Bug: slab-out-of-bounds Read in isolate_migratepages_block

From: Kun Hu
Date: Thu Dec 26 2024 - 00:08:25 EST


Hello,

When using a fuzzer tool to fuzz the latest Linux kernel, the following crash
was triggered.

HEAD commit: 78d4f34e2115b517bcbfe7ec0d018bbbb6f9b0b8
git tree: upstream
Console output: https://drive.google.com/file/d/1pviuAgkWIVfra8dE2JLEcnUhHX3_inDL/view?usp=sharing
Kernel config: https://drive.google.com/file/d/1RhT5dFTs6Vx1U71PbpenN7TPtnPoa3NI/view?usp=sharing
C reproducer: /
Syzlang reproducer: /

Unfortunately, we're getting a stable reproduction of the program. If you fix this issue, please add the following tag to the commit:
Reported-by: Kun Hu <huk23@xxxxxxxxxxxxxx>


==================================================================
BUG: KASAN: slab-out-of-bounds in instrument_atomic_read include/linux/instrumented.h:68 [inline]
BUG: KASAN: slab-out-of-bounds in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
BUG: KASAN: slab-out-of-bounds in mapping_inaccessible include/linux/pagemap.h:335 [inline]
BUG: KASAN: slab-out-of-bounds in isolate_migratepages_block+0x31dc/0x43c0 mm/compaction.c:1180
Read of size 8 at addr ff1100000750bea0 by task kcompactd0/48

CPU: 2 UID: 0 PID: 48 Comm: kcompactd0 Not tainted 6.13.0-rc3 #8
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1b0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xcf/0x5f0 mm/kasan/report.c:489
kasan_report+0x93/0xc0 mm/kasan/report.c:602
check_region_inline mm/kasan/generic.c:183 [inline]
kasan_check_range+0xf6/0x1b0 mm/kasan/generic.c:189
instrument_atomic_read include/linux/instrumented.h:68 [inline]
_test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
mapping_inaccessible include/linux/pagemap.h:335 [inline]
isolate_migratepages_block+0x31dc/0x43c0 mm/compaction.c:1180
isolate_migratepages mm/compaction.c:2164 [inline]
compact_zone+0x1987/0x3ee0 mm/compaction.c:2611
compact_node+0x19c/0x2d0 mm/compaction.c:2910
kcompactd+0x3ca/0xa00 mm/compaction.c:3208
kthread+0x345/0x450 kernel/kthread.c:389
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>

Allocated by task 469:
kasan_save_stack+0x24/0x50 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:260 [inline]
__do_kmalloc_node mm/slub.c:4298 [inline]
__kmalloc_node_track_caller_noprof+0x1ef/0x560 mm/slub.c:4317
kmalloc_reserve+0xeb/0x2b0 net/core/skbuff.c:609
__alloc_skb+0x162/0x370 net/core/skbuff.c:678
alloc_skb include/linux/skbuff.h:1323 [inline]
nsim_dev_trap_skb_build drivers/net/netdevsim/dev.c:748 [inline]
nsim_dev_trap_report drivers/net/netdevsim/dev.c:805 [inline]
nsim_dev_trap_report_work+0x358/0xd20 drivers/net/netdevsim/dev.c:851
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0x5ee/0x1ba0 kernel/workqueue.c:3310
worker_thread+0x59f/0xcf0 kernel/workqueue.c:3391
kthread+0x345/0x450 kernel/kthread.c:389
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Freed by task 469:
kasan_save_stack+0x24/0x50 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
kasan_save_free_info+0x3a/0x60 mm/kasan/generic.c:582
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x54/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:233 [inline]
slab_free_hook mm/slub.c:2353 [inline]
slab_free mm/slub.c:4613 [inline]
kfree+0x120/0x3e0 mm/slub.c:4761
skb_kfree_head net/core/skbuff.c:1086 [inline]
skb_free_head+0xe0/0x1d0 net/core/skbuff.c:1098
skb_release_data+0x782/0x900 net/core/skbuff.c:1125
skb_release_all+0x4e/0x60 net/core/skbuff.c:1190
__kfree_skb net/core/skbuff.c:1204 [inline]
consume_skb net/core/skbuff.c:1436 [inline]
consume_skb+0xf5/0x2c0 net/core/skbuff.c:1430
nsim_dev_trap_report drivers/net/netdevsim/dev.c:821 [inline]
nsim_dev_trap_report_work+0x263/0xd20 drivers/net/netdevsim/dev.c:851
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0x5ee/0x1ba0 kernel/workqueue.c:3310
worker_thread+0x59f/0xcf0 kernel/workqueue.c:3391
kthread+0x345/0x450 kernel/kthread.c:389
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

