From: syzbot <syzbot+2b149e3a2468e54d2178@syzkaller.appspotmail.com>
To: arnd@arndb.de, clemens@ladisch.de, gregkh@linuxfoundation.org,
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: upstream boot error: KASAN: slab-out-of-bounds Write in hpet_alloc
Date: Thu, 30 Jan 2020 02:07:11 -0800
Message-ID: <000000000000e3e280059d589ef4@google.com>
Hello,
syzbot found the following crash on:
HEAD commit: 39bed42d Merge tag 'for-linus-hmm' of git://git.kernel.org..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1569d9a5e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=2646535f8818ae25
dashboard link: https://syzkaller.appspot.com/bug?extid=2b149e3a2468e54d2178
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+2b149e3a2468e54d2178@syzkaller.appspotmail.com
pci 0000:00:1f.3: reg 0x20: [io 0x0700-0x073f]
ACPI: PCI Interrupt Link [LNKA] (IRQs 5 *10 11)
ACPI: PCI Interrupt Link [LNKB] (IRQs 5 *10 11)
ACPI: PCI Interrupt Link [LNKC] (IRQs 5 10 *11)
ACPI: PCI Interrupt Link [LNKD] (IRQs 5 10 *11)
ACPI: PCI Interrupt Link [LNKE] (IRQs 5 *10 11)
ACPI: PCI Interrupt Link [LNKF] (IRQs 5 *10 11)
ACPI: PCI Interrupt Link [LNKG] (IRQs 5 10 *11)
ACPI: PCI Interrupt Link [LNKH] (IRQs 5 10 *11)
ACPI: PCI Interrupt Link [GSIA] (IRQs *16)
ACPI: PCI Interrupt Link [GSIB] (IRQs *17)
ACPI: PCI Interrupt Link [GSIC] (IRQs *18)
ACPI: PCI Interrupt Link [GSID] (IRQs *19)
ACPI: PCI Interrupt Link [GSIE] (IRQs *20)
ACPI: PCI Interrupt Link [GSIF] (IRQs *21)
ACPI: PCI Interrupt Link [GSIG] (IRQs *22)
ACPI: PCI Interrupt Link [GSIH] (IRQs *23)
iommu: Default domain type: Translated
pci 0000:00:01.0: vgaarb: setting as boot VGA device
pci 0000:00:01.0: vgaarb: VGA device added: decodes=io+mem,owns=io+mem,locks=none
pci 0000:00:01.0: vgaarb: bridge control possible
vgaarb: loaded
SCSI subsystem initialized
ACPI: bus type USB registered
usbcore: registered new interface driver usbfs
usbcore: registered new interface driver hub
usbcore: registered new device driver usb
mc: Linux media interface: v0.10
videodev: Linux video capture interface: v2.00
pps_core: LinuxPPS API ver. 1 registered
pps_core: Software ver. 5.3.6 - Copyright 2005-2007 Rodolfo Giometti <giometti@linux.it>
PTP clock support registered
EDAC MC: Ver: 3.0.0
Advanced Linux Sound Architecture Driver Initialized.
PCI: Using ACPI for IRQ routing
Bluetooth: Core ver 2.22
NET: Registered protocol family 31
Bluetooth: HCI device and connection manager initialized
Bluetooth: HCI socket layer initialized
Bluetooth: L2CAP socket layer initialized
Bluetooth: SCO socket layer initialized
NET: Registered protocol family 8
NET: Registered protocol family 20
NetLabel: Initializing
NetLabel: domain hash size = 128
NetLabel: protocols = UNLABELED CIPSOv4 CALIPSO
NetLabel: unlabeled traffic allowed by default
nfc: nfc_init: NFC Core ver 0.1
NET: Registered protocol family 39
==================================================================
BUG: KASAN: slab-out-of-bounds in hpet_alloc+0x442/0x490 drivers/char/hpet.c:871
Write of size 4 at addr ffff88807882e5d8 by task swapper/0/1
CPU: 1 PID: 1 Comm: swapper/0 Not tainted 5.5.0-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x197/0x210 lib/dump_stack.c:118
print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374
__kasan_report.cold+0x1b/0x32 mm/kasan/report.c:506
kasan_report+0x12/0x20 mm/kasan/common.c:639
__asan_report_store4_noabort+0x17/0x20 mm/kasan/generic_report.c:139
hpet_alloc+0x442/0x490 drivers/char/hpet.c:871
hpet_reserve_platform_timers+0x1fc/0x245 arch/x86/kernel/hpet.c:222
hpet_late_init+0x2f4/0x38b arch/x86/kernel/hpet.c:954
do_one_initcall+0x120/0x820 init/main.c:939
do_initcall_level init/main.c:1007 [inline]
do_initcalls init/main.c:1015 [inline]
do_basic_setup init/main.c:1032 [inline]
kernel_init_freeable+0x4ca/0x570 init/main.c:1203
kernel_init+0x12/0x1bf init/main.c:1110
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
Allocated by task 1:
save_stack+0x23/0x90 mm/kasan/common.c:72
set_track mm/kasan/common.c:80 [inline]
__kasan_kmalloc mm/kasan/common.c:513 [inline]
__kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:486
kasan_kmalloc+0x9/0x10 mm/kasan/common.c:527
__do_kmalloc mm/slab.c:3656 [inline]
__kmalloc+0x163/0x770 mm/slab.c:3665
kmalloc include/linux/slab.h:561 [inline]
kzalloc include/linux/slab.h:670 [inline]
hpet_alloc+0x12b/0x490 drivers/char/hpet.c:858
hpet_reserve_platform_timers+0x1fc/0x245 arch/x86/kernel/hpet.c:222
hpet_late_init+0x2f4/0x38b arch/x86/kernel/hpet.c:954
do_one_initcall+0x120/0x820 init/main.c:939
do_initcall_level init/main.c:1007 [inline]
do_initcalls init/main.c:1015 [inline]
do_basic_setup init/main.c:1032 [inline]
kernel_init_freeable+0x4ca/0x570 init/main.c:1203
kernel_init+0x12/0x1bf init/main.c:1110
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
Freed by task 0:
(stack is not available)
The buggy address belongs to the object at ffff88807882e400
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 472 bytes inside of
512-byte region [ffff88807882e400, ffff88807882e600)
The buggy address belongs to the page:
page:ffffea0001e20b80 refcount:1 mapcount:0 mapping:ffff88802cc00a80 index:0xffff88807882ec00
raw: 04fffe0000000200 ffff88807a800738 ffff88807a800738 ffff88802cc00a80
raw: ffff88807882ec00 ffff88807882e000 0000000100000002 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88807882e480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88807882e500: 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc
>ffff88807882e580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff88807882e600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88807882e680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
Thread overview (2 messages):
2020-01-30 10:07 syzbot [this message]
2020-01-30 10:14 ` upstream boot error: KASAN: slab-out-of-bounds Write in hpet_alloc  (Greg KH)
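The "Memory state around the buggy address" block is the most informative part of the report above, and it is worth decoding mechanically rather than by eye. The decoder below is an added example for this page; it is not part of the syzbot message, of the kernel, or of any fix for this bug. It assumes the generic KASAN shadow encoding (one shadow byte per 8-byte granule; 0x00 fully addressable, 0x01..0x07 partially addressable, 0xfc the kmalloc redzone that KASAN writes over the part of a slab object beyond the size kmalloc() was asked for). The five rows it parses are copied from the report; the function names and the constructed test row are the example's own. Applied to the faulting address ffff88807882e5d8 it shows that addressable memory ends at ffff88807882e558, i.e. the object's requested size is 344 bytes of the 512-byte kmalloc-512 slot, and the 4-byte write lands 128 bytes past that end. That is consistent with the report's "472 bytes inside of 512-byte region" and says nothing about the root cause, which the page does not state.

```c
/*
 * Decoder for the "Memory state around the buggy address" block of a generic
 * KASAN report.  Added example; not part of the syzbot message or the kernel.
 * Encoding (mm/kasan/kasan.h): one shadow byte per 8-byte granule, 0x00 = all
 * 8 bytes addressable, 0x01..0x07 = only the first N bytes, anything else is a
 * poison value; 0xfc is KASAN_KMALLOC_REDZONE, the tail of a slab object past
 * the requested allocation size.
 */
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define KASAN_GRANULE         8
#define KASAN_ROW_BYTES       16    /* shadow bytes printed per report row */
#define KASAN_KMALLOC_REDZONE 0xfc

/* Rows copied verbatim from the report above; '>' marks the faulting row. */
static const char *const report_rows[] = {
    "ffff88807882e480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00",
    "ffff88807882e500: 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc",
    ">ffff88807882e580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc",
    "ffff88807882e600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc",
    "ffff88807882e680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc",
};
#define NROWS (sizeof(report_rows) / sizeof(report_rows[0]))

struct shadow_row {
    uint64_t base;                    /* first kernel address the row covers */
    uint8_t shadow[KASAN_ROW_BYTES];
};

/* Parse "[>]<hex addr>: b0 b1 ... b15"; 0 on success, -1 on a malformed row. */
int parse_shadow_row(const char *line, struct shadow_row *row)
{
    char *end;
    if (*line == '>')
        line++;
    row->base = strtoull(line, &end, 16);
    if (end == line || *end != ':')
        return -1;
    end++;
    for (int i = 0; i < KASAN_ROW_BYTES; i++) {
        char *next;
        unsigned long v = strtoul(end, &next, 16);
        if (next == end || v > 0xff)
            return -1;
        row->shadow[i] = (uint8_t)v;
        end = next;
    }
    return 0;
}

/* Shadow byte covering addr, or -1 if no parsed row covers it. */
int shadow_at(const struct shadow_row *rows, size_t nrows, uint64_t addr)
{
    for (size_t i = 0; i < nrows; i++)
        if (addr >= rows[i].base &&
            addr - rows[i].base < (uint64_t)KASAN_ROW_BYTES * KASAN_GRANULE)
            return rows[i].shadow[(addr - rows[i].base) / KASAN_GRANULE];
    return -1;
}

/* 1 if the byte at addr is addressable, 0 if poisoned, -1 if not covered. */
int byte_addressable(const struct shadow_row *rows, size_t nrows, uint64_t addr)
{
    int s = shadow_at(rows, nrows, addr);
    if (s < 0)
        return -1;
    if (s == 0)
        return 1;
    if (s < KASAN_GRANULE)                  /* partially addressable granule */
        return (addr % KASAN_GRANULE) < (uint64_t)s;
    return 0;                                /* any poison value */
}

struct oob_result {
    int shadow;              /* shadow byte covering the faulting address */
    int bad;                 /* 1 if any byte of [addr, addr + size) is poisoned */
    uint64_t first_poisoned; /* first poisoned address at or after scan_from */
    uint64_t overshoot;      /* addr - first_poisoned if addr lies past it, else 0 */
};

/*
 * Classify a `size`-byte access at `addr` against the embedded rows and find
 * where addressable memory ends, scanning upward from scan_from (the lowest
 * address the report prints).  Returns 0, or -1 on a malformed row or if the
 * scan leaves the parsed rows.
 */
int analyze_access(uint64_t addr, size_t size, uint64_t scan_from, struct oob_result *r)
{
    struct shadow_row rows[NROWS];
    for (size_t i = 0; i < NROWS; i++)
        if (parse_shadow_row(report_rows[i], &rows[i]) < 0)
            return -1;
    r->shadow = shadow_at(rows, NROWS, addr);
    r->bad = 0;
    for (size_t i = 0; i < size; i++) {
        int ok = byte_addressable(rows, NROWS, addr + i);
        if (ok < 0)
            return -1;
        if (!ok)
            r->bad = 1;
    }
    uint64_t a = scan_from;
    for (int ok; (ok = byte_addressable(rows, NROWS, a)) == 1; a++)
        ;
    if (byte_addressable(rows, NROWS, a) < 0)
        return -1;
    r->first_poisoned = a;
    r->overshoot = addr >= a ? addr - a : 0;
    return 0;
}

int main(void)
{
    /* The report's access: "Write of size 4 at addr ffff88807882e5d8",
     * object at ffff88807882e400, rows printed from ffff88807882e480. */
    const uint64_t object_start = 0xffff88807882e400ULL;
    struct oob_result r;
    if (analyze_access(0xffff88807882e5d8ULL, 4, 0xffff88807882e480ULL, &r) < 0) {
        fprintf(stderr, "could not analyze rows\n");
        return 1;
    }
    printf("shadow 0x%02x (%s), access %s\n", r.shadow,
           r.shadow == KASAN_KMALLOC_REDZONE ? "kmalloc redzone" : "other", r.bad ? "BAD" : "ok");
    printf("addressable memory ends at %#" PRIx64 ", %" PRIu64 " bytes into the object\n",
           r.first_poisoned, r.first_poisoned - object_start);
    printf("write lands %" PRIu64 " bytes past the requested size\n", r.overshoot);
    return 0;
}
```

The scan from the first printed row is the only inference the tool makes: KASAN prints rows only around the faulting address, so bytes below ffff88807882e480 are assumed addressable (they are inside the object, and kmalloc redzoning only poisons the tail). Partially addressable granules (shadow 0x01..0x07) are handled so the same decoder works for allocations whose requested size is not a multiple of 8.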