From: syzbot <syzbot+997752115a851cb0cf36@syzkaller.appspotmail.com>
To: andrii@kernel.org, ast@kernel.org, bpf@vger.kernel.org,
daniel@iogearbox.net, eddyz87@gmail.com, haoluo@google.com,
john.fastabend@gmail.com, jolsa@kernel.org, kpsingh@kernel.org,
linux-kernel@vger.kernel.org, martin.lau@linux.dev,
sdf@fomichev.me, song@kernel.org,
syzkaller-bugs@googlegroups.com, yonghong.song@linux.dev
Subject: Re: [syzbot] [bpf?] KASAN: invalid-access Write in do_bad_area
Date: Tue, 07 Oct 2025 07:58:28 -0700
Message-ID: <68e52a94.a00a0220.298cc0.047c.GAE@google.com>
In-Reply-To: <68e243a2.050a0220.1696c6.007d.GAE@google.com>
syzbot has found a reproducer for the following issue on:
HEAD commit: c746c3b51698 Merge tag 'for-6.18-tag' of git://git.kernel...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=149b5a7c580000
kernel config: https://syzkaller.appspot.com/x/.config?x=f49b7d923ce867a
dashboard link: https://syzkaller.appspot.com/bug?extid=997752115a851cb0cf36
compiler: aarch64-linux-gnu-gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17ee792f980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=163955cd980000
Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/fa3fbcfdac58/non_bootable_disk-c746c3b5.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/85796940f78d/vmlinux-c746c3b5.xz
kernel image: https://storage.googleapis.com/syzbot-assets/1d82d6550867/Image-c746c3b5.gz.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+997752115a851cb0cf36@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: invalid-access in __memcpy+0xc/0x54 arch/arm64/lib/memcpy.S:250
Write at addr f0ff800083d6d268 by task syz.2.17/3596
Pointer tag: [f0], memory tag: [fe]
CPU: 1 UID: 0 PID: 3596 Comm: syz.2.17 Not tainted syzkaller #0 PREEMPT
Hardware name: linux,dummy-virt (DT)
Call trace:
show_stack+0x18/0x24 arch/arm64/kernel/stacktrace.c:499 (C)
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x78/0x90 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0x108/0x61c mm/kasan/report.c:482
kasan_report+0x88/0xac mm/kasan/report.c:595
report_tag_fault arch/arm64/mm/fault.c:326 [inline]
do_tag_recovery arch/arm64/mm/fault.c:338 [inline]
__do_kernel_fault+0x170/0x1c8 arch/arm64/mm/fault.c:380
do_bad_area+0x68/0x78 arch/arm64/mm/fault.c:480
do_tag_check_fault+0x34/0x44 arch/arm64/mm/fault.c:853
do_mem_abort+0x44/0x94 arch/arm64/mm/fault.c:929
el1_abort+0x44/0x68 arch/arm64/kernel/entry-common.c:325
el1h_64_sync_handler+0x50/0xac arch/arm64/kernel/entry-common.c:459
el1h_64_sync+0x6c/0x70 arch/arm64/kernel/entry.S:591
__memcpy+0xc/0x54 arch/arm64/lib/memcpy.S:250 (P)
do_misc_fixups+0x174/0x1aac kernel/bpf/verifier.c:22553
bpf_check+0x1348/0x2a24 kernel/bpf/verifier.c:24686
bpf_prog_load+0x63c/0xcd4 kernel/bpf/syscall.c:3062
__sys_bpf+0x2e0/0x1a88 kernel/bpf/syscall.c:6134
__do_sys_bpf kernel/bpf/syscall.c:6244 [inline]
__se_sys_bpf kernel/bpf/syscall.c:6242 [inline]
__arm64_sys_bpf+0x24/0x34 kernel/bpf/syscall.c:6242
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x48/0x110 arch/arm64/kernel/syscall.c:49
el0_svc_common.constprop.0+0x40/0xe0 arch/arm64/kernel/syscall.c:132
do_el0_svc+0x1c/0x28 arch/arm64/kernel/syscall.c:151
el0_svc+0x34/0x10c arch/arm64/kernel/entry-common.c:744
el0t_64_sync_handler+0xa0/0xe4 arch/arm64/kernel/entry-common.c:763
el0t_64_sync+0x1a4/0x1a8 arch/arm64/kernel/entry.S:596
The buggy address belongs to a 1-page vmalloc region starting at 0xf0ff800083d6d000 allocated at bpf_check+0x8c/0x2a24 kernel/bpf/verifier.c:24529
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x544b2
flags: 0x1fffc0000000000(node=0|zone=0|lastcpupid=0x7ff|kasantag=0xf)
raw: 01fffc0000000000 0000000000000000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff800083d6d000: f0 f0 f0 f0 f0 f0 f0 f0 f0 f0 f0 f0 f0 f0 f0 f0
ffff800083d6d100: f0 f0 f0 f0 f0 f0 f0 f0 f0 f0 f0 f0 fe fe fe fe
>ffff800083d6d200: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
^
ffff800083d6d300: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
ffff800083d6d400: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
==================================================================
---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.