* [syzbot] [kernel?] KASAN: slab-out-of-bounds Read in __cpa_addr
@ 2025-10-05 23:30 syzbot
2025-10-06 3:48 ` [PATCH] x86/mm: fix overflow " Rik van Riel
0 siblings, 1 reply; 5+ messages in thread
From: syzbot @ 2025-10-05 23:30 UTC (permalink / raw)
To: bp, dave.hansen, hpa, kas, kevin.brodsky, linux-kernel, luto,
mingo, peterz, riel, rppt, syzkaller-bugs, tglx, wei.liu, x86,
yu-cheng.yu
Hello,
syzbot found the following issue on:
HEAD commit: d104e3d17f7b Merge tag 'cxl-for-6.18' of git://git.kernel...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14c1d334580000
kernel config: https://syzkaller.appspot.com/x/.config?x=fc69e404f541b2c8
dashboard link: https://syzkaller.appspot.com/bug?extid=afec6555eef563c66c97
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1420585b980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15455ee2580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/a74b5722a024/disk-d104e3d1.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/f30801cac4ea/vmlinux-d104e3d1.xz
kernel image: https://storage.googleapis.com/syzbot-assets/6b4de16badcd/bzImage-d104e3d1.xz
The issue was bisected to:
commit 86e6815b316ec0ea8c4bb3c16a033219a52b6060
Author: Yu-cheng Yu <yu-cheng.yu@intel.com>
Date: Fri Jun 6 17:10:35 2025 +0000
x86/mm: Change cpa_flush() to call flush_kernel_range() directly
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=17bbb942580000
final oops: https://syzkaller.appspot.com/x/report.txt?x=147bb942580000
console output: https://syzkaller.appspot.com/x/log.txt?x=107bb942580000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+afec6555eef563c66c97@syzkaller.appspotmail.com
Fixes: 86e6815b316e ("x86/mm: Change cpa_flush() to call flush_kernel_range() directly")
==================================================================
BUG: KASAN: slab-out-of-bounds in __cpa_addr arch/x86/mm/pat/set_memory.c:309 [inline]
BUG: KASAN: slab-out-of-bounds in __cpa_addr+0x1d3/0x220 arch/x86/mm/pat/set_memory.c:306
Read of size 8 at addr ffff88801f75e8f8 by task syz.0.17/5978
CPU: 0 UID: 0 PID: 5978 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xcd/0x630 mm/kasan/report.c:482
kasan_report+0xe0/0x110 mm/kasan/report.c:595
__cpa_addr arch/x86/mm/pat/set_memory.c:309 [inline]
__cpa_addr+0x1d3/0x220 arch/x86/mm/pat/set_memory.c:306
cpa_flush+0x28b/0x8a0 arch/x86/mm/pat/set_memory.c:449
change_page_attr_set_clr+0x34e/0x4a0 arch/x86/mm/pat/set_memory.c:2115
cpa_set_pages_array arch/x86/mm/pat/set_memory.c:2137 [inline]
_set_pages_array+0x1ab/0x2c0 arch/x86/mm/pat/set_memory.c:2521
drm_gem_shmem_get_pages_locked+0x384/0x490 drivers/gpu/drm/drm_gem_shmem_helper.c:214
drm_gem_shmem_mmap drivers/gpu/drm/drm_gem_shmem_helper.c:646 [inline]
drm_gem_shmem_mmap+0xc9/0x550 drivers/gpu/drm/drm_gem_shmem_helper.c:620
drm_gem_mmap_obj+0x1b5/0x560 drivers/gpu/drm/drm_gem.c:1167
drm_gem_mmap+0x40b/0x620 drivers/gpu/drm/drm_gem.c:1245
vfs_mmap include/linux/fs.h:2404 [inline]
mmap_file mm/internal.h:167 [inline]
