KASAN: use-after-free Read in shmem_fault (2)


syzbot

Dec 21, 2019, 9:57:09 AM
to syzkaller...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 672481c2 Linux 4.19.91
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1538a2c6e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=445a712574d168a6
dashboard link: https://syzkaller.appspot.com/bug?extid=246c20cc64a0d4ce268b
compiler: gcc (GCC) 9.0.0 20181231 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+246c20...@syzkaller.appspotmail.com

hfs: can't find a HFS filesystem on dev loop4
hfs: can't find a HFS filesystem on dev loop4
==================================================================
BUG: KASAN: use-after-free in __lock_acquire+0x34ac/0x49c0 kernel/locking/lockdep.c:3290
Read of size 8 at addr ffff88807a948708 by task syz-executor.2/24168

CPU: 1 PID: 24168 Comm: syz-executor.2 Not tainted 4.19.91-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x197/0x210 lib/dump_stack.c:118
print_address_description.cold+0x7c/0x20d mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report mm/kasan/report.c:412 [inline]
kasan_report.cold+0x8c/0x2ba mm/kasan/report.c:396
__asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
__lock_acquire+0x34ac/0x49c0 kernel/locking/lockdep.c:3290
lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:3903
__raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
_raw_spin_lock+0x2f/0x40 kernel/locking/spinlock.c:144
spin_lock include/linux/spinlock.h:329 [inline]
shmem_fault+0x5ba/0x760 mm/shmem.c:2016
__do_fault+0x111/0x480 mm/memory.c:3269
do_shared_fault mm/memory.c:3736 [inline]
do_fault mm/memory.c:3814 [inline]
handle_pte_fault mm/memory.c:4041 [inline]
__handle_mm_fault+0x2b0e/0x3f80 mm/memory.c:4165
handle_mm_fault+0x1b5/0x690 mm/memory.c:4202
__do_page_fault+0x62a/0xe90 arch/x86/mm/fault.c:1390
do_page_fault+0x71/0x57d arch/x86/mm/fault.c:1465
page_fault+0x1e/0x30 arch/x86/entry/entry_64.S:1204
RIP: 0033:0x441b61
Code: 8d 15 e3 c3 0a 00 8b 0c 8a 8b 04 82 29 c8 c3 66 2e 0f 1f 84 00 00 00 00 00 48 83 fa 20 48 89 f8 73 77 f6 c2 01 74 0b 0f b6 0e <88> 0f 48 ff c6 48 ff c7 f6 c2 02 74 12 0f b7 0e 66 89 0f 48 83 c6
RSP: 002b:00007ffd233146a8 EFLAGS: 00010202
RAX: 0000000020000100 RBX: 0000000000000000 RCX: 000000000000002f
RDX: 0000000000000009 RSI: 0000000000760248 RDI: 0000000020000100
RBP: 0000000000760228 R08: 0000000000760228 R09: ffffffffffffffff
R10: 00007ffd23314770 R11: 0000000000000246 R12: 000000000075bfc8
R13: 0000000000000006 R14: 0000000000760230 R15: 000000000075bfd4

Allocated by task 24169:
save_stack+0x45/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
kasan_kmalloc mm/kasan/kasan.c:553 [inline]
kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:531
kasan_slab_alloc+0xf/0x20 mm/kasan/kasan.c:490
kmem_cache_alloc+0x12e/0x700 mm/slab.c:3559
shmem_alloc_inode+0x1c/0x50 mm/shmem.c:3595
alloc_inode+0x64/0x190 fs/inode.c:210
new_inode_pseudo+0x19/0xf0 fs/inode.c:903
new_inode+0x1f/0x40 fs/inode.c:932
shmem_get_inode+0x84/0x780 mm/shmem.c:2192
__shmem_file_setup.part.0+0x1e2/0x2b0 mm/shmem.c:3951
__shmem_file_setup mm/shmem.c:3945 [inline]
shmem_kernel_file_setup mm/shmem.c:3981 [inline]
shmem_zero_setup+0xe2/0x474 mm/shmem.c:4025
mmap_region+0x1364/0x1760 mm/mmap.c:1779
do_mmap+0x8e2/0x1080 mm/mmap.c:1536
do_mmap_pgoff include/linux/mm.h:2314 [inline]
vm_mmap_pgoff+0x1c5/0x230 mm/util.c:357
ksys_mmap_pgoff+0xf7/0x630 mm/mmap.c:1586
__do_sys_mmap arch/x86/kernel/sys_x86_64.c:100 [inline]
__se_sys_mmap arch/x86/kernel/sys_x86_64.c:91 [inline]
__x64_sys_mmap+0xe9/0x1b0 arch/x86/kernel/sys_x86_64.c:91
do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 9:
save_stack+0x45/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
__kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521
kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
__cache_free mm/slab.c:3503 [inline]
kmem_cache_free+0x86/0x260 mm/slab.c:3765
shmem_destroy_callback+0x6e/0xc0 mm/shmem.c:3606
__rcu_reclaim kernel/rcu/rcu.h:236 [inline]
rcu_do_batch kernel/rcu/tree.c:2584 [inline]
invoke_rcu_callbacks kernel/rcu/tree.c:2897 [inline]
__rcu_process_callbacks kernel/rcu/tree.c:2864 [inline]
rcu_process_callbacks+0xba0/0x1a30 kernel/rcu/tree.c:2881
__do_softirq+0x25c/0x921 kernel/softirq.c:292

The buggy address belongs to the object at ffff88807a948568
which belongs to the cache shmem_inode_cache(65:syz2) of size 1192
The buggy address is located 416 bytes inside of
1192-byte region [ffff88807a948568, ffff88807a948a10)
The buggy address belongs to the page:
page:ffffea0001ea5200 count:1 mapcount:0 mapping:ffff8880927b6d80
index:0xffff88807a948ffd
flags: 0xfffe0000000100(slab)
raw: 00fffe0000000100 ffffea000027ee08 ffffea00018d9048 ffff8880927b6d80
raw: ffff88807a948ffd ffff88807a948040 0000000100000002 ffff888055e4c900
page dumped because: kasan: bad access detected
page->mem_cgroup:ffff888055e4c900

Memory state around the buggy address:
ffff88807a948600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88807a948680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff88807a948700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88807a948780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88807a948800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

Dec 21, 2019, 11:01:09 AM
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following crash on:

HEAD commit: 672481c2 Linux 4.19.91
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=133da2b9e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=445a712574d168a6
dashboard link: https://syzkaller.appspot.com/bug?extid=246c20cc64a0d4ce268b
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1031fa15e00000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+246c20...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: use-after-free in __lock_acquire+0x34ac/0x49c0 kernel/locking/lockdep.c:3290
Read of size 8 at addr ffff888090cd1708 by task syz-executor.5/8862

CPU: 1 PID: 8862 Comm: syz-executor.5 Not tainted 4.19.91-syzkaller #0
RSP: 002b:00007fff29747238 EFLAGS: 00010202
RAX: 0000000020000100 RBX: 0000000000000000 RCX: 000000000000002f
RDX: 0000000000000009 RSI: 0000000000760248 RDI: 0000000020000100
RBP: 0000000000760228 R08: 0000000000760228 R09: ffffffffffffffff
R10: 00007fff29747300 R11: 0000000000000246 R12: 000000000075bfc8
R13: 0000000000000006 R14: 0000000000760230 R15: 000000000075bfd4

Allocated by task 8863:
Freed by task 18:
save_stack+0x45/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
__kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521
kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
__cache_free mm/slab.c:3503 [inline]
kmem_cache_free+0x86/0x260 mm/slab.c:3765
shmem_destroy_callback+0x6e/0xc0 mm/shmem.c:3606
__rcu_reclaim kernel/rcu/rcu.h:236 [inline]
rcu_do_batch kernel/rcu/tree.c:2584 [inline]
invoke_rcu_callbacks kernel/rcu/tree.c:2897 [inline]
__rcu_process_callbacks kernel/rcu/tree.c:2864 [inline]
rcu_process_callbacks+0xba0/0x1a30 kernel/rcu/tree.c:2881
__do_softirq+0x25c/0x921 kernel/softirq.c:292

The buggy address belongs to the object at ffff888090cd1568
which belongs to the cache shmem_inode_cache(49:syz5) of size 1192
The buggy address is located 416 bytes inside of
1192-byte region [ffff888090cd1568, ffff888090cd1a10)
The buggy address belongs to the page:
page:ffffea0002433440 count:1 mapcount:0 mapping:ffff8880a3f37500
index:0xffff888090cd1ffd
flags: 0xfffe0000000100(slab)
raw: 00fffe0000000100 ffff8880a04bda48 ffffea00020db3c8 ffff8880a3f37500
raw: ffff888090cd1ffd ffff888090cd1040 0000000100000003 ffff88809260acc0
page dumped because: kasan: bad access detected
page->mem_cgroup:ffff88809260acc0

Memory state around the buggy address:
ffff888090cd1600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888090cd1680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff888090cd1700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888090cd1780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888090cd1800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

syzbot

Aug 26, 2022, 2:49:20 PM
to syzkaller...@googlegroups.com
Auto-closing this bug as obsolete.
No recent activity, existing reproducers are no longer triggering the issue.