Hello, syzbot found the following issue on: HEAD commit: 17cb8a20bde6 Add linux-next specific files for 20231215 git tree: linux-next console+strace: https://syzkaller.appspot.com/x/log.txt?x=1129f3b6e80000 kernel config: https://syzkaller.appspot.com/x/.config?x=ec104439b5dbc583 dashboard link: https://syzkaller.appspot.com/bug?extid=8ffb0839a24e9c6bfa76 compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40 syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17d23c01e80000 C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14cfe021e80000 Downloadable assets: disk image: https://storage.googleapis.com/syzbot-assets/ae1915546a0a/disk-17cb8a20.raw.xz vmlinux: https://storage.googleapis.com/syzbot-assets/b0f2ec7a35f4/vmlinux-17cb8a20.xz kernel image: https://storage.googleapis.com/syzbot-assets/619edb9cb864/bzImage-17cb8a20.xz The issue was bisected to: commit 47309ea1359115125d9cab17a279c8df72b47235 Author: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx> Date: Tue Nov 28 06:52:57 2023 +0000 crypto: arc4 - Add internal state bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=130bb292e80000 final oops: https://syzkaller.appspot.com/x/report.txt?x=108bb292e80000 console output: https://syzkaller.appspot.com/x/log.txt?x=170bb292e80000 IMPORTANT: if you fix the issue, please add the following tag to the commit: Reported-by: syzbot+8ffb0839a24e9c6bfa76@xxxxxxxxxxxxxxxxxxxxxxxxx Fixes: 47309ea13591 ("crypto: arc4 - Add internal state") "syz-executor161" (5061) uses obsolete ecb(arc4) skcipher ================================================================== BUG: KASAN: slab-out-of-bounds in arc4_crypt+0x31c/0x4e0 lib/crypto/arc4.c:46 Read of size 4 at addr ffff888079f44ee0 by task syz-executor161/5061 CPU: 1 PID: 5061 Comm: syz-executor161 Not tainted 6.7.0-rc5-next-20231215-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:377 [inline] print_report+0xc3/0x620 mm/kasan/report.c:488 kasan_report+0xd9/0x110 mm/kasan/report.c:601 arc4_crypt+0x31c/0x4e0 lib/crypto/arc4.c:46 crypto_arc4_crypt+0x61/0x70 crypto/arc4.c:37 crypto_lskcipher_crypt_sg+0x28c/0x460 crypto/lskcipher.c:229 crypto_skcipher_decrypt+0xda/0x160 crypto/skcipher.c:693 _skcipher_recvmsg crypto/algif_skcipher.c:199 [inline] skcipher_recvmsg+0xc2b/0x1040 crypto/algif_skcipher.c:221 sock_recvmsg_nosec net/socket.c:1044 [inline] sock_recvmsg+0xe2/0x170 net/socket.c:1066 ____sys_recvmsg+0x21f/0x5c0 net/socket.c:2801 ___sys_recvmsg+0x115/0x1a0 net/socket.c:2843 __sys_recvmsg+0x114/0x1e0 net/socket.c:2873 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x62/0x6a RIP: 0033:0x7effab449b79 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fff6c0657f8 EFLAGS: 00000246 ORIG_RAX: 000000000000002f RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007effab449b79 RDX: 0000000000000000 RSI: 00000000200005c0 RDI: 0000000000000004 RBP: 0000000000003a28 R08: 0000000000000000 R09: 0000000000000006 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001 R13: 431bde82d7b634db R14: 0000000000000001 R15: 0000000000000001 </TASK> Allocated by task 78: kasan_save_stack+0x33/0x50 mm/kasan/common.c:47 kasan_set_track+0x24/0x30 mm/kasan/common.c:61 ____kasan_kmalloc mm/kasan/common.c:375 [inline] __kasan_kmalloc+0xa2/0xb0 mm/kasan/common.c:384 kasan_kmalloc include/linux/kasan.h:198 [inline] __do_kmalloc_node mm/slub.c:3985 [inline] __kmalloc+0x1f9/0x440 mm/slub.c:3998 kmalloc include/linux/slab.h:594 [inline] kzalloc include/linux/slab.h:711 [inline] kobject_get_path+0xce/0x2b0 lib/kobject.c:159 kobject_uevent_env+0x26b/0x1800 lib/kobject_uevent.c:529 kset_register+0x1b6/0x2a0 lib/kobject.c:873 bus_register+0x1bf/0x6a0 drivers/base/bus.c:868 gpiolib_dev_init+0x1b/0x1c0 drivers/gpio/gpiolib.c:4684 do_one_initcall+0x128/0x680 init/main.c:1236 do_initcall_level init/main.c:1298 [inline] do_initcalls init/main.c:1314 [inline] do_basic_setup init/main.c:1333 [inline] kernel_init_freeable+0x692/0xc30 init/main.c:1551 kernel_init+0x1c/0x2a0 init/main.c:1441 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242 Last potentially related work creation: kasan_save_stack+0x33/0x50 mm/kasan/common.c:47 kasan_set_track+0x24/0x30 mm/kasan/common.c:61 ____kasan_kmalloc mm/kasan/common.c:375 [inline] __kasan_kmalloc+0xa2/0xb0 mm/kasan/common.c:384 kasan_kmalloc include/linux/kasan.h:198 [inline] __do_kmalloc_node mm/slub.c:3985 [inline] __kmalloc+0x1f9/0x440 mm/slub.c:3998 kmalloc include/linux/slab.h:594 [inline] kzalloc include/linux/slab.h:711 [inline] acpi_os_allocate_zeroed include/acpi/platform/aclinuxex.h:57 [inline] acpi_ns_internalize_name+0x149/0x220 drivers/acpi/acpica/nsutils.c:331 acpi_ns_get_node_unlocked+0x164/0x310 drivers/acpi/acpica/nsutils.c:666 acpi_ns_get_node+0x4c/0x70 drivers/acpi/acpica/nsutils.c:726 acpi_ns_evaluate+0x6eb/0xca0 drivers/acpi/acpica/nseval.c:62 acpi_ut_evaluate_object+0xda/0x490 drivers/acpi/acpica/uteval.c:60 acpi_ut_execute_HID+0x8e/0x3b0 drivers/acpi/acpica/utids.c:45 acpi_ns_get_device_callback+0x182/0x510 drivers/acpi/acpica/nsxfeval.c:679 acpi_ns_walk_namespace+0x3fe/0x5a0 drivers/acpi/acpica/nswalk.c:233 acpi_get_devices+0x135/0x160 drivers/acpi/acpica/nsxfeval.c:805 acpi_ec_dsdt_probe+0x4b/0x160 drivers/acpi/ec.c:1769 acpi_bus_init drivers/acpi/bus.c:1372 [inline] acpi_init+0x2c5/0xb70 drivers/acpi/bus.c:1430 do_one_initcall+0x128/0x680 init/main.c:1236 do_initcall_level init/main.c:1298 [inline] do_initcalls init/main.c:1314 [inline] do_basic_setup init/main.c:1333 [inline] kernel_init_freeable+0x692/0xc30 init/main.c:1551 kernel_init+0x1c/0x2a0 init/main.c:1441 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242 Second to last potentially related work creation: kasan_save_stack+0x33/0x50 mm/kasan/common.c:47 kasan_set_track+0x24/0x30 mm/kasan/common.c:61 __kasan_slab_alloc+0x81/0x90 mm/kasan/common.c:329 kasan_slab_alloc include/linux/kasan.h:188 [inline] slab_post_alloc_hook mm/slub.c:3817 [inline] slab_alloc_node mm/slub.c:3864 [inline] kmem_cache_alloc+0x136/0x320 mm/slub.c:3871 kmem_cache_zalloc include/linux/slab.h:701 [inline] acpi_os_acquire_object include/acpi/platform/aclinuxex.h:67 [inline] acpi_ut_allocate_object_desc_dbg drivers/acpi/acpica/utobject.c:359 [inline] acpi_ut_create_internal_object_dbg+0x7b/0x400 drivers/acpi/acpica/utobject.c:69 acpi_ds_create_buffer_field+0x389/0x610 drivers/acpi/acpica/dsfield.c:214 acpi_ds_load2_end_op+0x5d8/0x1070 drivers/acpi/acpica/dswload2.c:475 acpi_ds_exec_end_op+0xbb7/0x1460 drivers/acpi/acpica/dswexec.c:542 acpi_ps_parse_loop+0x429/0x1ce0 drivers/acpi/acpica/psloop.c:525 acpi_ps_parse_aml+0x3c1/0xca0 drivers/acpi/acpica/psparse.c:475 acpi_ps_execute_table+0x37b/0x4c0 drivers/acpi/acpica/psxface.c:295 acpi_ns_execute_table+0x3ee/0x550 drivers/acpi/acpica/nsparse.c:116 acpi_ns_load_table+0x5b/0x130 drivers/acpi/acpica/nsload.c:71 acpi_tb_load_namespace+0x435/0x700 drivers/acpi/acpica/tbxfload.c:186 acpi_load_tables+0x2c/0x110 drivers/acpi/acpica/tbxfload.c:59 acpi_bus_init drivers/acpi/bus.c:1321 [inline] acpi_init+0x123/0xb70 drivers/acpi/bus.c:1430 do_one_initcall+0x128/0x680 init/main.c:1236 do_initcall_level init/main.c:1298 [inline] do_initcalls init/main.c:1314 [inline] do_basic_setup init/main.c:1333 [inline] kernel_init_freeable+0x692/0xc30 init/main.c:1551 kernel_init+0x1c/0x2a0 init/main.c:1441 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242 The buggy address belongs to the object at ffff888079f44800 which belongs to the cache kmalloc-1k of size 1024 The buggy address is located 1024 bytes to the right of allocated 736-byte region [ffff888079f44800, ffff888079f44ae0) The buggy address belongs to the physical page: page:ffffea0001e7d000 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x79f40 head:ffffea0001e7d000 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0 anon flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff) page_type: 0xffffffff() raw: 00fff00000000840 ffff888013041dc0 0000000000000000 0000000000000001 raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4686, tgid 4686 (udevd), ts 39444184156, free_ts 23975115080 set_page_owner include/linux/page_owner.h:31 [inline] post_alloc_hook+0x2d0/0x350 mm/page_alloc.c:1540 prep_new_page mm/page_alloc.c:1547 [inline] get_page_from_freelist+0xa19/0x3740 mm/page_alloc.c:3355 __alloc_pages+0x22e/0x2410 mm/page_alloc.c:4611 alloc_pages_mpol+0x258/0x5f0 mm/mempolicy.c:2133 alloc_slab_page mm/slub.c:2191 [inline] allocate_slab mm/slub.c:2358 [inline] new_slab+0x283/0x3c0 mm/slub.c:2411 ___slab_alloc+0x4ab/0x1990 mm/slub.c:3544 __slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3629 __slab_alloc_node mm/slub.c:3682 [inline] slab_alloc_node mm/slub.c:3854 [inline] __do_kmalloc_node mm/slub.c:3984 [inline] __kmalloc+0x3b4/0x440 mm/slub.c:3998 kmalloc include/linux/slab.h:594 [inline] load_elf_phdrs+0x103/0x210 fs/binfmt_elf.c:526 load_elf_binary+0x14ca/0x4e10 fs/binfmt_elf.c:955 search_binary_handler fs/exec.c:1736 [inline] exec_binprm fs/exec.c:1778 [inline] bprm_execve fs/exec.c:1853 [inline] bprm_execve+0x7ef/0x1a80 fs/exec.c:1809 do_execveat_common.isra.0+0x679/0x8e0 fs/exec.c:1974 do_execve fs/exec.c:2048 [inline] __do_sys_execve fs/exec.c:2124 [inline] __se_sys_execve fs/exec.c:2119 [inline] __x64_sys_execve+0x8c/0xb0 fs/exec.c:2119 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x62/0x6a page last free pid 1 tgid 1 stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1140 [inline] free_unref_page_prepare+0x51f/0xb10 mm/page_alloc.c:2390 free_unref_page+0x33/0x3b0 mm/page_alloc.c:2530 free_contig_range+0xb6/0x190 mm/page_alloc.c:6579 destroy_args+0xa69/0xe40 mm/debug_vm_pgtable.c:1028 debug_vm_pgtable+0x16fc/0x3250 mm/debug_vm_pgtable.c:1408 do_one_initcall+0x128/0x680 init/main.c:1236 do_initcall_level init/main.c:1298 [inline] do_initcalls init/main.c:1314 [inline] do_basic_setup init/main.c:1333 [inline] kernel_init_freeable+0x692/0xc30 init/main.c:1551 kernel_init+0x1c/0x2a0 init/main.c:1441 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242 Memory state around the buggy address: ffff888079f44d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888079f44e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff888079f44e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff888079f44f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888079f44f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ================================================================== --- This report is generated by a bot. It may contain errors. See https://goo.gl/tpsmEJ for more information about syzbot. syzbot engineers can be reached at syzkaller@xxxxxxxxxxxxxxxx. syzbot will keep track of this issue. See: https://goo.gl/tpsmEJ#status for how to communicate with syzbot. For information about bisection process see: https://goo.gl/tpsmEJ#bisection If the report is already addressed, let syzbot know by replying with: #syz fix: exact-commit-title If you want syzbot to run the reproducer, reply with: #syz test: git://repo/address.git branch-or-commit-hash If you attach or paste a git patch, syzbot will apply it before testing. If you want to overwrite report's subsystems, reply with: #syz set subsystems: new-subsystem (See the list of subsystem names on the web dashboard) If the report is a duplicate of another one, reply with: #syz dup: exact-subject-of-another-report If you want to undo deduplication, reply with: #syz undup