KASAN: slab-out-of-bounds Read in get_block


syzbot

Apr 18, 2020, 8:41:15 AM
to syzkaller...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 8488c3f3 Linux 4.19.116
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=130070bbe00000
kernel config: https://syzkaller.appspot.com/x/.config?x=f57eb167d8072371
dashboard link: https://syzkaller.appspot.com/bug?extid=f77070592e2450481fe2
compiler: gcc (GCC) 9.0.0 20181231 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+f77070...@syzkaller.appspotmail.com

loop5: rw=2049, want=6434, limit=52
Buffer I/O error on dev loop5, logical block 3216, lost async page write
minix_free_inode: bit 1 already cleared
MINIX-fs: mounting unchecked file system, running fsck is recommended
==================================================================
BUG: KASAN: slab-out-of-bounds in add_chain fs/minix/itree_common.c:14 [inline]
BUG: KASAN: slab-out-of-bounds in get_branch fs/minix/itree_common.c:52 [inline]
BUG: KASAN: slab-out-of-bounds in get_block+0x1047/0x1300 fs/minix/itree_common.c:160
Read of size 2 at addr ffff88804f7e1000 by task syz-executor.0/24044

CPU: 0 PID: 24044 Comm: syz-executor.0 Not tainted 4.19.116-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x188/0x20d lib/dump_stack.c:118
print_address_description.cold+0x7c/0x212 mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report mm/kasan/report.c:412 [inline]
kasan_report.cold+0x88/0x2b9 mm/kasan/report.c:396
add_chain fs/minix/itree_common.c:14 [inline]
get_branch fs/minix/itree_common.c:52 [inline]
get_block+0x1047/0x1300 fs/minix/itree_common.c:160
minix_get_block+0xe5/0x110 fs/minix/inode.c:379
block_read_full_page+0x28e/0xef0 fs/buffer.c:2248
do_read_cache_page+0x916/0x1700 mm/filemap.c:2828
read_mapping_page include/linux/pagemap.h:402 [inline]
dir_get_page.isra.0+0x62/0xb0 fs/minix/dir.c:70
minix_find_entry+0x200/0x7b0 fs/minix/dir.c:170
minix_inode_by_name+0x6d/0x452 fs/minix/dir.c:454
minix_lookup fs/minix/namei.c:30 [inline]
minix_lookup+0x103/0x190 fs/minix/namei.c:22
lookup_open+0x681/0x19b0 fs/namei.c:3214
do_last fs/namei.c:3327 [inline]
path_openat+0x13cb/0x4200 fs/namei.c:3537
do_filp_open+0x1a1/0x280 fs/namei.c:3567
do_sys_open+0x3c0/0x500 fs/open.c:1085
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45c889
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f46b0906c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
RAX: ffffffffffffffda RBX: 00007f46b09076d4 RCX: 000000000045c889
RDX: 0000000000000000 RSI: 0000000000020040 RDI: 0000000020000040
RBP: 000000000076bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 0000000000000773 R14: 000000000050443f R15: 000000000076bf0c

Allocated by task 23965:
set_track mm/kasan/kasan.c:460 [inline]
kasan_kmalloc mm/kasan/kasan.c:553 [inline]
kasan_kmalloc+0xbf/0xe0 mm/kasan/kasan.c:531
kmem_cache_alloc+0x127/0x710 mm/slab.c:3559
kmem_cache_zalloc include/linux/slab.h:699 [inline]
__alloc_file+0x21/0x330 fs/file_table.c:100
alloc_empty_file+0x6d/0x170 fs/file_table.c:150
path_openat+0xf2/0x4200 fs/namei.c:3526
do_filp_open+0x1a1/0x280 fs/namei.c:3567
do_sys_open+0x3c0/0x500 fs/open.c:1085
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 18:
set_track mm/kasan/kasan.c:460 [inline]
__kasan_slab_free+0xf7/0x140 mm/kasan/kasan.c:521
__cache_free mm/slab.c:3503 [inline]
kmem_cache_free+0x7f/0x260 mm/slab.c:3765
__rcu_reclaim kernel/rcu/rcu.h:236 [inline]
rcu_do_batch kernel/rcu/tree.c:2584 [inline]
invoke_rcu_callbacks kernel/rcu/tree.c:2897 [inline]
__rcu_process_callbacks kernel/rcu/tree.c:2864 [inline]
rcu_process_callbacks+0xb2d/0x17f0 kernel/rcu/tree.c:2881
__do_softirq+0x26c/0x93c kernel/softirq.c:292

The buggy address belongs to the object at ffff88804f7e1080
which belongs to the cache filp of size 456
The buggy address is located 128 bytes to the left of
456-byte region [ffff88804f7e1080, ffff88804f7e1248)
The buggy address belongs to the page:
page:ffffea00013df840 count:1 mapcount:0 mapping:ffff88821bc46b00 index:0xffff88804f7e1d00
flags: 0xfffe0000000100(slab)
raw: 00fffe0000000100 ffffea000148f688 ffffea00010a5988 ffff88821bc46b00
raw: ffff88804f7e1d00 ffff88804f7e1080 0000000100000003 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff88804f7e0f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88804f7e0f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88804f7e1000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff88804f7e1080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88804f7e1100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

Jul 12, 2020, 3:51:16 PM
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following crash on:

