KASAN: global-out-of-bounds Read in __blockdev_direct_IO


syzbot

Aug 17, 2019, 3:43:06 AM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 62872f95 Merge 4.4.174 into android-4.4
git tree: android-4.4
console output: https://syzkaller.appspot.com/x/log.txt?x=1568b25a600000
kernel config: https://syzkaller.appspot.com/x/.config?x=47bc4dd423780c4a
dashboard link: https://syzkaller.appspot.com/bug?extid=91b58f4242136fb7bf50
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10e403ee600000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1390a3ee600000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+91b58f...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: global-out-of-bounds in __read_once_size include/linux/compiler.h:218 [inline]
BUG: KASAN: global-out-of-bounds in PageTail include/linux/page-flags.h:400 [inline]
BUG: KASAN: global-out-of-bounds in get_page include/linux/mm.h:508 [inline]
BUG: KASAN: global-out-of-bounds in submit_page_section fs/direct-io.c:813 [inline]
BUG: KASAN: global-out-of-bounds in do_direct_IO fs/direct-io.c:1033 [inline]
BUG: KASAN: global-out-of-bounds in do_blockdev_direct_IO fs/direct-io.c:1256 [inline]
BUG: KASAN: global-out-of-bounds in __blockdev_direct_IO+0x9209/0xb030 fs/direct-io.c:1342
Read of size 8 at addr ffffffff8284b220 by task syz-executor533/2057

CPU: 0 PID: 2057 Comm: syz-executor533 Not tainted 4.4.174+ #4
0000000000000000 394af2dd16140742 ffff8800b72c71d0 ffffffff81aad1a1
0000000000000000 0000000000000000 ffffffff8284b220 0000000000000008
ffff8800b6c34000 ffff8800b72c7208 ffffffff81490120 0000000000000000
Call Trace:
[<ffffffff81aad1a1>] __dump_stack lib/dump_stack.c:15 [inline]
[<ffffffff81aad1a1>] dump_stack+0xc1/0x120 lib/dump_stack.c:51
[<ffffffff81490120>] print_address_description+0x6f/0x21b mm/kasan/report.c:252
[<ffffffff81490358>] kasan_report_error mm/kasan/report.c:351 [inline]
[<ffffffff81490358>] kasan_report mm/kasan/report.c:408 [inline]
[<ffffffff81490358>] kasan_report.cold+0x8c/0x2be mm/kasan/report.c:393
[<ffffffff81484ed4>] __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:429
[<ffffffff8155cfa9>] __read_once_size include/linux/compiler.h:218 [inline]
[<ffffffff8155cfa9>] PageTail include/linux/page-flags.h:400 [inline]
[<ffffffff8155cfa9>] get_page include/linux/mm.h:508 [inline]
[<ffffffff8155cfa9>] submit_page_section fs/direct-io.c:813 [inline]
[<ffffffff8155cfa9>] do_direct_IO fs/direct-io.c:1033 [inline]
[<ffffffff8155cfa9>] do_blockdev_direct_IO fs/direct-io.c:1256 [inline]
[<ffffffff8155cfa9>] __blockdev_direct_IO+0x9209/0xb030 fs/direct-io.c:1342
[<ffffffff8173cf01>] blockdev_direct_IO include/linux/fs.h:2789 [inline]
[<ffffffff8173cf01>] ext4_ind_direct_IO+0x3e1/0xb90 fs/ext4/indirect.c:709
[<ffffffff8163fe21>] ext4_ext_direct_IO fs/ext4/inode.c:3233 [inline]
[<ffffffff8163fe21>] ext4_direct_IO+0x8c1/0x2a80 fs/ext4/inode.c:3405
[<ffffffff813bcae6>] generic_file_direct_write+0x276/0x4f0 mm/filemap.c:2493
[<ffffffff813bcfa5>] __generic_file_write_iter+0x245/0x540 mm/filemap.c:2673
[<ffffffff81633d3c>] ext4_file_write_iter+0x9ec/0xc70 fs/ext4/file.c:171
[<ffffffff81496220>] vfs_iter_write+0x1d0/0x3f0 fs/read_write.c:364
[<ffffffff81534731>] iter_file_splice_write+0x5c1/0xb30 fs/splice.c:1024
[<ffffffff81537d31>] do_splice_from fs/splice.c:1128 [inline]
[<ffffffff81537d31>] do_splice fs/splice.c:1404 [inline]
[<ffffffff81537d31>] SYSC_splice fs/splice.c:1707 [inline]
[<ffffffff81537d31>] SyS_splice+0xd71/0x13a0 fs/splice.c:1690
[<ffffffff82718ba1>] entry_SYSCALL_64_fastpath+0x1e/0x9a

The buggy address belongs to the variable:
sched_tunable_scaling_names+0x380/0x4740

Memory state around the buggy address:
ffffffff8284b100: 00 00 00 00 00 01 fa fa fa fa fa fa 00 00 07 fa
ffffffff8284b180: fa fa fa fa 00 00 00 00 00 04 fa fa fa fa fa fa
> ffffffff8284b200: 00 00 00 03 fa fa fa fa 00 07 fa fa fa fa fa fa
^
ffffffff8284b280: 00 00 00 fa fa fa fa fa 00 00 07 fa fa fa fa fa
ffffffff8284b300: 00 06 fa fa fa fa fa fa 00 00 05 fa fa fa fa fa
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches