[moderation] [fuse?] KASAN: slab-use-after-free Read in fuse_copy_do


syzbot

2:07 AM (18 hours ago)
to syzkaller-upst...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 92e3f6ef4ffb Merge branch 'for-next/core' into for-kernelci
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=117200d6580000
kernel config: https://syzkaller.appspot.com/x/.config?x=a4a42e870a0b0ae0
dashboard link: https://syzkaller.appspot.com/bug?extid=5373c08d744f8fe8f41f
compiler: Debian clang version 22.1.6 (++20260514074242+fc4aad7b5db3-1~exp1~20260514074407.73), Debian LLD 22.1.6
userspace arch: arm64
CC: [linux-...@vger.kernel.org linux-...@vger.kernel.org mik...@szeredi.hu]

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/75ce25b4a6ef/disk-92e3f6ef.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/14bda28d7d38/vmlinux-92e3f6ef.xz
kernel image: https://storage.googleapis.com/syzbot-assets/247283a18992/Image-92e3f6ef.gz.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+5373c0...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: slab-use-after-free in fuse_copy_do+0x1a0/0x38c fs/fuse/dev.c:-1
Read of size 64 at addr ffff0000cbe00888 by task syz.7.1148/9889

CPU: 1 UID: 0 PID: 9889 Comm: syz.7.1148 Tainted: G L syzkaller #0 PREEMPT
Tainted: [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/02/2026
Call trace:
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:499 (C)
__dump_stack+0x30/0x40 lib/dump_stack.c:94
dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120
print_address_description+0xb0/0x238 mm/kasan/report.c:378
print_report+0x68/0x84 mm/kasan/report.c:482
kasan_report+0x8c/0xc4 mm/kasan/report.c:595
check_region_inline mm/kasan/generic.c:-1 [inline]
kasan_check_range+0x17c/0x1ac mm/kasan/generic.c:200
__asan_memcpy+0x3c/0x84 mm/kasan/shadow.c:105
fuse_copy_do+0x1a0/0x38c fs/fuse/dev.c:-1
fuse_copy_one+0xc4/0x130 fs/fuse/dev.c:1215
fuse_copy_args+0x2a8/0x398 fs/fuse/dev.c:1233
fuse_dev_do_read+0xac8/0xfe8 fs/fuse/dev.c:1507
fuse_dev_read+0x140/0x1c8 fs/fuse/dev.c:1586
new_sync_read fs/read_write.c:493 [inline]
vfs_read+0x498/0x8c8 fs/read_write.c:574
ksys_read+0x12c/0x228 fs/read_write.c:717
__do_sys_read fs/read_write.c:726 [inline]
__se_sys_read fs/read_write.c:724 [inline]
__arm64_sys_read+0x7c/0x90 fs/read_write.c:724
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x98/0x244 arch/arm64/kernel/syscall.c:49
el0_svc_common+0xec/0x23c arch/arm64/kernel/syscall.c:121
do_el0_svc+0x4c/0x5c arch/arm64/kernel/syscall.c:140
el0_svc+0x64/0x260 arch/arm64/kernel/entry-common.c:736
el0t_64_sync_handler+0x48/0x148 arch/arm64/kernel/entry-common.c:755
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:594

