From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 711B1EB64DD for ; Mon, 14 Aug 2023 11:05:57 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234346AbjHNLF2 (ORCPT ); Mon, 14 Aug 2023 07:05:28 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59810 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231387AbjHNLFB (ORCPT ); Mon, 14 Aug 2023 07:05:01 -0400 Received: from mail-pj1-f77.google.com (mail-pj1-f77.google.com [209.85.216.77]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 4FB6818F for ; Mon, 14 Aug 2023 04:05:00 -0700 (PDT) Received: by mail-pj1-f77.google.com with SMTP id 98e67ed59e1d1-2685bc4f867so4644379a91.0 for ; Mon, 14 Aug 2023 04:05:00 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1692011100; x=1692615900; h=to:from:subject:message-id:date:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=YcKSRohjVIKuuvNZ4BYCYzg+dhK1WKBTv271/C07ueo=; b=A/QDIBtnM5chLtlcGdqhOugHKOXy1FSq6DMp7GA/FaAcaqnUxQMk+8P/MulTxTqMy1 nJHDRhqnAVQbAQHl7obYfQ1CWfsnXaDWnWiFHh8pNJzaE7AJvzUR4BZNYbXGnfzY/zyj QycUFd4t5oT3VCoqZr3j0sTwXl/tBcA8jZZrVchZ4/QWb3EYND5adu09rslIUVjxBH+e 15QYSxWZirtiSfQEZyR82ap95I8iTU5Uuc9iXnS9g3SYhOr7Qk7U5ecOjQWrtD81rTg1 RAxjjF16fn4y9/eCMpe5q6+jqtKDx7PA3OPXNlCqz7k2kmCi121QRx07GD9H2IWwzzRr eymw== X-Gm-Message-State: AOJu0YyLbAh3sQ//bOJes3zdTaf2ZZMLd9SJGgDYKT2XdNHOjutB/Xkn IUoZrrjrTUjBLTJCtoQ1saF8qp/lhUnEWABrQw3Std/8gKVD X-Google-Smtp-Source: AGHT+IFls9/Muz2LlL7JV1SdDr0dgmjubFiddpwsyFJFvHMExufpMlY3+hKJmbNVCQX5KUqv8fymPTNWYdoZcmx/g5V3ag+74fbd MIME-Version: 1.0 X-Received: by 2002:a17:902:da8f:b0:1bb:b39d:8cb0 with SMTP id j15-20020a170902da8f00b001bbb39d8cb0mr3833616plx.1.1692011099839; Mon, 14 Aug 2023 04:04:59 -0700 (PDT) Date: Mon, 14 Aug 2023 04:04:59 -0700 X-Google-Appengine-App-Id: s~syzkaller X-Google-Appengine-App-Id-Alias: syzkaller Message-ID: <0000000000008fe2100602e008a4@google.com> Subject: [syzbot] [mm?] upstream boot error: KASAN: slab-out-of-bounds Read in bootstrap From: syzbot To: akpm@linux-foundation.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, rppt@kernel.org, syzkaller-bugs@googlegroups.com Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hello, syzbot found the following issue on: HEAD commit: 3feecb1b8483 Merge tag 'char-misc-6.5-rc6' of git://git.ke.. git tree: upstream console output: https://syzkaller.appspot.com/x/log.txt?x=137dddaba80000 kernel config: https://syzkaller.appspot.com/x/.config?x=d84c6cf3c2bbdb4d dashboard link: https://syzkaller.appspot.com/bug?extid=2f508e913916096bf53a compiler: aarch64-linux-gnu-gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40 userspace arch: arm64 Downloadable assets: disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/384ffdcca292/non_bootable_disk-3feecb1b.raw.xz vmlinux: https://storage.googleapis.com/syzbot-assets/066a563f6f65/vmlinux-3feecb1b.xz kernel image: https://storage.googleapis.com/syzbot-assets/eb9963107316/Image-3feecb1b.gz.xz IMPORTANT: if you fix the issue, please add the following tag to the commit: Reported-by: syzbot+2f508e913916096bf53a@syzkaller.appspotmail.com Booting Linux on physical CPU 0x0000000000 [0x000f0510] Linux version 6.5.0-rc5-syzkaller-00349-g3feecb1b8483 (syzkaller@syzkaller) (aarch64-linux-gnu-gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40) #0 SMP PREEMPT now random: crng init done Machine model: linux,dummy-virt efi: UEFI not found. NUMA: No NUMA configuration found NUMA: Faking a node at [mem 0x0000000040000000-0x00000000bfffffff] NUMA: NODE_DATA [mem 0xbf9f6000-0xbf9f8fff] Zone ranges: DMA [mem 0x0000000040000000-0x00000000bfffffff] DMA32 empty Normal empty Device empty Movable zone start for each node Early memory node ranges node 0: [mem 0x0000000040000000-0x00000000bfffffff] Initmem setup node 0 [mem 0x0000000040000000-0x00000000bfffffff] cma: Reserved 32 MiB at 0x00000000bb800000 psci: probing for conduit method from DT. psci: PSCIv1.1 detected in firmware. psci: Using standard PSCI v0.2 function IDs psci: Trusted OS migration not required psci: SMC Calling Convention v1.0 percpu: Embedded 22 pages/cpu s51016 r8192 d30904 u90112 Detected PIPT I-cache on CPU0 CPU features: detected: Address authentication (architected QARMA5 algorithm) CPU features: detected: HCRX_EL2 register CPU features: detected: Virtualization Host Extensions CPU features: detected: Hardware dirty bit management CPU features: detected: Memory Tagging Extension CPU features: detected: Asymmetric MTE Tag Check Fault CPU features: detected: Spectre-v4 MTE: enabled in synchronous mode at EL1 alternatives: applying boot alternatives kasan: KernelAddressSanitizer initialized (hw-tags, mode=sync, vmalloc=on, stacktrace=on) Kernel command line: root=/dev/vda console=ttyAMA0 Dentry cache hash table entries: 262144 (order: 9, 2097152 bytes, linear) Inode-cache hash table entries: 131072 (order: 8, 1048576 bytes, linear) Fallback order for Node 0: 0 Built 1 zonelists, mobility grouping on. Total pages: 516096 Policy zone: DMA mem auto-init: stack:all(zero), heap alloc:on, heap free:off stackdepot: allocating hash table via alloc_large_system_hash stackdepot hash table entries: 1048576 (order: 11, 8388608 bytes, linear) software IO TLB: area num 2. software IO TLB: mapped [mem 0x00000000b6d00000-0x00000000bad00000] (64MB) Memory: 1904996K/2097152K available (25152K kernel code, 2446K rwdata, 10084K rodata, 1280K init, 1475K bss, 159388K reserved, 32768K cma-reserved) ================================================================== BUG: KASAN: slab-out-of-bounds in __kasan_slab_alloc+0x7c/0xcc mm/kasan/common.c:331 Read at addr fcff000002c01008 by task swapper/0 Pointer tag: [fc], memory tag: [fd] CPU: 0 PID: 0 Comm: swapper Not tainted 6.5.0-rc5-syzkaller-00349-g3feecb1b8483 #0 Hardware name: linux,dummy-virt (DT) Call trace: dump_backtrace+0x94/0xec arch/arm64/kernel/stacktrace.c:233 show_stack+0x18/0x24 arch/arm64/kernel/stacktrace.c:240 __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x48/0x60 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:364 [inline] print_report+0x108/0x618 mm/kasan/report.c:475 kasan_report+0x88/0xac mm/kasan/report.c:588 report_tag_fault arch/arm64/mm/fault.c:334 [inline] do_tag_recovery arch/arm64/mm/fault.c:346 [inline] __do_kernel_fault+0x180/0x1ec arch/arm64/mm/fault.c:393 do_bad_area arch/arm64/mm/fault.c:493 [inline] do_tag_check_fault+0x78/0x8c arch/arm64/mm/fault.c:771 do_mem_abort+0x44/0x94 arch/arm64/mm/fault.c:847 el1_abort+0x40/0x60 arch/arm64/kernel/entry-common.c:369 el1h_64_sync_handler+0xd8/0xe4 arch/arm64/kernel/entry-common.c:429 el1h_64_sync+0x64/0x68 arch/arm64/kernel/entry.S:586 __kasan_slab_alloc+0x7c/0xcc mm/kasan/common.c:331 kasan_slab_alloc include/linux/kasan.h:186 [inline] slab_post_alloc_hook mm/slab.h:762 [inline] slab_alloc_node mm/slub.c:3470 [inline] slab_alloc mm/slub.c:3478 [inline] __kmem_cache_alloc_lru mm/slub.c:3485 [inline] kmem_cache_alloc+0x144/0x290 mm/slub.c:3494 kmem_cache_zalloc include/linux/slab.h:693 [inline] bootstrap+0x2c/0x174 mm/slub.c:4988 kmem_cache_init+0x144/0x1c8 mm/slub.c:5051 mm_core_init+0x23c/0x2d0 mm/mm_init.c:2787 start_kernel+0x220/0x5fc init/main.c:928 __primary_switched+0xb4/0xbc arch/arm64/kernel/head.S:523 Allocated by task 0: kasan_save_stack+0x3c/0x64 mm/kasan/common.c:45 save_stack_info+0x38/0x118 mm/kasan/tags.c:104 kasan_save_alloc_info+0x14/0x20 mm/kasan/tags.c:138 __kasan_slab_alloc+0x94/0xcc mm/kasan/common.c:328 kasan_slab_alloc include/linux/kasan.h:186 [inline] slab_post_alloc_hook mm/slab.h:762 [inline] slab_alloc_node mm/slub.c:3470 [inline] slab_alloc mm/slub.c:3478 [inline] __kmem_cache_alloc_lru mm/slub.c:3485 [inline] kmem_cache_alloc+0x144/0x290 mm/slub.c:3494 kmem_cache_zalloc include/linux/slab.h:693 [inline] bootstrap+0x2c/0x174 mm/slub.c:4988 kmem_cache_init+0x134/0x1c8 mm/slub.c:5050 mm_core_init+0x23c/0x2d0 mm/mm_init.c:2787 start_kernel+0x220/0x5fc init/main.c:928 __primary_switched+0xb4/0xbc arch/arm64/kernel/head.S:523 The buggy address belongs to the object at ffff000002c01000 which belongs to the cache kmem_cache of size 208 The buggy address is located 8 bytes inside of 208-byte region [ffff000002c01000, ffff000002c010d0) The buggy address belongs to the physical page: page:(____ptrval____) refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x42c01 flags: 0x1ffc00000000200(slab|node=0|zone=0|lastcpupid=0x7ff|kasantag=0x0) page_type: 0xffffffff() raw: 01ffc00000000200 fcff000002c01000 dead000000000100 dead000000000122 raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff000002c00e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff000002c00f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff000002c01000: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd ^ ffff000002c01100: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd ffff000002c01200: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd ================================================================== SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=2, Nodes=1 rcu: Preemptible hierarchical RCU implementation. rcu: RCU restricting CPUs from NR_CPUS=8 to nr_cpu_ids=2. Trampoline variant of Tasks RCU enabled. Tracing variant of Tasks RCU enabled. rcu: RCU calculated value of scheduler-enlistment delay is 10 jiffies. rcu: Adjusting geometry for rcu_fanout_leaf=16, nr_cpu_ids=2 NR_IRQS: 64, nr_irqs: 64, preallocated irqs: 0 Root IRQ handler: gic_handle_irq GIC: Using split EOI/Deactivate mode GICv2m: range[mem 0x08020000-0x08020fff], SPI[80:143] rcu: srcu_init: Setting srcu_struct sizes based on contention. arch_timer: cp15 timer(s) running at 62.50MHz (phys). clocksource: arch_sys_counter: mask: 0x1ffffffffffffff max_cycles: 0x1cd42e208c, max_idle_ns: 881590405314 ns sched_clock: 57 bits at 63MHz, resolution 16ns, wraps every 4398046511096ns kfence: initialized - using 2097152 bytes for 255 objects at 0x(____ptrval____)-0x(____ptrval____) Console: colour dummy device 80x25 Calibrating delay loop (skipped), value calculated using timer frequency.. 125.00 BogoMIPS (lpj=625000) pid_max: default: 32768 minimum: 301 LSM: initializing lsm=lockdown,capability,landlock,yama,safesetid,tomoyo,smack,integrity landlock: Up and running. Yama: becoming mindful. TOMOYO Linux initialized Smack: Initializing. Smack: Netfilter enabled. Smack: IPv6 Netfilter enabled. Mount-cache hash table entries: 4096 (order: 3, 32768 bytes, linear) Mountpoint-cache hash table entries: 4096 (order: 3, 32768 bytes, linear) Detected PIPT I-cache on CPU1 CPU1: Booted secondary processor 0x0000000001 [0x000f0510] --- This report is generated by a bot. It may contain errors. See https://goo.gl/tpsmEJ for more information about syzbot. syzbot engineers can be reached at syzkaller@googlegroups.com. syzbot will keep track of this issue. See: https://goo.gl/tpsmEJ#status for how to communicate with syzbot. If the bug is already fixed, let syzbot know by replying with: #syz fix: exact-commit-title If you want to change bug's subsystems, reply with: #syz set subsystems: new-subsystem (See the list of subsystem names on the web dashboard) If the bug is a duplicate of another bug, reply with: #syz dup: exact-subject-of-another-report If you want to undo deduplication, reply with: #syz undup