public inbox for linux-kernel@vger.kernel.org
* [syzbot] [acpi?] [nvdimm?] KASAN: vmalloc-out-of-bounds Read in acpi_nfit_ctl (2)
From: syzbot @ 2024-11-05 15:28 UTC
  To: dan.j.williams, dave.jiang, ira.weiny, lenb, linux-acpi,
	linux-kernel, nvdimm, rafael, syzkaller-bugs, vishal.l.verma

Hello,

syzbot found the following issue on:

HEAD commit:    2e1b3cc9d7f7 Merge tag 'arm-fixes-6.12-2' of git://git.ker..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12418e30580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=11254d3590b16717
dashboard link: https://syzkaller.appspot.com/bug?extid=7534f060ebda6b8b51b3
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=12170f40580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=16418e30580000

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7feb34a89c2a/non_bootable_disk-2e1b3cc9.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/2f2588b04ae9/vmlinux-2e1b3cc9.xz
kernel image: https://storage.googleapis.com/syzbot-assets/2c9324cf16df/bzImage-2e1b3cc9.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+7534f060ebda6b8b51b3@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: vmalloc-out-of-bounds in cmd_to_func drivers/acpi/nfit/core.c:416 [inline]
BUG: KASAN: vmalloc-out-of-bounds in acpi_nfit_ctl+0x20e8/0x24a0 drivers/acpi/nfit/core.c:459
Read of size 4 at addr ffffc90000e0e038 by task syz-executor229/5316

CPU: 0 UID: 0 PID: 5316 Comm: syz-executor229 Not tainted 6.12.0-rc6-syzkaller-00077-g2e1b3cc9d7f7 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:488
 kasan_report+0x143/0x180 mm/kasan/report.c:601
 cmd_to_func drivers/acpi/nfit/core.c:416 [inline]
 acpi_nfit_ctl+0x20e8/0x24a0 drivers/acpi/nfit/core.c:459
 __nd_ioctl drivers/nvdimm/bus.c:1186 [inline]
 nd_ioctl+0x1844/0x1fd0 drivers/nvdimm/bus.c:1264
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:907 [inline]
 __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fb399ccda79
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffcf6cb8d88 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fb399ccda79
RDX: 0000000020000180 RSI: 00000000c008640a RDI: 0000000000000003
RBP: 00007fb399d405f0 R08: 0000000000000006 R09: 0000000000000006
R10: 0000000000000006 R11: 0000000000000246 R12: 0000000000000001
R13: 431bde82d7b634db R14: 0000000000000001 R15: 0000000000000001
 </TASK>

The buggy address belongs to the virtual mapping at
 [ffffc90000e0e000, ffffc90000e10000) created by:
 __nd_ioctl drivers/nvdimm/bus.c:1169 [inline]
 nd_ioctl+0x1594/0x1fd0 drivers/nvdimm/bus.c:1264

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880401b9a80 pfn:0x401b9
flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
raw: 04fff00000000000 0000000000000000 dead000000000122 0000000000000000
raw: ffff8880401b9a80 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2cc2(GFP_KERNEL|__GFP_HIGHMEM|__GFP_NOWARN), pid 5316, tgid 5316 (syz-executor229), ts 69039468240, free_ts 68666765389
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1537
 prep_new_page mm/page_alloc.c:1545 [inline]
 get_page_from_freelist+0x303f/0x3190 mm/page_alloc.c:3457
 __alloc_pages_noprof+0x292/0x710 mm/page_alloc.c:4733
 alloc_pages_bulk_noprof+0x729/0xd40 mm/page_alloc.c:4681
 alloc_pages_bulk_array_mempolicy_noprof+0x8ea/0x1600 mm/mempolicy.c:2556
 vm_area_alloc_pages mm/vmalloc.c:3542 [inline]
 __vmalloc_area_node mm/vmalloc.c:3646 [inline]
 __vmalloc_node_range_noprof+0x752/0x13f0 mm/vmalloc.c:3828
 __vmalloc_node_noprof mm/vmalloc.c:3893 [inline]
 vmalloc_noprof+0x79/0x90 mm/vmalloc.c:3926
 __nd_ioctl drivers/nvdimm/bus.c:1169 [inline]
 nd_ioctl+0x1594/0x1fd0 drivers/nvdimm/bus.c:1264
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:907 [inline]
 __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 5312 tgid 5312 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1108 [inline]
 free_unref_page+0xcfb/0xf20 mm/page_alloc.c:2638
 __folio_put+0x2c7/0x440 mm/swap.c:126
 pipe_buf_release include/linux/pipe_fs_i.h:219 [inline]
 pipe_update_tail fs/pipe.c:224 [inline]
 pipe_read+0x6ed/0x13e0 fs/pipe.c:344
 new_sync_read fs/read_write.c:488 [inline]
 vfs_read+0x991/0xb70 fs/read_write.c:569
 ksys_read+0x183/0x2b0 fs/read_write.c:712
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffffc90000e0df00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 ffffc90000e0df80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
>ffffc90000e0e000: 00 00 00 00 00 00 00 03 f8 f8 f8 f8 f8 f8 f8 f8
                                        ^
 ffffc90000e0e080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 ffffc90000e0e100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup


* Re: [syzbot] [acpi?] [nvdimm?] KASAN: vmalloc-out-of-bounds Read in acpi_nfit_ctl (2)
From: Jeongjun Park @ 2024-11-06 14:50 UTC
  To: syzbot+7534f060ebda6b8b51b3; +Cc: linux-kernel

#syz test git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

---
 drivers/acpi/nfit/core.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/acpi/nfit/core.c b/drivers/acpi/nfit/core.c
index 5429ec9ef06f..863b59210664 100644
--- a/drivers/acpi/nfit/core.c
+++ b/drivers/acpi/nfit/core.c
@@ -412,6 +412,7 @@ static int cmd_to_func(struct nfit_mem *nfit_mem, unsigned int cmd,
 		if (nfit_mem && nfit_mem->family != call_pkg->nd_family)
 			return -ENOTTY;
 
+		printk(KERN_INFO "%lx", ARRAY_SIZE(call_pkg->nd_reserved2));
 		for (i = 0; i < ARRAY_SIZE(call_pkg->nd_reserved2); i++)
 			if (call_pkg->nd_reserved2[i])
 				return -EINVAL;
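Review bot: the added printk only logs ARRAY_SIZE(call_pkg->nd_reserved2) and leaves the access KASAN flags untouched: the loop at `for (i = 0; i < ARRAY_SIZE(call_pkg->nd_reserved2); i++)` still indexes nd_reserved2 unconditionally, while the report shows a 4-byte read at offset 0x38 of a vmalloc'd buffer whose shadow bytes (`00 00 00 00 00 00 00 03`) mark only 59 bytes as accessible, so the buffer handed to cmd_to_func is shorter than the structure the loop walks. A fix needs a length check before this loop (or at the copy-in in __nd_ioctl that sizes the vmalloc), not a trace, which is consistent with syzbot's test reply still reproducing the same report. As a debug print the line also has two defects: ARRAY_SIZE() yields a size_t, so "%lx" should be "%zu" to avoid a -Wformat warning, and the format string lacks a trailing "\n", which is why the bare `9` appears glued to the following KASAN report in the test output.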
--


* Re: [syzbot] [acpi?] [nvdimm?] KASAN: vmalloc-out-of-bounds Read in acpi_nfit_ctl (2)
From: syzbot @ 2024-11-06 15:06 UTC
  To: aha310510, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: vmalloc-out-of-bounds Read in acpi_nfit_ctl

9
==================================================================
BUG: KASAN: vmalloc-out-of-bounds in cmd_to_func drivers/acpi/nfit/core.c:417 [inline]
BUG: KASAN: vmalloc-out-of-bounds in acpi_nfit_ctl+0x2061/0x2440 drivers/acpi/nfit/core.c:460
Read of size 4 at addr ffffc9000166e038 by task syz.0.15/5815

CPU: 0 UID: 0 PID: 5815 Comm: syz.0.15 Not tainted 6.12.0-rc6-syzkaller-00077-g2e1b3cc9d7f7-dirty #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:488
 kasan_report+0x143/0x180 mm/kasan/report.c:601
 cmd_to_func drivers/acpi/nfit/core.c:417 [inline]
 acpi_nfit_ctl+0x2061/0x2440 drivers/acpi/nfit/core.c:460
 __nd_ioctl drivers/nvdimm/bus.c:1186 [inline]
 nd_ioctl+0x1844/0x1fd0 drivers/nvdimm/bus.c:1264
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:907 [inline]
 __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f768a37e719
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f768b263038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f768a535f80 RCX: 00007f768a37e719
RDX: 0000000020000180 RSI: 00000000c008640a RDI: 0000000000000003
RBP: 00007f768a3f139e R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f768a535f80 R15: 00007ffec5fc1248
 </TASK>

The buggy address belongs to the virtual mapping at
 [ffffc9000166e000, ffffc90001670000) created by:
 __nd_ioctl drivers/nvdimm/bus.c:1169 [inline]
 nd_ioctl+0x1594/0x1fd0 drivers/nvdimm/bus.c:1264

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888040f74360 pfn:0x40f74
flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
raw: 04fff00000000000 0000000000000000 dead000000000122 0000000000000000
raw: ffff888040f74360 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2cc2(GFP_KERNEL|__GFP_HIGHMEM|__GFP_NOWARN), pid 5815, tgid 5814 (syz.0.15), ts 117205092748, free_ts 117198254028
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1537
 prep_new_page mm/page_alloc.c:1545 [inline]
 get_page_from_freelist+0x303f/0x3190 mm/page_alloc.c:3457
 __alloc_pages_noprof+0x292/0x710 mm/page_alloc.c:4733
 alloc_pages_bulk_noprof+0x729/0xd40 mm/page_alloc.c:4681
 alloc_pages_bulk_array_mempolicy_noprof+0x8ea/0x1600 mm/mempolicy.c:2556
 vm_area_alloc_pages mm/vmalloc.c:3542 [inline]
 __vmalloc_area_node mm/vmalloc.c:3646 [inline]
 __vmalloc_node_range_noprof+0x752/0x13f0 mm/vmalloc.c:3828
 __vmalloc_node_noprof mm/vmalloc.c:3893 [inline]
 vmalloc_noprof+0x79/0x90 mm/vmalloc.c:3926
 __nd_ioctl drivers/nvdimm/bus.c:1169 [inline]
 nd_ioctl+0x1594/0x1fd0 drivers/nvdimm/bus.c:1264
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:907 [inline]
 __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 5612 tgid 5612 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1108 [inline]
 free_unref_page+0xcfb/0xf20 mm/page_alloc.c:2638
 __slab_free+0x31b/0x3d0 mm/slub.c:4490
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x9a/0x140 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x14f/0x170 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x23/0x80 mm/kasan/common.c:329
 kasan_slab_alloc include/linux/kasan.h:247 [inline]
 slab_post_alloc_hook mm/slub.c:4085 [inline]
 slab_alloc_node mm/slub.c:4134 [inline]
 kmem_cache_alloc_noprof+0x135/0x2a0 mm/slub.c:4141
 getname_flags+0xb7/0x540 fs/namei.c:139
 do_sys_openat2+0xd2/0x1d0 fs/open.c:1409
 do_sys_open fs/open.c:1430 [inline]
 __do_sys_openat fs/open.c:1446 [inline]
 __se_sys_openat fs/open.c:1441 [inline]
 __x64_sys_openat+0x247/0x2a0 fs/open.c:1441
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffffc9000166df00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 ffffc9000166df80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
>ffffc9000166e000: 00 00 00 00 00 00 00 03 f8 f8 f8 f8 f8 f8 f8 f8
                                        ^
 ffffc9000166e080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 ffffc9000166e100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
==================================================================


Tested on:

commit:         2e1b3cc9 Merge tag 'arm-fixes-6.12-2' of git://git.ker..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16808d87980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=11254d3590b16717
dashboard link: https://syzkaller.appspot.com/bug?extid=7534f060ebda6b8b51b3
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1109b6a7980000



* Re: [syzbot] Re: [syzbot] [acpi?] [nvdimm?] KASAN: vmalloc-out-of-bounds Read in acpi_nfit_ctl (2)
From: syzbot @ 2024-11-07  7:41 UTC
  To: linux-kernel, syzkaller-bugs

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: Re: [syzbot] [acpi?] [nvdimm?] KASAN: vmalloc-out-of-bounds Read in acpi_nfit_ctl (2)
Author: surajsonawane0215@gmail.com

#syz test

On Tue, Nov 5, 2024 at 8:58 PM syzbot <syzbot+7534f060ebda6b8b51b3@syzkaller.appspotmail.com> wrote:

> [...]


* Re: [syzbot] [acpi?] [nvdimm?] KASAN: vmalloc-out-of-bounds Read in acpi_nfit_ctl (2)
From: syzbot @ 2024-11-07  7:56 UTC
  To: linux-kernel, surajsonawane0215, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: vmalloc-out-of-bounds Read in acpi_nfit_ctl

==================================================================
BUG: KASAN: vmalloc-out-of-bounds in cmd_to_func drivers/acpi/nfit/core.c:416 [inline]
BUG: KASAN: vmalloc-out-of-bounds in acpi_nfit_ctl+0x20e8/0x24a0 drivers/acpi/nfit/core.c:459
Read of size 4 at addr ffffc9000169e038 by task syz.0.15/5821

CPU: 0 UID: 0 PID: 5821 Comm: syz.0.15 Not tainted 6.12.0-rc6-syzkaller-00110-gff7afaeca1a1-dirty #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:488
 kasan_report+0x143/0x180 mm/kasan/report.c:601
 cmd_to_func drivers/acpi/nfit/core.c:416 [inline]
 acpi_nfit_ctl+0x20e8/0x24a0 drivers/acpi/nfit/core.c:459
 __nd_ioctl drivers/nvdimm/bus.c:1186 [inline]
 nd_ioctl+0x1844/0x1fd0 drivers/nvdimm/bus.c:1264
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:907 [inline]
 __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7eff6877e719
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007eff6951b038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007eff68935f80 RCX: 00007eff6877e719
RDX: 0000000020000180 RSI: 00000000c008640a RDI: 0000000000000003
RBP: 00007eff687f139e R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007eff68935f80 R15: 00007ffc0d47a418
 </TASK>

The buggy address belongs to the virtual mapping at
 [ffffc9000169e000, ffffc900016a0000) created by:
 __nd_ioctl drivers/nvdimm/bus.c:1169 [inline]
 nd_ioctl+0x1594/0x1fd0 drivers/nvdimm/bus.c:1264

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888040b49700 pfn:0x40b49
flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
raw: 04fff00000000000 0000000000000000 dead000000000122 0000000000000000
raw: ffff888040b49700 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2cc2(GFP_KERNEL|__GFP_HIGHMEM|__GFP_NOWARN), pid 5821, tgid 5820 (syz.0.15), ts 123316051472, free_ts 123283007135
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1537
 prep_new_page mm/page_alloc.c:1545 [inline]
 get_page_from_freelist+0x303f/0x3190 mm/page_alloc.c:3457
 __alloc_pages_noprof+0x292/0x710 mm/page_alloc.c:4733
 alloc_pages_bulk_noprof+0x729/0xd40 mm/page_alloc.c:4681
 alloc_pages_bulk_array_mempolicy_noprof+0x8ea/0x1600 mm/mempolicy.c:2556
 vm_area_alloc_pages mm/vmalloc.c:3542 [inline]
 __vmalloc_area_node mm/vmalloc.c:3646 [inline]
 __vmalloc_node_range_noprof+0x752/0x13f0 mm/vmalloc.c:3828
 __vmalloc_node_noprof mm/vmalloc.c:3893 [inline]
 vmalloc_noprof+0x79/0x90 mm/vmalloc.c:3926
 __nd_ioctl drivers/nvdimm/bus.c:1169 [inline]
 nd_ioctl+0x1594/0x1fd0 drivers/nvdimm/bus.c:1264
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:907 [inline]
 __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 5712 tgid 5712 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1108 [inline]
 free_unref_page+0xcfb/0xf20 mm/page_alloc.c:2638
 __slab_free+0x31b/0x3d0 mm/slub.c:4490
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x9a/0x140 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x14f/0x170 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x23/0x80 mm/kasan/common.c:329
 kasan_slab_alloc include/linux/kasan.h:247 [inline]
 slab_post_alloc_hook mm/slub.c:4085 [inline]
 slab_alloc_node mm/slub.c:4134 [inline]
 kmem_cache_alloc_noprof+0x135/0x2a0 mm/slub.c:4141
 getname_kernel+0x59/0x2f0 fs/namei.c:234
 kern_path+0x1d/0x50 fs/namei.c:2716
 tomoyo_mount_acl security/tomoyo/mount.c:136 [inline]
 tomoyo_mount_permission+0x8db/0xb80 security/tomoyo/mount.c:237
 security_sb_mount+0xe0/0x2f0 security/security.c:1565
 path_mount+0xb9/0xfa0 fs/namespace.c:3776
 do_mount fs/namespace.c:3847 [inline]
 __do_sys_mount fs/namespace.c:4057 [inline]
 __se_sys_mount+0x2d6/0x3c0 fs/namespace.c:4034
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffffc9000169df00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 ffffc9000169df80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
>ffffc9000169e000: 00 00 00 00 00 00 00 03 f8 f8 f8 f8 f8 f8 f8 f8
                                        ^
 ffffc9000169e080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 ffffc9000169e100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
==================================================================


Tested on:

commit:         ff7afaec Merge tag 'nfs-for-6.12-3' of git://git.linux..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1504ae30580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=11254d3590b16717
dashboard link: https://syzkaller.appspot.com/bug?extid=7534f060ebda6b8b51b3
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=14d2df40580000



* Re: [syzbot] Re: [syzbot] [acpi?] [nvdimm?] KASAN: vmalloc-out-of-bounds Read in acpi_nfit_ctl (2)
From: syzbot @ 2024-11-07 19:56 UTC
  To: linux-kernel, syzkaller-bugs

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: Re: [syzbot] [acpi?] [nvdimm?] KASAN: vmalloc-out-of-bounds Read in acpi_nfit_ctl (2)
Author: surajsonawane0215@gmail.com

#syz test

On Tue, Nov 5, 2024 at 8:58 PM syzbot <syzbot+7534f060ebda6b8b51b3@syzkaller.appspotmail.com> wrote:

> [...]
> index:0xffff8880401b9a80 pfn:0x401b9
> flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
> raw: 04fff00000000000 0000000000000000 dead000000000122 0000000000000000
> raw: ffff8880401b9a80 0000000000000000 00000001ffffffff 0000000000000000
> page dumped because: kasan: bad access detected
> page_owner tracks the page as allocated
> page last allocated via order 0, migratetype Unmovable, gfp_mask
> 0x2cc2(GFP_KERNEL|__GFP_HIGHMEM|__GFP_NOWARN), pid 5316, tgid 5316
> (syz-executor229), ts 69039468240, free_ts 68666765389
>  set_page_owner include/linux/page_owner.h:32 [inline]
>  post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1537
>  prep_new_page mm/page_alloc.c:1545 [inline]
>  get_page_from_freelist+0x303f/0x3190 mm/page_alloc.c:3457
>  __alloc_pages_noprof+0x292/0x710 mm/page_alloc.c:4733
>  alloc_pages_bulk_noprof+0x729/0xd40 mm/page_alloc.c:4681
>  alloc_pages_bulk_array_mempolicy_noprof+0x8ea/0x1600 mm/mempolicy.c:2556
>  vm_area_alloc_pages mm/vmalloc.c:3542 [inline]
>  __vmalloc_area_node mm/vmalloc.c:3646 [inline]
>  __vmalloc_node_range_noprof+0x752/0x13f0 mm/vmalloc.c:3828
>  __vmalloc_node_noprof mm/vmalloc.c:3893 [inline]
>  vmalloc_noprof+0x79/0x90 mm/vmalloc.c:3926
>  __nd_ioctl drivers/nvdimm/bus.c:1169 [inline]
>  nd_ioctl+0x1594/0x1fd0 drivers/nvdimm/bus.c:1264
>  vfs_ioctl fs/ioctl.c:51 [inline]
>  __do_sys_ioctl fs/ioctl.c:907 [inline]
>  __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893
>  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
>  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
>  entry_SYSCALL_64_after_hwframe+0x77/0x7f
> page last free pid 5312 tgid 5312 stack trace:
>  reset_page_owner include/linux/page_owner.h:25 [inline]
>  free_pages_prepare mm/page_alloc.c:1108 [inline]
>  free_unref_page+0xcfb/0xf20 mm/page_alloc.c:2638
>  __folio_put+0x2c7/0x440 mm/swap.c:126
>  pipe_buf_release include/linux/pipe_fs_i.h:219 [inline]
>  pipe_update_tail fs/pipe.c:224 [inline]
>  pipe_read+0x6ed/0x13e0 fs/pipe.c:344
>  new_sync_read fs/read_write.c:488 [inline]
>  vfs_read+0x991/0xb70 fs/read_write.c:569
>  ksys_read+0x183/0x2b0 fs/read_write.c:712
>  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
>  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
>  entry_SYSCALL_64_after_hwframe+0x77/0x7f
>
> Memory state around the buggy address:
>  ffffc90000e0df00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
>  ffffc90000e0df80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
> >ffffc90000e0e000: 00 00 00 00 00 00 00 03 f8 f8 f8 f8 f8 f8 f8 f8
>                                         ^
>  ffffc90000e0e080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
>  ffffc90000e0e100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
> ==================================================================
>
>
> ---
> This report is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
>
> syzbot will keep track of this issue. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
>
> If the report is already addressed, let syzbot know by replying with:
> #syz fix: exact-commit-title
>
> If you want syzbot to run the reproducer, reply with:
> #syz test: git://repo/address.git branch-or-commit-hash
> If you attach or paste a git patch, syzbot will apply it before testing.
>
> If you want to overwrite the report's subsystems, reply with:
> #syz set subsystems: new-subsystem
> (See the list of subsystem names on the web dashboard)
>
> If the report is a duplicate of another one, reply with:
> #syz dup: exact-subject-of-another-report
>
> If you want to undo deduplication, reply with:
> #syz undup
>
> --
> You received this message because you are subscribed to the Google Groups
> "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to syzkaller-bugs+unsubscribe@googlegroups.com.
> To view this discussion visit
> https://groups.google.com/d/msgid/syzkaller-bugs/672a3997.050a0220.2a847.11f7.GAE%40google.com
> .
>

^ permalink raw reply	[flat|nested] 23+ messages in thread

* Re: [syzbot] [acpi?] [nvdimm?] KASAN: vmalloc-out-of-bounds Read in acpi_nfit_ctl (2)
       [not found] <CAHiZj8jxeKnsZca8PGgoYvU4cH+gRveNkqjVguA3WX+V_eOtaQ@mail.gmail.com>
@ 2024-11-07 20:18 ` syzbot
  0 siblings, 0 replies; 23+ messages in thread
From: syzbot @ 2024-11-07 20:18 UTC (permalink / raw)
  To: linux-kernel, surajsonawane0215, syzkaller-bugs

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

nx6: QNX6 filesystem 1.0.0 registered.
[    8.170952][    T1] fuse: init (API version 7.41)
[    8.177946][    T1] orangefs_debugfs_init: called with debug mask: :none: :0:
[    8.183363][    T1] orangefs_init: module version upstream loaded
[    8.187965][    T1] JFS: nTxBlock = 6193, nTxLock = 49545
[    8.208314][    T1] SGI XFS with ACLs, security attributes, realtime, quota, no debug enabled
[    8.216600][    T1] 9p: Installing v9fs 9p2000 file system support
[    8.220716][    T1] NILFS version 2 loaded
[    8.223207][    T1] befs: version: 0.9.3
[    8.226735][    T1] ocfs2: Registered cluster interface o2cb
[    8.231974][    T1] ocfs2: Registered cluster interface user
[    8.236251][    T1] OCFS2 User DLM kernel interface loaded
[    8.249844][    T1] gfs2: GFS2 installed
[    8.263620][    T1] ceph: loaded (mds proto 32)
[    8.291737][    T1] NET: Registered PF_ALG protocol family
[    8.295731][    T1] xor: automatically using best checksumming function   avx       
[    8.301190][    T1] async_tx: api initialized (async)
[    8.304560][    T1] Key type asymmetric registered
[    8.308011][    T1] Asymmetric key parser 'x509' registered
[    8.311630][    T1] Asymmetric key parser 'pkcs8' registered
[    8.315349][    T1] Key type pkcs7_test registered
[    8.319667][    T1] Block layer SCSI generic (bsg) driver version 0.4 loaded (major 238)
[    8.325838][    T1] io scheduler mq-deadline registered
[    8.329570][    T1] io scheduler kyber registered
[    8.332988][    T1] io scheduler bfq registered
[    8.359110][    T1] ACPI: \_SB_.GSIE: Enabled at IRQ 20
[    8.370806][    T1] pcieport 0000:00:04.0: PME: Signaling with IRQ 25
[    8.379322][    T1] pcieport 0000:00:04.0: AER: enabled with IRQ 26
[    8.391225][  T140] kworker/u4:2 (140) used greatest stack depth: 25104 bytes left
[    8.398097][    T1] input: Power Button as /devices/LNXSYSTM:00/LNXPWRBN:00/input/input0
[    8.436998][    T1] ACPI: button: Power Button [PWRF]
[    8.637134][    T1] ==================================================================
[    8.642545][    T1] BUG: KASAN: stack-out-of-bounds in acpi_nfit_ctl+0x1c8a/0x2540
[    8.646090][    T1] Read of size 4 at addr ffffc900003371e0 by task swapper/0/1
[    8.646090][    T1] 
[    8.646090][    T1] CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12.0-rc6-syzkaller-00114-g80fb25341631-dirty #0
[    8.646090][    T1] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[    8.646090][    T1] Call Trace:
[    8.646090][    T1]  <TASK>
[    8.646090][    T1]  dump_stack_lvl+0x241/0x360
[    8.646090][    T1]  ? __pfx_dump_stack_lvl+0x10/0x10
[    8.646090][    T1]  ? __pfx__printk+0x10/0x10
[    8.646090][    T1]  ? _printk+0xd5/0x120
[    8.646090][    T1]  print_report+0x169/0x550
[    8.646090][    T1]  ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[    8.646090][    T1]  ? __virt_addr_valid+0xbd/0x530
[    8.646090][    T1]  ? acpi_nfit_ctl+0x1c8a/0x2540
[    8.646090][    T1]  kasan_report+0x143/0x180
[    8.646090][    T1]  ? acpi_nfit_ctl+0x1c8a/0x2540
[    8.646090][    T1]  acpi_nfit_ctl+0x1c8a/0x2540
[    8.646090][    T1]  ? mark_lock+0x9a/0x360
[    8.646090][    T1]  ? __pfx_acpi_nfit_ctl+0x10/0x10
[    8.646090][    T1]  ? nfit_spa_type+0x81/0x410
[    8.646090][    T1]  ? nfit_spa_type+0x378/0x410
[    8.646090][    T1]  ? __pfx_nfit_spa_type+0x10/0x10
[    8.646090][    T1]  ? mark_lock+0x9a/0x360
[    8.646090][    T1]  acpi_nfit_register_regions+0x2ae/0xf50
[    8.646090][    T1]  ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[    8.646090][    T1]  ? __pfx_acpi_nfit_register_regions+0x10/0x10
[    8.646090][    T1]  ? _raw_spin_unlock_irqrestore+0xdd/0x140
[    8.646090][    T1]  ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[    8.646090][    T1]  ? __kmalloc_node_track_caller_noprof+0x242/0x440
[    8.646090][    T1]  acpi_nfit_init+0x6fd0/0x7060
[    8.646090][    T1]  ? __pfx_acpi_nfit_init+0x10/0x10
[    8.646090][    T1]  ? acpi_evaluate_object+0x9a3/0xaf0
[    8.646090][    T1]  ? acpi_nfit_add+0x2f3/0x620
[    8.646090][    T1]  acpi_nfit_add+0x469/0x620
[    8.646090][    T1]  ? __pfx_acpi_nfit_add+0x10/0x10
[    8.646090][    T1]  ? kernfs_put+0x315/0x370
[    8.646090][    T1]  acpi_device_probe+0xa5/0x2b0
[    8.646090][    T1]  ? really_probe+0x274/0xad0
[    8.646090][    T1]  ? __pfx_acpi_device_probe+0x10/0x10
[    8.646090][    T1]  really_probe+0x2b8/0xad0
[    8.646090][    T1]  __driver_probe_device+0x1a2/0x390
[    8.646090][    T1]  driver_probe_device+0x50/0x430
[    8.646090][    T1]  __driver_attach+0x45f/0x710
[    8.646090][    T1]  ? __pfx___driver_attach+0x10/0x10
[    8.646090][    T1]  bus_for_each_dev+0x239/0x2b0
[    8.646090][    T1]  ? __pfx___driver_attach+0x10/0x10
[    8.646090][    T1]  ? __pfx_bus_for_each_dev+0x10/0x10
[    8.646090][    T1]  bus_add_driver+0x346/0x670
[    8.646090][    T1]  driver_register+0x23a/0x320
[    8.646090][    T1]  nfit_init+0x166/0x1b0
[    8.646090][    T1]  ? __pfx_nfit_init+0x10/0x10
[    8.646090][    T1]  do_one_initcall+0x248/0x880
[    8.646090][    T1]  ? __pfx_nfit_init+0x10/0x10
[    8.646090][    T1]  ? __pfx_do_one_initcall+0x10/0x10
[    8.646090][    T1]  ? __pfx_parse_args+0x10/0x10
[    8.646090][    T1]  ? rcu_is_watching+0x15/0xb0
[    8.646090][    T1]  do_initcall_level+0x157/0x210
[    8.646090][    T1]  do_initcalls+0x3f/0x80
[    8.646090][    T1]  kernel_init_freeable+0x435/0x5d0
[    8.646090][    T1]  ? __pfx_kernel_init_freeable+0x10/0x10
[    8.646090][    T1]  ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[    8.646090][    T1]  ? __pfx_kernel_init+0x10/0x10
[    8.646090][    T1]  ? __pfx_kernel_init+0x10/0x10
[    8.646090][    T1]  ? __pfx_kernel_init+0x10/0x10
[    8.646090][    T1]  kernel_init+0x1d/0x2b0
[    8.646090][    T1]  ret_from_fork+0x4b/0x80
[    8.646090][    T1]  ? __pfx_kernel_init+0x10/0x10
[    8.646090][    T1]  ret_from_fork_asm+0x1a/0x30
[    8.646090][    T1]  </TASK>
[    8.646090][    T1] 
[    8.646090][    T1] The buggy address belongs to stack of task swapper/0/1
[    8.646090][    T1]  and is located at offset 160 in frame:
[    8.646090][    T1]  acpi_nfit_register_regions+0x0/0xf50
[    8.646090][    T1] 
[    8.646090][    T1] This frame has 4 objects:
[    8.646090][    T1]  [32, 36) 'cmd_rc.i.i87'
[    8.646090][    T1]  [48, 80) 'ars_start.i.i'
[    8.646090][    T1]  [112, 116) 'cmd_rc.i.i'
[    8.646090][    T1]  [128, 160) 'ars_cap.i'
[    8.646090][    T1] 
[    8.646090][    T1] The buggy address belongs to the virtual mapping at
[    8.646090][    T1]  [ffffc90000330000, ffffc90000339000) created by:
[    8.646090][    T1]  copy_process+0x5d1/0x3d50
[    8.646090][    T1] 
[    8.646090][    T1] The buggy address belongs to the physical page:
[    8.646090][    T1] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x312a4
[    8.646090][    T1] flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
[    8.646090][    T1] raw: 04fff00000000000 0000000000000000 dead000000000122 0000000000000000
[    8.646090][    T1] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[    8.646090][    T1] page dumped because: kasan: bad access detected
[    8.646090][    T1] page_owner tracks the page as allocated
[    8.646090][    T1] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2102(__GFP_HIGHMEM|__GFP_NOWARN|__GFP_ZERO), pid 0, tgid 0 (swapper/0), ts 2318285947, free_ts 0
[    8.646090][    T1]  post_alloc_hook+0x1f3/0x230
[    8.646090][    T1]  get_page_from_freelist+0x303f/0x3190
[    8.646090][    T1]  __alloc_pages_noprof+0x292/0x710
[    8.646090][    T1]  alloc_pages_mpol_noprof+0x3e8/0x680
[    8.646090][    T1]  __vmalloc_node_range_noprof+0xa2b/0x13f0
[    8.646090][    T1]  dup_task_struct+0x444/0x8c0
[    8.646090][    T1]  copy_process+0x5d1/0x3d50
[    8.646090][    T1]  kernel_clone+0x226/0x8f0
[    8.646090][    T1]  user_mode_thread+0x132/0x1a0
[    8.646090][    T1]  rest_init+0x23/0x300
[    8.646090][    T1]  start_kernel+0x47f/0x500
[    8.646090][    T1]  x86_64_start_reservations+0x2a/0x30
[    8.646090][    T1]  x86_64_start_kernel+0x9f/0xa0
[    8.646090][    T1]  common_startup_64+0x13e/0x147
[    8.646090][    T1] page_owner free stack trace missing
[    8.646090][    T1] 
[    8.646090][    T1] Memory state around the buggy address:
[    8.646090][    T1]  ffffc90000337080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[    8.646090][    T1]  ffffc90000337100: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 04 f2 00 00
[    8.646090][    T1] >ffffc90000337180: 00 00 f2 f2 f2 f2 04 f2 00 00 00 00 f3 f3 f3 f3
[    8.646090][    T1]                                                        ^
[    8.646090][    T1]  ffffc90000337200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[    8.646090][    T1]  ffffc90000337280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[    8.646090][    T1] ==================================================================
[    9.044043][    T1] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[    9.048635][    T1] CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12.0-rc6-syzkaller-00114-g80fb25341631-dirty #0
[    9.053640][    T1] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[    9.053640][    T1] Call Trace:
[    9.053640][    T1]  <TASK>
[    9.053640][    T1]  dump_stack_lvl+0x241/0x360
[    9.053640][    T1]  ? __pfx_dump_stack_lvl+0x10/0x10
[    9.053640][    T1]  ? __pfx__printk+0x10/0x10
[    9.053640][    T1]  ? preempt_schedule+0xe1/0xf0
[    9.053640][    T1]  ? vscnprintf+0x5d/0x90
[    9.053640][    T1]  panic+0x349/0x880
[    9.053640][    T1]  ? check_panic_on_warn+0x21/0xb0
[    9.053640][    T1]  ? __pfx_panic+0x10/0x10
[    9.053640][    T1]  ? _raw_spin_unlock_irqrestore+0x130/0x140
[    9.053640][    T1]  ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[    9.053640][    T1]  ? print_report+0x502/0x550
[    9.053640][    T1]  check_panic_on_warn+0x86/0xb0
[    9.053640][    T1]  ? acpi_nfit_ctl+0x1c8a/0x2540
[    9.053640][    T1]  end_report+0x77/0x160
[    9.053640][    T1]  kasan_report+0x154/0x180
[    9.053640][    T1]  ? acpi_nfit_ctl+0x1c8a/0x2540
[    9.053640][    T1]  acpi_nfit_ctl+0x1c8a/0x2540
[    9.053640][    T1]  ? mark_lock+0x9a/0x360
[    9.053640][    T1]  ? __pfx_acpi_nfit_ctl+0x10/0x10
[    9.053640][    T1]  ? nfit_spa_type+0x81/0x410
[    9.053640][    T1]  ? nfit_spa_type+0x378/0x410
[    9.053640][    T1]  ? __pfx_nfit_spa_type+0x10/0x10
[    9.053640][    T1]  ? mark_lock+0x9a/0x360
[    9.053640][    T1]  acpi_nfit_register_regions+0x2ae/0xf50
[    9.053640][    T1]  ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[    9.053640][    T1]  ? __pfx_acpi_nfit_register_regions+0x10/0x10
[    9.053640][    T1]  ? _raw_spin_unlock_irqrestore+0xdd/0x140
[    9.053640][    T1]  ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[    9.053640][    T1]  ? __kmalloc_node_track_caller_noprof+0x242/0x440
[    9.053640][    T1]  acpi_nfit_init+0x6fd0/0x7060
[    9.053640][    T1]  ? __pfx_acpi_nfit_init+0x10/0x10
[    9.053640][    T1]  ? acpi_evaluate_object+0x9a3/0xaf0
[    9.053640][    T1]  ? acpi_nfit_add+0x2f3/0x620
[    9.053640][    T1]  acpi_nfit_add+0x469/0x620
[    9.053640][    T1]  ? __pfx_acpi_nfit_add+0x10/0x10
[    9.053640][    T1]  ? kernfs_put+0x315/0x370
[    9.053640][    T1]  acpi_device_probe+0xa5/0x2b0
[    9.053640][    T1]  ? really_probe+0x274/0xad0
[    9.053640][    T1]  ? __pfx_acpi_device_probe+0x10/0x10
[    9.053640][    T1]  really_probe+0x2b8/0xad0
[    9.053640][    T1]  __driver_probe_device+0x1a2/0x390
[    9.053640][    T1]  driver_probe_device+0x50/0x430
[    9.053640][    T1]  __driver_attach+0x45f/0x710
[    9.053640][    T1]  ? __pfx___driver_attach+0x10/0x10
[    9.053640][    T1]  bus_for_each_dev+0x239/0x2b0
[    9.053640][    T1]  ? __pfx___driver_attach+0x10/0x10
[    9.053640][    T1]  ? __pfx_bus_for_each_dev+0x10/0x10
[    9.053640][    T1]  bus_add_driver+0x346/0x670
[    9.053640][    T1]  driver_register+0x23a/0x320
[    9.053640][    T1]  nfit_init+0x166/0x1b0
[    9.053640][    T1]  ? __pfx_nfit_init+0x10/0x10
[    9.053640][    T1]  do_one_initcall+0x248/0x880
[    9.053640][    T1]  ? __pfx_nfit_init+0x10/0x10
[    9.053640][    T1]  ? __pfx_do_one_initcall+0x10/0x10
[    9.053640][    T1]  ? __pfx_parse_args+0x10/0x10
[    9.053640][    T1]  ? rcu_is_watching+0x15/0xb0
[    9.053640][    T1]  do_initcall_level+0x157/0x210
[    9.053640][    T1]  do_initcalls+0x3f/0x80
[    9.053640][    T1]  kernel_init_freeable+0x435/0x5d0
[    9.053640][    T1]  ? __pfx_kernel_init_freeable+0x10/0x10
[    9.053640][    T1]  ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[    9.053640][    T1]  ? __pfx_kernel_init+0x10/0x10
[    9.053640][    T1]  ? __pfx_kernel_init+0x10/0x10
[    9.053640][    T1]  ? __pfx_kernel_init+0x10/0x10
[    9.053640][    T1]  kernel_init+0x1d/0x2b0
[    9.053640][    T1]  ret_from_fork+0x4b/0x80
[    9.053640][    T1]  ? __pfx_kernel_init+0x10/0x10
[    9.053640][    T1]  ret_from_fork_asm+0x1a/0x30
[    9.053640][    T1]  </TASK>
[    9.053640][    T1] Kernel Offset: disabled
[    9.053640][    T1] Rebooting in 86400 seconds..


syzkaller build log:

git status (err=<nil>)
HEAD detached at da38b4c931f
nothing to commit, working tree clean


tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
go fmt ./sys/... >/dev/null
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=da38b4c931f2882f34163d41ac10bfc78112afc8 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20241105-104654'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
mkdir -p ./bin/linux_amd64
g++ -o ./bin/linux_amd64/syz-executor executor/executor.cc \
	-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -std=c++17 -I. -Iexecutor/_include -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
	-DHOSTGOOS_linux=1 -DGIT_REVISION=\"da38b4c931f2882f34163d41ac10bfc78112afc8\"
/usr/bin/ld: /tmp/cco8PKHf.o: in function `test_cover_filter()':
executor.cc:(.text+0x1426b): warning: the use of `tempnam' is dangerous, better use `mkstemp'
/usr/bin/ld: /tmp/cco8PKHf.o: in function `Connection::Connect(char const*, char const*)':
executor.cc:(.text._ZN10Connection7ConnectEPKcS1_[_ZN10Connection7ConnectEPKcS1_]+0x104): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=15fb3f40580000


Tested on:

commit:         80fb2534 Merge tag 'pwm/for-6.12-rc7-fixes' of git://g..
git tree:       upstream
kernel config:  https://syzkaller.appspot.com/x/.config?x=11254d3590b16717
dashboard link: https://syzkaller.appspot.com/bug?extid=7534f060ebda6b8b51b3
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=100b2d87980000


^ permalink raw reply	[flat|nested] 23+ messages in thread
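The two KASAN dumps in this thread (the vmalloc-out-of-bounds report quoted above and the stack-out-of-bounds report from the failed test) can be decoded mechanically; the Python script below is an added example, not part of the thread or of the kernel's tooling. It parses the "Memory state around the buggy address" rows to report which bytes of the access are poisoned, what the poison byte means, and the size of the nearest addressable object; the poison table follows mm/kasan/kasan.h for generic KASAN, and the embedded inputs are trimmed copies of the two reports with their quote and console prefixes removed.

```python
"""Decode the 'Memory state around the buggy address' dump of a generic-KASAN report:
which accessed bytes are poisoned, what the poison means, and the nearest object's size."""
import re
from typing import Dict, Optional, Tuple

GRANULE = 8  # one shadow byte describes 8 bytes of memory
# Shadow poison values as defined in mm/kasan/kasan.h (generic KASAN).
POISON = {
    0xf1: "stack left redzone", 0xf2: "stack mid redzone",
    0xf3: "stack right redzone", 0xf4: "stack partial redzone",
    0xf8: "vmalloc invalid (outside the vmalloc'd object)",
    0xf9: "global redzone", 0xfb: "freed slab object", 0xfc: "slab redzone",
    0xfe: "page redzone", 0xff: "freed page",
}
ACCESS_RE = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)")
# One dump row: memory address covered by its first shadow byte, then 16 shadow bytes.
ROW_RE = re.compile(r"([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})")

def parse_access(report: str) -> Tuple[str, int, int]:
    m = ACCESS_RE.search(report)
    if not m:
        raise ValueError("no 'Read/Write of size N at addr X' line found")
    return m.group(1), int(m.group(2)), int(m.group(3), 16)

def parse_shadow(report: str) -> Dict[int, int]:
    """Map the memory address of every granule in the dump to its shadow byte."""
    _, _, dump = report.partition("Memory state around the buggy address:")
    shadow: Dict[int, int] = {}
    for m in ROW_RE.finditer(dump):
        base = int(m.group(1), 16)
        for i, tok in enumerate(m.group(2).split()):
            shadow[base + i * GRANULE] = int(tok, 16)
    return shadow

def byte_is_addressable(shadow: Dict[int, int], addr: int) -> Optional[bool]:
    """True/False for bytes the dump covers, None for bytes outside it."""
    s = shadow.get(addr & ~(GRANULE - 1))
    if s is None:
        return None
    # 0 = whole granule addressable, 1..7 = only the first s bytes, >= 8 = poison
    return s == 0 or (s < GRANULE and (addr & (GRANULE - 1)) < s)

def nearest_object(shadow: Dict[int, int], addr: int) -> Optional[Tuple[int, int]]:
    """[start, end) of the addressable object containing addr, or of the one
    that ends just before it when addr already lies in poison."""
    g = addr & ~(GRANULE - 1)
    while g in shadow and shadow[g] >= GRANULE:
        g -= GRANULE
    if g not in shadow:
        return None
    start = g
    while (start - GRANULE) in shadow and shadow[start - GRANULE] == 0:
        start -= GRANULE
    end = start
    while end in shadow and shadow[end] == 0:
        end += GRANULE
    if end in shadow and shadow[end] < GRANULE:  # trailing partial granule
        end += shadow[end]
    return start, end

def poison_after(shadow: Dict[int, int], addr: int) -> Optional[int]:
    """Shadow value of the first poisoned granule at or after addr."""
    g = addr & ~(GRANULE - 1)
    while g in shadow and shadow[g] < GRANULE:
        g += GRANULE
    return shadow.get(g)

def analyze(report: str) -> dict:
    kind, size, addr = parse_access(report)
    shadow = parse_shadow(report)
    bad = [a for a in range(addr, addr + size)
           if byte_is_addressable(shadow, a) is False]
    obj = nearest_object(shadow, addr)
    poison = poison_after(shadow, bad[0]) if bad else None
    return {"access": kind, "size": size, "addr": addr,
            "bad_bytes": len(bad), "first_bad": bad[0] if bad else None,
            "poison": None if poison is None else POISON.get(poison, f"unknown {poison:#04x}"),
            "object_start": obj[0] if obj else None,
            "object_size": obj[1] - obj[0] if obj else None,
            "offset": addr - obj[0] if obj else None}

# Constructed inputs: trimmed copies of the two reports in this thread, prefixes removed.
VMALLOC_REPORT = """\
Read of size 4 at addr ffffc90000e0e038 by task syz-executor229/5316
Memory state around the buggy address:
 ffffc90000e0df80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
>ffffc90000e0e000: 00 00 00 00 00 00 00 03 f8 f8 f8 f8 f8 f8 f8 f8
                                        ^
"""
STACK_REPORT = """\
Read of size 4 at addr ffffc900003371e0 by task swapper/0/1
Memory state around the buggy address:
>ffffc90000337180: 00 00 f2 f2 f2 f2 04 f2 00 00 00 00 f3 f3 f3 f3
                                                       ^
"""

if __name__ == "__main__":
    for rep in (VMALLOC_REPORT, STACK_REPORT):
        print(analyze(rep))
```

For the vmalloc report it finds a 59-byte object read with 4 bytes at offset 56, so one byte lands in 0xf8 vmalloc poison; for the stack report the read at offset 160 of the frame begins exactly at the end of the 32-byte ars_cap object and lands in the f3 right redzone.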

* Re: [syzbot] Re: [syzbot] [acpi?] [nvdimm?] KASAN: vmalloc-out-of-bounds Read in acpi_nfit_ctl (2)
  2024-11-05 15:28 [syzbot] [acpi?] [nvdimm?] KASAN: vmalloc-out-of-bounds Read in acpi_nfit_ctl (2) syzbot
                   ` (2 preceding siblings ...)
  2024-11-07 19:56 ` syzbot
@ 2024-11-08 14:59 ` syzbot
  2024-11-10 10:34 ` Suraj Sonawane
                   ` (6 subsequent siblings)
  10 siblings, 0 replies; 23+ messages in thread
From: syzbot @ 2024-11-08 14:59 UTC (permalink / raw)
  To: linux-kernel, syzkaller-bugs

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: Re: [syzbot] [acpi?] [nvdimm?] KASAN: vmalloc-out-of-bounds Read in acpi_nfit_ctl (2)
Author: surajsonawane0215@gmail.com

#syz test

On Tue, Nov 5, 2024 at 8:58 PM syzbot <
syzbot+7534f060ebda6b8b51b3@syzkaller.appspotmail.com> wrote:

> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit:    2e1b3cc9d7f7 Merge tag 'arm-fixes-6.12-2' of
> git://git.ker..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=12418e30580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=11254d3590b16717
> dashboard link:
> https://syzkaller.appspot.com/bug?extid=7534f060ebda6b8b51b3
> compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for
> Debian) 2.40
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=12170f40580000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=16418e30580000
>
> Downloadable assets:
> disk image (non-bootable):
> https://storage.googleapis.com/syzbot-assets/7feb34a89c2a/non_bootable_disk-2e1b3cc9.raw.xz
> vmlinux:
> https://storage.googleapis.com/syzbot-assets/2f2588b04ae9/vmlinux-2e1b3cc9.xz
> kernel image:
> https://storage.googleapis.com/syzbot-assets/2c9324cf16df/bzImage-2e1b3cc9.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the
> commit:
> Reported-by: syzbot+7534f060ebda6b8b51b3@syzkaller.appspotmail.com
>
> ==================================================================
> BUG: KASAN: vmalloc-out-of-bounds in cmd_to_func
> drivers/acpi/nfit/core.c:416 [inline]
> BUG: KASAN: vmalloc-out-of-bounds in acpi_nfit_ctl+0x20e8/0x24a0
> drivers/acpi/nfit/core.c:459
> Read of size 4 at addr ffffc90000e0e038 by task syz-executor229/5316
>
> CPU: 0 UID: 0 PID: 5316 Comm: syz-executor229 Not tainted
> 6.12.0-rc6-syzkaller-00077-g2e1b3cc9d7f7 #0
> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
> 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
> Call Trace:
>  <TASK>
>  __dump_stack lib/dump_stack.c:94 [inline]
>  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
>  print_address_description mm/kasan/report.c:377 [inline]
>  print_report+0x169/0x550 mm/kasan/report.c:488
>  kasan_report+0x143/0x180 mm/kasan/report.c:601
>  cmd_to_func drivers/acpi/nfit/core.c:416 [inline]
>  acpi_nfit_ctl+0x20e8/0x24a0 drivers/acpi/nfit/core.c:459
>  __nd_ioctl drivers/nvdimm/bus.c:1186 [inline]
>  nd_ioctl+0x1844/0x1fd0 drivers/nvdimm/bus.c:1264
>  vfs_ioctl fs/ioctl.c:51 [inline]
>  __do_sys_ioctl fs/ioctl.c:907 [inline]
>  __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893
>  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
>  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
>  entry_SYSCALL_64_after_hwframe+0x77/0x7f
> RIP: 0033:0x7fb399ccda79
> Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7
> 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
> ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007ffcf6cb8d88 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
> RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fb399ccda79
> RDX: 0000000020000180 RSI: 00000000c008640a RDI: 0000000000000003
> RBP: 00007fb399d405f0 R08: 0000000000000006 R09: 0000000000000006
> R10: 0000000000000006 R11: 0000000000000246 R12: 0000000000000001
> R13: 431bde82d7b634db R14: 0000000000000001 R15: 0000000000000001
>  </TASK>
>
> The buggy address belongs to the virtual mapping at
>  [ffffc90000e0e000, ffffc90000e10000) created by:
>  __nd_ioctl drivers/nvdimm/bus.c:1169 [inline]
>  nd_ioctl+0x1594/0x1fd0 drivers/nvdimm/bus.c:1264
>
> The buggy address belongs to the physical page:
> page: refcount:1 mapcount:0 mapping:0000000000000000
> index:0xffff8880401b9a80 pfn:0x401b9
> flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
> raw: 04fff00000000000 0000000000000000 dead000000000122 0000000000000000
> raw: ffff8880401b9a80 0000000000000000 00000001ffffffff 0000000000000000
> page dumped because: kasan: bad access detected
> page_owner tracks the page as allocated
> page last allocated via order 0, migratetype Unmovable, gfp_mask
> 0x2cc2(GFP_KERNEL|__GFP_HIGHMEM|__GFP_NOWARN), pid 5316, tgid 5316
> (syz-executor229), ts 69039468240, free_ts 68666765389
>  set_page_owner include/linux/page_owner.h:32 [inline]
>  post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1537
>  prep_new_page mm/page_alloc.c:1545 [inline]
>  get_page_from_freelist+0x303f/0x3190 mm/page_alloc.c:3457
>  __alloc_pages_noprof+0x292/0x710 mm/page_alloc.c:4733
>  alloc_pages_bulk_noprof+0x729/0xd40 mm/page_alloc.c:4681
>  alloc_pages_bulk_array_mempolicy_noprof+0x8ea/0x1600 mm/mempolicy.c:2556
>  vm_area_alloc_pages mm/vmalloc.c:3542 [inline]
>  __vmalloc_area_node mm/vmalloc.c:3646 [inline]
>  __vmalloc_node_range_noprof+0x752/0x13f0 mm/vmalloc.c:3828
>  __vmalloc_node_noprof mm/vmalloc.c:3893 [inline]
>  vmalloc_noprof+0x79/0x90 mm/vmalloc.c:3926
>  __nd_ioctl drivers/nvdimm/bus.c:1169 [inline]
>  nd_ioctl+0x1594/0x1fd0 drivers/nvdimm/bus.c:1264
>  vfs_ioctl fs/ioctl.c:51 [inline]
>  __do_sys_ioctl fs/ioctl.c:907 [inline]
>  __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893
>  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
>  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
>  entry_SYSCALL_64_after_hwframe+0x77/0x7f
> page last free pid 5312 tgid 5312 stack trace:
>  reset_page_owner include/linux/page_owner.h:25 [inline]
>  free_pages_prepare mm/page_alloc.c:1108 [inline]
>  free_unref_page+0xcfb/0xf20 mm/page_alloc.c:2638
>  __folio_put+0x2c7/0x440 mm/swap.c:126
>  pipe_buf_release include/linux/pipe_fs_i.h:219 [inline]
>  pipe_update_tail fs/pipe.c:224 [inline]
>  pipe_read+0x6ed/0x13e0 fs/pipe.c:344
>  new_sync_read fs/read_write.c:488 [inline]
>  vfs_read+0x991/0xb70 fs/read_write.c:569
>  ksys_read+0x183/0x2b0 fs/read_write.c:712
>  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
>  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
>  entry_SYSCALL_64_after_hwframe+0x77/0x7f
>
> Memory state around the buggy address:
>  ffffc90000e0df00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
>  ffffc90000e0df80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
> >ffffc90000e0e000: 00 00 00 00 00 00 00 03 f8 f8 f8 f8 f8 f8 f8 f8
>                                         ^
>  ffffc90000e0e080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
>  ffffc90000e0e100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
> ==================================================================

^ permalink raw reply	[flat|nested] 23+ messages in thread

* Re: [syzbot] [acpi?] [nvdimm?] KASAN: vmalloc-out-of-bounds Read in acpi_nfit_ctl (2)
       [not found] <CAHiZj8innKODZYdJr0mV8CJrR_vk8VKw7Gf+wkoUYCp2Mq=v2g@mail.gmail.com>
@ 2024-11-08 15:19 ` syzbot
  0 siblings, 0 replies; 23+ messages in thread
From: syzbot @ 2024-11-08 15:19 UTC (permalink / raw)
  To: linux-kernel, surajsonawane0215, syzkaller-bugs

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+7534f060ebda6b8b51b3@syzkaller.appspotmail.com
Tested-by: syzbot+7534f060ebda6b8b51b3@syzkaller.appspotmail.com

Tested on:

commit:         906bd684 Merge tag 'spi-fix-v6.12-rc6' of git://git.ke..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1207ee30580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=64aa0d9945bd5c1
dashboard link: https://syzkaller.appspot.com/bug?extid=7534f060ebda6b8b51b3
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=174220c0580000

Note: testing is done by a robot and is best-effort only.


* Re: [syzbot] [acpi?] [nvdimm?] KASAN: vmalloc-out-of-bounds Read in acpi_nfit_ctl (2)
  2024-11-05 15:28 [syzbot] [acpi?] [nvdimm?] KASAN: vmalloc-out-of-bounds Read in acpi_nfit_ctl (2) syzbot
                   ` (3 preceding siblings ...)
  2024-11-08 14:59 ` syzbot
@ 2024-11-10 10:34 ` Suraj Sonawane
  2024-11-10 10:55   ` syzbot
  2024-11-13 12:07 ` Suraj Sonawane
                   ` (5 subsequent siblings)
  10 siblings, 1 reply; 23+ messages in thread
From: Suraj Sonawane @ 2024-11-10 10:34 UTC (permalink / raw)
  To: syzbot
  Cc: dan.j.williams, dave.jiang, ira.weiny, lenb, linux-acpi,
	linux-kernel, nvdimm, rafael, syzkaller-bugs, vishal.l.verma



#syz test


[-- Attachment #2: 0001-v3KASAN-vmalloc-out-of-bounds-Read-in-acpi_nfit_ctl-.patch --]
[-- Type: text/x-patch, Size: 1015 bytes --]

From 443b5c366694650f9c771863556433270fff8bc2 Mon Sep 17 00:00:00 2001
From: Suraj Sonawane <surajsonawane0215@gmail.com>
Date: Sun, 10 Nov 2024 16:01:24 +0530
Subject: [PATCH v3] KASAN: vmalloc-out-of-bounds Read in acpi_nfit_ctl (2)

syz test

Signed-off-by: Suraj Sonawane <surajsonawane0215@gmail.com>
---
 drivers/acpi/nfit/core.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/drivers/acpi/nfit/core.c b/drivers/acpi/nfit/core.c
index 5429ec9ef..4a2997b60 100644
--- a/drivers/acpi/nfit/core.c
+++ b/drivers/acpi/nfit/core.c
@@ -454,8 +454,13 @@ int acpi_nfit_ctl(struct nvdimm_bus_descriptor *nd_desc, struct nvdimm *nvdimm,
 	if (cmd_rc)
 		*cmd_rc = -EINVAL;
 
-	if (cmd == ND_CMD_CALL)
-		call_pkg = buf;
+	if (cmd == ND_CMD_CALL) {
+		if (buf == NULL || buf_len < sizeof(struct nd_cmd_pkg)) {
+			rc = -EINVAL;
+			goto out;
+		}
+		call_pkg = (struct nd_cmd_pkg *)buf;
+	}
 	func = cmd_to_func(nfit_mem, cmd, call_pkg, &family);
 	if (func < 0)
 		return func;
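Review bot: the new early exit uses `rc = -EINVAL; goto out;` while the existing `if (func < 0) return func;` two lines below returns directly, and nothing in the hunk shows what the `out` label does with `out_obj`, which has not been assigned at this point; either return -EINVAL directly here, matching the neighbouring check, or make sure the cleanup at `out` tolerates an unset `out_obj` (for example by initialising it to NULL at its declaration). The cast in `call_pkg = (struct nd_cmd_pkg *)buf;` is unnecessary: the replaced line `call_pkg = buf;` assigned the same pointer without one, so `buf` is already a `void *`, and `sizeof(*call_pkg)` would be preferable to `sizeof(struct nd_cmd_pkg)` so the check follows the variable's type. Note also that this check only guarantees the fixed header fits in `buf_len`; any variable-length data that follows the header still needs its own check against `buf_len` before it is read.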
-- 
2.34.1



* Re: [syzbot] [acpi?] [nvdimm?] KASAN: vmalloc-out-of-bounds Read in acpi_nfit_ctl (2)
  2024-11-10 10:34 ` Suraj Sonawane
@ 2024-11-10 10:55   ` syzbot
  0 siblings, 0 replies; 23+ messages in thread
From: syzbot @ 2024-11-10 10:55 UTC (permalink / raw)
  To: dan.j.williams, dave.jiang, ira.weiny, lenb, linux-acpi,
	linux-kernel, nvdimm, rafael, surajsonawane0215, syzkaller-bugs,
	vishal.l.verma

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+7534f060ebda6b8b51b3@syzkaller.appspotmail.com
Tested-by: syzbot+7534f060ebda6b8b51b3@syzkaller.appspotmail.com

Tested on:

commit:         de2f378f Merge tag 'nfsd-6.12-4' of git://git.kernel.o..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=102594e8580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=64aa0d9945bd5c1
dashboard link: https://syzkaller.appspot.com/bug?extid=7534f060ebda6b8b51b3
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=11629ea7980000

Note: testing is done by a robot and is best-effort only.


* Re: [syzbot] [acpi?] [nvdimm?] KASAN: vmalloc-out-of-bounds Read in acpi_nfit_ctl (2)
  2024-11-05 15:28 [syzbot] [acpi?] [nvdimm?] KASAN: vmalloc-out-of-bounds Read in acpi_nfit_ctl (2) syzbot
                   ` (4 preceding siblings ...)
  2024-11-10 10:34 ` Suraj Sonawane
@ 2024-11-13 12:07 ` Suraj Sonawane
  2024-11-13 12:27   ` syzbot
  2024-11-15 15:26 ` [syzbot] " syzbot
                   ` (4 subsequent siblings)
  10 siblings, 1 reply; 23+ messages in thread
From: Suraj Sonawane @ 2024-11-13 12:07 UTC (permalink / raw)
  To: syzbot
  Cc: dan.j.williams, dave.jiang, ira.weiny, lenb, linux-acpi,
	linux-kernel, nvdimm, rafael, syzkaller-bugs, vishal.l.verma



#syz test


[-- Attachment #2: 0001-PATCH-v4-KASAN-vmalloc-out-of-bounds-Read-in-acpi_nf.patch --]
[-- Type: text/x-patch, Size: 1453 bytes --]

From 6c091558d74b19dbd1888aed9338b4d0fd3396da Mon Sep 17 00:00:00 2001
From: Suraj Sonawane <surajsonawane0215@gmail.com>
Date: Wed, 13 Nov 2024 17:35:32 +0530
Subject: [PATCH] [PATCH v4] KASAN: vmalloc-out-of-bounds Read in acpi_nfit_ctl(2)

syz test

Signed-off-by: Suraj Sonawane <surajsonawane0215@gmail.com>
---
 drivers/acpi/nfit/core.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/drivers/acpi/nfit/core.c b/drivers/acpi/nfit/core.c
index 5429ec9ef..eb5349606 100644
--- a/drivers/acpi/nfit/core.c
+++ b/drivers/acpi/nfit/core.c
@@ -439,7 +439,7 @@ int acpi_nfit_ctl(struct nvdimm_bus_descriptor *nd_desc, struct nvdimm *nvdimm,
 {
 	struct acpi_nfit_desc *acpi_desc = to_acpi_desc(nd_desc);
 	struct nfit_mem *nfit_mem = nvdimm_provider_data(nvdimm);
-	union acpi_object in_obj, in_buf, *out_obj;
+	union acpi_object in_obj, in_buf, *out_obj = NULL;
 	const struct nd_cmd_desc *desc = NULL;
 	struct device *dev = acpi_desc->dev;
 	struct nd_cmd_pkg *call_pkg = NULL;
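Review bot: initialising `out_obj` to NULL is only needed because a path can now reach the `out` cleanup before `out_obj` has been assigned (the `goto out` added in the next hunk); that reasoning belongs in the commit message, which currently reads only "syz test", since a reader of this hunk alone cannot tell why the initialiser was added or what the cleanup does with a NULL `out_obj`.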
@@ -454,8 +454,14 @@ int acpi_nfit_ctl(struct nvdimm_bus_descriptor *nd_desc, struct nvdimm *nvdimm,
 	if (cmd_rc)
 		*cmd_rc = -EINVAL;
 
-	if (cmd == ND_CMD_CALL)
-		call_pkg = buf;
+	if (cmd == ND_CMD_CALL) {
+		if (!buf || buf_len < sizeof(*call_pkg)) {
+			rc = -EINVAL;
+			goto out;
+		}
+		call_pkg = (struct nd_cmd_pkg *)buf;
+	}
+
 	func = cmd_to_func(nfit_mem, cmd, call_pkg, &family);
 	if (func < 0)
 		return func;
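Review bot: `sizeof(*call_pkg)` is the right choice here, but the cast in `call_pkg = (struct nd_cmd_pkg *)buf;` is still unnecessary, since the replaced line `call_pkg = buf;` assigned it without one. The error handling remains mixed: this check does `rc = -EINVAL; goto out;` while `if (func < 0) return func;` immediately after it returns directly, and `*cmd_rc` was already set to -EINVAL just above, so a plain `return -EINVAL;` would be consistent with the surrounding code and would avoid depending on what the `out` label does. As in v3, the check covers only the fixed `struct nd_cmd_pkg` header; any variable-length payload that follows it still has to be validated against `buf_len` before it is read.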
-- 
2.34.1



* Re: [syzbot] [acpi?] [nvdimm?] KASAN: vmalloc-out-of-bounds Read in acpi_nfit_ctl (2)
  2024-11-13 12:07 ` Suraj Sonawane
@ 2024-11-13 12:27   ` syzbot
  0 siblings, 0 replies; 23+ messages in thread
From: syzbot @ 2024-11-13 12:27 UTC (permalink / raw)
  To: dan.j.williams, dave.jiang, ira.weiny, lenb, linux-acpi,
	linux-kernel, nvdimm, rafael, surajsonawane0215, syzkaller-bugs,
	vishal.l.verma

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+7534f060ebda6b8b51b3@syzkaller.appspotmail.com
Tested-by: syzbot+7534f060ebda6b8b51b3@syzkaller.appspotmail.com

Tested on:

commit:         f1b785f4 Merge tag 'for_linus' of git://git.kernel.org..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=17ca8df7980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=d2aeec8c0b2e420c
dashboard link: https://syzkaller.appspot.com/bug?extid=7534f060ebda6b8b51b3
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=11d20b5f980000

Note: testing is done by a robot and is best-effort only.


* Re: [syzbot] Re: [syzbot] [acpi?] [nvdimm?] KASAN: vmalloc-out-of-bounds Read in acpi_nfit_ctl (2)
  2024-11-05 15:28 [syzbot] [acpi?] [nvdimm?] KASAN: vmalloc-out-of-bounds Read in acpi_nfit_ctl (2) syzbot
                   ` (5 preceding siblings ...)
  2024-11-13 12:07 ` Suraj Sonawane
@ 2024-11-15 15:26 ` syzbot
  2024-11-16 10:17 ` Suraj Sonawane
                   ` (3 subsequent siblings)
  10 siblings, 0 replies; 23+ messages in thread
From: syzbot @ 2024-11-15 15:26 UTC (permalink / raw)
  To: linux-kernel, syzkaller-bugs

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: Re: [syzbot] [acpi?] [nvdimm?] KASAN: vmalloc-out-of-bounds Read in acpi_nfit_ctl (2)
Author: surajsonawane0215@gmail.com

#syz test



* Re: [syzbot] [acpi?] [nvdimm?] KASAN: vmalloc-out-of-bounds Read in acpi_nfit_ctl (2)
       [not found] <CAHiZj8g60jN3tbjaGDc4r8vYe0s5zmvxx74Ni3vEv8TKjYXB5g@mail.gmail.com>
@ 2024-11-15 15:46 ` syzbot
  0 siblings, 0 replies; 23+ messages in thread
From: syzbot @ 2024-11-15 15:46 UTC (permalink / raw)
  To: linux-kernel, surajsonawane0215, syzkaller-bugs

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+7534f060ebda6b8b51b3@syzkaller.appspotmail.com
Tested-by: syzbot+7534f060ebda6b8b51b3@syzkaller.appspotmail.com

Tested on:

commit:         cfaaa7d0 Merge tag 'net-6.12-rc8' of git://git.kernel...
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13845130580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=d2aeec8c0b2e420c
dashboard link: https://syzkaller.appspot.com/bug?extid=7534f060ebda6b8b51b3
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=172adcc0580000

Note: testing is done by a robot and is best-effort only.

^ permalink raw reply	[flat|nested] 23+ messages in thread

* Re: [syzbot] [acpi?] [nvdimm?] KASAN: vmalloc-out-of-bounds Read in acpi_nfit_ctl (2)
  2024-11-05 15:28 [syzbot] [acpi?] [nvdimm?] KASAN: vmalloc-out-of-bounds Read in acpi_nfit_ctl (2) syzbot
                   ` (6 preceding siblings ...)
  2024-11-15 15:26 ` [syzbot] " syzbot
@ 2024-11-16 10:17 ` Suraj Sonawane
  2024-11-16 10:38   ` syzbot
  2024-11-18 12:30 ` [syzbot] " syzbot
                   ` (2 subsequent siblings)
  10 siblings, 1 reply; 23+ messages in thread
From: Suraj Sonawane @ 2024-11-16 10:17 UTC (permalink / raw)
  To: syzbot
  Cc: dan.j.williams, dave.jiang, ira.weiny, lenb, linux-acpi,
	linux-kernel, nvdimm, rafael, syzkaller-bugs, vishal.l.verma


#syz test


[-- Attachment #2: 0001-fix-vmalloc.patch --]
[-- Type: text/x-patch, Size: 2872 bytes --]

From cd70ead500c4498914af578fd65fb446854cd9ca Mon Sep 17 00:00:00 2001
From: Suraj Sonawane <surajsonawane0215@gmail.com>
Date: Sat, 16 Nov 2024 15:44:28 +0530
Subject: [PATCH v5] acpi: nfit: vmalloc-out-of-bounds Read in acpi_nfit_ctl

Fix an issue detected by syzbot with KASAN:

BUG: KASAN: vmalloc-out-of-bounds in cmd_to_func drivers/acpi/nfit/
core.c:416 [inline]
BUG: KASAN: vmalloc-out-of-bounds in acpi_nfit_ctl+0x20e8/0x24a0
drivers/acpi/nfit/core.c:459

The issue occurs in cmd_to_func when the call_pkg->nd_reserved2
array is accessed without verifying that call_pkg points to a buffer
that is appropriately sized as a struct nd_cmd_pkg. This can lead
to out-of-bounds access and undefined behavior if the buffer does not
have sufficient space.

To address this, a check was added in acpi_nfit_ctl() to ensure that
buf is not NULL and that buf_len is less than sizeof(*call_pkg)
before accessing it. This ensures safe access to the members of
call_pkg, including the nd_reserved2 array.

Reported-by: syzbot+7534f060ebda6b8b51b3@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=7534f060ebda6b8b51b3
Tested-by: syzbot+7534f060ebda6b8b51b3@syzkaller.appspotmail.com
Fixes: ebe9f6f19d80 ("acpi/nfit: Fix bus command validation")
Signed-off-by: Suraj Sonawane <surajsonawane0215@gmail.com>
---
V1: https://lore.kernel.org/lkml/20241111080429.9861-1-surajsonawane0215@gmail.com/
V2: Initialized `out_obj` to `NULL` in `acpi_nfit_ctl()` to prevent
potential uninitialized variable usage if the condition is true.
V3: Changed the condition to if (!buf || buf_len < sizeof(*call_pkg))
and updated the Fixes tag to reference the correct commit.
V4: Removed the explicit cast to maintain the original code style.
V5: Re-initialized `out_obj` to NULL.

 drivers/acpi/nfit/core.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/drivers/acpi/nfit/core.c b/drivers/acpi/nfit/core.c
index 5429ec9ef..573ed264c 100644
--- a/drivers/acpi/nfit/core.c
+++ b/drivers/acpi/nfit/core.c
@@ -439,7 +439,7 @@ int acpi_nfit_ctl(struct nvdimm_bus_descriptor *nd_desc, struct nvdimm *nvdimm,
 {
 	struct acpi_nfit_desc *acpi_desc = to_acpi_desc(nd_desc);
 	struct nfit_mem *nfit_mem = nvdimm_provider_data(nvdimm);
-	union acpi_object in_obj, in_buf, *out_obj;
+	union acpi_object in_obj, in_buf, *out_obj = NULL;
 	const struct nd_cmd_desc *desc = NULL;
 	struct device *dev = acpi_desc->dev;
 	struct nd_cmd_pkg *call_pkg = NULL;
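Review bot: the `= NULL` initialisation of out_obj is only needed because the second hunk's `goto out` reaches the cleanup path before out_obj is assigned (the V2/V5 changelog entries say as much); if that early exit is written as a plain `return -EINVAL;`, matching the `if (func < 0) return func;` that already follows the cmd_to_func() call, this hunk becomes unnecessary. If it stays, the commit message should state why out_obj must be valid at the `out` label, since the visible diff does not show what `out` does with it.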
@@ -454,8 +454,15 @@ int acpi_nfit_ctl(struct nvdimm_bus_descriptor *nd_desc, struct nvdimm *nvdimm,
 	if (cmd_rc)
 		*cmd_rc = -EINVAL;
 
-	if (cmd == ND_CMD_CALL)
+	if (cmd == ND_CMD_CALL) {
+		if (!buf || buf_len < sizeof(*call_pkg)) {
+			rc = -EINVAL;
+			goto out;
+		}
+
 		call_pkg = buf;
+	}
+
 	func = cmd_to_func(nfit_mem, cmd, call_pkg, &family);
 	if (func < 0)
 		return func;
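Review bot: `goto out` for a validation failure before anything has been allocated is heavier than it needs to be; the function already exits early with `return func;` two lines below, so `return -EINVAL;` inside the new `if (!buf || buf_len < sizeof(*call_pkg))` block keeps the existing style and removes the need to pre-initialise out_obj in the first hunk. The ordering is right: `*cmd_rc` was set to -EINVAL just above, and the check sits before cmd_to_func() dereferences call_pkg->nd_reserved2. Separately, the commit message says the check ensures "buf_len is less than sizeof(*call_pkg)", which is the condition being rejected; it should read "at least sizeof(*call_pkg)".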
-- 
2.34.1


^ permalink raw reply related	[flat|nested] 23+ messages in thread
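The commit message above describes cmd_to_func() walking call_pkg->nd_reserved2 in a buffer that is shorter than struct nd_cmd_pkg. The following is an added worked example, not kernel code and not the patch author's code: it mirrors the nd_cmd_pkg layout from include/uapi/linux/ndctl.h, decodes the KASAN shadow row quoted in the report, and shows that the faulting 4-byte read at offset 0x38 is nd_reserved2[8] of a 59-byte buffer, which the patch's size guard rejects.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed model of the report in this thread; not kernel code.
 * The struct mirrors nd_cmd_pkg from include/uapi/linux/ndctl.h so
 * that offsetof()/sizeof() give the real header layout (64 bytes).
 */
struct nd_cmd_pkg {
	uint64_t nd_family;		/* family of commands */
	uint64_t nd_command;
	uint32_t nd_size_in;		/* size of input args */
	uint32_t nd_size_out;		/* size of payload */
	uint32_t nd_reserved2[9];	/* reserved, must be zero */
	uint32_t nd_fw_size;		/* size fw wants to return */
	unsigned char nd_payload[];	/* contents of call */
};

#define KASAN_GRANULE 8
#define ND_RESERVED2_LEN \
	(sizeof(((struct nd_cmd_pkg *)0)->nd_reserved2) / sizeof(uint32_t))

/*
 * Decode one row of "Memory state around the buggy address". Each shadow
 * byte covers 8 bytes of memory: 00 means all 8 are accessible, 1..7 means
 * only that many leading bytes are, and 0x80 and above are poison codes
 * (f8 is the vmalloc poison seen in the report). Returns how many bytes are
 * accessible from the start of the row before the first partial or
 * poisoned granule ends the run.
 */
size_t kasan_accessible_bytes(const uint8_t *shadow, size_t n)
{
	size_t bytes = 0;

	for (size_t i = 0; i < n; i++) {
		if (shadow[i] == 0) {
			bytes += KASAN_GRANULE;
			continue;
		}
		if (shadow[i] < KASAN_GRANULE)
			bytes += shadow[i];	/* partially accessible granule */
		break;
	}
	return bytes;
}

/* The shadow row the report marks with '>' for the ioctl's vmalloc buffer. */
static const uint8_t report_shadow[16] = {
	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03,
	0xf8, 0xf8, 0xf8, 0xf8, 0xf8, 0xf8, 0xf8, 0xf8,
};

/*
 * Model of the reserved-field walk in cmd_to_func(): it reads every
 * nd_reserved2[i] as a u32. Returns the offset of the first read that
 * would extend past buf_len, or -1 if the whole walk stays in bounds.
 */
long first_oob_read(size_t buf_len)
{
	for (size_t i = 0; i < ND_RESERVED2_LEN; i++) {
		size_t off = offsetof(struct nd_cmd_pkg, nd_reserved2) +
			     i * sizeof(uint32_t);

		if (off + sizeof(uint32_t) > buf_len)
			return (long)off;
	}
	return -1;
}

/* The guard the patch adds for ND_CMD_CALL before call_pkg is dereferenced. */
bool call_pkg_ok(const void *buf, size_t buf_len)
{
	return buf != NULL && buf_len >= sizeof(struct nd_cmd_pkg);
}

int main(void)
{
	size_t valid = kasan_accessible_bytes(report_shadow, sizeof(report_shadow));
	long oob = first_oob_read(valid);

	printf("header size %zu, buffer holds %zu accessible bytes\n",
	       sizeof(struct nd_cmd_pkg), valid);
	printf("first out-of-bounds u32 read at offset 0x%lx (nd_reserved2[%ld])\n",
	       oob, (oob - (long)offsetof(struct nd_cmd_pkg, nd_reserved2)) / 4);
	/* report_shadow only serves as a non-NULL stand-in for buf here. */
	printf("patch guard accepts %zu-byte buffer: %s\n", valid,
	       call_pkg_ok(report_shadow, valid) ? "yes" : "no");
	return 0;
}
```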

* Re: [syzbot] [acpi?] [nvdimm?] KASAN: vmalloc-out-of-bounds Read in acpi_nfit_ctl (2)
  2024-11-16 10:17 ` Suraj Sonawane
@ 2024-11-16 10:38   ` syzbot
  0 siblings, 0 replies; 23+ messages in thread
From: syzbot @ 2024-11-16 10:38 UTC (permalink / raw)
  To: dan.j.williams, dave.jiang, ira.weiny, lenb, linux-acpi,
	linux-kernel, nvdimm, rafael, surajsonawane0215, syzkaller-bugs,
	vishal.l.verma

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+7534f060ebda6b8b51b3@syzkaller.appspotmail.com
Tested-by: syzbot+7534f060ebda6b8b51b3@syzkaller.appspotmail.com

Tested on:

commit:         e8bdb3c8 Merge tag 'riscv-for-linus-6.12-rc8' of git:/..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12a112c0580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=d2aeec8c0b2e420c
dashboard link: https://syzkaller.appspot.com/bug?extid=7534f060ebda6b8b51b3
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=109e12c0580000

Note: testing is done by a robot and is best-effort only.

^ permalink raw reply	[flat|nested] 23+ messages in thread

* Re: [syzbot] Re: [syzbot] [acpi?] [nvdimm?] KASAN: vmalloc-out-of-bounds Read in acpi_nfit_ctl (2)
  2024-11-05 15:28 [syzbot] [acpi?] [nvdimm?] KASAN: vmalloc-out-of-bounds Read in acpi_nfit_ctl (2) syzbot
                   ` (7 preceding siblings ...)
  2024-11-16 10:17 ` Suraj Sonawane
@ 2024-11-18 12:30 ` syzbot
  2024-11-18 13:21 ` syzbot
  2024-11-18 16:01 ` syzbot
  10 siblings, 0 replies; 23+ messages in thread
From: syzbot @ 2024-11-18 12:30 UTC (permalink / raw)
  To: linux-kernel, syzkaller-bugs

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: Re: [syzbot] [acpi?] [nvdimm?] KASAN: vmalloc-out-of-bounds Read in acpi_nfit_ctl (2)
Author: surajsonawane0215@gmail.com

#syz test


^ permalink raw reply	[flat|nested] 23+ messages in thread

* Re: [syzbot] [acpi?] [nvdimm?] KASAN: vmalloc-out-of-bounds Read in acpi_nfit_ctl (2)
       [not found] <CAHiZj8gNs-FFFQ0E1Zyxq7wa=CrHVfbaXeNE8yYi9eZVakGk8A@mail.gmail.com>
@ 2024-11-18 12:45 ` syzbot
  0 siblings, 0 replies; 23+ messages in thread
From: syzbot @ 2024-11-18 12:45 UTC (permalink / raw)
  To: linux-kernel, surajsonawane0215, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: vmalloc-out-of-bounds Read in acpi_nfit_ctl

==================================================================
BUG: KASAN: vmalloc-out-of-bounds in cmd_to_func drivers/acpi/nfit/core.c:416 [inline]
BUG: KASAN: vmalloc-out-of-bounds in acpi_nfit_ctl+0x20e8/0x24a0 drivers/acpi/nfit/core.c:465
Read of size 4 at addr ffffc90001106038 by task syz.0.15/5811

CPU: 0 UID: 0 PID: 5811 Comm: syz.0.15 Not tainted 6.12.0-syzkaller-dirty #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:488
 kasan_report+0x143/0x180 mm/kasan/report.c:601
 cmd_to_func drivers/acpi/nfit/core.c:416 [inline]
 acpi_nfit_ctl+0x20e8/0x24a0 drivers/acpi/nfit/core.c:465
 __nd_ioctl drivers/nvdimm/bus.c:1186 [inline]
 nd_ioctl+0x1844/0x1fd0 drivers/nvdimm/bus.c:1264
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:907 [inline]
 __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f51e537e719
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f51e61fb038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f51e5535f80 RCX: 00007f51e537e719
RDX: 0000000020000180 RSI: 00000000c008640a RDI: 0000000000000003
RBP: 00007f51e53f139e R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f51e5535f80 R15: 00007ffe9dc12f58
 </TASK>

The buggy address belongs to the virtual mapping at
 [ffffc90001106000, ffffc90001108000) created by:
 __nd_ioctl drivers/nvdimm/bus.c:1169 [inline]
 nd_ioctl+0x1594/0x1fd0 drivers/nvdimm/bus.c:1264

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88803f405500 pfn:0x3f405
flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
raw: 04fff00000000000 0000000000000000 dead000000000122 0000000000000000
raw: ffff88803f405500 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2cc2(GFP_KERNEL|__GFP_HIGHMEM|__GFP_NOWARN), pid 5811, tgid 5810 (syz.0.15), ts 121385960669, free_ts 121037718009
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1556
 prep_new_page mm/page_alloc.c:1564 [inline]
 get_page_from_freelist+0x3649/0x3790 mm/page_alloc.c:3474
 __alloc_pages_noprof+0x292/0x710 mm/page_alloc.c:4751
 alloc_pages_bulk_noprof+0x70b/0xcc0 mm/page_alloc.c:4699
 alloc_pages_bulk_array_mempolicy_noprof+0x8ea/0x1600 mm/mempolicy.c:2556
 vm_area_alloc_pages mm/vmalloc.c:3542 [inline]
 __vmalloc_area_node mm/vmalloc.c:3646 [inline]
 __vmalloc_node_range_noprof+0x752/0x13f0 mm/vmalloc.c:3828
 __vmalloc_node_noprof mm/vmalloc.c:3893 [inline]
 vmalloc_noprof+0x79/0x90 mm/vmalloc.c:3926
 __nd_ioctl drivers/nvdimm/bus.c:1169 [inline]
 nd_ioctl+0x1594/0x1fd0 drivers/nvdimm/bus.c:1264
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:907 [inline]
 __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 5804 tgid 5804 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1127 [inline]
 free_unref_folios+0xf37/0x1a20 mm/page_alloc.c:2704
 folios_put_refs+0x76c/0x860 mm/swap.c:993
 free_pages_and_swap_cache+0x5c8/0x690 mm/swap_state.c:335
 __tlb_batch_free_encoded_pages mm/mmu_gather.c:136 [inline]
 tlb_batch_pages_flush mm/mmu_gather.c:149 [inline]
 tlb_flush_mmu_free mm/mmu_gather.c:366 [inline]
 tlb_flush_mmu+0x3a3/0x680 mm/mmu_gather.c:373
 tlb_finish_mmu+0xd4/0x200 mm/mmu_gather.c:465
 exit_mmap+0x496/0xc40 mm/mmap.c:1936
 __mmput+0x115/0x390 kernel/fork.c:1348
 exec_mmap+0x680/0x710 fs/exec.c:1014
 begin_new_exec+0x12c0/0x2050 fs/exec.c:1280
 load_elf_binary+0x966/0x2710 fs/binfmt_elf.c:996
 search_binary_handler fs/exec.c:1752 [inline]
 exec_binprm fs/exec.c:1794 [inline]
 bprm_execve+0xaf8/0x1770 fs/exec.c:1845
 do_execveat_common+0x55f/0x6f0 fs/exec.c:1952
 do_execve fs/exec.c:2026 [inline]
 __do_sys_execve fs/exec.c:2102 [inline]
 __se_sys_execve fs/exec.c:2097 [inline]
 __x64_sys_execve+0x92/0xb0 fs/exec.c:2097
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffffc90001105f00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 ffffc90001105f80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
>ffffc90001106000: 00 00 00 00 00 00 00 03 f8 f8 f8 f8 f8 f8 f8 f8
                                        ^
 ffffc90001106080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 ffffc90001106100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
==================================================================


Tested on:

commit:         adc21867 Linux 6.12
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15488ac0580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=e31661728c1a4027
dashboard link: https://syzkaller.appspot.com/bug?extid=7534f060ebda6b8b51b3
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=162ecbf7980000


^ permalink raw reply	[flat|nested] 23+ messages in thread

* Re: [syzbot] Re: [syzbot] [acpi?] [nvdimm?] KASAN: vmalloc-out-of-bounds Read in acpi_nfit_ctl (2)
  2024-11-05 15:28 [syzbot] [acpi?] [nvdimm?] KASAN: vmalloc-out-of-bounds Read in acpi_nfit_ctl (2) syzbot
                   ` (8 preceding siblings ...)
  2024-11-18 12:30 ` [syzbot] " syzbot
@ 2024-11-18 13:21 ` syzbot
  2024-11-18 16:01 ` syzbot
  10 siblings, 0 replies; 23+ messages in thread
From: syzbot @ 2024-11-18 13:21 UTC (permalink / raw)
  To: linux-kernel, syzkaller-bugs

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: Re: [syzbot] [acpi?] [nvdimm?] KASAN: vmalloc-out-of-bounds Read in acpi_nfit_ctl (2)
Author: surajsonawane0215@gmail.com

#syz test

>  vfs_ioctl fs/ioctl.c:51 [inline]
>  __do_sys_ioctl fs/ioctl.c:907 [inline]
>  __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893
>  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
>  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
>  entry_SYSCALL_64_after_hwframe+0x77/0x7f
> page last free pid 5312 tgid 5312 stack trace:
>  reset_page_owner include/linux/page_owner.h:25 [inline]
>  free_pages_prepare mm/page_alloc.c:1108 [inline]
>  free_unref_page+0xcfb/0xf20 mm/page_alloc.c:2638
>  __folio_put+0x2c7/0x440 mm/swap.c:126
>  pipe_buf_release include/linux/pipe_fs_i.h:219 [inline]
>  pipe_update_tail fs/pipe.c:224 [inline]
>  pipe_read+0x6ed/0x13e0 fs/pipe.c:344
>  new_sync_read fs/read_write.c:488 [inline]
>  vfs_read+0x991/0xb70 fs/read_write.c:569
>  ksys_read+0x183/0x2b0 fs/read_write.c:712
>  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
>  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
>  entry_SYSCALL_64_after_hwframe+0x77/0x7f
>
> Memory state around the buggy address:
>  ffffc90000e0df00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
>  ffffc90000e0df80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
> >ffffc90000e0e000: 00 00 00 00 00 00 00 03 f8 f8 f8 f8 f8 f8 f8 f8
>                                         ^
>  ffffc90000e0e080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
>  ffffc90000e0e100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
> ==================================================================
>
>
> ---
> This report is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
>
> syzbot will keep track of this issue. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
>
> If the report is already addressed, let syzbot know by replying with:
> #syz fix: exact-commit-title
>
> If you want syzbot to run the reproducer, reply with:
> #syz test: git://repo/address.git branch-or-commit-hash
> If you attach or paste a git patch, syzbot will apply it before testing.
>
> If you want to overwrite the report's subsystems, reply with:
> #syz set subsystems: new-subsystem
> (See the list of subsystem names on the web dashboard)
>
> If the report is a duplicate of another one, reply with:
> #syz dup: exact-subject-of-another-report
>
> If you want to undo deduplication, reply with:
> #syz undup
>
> --
> You received this message because you are subscribed to the Google Groups
> "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to syzkaller-bugs+unsubscribe@googlegroups.com.
> To view this discussion visit
> https://groups.google.com/d/msgid/syzkaller-bugs/672a3997.050a0220.2a847.11f7.GAE%40google.com
> .
>

^ permalink raw reply	[flat|nested] 23+ messages in thread

* Re: [syzbot] [acpi?] [nvdimm?] KASAN: vmalloc-out-of-bounds Read in acpi_nfit_ctl (2)
       [not found] <CAHiZj8im=xETmWAt7yi7X3KwwLy4Ad+i6Yk7NwWqJMfJR_kd-A@mail.gmail.com>
@ 2024-11-18 13:41 ` syzbot
  0 siblings, 0 replies; 23+ messages in thread
From: syzbot @ 2024-11-18 13:41 UTC (permalink / raw)
  To: linux-kernel, surajsonawane0215, syzkaller-bugs

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+7534f060ebda6b8b51b3@syzkaller.appspotmail.com
Tested-by: syzbot+7534f060ebda6b8b51b3@syzkaller.appspotmail.com

Tested on:

commit:         adc21867 Linux 6.12
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1189bb5f980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=e31661728c1a4027
dashboard link: https://syzkaller.appspot.com/bug?extid=7534f060ebda6b8b51b3
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=12086ac0580000

Note: testing is done by a robot and is best-effort only.

^ permalink raw reply	[flat|nested] 23+ messages in thread

* Re: [syzbot] Re: [syzbot] [acpi?] [nvdimm?] KASAN: vmalloc-out-of-bounds Read in acpi_nfit_ctl (2)
  2024-11-05 15:28 [syzbot] [acpi?] [nvdimm?] KASAN: vmalloc-out-of-bounds Read in acpi_nfit_ctl (2) syzbot
                   ` (9 preceding siblings ...)
  2024-11-18 13:21 ` syzbot
@ 2024-11-18 16:01 ` syzbot
  10 siblings, 0 replies; 23+ messages in thread
From: syzbot @ 2024-11-18 16:01 UTC (permalink / raw)
  To: linux-kernel, syzkaller-bugs

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: Re: [syzbot] [acpi?] [nvdimm?] KASAN: vmalloc-out-of-bounds Read in acpi_nfit_ctl (2)
Author: surajsonawane0215@gmail.com

#syz test

On Tue, Nov 5, 2024 at 8:58 PM syzbot <
syzbot+7534f060ebda6b8b51b3@syzkaller.appspotmail.com> wrote:

^ permalink raw reply	[flat|nested] 23+ messages in thread

* Re: [syzbot] [acpi?] [nvdimm?] KASAN: vmalloc-out-of-bounds Read in acpi_nfit_ctl (2)
       [not found] <CAHiZj8g8JxdvFOTfkyi6nzHVfirswrdVkrmOPOCFPpqSf_rRqg@mail.gmail.com>
@ 2024-11-18 16:22 ` syzbot
  0 siblings, 0 replies; 23+ messages in thread
From: syzbot @ 2024-11-18 16:22 UTC (permalink / raw)
  To: linux-kernel, surajsonawane0215, syzkaller-bugs

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+7534f060ebda6b8b51b3@syzkaller.appspotmail.com
Tested-by: syzbot+7534f060ebda6b8b51b3@syzkaller.appspotmail.com

Tested on:

commit:         adc21867 Linux 6.12
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14664930580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=e31661728c1a4027
dashboard link: https://syzkaller.appspot.com/bug?extid=7534f060ebda6b8b51b3
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=10e16ac0580000

Note: testing is done by a robot and is best-effort only.

^ permalink raw reply	[flat|nested] 23+ messages in thread

end of thread, other threads:[~2024-11-18 16:22 UTC | newest]

Thread overview: 23+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-11-05 15:28 [syzbot] [acpi?] [nvdimm?] KASAN: vmalloc-out-of-bounds Read in acpi_nfit_ctl (2) syzbot
2024-11-06 14:50 ` Jeongjun Park
2024-11-06 15:06   ` syzbot
2024-11-07  7:41 ` [syzbot] " syzbot
2024-11-07 19:56 ` syzbot
2024-11-08 14:59 ` syzbot
2024-11-10 10:34 ` Suraj Sonawane
2024-11-10 10:55   ` syzbot
2024-11-13 12:07 ` Suraj Sonawane
2024-11-13 12:27   ` syzbot
2024-11-15 15:26 ` [syzbot] " syzbot
2024-11-16 10:17 ` Suraj Sonawane
2024-11-16 10:38   ` syzbot
2024-11-18 12:30 ` [syzbot] " syzbot
2024-11-18 13:21 ` syzbot
2024-11-18 16:01 ` syzbot
     [not found] <CAHiZj8jdL5H9fBK5aA-VpNmEPkf7iatuBh5u2fby__t8nekTtg@mail.gmail.com>
2024-11-07  7:56 ` syzbot
     [not found] <CAHiZj8jxeKnsZca8PGgoYvU4cH+gRveNkqjVguA3WX+V_eOtaQ@mail.gmail.com>
2024-11-07 20:18 ` syzbot
     [not found] <CAHiZj8innKODZYdJr0mV8CJrR_vk8VKw7Gf+wkoUYCp2Mq=v2g@mail.gmail.com>
2024-11-08 15:19 ` syzbot
     [not found] <CAHiZj8g60jN3tbjaGDc4r8vYe0s5zmvxx74Ni3vEv8TKjYXB5g@mail.gmail.com>
2024-11-15 15:46 ` syzbot
     [not found] <CAHiZj8gNs-FFFQ0E1Zyxq7wa=CrHVfbaXeNE8yYi9eZVakGk8A@mail.gmail.com>
2024-11-18 12:45 ` syzbot
     [not found] <CAHiZj8im=xETmWAt7yi7X3KwwLy4Ad+i6Yk7NwWqJMfJR_kd-A@mail.gmail.com>
2024-11-18 13:41 ` syzbot
     [not found] <CAHiZj8g8JxdvFOTfkyi6nzHVfirswrdVkrmOPOCFPpqSf_rRqg@mail.gmail.com>
2024-11-18 16:22 ` syzbot

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox