[PATCH] block: add error handling for device_add_disk / add_disk
25 views
Skip to first unread message
Tadeusz Struk
May 25, 2022, 8:54:03 PM5/25/22
to syzbot+badfd0...@syzkaller.appspotmail.com, syzkaller-a...@googlegroups.com, tadeus...@linaro.org
#syz test: https://android.googlesource.com/kernel/common android12-5.10-lts
==========================================
diff --git a/block/genhd.c b/block/genhd.c
index 796baf761202..d71821c6ad6a 100644
--- a/block/genhd.c
+++ b/block/genhd.c
@@ -692,69 +692,6 @@ static void disk_scan_partitions(struct gendisk *disk)
blkdev_put(bdev, FMODE_READ);
}
-static void register_disk(struct device *parent, struct gendisk *disk,
- const struct attribute_group **groups)
-{
- struct device *ddev = disk_to_dev(disk);
- struct disk_part_iter piter;
- struct hd_struct *part;
- int err;
-
- ddev->parent = parent;
-
- dev_set_name(ddev, "%s", disk->disk_name);
-
- /* delay uevents, until we scanned partition table */
- dev_set_uevent_suppress(ddev, 1);
-
- if (groups) {
- WARN_ON(ddev->groups);
- ddev->groups = groups;
- }
- if (device_add(ddev))
- return;
- if (!sysfs_deprecated) {
- err = sysfs_create_link(block_depr, &ddev->kobj,
- kobject_name(&ddev->kobj));
- if (err) {
- device_del(ddev);
- return;
- }
- }
-
- /*
- * avoid probable deadlock caused by allocating memory with
- * GFP_KERNEL in runtime_resume callback of its all ancestor
- * devices
- */
- pm_runtime_set_memalloc_noio(ddev, true);
-
- disk->part0.holder_dir = kobject_create_and_add("holders", &ddev->kobj);
- disk->slave_dir = kobject_create_and_add("slaves", &ddev->kobj);
-
- if (disk->flags & GENHD_FL_HIDDEN)
- return;
-
- disk_scan_partitions(disk);
-
- /* announce disk after possible partitions are created */
- dev_set_uevent_suppress(ddev, 0);
- kobject_uevent(&ddev->kobj, KOBJ_ADD);
-
- /* announce possible partitions */
- disk_part_iter_init(&piter, disk, 0);
- while ((part = disk_part_iter_next(&piter)))
- kobject_uevent(&part_to_dev(part)->kobj, KOBJ_ADD);
- disk_part_iter_exit(&piter);
-
- if (disk->queue->backing_dev_info->dev) {
- err = sysfs_create_link(&ddev->kobj,
- &disk->queue->backing_dev_info->dev->kobj,
- "bdi");
- WARN_ON(err);
- }
-}
-
/**
* __device_add_disk - add disk information to kernel list
* @parent: parent device for the disk
@@ -764,13 +701,14 @@ static void register_disk(struct device *parent, struct gendisk *disk,
*
* This function registers the partitioning information in @disk
* with the kernel.
- *
- * FIXME: error handling
*/
-static void __device_add_disk(struct device *parent, struct gendisk *disk,
- const struct attribute_group **groups,
- bool register_queue)
+static int __device_add_disk(struct device *parent, struct gendisk *disk,
+ const struct attribute_group **groups,
+ bool register_queue)
{
+ struct device *ddev = disk_to_dev(disk);
+ struct disk_part_iter piter;
+ struct hd_struct *part;
dev_t devt;
int retval;
@@ -794,15 +732,12 @@ static void __device_add_disk(struct device *parent, struct gendisk *disk,
disk->flags |= GENHD_FL_UP;
retval = blk_alloc_devt(&disk->part0, &devt);
- if (retval) {
- WARN_ON(1);
- return;
- }
+ if (retval)
+ return retval;
+
disk->major = MAJOR(devt);
disk->first_minor = MINOR(devt);
-
disk_alloc_events(disk);
-
if (disk->flags & GENHD_FL_HIDDEN) {
/*
* Don't let hidden disks show up in /proc/partitions,
@@ -813,17 +748,71 @@ static void __device_add_disk(struct device *parent, struct gendisk *disk,
} else {
struct backing_dev_info *bdi = disk->queue->backing_dev_info;
struct device *dev = disk_to_dev(disk);
- int ret;
/* Register BDI before referencing it from bdev */
dev->devt = devt;
- ret = bdi_register(bdi, "%u:%u", MAJOR(devt), MINOR(devt));
- WARN_ON(ret);
+ retval = bdi_register(bdi, "%u:%u", MAJOR(devt), MINOR(devt));
+ if (retval)
+ goto out_free_devt;
bdi_set_owner(bdi, dev);
blk_register_region(disk_devt(disk), disk->minors, NULL,
exact_match, exact_lock, disk);
}
- register_disk(parent, disk, groups);
+
+ ddev->parent = parent;
+ dev_set_name(ddev, "%s", disk->disk_name);
+
+ /* delay uevents, until we scanned partition table */
+ dev_set_uevent_suppress(ddev, 1);
+
+ if (groups) {
+ WARN_ON(ddev->groups);
+ ddev->groups = groups;
+ }
+
+ retval = device_add(ddev);
+ if (retval)
+ goto out_unregister_bdi;
+
+ if (!sysfs_deprecated) {
+ retval = sysfs_create_link(block_depr, &ddev->kobj,
+ kobject_name(&ddev->kobj));
+ if (retval)
+ goto out_device_del;
+ }
+
+ /*
+ * avoid probable deadlock caused by allocating memory with
+ * GFP_KERNEL in runtime_resume callback of its all ancestor
+ * devices
+ */
+ pm_runtime_set_memalloc_noio(ddev, true);
+
+ disk->part0.holder_dir = kobject_create_and_add("holders", &ddev->kobj);
+ disk->slave_dir = kobject_create_and_add("slaves", &ddev->kobj);
+
+ if (!(disk->flags & GENHD_FL_HIDDEN)) {
+
+ disk_scan_partitions(disk);
+
+ /* announce disk after possible partitions are created */
+ dev_set_uevent_suppress(ddev, 0);
+ kobject_uevent(&ddev->kobj, KOBJ_ADD);
+
+ /* announce possible partitions */
+ disk_part_iter_init(&piter, disk, 0);
+ while ((part = disk_part_iter_next(&piter)))
+ kobject_uevent(&part_to_dev(part)->kobj, KOBJ_ADD);
+ disk_part_iter_exit(&piter);
+
+ if (disk->queue->backing_dev_info->dev) {
+ retval = sysfs_create_link(&ddev->kobj,
+ &disk->queue->backing_dev_info->dev->kobj, "bdi");
+ if (retval)
+ goto out_put_slave_dir;
+ }
+ }
+
if (register_queue)
blk_register_queue(disk);
@@ -832,16 +821,28 @@ static void __device_add_disk(struct device *parent, struct gendisk *disk,
* so that it sticks around as long as @disk is there.
*/
WARN_ON_ONCE(!blk_get_queue(disk->queue));
-
disk_add_events(disk);
blk_integrity_add(disk);
+ return 0;
+
+out_device_del:
+ device_del(ddev);
+out_put_slave_dir:
+ kobject_put(disk->slave_dir);
+ kobject_put(disk->part0.holder_dir);
+out_unregister_bdi:
+ if (!(disk->flags & GENHD_FL_HIDDEN))
+ bdi_unregister(disk->queue->backing_dev_info);
+out_free_devt:
+ blk_free_devt(devt);
+
+ return retval;
}
-void device_add_disk(struct device *parent, struct gendisk *disk,
+int device_add_disk(struct device *parent, struct gendisk *disk,
const struct attribute_group **groups)
-
{
- __device_add_disk(parent, disk, groups, true);
+ return __device_add_disk(parent, disk, groups, true);
}
EXPORT_SYMBOL(device_add_disk);
diff --git a/drivers/block/loop.c b/drivers/block/loop.c
index e4517d483bdc..debda0f5ea11 100644
--- a/drivers/block/loop.c
+++ b/drivers/block/loop.c
@@ -2163,7 +2163,11 @@ static int loop_add(struct loop_device **l, int i)
disk->private_data = lo;
disk->queue = lo->lo_queue;
sprintf(disk->disk_name, "loop%d", i);
- add_disk(disk);
+
+ /* Make this loop device reachable from pathname. */
+ err = add_disk(disk);
+ if (err)
+ goto out_free_queue;
*l = lo;
return lo->lo_number;
diff --git a/include/linux/genhd.h b/include/linux/genhd.h
index 03da3f603d30..3bcce4864337 100644
--- a/include/linux/genhd.h
+++ b/include/linux/genhd.h
@@ -288,11 +288,11 @@ extern void disk_part_iter_exit(struct disk_part_iter *piter);
extern bool disk_has_partitions(struct gendisk *disk);
/* block/genhd.c */
-extern void device_add_disk(struct device *parent, struct gendisk *disk,
- const struct attribute_group **groups);
-static inline void add_disk(struct gendisk *disk)
+int device_add_disk(struct device *parent, struct gendisk *disk,
+ const struct attribute_group **groups);
+static inline int add_disk(struct gendisk *disk)
{
- device_add_disk(NULL, disk, NULL);
+ return device_add_disk(NULL, disk, NULL);
}
extern void device_add_disk_no_queue_reg(struct device *parent, struct gendisk *disk);
static inline void add_disk_no_queue_reg(struct gendisk *disk)
--
2.36.1
==========================================
diff --git a/block/genhd.c b/block/genhd.c
index 796baf761202..d71821c6ad6a 100644
--- a/block/genhd.c
+++ b/block/genhd.c
@@ -692,69 +692,6 @@ static void disk_scan_partitions(struct gendisk *disk)
blkdev_put(bdev, FMODE_READ);
}
-static void register_disk(struct device *parent, struct gendisk *disk,
- const struct attribute_group **groups)
-{
- struct device *ddev = disk_to_dev(disk);
- struct disk_part_iter piter;
- struct hd_struct *part;
- int err;
-
- ddev->parent = parent;
-
- dev_set_name(ddev, "%s", disk->disk_name);
-
- /* delay uevents, until we scanned partition table */
- dev_set_uevent_suppress(ddev, 1);
-
- if (groups) {
- WARN_ON(ddev->groups);
- ddev->groups = groups;
- }
- if (device_add(ddev))
- return;
- if (!sysfs_deprecated) {
- err = sysfs_create_link(block_depr, &ddev->kobj,
- kobject_name(&ddev->kobj));
- if (err) {
- device_del(ddev);
- return;
- }
- }
-
- /*
- * avoid probable deadlock caused by allocating memory with
- * GFP_KERNEL in runtime_resume callback of its all ancestor
- * devices
- */
- pm_runtime_set_memalloc_noio(ddev, true);
-
- disk->part0.holder_dir = kobject_create_and_add("holders", &ddev->kobj);
- disk->slave_dir = kobject_create_and_add("slaves", &ddev->kobj);
-
- if (disk->flags & GENHD_FL_HIDDEN)
- return;
-
- disk_scan_partitions(disk);
-
- /* announce disk after possible partitions are created */
- dev_set_uevent_suppress(ddev, 0);
- kobject_uevent(&ddev->kobj, KOBJ_ADD);
-
- /* announce possible partitions */
- disk_part_iter_init(&piter, disk, 0);
- while ((part = disk_part_iter_next(&piter)))
- kobject_uevent(&part_to_dev(part)->kobj, KOBJ_ADD);
- disk_part_iter_exit(&piter);
-
- if (disk->queue->backing_dev_info->dev) {
- err = sysfs_create_link(&ddev->kobj,
- &disk->queue->backing_dev_info->dev->kobj,
- "bdi");
- WARN_ON(err);
- }
-}
-
/**
* __device_add_disk - add disk information to kernel list
* @parent: parent device for the disk
@@ -764,13 +701,14 @@ static void register_disk(struct device *parent, struct gendisk *disk,
*
* This function registers the partitioning information in @disk
* with the kernel.
- *
- * FIXME: error handling
*/
-static void __device_add_disk(struct device *parent, struct gendisk *disk,
- const struct attribute_group **groups,
- bool register_queue)
+static int __device_add_disk(struct device *parent, struct gendisk *disk,
+ const struct attribute_group **groups,
+ bool register_queue)
{
+ struct device *ddev = disk_to_dev(disk);
+ struct disk_part_iter piter;
+ struct hd_struct *part;
dev_t devt;
int retval;
@@ -794,15 +732,12 @@ static void __device_add_disk(struct device *parent, struct gendisk *disk,
disk->flags |= GENHD_FL_UP;
retval = blk_alloc_devt(&disk->part0, &devt);
- if (retval) {
- WARN_ON(1);
- return;
- }
+ if (retval)
+ return retval;
+
disk->major = MAJOR(devt);
disk->first_minor = MINOR(devt);
-
disk_alloc_events(disk);
-
if (disk->flags & GENHD_FL_HIDDEN) {
/*
* Don't let hidden disks show up in /proc/partitions,
@@ -813,17 +748,71 @@ static void __device_add_disk(struct device *parent, struct gendisk *disk,
} else {
struct backing_dev_info *bdi = disk->queue->backing_dev_info;
struct device *dev = disk_to_dev(disk);
- int ret;
/* Register BDI before referencing it from bdev */
dev->devt = devt;
- ret = bdi_register(bdi, "%u:%u", MAJOR(devt), MINOR(devt));
- WARN_ON(ret);
+ retval = bdi_register(bdi, "%u:%u", MAJOR(devt), MINOR(devt));
+ if (retval)
+ goto out_free_devt;
bdi_set_owner(bdi, dev);
blk_register_region(disk_devt(disk), disk->minors, NULL,
exact_match, exact_lock, disk);
}
- register_disk(parent, disk, groups);
+
+ ddev->parent = parent;
+ dev_set_name(ddev, "%s", disk->disk_name);
+
+ /* delay uevents, until we scanned partition table */
+ dev_set_uevent_suppress(ddev, 1);
+
+ if (groups) {
+ WARN_ON(ddev->groups);
+ ddev->groups = groups;
+ }
+
+ retval = device_add(ddev);
+ if (retval)
+ goto out_unregister_bdi;
+
+ if (!sysfs_deprecated) {
+ retval = sysfs_create_link(block_depr, &ddev->kobj,
+ kobject_name(&ddev->kobj));
+ if (retval)
+ goto out_device_del;
+ }
+
+ /*
+ * avoid probable deadlock caused by allocating memory with
+ * GFP_KERNEL in runtime_resume callback of its all ancestor
+ * devices
+ */
+ pm_runtime_set_memalloc_noio(ddev, true);
+
+ disk->part0.holder_dir = kobject_create_and_add("holders", &ddev->kobj);
+ disk->slave_dir = kobject_create_and_add("slaves", &ddev->kobj);
+
+ if (!(disk->flags & GENHD_FL_HIDDEN)) {
+
+ disk_scan_partitions(disk);
+
+ /* announce disk after possible partitions are created */
+ dev_set_uevent_suppress(ddev, 0);
+ kobject_uevent(&ddev->kobj, KOBJ_ADD);
+
+ /* announce possible partitions */
+ disk_part_iter_init(&piter, disk, 0);
+ while ((part = disk_part_iter_next(&piter)))
+ kobject_uevent(&part_to_dev(part)->kobj, KOBJ_ADD);
+ disk_part_iter_exit(&piter);
+
+ if (disk->queue->backing_dev_info->dev) {
+ retval = sysfs_create_link(&ddev->kobj,
+ &disk->queue->backing_dev_info->dev->kobj, "bdi");
+ if (retval)
+ goto out_put_slave_dir;
+ }
+ }
+
if (register_queue)
blk_register_queue(disk);
@@ -832,16 +821,28 @@ static void __device_add_disk(struct device *parent, struct gendisk *disk,
* so that it sticks around as long as @disk is there.
*/
WARN_ON_ONCE(!blk_get_queue(disk->queue));
-
disk_add_events(disk);
blk_integrity_add(disk);
+ return 0;
+
+out_device_del:
+ device_del(ddev);
+out_put_slave_dir:
+ kobject_put(disk->slave_dir);
+ kobject_put(disk->part0.holder_dir);
+out_unregister_bdi:
+ if (!(disk->flags & GENHD_FL_HIDDEN))
+ bdi_unregister(disk->queue->backing_dev_info);
+out_free_devt:
+ blk_free_devt(devt);
+
+ return retval;
}
-void device_add_disk(struct device *parent, struct gendisk *disk,
+int device_add_disk(struct device *parent, struct gendisk *disk,
const struct attribute_group **groups)
-
{
- __device_add_disk(parent, disk, groups, true);
+ return __device_add_disk(parent, disk, groups, true);
}
EXPORT_SYMBOL(device_add_disk);
diff --git a/drivers/block/loop.c b/drivers/block/loop.c
index e4517d483bdc..debda0f5ea11 100644
--- a/drivers/block/loop.c
+++ b/drivers/block/loop.c
@@ -2163,7 +2163,11 @@ static int loop_add(struct loop_device **l, int i)
disk->private_data = lo;
disk->queue = lo->lo_queue;
sprintf(disk->disk_name, "loop%d", i);
- add_disk(disk);
+
+ /* Make this loop device reachable from pathname. */
+ err = add_disk(disk);
+ if (err)
+ goto out_free_queue;
*l = lo;
return lo->lo_number;
diff --git a/include/linux/genhd.h b/include/linux/genhd.h
index 03da3f603d30..3bcce4864337 100644
--- a/include/linux/genhd.h
+++ b/include/linux/genhd.h
@@ -288,11 +288,11 @@ extern void disk_part_iter_exit(struct disk_part_iter *piter);
extern bool disk_has_partitions(struct gendisk *disk);
/* block/genhd.c */
-extern void device_add_disk(struct device *parent, struct gendisk *disk,
- const struct attribute_group **groups);
-static inline void add_disk(struct gendisk *disk)
+int device_add_disk(struct device *parent, struct gendisk *disk,
+ const struct attribute_group **groups);
+static inline int add_disk(struct gendisk *disk)
{
- device_add_disk(NULL, disk, NULL);
+ return device_add_disk(NULL, disk, NULL);
}
extern void device_add_disk_no_queue_reg(struct device *parent, struct gendisk *disk);
static inline void add_disk_no_queue_reg(struct gendisk *disk)
--
2.36.1
Tadeusz Struk
May 25, 2022, 8:54:53 PM5/25/22
to syzbot+7308a6...@syzkaller.appspotmail.com, syzkaller-a...@googlegroups.com, tadeus...@linaro.org
syzbot
May 26, 2022, 2:25:09 AM5/26/22
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in process_one_work
general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
CPU: 1 PID: 385 Comm: kworker/1:2 Not tainted 5.10.117-syzkaller-986967-g0974b8411a58-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: 0x0 (wg-crypt-wg2)
RIP: 0010:process_one_work+0xbc/0xc10 kernel/workqueue.c:2195
Code: df e8 a8 ed 5f 00 4c 89 7d b8 4c 8b 2b 49 8d 5c 24 08 48 89 d9 48 c1 e9 03 48 b8 00 00 00 00 00 fc ff df 48 89 8d 70 ff ff ff <80> 3c 01 00 74 08 48 89 df e8 76 ed 5f 00 41 bf 00 01 00 00 48 89
RSP: 0018:ffffc90000a5fd28 EFLAGS: 00010002
RAX: dffffc0000000000 RBX: 0000000000000008 RCX: 0000000000000001
RDX: ffff888107190000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90000a5fdc0 R08: ffffffff814697ab R09: ffffed102443400e
R10: ffffed102443400e R11: 1ffff1102443400d R12: 0000000000000000
R13: ffff8881f7355700 R14: dffffc0000000000 R15: ffff88811ed30500
FS: 0000000000000000(0000) GS:ffff8881f7300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffd17e3c3b8 CR3: 000000011f3ad000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
worker_thread+0xb27/0x1550 kernel/workqueue.c:2442
kthread+0x349/0x3d0 kernel/kthread.c:313
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296
Modules linked in:
---[ end trace e1ecae1cdc3479a8 ]---
RIP: 0010:process_one_work+0xbc/0xc10 kernel/workqueue.c:2195
Code: df e8 a8 ed 5f 00 4c 89 7d b8 4c 8b 2b 49 8d 5c 24 08 48 89 d9 48 c1 e9 03 48 b8 00 00 00 00 00 fc ff df 48 89 8d 70 ff ff ff <80> 3c 01 00 74 08 48 89 df e8 76 ed 5f 00 41 bf 00 01 00 00 48 89
RSP: 0018:ffffc90000a5fd28 EFLAGS: 00010002
RAX: dffffc0000000000 RBX: 0000000000000008 RCX: 0000000000000001
RDX: ffff888107190000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90000a5fdc0 R08: ffffffff814697ab R09: ffffed102443400e
R10: ffffed102443400e R11: 1ffff1102443400d R12: 0000000000000000
R13: ffff8881f7355700 R14: dffffc0000000000 R15: ffff88811ed30500
FS: 0000000000000000(0000) GS:ffff8881f7300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffd17e3c3b8 CR3: 000000011f3ad000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: df e8 fucomip %st(0),%st
2: a8 ed test $0xed,%al
4: 5f pop %rdi
5: 00 4c 89 7d add %cl,0x7d(%rcx,%rcx,4)
9: b8 4c 8b 2b 49 mov $0x492b8b4c,%eax
e: 8d 5c 24 08 lea 0x8(%rsp),%ebx
12: 48 89 d9 mov %rbx,%rcx
15: 48 c1 e9 03 shr $0x3,%rcx
19: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
20: fc ff df
23: 48 89 8d 70 ff ff ff mov %rcx,-0x90(%rbp)
* 2a: 80 3c 01 00 cmpb $0x0,(%rcx,%rax,1) <-- trapping instruction
2e: 74 08 je 0x38
30: 48 89 df mov %rbx,%rdi
33: e8 76 ed 5f 00 callq 0x5fedae
38: 41 bf 00 01 00 00 mov $0x100,%r15d
3e: 48 rex.W
3f: 89 .byte 0x89
Tested on:
commit: 0974b841 Merge 5.10.117 into android12-5.10-lts
git tree: android12-5.10-lts
console output: https://syzkaller.appspot.com/x/log.txt?x=1443e199f00000
kernel config: https://syzkaller.appspot.com/x/.config?x=b9b19582654944dd
dashboard link: https://syzkaller.appspot.com/bug?extid=badfd07a93cffefd7317
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=13451de5f00000
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in process_one_work
general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
CPU: 1 PID: 385 Comm: kworker/1:2 Not tainted 5.10.117-syzkaller-986967-g0974b8411a58-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: 0x0 (wg-crypt-wg2)
RIP: 0010:process_one_work+0xbc/0xc10 kernel/workqueue.c:2195
Code: df e8 a8 ed 5f 00 4c 89 7d b8 4c 8b 2b 49 8d 5c 24 08 48 89 d9 48 c1 e9 03 48 b8 00 00 00 00 00 fc ff df 48 89 8d 70 ff ff ff <80> 3c 01 00 74 08 48 89 df e8 76 ed 5f 00 41 bf 00 01 00 00 48 89
RSP: 0018:ffffc90000a5fd28 EFLAGS: 00010002
RAX: dffffc0000000000 RBX: 0000000000000008 RCX: 0000000000000001
RDX: ffff888107190000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90000a5fdc0 R08: ffffffff814697ab R09: ffffed102443400e
R10: ffffed102443400e R11: 1ffff1102443400d R12: 0000000000000000
R13: ffff8881f7355700 R14: dffffc0000000000 R15: ffff88811ed30500
FS: 0000000000000000(0000) GS:ffff8881f7300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffd17e3c3b8 CR3: 000000011f3ad000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
worker_thread+0xb27/0x1550 kernel/workqueue.c:2442
kthread+0x349/0x3d0 kernel/kthread.c:313
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296
Modules linked in:
---[ end trace e1ecae1cdc3479a8 ]---
RIP: 0010:process_one_work+0xbc/0xc10 kernel/workqueue.c:2195
Code: df e8 a8 ed 5f 00 4c 89 7d b8 4c 8b 2b 49 8d 5c 24 08 48 89 d9 48 c1 e9 03 48 b8 00 00 00 00 00 fc ff df 48 89 8d 70 ff ff ff <80> 3c 01 00 74 08 48 89 df e8 76 ed 5f 00 41 bf 00 01 00 00 48 89
RSP: 0018:ffffc90000a5fd28 EFLAGS: 00010002
RAX: dffffc0000000000 RBX: 0000000000000008 RCX: 0000000000000001
RDX: ffff888107190000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90000a5fdc0 R08: ffffffff814697ab R09: ffffed102443400e
R10: ffffed102443400e R11: 1ffff1102443400d R12: 0000000000000000
R13: ffff8881f7355700 R14: dffffc0000000000 R15: ffff88811ed30500
FS: 0000000000000000(0000) GS:ffff8881f7300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffd17e3c3b8 CR3: 000000011f3ad000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: df e8 fucomip %st(0),%st
2: a8 ed test $0xed,%al
4: 5f pop %rdi
5: 00 4c 89 7d add %cl,0x7d(%rcx,%rcx,4)
9: b8 4c 8b 2b 49 mov $0x492b8b4c,%eax
e: 8d 5c 24 08 lea 0x8(%rsp),%ebx
12: 48 89 d9 mov %rbx,%rcx
15: 48 c1 e9 03 shr $0x3,%rcx
19: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
20: fc ff df
23: 48 89 8d 70 ff ff ff mov %rcx,-0x90(%rbp)
* 2a: 80 3c 01 00 cmpb $0x0,(%rcx,%rax,1) <-- trapping instruction
2e: 74 08 je 0x38
30: 48 89 df mov %rbx,%rdi
33: e8 76 ed 5f 00 callq 0x5fedae
38: 41 bf 00 01 00 00 mov $0x100,%r15d
3e: 48 rex.W
3f: 89 .byte 0x89
Tested on:
commit: 0974b841 Merge 5.10.117 into android12-5.10-lts
git tree: android12-5.10-lts
console output: https://syzkaller.appspot.com/x/log.txt?x=1443e199f00000
kernel config: https://syzkaller.appspot.com/x/.config?x=b9b19582654944dd
dashboard link: https://syzkaller.appspot.com/bug?extid=badfd07a93cffefd7317
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=13451de5f00000
syzbot
May 26, 2022, 2:37:08 AM5/26/22
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: use-after-free Write in lo_open
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
==================================================================
BUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
BUG: KASAN: use-after-free in atomic_inc include/asm-generic/atomic-instrumented.h:240 [inline]
BUG: KASAN: use-after-free in lo_open+0x93/0xc0 drivers/block/loop.c:1894
Write of size 4 at addr ffff88810ec98004 by task udevd/426
CPU: 0 PID: 426 Comm: udevd Not tainted 5.10.117-syzkaller-986967-g0974b8411a58-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack_lvl+0x1e2/0x24b lib/dump_stack.c:118
print_address_description+0x81/0x3c0 mm/kasan/report.c:233
__kasan_report mm/kasan/report.c:419 [inline]
kasan_report+0x1a4/0x1f0 mm/kasan/report.c:436
check_region_inline mm/kasan/generic.c:135 [inline]
kasan_check_range+0x2aa/0x2e0 mm/kasan/generic.c:186
__kasan_check_write+0x14/0x20 mm/kasan/shadow.c:37
instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
atomic_inc include/asm-generic/atomic-instrumented.h:240 [inline]
lo_open+0x93/0xc0 drivers/block/loop.c:1894
__blkdev_get+0x599/0x1360 fs/block_dev.c:1511
blkdev_get fs/block_dev.c:1651 [inline]
blkdev_open+0x21a/0x450 fs/block_dev.c:1768
do_dentry_open+0x7a2/0x1090 fs/open.c:819
vfs_open+0x73/0x80 fs/open.c:942
do_open fs/namei.c:3327 [inline]
path_openat+0x2638/0x2fd0 fs/namei.c:3444
do_filp_open+0x200/0x440 fs/namei.c:3471
do_sys_openat2+0x13b/0x470 fs/open.c:1211
do_sys_open fs/open.c:1227 [inline]
__do_sys_openat fs/open.c:1243 [inline]
__se_sys_openat fs/open.c:1238 [inline]
__x64_sys_openat+0x243/0x290 fs/open.c:1238
do_syscall_64+0x34/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7f966d0e3697
Code: 25 00 00 41 00 3d 00 00 41 00 74 37 64 8b 04 25 18 00 00 00 85 c0 75 5b 44 89 e2 48 89 ee bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 85 00 00 00 48 83 c4 68 5d 41 5c c3 0f 1f
RSP: 002b:00007ffe5994ef10 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00005589d5104590 RCX: 00007f966d0e3697
RDX: 00000000000a0800 RSI: 00005589d50fd4a0 RDI: 00000000ffffff9c
RBP: 00005589d50fd4a0 R08: 00000000ffffffff R09: 00007ffe599e90b8
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000000a0800
R13: 00005589d5112970 R14: 0000000000000001 R15: 00005589d50d42c0
Allocated by task 460:
kasan_save_stack mm/kasan/common.c:38 [inline]
kasan_set_track mm/kasan/common.c:46 [inline]
set_alloc_info mm/kasan/common.c:428 [inline]
____kasan_kmalloc+0xdc/0x110 mm/kasan/common.c:507
__kasan_kmalloc+0x9/0x10 mm/kasan/common.c:516
kasan_kmalloc include/linux/kasan.h:269 [inline]
kmem_cache_alloc_trace+0x1dd/0x330 mm/slub.c:2983
kmalloc include/linux/slab.h:552 [inline]
kzalloc include/linux/slab.h:664 [inline]
loop_add+0x5a/0x770 drivers/block/loop.c:2083
loop_control_ioctl+0x564/0x740 drivers/block/loop.c:2294
vfs_ioctl fs/ioctl.c:48 [inline]
__do_sys_ioctl fs/ioctl.c:753 [inline]
__se_sys_ioctl+0x115/0x190 fs/ioctl.c:739
__x64_sys_ioctl+0x7b/0x90 fs/ioctl.c:739
do_syscall_64+0x34/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
Freed by task 460:
kasan_save_stack mm/kasan/common.c:38 [inline]
kasan_set_track+0x4c/0x80 mm/kasan/common.c:46
kasan_set_free_info+0x23/0x40 mm/kasan/generic.c:357
____kasan_slab_free+0x121/0x160 mm/kasan/common.c:360
__kasan_slab_free+0x11/0x20 mm/kasan/common.c:368
kasan_slab_free include/linux/kasan.h:235 [inline]
slab_free_hook mm/slub.c:1604 [inline]
slab_free_freelist_hook+0xcc/0x1a0 mm/slub.c:1630
slab_free mm/slub.c:3212 [inline]
kfree+0xc3/0x290 mm/slub.c:4200
loop_add+0x591/0x770 drivers/block/loop.c:2182
loop_control_ioctl+0x564/0x740 drivers/block/loop.c:2294
vfs_ioctl fs/ioctl.c:48 [inline]
__do_sys_ioctl fs/ioctl.c:753 [inline]
__se_sys_ioctl+0x115/0x190 fs/ioctl.c:739
__x64_sys_ioctl+0x7b/0x90 fs/ioctl.c:739
do_syscall_64+0x34/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
The buggy address belongs to the object at ffff88810ec98000
which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 4 bytes inside of
1024-byte region [ffff88810ec98000, ffff88810ec98400)
The buggy address belongs to the page:
page:ffffea00043b2600 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10ec98
head:ffffea00043b2600 order:3 compound_mapcount:0 compound_pincount:0
flags: 0x8000000000010200(slab|head)
raw: 8000000000010200 dead000000000100 dead000000000122 ffff888100042f00
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d2000(__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 456, ts 42959091328, free_ts 42665339927
set_page_owner include/linux/page_owner.h:35 [inline]
post_alloc_hook mm/page_alloc.c:2385 [inline]
prep_new_page mm/page_alloc.c:2391 [inline]
get_page_from_freelist+0x745/0x760 mm/page_alloc.c:4067
__alloc_pages_nodemask+0x3b6/0x890 mm/page_alloc.c:5117
alloc_slab_page mm/slub.c:1815 [inline]
allocate_slab+0x78/0x540 mm/slub.c:1817
new_slab mm/slub.c:1878 [inline]
new_slab_objects mm/slub.c:2637 [inline]
___slab_alloc+0x131/0x2e0 mm/slub.c:2800
__slab_alloc+0x63/0xa0 mm/slub.c:2840
slab_alloc_node mm/slub.c:2922 [inline]
slab_alloc mm/slub.c:2964 [inline]
__kmalloc+0x24f/0x360 mm/slub.c:4038
__kmalloc_node include/linux/slab.h:418 [inline]
kmalloc_array_node include/linux/slab.h:627 [inline]
kcalloc_node include/linux/slab.h:632 [inline]
blk_mq_alloc_rq_map+0xa2/0x190 block/blk-mq.c:2428
__blk_mq_alloc_map_and_request block/blk-mq.c:2882 [inline]
__blk_mq_alloc_rq_maps block/blk-mq.c:3396 [inline]
blk_mq_alloc_map_and_requests+0x12e/0x7d0 block/blk-mq.c:3422
blk_mq_alloc_tag_set+0x662/0xd40 block/blk-mq.c:3575
loop_add+0x241/0x770 drivers/block/loop.c:2111
loop_control_ioctl+0x564/0x740 drivers/block/loop.c:2294
vfs_ioctl fs/ioctl.c:48 [inline]
__do_sys_ioctl fs/ioctl.c:753 [inline]
__se_sys_ioctl+0x115/0x190 fs/ioctl.c:739
__x64_sys_ioctl+0x7b/0x90 fs/ioctl.c:739
do_syscall_64+0x34/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
page last free stack trace:
reset_page_owner include/linux/page_owner.h:28 [inline]
free_pages_prepare mm/page_alloc.c:1331 [inline]
__free_pages_ok+0x7f8/0x830 mm/page_alloc.c:1611
free_the_page mm/page_alloc.c:5178 [inline]
__free_pages+0x2d2/0x4c0 mm/page_alloc.c:5184
__free_slab+0xd3/0x190 mm/slub.c:1903
free_slab mm/slub.c:1918 [inline]
discard_slab mm/slub.c:1924 [inline]
unfreeze_partials+0x17d/0x1b0 mm/slub.c:2418
put_cpu_partial+0xc8/0x190 mm/slub.c:2454
__slab_free+0x2d8/0x3a0 mm/slub.c:3104
do_slab_free mm/slub.c:3200 [inline]
___cache_free+0x11f/0x140 mm/slub.c:3219
qlink_free+0x38/0x40 mm/kasan/quarantine.c:146
qlist_free_all+0x4c/0xc0 mm/kasan/quarantine.c:165
kasan_quarantine_reduce+0x15a/0x170 mm/kasan/quarantine.c:272
__kasan_slab_alloc+0x2f/0xe0 mm/kasan/common.c:438
kasan_slab_alloc include/linux/kasan.h:259 [inline]
slab_post_alloc_hook mm/slab.h:583 [inline]
slab_alloc_node mm/slub.c:2956 [inline]
slab_alloc mm/slub.c:2964 [inline]
kmem_cache_alloc+0x16c/0x300 mm/slub.c:2969
getname_flags+0xba/0x510 fs/namei.c:141
user_path_at_empty+0x2d/0x50 fs/namei.c:2726
user_path_at include/linux/namei.h:59 [inline]
ksys_umount fs/namespace.c:1761 [inline]
__do_sys_umount fs/namespace.c:1769 [inline]
__se_sys_umount fs/namespace.c:1767 [inline]
__x64_sys_umount+0xf0/0x170 fs/namespace.c:1767
do_syscall_64+0x34/0x70 arch/x86/entry/common.c:46
Memory state around the buggy address:
ffff88810ec97f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88810ec97f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88810ec98000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88810ec98080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88810ec98100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
------------[ cut here ]------------
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 0 PID: 426 at lib/refcount.c:25 refcount_warn_saturate+0x147/0x1b0 lib/refcount.c:25
Modules linked in:
CPU: 0 PID: 426 Comm: udevd Tainted: G B 5.10.117-syzkaller-986967-g0974b8411a58-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:refcount_warn_saturate+0x147/0x1b0 lib/refcount.c:25
Code: c7 e0 be 43 85 31 c0 e8 57 22 f2 fe 0f 0b eb a1 e8 ee e7 1f ff c6 05 7a 6c 0f 04 01 48 c7 c7 60 bf 43 85 31 c0 e8 39 22 f2 fe <0f> 0b eb 83 e8 d0 e7 1f ff c6 05 5d 6c 0f 04 01 48 c7 c7 c0 bf 43
RSP: 0018:ffffc90000d37670 EFLAGS: 00010246
RAX: 17664f3077409100 RBX: 0000000000000002 RCX: ffff8881065b4f00
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: ffffc90000d37680 R08: ffffffff8153a998 R09: ffffed103ee4a5d8
R10: ffffed103ee4a5d8 R11: 1ffff1103ee4a5d7 R12: dffffc0000000000
R13: ffff88810ed96000 R14: 0000000000000002 R15: ffff88810ed96000
FS: 00007f966cf8c840(0000) GS:ffff8881f7200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f56c0f5b090 CR3: 000000010d77d000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
__refcount_add include/linux/refcount.h:200 [inline]
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
__refcount_inc include/linux/refcount.h:250 [inline]
refcount_inc include/linux/refcount.h:267 [inline]
kref_get include/linux/kref.h:45 [inline]
bdi_get+0x83/0x90 include/linux/backing-dev.h:24
__blkdev_get+0x120c/0x1360 fs/block_dev.c:1554
blkdev_get fs/block_dev.c:1651 [inline]
blkdev_open+0x21a/0x450 fs/block_dev.c:1768
do_dentry_open+0x7a2/0x1090 fs/open.c:819
vfs_open+0x73/0x80 fs/open.c:942
do_open fs/namei.c:3327 [inline]
path_openat+0x2638/0x2fd0 fs/namei.c:3444
do_filp_open+0x200/0x440 fs/namei.c:3471
do_sys_openat2+0x13b/0x470 fs/open.c:1211
do_sys_open fs/open.c:1227 [inline]
__do_sys_openat fs/open.c:1243 [inline]
__se_sys_openat fs/open.c:1238 [inline]
__x64_sys_openat+0x243/0x290 fs/open.c:1238
do_syscall_64+0x34/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7f966d0e3697
Code: 25 00 00 41 00 3d 00 00 41 00 74 37 64 8b 04 25 18 00 00 00 85 c0 75 5b 44 89 e2 48 89 ee bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 85 00 00 00 48 83 c4 68 5d 41 5c c3 0f 1f
RSP: 002b:00007ffe5994ef10 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00005589d5104590 RCX: 00007f966d0e3697
RDX: 00000000000a0800 RSI: 00005589d50fd4a0 RDI: 00000000ffffff9c
RBP: 00005589d50fd4a0 R08: 00000000ffffffff R09: 00007ffe599e90b8
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000000a0800
R13: 00005589d5112970 R14: 0000000000000001 R15: 00005589d50d42c0
---[ end trace c7267627e521d031 ]---
------------[ cut here ]------------
refcount_t: saturated; leaking memory.
WARNING: CPU: 1 PID: 426 at lib/refcount.c:22 refcount_warn_saturate+0x129/0x1b0 lib/refcount.c:22
Modules linked in:
CPU: 1 PID: 426 Comm: udevd Tainted: G B W 5.10.117-syzkaller-986967-g0974b8411a58-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:refcount_warn_saturate+0x129/0x1b0 lib/refcount.c:22
Code: c7 80 c0 43 85 31 c0 e8 75 22 f2 fe 0f 0b eb bf e8 0c e8 1f ff c6 05 97 6c 0f 04 01 48 c7 c7 e0 be 43 85 31 c0 e8 57 22 f2 fe <0f> 0b eb a1 e8 ee e7 1f ff c6 05 7a 6c 0f 04 01 48 c7 c7 60 bf 43
RSP: 0018:ffffc90000d37670 EFLAGS: 00010246
RAX: 17664f3077409100 RBX: 0000000000000001 RCX: ffff8881065b4f00
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: ffffc90000d37680 R08: ffffffff8153a998 R09: ffffed103ee6a5d8
R10: ffffed103ee6a5d8 R11: 1ffff1103ee6a5d7 R12: 00000000c0000001
R13: ffff88810eea1000 R14: 0000000000000001 R15: ffff88810eea1000
FS: 00007f966cf8c840(0000) GS:ffff8881f7300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005589d51578c0 CR3: 000000010d77d000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
__refcount_add include/linux/refcount.h:200 [inline]
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
__refcount_inc include/linux/refcount.h:250 [inline]
refcount_inc include/linux/refcount.h:267 [inline]
kref_get include/linux/kref.h:45 [inline]
bdi_get+0x83/0x90 include/linux/backing-dev.h:24
__blkdev_get+0x120c/0x1360 fs/block_dev.c:1554
blkdev_get fs/block_dev.c:1651 [inline]
blkdev_open+0x21a/0x450 fs/block_dev.c:1768
do_dentry_open+0x7a2/0x1090 fs/open.c:819
vfs_open+0x73/0x80 fs/open.c:942
do_open fs/namei.c:3327 [inline]
path_openat+0x2638/0x2fd0 fs/namei.c:3444
do_filp_open+0x200/0x440 fs/namei.c:3471
do_sys_openat2+0x13b/0x470 fs/open.c:1211
do_sys_open fs/open.c:1227 [inline]
__do_sys_openat fs/open.c:1243 [inline]
__se_sys_openat fs/open.c:1238 [inline]
__x64_sys_openat+0x243/0x290 fs/open.c:1238
do_syscall_64+0x34/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7f966d0e3697
Code: 25 00 00 41 00 3d 00 00 41 00 74 37 64 8b 04 25 18 00 00 00 85 c0 75 5b 44 89 e2 48 89 ee bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 85 00 00 00 48 83 c4 68 5d 41 5c c3 0f 1f
RSP: 002b:00007ffe5994ef10 EFLAGS: 00000246
ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00005589d5104590 RCX: 00007f966d0e3697
RDX: 00000000000a0800 RSI: 00005589d50d7f20 RDI: 00000000ffffff9c
RBP: 00005589d50d7f20 R08: 00000000ffffffff R09: 00007ffe599e90b8
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000000a0800
R13: 00005589d5112970 R14: 0000000000000001 R15: 00005589d50d42c0
---[ end trace c7267627e521d033 ]---
udevd[426]: inotify_add_watch(7, /dev/loop0, 10) failed: No such file or directory
udevd[426]: inotify_add_watch(7, /dev/loop0, 10) failed: No such file or directory
Tested on:
commit: 0974b841 Merge 5.10.117 into android12-5.10-lts
git tree: android12-5.10-lts
kernel config: https://syzkaller.appspot.com/x/.config?x=89bdb361ba397fca
dashboard link: https://syzkaller.appspot.com/bug?extid=7308a6f9b7c24d5cf1d5
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=1198daf3f00000
Tadeusz Struk
May 26, 2022, 10:32:17 AM5/26/22
to syzbot+7308a6...@syzkaller.appspotmail.com, syzkaller-a...@googlegroups.com, tadeus...@linaro.org
syzbot
May 26, 2022, 10:41:13 AM5/26/22
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: use-after-free Write in lo_open
==================================================================
BUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
BUG: KASAN: use-after-free in atomic_inc include/asm-generic/atomic-instrumented.h:240 [inline]
BUG: KASAN: use-after-free in lo_open+0x93/0xc0 drivers/block/loop.c:1894
Write of size 4 at addr ffff88810e1c6804 by task udevd/409
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: use-after-free Write in lo_open
==================================================================
BUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
BUG: KASAN: use-after-free in atomic_inc include/asm-generic/atomic-instrumented.h:240 [inline]
BUG: KASAN: use-after-free in lo_open+0x93/0xc0 drivers/block/loop.c:1894
CPU: 0 PID: 409 Comm: udevd Not tainted 5.10.117-syzkaller-986967-g0974b8411a58-dirty #0
Code: 25 00 00 41 00 3d 00 00 41 00 74 37 64 8b 04 25 18 00 00 00 85 c0 75 5b 44 89 e2 48 89 ee bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 85 00 00 00 48 83 c4 68 5d 41 5c c3 0f 1f
RSP: 002b:00007ffcc496b680 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 000055a708caf850 RCX: 00007f6735ee5697
RDX: 00000000000a0800 RSI: 000055a708c834d0 RDI: 00000000ffffff9c
RBP: 000055a708c834d0 R08: 00000000ffffffff R09: 00007ffcc49aa0b8
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000000a0800
R13: 000055a708c85b00 R14: 0000000000000001 R15: 000055a708c772c0
Allocated by task 419:
kasan_save_stack mm/kasan/common.c:38 [inline]
kasan_set_track mm/kasan/common.c:46 [inline]
set_alloc_info mm/kasan/common.c:428 [inline]
____kasan_kmalloc+0xdc/0x110 mm/kasan/common.c:507
__kasan_kmalloc+0x9/0x10 mm/kasan/common.c:516
kasan_kmalloc include/linux/kasan.h:269 [inline]
kmem_cache_alloc_trace+0x1dd/0x330 mm/slub.c:2983
kmalloc include/linux/slab.h:552 [inline]
kzalloc include/linux/slab.h:664 [inline]
loop_add+0x5a/0x770 drivers/block/loop.c:2083
loop_control_ioctl+0x564/0x740 drivers/block/loop.c:2294
vfs_ioctl fs/ioctl.c:48 [inline]
__do_sys_ioctl fs/ioctl.c:753 [inline]
__se_sys_ioctl+0x115/0x190 fs/ioctl.c:739
__x64_sys_ioctl+0x7b/0x90 fs/ioctl.c:739
do_syscall_64+0x34/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
Freed by task 419:
kasan_set_track mm/kasan/common.c:46 [inline]
set_alloc_info mm/kasan/common.c:428 [inline]
____kasan_kmalloc+0xdc/0x110 mm/kasan/common.c:507
__kasan_kmalloc+0x9/0x10 mm/kasan/common.c:516
kasan_kmalloc include/linux/kasan.h:269 [inline]
kmem_cache_alloc_trace+0x1dd/0x330 mm/slub.c:2983
kmalloc include/linux/slab.h:552 [inline]
kzalloc include/linux/slab.h:664 [inline]
loop_add+0x5a/0x770 drivers/block/loop.c:2083
loop_control_ioctl+0x564/0x740 drivers/block/loop.c:2294
vfs_ioctl fs/ioctl.c:48 [inline]
__do_sys_ioctl fs/ioctl.c:753 [inline]
__se_sys_ioctl+0x115/0x190 fs/ioctl.c:739
__x64_sys_ioctl+0x7b/0x90 fs/ioctl.c:739
do_syscall_64+0x34/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
kasan_save_stack mm/kasan/common.c:38 [inline]
kasan_set_track+0x4c/0x80 mm/kasan/common.c:46
kasan_set_free_info+0x23/0x40 mm/kasan/generic.c:357
____kasan_slab_free+0x121/0x160 mm/kasan/common.c:360
__kasan_slab_free+0x11/0x20 mm/kasan/common.c:368
kasan_slab_free include/linux/kasan.h:235 [inline]
slab_free_hook mm/slub.c:1604 [inline]
slab_free_freelist_hook+0xcc/0x1a0 mm/slub.c:1630
slab_free mm/slub.c:3212 [inline]
kfree+0xc3/0x290 mm/slub.c:4200
loop_add+0x591/0x770 drivers/block/loop.c:2182
loop_control_ioctl+0x564/0x740 drivers/block/loop.c:2294
vfs_ioctl fs/ioctl.c:48 [inline]
__do_sys_ioctl fs/ioctl.c:753 [inline]
__se_sys_ioctl+0x115/0x190 fs/ioctl.c:739
__x64_sys_ioctl+0x7b/0x90 fs/ioctl.c:739
do_syscall_64+0x34/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
The buggy address belongs to the object at ffff88810e1c6800
kasan_set_track+0x4c/0x80 mm/kasan/common.c:46
kasan_set_free_info+0x23/0x40 mm/kasan/generic.c:357
____kasan_slab_free+0x121/0x160 mm/kasan/common.c:360
__kasan_slab_free+0x11/0x20 mm/kasan/common.c:368
kasan_slab_free include/linux/kasan.h:235 [inline]
slab_free_hook mm/slub.c:1604 [inline]
slab_free_freelist_hook+0xcc/0x1a0 mm/slub.c:1630
slab_free mm/slub.c:3212 [inline]
kfree+0xc3/0x290 mm/slub.c:4200
loop_add+0x591/0x770 drivers/block/loop.c:2182
loop_control_ioctl+0x564/0x740 drivers/block/loop.c:2294
vfs_ioctl fs/ioctl.c:48 [inline]
__do_sys_ioctl fs/ioctl.c:753 [inline]
__se_sys_ioctl+0x115/0x190 fs/ioctl.c:739
__x64_sys_ioctl+0x7b/0x90 fs/ioctl.c:739
do_syscall_64+0x34/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 4 bytes inside of
1024-byte region [ffff88810e1c6800, ffff88810e1c6c00)
The buggy address is located 4 bytes inside of
The buggy address belongs to the page:
page:ffffea0004387000 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10e1c0
head:ffffea0004387000 order:3 compound_mapcount:0 compound_pincount:0
flags: 0x8000000000010200(slab|head)
raw: 8000000000010200 dead000000000100 dead000000000122 ffff888100042f00
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d2000(__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 417, ts 38198213792, free_ts 38194810139
raw: 8000000000010200 dead000000000100 dead000000000122 ffff888100042f00
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
set_page_owner include/linux/page_owner.h:35 [inline]
post_alloc_hook mm/page_alloc.c:2385 [inline]
prep_new_page mm/page_alloc.c:2391 [inline]
get_page_from_freelist+0x745/0x760 mm/page_alloc.c:4067
__alloc_pages_nodemask+0x3b6/0x890 mm/page_alloc.c:5117
alloc_slab_page mm/slub.c:1815 [inline]
allocate_slab+0x78/0x540 mm/slub.c:1817
new_slab mm/slub.c:1878 [inline]
new_slab_objects mm/slub.c:2637 [inline]
___slab_alloc+0x131/0x2e0 mm/slub.c:2800
__slab_alloc+0x63/0xa0 mm/slub.c:2840
slab_alloc_node mm/slub.c:2922 [inline]
slab_alloc mm/slub.c:2964 [inline]
__kmalloc+0x24f/0x360 mm/slub.c:4038
__kmalloc_node include/linux/slab.h:418 [inline]
kmalloc_node include/linux/slab.h:575 [inline]
post_alloc_hook mm/page_alloc.c:2385 [inline]
prep_new_page mm/page_alloc.c:2391 [inline]
get_page_from_freelist+0x745/0x760 mm/page_alloc.c:4067
__alloc_pages_nodemask+0x3b6/0x890 mm/page_alloc.c:5117
alloc_slab_page mm/slub.c:1815 [inline]
allocate_slab+0x78/0x540 mm/slub.c:1817
new_slab mm/slub.c:1878 [inline]
new_slab_objects mm/slub.c:2637 [inline]
___slab_alloc+0x131/0x2e0 mm/slub.c:2800
__slab_alloc+0x63/0xa0 mm/slub.c:2840
slab_alloc_node mm/slub.c:2922 [inline]
slab_alloc mm/slub.c:2964 [inline]
__kmalloc+0x24f/0x360 mm/slub.c:4038
__kmalloc_node include/linux/slab.h:418 [inline]
kzalloc_node include/linux/slab.h:675 [inline]
blk_mq_alloc_hctx block/blk-mq.c:2786 [inline]
blk_mq_alloc_and_init_hctx block/blk-mq.c:3217 [inline]
blk_mq_realloc_hw_ctxs+0x4bb/0x1840 block/blk-mq.c:3269
blk_mq_init_allocated_queue+0x41a/0x1a30 block/blk-mq.c:3331
blk_mq_init_queue_data block/blk-mq.c:3150 [inline]
blk_mq_init_queue+0x6c/0xc0 block/blk-mq.c:3160
loop_add+0x26c/0x770 drivers/block/loop.c:2115
ffff88810e1c6780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88810e1c6800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88810e1c6880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88810e1c6900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
------------[ cut here ]------------
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 0 PID: 409 at lib/refcount.c:25 refcount_warn_saturate+0x147/0x1b0 lib/refcount.c:25
------------[ cut here ]------------
refcount_t: addition on 0; use-after-free.
Modules linked in:
CPU: 0 PID: 409 Comm: udevd Tainted: G B 5.10.117-syzkaller-986967-g0974b8411a58-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:refcount_warn_saturate+0x147/0x1b0 lib/refcount.c:25
Code: c7 a0 bc 43 85 31 c0 e8 57 22 f2 fe 0f 0b eb a1 e8 ee e7 1f ff c6 05 7a 6c 0f 04 01 48 c7 c7 20 bd 43 85 31 c0 e8 39 22 f2 fe <0f> 0b eb 83 e8 d0 e7 1f ff c6 05 5d 6c 0f 04 01 48 c7 c7 80 bd 43
RIP: 0010:refcount_warn_saturate+0x147/0x1b0 lib/refcount.c:25
RSP: 0018:ffffc90000cc7670 EFLAGS: 00010246
RAX: eb619ca7038f9500 RBX: 0000000000000002 RCX: ffff88810b8c2780
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: ffffc90000cc7680 R08: ffffffff8153a998 R09: fffff52000198df5
R10: fffff52000198df5 R11: 1ffff92000198df4 R12: dffffc0000000000
R13: ffff88810e196000 R14: 0000000000000002 R15: ffff88810e196000
FS: 00007f6735d8e840(0000) GS:ffff8881f7200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f340fa3aff8 CR3: 000000010d780000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
__refcount_add include/linux/refcount.h:200 [inline]
__refcount_inc include/linux/refcount.h:250 [inline]
refcount_inc include/linux/refcount.h:267 [inline]
kref_get include/linux/kref.h:45 [inline]
bdi_get+0x83/0x90 include/linux/backing-dev.h:24
__blkdev_get+0x120c/0x1360 fs/block_dev.c:1554
blkdev_get fs/block_dev.c:1651 [inline]
blkdev_open+0x21a/0x450 fs/block_dev.c:1768
do_dentry_open+0x7a2/0x1090 fs/open.c:819
vfs_open+0x73/0x80 fs/open.c:942
do_open fs/namei.c:3327 [inline]
path_openat+0x2638/0x2fd0 fs/namei.c:3444
do_filp_open+0x200/0x440 fs/namei.c:3471
do_sys_openat2+0x13b/0x470 fs/open.c:1211
do_sys_open fs/open.c:1227 [inline]
__do_sys_openat fs/open.c:1243 [inline]
__se_sys_openat fs/open.c:1238 [inline]
__x64_sys_openat+0x243/0x290 fs/open.c:1238
do_syscall_64+0x34/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7f6735ee5697
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
__refcount_add include/linux/refcount.h:200 [inline]
__refcount_inc include/linux/refcount.h:250 [inline]
refcount_inc include/linux/refcount.h:267 [inline]
kref_get include/linux/kref.h:45 [inline]
bdi_get+0x83/0x90 include/linux/backing-dev.h:24
__blkdev_get+0x120c/0x1360 fs/block_dev.c:1554
blkdev_get fs/block_dev.c:1651 [inline]
blkdev_open+0x21a/0x450 fs/block_dev.c:1768
do_dentry_open+0x7a2/0x1090 fs/open.c:819
vfs_open+0x73/0x80 fs/open.c:942
do_open fs/namei.c:3327 [inline]
path_openat+0x2638/0x2fd0 fs/namei.c:3444
do_filp_open+0x200/0x440 fs/namei.c:3471
do_sys_openat2+0x13b/0x470 fs/open.c:1211
do_sys_open fs/open.c:1227 [inline]
__do_sys_openat fs/open.c:1243 [inline]
__se_sys_openat fs/open.c:1238 [inline]
__x64_sys_openat+0x243/0x290 fs/open.c:1238
do_syscall_64+0x34/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
Code: 25 00 00 41 00 3d 00 00 41 00 74 37 64 8b 04 25 18 00 00 00 85 c0 75 5b 44 89 e2 48 89 ee bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 85 00 00 00 48 83 c4 68 5d 41 5c c3 0f 1f
RSP: 002b:00007ffcc496b680 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 000055a708caf850 RCX: 00007f6735ee5697
RDX: 00000000000a0800 RSI: 000055a708c834d0 RDI: 00000000ffffff9c
RBP: 000055a708c834d0 R08: 00000000ffffffff R09: 00007ffcc49aa0b8
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000000a0800
R13: 000055a708c85b00 R14: 0000000000000001 R15: 000055a708c772c0
---[ end trace 2c2d8a6f4678f13e ]---
udevd[409]: inotify_add_watch(7, /dev/loop0, 10) failed: No such file or directory
Tested on:
commit: 0974b841 Merge 5.10.117 into android12-5.10-lts
git tree: android12-5.10-lts
kernel config: https://syzkaller.appspot.com/x/.config?x=89bdb361ba397fca
dashboard link: https://syzkaller.appspot.com/bug?extid=7308a6f9b7c24d5cf1d5
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=13d9a1d3f00000
dashboard link: https://syzkaller.appspot.com/bug?extid=7308a6f9b7c24d5cf1d5
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
Tadeusz Struk
May 26, 2022, 11:25:06 AM5/26/22
