Hello, kernel test robot noticed "BUG:KASAN:global-out-of-bounds_in__cgroup_bpf_check_dev_permission" on: commit: fa410b506a9aa6faf7277cd478e670670d73a206 ("[PATCH] include: linux: Fix flex array member not at the end in bpf_empty_prog_array") url: https://github.com/intel-lab-lkp/linux/commits/Philipp-Hortmann/include-linux-Fix-flex-array-member-not-at-the-end-in-bpf_empty_prog_array/20241001-022346 base: https://git.kernel.org/cgit/linux/kernel/git/bpf/bpf-next.git master patch link: https://lore.kernel.org/all/20240930181700.22839-1-philipp.g.hortmann@xxxxxxxxx/ patch subject: [PATCH] include: linux: Fix flex array member not at the end in bpf_empty_prog_array in testcase: boot compiler: gcc-12 test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G (please refer to attached dmesg/kmsg for entire log/backtrace) +--------------------------------------------------------------------+------------+------------+ | | 93eeaab456 | fa410b506a | +--------------------------------------------------------------------+------------+------------+ | BUG:KASAN:global-out-of-bounds_in__cgroup_bpf_check_dev_permission | 0 | 12 | +--------------------------------------------------------------------+------------+------------+ If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <oliver.sang@xxxxxxxxx> | Closes: https://lore.kernel.org/oe-lkp/202410062215.255fb5b7-oliver.sang@xxxxxxxxx [ 23.682727][ T112] BUG: KASAN: global-out-of-bounds in __cgroup_bpf_check_dev_permission (kernel/bpf/cgroup.c:49 kernel/bpf/cgroup.c:1545) [ 23.683467][ T112] Read of size 8 at addr ffffffffa8495ff8 by task (modprobe)/112 [ 23.684089][ T112] [ 23.684349][ T112] CPU: 1 UID: 0 PID: 112 Comm: (modprobe) Not tainted 6.11.0-10575-gfa410b506a9a #1 [ 23.685081][ T112] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 [ 23.685872][ T112] Call Trace: [ 23.686179][ T112] <TASK> [ 23.686457][ T112] dump_stack_lvl (lib/dump_stack.c:123 (discriminator 1)) [ 23.686839][ T112] print_address_description+0x2c/0x3a0 [ 23.687351][ T112] ? __cgroup_bpf_check_dev_permission (kernel/bpf/cgroup.c:49 kernel/bpf/cgroup.c:1545) [ 23.687856][ T112] print_report (mm/kasan/report.c:489) [ 23.688241][ T112] ? kasan_addr_to_slab (mm/kasan/common.c:37) [ 23.688648][ T112] ? __cgroup_bpf_check_dev_permission (kernel/bpf/cgroup.c:49 kernel/bpf/cgroup.c:1545) [ 23.689148][ T112] kasan_report (mm/kasan/report.c:603) [ 23.689523][ T112] ? __cgroup_bpf_check_dev_permission (kernel/bpf/cgroup.c:49 kernel/bpf/cgroup.c:1545) [ 23.690028][ T112] __cgroup_bpf_check_dev_permission (kernel/bpf/cgroup.c:49 kernel/bpf/cgroup.c:1545) [ 23.690524][ T112] ? __pfx_make_vfsuid (fs/mnt_idmapping.c:82) [ 23.690932][ T112] ? read_word_at_a_time (include/asm-generic/rwonce.h:86) [ 23.691342][ T112] ? __pfx___cgroup_bpf_check_dev_permission (kernel/bpf/cgroup.c:1534) [ 23.691867][ T112] ? __pfx_make_vfsuid (fs/mnt_idmapping.c:82) [ 23.692282][ T112] ? generic_permission (fs/namei.c:353 fs/namei.c:414) [ 23.692700][ T112] devcgroup_check_permission (security/device_cgroup.c:864) [ 23.693150][ T112] inode_permission (fs/namei.c:540 fs/namei.c:510) [ 23.693549][ T112] ? try_to_unlazy (fs/namei.c:793) [ 23.693941][ T112] may_open (fs/namei.c:3365) [ 23.694288][ T112] do_open (fs/namei.c:3772) [ 23.694638][ T112] path_openat (fs/namei.c:3934) [ 23.695008][ T112] ? __pfx_path_openat (fs/namei.c:3915) [ 23.695410][ T112] do_filp_open (fs/namei.c:3960) [ 23.695788][ T112] ? __pfx_do_filp_open (fs/namei.c:3954) [ 23.696201][ T112] ? alloc_fd (fs/file.c:556 (discriminator 10)) [ 23.696580][ T112] ? getname_flags (include/linux/audit.h:316) [ 23.697003][ T112] do_sys_openat2 (fs/open.c:1415) [ 23.697390][ T112] ? __pfx_do_sys_openat2 (fs/open.c:1401) [ 23.697810][ T112] ? kvm_sched_clock_read (arch/x86/kernel/kvmclock.c:91) [ 23.698231][ T112] ? sched_clock (arch/x86/include/asm/preempt.h:94 arch/x86/kernel/tsc.c:285) [ 23.698602][ T112] ? sched_clock_cpu (kernel/sched/clock.c:394) [ 23.698999][ T112] ? kvm_sched_clock_read (arch/x86/kernel/kvmclock.c:91) [ 23.699420][ T112] ? sched_clock (arch/x86/include/asm/preempt.h:94 arch/x86/kernel/tsc.c:285) [ 23.699793][ T112] ? sched_clock_cpu (kernel/sched/clock.c:394) [ 23.700190][ T112] __x64_sys_openat (fs/open.c:1441) [ 23.700608][ T112] ? __pfx_sched_clock_cpu (kernel/sched/clock.c:389) [ 23.701030][ T112] ? __pfx___x64_sys_openat (fs/open.c:1441) [ 23.701462][ T112] ? kmem_cache_free (mm/slub.c:2308 mm/slub.c:4580 mm/slub.c:4682) [ 23.701869][ T112] ? irqtime_account_irq (kernel/sched/cputime.c:64) [ 23.702291][ T112] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) [ 23.702666][ T112] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) [ 23.703132][ T112] RIP: 0033:0x7efe9635df01 [ 23.703505][ T112] Code: 75 57 89 f0 25 00 00 41 00 3d 00 00 41 00 74 49 80 3d ea 26 0e 00 00 74 6d 89 da 48 89 ee bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 93 00 00 00 48 8b 54 24 28 64 48 2b 14 25 All code ======== 0: 75 57 jne 0x59 2: 89 f0 mov %esi,%eax 4: 25 00 00 41 00 and $0x410000,%eax 9: 3d 00 00 41 00 cmp $0x410000,%eax e: 74 49 je 0x59 10: 80 3d ea 26 0e 00 00 cmpb $0x0,0xe26ea(%rip) # 0xe2701 17: 74 6d je 0x86 19: 89 da mov %ebx,%edx 1b: 48 89 ee mov %rbp,%rsi 1e: bf 9c ff ff ff mov $0xffffff9c,%edi 23: b8 01 01 00 00 mov $0x101,%eax 28: 0f 05 syscall 2a:* 48 3d 00 f0 ff ff cmp $0xfffffffffffff000,%rax <-- trapping instruction 30: 0f 87 93 00 00 00 ja 0xc9 36: 48 8b 54 24 28 mov 0x28(%rsp),%rdx 3b: 64 fs 3c: 48 rex.W 3d: 2b .byte 0x2b 3e: 14 25 adc $0x25,%al Code starting with the faulting instruction =========================================== 0: 48 3d 00 f0 ff ff cmp $0xfffffffffffff000,%rax 6: 0f 87 93 00 00 00 ja 0x9f c: 48 8b 54 24 28 mov 0x28(%rsp),%rdx 11: 64 fs 12: 48 rex.W 13: 2b .byte 0x2b 14: 14 25 adc $0x25,%al [ 23.704934][ T112] RSP: 002b:00007ffdf04d5790 EFLAGS: 00000202 ORIG_RAX: 0000000000000101 [ 23.705595][ T112] RAX: ffffffffffffffda RBX: 0000000000000100 RCX: 00007efe9635df01 [ 23.708307][ T112] RDX: 0000000000000100 RSI: 00007efe968bd74b RDI: 00000000ffffff9c [ 23.708942][ T112] RBP: 00007efe968bd74b R08: 0000000000000007 R09: 000055d1f2bf6cc0 [ 23.709571][ T112] R10: 0000000000000000 R11: 0000000000000202 R12: 000055d1f2bf6cc0 [ 23.710203][ T112] R13: 000055d1f2b45540 R14: 00007ffdf04d5d50 R15: 000055d1f2b42520 [ 23.710833][ T112] </TASK> [ 23.711116][ T112] [ 23.711351][ T112] The buggy address belongs to the variable: [ 23.711816][ T112] bpf_empty_prog_array+0x18/0x40 [ 23.712227][ T112] [ 23.712471][ T112] The buggy address belongs to the physical page: [ 23.712963][ T112] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x17e695 [ 23.713649][ T112] flags: 0x17ffffc0002000(reserved|node=0|zone=2|lastcpupid=0x1fffff) [ 23.714299][ T112] raw: 0017ffffc0002000 ffffea0005f9a548 ffffea0005f9a548 0000000000000000 [ 23.714968][ T112] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 23.715641][ T112] page dumped because: kasan: bad access detected [ 23.716134][ T112] page_owner info is not present (never set?) [ 23.716613][ T112] [ 23.716851][ T112] Memory state around the buggy address: [ 23.717296][ T112] ffffffffa8495e80: 00 00 00 f9 f9 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 [ 23.717932][ T112] ffffffffa8495f00: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 [ 23.718573][ T112] >ffffffffa8495f80: f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9 00 00 00 f9 [ 23.719207][ T112] ^ [ 23.719841][ T112] ffffffffa8496000: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 [ 23.720480][ T112] ffffffffa8496080: f9 f9 f9 f9 01 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 [ 23.721119][ T112] ================================================================== [ 23.721795][ T112] Disabling lock debugging due to kernel taint The kernel config and materials to reproduce are available at: https://download.01.org/0day-ci/archive/20241006/202410062215.255fb5b7-oliver.sang@xxxxxxxxx -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki