Open Source and information security mailing list archives
 
Message-ID: <202508110616.33657b6c-lkp@intel.com>
Date: Mon, 11 Aug 2025 13:19:22 +0800
From: kernel test robot <oliver.sang@...el.com>
To: Steven Rostedt <rostedt@...nel.org>
CC: <oe-lkp@...ts.linux.dev>, <lkp@...el.com>, <linux-kernel@...r.kernel.org>,
	<linux-trace-kernel@...r.kernel.org>, Masami Hiramatsu <mhiramat@...nel.org>,
	Mark Rutland <mark.rutland@....com>,
	Mathieu Desnoyers <mathieu.desnoyers@...icios.com>,
	Andrew Morton <akpm@...ux-foundation.org>,
	Peter Zijlstra <peterz@...radead.org>, Namhyung Kim <namhyung@...nel.org>,
	Takaya Saeki <takayas@...gle.com>, Tom Zanussi <zanussi@...nel.org>,
	Thomas Gleixner <tglx@...utronix.de>, Ian Rogers <irogers@...gle.com>,
	<aahringo@...hat.com>, Douglas Raillard <douglas.raillard@....com>,
	<oliver.sang@...el.com>
Subject: Re: [PATCH 3/7] tracing: Have syscall trace events read user space string



Hello,

kernel test robot noticed "BUG:KASAN:slab-out-of-bounds_in_syscall_fault_buffer_enable" on:

commit: 6bc850d6f8f7308a184edfd60ee1acdd89ced128 ("[PATCH 3/7] tracing: Have syscall trace events read user space string")
url: https://github.com/intel-lab-lkp/linux/commits/Steven-Rostedt/tracing-Replace-syscall-RCU-pointer-assignment-with-READ-WRITE_ONCE/20250806-122312
base: https://git.kernel.org/cgit/linux/kernel/git/trace/linux-trace for-next
patch link: https://lore.kernel.org/all/20250805193235.080757106@kernel.org/
patch subject: [PATCH 3/7] tracing: Have syscall trace events read user space string

in testcase: boot

config: x86_64-rhel-9.4-kunit
compiler: gcc-12
test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G

(please refer to attached dmesg/kmsg for entire log/backtrace)


+---------------------------------------------------------------+------------+------------+
|                                                               | 63f89ba6a0 | 6bc850d6f8 |
+---------------------------------------------------------------+------------+------------+
| BUG:KASAN:slab-out-of-bounds_in_syscall_fault_buffer_enable   | 0          | 24         |
+---------------------------------------------------------------+------------+------------+


If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <oliver.sang@...el.com>
| Closes: https://lore.kernel.org/oe-lkp/202508110616.33657b6c-lkp@intel.com


[ 47.226292][ T1] BUG: KASAN: slab-out-of-bounds in syscall_fault_buffer_enable (kernel/trace/trace_syscalls.c:430) 
[   47.227603][    T1] Write of size 8 at addr ffff8881baea5f10 by task swapper/0/1
[   47.228735][    T1]
[   47.229107][    T1] CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.16.0-rc7-00138-g6bc850d6f8f7 #1 PREEMPT(voluntary)
[   47.229114][    T1] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
[   47.229117][    T1] Call Trace:
[   47.229121][    T1]  <TASK>
[ 47.229124][ T1] dump_stack_lvl (lib/dump_stack.c:123 (discriminator 1)) 
[ 47.229134][ T1] print_address_description+0x2c/0x380 
[ 47.229142][ T1] ? syscall_fault_buffer_enable (kernel/trace/trace_syscalls.c:430) 
[ 47.229146][ T1] print_report (mm/kasan/report.c:481) 
[ 47.229150][ T1] ? syscall_fault_buffer_enable (kernel/trace/trace_syscalls.c:430) 
[ 47.229153][ T1] ? kasan_addr_to_slab (mm/kasan/common.c:37) 
[ 47.229156][ T1] ? syscall_fault_buffer_enable (kernel/trace/trace_syscalls.c:430) 
[ 47.229159][ T1] kasan_report (mm/kasan/report.c:595) 
[ 47.229164][ T1] ? syscall_fault_buffer_enable (kernel/trace/trace_syscalls.c:430) 
[ 47.229167][ T1] syscall_fault_buffer_enable (kernel/trace/trace_syscalls.c:430) 
[ 47.229171][ T1] ? mutex_unlock (arch/x86/include/asm/atomic64_64.h:101 include/linux/atomic/atomic-arch-fallback.h:4329 include/linux/atomic/atomic-long.h:1506 include/linux/atomic/atomic-instrumented.h:4481 kernel/locking/mutex.c:167 kernel/locking/mutex.c:537) 
[ 47.229177][ T1] syscall_enter_register (kernel/trace/trace_syscalls.c:729 kernel/trace/trace_syscalls.c:1259) 
[ 47.229181][ T1] __ftrace_event_enable_disable (kernel/trace/trace_events.c:860) 
[ 47.229186][ T1] ? __pfx__printk (kernel/printk/printk.c:2470) 
[ 47.229192][ T1] __ftrace_set_clr_event_nolock (kernel/trace/trace_events.c:890 kernel/trace/trace_events.c:1353) 
[ 47.229197][ T1] event_trace_self_tests (kernel/trace/trace_events.c:1384 (discriminator 1) kernel/trace/trace_events.c:4779 (discriminator 1)) 
[ 47.229203][ T1] ? __pfx_event_trace_self_tests_init (kernel/trace/trace_events.c:4892) 
[ 47.229208][ T1] event_trace_self_tests_init (include/linux/list.h:373 kernel/trace/trace.h:487 kernel/trace/trace_events.c:4871 kernel/trace/trace_events.c:4894) 
[ 47.229212][ T1] do_one_initcall (init/main.c:1274) 
[ 47.229216][ T1] ? __pfx_do_one_initcall (init/main.c:1265) 
[ 47.229219][ T1] ? __pfx_parse_args (kernel/params.c:168) 
[ 47.229223][ T1] ? __kasan_kmalloc (include/linux/kfence.h:58 mm/kasan/common.c:390) 
[ 47.229227][ T1] ? do_initcalls (include/linux/slab.h:909 include/linux/slab.h:1039 init/main.c:1345) 
[ 47.229232][ T1] do_initcalls (init/main.c:1335 init/main.c:1352) 
[ 47.229236][ T1] kernel_init_freeable (init/main.c:1586) 
[ 47.229241][ T1] ? __pfx_kernel_init (init/main.c:1466) 
[ 47.229247][ T1] kernel_init (init/main.c:1476) 
[ 47.229251][ T1] ? calculate_sigpending (kernel/signal.c:194) 
[ 47.229256][ T1] ? __pfx_kernel_init (init/main.c:1466) 
[ 47.229259][ T1] ret_from_fork (arch/x86/kernel/process.c:154) 
[ 47.229265][ T1] ? __pfx_kernel_init (init/main.c:1466) 
[ 47.229269][ T1] ret_from_fork_asm (arch/x86/entry/entry_64.S:258) 
[   47.229275][    T1]  </TASK>
[   47.229276][    T1]
[   47.262431][    T1] Allocated by task 1:
[ 47.263075][ T1] kasan_save_stack (mm/kasan/common.c:48) 
[ 47.263810][ T1] kasan_save_track (arch/x86/include/asm/current.h:25 mm/kasan/common.c:60 mm/kasan/common.c:69) 
[ 47.264530][ T1] __kasan_kmalloc (mm/kasan/common.c:377 mm/kasan/common.c:394) 
[ 47.265210][ T1] syscall_fault_buffer_enable (include/linux/slab.h:905 kernel/trace/trace_syscalls.c:426) 
[ 47.266034][ T1] syscall_enter_register (kernel/trace/trace_syscalls.c:729 kernel/trace/trace_syscalls.c:1259) 
[ 47.266825][ T1] __ftrace_event_enable_disable (kernel/trace/trace_events.c:860) 
[ 47.267743][ T1] __ftrace_set_clr_event_nolock (kernel/trace/trace_events.c:890 kernel/trace/trace_events.c:1353) 
[ 47.268609][ T1] event_trace_self_tests (kernel/trace/trace_events.c:1384 (discriminator 1) kernel/trace/trace_events.c:4779 (discriminator 1)) 
[ 47.269392][ T1] event_trace_self_tests_init (include/linux/list.h:373 kernel/trace/trace.h:487 kernel/trace/trace_events.c:4871 kernel/trace/trace_events.c:4894) 
[ 47.270229][ T1] do_one_initcall (init/main.c:1274) 
[ 47.270971][ T1] do_initcalls (init/main.c:1335 init/main.c:1352) 
[ 47.271669][ T1] kernel_init_freeable (init/main.c:1586) 
[ 47.272429][ T1] kernel_init (init/main.c:1476) 
[ 47.273127][ T1] ret_from_fork (arch/x86/kernel/process.c:154) 
[ 47.273817][ T1] ret_from_fork_asm (arch/x86/entry/entry_64.S:258) 
[   47.274547][    T1]
[   47.274977][    T1] The buggy address belongs to the object at ffff8881baea5f00
[   47.274977][    T1]  which belongs to the cache kmalloc-8 of size 8
[   47.277002][    T1] The buggy address is located 8 bytes to the right of
[   47.277002][    T1]  allocated 8-byte region [ffff8881baea5f00, ffff8881baea5f08)
[   47.279110][    T1]
[   47.279551][    T1] The buggy address belongs to the physical page:
[   47.280447][    T1] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1baea5
[   47.281773][    T1] flags: 0x17ffffc0000000(node=0|zone=2|lastcpupid=0x1fffff)
[   47.282819][    T1] page_type: f5(slab)
[   47.283449][    T1] raw: 0017ffffc0000000 ffff888100041500 dead000000000122 0000000000000000
[   47.284709][    T1] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[   47.286003][    T1] page dumped because: kasan: bad access detected
[   47.286854][    T1] page_owner tracks the page as allocated
[   47.287710][    T1] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 1, tgid 1 (swapper/0), ts 35802055637, free_ts 0
[ 47.290101][ T1] post_alloc_hook (include/linux/page_owner.h:32 mm/page_alloc.c:1704) 
[ 47.290799][ T1] get_page_from_freelist (mm/page_alloc.c:1714 mm/page_alloc.c:3669) 
[ 47.291594][ T1] __alloc_frozen_pages_noprof (mm/page_alloc.c:4959) 
[ 47.292391][ T1] alloc_pages_mpol (mm/mempolicy.c:2421) 
[ 47.293117][ T1] allocate_slab (mm/slub.c:2451 mm/slub.c:2619) 
[ 47.293768][ T1] ___slab_alloc (mm/slub.c:3859 (discriminator 3)) 
[ 47.294447][ T1] __kmalloc_node_track_caller_noprof (mm/slub.c:3949 mm/slub.c:4024 mm/slub.c:4185 mm/slub.c:4327 mm/slub.c:4347) 
[ 47.295322][ T1] kstrdup (mm/util.c:63 mm/util.c:83) 
[ 47.295898][ T1] __kernfs_new_node (fs/kernfs/dir.c:634) 
[ 47.296626][ T1] kernfs_new_node (fs/kernfs/dir.c:713) 
[ 47.297380][ T1] kernfs_create_dir_ns (fs/kernfs/dir.c:1085) 
[ 47.298159][ T1] sysfs_create_dir_ns (fs/sysfs/dir.c:61) 
[ 47.298933][ T1] kobject_add_internal (lib/kobject.c:73 lib/kobject.c:240) 
[ 47.299712][ T1] kobject_init_and_add (lib/kobject.c:374 lib/kobject.c:457) 
[ 47.300448][ T1] net_rx_queue_update_kobjects (net/core/net-sysfs.c:1239 net/core/net-sysfs.c:1301) 
[ 47.301292][ T1] netdev_register_kobject (net/core/net-sysfs.c:2093 net/core/net-sysfs.c:2340) 
[   47.302015][    T1] page_owner free stack trace missing
[   47.302748][    T1]
[   47.303126][    T1] Memory state around the buggy address:
[   47.303914][    T1]  ffff8881baea5e00: 06 fc fc fc 06 fc fc fc 04 fc fc fc 06 fc fc fc
[   47.305085][    T1]  ffff8881baea5e80: 05 fc fc fc 05 fc fc fc 06 fc fc fc fc fc fc fc
[   47.306239][    T1] >ffff8881baea5f00: 00 fc fc fc 07 fc fc fc 00 fc fc fc fa fc fc fc
[   47.307378][    T1]                          ^
[   47.308014][    T1]  ffff8881baea5f80: fa fc fc fc fc fc fc fc 06 fc fc fc 06 fc fc fc
[   47.309220][    T1]  ffff8881baea6000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   47.310929][    T1] ==================================================================
[   47.312186][    T1] Disabling lock debugging due to kernel taint
[   47.318329][    T1] OK
[   47.318896][    T1] Testing event system hyperv: OK


The kernel config and materials to reproduce are available at:
https://download.01.org/0day-ci/archive/20250811/202508110616.33657b6c-lkp@intel.com



-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
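How to read the KASAN block in the report above, as an added example: this script is not part of the kernel test robot report and is not code from the tracing patch under discussion. It parses the "Memory state around the buggy address" shadow lines that KASAN prints (one shadow byte per 8-byte granule: 00 means all 8 bytes are addressable, 01..07 means only the first N are, 0xfc is the slab-object redzone, 0xfa/0xfb a freed object), classifies the granules touched by the reported 8-byte write, and re-derives the "8 bytes to the right of allocated 8-byte region" sentence from the access address and object bounds the report states. The shadow lines and addresses are copied from the report; the poison-value table follows mm/kasan/kasan.h for generic KASAN as I recall it, so verify it against the tree you are debugging. The function names (parse_shadow, classify_access, offset_from_object, analyze) are my own.

```python
"""Decode the 'Memory state around the buggy address' block of a generic
KASAN report and cross-check it against the report's stated access and
object bounds.  Added example; not part of the kernel test robot report."""

import re

GRANULE = 8  # KASAN_GRANULE_SIZE for generic KASAN on x86_64

# Poison values as defined in mm/kasan/kasan.h (generic KASAN), recalled from
# the kernel source; check the copy in the tree you are debugging, since some
# of these have been renamed or renumbered between releases.
POISON = {
    0xF1: "stack left redzone",
    0xF2: "stack mid redzone",
    0xF3: "stack right redzone",
    0xF9: "global redzone",
    0xFA: "freed slab object (with free track metadata)",
    0xFB: "freed slab object",
    0xFC: "slab object redzone",
    0xFE: "page redzone (large kmalloc)",
    0xFF: "freed page",
}

# One shadow line: optional '>' marker, 16-hex-digit base address, 16 bytes.
SHADOW_LINE = re.compile(r"^\s*>?\s*([0-9a-f]{16}):((?:\s+[0-9a-f]{2}){16})\s*$")


def parse_shadow(lines):
    """Return {granule_start_addr: shadow_byte} for every 'addr: xx xx ...' line.

    The '>' KASAN puts on the line containing the bad access is accepted and
    ignored; the '[ts][Tn]' printk prefix must already be stripped.
    """
    shadow = {}
    for line in lines:
        m = SHADOW_LINE.match(line)
        if not m:
            continue
        base = int(m.group(1), 16)
        for i, tok in enumerate(m.group(2).split()):
            shadow[base + i * GRANULE] = int(tok, 16)
    return shadow


def describe(byte):
    """Human-readable meaning of one shadow byte."""
    if byte == 0:
        return "all 8 bytes addressable"
    if 1 <= byte < GRANULE:
        return f"first {byte} byte(s) addressable, rest redzone"
    return POISON.get(byte, f"unknown poison 0x{byte:02x}")


def classify_access(shadow, addr, size):
    """Classify each granule touched by an access of `size` bytes at `addr`.

    Returns [(granule_addr, shadow_byte, description)].  The first granule
    whose shadow byte is non-zero is the one KASAN reports on.
    """
    out = []
    g = addr - addr % GRANULE
    while g < addr + size:
        b = shadow[g]
        out.append((g, b, describe(b)))
        g += GRANULE
    return out


def offset_from_object(addr, obj_start, obj_size):
    """Mirror KASAN's 'located N bytes to the left/right of / inside' sentence.

    Returns (relation, distance) with relation in {'left', 'inside', 'right'}.
    """
    if addr < obj_start:
        return "left", obj_start - addr
    if addr < obj_start + obj_size:
        return "inside", addr - obj_start
    return "right", addr - (obj_start + obj_size)


# Shadow lines copied from the report above, printk prefix removed.
REPORT_SHADOW = """\
 ffff8881baea5e00: 06 fc fc fc 06 fc fc fc 04 fc fc fc 06 fc fc fc
 ffff8881baea5e80: 05 fc fc fc 05 fc fc fc 06 fc fc fc fc fc fc fc
>ffff8881baea5f00: 00 fc fc fc 07 fc fc fc 00 fc fc fc fa fc fc fc
 ffff8881baea5f80: fa fc fc fc fc fc fc fc 06 fc fc fc 06 fc fc fc
 ffff8881baea6000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
""".splitlines()

# Numbers stated in the report header: 'Write of size 8 at addr ...f10',
# object at ...f00 in cache kmalloc-8.
ACCESS_ADDR = 0xFFFF8881BAEA5F10
ACCESS_SIZE = 8
OBJECT_ADDR = 0xFFFF8881BAEA5F00
OBJECT_SIZE = 8


def analyze(lines=REPORT_SHADOW, addr=ACCESS_ADDR, size=ACCESS_SIZE,
            obj=OBJECT_ADDR, obj_size=OBJECT_SIZE):
    """Decode the access against the shadow dump and the object bounds."""
    shadow = parse_shadow(lines)
    rel, dist = offset_from_object(addr, obj, obj_size)
    return {
        "granules": classify_access(shadow, addr, size),
        "relation": rel,
        "distance": dist,
        "object_shadow": shadow[obj],  # 0x00: the 8-byte object is fully live
    }


if __name__ == "__main__":
    r = analyze()
    for g, b, d in r["granules"]:
        print(f"{g:#x}: shadow 0x{b:02x} -> {d}")
    print(f"access is {r['distance']} bytes to the {r['relation']} of the object")
```

Running it confirms that the 8-byte write at ...f10 lands in the third granule of the kmalloc-8 slot that starts at ...f00, and that granule is redzone (0xfc): the object allocated at trace_syscalls.c:426 is 8 bytes long and the write at :430 is 16 bytes past its start. The dump also shows why only a KASAN build catches this. Each kmalloc-8 slot here is padded to 32 bytes (one live 8-byte object, "00", followed by three redzone granules), so the stray write hits poisoned memory; without KASAN the neighbouring 8-byte objects sit back to back and the same write would silently overwrite two of them. An 8-byte allocation that is then written at offset 16 is the usual signature of a size argument that is too small (sizeof of a pointer instead of the structure it points to is the classic case), but line 426 itself is not shown on this page, so that is for the patch author to confirm against the source.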

