[v6.1] KASAN: use-after-free Read in generic_perform_write
7 views
Skip to first unread message
syzbot
Sep 11, 2023, 10:51:59 PM9/11/23
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 59b13c2b647e Linux 6.1.52
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=16cae1b4680000
kernel config: https://syzkaller.appspot.com/x/.config?x=9e161b7571806ac8
dashboard link: https://syzkaller.appspot.com/bug?extid=cc11ec9ae925602af228
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/9337ea48258d/disk-59b13c2b.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/baf3218feb51/vmlinux-59b13c2b.xz
kernel image: https://storage.googleapis.com/syzbot-assets/e0faa5f64bea/bzImage-59b13c2b.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+cc11ec...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in copy_page_from_iter_atomic+0x872/0x1100 lib/iov_iter.c:820
Read of size 4096 at addr ffff8880a1040000 by task kworker/u4:3/51
CPU: 0 PID: 51 Comm: kworker/u4:3 Not tainted 6.1.52-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
Workqueue: loop5 loop_workfn
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
print_address_description mm/kasan/report.c:284 [inline]
print_report+0x15f/0x4f0 mm/kasan/report.c:395
kasan_report+0x136/0x160 mm/kasan/report.c:495
kasan_check_range+0x27f/0x290 mm/kasan/generic.c:189
memcpy+0x25/0x60 mm/kasan/shadow.c:65
copy_page_from_iter_atomic+0x872/0x1100 lib/iov_iter.c:820
generic_perform_write+0x36c/0x5e0 mm/filemap.c:3762
__generic_file_write_iter+0x176/0x400 mm/filemap.c:3882
generic_file_write_iter+0xab/0x310 mm/filemap.c:3914
do_iter_write+0x6e6/0xc50 fs/read_write.c:861
lo_write_bvec drivers/block/loop.c:249 [inline]
lo_write_simple drivers/block/loop.c:271 [inline]
do_req_filebacked drivers/block/loop.c:495 [inline]
loop_handle_cmd drivers/block/loop.c:1882 [inline]
loop_process_work+0x13ff/0x2200 drivers/block/loop.c:1917
process_one_work+0x8aa/0x11f0 kernel/workqueue.c:2292
worker_thread+0xa5f/0x1210 kernel/workqueue.c:2439
kthread+0x26e/0x300 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
</TASK>
The buggy address belongs to the physical page:
page:ffffea0002841000 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xa1040
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea0001e6c548 ffffea0001f3a9c8 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x100dc0(GFP_USER|__GFP_ZERO), pid 7970, tgid 7957 (syz-executor.5), ts 309795443051, free_ts 309939044170
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x18d/0x1b0 mm/page_alloc.c:2533
prep_new_page mm/page_alloc.c:2540 [inline]
get_page_from_freelist+0x32ed/0x3480 mm/page_alloc.c:4292
__alloc_pages+0x28d/0x770 mm/page_alloc.c:5559
lbmLogInit fs/jfs/jfs_logmgr.c:1816 [inline]
lmLogInit+0x376/0x1c90 fs/jfs/jfs_logmgr.c:1270
open_inline_log fs/jfs/jfs_logmgr.c:1175 [inline]
lmLogOpen+0x552/0x1030 fs/jfs/jfs_logmgr.c:1069
jfs_mount_rw+0xe3/0x640 fs/jfs/jfs_mount.c:253
jfs_fill_super+0x67d/0xc40 fs/jfs/super.c:565
mount_bdev+0x2c9/0x3f0 fs/super.c:1432
legacy_get_tree+0xeb/0x180 fs/fs_context.c:611
vfs_get_tree+0x88/0x270 fs/super.c:1562
do_new_mount+0x28b/0xae0 fs/namespace.c:3040
do_mount fs/namespace.c:3383 [inline]
__do_sys_mount fs/namespace.c:3591 [inline]
__se_sys_mount+0x2d5/0x3c0 fs/namespace.c:3568
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1460 [inline]
free_pcp_prepare mm/page_alloc.c:1510 [inline]
free_unref_page_prepare+0xf63/0x1120 mm/page_alloc.c:3388
free_unref_page+0x98/0x570 mm/page_alloc.c:3484
lbmLogShutdown fs/jfs/jfs_logmgr.c:1864 [inline]
lmLogShutdown+0x4f8/0x960 fs/jfs/jfs_logmgr.c:1684
lmLogClose+0x293/0x530 fs/jfs/jfs_logmgr.c:1460
jfs_umount+0x298/0x370 fs/jfs/jfs_umount.c:116
jfs_put_super+0x86/0x180 fs/jfs/super.c:194
generic_shutdown_super+0x130/0x340 fs/super.c:501
kill_block_super+0x7a/0xe0 fs/super.c:1459
deactivate_locked_super+0xa0/0x110 fs/super.c:332
cleanup_mnt+0x490/0x520 fs/namespace.c:1186
task_work_run+0x246/0x300 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop+0xd9/0x100 kernel/entry/common.c:171
exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:204
__syscall_exit_to_user_mode_work kernel/entry/common.c:286 [inline]
syscall_exit_to_user_mode+0x60/0x270 kernel/entry/common.c:297
do_syscall_64+0x49/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Memory state around the buggy address:
ffff8880a103ff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff8880a103ff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8880a1040000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff8880a1040080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff8880a1040100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: 59b13c2b647e Linux 6.1.52
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=16cae1b4680000
kernel config: https://syzkaller.appspot.com/x/.config?x=9e161b7571806ac8
dashboard link: https://syzkaller.appspot.com/bug?extid=cc11ec9ae925602af228
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/9337ea48258d/disk-59b13c2b.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/baf3218feb51/vmlinux-59b13c2b.xz
kernel image: https://storage.googleapis.com/syzbot-assets/e0faa5f64bea/bzImage-59b13c2b.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+cc11ec...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in copy_page_from_iter_atomic+0x872/0x1100 lib/iov_iter.c:820
Read of size 4096 at addr ffff8880a1040000 by task kworker/u4:3/51
CPU: 0 PID: 51 Comm: kworker/u4:3 Not tainted 6.1.52-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
Workqueue: loop5 loop_workfn
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
print_address_description mm/kasan/report.c:284 [inline]
print_report+0x15f/0x4f0 mm/kasan/report.c:395
kasan_report+0x136/0x160 mm/kasan/report.c:495
kasan_check_range+0x27f/0x290 mm/kasan/generic.c:189
memcpy+0x25/0x60 mm/kasan/shadow.c:65
copy_page_from_iter_atomic+0x872/0x1100 lib/iov_iter.c:820
generic_perform_write+0x36c/0x5e0 mm/filemap.c:3762
__generic_file_write_iter+0x176/0x400 mm/filemap.c:3882
generic_file_write_iter+0xab/0x310 mm/filemap.c:3914
do_iter_write+0x6e6/0xc50 fs/read_write.c:861
lo_write_bvec drivers/block/loop.c:249 [inline]
lo_write_simple drivers/block/loop.c:271 [inline]
do_req_filebacked drivers/block/loop.c:495 [inline]
loop_handle_cmd drivers/block/loop.c:1882 [inline]
loop_process_work+0x13ff/0x2200 drivers/block/loop.c:1917
process_one_work+0x8aa/0x11f0 kernel/workqueue.c:2292
worker_thread+0xa5f/0x1210 kernel/workqueue.c:2439
kthread+0x26e/0x300 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
</TASK>
The buggy address belongs to the physical page:
page:ffffea0002841000 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xa1040
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea0001e6c548 ffffea0001f3a9c8 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x100dc0(GFP_USER|__GFP_ZERO), pid 7970, tgid 7957 (syz-executor.5), ts 309795443051, free_ts 309939044170
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x18d/0x1b0 mm/page_alloc.c:2533
prep_new_page mm/page_alloc.c:2540 [inline]
get_page_from_freelist+0x32ed/0x3480 mm/page_alloc.c:4292
__alloc_pages+0x28d/0x770 mm/page_alloc.c:5559
lbmLogInit fs/jfs/jfs_logmgr.c:1816 [inline]
lmLogInit+0x376/0x1c90 fs/jfs/jfs_logmgr.c:1270
open_inline_log fs/jfs/jfs_logmgr.c:1175 [inline]
lmLogOpen+0x552/0x1030 fs/jfs/jfs_logmgr.c:1069
jfs_mount_rw+0xe3/0x640 fs/jfs/jfs_mount.c:253
jfs_fill_super+0x67d/0xc40 fs/jfs/super.c:565
mount_bdev+0x2c9/0x3f0 fs/super.c:1432
legacy_get_tree+0xeb/0x180 fs/fs_context.c:611
vfs_get_tree+0x88/0x270 fs/super.c:1562
do_new_mount+0x28b/0xae0 fs/namespace.c:3040
do_mount fs/namespace.c:3383 [inline]
__do_sys_mount fs/namespace.c:3591 [inline]
__se_sys_mount+0x2d5/0x3c0 fs/namespace.c:3568
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1460 [inline]
free_pcp_prepare mm/page_alloc.c:1510 [inline]
free_unref_page_prepare+0xf63/0x1120 mm/page_alloc.c:3388
free_unref_page+0x98/0x570 mm/page_alloc.c:3484
lbmLogShutdown fs/jfs/jfs_logmgr.c:1864 [inline]
lmLogShutdown+0x4f8/0x960 fs/jfs/jfs_logmgr.c:1684
lmLogClose+0x293/0x530 fs/jfs/jfs_logmgr.c:1460
jfs_umount+0x298/0x370 fs/jfs/jfs_umount.c:116
jfs_put_super+0x86/0x180 fs/jfs/super.c:194
generic_shutdown_super+0x130/0x340 fs/super.c:501
kill_block_super+0x7a/0xe0 fs/super.c:1459
deactivate_locked_super+0xa0/0x110 fs/super.c:332
cleanup_mnt+0x490/0x520 fs/namespace.c:1186
task_work_run+0x246/0x300 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop+0xd9/0x100 kernel/entry/common.c:171
exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:204
__syscall_exit_to_user_mode_work kernel/entry/common.c:286 [inline]
syscall_exit_to_user_mode+0x60/0x270 kernel/entry/common.c:297
do_syscall_64+0x49/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Memory state around the buggy address:
ffff8880a103ff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff8880a103ff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8880a1040000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff8880a1040080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff8880a1040100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot
Sep 14, 2023, 1:41:19 PM9/14/23
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following issue on:
HEAD commit: 09045dae0d90 Linux 6.1.53
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=16057038680000
kernel config: https://syzkaller.appspot.com/x/.config?x=195b6ef285251409
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/c3b1bb820e74/disk-09045dae.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/4c5cfb0563d9/vmlinux-09045dae.xz
kernel image: https://storage.googleapis.com/syzbot-assets/c682edb60d96/bzImage-09045dae.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/5debede81b78/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+cc11ec...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in copy_page_from_iter_atomic+0x872/0x1100 lib/iov_iter.c:820
Read of size 4096 at addr ffff888020dc4000 by task kworker/u4:0/3658
CPU: 0 PID: 3658 Comm: kworker/u4:0 Not tainted 6.1.53-syzkaller #0
page:ffffea0000837100 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x20dc4
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 0000000000000000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x100cc0(GFP_USER), pid 4967, tgid 4967 (syz-executor.3), ts 1183111175123, free_ts 1183060115080
kasan_populate_vmalloc_pte+0x35/0xf0 mm/kasan/shadow.c:271
apply_to_pte_range mm/memory.c:2635 [inline]
apply_to_pmd_range mm/memory.c:2679 [inline]
apply_to_pud_range mm/memory.c:2715 [inline]
apply_to_p4d_range mm/memory.c:2751 [inline]
__apply_to_page_range+0x9c5/0xcc0 mm/memory.c:2785
alloc_vmap_area+0x1977/0x1ac0 mm/vmalloc.c:1646
__get_vm_area_node+0x16c/0x360 mm/vmalloc.c:2505
__vmalloc_node_range+0x394/0x1460 mm/vmalloc.c:3183
alloc_thread_stack_node kernel/fork.c:311 [inline]
dup_task_struct+0x3e5/0x6d0 kernel/fork.c:980
copy_process+0x637/0x4020 kernel/fork.c:2090
kernel_clone+0x222/0x920 kernel/fork.c:2674
__do_sys_clone3 kernel/fork.c:2973 [inline]
__se_sys_clone3+0x373/0x410 kernel/fork.c:2957
reconfigure_super+0x43a/0x870 fs/super.c:966
vfs_fsconfig_locked fs/fsopen.c:254 [inline]
__do_sys_fsconfig fs/fsopen.c:439 [inline]
__se_sys_fsconfig+0x98b/0xec0 fs/fsopen.c:314
ffff888020dc3f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888020dc4000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
^
ffff888020dc4080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888020dc4100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
HEAD commit: 09045dae0d90 Linux 6.1.53
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=16057038680000
kernel config: https://syzkaller.appspot.com/x/.config?x=195b6ef285251409
dashboard link: https://syzkaller.appspot.com/bug?extid=cc11ec9ae925602af228
