[BUG] KASAN: slab-out-of-bounds in vsnprintf triggered by large stack frame

From: Shardul Bankar
Date: Tue Jul 01 2025 - 12:48:57 EST

Next message: Nilawar, Badal: "Re: [PATCH v4 02/10] mei: late_bind: add late binding component driver"
Previous message: Sean Anderson: "Re: [PATCH net-next v2 13/18] net: macb: avoid double endianness swap in macb_set_hwaddr()"
Next in thread: Pedro Falcato: "Re: [BUG] KASAN: slab-out-of-bounds in vsnprintf triggered by large stack frame"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hello,

I would like to report a slab-out-of-bounds bug that can be reliably
reproduced with a purpose-built kernel module. This report was
initially sent to security@xxxxxxxxxx, and I was advised to move it to
the public lists.

I have confirmed this issue still exists on the latest mainline kernel
(v6.16.0-rc4).

Bug Summary:

The bug is a KASAN-reported slab-out-of-bounds write within vsnprintf.
It appears to be caused by a latent memory corruption issue, likely
related to the names_cache slab.

The vulnerability can be triggered by loading a kernel module that
allocates an unusually large stack frame. When compiling the PoC
module, GCC explicitly warns about this: warning: the frame size of
29760 bytes is larger than 2048 bytes. This "stack grooming" positions
the task's stack to overlap with a stale pointer from a freed
names_cache object. A subsequent call to pr_info() then uses this
corrupted value, leading to the out-of-bounds write.

Reproducer:

The following minimal kernel module reliably reproduces the crash on my
x86-64 test system.

#include <linux/init.h>
#include <linux/module.h>
#include <linux/printk.h>

#define STACK_FOOTPRINT (3677 * sizeof(void *))

static int __init final_poc_init(void)
{
volatile char stack_eater[STACK_FOOTPRINT];
stack_eater[0] = 'A'; // Prevent optimization

pr_info("Final PoC: Triggering bug with controlled stack
layout.\n");

return -EAGAIN;
}

static void __exit final_poc_exit(void) {}

module_init(final_poc_init);
module_exit(final_poc_exit);
MODULE_LICENSE("GPLv2");
MODULE_DESCRIPTION("A PoC to trigger a kernel bug by creating a large
stack frame.");

KASAN Crash Log (on mainline v6.16.0-rc4):

Loading the module produces the following KASAN report and kernel
panic:

[ 214.241371] 006_state_corruption_poc_reduce_size: loading out-of-
tree module taints kernel.
214.242338] Final PoC: Triggering bug with controlled stack layout.
[ 214.242340]
==================================================================
[ 214.242341] BUG: KASAN: slab-out-of-bounds in vsnprintf+0x5a6/0x1400
[ 214.242346] Write of size 1 at addr ffff88814269fee0 by task
insmod/2258
[ 214.242348]
[ 214.242350] CPU: 6 UID: 0 PID: 2258 Comm: insmod Tainted: G
OE 6.16.0-rc4-custombuild #139 PREEMPT(lazy)
[ 214.242353] Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
[ 214.242354] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014
[ 214.242355] Call Trace:
[ 214.242356] <TASK>
[ 214.242359] ? console_emit_next_record+0x12b/0x450
[ 214.242362] ? __pfx_console_emit_next_record+0x10/0x10
[ 214.242363] ? __asan_memmove+0x3c/0x60
[ 214.242367] ? console_flush_all+0x36c/0x570
[ 214.242368] ? __pfx_console_flush_all+0x10/0x10
[ 214.242370] ? __pfx_final_poc_init+0x10/0x10
[006_state_corruption_poc_reduce_size]
[ 214.242372] ? console_unlock+0xbf/0x240
[ 214.242373] ? __pfx_console_unlock+0x10/0x10
[ 214.242375] ? __down_trylock_console_sem.isra.0+0x2e/0x50
[ 214.242377] ? vprintk_emit+0x412/0x4b0
[ 214.242379] ? __pfx_vprintk_emit+0x10/0x10
[ 214.242380] ? __pfx_final_poc_init+0x10/0x10
[006_state_corruption_poc_reduce_size]
[ 214.242382] ? _printk+0xc7/0x100
[ 214.242384] ? __pfx__printk+0x10/0x10
[ 214.242386] ? __pfx_final_poc_init+0x10/0x10
[006_state_corruption_poc_reduce_size]
[ 214.242388] ? final_poc_init+0xd7/0xff0
[006_state_corruption_poc_reduce_size]
[ 214.242390] ? __pfx_final_poc_init+0x10/0x10
[006_state_corruption_poc_reduce_size]
[ 214.242486] ? do_one_initcall+0xa4/0x380
[ 214.242488] ? __pfx_do_one_initcall+0x10/0x10
[ 214.242490] ? kasan_unpoison+0x44/0x70
[ 214.242492] ? do_init_module+0x2cc/0x8e0
[ 214.242494] ? __pfx_do_init_module+0x10/0x10
[ 214.242495] ? netfs_unbuffered_read_iter_locked+0x47f/0x980 [netfs]
[ 214.242542] ? init_module_from_file+0xe1/0x150
[ 214.242543] ? __pfx_init_module_from_file+0x10/0x10
[ 214.242544] ? vfs_read+0x6da/0xa40
[ 214.242547] ? _raw_spin_lock+0x83/0xe0
[ 214.242549] ? __pfx__raw_spin_lock+0x10/0x10
[ 214.242550] ? cred_has_capability.isra.0+0x12c/0x220
[ 214.242553] ? idempotent_init_module+0x224/0x750
[ 214.242555] ? __pfx_idempotent_init_module+0x10/0x10
[ 214.242557] ? fdget+0x53/0x4a0
[ 214.242558] ? security_capable+0x87/0x150
[ 214.242561] ? __x64_sys_finit_module+0xcd/0x150
[ 214.242562] ? do_syscall_64+0x82/0x2c0
[ 214.242564] ? count_memcg_events+0x1aa/0x410
[ 214.242567] ? handle_mm_fault+0x492/0x910
[ 214.242569] ? do_user_addr_fault+0x4b0/0xa30
[ 214.242571] ? exc_page_fault+0x75/0xd0
[ 214.242573] ? entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 214.242575] </TASK>
[ 214.242576]
[ 214.242577] Allocated by task 2255:
[ 214.242578] kasan_save_stack+0x30/0x50
[ 214.242580] kasan_save_track+0x14/0x30
[ 214.242581] __kasan_slab_alloc+0x7e/0x90
[ 214.242582] kmem_cache_alloc_noprof+0x148/0x420
[ 214.242584] getname_flags.part.0+0x48/0x540
[ 214.242586] do_sys_openat2+0xb1/0x180
[ 214.242588] __x64_sys_openat+0x10e/0x210
[ 214.242590] do_syscall_64+0x82/0x2c0
[ 214.242591] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 214.242592]
[ 214.242592] Freed by task 2255:
[ 214.242593] kasan_save_stack+0x30/0x50
[ 214.242594] kasan_save_track+0x14/0x30
[ 214.242595] kasan_save_free_info+0x3b/0x70
[ 214.242596] __kasan_slab_free+0x52/0x70
[ 214.242598] kmem_cache_free+0x17b/0x540
[ 214.242599] do_sys_openat2+0x109/0x180
[ 214.242601] __x64_sys_openat+0x10e/0x210
[ 214.242602] do_syscall_64+0x82/0x2c0
[ 214.242603] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 214.242604]
[ 214.242605] Last potentially related work creation:
[ 214.242605] ------------[ cut here ]------------
[ 214.242606] pool index 109701 out of bounds (339) for stack id
a1bbac86
[ 214.242623] WARNING: CPU: 6 PID: 2258 at lib/stackdepot.c:451
depot_fetch_stack+0x68/0xb0
[ 214.242626] Modules linked in:
006_state_corruption_poc_reduce_size(OE+) 9p(E) rfkill(E) isofs(E)
binfmt_misc(E) vfat(E) fat(E) ppdev(E) parport_pc(E) snd_pcm(E)
parport(E) snd_timer(E) snd(E) virtio_net(E) soundcore(E)
net_failover(E) joydev(E) bochs(E) failover(E) i2c_piix4(E) pcspkr(E)
i2c_smbus(E) loop(E) nfnetlink(E) vsock_loopback(E)
vmw_vsock_virtio_transport_common(E) vmw_vsock_vmci_transport(E)
vsock(E) zram(E) vmw_vmci(E) lz4hc_compress(E) lz4_compress(E)
9pnet_virtio(E) 9pnet(E) floppy(E) netfs(E) serio_raw(E) ata_generic(E)
pata_acpi(E) fuse(E) qemu_fw_cfg(E)
[ 214.242652] Unloaded tainted modules: snd_pcsp(E):1 hv_vmbus(E):1
padlock_aes(E):2
[ 214.242657] CPU: 6 UID: 0 PID: 2258 Comm: insmod Tainted: G
OE 6.16.0-rc4-custombuild #139 PREEMPT(lazy)
[ 214.242659] Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
[ 214.242660] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014
[ 214.242660] RIP: 0010:depot_fetch_stack+0x68/0xb0
[ 214.242663] Code: c1 e7 04 81 e7 f0 3f 00 00 48 01 f8 8b 50 1c 85 d2
74 2a 48 83 c4 10 e9 16 a2 91 01 89 f9 48 c7 c7 08 61 c8 a5 e8 68 2f 58
fe <0f> 0b 31 c0 48 83 c4 10 c3 cc cc cc cc 0f 0b 31 c0 eb f1 0f 0b 31
[ 214.242664] RSP: 0018:ffff88814269faf8 EFLAGS: 00010046
[ 214.242666] RAX: 0000000000000000 RBX: ffffea000509a600 RCX:
0000000000000001
[ 214.242667] RDX: 1ffff110284d3f47 RSI: 0000000000000004 RDI:
ffff88848ab2cf48
[ 214.242668] RBP: ffff88814269fee0 R08: ffffffffa1f4e7dc R09:
ffffed10915659e9
[ 214.242669] R10: ffffed10915659ea R11: 0000000000000001 R12:
ffff88814269fbe0
[ 214.242670] R13: ffffffffa4cf91e6 R14: 00000000fffffffe R15:
ffff88814269fdc8
[ 214.242671] FS: 00007f5dec131740(0000) GS:ffff8884e241d000(0000)
knlGS:0000000000000000
[ 214.242672] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 214.242673] CR2: 0000558a1aca08c0 CR3: 0000000104536000 CR4:
00000000000006f0
[ 214.242675] Call Trace:
[ 214.242676] <TASK>
[ 214.242678] ? console_emit_next_record+0x12b/0x450
[ 214.242680] ? __pfx_console_emit_next_record+0x10/0x10
[ 214.242681] ? __asan_memmove+0x3c/0x60
[ 214.242684] ? console_flush_all+0x36c/0x570
[ 214.242685] ? __pfx_console_flush_all+0x10/0x10
[ 214.242687] ? __pfx_final_poc_init+0x10/0x10
[006_state_corruption_poc_reduce_size]
[ 214.242689] ? console_unlock+0xbf/0x240
[ 214.242690] ? __pfx_console_unlock+0x10/0x10
[ 214.242692] ? __down_trylock_console_sem.isra.0+0x2e/0x50
[ 214.242694] ? vprintk_emit+0x412/0x4b0
[ 214.242695] ? __pfx_vprintk_emit+0x10/0x10
[ 214.242697] ? __pfx_final_poc_init+0x10/0x10
[006_state_corruption_poc_reduce_size]
[ 214.242699] ? _printk+0xc7/0x100
[ 214.242701] ? __pfx__printk+0x10/0x10
[ 214.242703] ? __pfx_final_poc_init+0x10/0x10
[006_state_corruption_poc_reduce_size]
[ 214.242704] ? final_poc_init+0xd7/0xff0
[006_state_corruption_poc_reduce_size]
[ 214.242706] ? __pfx_final_poc_init+0x10/0x10
[006_state_corruption_poc_reduce_size]
[ 214.242834] ? do_one_initcall+0xa4/0x380
[ 214.242835] ? __pfx_do_one_initcall+0x10/0x10
[ 214.242837] ? kasan_unpoison+0x44/0x70
[ 214.242839] ? do_init_module+0x2cc/0x8e0
[ 214.242841] ? __pfx_do_init_module+0x10/0x10
[ 214.242842] ? netfs_unbuffered_read_iter_locked+0x47f/0x980 [netfs]
[ 214.242855] ? init_module_from_file+0xe1/0x150
[ 214.242856] ? __pfx_init_module_from_file+0x10/0x10
[ 214.242858] ? vfs_read+0x6da/0xa40
[ 214.242859] ? _raw_spin_lock+0x83/0xe0
[ 214.242861] ? __pfx__raw_spin_lock+0x10/0x10
[ 214.242862] ? cred_has_capability.isra.0+0x12c/0x220
[ 214.242864] ? idempotent_init_module+0x224/0x750
[ 214.242866] ? __pfx_idempotent_init_module+0x10/0x10
[ 214.242867] ? fdget+0x53/0x4a0
[ 214.242868] ? security_capable+0x87/0x150
[ 214.242871] ? __x64_sys_finit_module+0xcd/0x150
[ 214.242872] ? do_syscall_64+0x82/0x2c0
[ 214.242874] ? count_memcg_events+0x1aa/0x410
[ 214.242875] ? handle_mm_fault+0x492/0x910
[ 214.242877] ? do_user_addr_fault+0x4b0/0xa30
[ 214.242879] ? exc_page_fault+0x75/0xd0
[ 214.242880] ? entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 214.242882] </TASK>
[ 214.242883] ---[ end trace 0000000000000000 ]---
[ 214.242884] ------------[ cut here ]------------
[ 214.242885] corrupt handle or use after stack_depot_put()
[ 214.242892] WARNING: CPU: 6 PID: 2258 at lib/stackdepot.c:723
stack_depot_print+0x43/0x50
[ 214.242895] Modules linked in:
006_state_corruption_poc_reduce_size(OE+) 9p(E) rfkill(E) isofs(E)
binfmt_misc(E) vfat(E) fat(E) ppdev(E) parport_pc(E) snd_pcm(E)
parport(E) snd_timer(E) snd(E) virtio_net(E) soundcore(E)
net_failover(E) joydev(E) bochs(E) failover(E) i2c_piix4(E) pcspkr(E)
i2c_smbus(E) loop(E) nfnetlink(E) vsock_loopback(E)
vmw_vsock_virtio_transport_common(E) vmw_vsock_vmci_transport(E)
vsock(E) zram(E) vmw_vmci(E) lz4hc_compress(E) lz4_compress(E)
9pnet_virtio(E) 9pnet(E) floppy(E) netfs(E) serio_raw(E) ata_generic(E)
pata_acpi(E) fuse(E) qemu_fw_cfg(E)
[ 214.242915] Unloaded tainted modules: snd_pcsp(E):1 hv_vmbus(E):1
padlock_aes(E):2
[ 214.242919] CPU: 6 UID: 0 PID: 2258 Comm: insmod Tainted: G W
OE 6.16.0-rc4-custombuild #139 PREEMPT(lazy)
[ 214.242921] Tainted: [W]=WARN, [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
[ 214.242921] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014
[ 214.242922] RIP: 0010:stack_depot_print+0x43/0x50
[ 214.242924] Code: ff ff 48 85 c0 74 17 8b 70 14 85 f6 74 0b 48 8d 78
20 31 d2 e9 2e eb 85 fe c3 cc cc cc cc 48 c7 c7 40 61 c8 a5 e8 8d 28 58
fe <0f> 0b c3 cc cc cc cc 66 0f 1f 44 00 00 90 90 90 90 90 90 90 90 90
[ 214.242925] RSP: 0018:ffff88814269fb10 EFLAGS: 00010046
[ 214.242926] RAX: 0000000000000000 RBX: ffffea000509a600 RCX:
0000000000000001
[ 214.242927] RDX: 1ffff110284d3f4a RSI: 0000000000000004 RDI:
ffff88848ab2cf48
[ 214.242928] RBP: ffff88814269fee0 R08: ffffffffa1f4e7dc R09:
ffffed10915659e9
[ 214.242929] R10: ffffed10915659ea R11: ffffffffa87b4d46 R12:
ffff88814269fbe0
[ 214.242930] R13: ffffffffa4cf91e6 R14: 00000000fffffffe R15:
ffff88814269fdc8
[ 214.242931] FS: 00007f5dec131740(0000) GS:ffff8884e241d000(0000)
knlGS:0000000000000000
[ 214.242932] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 214.242933] CR2: 0000558a1aca08c0 CR3: 0000000104536000 CR4:
00000000000006f0
[ 214.242935] Call Trace:
[ 214.242935] <TASK>
[ 214.242937] ? console_emit_next_record+0x12b/0x450
[ 214.242939] ? __pfx_console_emit_next_record+0x10/0x10
[ 214.242940] ? __asan_memmove+0x3c/0x60
[ 214.242942] ? console_flush_all+0x36c/0x570
[ 214.242944] ? __pfx_console_flush_all+0x10/0x10
[ 214.242946] ? __pfx_final_poc_init+0x10/0x10
[006_state_corruption_poc_reduce_size]
[ 214.242947] ? console_unlock+0xbf/0x240
[ 214.242949] ? __pfx_console_unlock+0x10/0x10
[ 214.242950] ? __down_trylock_console_sem.isra.0+0x2e/0x50
[ 214.242952] ? vprintk_emit+0x412/0x4b0
[ 214.242954] ? __pfx_vprintk_emit+0x10/0x10
[ 214.242956] ? __pfx_final_poc_init+0x10/0x10
[006_state_corruption_poc_reduce_size]
[ 214.242958] ? _printk+0xc7/0x100
[ 214.242959] ? __pfx__printk+0x10/0x10
[ 214.242961] ? __pfx_final_poc_init+0x10/0x10
[006_state_corruption_poc_reduce_size]
[ 214.242963] ? final_poc_init+0xd7/0xff0
[006_state_corruption_poc_reduce_size]
[ 214.242965] ? __pfx_final_poc_init+0x10/0x10
[006_state_corruption_poc_reduce_size]
[ 214.243090] ? do_one_initcall+0xa4/0x380
[ 214.243091] ? __pfx_do_one_initcall+0x10/0x10
[ 214.243093] ? kasan_unpoison+0x44/0x70
[ 214.243095] ? do_init_module+0x2cc/0x8e0
[ 214.243097] ? __pfx_do_init_module+0x10/0x10
