[syzbot] [mm?] upstream boot error: KASAN: slab-out-of-bounds Read in bootstrap

All of lore.kernel.org
 help / color / mirror / Atom feed

From: syzbot <syzbot+2f508e913916096bf53a@syzkaller.appspotmail.com>
To: akpm@linux-foundation.org, linux-kernel@vger.kernel.org,
	 linux-mm@kvack.org, rppt@kernel.org,
	syzkaller-bugs@googlegroups.com
Subject: [syzbot] [mm?] upstream boot error: KASAN: slab-out-of-bounds Read in bootstrap
Date: Mon, 14 Aug 2023 04:04:59 -0700	[thread overview]
Message-ID: <0000000000008fe2100602e008a4@google.com> (raw)

Hello,

syzbot found the following issue on:

HEAD commit:    3feecb1b8483 Merge tag 'char-misc-6.5-rc6' of git://git.ke..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=137dddaba80000
kernel config:  https://syzkaller.appspot.com/x/.config?x=d84c6cf3c2bbdb4d
dashboard link: https://syzkaller.appspot.com/bug?extid=2f508e913916096bf53a
compiler:       aarch64-linux-gnu-gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/384ffdcca292/non_bootable_disk-3feecb1b.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/066a563f6f65/vmlinux-3feecb1b.xz
kernel image: https://storage.googleapis.com/syzbot-assets/eb9963107316/Image-3feecb1b.gz.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+2f508e913916096bf53a@syzkaller.appspotmail.com

Booting Linux on physical CPU 0x0000000000 [0x000f0510]
Linux version 6.5.0-rc5-syzkaller-00349-g3feecb1b8483 (syzkaller@syzkaller) (aarch64-linux-gnu-gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40) #0 SMP PREEMPT now
random: crng init done
Machine model: linux,dummy-virt
efi: UEFI not found.
NUMA: No NUMA configuration found
NUMA: Faking a node at [mem 0x0000000040000000-0x00000000bfffffff]
NUMA: NODE_DATA [mem 0xbf9f6000-0xbf9f8fff]
Zone ranges:
  DMA      [mem 0x0000000040000000-0x00000000bfffffff]
  DMA32    empty
  Normal   empty
  Device   empty
Movable zone start for each node
Early memory node ranges
  node   0: [mem 0x0000000040000000-0x00000000bfffffff]
Initmem setup node 0 [mem 0x0000000040000000-0x00000000bfffffff]
cma: Reserved 32 MiB at 0x00000000bb800000
psci: probing for conduit method from DT.
psci: PSCIv1.1 detected in firmware.
psci: Using standard PSCI v0.2 function IDs
psci: Trusted OS migration not required
psci: SMC Calling Convention v1.0
percpu: Embedded 22 pages/cpu s51016 r8192 d30904 u90112
Detected PIPT I-cache on CPU0
CPU features: detected: Address authentication (architected QARMA5 algorithm)
CPU features: detected: HCRX_EL2 register
CPU features: detected: Virtualization Host Extensions
CPU features: detected: Hardware dirty bit management
CPU features: detected: Memory Tagging Extension
CPU features: detected: Asymmetric MTE Tag Check Fault
CPU features: detected: Spectre-v4
MTE: enabled in synchronous mode at EL1
alternatives: applying boot alternatives
kasan: KernelAddressSanitizer initialized (hw-tags, mode=sync, vmalloc=on, stacktrace=on)
Kernel command line: root=/dev/vda console=ttyAMA0 
Dentry cache hash table entries: 262144 (order: 9, 2097152 bytes, linear)
Inode-cache hash table entries: 131072 (order: 8, 1048576 bytes, linear)
Fallback order for Node 0: 0 
Built 1 zonelists, mobility grouping on.  Total pages: 516096
Policy zone: DMA
mem auto-init: stack:all(zero), heap alloc:on, heap free:off
stackdepot: allocating hash table via alloc_large_system_hash
stackdepot hash table entries: 1048576 (order: 11, 8388608 bytes, linear)
software IO TLB: area num 2.
software IO TLB: mapped [mem 0x00000000b6d00000-0x00000000bad00000] (64MB)
Memory: 1904996K/2097152K available (25152K kernel code, 2446K rwdata, 10084K rodata, 1280K init, 1475K bss, 159388K reserved, 32768K cma-reserved)
==================================================================
BUG: KASAN: slab-out-of-bounds in __kasan_slab_alloc+0x7c/0xcc mm/kasan/common.c:331
Read at addr fcff000002c01008 by task swapper/0
Pointer tag: [fc], memory tag: [fd]

CPU: 0 PID: 0 Comm: swapper Not tainted 6.5.0-rc5-syzkaller-00349-g3feecb1b8483 #0
Hardware name: linux,dummy-virt (DT)
Call trace:
 dump_backtrace+0x94/0xec arch/arm64/kernel/stacktrace.c:233
 show_stack+0x18/0x24 arch/arm64/kernel/stacktrace.c:240
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x48/0x60 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:364 [inline]
 print_report+0x108/0x618 mm/kasan/report.c:475
 kasan_report+0x88/0xac mm/kasan/report.c:588
 report_tag_fault arch/arm64/mm/fault.c:334 [inline]
 do_tag_recovery arch/arm64/mm/fault.c:346 [inline]
 __do_kernel_fault+0x180/0x1ec arch/arm64/mm/fault.c:393
 do_bad_area arch/arm64/mm/fault.c:493 [inline]
 do_tag_check_fault+0x78/0x8c arch/arm64/mm/fault.c:771
 do_mem_abort+0x44/0x94 arch/arm64/mm/fault.c:847
 el1_abort+0x40/0x60 arch/arm64/kernel/entry-common.c:369
 el1h_64_sync_handler+0xd8/0xe4 arch/arm64/kernel/entry-common.c:429
 el1h_64_sync+0x64/0x68 arch/arm64/kernel/entry.S:586
 __kasan_slab_alloc+0x7c/0xcc mm/kasan/common.c:331
 kasan_slab_alloc include/linux/kasan.h:186 [inline]
 slab_post_alloc_hook mm/slab.h:762 [inline]
 slab_alloc_node mm/slub.c:3470 [inline]
 slab_alloc mm/slub.c:3478 [inline]
 __kmem_cache_alloc_lru mm/slub.c:3485 [inline]
 kmem_cache_alloc+0x144/0x290 mm/slub.c:3494
 kmem_cache_zalloc include/linux/slab.h:693 [inline]
 bootstrap+0x2c/0x174 mm/slub.c:4988
 kmem_cache_init+0x144/0x1c8 mm/slub.c:5051
 mm_core_init+0x23c/0x2d0 mm/mm_init.c:2787
 start_kernel+0x220/0x5fc init/main.c:928
 __primary_switched+0xb4/0xbc arch/arm64/kernel/head.S:523

Allocated by task 0:
 kasan_save_stack+0x3c/0x64 mm/kasan/common.c:45
 save_stack_info+0x38/0x118 mm/kasan/tags.c:104
 kasan_save_alloc_info+0x14/0x20 mm/kasan/tags.c:138
 __kasan_slab_alloc+0x94/0xcc mm/kasan/common.c:328
 kasan_slab_alloc include/linux/kasan.h:186 [inline]
 slab_post_alloc_hook mm/slab.h:762 [inline]
 slab_alloc_node mm/slub.c:3470 [inline]
 slab_alloc mm/slub.c:3478 [inline]
 __kmem_cache_alloc_lru mm/slub.c:3485 [inline]
 kmem_cache_alloc+0x144/0x290 mm/slub.c:3494
 kmem_cache_zalloc include/linux/slab.h:693 [inline]
 bootstrap+0x2c/0x174 mm/slub.c:4988
 kmem_cache_init+0x134/0x1c8 mm/slub.c:5050
 mm_core_init+0x23c/0x2d0 mm/mm_init.c:2787
 start_kernel+0x220/0x5fc init/main.c:928
 __primary_switched+0xb4/0xbc arch/arm64/kernel/head.S:523

The buggy address belongs to the object at ffff000002c01000
 which belongs to the cache kmem_cache of size 208
The buggy address is located 8 bytes inside of
 208-byte region [ffff000002c01000, ffff000002c010d0)

The buggy address belongs to the physical page:
page:(____ptrval____) refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x42c01
flags: 0x1ffc00000000200(slab|node=0|zone=0|lastcpupid=0x7ff|kasantag=0x0)
page_type: 0xffffffff()
raw: 01ffc00000000200 fcff000002c01000 dead000000000100 dead000000000122
raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff000002c00e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff000002c00f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff000002c01000: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
                   ^
 ffff000002c01100: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
 ffff000002c01200: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
==================================================================
SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=2, Nodes=1
rcu: Preemptible hierarchical RCU implementation.
rcu: 	RCU restricting CPUs from NR_CPUS=8 to nr_cpu_ids=2.
	Trampoline variant of Tasks RCU enabled.
	Tracing variant of Tasks RCU enabled.
rcu: RCU calculated value of scheduler-enlistment delay is 10 jiffies.
rcu: Adjusting geometry for rcu_fanout_leaf=16, nr_cpu_ids=2
NR_IRQS: 64, nr_irqs: 64, preallocated irqs: 0
Root IRQ handler: gic_handle_irq
GIC: Using split EOI/Deactivate mode
GICv2m: range[mem 0x08020000-0x08020fff], SPI[80:143]
rcu: srcu_init: Setting srcu_struct sizes based on contention.
arch_timer: cp15 timer(s) running at 62.50MHz (phys).
clocksource: arch_sys_counter: mask: 0x1ffffffffffffff max_cycles: 0x1cd42e208c, max_idle_ns: 881590405314 ns
sched_clock: 57 bits at 63MHz, resolution 16ns, wraps every 4398046511096ns
kfence: initialized - using 2097152 bytes for 255 objects at 0x(____ptrval____)-0x(____ptrval____)
Console: colour dummy device 80x25
Calibrating delay loop (skipped), value calculated using timer frequency.. 125.00 BogoMIPS (lpj=625000)
pid_max: default: 32768 minimum: 301
LSM: initializing lsm=lockdown,capability,landlock,yama,safesetid,tomoyo,smack,integrity
landlock: Up and running.
Yama: becoming mindful.
TOMOYO Linux initialized
Smack:  Initializing.
Smack:  Netfilter enabled.
Smack:  IPv6 Netfilter enabled.
Mount-cache hash table entries: 4096 (order: 3, 32768 bytes, linear)
Mountpoint-cache hash table entries: 4096 (order: 3, 32768 bytes, linear)
Detected PIPT I-cache on CPU1
CPU1: Booted secondary processor 0x0000000001 [0x000f0510]

---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to change bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

next             reply	other threads:[~2023-08-14 11:05 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-08-14 11:04 syzbot [this message]
2023-08-14 18:28 ` [syzbot] [mm?] upstream boot error: KASAN: slab-out-of-bounds Read in bootstrap Mike Rapoport

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=0000000000008fe2100602e008a4@google.com \
    --to=syzbot+2f508e913916096bf53a@syzkaller.appspotmail.com \
    --cc=akpm@linux-foundation.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-mm@kvack.org \
    --cc=rppt@kernel.org \
    --cc=syzkaller-bugs@googlegroups.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.