The buggy address belongs to the object at ff1100000750a000
which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 3744 bytes to the right of
allocated 4096-byte region [ff1100000750a000, ff1100000750b000)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7508
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x100000000000040(head|node=0|zone=1)
page_type: f5(slab)
raw: 0100000000000040 ff1100000103d040 ffd400000026ea00 dead000000000002
raw: 0000000000000000 0000000000040004 00000001f5000000 0000000000000000
head: 0100000000000040 ff1100000103d040 ffd400000026ea00 dead000000000002
head: 0000000000000000 0000000000040004 00000001f5000000 0000000000000000
head: 0100000000000003 ffd40000001d4201 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ff1100000750bd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ff1100000750be00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ff1100000750be80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ff1100000750bf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ff1100000750bf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
Oops: general protection fault, probably for non-canonical address 0xdffffc000000000c: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000060-0x0000000000000067]
CPU: 2 UID: 0 PID: 48 Comm: kcompactd0 Tainted: G B 6.13.0-rc3 #8
Tainted: [B]=BAD_PAGE
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:move_to_new_folio+0x1a7/0x720 mm/migrate.c:1052
Code: 48 c1 ea 03 80 3c 02 00 0f 85 ea 03 00 00 49 8b 9d 18 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 8d 7b 60 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 d9 03 00 00 48 8b 5b 60 48 85 db 0f 84 e9 00 00
RSP: 0018:ffa00000003574f8 EFLAGS: 00010216
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff9a06ee21
RDX: 000000000000000c RSI: 0000000000000008 RDI: 0000000000000060
RBP: ffd4000000196bc0 R08: ff1100000750be98 R09: ffe21c0000ea17d5
R10: ffe21c0000ea17d4 R11: 0000000000000007 R12: ffd40000018435c0
R13: ff1100000750bd80 R14: 0000000000000000 R15: ffd4000000196bd8
FS: 0000000000000000(0000) GS:ff1100006a300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fffd86e5d80 CR3: 0000000037902004 CR4: 0000000000771ef0
PKRU: 55555554
Call Trace:
<TASK>
migrate_folio_move mm/migrate.c:1368 [inline]
migrate_pages_batch+0x1861/0x2590 mm/migrate.c:1899
migrate_pages_sync+0x10d/0x8d0 mm/migrate.c:1965
migrate_pages+0x1988/0x2130 mm/migrate.c:2074
compact_zone+0x1bac/0x3ee0 mm/compaction.c:2641
compact_node+0x19c/0x2d0 mm/compaction.c:2910
kcompactd+0x3ca/0xa00 mm/compaction.c:3208
kthread+0x345/0x450 kernel/kthread.c:389
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:move_to_new_folio+0x1a7/0x720 mm/migrate.c:1052
Code: 48 c1 ea 03 80 3c 02 00 0f 85 ea 03 00 00 49 8b 9d 18 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 8d 7b 60 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 d9 03 00 00 48 8b 5b 60 48 85 db 0f 84 e9 00 00
RSP: 0018:ffa00000003574f8 EFLAGS: 00010216
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff9a06ee21
RDX: 000000000000000c RSI: 0000000000000008 RDI: 0000000000000060
RBP: ffd4000000196bc0 R08: ff1100000750be98 R09: ffe21c0000ea17d5
R10: ffe21c0000ea17d4 R11: 0000000000000007 R12: ffd40000018435c0
R13: ff1100000750bd80 R14: 0000000000000000 R15: ffd4000000196bd8
FS: 0000000000000000(0000) GS:ff1100006a300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fffd86e5d80 CR3: 0000000037902004 CR4: 0000000000771ef0
PKRU: 55555554
----------------
Code disassembly (best guess):
0: 48 c1 ea 03 shr $0x3,%rdx
4: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1)
8: 0f 85 ea 03 00 00 jne 0x3f8
e: 49 8b 9d 18 01 00 00 mov 0x118(%r13),%rbx
15: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
1c: fc ff df
1f: 48 8d 7b 60 lea 0x60(%rbx),%rdi
23: 48 89 fa mov %rdi,%rdx
26: 48 c1 ea 03 shr $0x3,%rdx
* 2a: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) <-- trapping instruction
2e: 0f 85 d9 03 00 00 jne 0x40d
34: 48 8b 5b 60 mov 0x60(%rbx),%rbx
38: 48 85 db test %rbx,%rbx
3b: 0f .byte 0xf
3c: 84 e9 test %ch,%cl


---------------
thanks,
Kun Hu