_all+0x6a/0x170 mm/kasan/quarantine.c:185
kasan_quarantine_reduce+0x195/0x220 mm/kasan/quarantine.c:292
__kasan_slab_alloc+0x63/0x90 mm/kasan/common.c:305
kasan_slab_alloc include/linux/kasan.h:186 [inline]
slab_post_alloc_hook mm/slab.h:750 [inline]
slab_alloc_node mm/slub.c:3470 [inline]
slab_alloc mm/slub.c:3478 [inline]
__kmem_cache_alloc_lru mm/slub.c:3485 [inline]
kmem_cache_alloc+0x16c/0x380 mm/slub.c:3494
getname_flags.part.0+0x50/0x4f0 fs/namei.c:140
getname_flags+0x9e/0xe0 include/linux/audit.h:319
vfs_fstatat+0x77/0xb0 fs/stat.c:275
__do_sys_newfstatat+0x8a/0x110 fs/stat.c:446
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Memory state around the buggy address:
ffff8880228f8400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8880228f8480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8880228f8500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff8880228f8580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8880228f8600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
Sequential nulls end at ffff8880228f8400[20]
BUG at mt_validate_nulls:7177 (1)
Pass: 24855660 Run:24855662
CPU: 1 PID: 30724 Comm: syz-executor.3 Tainted: G B 6.4.0-syzkaller-10173-ga901a3568fd2 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x136/0x150 lib/dump_stack.c:106
mt_validate_nulls+0x93d/0xd10 lib/maple_tree.c:7177
mt_validate+0x17e3/0x4370 lib/maple_tree.c:7227
validate_mm+0x9d/0x470 mm/mmap.c:300
do_vmi_align_munmap+0x1199/0x1680 mm/mmap.c:2561
do_vmi_munmap+0x266/0x430 mm/mmap.c:2619
__vm_munmap+0x137/0x380 mm/mmap.c:2899
__do_sys_munmap mm/mmap.c:2916 [inline]
__se_sys_munmap mm/mmap.c:2913 [inline]
__x64_sys_munmap+0x62/0x80 mm/mmap.c:2913
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f8bca68c467
Code: 00 00 00 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb 85 66 2e 0f 1f 84 00 00 00 00 00 90 b8 0b 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f8bcb489f38 EFLAGS: 00000246 ORIG_RAX: 000000000000000b
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f8bca68c467
RDX: 0000000000020000 RSI: 0000000000020000 RDI: 00007f8bc0dff000
RBP: 00007f8bc0dff000 R08: 0000000000000000 R09: 00000000000014f9
R10: 0000000000020000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f8bcb489fdc R14: 00007f8bcb489fe0 R15: 0000000020002042
==================================================================
BUG: KASAN: slab-out-of-bounds in mt_slot lib/maple_tree.c:816 [inline]
BUG: KASAN: slab-out-of-bounds in mas_slot lib/maple_tree.c:849 [inline]
BUG: KASAN: slab-out-of-bounds in mt_validate_nulls+0xc04/0xd10 lib/maple_tree.c:7172
Read of size 8 at addr ffff8880228f8528 by task syz-executor.3/30724
CPU: 0 PID: 30724 Comm: syz-executor.3 Tainted: G B 6.4.0-syzkaller-10173-ga901a3568fd2 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106
print_address_description.constprop.0+0x2c/0x3c0 mm/kasan/report.c:364
print_report mm/kasan/report.c:475 [inline]
kasan_report+0x11d/0x130 mm/kasan/report.c:588
mt_slot lib/maple_tree.c:816 [inline]
mas_slot lib/maple_tree.c:849 [inline]
mt_validate_nulls+0xc04/0xd10 lib/maple_tree.c:7172
mt_validate+0x17e3/0x4370 lib/maple_tree.c:7227
validate_mm+0x9d/0x470 mm/mmap.c:300
do_vmi_align_munmap+0x1199/0x1680 mm/mmap.c:2561
do_vmi_munmap+0x266/0x430 mm/mmap.c:2619
__vm_munmap+0x137/0x380 mm/mmap.c:2899
__do_sys_munmap mm/mmap.c:2916 [inline]
__se_sys_munmap mm/mmap.c:2913 [inline]
__x64_sys_munmap+0x62/0x80 mm/mmap.c:2913
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f8bca68c467
Code: 00 00 00 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb 85 66 2e 0f 1f 84 00 00 00 00 00 90 b8 0b 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f8bcb489f38 EFLAGS: 00000246 ORIG_RAX: 000000000000000b
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f8bca68c467
RDX: 0000000000020000 RSI: 0000000000020000 RDI: 00007f8bc0dff000
RBP: 00007f8bc0dff000 R08: 0000000000000000 R09: 00000000000014f9
R10: 0000000000020000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f8bcb489fdc R14: 00007f8bcb489fe0 R15: 0000000020002042
Allocated by task 30724:
kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
__kasan_slab_alloc+0x7f/0x90 mm/kasan/common.c:328
kasan_slab_alloc include/linux/kasan.h:186 [inline]
slab_post_alloc_hook mm/slab.h:750 [inline]
kmem_cache_alloc_bulk+0x424/0x860 mm/slub.c:4048
mt_alloc_bulk lib/maple_tree.c:164 [inline]
mas_alloc_nodes+0x341/0x8b0 lib/maple_tree.c:1304
mas_node_count_gfp lib/maple_tree.c:1362 [inline]
mas_preallocate+0x1bb/0x360 lib/maple_tree.c:5546
vma_iter_prealloc mm/internal.h:1032 [inline]
__split_vma+0x1b7/0x830 mm/mmap.c:2344
do_vmi_align_munmap+0x413/0x1680 mm/mmap.c:2477
do_vmi_munmap+0x266/0x430 mm/mmap.c:2619
__vm_munmap+0x137/0x380 mm/mmap.c:2899
__do_sys_munmap mm/mmap.c:2916 [inline]
__se_sys_munmap mm/mmap.c:2913 [inline]
__x64_sys_munmap+0x62/0x80 mm/mmap.c:2913
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Last potentially related work creation:
kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
__kasan_record_aux_stack+0xb9/0xd0 mm/kasan/generic.c:491
__call_rcu_common.constprop.0+0x99/0x7e0 kernel/rcu/tree.c:2649
ma_free_rcu lib/maple_tree.c:189 [inline]
mas_free lib/maple_tree.c:1344 [inline]
mas_replace+0x98c/0xfa0 lib/maple_tree.c:1785
mas_wr_node_store+0xcab/0x1170 lib/maple_tree.c:4151
mas_wr_modify+0x28b/0x10d0 lib/maple_tree.c:4346
mas_wr_store_entry.isra.0+0x495/0x1030 lib/maple_tree.c:4390
mas_store_prealloc+0xb3/0x270 lib/maple_tree.c:5529
vma_complete+0x8fd/0xdc0 mm/mmap.c:553
__split_vma+0x53b/0x830 mm/mmap.c:2381
split_vma+0xc6/0x110 mm/mmap.c:2409
mprotect_fixup+0x891/0xbd0 mm/mprotect.c:643
do_mprotect_pkey+0x883/0xd40 mm/mprotect.c:817
__do_sys_mprotect mm/mprotect.c:838 [inline]
__se_sys_mprotect mm/mprotect.c:835 [inline]
__x64_sys_mprotect+0x78/0xb0 mm/mprotect.c:835
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Second to last potentially related work creation:
kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
__kasan_record_aux_stack+0xb9/0xd0 mm/kasan/generic.c:491
__call_rcu_common.constprop.0+0x99/0x7e0 kernel/rcu/tree.c:2649
ma_free_rcu lib/maple_tree.c:189 [inline]
mas_free lib/maple_tree.c:1344 [inline]
mas_replace+0x98c/0xfa0 lib/maple_tree.c:1785
mas_wr_node_store+0xcab/0x1170 lib/maple_tree.c:4151
mas_wr_modify+0x28b/0x10d0 lib/maple_tree.c:4346
mas_wr_store_entry.isra.0+0x495/0x1030 lib/maple_tree.c:4390
mas_store_prealloc+0xb3/0x270 lib/maple_tree.c:5529
mmap_region+0x91c/0x2570 mm/mmap.c:2811
do_mmap+0x850/0xee0 mm/mmap.c:1362
vm_mmap_pgoff+0x1a2/0x3b0 mm/util.c:543
ksys_mmap_pgoff+0x7d/0x5b0 mm/mmap.c:1408
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
The buggy address belongs to the object at ffff8880228f8400
which belongs to the cache maple_node of size 256
The buggy address is located 40 bytes to the right of
allocated 256-byte region [ffff8880228f8400, ffff8880228f8500)
The buggy address belongs to the physical page:
page:ffffea00008a3e00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x228f8
head:ffffea00008a3e00 order:1 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000010200 ffff88801324d000 ffffea0000b1f800 dead000000000004
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 1, migratetype Unmovable, gfp_mask 0x52800(GFP_NOWAIT|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 4667, tgid 4667 (dhcpcd), ts 25452731667, free_ts 24860157482
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x2db/0x350 mm/page_alloc.c:1570
prep_new_page mm/page_alloc.c:1577 [inline]
get_page_from_freelist+0xfed/0x2d30 mm/page_alloc.c:3221
__alloc_pages+0x1cb/0x4a0 mm/page_alloc.c:4477
alloc_pages+0x1aa/0x270 mm/mempolicy.c:2279
alloc_slab_page mm/slub.c:1862 [inline]
allocate_slab+0x25f/0x390 mm/slub.c:2009
new_slab mm/slub.c:2062 [inline]
___slab_alloc+0xbc3/0x15d0 mm/slub.c:3215
__kmem_cache_alloc_bulk mm/slub.c:3966 [inline]
kmem_cache_alloc_bulk+0x270/0x860 mm/slub.c:4041
mt_alloc_bulk lib/maple_tree.c:164 [inline]
mas_alloc_nodes+0x341/0x8b0 lib/maple_tree.c:1304
mas_node_count_gfp+0x106/0x140 lib/maple_tree.c:1362
mas_node_count lib/maple_tree.c:1376 [inline]
mas_expected_entries+0x117/0x200 lib/maple_tree.c:5656
vma_iter_bulk_alloc include/linux/mm.h:898 [inline]
dup_mmap+0x4e4/0x19b0 kernel/fork.c:681
dup_mm kernel/fork.c:1688 [inline]
copy_mm kernel/fork.c:1737 [inline]
copy_process+0x6663/0x75c0 kernel/fork.c:2503
kernel_clone+0xeb/0x890 kernel/fork.c:2911
__do_sys_clone+0xba/0x100 kernel/fork.c:3054
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1161 [inline]
free_unref_page_prepare+0x62e/0xcb0 mm/page_alloc.c:2348
free_unref_page+0x33/0x370 mm/page_alloc.c:2443
__unfreeze_partials+0x1fe/0x220 mm/slub.c:2647
qlink_free mm/kasan/quarantine.c:166 [inline]
qlist_free_all+0x6a/0x170 mm/kasan/quarantine.c:185
kasan_quarantine_reduce+0x195/0x220 mm/kasan/quarantine.c:292
__kasan_slab_alloc+0x63/0x90 mm/kasan/common.c:305
kasan_slab_alloc include/linux/kasan.h:186 [inline]
slab_post_alloc_hook mm/slab.h:750 [inline]
slab_alloc_node mm/slub.c:3470 [inline]
slab_alloc mm/slub.c:3478 [inline]
__kmem_cache_alloc_lru mm/slub.c:3485 [inline]
kmem_cache_alloc+0x16c/0x380 mm/slub.c:3494
getname_flags.part.0+0x50/0x4f0 fs/namei.c:140
getname_flags+0x9e/0xe0 include/linux/audit.h:319
vfs_fstatat+0x77/0xb0 fs/stat.c:275
__do_sys_newfstatat+0x8a/0x110 fs/stat.c:446
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Memory state around the buggy address:
ffff8880228f8400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8880228f8480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8880228f8500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff8880228f8580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8880228f8600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
Sequential nulls end at ffff8880228f8400[21]
BUG at mt_validate_nulls:7177 (1)
maple_tree(ffff888015f05f40) flags 30B, height 2 root ffff88802c8aa41e
0-ffffffffffffffff: node ffff88802c8aa400 depth 0 type 3 parent ffff888015f05f41 contents: 93708290682880 16384 18446603339339005952 0 0 0 0 0 0 0 | 02 02| ffff8880408e760c 140238366179327 ffff88802c8aa00c 140238385954815 ffff88802c8aa20c 18446744073709551615 0000000000000000 0 0000000000000000 0 0000000000000000 0 0000000000000000 0 0000000000000000 0 0000000000000000 0 0000000000000000
0-7f8bc9ffffff: node ffff8880408e7600 depth 1 type 1 parent ffff88802c8aa406 contents: 0000000000000000 1FFFEFFF ffff888027a62100 1FFFFFFF ffff888027a62400 20FFFFFF ffff888027a62f00 21000FFF 0000000000000000 1B2DA1FFFF ffff888027a62600 1B2DA5FFFF 0000000000000000 55555706EFFF ffff888027a62500 555557090FFF 0000000000000000 7F8BC0E1EFFF ffff88801f749c00 7F8BC91FEFFF ffff888027a62e00 7F8BC91FFFFF ffff888027a62800 7F8BC99FFFFF ffff888027a62000 7F8BC9BFFFFF ffff888027a62700 7F8BC9DFFFFF ffff888027a62d00 7F8BC9FFFFFF 000000000000000e
0-1fffefff: 0000000000000000
1ffff000-1fffffff: ffff888027a62100
20000000-20ffffff: ffff888027a62400
21000000-21000fff: ffff888027a62f00
21001000-1b2da1ffff: 0000000000000000
1b2da20000-1b2da5ffff: ffff888027a62600
1b2da60000-55555706efff: 0000000000000000
55555706f000-555557090fff: ffff888027a62500
555557091000-7f8bc0e1efff: 0000000000000000
7f8bc0e1f000-7f8bc91fefff: ffff88801f749c00
7f8bc91ff000-7f8bc91fffff: ffff888027a62e00
7f8bc9200000-7f8bc99fffff: ffff888027a62800
7f8bc9a00000-7f8bc9bfffff: ffff888027a62000
7f8bc9c00000-7f8bc9dfffff: ffff888027a62700
7f8bc9e00000-7f8bc9ffffff: ffff888027a62d00
7f8bca000000-7f8bcb2dbfff: node ffff88802c8aa000 depth 1 type 1 parent ffff88802c8aa40e contents: ffff888027b85f00 7F8BCA1FFFFF ffff888027fc7500 7F8BCA5FFFFF ffff888027fc7300 7F8BCA623FFF ffff88802bef3600 7F8BCA6D5FFF ffff88802bef3900 7F8BCA728FFF ffff88802bef3000 7F8BCA782FFF ffff88802bef3f00 7F8BCA78BFFF 0000000000000000 7F8BCA78FFFF ffff88802bef3700 7F8BCB2DBFFF 0000000000000000 0 0000000000000000 0 0000000000000000 0 0000000000000000 0 0000000000000000 0 0000000000000000 0 0000000000000008
7f8bca000000-7f8bca1fffff: ffff888027b85f00
7f8bca200000-7f8bca5fffff: ffff888027fc7500
7f8bca600000-7f8bca623fff: ffff888027fc7300
7f8bca624000-7f8bca6d5fff: ffff88802bef3600
7f8bca6d6000-7f8bca728fff: ffff88802bef3900
7f8bca729000-7f8bca782fff: ffff88802bef3000
7f8bca783000-7f8bca78bfff: ffff88802bef3f00
7f8bca78c000-7f8bca78ffff: 0000000000000000
7f8bca790000-7f8bcb2dbfff: ffff88802bef3700
7f8bcb2dc000-ffffffffffffffff: node ffff88802c8aa200 depth 1 type 1 parent ffff88802c8aa416 contents: 0000000000000000 7F8BCB406FFF ffff88807a74ba00 7F8BCB407FFF ffff88807a74b000 7F8BCB427FFF ffff888021dd6f00 7F8BCB428FFF ffff88807a74b300 7F8BCB448FFF ffff88807a74b700 7F8BCB449FFF ffff88807a74b900 7F8BCB469FFF ffff88807a74b600 7F8BCB46AFFF ffff88807a74bc00 7F8BCB48AFFF 0000000000000000 7FFF46251FFF ffff88802bef3100 7FFF46272FFF 0000000000000000 7FFF46299FFF ffff88802bef3c00 7FFF4629DFFF ffff88802bef3400 7FFF4629FFFF 0000000000000000 FFFFFFFFFFFFFFFF 000000000000000e
7f8bcb2dc000-7f8bcb406fff: 0000000000000000
7f8bcb407000-7f8bcb407fff: ffff88807a74ba00
7f8bcb408000-7f8bcb427fff: ffff88807a74b000
7f8bcb428000-7f8bcb428fff: ffff888021dd6f00
7f8bcb429000-7f8bcb448fff: ffff88807a74b300
7f8bcb449000-7f8bcb449fff: ffff88807a74b700
7f8bcb44a000-7f8bcb469fff: ffff88807a74b900
7f8bcb46a000-7f8bcb46afff: ffff88807a74b600
7f8bcb46b000-7f8bcb48afff: ffff88807a74bc00
7f8bcb48b000-7fff46251fff: 0000000000000000
7fff46252000-7fff46272fff: ffff88802bef3100
7fff46273000-7fff46299fff: 0000000000000000
7fff4629a000-7fff4629dfff: ffff88802bef3c00
7fff4629e000-7fff4629ffff: ffff88802bef3400
7fff462a0000-ffffffffffffffff: 0000000000000000
Pass: 24857170 Run:24857173
CPU: 0 PID: 30724 Comm: syz-executor.3 Tainted: G B 6.4.0-syzkaller-10173-ga901a3568fd2 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x136/0x150 lib/dump_stack.c:106
mt_validate_nulls+0x93d/0xd10 lib/maple_tree.c:7177
mt_validate+0x17e3/0x4370 lib/maple_tree.c:7227
validate_mm+0x9d/0x470 mm/mmap.c:300
do_vmi_align_munmap+0x1199/0x1680 mm/mmap.c:2561
do_vmi_munmap+0x266/0x430 mm/mmap.c:2619
__vm_munmap+0x137/0x380 mm/mmap.c:2899
__do_sys_munmap mm/mmap.c:2916 [inline]
__se_sys_munmap mm/mmap.c:2913 [inline]
__x64_sys_munmap+0x62/0x80 mm/mmap.c:2913
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f8bca68c467
Code: 00 00 00 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb 85 66 2e 0f 1f 84 00 00 00 00 00 90 b8 0b 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f8bcb489f38 EFLAGS: 00000246 ORIG_RAX: 000000000000000b
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f8bca68c467
RDX: 0000000000020000 RSI: 0000000000020000 RDI: 00007f8bc0dff000
RBP: 00007f8bc0dff000 R08: 0000000000000000 R09: 00000000000014f9
R10: 0000000000020000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f8bcb489fdc R14: 00007f8bcb489fe0 R15: 0000000020002042
==================================================================
BUG: KASAN: slab-out-of-bounds in mt_slot lib/maple_tree.c:816 [inline]
BUG: KASAN: slab-out-of-bounds in mas_slot lib/maple_tree.c:849 [inline]
BUG: KASAN: slab-out-of-bounds in mt_validate_nulls+0xc04/0xd10 lib/maple_tree.c:7172
Read of size 8 at addr ffff8880228f8530 by task syz-executor.3/30724
CPU: 1 PID: 30724 Comm: syz-executor.3 Tainted: G B 6.4.0-syzkaller-10173-ga901a3568fd2 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106
print_address_description.constprop.0+0x2c/0x3c0 mm/kasan/report.c:364
print_report mm/kasan/report.c:475 [inline]
kasan_report+0x11d/0x130 mm/kasan/report.c:588
mt_slot lib/maple_tree.c:816 [inline]
mas_slot lib/maple_tree.c:849 [inline]
mt_validate_nulls+0xc04/0xd10 lib/maple_tree.c:7172
mt_validate+0x17e3/0x4370 lib/maple_tree.c:7227
validate_mm+0x9d/0x470 mm/mmap.c:300
do_vmi_align_munmap+0x1199/0x1680 mm/mmap.c:2561
do_vmi_munmap+0x266/0x430 mm/mmap.c:2619
__vm_munmap+0x137/0x380 mm/mmap.c:2899
__do_sys_munmap mm/mmap.c:2916 [inline]
__se_sys_munmap mm/mmap.c:2913 [inline]
__x64_sys_munmap+0x62/0x80 mm/mmap.c:2913
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f8bca68c467
Code: 00 00 00 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb 85 66 2e 0f 1f 84 00 00 00 00 00 90 b8 0b 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f8bcb489f38 EFLAGS: 00000246 ORIG_RAX: 000000000000000b
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f8bca68c467
RDX: 0000000000020000 RSI: 0000000000020000 RDI: 00007f8bc0dff000
RBP: 00007f8bc0dff000 R08: 0000000000000000 R09: 00000000000014f9
R10: 0000000000020000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f8bcb489fdc R14: 00007f8bcb489fe0 R15: 0000000020002042
Allocated by task 30724:
kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
__kasan_slab_alloc+0x7f/0x90 mm/kasan/common.c:328
kasan_slab_alloc include/linux/kasan.h:186 [inline]
slab_post_alloc_hook mm/slab.h:750 [inline]
kmem_cache_alloc_bulk+0x424/0x860 mm/slub.c:4048
mt_alloc_bulk lib/maple_tree.c:164 [inline]
mas_alloc_nodes+0x341/0x8b0 lib/maple_tree.c:1304
mas_node_count_gfp lib/maple_tree.c:1362 [inline]
mas_preallocate+0x1bb/0x360 lib/maple_tree.c:5546
vma_iter_prealloc mm/internal.h:1032 [inline]
__split_vma+0x1b7/0x830 mm/mmap.c:2344
do_vmi_align_munmap+0x413/0x1680 mm/mmap.c:2477
do_vmi_munmap+0x266/0x430 mm/mmap.c:2619
__vm_munmap+0x137/0x380 mm/mmap.c:2899
__do_sys_munmap mm/mmap.c:2916 [inline]
__se_sys_munmap mm/mmap.c:2913 [inline]
__x64_sys_munmap+0x62/0x80 mm/mmap.c:2913
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Last potentially related work creation:
kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
__kasan_record_aux_stack+0xb9/0xd0 mm/kasan/generic.c:491
__call_rcu_common.constprop.0+0x99/0x7e0 kernel/rcu/tree.c:2649
ma_free_rcu lib/maple_tree.c:189 [inline]
mas_free lib/maple_tree.c:1344 [inline]
mas_replace+0x98c/0xfa0 lib/maple_tree.c:1785
mas_wr_node_store+0xcab/0x1170 lib/maple_tree.c:4151
mas_wr_modify+0x28b/0x10d0 lib/maple_tree.c:4346
mas_wr_store_entry.isra.0+0x495/0x1030 lib/maple_tree.c:4390
mas_store_prealloc+0xb3/0x270 lib/maple_tree.c:5529
vma_complete+0x8fd/0xdc0 mm/mmap.c:553
__split_vma+0x53b/0x830 mm/mmap.c:2381
split_vma+0xc6/0x110 mm/mmap.c:2409
mprotect_fixup+0x891/0xbd0 mm/mprotect.c:643
do_mprotect_pkey+0x883/0xd40 mm/mprotect.c:817
__do_sys_mprotect mm/mprotect.c:838 [inline]
__se_sys_mprotect mm/mprotect.c:835 [inline]
__x64_sys_mprotect+0x78/0xb0 mm/mprotect.c:835
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Second to last potentially related work creation:
kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
__kasan_record_aux_stack+0xb9/0xd0 mm/kasan/generic.c:491
__call_rcu_common.constprop.0+0x99/0x7e0 kernel/rcu/tree.c:2649
ma_free_rcu lib/maple_tree.c:189 [inline]
mas_free lib/maple_tree.c:1344 [inline]
mas_replace+0x98c/0xfa0 lib/maple_tree.c:1785
mas_wr_node_store+0xcab/0x1170 lib/maple_tree.c:4151
mas_wr_modify+0x28b/0x10d0 lib/maple_tree.c:4346
mas_wr_store_entry.isra.0+0x495/0x1030 lib/maple_tree.c:4390
mas_store_prealloc+0xb3/0x270 lib/maple_tree.c:5529
mmap_region+0x91c/0x2570 mm/mmap.c:2811
do_mmap+0x850/0xee0 mm/mmap.c:1362
vm_mmap_pgoff+0x1a2/0x3b0 mm/util.c:543
ksys_mmap_pgoff+0x7d/0x5b0 mm/mmap.c:1408
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
The buggy address belongs to the object at ffff8880228f8400
which belongs to the cache maple_node of size 256
The buggy address is located 48 bytes to the right of
allocated 256-byte region [ffff8880228f8400, ffff8880228f8500)
The buggy address belongs to the physical page:
page:ffffea00008a3e00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x228f8
head:ffffea00008a3e00 order:1 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000010200 ffff88801324d000 ffffea0000b1f800 dead000000000004
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 1, migratetype Unmovable, gfp_mask 0x52800(GFP_NOWAIT|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 4667, tgid 4667 (dhcpcd), ts 25452731667, free_ts 24860157482
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x2db/0x350 mm/page_alloc.c:1570
prep_new_page mm/page_alloc.c:1577 [inline]
get_page_from_freelist+0xfed/0x2d30 mm/page_alloc.c:3221
__alloc_pages+0x1cb/0x4a0 mm/page_alloc.c:4477
alloc_pages+0x1aa/0x270 mm/mempolicy.c:2279
alloc_slab_page mm/slub.c:1862 [inline]
allocate_slab+0x25f/0x390 mm/slub.c:2009
new_slab mm/slub.c:2062 [inline]
___slab_alloc+0xbc3/0x15d0 mm/slub.c:3215
__kmem_cache_alloc_bulk mm/slub.c:3966 [inline]
kmem_cache_alloc_bulk+0x270/0x860 mm/slub.c:4041
mt_alloc_bulk lib/maple_tree.c:164 [inline]
mas_alloc_nodes+0x341/0x8b0 lib/maple_tree.c:1304
mas_node_count_gfp+0x106/0x140 lib/maple_tree.c:1362
mas_node_count lib/maple_tree.c:1376 [inline]
mas_expected_entries+0x117/0x200 lib/maple_tree.c:5656
vma_iter_bulk_alloc include/linux/mm.h:898 [inline]
dup_mmap+0x4e4/0x19b0 kernel/fork.c:681
dup_mm kernel/fork.c:1688 [inline]
copy_mm kernel/fork.c:1737 [inline]
copy_process+0x6663/0x75c0 kernel/fork.c:2503
kernel_clone+0xeb/0x890 kernel/fork.c:2911
__do_sys_clone+0xba/0x100 kernel/fork.c:3054
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1161 [inline]
free_unref_page_prepare+0x62e/0xcb0 mm/page_alloc.c:2348
free_unref_page+0x33/0x370 mm/page_alloc.c:2443
__unfreeze_partials+0x1fe/0x220 mm/slub.c:2647
qlink_free mm/kasan/quarantine.c:166 [inline]
qlist_free_all+0x6a/0x170 mm/kasan/quarantine.c:185
kasan_quarantine_reduce+0x195/0x220 mm/kasan/quarantine.c:292
__kasan_slab_alloc+0x63/0x90 mm/kasan/common.c:305
kasan_slab_alloc include/linux/kasan.h:186 [inline]
slab_post_alloc_hook mm/slab.h:750 [inline]
slab_alloc_node mm/slub.c:3470 [inline]
slab_alloc mm/slub.c:3478 [inline]
__kmem_cache_alloc_lru mm/slub.c:3485 [inline]
kmem_cache_alloc+0x16c/0x380 mm/slub.c:3494
getname_flags.part.0+0x50/0x4f0 fs/namei.c:140
getname_flags+0x9e/0xe0 include/linux/audit.h:319
vfs_fstatat+0x77/0xb0 fs/stat.c:275
__do_sys_newfstatat+0x8a/0x110 fs/stat.c:446
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Memory state around the buggy address:
 ffff8880228f8400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8880228f8480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8880228f8500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                     ^
 ffff8880228f8580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8880228f8600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
Sequential nulls end at ffff8880228f8400[22]
BUG at mt_validate_nulls:7177 (1)
maple_tree(ffff888015f05f40) flags 30B, height 2 root ffff88802c8aa41e
0-ffffffffffffffff: node ffff88802c8aa400 depth 0 type 3 parent ffff888015f05f41 contents: 93708290682880 16384 18446603339339005952 0 0 0 0 0 0 0 | 02 02| ffff8880408e760c 140238366179327 ffff88802c8aa00c 140238385954815 ffff88802c8aa20c 18446744073709551615 0000000000000000 0 0000000000000000 0 0000000000000000 0 0000000000000000 0 0000000000000000 0 0000000000000000 0 0000000000000000
0-7f8bc9ffffff: node ffff8880408e7600 depth 1 type 1 parent ffff88802c8aa406 contents: 0000000000000000 1FFFEFFF ffff888027a62100 1FFFFFFF ffff888027a62400 20FFFFFF ffff888027a62f00 21000FFF 0000000000000000 1B2DA1FFFF ffff888027a62600 1B2DA5FFFF 0000000000000000 55555706EFFF ffff888027a62500 555557090FFF 0000000000000000 7F8BC0E1EFFF ffff88801f749c00 7F8BC91FEFFF ffff888027a62e00 7F8BC91FFFFF ffff888027a62800 7F8BC99FFFFF ffff888027a62000 7F8BC9BFFFFF ffff888027a62700 7F8BC9DFFFFF ffff888027a62d00 7F8BC9FFFFFF 000000000000000e
0-1fffefff: 0000000000000000
1ffff000-1fffffff: ffff888027a62100
20000000-20ffffff: ffff888027a62400
21000000-21000fff: ffff888027a62f00
21001000-1b2da1ffff: 0000000000000000
1b2da20000-1b2da5ffff: ffff888027a62600
1b2da60000-55555706efff: 0000000000000000
55555706f000-555557090fff: ffff888027a62500
555557091000-7f8bc0e1efff: 0000000000000000
7f8bc0e1f000-7f8bc91fefff: ffff88801f749c00
7f8bc91ff000-7f8bc91fffff: ffff888027a62e00
7f8bc9200000-7f8bc99fffff: ffff888027a62800
7f8bc9a00000-7f8bc9bfffff: ffff888027a62000
7f8bc9c00000-7f8bc9dfffff: ffff888027a62700
7f8bc9e00000-7f8bc9ffffff: ffff888027a62d00
7f8bca000000-7f8bcb2dbfff: node ffff88802c8aa000 depth 1 type 1 parent ffff88802c8aa40e contents: ffff888027b85f00 7F8BCA1FFFFF ffff888027fc7500 7F8BCA5FFFFF ffff888027fc7300 7F8BCA623FFF ffff88802bef3600 7F8BCA6D5FFF ffff88802bef3900 7F8BCA728FFF ffff88802bef3000 7F8BCA782FFF ffff88802bef3f00 7F8BCA78BFFF 0000000000000000 7F8BCA78FFFF ffff88802bef3700 7F8BCB2DBFFF 0000000000000000 0 0000000000000000 0 0000000000000000 0 0000000000000000 0 0000000000000000 0 0000000000000000 0 0000000000000008
7f8bca000000-7f8bca1fffff: ffff888027b85f00
7f8bca200000-7f8bca5fffff: ffff888027fc7500
7f8bca600000-7f8bca623fff: ffff888027fc7300
7f8bca624000-7f8bca6d5fff: ffff88802bef3600
7f8bca6d6000-7f8bca728fff: ffff88802bef3900
7f8bca729000-7f8bca782fff: ffff88802bef3000
7f8bca783000-7f8bca78bfff: ffff88802bef3f00
7f8bca78c000-7f8bca78ffff: 0000000000000000
7f8bca790000-7f8bcb2dbfff: ffff88802bef3700
7f8bcb2dc000-ffffffffffffffff: node ffff88802c8aa200 depth 1 type 1 parent ffff88802c8aa416 contents: 0000000000000000 7F8BCB406FFF ffff88807a74ba00 7F8BCB407FFF ffff88807a74b000 7F8BCB427FFF ffff888021dd6f00 7F8BCB428FFF ffff88807a74b300 7F8BCB448FFF ffff88807a74b700 7F8BCB449FFF ffff88807a74b900 7F8BCB469FFF ffff88807a74b600 7F8BCB46AFFF ffff88807a74bc00 7F8BCB48AFFF 0000000000000000 7FFF46251FFF ffff88802bef3100 7FFF46272FFF 0000000000000000 7FFF46299FFF ffff88802bef3c00 7FFF4629DFFF ffff88802bef3400 7FFF4629FFFF 0000000000000000 FFFFFFFFFFFFFFFF 000000000000000e
7f8bcb2dc000-7f8bcb406fff: 0000000000000000
7f8bcb407000-7f8bcb407fff: ffff88807a74ba00
7f8bcb408000-7f8bcb427fff: ffff88807a74b000
7f8bcb428000-7f8bcb428fff: ffff888021dd6f00
7f8bcb429000-7f8bcb448fff: ffff88807a74b300
7f8bcb449000-7f8bcb449fff: ffff88807a74b700
7f8bcb44a000-7f8bcb469fff: ffff88807a74b900
7f8bcb46a000-7f8bcb46afff: ffff88807a74b600
7f8bcb46b000-7f8bcb48afff: ffff88807a74bc00
7f8bcb48b000-7fff46251fff: 0000000000000000
7fff46252000-7fff46272fff: ffff88802bef3100
7fff46273000-7fff46299fff: 0000000000000000
7fff4629a000-7fff4629dfff: ffff88802bef3c00
7fff4629e000-7fff4629ffff: ffff88802bef3400
7fff462a0000-ffffffffffffffff: 0000000000000000
Pass: 24857170 Run:24857174
CPU: 0 PID: 30724 Comm: syz-executor.3 Tainted: G B 6.4.0-syzkaller-10173-ga901a3568fd2 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x136/0x150 lib/dump_stack.c:106
mt_validate_nulls+0x93d/0xd10 lib/maple_tree.c:7177
mt_validate+0x17e3/0x4370 lib/maple_tree.c:7227
validate_mm+0x9d/0x470 mm/mmap.c:300
do_vmi_align_munmap+0x1199/0x1680 mm/mmap.c:2561
do_vmi_munmap+0x266/0x430 mm/mmap.c:2619
__vm_munmap+0x137/0x380 mm/mmap.c:2899
__do_sys_munmap mm/mmap.c:2916 [inline]
__se_sys_munmap mm/mmap.c:2913 [inline]
__x64_sys_munmap+0x62/0x80 mm/mmap.c:2913
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f8bca68c467
Code: 00 00 00 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb 85 66 2e 0f 1f 84 00 00 00 00 00 90 b8 0b 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f8bcb489f38 EFLAGS: 00000246 ORIG_RAX: 000000000000000b
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f8bca68c467
RDX: 0000000000020000 RSI: 0000000000020000 RDI: 00007f8bc0dff000
RBP: 00007f8bc0dff000 R08: 0000000000000000 R09: 00000000000014f9
R10: 0000000000020000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f8bcb489fdc R14: 00007f8bcb489fe0 R15: 0000000020002042
==================================================================
BUG: KASAN: slab-out-of-bounds in mt_slot lib/maple_tree.c:816 [inline]
BUG: KASAN: slab-out-of-bounds in mas_slot lib/maple_tree.c:849 [inline]
BUG: KASAN: slab-out-of-bounds in mt_validate_nulls+0xc04/0xd10 lib/maple_tree.c:7172
Read of size 8 at addr ffff8880228f8538 by task syz-executor.3/30724
CPU: 1 PID: 30724 Comm: syz-executor.3 Tainted: G B 6.4.0-syzkaller-10173-ga901a3568fd2 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106
print_address_description.constprop.0+0x2c/0x3c0 mm/kasan/report.c:364
print_report mm/kasan/report.c:475 [inline]
kasan_report+0x11d/0x130 mm/kasan/report.c:588
mt_slot lib/maple_tree.c:816 [inline]
mas_slot lib/maple_tree.c:849 [inline]
mt_validate_nulls+0xc04/0xd10 lib/maple_tree.c:7172
mt_validate+0x17e3/0x4370 lib/maple_tree.c:7227
validate_mm+0x9d/0x470 mm/mmap.c:300
do_vmi_align_munmap+0x1199/0x1680 mm/mmap.c:2561
do_vmi_munmap+0x266/0x430 mm/mmap.c:2619
__vm_munmap+0x137/0x380 mm/mmap.c:2899
__do_sys_munmap mm/mmap.c:2916 [inline]
__se_sys_munmap mm/mmap.c:2913 [inline]
__x64_sys_munmap+0x62/0x80 mm/mmap.c:2913
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f8bca68c467
Code: 00 00 00 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb 85 66 2e 0f 1f 84 00 00 00 00 00 90 b8 0b 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f8bcb489f38 EFLAGS: 00000246 ORIG_RAX: 000000000000000b
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f8bca68c467
RDX: 0000000000020000 RSI: 0000000000020000 RDI: 00007f8bc0dff000
RBP: 00007f8bc0dff000 R08: 0000000000000000 R09: 00000000000014f9
R10: 0000000000020000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f8bcb489fdc R14: 00007f8bcb489fe0 R15: 0000000020002042
Allocated by task 30724:
kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
__kasan_slab_alloc+0x7f/0x90 mm/kasan/common.c:328
kasan_slab_alloc include/linux/kasan.h:186 [inline]
slab_post_alloc_hook mm/slab.h:750 [inline]
kmem_cache_alloc_bulk+0x424/0x860 mm/slub.c:4048
mt_alloc_bulk lib/maple_tree.c:164 [inline]
mas_alloc_nodes+0x341/0x8b0 lib/maple_tree.c:1304
mas_node_count_gfp lib/maple_tree.c:1362 [inline]
mas_preallocate+0x1bb/0x360 lib/maple_tree.c:5546
vma_iter_prealloc mm/internal.h:1032 [inline]
__split_vma+0x1b7/0x830 mm/mmap.c:2344
do_vmi_align_munmap+0x413/0x1680 mm/mmap.c:2477
do_vmi_munmap+0x266/0x430 mm/mmap.c:2619
__vm_munmap+0x137/0x380 mm/mmap.c:2899
__do_sys_munmap mm/mmap.c:2916 [inline]
__se_sys_munmap mm/mmap.c:2913 [inline]
__x64_sys_munmap+0x62/0x80 mm/mmap.c:2913
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Last potentially related work creation:
kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
__kasan_record_aux_stack+0xb9/0xd0 mm/kasan/generic.c:491
__call_rcu_common.constprop.0+0x99/0x7e0 kernel/rcu/tree.c:2649
ma_free_rcu lib/maple_tree.c:189 [inline]
mas_free lib/maple_tree.c:1344 [inline]
mas_replace+0x98c/0xfa0 lib/maple_tree.c:1785
mas_wr_node_store+0xcab/0x1170 lib/maple_tree.c:4151
mas_wr_modify+0x28b/0x10d0 lib/maple_tree.c:4346
mas_wr_store_entry.isra.0+0x495/0x1030 lib/maple_tree.c:4390
mas_store_prealloc+0xb3/0x270 lib/maple_tree.c:5529
vma_complete+0x8fd/0xdc0 mm/mmap.c:553
__split_vma+0x53b/0x830 mm/mmap.c:2381
split_vma+0xc6/0x110 mm/mmap.c:2409
mprotect_fixup+0x891/0xbd0 mm/mprotect.c:643
do_mprotect_pkey+0x883/0xd40 mm/mprotect.c:817
__do_sys_mprotect mm/mprotect.c:838 [inline]
__se_sys_mprotect mm/mprotect.c:835 [inline]
__x64_sys_mprotect+0x78/0xb0 mm/mprotect.c:835
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Second to last potentially related work creation:
kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
__kasan_record_aux_stack+0xb9/0xd0 mm/kasan/generic.c:491
__call_rcu_common.constprop.0+0x99/0x7e0 kernel/rcu/tree.c:2649
ma_free_rcu lib/maple_tree.c:189 [inline]
mas_free lib/maple_tree.c:1344 [inline]
mas_replace+0x98c/0xfa0 lib/maple_tree.c:1785
mas_wr_node_store+0xcab/0x1170 lib/maple_tree.c:4151
mas_wr_modify+0x28b/0x10d0 lib/maple_tree.c:4346
mas_wr_store_entry.isra.0+0x495/0x1030 lib/maple_tree.c:4390
mas_store_prealloc+0xb3/0x270 lib/maple_tree.c:5529
mmap_region+0x91c/0x2570 mm/mmap.c:2811
do_mmap+0x850/0xee0 mm/mmap.c:1362
vm_mmap_pgoff+0x1a2/0x3b0 mm/util.c:543
ksys_mmap_pgoff+0x7d/0x5b0 mm/mmap.c:1408
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
The buggy address belongs to the object at ffff8880228f8400
which belongs to the cache maple_node of size 256
The buggy address is located 56 bytes to the right of
allocated 256-byte region [ffff8880228f8400, ffff8880228f8500)
The buggy address belongs to the physical page:
page:ffffea00008a3e00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x228f8
head:ffffea00008a3e00 order:1 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000010200 ffff88801324d000 ffffea0000b1f800 dead000000000004
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 1, migratetype Unmovable, gfp_mask 0x52800(GFP_NOWAIT|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 4667, tgid 4667 (dhcpcd), ts 25452731667, free_ts 24860157482
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x2db/0x350 mm/page_alloc.c:1570
prep_new_page mm/page_alloc.c:1577 [inline]
get_page_from_freelist+0xfed/0x2d30 mm/page_alloc.c:3221
__alloc_pages+0x1cb/0x4a0 mm/page_alloc.c:4477
alloc_pages+0x1aa/0x270 mm/mempolicy.c:2279
alloc_slab_page mm/slub.c:1862 [inline]
allocate_slab+0x25f/0x390 mm/slub.c:2009
new_slab mm/slub.c:2062 [inline]
___slab_alloc+0xbc3/0x15d0 mm/slub.c:3215
__kmem_cache_alloc_bulk mm/slub.c:3966 [inline]
kmem_cache_alloc_bulk+0x270/0x860 mm/slub.c:4041
mt_alloc_bulk lib/maple_tree.c:164 [inline]
mas_alloc_nodes+0x341/0x8b0 lib/maple_tree.c:1304
mas_node_count_gfp+0x106/0x140 lib/maple_tree.c:1362
mas_node_count lib/maple_tree.c:1376 [inline]
mas_expected_entries+0x117/0x200 lib/maple_tree.c:5656
vma_iter_bulk_alloc include/linux/mm.h:898 [inline]
dup_mmap+0x4e4/0x19b0 kernel/fork.c:681
dup_mm kernel/fork.c:1688 [inline]
copy_mm kernel/fork.c:1737 [inline]
copy_process+0x6663/0x75c0 kernel/fork.c:2503
kernel_clone+0xeb/0x890 kernel/fork.c:2911
__do_sys_clone+0xba/0x100 kernel/fork.c:3054
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1161 [inline]
free_unref_page_prepare+0x62e/0xcb0 mm/page_alloc.c:2348
free_unref_page+0x33/0x370 mm/page_alloc.c:2443
__unfreeze_partials+0x1fe/0x220 mm/slub.c:2647
qlink_free mm/kasan/quarantine.c:166 [inline]
qlist_free_all+0x6a/0x170 mm/kasan/quarantine.c:185
kasan_quarantine_reduce+0x195/0x220 mm/kasan/quarantine.c:292
__kasan_slab_alloc+0x63/0x90 mm/kasan/common.c:305
kasan_slab_alloc include/linux/kasan.h:186 [inline]
slab_post_alloc_hook mm/slab.h:750 [inline]
slab_alloc_node mm/slub.c:3470 [inline]
slab_alloc mm/slub.c:3478 [inline]
__kmem_cache_alloc_lru mm/slub.c:3485 [inline]
kmem_cache_alloc+0x16c/0x380 mm/slub.c:3494
getname_flags.part.0+0x50/0x4f0 fs/namei.c:140
getname_flags+0x9e/0xe0 include/linux/audit.h:319
vfs_fstatat+0x77/0xb0 fs/stat.c:275
__do_sys_newfstatat+0x8a/0x110 fs/stat.c:446
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Memory state around the buggy address:
 ffff8880228f8400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8880228f8480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8880228f8500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                        ^
 ffff8880228f8580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8880228f8600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
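Editor's note, added to this page and not part of the syzbot report: the KASAN reports above fault on the same 256-byte maple_node object at ffff8880228f8400, first 48 and then 56 bytes past its end (reads at ffff8880228f8530 and ffff8880228f8538), and the shadow byte under the caret is fc both times, which generic KASAN uses for the redzone after a slab object. The script below is the editor's own triage helper, not kernel code: it parses those report lines, re-derives the "N bytes to the right of" arithmetic from the region bounds, decodes the shadow byte using the generic-KASAN encoding as the editor transcribes it from mm/kasan/kasan.h (an assumption to check against the kernel version at hand), and, on the further assumption that the node is a 64-bit maple_range_64 (8-byte parent pointer, 15 8-byte pivots, then 16 8-byte slots starting at byte 128), converts the faulting address into a slot index. The sample report text is a constructed subset of lines copied from the ffff8880228f8530 report above.

```python
"""Triage helper for generic-KASAN slab reports; editor's added example, not kernel code."""
import re

# Generic KASAN shadow encoding (one shadow byte per 8-byte granule), transcribed by
# the editor from mm/kasan/kasan.h for 6.x kernels; verify against your own tree.
SHADOW_CODES = {
    0x00: "all 8 bytes addressable",
    0xF1: "stack left redzone", 0xF2: "stack mid redzone", 0xF3: "stack right redzone",
    0xF4: "stack partial redzone", 0xF9: "global redzone",
    0xFB: "freed slab object (use-after-free)",
    0xFC: "slab object redzone (out-of-bounds)",
    0xFE: "page/kmalloc_large redzone", 0xFF: "freed page",
}
# Assumed 64-bit maple_range_64 layout: 8-byte parent, 15 8-byte pivots, then
# 16 8-byte slots starting at byte 128 of the 256-byte maple_node.
MAPLE_SLOTS_OFFSET = 8 + 15 * 8
MAPLE_RANGE64_SLOTS = 16

# Constructed sample: the lines the parser needs, copied from the ffff8880228f8530 report.
SAMPLE_REPORT = """\
BUG: KASAN: slab-out-of-bounds in mt_validate_nulls+0xc04/0xd10 lib/maple_tree.c:7172
Read of size 8 at addr ffff8880228f8530 by task syz-executor.3/30724
The buggy address belongs to the object at ffff8880228f8400
which belongs to the cache maple_node of size 256
The buggy address is located 48 bytes to the right of
allocated 256-byte region [ffff8880228f8400, ffff8880228f8500)
Memory state around the buggy address:
 ffff8880228f8480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8880228f8500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8880228f8580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
"""

_BUG = re.compile(r"BUG: KASAN: (\S+) in (\S+)")
_ACCESS = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)")
_REGION = re.compile(r"region \[([0-9a-f]+), ([0-9a-f]+)\)")
_CACHE = re.compile(r"belongs to the cache (\S+) of size")
_ROW = re.compile(r"^>?([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})$")

def parse_report(text):
    """Pull the access, the slab object bounds and the shadow rows out of one report."""
    rep = {"shadow": {}}  # shadow: row base address -> its 16 shadow bytes
    for line in text.splitlines():
        line = line.strip()
        if (m := _BUG.search(line)) and "bug_type" not in rep:
            rep["bug_type"], rep["func"] = m.groups()
        elif m := _ACCESS.search(line):
            rep["kind"], rep["size"], rep["addr"] = m[1], int(m[2]), int(m[3], 16)
        elif m := _REGION.search(line):
            rep["obj_start"], rep["obj_end"] = int(m[1], 16), int(m[2], 16)
        elif m := _CACHE.search(line):
            rep["cache"] = m[1]
        elif m := _ROW.match(line):
            rep["shadow"][int(m[1], 16)] = [int(b, 16) for b in m[2].split()]
    if missing := {"bug_type", "addr", "obj_start", "obj_end"} - set(rep):
        raise ValueError(f"incomplete KASAN report, missing {sorted(missing)}")
    return rep

def locate(rep):
    """(position, distance) of the faulting address relative to the slab object."""
    addr, start, end = rep["addr"], rep["obj_start"], rep["obj_end"]
    if addr < start:
        return "left", start - addr
    if addr >= end:
        return "right", addr - end
    return "inside", addr - start

def shadow_byte(rep, addr=None):
    """Shadow byte covering addr: a dump row spans 128 bytes, one column per 8 bytes."""
    addr = rep["addr"] if addr is None else addr
    row = rep["shadow"].get(addr & ~0x7F)
    return None if row is None else row[(addr & 0x7F) >> 3]

def describe_shadow(b):
    if b is None:
        return "not in dump"
    if 1 <= b <= 7:
        return f"only the first {b} bytes of the granule addressable"
    return SHADOW_CODES.get(b, f"unknown 0x{b:02x}")

def maple_slot_index(rep):
    """Slot index the address maps to under the assumed maple_range_64 layout."""
    off = rep["addr"] - rep["obj_start"] - MAPLE_SLOTS_OFFSET
    return off // 8 if off >= 0 and off % 8 == 0 else None

def triage(text):
    rep = parse_report(text)
    where, dist = locate(rep)
    sb = shadow_byte(rep)
    slot = maple_slot_index(rep) if rep.get("cache") == "maple_node" else None
    return {
        "bug_type": rep["bug_type"], "func": rep["func"],
        "access": f"{rep['kind']} of {rep['size']} bytes",
        "position": where, "distance": dist,
        "shadow": sb, "shadow_meaning": describe_shadow(sb),
        "slot": slot,
        "slot_in_bounds": None if slot is None else slot < MAPLE_RANGE64_SLOTS,
    }

if __name__ == "__main__":
    for key, val in triage(SAMPLE_REPORT).items():
        print(f"{key:>15}: {val}")
```

Run against the two reads above, the helper gives slot indices 22 and 23 for ffff8880228f8530 and ffff8880228f8538, both past the 16 slots a node holds; under the layout assumption stated in the lead-in, that lines up with the validator's own "Sequential nulls end at ffff8880228f8400[22]" and "[23]" markers that follow each report. Swap SAMPLE_REPORT for a report pasted from dmesg to reuse it; the regexes only rely on the fixed phrasing of the KASAN report lines, not on the maple tree dump.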
Sequential nulls end at ffff8880228f8400[23]
BUG at mt_validate_nulls:7177 (1)
maple_tree(ffff888015f05f40) flags 30B, height 2 root ffff88802c8aa41e
0-ffffffffffffffff: node ffff88802c8aa400 depth 0 type 3 parent ffff888015f05f41 contents: 93708290682880 16384 18446603339339005952 0 0 0 0 0 0 0 | 02 02| ffff8880408e760c 140238366179327 ffff88802c8aa00c 140238385954815 ffff88802c8aa20c 18446744073709551615 0000000000000000 0 0000000000000000 0 0000000000000000 0 0000000000000000 0 0000000000000000 0 0000000000000000 0 0000000000000000
0-7f8bc9ffffff: node ffff8880408e7600 depth 1 type 1 parent ffff88802c8aa406 contents: 0000000000000000 1FFFEFFF ffff888027a62100 1FFFFFFF ffff888027a62400 20FFFFFF ffff888027a62f00 21000FFF 0000000000000000 1B2DA1FFFF ffff888027a62600 1B2DA5FFFF 0000000000000000 55555706EFFF ffff888027a62500 555557090FFF 0000000000000000 7F8BC0E1EFFF ffff88801f749c00 7F8BC91FEFFF ffff888027a62e00 7F8BC91FFFFF ffff888027a62800 7F8BC99FFFFF ffff888027a62000 7F8BC9BFFFFF ffff888027a62700 7F8BC9DFFFFF ffff888027a62d00 7F8BC9FFFFFF 000000000000000e
0-1fffefff: 0000000000000000
1ffff000-1fffffff: ffff888027a62100
20000000-20ffffff: ffff888027a62400
21000000-21000fff: ffff888027a62f00
21001000-1b2da1ffff: 0000000000000000
1b2da20000-1b2da5ffff: ffff888027a62600
1b2da60000-55555706efff: 0000000000000000
55555706f000-555557090fff: ffff888027a62500
555557091000-7f8bc0e1efff: 0000000000000000
7f8bc0e1f000-7f8bc91fefff: ffff88801f749c00
7f8bc91ff000-7f8bc91fffff: ffff888027a62e00
7f8bc9200000-7f8bc99fffff: ffff888027a62800
7f8bc9a00000-7f8bc9bfffff: ffff888027a62000
7f8bc9c00000-7f8bc9dfffff: ffff888027a62700
7f8bc9e00000-7f8bc9ffffff: ffff888027a62d00
7f8bca000000-7f8bcb2dbfff: node ffff88802c8aa000 depth 1 type 1 parent ffff88802c8aa40e contents: ffff888027b85f00 7F8BCA1FFFFF ffff888027fc7500 7F8BCA5FFFFF ffff888027fc7300 7F8BCA623FFF ffff88802bef3600 7F8BCA6D5FFF ffff88802bef3900 7F8BCA728FFF ffff88802bef3000 7F8BCA782FFF ffff88802bef3f00 7F8BCA78BFFF 0000000000000000 7F8BCA78FFFF ffff88802bef3700 7F8BCB2DBFFF 0000000000000000 0 0000000000000000 0 0000000000000000 0 0000000000000000 0 0000000000000000 0 0000000000000000 0 0000000000000008
7f8bca000000-7f8bca1fffff: ffff888027b85f00
7f8bca200000-7f8bca5fffff: ffff888027fc7500
7f8bca600000-7f8bca623fff: ffff888027fc7300
7f8bca624000-7f8bca6d5fff: ffff88802bef3600
7f8bca6d6000-7f8bca728fff: ffff88802bef3900
7f8bca729000-7f8bca782fff: ffff88802bef3000
7f8bca783000-7f8bca78bfff: ffff88802bef3f00
7f8bca78c000-7f8bca78ffff: 0000000000000000
7f8bca790000-7f8bcb2dbfff: ffff88802bef3700
7f8bcb2dc000-ffffffffffffffff: node ffff88802c8aa200 depth 1 type 1 parent ffff88802c8aa416 contents: 0000000000000000 7F8BCB406FFF ffff88807a74ba00 7F8BCB407FFF ffff88807a74b000 7F8BCB427FFF ffff888021dd6f00 7F8BCB428FFF ffff88807a74b300 7F8BCB448FFF ffff88807a74b700 7F8BCB449FFF ffff88807a74b900 7F8BCB469FFF ffff88807a74b600 7F8BCB46AFFF ffff88807a74bc00 7F8BCB48AFFF 0000000000000000 7FFF46251FFF ffff88802bef3100 7FFF46272FFF 0000000000000000 7FFF46299FFF ffff88802bef3c00 7FFF4629DFFF ffff88802bef3400 7FFF4629FFFF 0000000000000000 FFFFFFFFFFFFFFFF 000000000000000e
7f8bcb2dc000-7f8bcb406fff: 0000000000000000
7f8bcb407000-7f8bcb407fff: ffff88807a74ba00
7f8bcb408000-7f8bcb427fff: ffff88807a74b000
7f8bcb428000-7f8bcb428fff: ffff888021dd6f00
7f8bcb429000-7f8bcb448fff: ffff88807a74b300
7f8bcb449000-7f8bcb449fff: ffff88807a74b700
7f8bcb44a000-7f8bcb469fff: ffff88807a74b900
7f8bcb46a000-7f8bcb46afff: ffff88807a74b600
7f8bcb46b000-7f8bcb48afff: ffff88807a74bc00
7f8bcb48b000-7fff46251fff: 0000000000000000
7fff46252000-7fff46272fff: ffff88802bef3100
7fff46273000-7fff46299fff: 0000000000000000
7fff4629a000-7fff4629dfff: ffff88802bef3c00
7fff4629e000-7fff4629ffff: ffff88802bef3400
7fff462a0000-ffffffffffffffff: 0000000000000000
Pass: 24857170 Run:24857175
CPU: 1 PID: 30724 Comm: syz-executor.3 Tainted: G B 6.4.0-syzkaller-10173-ga901a3568fd2 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x136/0x150 lib/dump_stack.c:106
mt_validate_nulls+0x93d/0xd10 lib/maple_tree.c:7177
mt_validate+0x17e3/0x4370 lib/maple_tree.c:7227
validate_mm+0x9d/0x470 mm/mmap.c:300
do_vmi_align_munmap+0x1199/0x1680 mm/mmap.c:2561
do_vmi_munmap+0x266/0x430 mm/mmap.c:2619
__vm_munmap+0x137/0x380 mm/mmap.c:2899