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14c21bbfa80000
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/c3b1bb820e74/disk-09045dae.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/4c5cfb0563d9/vmlinux-09045dae.xz
kernel image: https://storage.googleapis.com/syzbot-assets/c682edb60d96/bzImage-09045dae.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/5debede81b78/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+cc11ec...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in copy_page_from_iter_atomic+0x872/0x1100 lib/iov_iter.c:820
CPU: 0 PID: 3658 Comm: kworker/u4:0 Not tainted 6.1.53-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
Workqueue: loop4 loop_workfn
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 0000000000000000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x100cc0(GFP_USER), pid 4967, tgid 4967 (syz-executor.3), ts 1183111175123, free_ts 1183060115080
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x18d/0x1b0 mm/page_alloc.c:2533
prep_new_page mm/page_alloc.c:2540 [inline]
get_page_from_freelist+0x32ed/0x3480 mm/page_alloc.c:4292
__alloc_pages+0x28d/0x770 mm/page_alloc.c:5559
__get_free_pages+0x8/0x30 mm/page_alloc.c:5609
post_alloc_hook+0x18d/0x1b0 mm/page_alloc.c:2533
prep_new_page mm/page_alloc.c:2540 [inline]
get_page_from_freelist+0x32ed/0x3480 mm/page_alloc.c:4292
__alloc_pages+0x28d/0x770 mm/page_alloc.c:5559
kasan_populate_vmalloc_pte+0x35/0xf0 mm/kasan/shadow.c:271
apply_to_pte_range mm/memory.c:2635 [inline]
apply_to_pmd_range mm/memory.c:2679 [inline]
apply_to_pud_range mm/memory.c:2715 [inline]
apply_to_p4d_range mm/memory.c:2751 [inline]
__apply_to_page_range+0x9c5/0xcc0 mm/memory.c:2785
alloc_vmap_area+0x1977/0x1ac0 mm/vmalloc.c:1646
__get_vm_area_node+0x16c/0x360 mm/vmalloc.c:2505
__vmalloc_node_range+0x394/0x1460 mm/vmalloc.c:3183
alloc_thread_stack_node kernel/fork.c:311 [inline]
dup_task_struct+0x3e5/0x6d0 kernel/fork.c:980
copy_process+0x637/0x4020 kernel/fork.c:2090
kernel_clone+0x222/0x920 kernel/fork.c:2674
__do_sys_clone3 kernel/fork.c:2973 [inline]
__se_sys_clone3+0x373/0x410 kernel/fork.c:2957
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1460 [inline]
free_pcp_prepare mm/page_alloc.c:1510 [inline]
free_unref_page_prepare+0xf63/0x1120 mm/page_alloc.c:3388
free_unref_page+0x98/0x570 mm/page_alloc.c:3484
lbmLogShutdown fs/jfs/jfs_logmgr.c:1864 [inline]
lmLogShutdown+0x4f8/0x960 fs/jfs/jfs_logmgr.c:1684
lmLogClose+0x293/0x530 fs/jfs/jfs_logmgr.c:1460
jfs_remount+0x431/0x6a0 fs/jfs/super.c:466
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1460 [inline]
free_pcp_prepare mm/page_alloc.c:1510 [inline]
free_unref_page_prepare+0xf63/0x1120 mm/page_alloc.c:3388
free_unref_page+0x98/0x570 mm/page_alloc.c:3484
lbmLogShutdown fs/jfs/jfs_logmgr.c:1864 [inline]
lmLogShutdown+0x4f8/0x960 fs/jfs/jfs_logmgr.c:1684
lmLogClose+0x293/0x530 fs/jfs/jfs_logmgr.c:1460
reconfigure_super+0x43a/0x870 fs/super.c:966
vfs_fsconfig_locked fs/fsopen.c:254 [inline]
__do_sys_fsconfig fs/fsopen.c:439 [inline]
__se_sys_fsconfig+0x98b/0xec0 fs/fsopen.c:314
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Memory state around the buggy address:
ffff888020dc3f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888020dc3f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888020dc4000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
^
ffff888020dc4080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888020dc4100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
syzbot
Dec 2, 2023, 11:30:20 PM12/2/23
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following issue on:
HEAD commit: 6ac30d748bb0 Linux 6.1.64
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1429fbaae80000
kernel config: https://syzkaller.appspot.com/x/.config?x=beed2108229c44d7
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16d0358ce80000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=157bcf64e80000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/046a5345b629/disk-6ac30d74.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/64ee5e3e0403/vmlinux-6ac30d74.xz
kernel image: https://storage.googleapis.com/syzbot-assets/604c5f1b0b58/Image-6ac30d74.gz.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/a354fd9c1328/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+cc11ec...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: slab-out-of-bounds in copy_page_from_iter_atomic+0x9a4/0x1104 lib/iov_iter.c:820
Read of size 2048 at addr ffff0000cf71c800 by task kworker/u4:0/9
CPU: 1 PID: 9 Comm: kworker/u4:0 Not tainted 6.1.64-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
Workqueue: loop0 loop_rootcg_workfn
Call trace:
dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:158
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:284 [inline]
print_report+0x174/0x4c0 mm/kasan/report.c:395
kasan_report+0xd4/0x130 mm/kasan/report.c:495
kasan_check_range+0x264/0x2a4 mm/kasan/generic.c:189
memcpy+0x48/0x90 mm/kasan/shadow.c:65
copy_page_from_iter_atomic+0x9a4/0x1104 lib/iov_iter.c:820
generic_perform_write+0x2fc/0x55c mm/filemap.c:3816
__generic_file_write_iter+0x168/0x388 mm/filemap.c:3936
generic_file_write_iter+0xb8/0x2b4 mm/filemap.c:3968
do_iter_write+0x534/0x964 fs/read_write.c:861
vfs_iter_write+0x88/0xac fs/read_write.c:902
loop_rootcg_workfn+0x28/0x38 drivers/block/loop.c:1948
process_one_work+0x7ac/0x1404 kernel/workqueue.c:2292
worker_thread+0x8e4/0xfec kernel/workqueue.c:2439
kthread+0x250/0x2d8 kernel/kthread.c:376
ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:864
Allocated by task 4221:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4c/0x80 mm/kasan/common.c:52
kasan_save_alloc_info+0x24/0x30 mm/kasan/generic.c:505
____kasan_kmalloc mm/kasan/common.c:374 [inline]
__kasan_kmalloc+0xac/0xc4 mm/kasan/common.c:383
kasan_kmalloc include/linux/kasan.h:211 [inline]
__do_kmalloc_node mm/slab_common.c:955 [inline]
__kmalloc+0xd8/0x1c4 mm/slab_common.c:968
kmalloc include/linux/slab.h:558 [inline]
hfsplus_read_wrapper+0x3ac/0xfcc fs/hfsplus/wrapper.c:178
hfsplus_fill_super+0x2f0/0x166c fs/hfsplus/super.c:413
mount_bdev+0x274/0x370 fs/super.c:1432
hfsplus_mount+0x44/0x58 fs/hfsplus/super.c:641
legacy_get_tree+0xd4/0x16c fs/fs_context.c:632
vfs_get_tree+0x90/0x274 fs/super.c:1562
do_new_mount+0x25c/0x8c4 fs/namespace.c:3040
path_mount+0x590/0xe5c fs/namespace.c:3370
__arm64_sys_mount+0x45c/0x594 fs/namespace.c:3568
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x64/0x218 arch/arm64/kernel/syscall.c:206
el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585
The buggy address belongs to the object at ffff0000cf71c800
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 0 bytes inside of
512-byte region [ffff0000cf71c800, ffff0000cf71ca00)
The buggy address belongs to the physical page:
page:000000009475095a refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10f71c
head:000000009475095a order:2 compound_mapcount:0 compound_pincount:0
flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000010200 0000000000000000 dead000000000001 ffff0000c0002600
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
ffff0000cf71c980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff0000cf71ca00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff0000cf71ca80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff0000cf71cb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
HEAD commit: 6ac30d748bb0 Linux 6.1.64
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1429fbaae80000
kernel config: https://syzkaller.appspot.com/x/.config?x=beed2108229c44d7
dashboard link: https://syzkaller.appspot.com/bug?extid=cc11ec9ae925602af228
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16d0358ce80000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=157bcf64e80000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/046a5345b629/disk-6ac30d74.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/64ee5e3e0403/vmlinux-6ac30d74.xz
