[syzbot] [fuse?] [block?] KASAN: slab-use-after-free Read in disk_add_events

[syzbot] [fuse?] [block?] KASAN: slab-use-after-free Read in disk_add_events

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    ced1b9e0392d Merge tag 'ata-6.17-rc1' of git://git.kernel...
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=133b8cf0580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=52c12ce9080f644c
dashboard link: https://syzkaller.appspot.com/bug?extid=fa3a12519f0d3fd4ec16
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=154b31bc580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=171a9782580000

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/d900f083ada3/non_bootable_disk-ced1b9e0.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/c709b0d9538c/vmlinux-ced1b9e0.xz
kernel image: https://storage.googleapis.com/syzbot-assets/129af0799fa3/bzImage-ced1b9e0.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+fa3a12519f0d3fd4ec16@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: slab-use-after-free in __list_add_valid_or_report+0x151/0x190 lib/list_debug.c:32
Read of size 8 at addr ffff888036fa1400 by task syz.2.1231/9834

CPU: 3 UID: 0 PID: 9834 Comm: syz.2.1231 Not tainted 6.16.0-syzkaller-00857-gced1b9e0392d #0 PREEMPT(full) 
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xcd/0x630 mm/kasan/report.c:482
 kasan_report+0xe0/0x110 mm/kasan/report.c:595
 __list_add_valid_or_report+0x151/0x190 lib/list_debug.c:32
 __list_add_valid include/linux/list.h:88 [inline]
 __list_add include/linux/list.h:150 [inline]
 list_add_tail include/linux/list.h:183 [inline]
 disk_add_events+0x90/0x170 block/disk-events.c:463
 add_disk_final block/genhd.c:427 [inline]
 add_disk_fwnode+0x3c8/0x5d0 block/genhd.c:610
 add_disk include/linux/blkdev.h:773 [inline]
 md_alloc+0x3c2/0x1080 drivers/md/md.c:5981
 md_alloc_and_put drivers/md/md.c:6016 [inline]
 md_probe drivers/md/md.c:6029 [inline]
 md_probe+0x6e/0xd0 drivers/md/md.c:6024
 blk_probe_dev+0x116/0x1a0 block/genhd.c:884
 blk_request_module+0x16/0xb0 block/genhd.c:897
 blkdev_get_no_open+0x9b/0x100 block/bdev.c:825
 blkdev_open+0x141/0x3f0 block/fops.c:684
 do_dentry_open+0x744/0x1c10 fs/open.c:965
 vfs_open+0x82/0x3f0 fs/open.c:1095
 do_open fs/namei.c:3887 [inline]
 path_openat+0x1de4/0x2cb0 fs/namei.c:4046
 do_filp_open+0x20b/0x470 fs/namei.c:4073
 do_sys_openat2+0x11b/0x1d0 fs/open.c:1435
 do_sys_open fs/open.c:1450 [inline]
 __do_sys_openat fs/open.c:1466 [inline]
 __se_sys_openat fs/open.c:1461 [inline]
 __x64_sys_openat+0x174/0x210 fs/open.c:1461
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f4ea558e9a9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f4ea645e038 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007f4ea57b6080 RCX: 00007f4ea558e9a9
RDX: 0000000000000000 RSI: 0000200000000a80 RDI: ffffffffffffff9c
RBP: 00007f4ea5610d69 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f4ea57b6080 R15: 00007fff25d53038
 </TASK>

Allocated by task 9822:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
 __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394
 kmalloc_noprof include/linux/slab.h:905 [inline]
 kzalloc_noprof include/linux/slab.h:1039 [inline]
 disk_alloc_events+0xf0/0x3f0 block/disk-events.c:439
 __add_disk+0x475/0xf00 block/genhd.c:500
 add_disk_fwnode+0x3f8/0x5d0 block/genhd.c:601
 add_disk include/linux/blkdev.h:773 [inline]
 md_alloc+0x3c2/0x1080 drivers/md/md.c:5981
 md_alloc_and_put drivers/md/md.c:6016 [inline]
 md_probe drivers/md/md.c:6029 [inline]
 md_probe+0x6e/0xd0 drivers/md/md.c:6024
 blk_probe_dev+0x116/0x1a0 block/genhd.c:884
 blk_request_module+0x16/0xb0 block/genhd.c:897
 blkdev_get_no_open+0x9b/0x100 block/bdev.c:825
 blkdev_open+0x141/0x3f0 block/fops.c:684
 do_dentry_open+0x744/0x1c10 fs/open.c:965
 vfs_open+0x82/0x3f0 fs/open.c:1095
 do_open fs/namei.c:3887 [inline]
 path_openat+0x1de4/0x2cb0 fs/namei.c:4046
 do_filp_open+0x20b/0x470 fs/namei.c:4073
 do_sys_openat2+0x11b/0x1d0 fs/open.c:1435
 do_sys_open fs/open.c:1450 [inline]
 __do_sys_openat fs/open.c:1466 [inline]
 __se_sys_openat fs/open.c:1461 [inline]
 __x64_sys_openat+0x174/0x210 fs/open.c:1461
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 9817:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:576
 poison_slab_object mm/kasan/common.c:247 [inline]
 __kasan_slab_free+0x51/0x70 mm/kasan/common.c:264
 kasan_slab_free include/linux/kasan.h:233 [inline]
 slab_free_hook mm/slub.c:2381 [inline]
 slab_free mm/slub.c:4643 [inline]
 kfree+0x2b4/0x4d0 mm/slub.c:4842
 disk_release+0x161/0x410 block/genhd.c:1301
 device_release+0xa1/0x240 drivers/base/core.c:2568
 kobject_cleanup lib/kobject.c:689 [inline]
 kobject_release lib/kobject.c:720 [inline]
 kref_put include/linux/kref.h:65 [inline]
 kobject_put+0x1e7/0x5a0 lib/kobject.c:737
 put_device+0x1f/0x30 drivers/base/core.c:3800
 blkdev_release+0x15/0x20 block/fops.c:699
 __fput+0x402/0xb70 fs/file_table.c:468
 task_work_run+0x14d/0x240 kernel/task_work.c:227
 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
 exit_to_user_mode_loop+0xeb/0x110 kernel/entry/common.c:114
 exit_to_user_mode_prepare include/linux/entry-common.h:330 [inline]
 syscall_exit_to_user_mode_work include/linux/entry-common.h:414 [inline]
 syscall_exit_to_user_mode include/linux/entry-common.h:449 [inline]
 do_syscall_64+0x3f6/0x4c0 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff888036fa1400
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 0 bytes inside of
 freed 512-byte region [ffff888036fa1400, ffff888036fa1600)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x36fa0
head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88801b842c80 dead000000000100 dead000000000122
raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
head: 00fff00000000040 ffff88801b842c80 dead000000000100 dead000000000122
head: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
head: 00fff00000000002 ffffea0000dbe801 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 2, tgid 2 (kthreadd), ts 71482349709, free_ts 68765218476
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x1c0/0x230 mm/page_alloc.c:1704
 prep_new_page mm/page_alloc.c:1712 [inline]
 get_page_from_freelist+0x1321/0x3890 mm/page_alloc.c:3669
 __alloc_frozen_pages_noprof+0x261/0x23f0 mm/page_alloc.c:4959
 alloc_pages_mpol+0x1fb/0x550 mm/mempolicy.c:2419
 alloc_slab_page mm/slub.c:2451 [inline]
 allocate_slab mm/slub.c:2619 [inline]
 new_slab+0x23b/0x330 mm/slub.c:2673
 ___slab_alloc+0xd9c/0x1940 mm/slub.c:3859
 __slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3949
 __slab_alloc_node mm/slub.c:4024 [inline]
 slab_alloc_node mm/slub.c:4185 [inline]
 __kmalloc_cache_noprof+0xfb/0x3e0 mm/slub.c:4354
 kmalloc_noprof include/linux/slab.h:905 [inline]
 kzalloc_noprof include/linux/slab.h:1039 [inline]
 set_kthread_struct+0xcb/0x380 kernel/kthread.c:126
 copy_process+0x3107/0x7650 kernel/fork.c:2097
 kernel_clone+0xfc/0x960 kernel/fork.c:2599
 kernel_thread+0xd4/0x120 kernel/fork.c:2661
 create_kthread kernel/kthread.c:487 [inline]
 kthreadd+0x503/0x800 kernel/kthread.c:847
 ret_from_fork+0x5d4/0x6f0 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
page last free pid 6016 tgid 6016 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1248 [inline]
 __free_frozen_pages+0x7fe/0x1180 mm/page_alloc.c:2706
 vfree+0x1fd/0xb50 mm/vmalloc.c:3434
 kcov_put kernel/kcov.c:439 [inline]
 kcov_put kernel/kcov.c:435 [inline]
 kcov_close+0x34/0x60 kernel/kcov.c:535
 __fput+0x402/0xb70 fs/file_table.c:468
 task_work_run+0x14d/0x240 kernel/task_work.c:227
 exit_task_work include/linux/task_work.h:40 [inline]
 do_exit+0x86c/0x2bd0 kernel/exit.c:964
 do_group_exit+0xd3/0x2a0 kernel/exit.c:1105
 get_signal+0x2673/0x26d0 kernel/signal.c:3034
 arch_do_signal_or_restart+0x8f/0x7d0 arch/x86/kernel/signal.c:337
 exit_to_user_mode_loop+0x84/0x110 kernel/entry/common.c:111
 exit_to_user_mode_prepare include/linux/entry-common.h:330 [inline]
 syscall_exit_to_user_mode_work include/linux/entry-common.h:414 [inline]
 syscall_exit_to_user_mode include/linux/entry-common.h:449 [inline]
 do_syscall_64+0x3f6/0x4c0 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff888036fa1300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888036fa1380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888036fa1400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff888036fa1480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888036fa1500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

syztest

[Arnaud Lecomte]

#syz test

--- a/drivers/md/md.c
+++ b/drivers/md/md.c
@@ -5978,10 +5978,6 @@ struct mddev *md_alloc(dev_t dev, char *name)
 
 	disk->events |= DISK_EVENT_MEDIA_CHANGE;
 	mddev->gendisk = disk;
-	error = add_disk(disk);
-	if (error)
-		goto out_put_disk;
-
 	kobject_init(&mddev->kobj, &md_ktype);
 	error = kobject_add(&mddev->kobj, &disk_to_dev(disk)->kobj, "%s", "md");
 	if (error) {
@@ -5999,6 +5995,9 @@ struct mddev *md_alloc(dev_t dev, char *name)
 	kobject_uevent(&mddev->kobj, KOBJ_ADD);
 	mddev->sysfs_state = sysfs_get_dirent_safe(mddev->kobj.sd, "array_state");
 	mddev->sysfs_level = sysfs_get_dirent_safe(mddev->kobj.sd, "level");
+	error = add_disk(disk);
+	if (error)
+		goto out_put_disk;
 	mutex_unlock(&disks_mutex);
 	return mddev;
 
-- 
2.43.0

Re: syztest

[Yu Kuai]

Hi,

在 2025/07/30 13:51, Arnaud Lecomte 写道:
> #syz test
> 
> --- a/drivers/md/md.c
> +++ b/drivers/md/md.c
> @@ -5978,10 +5978,6 @@ struct mddev *md_alloc(dev_t dev, char *name)
>   
>   	disk->events |= DISK_EVENT_MEDIA_CHANGE;
>   	mddev->gendisk = disk;
> -	error = add_disk(disk);
> -	if (error)
> -		goto out_put_disk;
> -
>   	kobject_init(&mddev->kobj, &md_ktype);
>   	error = kobject_add(&mddev->kobj, &disk_to_dev(disk)->kobj, "%s", "md");

This is wrong, you can't add mddev >kobj under the disk without
kobject_add for the disk kobj.

Thanks,
Kuai

>   	if (error) {
> @@ -5999,6 +5995,9 @@ struct mddev *md_alloc(dev_t dev, char *name)
>   	kobject_uevent(&mddev->kobj, KOBJ_ADD);
>   	mddev->sysfs_state = sysfs_get_dirent_safe(mddev->kobj.sd, "array_state");
>   	mddev->sysfs_level = sysfs_get_dirent_safe(mddev->kobj.sd, "level");
> +	error = add_disk(disk);
> +	if (error)
> +		goto out_put_disk;
>   	mutex_unlock(&disks_mutex);
>   	return mddev;
>   
> 

Re: syztest

[Arnaud Lecomte]

On 30/07/2025 07:09, Yu Kuai wrote:
> Hi,
>
> 在 2025/07/30 13:51, Arnaud Lecomte 写道:
>> #syz test
>>
>> --- a/drivers/md/md.c
>> +++ b/drivers/md/md.c
>> @@ -5978,10 +5978,6 @@ struct mddev *md_alloc(dev_t dev, char *name)
>>         disk->events |= DISK_EVENT_MEDIA_CHANGE;
>>       mddev->gendisk = disk;
>> -    error = add_disk(disk);
>> -    if (error)
>> -        goto out_put_disk;
>> -
>>       kobject_init(&mddev->kobj, &md_ktype);
>>       error = kobject_add(&mddev->kobj, &disk_to_dev(disk)->kobj, 
>> "%s", "md");
>
> This is wrong, you can't add mddev >kobj under the disk without
> kobject_add for the disk kobj.
>
Will dive a bit more into that after work,
Thanks

> Thanks,
> Kuai
>
>>       if (error) {
>> @@ -5999,6 +5995,9 @@ struct mddev *md_alloc(dev_t dev, char *name)
>>       kobject_uevent(&mddev->kobj, KOBJ_ADD);
>>       mddev->sysfs_state = sysfs_get_dirent_safe(mddev->kobj.sd, 
>> "array_state");
>>       mddev->sysfs_level = sysfs_get_dirent_safe(mddev->kobj.sd, 
>> "level");
>> +    error = add_disk(disk);
>> +    if (error)
>> +        goto out_put_disk;
>>       mutex_unlock(&disks_mutex);
>>       return mddev;
>>
>

Re: [syzbot] [fuse?] [block?] KASAN: slab-use-after-free Read in disk_add_events

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+fa3a12519f0d3fd4ec16@syzkaller.appspotmail.com
Tested-by: syzbot+fa3a12519f0d3fd4ec16@syzkaller.appspotmail.com

Tested on:

commit:         4b290aae Merge tag 'sysctl-6.17-rc1' of git://git.kern..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10908834580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=295b41325f4e1bab
dashboard link: https://syzkaller.appspot.com/bug?extid=fa3a12519f0d3fd4ec16
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=15ac34a2580000

Note: testing is done by a robot and is best-effort only.

Re: [syzbot] [fuse?] [block?] KASAN: slab-use-after-free Read in disk_add_events

[Yu Kuai]

+CC Xiao

在 2025/07/30 5:58, syzbot 写道:
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    ced1b9e0392d Merge tag 'ata-6.17-rc1' of git://git.kernel...
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=133b8cf0580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=52c12ce9080f644c
> dashboard link: https://syzkaller.appspot.com/bug?extid=fa3a12519f0d3fd4ec16
> compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=154b31bc580000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=171a9782580000
> 

This looks like the same cause with another report:

https://lore.kernel.org/all/68894408.a00a0220.26d0e1.0012.GAE@google.com/

The mddev kobject liftime is broken, now in the case del_work is queued,
means mddev is about to be freed, meanwhile md_open can succeed.

Thanks,
Kuai

> Downloadable assets:
> disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/d900f083ada3/non_bootable_disk-ced1b9e0.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/c709b0d9538c/vmlinux-ced1b9e0.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/129af0799fa3/bzImage-ced1b9e0.xz
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+fa3a12519f0d3fd4ec16@syzkaller.appspotmail.com
> 
> ==================================================================
> BUG: KASAN: slab-use-after-free in __list_add_valid_or_report+0x151/0x190 lib/list_debug.c:32
> Read of size 8 at addr ffff888036fa1400 by task syz.2.1231/9834
> 
> CPU: 3 UID: 0 PID: 9834 Comm: syz.2.1231 Not tainted 6.16.0-syzkaller-00857-gced1b9e0392d #0 PREEMPT(full)
> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
> Call Trace:
>   <TASK>
>   __dump_stack lib/dump_stack.c:94 [inline]
>   dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
>   print_address_description mm/kasan/report.c:378 [inline]
>   print_report+0xcd/0x630 mm/kasan/report.c:482
>   kasan_report+0xe0/0x110 mm/kasan/report.c:595
>   __list_add_valid_or_report+0x151/0x190 lib/list_debug.c:32
>   __list_add_valid include/linux/list.h:88 [inline]
>   __list_add include/linux/list.h:150 [inline]
>   list_add_tail include/linux/list.h:183 [inline]
>   disk_add_events+0x90/0x170 block/disk-events.c:463
>   add_disk_final block/genhd.c:427 [inline]
>   add_disk_fwnode+0x3c8/0x5d0 block/genhd.c:610
>   add_disk include/linux/blkdev.h:773 [inline]
>   md_alloc+0x3c2/0x1080 drivers/md/md.c:5981
>   md_alloc_and_put drivers/md/md.c:6016 [inline]
>   md_probe drivers/md/md.c:6029 [inline]
>   md_probe+0x6e/0xd0 drivers/md/md.c:6024
>   blk_probe_dev+0x116/0x1a0 block/genhd.c:884
>   blk_request_module+0x16/0xb0 block/genhd.c:897
>   blkdev_get_no_open+0x9b/0x100 block/bdev.c:825
>   blkdev_open+0x141/0x3f0 block/fops.c:684
>   do_dentry_open+0x744/0x1c10 fs/open.c:965
>   vfs_open+0x82/0x3f0 fs/open.c:1095
>   do_open fs/namei.c:3887 [inline]
>   path_openat+0x1de4/0x2cb0 fs/namei.c:4046
>   do_filp_open+0x20b/0x470 fs/namei.c:4073
>   do_sys_openat2+0x11b/0x1d0 fs/open.c:1435
>   do_sys_open fs/open.c:1450 [inline]
>   __do_sys_openat fs/open.c:1466 [inline]
>   __se_sys_openat fs/open.c:1461 [inline]
>   __x64_sys_openat+0x174/0x210 fs/open.c:1461
>   do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
>   do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94
>   entry_SYSCALL_64_after_hwframe+0x77/0x7f
> RIP: 0033:0x7f4ea558e9a9
> Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007f4ea645e038 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
> RAX: ffffffffffffffda RBX: 00007f4ea57b6080 RCX: 00007f4ea558e9a9
> RDX: 0000000000000000 RSI: 0000200000000a80 RDI: ffffffffffffff9c
> RBP: 00007f4ea5610d69 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000000
> R13: 0000000000000000 R14: 00007f4ea57b6080 R15: 00007fff25d53038
>   </TASK>
> 
> Allocated by task 9822:
>   kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
>   kasan_save_track+0x14/0x30 mm/kasan/common.c:68
>   poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
>   __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394
>   kmalloc_noprof include/linux/slab.h:905 [inline]
>   kzalloc_noprof include/linux/slab.h:1039 [inline]
>   disk_alloc_events+0xf0/0x3f0 block/disk-events.c:439
>   __add_disk+0x475/0xf00 block/genhd.c:500
>   add_disk_fwnode+0x3f8/0x5d0 block/genhd.c:601
>   add_disk include/linux/blkdev.h:773 [inline]
>   md_alloc+0x3c2/0x1080 drivers/md/md.c:5981
>   md_alloc_and_put drivers/md/md.c:6016 [inline]
>   md_probe drivers/md/md.c:6029 [inline]
>   md_probe+0x6e/0xd0 drivers/md/md.c:6024
>   blk_probe_dev+0x116/0x1a0 block/genhd.c:884
>   blk_request_module+0x16/0xb0 block/genhd.c:897
>   blkdev_get_no_open+0x9b/0x100 block/bdev.c:825
>   blkdev_open+0x141/0x3f0 block/fops.c:684
>   do_dentry_open+0x744/0x1c10 fs/open.c:965
>   vfs_open+0x82/0x3f0 fs/open.c:1095
>   do_open fs/namei.c:3887 [inline]
>   path_openat+0x1de4/0x2cb0 fs/namei.c:4046
>   do_filp_open+0x20b/0x470 fs/namei.c:4073
>   do_sys_openat2+0x11b/0x1d0 fs/open.c:1435
>   do_sys_open fs/open.c:1450 [inline]
>   __do_sys_openat fs/open.c:1466 [inline]
>   __se_sys_openat fs/open.c:1461 [inline]
>   __x64_sys_openat+0x174/0x210 fs/open.c:1461
>   do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
>   do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94
>   entry_SYSCALL_64_after_hwframe+0x77/0x7f
> 
> Freed by task 9817:
>   kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
>   kasan_save_track+0x14/0x30 mm/kasan/common.c:68
>   kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:576
>   poison_slab_object mm/kasan/common.c:247 [inline]
>   __kasan_slab_free+0x51/0x70 mm/kasan/common.c:264
>   kasan_slab_free include/linux/kasan.h:233 [inline]
>   slab_free_hook mm/slub.c:2381 [inline]
>   slab_free mm/slub.c:4643 [inline]
>   kfree+0x2b4/0x4d0 mm/slub.c:4842
>   disk_release+0x161/0x410 block/genhd.c:1301
>   device_release+0xa1/0x240 drivers/base/core.c:2568
>   kobject_cleanup lib/kobject.c:689 [inline]
>   kobject_release lib/kobject.c:720 [inline]
>   kref_put include/linux/kref.h:65 [inline]
>   kobject_put+0x1e7/0x5a0 lib/kobject.c:737
>   put_device+0x1f/0x30 drivers/base/core.c:3800
>   blkdev_release+0x15/0x20 block/fops.c:699
>   __fput+0x402/0xb70 fs/file_table.c:468
>   task_work_run+0x14d/0x240 kernel/task_work.c:227
>   resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
>   exit_to_user_mode_loop+0xeb/0x110 kernel/entry/common.c:114
>   exit_to_user_mode_prepare include/linux/entry-common.h:330 [inline]
>   syscall_exit_to_user_mode_work include/linux/entry-common.h:414 [inline]
>   syscall_exit_to_user_mode include/linux/entry-common.h:449 [inline]
>   do_syscall_64+0x3f6/0x4c0 arch/x86/entry/syscall_64.c:100
>   entry_SYSCALL_64_after_hwframe+0x77/0x7f
> 
> The buggy address belongs to the object at ffff888036fa1400
>   which belongs to the cache kmalloc-512 of size 512
> The buggy address is located 0 bytes inside of
>   freed 512-byte region [ffff888036fa1400, ffff888036fa1600)
> 
> The buggy address belongs to the physical page:
> page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x36fa0
> head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
> flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
> page_type: f5(slab)
> raw: 00fff00000000040 ffff88801b842c80 dead000000000100 dead000000000122
> raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
> head: 00fff00000000040 ffff88801b842c80 dead000000000100 dead000000000122
> head: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
> head: 00fff00000000002 ffffea0000dbe801 00000000ffffffff 00000000ffffffff
> head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
> page dumped because: kasan: bad access detected
> page_owner tracks the page as allocated
> page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 2, tgid 2 (kthreadd), ts 71482349709, free_ts 68765218476
>   set_page_owner include/linux/page_owner.h:32 [inline]
>   post_alloc_hook+0x1c0/0x230 mm/page_alloc.c:1704
>   prep_new_page mm/page_alloc.c:1712 [inline]
>   get_page_from_freelist+0x1321/0x3890 mm/page_alloc.c:3669
>   __alloc_frozen_pages_noprof+0x261/0x23f0 mm/page_alloc.c:4959
>   alloc_pages_mpol+0x1fb/0x550 mm/mempolicy.c:2419
>   alloc_slab_page mm/slub.c:2451 [inline]
>   allocate_slab mm/slub.c:2619 [inline]
>   new_slab+0x23b/0x330 mm/slub.c:2673
>   ___slab_alloc+0xd9c/0x1940 mm/slub.c:3859
>   __slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3949
>   __slab_alloc_node mm/slub.c:4024 [inline]
>   slab_alloc_node mm/slub.c:4185 [inline]
>   __kmalloc_cache_noprof+0xfb/0x3e0 mm/slub.c:4354
>   kmalloc_noprof include/linux/slab.h:905 [inline]
>   kzalloc_noprof include/linux/slab.h:1039 [inline]
>   set_kthread_struct+0xcb/0x380 kernel/kthread.c:126
>   copy_process+0x3107/0x7650 kernel/fork.c:2097
>   kernel_clone+0xfc/0x960 kernel/fork.c:2599
>   kernel_thread+0xd4/0x120 kernel/fork.c:2661
>   create_kthread kernel/kthread.c:487 [inline]
>   kthreadd+0x503/0x800 kernel/kthread.c:847
>   ret_from_fork+0x5d4/0x6f0 arch/x86/kernel/process.c:148
>   ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
> page last free pid 6016 tgid 6016 stack trace:
>   reset_page_owner include/linux/page_owner.h:25 [inline]
>   free_pages_prepare mm/page_alloc.c:1248 [inline]
>   __free_frozen_pages+0x7fe/0x1180 mm/page_alloc.c:2706
>   vfree+0x1fd/0xb50 mm/vmalloc.c:3434
>   kcov_put kernel/kcov.c:439 [inline]
>   kcov_put kernel/kcov.c:435 [inline]
>   kcov_close+0x34/0x60 kernel/kcov.c:535
>   __fput+0x402/0xb70 fs/file_table.c:468
>   task_work_run+0x14d/0x240 kernel/task_work.c:227
>   exit_task_work include/linux/task_work.h:40 [inline]
>   do_exit+0x86c/0x2bd0 kernel/exit.c:964
>   do_group_exit+0xd3/0x2a0 kernel/exit.c:1105
>   get_signal+0x2673/0x26d0 kernel/signal.c:3034
>   arch_do_signal_or_restart+0x8f/0x7d0 arch/x86/kernel/signal.c:337
>   exit_to_user_mode_loop+0x84/0x110 kernel/entry/common.c:111
>   exit_to_user_mode_prepare include/linux/entry-common.h:330 [inline]
>   syscall_exit_to_user_mode_work include/linux/entry-common.h:414 [inline]
>   syscall_exit_to_user_mode include/linux/entry-common.h:449 [inline]
>   do_syscall_64+0x3f6/0x4c0 arch/x86/entry/syscall_64.c:100
>   entry_SYSCALL_64_after_hwframe+0x77/0x7f
> 
> Memory state around the buggy address:
>   ffff888036fa1300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>   ffff888036fa1380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>> ffff888036fa1400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>                     ^
>   ffff888036fa1480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>   ffff888036fa1500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ==================================================================
> 
> 
> ---
> This report is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
> 
> syzbot will keep track of this issue. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> 
> If the report is already addressed, let syzbot know by replying with:
> #syz fix: exact-commit-title
> 
> If you want syzbot to run the reproducer, reply with:
> #syz test: git://repo/address.git branch-or-commit-hash
> If you attach or paste a git patch, syzbot will apply it before testing.
> 
> If you want to overwrite report's subsystems, reply with:
> #syz set subsystems: new-subsystem
> (See the list of subsystem names on the web dashboard)
> 
> If the report is a duplicate of another one, reply with:
> #syz dup: exact-subject-of-another-report
> 
> If you want to undo deduplication, reply with:
> #syz undup
> 
> 
> .
> 

Re: [syzbot] [fuse?] [block?] KASAN: slab-use-after-free Read in disk_add_events

[Yu Kuai]

在 2025/07/30 14:14, Yu Kuai 写道:
> +CC Xiao

Forgot to CC in the last emial, sorry for the noisy.

Thanks,
Kuai

> 
> 在 2025/07/30 5:58, syzbot 写道:
>> Hello,
>>
>> syzbot found the following issue on:
>>
>> HEAD commit:    ced1b9e0392d Merge tag 'ata-6.17-rc1' of 
>> git://git.kernel...
>> git tree:       upstream
>> console output: https://syzkaller.appspot.com/x/log.txt?x=133b8cf0580000
>> kernel config:  
>> https://syzkaller.appspot.com/x/.config?x=52c12ce9080f644c
>> dashboard link: 
>> https://syzkaller.appspot.com/bug?extid=fa3a12519f0d3fd4ec16
>> compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils 
>> for Debian) 2.40
>> syz repro:      
>> https://syzkaller.appspot.com/x/repro.syz?x=154b31bc580000
>> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=171a9782580000
>>
> 
> This looks like the same cause with another report:
> 
> https://lore.kernel.org/all/68894408.a00a0220.26d0e1.0012.GAE@google.com/
> 
> The mddev kobject liftime is broken, now in the case del_work is queued,
> means mddev is about to be freed, meanwhile md_open can succeed.
> 
> Thanks,
> Kuai
> 
>> Downloadable assets:
>> disk image (non-bootable): 
>> https://storage.googleapis.com/syzbot-assets/d900f083ada3/non_bootable_disk-ced1b9e0.raw.xz 
>>
>> vmlinux: 
>> https://storage.googleapis.com/syzbot-assets/c709b0d9538c/vmlinux-ced1b9e0.xz 
>>
>> kernel image: 
>> https://storage.googleapis.com/syzbot-assets/129af0799fa3/bzImage-ced1b9e0.xz 
>>
>>
>> IMPORTANT: if you fix the issue, please add the following tag to the 
>> commit:
>> Reported-by: syzbot+fa3a12519f0d3fd4ec16@syzkaller.appspotmail.com
>>
>> ==================================================================
>> BUG: KASAN: slab-use-after-free in 
>> __list_add_valid_or_report+0x151/0x190 lib/list_debug.c:32
>> Read of size 8 at addr ffff888036fa1400 by task syz.2.1231/9834
>>
>> CPU: 3 UID: 0 PID: 9834 Comm: syz.2.1231 Not tainted 
>> 6.16.0-syzkaller-00857-gced1b9e0392d #0 PREEMPT(full)
>> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 
>> 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
>> Call Trace:
>>   <TASK>
>>   __dump_stack lib/dump_stack.c:94 [inline]
>>   dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
>>   print_address_description mm/kasan/report.c:378 [inline]
>>   print_report+0xcd/0x630 mm/kasan/report.c:482
>>   kasan_report+0xe0/0x110 mm/kasan/report.c:595
>>   __list_add_valid_or_report+0x151/0x190 lib/list_debug.c:32
>>   __list_add_valid include/linux/list.h:88 [inline]
>>   __list_add include/linux/list.h:150 [inline]
>>   list_add_tail include/linux/list.h:183 [inline]
>>   disk_add_events+0x90/0x170 block/disk-events.c:463
>>   add_disk_final block/genhd.c:427 [inline]
>>   add_disk_fwnode+0x3c8/0x5d0 block/genhd.c:610
>>   add_disk include/linux/blkdev.h:773 [inline]
>>   md_alloc+0x3c2/0x1080 drivers/md/md.c:5981
>>   md_alloc_and_put drivers/md/md.c:6016 [inline]
>>   md_probe drivers/md/md.c:6029 [inline]
>>   md_probe+0x6e/0xd0 drivers/md/md.c:6024
>>   blk_probe_dev+0x116/0x1a0 block/genhd.c:884
>>   blk_request_module+0x16/0xb0 block/genhd.c:897
>>   blkdev_get_no_open+0x9b/0x100 block/bdev.c:825
>>   blkdev_open+0x141/0x3f0 block/fops.c:684
>>   do_dentry_open+0x744/0x1c10 fs/open.c:965
>>   vfs_open+0x82/0x3f0 fs/open.c:1095
>>   do_open fs/namei.c:3887 [inline]
>>   path_openat+0x1de4/0x2cb0 fs/namei.c:4046
>>   do_filp_open+0x20b/0x470 fs/namei.c:4073
>>   do_sys_openat2+0x11b/0x1d0 fs/open.c:1435
>>   do_sys_open fs/open.c:1450 [inline]
>>   __do_sys_openat fs/open.c:1466 [inline]
>>   __se_sys_openat fs/open.c:1461 [inline]
>>   __x64_sys_openat+0x174/0x210 fs/open.c:1461
>>   do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
>>   do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94
>>   entry_SYSCALL_64_after_hwframe+0x77/0x7f
>> RIP: 0033:0x7f4ea558e9a9
>> Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 
>> 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 
>> 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
>> RSP: 002b:00007f4ea645e038 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
>> RAX: ffffffffffffffda RBX: 00007f4ea57b6080 RCX: 00007f4ea558e9a9
>> RDX: 0000000000000000 RSI: 0000200000000a80 RDI: ffffffffffffff9c
>> RBP: 00007f4ea5610d69 R08: 0000000000000000 R09: 0000000000000000
>> R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000000
>> R13: 0000000000000000 R14: 00007f4ea57b6080 R15: 00007fff25d53038
>>   </TASK>
>>
>> Allocated by task 9822:
>>   kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
>>   kasan_save_track+0x14/0x30 mm/kasan/common.c:68
>>   poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
>>   __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394
>>   kmalloc_noprof include/linux/slab.h:905 [inline]
>>   kzalloc_noprof include/linux/slab.h:1039 [inline]
>>   disk_alloc_events+0xf0/0x3f0 block/disk-events.c:439
>>   __add_disk+0x475/0xf00 block/genhd.c:500
>>   add_disk_fwnode+0x3f8/0x5d0 block/genhd.c:601
>>   add_disk include/linux/blkdev.h:773 [inline]
>>   md_alloc+0x3c2/0x1080 drivers/md/md.c:5981
>>   md_alloc_and_put drivers/md/md.c:6016 [inline]
>>   md_probe drivers/md/md.c:6029 [inline]
>>   md_probe+0x6e/0xd0 drivers/md/md.c:6024
>>   blk_probe_dev+0x116/0x1a0 block/genhd.c:884
>>   blk_request_module+0x16/0xb0 block/genhd.c:897
>>   blkdev_get_no_open+0x9b/0x100 block/bdev.c:825
>>   blkdev_open+0x141/0x3f0 block/fops.c:684
>>   do_dentry_open+0x744/0x1c10 fs/open.c:965
>>   vfs_open+0x82/0x3f0 fs/open.c:1095
>>   do_open fs/namei.c:3887 [inline]
>>   path_openat+0x1de4/0x2cb0 fs/namei.c:4046
>>   do_filp_open+0x20b/0x470 fs/namei.c:4073
>>   do_sys_openat2+0x11b/0x1d0 fs/open.c:1435
>>   do_sys_open fs/open.c:1450 [inline]
>>   __do_sys_openat fs/open.c:1466 [inline]
>>   __se_sys_openat fs/open.c:1461 [inline]
>>   __x64_sys_openat+0x174/0x210 fs/open.c:1461
>>   do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
>>   do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94
>>   entry_SYSCALL_64_after_hwframe+0x77/0x7f
>>
>> Freed by task 9817:
>>   kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
>>   kasan_save_track+0x14/0x30 mm/kasan/common.c:68
>>   kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:576
>>   poison_slab_object mm/kasan/common.c:247 [inline]
>>   __kasan_slab_free+0x51/0x70 mm/kasan/common.c:264
>>   kasan_slab_free include/linux/kasan.h:233 [inline]
>>   slab_free_hook mm/slub.c:2381 [inline]
>>   slab_free mm/slub.c:4643 [inline]
>>   kfree+0x2b4/0x4d0 mm/slub.c:4842
>>   disk_release+0x161/0x410 block/genhd.c:1301
>>   device_release+0xa1/0x240 drivers/base/core.c:2568
>>   kobject_cleanup lib/kobject.c:689 [inline]
>>   kobject_release lib/kobject.c:720 [inline]
>>   kref_put include/linux/kref.h:65 [inline]
>>   kobject_put+0x1e7/0x5a0 lib/kobject.c:737
>>   put_device+0x1f/0x30 drivers/base/core.c:3800
>>   blkdev_release+0x15/0x20 block/fops.c:699
>>   __fput+0x402/0xb70 fs/file_table.c:468
>>   task_work_run+0x14d/0x240 kernel/task_work.c:227
>>   resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
>>   exit_to_user_mode_loop+0xeb/0x110 kernel/entry/common.c:114
>>   exit_to_user_mode_prepare include/linux/entry-common.h:330 [inline]
>>   syscall_exit_to_user_mode_work include/linux/entry-common.h:414 
>> [inline]
>>   syscall_exit_to_user_mode include/linux/entry-common.h:449 [inline]
>>   do_syscall_64+0x3f6/0x4c0 arch/x86/entry/syscall_64.c:100
>>   entry_SYSCALL_64_after_hwframe+0x77/0x7f
>>
>> The buggy address belongs to the object at ffff888036fa1400
>>   which belongs to the cache kmalloc-512 of size 512
>> The buggy address is located 0 bytes inside of
>>   freed 512-byte region [ffff888036fa1400, ffff888036fa1600)
>>
>> The buggy address belongs to the physical page:
>> page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 
>> pfn:0x36fa0
>> head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
>> flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
>> page_type: f5(slab)
>> raw: 00fff00000000040 ffff88801b842c80 dead000000000100 dead000000000122
>> raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
>> head: 00fff00000000040 ffff88801b842c80 dead000000000100 dead000000000122
>> head: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
>> head: 00fff00000000002 ffffea0000dbe801 00000000ffffffff 00000000ffffffff
>> head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
>> page dumped because: kasan: bad access detected
>> page_owner tracks the page as allocated
>> page last allocated via order 2, migratetype Unmovable, gfp_mask 
>> 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), 
>> pid 2, tgid 2 (kthreadd), ts 71482349709, free_ts 68765218476
>>   set_page_owner include/linux/page_owner.h:32 [inline]
>>   post_alloc_hook+0x1c0/0x230 mm/page_alloc.c:1704
>>   prep_new_page mm/page_alloc.c:1712 [inline]
>>   get_page_from_freelist+0x1321/0x3890 mm/page_alloc.c:3669
>>   __alloc_frozen_pages_noprof+0x261/0x23f0 mm/page_alloc.c:4959
>>   alloc_pages_mpol+0x1fb/0x550 mm/mempolicy.c:2419
>>   alloc_slab_page mm/slub.c:2451 [inline]
>>   allocate_slab mm/slub.c:2619 [inline]
>>   new_slab+0x23b/0x330 mm/slub.c:2673
>>   ___slab_alloc+0xd9c/0x1940 mm/slub.c:3859
>>   __slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3949
>>   __slab_alloc_node mm/slub.c:4024 [inline]
>>   slab_alloc_node mm/slub.c:4185 [inline]
>>   __kmalloc_cache_noprof+0xfb/0x3e0 mm/slub.c:4354
>>   kmalloc_noprof include/linux/slab.h:905 [inline]
>>   kzalloc_noprof include/linux/slab.h:1039 [inline]
>>   set_kthread_struct+0xcb/0x380 kernel/kthread.c:126
>>   copy_process+0x3107/0x7650 kernel/fork.c:2097
>>   kernel_clone+0xfc/0x960 kernel/fork.c:2599
>>   kernel_thread+0xd4/0x120 kernel/fork.c:2661
>>   create_kthread kernel/kthread.c:487 [inline]
>>   kthreadd+0x503/0x800 kernel/kthread.c:847
>>   ret_from_fork+0x5d4/0x6f0 arch/x86/kernel/process.c:148
>>   ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
>> page last free pid 6016 tgid 6016 stack trace:
>>   reset_page_owner include/linux/page_owner.h:25 [inline]
>>   free_pages_prepare mm/page_alloc.c:1248 [inline]
>>   __free_frozen_pages+0x7fe/0x1180 mm/page_alloc.c:2706
>>   vfree+0x1fd/0xb50 mm/vmalloc.c:3434
>>   kcov_put kernel/kcov.c:439 [inline]
>>   kcov_put kernel/kcov.c:435 [inline]
>>   kcov_close+0x34/0x60 kernel/kcov.c:535
>>   __fput+0x402/0xb70 fs/file_table.c:468
>>   task_work_run+0x14d/0x240 kernel/task_work.c:227
>>   exit_task_work include/linux/task_work.h:40 [inline]
>>   do_exit+0x86c/0x2bd0 kernel/exit.c:964
>>   do_group_exit+0xd3/0x2a0 kernel/exit.c:1105
>>   get_signal+0x2673/0x26d0 kernel/signal.c:3034
>>   arch_do_signal_or_restart+0x8f/0x7d0 arch/x86/kernel/signal.c:337
>>   exit_to_user_mode_loop+0x84/0x110 kernel/entry/common.c:111
>>   exit_to_user_mode_prepare include/linux/entry-common.h:330 [inline]
>>   syscall_exit_to_user_mode_work include/linux/entry-common.h:414 
>> [inline]
>>   syscall_exit_to_user_mode include/linux/entry-common.h:449 [inline]
>>   do_syscall_64+0x3f6/0x4c0 arch/x86/entry/syscall_64.c:100
>>   entry_SYSCALL_64_after_hwframe+0x77/0x7f
>>
>> Memory state around the buggy address:
>>   ffff888036fa1300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>>   ffff888036fa1380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>>> ffff888036fa1400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>>                     ^
>>   ffff888036fa1480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>>   ffff888036fa1500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>> ==================================================================
>>
>>
>> ---
>> This report is generated by a bot. It may contain errors.
>> See https://goo.gl/tpsmEJ for more information about syzbot.
>> syzbot engineers can be reached at syzkaller@googlegroups.com.
>>
>> syzbot will keep track of this issue. See:
>> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
>>
>> If the report is already addressed, let syzbot know by replying with:
>> #syz fix: exact-commit-title
>>
>> If you want syzbot to run the reproducer, reply with:
>> #syz test: git://repo/address.git branch-or-commit-hash
>> If you attach or paste a git patch, syzbot will apply it before testing.
>>
>> If you want to overwrite report's subsystems, reply with:
>> #syz set subsystems: new-subsystem
>> (See the list of subsystem names on the web dashboard)
>>
>> If the report is a duplicate of another one, reply with:
>> #syz dup: exact-subject-of-another-report
>>
>> If you want to undo deduplication, reply with:
>> #syz undup
>>
>>
>> .
>>
> 
> .
> 

Re: [syzbot] [bpf?] KASAN: slab-out-of-bounds Write in __bpf_get_stackid

[syzbot]

syzbot has found a reproducer for the following issue on:

HEAD commit:    5b4c54ac49af bpf: Fix various typos in verifier.c comments
git tree:       bpf-next
console+strace: https://syzkaller.appspot.com/x/log.txt?x=17441782580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=934611ae034ab218
dashboard link: https://syzkaller.appspot.com/bug?extid=c9b724fbb41cf2538b7b
compiler:       Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=16f294a2580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=14349034580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/5a5cfac28d08/disk-5b4c54ac.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/bb5b9f9f1b33/vmlinux-5b4c54ac.xz
kernel image: https://storage.googleapis.com/syzbot-assets/14b928da2760/bzImage-5b4c54ac.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+c9b724fbb41cf2538b7b@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: slab-out-of-bounds in __bpf_get_stackid+0x677/0xcf0 kernel/bpf/stackmap.c:265
Write of size 8 at addr ffff8880439aa258 by task syz-executor265/6114

CPU: 1 UID: 0 PID: 6114 Comm: syz-executor265 Not tainted 6.16.0-rc6-syzkaller-g5b4c54ac49af #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
Call Trace:
 <IRQ>
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xca/0x230 mm/kasan/report.c:480
 kasan_report+0x118/0x150 mm/kasan/report.c:593
 __bpf_get_stackid+0x677/0xcf0 kernel/bpf/stackmap.c:265
 ____bpf_get_stackid_raw_tp kernel/trace/bpf_trace.c:1810 [inline]
 bpf_get_stackid_raw_tp+0x196/0x210 kernel/trace/bpf_trace.c:1799
 bpf_prog_b724608cae728045+0x27/0x2f
 bpf_dispatcher_nop_func include/linux/bpf.h:1322 [inline]
 __bpf_prog_run include/linux/filter.h:718 [inline]
 bpf_prog_run include/linux/filter.h:725 [inline]
 __bpf_trace_run kernel/trace/bpf_trace.c:2257 [inline]
 bpf_trace_run2+0x284/0x4b0 kernel/trace/bpf_trace.c:2298
 __do_trace_kfree include/trace/events/kmem.h:94 [inline]
 trace_kfree include/trace/events/kmem.h:94 [inline]
 kfree+0x3a0/0x440 mm/slub.c:4829
 slab_free_after_rcu_debug+0x60/0x2a0 mm/slub.c:4680
 rcu_do_batch kernel/rcu/tree.c:2576 [inline]
 rcu_core+0xca8/0x1710 kernel/rcu/tree.c:2832
 handle_softirqs+0x283/0x870 kernel/softirq.c:579
 __do_softirq kernel/softirq.c:613 [inline]
 invoke_softirq kernel/softirq.c:453 [inline]
 __irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:680
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
 sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1050
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:xas_load+0xd9/0x5b0 lib/xarray.c:244
Code: 42 0f b6 04 28 84 c0 0f 85 3a 04 00 00 49 8d 5e fe 48 8b 44 24 08 0f b6 28 48 89 d8 48 c1 e8 03 48 89 44 24 20 42 0f b6 04 28 <84> c0 0f 85 34 04 00 00 44 0f b6 23 44 0f b6 fd 44 89 ff 44 89 e6
RSP: 0000:ffffc9000459f898 EFLAGS: 00000a02
RAX: 0000000000000000 RBX: ffff888025438840 RCX: ffff88807c050000
RDX: 0000000000000000 RSI: 0000000000000002 RDI: 0000000000000002
RBP: 0000000000000000 R08: ffff88807c050000 R09: 0000000000000002
R10: 0000000000000003 R11: 0000000000000000 R12: ffffc9000459fb32
R13: dffffc0000000000 R14: ffff888025438842 R15: 0000000000000002
 xas_find+0x157/0x990 lib/xarray.c:1406
 next_uptodate_folio+0x32/0x5d0 mm/filemap.c:3562
 filemap_map_pages+0x21f/0x1740 mm/filemap.c:3714
 do_fault_around mm/memory.c:5548 [inline]
 do_read_fault mm/memory.c:5581 [inline]
 do_fault mm/memory.c:5724 [inline]
 do_pte_missing mm/memory.c:4251 [inline]
 handle_pte_fault mm/memory.c:6069 [inline]
 __handle_mm_fault+0x3687/0x5620 mm/memory.c:6212
 handle_mm_fault+0x40a/0x8e0 mm/memory.c:6381
 do_user_addr_fault+0xa81/0x1390 arch/x86/mm/fault.c:1336
 handle_page_fault arch/x86/mm/fault.c:1476 [inline]
 exc_page_fault+0x76/0xf0 arch/x86/mm/fault.c:1532
 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
RIP: 0033:0x7f3d52e29438
Code: Unable to access opcode bytes at 0x7f3d52e2940e.
RSP: 002b:00007fff46c399c8 EFLAGS: 00010206
RAX: 00007f3d52e59ad8 RBX: 0000000000000000 RCX: 0000000000000004
RDX: 00007f3d52e5ad00 RSI: 0000000000000000 RDI: 00007f3d52e59ad8
RBP: 00007f3d52e58118 R08: 00007fff46c39a3c R09: 00007fff46c39a3c
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f3d52e5ace8
R13: 0000000000000000 R14: 00007f3d52e5ad00 R15: 00007f3d52db0290
 </TASK>

Allocated by task 6114:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
 __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394
 kasan_kmalloc include/linux/kasan.h:260 [inline]
 __do_kmalloc_node mm/slub.c:4328 [inline]
 __kmalloc_node_noprof+0x276/0x4e0 mm/slub.c:4334
 kmalloc_node_noprof include/linux/slab.h:932 [inline]
 __bpf_map_area_alloc kernel/bpf/syscall.c:391 [inline]
 bpf_map_area_alloc+0x64/0x180 kernel/bpf/syscall.c:404
 prealloc_elems_and_freelist+0x86/0x1d0 kernel/bpf/stackmap.c:51
 stack_map_alloc+0x33f/0x4c0 kernel/bpf/stackmap.c:114
 map_create+0xaa0/0x1310 kernel/bpf/syscall.c:1477
 __sys_bpf+0x60f/0x870 kernel/bpf/syscall.c:6004
 __do_sys_bpf kernel/bpf/syscall.c:6132 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:6130 [inline]
 __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:6130
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff8880439aa000
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 24 bytes to the right of
 allocated 576-byte region [ffff8880439aa000, ffff8880439aa240)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x439a8
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
anon flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88801a441dc0 0000000000000000 dead000000000001
raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
head: 00fff00000000040 ffff88801a441dc0 0000000000000000 dead000000000001
head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
head: 00fff00000000003 ffffea00010e6a01 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5514, tgid 5514 (dhcpcd), ts 48384102667, free_ts 48383277611
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1704
 prep_new_page mm/page_alloc.c:1712 [inline]
 get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3669
 __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:4959
 alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2419
 alloc_slab_page mm/slub.c:2451 [inline]
 allocate_slab+0x8a/0x3b0 mm/slub.c:2619
 new_slab mm/slub.c:2673 [inline]
 ___slab_alloc+0xbfc/0x1480 mm/slub.c:3859
 __slab_alloc mm/slub.c:3949 [inline]
 __slab_alloc_node mm/slub.c:4024 [inline]
 slab_alloc_node mm/slub.c:4185 [inline]
 __do_kmalloc_node mm/slub.c:4327 [inline]
 __kmalloc_noprof+0x305/0x4f0 mm/slub.c:4340
 kmalloc_noprof include/linux/slab.h:909 [inline]
 load_elf_phdrs fs/binfmt_elf.c:525 [inline]
 load_elf_binary+0x2cd/0x2790 fs/binfmt_elf.c:854
 search_binary_handler fs/exec.c:1670 [inline]
 exec_binprm fs/exec.c:1702 [inline]
 bprm_execve+0x999/0x1450 fs/exec.c:1754
 do_execveat_common+0x510/0x6a0 fs/exec.c:1860
 do_execve fs/exec.c:1934 [inline]
 __do_sys_execve fs/exec.c:2010 [inline]
 __se_sys_execve fs/exec.c:2005 [inline]
 __x64_sys_execve+0x94/0xb0 fs/exec.c:2005
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 5514 tgid 5514 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1248 [inline]
 __free_frozen_pages+0xc71/0xe70 mm/page_alloc.c:2706
 discard_slab mm/slub.c:2717 [inline]
 __put_partials+0x161/0x1c0 mm/slub.c:3186
 put_cpu_partial+0x17c/0x250 mm/slub.c:3261
 __slab_free+0x2f7/0x400 mm/slub.c:4513
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x97/0x140 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:329
 kasan_slab_alloc include/linux/kasan.h:250 [inline]
 slab_post_alloc_hook mm/slub.c:4148 [inline]
 slab_alloc_node mm/slub.c:4197 [inline]
 __do_kmalloc_node mm/slub.c:4327 [inline]
 __kmalloc_noprof+0x224/0x4f0 mm/slub.c:4340
 kmalloc_noprof include/linux/slab.h:909 [inline]
 tomoyo_add_entry security/tomoyo/common.c:2132 [inline]
 tomoyo_supervisor+0xbd5/0x1480 security/tomoyo/common.c:2204
 tomoyo_audit_env_log security/tomoyo/environ.c:36 [inline]
 tomoyo_env_perm+0x149/0x1e0 security/tomoyo/environ.c:63
 tomoyo_environ security/tomoyo/domain.c:672 [inline]
 tomoyo_find_next_domain+0x15cf/0x1aa0 security/tomoyo/domain.c:888
 tomoyo_bprm_check_security+0x11c/0x180 security/tomoyo/tomoyo.c:102
 security_bprm_check+0x89/0x270 security/security.c:1302
 search_binary_handler fs/exec.c:1660 [inline]
 exec_binprm fs/exec.c:1702 [inline]
 bprm_execve+0x8ee/0x1450 fs/exec.c:1754
 do_execveat_common+0x510/0x6a0 fs/exec.c:1860
 do_execve fs/exec.c:1934 [inline]
 __do_sys_execve fs/exec.c:2010 [inline]
 __se_sys_execve fs/exec.c:2005 [inline]
 __x64_sys_execve+0x94/0xb0 fs/exec.c:2005

Memory state around the buggy address:
 ffff8880439aa100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8880439aa180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8880439aa200: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
                                                    ^
 ffff8880439aa280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8880439aa300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
----------------
Code disassembly (best guess):
   0:	42 0f b6 04 28       	movzbl (%rax,%r13,1),%eax
   5:	84 c0                	test   %al,%al
   7:	0f 85 3a 04 00 00    	jne    0x447
   d:	49 8d 5e fe          	lea    -0x2(%r14),%rbx
  11:	48 8b 44 24 08       	mov    0x8(%rsp),%rax
  16:	0f b6 28             	movzbl (%rax),%ebp
  19:	48 89 d8             	mov    %rbx,%rax
  1c:	48 c1 e8 03          	shr    $0x3,%rax
  20:	48 89 44 24 20       	mov    %rax,0x20(%rsp)
  25:	42 0f b6 04 28       	movzbl (%rax,%r13,1),%eax
* 2a:	84 c0                	test   %al,%al <-- trapping instruction
  2c:	0f 85 34 04 00 00    	jne    0x466
  32:	44 0f b6 23          	movzbl (%rbx),%r12d
  36:	44 0f b6 fd          	movzbl %bpl,%r15d
  3a:	44 89 ff             	mov    %r15d,%edi
  3d:	44 89 e6             	mov    %r12d,%esi


---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

syztest

[Arnaud Lecomte]

#syz test

--- a/kernel/bpf/stackmap.c
+++ b/kernel/bpf/stackmap.c
@@ -230,7 +230,7 @@ static long __bpf_get_stackid(struct bpf_map *map,
 	struct bpf_stack_map *smap = container_of(map, struct bpf_stack_map, map);
 	struct stack_map_bucket *bucket, *new_bucket, *old_bucket;
 	u32 skip = flags & BPF_F_SKIP_FIELD_MASK;
-	u32 hash, id, trace_nr, trace_len, i;
+	u32 hash, id, trace_nr, trace_len, i, max_depth;
 	bool user = flags & BPF_F_USER_STACK;
 	u64 *ips;
 	bool hash_matches;
@@ -241,6 +241,19 @@ static long __bpf_get_stackid(struct bpf_map *map,
 
 	trace_nr = trace->nr - skip;
 	trace_len = trace_nr * sizeof(u64);
+
+	/* Clamp the trace to max allowed depth */
+	if (stack_map_use_build_id(map))
+		max_depth = smap->map.value_size / sizeof(struct bpf_stack_build_id);
+	else
+		max_depth = smap->map.value_size / sizeof(u64);
+
+	if (trace_nr > max_depth)
+		trace_nr = max_depth;
+
+ 	ips = trace->ip + skip;
+
+
 	ips = trace->ip + skip;
 	hash = jhash2((u32 *)ips, trace_len / sizeof(u32), 0);
 	id = hash & (smap->n_buckets - 1);
-- 

[syzbot] [bpf?] KASAN: slab-out-of-bounds Write in __bpf_get_stackid

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    5345e64760d3 bpf: Simplify bounds refinement from s32
git tree:       bpf-next
console output: https://syzkaller.appspot.com/x/log.txt?x=1052e782580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=934611ae034ab218
dashboard link: https://syzkaller.appspot.com/bug?extid=c9b724fbb41cf2538b7b
compiler:       Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/533f77de596b/disk-5345e647.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/771fbeaf8fb5/vmlinux-5345e647.xz
kernel image: https://storage.googleapis.com/syzbot-assets/6bb4eec6d31b/bzImage-5345e647.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+c9b724fbb41cf2538b7b@syzkaller.appspotmail.com

hrtimer: interrupt took 66349 ns
==================================================================
BUG: KASAN: slab-out-of-bounds in __bpf_get_stackid+0x677/0xcf0 kernel/bpf/stackmap.c:265
Write of size 8 at addr ffff888143fd0a58 by task syz.1.2/5975

CPU: 1 UID: 0 PID: 5975 Comm: syz.1.2 Not tainted 6.16.0-rc6-syzkaller-g5345e64760d3 #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
Call Trace:
 <IRQ>
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xca/0x230 mm/kasan/report.c:480
 kasan_report+0x118/0x150 mm/kasan/report.c:593
 __bpf_get_stackid+0x677/0xcf0 kernel/bpf/stackmap.c:265
 ____bpf_get_stackid_raw_tp kernel/trace/bpf_trace.c:1810 [inline]
 bpf_get_stackid_raw_tp+0x196/0x210 kernel/trace/bpf_trace.c:1799
 bpf_prog_b724608cae728045+0x27/0x2f
 bpf_dispatcher_nop_func include/linux/bpf.h:1322 [inline]
 __bpf_prog_run include/linux/filter.h:718 [inline]
 bpf_prog_run include/linux/filter.h:725 [inline]
 __bpf_trace_run kernel/trace/bpf_trace.c:2257 [inline]
 bpf_trace_run2+0x284/0x4b0 kernel/trace/bpf_trace.c:2298
 __do_trace_kfree include/trace/events/kmem.h:94 [inline]
 trace_kfree include/trace/events/kmem.h:94 [inline]
 kfree+0x3a0/0x440 mm/slub.c:4829
 slab_free_after_rcu_debug+0x60/0x2a0 mm/slub.c:4680
 rcu_do_batch kernel/rcu/tree.c:2576 [inline]
 rcu_core+0xca8/0x1710 kernel/rcu/tree.c:2832
 handle_softirqs+0x283/0x870 kernel/softirq.c:579
 __do_softirq kernel/softirq.c:613 [inline]
 invoke_softirq kernel/softirq.c:453 [inline]
 __irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:680
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
 sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1050
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:bytes_is_nonzero mm/kasan/generic.c:87 [inline]
RIP: 0010:memory_is_nonzero mm/kasan/generic.c:104 [inline]
RIP: 0010:memory_is_poisoned_n mm/kasan/generic.c:129 [inline]
RIP: 0010:memory_is_poisoned mm/kasan/generic.c:161 [inline]
RIP: 0010:check_region_inline mm/kasan/generic.c:180 [inline]
RIP: 0010:kasan_check_range+0x9f/0x2c0 mm/kasan/generic.c:189
Code: 00 fc ff df 4d 8d 34 19 4d 89 f4 4d 29 dc 49 83 fc 10 7f 29 4d 85 e4 0f 84 41 01 00 00 4c 89 cb 48 f7 d3 4c 01 fb 41 80 3b 00 <0f> 85 de 01 00 00 49 ff c3 48 ff c3 75 ee e9 21 01 00 00 44 89 dd
RSP: 0018:ffffc900044dee68 EFLAGS: 00000246
RAX: 0000000000000001 RBX: ffffffffffffffff RCX: ffffffff8215d67f
RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffea0000c7f634
RBP: 0000000000000000 R08: ffffea0000c7f637 R09: 1ffffd400018fec6
R10: dffffc0000000000 R11: fffff9400018fec6 R12: 0000000000000001
R13: 0000000000000000 R14: fffff9400018fec7 R15: 1ffffd400018fec6
 instrument_atomic_read include/linux/instrumented.h:68 [inline]
 atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline]
 page_ref_count include/linux/page_ref.h:67 [inline]
 set_page_refcounted+0x4f/0x160 mm/internal.h:491
 __alloc_pages_noprof mm/page_alloc.c:4995 [inline]
 alloc_pages_bulk_noprof+0x570/0x710 mm/page_alloc.c:4913
 ___alloc_pages_bulk mm/kasan/shadow.c:344 [inline]
 __kasan_populate_vmalloc mm/kasan/shadow.c:368 [inline]
 kasan_populate_vmalloc+0xba/0x1a0 mm/kasan/shadow.c:417
 alloc_vmap_area+0xd51/0x1490 mm/vmalloc.c:2092
 __get_vm_area_node+0x1f8/0x300 mm/vmalloc.c:3187
 __vmalloc_node_range_noprof+0x301/0x12f0 mm/vmalloc.c:3853
 __vmalloc_node_noprof mm/vmalloc.c:3956 [inline]
 vmalloc_noprof+0xb2/0xf0 mm/vmalloc.c:3989
 bpf_prog_calc_tag+0xb9/0x620 kernel/bpf/core.c:307
 resolve_pseudo_ldimm64+0xbc/0xc50 kernel/bpf/verifier.c:20479
 bpf_check+0x1c58/0x1d2e0 kernel/bpf/verifier.c:24614
 bpf_prog_load+0x1318/0x1930 kernel/bpf/syscall.c:2972
 __sys_bpf+0x528/0x870 kernel/bpf/syscall.c:6022
 __do_sys_bpf kernel/bpf/syscall.c:6132 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:6130 [inline]
 __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:6130
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f1cabb8e9a9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f1cac9f6038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00007f1cabdb5fa0 RCX: 00007f1cabb8e9a9
RDX: 0000000000000094 RSI: 0000200000000640 RDI: 0000000000000005
RBP: 00007f1cabc10d69 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f1cabdb5fa0 R15: 00007ffee0b40348
 </TASK>

Allocated by task 5979:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
 __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394
 kasan_kmalloc include/linux/kasan.h:260 [inline]
 __do_kmalloc_node mm/slub.c:4328 [inline]
 __kmalloc_node_noprof+0x276/0x4e0 mm/slub.c:4334
 kmalloc_node_noprof include/linux/slab.h:932 [inline]
 __bpf_map_area_alloc kernel/bpf/syscall.c:391 [inline]
 bpf_map_area_alloc+0x64/0x180 kernel/bpf/syscall.c:404
 prealloc_elems_and_freelist+0x86/0x1d0 kernel/bpf/stackmap.c:51
 stack_map_alloc+0x33f/0x4c0 kernel/bpf/stackmap.c:114
 map_create+0xaa0/0x1310 kernel/bpf/syscall.c:1477
 __sys_bpf+0x60f/0x870 kernel/bpf/syscall.c:6004
 __do_sys_bpf kernel/bpf/syscall.c:6132 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:6130 [inline]
 __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:6130
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff888143fd0800
 which belongs to the cache kmalloc-cg-1k of size 1024
The buggy address is located 24 bytes to the right of
 allocated 576-byte region [ffff888143fd0800, ffff888143fd0a40)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x143fd0
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
memcg:ffff88814cb20d01
flags: 0x57ff00000000040(head|node=1|zone=2|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 057ff00000000040 ffff88801a44b280 dead000000000122 0000000000000000
raw: 0000000000000000 0000000080100010 00000000f5000000 ffff88814cb20d01
head: 057ff00000000040 ffff88801a44b280 dead000000000122 0000000000000000
head: 0000000000000000 0000000080100010 00000000f5000000 ffff88814cb20d01
head: 057ff00000000003 ffffea00050ff401 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x252800(GFP_NOWAIT|__GFP_NORETRY|__GFP_COMP|__GFP_THISNODE), pid 5854, tgid 5854 (syz-executor), ts 88680071975, free_ts 62656261060
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1704
 prep_new_page mm/page_alloc.c:1712 [inline]
 get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3669
 __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:4959
 alloc_slab_page mm/slub.c:2453 [inline]
 allocate_slab+0x65/0x3b0 mm/slub.c:2619
 new_slab mm/slub.c:2673 [inline]
 ___slab_alloc+0xbfc/0x1480 mm/slub.c:3859
 __slab_alloc mm/slub.c:3949 [inline]
 __slab_alloc_node mm/slub.c:4024 [inline]
 slab_alloc_node mm/slub.c:4185 [inline]
 __kmalloc_cache_node_noprof+0x29a/0x3d0 mm/slub.c:4367
 kmalloc_node_noprof include/linux/slab.h:928 [inline]
 alloc_mem_cgroup_per_node_info mm/memcontrol.c:3665 [inline]
 mem_cgroup_alloc mm/memcontrol.c:3747 [inline]
 mem_cgroup_css_alloc+0x4b2/0x1f20 mm/memcontrol.c:3789
 css_create kernel/cgroup/cgroup.c:5669 [inline]
 cgroup_apply_control_enable+0x3d1/0xa80 kernel/cgroup/cgroup.c:3289
 cgroup_mkdir+0xc40/0xe60 kernel/cgroup/cgroup.c:5893
 kernfs_iop_mkdir+0x211/0x350 fs/kernfs/dir.c:1268
 vfs_mkdir+0x306/0x510 fs/namei.c:4375
 do_mkdirat+0x247/0x590 fs/namei.c:4408
 __do_sys_mkdirat fs/namei.c:4425 [inline]
 __se_sys_mkdirat fs/namei.c:4423 [inline]
 __x64_sys_mkdirat+0x87/0xa0 fs/namei.c:4423
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 5696 tgid 5696 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1248 [inline]
 __free_frozen_pages+0xc71/0xe70 mm/page_alloc.c:2706
 discard_slab mm/slub.c:2717 [inline]
 __put_partials+0x161/0x1c0 mm/slub.c:3186
 put_cpu_partial+0x17c/0x250 mm/slub.c:3261
 __slab_free+0x2f7/0x400 mm/slub.c:4513
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x97/0x140 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:329
 kasan_slab_alloc include/linux/kasan.h:250 [inline]
 slab_post_alloc_hook mm/slub.c:4148 [inline]
 slab_alloc_node mm/slub.c:4197 [inline]
 kmem_cache_alloc_noprof+0x1c1/0x3c0 mm/slub.c:4204
 ptlock_alloc+0x20/0x70 mm/memory.c:7174
 ptlock_init include/linux/mm.h:2939 [inline]
 pagetable_pte_ctor include/linux/mm.h:2988 [inline]
 __pte_alloc_one_noprof include/asm-generic/pgalloc.h:78 [inline]
 pte_alloc_one+0x7d/0x170 arch/x86/mm/pgtable.c:18
 do_fault_around mm/memory.c:5542 [inline]
 do_read_fault mm/memory.c:5581 [inline]
 do_fault mm/memory.c:5724 [inline]
 do_pte_missing mm/memory.c:4251 [inline]
 handle_pte_fault mm/memory.c:6069 [inline]
 __handle_mm_fault+0x294d/0x5620 mm/memory.c:6212
 handle_mm_fault+0x40a/0x8e0 mm/memory.c:6381
 do_user_addr_fault+0xa81/0x1390 arch/x86/mm/fault.c:1336
 handle_page_fault arch/x86/mm/fault.c:1476 [inline]
 exc_page_fault+0x76/0xf0 arch/x86/mm/fault.c:1532
 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623

Memory state around the buggy address:
 ffff888143fd0900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888143fd0980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888143fd0a00: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
                                                    ^
 ffff888143fd0a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888143fd0b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
----------------
Code disassembly (best guess), 3 bytes skipped:
   0:	df 4d 8d             	fisttps -0x73(%rbp)
   3:	34 19                	xor    $0x19,%al
   5:	4d 89 f4             	mov    %r14,%r12
   8:	4d 29 dc             	sub    %r11,%r12
   b:	49 83 fc 10          	cmp    $0x10,%r12
   f:	7f 29                	jg     0x3a
  11:	4d 85 e4             	test   %r12,%r12
  14:	0f 84 41 01 00 00    	je     0x15b
  1a:	4c 89 cb             	mov    %r9,%rbx
  1d:	48 f7 d3             	not    %rbx
  20:	4c 01 fb             	add    %r15,%rbx
  23:	41 80 3b 00          	cmpb   $0x0,(%r11)
* 27:	0f 85 de 01 00 00    	jne    0x20b <-- trapping instruction
  2d:	49 ff c3             	inc    %r11
  30:	48 ff c3             	inc    %rbx
  33:	75 ee                	jne    0x23
  35:	e9 21 01 00 00       	jmp    0x15b
  3a:	44 89 dd             	mov    %r11d,%ebp


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

syztest

[Arnaud Lecomte]

#syz test

diff --git a/kernel/bpf/stackmap.c b/kernel/bpf/stackmap.c
index 3615c06b7dfa..29e05c9ff1bd 100644
--- a/kernel/bpf/stackmap.c
+++ b/kernel/bpf/stackmap.c
@@ -42,6 +42,28 @@ static inline int stack_map_data_size(struct bpf_map *map)
 		sizeof(struct bpf_stack_build_id) : sizeof(u64);
 }
 
+/**
+ * stack_map_calculate_max_depth - Calculate maximum allowed stack trace depth
+ * @size:  Size of the buffer/map value in bytes
+ * @elem_size:  Size of each stack trace element
+ * @flags:  BPF stack trace flags (BPF_F_USER_STACK, BPF_F_USER_BUILD_ID, ...)
+ *
+ * Return: Maximum number of stack trace entries that can be safely stored
+ */
+static u32 stack_map_calculate_max_depth(u32 size, u32 elem_size, u64 flags)
+{
+	u32 skip = flags & BPF_F_SKIP_FIELD_MASK;
+	u32 max_depth;
+	u32 curr_sysctl_max_stack = READ_ONCE(sysctl_perf_event_max_stack);
+
+	max_depth = size / elem_size;
+	max_depth += skip;
+	if (max_depth > curr_sysctl_max_stack)
+		return curr_sysctl_max_stack;
+
+	return max_depth;
+}
+
 static int prealloc_elems_and_freelist(struct bpf_stack_map *smap)
 {
 	u64 elem_size = sizeof(struct stack_map_bucket) +
@@ -300,20 +322,17 @@ static long __bpf_get_stackid(struct bpf_map *map,
 BPF_CALL_3(bpf_get_stackid, struct pt_regs *, regs, struct bpf_map *, map,
 	   u64, flags)
 {
-	u32 max_depth = map->value_size / stack_map_data_size(map);
-	u32 skip = flags & BPF_F_SKIP_FIELD_MASK;
+	u32 elem_size = stack_map_data_size(map);
 	bool user = flags & BPF_F_USER_STACK;
 	struct perf_callchain_entry *trace;
 	bool kernel = !user;
+	u32 max_depth;
 
 	if (unlikely(flags & ~(BPF_F_SKIP_FIELD_MASK | BPF_F_USER_STACK |
 			       BPF_F_FAST_STACK_CMP | BPF_F_REUSE_STACKID)))
 		return -EINVAL;
 
-	max_depth += skip;
-	if (max_depth > sysctl_perf_event_max_stack)
-		max_depth = sysctl_perf_event_max_stack;
-
+	max_depth = stack_map_calculate_max_depth(map->value_size, elem_size, flags);
 	trace = get_perf_callchain(regs, 0, kernel, user, max_depth,
 				   false, false);
 
@@ -350,6 +369,7 @@ BPF_CALL_3(bpf_get_stackid_pe, struct bpf_perf_event_data_kern *, ctx,
 {
 	struct perf_event *event = ctx->event;
 	struct perf_callchain_entry *trace;
+	u32 elem_size, max_depth;
 	bool kernel, user;
 	__u64 nr_kernel;
 	int ret;
@@ -371,11 +391,15 @@ BPF_CALL_3(bpf_get_stackid_pe, struct bpf_perf_event_data_kern *, ctx,
 		return -EFAULT;
 
 	nr_kernel = count_kernel_ip(trace);
+	elem_size = stack_map_data_size(map);
 
 	if (kernel) {
 		__u64 nr = trace->nr;
 
 		trace->nr = nr_kernel;
+		max_depth =
+			stack_map_calculate_max_depth(map->value_size, elem_size, flags);
+		trace->nr = min_t(u32, nr_kernel, max_depth);
 		ret = __bpf_get_stackid(map, trace, flags);
 
 		/* restore nr */
@@ -388,6 +412,9 @@ BPF_CALL_3(bpf_get_stackid_pe, struct bpf_perf_event_data_kern *, ctx,
 			return -EFAULT;
 
 		flags = (flags & ~BPF_F_SKIP_FIELD_MASK) | skip;
+		max_depth =
+			stack_map_calculate_max_depth(map->value_size, elem_size, flags);
+		trace->nr = min_t(u32, trace->nr, max_depth);
 		ret = __bpf_get_stackid(map, trace, flags);
 	}
 	return ret;
@@ -406,8 +433,8 @@ static long __bpf_get_stack(struct pt_regs *regs, struct task_struct *task,
 			    struct perf_callchain_entry *trace_in,
 			    void *buf, u32 size, u64 flags, bool may_fault)
 {
-	u32 trace_nr, copy_len, elem_size, num_elem, max_depth;
 	bool user_build_id = flags & BPF_F_USER_BUILD_ID;
+	u32 trace_nr, copy_len, elem_size, max_depth;
 	bool crosstask = task && task != current;
 	u32 skip = flags & BPF_F_SKIP_FIELD_MASK;
 	bool user = flags & BPF_F_USER_STACK;
@@ -438,21 +465,20 @@ static long __bpf_get_stack(struct pt_regs *regs, struct task_struct *task,
 		goto clear;
 	}
 
-	num_elem = size / elem_size;
-	max_depth = num_elem + skip;
-	if (sysctl_perf_event_max_stack < max_depth)
-		max_depth = sysctl_perf_event_max_stack;
+	max_depth = stack_map_calculate_max_depth(size, elem_size, flags);
 
 	if (may_fault)
 		rcu_read_lock(); /* need RCU for perf's callchain below */
 
-	if (trace_in)
+	if (trace_in) {
 		trace = trace_in;
-	else if (kernel && task)
+		trace->nr = min_t(u32, trace->nr, max_depth);
+	} else if (kernel && task) {
 		trace = get_callchain_entry_for_task(task, max_depth);
-	else
+	} else {
 		trace = get_perf_callchain(regs, 0, kernel, user, max_depth,
 					   crosstask, false);
+	}
 
 	if (unlikely(!trace) || trace->nr < skip) {
 		if (may_fault)
@@ -461,7 +487,6 @@ static long __bpf_get_stack(struct pt_regs *regs, struct task_struct *task,
 	}
 
 	trace_nr = trace->nr - skip;
-	trace_nr = (trace_nr <= num_elem) ? trace_nr : num_elem;
 	copy_len = trace_nr * elem_size;
 
 	ips = trace->ip + skip;
-- 
2.47.3

syztest

[Arnaud Lecomte]

#syz test

diff --git a/kernel/bpf/stackmap.c b/kernel/bpf/stackmap.c
index 3615c06b7dfa..1389712bc1df 100644
--- a/kernel/bpf/stackmap.c
+++ b/kernel/bpf/stackmap.c
@@ -42,6 +42,28 @@ static inline int stack_map_data_size(struct bpf_map *map)
 		sizeof(struct bpf_stack_build_id) : sizeof(u64);
 }
 
+/**
+ * stack_map_calculate_max_depth - Calculate maximum allowed stack trace depth
+ * @size:  Size of the buffer/map value in bytes
+ * @elem_size:  Size of each stack trace element
+ * @flags:  BPF stack trace flags (BPF_F_USER_STACK, BPF_F_USER_BUILD_ID, ...)
+ *
+ * Return: Maximum number of stack trace entries that can be safely stored
+ */
+static u32 stack_map_calculate_max_depth(u32 size, u32 elem_size, u64 flags)
+{
+	u32 skip = flags & BPF_F_SKIP_FIELD_MASK;
+	u32 max_depth;
+	u32 curr_sysctl_max_stack = READ_ONCE(sysctl_perf_event_max_stack);
+
+	max_depth = size / elem_size;
+	max_depth += skip;
+	if (max_depth > curr_sysctl_max_stack)
+		return curr_sysctl_max_stack;
+
+	return max_depth;
+}
+
 static int prealloc_elems_and_freelist(struct bpf_stack_map *smap)
 {
 	u64 elem_size = sizeof(struct stack_map_bucket) +
@@ -300,22 +322,20 @@ static long __bpf_get_stackid(struct bpf_map *map,
 BPF_CALL_3(bpf_get_stackid, struct pt_regs *, regs, struct bpf_map *, map,
 	   u64, flags)
 {
-	u32 max_depth = map->value_size / stack_map_data_size(map);
-	u32 skip = flags & BPF_F_SKIP_FIELD_MASK;
+	u32 elem_size = stack_map_data_size(map);
 	bool user = flags & BPF_F_USER_STACK;
 	struct perf_callchain_entry *trace;
 	bool kernel = !user;
+	u32 max_depth;
 
 	if (unlikely(flags & ~(BPF_F_SKIP_FIELD_MASK | BPF_F_USER_STACK |
 			       BPF_F_FAST_STACK_CMP | BPF_F_REUSE_STACKID)))
 		return -EINVAL;
 
-	max_depth += skip;
-	if (max_depth > sysctl_perf_event_max_stack)
-		max_depth = sysctl_perf_event_max_stack;
-
+	max_depth = stack_map_calculate_max_depth(map->value_size, elem_size, flags);
 	trace = get_perf_callchain(regs, 0, kernel, user, max_depth,
 				   false, false);
+	trace->nr = min_t(u32, trace->nr, max_depth);
 
 	if (unlikely(!trace))
 		/* couldn't fetch the stack trace */
@@ -350,6 +370,7 @@ BPF_CALL_3(bpf_get_stackid_pe, struct bpf_perf_event_data_kern *, ctx,
 {
 	struct perf_event *event = ctx->event;
 	struct perf_callchain_entry *trace;
+	u32 elem_size, max_depth;
 	bool kernel, user;
 	__u64 nr_kernel;
 	int ret;
@@ -371,11 +392,15 @@ BPF_CALL_3(bpf_get_stackid_pe, struct bpf_perf_event_data_kern *, ctx,
 		return -EFAULT;
 
 	nr_kernel = count_kernel_ip(trace);
+	elem_size = stack_map_data_size(map);
 
 	if (kernel) {
 		__u64 nr = trace->nr;
 
 		trace->nr = nr_kernel;
+		max_depth =
+			stack_map_calculate_max_depth(map->value_size, elem_size, flags);
+		trace->nr = min_t(u32, nr_kernel, max_depth);
 		ret = __bpf_get_stackid(map, trace, flags);
 
 		/* restore nr */
@@ -388,6 +413,9 @@ BPF_CALL_3(bpf_get_stackid_pe, struct bpf_perf_event_data_kern *, ctx,
 			return -EFAULT;
 
 		flags = (flags & ~BPF_F_SKIP_FIELD_MASK) | skip;
+		max_depth =
+			stack_map_calculate_max_depth(map->value_size, elem_size, flags);
+		trace->nr = min_t(u32, trace->nr, max_depth);
 		ret = __bpf_get_stackid(map, trace, flags);
 	}
 	return ret;
@@ -406,8 +434,8 @@ static long __bpf_get_stack(struct pt_regs *regs, struct task_struct *task,
 			    struct perf_callchain_entry *trace_in,
 			    void *buf, u32 size, u64 flags, bool may_fault)
 {
-	u32 trace_nr, copy_len, elem_size, num_elem, max_depth;
 	bool user_build_id = flags & BPF_F_USER_BUILD_ID;
+	u32 trace_nr, copy_len, elem_size, max_depth;
 	bool crosstask = task && task != current;
 	u32 skip = flags & BPF_F_SKIP_FIELD_MASK;
 	bool user = flags & BPF_F_USER_STACK;
@@ -438,21 +466,20 @@ static long __bpf_get_stack(struct pt_regs *regs, struct task_struct *task,
 		goto clear;
 	}
 
-	num_elem = size / elem_size;
-	max_depth = num_elem + skip;
-	if (sysctl_perf_event_max_stack < max_depth)
-		max_depth = sysctl_perf_event_max_stack;
+	max_depth = stack_map_calculate_max_depth(size, elem_size, flags);
 
 	if (may_fault)
 		rcu_read_lock(); /* need RCU for perf's callchain below */
 
-	if (trace_in)
+	if (trace_in) {
 		trace = trace_in;
-	else if (kernel && task)
+		trace->nr = min_t(u32, trace->nr, max_depth);
+	} else if (kernel && task) {
 		trace = get_callchain_entry_for_task(task, max_depth);
-	else
+	} else {
 		trace = get_perf_callchain(regs, 0, kernel, user, max_depth,
 					   crosstask, false);
+	}
 
 	if (unlikely(!trace) || trace->nr < skip) {
 		if (may_fault)
@@ -461,7 +488,6 @@ static long __bpf_get_stack(struct pt_regs *regs, struct task_struct *task,
 	}
 
 	trace_nr = trace->nr - skip;
-	trace_nr = (trace_nr <= num_elem) ? trace_nr : num_elem;
 	copy_len = trace_nr * elem_size;
 
 	ips = trace->ip + skip;
-- 
2.47.3

Re: syztest

[Jakub Kicinski]

On Thu,  4 Sep 2025 16:11:13 +0200 Arnaud Lecomte wrote:
> #syz test

You are hereby encouraged to not CC the vger MLs on your attempts 
to get your patches tested by syzbot. It's not necessary.

Re: syztest

[Lecomte, Arnaud]

On 04/09/2025 16:47, Jakub Kicinski wrote:
> On Thu,  4 Sep 2025 16:11:13 +0200 Arnaud Lecomte wrote:
>> #syz test
> You are hereby encouraged to not CC the vger MLs on your attempts
> to get your patches tested by syzbot. It's not necessary.
>
Hey, sorry for the inconvenience.
Will be removed.

Re: [syzbot] [kernel?] KMSAN: kernel-infoleak in do_insn_ioctl

[syzbot]

syzbot has found a reproducer for the following issue on:

HEAD commit:    89be9a83ccf1 Linux 6.16-rc7
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=172b7722580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=7753c32e11ff6a95
dashboard link: https://syzkaller.appspot.com/bug?extid=a5e45f768aab5892da5d
compiler:       Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=13358fd4580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=146fc4f0580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/d81be8d18fda/disk-89be9a83.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/00dac9042245/vmlinux-89be9a83.xz
kernel image: https://storage.googleapis.com/syzbot-assets/0d63e27252f4/bzImage-89be9a83.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+a5e45f768aab5892da5d@syzkaller.appspotmail.com

=====================================================
BUG: KMSAN: kernel-infoleak-after-free in instrument_copy_to_user include/linux/instrumented.h:114 [inline]
BUG: KMSAN: kernel-infoleak-after-free in _inline_copy_to_user include/linux/uaccess.h:196 [inline]
BUG: KMSAN: kernel-infoleak-after-free in _copy_to_user+0xcc/0x120 lib/usercopy.c:26
 instrument_copy_to_user include/linux/instrumented.h:114 [inline]
 _inline_copy_to_user include/linux/uaccess.h:196 [inline]
 _copy_to_user+0xcc/0x120 lib/usercopy.c:26
 copy_to_user include/linux/uaccess.h:225 [inline]
 do_insn_ioctl+0x59c/0x6d0 drivers/comedi/comedi_fops.c:1661
 comedi_unlocked_ioctl+0x1432/0x1e80 drivers/comedi/comedi_fops.c:2286
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:907 [inline]
 __se_sys_ioctl+0x23c/0x400 fs/ioctl.c:893
 __x64_sys_ioctl+0x97/0xe0 fs/ioctl.c:893
 x64_sys_call+0x1ebe/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:17
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was created at:
 slab_free_hook mm/slub.c:2307 [inline]
 slab_free mm/slub.c:4643 [inline]
 kfree+0x252/0xec0 mm/slub.c:4842
 put_css_set_locked+0xf5c/0x1440 kernel/cgroup/cgroup.c:971
 cgroup_migrate_finish+0x1d0/0x7c0 kernel/cgroup/cgroup.c:2758
 cgroup_attach_task+0x6ec/0x970 kernel/cgroup/cgroup.c:2957
 __cgroup1_procs_write+0x4ba/0x670 kernel/cgroup/cgroup-v1.c:528
 cgroup1_procs_write+0x44/0x60 kernel/cgroup/cgroup-v1.c:541
 cgroup_file_write+0x38d/0x920 kernel/cgroup/cgroup.c:4183
 kernfs_fop_write_iter+0x545/0x9e0 fs/kernfs/file.c:334
 new_sync_write fs/read_write.c:593 [inline]
 vfs_write+0xb4b/0x1580 fs/read_write.c:686
 ksys_write fs/read_write.c:738 [inline]
 __do_sys_write fs/read_write.c:749 [inline]
 __se_sys_write fs/read_write.c:746 [inline]
 __x64_sys_write+0x1fb/0x4d0 fs/read_write.c:746
 x64_sys_call+0x38c3/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:2
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Bytes 4-59 of 60 are uninitialized
Memory access of size 60 starts at ffff88804acc6380
Data copied to user address 0000200000000080

CPU: 0 UID: 0 PID: 6052 Comm: syz.0.16 Not tainted 6.16.0-rc7-syzkaller #0 PREEMPT(none) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
=====================================================


---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

syztest

[Arnaud Lecomte]

#syz test

--- a/drivers/comedi/comedi_fops.c
+++ b/drivers/comedi/comedi_fops.c
@@ -1636,7 +1636,7 @@ static int do_insn_ioctl(struct comedi_device *dev,
 		n_data = MAX_SAMPLES;
 	}
 
-	data = kmalloc_array(n_data, sizeof(unsigned int), GFP_KERNEL);
+	data = kcalloc(n_data, sizeof(unsigned int), GFP_KERNEL);
 	if (!data) {
 		ret = -ENOMEM;
 		goto error;
-- 

Re: [syzbot] [usb?] KASAN: slab-out-of-bounds Read in mon_bin_event

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-out-of-bounds Read in mon_bin_event

usb 1-1: config 0 interface 0 altsetting 0 has 1 endpoint descriptor, different from the interface descriptor's value: 9
usb 1-1: New USB device found, idVendor=045e, idProduct=07da, bcdDevice= 0.00
usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
usb 1-1: config 0 descriptor??
microsoft 0003:045E:07DA.0001: unknown main item tag 0x0
microsoft 0003:045E:07DA.0001: ignoring exceeding usage max
==================================================================
BUG: KASAN: slab-out-of-bounds in mon_copy_to_buff drivers/usb/mon/mon_bin.c:252 [inline]
BUG: KASAN: slab-out-of-bounds in mon_bin_get_data drivers/usb/mon/mon_bin.c:420 [inline]
BUG: KASAN: slab-out-of-bounds in mon_bin_event+0x12ec/0x23b0 drivers/usb/mon/mon_bin.c:608
Read of size 832 at addr ffff888021ad5e81 by task kworker/1:3/5846

CPU: 1 UID: 0 PID: 5846 Comm: kworker/1:3 Not tainted 6.16.0-rc4-next-20250702-syzkaller-06656-g50c8770a42fa-dirty #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Workqueue: usb_hub_wq hub_event
Call Trace:
 <TASK>
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:408 [inline]
 print_report+0xd2/0x2b0 mm/kasan/report.c:521
 kasan_report+0x118/0x150 mm/kasan/report.c:634
 check_region_inline mm/kasan/generic.c:-1 [inline]
 kasan_check_range+0x2b0/0x2c0 mm/kasan/generic.c:189
 __asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105
 mon_copy_to_buff drivers/usb/mon/mon_bin.c:252 [inline]
 mon_bin_get_data drivers/usb/mon/mon_bin.c:420 [inline]
 mon_bin_event+0x12ec/0x23b0 drivers/usb/mon/mon_bin.c:608
 mon_bus_submit drivers/usb/mon/mon_main.c:89 [inline]
 mon_submit+0x193/0x210 drivers/usb/mon/mon_main.c:100
 usbmon_urb_submit include/linux/usb/hcd.h:724 [inline]
 usb_hcd_submit_urb+0x11d/0x1aa0 drivers/usb/core/hcd.c:1518
 usb_start_wait_urb+0x114/0x4c0 drivers/usb/core/message.c:59
 usb_internal_control_msg drivers/usb/core/message.c:103 [inline]
 usb_control_msg+0x232/0x3e0 drivers/usb/core/message.c:154
 usbhid_raw_request+0x3cd/0x4e0 drivers/hid/usbhid/hid-core.c:-1
 __hid_request+0x1c1/0x370 drivers/hid/hid-core.c:1989
 hidinput_change_resolution_multipliers drivers/hid/hid-input.c:1950 [inline]
 hidinput_connect+0x218a/0x3030 drivers/hid/hid-input.c:2327
 hid_connect+0x499/0x19a0 drivers/hid/hid-core.c:2239
 hid_hw_start+0xa8/0x120 drivers/hid/hid-core.c:2357
 ms_probe+0x180/0x430 drivers/hid/hid-microsoft.c:391
 __hid_device_probe drivers/hid/hid-core.c:2727 [inline]
 hid_device_probe+0x39d/0x710 drivers/hid/hid-core.c:2764
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x26a/0x9a0 drivers/base/dd.c:657
 __driver_probe_device+0x18c/0x2f0 drivers/base/dd.c:799
 driver_probe_device+0x4f/0x430 drivers/base/dd.c:829
 __device_attach_driver+0x2ce/0x530 drivers/base/dd.c:957
 bus_for_each_drv+0x251/0x2e0 drivers/base/bus.c:462
 __device_attach+0x2b8/0x400 drivers/base/dd.c:1029
 bus_probe_device+0x185/0x260 drivers/base/bus.c:537
 device_add+0x7b6/0xb50 drivers/base/core.c:3691
 hid_add_device+0x398/0x540 drivers/hid/hid-core.c:2910
 usbhid_probe+0xe13/0x12a0 drivers/hid/usbhid/hid-core.c:1435
 usb_probe_interface+0x637/0xbf0 drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x26a/0x9a0 drivers/base/dd.c:657
 __driver_probe_device+0x18c/0x2f0 drivers/base/dd.c:799
 driver_probe_device+0x4f/0x430 drivers/base/dd.c:829
 __device_attach_driver+0x2ce/0x530 drivers/base/dd.c:957
 bus_for_each_drv+0x251/0x2e0 drivers/base/bus.c:462
 __device_attach+0x2b8/0x400 drivers/base/dd.c:1029
 bus_probe_device+0x185/0x260 drivers/base/bus.c:537
 device_add+0x7b6/0xb50 drivers/base/core.c:3691
 usb_set_configuration+0x1a87/0x20e0 drivers/usb/core/message.c:2210
 usb_generic_driver_probe+0x8d/0x150 drivers/usb/core/generic.c:250
 usb_probe_device+0x1c1/0x390 drivers/usb/core/driver.c:291
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x26a/0x9a0 drivers/base/dd.c:657
 __driver_probe_device+0x18c/0x2f0 drivers/base/dd.c:799
 driver_probe_device+0x4f/0x430 drivers/base/dd.c:829
 __device_attach_driver+0x2ce/0x530 drivers/base/dd.c:957
 bus_for_each_drv+0x251/0x2e0 drivers/base/bus.c:462
 __device_attach+0x2b8/0x400 drivers/base/dd.c:1029
 bus_probe_device+0x185/0x260 drivers/base/bus.c:537
 device_add+0x7b6/0xb50 drivers/base/core.c:3691
 usb_new_device+0xa39/0x16f0 drivers/usb/core/hub.c:2694
 hub_port_connect drivers/usb/core/hub.c:5566 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5706 [inline]
 port_event drivers/usb/core/hub.c:5866 [inline]
 hub_event+0x2941/0x4a00 drivers/usb/core/hub.c:5948
 process_one_work kernel/workqueue.c:3239 [inline]
 process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3322
 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3403
 kthread+0x70e/0x8a0 kernel/kthread.c:463
 ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>

Allocated by task 5846:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
 __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394
 kasan_kmalloc include/linux/kasan.h:260 [inline]
 __do_kmalloc_node mm/slub.c:4365 [inline]
 __kmalloc_noprof+0x27a/0x4f0 mm/slub.c:4377
 kmalloc_noprof include/linux/slab.h:909 [inline]
 kzalloc_noprof include/linux/slab.h:1039 [inline]
 hid_alloc_report_buf drivers/hid/hid-core.c:1890 [inline]
 __hid_request+0x94/0x370 drivers/hid/hid-core.c:1980
 hidinput_change_resolution_multipliers drivers/hid/hid-input.c:1950 [inline]
 hidinput_connect+0x218a/0x3030 drivers/hid/hid-input.c:2327
 hid_connect+0x499/0x19a0 drivers/hid/hid-core.c:2239
 hid_hw_start+0xa8/0x120 drivers/hid/hid-core.c:2357
 ms_probe+0x180/0x430 drivers/hid/hid-microsoft.c:391
 __hid_device_probe drivers/hid/hid-core.c:2727 [inline]
 hid_device_probe+0x39d/0x710 drivers/hid/hid-core.c:2764
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x26a/0x9a0 drivers/base/dd.c:657
 __driver_probe_device+0x18c/0x2f0 drivers/base/dd.c:799
 driver_probe_device+0x4f/0x430 drivers/base/dd.c:829
 __device_attach_driver+0x2ce/0x530 drivers/base/dd.c:957
 bus_for_each_drv+0x251/0x2e0 drivers/base/bus.c:462
 __device_attach+0x2b8/0x400 drivers/base/dd.c:1029
 bus_probe_device+0x185/0x260 drivers/base/bus.c:537
 device_add+0x7b6/0xb50 drivers/base/core.c:3691
 hid_add_device+0x398/0x540 drivers/hid/hid-core.c:2910
 usbhid_probe+0xe13/0x12a0 drivers/hid/usbhid/hid-core.c:1435
 usb_probe_interface+0x637/0xbf0 drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x26a/0x9a0 drivers/base/dd.c:657
 __driver_probe_device+0x18c/0x2f0 drivers/base/dd.c:799
 driver_probe_device+0x4f/0x430 drivers/base/dd.c:829
 __device_attach_driver+0x2ce/0x530 drivers/base/dd.c:957
 bus_for_each_drv+0x251/0x2e0 drivers/base/bus.c:462
 __device_attach+0x2b8/0x400 drivers/base/dd.c:1029
 bus_probe_device+0x185/0x260 drivers/base/bus.c:537
 device_add+0x7b6/0xb50 drivers/base/core.c:3691
 usb_set_configuration+0x1a87/0x20e0 drivers/usb/core/message.c:2210
 usb_generic_driver_probe+0x8d/0x150 drivers/usb/core/generic.c:250
 usb_probe_device+0x1c1/0x390 drivers/usb/core/driver.c:291
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x26a/0x9a0 drivers/base/dd.c:657
 __driver_probe_device+0x18c/0x2f0 drivers/base/dd.c:799
 driver_probe_device+0x4f/0x430 drivers/base/dd.c:829
 __device_attach_driver+0x2ce/0x530 drivers/base/dd.c:957
 bus_for_each_drv+0x251/0x2e0 drivers/base/bus.c:462
 __device_attach+0x2b8/0x400 drivers/base/dd.c:1029
 bus_probe_device+0x185/0x260 drivers/base/bus.c:537
 device_add+0x7b6/0xb50 drivers/base/core.c:3691
 usb_new_device+0xa39/0x16f0 drivers/usb/core/hub.c:2694
 hub_port_connect drivers/usb/core/hub.c:5566 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5706 [inline]
 port_event drivers/usb/core/hub.c:5866 [inline]
 hub_event+0x2941/0x4a00 drivers/usb/core/hub.c:5948
 process_one_work kernel/workqueue.c:3239 [inline]
 process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3322
 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3403
 kthread+0x70e/0x8a0 kernel/kthread.c:463
 ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

The buggy address belongs to the object at ffff888021ad5e80
 which belongs to the cache kmalloc-8 of size 8
The buggy address is located 1 bytes inside of
 allocated 7-byte region [ffff888021ad5e80, ffff888021ad5e87)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x21ad5
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000000 ffff88801a841500 dead000000000100 dead000000000122
raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 1, tgid 1 (swapper/0), ts 3280583634, free_ts 3148007746
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1848
 prep_new_page mm/page_alloc.c:1856 [inline]
 get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3855
 __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5145
 alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2419
 alloc_slab_page mm/slub.c:2487 [inline]
 allocate_slab+0x8a/0x370 mm/slub.c:2655
 new_slab mm/slub.c:2709 [inline]
 ___slab_alloc+0xbeb/0x1410 mm/slub.c:3891
 __slab_alloc mm/slub.c:3981 [inline]
 __slab_alloc_node mm/slub.c:4056 [inline]
 slab_alloc_node mm/slub.c:4217 [inline]
 __do_kmalloc_node mm/slub.c:4364 [inline]
 __kmalloc_noprof+0x305/0x4f0 mm/slub.c:4377
 kmalloc_noprof include/linux/slab.h:909 [inline]
 kzalloc_noprof include/linux/slab.h:1039 [inline]
 acpi_ns_internalize_name+0x2c2/0x3a0 drivers/acpi/acpica/nsutils.c:331
 acpi_ns_get_node_unlocked drivers/acpi/acpica/nsutils.c:666 [inline]
 acpi_ns_get_node+0x1a3/0x350 drivers/acpi/acpica/nsutils.c:726
 acpi_get_handle+0x181/0x2a0 drivers/acpi/acpica/nsxfname.c:98
 acpi_has_method+0x86/0xd0 drivers/acpi/utils.c:672
 acpi_show_attr drivers/acpi/device_sysfs.c:548 [inline]
 acpi_attr_is_visible+0x19d/0x4f0 drivers/acpi/device_sysfs.c:588
 create_files fs/sysfs/group.c:65 [inline]
 internal_create_group+0x5d7/0x1110 fs/sysfs/group.c:183
 internal_create_groups fs/sysfs/group.c:223 [inline]
 sysfs_create_groups+0x59/0x120 fs/sysfs/group.c:249
 device_add_groups drivers/base/core.c:2838 [inline]
 device_add_attrs+0x1c4/0x5a0 drivers/base/core.c:2913
 device_add+0x496/0xb50 drivers/base/core.c:3645
page last free pid 43 tgid 43 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1392 [inline]
 __free_frozen_pages+0xb80/0xd80 mm/page_alloc.c:2892
 discard_slab mm/slub.c:2753 [inline]
 __put_partials+0x156/0x1a0 mm/slub.c:3218
 put_partials mm/slub.c:3237 [inline]
 flush_cpu_slab+0x2b7/0x450 mm/slub.c:3372
 process_one_work kernel/workqueue.c:3239 [inline]
 process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3322
 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3403
 kthread+0x70e/0x8a0 kernel/kthread.c:463
 ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Memory state around the buggy address:
 ffff888021ad5d80: fa fc fc fc fa fc fc fc fa fc fc fc fa fc fc fc
 ffff888021ad5e00: 00 fc fc fc 02 fc fc fc 00 fc fc fc fa fc fc fc
>ffff888021ad5e80: 07 fc fc fc 00 fc fc fc 00 fc fc fc 05 fc fc fc
                   ^
 ffff888021ad5f00: fa fc fc fc 05 fc fc fc fa fc fc fc 05 fc fc fc
 ffff888021ad5f80: 00 fc fc fc fa fc fc fc 00 fc fc fc 00 fc fc fc
==================================================================


Tested on:

commit:         50c8770a Add linux-next specific files for 20250702
git tree:       linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=17507770580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=76d012e863976d4c
dashboard link: https://syzkaller.appspot.com/bug?extid=86b6d7c8bcc66747c505
compiler:       Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
patch:          https://syzkaller.appspot.com/x/patch.diff?x=15210c8c580000

syztest

[Arnaud Lecomte]

#syz test

--- a/drivers/usb/mon/mon_bin.c
+++ b/drivers/usb/mon/mon_bin.c
@@ -249,7 +249,11 @@ static unsigned int mon_copy_to_buff(const struct mon_reader_bin *this,
 		 * Copy data and advance pointers.
 		 */
 		buf = this->b_vec[off / CHUNK_SIZE].ptr + off % CHUNK_SIZE;
-		memcpy(buf, from, step_len);
+
+		if (copy_from_kernel_nofault(buf, from, step_len)) {
+			pr_warn("Failed to copy URB transfer buffer content into mon bin.");
+			return -EFAULT;
+		}
 		if ((off += step_len) >= this->b_size) off = 0;
 		from += step_len;
 		length -= step_len;
@@ -413,11 +417,13 @@ static unsigned int mon_bin_get_data(const struct mon_reader_bin *rp,
 
 	*flag = 0;
 	if (urb->num_sgs == 0) {
-		if (urb->transfer_buffer == NULL) {
+		if (
+			urb->transfer_buffer == NULL ||
+			mon_copy_to_buff(rp, offset, urb->transfer_buffer, length) < 0
+		) {
 			*flag = 'Z';
 			return length;
 		}
-		mon_copy_to_buff(rp, offset, urb->transfer_buffer, length);
 		length = 0;
 
 	} else {
@@ -434,6 +440,10 @@ static unsigned int mon_bin_get_data(const struct mon_reader_bin *rp,
 			this_len = min_t(unsigned int, sg->length, length);
 			offset = mon_copy_to_buff(rp, offset, sg_virt(sg),
 					this_len);
+			if (offset < 0) {
+				*flag = 'Z';
+				return length;
+			}
 			length -= this_len;
 		}
 		if (i == 0)

[syzbot] [block?] BUG: unable to handle kernel NULL pointer dereference in guard_bio_eod

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    6fea5fabd332 Merge tag 'mm-hotfixes-stable-2025-04-19-21-2..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15551ccc580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=b7c08f42e927242f
dashboard link: https://syzkaller.appspot.com/bug?extid=3291296495fc970e4b1c
compiler:       aarch64-linux-gnu-gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=17551ccc580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=13a7f4cc580000

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/384ffdcca292/non_bootable_disk-6fea5fab.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/59473b9bbb43/vmlinux-6fea5fab.xz
kernel image: https://storage.googleapis.com/syzbot-assets/a2e0095d3721/Image-6fea5fab.gz.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+3291296495fc970e4b1c@syzkaller.appspotmail.com

Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008
Mem abort info:
  ESR = 0x0000000096000006
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
  FSC = 0x06: level 2 translation fault
Data abort info:
  ISV = 0, ISS = 0x00000006, ISS2 = 0x00000000
  CM = 0, WnR = 0, TnD = 0, TagAccess = 0
  GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
user pgtable: 4k pages, 52-bit VAs, pgdp=00000000442aa200
[0000000000000008] pgd=080000004b293403, p4d=080000004b27f403, pud=080000004b237403, pmd=0000000000000000
Internal error: Oops: 0000000096000006 [#1]  SMP
Modules linked in:
CPU: 1 UID: 0 PID: 6338 Comm: syz-executor150 Not tainted 6.15.0-rc2-syzkaller-00488-g6fea5fabd332 #0 PREEMPT 
Hardware name: linux,dummy-virt (DT)
pstate: 41402009 (nZcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
pc : bdev_nr_sectors include/linux/blkdev.h:831 [inline]
pc : guard_bio_eod+0x18/0x210 block/bio.c:694
lr : mpage_bio_submit_read fs/mpage.c:74 [inline]
lr : do_mpage_readpage+0x2d0/0x6dc fs/mpage.c:296
sp : ffff80008331b820
x29: ffff80008331b820 x28: f4f0000004143e00 x27: ffff80008331b960
x26: 0000000000000001 x25: ffff80008331b940 x24: 0000000000000000
x23: 0000000000000000 x22: 0000000000000000 x21: ffffc1ffc02c9dc0
x20: 0000000000000010 x19: f4f0000004143e00 x18: 0000000000001000
x17: 0000000000000000 x16: 1e9e000000c6abc1 x15: 0000000000000000
x14: ffffc1ffc02c9dc0 x13: 0000000000000000 x12: f4f0000004143e00
x11: 0000000000000000 x10: ffffc1ffc02ca580 x9 : 0000000000000003
x8 : 00000000000000b8 x7 : fcf0000003f3b97c x6 : f6f0000006355c00
x5 : f6f0000006355c00 x4 : 0000000000000000 x3 : 0000000000000000
x2 : 0000000000000000 x1 : ffff8000803bbfc0 x0 : 0000000000000000
Call trace:
 bdev_nr_sectors include/linux/blkdev.h:831 [inline] (P)
 guard_bio_eod+0x18/0x210 block/bio.c:694 (P)
 mpage_bio_submit_read fs/mpage.c:74 [inline]
 do_mpage_readpage+0x2d0/0x6dc fs/mpage.c:296
 mpage_readahead+0xcc/0x164 fs/mpage.c:371
 blkdev_readahead+0x18/0x24 block/fops.c:472
 read_pages+0x70/0x2b8 mm/readahead.c:160
 page_cache_ra_unbounded+0x1d4/0x260 mm/readahead.c:280
 do_page_cache_ra mm/readahead.c:327 [inline]
 page_cache_ra_order+0x34c/0x400 mm/readahead.c:532
 do_sync_mmap_readahead mm/filemap.c:3262 [inline]
 filemap_fault+0x444/0x924 mm/filemap.c:3403
 __do_fault+0x3c/0x21c mm/memory.c:5098
 do_shared_fault mm/memory.c:5582 [inline]
 do_fault mm/memory.c:5656 [inline]
 do_pte_missing mm/memory.c:4160 [inline]
 handle_pte_fault mm/memory.c:5997 [inline]
 __handle_mm_fault+0xadc/0x1b00 mm/memory.c:6140
 handle_mm_fault+0x164/0x314 mm/memory.c:6309
 do_page_fault+0x118/0x688 arch/arm64/mm/fault.c:647
 do_translation_fault+0xac/0xbc arch/arm64/mm/fault.c:783
 do_mem_abort+0x44/0x94 arch/arm64/mm/fault.c:919
 el0_da+0x78/0xa8 arch/arm64/kernel/entry-common.c:604
 el0t_64_sync_handler+0xc4/0x138 arch/arm64/kernel/entry-common.c:765
 el0t_64_sync+0x1a4/0x1a8 arch/arm64/kernel/entry.S:600
Code: 910003fd a90153f3 aa0003f3 f9400400 (f9400400) 
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:	910003fd 	mov	x29, sp
   4:	a90153f3 	stp	x19, x20, [sp, #16]
   8:	aa0003f3 	mov	x19, x0
   c:	f9400400 	ldr	x0, [x0, #8]
* 10:	f9400400 	ldr	x0, [x0, #8] <-- trapping instruction