__mmap_new_file_vma mm/vma.c:2413 [inline]
__mmap_new_vma mm/vma.c:2476 [inline]
__mmap_region+0x1306/0x27a0 mm/vma.c:2670
mmap_region+0x1ab/0x3f0 mm/vma.c:2740
do_mmap+0xa3e/0x1210 mm/mmap.c:558
vm_mmap_pgoff+0x29e/0x470 mm/util.c:580
ksys_mmap_pgoff+0x32c/0x5c0 mm/mmap.c:604
__do_sys_mmap arch/x86/kernel/sys_x86_64.c:89 [inline]
__se_sys_mmap arch/x86/kernel/sys_x86_64.c:82 [inline]
__x64_sys_mmap+0x125/0x190 arch/x86/kernel/sys_x86_64.c:82
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0x4e0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f825658eec9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffcee652688 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
RAX: ffffffffffffffda RBX: 00007f82567e5fa0 RCX: 00007f825658eec9
RDX: 0000000000000004 RSI: 0000000000004000 RDI: 0000200000001000
RBP: 00007f8256611f91 R08: 0000000000000003 R09: 0000000100000000
R10: 0000000000000011 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f82567e5fa0 R14: 00007f82567e5fa0 R15: 0000000000000006
</TASK>
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88801f75fc00 pfn:0x1f75c
head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f8(unknown)
raw: 00fff00000000040 0000000000000000 dead000000000122 0000000000000000
raw: ffff88801f75fc00 0000000000000000 00000000f8000000 0000000000000000
head: 00fff00000000040 0000000000000000 dead000000000122 0000000000000000
head: ffff88801f75fc00 0000000000000000 00000000f8000000 0000000000000000
head: 00fff00000000002 ffffea00007dd701 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0x428c0(GFP_NOWAIT|__GFP_IO|__GFP_FS|__GFP_COMP), pid 5978, tgid 5978 (syz.0.17), ts 72327313076, free_ts 72326414796
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1c0/0x230 mm/page_alloc.c:1850
prep_new_page mm/page_alloc.c:1858 [inline]
get_page_from_freelist+0x10a3/0x3a30 mm/page_alloc.c:3884
__alloc_frozen_pages_noprof+0x25f/0x2470 mm/page_alloc.c:5183
alloc_pages_mpol+0x1fb/0x550 mm/mempolicy.c:2416
___kmalloc_large_node+0xed/0x160 mm/slub.c:5544
__kmalloc_large_node_noprof+0x1c/0x70 mm/slub.c:5575
__do_kmalloc_node mm/slub.c:5591 [inline]
__kvmalloc_node_noprof.cold+0xf/0x66 mm/slub.c:7036
kvmalloc_array_node_noprof include/linux/slab.h:1122 [inline]
drm_gem_get_pages+0x144/0xa10 drivers/gpu/drm/drm_gem.c:647
drm_gem_shmem_get_pages_locked+0x1e6/0x490 drivers/gpu/drm/drm_gem_shmem_helper.c:200
drm_gem_shmem_mmap drivers/gpu/drm/drm_gem_shmem_helper.c:646 [inline]
drm_gem_shmem_mmap+0xc9/0x550 drivers/gpu/drm/drm_gem_shmem_helper.c:620
drm_gem_mmap_obj+0x1b5/0x560 drivers/gpu/drm/drm_gem.c:1167
drm_gem_mmap+0x40b/0x620 drivers/gpu/drm/drm_gem.c:1245
vfs_mmap include/linux/fs.h:2404 [inline]
mmap_file mm/internal.h:167 [inline]
__mmap_new_file_vma mm/vma.c:2413 [inline]
__mmap_new_vma mm/vma.c:2476 [inline]
__mmap_region+0x1306/0x27a0 mm/vma.c:2670
mmap_region+0x1ab/0x3f0 mm/vma.c:2740
do_mmap+0xa3e/0x1210 mm/mmap.c:558
vm_mmap_pgoff+0x29e/0x470 mm/util.c:580
page last free pid 5978 tgid 5978 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1394 [inline]