kernel image: https://storage.googleapis.com/syzbot-assets/604c5f1b0b58/Image-6ac30d74.gz.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/a354fd9c1328/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+cc11ec...@syzkaller.appspotmail.com
==================================================================
Read of size 2048 at addr ffff0000cf71c800 by task kworker/u4:0/9
CPU: 1 PID: 9 Comm: kworker/u4:0 Not tainted 6.1.64-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
Workqueue: loop0 loop_rootcg_workfn
Call trace:
dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:158
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:284 [inline]
print_report+0x174/0x4c0 mm/kasan/report.c:395
kasan_report+0xd4/0x130 mm/kasan/report.c:495
kasan_check_range+0x264/0x2a4 mm/kasan/generic.c:189
memcpy+0x48/0x90 mm/kasan/shadow.c:65
copy_page_from_iter_atomic+0x9a4/0x1104 lib/iov_iter.c:820
generic_perform_write+0x2fc/0x55c mm/filemap.c:3816
__generic_file_write_iter+0x168/0x388 mm/filemap.c:3936
generic_file_write_iter+0xb8/0x2b4 mm/filemap.c:3968
do_iter_write+0x534/0x964 fs/read_write.c:861
vfs_iter_write+0x88/0xac fs/read_write.c:902
lo_write_bvec drivers/block/loop.c:249 [inline]
lo_write_simple drivers/block/loop.c:271 [inline]
do_req_filebacked drivers/block/loop.c:495 [inline]
loop_handle_cmd drivers/block/loop.c:1882 [inline]
loop_process_work+0x15b4/0x24a4 drivers/block/loop.c:1917
lo_write_simple drivers/block/loop.c:271 [inline]
do_req_filebacked drivers/block/loop.c:495 [inline]
loop_handle_cmd drivers/block/loop.c:1882 [inline]
loop_rootcg_workfn+0x28/0x38 drivers/block/loop.c:1948
process_one_work+0x7ac/0x1404 kernel/workqueue.c:2292
worker_thread+0x8e4/0xfec kernel/workqueue.c:2439
kthread+0x250/0x2d8 kernel/kthread.c:376
ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:864
Allocated by task 4221:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4c/0x80 mm/kasan/common.c:52
kasan_save_alloc_info+0x24/0x30 mm/kasan/generic.c:505
____kasan_kmalloc mm/kasan/common.c:374 [inline]
__kasan_kmalloc+0xac/0xc4 mm/kasan/common.c:383
kasan_kmalloc include/linux/kasan.h:211 [inline]
__do_kmalloc_node mm/slab_common.c:955 [inline]
__kmalloc+0xd8/0x1c4 mm/slab_common.c:968
kmalloc include/linux/slab.h:558 [inline]
hfsplus_read_wrapper+0x3ac/0xfcc fs/hfsplus/wrapper.c:178
hfsplus_fill_super+0x2f0/0x166c fs/hfsplus/super.c:413
mount_bdev+0x274/0x370 fs/super.c:1432
hfsplus_mount+0x44/0x58 fs/hfsplus/super.c:641
legacy_get_tree+0xd4/0x16c fs/fs_context.c:632
vfs_get_tree+0x90/0x274 fs/super.c:1562
do_new_mount+0x25c/0x8c4 fs/namespace.c:3040
path_mount+0x590/0xe5c fs/namespace.c:3370
do_mount fs/namespace.c:3383 [inline]
__do_sys_mount fs/namespace.c:3591 [inline]
__se_sys_mount fs/namespace.c:3568 [inline]
__do_sys_mount fs/namespace.c:3591 [inline]
__arm64_sys_mount+0x45c/0x594 fs/namespace.c:3568
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x64/0x218 arch/arm64/kernel/syscall.c:206
el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585
The buggy address belongs to the object at ffff0000cf71c800
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 0 bytes inside of
512-byte region [ffff0000cf71c800, ffff0000cf71ca00)
The buggy address belongs to the physical page:
head:000000009475095a order:2 compound_mapcount:0 compound_pincount:0
flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000010200 0000000000000000 dead000000000001 ffff0000c0002600
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff0000cf71c900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff0000cf71c980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff0000cf71ca00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff0000cf71ca80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff0000cf71cb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
Reply all
Reply to author
Forward
0 new messages