[syzbot] KASAN: use-after-free Read in io_fallback_tw
14 views
Skip to first unread message
syzbot
Jan 12, 2023, 5:12:41 AM1/12/23
to asml.s...@gmail.com, ax...@kernel.dk, io-u...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 0a093b2893c7 Add linux-next specific files for 20230112
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=11419c5e480000
kernel config: https://syzkaller.appspot.com/x/.config?x=835f3591019836d5
dashboard link: https://syzkaller.appspot.com/bug?extid=ebcc33c1e81093c9224f
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/8111a570d6cb/disk-0a093b28.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/ecc135b7fc9a/vmlinux-0a093b28.xz
kernel image: https://storage.googleapis.com/syzbot-assets/ca8d73b446ea/bzImage-0a093b28.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ebcc33...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in io_fallback_tw+0x6d/0x119 io_uring/io_uring.c:1249
Read of size 8 at addr ffff88804ae3f088 by task syz-executor.0/9602
CPU: 0 PID: 9602 Comm: syz-executor.0 Not tainted 6.2.0-rc3-next-20230112-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:306 [inline]
print_report+0x15e/0x45d mm/kasan/report.c:417
kasan_report+0xc0/0xf0 mm/kasan/report.c:517
io_fallback_tw+0x6d/0x119 io_uring/io_uring.c:1249
tctx_task_work.cold+0xf/0x2c io_uring/io_uring.c:1219
task_work_run+0x16f/0x270 kernel/task_work.c:179
exit_task_work include/linux/task_work.h:38 [inline]
do_exit+0xb17/0x2a90 kernel/exit.c:867
do_group_exit+0xd4/0x2a0 kernel/exit.c:1012
get_signal+0x225f/0x24f0 kernel/signal.c:2859
arch_do_signal_or_restart+0x79/0x5c0 arch/x86/kernel/signal.c:306
exit_to_user_mode_loop kernel/entry/common.c:168 [inline]
exit_to_user_mode_prepare+0x11f/0x240 kernel/entry/common.c:204
__syscall_exit_to_user_mode_work kernel/entry/common.c:286 [inline]
syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:297
do_syscall_64+0x46/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fd3d3a8c0c9
Code: Unable to access opcode bytes at 0x7fd3d3a8c09f.
RSP: 002b:00007fd3d47c8218 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007fd3d3babf88 RCX: 00007fd3d3a8c0c9
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007fd3d3babf88
RBP: 00007fd3d3babf80 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fd3d3babf8c
R13: 00007fffea21180f R14: 00007fd3d47c8300 R15: 0000000000022000
</TASK>
Allocated by task 9602:
kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
__kasan_slab_alloc+0x7f/0x90 mm/kasan/common.c:325
kasan_slab_alloc include/linux/kasan.h:186 [inline]
slab_post_alloc_hook mm/slab.h:769 [inline]
kmem_cache_alloc_bulk+0x3aa/0x730 mm/slub.c:4033
__io_alloc_req_refill+0xcc/0x40b io_uring/io_uring.c:1062
io_alloc_req_refill io_uring/io_uring.h:348 [inline]
io_submit_sqes.cold+0x7c/0xc2 io_uring/io_uring.c:2407
__do_sys_io_uring_enter+0x9e4/0x2c10 io_uring/io_uring.c:3429
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Freed by task 9123:
kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
kasan_save_free_info+0x2e/0x40 mm/kasan/generic.c:518
____kasan_slab_free mm/kasan/common.c:236 [inline]
____kasan_slab_free+0x160/0x1c0 mm/kasan/common.c:200
kasan_slab_free include/linux/kasan.h:162 [inline]
slab_free_hook mm/slub.c:1781 [inline]
slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1807
slab_free mm/slub.c:3787 [inline]
kmem_cache_free+0xec/0x4e0 mm/slub.c:3809
io_req_caches_free+0x1a9/0x1e6 io_uring/io_uring.c:2737
io_ring_exit_work+0x2e7/0xc80 io_uring/io_uring.c:2967
process_one_work+0x9bf/0x1750 kernel/workqueue.c:2293
worker_thread+0x669/0x1090 kernel/workqueue.c:2440
kthread+0x2e8/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
The buggy address belongs to the object at ffff88804ae3f000
which belongs to the cache io_kiocb of size 216
The buggy address is located 136 bytes inside of
216-byte region [ffff88804ae3f000, ffff88804ae3f0d8)
The buggy address belongs to the physical page:
page:ffffea00012b8fc0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4ae3f
memcg:ffff88807dd24601
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 ffff88801c182b40 dead000000000122 0000000000000000
raw: 0000000000000000 00000000800c000c 00000001ffffffff ffff88807dd24601
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 8866, tgid 8865 (syz-executor.2), ts 589707217229, free_ts 589630456902
prep_new_page mm/page_alloc.c:2549 [inline]
get_page_from_freelist+0x11bb/0x2d50 mm/page_alloc.c:4324
__alloc_pages+0x1cb/0x5c0 mm/page_alloc.c:5590
alloc_pages+0x1aa/0x270 mm/mempolicy.c:2281
alloc_slab_page mm/slub.c:1851 [inline]
allocate_slab+0x25f/0x350 mm/slub.c:1998
new_slab mm/slub.c:2051 [inline]
___slab_alloc+0xa91/0x1400 mm/slub.c:3193
__kmem_cache_alloc_bulk mm/slub.c:3951 [inline]
kmem_cache_alloc_bulk+0x23d/0x730 mm/slub.c:4026
__io_alloc_req_refill+0xcc/0x40b io_uring/io_uring.c:1062
io_alloc_req_refill io_uring/io_uring.h:348 [inline]
io_submit_sqes.cold+0x7c/0xc2 io_uring/io_uring.c:2407
__do_sys_io_uring_enter+0x9e4/0x2c10 io_uring/io_uring.c:3429
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1451 [inline]
free_pcp_prepare+0x4d0/0x910 mm/page_alloc.c:1501
free_unref_page_prepare mm/page_alloc.c:3387 [inline]
free_unref_page_list+0x176/0xcd0 mm/page_alloc.c:3528
release_pages+0xcb1/0x1330 mm/swap.c:1072
tlb_batch_pages_flush+0xa8/0x1a0 mm/mmu_gather.c:97
tlb_flush_mmu_free mm/mmu_gather.c:292 [inline]
tlb_flush_mmu mm/mmu_gather.c:299 [inline]
tlb_finish_mmu+0x14b/0x7e0 mm/mmu_gather.c:391
exit_mmap+0x202/0x7c0 mm/mmap.c:3100
__mmput+0x128/0x4c0 kernel/fork.c:1212
mmput+0x60/0x70 kernel/fork.c:1234
exit_mm kernel/exit.c:563 [inline]
do_exit+0x9ac/0x2a90 kernel/exit.c:854
do_group_exit+0xd4/0x2a0 kernel/exit.c:1012
__do_sys_exit_group kernel/exit.c:1023 [inline]
__se_sys_exit_group kernel/exit.c:1021 [inline]
__x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1021
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Memory state around the buggy address:
ffff88804ae3ef80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88804ae3f000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88804ae3f080: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc
^
ffff88804ae3f100: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
ffff88804ae3f180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot found the following issue on:
HEAD commit: 0a093b2893c7 Add linux-next specific files for 20230112
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=11419c5e480000
kernel config: https://syzkaller.appspot.com/x/.config?x=835f3591019836d5
dashboard link: https://syzkaller.appspot.com/bug?extid=ebcc33c1e81093c9224f
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/8111a570d6cb/disk-0a093b28.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/ecc135b7fc9a/vmlinux-0a093b28.xz
kernel image: https://storage.googleapis.com/syzbot-assets/ca8d73b446ea/bzImage-0a093b28.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ebcc33...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in io_fallback_tw+0x6d/0x119 io_uring/io_uring.c:1249
Read of size 8 at addr ffff88804ae3f088 by task syz-executor.0/9602
CPU: 0 PID: 9602 Comm: syz-executor.0 Not tainted 6.2.0-rc3-next-20230112-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:306 [inline]
print_report+0x15e/0x45d mm/kasan/report.c:417
kasan_report+0xc0/0xf0 mm/kasan/report.c:517
io_fallback_tw+0x6d/0x119 io_uring/io_uring.c:1249
tctx_task_work.cold+0xf/0x2c io_uring/io_uring.c:1219
task_work_run+0x16f/0x270 kernel/task_work.c:179
exit_task_work include/linux/task_work.h:38 [inline]
do_exit+0xb17/0x2a90 kernel/exit.c:867
do_group_exit+0xd4/0x2a0 kernel/exit.c:1012
get_signal+0x225f/0x24f0 kernel/signal.c:2859
arch_do_signal_or_restart+0x79/0x5c0 arch/x86/kernel/signal.c:306
exit_to_user_mode_loop kernel/entry/common.c:168 [inline]
exit_to_user_mode_prepare+0x11f/0x240 kernel/entry/common.c:204
__syscall_exit_to_user_mode_work kernel/entry/common.c:286 [inline]
syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:297
do_syscall_64+0x46/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fd3d3a8c0c9
Code: Unable to access opcode bytes at 0x7fd3d3a8c09f.
RSP: 002b:00007fd3d47c8218 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007fd3d3babf88 RCX: 00007fd3d3a8c0c9
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007fd3d3babf88
RBP: 00007fd3d3babf80 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fd3d3babf8c
R13: 00007fffea21180f R14: 00007fd3d47c8300 R15: 0000000000022000
</TASK>
Allocated by task 9602:
kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
__kasan_slab_alloc+0x7f/0x90 mm/kasan/common.c:325
kasan_slab_alloc include/linux/kasan.h:186 [inline]
slab_post_alloc_hook mm/slab.h:769 [inline]
kmem_cache_alloc_bulk+0x3aa/0x730 mm/slub.c:4033
__io_alloc_req_refill+0xcc/0x40b io_uring/io_uring.c:1062
io_alloc_req_refill io_uring/io_uring.h:348 [inline]
io_submit_sqes.cold+0x7c/0xc2 io_uring/io_uring.c:2407
__do_sys_io_uring_enter+0x9e4/0x2c10 io_uring/io_uring.c:3429
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Freed by task 9123:
kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
kasan_save_free_info+0x2e/0x40 mm/kasan/generic.c:518
____kasan_slab_free mm/kasan/common.c:236 [inline]
____kasan_slab_free+0x160/0x1c0 mm/kasan/common.c:200
kasan_slab_free include/linux/kasan.h:162 [inline]
slab_free_hook mm/slub.c:1781 [inline]
slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1807
slab_free mm/slub.c:3787 [inline]
kmem_cache_free+0xec/0x4e0 mm/slub.c:3809
io_req_caches_free+0x1a9/0x1e6 io_uring/io_uring.c:2737
io_ring_exit_work+0x2e7/0xc80 io_uring/io_uring.c:2967
process_one_work+0x9bf/0x1750 kernel/workqueue.c:2293
worker_thread+0x669/0x1090 kernel/workqueue.c:2440
kthread+0x2e8/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
The buggy address belongs to the object at ffff88804ae3f000
which belongs to the cache io_kiocb of size 216
The buggy address is located 136 bytes inside of
216-byte region [ffff88804ae3f000, ffff88804ae3f0d8)
The buggy address belongs to the physical page:
page:ffffea00012b8fc0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4ae3f
memcg:ffff88807dd24601
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 ffff88801c182b40 dead000000000122 0000000000000000
raw: 0000000000000000 00000000800c000c 00000001ffffffff ffff88807dd24601
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 8866, tgid 8865 (syz-executor.2), ts 589707217229, free_ts 589630456902
prep_new_page mm/page_alloc.c:2549 [inline]
get_page_from_freelist+0x11bb/0x2d50 mm/page_alloc.c:4324
__alloc_pages+0x1cb/0x5c0 mm/page_alloc.c:5590
alloc_pages+0x1aa/0x270 mm/mempolicy.c:2281
alloc_slab_page mm/slub.c:1851 [inline]
allocate_slab+0x25f/0x350 mm/slub.c:1998
new_slab mm/slub.c:2051 [inline]
___slab_alloc+0xa91/0x1400 mm/slub.c:3193
__kmem_cache_alloc_bulk mm/slub.c:3951 [inline]
kmem_cache_alloc_bulk+0x23d/0x730 mm/slub.c:4026
__io_alloc_req_refill+0xcc/0x40b io_uring/io_uring.c:1062
io_alloc_req_refill io_uring/io_uring.h:348 [inline]
io_submit_sqes.cold+0x7c/0xc2 io_uring/io_uring.c:2407
__do_sys_io_uring_enter+0x9e4/0x2c10 io_uring/io_uring.c:3429
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1451 [inline]
free_pcp_prepare+0x4d0/0x910 mm/page_alloc.c:1501
free_unref_page_prepare mm/page_alloc.c:3387 [inline]
free_unref_page_list+0x176/0xcd0 mm/page_alloc.c:3528
release_pages+0xcb1/0x1330 mm/swap.c:1072
tlb_batch_pages_flush+0xa8/0x1a0 mm/mmu_gather.c:97
tlb_flush_mmu_free mm/mmu_gather.c:292 [inline]
tlb_flush_mmu mm/mmu_gather.c:299 [inline]
tlb_finish_mmu+0x14b/0x7e0 mm/mmu_gather.c:391
exit_mmap+0x202/0x7c0 mm/mmap.c:3100
__mmput+0x128/0x4c0 kernel/fork.c:1212
mmput+0x60/0x70 kernel/fork.c:1234
exit_mm kernel/exit.c:563 [inline]
do_exit+0x9ac/0x2a90 kernel/exit.c:854
do_group_exit+0xd4/0x2a0 kernel/exit.c:1012
__do_sys_exit_group kernel/exit.c:1023 [inline]
__se_sys_exit_group kernel/exit.c:1021 [inline]
__x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1021
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Memory state around the buggy address:
ffff88804ae3ef80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88804ae3f000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88804ae3f080: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc
^
ffff88804ae3f100: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
ffff88804ae3f180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
Pavel Begunkov
Jan 12, 2023, 5:39:04 AM1/12/23
to syzbot, ax...@kernel.dk, io-u...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On 1/12/23 10:12, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 0a093b2893c7 Add linux-next specific files for 20230112
> git tree: linux-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=11419c5e480000
> kernel config: https://syzkaller.appspot.com/x/.config?x=835f3591019836d5
> dashboard link: https://syzkaller.appspot.com/bug?extid=ebcc33c1e81093c9224f
> compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
>
> Unfortunately, I don't have any reproducer for this issue yet.
#syz test: git://git.kernel.dk/linux.git syztest
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 0a093b2893c7 Add linux-next specific files for 20230112
> git tree: linux-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=11419c5e480000
> kernel config: https://syzkaller.appspot.com/x/.config?x=835f3591019836d5
> dashboard link: https://syzkaller.appspot.com/bug?extid=ebcc33c1e81093c9224f
> compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
>
> Unfortunately, I don't have any reproducer for this issue yet.
Pavel Begunkov
syzbot
Jan 12, 2023, 5:39:04 AM1/12/23
to asml.s...@gmail.com, asml.s...@gmail.com, ax...@kernel.dk, io-u...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
> On 1/12/23 10:12, syzbot wrote:
>> Hello,
>>
>> syzbot found the following issue on:
>>
>> HEAD commit: 0a093b2893c7 Add linux-next specific files for 20230112
>> git tree: linux-next
>> console output: https://syzkaller.appspot.com/x/log.txt?x=11419c5e480000
>> kernel config: https://syzkaller.appspot.com/x/.config?x=835f3591019836d5
>> dashboard link: https://syzkaller.appspot.com/bug?extid=ebcc33c1e81093c9224f
>> compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
>>
>> Unfortunately, I don't have any reproducer for this issue yet.
>
> #syz test: git://git.kernel.dk/linux.git syztest
This crash does not have a reproducer. I cannot test it.
>> Hello,
>>
>> syzbot found the following issue on:
>>
>> HEAD commit: 0a093b2893c7 Add linux-next specific files for 20230112
>> git tree: linux-next
>> console output: https://syzkaller.appspot.com/x/log.txt?x=11419c5e480000
>> kernel config: https://syzkaller.appspot.com/x/.config?x=835f3591019836d5
>> dashboard link: https://syzkaller.appspot.com/bug?extid=ebcc33c1e81093c9224f
>> compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
>>
>> Unfortunately, I don't have any reproducer for this issue yet.
>
> #syz test: git://git.kernel.dk/linux.git syztest
syzbot
Jan 12, 2023, 10:24:44 AM1/12/23
to asml.s...@gmail.com, ax...@kernel.dk, io-u...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
syzbot has found a reproducer for the following issue on:
HEAD commit: 0a093b2893c7 Add linux-next specific files for 20230112
git tree: linux-next
console+strace: https://syzkaller.appspot.com/x/log.txt?x=14b3995a480000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=101a000e480000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/8111a570d6cb/disk-0a093b28.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/ecc135b7fc9a/vmlinux-0a093b28.xz
kernel image: https://storage.googleapis.com/syzbot-assets/ca8d73b446ea/bzImage-0a093b28.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ebcc33...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in io_fallback_tw+0x6d/0x119 io_uring/io_uring.c:1249
Read of size 8 at addr ffff88802b270448 by task syz-executor235/5078
CPU: 0 PID: 5078 Comm: syz-executor235 Not tainted 6.2.0-rc3-next-20230112-syzkaller #0
Code: Unable to access opcode bytes at 0x7f38f865519f.
RSP: 002b:00007ffce433d688 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 00007f38f86c9350 RCX: 00007f38f86551c9
RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f38f86c9350
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
</TASK>
Allocated by task 5078:
The buggy address belongs to the physical page:
page:ffffea0000ac9c00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2b270
raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
exec_mmap fs/exec.c:1034 [inline]
begin_new_exec+0x1027/0x2f80 fs/exec.c:1293
load_elf_binary+0x801/0x4ff0 fs/binfmt_elf.c:1001
search_binary_handler fs/exec.c:1736 [inline]
exec_binprm fs/exec.c:1778 [inline]
bprm_execve fs/exec.c:1853 [inline]
bprm_execve+0x7fd/0x1ae0 fs/exec.c:1809
do_execveat_common+0x72c/0x880 fs/exec.c:1960
do_execve fs/exec.c:2034 [inline]
__do_sys_execve fs/exec.c:2110 [inline]
__se_sys_execve fs/exec.c:2105 [inline]
__x64_sys_execve+0x93/0xc0 fs/exec.c:2105
ffff88802b270380: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
>ffff88802b270400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88802b270480: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88802b270500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
HEAD commit: 0a093b2893c7 Add linux-next specific files for 20230112
git tree: linux-next
kernel config: https://syzkaller.appspot.com/x/.config?x=835f3591019836d5
dashboard link: https://syzkaller.appspot.com/bug?extid=ebcc33c1e81093c9224f
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11613181480000
dashboard link: https://syzkaller.appspot.com/bug?extid=ebcc33c1e81093c9224f
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=101a000e480000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/8111a570d6cb/disk-0a093b28.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/ecc135b7fc9a/vmlinux-0a093b28.xz
kernel image: https://storage.googleapis.com/syzbot-assets/ca8d73b446ea/bzImage-0a093b28.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ebcc33...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in io_fallback_tw+0x6d/0x119 io_uring/io_uring.c:1249
CPU: 0 PID: 5078 Comm: syz-executor235 Not tainted 6.2.0-rc3-next-20230112-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:306 [inline]
print_report+0x15e/0x45d mm/kasan/report.c:417
kasan_report+0xc0/0xf0 mm/kasan/report.c:517
io_fallback_tw+0x6d/0x119 io_uring/io_uring.c:1249
tctx_task_work.cold+0xf/0x2c io_uring/io_uring.c:1219
task_work_run+0x16f/0x270 kernel/task_work.c:179
exit_task_work include/linux/task_work.h:38 [inline]
do_exit+0xb17/0x2a90 kernel/exit.c:867
do_group_exit+0xd4/0x2a0 kernel/exit.c:1012
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:306 [inline]
print_report+0x15e/0x45d mm/kasan/report.c:417
kasan_report+0xc0/0xf0 mm/kasan/report.c:517
io_fallback_tw+0x6d/0x119 io_uring/io_uring.c:1249
tctx_task_work.cold+0xf/0x2c io_uring/io_uring.c:1219
task_work_run+0x16f/0x270 kernel/task_work.c:179
exit_task_work include/linux/task_work.h:38 [inline]
do_exit+0xb17/0x2a90 kernel/exit.c:867
do_group_exit+0xd4/0x2a0 kernel/exit.c:1012
__do_sys_exit_group kernel/exit.c:1023 [inline]
__se_sys_exit_group kernel/exit.c:1021 [inline]
__x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1021
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f38f86551c9
__se_sys_exit_group kernel/exit.c:1021 [inline]
__x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1021
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Code: Unable to access opcode bytes at 0x7f38f865519f.
RSP: 002b:00007ffce433d688 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 00007f38f86c9350 RCX: 00007f38f86551c9
RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f38f86c9350
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
</TASK>
Allocated by task 5078:
kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
__kasan_slab_alloc+0x7f/0x90 mm/kasan/common.c:325
kasan_slab_alloc include/linux/kasan.h:186 [inline]
slab_post_alloc_hook mm/slab.h:769 [inline]
kmem_cache_alloc_bulk+0x3aa/0x730 mm/slub.c:4033
__io_alloc_req_refill+0xcc/0x40b io_uring/io_uring.c:1062
io_alloc_req_refill io_uring/io_uring.h:348 [inline]
io_submit_sqes.cold+0x7c/0xc2 io_uring/io_uring.c:2407
__do_sys_io_uring_enter+0x9e4/0x2c10 io_uring/io_uring.c:3429
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Freed by task 33:
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
__kasan_slab_alloc+0x7f/0x90 mm/kasan/common.c:325
kasan_slab_alloc include/linux/kasan.h:186 [inline]
slab_post_alloc_hook mm/slab.h:769 [inline]
kmem_cache_alloc_bulk+0x3aa/0x730 mm/slub.c:4033
__io_alloc_req_refill+0xcc/0x40b io_uring/io_uring.c:1062
io_alloc_req_refill io_uring/io_uring.h:348 [inline]
io_submit_sqes.cold+0x7c/0xc2 io_uring/io_uring.c:2407
__do_sys_io_uring_enter+0x9e4/0x2c10 io_uring/io_uring.c:3429
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
kasan_save_free_info+0x2e/0x40 mm/kasan/generic.c:518
____kasan_slab_free mm/kasan/common.c:236 [inline]
____kasan_slab_free+0x160/0x1c0 mm/kasan/common.c:200
kasan_slab_free include/linux/kasan.h:162 [inline]
slab_free_hook mm/slub.c:1781 [inline]
slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1807
slab_free mm/slub.c:3787 [inline]
kmem_cache_free+0xec/0x4e0 mm/slub.c:3809
io_req_caches_free+0x1a9/0x1e6 io_uring/io_uring.c:2737
io_ring_exit_work+0x2e7/0xc80 io_uring/io_uring.c:2967
process_one_work+0x9bf/0x1750 kernel/workqueue.c:2293
worker_thread+0x669/0x1090 kernel/workqueue.c:2440
kthread+0x2e8/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
The buggy address belongs to the object at ffff88802b2703c0
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
kasan_save_free_info+0x2e/0x40 mm/kasan/generic.c:518
____kasan_slab_free mm/kasan/common.c:236 [inline]
____kasan_slab_free+0x160/0x1c0 mm/kasan/common.c:200
kasan_slab_free include/linux/kasan.h:162 [inline]
slab_free_hook mm/slub.c:1781 [inline]
slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1807
slab_free mm/slub.c:3787 [inline]
kmem_cache_free+0xec/0x4e0 mm/slub.c:3809
io_req_caches_free+0x1a9/0x1e6 io_uring/io_uring.c:2737
io_ring_exit_work+0x2e7/0xc80 io_uring/io_uring.c:2967
process_one_work+0x9bf/0x1750 kernel/workqueue.c:2293
worker_thread+0x669/0x1090 kernel/workqueue.c:2440
kthread+0x2e8/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
which belongs to the cache io_kiocb of size 216
The buggy address is located 136 bytes inside of
216-byte region [ffff88802b2703c0, ffff88802b270498)
The buggy address is located 136 bytes inside of
The buggy address belongs to the physical page:
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 ffff88801c4e3280 dead000000000122 0000000000000000
raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 5078, tgid 5078 (syz-executor235), ts 57698640196, free_ts 57658994184
page_owner tracks the page as allocated
begin_new_exec+0x1027/0x2f80 fs/exec.c:1293
load_elf_binary+0x801/0x4ff0 fs/binfmt_elf.c:1001
search_binary_handler fs/exec.c:1736 [inline]
exec_binprm fs/exec.c:1778 [inline]
bprm_execve fs/exec.c:1853 [inline]
bprm_execve+0x7fd/0x1ae0 fs/exec.c:1809
do_execveat_common+0x72c/0x880 fs/exec.c:1960
do_execve fs/exec.c:2034 [inline]
__do_sys_execve fs/exec.c:2110 [inline]
__se_sys_execve fs/exec.c:2105 [inline]
__x64_sys_execve+0x93/0xc0 fs/exec.c:2105
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Memory state around the buggy address:
ffff88802b270300: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Memory state around the buggy address:
ffff88802b270380: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
>ffff88802b270400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88802b270480: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88802b270500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
Jens Axboe
Jan 12, 2023, 12:42:14 PM1/12/23
to syzbot, asml.s...@gmail.com, io-u...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On 1/12/23 8:24 AM, syzbot wrote:
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: 0a093b2893c7 Add linux-next specific files for 20230112
> git tree: linux-next
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=14b3995a480000
> kernel config: https://syzkaller.appspot.com/x/.config?x=835f3591019836d5
> dashboard link: https://syzkaller.appspot.com/bug?extid=ebcc33c1e81093c9224f
> compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11613181480000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=101a000e480000
#syz test: git://git.kernel.dk/linux.git for-next
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: 0a093b2893c7 Add linux-next specific files for 20230112
> git tree: linux-next
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=14b3995a480000
> kernel config: https://syzkaller.appspot.com/x/.config?x=835f3591019836d5
> dashboard link: https://syzkaller.appspot.com/bug?extid=ebcc33c1e81093c9224f
> compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11613181480000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=101a000e480000
--
Jens Axboe
syzbot
Jan 12, 2023, 9:04:24 PM1/12/23
to asml.s...@gmail.com, ax...@kernel.dk, io-u...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: syzbot+ebcc33...@syzkaller.appspotmail.com
Tested on:
commit: 73f41663 Merge branch 'for-6.3/iter-ubuf' into for-next
git tree: git://git.kernel.dk/linux.git for-next
console output: https://syzkaller.appspot.com/x/log.txt?x=16cc1236480000
kernel config: https://syzkaller.appspot.com/x/.config?x=2b6ecad960fc703e
Note: testing is done by a robot and is best-effort only.
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: syzbot+ebcc33...@syzkaller.appspotmail.com
Tested on:
commit: 73f41663 Merge branch 'for-6.3/iter-ubuf' into for-next
git tree: git://git.kernel.dk/linux.git for-next
console output: https://syzkaller.appspot.com/x/log.txt?x=16cc1236480000
kernel config: https://syzkaller.appspot.com/x/.config?x=2b6ecad960fc703e
dashboard link: https://syzkaller.appspot.com/bug?extid=ebcc33c1e81093c9224f
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
Note: no patches were applied.
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
Note: testing is done by a robot and is best-effort only.
syzbot
Jul 5, 2023, 7:51:33 AM7/5/23
to syzkall...@googlegroups.com
Auto-closing this bug as obsolete.
No recent activity, existing reproducers are no longer triggering the issue.
No recent activity, existing reproducers are no longer triggering the issue.
Reply all
Reply to author
Forward
0 new messages