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

syztest

[Arnaud Lecomte]

#syz test

--- a/block/bio.c
+++ b/block/bio.c
@@ -691,6 +691,9 @@ static void bio_truncate(struct bio *bio, unsigned new_size)
  */
 void guard_bio_eod(struct bio *bio)
 {
+	if (unlikely(!bio->bi_bdev)
+		return;
+
 	sector_t maxsector = bdev_nr_sectors(bio->bi_bdev);
 
 	if (!maxsector)
-- 
2.43.0

syztest

[Arnaud Lecomte]

#syz test

--- a/block/bio.c
+++ b/block/bio.c
@@ -691,6 +691,9 @@ static void bio_truncate(struct bio *bio, unsigned new_size)
  */
 void guard_bio_eod(struct bio *bio)
 {
+	if (unlikely(!bio->bi_bdev))
+		return;
+
 	sector_t maxsector = bdev_nr_sectors(bio->bi_bdev);
 
 	if (!maxsector)
-- 
2.43.0

[syzbot] [xfs?] KMSAN: uninit-value in xfs_dialloc_ag_inobt

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    8560697b23dc Merge tag '6.15-rc2-smb3-client-fixes' of git..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=11d3dfe4580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=a27b81e0cf56c60b
dashboard link: https://syzkaller.appspot.com/bug?extid=b4a84825ea149bb99bfc
compiler:       Debian clang version 15.0.6, Debian LLD 15.0.6

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/03806cf4a3af/disk-8560697b.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/6d86507d5b30/vmlinux-8560697b.xz
kernel image: https://storage.googleapis.com/syzbot-assets/f5f2020007a8/bzImage-8560697b.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+b4a84825ea149bb99bfc@syzkaller.appspotmail.com

=====================================================
BUG: KMSAN: uninit-value in xfs_dialloc_ag_inobt+0x99b/0x2550 fs/xfs/libxfs/xfs_ialloc.c:1173
 xfs_dialloc_ag_inobt+0x99b/0x2550 fs/xfs/libxfs/xfs_ialloc.c:1173
 xfs_dialloc_ag fs/xfs/libxfs/xfs_ialloc.c:1585 [inline]
 xfs_dialloc_try_ag fs/xfs/libxfs/xfs_ialloc.c:1835 [inline]
 xfs_dialloc+0x14c4/0x3470 fs/xfs/libxfs/xfs_ialloc.c:1945
 xfs_create_tmpfile+0x496/0x12c0 fs/xfs/xfs_inode.c:827
 xfs_generic_create+0x65c/0x1610 fs/xfs/xfs_iops.c:227
 xfs_vn_tmpfile+0x6b/0x140 fs/xfs/xfs_iops.c:1194
 vfs_tmpfile+0x5e4/0xe40 fs/namei.c:3896
 do_tmpfile+0x19d/0x460 fs/namei.c:3961
 path_openat+0x4837/0x6280 fs/namei.c:3995
 do_filp_open+0x26b/0x610 fs/namei.c:4031
 io_openat2+0x5d5/0xa50 io_uring/openclose.c:140
 io_openat+0x35/0x40 io_uring/openclose.c:177
 __io_issue_sqe io_uring/io_uring.c:1734 [inline]
 io_issue_sqe+0x394/0x1de0 io_uring/io_uring.c:1753
 io_wq_submit_work+0xaf8/0xde0 io_uring/io_uring.c:1868
 io_worker_handle_work+0xc4d/0x2090 io_uring/io-wq.c:615
 io_wq_worker+0x403/0x1470 io_uring/io-wq.c:669
 ret_from_fork+0x6d/0x90 arch/x86/kernel/process.c:153
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Uninit was stored to memory at:
 xfs_dialloc_ag_inobt+0x1cc1/0x2550 fs/xfs/libxfs/xfs_ialloc.c:1227
 xfs_dialloc_ag fs/xfs/libxfs/xfs_ialloc.c:1585 [inline]
 xfs_dialloc_try_ag fs/xfs/libxfs/xfs_ialloc.c:1835 [inline]
 xfs_dialloc+0x14c4/0x3470 fs/xfs/libxfs/xfs_ialloc.c:1945
 xfs_create_tmpfile+0x496/0x12c0 fs/xfs/xfs_inode.c:827
 xfs_generic_create+0x65c/0x1610 fs/xfs/xfs_iops.c:227
 xfs_vn_tmpfile+0x6b/0x140 fs/xfs/xfs_iops.c:1194
 vfs_tmpfile+0x5e4/0xe40 fs/namei.c:3896
 do_tmpfile+0x19d/0x460 fs/namei.c:3961
 path_openat+0x4837/0x6280 fs/namei.c:3995
 do_filp_open+0x26b/0x610 fs/namei.c:4031
 io_openat2+0x5d5/0xa50 io_uring/openclose.c:140
 io_openat+0x35/0x40 io_uring/openclose.c:177
 __io_issue_sqe io_uring/io_uring.c:1734 [inline]
 io_issue_sqe+0x394/0x1de0 io_uring/io_uring.c:1753
 io_wq_submit_work+0xaf8/0xde0 io_uring/io_uring.c:1868
 io_worker_handle_work+0xc4d/0x2090 io_uring/io-wq.c:615
 io_wq_worker+0x403/0x1470 io_uring/io-wq.c:669
 ret_from_fork+0x6d/0x90 arch/x86/kernel/process.c:153
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Local variable trec created at:
 xfs_dialloc_ag_inobt+0x139/0x2550 fs/xfs/libxfs/xfs_ialloc.c:1101
 xfs_dialloc_ag fs/xfs/libxfs/xfs_ialloc.c:1585 [inline]
 xfs_dialloc_try_ag fs/xfs/libxfs/xfs_ialloc.c:1835 [inline]
 xfs_dialloc+0x14c4/0x3470 fs/xfs/libxfs/xfs_ialloc.c:1945

CPU: 1 UID: 0 PID: 7854 Comm: iou-wrk-7829 Not tainted 6.15.0-rc2-syzkaller-00404-g8560697b23dc #0 PREEMPT(undef) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
=====================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

syztest

[Arnaud Lecomte]

#syz test

--- a/fs/xfs/libxfs/xfs_ialloc.c
+++ b/fs/xfs/libxfs/xfs_ialloc.c
@@ -1182,6 +1182,8 @@ xfs_dialloc_ag_inobt(
                        if (error)
                                goto error1;
                } else {
+                       pag->pagl_leftrec = NULLAGINO;
+                       pag->pagl_rightrec = NULLAGINO;
                        /* search left with tcur, back up 1 record */
                        error = xfs_ialloc_next_rec(tcur, &trec, &doneleft, 1);
                        if (error)

Re: syztest

[syzbot]

> #syz test

This crash does not have a reproducer. I cannot test it.

>
> --- a/fs/xfs/libxfs/xfs_ialloc.c
> +++ b/fs/xfs/libxfs/xfs_ialloc.c
> @@ -1182,6 +1182,8 @@ xfs_dialloc_ag_inobt(
>                         if (error)
>                                 goto error1;
>                 } else {
> +                       pag->pagl_leftrec = NULLAGINO;
> +                       pag->pagl_rightrec = NULLAGINO;
>                         /* search left with tcur, back up 1 record */
>                         error = xfs_ialloc_next_rec(tcur, &trec, &doneleft, 1);
>                         if (error)
>

[syzbot] [jfs?] UBSAN: array-index-out-of-bounds in dbAllocAG

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    8560697b23dc Merge tag '6.15-rc2-smb3-client-fixes' of git..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=133fbbac580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=2a31f7155996562
dashboard link: https://syzkaller.appspot.com/bug?extid=cffd18309153948f3c3e
compiler:       Debian clang version 15.0.6, Debian LLD 15.0.6
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=14708c70580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=115dd204580000

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7feb34a89c2a/non_bootable_disk-8560697b.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/2acea3e6b668/vmlinux-8560697b.xz
kernel image: https://storage.googleapis.com/syzbot-assets/d2542a0d2bcd/bzImage-8560697b.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/2b4250dbd0ba/mount_0.gz
  fsck result: failed (log: https://syzkaller.appspot.com/x/fsck.log?x=10708c70580000)

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+cffd18309153948f3c3e@syzkaller.appspotmail.com

loop0: detected capacity change from 0 to 32768
------------[ cut here ]------------
UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dmap.c:1397:14
index 65877 is out of range for type 's8[1365]' (aka 'signed char[1365]')
CPU: 0 UID: 0 PID: 5308 Comm: syz-executor181 Not tainted 6.15.0-rc2-syzkaller-00404-g8560697b23dc #0 PREEMPT(full) 
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 ubsan_epilogue lib/ubsan.c:231 [inline]
 __ubsan_handle_out_of_bounds+0x121/0x150 lib/ubsan.c:453
 dbAllocAG+0x704/0x1130 fs/jfs/jfs_dmap.c:1397
 dbAlloc+0x65c/0xcb0 fs/jfs/jfs_dmap.c:873
 xtSplitUp+0x554/0x21c0 fs/jfs/jfs_xtree.c:745
 xtInsert+0x5ba/0x11a0 fs/jfs/jfs_xtree.c:593
 extAlloc+0xae7/0x10a0 fs/jfs/jfs_extent.c:150
 jfs_get_block+0x41d/0xe60 fs/jfs/inode.c:248
 get_more_blocks fs/direct-io.c:648 [inline]
 do_direct_IO fs/direct-io.c:936 [inline]
 __blockdev_direct_IO+0x1add/0x4540 fs/direct-io.c:1243
 blockdev_direct_IO include/linux/fs.h:3422 [inline]
 jfs_direct_IO+0xf7/0x1e0 fs/jfs/inode.c:331
 generic_file_direct_write+0x1e8/0x400 mm/filemap.c:4037
 __generic_file_write_iter+0x126/0x230 mm/filemap.c:4206
 generic_file_write_iter+0x10e/0x5e0 mm/filemap.c:4246
 new_sync_write fs/read_write.c:591 [inline]
 vfs_write+0x70f/0xd10 fs/read_write.c:684
 ksys_write+0x19d/0x2d0 fs/read_write.c:736
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xf3/0x210 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f2346650b59
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fffd3c588a8 EFLAGS: 00000206 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0073746e6576652e RCX: 00007f2346650b59
RDX: 00000000fffffdaf RSI: 0000200000000000 RDI: 0000000000000005
RBP: 652e79726f6d656d R08: 00005555682c24c0 R09: 00005555682c24c0
R10: 00005555682c24c0 R11: 0000000000000206 R12: 00007fffd3c588d0
R13: 00007fffd3c58af8 R14: 431bde82d7b634db R15: 00007f234669903b
 </TASK>
---[ end trace ]---


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

syztest

[Arnaud Lecomte]

#syz test

--- a/fs/jfs/jfs_dmap.c
+++ b/fs/jfs/jfs_dmap.c
@@ -1385,6 +1385,12 @@ dbAllocAG(struct bmap * bmp, int agno, s64 nblocks, int l2nb, s64 * results)
            (1 << (L2LPERCTL - (bmp->db_agheight << 1))) / bmp->db_agwidth;
        ti = bmp->db_agstart + bmp->db_agwidth * (agno & (agperlev - 1));
 
+       if (ti >= le32_to_cpu(dcp->nleafs)) {
+               jfs_error(bmp->db_ipbmap->i_sb, "Corrupt dmapctl page: ti out of bounds\n");
+               release_metapage(mp);
+               return -EIO;
+       }
+
        /* dmap control page trees fan-out by 4 and a single allocation
         * group may be described by 1 or 2 subtrees within the ag level
         * dmap control page, depending upon the ag size. examine the ag's

[syzbot] [bcachefs?] kernel BUG in __bch2_str_hash_check_key

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    56f944529ec2 Merge tag 'input-for-v6.15-rc0' of git://git...
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16391fb0580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f2054704dd53fb80
dashboard link: https://syzkaller.appspot.com/bug?extid=843981bb836d699c07d1
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7feb34a89c2a/non_bootable_disk-56f94452.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/c6da83e5191b/vmlinux-56f94452.xz
kernel image: https://storage.googleapis.com/syzbot-assets/5c060438ea13/bzImage-56f94452.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+843981bb836d699c07d1@syzkaller.appspotmail.com

    bi_dir=4096
    bi_dir_offset=5682031293254759865
    bi_subvol=0
    bi_parent_subvol=0
    bi_nocow=0
    bi_depth=0
    bi_inodes_32bit=0, fixing
bcachefs (loop0): inode points to missing dirent
  inum: 4099:4294967295 
    mode=100755
    flags=(15300000)
    journal_seq=5
    hash_seed=ab878b4c5ab7c89e
    hash_type=siphash
    bi_size=1050
    bi_sectors=8
    bi_version=0
    bi_atime=1997793410
    bi_ctime=1997793410
    bi_mtime=1997793410
    bi_otime=1997793410
    bi_uid=0
    bi_gid=0
    bi_nlink=0
    bi_generation=0
    bi_dev=0
    bi_data_checksum=0
    bi_compression=0
    bi_project=0
    bi_background_compression=0
    bi_data_replicas=0
    bi_promote_target=0
    bi_foreground_target=0
    bi_background_target=0
    bi_erasure_code=0
    bi_fields_set=0
    bi_dir=4098
    bi_dir_offset=2566586984702133180
    bi_subvol=0
    bi_parent_subvol=0
    bi_nocow=0
    bi_depth=0
    bi_inodes_32bit=0, fixing
 done
bcachefs (loop0): check_dirents...
bcachefs (loop0): hash table key at wrong offset: btree dirents inode 4096 offset 6229884513039707068, hashed to 5410109479790105297
  u64s 7 type dirent 4096:6229884513039707068:U32_MAX len 0 ver 0: �˨� -> 2166030336 -> 1073741825 type subvol, fixing
bcachefs (loop0): hash table key at wrong offset: btree dirents inode 4096 offset 6229884513039707068, hashed to 5410109479790105297
  u64s 7 type dirent 4096:6229884513039707068:U32_MAX len 0 ver 0: �˨� -> 2166030336 -> 1073741825 type subvol, fixing
------------[ cut here ]------------
kernel BUG at fs/bcachefs/fsck.c:954!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 5328 Comm: syz.0.0 Not tainted 6.14.0-syzkaller-13443-g56f944529ec2 #0 PREEMPT(full) 
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:bch2_fsck_update_backpointers+0x4ed/0x4f0 fs/bcachefs/fsck.c:954
Code: e9 2b fc ff ff 89 d9 80 e1 07 38 c1 0f 8c 62 fc ff ff 48 89 df e8 63 77 b7 fd e9 55 fc ff ff e8 39 78 ba 07 e8 74 4e 4d fd 90 <0f> 0b 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e
RSP: 0018:ffffc9000d4ce460 EFLAGS: 00010246
RAX: ffffffff847608cc RBX: 0000000000000010 RCX: 0000000000100000
RDX: ffffc9000e50a000 RSI: 00000000000fffff RDI: 0000000000100000
RBP: ffffc9000d4ce600 R08: ffffffff84760529 R09: 0000000000000000
R10: ffffc9000d4ce530 R11: fffff52001a99caf R12: ffffc9000d4cf290
R13: dffffc0000000000 R14: ffff888052bda000 R15: ffff888052900000
FS:  00007f5be4f2b6c0(0000) GS:ffff88808c596000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055b32eddc088 CR3: 0000000044eda000 CR4: 0000000000352ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 __bch2_str_hash_check_key+0x202c/0x3b50 fs/bcachefs/str_hash.c:257
 bch2_str_hash_check_key fs/bcachefs/str_hash.h:415 [inline]
 check_dirent fs/bcachefs/fsck.c:2135 [inline]
 bch2_check_dirents+0x2d45/0x3b90 fs/bcachefs/fsck.c:2230
 bch2_run_recovery_pass+0xf0/0x1e0 fs/bcachefs/recovery_passes.c:226
 bch2_run_recovery_passes+0x2ad/0xa90 fs/bcachefs/recovery_passes.c:285
 bch2_fs_recovery+0x292a/0x3e20 fs/bcachefs/recovery.c:936
 bch2_fs_start+0x310/0x620 fs/bcachefs/super.c:1069
 bch2_fs_get_tree+0x113e/0x18f0 fs/bcachefs/fs.c:2253
 vfs_get_tree+0x90/0x2b0 fs/super.c:1759
 do_new_mount+0x2cf/0xb70 fs/namespace.c:3879
 do_mount fs/namespace.c:4219 [inline]
 __do_sys_mount fs/namespace.c:4430 [inline]
 __se_sys_mount+0x38c/0x400 fs/namespace.c:4407
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f5be418e90a
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 1a 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f5be4f2ae68 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007f5be4f2aef0 RCX: 00007f5be418e90a
RDX: 000020000000f640 RSI: 0000200000000140 RDI: 00007f5be4f2aeb0
RBP: 000020000000f640 R08: 00007f5be4f2aef0 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000200000000140
R13: 00007f5be4f2aeb0 R14: 000000000000f61b R15: 0000200000000340
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:bch2_fsck_update_backpointers+0x4ed/0x4f0 fs/bcachefs/fsck.c:954
Code: e9 2b fc ff ff 89 d9 80 e1 07 38 c1 0f 8c 62 fc ff ff 48 89 df e8 63 77 b7 fd e9 55 fc ff ff e8 39 78 ba 07 e8 74 4e 4d fd 90 <0f> 0b 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e
RSP: 0018:ffffc9000d4ce460 EFLAGS: 00010246
RAX: ffffffff847608cc RBX: 0000000000000010 RCX: 0000000000100000
RDX: ffffc9000e50a000 RSI: 00000000000fffff RDI: 0000000000100000
RBP: ffffc9000d4ce600 R08: ffffffff84760529 R09: 0000000000000000
R10: ffffc9000d4ce530 R11: fffff52001a99caf R12: ffffc9000d4cf290
R13: dffffc0000000000 R14: ffff888052bda000 R15: ffff888052900000
FS:  00007f5be4f2b6c0(0000) GS:ffff88808c596000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055b32eddc088 CR3: 0000000044eda000 CR4: 0000000000352ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

syztest

[Arnaud Lecomte]

#syz test

--- a/fs/bcachefs/fsck.c
+++ b/fs/bcachefs/fsck.c
@@ -976,7 +976,24 @@ int bch2_fsck_update_backpointers(struct btree_trans *trans,
 	int ret = 0;
 
 	if (d->v.d_type == DT_SUBVOL) {
-		BUG();
+		struct bch_subvolume subvol;
+
+		ret = bch2_subvolume_get(trans, le32_to_cpu(d->v.d_child_subvol),
+					     false, &subvol);
+		if (ret && !bch2_err_matches(ret, ENOENT))
+			goto err;
+
+		ret = get_visible_inodes(trans, &target, s, le64_to_cpu(subvol.inode));
+		if (ret)
+			goto err;
+
+		if (target.inodes.nr) {
+			target.inodes.data[0].inode.bi_dir_offset = d->k.p.offset;
+			ret = __bch2_fsck_write_inode(trans, &target.inodes.data[0].inode);
+			if (ret)
+				goto err;
+		}
+
 	} else {
 		ret = get_visible_inodes(trans, &target, s, le64_to_cpu(d->v.d_inum));
 		if (ret)
-- 
2.43.0

Re: syztest

[Kent Overstreet]

On Mon, Apr 28, 2025 at 06:09:03PM +0200, Arnaud Lecomte wrote:
> #syz test

Don't rely on syzbot for testing, you really need to be running the
tests yourself and looking at all the output.

It's not enough to know that we're not crashing anymore, we want the
filesystem to repair and mount successfully.

> --- a/fs/bcachefs/fsck.c
> +++ b/fs/bcachefs/fsck.c
> @@ -976,7 +976,24 @@ int bch2_fsck_update_backpointers(struct btree_trans *trans,
>  	int ret = 0;
>  
>  	if (d->v.d_type == DT_SUBVOL) {
> -		BUG();
> +		struct bch_subvolume subvol;
> +
> +		ret = bch2_subvolume_get(trans, le32_to_cpu(d->v.d_child_subvol),
> +					     false, &subvol);
> +		if (ret && !bch2_err_matches(ret, ENOENT))
> +			goto err;
> +
> +		ret = get_visible_inodes(trans, &target, s, le64_to_cpu(subvol.inode));
> +		if (ret)
> +			goto err;
> +
> +		if (target.inodes.nr) {
> +			target.inodes.data[0].inode.bi_dir_offset = d->k.p.offset;
> +			ret = __bch2_fsck_write_inode(trans, &target.inodes.data[0].inode);
> +			if (ret)
> +				goto err;
> +		}
> +
>  	} else {
>  		ret = get_visible_inodes(trans, &target, s, le64_to_cpu(d->v.d_inum));
>  		if (ret)
> -- 
> 2.43.0

[syzbot] [rdma?] [s390?] [net?] KASAN: null-ptr-deref Read in smc_tcp_syn_recv_sock

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    850925a8133c Merge tag '9p-for-6.12-rc5' of https://github..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1227aa87980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=17c0d505695d6b0
dashboard link: https://syzkaller.appspot.com/bug?extid=827ae2bfb3a3529333e9
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=15489230580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/6d8177e17058/disk-850925a8.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/5d88252f39ff/vmlinux-850925a8.xz
kernel image: https://storage.googleapis.com/syzbot-assets/7a675a61b90d/bzImage-850925a8.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+827ae2bfb3a3529333e9@syzkaller.appspotmail.com

TCP: request_sock_TCP: Possible SYN flooding on port [::]:20002. Sending cookies.
TCP: request_sock_TCP: Possible SYN flooding on port [::]:20002. Sending cookies.
==================================================================
BUG: KASAN: null-ptr-deref in instrument_atomic_read include/linux/instrumented.h:68 [inline]
BUG: KASAN: null-ptr-deref in atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline]
BUG: KASAN: null-ptr-deref in smc_tcp_syn_recv_sock+0xa7/0x4b0 net/smc/af_smc.c:131
Read of size 4 at addr 00000000000009d4 by task syz.4.10809/28966

CPU: 1 UID: 0 PID: 28966 Comm: syz.4.10809 Not tainted 6.12.0-rc4-syzkaller-00261-g850925a8133c #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
 kasan_report+0xd9/0x110 mm/kasan/report.c:601
 check_region_inline mm/kasan/generic.c:183 [inline]
 kasan_check_range+0xef/0x1a0 mm/kasan/generic.c:189
 instrument_atomic_read include/linux/instrumented.h:68 [inline]
 atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline]
 smc_tcp_syn_recv_sock+0xa7/0x4b0 net/smc/af_smc.c:131
 tcp_get_cookie_sock+0xd5/0x790 net/ipv4/syncookies.c:204
 cookie_v4_check+0xcf8/0x1d40 net/ipv4/syncookies.c:485
 tcp_v4_cookie_check net/ipv4/tcp_ipv4.c:1864 [inline]
 tcp_v4_do_rcv+0x98e/0xa90 net/ipv4/tcp_ipv4.c:1923
 tcp_v4_rcv+0x3cd2/0x4390 net/ipv4/tcp_ipv4.c:2340
 ip_protocol_deliver_rcu+0xba/0x4c0 net/ipv4/ip_input.c:205
 ip_local_deliver_finish+0x316/0x570 net/ipv4/ip_input.c:233
 NF_HOOK include/linux/netfilter.h:314 [inline]
 NF_HOOK include/linux/netfilter.h:308 [inline]
 ip_local_deliver+0x18e/0x1f0 net/ipv4/ip_input.c:254
 dst_input include/net/dst.h:460 [inline]
 ip_rcv_finish net/ipv4/ip_input.c:449 [inline]
 NF_HOOK include/linux/netfilter.h:314 [inline]
 NF_HOOK include/linux/netfilter.h:308 [inline]
 ip_rcv+0x2c3/0x5d0 net/ipv4/ip_input.c:569
 __netif_receive_skb_one_core+0x199/0x1e0 net/core/dev.c:5666
 __netif_receive_skb+0x1d/0x160 net/core/dev.c:5779
 process_backlog+0x443/0x15f0 net/core/dev.c:6111
 __napi_poll.constprop.0+0xba/0x550 net/core/dev.c:6775
 napi_poll net/core/dev.c:6844 [inline]
 net_rx_action+0xa92/0x1010 net/core/dev.c:6966
 handle_softirqs+0x216/0x8f0 kernel/softirq.c:554
 do_softirq kernel/softirq.c:455 [inline]
 do_softirq+0xb2/0xf0 kernel/softirq.c:442
 </IRQ>
 <TASK>
 __local_bh_enable_ip+0x100/0x120 kernel/softirq.c:382
 local_bh_enable include/linux/bottom_half.h:33 [inline]
 rcu_read_unlock_bh include/linux/rcupdate.h:919 [inline]
 __dev_queue_xmit+0x887/0x4350 net/core/dev.c:4455
 dev_queue_xmit include/linux/netdevice.h:3094 [inline]
 neigh_hh_output include/net/neighbour.h:526 [inline]
 neigh_output include/net/neighbour.h:540 [inline]
 ip_finish_output2+0x16d7/0x2530 net/ipv4/ip_output.c:236
 __ip_finish_output net/ipv4/ip_output.c:314 [inline]
 __ip_finish_output+0x49e/0x950 net/ipv4/ip_output.c:296
 ip_finish_output+0x31/0x310 net/ipv4/ip_output.c:324
 NF_HOOK_COND include/linux/netfilter.h:303 [inline]
 ip_output+0x13b/0x2a0 net/ipv4/ip_output.c:434
 dst_output include/net/dst.h:450 [inline]
 ip_local_out+0x33e/0x4a0 net/ipv4/ip_output.c:130
 __ip_queue_xmit+0x747/0x1940 net/ipv4/ip_output.c:536
 __tcp_transmit_skb+0x2a4c/0x3dc0 net/ipv4/tcp_output.c:1466
 __tcp_send_ack.part.0+0x390/0x720 net/ipv4/tcp_output.c:4268
 __tcp_send_ack net/ipv4/tcp_output.c:4274 [inline]
 tcp_send_ack+0x82/0xa0 net/ipv4/tcp_output.c:4274
 tcp_rcv_synsent_state_process net/ipv4/tcp_input.c:6576 [inline]
 tcp_rcv_state_process+0x4332/0x4f30 net/ipv4/tcp_input.c:6770
 tcp_v4_do_rcv+0x1ad/0xa90 net/ipv4/tcp_ipv4.c:1938
 sk_backlog_rcv include/net/sock.h:1115 [inline]
 __release_sock+0x31b/0x400 net/core/sock.c:3072
 release_sock+0x5a/0x220 net/core/sock.c:3626
 mptcp_connect+0xc14/0xee0 net/mptcp/protocol.c:3800
 __inet_stream_connect+0x3ca/0x1020 net/ipv4/af_inet.c:679
 inet_stream_connect+0x57/0xa0 net/ipv4/af_inet.c:750
 __sys_connect_file+0x150/0x190 net/socket.c:2071
 __sys_connect+0x147/0x180 net/socket.c:2088
 __do_sys_connect net/socket.c:2098 [inline]
 __se_sys_connect net/socket.c:2095 [inline]
 __x64_sys_connect+0x72/0xb0 net/socket.c:2095
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f68acb7e719
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f68ada08038 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 00007f68acd35f80 RCX: 00007f68acb7e719
RDX: 0000000000000010 RSI: 0000000020000000 RDI: 0000000000000004
RBP: 00007f68acbf132e R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f68acd35f80 R15: 00007ffdea14cb48
 </TASK>
==================================================================
Oops: general protection fault, probably for non-canonical address 0xdffffc000000013a: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x00000000000009d0-0x00000000000009d7]
CPU: 1 UID: 0 PID: 28966 Comm: syz.4.10809 Tainted: G    B              6.12.0-rc4-syzkaller-00261-g850925a8133c #0
Tainted: [B]=BAD_PAGE
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
RIP: 0010:arch_atomic_read arch/x86/include/asm/atomic.h:23 [inline]
RIP: 0010:raw_atomic_read include/linux/atomic/atomic-arch-fallback.h:457 [inline]
RIP: 0010:atomic_read include/linux/atomic/atomic-instrumented.h:33 [inline]
RIP: 0010:smc_tcp_syn_recv_sock+0xb8/0x4b0 net/smc/af_smc.c:131
Code: ad d4 09 00 00 be 04 00 00 00 44 8b bb 1c 04 00 00 4c 89 ef e8 69 94 2e f7 4c 89 ea 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <0f> b6 14 02 4c 89 e8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 34
RSP: 0018:ffffc90000a18668 EFLAGS: 00010217
RAX: dffffc0000000000 RBX: ffff88805b9cb600 RCX: ffffffff814e856f
RDX: 000000000000013a RSI: ffffffff81ee031e RDI: 0000000000000007
RBP: 0000000000000000 R08: 0000000000000007 R09: 0000000000000000
R10: 0000000000000000 R11: 6e696c6261736944 R12: ffff88807df5bd00
R13: 00000000000009d4 R14: ffffc90000a186e8 R15: 0000000000000000
FS:  00007f68ada086c0(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f68ad9e7d58 CR3: 000000005e3fa000 CR4: 0000000000350ef0
Call Trace:
 <IRQ>
 tcp_get_cookie_sock+0xd5/0x790 net/ipv4/syncookies.c:204
 cookie_v4_check+0xcf8/0x1d40 net/ipv4/syncookies.c:485
 tcp_v4_cookie_check net/ipv4/tcp_ipv4.c:1864 [inline]
 tcp_v4_do_rcv+0x98e/0xa90 net/ipv4/tcp_ipv4.c:1923
 tcp_v4_rcv+0x3cd2/0x4390 net/ipv4/tcp_ipv4.c:2340
 ip_protocol_deliver_rcu+0xba/0x4c0 net/ipv4/ip_input.c:205
 ip_local_deliver_finish+0x316/0x570 net/ipv4/ip_input.c:233
 NF_HOOK include/linux/netfilter.h:314 [inline]
 NF_HOOK include/linux/netfilter.h:308 [inline]
 ip_local_deliver+0x18e/0x1f0 net/ipv4/ip_input.c:254
 dst_input include/net/dst.h:460 [inline]
 ip_rcv_finish net/ipv4/ip_input.c:449 [inline]
 NF_HOOK include/linux/netfilter.h:314 [inline]
 NF_HOOK include/linux/netfilter.h:308 [inline]
 ip_rcv+0x2c3/0x5d0 net/ipv4/ip_input.c:569
 __netif_receive_skb_one_core+0x199/0x1e0 net/core/dev.c:5666
 __netif_receive_skb+0x1d/0x160 net/core/dev.c:5779
 process_backlog+0x443/0x15f0 net/core/dev.c:6111
 __napi_poll.constprop.0+0xba/0x550 net/core/dev.c:6775
 napi_poll net/core/dev.c:6844 [inline]
 net_rx_action+0xa92/0x1010 net/core/dev.c:6966
 handle_softirqs+0x216/0x8f0 kernel/softirq.c:554
 do_softirq kernel/softirq.c:455 [inline]
 do_softirq+0xb2/0xf0 kernel/softirq.c:442
 </IRQ>
 <TASK>
 __local_bh_enable_ip+0x100/0x120 kernel/softirq.c:382
 local_bh_enable include/linux/bottom_half.h:33 [inline]
 rcu_read_unlock_bh include/linux/rcupdate.h:919 [inline]
 __dev_queue_xmit+0x887/0x4350 net/core/dev.c:4455
 dev_queue_xmit include/linux/netdevice.h:3094 [inline]
 neigh_hh_output include/net/neighbour.h:526 [inline]
 neigh_output include/net/neighbour.h:540 [inline]
 ip_finish_output2+0x16d7/0x2530 net/ipv4/ip_output.c:236
 __ip_finish_output net/ipv4/ip_output.c:314 [inline]
 __ip_finish_output+0x49e/0x950 net/ipv4/ip_output.c:296
 ip_finish_output+0x31/0x310 net/ipv4/ip_output.c:324
 NF_HOOK_COND include/linux/netfilter.h:303 [inline]
 ip_output+0x13b/0x2a0 net/ipv4/ip_output.c:434
 dst_output include/net/dst.h:450 [inline]
 ip_local_out+0x33e/0x4a0 net/ipv4/ip_output.c:130
 __ip_queue_xmit+0x747/0x1940 net/ipv4/ip_output.c:536
 __tcp_transmit_skb+0x2a4c/0x3dc0 net/ipv4/tcp_output.c:1466
 __tcp_send_ack.part.0+0x390/0x720 net/ipv4/tcp_output.c:4268
 __tcp_send_ack net/ipv4/tcp_output.c:4274 [inline]
 tcp_send_ack+0x82/0xa0 net/ipv4/tcp_output.c:4274
 tcp_rcv_synsent_state_process net/ipv4/tcp_input.c:6576 [inline]
 tcp_rcv_state_process+0x4332/0x4f30 net/ipv4/tcp_input.c:6770
 tcp_v4_do_rcv+0x1ad/0xa90 net/ipv4/tcp_ipv4.c:1938
 sk_backlog_rcv include/net/sock.h:1115 [inline]
 __release_sock+0x31b/0x400 net/core/sock.c:3072
 release_sock+0x5a/0x220 net/core/sock.c:3626
 mptcp_connect+0xc14/0xee0 net/mptcp/protocol.c:3800
 __inet_stream_connect+0x3ca/0x1020 net/ipv4/af_inet.c:679
 inet_stream_connect+0x57/0xa0 net/ipv4/af_inet.c:750
 __sys_connect_file+0x150/0x190 net/socket.c:2071
 __sys_connect+0x147/0x180 net/socket.c:2088
 __do_sys_connect net/socket.c:2098 [inline]
 __se_sys_connect net/socket.c:2095 [inline]
 __x64_sys_connect+0x72/0xb0 net/socket.c:2095
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f68acb7e719
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f68ada08038 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 00007f68acd35f80 RCX: 00007f68acb7e719
RDX: 0000000000000010 RSI: 0000000020000000 RDI: 0000000000000004
RBP: 00007f68acbf132e R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f68acd35f80 R15: 00007ffdea14cb48
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:arch_atomic_read arch/x86/include/asm/atomic.h:23 [inline]
RIP: 0010:raw_atomic_read include/linux/atomic/atomic-arch-fallback.h:457 [inline]
RIP: 0010:atomic_read include/linux/atomic/atomic-instrumented.h:33 [inline]
RIP: 0010:smc_tcp_syn_recv_sock+0xb8/0x4b0 net/smc/af_smc.c:131
Code: ad d4 09 00 00 be 04 00 00 00 44 8b bb 1c 04 00 00 4c 89 ef e8 69 94 2e f7 4c 89 ea 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <0f> b6 14 02 4c 89 e8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 34
RSP: 0018:ffffc90000a18668 EFLAGS: 00010217
RAX: dffffc0000000000 RBX: ffff88805b9cb600 RCX: ffffffff814e856f
RDX: 000000000000013a RSI: ffffffff81ee031e RDI: 0000000000000007
RBP: 0000000000000000 R08: 0000000000000007 R09: 0000000000000000
R10: 0000000000000000 R11: 6e696c6261736944 R12: ffff88807df5bd00
R13: 00000000000009d4 R14: ffffc90000a186e8 R15: 0000000000000000
FS:  00007f68ada086c0(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f68ad9e7d58 CR3: 000000005e3fa000 CR4: 0000000000350ef0
----------------
Code disassembly (best guess), 2 bytes skipped:
   0:	09 00                	or     %eax,(%rax)
   2:	00 be 04 00 00 00    	add    %bh,0x4(%rsi)
   8:	44 8b bb 1c 04 00 00 	mov    0x41c(%rbx),%r15d
   f:	4c 89 ef             	mov    %r13,%rdi
  12:	e8 69 94 2e f7       	call   0xf72e9480
  17:	4c 89 ea             	mov    %r13,%rdx
  1a:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  21:	fc ff df
  24:	48 c1 ea 03          	shr    $0x3,%rdx
* 28:	0f b6 14 02          	movzbl (%rdx,%rax,1),%edx <-- trapping instruction
  2c:	4c 89 e8             	mov    %r13,%rax
  2f:	83 e0 07             	and    $0x7,%eax
  32:	83 c0 03             	add    $0x3,%eax
  35:	38 d0                	cmp    %dl,%al
  37:	7c 08                	jl     0x41
  39:	84 d2                	test   %dl,%dl
  3b:	0f                   	.byte 0xf
  3c:	85                   	.byte 0x85
  3d:	34                   	.byte 0x34


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

syztest

[Arnaud Lecomte]

#syz test

--- a/net/smc/af_smc.c
+++ b/net/smc/af_smc.c
@@ -123,11 +123,14 @@ static struct sock *smc_tcp_syn_recv_sock(const struct sock *sk,
 					  struct request_sock *req_unhash,
 					  bool *own_req)
 {
+        read_lock_bh(&((struct sock *)sk)->sk_callback_lock);
 	struct smc_sock *smc;
 	struct sock *child;
-
 	smc = smc_clcsock_user_data(sk);
 
+	if (!smc)
+		goto drop;
+
 	if (READ_ONCE(sk->sk_ack_backlog) + atomic_read(&smc->queued_smc_hs) >
 				sk->sk_max_ack_backlog)
 		goto drop;
@@ -148,9 +151,11 @@ static struct sock *smc_tcp_syn_recv_sock(const struct sock *sk,
 		if (inet_csk(child)->icsk_af_ops == inet_csk(sk)->icsk_af_ops)
 			inet_csk(child)->icsk_af_ops = smc->ori_af_ops;
 	}
+	read_unlock_bh(&((struct sock *)sk)->sk_callback_lock);
 	return child;
 
 drop:
+	read_unlock_bh(&((struct sock *)sk)->sk_callback_lock);
 	dst_release(dst);
 	tcp_listendrop(sk);
 	return NULL;
@@ -2613,7 +2618,7 @@ int smc_listen(struct socket *sock, int backlog)
 	int rc;
 
 	smc = smc_sk(sk);
-	lock_sock(sk);
+	lock_sock(sock->sk);
 
 	rc = -EINVAL;
 	if ((sk->sk_state != SMC_INIT && sk->sk_state != SMC_LISTEN) ||
-- 
2.43.0

Re: syztest

[Paolo Abeni]

On 6/29/25 3:29 PM, Arnaud Lecomte wrote:
> #syz test
> 
> --- a/net/smc/af_smc.c
> +++ b/net/smc/af_smc.c
> @@ -123,11 +123,14 @@ static struct sock *smc_tcp_syn_recv_sock(const struct sock *sk,
>  					  struct request_sock *req_unhash,
>  					  bool *own_req)
>  {
> +        read_lock_bh(&((struct sock *)sk)->sk_callback_lock);
>  	struct smc_sock *smc;
>  	struct sock *child;
> -
>  	smc = smc_clcsock_user_data(sk);
>  
> +	if (!smc)
> +		goto drop;
> +
>  	if (READ_ONCE(sk->sk_ack_backlog) + atomic_read(&smc->queued_smc_hs) >
>  				sk->sk_max_ack_backlog)
>  		goto drop;
> @@ -148,9 +151,11 @@ static struct sock *smc_tcp_syn_recv_sock(const struct sock *sk,
>  		if (inet_csk(child)->icsk_af_ops == inet_csk(sk)->icsk_af_ops)
>  			inet_csk(child)->icsk_af_ops = smc->ori_af_ops;
>  	}
> +	read_unlock_bh(&((struct sock *)sk)->sk_callback_lock);
>  	return child;
>  
>  drop:
> +	read_unlock_bh(&((struct sock *)sk)->sk_callback_lock);
>  	dst_release(dst);
>  	tcp_listendrop(sk);
>  	return NULL;
> @@ -2613,7 +2618,7 @@ int smc_listen(struct socket *sock, int backlog)
>  	int rc;
>  
>  	smc = smc_sk(sk);
> -	lock_sock(sk);
> +	lock_sock(sock->sk);
>  
>  	rc = -EINVAL;
>  	if ((sk->sk_state != SMC_INIT && sk->sk_state != SMC_LISTEN) ||

Please stop cc-ing netdev and other kernel ML with this tests. You
should keep just the syzkaller related MLs and a very restricted list of
individuals (i.e. no maintainers).

Thanks,

Paolo

syztest

[Arnaud Lecomte]

#syz test

--- a/net/smc/af_smc.c
+++ b/net/smc/af_smc.c
@@ -126,8 +126,12 @@ static struct sock *smc_tcp_syn_recv_sock(const struct sock *sk,
 	struct smc_sock *smc;
 	struct sock *child;
 
+	lockdep_assert_held_read(&sk->sk_callback_lock);
 	smc = smc_clcsock_user_data(sk);
 
+	if (!smc)
+		goto drop;
+
 	if (READ_ONCE(sk->sk_ack_backlog) + atomic_read(&smc->queued_smc_hs) >
 				sk->sk_max_ack_backlog)
 		goto drop;
-- 
2.43.0

syztest

[Arnaud Lecomte]

#syz test

--- a/net/smc/af_smc.c
+++ b/net/smc/af_smc.c
@@ -125,9 +125,12 @@ static struct sock *smc_tcp_syn_recv_sock(const struct sock *sk,
 {
 	struct smc_sock *smc;
 	struct sock *child;
-
+	read_lock_bh(&((struct sock *)sk)->sk_callback_lock);
 	smc = smc_clcsock_user_data(sk);
 
+	if (!smc)
+		goto drop;
+
 	if (READ_ONCE(sk->sk_ack_backlog) + atomic_read(&smc->queued_smc_hs) >
 				sk->sk_max_ack_backlog)
 		goto drop;
@@ -148,9 +151,11 @@ static struct sock *smc_tcp_syn_recv_sock(const struct sock *sk,
 		if (inet_csk(child)->icsk_af_ops == inet_csk(sk)->icsk_af_ops)
 			inet_csk(child)->icsk_af_ops = smc->ori_af_ops;
 	}
+	read_unlock_bh(&((struct sock *)sk)->sk_callback_lock);
 	return child;
 
 drop:
+	read_unlock_bh(&((struct sock *)sk)->sk_callback_lock);
 	dst_release(dst);
 	tcp_listendrop(sk);
 	return NULL;
-- 
2.43.0

[syzbot] [input?] [usb?] KASAN: slab-out-of-bounds Read in mcp2221_raw_event

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    d8d936c51388 usb: storage: add a macro for the upper limit..
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
console output: https://syzkaller.appspot.com/x/log.txt?x=138e1de8580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=9666422a569a9b7d
dashboard link: https://syzkaller.appspot.com/bug?extid=52c1a7d3e5b361ccd346
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/b5f0fe63d6bf/disk-d8d936c5.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/16c74d2e64c7/vmlinux-d8d936c5.xz
kernel image: https://storage.googleapis.com/syzbot-assets/00ab13339c70/bzImage-d8d936c5.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+52c1a7d3e5b361ccd346@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: slab-out-of-bounds in mcp2221_raw_event+0xf98/0x1030 drivers/hid/hid-mcp2221.c:852
Read of size 1 at addr ffff888125653fff by task kworker/1:3/5238

CPU: 1 UID: 0 PID: 5238 Comm: kworker/1:3 Not tainted 6.13.0-rc1-syzkaller-gd8d936c51388 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: events legacy_dvb_usb_read_remote_control
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xc3/0x620 mm/kasan/report.c:489
 kasan_report+0xd9/0x110 mm/kasan/report.c:602
 mcp2221_raw_event+0xf98/0x1030 drivers/hid/hid-mcp2221.c:852
 __hid_input_report.constprop.0+0x312/0x440 drivers/hid/hid-core.c:2111
 hid_irq_in+0x35e/0x870 drivers/hid/usbhid/hid-core.c:285
 __usb_hcd_giveback_urb+0x389/0x6e0 drivers/usb/core/hcd.c:1650
 usb_hcd_giveback_urb+0x396/0x450 drivers/usb/core/hcd.c:1734
 dummy_timer+0x17f0/0x3930 drivers/usb/gadget/udc/dummy_hcd.c:1993
 __run_hrtimer kernel/time/hrtimer.c:1739 [inline]
 __hrtimer_run_queues+0x20a/0xae0 kernel/time/hrtimer.c:1803
 hrtimer_run_softirq+0x17d/0x350 kernel/time/hrtimer.c:1820
 handle_softirqs+0x206/0x8d0 kernel/softirq.c:554
 __do_softirq kernel/softirq.c:588 [inline]
 invoke_softirq kernel/softirq.c:428 [inline]
 __irq_exit_rcu+0xfa/0x160 kernel/softirq.c:655
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:671
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]
 sysvec_apic_timer_interrupt+0x90/0xb0 arch/x86/kernel/apic/apic.c:1049
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:console_flush_all+0x9a4/0xc60 kernel/printk/printk.c:3211
Code: 00 e8 90 de 27 00 9c 5b 81 e3 00 02 00 00 31 ff 48 89 de e8 1e 39 20 00 48 85 db 0f 85 55 01 00 00 e8 a0 36 20 00 fb 4c 89 e0 <48> c1 e8 03 42 80 3c 38 00 0f 84 11 ff ff ff 4c 89 e7 e8 25 41 7a
RSP: 0018:ffffc9000211f8b0 EFLAGS: 00000293
RAX: ffffffff893a7798 RBX: 0000000000000000 RCX: ffffffff813b1bb2
RDX: ffff88810dbe1d40 RSI: ffffffff813b1bc0 RDI: 0000000000000007
RBP: 0000000000000000 R08: 0000000000000007 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000005 R12: ffffffff893a7798
R13: ffffffff893a7740 R14: ffffc9000211f940 R15: dffffc0000000000
 __console_flush_and_unlock kernel/printk/printk.c:3269 [inline]
 console_unlock+0xd9/0x210 kernel/printk/printk.c:3309
 vprintk_emit+0x424/0x6f0 kernel/printk/printk.c:2432
 vprintk+0x7f/0xa0 kernel/printk/printk_safe.c:86
 _printk+0xc8/0x100 kernel/printk/printk.c:2457
 legacy_dvb_usb_read_remote_control+0x40d/0x500 drivers/media/usb/dvb-usb/dvb-usb-remote.c:124
 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229
 process_scheduled_works kernel/workqueue.c:3310 [inline]
 worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391
 kthread+0x2c1/0x3a0 kernel/kthread.c:389
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>

Allocated by task 18002:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 unpoison_slab_object mm/kasan/common.c:319 [inline]
 __kasan_slab_alloc+0x6e/0x70 mm/kasan/common.c:345
 kasan_slab_alloc include/linux/kasan.h:250 [inline]
 slab_post_alloc_hook mm/slub.c:4104 [inline]
 slab_alloc_node mm/slub.c:4153 [inline]
 kmem_cache_alloc_noprof+0x154/0x3b0 mm/slub.c:4160
 vma_lock_alloc kernel/fork.c:446 [inline]
 vm_area_dup+0x51/0x160 kernel/fork.c:499
 dup_mmap kernel/fork.c:697 [inline]
 dup_mm kernel/fork.c:1695 [inline]
 copy_mm kernel/fork.c:1744 [inline]
 copy_process+0x76a1/0x8ba0 kernel/fork.c:2395
 kernel_clone+0xfd/0x960 kernel/fork.c:2807
 __do_sys_clone+0xba/0x100 kernel/fork.c:2950
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 20259:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:582
 poison_slab_object mm/kasan/common.c:247 [inline]
 __kasan_slab_free+0x37/0x50 mm/kasan/common.c:264
 kasan_slab_free include/linux/kasan.h:233 [inline]
 slab_free_hook mm/slub.c:2338 [inline]
 slab_free mm/slub.c:4598 [inline]
 kmem_cache_free+0x133/0x470 mm/slub.c:4700
 vma_lock_free kernel/fork.c:458 [inline]
 __vm_area_free+0x38/0x50 kernel/fork.c:514
 remove_vma+0x154/0x1b0 mm/vma.c:385
 exit_mmap+0x4e2/0xb20 mm/mmap.c:1691
 __mmput kernel/fork.c:1353 [inline]
 mmput+0xdb/0x430 kernel/fork.c:1375
 exit_mm kernel/exit.c:570 [inline]
 do_exit+0x9bf/0x2ce0 kernel/exit.c:925
 do_group_exit+0xd3/0x2a0 kernel/exit.c:1087
 get_signal+0x24ed/0x26c0 kernel/signal.c:3017
 arch_do_signal_or_restart+0x90/0x7e0 arch/x86/kernel/signal.c:337
 exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
 syscall_exit_to_user_mode+0x147/0x260 kernel/entry/common.c:218
 do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff888125653e58
 which belongs to the cache vma_lock of size 152
The buggy address is located 271 bytes to the right of
 allocated 152-byte region [ffff888125653e58, ffff888125653ef0)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x125653
memcg:ffff888112012101
flags: 0x200000000000000(node=0|zone=2)
page_type: f5(slab)
raw: 0200000000000000 ffff888100ad6c80 ffffea000469ff40 dead000000000008
raw: 0000000000000000 0000000000120012 00000001f5000000 ffff888112012101
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 19443, tgid 19443 (modprobe), ts 1744528990053, free_ts 1582817727208
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1556
 prep_new_page mm/page_alloc.c:1564 [inline]
 get_page_from_freelist+0xe76/0x2b90 mm/page_alloc.c:3474
 __alloc_pages_noprof+0x21c/0x22a0 mm/page_alloc.c:4751
 alloc_pages_mpol_noprof+0xeb/0x400 mm/mempolicy.c:2265
 alloc_slab_page mm/slub.c:2408 [inline]
 allocate_slab mm/slub.c:2574 [inline]
 new_slab+0x2c9/0x410 mm/slub.c:2627
 ___slab_alloc+0xd45/0x1750 mm/slub.c:3815
 __slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3905
 __slab_alloc_node mm/slub.c:3980 [inline]
 slab_alloc_node mm/slub.c:4141 [inline]
 kmem_cache_alloc_noprof+0x1fd/0x3b0 mm/slub.c:4160
 vma_lock_alloc kernel/fork.c:446 [inline]
 vm_area_alloc+0x107/0x1f0 kernel/fork.c:477
 __mmap_new_vma mm/vma.c:2340 [inline]
 __mmap_region+0xf13/0x24f0 mm/vma.c:2456
 mmap_region+0x127/0x320 mm/mmap.c:1347
 do_mmap+0xc00/0xfc0 mm/mmap.c:496
 vm_mmap_pgoff+0x1ba/0x350 mm/util.c:580
 ksys_mmap_pgoff+0x7d/0x5c0 mm/mmap.c:542
 __do_sys_mmap arch/x86/kernel/sys_x86_64.c:89 [inline]
 __se_sys_mmap arch/x86/kernel/sys_x86_64.c:82 [inline]
 __x64_sys_mmap+0x125/0x190 arch/x86/kernel/sys_x86_64.c:82
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
page last free pid 2961 tgid 2961 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1127 [inline]
 free_unref_page+0x661/0xe40 mm/page_alloc.c:2657
 vfree+0x17a/0x890 mm/vmalloc.c:3382
 kcov_put kernel/kcov.c:439 [inline]
 kcov_put+0x2a/0x40 kernel/kcov.c:435
 kcov_close+0xd/0x20 kernel/kcov.c:535
 __fput+0x3f8/0xb60 fs/file_table.c:450
 task_work_run+0x14e/0x250 kernel/task_work.c:239
 exit_task_work include/linux/task_work.h:43 [inline]
 do_exit+0xadd/0x2ce0 kernel/exit.c:938
 do_group_exit+0xd3/0x2a0 kernel/exit.c:1087
 get_signal+0x24ed/0x26c0 kernel/signal.c:3017
 arch_do_signal_or_restart+0x90/0x7e0 arch/x86/kernel/signal.c:337
 exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
 syscall_exit_to_user_mode+0x147/0x260 kernel/entry/common.c:218
 do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff888125653e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
 ffff888125653f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888125653f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                                                ^
 ffff888125654000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888125654080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
----------------
Code disassembly (best guess):
   0:	00 e8                	add    %ch,%al
   2:	90                   	nop
   3:	de 27                	fisubs (%rdi)
   5:	00 9c 5b 81 e3 00 02 	add    %bl,0x200e381(%rbx,%rbx,2)
   c:	00 00                	add    %al,(%rax)
   e:	31 ff                	xor    %edi,%edi
  10:	48 89 de             	mov    %rbx,%rsi
  13:	e8 1e 39 20 00       	call   0x203936
  18:	48 85 db             	test   %rbx,%rbx
  1b:	0f 85 55 01 00 00    	jne    0x176
  21:	e8 a0 36 20 00       	call   0x2036c6
  26:	fb                   	sti
  27:	4c 89 e0             	mov    %r12,%rax
* 2a:	48 c1 e8 03          	shr    $0x3,%rax <-- trapping instruction
  2e:	42 80 3c 38 00       	cmpb   $0x0,(%rax,%r15,1)
  33:	0f 84 11 ff ff ff    	je     0xffffff4a
  39:	4c 89 e7             	mov    %r12,%rdi
  3c:	e8                   	.byte 0xe8
  3d:	25                   	.byte 0x25
  3e:	41                   	rex.B
  3f:	7a                   	.byte 0x7a


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

syztest

[Arnaud Lecomte]

#syz test

--- a/drivers/hid/hid-mcp2221.c
+++ b/drivers/hid/hid-mcp2221.c
@@ -814,6 +814,10 @@ static int mcp2221_raw_event(struct hid_device *hdev,
 			}
 			if (data[2] == MCP2221_I2C_READ_COMPL ||
 			    data[2] == MCP2221_I2C_READ_PARTIAL) {
+				if (!mcp->rxbuf || mcp->rxbuf_idx < 0 || data[3] > 60) {
+					mcp->status = -EINVAL;
+					break;
+				}	
 				buf = mcp->rxbuf;
 				memcpy(&buf[mcp->rxbuf_idx], &data[4], data[3]);
 				mcp->rxbuf_idx = mcp->rxbuf_idx + data[3];
-- 

[syzbot] [hfs?] KASAN: out-of-bounds Read in hfsplus_bnode_move

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    125514880ddd Merge tag 'sh-for-v6.8-tag1' of git://git.ker..
git tree:       upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=15edd643e80000
kernel config:  https://syzkaller.appspot.com/x/.config?x=7a6ff9d9d5d2dc4a
dashboard link: https://syzkaller.appspot.com/bug?extid=6df204b70bf3261691c5
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=169c2d57e80000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=11109193e80000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/86a8a3ee9ef1/disk-12551488.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/b73f0ed65615/vmlinux-12551488.xz
kernel image: https://storage.googleapis.com/syzbot-assets/7aa088345217/bzImage-12551488.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/3a894fc3d764/mount_0.gz

Bisection is inconclusive: the issue happens on the oldest tested release.

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=12fdd643e80000
final oops:     https://syzkaller.appspot.com/x/report.txt?x=11fdd643e80000
console output: https://syzkaller.appspot.com/x/log.txt?x=16fdd643e80000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+6df204b70bf3261691c5@syzkaller.appspotmail.com

loop0: detected capacity change from 0 to 1024
==================================================================
BUG: KASAN: out-of-bounds in hfsplus_bnode_move+0x5f3/0x910 fs/hfsplus/bnode.c:228
Read of size 18446744073709551602 at addr 000508800000104e by task syz-executor353/5048

CPU: 0 PID: 5048 Comm: syz-executor353 Not tainted 6.7.0-syzkaller-12829-g125514880ddd #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
 print_report+0xe6/0x540 mm/kasan/report.c:491
 kasan_report+0x142/0x170 mm/kasan/report.c:601
 kasan_check_range+0x27e/0x290 mm/kasan/generic.c:189
 __asan_memmove+0x29/0x70 mm/kasan/shadow.c:94
 hfsplus_bnode_move+0x5f3/0x910 fs/hfsplus/bnode.c:228
 hfsplus_brec_insert+0x61c/0xdd0 fs/hfsplus/brec.c:128
 hfsplus_create_attr+0x49e/0x630 fs/hfsplus/attributes.c:252
 __hfsplus_setxattr+0x6fe/0x22d0 fs/hfsplus/xattr.c:354
 hfsplus_initxattrs+0x158/0x220 fs/hfsplus/xattr_security.c:59
 security_inode_init_security+0x2a7/0x470 security/security.c:1752
 hfsplus_fill_super+0x14d3/0x1c90 fs/hfsplus/super.c:567
 mount_bdev+0x206/0x2d0 fs/super.c:1663
 legacy_get_tree+0xef/0x190 fs/fs_context.c:662
 vfs_get_tree+0x8c/0x2a0 fs/super.c:1784
 do_new_mount+0x2be/0xb40 fs/namespace.c:3352
 do_mount fs/namespace.c:3692 [inline]
 __do_sys_mount fs/namespace.c:3898 [inline]
 __se_sys_mount+0x2d9/0x3c0 fs/namespace.c:3875
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf5/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7fd7936b4d3a
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 5e 04 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff572a70a8 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007fff572a70c0 RCX: 00007fd7936b4d3a
RDX: 0000000020000040 RSI: 0000000020000240 RDI: 00007fff572a70c0
RBP: 0000000000000004 R08: 00007fff572a7100 R09: 00000000000006c8
R10: 0000000000800000 R11: 0000000000000286 R12: 0000000000800000
R13: 00007fff572a7100 R14: 0000000000000003 R15: 0000000000080000
 </TASK>
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

syztest

[Arnaud Lecomte]

#syz test

--- a/fs/hfsplus/brec.c
+++ b/fs/hfsplus/brec.c
@@ -124,6 +124,12 @@ int hfs_brec_insert(struct hfs_find_data *fd, void *entry, int entry_len)
 		data_rec_off += 2;
 	} while (data_rec_off < idx_rec_off);
 
+	if (end_off < data_off) {
+		hfs_dbg(BNODE_MOD, "corrupted node: end_off %u < data_off %u\n", end_off, data_off);
+		if (new_node)
+			hfs_bnode_put(new_node);
+		return -EIO;
+	}
 	/* move data away */
 	hfs_bnode_move(node, data_off + size, data_off,
 		       end_off - data_off);
-- 
2.43.0

Re: [syzbot] [hfs?] kernel BUG in hfsplus_bnode_put

[syzbot]

syzbot has found a reproducer for the following issue on:

HEAD commit:    40f71e7cd3c6 Merge tag 'net-6.4-rc7' of git://git.kernel.o..
git tree:       upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=10482ae3280000
kernel config:  https://syzkaller.appspot.com/x/.config?x=7ff8f87c7ab0e04e
dashboard link: https://syzkaller.appspot.com/bug?extid=005d2a9ecd9fbf525f6a
compiler:       Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=142e7287280000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=13fd185b280000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/073eea957569/disk-40f71e7c.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/c8a97aaa4cdc/vmlinux-40f71e7c.xz
kernel image: https://storage.googleapis.com/syzbot-assets/f536015eacbd/bzImage-40f71e7c.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/b5f1764cd64d/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+005d2a9ecd9fbf525f6a@syzkaller.appspotmail.com

loop0: detected capacity change from 0 to 1024
------------[ cut here ]------------
kernel BUG at fs/hfsplus/bnode.c:618!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 5068 Comm: syz-executor476 Not tainted 6.4.0-rc6-syzkaller-00195-g40f71e7cd3c6 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
RIP: 0010:hfsplus_bnode_put+0x6b7/0x6d0 fs/hfsplus/bnode.c:618
Code: ff 89 d9 80 e1 07 80 c1 03 38 c1 0f 8c 6c fd ff ff 48 89 df e8 ca 5a 81 ff e9 5f fd ff ff e8 50 83 29 ff 0f 0b e8 49 83 29 ff <0f> 0b e8 42 83 29 ff 0f 0b e8 3b 83 29 ff 0f 0b 66 0f 1f 84 00 00
RSP: 0018:ffffc90003c1f510 EFLAGS: 00010293
RAX: ffffffff8261fc57 RBX: ffff888012ad7180 RCX: ffff888014385940
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: ffffffff8261f620 R09: ffffed100255ae31
R10: 0000000000000000 R11: dffffc0000000001 R12: ffff888012ad7100
R13: dffffc0000000000 R14: ffff8880283d4000 R15: dffffc0000000000
FS:  00007f26ad319700(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f26ad31a000 CR3: 000000001fab8000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 hfsplus_bmap_alloc+0x590/0x640 fs/hfsplus/btree.c:414
 hfs_bnode_split+0xde/0x1110 fs/hfsplus/brec.c:245
 hfsplus_brec_insert+0x3a6/0xdd0 fs/hfsplus/brec.c:100
 hfsplus_create_cat+0xeee/0x1bb0 fs/hfsplus/catalog.c:308
 hfsplus_mknod+0x16a/0x2a0 fs/hfsplus/dir.c:494
 vfs_create+0x1e2/0x330 fs/namei.c:3194
 do_mknodat+0x3c6/0x6e0 fs/namei.c:4043
 __do_sys_mknodat fs/namei.c:4071 [inline]
 __se_sys_mknodat fs/namei.c:4068 [inline]
 __x64_sys_mknodat+0xa9/0xc0 fs/namei.c:4068
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f26ad36d769
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f26ad3192f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000103
RAX: ffffffffffffffda RBX: 00007f26ad3f27a0 RCX: 00007f26ad36d769
RDX: 0000000000000000 RSI: 0000000020000080 RDI: 00000000ffffff9c
RBP: 00007f26ad3bf0c0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000103 R11: 0000000000000246 R12: 00007f26ad3bf1c0
R13: 0073756c70736668 R14: e5652d70fedcf551 R15: 00007f26ad3f27a8
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:hfsplus_bnode_put+0x6b7/0x6d0 fs/hfsplus/bnode.c:618
Code: ff 89 d9 80 e1 07 80 c1 03 38 c1 0f 8c 6c fd ff ff 48 89 df e8 ca 5a 81 ff e9 5f fd ff ff e8 50 83 29 ff 0f 0b e8 49 83 29 ff <0f> 0b e8 42 83 29 ff 0f 0b e8 3b 83 29 ff 0f 0b 66 0f 1f 84 00 00
RSP: 0018:ffffc90003c1f510 EFLAGS: 00010293
RAX: ffffffff8261fc57 RBX: ffff888012ad7180 RCX: ffff888014385940
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: ffffffff8261f620 R09: ffffed100255ae31
R10: 0000000000000000 R11: dffffc0000000001 R12: ffff888012ad7100
R13: dffffc0000000000 R14: ffff8880283d4000 R15: dffffc0000000000
FS:  00007f26ad319700(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f26ad31a000 CR3: 000000001fab8000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

syztest

[Chenzhi Yang]

From: Yang Chenzhi <yang.chenzhi@vivo.com>

#syz test

--- a/fs/hfsplus/bnode.c
+++ b/fs/hfsplus/bnode.c
@@ -522,6 +522,7 @@ static struct hfs_bnode *__hfs_bnode_create(struct hfs_btree *tree, u32 cnid)
 		tree->node_hash[hash] = node;
 		tree->node_hash_cnt++;
 	} else {
+		hfs_bnode_get(node2);
 		spin_unlock(&tree->hash_lock);
 		kfree(node);
 		wait_event(node2->lock_wq,
-- 
2.43.0