KASAN: use-after-free Read in get_block


syzbot

Apr 1, 2020, 10:00:13 PM
to syzkaller...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 54b4fa6d Linux 4.19.113
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=16e9adcbe00000
kernel config: https://syzkaller.appspot.com/x/.config?x=7b1a0bc5526ebc49
dashboard link: https://syzkaller.appspot.com/bug?extid=85e4c58d4e1f0fd8fd0d
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15547747e00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12410697e00000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+85e4c5...@syzkaller.appspotmail.com

audit: type=1400 audit(1585792453.371:40): avc: denied { associate } for pid=8195 comm="syz-executor516" name="file0" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
NOHZ: local_softirq_pending 08
NOHZ: local_softirq_pending 08
==================================================================
BUG: KASAN: use-after-free in add_chain fs/minix/itree_common.c:14 [inline]
BUG: KASAN: use-after-free in get_branch fs/minix/itree_common.c:52 [inline]
BUG: KASAN: use-after-free in get_block+0x1047/0x1300 fs/minix/itree_common.c:160
Read of size 2 at addr ffff88808fbd1130 by task syz-executor516/8195

CPU: 0 PID: 8195 Comm: syz-executor516 Not tainted 4.19.113-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x188/0x20d lib/dump_stack.c:118
print_address_description.cold+0x7c/0x212 mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report mm/kasan/report.c:412 [inline]
kasan_report.cold+0x88/0x2b9 mm/kasan/report.c:396
add_chain fs/minix/itree_common.c:14 [inline]
get_branch fs/minix/itree_common.c:52 [inline]
get_block+0x1047/0x1300 fs/minix/itree_common.c:160
minix_get_block+0xe5/0x110 fs/minix/inode.c:379
block_read_full_page+0x28e/0xef0 fs/buffer.c:2248
do_read_cache_page+0x916/0x1700 mm/filemap.c:2828
read_mapping_page include/linux/pagemap.h:402 [inline]
dir_get_page.isra.0+0x62/0xb0 fs/minix/dir.c:70
minix_find_entry+0x200/0x7b0 fs/minix/dir.c:170
minix_inode_by_name+0x6d/0x452 fs/minix/dir.c:454
minix_lookup fs/minix/namei.c:30 [inline]
minix_lookup+0x103/0x190 fs/minix/namei.c:22
lookup_open+0x681/0x19b0 fs/namei.c:3214
do_last fs/namei.c:3327 [inline]
path_openat+0x13cb/0x4200 fs/namei.c:3537
do_filp_open+0x1a1/0x280 fs/namei.c:3567
do_sys_open+0x3c0/0x500 fs/open.c:1085
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4481b9
Code: dd d1 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 ab d1 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffc05065848 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000004481b9
RDX: 0000000000000000 RSI: 0000000000020040 RDI: 0000000020000040
RBP: 00007ffc05065870 R08: 00007ffc05065870 R09: 0000000000000000
R10: 00007ffc05065730 R11: 0000000000000246 R12: 00007ffc050658a0
R13: 0000000000000004 R14: 0000000000000000 R15: 0000000000000000

The buggy address belongs to the page:
page:ffffea00023ef440 count:0 mapcount:0 mapping:0000000000000000 index:0x1
flags: 0xfffe0000000000()
raw: 00fffe0000000000 dead000000000100 dead000000000200 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff88808fbd1000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88808fbd1080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88808fbd1100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff88808fbd1180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88808fbd1200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches

syzbot

Apr 8, 2020, 5:22:17 PM
to syzkaller...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 4520f06b Linux 4.14.175
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=10c7cd5de00000
kernel config: https://syzkaller.appspot.com/x/.config?x=93cf891381c0c347
dashboard link: https://syzkaller.appspot.com/bug?extid=9520ccd94ee573ff7e5f
compiler: gcc (GCC) 9.0.0 20181231 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+9520cc...@syzkaller.appspotmail.com

1965979 pages RAM
0 pages HighMem/MovableOnly
339049 pages reserved
0 pages cma reserved
==================================================================
BUG: KASAN: use-after-free in add_chain fs/minix/itree_common.c:14 [inline]
BUG: KASAN: use-after-free in get_branch fs/minix/itree_common.c:52 [inline]
BUG: KASAN: use-after-free in get_block+0xe7c/0x10f0 fs/minix/itree_common.c:160
Read of size 2 at addr ffff8881bcbb3356 by task syz-executor.5/25048

CPU: 1 PID: 25048 Comm: syz-executor.5 Not tainted 4.14.175-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x13e/0x194 lib/dump_stack.c:58
print_address_description.cold+0x7c/0x1e2 mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xa9/0x2ae mm/kasan/report.c:393
add_chain fs/minix/itree_common.c:14 [inline]
get_branch fs/minix/itree_common.c:52 [inline]
get_block+0xe7c/0x10f0 fs/minix/itree_common.c:160
minix_get_block+0xd6/0x100 fs/minix/inode.c:379
block_read_full_page+0x243/0x920 fs/buffer.c:2305
do_read_cache_page+0x6f3/0x12a0 mm/filemap.c:2713
read_mapping_page include/linux/pagemap.h:398 [inline]
dir_get_page.isra.0+0x60/0xa0 fs/minix/dir.c:70
minix_find_entry+0x1f5/0x6f0 fs/minix/dir.c:170
minix_inode_by_name+0x5b/0x3b0 fs/minix/dir.c:454
minix_lookup fs/minix/namei.c:30 [inline]
minix_lookup+0xf0/0x180 fs/minix/namei.c:22
lookup_open+0x5d1/0x1750 fs/namei.c:3220
do_last fs/namei.c:3334 [inline]
path_openat+0xfc1/0x3c50 fs/namei.c:3569
do_filp_open+0x18e/0x250 fs/namei.c:3603
do_sys_open+0x29d/0x3f0 fs/open.c:1081
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x45c889
RSP: 002b:00007f9cb9c5dc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
RAX: ffffffffffffffda RBX: 00007f9cb9c5e6d4 RCX: 000000000045c889
RDX: 0000000000000000 RSI: 0000000000030040 RDI: 0000000020000040
RBP: 000000000076bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 0000000000000771 R14: 00000000005043df R15: 000000000076bf0c

The buggy address belongs to the page:
page:ffffea0006f2ecc0 count:0 mapcount:0 mapping: (null) index:0x1
flags: 0x57ffe0000000000()
raw: 057ffe0000000000 0000000000000000 0000000000000001 00000000ffffffff
raw: dead000000000100 dead000000000200 0000000000000000 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff8881bcbb3200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff8881bcbb3280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8881bcbb3300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff8881bcbb3380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff8881bcbb3400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff

syzbot

May 2, 2020, 1:39:14 AM
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following crash on:

HEAD commit: 050272a0 Linux 4.14.177
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=13b22f90100000
kernel config: https://syzkaller.appspot.com/x/.config?x=b24dc669afb42f8b
dashboard link: https://syzkaller.appspot.com/bug?extid=9520ccd94ee573ff7e5f
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=156ff540100000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11257d40100000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+9520cc...@syzkaller.appspotmail.com

audit: type=1800 audit(1588397732.318:9): pid=6595 uid=0 auid=0 ses=5 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="syz-executor162" name="file0" dev="sda1" ino=15712 res=0
MINIX-fs: mounting unchecked file system, running fsck is recommended
Process accounting resumed
==================================================================
BUG: KASAN: use-after-free in add_chain fs/minix/itree_common.c:14 [inline]
BUG: KASAN: use-after-free in get_branch fs/minix/itree_common.c:52 [inline]
BUG: KASAN: use-after-free in get_block+0xe7c/0x10f0 fs/minix/itree_common.c:160
Read of size 2 at addr ffff8880a34d3bb8 by task syz-executor162/6595