[ 214.243098] ? netfs_unbuffered_read_iter_locked+0x47f/0x980 [netfs]
[ 214.243110] ? init_module_from_file+0xe1/0x150
[ 214.243111] ? __pfx_init_module_from_file+0x10/0x10
[ 214.243113] ? vfs_read+0x6da/0xa40
[ 214.243114] ? _raw_spin_lock+0x83/0xe0
[ 214.243116] ? __pfx__raw_spin_lock+0x10/0x10
[ 214.243117] ? cred_has_capability.isra.0+0x12c/0x220
[ 214.243119] ? idempotent_init_module+0x224/0x750
[ 214.243121] ? __pfx_idempotent_init_module+0x10/0x10
[ 214.243122] ? fdget+0x53/0x4a0
[ 214.243123] ? security_capable+0x87/0x150
[ 214.243126] ? __x64_sys_finit_module+0xcd/0x150
[ 214.243127] ? do_syscall_64+0x82/0x2c0
[ 214.243129] ? count_memcg_events+0x1aa/0x410
[ 214.243130] ? handle_mm_fault+0x492/0x910
[ 214.243132] ? do_user_addr_fault+0x4b0/0xa30
[ 214.243134] ? exc_page_fault+0x75/0xd0
[ 214.243135] ? entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 214.243137] </TASK>
[ 214.243138] ---[ end trace 0000000000000000 ]---
[ 214.243138]
[ 214.243139] Second to last potentially related work creation:
[ 214.243139] ------------[ cut here ]------------
[ 214.243140] pool index 131070 out of bounds (339) for stack id
ffffffff
[ 214.243148] WARNING: CPU: 6 PID: 2258 at lib/stackdepot.c:451
depot_fetch_stack+0x68/0xb0
[ 214.243150] Modules linked in:
006_state_corruption_poc_reduce_size(OE+) 9p(E) rfkill(E) isofs(E)
binfmt_misc(E) vfat(E) fat(E) ppdev(E) parport_pc(E) snd_pcm(E)
parport(E) snd_timer(E) snd(E) virtio_net(E) soundcore(E)
net_failover(E) joydev(E) bochs(E) failover(E) i2c_piix4(E) pcspkr(E)
i2c_smbus(E) loop(E) nfnetlink(E) vsock_loopback(E)
vmw_vsock_virtio_transport_common(E) vmw_vsock_vmci_transport(E)
vsock(E) zram(E) vmw_vmci(E) lz4hc_compress(E) lz4_compress(E)
9pnet_virtio(E) 9pnet(E) floppy(E) netfs(E) serio_raw(E) ata_generic(E)
pata_acpi(E) fuse(E) qemu_fw_cfg(E)
[ 214.243171] Unloaded tainted modules: snd_pcsp(E):1 hv_vmbus(E):1
padlock_aes(E):2
[ 214.243174] CPU: 6 UID: 0 PID: 2258 Comm: insmod Tainted: G W
OE 6.16.0-rc4-custombuild #139 PREEMPT(lazy)
[ 214.243176] Tainted: [W]=WARN, [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
[ 214.243176] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014
[ 214.243177] RIP: 0010:depot_fetch_stack+0x68/0xb0
[ 214.243179] Code: c1 e7 04 81 e7 f0 3f 00 00 48 01 f8 8b 50 1c 85 d2
74 2a 48 83 c4 10 e9 16 a2 91 01 89 f9 48 c7 c7 08 61 c8 a5 e8 68 2f 58
fe <0f> 0b 31 c0 48 83 c4 10 c3 cc cc cc cc 0f 0b 31 c0 eb f1 0f 0b 31
[ 214.243180] RSP: 0018:ffff88814269faf8 EFLAGS: 00010046
[ 214.243181] RAX: 0000000000000000 RBX: ffffea000509a600 RCX:
0000000000000001
[ 214.243182] RDX: 1ffff110284d3f47 RSI: 0000000000000004 RDI:
ffff88848ab2cf48
[ 214.243183] RBP: ffff88814269fee0 R08: ffffffffa1f4e7dc R09:
ffffed10915659e9
[ 214.243184] R10: ffffed10915659ea R11: 0000000000000001 R12:
ffff88814269fbe0
[ 214.243185] R13: ffffffffa4cf91e6 R14: 00000000fffffffe R15:
ffff88814269fdc8
[ 214.243186] FS: 00007f5dec131740(0000) GS:ffff8884e241d000(0000)
knlGS:0000000000000000
[ 214.243187] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 214.243187] CR2: 0000558a1aca08c0 CR3: 0000000104536000 CR4:
00000000000006f0
[ 214.243189] Call Trace:
[ 214.243190] <TASK>
[ 214.243192] ? console_emit_next_record+0x12b/0x450
[ 214.243193] ? __pfx_console_emit_next_record+0x10/0x10
[ 214.243194] ? __asan_memmove+0x3c/0x60
[ 214.243197] ? console_flush_all+0x36c/0x570
[ 214.243198] ? __pfx_console_flush_all+0x10/0x10
[ 214.243200] ? __pfx_final_poc_init+0x10/0x10
[006_state_corruption_poc_reduce_size]
[ 214.243202] ? console_unlock+0xbf/0x240
[ 214.243203] ? __pfx_console_unlock+0x10/0x10
[ 214.243205] ? __down_trylock_console_sem.isra.0+0x2e/0x50
[ 214.243207] ? vprintk_emit+0x412/0x4b0
[ 214.243208] ? __pfx_vprintk_emit+0x10/0x10
[ 214.243210] ? __pfx_final_poc_init+0x10/0x10
[006_state_corruption_poc_reduce_size]
[ 214.243212] ? _printk+0xc7/0x100
[ 214.243214] ? __pfx__printk+0x10/0x10
[ 214.243216] ? __pfx_final_poc_init+0x10/0x10
[006_state_corruption_poc_reduce_size]
[ 214.243217] ? final_poc_init+0xd7/0xff0
[006_state_corruption_poc_reduce_size]
[ 214.243219] ? __pfx_final_poc_init+0x10/0x10
[006_state_corruption_poc_reduce_size]
[ 214.243344] ? do_one_initcall+0xa4/0x380
[ 214.243346] ? __pfx_do_one_initcall+0x10/0x10
[ 214.243347] ? kasan_unpoison+0x44/0x70
[ 214.243350] ? do_init_module+0x2cc/0x8e0
[ 214.243351] ? __pfx_do_init_module+0x10/0x10
[ 214.243353] ? netfs_unbuffered_read_iter_locked+0x47f/0x980 [netfs]
[ 214.243364] ? init_module_from_file+0xe1/0x150
[ 214.243365] ? __pfx_init_module_from_file+0x10/0x10
[ 214.243367] ? vfs_read+0x6da/0xa40
[ 214.243369] ? _raw_spin_lock+0x83/0xe0
[ 214.243370] ? __pfx__raw_spin_lock+0x10/0x10
[ 214.243371] ? cred_has_capability.isra.0+0x12c/0x220
[ 214.243373] ? idempotent_init_module+0x224/0x750
[ 214.243375] ? __pfx_idempotent_init_module+0x10/0x10
[ 214.243376] ? fdget+0x53/0x4a0
[ 214.243377] ? security_capable+0x87/0x150
[ 214.243380] ? __x64_sys_finit_module+0xcd/0x150
[ 214.243381] ? do_syscall_64+0x82/0x2c0
[ 214.243383] ? count_memcg_events+0x1aa/0x410
[ 214.243384] ? handle_mm_fault+0x492/0x910
[ 214.243386] ? do_user_addr_fault+0x4b0/0xa30
[ 214.243388] ? exc_page_fault+0x75/0xd0
[ 214.243389] ? entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 214.243391] </TASK>
[ 214.243392] ---[ end trace 0000000000000000 ]---
[ 214.243392] ------------[ cut here ]------------
[ 214.243393] corrupt handle or use after stack_depot_put()
[ 214.243401] WARNING: CPU: 6 PID: 2258 at lib/stackdepot.c:723
stack_depot_print+0x43/0x50
[ 214.243403] Modules linked in:
006_state_corruption_poc_reduce_size(OE+) 9p(E) rfkill(E) isofs(E)
binfmt_misc(E) vfat(E) fat(E) ppdev(E) parport_pc(E) snd_pcm(E)
parport(E) snd_timer(E) snd(E) virtio_net(E) soundcore(E)
net_failover(E) joydev(E) bochs(E) failover(E) i2c_piix4(E) pcspkr(E)
i2c_smbus(E) loop(E) nfnetlink(E) vsock_loopback(E)
vmw_vsock_virtio_transport_common(E) vmw_vsock_vmci_transport(E)
vsock(E) zram(E) vmw_vmci(E) lz4hc_compress(E) lz4_compress(E)
9pnet_virtio(E) 9pnet(E) floppy(E) netfs(E) serio_raw(E) ata_generic(E)
pata_acpi(E) fuse(E) qemu_fw_cfg(E)
[ 214.243423] Unloaded tainted modules: snd_pcsp(E):1 hv_vmbus(E):1
padlock_aes(E):2
[ 214.243426] CPU: 6 UID: 0 PID: 2258 Comm: insmod Tainted: G W
OE 6.16.0-rc4-custombuild #139 PREEMPT(lazy)
[ 214.243428] Tainted: [W]=WARN, [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
[ 214.243429] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014
[ 214.243429] RIP: 0010:stack_depot_print+0x43/0x50
[ 214.243431] Code: ff ff 48 85 c0 74 17 8b 70 14 85 f6 74 0b 48 8d 78
20 31 d2 e9 2e eb 85 fe c3 cc cc cc cc 48 c7 c7 40 61 c8 a5 e8 8d 28 58
fe <0f> 0b c3 cc cc cc cc 66 0f 1f 44 00 00 90 90 90 90 90 90 90 90 90
[ 214.243432] RSP: 0018:ffff88814269fb10 EFLAGS: 00010046
[ 214.243433] RAX: 0000000000000000 RBX: ffffea000509a600 RCX:
0000000000000001
[ 214.243434] RDX: 1ffff110284d3f4a RSI: 0000000000000004 RDI:
ffff88848ab2cf48
[ 214.243435] RBP: ffff88814269fee0 R08: ffffffffa1f4e7dc R09:
ffffed10915659e9
[ 214.243436] R10: ffffed10915659ea R11: ffffffffa87b6f46 R12:
ffff88814269fbe0
[ 214.243437] R13: ffffffffa4cf91e6 R14: 00000000fffffffe R15:
ffff88814269fdc8
[ 214.243438] FS: 00007f5dec131740(0000) GS:ffff8884e241d000(0000)
knlGS:0000000000000000
[ 214.243439] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 214.243440] CR2: 0000558a1aca08c0 CR3: 0000000104536000 CR4:
00000000000006f0
[ 214.243441] Call Trace:
[ 214.243442] <TASK>
[ 214.243444] ? console_emit_next_record+0x12b/0x450
[ 214.243445] ? __pfx_console_emit_next_record+0x10/0x10