to syzbot+7308a6...@syzkaller.appspotmail.com, syzkaller-a...@googlegroups.com, tadeus...@linaro.org, Luis Chamberlain
From: Luis Chamberlain <mcg...@kernel.org>
---
block/genhd.c | 165 +++++++++++++++++++++---------------------
drivers/block/loop.c | 7 +-
include/linux/genhd.h | 8 +-
3 files changed, 93 insertions(+), 87 deletions(-)
index e4517d483bdc..2b648bcc3b72 100644
out_free_dev:
kfree(lo);
out:
+ *l = NULL;
return err;
---
block/genhd.c | 165 +++++++++++++++++++++---------------------
drivers/block/loop.c | 7 +-
include/linux/genhd.h | 8 +-
3 files changed, 93 insertions(+), 87 deletions(-)
--- a/drivers/block/loop.c
+++ b/drivers/block/loop.c
@@ -2163,7 +2163,11 @@ static int loop_add(struct loop_device **l, int i)
disk->private_data = lo;
disk->queue = lo->lo_queue;
sprintf(disk->disk_name, "loop%d", i);
- add_disk(disk);
+
+ /* Make this loop device reachable from pathname. */
+ err = add_disk(disk);
+ if (err)
+ goto out_free_queue;
*l = lo;
return lo->lo_number;
@@ -2176,6 +2180,7 @@ static int loop_add(struct loop_device **l, int i)
+++ b/drivers/block/loop.c
@@ -2163,7 +2163,11 @@ static int loop_add(struct loop_device **l, int i)
disk->private_data = lo;
disk->queue = lo->lo_queue;
sprintf(disk->disk_name, "loop%d", i);
- add_disk(disk);
+
+ /* Make this loop device reachable from pathname. */
+ err = add_disk(disk);
+ if (err)
+ goto out_free_queue;
*l = lo;
return lo->lo_number;
out_free_dev:
kfree(lo);
out:
+ *l = NULL;
return err;
syzbot
May 26, 2022, 11:34:12 AM5/26/22
to mcg...@kernel.org, syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: use-after-free Write in lo_open
==================================================================
BUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
BUG: KASAN: use-after-free in atomic_inc include/asm-generic/atomic-instrumented.h:240 [inline]
BUG: KASAN: use-after-free in lo_open+0x93/0xc0 drivers/block/loop.c:1894
Write of size 4 at addr ffff88810e41c004 by task udevd/411
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: use-after-free Write in lo_open
==================================================================
BUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
BUG: KASAN: use-after-free in atomic_inc include/asm-generic/atomic-instrumented.h:240 [inline]
BUG: KASAN: use-after-free in lo_open+0x93/0xc0 drivers/block/loop.c:1894
CPU: 0 PID: 411 Comm: udevd Not tainted 5.10.117-syzkaller-986967-g0974b8411a58-dirty #0
Code: 25 00 00 41 00 3d 00 00 41 00 74 37 64 8b 04 25 18 00 00 00 85 c0 75 5b 44 89 e2 48 89 ee bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 85 00 00 00 48 83 c4 68 5d 41 5c c3 0f 1f
RSP: 002b:00007ffc3f192300 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00005602287fee30 RCX: 00007f07efacb697
RDX: 00000000000a0800 RSI: 00005602287d5670 RDI: 00000000ffffff9c
RBP: 00005602287d5670 R08: 00000000ffffffff R09: 00007ffc3f19b0b8
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000000a0800
R13: 00005602287d7b00 R14: 0000000000000001 R15: 00005602287c92c0
Allocated by task 421:
kasan_save_stack mm/kasan/common.c:38 [inline]
kasan_set_track mm/kasan/common.c:46 [inline]
set_alloc_info mm/kasan/common.c:428 [inline]
____kasan_kmalloc+0xdc/0x110 mm/kasan/common.c:507
__kasan_kmalloc+0x9/0x10 mm/kasan/common.c:516
kasan_kmalloc include/linux/kasan.h:269 [inline]
kmem_cache_alloc_trace+0x1dd/0x330 mm/slub.c:2983
kmalloc include/linux/slab.h:552 [inline]
kzalloc include/linux/slab.h:664 [inline]
loop_add+0x5a/0x7b0 drivers/block/loop.c:2083
kasan_set_track mm/kasan/common.c:46 [inline]
set_alloc_info mm/kasan/common.c:428 [inline]
____kasan_kmalloc+0xdc/0x110 mm/kasan/common.c:507
__kasan_kmalloc+0x9/0x10 mm/kasan/common.c:516
kasan_kmalloc include/linux/kasan.h:269 [inline]
kmem_cache_alloc_trace+0x1dd/0x330 mm/slub.c:2983
kmalloc include/linux/slab.h:552 [inline]
kzalloc include/linux/slab.h:664 [inline]
loop_control_ioctl+0x564/0x740 drivers/block/loop.c:2295
vfs_ioctl fs/ioctl.c:48 [inline]
__do_sys_ioctl fs/ioctl.c:753 [inline]
__se_sys_ioctl+0x115/0x190 fs/ioctl.c:739
__x64_sys_ioctl+0x7b/0x90 fs/ioctl.c:739
do_syscall_64+0x34/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
Freed by task 421:
__do_sys_ioctl fs/ioctl.c:753 [inline]
__se_sys_ioctl+0x115/0x190 fs/ioctl.c:739
__x64_sys_ioctl+0x7b/0x90 fs/ioctl.c:739
do_syscall_64+0x34/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
kasan_save_stack mm/kasan/common.c:38 [inline]
kasan_set_track+0x4c/0x80 mm/kasan/common.c:46
kasan_set_free_info+0x23/0x40 mm/kasan/generic.c:357
____kasan_slab_free+0x121/0x160 mm/kasan/common.c:360
__kasan_slab_free+0x11/0x20 mm/kasan/common.c:368
kasan_slab_free include/linux/kasan.h:235 [inline]
slab_free_hook mm/slub.c:1604 [inline]
slab_free_freelist_hook+0xcc/0x1a0 mm/slub.c:1630
slab_free mm/slub.c:3212 [inline]
kfree+0xc3/0x290 mm/slub.c:4200
loop_add+0x5af/0x7b0 drivers/block/loop.c:2182
kasan_set_track+0x4c/0x80 mm/kasan/common.c:46
kasan_set_free_info+0x23/0x40 mm/kasan/generic.c:357
____kasan_slab_free+0x121/0x160 mm/kasan/common.c:360
__kasan_slab_free+0x11/0x20 mm/kasan/common.c:368
kasan_slab_free include/linux/kasan.h:235 [inline]
slab_free_hook mm/slub.c:1604 [inline]
slab_free_freelist_hook+0xcc/0x1a0 mm/slub.c:1630
slab_free mm/slub.c:3212 [inline]
kfree+0xc3/0x290 mm/slub.c:4200
loop_control_ioctl+0x564/0x740 drivers/block/loop.c:2295
vfs_ioctl fs/ioctl.c:48 [inline]
__do_sys_ioctl fs/ioctl.c:753 [inline]
__se_sys_ioctl+0x115/0x190 fs/ioctl.c:739
__x64_sys_ioctl+0x7b/0x90 fs/ioctl.c:739
do_syscall_64+0x34/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
The buggy address belongs to the object at ffff88810e41c000
__do_sys_ioctl fs/ioctl.c:753 [inline]
__se_sys_ioctl+0x115/0x190 fs/ioctl.c:739
__x64_sys_ioctl+0x7b/0x90 fs/ioctl.c:739
do_syscall_64+0x34/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 4 bytes inside of
1024-byte region [ffff88810e41c000, ffff88810e41c400)
The buggy address is located 4 bytes inside of
The buggy address belongs to the page:
page:ffffea0004390600 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10e418
head:ffffea0004390600 order:3 compound_mapcount:0 compound_pincount:0
flags: 0x8000000000010200(slab|head)
raw: 8000000000010200 dead000000000100 dead000000000122 ffff888100042f00
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d2a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 24, ts 39093316016, free_ts 39057416619
raw: 8000000000010200 dead000000000100 dead000000000122 ffff888100042f00
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
set_page_owner include/linux/page_owner.h:35 [inline]
post_alloc_hook mm/page_alloc.c:2385 [inline]
prep_new_page mm/page_alloc.c:2391 [inline]
get_page_from_freelist+0x745/0x760 mm/page_alloc.c:4067
__alloc_pages_nodemask+0x3b6/0x890 mm/page_alloc.c:5117
alloc_slab_page mm/slub.c:1815 [inline]
allocate_slab+0x78/0x540 mm/slub.c:1817
new_slab mm/slub.c:1878 [inline]
new_slab_objects mm/slub.c:2637 [inline]
___slab_alloc+0x131/0x2e0 mm/slub.c:2800
__slab_alloc+0x63/0xa0 mm/slub.c:2840
slab_alloc_node mm/slub.c:2922 [inline]
slab_alloc mm/slub.c:2964 [inline]
__kmalloc_track_caller+0x23e/0x350 mm/slub.c:4545
post_alloc_hook mm/page_alloc.c:2385 [inline]
prep_new_page mm/page_alloc.c:2391 [inline]
get_page_from_freelist+0x745/0x760 mm/page_alloc.c:4067
__alloc_pages_nodemask+0x3b6/0x890 mm/page_alloc.c:5117
alloc_slab_page mm/slub.c:1815 [inline]
allocate_slab+0x78/0x540 mm/slub.c:1817
new_slab mm/slub.c:1878 [inline]
new_slab_objects mm/slub.c:2637 [inline]
___slab_alloc+0x131/0x2e0 mm/slub.c:2800
__slab_alloc+0x63/0xa0 mm/slub.c:2840
slab_alloc_node mm/slub.c:2922 [inline]
slab_alloc mm/slub.c:2964 [inline]
__kmalloc_reserve net/core/skbuff.c:143 [inline]
__alloc_skb+0xbe/0x580 net/core/skbuff.c:211
alloc_skb include/linux/skbuff.h:1101 [inline]
ndisc_alloc_skb+0xf0/0x2d0 net/ipv6/ndisc.c:420
ndisc_send_rs+0x269/0x680 net/ipv6/ndisc.c:686
addrconf_dad_completed+0x8fe/0xdd0 net/ipv6/addrconf.c:4241
addrconf_dad_work+0xd72/0x15d0 net/ipv6/addrconf.c:4006
process_one_work+0x726/0xc10 kernel/workqueue.c:2296
worker_thread+0xb27/0x1550 kernel/workqueue.c:2442
kthread+0x349/0x3d0 kernel/kthread.c:313
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296
kthread+0x349/0x3d0 kernel/kthread.c:313
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296
page last free stack trace:
reset_page_owner include/linux/page_owner.h:28 [inline]
free_pages_prepare mm/page_alloc.c:1331 [inline]
__free_pages_ok+0x7f8/0x830 mm/page_alloc.c:1611
free_the_page mm/page_alloc.c:5178 [inline]
__free_pages+0x2d2/0x4c0 mm/page_alloc.c:5184
__free_slab+0xd3/0x190 mm/slub.c:1903
free_slab mm/slub.c:1918 [inline]
discard_slab mm/slub.c:1924 [inline]
unfreeze_partials+0x17d/0x1b0 mm/slub.c:2418
put_cpu_partial+0xc8/0x190 mm/slub.c:2454
__slab_free+0x2d8/0x3a0 mm/slub.c:3104
do_slab_free mm/slub.c:3200 [inline]
___cache_free+0x11f/0x140 mm/slub.c:3219
qlink_free+0x38/0x40 mm/kasan/quarantine.c:146
qlist_free_all+0x4c/0xc0 mm/kasan/quarantine.c:165
kasan_quarantine_reduce+0x15a/0x170 mm/kasan/quarantine.c:272
__kasan_slab_alloc+0x2f/0xe0 mm/kasan/common.c:438
kasan_slab_alloc include/linux/kasan.h:259 [inline]
slab_post_alloc_hook mm/slab.h:583 [inline]
slab_alloc_node mm/slub.c:2956 [inline]
slab_alloc mm/slub.c:2964 [inline]
kmem_cache_alloc+0x16c/0x300 mm/slub.c:2969
getname_flags+0xba/0x510 fs/namei.c:141
getname+0x19/0x20 fs/namei.c:212
reset_page_owner include/linux/page_owner.h:28 [inline]
free_pages_prepare mm/page_alloc.c:1331 [inline]
__free_pages_ok+0x7f8/0x830 mm/page_alloc.c:1611
free_the_page mm/page_alloc.c:5178 [inline]
__free_pages+0x2d2/0x4c0 mm/page_alloc.c:5184
__free_slab+0xd3/0x190 mm/slub.c:1903
free_slab mm/slub.c:1918 [inline]
discard_slab mm/slub.c:1924 [inline]
unfreeze_partials+0x17d/0x1b0 mm/slub.c:2418
put_cpu_partial+0xc8/0x190 mm/slub.c:2454
__slab_free+0x2d8/0x3a0 mm/slub.c:3104
do_slab_free mm/slub.c:3200 [inline]
___cache_free+0x11f/0x140 mm/slub.c:3219
qlink_free+0x38/0x40 mm/kasan/quarantine.c:146
qlist_free_all+0x4c/0xc0 mm/kasan/quarantine.c:165
kasan_quarantine_reduce+0x15a/0x170 mm/kasan/quarantine.c:272
__kasan_slab_alloc+0x2f/0xe0 mm/kasan/common.c:438
kasan_slab_alloc include/linux/kasan.h:259 [inline]
slab_post_alloc_hook mm/slab.h:583 [inline]
slab_alloc_node mm/slub.c:2956 [inline]
slab_alloc mm/slub.c:2964 [inline]
kmem_cache_alloc+0x16c/0x300 mm/slub.c:2969
getname_flags+0xba/0x510 fs/namei.c:141
do_sys_openat2+0xd2/0x470 fs/open.c:1205
do_sys_open fs/open.c:1227 [inline]
__do_sys_openat fs/open.c:1243 [inline]
__se_sys_openat fs/open.c:1238 [inline]
__x64_sys_openat+0x243/0x290 fs/open.c:1238
__do_sys_openat fs/open.c:1243 [inline]
__se_sys_openat fs/open.c:1238 [inline]
__x64_sys_openat+0x243/0x290 fs/open.c:1238
Memory state around the buggy address:
ffff88810e41bf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88810e41bf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88810e41c000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88810e41c080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88810e41c100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
------------[ cut here ]------------
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 0 PID: 411 at lib/refcount.c:25 refcount_warn_saturate+0x147/0x1b0 lib/refcount.c:25
------------[ cut here ]------------
refcount_t: addition on 0; use-after-free.
Modules linked in:
CPU: 0 PID: 411 Comm: udevd Tainted: G B 5.10.117-syzkaller-986967-g0974b8411a58-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:refcount_warn_saturate+0x147/0x1b0 lib/refcount.c:25
Code: c7 a0 bf 43 85 31 c0 e8 57 22 f2 fe 0f 0b eb a1 e8 ee e7 1f ff c6 05 7a 6c 0f 04 01 48 c7 c7 20 c0 43 85 31 c0 e8 39 22 f2 fe <0f> 0b eb 83 e8 d0 e7 1f ff c6 05 5d 6c 0f 04 01 48 c7 c7 80 c0 43
RIP: 0010:refcount_warn_saturate+0x147/0x1b0 lib/refcount.c:25
RSP: 0018:ffffc90000ce7670 EFLAGS: 00010246
RAX: 8fcc05fe89a2a200 RBX: 0000000000000002 RCX: ffff88810c97bb40
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: ffffc90000ce7680 R08: ffffffff8153a998 R09: ffffed103ee4a5d8
R10: ffffed103ee4a5d8 R11: 1ffff1103ee4a5d7 R12: dffffc0000000000
R13: ffff88810e434000 R14: 0000000000000002 R15: ffff88810e434000
FS: 00007f07ef974840(0000) GS:ffff8881f7300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f14478f3ff8 CR3: 000000010d6e3000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
__refcount_add include/linux/refcount.h:200 [inline]
__refcount_inc include/linux/refcount.h:250 [inline]
refcount_inc include/linux/refcount.h:267 [inline]
kref_get include/linux/kref.h:45 [inline]
bdi_get+0x83/0x90 include/linux/backing-dev.h:24
__blkdev_get+0x120c/0x1360 fs/block_dev.c:1554
blkdev_get fs/block_dev.c:1651 [inline]
blkdev_open+0x21a/0x450 fs/block_dev.c:1768
do_dentry_open+0x7a2/0x1090 fs/open.c:819
vfs_open+0x73/0x80 fs/open.c:942
do_open fs/namei.c:3327 [inline]
path_openat+0x2638/0x2fd0 fs/namei.c:3444
do_filp_open+0x200/0x440 fs/namei.c:3471
do_sys_openat2+0x13b/0x470 fs/open.c:1211
do_sys_open fs/open.c:1227 [inline]
__do_sys_openat fs/open.c:1243 [inline]
__se_sys_openat fs/open.c:1238 [inline]
__x64_sys_openat+0x243/0x290 fs/open.c:1238
do_syscall_64+0x34/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7f07efacb697
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
__refcount_add include/linux/refcount.h:200 [inline]
__refcount_inc include/linux/refcount.h:250 [inline]
refcount_inc include/linux/refcount.h:267 [inline]
kref_get include/linux/kref.h:45 [inline]
bdi_get+0x83/0x90 include/linux/backing-dev.h:24
__blkdev_get+0x120c/0x1360 fs/block_dev.c:1554
blkdev_get fs/block_dev.c:1651 [inline]
blkdev_open+0x21a/0x450 fs/block_dev.c:1768
do_dentry_open+0x7a2/0x1090 fs/open.c:819
vfs_open+0x73/0x80 fs/open.c:942
do_open fs/namei.c:3327 [inline]
path_openat+0x2638/0x2fd0 fs/namei.c:3444
do_filp_open+0x200/0x440 fs/namei.c:3471
do_sys_openat2+0x13b/0x470 fs/open.c:1211
do_sys_open fs/open.c:1227 [inline]
__do_sys_openat fs/open.c:1243 [inline]
__se_sys_openat fs/open.c:1238 [inline]
__x64_sys_openat+0x243/0x290 fs/open.c:1238
do_syscall_64+0x34/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
Code: 25 00 00 41 00 3d 00 00 41 00 74 37 64 8b 04 25 18 00 00 00 85 c0 75 5b 44 89 e2 48 89 ee bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 85 00 00 00 48 83 c4 68 5d 41 5c c3 0f 1f
RSP: 002b:00007ffc3f192300 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00005602287fee30 RCX: 00007f07efacb697
RDX: 00000000000a0800 RSI: 00005602287d5670 RDI: 00000000ffffff9c
RBP: 00005602287d5670 R08: 00000000ffffffff R09: 00007ffc3f19b0b8
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000000a0800
R13: 00005602287d7b00 R14: 0000000000000001 R15: 00005602287c92c0
---[ end trace 100c67114ae8d3b3 ]---
------------[ cut here ]------------
refcount_t: saturated; leaking memory.