Allocated by task 9885:
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x40/0x78 mm/kasan/common.c:78
kasan_save_alloc_info+0x44/0x54 mm/kasan/generic.c:570
poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
__kasan_kmalloc+0x9c/0xb4 mm/kasan/common.c:415
kasan_kmalloc include/linux/kasan.h:263 [inline]
__kmalloc_cache_noprof+0x2d4/0x624 mm/slub.c:5420
kmalloc_noprof include/linux/slab.h:950 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
fuse_new_init fs/fuse/inode.c:1519 [inline]
fuse_send_init+0x64/0x630 fs/fuse/inode.c:1579
fuse_fill_super+0x100/0x124 fs/fuse/inode.c:1990
vfs_get_super+0xb8/0x148 fs/super.c:1327
get_tree_nodev+0x2c/0x3c fs/super.c:1346
fuse_get_tree+0x240/0x324 fs/fuse/inode.c:2055
vfs_get_tree+0x90/0x28c fs/super.c:1754
fc_mount+0x24/0xac fs/namespace.c:1193
do_new_mount_fc fs/namespace.c:3758 [inline]
do_new_mount+0x2a4/0x538 fs/namespace.c:3834
path_mount+0x5f0/0xa88 fs/namespace.c:4154
do_mount+0xe8/0x148 fs/namespace.c:4167
__do_sys_mount fs/namespace.c:4383 [inline]
__se_sys_mount fs/namespace.c:4360 [inline]
__arm64_sys_mount+0x334/0x380 fs/namespace.c:4360
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x98/0x244 arch/arm64/kernel/syscall.c:49
el0_svc_common+0xec/0x23c arch/arm64/kernel/syscall.c:121
do_el0_svc+0x4c/0x5c arch/arm64/kernel/syscall.c:140
el0_svc+0x64/0x260 arch/arm64/kernel/entry-common.c:736
el0t_64_sync_handler+0x48/0x148 arch/arm64/kernel/entry-common.c:755
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:594

Freed by task 9885:
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x40/0x78 mm/kasan/common.c:78
kasan_save_free_info+0x58/0x70 mm/kasan/generic.c:584
poison_slab_object mm/kasan/common.c:253 [inline]
__kasan_slab_free+0x74/0xa4 mm/kasan/common.c:285
kasan_slab_free include/linux/kasan.h:235 [inline]
slab_free_hook mm/slub.c:2689 [inline]
slab_free mm/slub.c:6251 [inline]
kfree+0x188/0x690 mm/slub.c:6566
process_init_reply+0xdc/0x1b30 fs/fuse/inode.c:1503
fuse_send_init+0x378/0x630 fs/fuse/inode.c:1594
fuse_fill_super+0x100/0x124 fs/fuse/inode.c:1990
vfs_get_super+0xb8/0x148 fs/super.c:1327
get_tree_nodev+0x2c/0x3c fs/super.c:1346
fuse_get_tree+0x240/0x324 fs/fuse/inode.c:2055
vfs_get_tree+0x90/0x28c fs/super.c:1754
fc_mount+0x24/0xac fs/namespace.c:1193
do_new_mount_fc fs/namespace.c:3758 [inline]
do_new_mount+0x2a4/0x538 fs/namespace.c:3834
path_mount+0x5f0/0xa88 fs/namespace.c:4154
do_mount+0xe8/0x148 fs/namespace.c:4167
__do_sys_mount fs/namespace.c:4383 [inline]
__se_sys_mount fs/namespace.c:4360 [inline]
__arm64_sys_mount+0x334/0x380 fs/namespace.c:4360
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x98/0x244 arch/arm64/kernel/syscall.c:49
el0_svc_common+0xec/0x23c arch/arm64/kernel/syscall.c:121
do_el0_svc+0x4c/0x5c arch/arm64/kernel/syscall.c:140
el0_svc+0x64/0x260 arch/arm64/kernel/entry-common.c:736
el0t_64_sync_handler+0x48/0x148 arch/arm64/kernel/entry-common.c:755
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:594

The buggy address belongs to the object at ffff0000cbe00800
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 136 bytes inside of
freed 512-byte region [ffff0000cbe00800, ffff0000cbe00a00)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10be00
head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x5ffc00000000040(head|node=0|zone=2|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 05ffc00000000040 ffff0000c0001c80 dead000000000100 dead000000000122
raw: 0000000000000000 0000000800100010 00000000f5000000 0000000000000000
head: 05ffc00000000040 ffff0000c0001c80 dead000000000100 dead000000000122
head: 0000000000000000 0000000800100010 00000000f5000000 0000000000000000
head: 05ffc00000000002 fffffdffc32f8001 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff0000cbe00780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff0000cbe00800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff0000cbe00880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff0000cbe00900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff0000cbe00980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup