KASAN: global-out-of-bounds Read in psi_group_change
From: Strforexc yn
Date: Sun Mar 02 2025 - 19:31:43 EST
Dear Maintainers,
When using our customized Syzkaller to fuzz the latest Linux kernel, the following crash was triggered.
Kernel commit: v6.14-rc4 (Commits on Feb 24, 2025)
Kernel Config : https://github.com/Strforexc/LinuxKernelbug/blob/main/.config
Kernel Log: attachment
The out-of-bounds access appears to occur in the runnable_avg_yN_inv
array, which is likely used in the scheduler's PSI (Pressure Stall
Information) or related accounting. The issue is triggered during a
write to a cgroup file (__cgroup_procs_write), leading to a task
wakeup (try_to_wake_up) and subsequent printk activity (vprintk_emit).
The root cause seems to be an invalid string operation in vsnprintf,
possibly due to a buffer overflow or incorrect pointer handling in
string_nocheck.
Our knowledge of the kernel is somewhat limited, and we'd appreciate
it if you could determine if there is such an issue. If this issue
doesn't have an impact, please ignore it ☺.
If you fix this issue, please add the following tag to the commit:
Reported-by: Zhizhuo Tang <strforexctzzchange@xxxxxxxxxxx>, Jianzhou
Zhao <xnxc22xnxc22@xxxxxx>, Haoran Liu <cherest_san@xxxxxxx>
==================================================================
BUG: KASAN: global-out-of-bounds in string_nocheck lib/vsprintf.c:632 [inline]
BUG: KASAN: global-out-of-bounds in string+0x4b3/0x500 lib/vsprintf.c:714
Read of size 1 at addr ffffffff8b8cc77d by task systemd/1
CPU: 1 UID: 0 PID: 1 Comm: systemd Not tainted 6.14.0-rc4 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1b0 lib/dump_stack.c:120
print_address_description.constprop.0+0x2c/0x420 mm/kasan/report.c:408
print_report+0xaa/0x270 mm/kasan/report.c:521
kasan_report+0xbd/0x100 mm/kasan/report.c:634
string_nocheck lib/vsprintf.c:632 [inline]
string+0x4b3/0x500 lib/vsprintf.c:714
vsnprintf+0x620/0x1120 lib/vsprintf.c:2843
vprintk_store+0x34f/0xb90 kernel/printk/printk.c:2279
vprintk_emit+0x151/0x330 kernel/printk/printk.c:2408
__warn_printk+0x162/0x320 kernel/panic.c:797
look_up_lock_class+0xad/0x160 kernel/locking/lockdep.c:938
register_lock_class+0xb2/0xfc0 kernel/locking/lockdep.c:1292
__lock_acquire+0xc3/0x16a0 kernel/locking/lockdep.c:5103
lock_acquire+0x181/0x3a0 kernel/locking/lockdep.c:5851
do_write_seqcount_begin_nested include/linux/seqlock.h:477 [inline]
do_write_seqcount_begin include/linux/seqlock.h:503 [inline]
psi_group_change+0x264/0xc70 kernel/sched/psi.c:792
psi_task_change+0x1ba/0x2f0 kernel/sched/psi.c:912
psi_enqueue kernel/sched/stats.h:166 [inline]
enqueue_task+0x1d1/0x4a0 kernel/sched/core.c:2077
activate_task kernel/sched/core.c:2117 [inline]
ttwu_do_activate+0x18e/0x9c0 kernel/sched/core.c:3729
ttwu_queue kernel/sched/core.c:4002 [inline]
try_to_wake_up+0x6bf/0xfc0 kernel/sched/core.c:4330
wake_up_process kernel/sched/core.c:4463 [inline]
wake_up_q+0x9c/0x170 kernel/sched/core.c:1075
raw_spin_unlock_irqrestore_wake include/linux/sched/wake_q.h:96 [inline]
__mutex_unlock_slowpath+0x208/0x400 kernel/locking/mutex.c:933
cgroup_unlock include/linux/cgroup.h:373 [inline]
cgroup_kn_unlock+0xbf/0x420 kernel/cgroup/cgroup.c:1617
__cgroup_procs_write+0x361/0x620 kernel/cgroup/cgroup.c:5228
cgroup_procs_write+0x26/0x60 kernel/cgroup/cgroup.c:5236
cgroup_file_write+0x215/0x770 kernel/cgroup/cgroup.c:4138
kernfs_fop_write_iter+0x344/0x510 fs/kernfs/file.c:334
new_sync_write fs/read_write.c:586 [inline]
vfs_write+0xc18/0x10f0 fs/read_write.c:679
ksys_write+0x122/0x240 fs/read_write.c:731
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcb/0x260 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7ff2631ee54f
Code: Unable to access opcode bytes at 0x7ff2631ee525.
RSP: 002b:00007ffdd9842750 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 00007ff2631ee54f
RDX: 0000000000000006 RSI: 00007ffdd984294a RDI: 0000000000000019
RBP: 00007ffdd984294a R08: 0000000000000000 R09: 00007ffdd98427d0
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000006
R13: 0000555eb69d73b0 R14: 0000000000000006 R15: 00007ff2632cd880
</TASK>
The buggy address belongs to the variable:
runnable_avg_yN_inv+0x14fd/0x20c0
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xb8cc
flags: 0xfff00000002000(reserved|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000002000 ffffea00002e3308 ffffea00002e3308 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner info is not present (never set?)
Memory state around the buggy address:
ffffffff8b8cc600: 00 00 02 f9 f9 f9 f9 f9 00 00 00 00 00 06 f9 f9
ffffffff8b8cc680: f9 f9 f9 f9 00 00 00 04 f9 f9 f9 f9 00 00 00 04
>ffffffff8b8cc700: f9 f9 f9 f9 00 00 04 f9 f9 f9 f9 f9 00 00 07 f9
^
ffffffff8b8cc780: f9 f9 f9 f9 00 00 00 f9 f9 f9 f9 f9 00 00 00 00
ffffffff8b8cc800: 01 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 04 f9 f9 f9
==================================================================
Thanks,
Zhizhuo Tang
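The "Memory state around the buggy address" rows in the report are generic KASAN shadow bytes: one byte per 8-byte granule, 16 granules per row, with `>` marking the row that contains the faulting address. As an added example that is not part of the report or the kernel, the C below parses those five rows as quoted above and applies the generic KASAN validity rule for a 1-byte read, which shows that the address 0xffffffff8b8cc77d lands in a granule marked f9 (global redzone), consistent with the "global-out-of-bounds" verdict.

```c
#include <stdint.h>
#include <stdlib.h>
struct shadow_row { uint64_t base; uint8_t sh[16]; };

/* "Memory state" rows copied from the report above; each shadow byte
 * covers an 8-byte granule, so one row spans 128 bytes of memory. */
static const char *report_rows[] = {
    "ffffffff8b8cc600: 00 00 02 f9 f9 f9 f9 f9 00 00 00 00 00 06 f9 f9",
    "ffffffff8b8cc680: f9 f9 f9 f9 00 00 00 04 f9 f9 f9 f9 00 00 00 04",
    ">ffffffff8b8cc700: f9 f9 f9 f9 00 00 04 f9 f9 f9 f9 f9 00 00 07 f9",
    "ffffffff8b8cc780: f9 f9 f9 f9 00 00 00 f9 f9 f9 f9 f9 00 00 00 00",
    "ffffffff8b8cc800: 01 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 04 f9 f9 f9",
};

/* Parse one dump row ('>' marks the faulting row); -1 if malformed. */
int parse_row(const char *line, struct shadow_row *row)
{
    char *p, *q;
    if (*line == '>') line++;
    row->base = strtoull(line, &p, 16);
    if (*p++ != ':' || (row->base & 0x7f)) return -1;
    for (int i = 0; i < 16; i++, p = q) {
        unsigned long v = strtoul(p, &q, 16);
        if (q == p || v > 0xff) return -1;
        row->sh[i] = (uint8_t)v;
    }
    return 0;
}

/* Shadow byte covering addr from the dump, or -1 if no row covers it. */
int shadow_byte(uint64_t addr)
{
    for (size_t i = 0; i < sizeof(report_rows) / sizeof(*report_rows); i++) {
        struct shadow_row r;
        if (parse_row(report_rows[i], &r) == 0 && addr - r.base < 128)
            return r.sh[(addr - r.base) >> 3];
    }
    return -1;
}

/* Generic KASAN rule for a 1-byte access: 00 = whole granule addressable,
 * 01..07 = only the first N bytes, anything else (f9 = global redzone) is poison. */
int byte_access_ok(uint64_t addr)
{
    int sh = shadow_byte(addr);
    if (sh == 0) return 1;
    if (sh > 0 && sh <= 7) return (int)(addr & 7) < sh;
    return 0;
}
```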