From: Yury Norov <yury.norov@gmail.com>
To: Andrew Morton
Cc: syzbot, linux-kernel@vger.kernel.org, linux-mm@kvack.org, linux-next@vger.kernel.org, sfr@canb.auug.org.au, syzkaller-bugs@googlegroups.com, Andrey Ryabinin, Alexander Potapenko, Andrey Konovalov, Dmitry Vyukov, Vincenzo Frascino
Subject: Re: [syzbot] linux-next boot error: KASAN: slab-out-of-bounds Read in _find_next_bit
Date: Tue, 6 Sep 2022 17:45:07 -0700
In-Reply-To: <20220906173154.6f2664c8fc6b83470c5dfea1@linux-foundation.org>
References: <000000000000974e2805e802137e@google.com> <20220906173154.6f2664c8fc6b83470c5dfea1@linux-foundation.org>

On Tue, Sep 06, 2022 at 05:31:54PM -0700, Andrew Morton wrote:
> (cc Yury and KASAN developers)
> 
> On Tue, 06 Sep 2022 06:21:39 -0700 syzbot wrote:
> 
> > Hello,
> > 
> > syzbot found the following issue on:
> > 
> > HEAD commit:    840126e36e8f Add linux-next specific files for 20220906
> > git tree:       linux-next
> > console output: https://syzkaller.appspot.com/x/log.txt?x=1216969b080000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=239c4c4e44185526
> > dashboard link: https://syzkaller.appspot.com/bug?extid=08ca1fa706a22cc17efe
> > compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> > 
> > Downloadable assets:
> > disk image: https://storage.googleapis.com/syzbot-assets/1b9017e387a8/disk-840126e3.raw.xz
> > vmlinux: https://storage.googleapis.com/syzbot-assets/12182558f88d/vmlinux-840126e3.xz
> > 
> > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > Reported-by: syzbot+08ca1fa706a22cc17efe@syzkaller.appspotmail.com
> > 
> > ==================================================================
> > BUG: KASAN: slab-out-of-bounds in _find_next_bit+0x143/0x160 lib/find_bit.c:109
> 
> Presumably the for_each_clear_bitrange() in pcpu_balance_populated().
> 
> > Read of size 8 at addr ffff8880175766b8 by task kworker/1:1/26
> 
> An eight byte read...
> 
> > CPU: 1 PID: 26 Comm: kworker/1:1 Not tainted 6.0.0-rc4-next-20220906-syzkaller #0
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
> > Workqueue: events pcpu_balance_workfn
> > Call Trace:
> > 
> >  __dump_stack lib/dump_stack.c:88 [inline]
> >  dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
> >  print_address_description mm/kasan/report.c:287 [inline]
> >  print_report+0x164/0x463 mm/kasan/report.c:398
> >  kasan_report+0xbb/0x1f0 mm/kasan/report.c:486
> >  _find_next_bit+0x143/0x160 lib/find_bit.c:109
> >  find_next_bit include/linux/find.h:55 [inline]
> >  pcpu_balance_populated mm/percpu.c:2086 [inline]
> >  pcpu_balance_workfn+0x6c0/0xea0 mm/percpu.c:2246
> >  process_one_work+0x991/0x1610 kernel/workqueue.c:2289
> >  worker_thread+0x665/0x1080 kernel/workqueue.c:2436
> >  kthread+0x2e4/0x3a0 kernel/kthread.c:376
> >  ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
> > 
> > 
> > Allocated by task 26:
> >  kasan_save_stack+0x1e/0x40 mm/kasan/common.c:45
> >  kasan_set_track+0x21/0x30 mm/kasan/common.c:52
> >  ____kasan_kmalloc mm/kasan/common.c:371 [inline]
> >  ____kasan_kmalloc mm/kasan/common.c:330 [inline]
> >  __kasan_kmalloc+0xa1/0xb0 mm/kasan/common.c:380
> >  kasan_kmalloc include/linux/kasan.h:211 [inline]
> >  __do_kmalloc_node mm/slab_common.c:931 [inline]
> >  __kmalloc+0x54/0xc0 mm/slab_common.c:944
> >  kmalloc include/linux/slab.h:565 [inline]
> >  kzalloc include/linux/slab.h:696 [inline]
> >  pcpu_mem_zalloc+0x70/0xa0 mm/percpu.c:514
> >  pcpu_alloc_chunk mm/percpu.c:1446 [inline]
> >  pcpu_create_chunk+0x23/0x930 mm/percpu-vm.c:338
> >  pcpu_balance_populated mm/percpu.c:2108 [inline]
> >  pcpu_balance_workfn+0xc4e/0xea0 mm/percpu.c:2246
> >  process_one_work+0x991/0x1610 kernel/workqueue.c:2289
> >  worker_thread+0x665/0x1080 kernel/workqueue.c:2436
> >  kthread+0x2e4/0x3a0 kernel/kthread.c:376
> >  ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
> > 
> > The buggy address belongs to the object at ffff888017576600
> >  which belongs to the cache kmalloc-192 of size 192
> > The buggy address is located 184 bytes inside of
> >  192-byte region [ffff888017576600, ffff8880175766c0)
> 
> At offset 184 of a 192-byte region.
> 
> So what's wrong with doing that?  Does KASAN have an off-by-one?

Hi Andrew, all,

This is a bug in FIND_NEXT_BIT(). It should be

	if (idx >= sz / BITS_PER_LONG)					\
		goto out;						\

instead of

	if (idx > sz / BITS_PER_LONG)					\
		goto out;						\

The fix is in bitmap-for-next, expected to be in -next by tomorrow.

Sorry for the noise.

Thanks,
Yury
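The off-by-one in the reply, worked through in a small C model. This is an added example, not code from the thread and not the kernel's lib/find_bit.c. The reply quotes only the condition, so the model assumes the check sits directly after idx++ and before the next word is fetched; the two constructed bitmaps, the sentinel guard word after each, the instrumented fetch() and the third bound (idx * BITS_PER_LONG >= sz, included for comparison) are all this example's own constructions. A fetch of the sentinel is the model's counterpart of the KASAN report: with a bitmap that is a whole number of words and no set bit left, the `>` test lets idx reach sz / BITS_PER_LONG and the word just past the end is read, while `>=` stops first. One detail worth knowing when reading the report itself: KASAN poisons the tail of a kmalloc() object beyond the size the caller asked for, so a read 184 bytes into a kmalloc-192 slot is still out of bounds when the buffer allocated there is shorter than that.

```c
#include <stdio.h>

#define BITS_PER_LONG	(8 * sizeof(unsigned long))
#define WORDS		2	/* words of real bitmap storage in each case */
#define SENTINEL	(~0UL)	/* guard word after the storage; fetching it is an overrun */

/* Termination test applied after idx++ in the scan loop (placement assumed). */
enum bound_check {
	BOUND_GT,		/* idx >  sz / BITS_PER_LONG : the condition the reply calls buggy */
	BOUND_GE,		/* idx >= sz / BITS_PER_LONG : the condition the reply gives as the fix */
	BOUND_WORD_EXACT,	/* idx * BITS_PER_LONG >= sz : bound in bits, added here for comparison */
};

/* Instrumented word fetch; *oob plays the role KASAN plays in the report. */
static unsigned long fetch(const unsigned long *addr, unsigned long nwords,
			   unsigned long idx, int *oob)
{
	if (idx >= nwords)
		*oob = 1;
	return addr[idx];	/* addr[nwords] is the sentinel, never part of the bitmap */
}

/*
 * Model of find_next_bit(): index of the first set bit at or after 'start',
 * or 'size' if there is none. 'size' is in bits, 'nwords' is the storage.
 */
static unsigned long model_find_next_bit(const unsigned long *addr,
					 unsigned long nwords, unsigned long size,
					 unsigned long start, enum bound_check how,
					 int *oob)
{
	unsigned long idx, tmp, mask, bit;

	if (start >= size)
		return size;

	idx = start / BITS_PER_LONG;
	mask = ~0UL << (start % BITS_PER_LONG);

	for (tmp = fetch(addr, nwords, idx, oob) & mask; !tmp;
	     tmp = fetch(addr, nwords, idx, oob)) {
		idx++;
		if (how == BOUND_GT && idx > size / BITS_PER_LONG)
			return size;
		if (how == BOUND_GE && idx >= size / BITS_PER_LONG)
			return size;
		if (how == BOUND_WORD_EXACT && idx * BITS_PER_LONG >= size)
			return size;
	}

	bit = idx * BITS_PER_LONG + (unsigned long)__builtin_ctzl(tmp);
	return bit < size ? bit : size;
}

/* Bit-by-bit reference that never touches a bit at or beyond 'size'. */
static unsigned long reference_find_next_bit(const unsigned long *addr,
					     unsigned long size, unsigned long start)
{
	unsigned long i;

	for (i = start; i < size; i++)
		if (addr[i / BITS_PER_LONG] & (1UL << (i % BITS_PER_LONG)))
			return i;
	return size;
}

/*
 * Two constructed bitmaps, each followed by a sentinel word:
 *   case 0: exactly 2 * BITS_PER_LONG bits, all clear, so the scan runs to
 *           the end of the map (the shape behind the report above);
 *   case 1: BITS_PER_LONG + 6 valid bits, with bit BITS_PER_LONG + 5 set
 *           in the partial last word.
 * Returns 1 if 'how' agrees with the reference for every start position
 * and never fetched past the storage, 0 if some result was wrong, -1 if
 * any fetch went past the end of the bitmap.
 */
static int verdict(int partial_last_word, enum bound_check how)
{
	static const unsigned long full[WORDS + 1]    = { 0, 0, SENTINEL };
	static const unsigned long partial[WORDS + 1] = { 0, 1UL << 5, SENTINEL };
	const unsigned long *addr = partial_last_word ? partial : full;
	unsigned long size = partial_last_word ? BITS_PER_LONG + 6 : 2 * BITS_PER_LONG;
	unsigned long start;
	int ok = 1, oob = 0;

	for (start = 0; start <= size; start++)
		if (model_find_next_bit(addr, WORDS, size, start, how, &oob) !=
		    reference_find_next_bit(addr, size, start))
			ok = 0;
	return oob ? -1 : ok;
}

int main(void)
{
	static const char *names[] = { "idx > sz/BPL", "idx >= sz/BPL", "idx*BPL >= sz" };
	static const char *text[] = { "read past end of bitmap", "wrong result", "correct" };
	int c, how;

	for (c = 0; c < 2; c++)
		for (how = BOUND_GT; how <= BOUND_WORD_EXACT; how++)
			printf("case %d, %-14s: %s\n", c, names[how],
			       text[verdict(c, how) + 1]);
	return 0;
}
```

Build with cc -Wall and run it; each case prints one line per bound. In case 0 only the `>` test reads the sentinel, which is the report's slab-out-of-bounds in miniature, and `>=` stops at the boundary. Case 1 is the caveat: sz / BITS_PER_LONG truncates, so with the check placed after idx++ as assumed here, `>=` gives up one word early and misses a bit in a partial trailing word, while a bound expressed in bits is right in both cases. Whether that applies to the real macro depends on where the check sits relative to the fetch, which the thread does not show.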