__free_frozen_pages+0x7df/0x1160 mm/page_alloc.c:2906
stack_depot_save_flags+0x352/0x9c0 lib/stackdepot.c:727
kasan_save_stack+0x42/0x60 mm/kasan/common.c:57
kasan_save_track+0x14/0x30 mm/kasan/common.c:77
poison_kmalloc_redzone mm/kasan/common.c:400 [inline]
__kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:417
kasan_kmalloc include/linux/kasan.h:262 [inline]
__do_kmalloc_node mm/slub.c:5603 [inline]
__kmalloc_node_noprof+0x347/0x8a0 mm/slub.c:5609
kmalloc_array_node_noprof include/linux/slab.h:1075 [inline]
alloc_slab_obj_exts+0x3a/0xd0 mm/slub.c:2115
__memcg_slab_post_alloc_hook+0x251/0x940 mm/memcontrol.c:3172
memcg_slab_post_alloc_hook mm/slub.c:2313 [inline]
slab_post_alloc_hook mm/slub.c:4957 [inline]
slab_alloc_node mm/slub.c:5245 [inline]
kmem_cache_alloc_noprof+0x550/0x6e0 mm/slub.c:5252
anon_vma_chain_alloc mm/rmap.c:141 [inline]
anon_vma_clone+0xd8/0x5c0 mm/rmap.c:287
__split_vma+0x65e/0x1070 mm/vma.c:535
vms_gather_munmap_vmas+0x1cb/0x1340 mm/vma.c:1359
__mmap_prepare mm/vma.c:2359 [inline]
__mmap_region+0x434/0x27a0 mm/vma.c:2652
mmap_region+0x1ab/0x3f0 mm/vma.c:2740
do_mmap+0xa3e/0x1210 mm/mmap.c:558
vm_mmap_pgoff+0x29e/0x470 mm/util.c:580
Memory state around the buggy address:
ffff88801f75e780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88801f75e800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88801f75e880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe
^
ffff88801f75e900: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
ffff88801f75e980: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
^ permalink raw reply [flat|nested] 5+ messages in thread
* [PATCH] x86/mm: fix overflow in __cpa_addr
2025-10-05 23:30 [syzbot] [kernel?] KASAN: slab-out-of-bounds Read in __cpa_addr syzbot
@ 2025-10-06 3:48 ` Rik van Riel
2025-10-06 11:58 ` Kiryl Shutsemau
2025-10-06 22:22 ` Dave Hansen
0 siblings, 2 replies; 5+ messages in thread
From: Rik van Riel @ 2025-10-06 3:48 UTC (permalink / raw)
To: syzbot
Cc: bp, dave.hansen, hpa, kas, kevin.brodsky, linux-kernel, luto,
mingo, peterz, rppt, syzkaller-bugs, tglx, wei.liu, x86,
yu-cheng.yu
On Sun, 05 Oct 2025 16:30:24 -0700
syzbot <syzbot+afec6555eef563c66c97@syzkaller.appspotmail.com> wrote:
> ==================================================================
> BUG: KASAN: slab-out-of-bounds in __cpa_addr arch/x86/mm/pat/set_memory.c:309 [inline]
> BUG: KASAN: slab-out-of-bounds in __cpa_addr+0x1d3/0x220 arch/x86/mm/pat/set_memory.c:306
> Read of size 8 at addr ffff88801f75e8f8 by task syz.0.17/5978
This should fix it, unless syzbot finds an unexpected new way to
torture things.
---8<---
From e32cd734444d9a95bb2d1067d934f33ab66f050b Mon Sep 17 00:00:00 2001
From: Rik van Riel <riel@surriel.com>
Date: Sun, 5 Oct 2025 23:32:48 -0400
Subject: [PATCH] x86/mm: fix overflow in __cpa_addr
The change to have cpa_flush() call flush_kernel_pages() introduced
a bug where __cpa_addr() can access an address one larger than the
largest one in the cpa->pages array.
KASAN reports the issue like this:
BUG: KASAN: slab-out-of-bounds in __cpa_addr arch/x86/mm/pat/set_memory.c:309 [inline]
BUG: KASAN: slab-out-of-bounds in __cpa_addr+0x1d3/0x220 arch/x86/mm/pat/set_memory.c:306
Read of size 8 at addr ffff88801f75e8f8 by task syz.0.17/5978
This bug could cause cpa_flush() to not properly flush memory,
which somehow never showed any symptoms in my tests, possibly
because cpa_flush() is called so rarely, but could potentially
cause issues for other people.
Fix the issue by directly calculating the flush end address
from the start address.
Signed-off-by: Rik van Riel <riel@surriel.com>
Cc: stable@kernel.org
Reported-by: syzbot+afec6555eef563c66c97@syzkaller.appspotmail.com
Fixes: 86e6815b316e ("x86/mm: Change cpa_flush() to call flush_kernel_range() directly")
---
arch/x86/mm/pat/set_memory.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/x86/mm/pat/set_memory.c b/arch/x86/mm/pat/set_memory.c
index d2d54b8c4dbb..970981893c9b 100644
--- a/arch/x86/mm/pat/set_memory.c
+++ b/arch/x86/mm/pat/set_memory.c
@@ -446,7 +446,7 @@ static void cpa_flush(struct cpa_data *cpa, int cache)
}
start = fix_addr(__cpa_addr(cpa, 0));
- end = fix_addr(__cpa_addr(cpa, cpa->numpages));
+ end = start + cpa->numpages * PAGE_SIZE;
if (cpa->force_flush_all)
end = TLB_FLUSH_ALL;
--
2.51.0
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] x86/mm: fix overflow in __cpa_addr
2025-10-06 3:48 ` [PATCH] x86/mm: fix overflow " Rik van Riel
@ 2025-10-06 11:58 ` Kiryl Shutsemau
2025-10-06 22:22 ` Dave Hansen
1 sibling, 0 replies; 5+ messages in thread
From: Kiryl Shutsemau @ 2025-10-06 11:58 UTC (permalink / raw)
To: Rik van Riel
Cc: syzbot, bp, dave.hansen, hpa, kevin.brodsky, linux-kernel, luto,
mingo, peterz, rppt, syzkaller-bugs, tglx, wei.liu, x86,
yu-cheng.yu
On Sun, Oct 05, 2025 at 11:48:05PM -0400, Rik van Riel wrote:
> On Sun, 05 Oct 2025 16:30:24 -0700
> syzbot <syzbot+afec6555eef563c66c97@syzkaller.appspotmail.com> wrote:
>
>
> > ==================================================================
> > BUG: KASAN: slab-out-of-bounds in __cpa_addr arch/x86/mm/pat/set_memory.c:309 [inline]
> > BUG: KASAN: slab-out-of-bounds in __cpa_addr+0x1d3/0x220 arch/x86/mm/pat/set_memory.c:306
> > Read of size 8 at addr ffff88801f75e8f8 by task syz.0.17/5978
>
> This should fix it, unless syzbot finds an unexpected new way to
> torture things.
>
> ---8<---
> From e32cd734444d9a95bb2d1067d934f33ab66f050b Mon Sep 17 00:00:00 2001
> From: Rik van Riel <riel@surriel.com>
> Date: Sun, 5 Oct 2025 23:32:48 -0400
> Subject: [PATCH] x86/mm: fix overflow in __cpa_addr
>
> The change to have cpa_flush() call flush_kernel_pages() introduced
> a bug where __cpa_addr() can access an address one larger than the
> largest one in the cpa->pages array.
>
> KASAN reports the issue like this:
>
> BUG: KASAN: slab-out-of-bounds in __cpa_addr arch/x86/mm/pat/set_memory.c:309 [inline]
> BUG: KASAN: slab-out-of-bounds in __cpa_addr+0x1d3/0x220 arch/x86/mm/pat/set_memory.c:306
> Read of size 8 at addr ffff88801f75e8f8 by task syz.0.17/5978
>
> This bug could cause cpa_flush() to not properly flush memory,
> which somehow never showed any symptoms in my tests, possibly
> because cpa_flush() is called so rarely, but could potentially
> cause issues for other people.
>
> Fix the issue by directly calculating the flush end address
> from the start address.
>
> Signed-off-by: Rik van Riel <riel@surriel.com>
> Cc: stable@kernel.org
> Reported-by: syzbot+afec6555eef563c66c97@syzkaller.appspotmail.com
> Fixes: 86e6815b316e ("x86/mm: Change cpa_flush() to call flush_kernel_range() directly")
Reviewed-by: Kiryl Shutsemau <kas@kernel.org>
--
Kiryl Shutsemau / Kirill A. Shutemov
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] x86/mm: fix overflow in __cpa_addr
2025-10-06 3:48 ` [PATCH] x86/mm: fix overflow " Rik van Riel
2025-10-06 11:58 ` Kiryl Shutsemau
@ 2025-10-06 22:22 ` Dave Hansen
2025-10-07 17:23 ` Rik van Riel
1 sibling, 1 reply; 5+ messages in thread
From: Dave Hansen @ 2025-10-06 22:22 UTC (permalink / raw)
To: Rik van Riel, syzbot
Cc: bp, dave.hansen, hpa, kas, kevin.brodsky, linux-kernel, luto,
mingo, peterz, rppt, syzkaller-bugs, tglx, wei.liu, x86,
yu-cheng.yu
On 10/5/25 20:48, Rik van Riel wrote:
> Signed-off-by: Rik van Riel <riel@surriel.com>
> Cc: stable@kernel.org
> Reported-by: syzbot+afec6555eef563c66c97@syzkaller.appspotmail.com
> Fixes: 86e6815b316e ("x86/mm: Change cpa_flush() to call flush_kernel_range() directly")
Hi Folks,
Thanks for the quick fix here!
But this doesn't need to go to stable, right? I think it just went to
Linus during the merge window last week so it never made it to a
release, so won't need a stable backport.
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] x86/mm: fix overflow in __cpa_addr
2025-10-06 22:22 ` Dave Hansen
@ 2025-10-07 17:23 ` Rik van Riel
0 siblings, 0 replies; 5+ messages in thread
From: Rik van Riel @ 2025-10-07 17:23 UTC (permalink / raw)
To: Dave Hansen, syzbot
Cc: bp, dave.hansen, hpa, kas, kevin.brodsky, linux-kernel, luto,
mingo, peterz, rppt, syzkaller-bugs, tglx, wei.liu, x86,
yu-cheng.yu
On Mon, 2025-10-06 at 15:22 -0700, Dave Hansen wrote:
> On 10/5/25 20:48, Rik van Riel wrote:
> > Signed-off-by: Rik van Riel <riel@surriel.com>
> > Cc: stable@kernel.org
> > Reported-by: syzbot+afec6555eef563c66c97@syzkaller.appspotmail.com
> > Fixes: 86e6815b316e ("x86/mm: Change cpa_flush() to call
> > flush_kernel_range() directly")
>
> Hi Folks,
>
> Thanks for the quick fix here!
>
> But this doesn't need to go to stable, right? I think it just went to
> Linus during the merge window last week so it never made it to a
> release, so won't need a stable backport.
>
Oh good point.
I had totally lost track of when the problem
was merged upstream in the first place.
--
All Rights Reversed.
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2025-10-07 17:24 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2025-10-05 23:30 [syzbot] [kernel?] KASAN: slab-out-of-bounds Read in __cpa_addr syzbot
2025-10-06 3:48 ` [PATCH] x86/mm: fix overflow " Rik van Riel
2025-10-06 11:58 ` Kiryl Shutsemau
2025-10-06 22:22 ` Dave Hansen
2025-10-07 17:23 ` Rik van Riel
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox
Powered by JetHome