WARNING: CPU: 0 PID: 411 at lib/refcount.c:22 refcount_warn_saturate+0x129/0x1b0 lib/refcount.c:22
Modules linked in:
CPU: 0 PID: 411 Comm: udevd Tainted: G B W 5.10.117-syzkaller-986967-g0974b8411a58-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:refcount_warn_saturate+0x129/0x1b0 lib/refcount.c:22
Code: c7 40 c1 43 85 31 c0 e8 75 22 f2 fe 0f 0b eb bf e8 0c e8 1f ff c6 05 97 6c 0f 04 01 48 c7 c7 a0 bf 43 85 31 c0 e8 57 22 f2 fe <0f> 0b eb a1 e8 ee e7 1f ff c6 05 7a 6c 0f 04 01 48 c7 c7 20 c0 43
RSP: 0018:ffffc90000ce7670 EFLAGS: 00010246
RAX: 8fcc05fe89a2a200 RBX: 0000000000000001 RCX: ffff88810c97bb40
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: ffffc90000ce7680 R08: ffffffff8153a998 R09: ffffed103ee4a5d8
R10: ffffed103ee4a5d8 R11: 1ffff1103ee4a5d7 R12: 00000000c0000001
R13: ffff88810f3c1000 R14: 0000000000000001 R15: ffff88810f3c1000
FS: 00007f07ef974840(0000) GS:ffff8881f7200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000056022880c098 CR3: 000000010d6e3000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
__refcount_add include/linux/refcount.h:200 [inline]
__refcount_inc include/linux/refcount.h:250 [inline]
refcount_inc include/linux/refcount.h:267 [inline]
kref_get include/linux/kref.h:45 [inline]
bdi_get+0x83/0x90 include/linux/backing-dev.h:24
__blkdev_get+0x120c/0x1360 fs/block_dev.c:1554
blkdev_get fs/block_dev.c:1651 [inline]
blkdev_open+0x21a/0x450 fs/block_dev.c:1768
do_dentry_open+0x7a2/0x1090 fs/open.c:819
vfs_open+0x73/0x80 fs/open.c:942
do_open fs/namei.c:3327 [inline]
path_openat+0x2638/0x2fd0 fs/namei.c:3444
do_filp_open+0x200/0x440 fs/namei.c:3471
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
__refcount_add include/linux/refcount.h:200 [inline]
__refcount_inc include/linux/refcount.h:250 [inline]
refcount_inc include/linux/refcount.h:267 [inline]
kref_get include/linux/kref.h:45 [inline]
bdi_get+0x83/0x90 include/linux/backing-dev.h:24
__blkdev_get+0x120c/0x1360 fs/block_dev.c:1554
blkdev_get fs/block_dev.c:1651 [inline]
blkdev_open+0x21a/0x450 fs/block_dev.c:1768
do_dentry_open+0x7a2/0x1090 fs/open.c:819
vfs_open+0x73/0x80 fs/open.c:942
do_open fs/namei.c:3327 [inline]
path_openat+0x2638/0x2fd0 fs/namei.c:3444
do_filp_open+0x200/0x440 fs/namei.c:3471
Tested on:
commit: 0974b841 Merge 5.10.117 into android12-5.10-lts
git tree: android12-5.10-lts
console output: https://syzkaller.appspot.com/x/log.txt?x=14e3e9d5f00000
commit: 0974b841 Merge 5.10.117 into android12-5.10-lts
git tree: android12-5.10-lts
kernel config: https://syzkaller.appspot.com/x/.config?x=89bdb361ba397fca
dashboard link: https://syzkaller.appspot.com/bug?extid=7308a6f9b7c24d5cf1d5
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=17e27775f00000
dashboard link: https://syzkaller.appspot.com/bug?extid=7308a6f9b7c24d5cf1d5
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
Tadeusz Struk
May 26, 2022, 12:37:54 PM5/26/22
to syzbot+7308a6...@syzkaller.appspotmail.com, syzkaller-a...@googlegroups.com, tadeus...@linaro.org, Luis Chamberlain
From: Luis Chamberlain <mcg...@kernel.org>
#syz test: https://android.googlesource.com/kernel/common android12-5.10-lts
==========================================
#syz test: https://android.googlesource.com/kernel/common android12-5.10-lts
--- a/drivers/block/loop.c
+++ b/drivers/block/loop.c
@@ -2163,10 +2163,17 @@ static int loop_add(struct loop_device **l, int i)
disk->private_data = lo;
disk->queue = lo->lo_queue;
sprintf(disk->disk_name, "loop%d", i);
- add_disk(disk);
+
+ /* Make this loop device reachable from pathname. */
+ err = add_disk(disk);
+ if (err)
+ goto out_put_disk;
disk->queue = lo->lo_queue;
sprintf(disk->disk_name, "loop%d", i);
- add_disk(disk);
+
+ /* Make this loop device reachable from pathname. */
+ err = add_disk(disk);
+ if (err)
*l = lo;
+
return lo->lo_number;
+out_put_disk:
+ put_disk(struct gendisk *disk)
out_free_queue:
blk_cleanup_queue(lo->lo_queue);
out_cleanup_tags:
@@ -2176,6 +2183,7 @@ static int loop_add(struct loop_device **l, int i)
syzbot
May 26, 2022, 12:43:08 PM5/26/22
to mcg...@kernel.org, syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
drivers/block/loop.c:2177:11: error: expected expression
drivers/block/loop.c:2135:8: error: use of undeclared label 'out_free_queue'
Tested on:
commit: 0974b841 Merge 5.10.117 into android12-5.10-lts
git tree: android12-5.10-lts
syzbot tried to test the proposed patch but the build/boot failed:
drivers/block/loop.c:2177:11: error: expected expression
drivers/block/loop.c:2135:8: error: use of undeclared label 'out_free_queue'
Tested on:
commit: 0974b841 Merge 5.10.117 into android12-5.10-lts
git tree: android12-5.10-lts
dashboard link: https://syzkaller.appspot.com/bug?extid=7308a6f9b7c24d5cf1d5
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=1096b9f9f00000
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
Tadeusz Struk
May 26, 2022, 12:46:38 PM5/26/22
to syzbot+7308a6...@syzkaller.appspotmail.com, syzkaller-a...@googlegroups.com, tadeus...@linaro.org, Luis Chamberlain
Tadeusz Struk
May 26, 2022, 12:48:44 PM5/26/22
to syzbot+7308a6...@syzkaller.appspotmail.com, syzkaller-a...@googlegroups.com, tadeus...@linaro.org, Luis Chamberlain
--- a/drivers/block/loop.c
+++ b/drivers/block/loop.c
@@ -2163,10 +2163,17 @@ static int loop_add(struct loop_device **l, int i)
disk->private_data = lo;
disk->queue = lo->lo_queue;
sprintf(disk->disk_name, "loop%d", i);
- add_disk(disk);
+
+ /* Make this loop device reachable from pathname. */
+ err = add_disk(disk);
+ if (err)
+ goto out_put_disk;
*l = lo;
+
return lo->lo_number;
+out_put_disk:
+ put_disk(disk);
+++ b/drivers/block/loop.c
@@ -2163,10 +2163,17 @@ static int loop_add(struct loop_device **l, int i)
disk->private_data = lo;
disk->queue = lo->lo_queue;
sprintf(disk->disk_name, "loop%d", i);
- add_disk(disk);
+
+ /* Make this loop device reachable from pathname. */
+ err = add_disk(disk);
+ if (err)
+ goto out_put_disk;
*l = lo;
+
return lo->lo_number;
+out_put_disk:
syzbot
May 26, 2022, 12:51:11 PM5/26/22
to mcg...@kernel.org, syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
drivers/block/loop.c:2177:11: error: expected expression
syzbot tried to test the proposed patch but the build/boot failed:
drivers/block/loop.c:2177:11: error: expected expression
Tested on:
commit: 0974b841 Merge 5.10.117 into android12-5.10-lts
git tree: android12-5.10-lts
dashboard link: https://syzkaller.appspot.com/bug?extid=7308a6f9b7c24d5cf1d5
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=12f5c555f00000
commit: 0974b841 Merge 5.10.117 into android12-5.10-lts
git tree: android12-5.10-lts
dashboard link: https://syzkaller.appspot.com/bug?extid=7308a6f9b7c24d5cf1d5
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
syzbot
May 26, 2022, 12:59:12 PM5/26/22
to mcg...@kernel.org, syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: use-after-free Read in blk_mq_run_hw_queues
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
RAX: ffffffffffffffda RBX: 00007f3c6e6a1f60 RCX: 00007f3c6e58f0e9
RDX: 0000000000000000 RSI: 0000000000004c80 RDI: 0000000000000003
RBP: 00007f3c6e5051d0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000002
R13: 00007ffce774604f R14: 00007f3c6e505300 R15: 0000000000022000
---[ end trace b283e9c563a2f98a ]---
==================================================================
BUG: KASAN: use-after-free in blk_mq_run_hw_queues+0x298/0x450 block/blk-mq.c:1704
Read of size 8 at addr ffff88810b78c050 by task syz-executor.0/411
CPU: 0 PID: 411 Comm: syz-executor.0 Tainted: G W 5.10.117-syzkaller-986967-g0974b8411a58-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack_lvl+0x1e2/0x24b lib/dump_stack.c:118
print_address_description+0x81/0x3c0 mm/kasan/report.c:233
__kasan_report mm/kasan/report.c:419 [inline]
kasan_report+0x1a4/0x1f0 mm/kasan/report.c:436
__asan_report_load8_noabort+0x14/0x20 mm/kasan/report_generic.c:309
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack_lvl+0x1e2/0x24b lib/dump_stack.c:118
print_address_description+0x81/0x3c0 mm/kasan/report.c:233
__kasan_report mm/kasan/report.c:419 [inline]
kasan_report+0x1a4/0x1f0 mm/kasan/report.c:436
blk_mq_run_hw_queues+0x298/0x450 block/blk-mq.c:1704
blk_freeze_queue_start+0xad/0xe0 block/blk-mq.c:143
blk_set_queue_dying block/blk-core.c:357 [inline]
blk_cleanup_queue+0x88/0x210 block/blk-core.c:384
loop_add+0x613/0x840 drivers/block/loop.c:2179
loop_control_ioctl+0x564/0x740 drivers/block/loop.c:2298
vfs_ioctl fs/ioctl.c:48 [inline]
__do_sys_ioctl fs/ioctl.c:753 [inline]
__se_sys_ioctl+0x115/0x190 fs/ioctl.c:739
__x64_sys_ioctl+0x7b/0x90 fs/ioctl.c:739
do_syscall_64+0x34/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7f3c6e58f0e9
__do_sys_ioctl fs/ioctl.c:753 [inline]
__se_sys_ioctl+0x115/0x190 fs/ioctl.c:739
__x64_sys_ioctl+0x7b/0x90 fs/ioctl.c:739
do_syscall_64+0x34/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f3c6e505168 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f3c6e6a1f60 RCX: 00007f3c6e58f0e9
RDX: 0000000000000000 RSI: 0000000000004c80 RDI: 0000000000000003
RBP: 00007f3c6e5051d0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000002
R13: 00007ffce774604f R14: 00007f3c6e505300 R15: 0000000000022000
Allocated by task 411:
kasan_save_stack mm/kasan/common.c:38 [inline]
kasan_set_track mm/kasan/common.c:46 [inline]
set_alloc_info mm/kasan/common.c:428 [inline]
____kasan_kmalloc+0xdc/0x110 mm/kasan/common.c:507
__kasan_kmalloc+0x9/0x10 mm/kasan/common.c:516
kasan_kmalloc include/linux/kasan.h:269 [inline]
__kmalloc+0x1f7/0x360 mm/slub.c:4042
kasan_set_track mm/kasan/common.c:46 [inline]
set_alloc_info mm/kasan/common.c:428 [inline]
____kasan_kmalloc+0xdc/0x110 mm/kasan/common.c:507
__kasan_kmalloc+0x9/0x10 mm/kasan/common.c:516
kasan_kmalloc include/linux/kasan.h:269 [inline]
__kmalloc_node include/linux/slab.h:418 [inline]
kmalloc_array_node include/linux/slab.h:627 [inline]
kcalloc_node include/linux/slab.h:632 [inline]
blk_mq_realloc_hw_ctxs+0xca/0x1840 block/blk-mq.c:3241
kmalloc_array_node include/linux/slab.h:627 [inline]
kcalloc_node include/linux/slab.h:632 [inline]
blk_mq_init_allocated_queue+0x41a/0x1a30 block/blk-mq.c:3331
blk_mq_init_queue_data block/blk-mq.c:3150 [inline]
blk_mq_init_queue+0x6c/0xc0 block/blk-mq.c:3160
loop_add+0x284/0x840 drivers/block/loop.c:2115
blk_mq_init_queue_data block/blk-mq.c:3150 [inline]
blk_mq_init_queue+0x6c/0xc0 block/blk-mq.c:3160
loop_control_ioctl+0x564/0x740 drivers/block/loop.c:2298
vfs_ioctl fs/ioctl.c:48 [inline]
__do_sys_ioctl fs/ioctl.c:753 [inline]
__se_sys_ioctl+0x115/0x190 fs/ioctl.c:739
__x64_sys_ioctl+0x7b/0x90 fs/ioctl.c:739
do_syscall_64+0x34/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
Freed by task 411:
__do_sys_ioctl fs/ioctl.c:753 [inline]
__se_sys_ioctl+0x115/0x190 fs/ioctl.c:739
__x64_sys_ioctl+0x7b/0x90 fs/ioctl.c:739
do_syscall_64+0x34/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
kasan_save_stack mm/kasan/common.c:38 [inline]
kasan_set_track+0x4c/0x80 mm/kasan/common.c:46
kasan_set_free_info+0x23/0x40 mm/kasan/generic.c:357
____kasan_slab_free+0x121/0x160 mm/kasan/common.c:360
__kasan_slab_free+0x11/0x20 mm/kasan/common.c:368
kasan_slab_free include/linux/kasan.h:235 [inline]
slab_free_hook mm/slub.c:1604 [inline]
slab_free_freelist_hook+0xcc/0x1a0 mm/slub.c:1630
slab_free mm/slub.c:3212 [inline]
kfree+0xc3/0x290 mm/slub.c:4200
blk_mq_release+0x2d0/0x310 block/blk-mq.c:3127
kasan_set_track+0x4c/0x80 mm/kasan/common.c:46
kasan_set_free_info+0x23/0x40 mm/kasan/generic.c:357
____kasan_slab_free+0x121/0x160 mm/kasan/common.c:360
__kasan_slab_free+0x11/0x20 mm/kasan/common.c:368
kasan_slab_free include/linux/kasan.h:235 [inline]
slab_free_hook mm/slub.c:1604 [inline]
slab_free_freelist_hook+0xcc/0x1a0 mm/slub.c:1630
slab_free mm/slub.c:3212 [inline]
kfree+0xc3/0x290 mm/slub.c:4200
blk_release_queue+0x314/0x430 block/blk-sysfs.c:808
kobject_cleanup lib/kobject.c:705 [inline]
kobject_release lib/kobject.c:736 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0x163/0x240 lib/kobject.c:753
blk_put_queue+0x19/0x20 block/blk-core.c:344
disk_release+0x231/0x2a0 block/genhd.c:1568
device_release+0x9c/0x1d0 drivers/base/core.c:2114
kobject_cleanup lib/kobject.c:705 [inline]
kobject_release lib/kobject.c:736 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0x163/0x240 lib/kobject.c:753
put_disk+0x23/0x30 block/genhd.c:1816
loop_add+0x5e6/0x840 drivers/block/loop.c:2177
loop_control_ioctl+0x564/0x740 drivers/block/loop.c:2298
vfs_ioctl fs/ioctl.c:48 [inline]
__do_sys_ioctl fs/ioctl.c:753 [inline]
__se_sys_ioctl+0x115/0x190 fs/ioctl.c:739
__x64_sys_ioctl+0x7b/0x90 fs/ioctl.c:739
do_syscall_64+0x34/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
The buggy address belongs to the object at ffff88810b78c050
__do_sys_ioctl fs/ioctl.c:753 [inline]
__se_sys_ioctl+0x115/0x190 fs/ioctl.c:739
__x64_sys_ioctl+0x7b/0x90 fs/ioctl.c:739
do_syscall_64+0x34/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
which belongs to the cache kmalloc-8 of size 8
The buggy address is located 0 bytes inside of
8-byte region [ffff88810b78c050, ffff88810b78c058)
The buggy address belongs to the page:
page:ffffea00042de300 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10b78c
flags: 0x8000000000000200(slab)
raw: 8000000000000200 ffffea00042de200 0000001900000019 ffff888100043c80
raw: 0000000000000000 0000000080660066 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY), pid 1, ts 2728514769, free_ts 0
page_owner tracks the page as allocated
set_page_owner include/linux/page_owner.h:35 [inline]
post_alloc_hook mm/page_alloc.c:2385 [inline]
prep_new_page mm/page_alloc.c:2391 [inline]
get_page_from_freelist+0x745/0x760 mm/page_alloc.c:4067
__alloc_pages_nodemask+0x3b6/0x890 mm/page_alloc.c:5117
alloc_slab_page mm/slub.c:1815 [inline]
allocate_slab+0x78/0x540 mm/slub.c:1817
new_slab mm/slub.c:1878 [inline]
new_slab_objects mm/slub.c:2637 [inline]
___slab_alloc+0x131/0x2e0 mm/slub.c:2800
__slab_alloc+0x63/0xa0 mm/slub.c:2840
slab_alloc_node mm/slub.c:2922 [inline]
slab_alloc mm/slub.c:2964 [inline]
__kmalloc_track_caller+0x23e/0x350 mm/slub.c:4545
kstrdup+0x34/0x70 mm/util.c:63
post_alloc_hook mm/page_alloc.c:2385 [inline]
prep_new_page mm/page_alloc.c:2391 [inline]
get_page_from_freelist+0x745/0x760 mm/page_alloc.c:4067
__alloc_pages_nodemask+0x3b6/0x890 mm/page_alloc.c:5117
alloc_slab_page mm/slub.c:1815 [inline]
allocate_slab+0x78/0x540 mm/slub.c:1817
new_slab mm/slub.c:1878 [inline]
new_slab_objects mm/slub.c:2637 [inline]
___slab_alloc+0x131/0x2e0 mm/slub.c:2800
__slab_alloc+0x63/0xa0 mm/slub.c:2840
slab_alloc_node mm/slub.c:2922 [inline]
slab_alloc mm/slub.c:2964 [inline]
__kmalloc_track_caller+0x23e/0x350 mm/slub.c:4545
get_permissions_callback+0x43/0xa0 security/selinux/ss/services.c:3427
hashtab_map+0x100/0x200 security/selinux/ss/hashtab.c:96
security_get_permissions+0x10d/0x380 security/selinux/ss/services.c:3458
sel_make_perm_files security/selinux/selinuxfs.c:1872 [inline]
sel_make_class_dir_entries security/selinux/selinuxfs.c:1933 [inline]
sel_make_classes security/selinux/selinuxfs.c:1964 [inline]
sel_make_policy_nodes+0xfc5/0x1b40 security/selinux/selinuxfs.c:571
sel_write_load+0x38c/0x540 security/selinux/selinuxfs.c:651
vfs_write+0x369/0xf40 fs/read_write.c:603
ksys_write+0x198/0x2c0 fs/read_write.c:658
__do_sys_write fs/read_write.c:670 [inline]
__se_sys_write fs/read_write.c:667 [inline]
__x64_sys_write+0x7b/0x90 fs/read_write.c:667
do_syscall_64+0x34/0x70 arch/x86/entry/common.c:46
page_owner free stack trace missing
Memory state around the buggy address:
ffff88810b78bf80: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
>ffff88810b78c000: 00 fc fc fc fc 00 fc fc fc fc fa fc fc fc fc fa
^
ffff88810b78c080: fc fc fc fc 00 fc fc fc fc 00 fc fc fc fc fa fc
ffff88810b78c100: fc fc fc 00 fc fc fc fc 00 fc fc fc fc fa fc fc
==================================================================
------------[ cut here ]------------
refcount_t: underflow; use-after-free.
------------[ cut here ]------------
WARNING: CPU: 0 PID: 411 at lib/refcount.c:28 refcount_warn_saturate+0x165/0x1b0 lib/refcount.c:28
Modules linked in:
CPU: 0 PID: 411 Comm: syz-executor.0 Tainted: G B W 5.10.117-syzkaller-986967-g0974b8411a58-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:refcount_warn_saturate+0x165/0x1b0 lib/refcount.c:28
Code: c7 20 be 43 85 31 c0 e8 39 22 f2 fe 0f 0b eb 83 e8 d0 e7 1f ff c6 05 5d 6c 0f 04 01 48 c7 c7 80 be 43 85 31 c0 e8 1b 22 f2 fe <0f> 0b e9 62 ff ff ff e8 af e7 1f ff c6 05 3d 6c 0f 04 01 48 c7 c7
RSP: 0018:ffffc90000c87ca0 EFLAGS: 00010246
RAX: cf2493813e566600 RBX: 0000000000000003 RCX: ffff88810c560000
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: ffffc90000c87cb0 R08: ffffffff8153a998 R09: ffffed103ee44e83
R10: ffffed103ee44e83 R11: 1ffff1103ee44e82 R12: ffff88810a85e010
R13: ffff88810a85e048 R14: 0000000000000003 R15: dffffc0000000000
FS: 00007f3c6e505700(0000) GS:ffff8881f7200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000556182e1e858 CR3: 000000010d649000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
__refcount_sub_and_test include/linux/refcount.h:283 [inline]
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
__refcount_dec_and_test include/linux/refcount.h:315 [inline]
refcount_dec_and_test include/linux/refcount.h:333 [inline]
kref_put include/linux/kref.h:64 [inline]
kobject_put+0x206/0x240 lib/kobject.c:753
blk_put_queue block/blk-core.c:344 [inline]
blk_cleanup_queue+0x1ec/0x210 block/blk-core.c:426
loop_add+0x613/0x840 drivers/block/loop.c:2179
loop_control_ioctl+0x564/0x740 drivers/block/loop.c:2298
vfs_ioctl fs/ioctl.c:48 [inline]
__do_sys_ioctl fs/ioctl.c:753 [inline]
__se_sys_ioctl+0x115/0x190 fs/ioctl.c:739
__x64_sys_ioctl+0x7b/0x90 fs/ioctl.c:739
do_syscall_64+0x34/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7f3c6e58f0e9
__do_sys_ioctl fs/ioctl.c:753 [inline]
__se_sys_ioctl+0x115/0x190 fs/ioctl.c:739
__x64_sys_ioctl+0x7b/0x90 fs/ioctl.c:739
do_syscall_64+0x34/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f3c6e505168 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f3c6e6a1f60 RCX: 00007f3c6e58f0e9
RDX: 0000000000000000 RSI: 0000000000004c80 RDI: 0000000000000003
RBP: 00007f3c6e5051d0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000002
R13: 00007ffce774604f R14: 00007f3c6e505300 R15: 0000000000022000
---[ end trace b283e9c563a2f98b ]---
Tested on:
commit: 0974b841 Merge 5.10.117 into android12-5.10-lts
git tree: android12-5.10-lts
kernel config: https://syzkaller.appspot.com/x/.config?x=89bdb361ba397fca
dashboard link: https://syzkaller.appspot.com/bug?extid=7308a6f9b7c24d5cf1d5
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=116c66cbf00000
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
Tadeusz Struk
May 26, 2022, 1:23:03 PM5/26/22
to syzbot+7308a6...@syzkaller.appspotmail.com, syzkaller-a...@googlegroups.com, tadeus...@linaro.org, Luis Chamberlain
From: Luis Chamberlain <mcg...@kernel.org>
#syz test: https://android.googlesource.com/kernel/common android12-5.10-lts
#syz test: https://android.googlesource.com/kernel/common android12-5.10-lts
--- a/drivers/block/loop.c
+++ b/drivers/block/loop.c
@@ -2163,10 +2163,18 @@ static int loop_add(struct loop_device **l, int i)
disk->private_data = lo;
disk->queue = lo->lo_queue;
sprintf(disk->disk_name, "loop%d", i);
- add_disk(disk);
+
+ /* Make this loop device reachable from pathname. */
+ err = add_disk(disk);
+ if (err)
+ goto out_put_disk;
*l = lo;
+
return lo->lo_number;
+out_put_disk:
+ disk->queue = NULL;
disk->queue = lo->lo_queue;
sprintf(disk->disk_name, "loop%d", i);
- add_disk(disk);
+
+ /* Make this loop device reachable from pathname. */
+ err = add_disk(disk);
+ if (err)
+ goto out_put_disk;
*l = lo;
+
return lo->lo_number;
+out_put_disk:
+ put_disk(disk);
out_free_queue:
blk_cleanup_queue(lo->lo_queue);
out_cleanup_tags:
@@ -2176,6 +2184,9 @@ static int loop_add(struct loop_device **l, int i)
out_free_queue:
blk_cleanup_queue(lo->lo_queue);
out_cleanup_tags:
out_free_dev:
kfree(lo);
out:
+ *l = NULL;
+ disk->private_data = NULL;
kfree(lo);
out:
+ *l = NULL;
+
syzbot
May 26, 2022, 1:34:08 PM5/26/22
to mcg...@kernel.org, syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: use-after-free Write in loop_add
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000002
kobject_add_internal failed for loop0 (error: -12 parent: block)
==================================================================
BUG: KASAN: use-after-free in loop_add+0x65f/0x850 drivers/block/loop.c:2189
Write of size 8 at addr ffff88810dc18460 by task syz-executor.0/413
CPU: 0 PID: 413 Comm: syz-executor.0 Not tainted 5.10.117-syzkaller-986967-g0974b8411a58-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack_lvl+0x1e2/0x24b lib/dump_stack.c:118
print_address_description+0x81/0x3c0 mm/kasan/report.c:233
__kasan_report mm/kasan/report.c:419 [inline]
kasan_report+0x1a4/0x1f0 mm/kasan/report.c:436
__asan_report_store8_noabort+0x17/0x20 mm/kasan/report_generic.c:314
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack_lvl+0x1e2/0x24b lib/dump_stack.c:118
print_address_description+0x81/0x3c0 mm/kasan/report.c:233
__kasan_report mm/kasan/report.c:419 [inline]
kasan_report+0x1a4/0x1f0 mm/kasan/report.c:436
loop_add+0x65f/0x850 drivers/block/loop.c:2189
loop_control_ioctl+0x564/0x740 drivers/block/loop.c:2301
vfs_ioctl fs/ioctl.c:48 [inline]
__do_sys_ioctl fs/ioctl.c:753 [inline]
__se_sys_ioctl+0x115/0x190 fs/ioctl.c:739
__x64_sys_ioctl+0x7b/0x90 fs/ioctl.c:739
do_syscall_64+0x34/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7ff069f800e9
__do_sys_ioctl fs/ioctl.c:753 [inline]
__se_sys_ioctl+0x115/0x190 fs/ioctl.c:739
__x64_sys_ioctl+0x7b/0x90 fs/ioctl.c:739
do_syscall_64+0x34/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ff069ef6168 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007ff06a092f60 RCX: 00007ff069f800e9
RDX: 0000000000000000 RSI: 0000000000004c80 RDI: 0000000000000003
RBP: 00007ff069ef61d0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000002
R13: 00007ffe9c321c4f R14: 00007ff069ef6300 R15: 0000000000022000
Allocated by task 413:
kasan_save_stack mm/kasan/common.c:38 [inline]
kasan_set_track mm/kasan/common.c:46 [inline]
set_alloc_info mm/kasan/common.c:428 [inline]
____kasan_kmalloc+0xdc/0x110 mm/kasan/common.c:507
__kasan_kmalloc+0x9/0x10 mm/kasan/common.c:516
kasan_kmalloc include/linux/kasan.h:269 [inline]
kmem_cache_alloc_trace+0x1dd/0x330 mm/slub.c:2983
kasan_set_track mm/kasan/common.c:46 [inline]
set_alloc_info mm/kasan/common.c:428 [inline]
____kasan_kmalloc+0xdc/0x110 mm/kasan/common.c:507
__kasan_kmalloc+0x9/0x10 mm/kasan/common.c:516
kasan_kmalloc include/linux/kasan.h:269 [inline]
kmem_cache_alloc_node_trace include/linux/slab.h:440 [inline]
kmalloc_node include/linux/slab.h:570 [inline]
kzalloc_node include/linux/slab.h:675 [inline]
__alloc_disk_node+0x75/0x330 block/genhd.c:1728
loop_add+0x365/0x850 drivers/block/loop.c:2133
loop_control_ioctl+0x564/0x740 drivers/block/loop.c:2301
vfs_ioctl fs/ioctl.c:48 [inline]
__do_sys_ioctl fs/ioctl.c:753 [inline]
__se_sys_ioctl+0x115/0x190 fs/ioctl.c:739
__x64_sys_ioctl+0x7b/0x90 fs/ioctl.c:739
do_syscall_64+0x34/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
Freed by task 413:
__do_sys_ioctl fs/ioctl.c:753 [inline]
__se_sys_ioctl+0x115/0x190 fs/ioctl.c:739
__x64_sys_ioctl+0x7b/0x90 fs/ioctl.c:739
do_syscall_64+0x34/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
kasan_save_stack mm/kasan/common.c:38 [inline]
kasan_set_track+0x4c/0x80 mm/kasan/common.c:46
kasan_set_free_info+0x23/0x40 mm/kasan/generic.c:357
____kasan_slab_free+0x121/0x160 mm/kasan/common.c:360
__kasan_slab_free+0x11/0x20 mm/kasan/common.c:368
kasan_slab_free include/linux/kasan.h:235 [inline]
slab_free_hook mm/slub.c:1604 [inline]
slab_free_freelist_hook+0xcc/0x1a0 mm/slub.c:1630
slab_free mm/slub.c:3212 [inline]
kfree+0xc3/0x290 mm/slub.c:4200
disk_release+0x240/0x2a0 block/genhd.c:1569
kasan_set_track+0x4c/0x80 mm/kasan/common.c:46
kasan_set_free_info+0x23/0x40 mm/kasan/generic.c:357
____kasan_slab_free+0x121/0x160 mm/kasan/common.c:360
__kasan_slab_free+0x11/0x20 mm/kasan/common.c:368
kasan_slab_free include/linux/kasan.h:235 [inline]
slab_free_hook mm/slub.c:1604 [inline]
slab_free_freelist_hook+0xcc/0x1a0 mm/slub.c:1630
slab_free mm/slub.c:3212 [inline]
kfree+0xc3/0x290 mm/slub.c:4200
device_release+0x9c/0x1d0 drivers/base/core.c:2114
kobject_cleanup lib/kobject.c:705 [inline]
kobject_release lib/kobject.c:736 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0x163/0x240 lib/kobject.c:753
put_disk+0x23/0x30 block/genhd.c:1816
loop_add+0x5cc/0x850 drivers/block/loop.c:2178
kobject_cleanup lib/kobject.c:705 [inline]
kobject_release lib/kobject.c:736 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0x163/0x240 lib/kobject.c:753
put_disk+0x23/0x30 block/genhd.c:1816
loop_control_ioctl+0x564/0x740 drivers/block/loop.c:2301
vfs_ioctl fs/ioctl.c:48 [inline]
__do_sys_ioctl fs/ioctl.c:753 [inline]
__se_sys_ioctl+0x115/0x190 fs/ioctl.c:739
__x64_sys_ioctl+0x7b/0x90 fs/ioctl.c:739
do_syscall_64+0x34/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
The buggy address belongs to the object at ffff88810dc18000
__do_sys_ioctl fs/ioctl.c:753 [inline]
__se_sys_ioctl+0x115/0x190 fs/ioctl.c:739
__x64_sys_ioctl+0x7b/0x90 fs/ioctl.c:739
do_syscall_64+0x34/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 1120 bytes inside of
2048-byte region [ffff88810dc18000, ffff88810dc18800)
The buggy address belongs to the page:
page:ffffea0004370600 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10dc18
head:ffffea0004370600 order:3 compound_mapcount:0 compound_pincount:0
flags: 0x8000000000010200(slab|head)
raw: 8000000000010200 dead000000000100 dead000000000122 ffff888100042d80
raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d2a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 0, ts 37541524615, free_ts 37506235118
page_owner tracks the page as allocated
set_page_owner include/linux/page_owner.h:35 [inline]
post_alloc_hook mm/page_alloc.c:2385 [inline]
prep_new_page mm/page_alloc.c:2391 [inline]
get_page_from_freelist+0x745/0x760 mm/page_alloc.c:4067
__alloc_pages_nodemask+0x3b6/0x890 mm/page_alloc.c:5117
alloc_slab_page mm/slub.c:1815 [inline]
allocate_slab+0x78/0x540 mm/slub.c:1817
new_slab mm/slub.c:1878 [inline]
new_slab_objects mm/slub.c:2637 [inline]
___slab_alloc+0x131/0x2e0 mm/slub.c:2800
__slab_alloc+0x63/0xa0 mm/slub.c:2840
slab_alloc_node mm/slub.c:2922 [inline]
slab_alloc mm/slub.c:2964 [inline]
__kmalloc_track_caller+0x23e/0x350 mm/slub.c:4545
post_alloc_hook mm/page_alloc.c:2385 [inline]
prep_new_page mm/page_alloc.c:2391 [inline]
get_page_from_freelist+0x745/0x760 mm/page_alloc.c:4067
__alloc_pages_nodemask+0x3b6/0x890 mm/page_alloc.c:5117
alloc_slab_page mm/slub.c:1815 [inline]
allocate_slab+0x78/0x540 mm/slub.c:1817
new_slab mm/slub.c:1878 [inline]
new_slab_objects mm/slub.c:2637 [inline]
___slab_alloc+0x131/0x2e0 mm/slub.c:2800
__slab_alloc+0x63/0xa0 mm/slub.c:2840
slab_alloc_node mm/slub.c:2922 [inline]
slab_alloc mm/slub.c:2964 [inline]
__kmalloc_track_caller+0x23e/0x350 mm/slub.c:4545
__kmalloc_reserve net/core/skbuff.c:143 [inline]
__alloc_skb+0xbe/0x580 net/core/skbuff.c:211
alloc_skb include/linux/skbuff.h:1101 [inline]
alloc_skb_with_frags+0xac/0x5a0 net/core/skbuff.c:5887
__alloc_skb+0xbe/0x580 net/core/skbuff.c:211
alloc_skb include/linux/skbuff.h:1101 [inline]
sock_alloc_send_pskb+0x848/0x970 net/core/sock.c:2347
sock_alloc_send_skb+0x32/0x40 net/core/sock.c:2364
mld_newpack+0x1b4/0x9c0 net/ipv6/mcast.c:1604
add_grhead net/ipv6/mcast.c:1707 [inline]
add_grec+0xf55/0x13d0 net/ipv6/mcast.c:1838
mld_send_cr net/ipv6/mcast.c:1964 [inline]
mld_ifc_timer_expire+0x781/0xc50 net/ipv6/mcast.c:2471
call_timer_fn+0x35/0x270 kernel/time/timer.c:1420
expire_timers+0x21b/0x3a0 kernel/time/timer.c:1465
__run_timers+0x598/0x6f0 kernel/time/timer.c:1759
page last free stack trace:
reset_page_owner include/linux/page_owner.h:28 [inline]
free_pages_prepare mm/page_alloc.c:1331 [inline]
__free_pages_ok+0x7f8/0x830 mm/page_alloc.c:1611
free_the_page mm/page_alloc.c:5178 [inline]
__free_pages+0x2d2/0x4c0 mm/page_alloc.c:5184
__free_slab+0xd3/0x190 mm/slub.c:1903
free_slab mm/slub.c:1918 [inline]
discard_slab mm/slub.c:1924 [inline]
unfreeze_partials+0x17d/0x1b0 mm/slub.c:2418
put_cpu_partial+0xc8/0x190 mm/slub.c:2454
__slab_free+0x2d8/0x3a0 mm/slub.c:3104
do_slab_free mm/slub.c:3200 [inline]
___cache_free+0x11f/0x140 mm/slub.c:3219
qlink_free+0x38/0x40 mm/kasan/quarantine.c:146
qlist_free_all+0x4c/0xc0 mm/kasan/quarantine.c:165
kasan_quarantine_reduce+0x15a/0x170 mm/kasan/quarantine.c:272
__kasan_slab_alloc+0x2f/0xe0 mm/kasan/common.c:438
kasan_slab_alloc include/linux/kasan.h:259 [inline]
slab_post_alloc_hook mm/slab.h:583 [inline]
slab_alloc_node mm/slub.c:2956 [inline]
reset_page_owner include/linux/page_owner.h:28 [inline]
free_pages_prepare mm/page_alloc.c:1331 [inline]
__free_pages_ok+0x7f8/0x830 mm/page_alloc.c:1611
free_the_page mm/page_alloc.c:5178 [inline]
__free_pages+0x2d2/0x4c0 mm/page_alloc.c:5184
__free_slab+0xd3/0x190 mm/slub.c:1903
free_slab mm/slub.c:1918 [inline]
discard_slab mm/slub.c:1924 [inline]
unfreeze_partials+0x17d/0x1b0 mm/slub.c:2418
put_cpu_partial+0xc8/0x190 mm/slub.c:2454
__slab_free+0x2d8/0x3a0 mm/slub.c:3104
do_slab_free mm/slub.c:3200 [inline]
___cache_free+0x11f/0x140 mm/slub.c:3219
qlink_free+0x38/0x40 mm/kasan/quarantine.c:146
qlist_free_all+0x4c/0xc0 mm/kasan/quarantine.c:165
kasan_quarantine_reduce+0x15a/0x170 mm/kasan/quarantine.c:272
__kasan_slab_alloc+0x2f/0xe0 mm/kasan/common.c:438
kasan_slab_alloc include/linux/kasan.h:259 [inline]
slab_post_alloc_hook mm/slab.h:583 [inline]
slab_alloc mm/slub.c:2964 [inline]
kmem_cache_alloc+0x16c/0x300 mm/slub.c:2969
getname_flags+0xba/0x510 fs/namei.c:141
user_path_at_empty+0x2d/0x50 fs/namei.c:2726
getname_flags+0xba/0x510 fs/namei.c:141
do_readlinkat+0x11b/0x3b0 fs/stat.c:414
__do_sys_readlink fs/stat.c:447 [inline]
__se_sys_readlink fs/stat.c:444 [inline]
__x64_sys_readlink+0x7f/0x90 fs/stat.c:444
Memory state around the buggy address:
ffff88810dc18380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88810dc18400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88810dc18480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88810dc18500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Tested on:
commit: 0974b841 Merge 5.10.117 into android12-5.10-lts
git tree: android12-5.10-lts
kernel config: https://syzkaller.appspot.com/x/.config?x=89bdb361ba397fca
dashboard link: https://syzkaller.appspot.com/bug?extid=7308a6f9b7c24d5cf1d5
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=115b2ecbf00000
dashboard link: https://syzkaller.appspot.com/bug?extid=7308a6f9b7c24d5cf1d5
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
Tadeusz Struk
May 26, 2022, 1:37:01 PM5/26/22
to syzbot+7308a6...@syzkaller.appspotmail.com, syzkaller-a...@googlegroups.com, tadeus...@linaro.org
--- a/drivers/block/loop.c
+++ b/drivers/block/loop.c
@@ -2163,10 +2163,18 @@ static int loop_add(struct loop_device **l, int i)
disk->private_data = lo;
disk->queue = lo->lo_queue;
sprintf(disk->disk_name, "loop%d", i);
- add_disk(disk);
+
+ /* Make this loop device reachable from pathname. */
+ err = add_disk(disk);
+ if (err)
+ goto out_put_disk;
*l = lo;
+
return lo->lo_number;
+out_put_disk:
+ disk->queue = NULL;
+ put_disk(disk);
out_free_queue:
blk_cleanup_queue(lo->lo_queue);
out_cleanup_tags:
@@ -2176,6 +2184,7 @@ static int loop_add(struct loop_device **l, int i)
+++ b/drivers/block/loop.c
@@ -2163,10 +2163,18 @@ static int loop_add(struct loop_device **l, int i)
disk->private_data = lo;
disk->queue = lo->lo_queue;
sprintf(disk->disk_name, "loop%d", i);
- add_disk(disk);
+
+ /* Make this loop device reachable from pathname. */
+ err = add_disk(disk);
+ if (err)
+ goto out_put_disk;
*l = lo;
+
return lo->lo_number;
+out_put_disk:
+ disk->queue = NULL;
+ put_disk(disk);
out_free_queue:
blk_cleanup_queue(lo->lo_queue);
out_cleanup_tags:
out_free_dev:
kfree(lo);
out:
+ *l = NULL;
kfree(lo);
out:
+ *l = NULL;
syzbot
May 26, 2022, 1:48:16 PM5/26/22
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: use-after-free Read in exact_lock
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
==================================================================
BUG: KASAN: use-after-free in get_disk_and_module block/genhd.c:1788 [inline]
BUG: KASAN: use-after-free in exact_lock+0x38/0xc0 block/genhd.c:677
Read of size 8 at addr ffff88810e20f450 by task udevd/409
CPU: 1 PID: 409 Comm: udevd Not tainted 5.10.117-syzkaller-986967-g0974b8411a58-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack_lvl+0x1e2/0x24b lib/dump_stack.c:118