CPU: 0 PID: 6595 Comm: syz-executor162 Not tainted 4.14.177-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x13e/0x194 lib/dump_stack.c:58
print_address_description.cold+0x7c/0x1e2 mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xa9/0x2ae mm/kasan/report.c:393
add_chain fs/minix/itree_common.c:14 [inline]
get_branch fs/minix/itree_common.c:52 [inline]
get_block+0xe7c/0x10f0 fs/minix/itree_common.c:160
minix_get_block+0xd6/0x100 fs/minix/inode.c:379
__block_write_begin_int+0x337/0x1030 fs/buffer.c:2038
__block_write_begin fs/buffer.c:2088 [inline]
block_write_begin+0x58/0x260 fs/buffer.c:2147
minix_write_begin+0x35/0xc0 fs/minix/inode.c:415
generic_perform_write+0x1c9/0x420 mm/filemap.c:3047
__generic_file_write_iter+0x227/0x590 mm/filemap.c:3172
generic_file_write_iter+0x2fa/0x650 mm/filemap.c:3200
call_write_iter include/linux/fs.h:1778 [inline]
new_sync_write fs/read_write.c:469 [inline]
__vfs_write+0x44e/0x630 fs/read_write.c:482
__kernel_write+0xf5/0x330 fs/read_write.c:501
do_acct_process+0xb49/0xf60 kernel/acct.c:520
slow_acct_process kernel/acct.c:579 [inline]
acct_process+0x38a/0x422 kernel/acct.c:605
do_exit+0x1712/0x2b00 kernel/exit.c:848
do_group_exit+0x100/0x310 kernel/exit.c:955
SYSC_exit_group kernel/exit.c:966 [inline]
SyS_exit_group+0x19/0x20 kernel/exit.c:964
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x448648
RSP: 002b:00007ffc6f8ec8d8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000448648
RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
RBP: 00000000004cb9d0 R08: 00000000000000e7 R09: ffffffffffffffd4
R10: 00007ffc6f8ec7f0 R11: 0000000000000246 R12: 0000000000000001
R13: 00000000006e47e0 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 1:
save_stack+0x32/0xa0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc mm/kasan/kasan.c:551 [inline]
kasan_kmalloc+0xbf/0xe0 mm/kasan/kasan.c:529
kmem_cache_alloc+0x127/0x770 mm/slab.c:3552
kmem_cache_zalloc include/linux/slab.h:651 [inline]
get_empty_filp+0x86/0x3e0 fs/file_table.c:123
path_openat+0x8d/0x3c50 fs/namei.c:3545
do_filp_open+0x18e/0x250 fs/namei.c:3603
do_sys_open+0x29d/0x3f0 fs/open.c:1081
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7

Freed by task 17:
save_stack+0x32/0xa0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0x75/0xc0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3496 [inline]
kmem_cache_free+0x7c/0x2b0 mm/slab.c:3758
__rcu_reclaim kernel/rcu/rcu.h:195 [inline]
rcu_do_batch kernel/rcu/tree.c:2699 [inline]
invoke_rcu_callbacks kernel/rcu/tree.c:2962 [inline]
__rcu_process_callbacks kernel/rcu/tree.c:2929 [inline]
rcu_process_callbacks+0x792/0x1190 kernel/rcu/tree.c:2946
__do_softirq+0x254/0x9bf kernel/softirq.c:288

The buggy address belongs to the object at ffff8880a34d3a80
which belongs to the cache filp of size 456
The buggy address is located 312 bytes inside of
456-byte region [ffff8880a34d3a80, ffff8880a34d3c48)
The buggy address belongs to the page:
page:ffffea00028d34c0 count:1 mapcount:0 mapping:ffff8880a34d3080 index:0x0
flags: 0xfffe0000000100(slab)
raw: 00fffe0000000100 ffff8880a34d3080 0000000000000000 0000000100000006
raw: ffffea00028d3520 ffffea0002983860 ffff8880aa587b40 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff8880a34d3a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880a34d3b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880a34d3b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8880a34d3c00: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
ffff8880a34d3c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================

syzbot

Sep 11, 2020, 5:29:09 AM
to syzkaller...@googlegroups.com
syzbot suspects this issue was fixed by commit:

commit 954fc7da99a9513d5e6b3ccf38f6f7c9af5a276d
Author: Eric Biggers <ebig...@google.com>
Date: Wed Aug 12 01:35:30 2020 +0000

fs/minix: reject too-large maximum file size

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=126cfdb3900000
start commit: dce0f886 Linux 4.19.132
git tree: linux-4.19.y
kernel config: https://syzkaller.appspot.com/x/.config?x=630ac1b7a61d1805
dashboard link: https://syzkaller.appspot.com/bug?extid=85e4c58d4e1f0fd8fd0d
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17e9ff33100000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1599531f100000

If the result looks correct, please mark the issue as fixed by replying with:

#syz fix: fs/minix: reject too-large maximum file size

For information about bisection process see: https://goo.gl/tpsmEJ#bisection

syzbot

Sep 11, 2020, 3:30:06 PM
to syzkaller...@googlegroups.com
syzbot suspects this issue was fixed by commit:

commit 0900097ef667097b0a4afb0155a4f5add77ece19
Author: Eric Biggers <ebig...@google.com>
Date: Wed Aug 12 01:35:30 2020 +0000

fs/minix: reject too-large maximum file size

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=148b773e900000
start commit: b850307b Linux 4.14.184
git tree: linux-4.14.y
kernel config: https://syzkaller.appspot.com/x/.config?x=ddc0f08dd6b981c5
dashboard link: https://syzkaller.appspot.com/bug?extid=9520ccd94ee573ff7e5f
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=169d9957100000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11eb2957100000