Hello, When using fuzzer tool to fuzz the latest Linux kernel, the following crash was triggered. HEAD commit: 78d4f34e2115b517bcbfe7ec0d018bbbb6f9b0b8 git tree: upstream Console output: https://drive.google.com/file/d/1pviuAgkWIVfra8dE2JLEcnUhHX3_inDL/view?usp=sharing Kernel config: https://drive.google.com/file/d/1RhT5dFTs6Vx1U71PbpenN7TPtnPoa3NI/view?usp=sharing C reproducer: / Syzlang reproducer: / Unfortunately, we're getting a stable reproduction of the program. If you fix this issue, please add the following tag to the commit: Reported-by: Kun Hu <huk23@xxxxxxxxxxxxxx> ================================================================== BUG: KASAN: slab-out-of-bounds in instrument_atomic_read include/linux/instrumented.h:68 [inline] BUG: KASAN: slab-out-of-bounds in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline] BUG: KASAN: slab-out-of-bounds in mapping_inaccessible include/linux/pagemap.h:335 [inline] BUG: KASAN: slab-out-of-bounds in isolate_migratepages_block+0x31dc/0x43c0 mm/compaction.c:1180 Read of size 8 at addr ff1100000750bea0 by task kcompactd0/48 CPU: 2 UID: 0 PID: 48 Comm: kcompactd0 Not tainted 6.13.0-rc3 #8 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1b0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xcf/0x5f0 mm/kasan/report.c:489 kasan_report+0x93/0xc0 mm/kasan/report.c:602 check_region_inline mm/kasan/generic.c:183 [inline] kasan_check_range+0xf6/0x1b0 mm/kasan/generic.c:189 instrument_atomic_read include/linux/instrumented.h:68 [inline] _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline] mapping_inaccessible include/linux/pagemap.h:335 [inline] isolate_migratepages_block+0x31dc/0x43c0 mm/compaction.c:1180 isolate_migratepages mm/compaction.c:2164 [inline] compact_zone+0x1987/0x3ee0 mm/compaction.c:2611 compact_node+0x19c/0x2d0 mm/compaction.c:2910 kcompactd+0x3ca/0xa00 mm/compaction.c:3208 kthread+0x345/0x450 kernel/kthread.c:389 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK> Allocated by task 469: kasan_save_stack+0x24/0x50 mm/kasan/common.c:47 kasan_save_track+0x14/0x30 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:260 [inline] __do_kmalloc_node mm/slub.c:4298 [inline] __kmalloc_node_track_caller_noprof+0x1ef/0x560 mm/slub.c:4317 kmalloc_reserve+0xeb/0x2b0 net/core/skbuff.c:609 __alloc_skb+0x162/0x370 net/core/skbuff.c:678 alloc_skb include/linux/skbuff.h:1323 [inline] nsim_dev_trap_skb_build drivers/net/netdevsim/dev.c:748 [inline] nsim_dev_trap_report drivers/net/netdevsim/dev.c:805 [inline] nsim_dev_trap_report_work+0x358/0xd20 drivers/net/netdevsim/dev.c:851 process_one_work kernel/workqueue.c:3229 [inline] process_scheduled_works+0x5ee/0x1ba0 kernel/workqueue.c:3310 worker_thread+0x59f/0xcf0 kernel/workqueue.c:3391 kthread+0x345/0x450 kernel/kthread.c:389 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Freed by task 469: kasan_save_stack+0x24/0x50 mm/kasan/common.c:47 kasan_save_track+0x14/0x30 mm/kasan/common.c:68 kasan_save_free_info+0x3a/0x60 mm/kasan/generic.c:582 poison_slab_object mm/kasan/common.c:247 [inline] __kasan_slab_free+0x54/0x70 mm/kasan/common.c:264 kasan_slab_free include/linux/kasan.h:233 [inline] slab_free_hook mm/slub.c:2353 [inline] slab_free mm/slub.c:4613 [inline] kfree+0x120/0x3e0 mm/slub.c:4761 skb_kfree_head net/core/skbuff.c:1086 [inline] skb_free_head+0xe0/0x1d0 net/core/skbuff.c:1098 skb_release_data+0x782/0x900 net/core/skbuff.c:1125 skb_release_all+0x4e/0x60 net/core/skbuff.c:1190 __kfree_skb net/core/skbuff.c:1204 [inline] consume_skb net/core/skbuff.c:1436 [inline] consume_skb+0xf5/0x2c0 net/core/skbuff.c:1430 nsim_dev_trap_report drivers/net/netdevsim/dev.c:821 [inline] nsim_dev_trap_report_work+0x263/0xd20 drivers/net/netdevsim/dev.c:851 process_one_work kernel/workqueue.c:3229 [inline] process_scheduled_works+0x5ee/0x1ba0 kernel/workqueue.c:3310 worker_thread+0x59f/0xcf0 kernel/workqueue.c:3391 kthread+0x345/0x450 kernel/kthread.c:389 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 The buggy address belongs to the object at ff1100000750a000 which belongs to the cache kmalloc-4k of size 4096 The buggy address is located 3744 bytes to the right of allocated 4096-byte region [ff1100000750a000, ff1100000750b000) The buggy address belongs to the physical page: page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7508 head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 flags: 0x100000000000040(head|node=0|zone=1) page_type: f5(slab) raw: 0100000000000040 ff1100000103d040 ffd400000026ea00 dead000000000002 raw: 0000000000000000 0000000000040004 00000001f5000000 0000000000000000 head: 0100000000000040 ff1100000103d040 ffd400000026ea00 dead000000000002 head: 0000000000000000 0000000000040004 00000001f5000000 0000000000000000 head: 0100000000000003 ffd40000001d4201 ffffffffffffffff 0000000000000000 head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ff1100000750bd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ff1100000750be00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ff1100000750be80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ff1100000750bf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ff1100000750bf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ================================================================== Oops: general protection fault, probably for non-canonical address 0xdffffc000000000c: 0000 [#1] PREEMPT SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000060-0x0000000000000067] CPU: 2 UID: 0 PID: 48 Comm: kcompactd0 Tainted: G B 6.13.0-rc3 #8 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 RIP: 0010:move_to_new_folio+0x1a7/0x720 mm/migrate.c:1052 Code: 48 c1 ea 03 80 3c 02 00 0f 85 ea 03 00 00 49 8b 9d 18 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 8d 7b 60 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 d9 03 00 00 48 8b 5b 60 48 85 db 0f 84 e9 00 00 RSP: 0018:ffa00000003574f8 EFLAGS: 00010216 RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff9a06ee21 RDX: 000000000000000c RSI: 0000000000000008 RDI: 0000000000000060 RBP: ffd4000000196bc0 R08: ff1100000750be98 R09: ffe21c0000ea17d5 R10: ffe21c0000ea17d4 R11: 0000000000000007 R12: ffd40000018435c0 R13: ff1100000750bd80 R14: 0000000000000000 R15: ffd4000000196bd8 FS: 0000000000000000(0000) GS:ff1100006a300000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fffd86e5d80 CR3: 0000000037902004 CR4: 0000000000771ef0 PKRU: 55555554 Call Trace: <TASK> migrate_folio_move mm/migrate.c:1368 [inline] migrate_pages_batch+0x1861/0x2590 mm/migrate.c:1899 migrate_pages_sync+0x10d/0x8d0 mm/migrate.c:1965 migrate_pages+0x1988/0x2130 mm/migrate.c:2074 compact_zone+0x1bac/0x3ee0 mm/compaction.c:2641 compact_node+0x19c/0x2d0 mm/compaction.c:2910 kcompactd+0x3ca/0xa00 mm/compaction.c:3208 kthread+0x345/0x450 kernel/kthread.c:389 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK> Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010:move_to_new_folio+0x1a7/0x720 mm/migrate.c:1052 Code: 48 c1 ea 03 80 3c 02 00 0f 85 ea 03 00 00 49 8b 9d 18 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 8d 7b 60 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 d9 03 00 00 48 8b 5b 60 48 85 db 0f 84 e9 00 00 RSP: 0018:ffa00000003574f8 EFLAGS: 00010216 RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff9a06ee21 RDX: 000000000000000c RSI: 0000000000000008 RDI: 0000000000000060 RBP: ffd4000000196bc0 R08: ff1100000750be98 R09: ffe21c0000ea17d5 R10: ffe21c0000ea17d4 R11: 0000000000000007 R12: ffd40000018435c0 R13: ff1100000750bd80 R14: 0000000000000000 R15: ffd4000000196bd8 FS: 0000000000000000(0000) GS:ff1100006a300000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fffd86e5d80 CR3: 0000000037902004 CR4: 0000000000771ef0 PKRU: 55555554 ---------------- Code disassembly (best guess): 0: 48 c1 ea 03 shr $0x3,%rdx 4: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) 8: 0f 85 ea 03 00 00 jne 0x3f8 e: 49 8b 9d 18 01 00 00 mov 0x118(%r13),%rbx 15: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax 1c: fc ff df 1f: 48 8d 7b 60 lea 0x60(%rbx),%rdi 23: 48 89 fa mov %rdi,%rdx 26: 48 c1 ea 03 shr $0x3,%rdx * 2a: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) <-- trapping instruction 2e: 0f 85 d9 03 00 00 jne 0x40d 34: 48 8b 5b 60 mov 0x60(%rbx),%rbx 38: 48 85 db test %rbx,%rbx 3b: 0f .byte 0xf 3c: 84 e9 test %ch,%cl --------------- thanks, Kun Hu