HEAD commit: dce0f886 Linux 4.19.132
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=112b9167100000
kernel config: https://syzkaller.appspot.com/x/.config?x=630ac1b7a61d1805
dashboard link: https://syzkaller.appspot.com/bug?extid=f77070592e2450481fe2
compiler: gcc (GCC) 10.1.0-syz 20200507
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10a7869f100000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=143ff9af100000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+f77070...@syzkaller.appspotmail.com

audit: type=1800 audit(1594583227.723:9): pid=6661 uid=0 auid=0 ses=5 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="syz-executor291" name="file0" dev="sda1" ino=15707 res=0
MINIX-fs: mounting unchecked file system, running fsck is recommended
Process accounting resumed
==================================================================
BUG: KASAN: slab-out-of-bounds in add_chain fs/minix/itree_common.c:14 [inline]
BUG: KASAN: slab-out-of-bounds in get_branch fs/minix/itree_common.c:52 [inline]
BUG: KASAN: slab-out-of-bounds in get_block+0x1085/0x1340 fs/minix/itree_common.c:160
Read of size 2 at addr ffff88809546a18a by task syz-executor291/6661

CPU: 0 PID: 6661 Comm: syz-executor291 Not tainted 4.19.132-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1fc/0x2fe lib/dump_stack.c:118
print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
kasan_report_error.cold+0x8a/0x1c7 mm/kasan/report.c:354
kasan_report mm/kasan/report.c:412 [inline]
__asan_report_load2_noabort+0x88/0x90 mm/kasan/report.c:431
add_chain fs/minix/itree_common.c:14 [inline]
get_branch fs/minix/itree_common.c:52 [inline]
get_block+0x1085/0x1340 fs/minix/itree_common.c:160
minix_get_block+0xe5/0x110 fs/minix/inode.c:379
__block_write_begin_int+0x46c/0x17b0 fs/buffer.c:1978
__block_write_begin fs/buffer.c:2028 [inline]
block_write_begin+0x58/0x2e0 fs/buffer.c:2087
minix_write_begin+0x35/0x220 fs/minix/inode.c:415
generic_perform_write+0x1f8/0x4d0 mm/filemap.c:3162
__generic_file_write_iter+0x24b/0x610 mm/filemap.c:3287
generic_file_write_iter+0x3f8/0x729 mm/filemap.c:3315
call_write_iter include/linux/fs.h:1821 [inline]
new_sync_write fs/read_write.c:474 [inline]
__vfs_write+0x51b/0x770 fs/read_write.c:487
__kernel_write+0x109/0x370 fs/read_write.c:506
do_acct_process+0xcbe/0x10c0 kernel/acct.c:520
slow_acct_process kernel/acct.c:579 [inline]
acct_process+0x49f/0x5e2 kernel/acct.c:605
do_exit+0x15fb/0x2b70 kernel/exit.c:877
do_group_exit+0x125/0x310 kernel/exit.c:990
__do_sys_exit_group kernel/exit.c:1001 [inline]
__se_sys_exit_group kernel/exit.c:999 [inline]
__x64_sys_exit_group+0x3a/0x50 kernel/exit.c:999
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x447dc8
Code: Bad RIP value.
RSP: 002b:00007ffd73729388 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000447dc8
RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
RBP: 00000000004caf10 R08: 00000000000000e7 R09: ffffffffffffffd4
R10: 00007ffd737292a0 R11: 0000000000000246 R12: 0000000000000001
R13: 00000000006e47e0 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 1:
kmem_cache_alloc+0x122/0x370 mm/slab.c:3559
getname_flags+0xce/0x590 fs/namei.c:140
do_sys_open+0x26c/0x520 fs/open.c:1079
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 1:
__cache_free mm/slab.c:3503 [inline]
kmem_cache_free+0x7f/0x260 mm/slab.c:3765
putname+0xe1/0x120 fs/namei.c:261
do_sys_open+0x2ba/0x520 fs/open.c:1094
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff88809546ae80
which belongs to the cache names_cache of size 4096
The buggy address is located 3318 bytes to the left of
4096-byte region [ffff88809546ae80, ffff88809546be80)
The buggy address belongs to the page:
page:ffffea0002551a80 count:1 mapcount:0 mapping:ffff8880aa00ab40 index:0x0 compound_mapcount: 0
flags: 0xfffe0000008100(slab|head)
raw: 00fffe0000008100 ffffea0002526588 ffffea0002510608 ffff8880aa00ab40
raw: 0000000000000000 ffff88809546ae80 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff88809546a080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88809546a100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88809546a180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff88809546a200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88809546a280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================

syzbot

Sep 11, 2020, 11:22:06 AM
to syzkaller...@googlegroups.com
syzbot suspects this issue was fixed by commit:

commit 954fc7da99a9513d5e6b3ccf38f6f7c9af5a276d
Author: Eric Biggers <ebig...@google.com>
Date: Wed Aug 12 01:35:30 2020 +0000

fs/minix: reject too-large maximum file size

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=13afd053900000
start commit: dce0f886 Linux 4.19.132
git tree: linux-4.19.y
If the result looks correct, please mark the issue as fixed by replying with:

#syz fix: fs/minix: reject too-large maximum file size

For information about bisection process see: https://goo.gl/tpsmEJ#bisection