[ 214.243446] ? __asan_memmove+0x3c/0x60
[ 214.243449] ? console_flush_all+0x36c/0x570
[ 214.243450] ? __pfx_console_flush_all+0x10/0x10
[ 214.243452] ? __pfx_final_poc_init+0x10/0x10
[006_state_corruption_poc_reduce_size]
[ 214.243454] ? console_unlock+0xbf/0x240
[ 214.243455] ? __pfx_console_unlock+0x10/0x10
[ 214.243457] ? __down_trylock_console_sem.isra.0+0x2e/0x50
[ 214.243459] ? vprintk_emit+0x412/0x4b0
[ 214.243460] ? __pfx_vprintk_emit+0x10/0x10
[ 214.243462] ? __pfx_final_poc_init+0x10/0x10
[006_state_corruption_poc_reduce_size]
[ 214.243464] ? _printk+0xc7/0x100
[ 214.243466] ? __pfx__printk+0x10/0x10
[ 214.243468] ? __pfx_final_poc_init+0x10/0x10
[006_state_corruption_poc_reduce_size]
[ 214.243469] ? final_poc_init+0xd7/0xff0
[006_state_corruption_poc_reduce_size]
[ 214.243471] ? __pfx_final_poc_init+0x10/0x10
[006_state_corruption_poc_reduce_size]
[ 214.243596] ? do_one_initcall+0xa4/0x380
[ 214.243598] ? __pfx_do_one_initcall+0x10/0x10
[ 214.243600] ? kasan_unpoison+0x44/0x70
[ 214.243602] ? do_init_module+0x2cc/0x8e0
[ 214.243603] ? __pfx_do_init_module+0x10/0x10
[ 214.243605] ? netfs_unbuffered_read_iter_locked+0x47f/0x980 [netfs]
[ 214.243616] ? init_module_from_file+0xe1/0x150
[ 214.243617] ? __pfx_init_module_from_file+0x10/0x10
[ 214.243618] ? vfs_read+0x6da/0xa40
[ 214.243620] ? _raw_spin_lock+0x83/0xe0
[ 214.243622] ? __pfx__raw_spin_lock+0x10/0x10
[ 214.243623] ? cred_has_capability.isra.0+0x12c/0x220
[ 214.243625] ? idempotent_init_module+0x224/0x750
[ 214.243626] ? __pfx_idempotent_init_module+0x10/0x10
[ 214.243628] ? fdget+0x53/0x4a0
[ 214.243629] ? security_capable+0x87/0x150
[ 214.243631] ? __x64_sys_finit_module+0xcd/0x150
[ 214.243633] ? do_syscall_64+0x82/0x2c0
[ 214.243634] ? count_memcg_events+0x1aa/0x410
[ 214.243636] ? handle_mm_fault+0x492/0x910
[ 214.243638] ? do_user_addr_fault+0x4b0/0xa30
[ 214.243640] ? exc_page_fault+0x75/0xd0
[ 214.243641] ? entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 214.243643] </TASK>
[ 214.243643] ---[ end trace 0000000000000000 ]---
[ 214.243644]
[ 214.243645] The buggy address belongs to the object at
ffff88814269e600
[ 214.243645] which belongs to the cache names_cache of size 4096
[ 214.243646] The buggy address is located 2272 bytes to the right of
[ 214.243646] allocated 4096-byte region [ffff88814269e600,
ffff88814269f600)
[ 214.243648]
[ 214.243648] The buggy address belongs to the physical page:
[ 214.243649] page: refcount:0 mapcount:0 mapping:0000000000000000
index:0x0 pfn:0x142698
[ 214.243651] head: order:3 mapcount:0 entire_mapcount:0
nr_pages_mapped:0 pincount:0
[ 214.243652] anon flags:
0x17ffffc0000040(head|node=0|zone=2|lastcpupid=0x1fffff)
[ 214.243654] page_type: f5(slab)
[ 214.243656] raw: 0017ffffc0000040 ffff88810039d680 0000000000000000
dead000000000001
[ 214.243658] raw: 0000000000000000 0000000000070007 00000000f5000000
0000000000000000
[ 214.243659] head: 0017ffffc0000040 ffff88810039d680 0000000000000000
dead000000000001
[ 214.243660] head: 0000000000000000 0000000000070007 00000000f5000000
0000000000000000
[ 214.243661] head: 0017ffffc0000003 ffffea000509a601 00000000ffffffff
00000000ffffffff
[ 214.243662] head: ffffffffffffffff 0000000000000000 00000000ffffffff
0000000000000008
[ 214.243663] page dumped because: kasan: bad access detected
[ 214.243663]
[ 214.243664] Memory state around the buggy address:
[ 214.243665] ffff88814269fd80: 00 00 00 00 00 f1 f1 f1 f1 00 00 00
f3 f3 f3 f3
[ 214.243666] ffff88814269fe00: f3 fc fc fc fc fc 00 00 00 00 00 00
00 00 00 00
[ 214.243667] >ffff88814269fe80: 00 00 00 00 00 00 00 00 f1 f1 f1 f1
fc fc fc fc
[ 214.243668] ^
[ 214.243669] ffff88814269ff00: f3 f3 f3 f3 00 00 00 00 00 00 00 00
00 00 00 00
[ 214.243670] ffff88814269ff80: 00 00 f1 f1 f1 f1 00 00 00 f2 f2 f2
f2 f2 00 00
[ 214.243671]
==================================================================
[ 214.243695] Disabling lock debugging due to kernel taint
[ 214.403690] Kernel panic - not syncing: corrupted stack end detected
inside scheduler
[ 214.404200] CPU: 6 UID: 0 PID: 2258 Comm: insmod Tainted: G B W
OE 6.16.0-rc4-custombuild #139 PREEMPT(lazy)
[ 214.404904] Tainted: [B]=BAD_PAGE, [W]=WARN, [O]=OOT_MODULE,
[E]=UNSIGNED_MODULE
[ 214.405459] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014
[ 214.406193] Call Trace:
[ 214.406558] <TASK>
[ 214.406910] ? dump_stack_lvl+0x5d/0x80
[ 214.407336] ? panic+0x257/0x4eb
[ 214.407738] ? __pfx_panic+0x10/0x10
[ 214.408147] ? __asan_memcpy+0x3c/0x60
[ 214.408564] ? this_cpu_in_panic+0x1a/0x70
[ 214.408994] ? _prb_read_valid+0x166/0x2e0
[ 214.409423] ? this_cpu_in_panic+0x1a/0x70
[ 214.409855] ? __pfx_final_poc_init+0x10/0x10
[006_state_corruption_poc_reduce_size]
[ 214.410438] ? __schedule+0x17b1/0x17c0
[ 214.410865] ? __pfx___schedule+0x10/0x10
[ 214.411296] ? __pfx_final_poc_init+0x10/0x10
[006_state_corruption_poc_reduce_size]
[ 214.411889] ? __pfx_prb_read_valid+0x10/0x10
[ 214.412341] ? console_unlock+0xe5/0x240
[ 214.412776] ? __pfx_final_poc_init+0x10/0x10
[006_state_corruption_poc_reduce_size]
[ 214.413368] ? preempt_schedule+0x53/0x90
[ 214.413811] ? preempt_schedule_thunk+0x16/0x30
[ 214.414273] ? this_cpu_in_panic+0x1a/0x70
[ 214.414714] ? vprintk_emit+0x35c/0x4b0
[ 214.415144] ? __pfx_vprintk_emit+0x10/0x10
[ 214.415584] ? __pfx_final_poc_init+0x10/0x10
[006_state_corruption_poc_reduce_size]
[ 214.416176] ? _printk+0xc7/0x100
[ 214.416582] ? __pfx__printk+0x10/0x10
[ 214.417006] ? __pfx_final_poc_init+0x10/0x10
[006_state_corruption_poc_reduce_size]
[ 214.417591] ? final_poc_init+0xd7/0xff0
[006_state_corruption_poc_reduce_size]
[ 214.418160] ? __pfx_final_poc_init+0x10/0x10
[006_state_corruption_poc_reduce_size]
[ 214.418871] ? do_one_initcall+0xa4/0x380
[ 214.419302] ? __pfx_do_one_initcall+0x10/0x10
[ 214.419752] ? kasan_unpoison+0x44/0x70
[ 214.420174] ? do_init_module+0x2cc/0x8e0
[ 214.420599] ? __pfx_do_init_module+0x10/0x10
[ 214.421043] ? netfs_unbuffered_read_iter_locked+0x47f/0x980 [netfs]
[ 214.421580] ? init_module_from_file+0xe1/0x150
[ 214.422033] ? __pfx_init_module_from_file+0x10/0x10
[ 214.422497] ? vfs_read+0x6da/0xa40
[ 214.422904] ? _raw_spin_lock+0x83/0xe0
[ 214.423322] ? __pfx__raw_spin_lock+0x10/0x10
[ 214.423760] ? cred_has_capability.isra.0+0x12c/0x220
[ 214.424225] ? idempotent_init_module+0x224/0x750
[ 214.424675] ? __pfx_idempotent_init_module+0x10/0x10
[ 214.425139] ? fdget+0x53/0x4a0
[ 214.425520] ? security_capable+0x87/0x150
[ 214.425942] ? __x64_sys_finit_module+0xcd/0x150
[ 214.426380] ? do_syscall_64+0x82/0x2c0
[ 214.426787] ? count_memcg_events+0x1aa/0x410
[ 214.427210] ? handle_mm_fault+0x492/0x910
[ 214.427614] ? do_user_addr_fault+0x4b0/0xa30
[ 214.428026] ? exc_page_fault+0x75/0xd0
[ 214.428407] ? entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 214.428841] </TASK>
[ 214.429413] Kernel Offset: 0x20400000 from 0xffffffff81000000
(relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 214.430091] ---[ end Kernel panic - not syncing: corrupted stack end
detected inside scheduler ]---

This is my first time reporting a bug on the mailing list, so please
let me know if any additional information or formatting is required.

Thank you,
Shardul Bankar

Next message: Nilawar, Badal: "Re: [PATCH v4 02/10] mei: late_bind: add late binding component driver"
Previous message: Sean Anderson: "Re: [PATCH net-next v2 13/18] net: macb: avoid double endianness swap in macb_set_hwaddr()"
Next in thread: Pedro Falcato: "Re: [BUG] KASAN: slab-out-of-bounds in vsnprintf triggered by large stack frame"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]