print_address_description+0x81/0x3c0 mm/kasan/report.c:233
__kasan_report mm/kasan/report.c:419 [inline]
kasan_report+0x1a4/0x1f0 mm/kasan/report.c:436
__asan_report_load8_noabort+0x14/0x20 mm/kasan/report_generic.c:309
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack_lvl+0x1e2/0x24b lib/dump_stack.c:118
print_address_description+0x81/0x3c0 mm/kasan/report.c:233
__kasan_report mm/kasan/report.c:419 [inline]
kasan_report+0x1a4/0x1f0 mm/kasan/report.c:436
get_disk_and_module block/genhd.c:1788 [inline]
exact_lock+0x38/0xc0 block/genhd.c:677
kobj_lookup+0x2a7/0x440 drivers/base/map.c:119
get_gendisk+0xf6/0x3c0 block/genhd.c:1002
bdev_get_gendisk fs/block_dev.c:1108 [inline]
__blkdev_get+0x1a4/0x1360 fs/block_dev.c:1472
blkdev_get fs/block_dev.c:1651 [inline]
blkdev_open+0x21a/0x450 fs/block_dev.c:1768
do_dentry_open+0x7a2/0x1090 fs/open.c:819
vfs_open+0x73/0x80 fs/open.c:942
do_open fs/namei.c:3327 [inline]
path_openat+0x2638/0x2fd0 fs/namei.c:3444
do_filp_open+0x200/0x440 fs/namei.c:3471
do_sys_openat2+0x13b/0x470 fs/open.c:1211
do_sys_open fs/open.c:1227 [inline]
__do_sys_openat fs/open.c:1243 [inline]
__se_sys_openat fs/open.c:1238 [inline]
__x64_sys_openat+0x243/0x290 fs/open.c:1238
do_syscall_64+0x34/0x70 arch/x86/entry/common.c:46
blkdev_open+0x21a/0x450 fs/block_dev.c:1768
do_dentry_open+0x7a2/0x1090 fs/open.c:819
vfs_open+0x73/0x80 fs/open.c:942
do_open fs/namei.c:3327 [inline]
path_openat+0x2638/0x2fd0 fs/namei.c:3444
do_filp_open+0x200/0x440 fs/namei.c:3471
do_sys_openat2+0x13b/0x470 fs/open.c:1211
do_sys_open fs/open.c:1227 [inline]
__do_sys_openat fs/open.c:1243 [inline]
__se_sys_openat fs/open.c:1238 [inline]
__x64_sys_openat+0x243/0x290 fs/open.c:1238
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7fbe00609697
Code: 25 00 00 41 00 3d 00 00 41 00 74 37 64 8b 04 25 18 00 00 00 85 c0 75 5b 44 89 e2 48 89 ee bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 85 00 00 00 48 83 c4 68 5d 41 5c c3 0f 1f
RSP: 002b:00007ffd9b83f650 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 000056422fc1fe30 RCX: 00007fbe00609697
RDX: 00000000000a0800 RSI: 000056422fc1ab00 RDI: 00000000ffffff9c
RBP: 000056422fc1ab00 R08: 00000000ffffffff R09: 00007ffd9b9e80b8
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000000a0800
R13: 000056422fbf8b00 R14: 0000000000000001 R15: 000056422fbea2c0
Allocated by task 422:
kasan_save_stack mm/kasan/common.c:38 [inline]
kasan_set_track mm/kasan/common.c:46 [inline]
set_alloc_info mm/kasan/common.c:428 [inline]
____kasan_kmalloc+0xdc/0x110 mm/kasan/common.c:507
__kasan_kmalloc+0x9/0x10 mm/kasan/common.c:516
kasan_kmalloc include/linux/kasan.h:269 [inline]
kmem_cache_alloc_trace+0x1dd/0x330 mm/slub.c:2983
kmem_cache_alloc_node_trace include/linux/slab.h:440 [inline]
kmalloc_node include/linux/slab.h:570 [inline]
kzalloc_node include/linux/slab.h:675 [inline]
__alloc_disk_node+0x75/0x330 block/genhd.c:1728
loop_add+0x372/0x870 drivers/block/loop.c:2133
kasan_set_track mm/kasan/common.c:46 [inline]
set_alloc_info mm/kasan/common.c:428 [inline]
____kasan_kmalloc+0xdc/0x110 mm/kasan/common.c:507
__kasan_kmalloc+0x9/0x10 mm/kasan/common.c:516
kasan_kmalloc include/linux/kasan.h:269 [inline]
kmem_cache_alloc_trace+0x1dd/0x330 mm/slub.c:2983
kmem_cache_alloc_node_trace include/linux/slab.h:440 [inline]
kmalloc_node include/linux/slab.h:570 [inline]
kzalloc_node include/linux/slab.h:675 [inline]
__alloc_disk_node+0x75/0x330 block/genhd.c:1728
loop_control_ioctl+0x564/0x740 drivers/block/loop.c:2299
vfs_ioctl fs/ioctl.c:48 [inline]
__do_sys_ioctl fs/ioctl.c:753 [inline]
__se_sys_ioctl+0x115/0x190 fs/ioctl.c:739
__x64_sys_ioctl+0x7b/0x90 fs/ioctl.c:739
do_syscall_64+0x34/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
Freed by task 422:
__do_sys_ioctl fs/ioctl.c:753 [inline]
__se_sys_ioctl+0x115/0x190 fs/ioctl.c:739
__x64_sys_ioctl+0x7b/0x90 fs/ioctl.c:739
do_syscall_64+0x34/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
kasan_save_stack mm/kasan/common.c:38 [inline]
kasan_set_track+0x4c/0x80 mm/kasan/common.c:46
kasan_set_free_info+0x23/0x40 mm/kasan/generic.c:357
____kasan_slab_free+0x121/0x160 mm/kasan/common.c:360
__kasan_slab_free+0x11/0x20 mm/kasan/common.c:368
kasan_slab_free include/linux/kasan.h:235 [inline]
slab_free_hook mm/slub.c:1604 [inline]
slab_free_freelist_hook+0xcc/0x1a0 mm/slub.c:1630
slab_free mm/slub.c:3212 [inline]
kfree+0xc3/0x290 mm/slub.c:4200
disk_release+0x240/0x2a0 block/genhd.c:1569
device_release+0x9c/0x1d0 drivers/base/core.c:2114
kobject_cleanup lib/kobject.c:705 [inline]
kobject_release lib/kobject.c:736 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0x163/0x240 lib/kobject.c:753
put_disk+0x23/0x30 block/genhd.c:1816
loop_add+0x61d/0x870 drivers/block/loop.c:2178
kasan_set_track+0x4c/0x80 mm/kasan/common.c:46
kasan_set_free_info+0x23/0x40 mm/kasan/generic.c:357
____kasan_slab_free+0x121/0x160 mm/kasan/common.c:360
__kasan_slab_free+0x11/0x20 mm/kasan/common.c:368
kasan_slab_free include/linux/kasan.h:235 [inline]
slab_free_hook mm/slub.c:1604 [inline]
slab_free_freelist_hook+0xcc/0x1a0 mm/slub.c:1630
slab_free mm/slub.c:3212 [inline]
kfree+0xc3/0x290 mm/slub.c:4200
disk_release+0x240/0x2a0 block/genhd.c:1569
device_release+0x9c/0x1d0 drivers/base/core.c:2114
kobject_cleanup lib/kobject.c:705 [inline]
kobject_release lib/kobject.c:736 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0x163/0x240 lib/kobject.c:753
put_disk+0x23/0x30 block/genhd.c:1816
loop_control_ioctl+0x564/0x740 drivers/block/loop.c:2299
vfs_ioctl fs/ioctl.c:48 [inline]
__do_sys_ioctl fs/ioctl.c:753 [inline]
__se_sys_ioctl+0x115/0x190 fs/ioctl.c:739
__x64_sys_ioctl+0x7b/0x90 fs/ioctl.c:739
do_syscall_64+0x34/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
The buggy address belongs to the object at ffff88810e20f000
__do_sys_ioctl fs/ioctl.c:753 [inline]
__se_sys_ioctl+0x115/0x190 fs/ioctl.c:739
__x64_sys_ioctl+0x7b/0x90 fs/ioctl.c:739
do_syscall_64+0x34/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 1104 bytes inside of
2048-byte region [ffff88810e20f000, ffff88810e20f800)
The buggy address belongs to the page:
page:ffffea0004388200 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10e208
head:ffffea0004388200 order:3 compound_mapcount:0 compound_pincount:0
flags: 0x8000000000010200(slab|head)
raw: 8000000000010200 dead000000000100 dead000000000122 ffff888100042d80
raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d2a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 19, ts 42366525015, free_ts 42020874765
raw: 8000000000010200 dead000000000100 dead000000000122 ffff888100042d80
raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
set_page_owner include/linux/page_owner.h:35 [inline]
post_alloc_hook mm/page_alloc.c:2385 [inline]
prep_new_page mm/page_alloc.c:2391 [inline]
get_page_from_freelist+0x745/0x760 mm/page_alloc.c:4067
__alloc_pages_nodemask+0x3b6/0x890 mm/page_alloc.c:5117
alloc_slab_page mm/slub.c:1815 [inline]
allocate_slab+0x78/0x540 mm/slub.c:1817
new_slab mm/slub.c:1878 [inline]
new_slab_objects mm/slub.c:2637 [inline]
___slab_alloc+0x131/0x2e0 mm/slub.c:2800
__slab_alloc+0x63/0xa0 mm/slub.c:2840
slab_alloc_node mm/slub.c:2922 [inline]
slab_alloc mm/slub.c:2964 [inline]
__kmalloc_track_caller+0x23e/0x350 mm/slub.c:4545
__kmalloc_reserve net/core/skbuff.c:143 [inline]
__alloc_skb+0xbe/0x580 net/core/skbuff.c:211
alloc_skb include/linux/skbuff.h:1101 [inline]
alloc_skb_with_frags+0xac/0x5a0 net/core/skbuff.c:5887
sock_alloc_send_pskb+0x848/0x970 net/core/sock.c:2347
sock_alloc_send_skb+0x32/0x40 net/core/sock.c:2364
mld_newpack+0x1b4/0x9c0 net/ipv6/mcast.c:1604
add_grhead net/ipv6/mcast.c:1707 [inline]
add_grec+0xf55/0x13d0 net/ipv6/mcast.c:1838
mld_send_initial_cr+0x1f8/0x2c0 net/ipv6/mcast.c:2088
post_alloc_hook mm/page_alloc.c:2385 [inline]
prep_new_page mm/page_alloc.c:2391 [inline]
get_page_from_freelist+0x745/0x760 mm/page_alloc.c:4067
__alloc_pages_nodemask+0x3b6/0x890 mm/page_alloc.c:5117
alloc_slab_page mm/slub.c:1815 [inline]
allocate_slab+0x78/0x540 mm/slub.c:1817
new_slab mm/slub.c:1878 [inline]
new_slab_objects mm/slub.c:2637 [inline]
___slab_alloc+0x131/0x2e0 mm/slub.c:2800
__slab_alloc+0x63/0xa0 mm/slub.c:2840
slab_alloc_node mm/slub.c:2922 [inline]
slab_alloc mm/slub.c:2964 [inline]
__kmalloc_track_caller+0x23e/0x350 mm/slub.c:4545
__kmalloc_reserve net/core/skbuff.c:143 [inline]
__alloc_skb+0xbe/0x580 net/core/skbuff.c:211
alloc_skb include/linux/skbuff.h:1101 [inline]
alloc_skb_with_frags+0xac/0x5a0 net/core/skbuff.c:5887
sock_alloc_send_pskb+0x848/0x970 net/core/sock.c:2347
sock_alloc_send_skb+0x32/0x40 net/core/sock.c:2364
mld_newpack+0x1b4/0x9c0 net/ipv6/mcast.c:1604
add_grhead net/ipv6/mcast.c:1707 [inline]
add_grec+0xf55/0x13d0 net/ipv6/mcast.c:1838
ipv6_mc_dad_complete+0x70/0x3b0 net/ipv6/mcast.c:2100
addrconf_dad_completed+0x66c/0xdd0 net/ipv6/addrconf.c:4221
addrconf_dad_work+0xd72/0x15d0 net/ipv6/addrconf.c:4006
user_path_at include/linux/namei.h:59 [inline]
ksys_umount fs/namespace.c:1761 [inline]
__do_sys_umount fs/namespace.c:1769 [inline]
__se_sys_umount fs/namespace.c:1767 [inline]
__x64_sys_umount+0xf0/0x170 fs/namespace.c:1767
do_syscall_64+0x34/0x70 arch/x86/entry/common.c:46
ksys_umount fs/namespace.c:1761 [inline]
__do_sys_umount fs/namespace.c:1769 [inline]
__se_sys_umount fs/namespace.c:1767 [inline]
__x64_sys_umount+0xf0/0x170 fs/namespace.c:1767
do_syscall_64+0x34/0x70 arch/x86/entry/common.c:46
Memory state around the buggy address:
ffff88810e20f300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88810e20f380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88810e20f400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88810e20f480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88810e20f500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Tested on:
commit: 0974b841 Merge 5.10.117 into android12-5.10-lts
git tree: android12-5.10-lts
console output: https://syzkaller.appspot.com/x/log.txt?x=175b7323f00000
Tested on:
commit: 0974b841 Merge 5.10.117 into android12-5.10-lts
git tree: android12-5.10-lts
kernel config: https://syzkaller.appspot.com/x/.config?x=89bdb361ba397fca
dashboard link: https://syzkaller.appspot.com/bug?extid=7308a6f9b7c24d5cf1d5
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=14301b19f00000
dashboard link: https://syzkaller.appspot.com/bug?extid=7308a6f9b7c24d5cf1d5
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
Tadeusz Struk
May 26, 2022, 2:00:20 PM5/26/22
to syzbot+7308a6...@syzkaller.appspotmail.com, syzkaller-a...@googlegroups.com, tadeus...@linaro.org
--- a/drivers/block/loop.c
+++ b/drivers/block/loop.c
@@ -2163,10 +2163,19 @@ static int loop_add(struct loop_device **l, int i)
disk->private_data = lo;
disk->queue = lo->lo_queue;
sprintf(disk->disk_name, "loop%d", i);
- add_disk(disk);
+
+ /* Make this loop device reachable from pathname. */
+ err = add_disk(disk);
+ if (err)
+ goto out_put_disk;
*l = lo;
+ptinrk("loop_add OK return %d\n", lo->lo_number);
disk->queue = lo->lo_queue;
sprintf(disk->disk_name, "loop%d", i);
- add_disk(disk);
+
+ /* Make this loop device reachable from pathname. */
+ err = add_disk(disk);
+ if (err)
+ goto out_put_disk;
*l = lo;
return lo->lo_number;
+ptinrk("loop_add NOT OK return %d\n", err);
+out_put_disk:
+ disk->queue = NULL;
+ put_disk(disk);
out_free_queue:
blk_cleanup_queue(lo->lo_queue);
out_cleanup_tags:
@@ -2176,6 +2185,7 @@ static int loop_add(struct loop_device **l, int i)
+ disk->queue = NULL;
+ put_disk(disk);
out_free_queue:
blk_cleanup_queue(lo->lo_queue);
out_cleanup_tags:
Tadeusz Struk
May 26, 2022, 2:02:05 PM5/26/22
to syzbot+7308a6...@syzkaller.appspotmail.com, syzkaller-a...@googlegroups.com, tadeus...@linaro.org
--- a/drivers/block/loop.c
+++ b/drivers/block/loop.c
@@ -2163,10 +2163,18 @@ static int loop_add(struct loop_device **l, int i)
disk->private_data = lo;
disk->queue = lo->lo_queue;
sprintf(disk->disk_name, "loop%d", i);
- add_disk(disk);
+
+ /* Make this loop device reachable from pathname. */
+ err = add_disk(disk);
+ if (err)
+ goto out_put_disk;
*l = lo;
+ptinrk("loop_add OK return %d\n", lo->lo_number);
return lo->lo_number;
disk->queue = lo->lo_queue;
sprintf(disk->disk_name, "loop%d", i);
- add_disk(disk);
+
+ /* Make this loop device reachable from pathname. */
+ err = add_disk(disk);
+ if (err)
+ goto out_put_disk;
*l = lo;
+ptinrk("loop_add OK return %d\n", lo->lo_number);
return lo->lo_number;
+out_put_disk:
+ disk->queue = NULL;
+ put_disk(disk);
out_free_queue:
blk_cleanup_queue(lo->lo_queue);
out_cleanup_tags:
@@ -2176,6 +2184,8 @@ static int loop_add(struct loop_device **l, int i)
+ disk->queue = NULL;
+ put_disk(disk);
out_free_queue:
blk_cleanup_queue(lo->lo_queue);
out_cleanup_tags:
out_free_dev:
kfree(lo);
out:
+ptinrk("loop_add NOT OK return %d\n", err);
syzbot
May 26, 2022, 2:05:13 PM5/26/22
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
drivers/block/loop.c:2173:1: error: implicit declaration of function 'ptinrk' [-Werror,-Wimplicit-function-declaration]
Tested on:
commit: 0974b841 Merge 5.10.117 into android12-5.10-lts
git tree: android12-5.10-lts
syzbot tried to test the proposed patch but the build/boot failed:
drivers/block/loop.c:2173:1: error: implicit declaration of function 'ptinrk' [-Werror,-Wimplicit-function-declaration]
Tested on:
commit: 0974b841 Merge 5.10.117 into android12-5.10-lts
git tree: android12-5.10-lts
dashboard link: https://syzkaller.appspot.com/bug?extid=7308a6f9b7c24d5cf1d5
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=128d92b9f00000
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
syzbot
May 26, 2022, 2:09:14 PM5/26/22
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Tadeusz Struk
May 26, 2022, 2:12:56 PM5/26/22
to syzbot+7308a6...@syzkaller.appspotmail.com, syzkaller-a...@googlegroups.com, tadeus...@linaro.org
--- a/drivers/block/loop.c
+++ b/drivers/block/loop.c
@@ -2163,10 +2163,18 @@ static int loop_add(struct loop_device **l, int i)
disk->private_data = lo;
disk->queue = lo->lo_queue;
sprintf(disk->disk_name, "loop%d", i);
- add_disk(disk);
+
+ /* Make this loop device reachable from pathname. */
+ err = add_disk(disk);
+ if (err)
+ goto out_put_disk;
*l = lo;
+ptintk("loop_add OK return %d\n", lo->lo_number);
+++ b/drivers/block/loop.c
@@ -2163,10 +2163,18 @@ static int loop_add(struct loop_device **l, int i)
disk->private_data = lo;
disk->queue = lo->lo_queue;
sprintf(disk->disk_name, "loop%d", i);
- add_disk(disk);
+
+ /* Make this loop device reachable from pathname. */
+ err = add_disk(disk);
+ if (err)
+ goto out_put_disk;
*l = lo;
return lo->lo_number;
+out_put_disk:
+ disk->queue = NULL;
+ put_disk(disk);
out_free_queue:
blk_cleanup_queue(lo->lo_queue);
out_cleanup_tags:
@@ -2176,6 +2184,8 @@ static int loop_add(struct loop_device **l, int i)
out_free_dev:
kfree(lo);
out:
+ptintk("loop_add NOT OK return %d\n", err);
+out_put_disk:
+ disk->queue = NULL;
+ put_disk(disk);
out_free_queue:
blk_cleanup_queue(lo->lo_queue);
out_cleanup_tags:
@@ -2176,6 +2184,8 @@ static int loop_add(struct loop_device **l, int i)
out_free_dev:
kfree(lo);
out:
syzbot
May 26, 2022, 2:17:08 PM5/26/22
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
drivers/block/loop.c:2173:1: error: implicit declaration of function 'ptintk' [-Werror,-Wimplicit-function-declaration]
syzbot tried to test the proposed patch but the build/boot failed:
Tested on:
commit: 0974b841 Merge 5.10.117 into android12-5.10-lts
git tree: android12-5.10-lts
dashboard link: https://syzkaller.appspot.com/bug?extid=7308a6f9b7c24d5cf1d5
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
Tadeusz Struk
May 26, 2022, 2:22:52 PM5/26/22
to syzbot+7308a6...@syzkaller.appspotmail.com, syzkaller-a...@googlegroups.com, tadeus...@linaro.org
--- a/drivers/block/loop.c
+++ b/drivers/block/loop.c
@@ -2163,10 +2163,18 @@ static int loop_add(struct loop_device **l, int i)
disk->private_data = lo;
disk->queue = lo->lo_queue;
sprintf(disk->disk_name, "loop%d", i);
- add_disk(disk);
+
+ /* Make this loop device reachable from pathname. */
+ err = add_disk(disk);
+ if (err)
+ goto out_put_disk;
*l = lo;
+printk("loop_add OK return %d\n", lo->lo_number);
+++ b/drivers/block/loop.c
@@ -2163,10 +2163,18 @@ static int loop_add(struct loop_device **l, int i)
disk->private_data = lo;
disk->queue = lo->lo_queue;
sprintf(disk->disk_name, "loop%d", i);
- add_disk(disk);
+
+ /* Make this loop device reachable from pathname. */
+ err = add_disk(disk);
+ if (err)
+ goto out_put_disk;
*l = lo;
return lo->lo_number;
+out_put_disk:
+ disk->queue = NULL;
+ put_disk(disk);
out_free_queue:
blk_cleanup_queue(lo->lo_queue);
out_cleanup_tags:
@@ -2176,6 +2184,8 @@ static int loop_add(struct loop_device **l, int i)
out_free_dev:
kfree(lo);
out:
+printk("loop_add NOT OK return %d\n", err);
+out_put_disk:
+ disk->queue = NULL;
+ put_disk(disk);
out_free_queue:
blk_cleanup_queue(lo->lo_queue);
out_cleanup_tags:
@@ -2176,6 +2184,8 @@ static int loop_add(struct loop_device **l, int i)
out_free_dev:
kfree(lo);
out:
syzbot
May 26, 2022, 2:31:16 PM5/26/22
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: use-after-free Read in exact_lock
==================================================================
BUG: KASAN: use-after-free in get_disk_and_module block/genhd.c:1788 [inline]
BUG: KASAN: use-after-free in exact_lock+0x38/0xc0 block/genhd.c:677
Read of size 8 at addr ffff88810e66e450 by task udevd/409
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: use-after-free Read in exact_lock
==================================================================
BUG: KASAN: use-after-free in get_disk_and_module block/genhd.c:1788 [inline]
BUG: KASAN: use-after-free in exact_lock+0x38/0xc0 block/genhd.c:677
Code: 25 00 00 41 00 3d 00 00 41 00 74 37 64 8b 04 25 18 00 00 00 85 c0 75 5b 44 89 e2 48 89 ee bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 85 00 00 00 48 83 c4 68 5d 41 5c c3 0f 1f
RSP: 002b:00007ffc15f88c10 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 000056408f1df6a0 RCX: 00007f211039b697
RDX: 00000000000a0800 RSI: 000056408f1b7810 RDI: 00000000ffffff9c
RBP: 000056408f1b7810 R08: 00000000ffffffff R09: 00007ffc15ff00b8
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000000a0800
R13: 000056408f1b9b00 R14: 0000000000000001 R15: 000056408f1ab2c0
Allocated by task 429:
kasan_save_stack mm/kasan/common.c:38 [inline]
kasan_set_track mm/kasan/common.c:46 [inline]
set_alloc_info mm/kasan/common.c:428 [inline]
____kasan_kmalloc+0xdc/0x110 mm/kasan/common.c:507
__kasan_kmalloc+0x9/0x10 mm/kasan/common.c:516
kasan_kmalloc include/linux/kasan.h:269 [inline]
kmem_cache_alloc_trace+0x1dd/0x330 mm/slub.c:2983
kmem_cache_alloc_node_trace include/linux/slab.h:440 [inline]
kmalloc_node include/linux/slab.h:570 [inline]
kzalloc_node include/linux/slab.h:675 [inline]
__alloc_disk_node+0x75/0x330 block/genhd.c:1728
loop_add+0x36a/0x8a0 drivers/block/loop.c:2133
kasan_set_track mm/kasan/common.c:46 [inline]
set_alloc_info mm/kasan/common.c:428 [inline]
____kasan_kmalloc+0xdc/0x110 mm/kasan/common.c:507
__kasan_kmalloc+0x9/0x10 mm/kasan/common.c:516
kasan_kmalloc include/linux/kasan.h:269 [inline]
kmem_cache_alloc_trace+0x1dd/0x330 mm/slub.c:2983
kmem_cache_alloc_node_trace include/linux/slab.h:440 [inline]
kmalloc_node include/linux/slab.h:570 [inline]
kzalloc_node include/linux/slab.h:675 [inline]
__alloc_disk_node+0x75/0x330 block/genhd.c:1728
loop_control_ioctl+0x564/0x740 drivers/block/loop.c:2300
vfs_ioctl fs/ioctl.c:48 [inline]
__do_sys_ioctl fs/ioctl.c:753 [inline]
__se_sys_ioctl+0x115/0x190 fs/ioctl.c:739
__x64_sys_ioctl+0x7b/0x90 fs/ioctl.c:739
do_syscall_64+0x34/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
Freed by task 429:
__do_sys_ioctl fs/ioctl.c:753 [inline]
__se_sys_ioctl+0x115/0x190 fs/ioctl.c:739
__x64_sys_ioctl+0x7b/0x90 fs/ioctl.c:739
do_syscall_64+0x34/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
kasan_save_stack mm/kasan/common.c:38 [inline]
kasan_set_track+0x4c/0x80 mm/kasan/common.c:46
kasan_set_free_info+0x23/0x40 mm/kasan/generic.c:357
____kasan_slab_free+0x121/0x160 mm/kasan/common.c:360
__kasan_slab_free+0x11/0x20 mm/kasan/common.c:368
kasan_slab_free include/linux/kasan.h:235 [inline]
slab_free_hook mm/slub.c:1604 [inline]
slab_free_freelist_hook+0xcc/0x1a0 mm/slub.c:1630
slab_free mm/slub.c:3212 [inline]
kfree+0xc3/0x290 mm/slub.c:4200
disk_release+0x240/0x2a0 block/genhd.c:1569
device_release+0x9c/0x1d0 drivers/base/core.c:2114
kobject_cleanup lib/kobject.c:705 [inline]
kobject_release lib/kobject.c:736 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0x163/0x240 lib/kobject.c:753
put_disk+0x23/0x30 block/genhd.c:1816
loop_add+0x666/0x8a0 drivers/block/loop.c:2178
kasan_set_track+0x4c/0x80 mm/kasan/common.c:46
kasan_set_free_info+0x23/0x40 mm/kasan/generic.c:357
____kasan_slab_free+0x121/0x160 mm/kasan/common.c:360
__kasan_slab_free+0x11/0x20 mm/kasan/common.c:368
kasan_slab_free include/linux/kasan.h:235 [inline]
slab_free_hook mm/slub.c:1604 [inline]
slab_free_freelist_hook+0xcc/0x1a0 mm/slub.c:1630
slab_free mm/slub.c:3212 [inline]
kfree+0xc3/0x290 mm/slub.c:4200
disk_release+0x240/0x2a0 block/genhd.c:1569
device_release+0x9c/0x1d0 drivers/base/core.c:2114
kobject_cleanup lib/kobject.c:705 [inline]
kobject_release lib/kobject.c:736 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0x163/0x240 lib/kobject.c:753
put_disk+0x23/0x30 block/genhd.c:1816
loop_control_ioctl+0x564/0x740 drivers/block/loop.c:2300
vfs_ioctl fs/ioctl.c:48 [inline]
__do_sys_ioctl fs/ioctl.c:753 [inline]
__se_sys_ioctl+0x115/0x190 fs/ioctl.c:739
__x64_sys_ioctl+0x7b/0x90 fs/ioctl.c:739
do_syscall_64+0x34/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
The buggy address belongs to the object at ffff88810e66e000
__do_sys_ioctl fs/ioctl.c:753 [inline]
__se_sys_ioctl+0x115/0x190 fs/ioctl.c:739
__x64_sys_ioctl+0x7b/0x90 fs/ioctl.c:739
do_syscall_64+0x34/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 1104 bytes inside of
2048-byte region [ffff88810e66e000, ffff88810e66e800)
The buggy address is located 1104 bytes inside of
The buggy address belongs to the page:
page:ffffea0004399a00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10e668
head:ffffea0004399a00 order:3 compound_mapcount:0 compound_pincount:0
flags: 0x8000000000010200(slab|head)
raw: 8000000000010200 dead000000000100 dead000000000122 ffff888100042d80
raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 427, ts 41081903773, free_ts 40319206011
raw: 8000000000010200 dead000000000100 dead000000000122 ffff888100042d80
raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
set_page_owner include/linux/page_owner.h:35 [inline]
post_alloc_hook mm/page_alloc.c:2385 [inline]
prep_new_page mm/page_alloc.c:2391 [inline]
get_page_from_freelist+0x745/0x760 mm/page_alloc.c:4067
__alloc_pages_nodemask+0x3b6/0x890 mm/page_alloc.c:5117
alloc_slab_page mm/slub.c:1815 [inline]
allocate_slab+0x78/0x540 mm/slub.c:1817
new_slab mm/slub.c:1878 [inline]
new_slab_objects mm/slub.c:2637 [inline]
___slab_alloc+0x131/0x2e0 mm/slub.c:2800
__slab_alloc+0x63/0xa0 mm/slub.c:2840
slab_alloc_node mm/slub.c:2922 [inline]
slab_alloc mm/slub.c:2964 [inline]
kmem_cache_alloc_trace+0x20e/0x330 mm/slub.c:2981
post_alloc_hook mm/page_alloc.c:2385 [inline]
prep_new_page mm/page_alloc.c:2391 [inline]
get_page_from_freelist+0x745/0x760 mm/page_alloc.c:4067
__alloc_pages_nodemask+0x3b6/0x890 mm/page_alloc.c:5117
alloc_slab_page mm/slub.c:1815 [inline]
allocate_slab+0x78/0x540 mm/slub.c:1817
new_slab mm/slub.c:1878 [inline]
new_slab_objects mm/slub.c:2637 [inline]
___slab_alloc+0x131/0x2e0 mm/slub.c:2800
__slab_alloc+0x63/0xa0 mm/slub.c:2840
slab_alloc_node mm/slub.c:2922 [inline]
slab_alloc mm/slub.c:2964 [inline]
kmem_cache_alloc_node_trace include/linux/slab.h:440 [inline]
kmalloc_node include/linux/slab.h:570 [inline]
kzalloc_node include/linux/slab.h:675 [inline]
bdi_alloc+0x4e/0x110 mm/backing-dev.c:738
kmalloc_node include/linux/slab.h:570 [inline]
kzalloc_node include/linux/slab.h:675 [inline]
blk_alloc_queue+0x111/0x640 block/blk-core.c:543
blk_mq_init_queue_data block/blk-mq.c:3141 [inline]
blk_mq_init_queue+0x35/0xc0 block/blk-mq.c:3160
loop_add+0x26e/0x8a0 drivers/block/loop.c:2115
loop_control_ioctl+0x564/0x740 drivers/block/loop.c:2300
vfs_ioctl fs/ioctl.c:48 [inline]
__do_sys_ioctl fs/ioctl.c:753 [inline]
__se_sys_ioctl+0x115/0x190 fs/ioctl.c:739
__x64_sys_ioctl+0x7b/0x90 fs/ioctl.c:739
do_syscall_64+0x34/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
__do_sys_ioctl fs/ioctl.c:753 [inline]
__se_sys_ioctl+0x115/0x190 fs/ioctl.c:739
__x64_sys_ioctl+0x7b/0x90 fs/ioctl.c:739
do_syscall_64+0x34/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
page last free stack trace:
reset_page_owner include/linux/page_owner.h:28 [inline]
free_pages_prepare mm/page_alloc.c:1331 [inline]
__free_pages_ok+0x7f8/0x830 mm/page_alloc.c:1611
free_the_page mm/page_alloc.c:5178 [inline]
__free_pages+0x2d2/0x4c0 mm/page_alloc.c:5184
__free_slab+0xd3/0x190 mm/slub.c:1903
free_slab mm/slub.c:1918 [inline]
discard_slab mm/slub.c:1924 [inline]
unfreeze_partials+0x17d/0x1b0 mm/slub.c:2418
put_cpu_partial+0xc8/0x190 mm/slub.c:2454
__slab_free+0x2d8/0x3a0 mm/slub.c:3104
do_slab_free mm/slub.c:3200 [inline]
___cache_free+0x11f/0x140 mm/slub.c:3219
qlink_free+0x38/0x40 mm/kasan/quarantine.c:146
qlist_free_all+0x4c/0xc0 mm/kasan/quarantine.c:165
kasan_quarantine_reduce+0x15a/0x170 mm/kasan/quarantine.c:272
__kasan_slab_alloc+0x2f/0xe0 mm/kasan/common.c:438
kasan_slab_alloc include/linux/kasan.h:259 [inline]
slab_post_alloc_hook mm/slab.h:583 [inline]
slab_alloc_node mm/slub.c:2956 [inline]
slab_alloc mm/slub.c:2964 [inline]
kmem_cache_alloc+0x16c/0x300 mm/slub.c:2969
kmem_cache_alloc_node include/linux/slab.h:423 [inline]
reset_page_owner include/linux/page_owner.h:28 [inline]
free_pages_prepare mm/page_alloc.c:1331 [inline]
__free_pages_ok+0x7f8/0x830 mm/page_alloc.c:1611
free_the_page mm/page_alloc.c:5178 [inline]
__free_pages+0x2d2/0x4c0 mm/page_alloc.c:5184
__free_slab+0xd3/0x190 mm/slub.c:1903
free_slab mm/slub.c:1918 [inline]
discard_slab mm/slub.c:1924 [inline]
unfreeze_partials+0x17d/0x1b0 mm/slub.c:2418
put_cpu_partial+0xc8/0x190 mm/slub.c:2454
__slab_free+0x2d8/0x3a0 mm/slub.c:3104
do_slab_free mm/slub.c:3200 [inline]
___cache_free+0x11f/0x140 mm/slub.c:3219
qlink_free+0x38/0x40 mm/kasan/quarantine.c:146
qlist_free_all+0x4c/0xc0 mm/kasan/quarantine.c:165
kasan_quarantine_reduce+0x15a/0x170 mm/kasan/quarantine.c:272
__kasan_slab_alloc+0x2f/0xe0 mm/kasan/common.c:438
kasan_slab_alloc include/linux/kasan.h:259 [inline]
slab_post_alloc_hook mm/slab.h:583 [inline]
slab_alloc_node mm/slub.c:2956 [inline]
slab_alloc mm/slub.c:2964 [inline]
kmem_cache_alloc+0x16c/0x300 mm/slub.c:2969
__alloc_skb+0x7e/0x580 net/core/skbuff.c:199
alloc_skb include/linux/skbuff.h:1101 [inline]
netlink_alloc_large_skb net/netlink/af_netlink.c:1185 [inline]
netlink_sendmsg+0x7a4/0xd00 net/netlink/af_netlink.c:1909
sock_sendmsg_nosec net/socket.c:652 [inline]
sock_sendmsg net/socket.c:672 [inline]
____sys_sendmsg+0x597/0x8e0 net/socket.c:2343
___sys_sendmsg net/socket.c:2397 [inline]
__sys_sendmsg+0x37b/0x460 net/socket.c:2430
Memory state around the buggy address:
ffff88810e66e380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88810e66e400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88810e66e480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88810e66e500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Tested on:
commit: 0974b841 Merge 5.10.117 into android12-5.10-lts
git tree: android12-5.10-lts
kernel config: https://syzkaller.appspot.com/x/.config?x=89bdb361ba397fca
dashboard link: https://syzkaller.appspot.com/bug?extid=7308a6f9b7c24d5cf1d5
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=168d92b9f00000
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
Luis Chamberlain
May 26, 2022, 2:45:50 PM5/26/22
to Tadeusz Struk, Christoph Hellwig, syzbot+7308a6...@syzkaller.appspotmail.com, syzkaller-a...@googlegroups.com
Are you *sure* all the required work to backport this is in place
for a kernel such as v5.10?
Luis
for a kernel such as v5.10?
Luis
Tadeusz Struk
May 26, 2022, 3:03:14 PM5/26/22
to Luis Chamberlain, Christoph Hellwig, syzbot+7308a6...@syzkaller.appspotmail.com, syzkaller-a...@googlegroups.com
On 5/26/22 11:45, Luis Chamberlain wrote:
> Are you *sure* all the required work to backport this is in place
> for a kernel such as v5.10?
>
Hi Luis,
> Are you *sure* all the required work to backport this is in place
> for a kernel such as v5.10?
>
I'm just trying different options to see what would it take to fix [1],
but, unfortunately there is lots of missing pieces.
At first I though that I would just need to back-port these two:
83cbce957446 - block: add error handling for device_add_disk / add_disk
905705f083a9 - loop: add error handling support for add_disk()
but that doesn't really work. BTW, sorry for the spam, I cherry-picked your
commits and it adds your email to the From: field into the patch I'm testing.
An alternative approach would be to go with extra checks on the device_del() path
like in [2]. This does fix the issue, but I'm not sure if it is good for stable.
Any hints?
--
Thanks,
Tadeusz
[1] https://syzkaller.appspot.com/bug?id=bbc6f41a343e193d4daa46f2ad49b191c90db18c
[2] https://syzkaller.appspot.com/text?tag=Patch&x=10cb88f3f00000
Luis Chamberlain
May 26, 2022, 3:19:16 PM5/26/22
to Tadeusz Struk, Christoph Hellwig, syzbot+7308a6...@syzkaller.appspotmail.com, syzkaller-a...@googlegroups.com
Christoph did *huge* spring cleaning on the code paths, and without that all backported I'm not sure if you could end up with something sensible without risks of other regressions.
So sadly I'd say it's a lot of work, and brace yourself for a lot of work. Maybe look at kernel-source for openSUSE and see if they're already backported to a similar kernel on SUSE Enterprise releases. Otherwise, good luck!
Luis
Christoph Hellwig
May 27, 2022, 4:08:18 AM5/27/22
to Luis Chamberlain, Tadeusz Struk, Christoph Hellwig, syzbot+7308a6...@syzkaller.appspotmail.com, syzkaller-a...@googlegroups.com
On Thu, May 26, 2022 at 03:19:00PM -0400, Luis Chamberlain wrote:
> Christoph did *huge* spring cleaning on the code paths, and without that
> all backported I'm not sure if you could end up with something sensible
> without risks of other regressions.
.. and you did a fair amount too.
> Christoph did *huge* spring cleaning on the code paths, and without that
> all backported I'm not sure if you could end up with something sensible
> without risks of other regressions.
>
> So sadly I'd say it's a lot of work, and brace yourself for a lot of work.
> Maybe look at kernel-source for openSUSE and see if they're already
> backported to a similar kernel on SUSE Enterprise releases. Otherwise, good
> luck!
enough about the add_disk error handling upgrae to a kernel that has it.
Tadeusz Struk
May 27, 2022, 10:38:26 AM5/27/22
to Christoph Hellwig, Luis Chamberlain, syzbot+7308a6...@syzkaller.appspotmail.com, syzkaller-a...@googlegroups.com
--
Thanks,
Tadeusz
Christoph Hellwig
May 27, 2022, 11:05:25 AM5/27/22
to Tadeusz Struk, Christoph Hellwig, Luis Chamberlain, syzbot+7308a6...@syzkaller.appspotmail.com, syzkaller-a...@googlegroups.com
On Fri, May 27, 2022 at 07:38:13AM -0700, Tadeusz Struk wrote:
> It's not for me. It's for android12, which comes with kernel v5.10.
Then maybe "Android 12" should upgrade to a recent kernel instead of
> It's not for me. It's for android12, which comes with kernel v5.10.
staying on a totally outdated version.
Tadeusz Struk
May 27, 2022, 12:24:46 PM5/27/22
to Christoph Hellwig, Luis Chamberlain, syzbot+7308a6...@syzkaller.appspotmail.com, syzkaller-a...@googlegroups.com
--
Thanks,
Tadeusz
syzbot
Jun 2, 2022, 2:24:13 PM6/2/22
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: syzbot+badfd0...@syzkaller.appspotmail.com
Tested on:
commit: 66c53422 css_put imbalance
git tree: https://github.com/tstruk/linux.git master
kernel config: https://syzkaller.appspot.com/x/.config?x=8c961ca7dc723ff8
dashboard link: https://syzkaller.appspot.com/bug?extid=badfd07a93cffefd7317
Note: testing is done by a robot and is best-effort only.
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: syzbot+badfd0...@syzkaller.appspotmail.com
Tested on:
commit: 66c53422 css_put imbalance
git tree: https://github.com/tstruk/linux.git master
kernel config: https://syzkaller.appspot.com/x/.config?x=8c961ca7dc723ff8
dashboard link: https://syzkaller.appspot.com/bug?extid=badfd07a93cffefd7317
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
Note: no patches were applied.
Note: testing is done by a robot and is best-effort only.
syzbot
Jun 3, 2022, 2:03:13 PM6/3/22
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: syzbot+badfd0...@syzkaller.appspotmail.com
Tested on:
commit: eda02c37 cgroup: kill and release paths serialize
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: syzbot+badfd0...@syzkaller.appspotmail.com
Tested on:
Lee Jones
Jun 6, 2022, 4:26:26 AM6/6/22
to syzbot, Dmitry Vyukov, mcg...@kernel.org, syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Is there any way of disabling this one please? It's taking over my inbox.
--
You received this message because you are subscribed to the Google Groups "syzkaller-android-bugs" group.
To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-android...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-android-bugs/000000000000d1264c05dfed98b6%40google.com.
Reply all
Reply to author
Forward
0 new messages