public inbox for linux-kernel@vger.kernel.org
From: syzbot <syzbot+d1b7fa1092def3628bd7@syzkaller.appspotmail.com>
To: linux-kernel@vger.kernel.org, listout@listout.xyz,
	 syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [bpf?] KASAN: stack-out-of-bounds Write in __bpf_get_stack
Date: Mon, 10 Nov 2025 11:50:03 -0800
Message-ID: <691241eb.a70a0220.22f260.0107.GAE@google.com>
In-Reply-To: <6fyxpa6cocnr4hbpmzrwel4t2huouz5p4ul6qawttjzlgmuysn@hcleklvgi464>

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
invalid opcode in error_return

Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
CPU: 0 UID: 0 PID: 6994 Comm: syz.1.247 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
RIP: 0010:error_return+0xa/0x20 arch/x86/entry/entry_64.S:1091
Code: cc cc cc cc cc cc cc cc cc cc cc cc 48 8d 7c 24 08 e8 5a 4c 46 0a 48 89 c7 e9 12 4c 46 0a 90 90 50 9c 58 a9 00 02 00 00 74 02 <0f> 0b 58 f6 84 24 88 00 00 00 03 0f 84 31 fc ff ff e9 60 fb ff ff
RSP: 0018:ffffc90000007a78 EFLAGS: 00010206
RAX: 0000000000000286 RBX: 1ffff1100f9266d4 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffc90000007a70
RBP: ffffffff8b46984e R08: ffffc90000007a6f R09: 0000000000000000
R10: ffffc90000007a68 R11: fffff52000000f4e R12: ffffc9000c2c3048
R13: ffffc90000007b00 R14: ffff88807c9336a0 R15: ffffc9000c2c3060
FS:  00007f9d4ee566c0(0000) GS:ffff88812613b000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000100000000 CR3: 00000000726c6000 CR4: 00000000003526f0
Call Trace:
 <IRQ>
RIP: 3100:rcu_lock_release include/linux/rcupdate.h:341 [inline]
RIP: 3100:rcu_do_batch kernel/rcu/tree.c:2607 [inline]
RIP: 3100:rcu_core+0xcab/0x1770 kernel/rcu/tree.c:2861
Code: 00 00 00 00 fc ff df 41 80 3c 06 00 74 08 4c 89 ff e8 59 1d 7e 00 48 c7 43 08 00 00 00 00 48 89 df 4d 89 e3 2e e8 4d 4e 58 1e <48> c7 c7 40 d7 f3 8d 4c 89 ee e8 b6 77 f5 ff 65 8b 05 7f 61 c6 10
RSP: f400:0000000000000000 EFLAGS: 404bee7c878af400
==================================================================
BUG: KASAN: stack-out-of-bounds in __show_regs+0x4e/0x620 arch/x86/kernel/process_64.c:79
Read of size 8 at addr ffffc90000007af8 by task syz.1.247/6994

CPU: 0 UID: 0 PID: 6994 Comm: syz.1.247 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
Call Trace:
 <IRQ>
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xca/0x240 mm/kasan/report.c:482
 kasan_report+0x118/0x150 mm/kasan/report.c:595
 __show_regs+0x4e/0x620 arch/x86/kernel/process_64.c:79
 show_regs_if_on_stack arch/x86/kernel/dumpstack.c:165 [inline]
 show_trace_log_lvl+0x31d/0x550 arch/x86/kernel/dumpstack.c:237
 show_regs arch/x86/kernel/dumpstack.c:470 [inline]
 __die_body+0xa6/0xb0 arch/x86/kernel/dumpstack.c:412
 die+0x2a/0x50 arch/x86/kernel/dumpstack.c:439
 do_trap_no_signal arch/x86/kernel/traps.c:206 [inline]
 do_trap+0x14a/0x3d0 arch/x86/kernel/traps.c:247
 do_error_trap+0x1c1/0x280 arch/x86/kernel/traps.c:267
 handle_invalid_op+0x34/0x40 arch/x86/kernel/traps.c:304
 exc_invalid_op+0x39/0x50 arch/x86/kernel/traps.c:397
 asm_exc_invalid_op+0x1a/0x20 arch/x86/include/asm/idtentry.h:616
RIP: 0010:error_return+0xa/0x20 arch/x86/entry/entry_64.S:1091
Code: cc cc cc cc cc cc cc cc cc cc cc cc 48 8d 7c 24 08 e8 5a 4c 46 0a 48 89 c7 e9 12 4c 46 0a 90 90 50 9c 58 a9 00 02 00 00 74 02 <0f> 0b 58 f6 84 24 88 00 00 00 03 0f 84 31 fc ff ff e9 60 fb ff ff
RSP: 0018:ffffc90000007a78 EFLAGS: 00010206
RAX: 0000000000000286 RBX: 1ffff1100f9266d4 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffc90000007a70
RBP: ffffffff8b46984e R08: ffffc90000007a6f R09: 0000000000000000
R10: ffffc90000007a68 R11: fffff52000000f4e R12: ffffc9000c2c3048
R13: ffffc90000007b00 R14: ffff88807c9336a0 R15: ffffc9000c2c3060
RIP: 3100:rcu_lock_release include/linux/rcupdate.h:341 [inline]
RIP: 3100:rcu_do_batch kernel/rcu/tree.c:2607 [inline]
RIP: 3100:rcu_core+0xcab/0x1770 kernel/rcu/tree.c:2861
Code: 00 00 00 00 fc ff df 41 80 3c 06 00 74 08 4c 89 ff e8 59 1d 7e 00 48 c7 43 08 00 00 00 00 48 89 df 4d 89 e3 2e e8 4d 4e 58 1e <48> c7 c7 40 d7 f3 8d 4c 89 ee e8 b6 77 f5 ff 65 8b 05 7f 61 c6 10
RSP: f400:0000000000000000 EFLAGS: 404bee7c878af400 ORIG_RAX: 0000000000000000
RAX: ffffffff81cbf590 RBX: ffffc9000c2c3040 RCX: 0000000000000000
RDX: 0000008000000008 RSI: 0000000000000000 RDI: ffffffff8df3d740
RBP: 0000000000000000 R08: ffffffff8d74996d R09: 0000000041b58ab3
R10: 1ffff92000000f58 R11: 1ffff92001858608 R12: ffffffff81cbf716
R13: ffff88807c932970 R14: ffff88807c9309f3 R15: ffffffff81ed3477
 </IRQ>
 <TASK>
 </TASK>

The buggy address belongs to a 0-page vmalloc region starting at 0xffffc90000000000 allocated at map_irq_stack arch/x86/kernel/irq_64.c:49 [inline]
The buggy address belongs to a 0-page vmalloc region starting at 0xffffc90000000000 allocated at irq_init_percpu_irqstack+0x342/0x4a0 arch/x86/kernel/irq_64.c:76
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xb8808
flags: 0xfff00000002000(reserved|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000002000 ffffea0002e20208 ffffea0002e20208 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner info is not present (never set?)

Memory state around the buggy address:
 ffffc90000007980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffc90000007a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffc90000007a80: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 f2 f2
                                                                ^
 ffffc90000007b00: 00 00 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
 ffffc90000007b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
----------------
Code disassembly (best guess), 6 bytes skipped:
   0:	df 41 80             	filds  -0x80(%rcx)
   3:	3c 06                	cmp    $0x6,%al
   5:	00 74 08 4c          	add    %dh,0x4c(%rax,%rcx,1)
   9:	89 ff                	mov    %edi,%edi
   b:	e8 59 1d 7e 00       	call   0x7e1d69
  10:	48 c7 43 08 00 00 00 	movq   $0x0,0x8(%rbx)
  17:	00
  18:	48 89 df             	mov    %rbx,%rdi
  1b:	4d 89 e3             	mov    %r12,%r11
  1e:	2e e8 4d 4e 58 1e    	cs call 0x1e584e71
* 24:	48 c7 c7 40 d7 f3 8d 	mov    $0xffffffff8df3d740,%rdi <-- trapping instruction
  2b:	4c 89 ee             	mov    %r13,%rsi
  2e:	e8 b6 77 f5 ff       	call   0xfff577e9
  33:	65 8b 05 7f 61 c6 10 	mov    %gs:0x10c6617f(%rip),%eax        # 0x10c661b9


Tested on:

commit:         f8c67d85 bpf: Use kmalloc_nolock() in range tree
git tree:       bpf-next
console output: https://syzkaller.appspot.com/x/log.txt?x=15ee6412580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=e46b8a1c645465a9
dashboard link: https://syzkaller.appspot.com/bug?extid=d1b7fa1092def3628bd7
compiler:       Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=13eaa60a580000

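The "Memory state around the buggy address" block in the report above is a KASAN shadow dump: each row names the memory address its first shadow byte covers and lists 16 shadow bytes, one per 8-byte granule. The following decoder is an added example, not part of the syzbot message or the kernel tree; it assumes the generic-KASAN poison values from mm/kasan/kasan.h and takes the dump rows quoted from this report as constructed input. The helper names (`parse_shadow_dump`, `check_access`, `analyze_report`) are illustrative. Running it confirms that the 8-byte read at ffffc90000007af8 lands on a granule poisoned 0xf2 (KASAN_STACK_MID), a redzone between stack locals, and that the check is applied granule by granule so that an access straddling an addressable granule and a poisoned one is still flagged.

```python
"""Decode the 'Memory state around the buggy address' block of a KASAN report.

Added example; not code from the syzbot report or the kernel. It applies the
generic-KASAN shadow encoding (one shadow byte per 8-byte granule, poison
values as defined in mm/kasan/kasan.h) to the rows quoted from this report,
to confirm what the faulting 8-byte read at ffffc90000007af8 actually hit."""
import re

GRANULE = 8  # bytes of memory covered by one shadow byte

# Poison values from mm/kasan/kasan.h (generic KASAN). 0x00 = whole granule
# addressable; 0x01..0x07 = only the first N bytes of the granule addressable.
POISON = {
    0xf1: "KASAN_STACK_LEFT (redzone before the first stack local)",
    0xf2: "KASAN_STACK_MID (redzone between stack locals)",
    0xf3: "KASAN_STACK_RIGHT (redzone after the last stack local)",
    0xf4: "KASAN_STACK_PARTIAL (partial stack redzone)",
    0xf8: "KASAN_VMALLOC_INVALID (inaccessible vmap space)",
    0xf9: "KASAN_GLOBAL_REDZONE (redzone around a global)",
    0xfb: "KASAN_SLAB_FREE (freed slab object)",
    0xfc: "KASAN_SLAB_REDZONE (redzone around a slab object)",
    0xfe: "KASAN_PAGE_REDZONE (redzone around a large kmalloc)",
    0xff: "KASAN_PAGE_FREE (freed page)",
}

# Constructed input: the rows quoted from the report above. The '>' marks the
# row holding the bad address; the '^' row is a marker, not data. Each row
# gives the memory address of its first granule and 16 shadow bytes (128 bytes).
REPORT_DUMP = """\
 ffffc90000007980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffc90000007a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffc90000007a80: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 f2 f2
                                                                ^
 ffffc90000007b00: 00 00 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
 ffffc90000007b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
"""

ROW_RE = re.compile(r"^[> ]?([0-9a-f]{16}):((?:\s+[0-9a-f]{2}){16})\s*$")


def parse_shadow_dump(text):
    """Return {granule_base_address: shadow_byte} for every data row in the dump."""
    shadow = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # marker row or other non-data text
        base = int(m.group(1), 16)
        for i, tok in enumerate(m.group(2).split()):
            shadow[base + i * GRANULE] = int(tok, 16)
    return shadow


def describe_shadow(value):
    if value == 0:
        return "addressable"
    if 0 < value < GRANULE:
        return f"partially addressable (first {value} bytes only)"
    return POISON.get(value, f"unknown poison 0x{value:02x}")


def check_access(shadow, addr, size):
    """Check an access of `size` bytes at `addr` granule by granule, the way
    KASAN does: returns (is_bad, [(granule, shadow_value, description), ...])."""
    is_bad = False
    details = []
    first = addr & ~(GRANULE - 1)
    last = (addr + size - 1) & ~(GRANULE - 1)
    for g in range(first, last + 1, GRANULE):
        v = shadow[g]  # KeyError if the dump does not cover this granule
        end = min(addr + size, g + GRANULE) - g  # one past the last byte touched in g
        if v == 0:
            ok = True
        elif 0 < v < GRANULE:
            ok = end <= v  # partial granule: the access must stay within the N bytes
        else:
            ok = False  # poisoned granule
        is_bad = is_bad or not ok
        details.append((g, v, describe_shadow(v)))
    return is_bad, details


def analyze_report(dump=REPORT_DUMP, addr=0xffffc90000007af8, size=8):
    """Classify the access named in the report header ('Read of size 8 at addr ...')."""
    return check_access(parse_shadow_dump(dump), addr, size)


if __name__ == "__main__":
    bad, details = analyze_report()
    for g, v, desc in details:
        print(f"0x{g:x}: shadow 0x{v:02x} -> {desc}")
    print("bad access" if bad else "access OK")
```

The row address arithmetic is the only thing to get right here: rows are 0x80 apart because 16 shadow bytes cover 128 bytes, so the granule at ffffc90000007af8 is the sixteenth byte of the `>` row, which is exactly where the report's `^` marker points. A 0xf2 byte on a vmalloc'd range that the report attributes to map_irq_stack means the fault is a read into a redzone of a frame on the per-CPU IRQ stack, consistent with the __show_regs frame in the trace walking a pt_regs that sits past the end of a live frame.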

Thread overview: 8+ messages
     [not found] <6fyxpa6cocnr4hbpmzrwel4t2huouz5p4ul6qawttjzlgmuysn@hcleklvgi464>
2025-11-10 19:50 ` syzbot [this message]
2026-01-04 18:30 #syz test Arnaud Lecomte
2026-01-04 20:43 ` [syzbot] [bpf?] KASAN: stack-out-of-bounds Write in __bpf_get_stack syzbot
  -- strict thread matches above, loose matches on Subject: below --
2026-01-04 18:29 #syz test Arnaud Lecomte
2026-01-04 20:09 ` [syzbot] [bpf?] KASAN: stack-out-of-bounds Write in __bpf_get_stack syzbot
     [not found] <nytg5vjyof6he3v46kqhhyqochwgpk7bjx2topppykhqmw6kds@pin7crrdgg2i>
2025-11-11  2:28 ` syzbot
     [not found] <xgynmmyztqi2kkzhchyzgzd2clszohjy4vinzb2ij4qyvdz4mc@36tdk5l7bq5s>
2025-11-11  0:22 ` syzbot
     [not found] <iattottzq4koautrgwq74vaxrohcqpfcxarygoyroaimoorggg@g6lxrp34lajg>
2025-11-10 21:34 ` syzbot
     [not found] <ckkn76mbmurstoxlhjfnrwjht2hydo3daius5kc42j6s3nsc2o@d4ftoisfyii5>
2025-11-10 19:33 ` syzbot
2025-11-10 18:41 syzbot
