> #syz upstream Can't upstream, this is final destination. > > On Fri, Jul 18, 2025 at 3:06 AM syzbot > <syzbot+4ff165b9251e4d295690@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote: >> >> Hello, >> >> syzbot found the following issue on: >> >> HEAD commit: 5d5d62298b8b Merge tag 'x86_urgent_for_v6.16_rc6' of git:/.. >> git tree: upstream >> console+strace: https://syzkaller.appspot.com/x/log.txt?x=1655418c580000 >> kernel config: https://syzkaller.appspot.com/x/.config?x=b309c907eaab29da >> dashboard link: https://syzkaller.appspot.com/bug?extid=4ff165b9251e4d295690 >> compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7 >> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=156787d4580000 >> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=136787d4580000 >> >> Downloadable assets: >> disk image: https://storage.googleapis.com/syzbot-assets/621a2e2bbe6e/disk-5d5d6229.raw.xz >> vmlinux: https://storage.googleapis.com/syzbot-assets/1822022cd8cb/vmlinux-5d5d6229.xz >> kernel image: https://storage.googleapis.com/syzbot-assets/10cee653a6cd/bzImage-5d5d6229.xz >> >> The issue was bisected to: >> >> commit 6001a930ce0378b62210d4f83583fc88a903d89d >> Author: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> >> Date: Mon Feb 15 11:28:07 2021 +0000 >> >> netfilter: nftables: introduce table ownership >> >> bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=133e518c580000 >> final oops: https://syzkaller.appspot.com/x/report.txt?x=10be518c580000 >> console output: https://syzkaller.appspot.com/x/log.txt?x=173e518c580000 >> >> IMPORTANT: if you fix the issue, please add the following tag to the commit: >> Reported-by: syzbot+4ff165b9251e4d295690@xxxxxxxxxxxxxxxxxxxxxxxxx >> Fixes: 6001a930ce03 ("netfilter: nftables: introduce table ownership") >> >> ================================================================== >> BUG: KASAN: slab-out-of-bounds in string_nocheck lib/vsprintf.c:639 [inline] >> BUG: KASAN: slab-out-of-bounds in string+0x231/0x2b0 lib/vsprintf.c:721 >> Read of size 1 at addr ffff88801eac95c8 by task syz-executor183/5851 >> >> CPU: 0 UID: 0 PID: 5851 Comm: syz-executor183 Not tainted 6.16.0-rc5-syzkaller-00276-g5d5d62298b8b #0 PREEMPT(full) >> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 >> Call Trace: >> <TASK> >> dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 >> print_address_description mm/kasan/report.c:378 [inline] >> print_report+0xca/0x230 mm/kasan/report.c:480 >> kasan_report+0x118/0x150 mm/kasan/report.c:593 >> string_nocheck lib/vsprintf.c:639 [inline] >> string+0x231/0x2b0 lib/vsprintf.c:721 >> vsnprintf+0x739/0xf00 lib/vsprintf.c:2874 >> vprintk_store+0x3c7/0xd00 kernel/printk/printk.c:2279 >> vprintk_emit+0x21e/0x7a0 kernel/printk/printk.c:2426 >> _printk+0xcf/0x120 kernel/printk/printk.c:2475 >> nfacct_mt_checkentry+0xd2/0xe0 net/netfilter/xt_nfacct.c:41 >> xt_check_match+0x3d1/0xab0 net/netfilter/x_tables.c:523 >> __nft_match_init+0x63a/0x840 net/netfilter/nft_compat.c:520 >> nf_tables_newexpr net/netfilter/nf_tables_api.c:3493 [inline] >> nf_tables_newrule+0x178c/0x2890 net/netfilter/nf_tables_api.c:4324 >> nfnetlink_rcv_batch net/netfilter/nfnetlink.c:525 [inline] >> nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:648 [inline] >> nfnetlink_rcv+0x1132/0x2520 net/netfilter/nfnetlink.c:666 >> netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline] >> netlink_unicast+0x759/0x8e0 net/netlink/af_netlink.c:1346 >> netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896 >> sock_sendmsg_nosec net/socket.c:712 [inline] >> __sock_sendmsg+0x219/0x270 net/socket.c:727 >> ____sys_sendmsg+0x505/0x830 net/socket.c:2566 >> ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2620 >> __sys_sendmsg net/socket.c:2652 [inline] >> __do_sys_sendmsg net/socket.c:2657 [inline] >> __se_sys_sendmsg net/socket.c:2655 [inline] >> __x64_sys_sendmsg+0x19b/0x260 net/socket.c:2655 >> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] >> do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 >> entry_SYSCALL_64_after_hwframe+0x77/0x7f >> RIP: 0033:0x7fa7bbf1c6a9 >> Code: 48 83 c4 28 c3 e8 37 17 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 >> RSP: 002b:00007fff7139c908 EFLAGS: 00000246 ORIG_RAX: 000000000000002e >> RAX: ffffffffffffffda RBX: 00007fff7139cad8 RCX: 00007fa7bbf1c6a9 >> RDX: 0000000000000000 RSI: 0000200000000000 RDI: 0000000000000003 >> RBP: 00007fa7bbf8f610 R08: 0000000000000002 R09: 00007fff7139cad8 >> R10: 0000000000000009 R11: 0000000000000246 R12: 0000000000000001 >> R13: 00007fff7139cac8 R14: 0000000000000001 R15: 0000000000000001 >> </TASK> >> >> Allocated by task 5851: >> kasan_save_stack mm/kasan/common.c:47 [inline] >> kasan_save_track+0x3e/0x80 mm/kasan/common.c:68 >> poison_kmalloc_redzone mm/kasan/common.c:377 [inline] >> __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394 >> kasan_kmalloc include/linux/kasan.h:260 [inline] >> __do_kmalloc_node mm/slub.c:4328 [inline] >> __kmalloc_noprof+0x27a/0x4f0 mm/slub.c:4340 >> kmalloc_noprof include/linux/slab.h:909 [inline] >> kzalloc_noprof include/linux/slab.h:1039 [inline] >> nf_tables_newrule+0x1506/0x2890 net/netfilter/nf_tables_api.c:4306 >> nfnetlink_rcv_batch net/netfilter/nfnetlink.c:525 [inline] >> nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:648 [inline] >> nfnetlink_rcv+0x1132/0x2520 net/netfilter/nfnetlink.c:666 >> netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline] >> netlink_unicast+0x759/0x8e0 net/netlink/af_netlink.c:1346 >> netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896 >> sock_sendmsg_nosec net/socket.c:712 [inline] >> __sock_sendmsg+0x219/0x270 net/socket.c:727 >> ____sys_sendmsg+0x505/0x830 net/socket.c:2566 >> ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2620 >> __sys_sendmsg net/socket.c:2652 [inline] >> __do_sys_sendmsg net/socket.c:2657 [inline] >> __se_sys_sendmsg net/socket.c:2655 [inline] >> __x64_sys_sendmsg+0x19b/0x260 net/socket.c:2655 >> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] >> do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 >> entry_SYSCALL_64_after_hwframe+0x77/0x7f >> >> The buggy address belongs to the object at ffff88801eac9580 >> which belongs to the cache kmalloc-cg-96 of size 96 >> The buggy address is located 0 bytes to the right of >> allocated 72-byte region [ffff88801eac9580, ffff88801eac95c8) >> >> The buggy address belongs to the physical page: >> page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1eac9 >> flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) >> page_type: f5(slab) >> raw: 00fff00000000000 ffff88801a449640 dead000000000122 0000000000000000 >> raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 >> page dumped because: kasan: bad access detected >> page_owner tracks the page as allocated >> page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 1, tgid 1 (swapper/0), ts 2776913905, free_ts 0 >> set_page_owner include/linux/page_owner.h:32 [inline] >> post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1704 >> prep_new_page mm/page_alloc.c:1712 [inline] >> get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3669 >> __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:4959 >> alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2419 >> alloc_slab_page mm/slub.c:2451 [inline] >> allocate_slab+0x8a/0x3b0 mm/slub.c:2619 >> new_slab mm/slub.c:2673 [inline] >> ___slab_alloc+0xbfc/0x1480 mm/slub.c:3859 >> __slab_alloc mm/slub.c:3949 [inline] >> __slab_alloc_node mm/slub.c:4024 [inline] >> slab_alloc_node mm/slub.c:4185 [inline] >> __do_kmalloc_node mm/slub.c:4327 [inline] >> __kmalloc_noprof+0x305/0x4f0 mm/slub.c:4340 >> kmalloc_noprof include/linux/slab.h:909 [inline] >> kzalloc_noprof include/linux/slab.h:1039 [inline] >> __register_sysctl_table+0x72/0x1340 fs/proc/proc_sysctl.c:1380 >> user_namespace_sysctl_init+0x25/0x150 kernel/ucount.c:355 >> do_one_initcall+0x233/0x820 init/main.c:1274 >> do_initcall_level+0x137/0x1f0 init/main.c:1336 >> do_initcalls+0x69/0xd0 init/main.c:1352 >> kernel_init_freeable+0x3d9/0x570 init/main.c:1584 >> kernel_init+0x1d/0x1d0 init/main.c:1474 >> ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148 >> ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 >> page_owner free stack trace missing >> >> Memory state around the buggy address: >> ffff88801eac9480: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc >> ffff88801eac9500: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc >> >ffff88801eac9580: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc >> ^ >> ffff88801eac9600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >> ffff88801eac9680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >> ================================================================== >> >> >> --- >> This report is generated by a bot. It may contain errors. >> See https://goo.gl/tpsmEJ for more information about syzbot. >> syzbot engineers can be reached at syzkaller@xxxxxxxxxxxxxxxx. >> >> syzbot will keep track of this issue. See: >> https://goo.gl/tpsmEJ#status for how to communicate with syzbot. >> For information about bisection process see: https://goo.gl/tpsmEJ#bisection >> >> If the report is already addressed, let syzbot know by replying with: >> #syz fix: exact-commit-title >> >> If you want syzbot to run the reproducer, reply with: >> #syz test: git://repo/address.git branch-or-commit-hash >> If you attach or paste a git patch, syzbot will apply it before testing. >> >> If you want to overwrite report's subsystems, reply with: >> #syz set subsystems: new-subsystem >> (See the list of subsystem names on the web dashboard) >> >> If the report is a duplicate of another one, reply with: >> #syz dup: exact-subject-of-another-report >> >> If you want to undo deduplication, reply with: >> #syz undup >> >> -- >> You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group. >> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bugs+unsubscribe@xxxxxxxxxxxxxxxx. >> To view this discussion visit https://groups.google.com/d/msgid/syzkaller-bugs/68799e14.a00a0220.3af5df.0025.GAE%40google.com.
