syzbot

 sign-in | mailing list | source | docs
🐞 Open [196] 🐞 Fixed [42] 🐞 Invalid [470] 📈 Kernel Health 📈 Bugs/Month 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes 💬 Send us feedback

KASAN: use-after-free Read in shmem_fault

Status: auto-closed as invalid on 2019/06/10 04:57
Reported-by: syzbot+28f55cd2f08f3b885106@syzkaller.appspotmail.com
First crash: 2010d, last: 2010d
Similar bugs (4)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: use-after-free Read in shmem_fault (2) mm 5 1688d 1749d 15/28 fixed on 2019/12/13 00:31
upstream KASAN: use-after-free Read in shmem_fault mm 3 1878d 1944d 0/28 closed as invalid on 2019/08/22 04:16
linux-4.19 KASAN: use-after-free Read in shmem_fault 1 1870d 1870d 0/1 auto-closed as invalid on 2019/10/25 08:45
linux-4.19 KASAN: use-after-free Read in shmem_fault (2) syz error 3 1632d 1636d 0/1 auto-obsoleted due to no activity on 2022/08/26 18:49

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in trace_event_get_offsets_lock_acquire include/trace/events/lock.h:12 [inline]
BUG: KASAN: use-after-free in perf_trace_lock_acquire+0x458/0x530 include/trace/events/lock.h:12
Read of size 8 at addr ffff8801cdc7de28 by task syz-executor3/7584

CPU: 0 PID: 7584 Comm: syz-executor3 Not tainted 4.9.144+ #79
 ffff8801a252f600 ffffffff81b43b89 ffffea0007371f00 ffff8801cdc7de28
 0000000000000000 ffff8801cdc7de28 0000000000000000 ffff8801a252f638
 ffffffff81500c38 ffff8801cdc7de28 0000000000000008 0000000000000000
Call Trace:
 [<ffffffff81b43b89>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81b43b89>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff81500c38>] print_address_description+0x6c/0x234 mm/kasan/report.c:256
 [<ffffffff81501042>] kasan_report_error mm/kasan/report.c:355 [inline]
 [<ffffffff81501042>] kasan_report.cold.6+0x242/0x2fe mm/kasan/report.c:412
 [<ffffffff814f32f4>] __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
 [<ffffffff811ff2c8>] trace_event_get_offsets_lock_acquire include/trace/events/lock.h:12 [inline]
 [<ffffffff811ff2c8>] perf_trace_lock_acquire+0x458/0x530 include/trace/events/lock.h:12
 [<ffffffff8120cb99>] trace_lock_acquire include/trace/events/lock.h:12 [inline]
 [<ffffffff8120cb99>] lock_acquire+0x299/0x3e0 kernel/locking/lockdep.c:3755
 [<ffffffff82818086>] __raw_spin_lock include/linux/spinlock_api_smp.h:144 [inline]
 [<ffffffff82818086>] _raw_spin_lock+0x36/0x50 kernel/locking/spinlock.c:151
 [<ffffffff81462c31>] spin_lock include/linux/spinlock.h:302 [inline]
 [<ffffffff81462c31>] shmem_fault+0x4d1/0x6d0 mm/shmem.c:1952
 [<ffffffff81493173>] __do_fault+0x223/0x500 mm/memory.c:2833
 [<ffffffff814a3916>] do_read_fault mm/memory.c:3180 [inline]
 [<ffffffff814a3916>] do_fault mm/memory.c:3315 [inline]
 [<ffffffff814a3916>] handle_pte_fault mm/memory.c:3516 [inline]
 [<ffffffff814a3916>] __handle_mm_fault mm/memory.c:3603 [inline]
 [<ffffffff814a3916>] handle_mm_fault+0x1326/0x2350 mm/memory.c:3640
 [<ffffffff81490686>] faultin_page mm/gup.c:386 [inline]
 [<ffffffff81490686>] __get_user_pages+0x446/0xf80 mm/gup.c:588
 [<ffffffff81491fea>] populate_vma_page_range+0x19a/0x230 mm/gup.c:1106
 [<ffffffff81492257>] __mm_populate+0x1d7/0x320 mm/gup.c:1154
 [<ffffffff8146a1d5>] mm_populate include/linux/mm.h:2041 [inline]
 [<ffffffff8146a1d5>] vm_mmap_pgoff+0x195/0x1b0 mm/util.c:333
 [<ffffffff814af842>] SYSC_mmap_pgoff mm/mmap.c:1555 [inline]
 [<ffffffff814af842>] SyS_mmap_pgoff+0x152/0x1b0 mm/mmap.c:1513
 [<ffffffff8105d476>] SYSC_mmap arch/x86/kernel/sys_x86_64.c:96 [inline]
 [<ffffffff8105d476>] SyS_mmap+0x16/0x20 arch/x86/kernel/sys_x86_64.c:87
 [<ffffffff810056ef>] do_syscall_64+0x19f/0x550 arch/x86/entry/common.c:285
 [<ffffffff82818cd3>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb

Allocated by task 7584:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack mm/kasan/kasan.c:505 [inline]
 set_track mm/kasan/kasan.c:517 [inline]
 kasan_kmalloc.part.1+0x62/0xf0 mm/kasan/kasan.c:609
 kasan_kmalloc+0xaf/0xc0 mm/kasan/kasan.c:594
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:547
 slab_post_alloc_hook mm/slab.h:417 [inline]
 slab_alloc_node mm/slub.c:2715 [inline]
 slab_alloc mm/slub.c:2723 [inline]
 kmem_cache_alloc+0xd5/0x2b0 mm/slub.c:2728
 shmem_alloc_inode+0x1b/0x40 mm/shmem.c:3655
 alloc_inode+0x63/0x180 fs/inode.c:207
 new_inode_pseudo+0x17/0xe0 fs/inode.c:890
 new_inode+0x1c/0x40 fs/inode.c:919
 shmem_get_inode+0x6f/0x6c0 mm/shmem.c:2126
 __shmem_file_setup.part.13+0x33a/0x420 mm/shmem.c:4033
 __shmem_file_setup mm/shmem.c:4109 [inline]
 shmem_zero_setup+0xb5/0x1d0 mm/shmem.c:4109
 mmap_region+0xcad/0xf90 mm/mmap.c:1742
 do_mmap+0x53d/0xbb0 mm/mmap.c:1505
 do_mmap_pgoff include/linux/mm.h:2032 [inline]
 vm_mmap_pgoff+0x168/0x1b0 mm/util.c:329
 SYSC_mmap_pgoff mm/mmap.c:1555 [inline]
 SyS_mmap_pgoff+0x152/0x1b0 mm/mmap.c:1513
 SYSC_mmap arch/x86/kernel/sys_x86_64.c:96 [inline]
 SyS_mmap+0x16/0x20 arch/x86/kernel/sys_x86_64.c:87
 do_syscall_64+0x19f/0x550 arch/x86/entry/common.c:285
 entry_SYSCALL_64_after_swapgs+0x5d/0xdb

Freed by task 7590:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack mm/kasan/kasan.c:505 [inline]
 set_track mm/kasan/kasan.c:517 [inline]
 kasan_slab_free+0xac/0x190 mm/kasan/kasan.c:582
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kmem_cache_free+0xbe/0x310 mm/slub.c:2980
 shmem_destroy_callback+0x5a/0xa0 mm/shmem.c:3666
 __rcu_reclaim kernel/rcu/rcu.h:118 [inline]
 rcu_do_batch kernel/rcu/tree.c:2789 [inline]
 invoke_rcu_callbacks kernel/rcu/tree.c:3053 [inline]
 __rcu_process_callbacks kernel/rcu/tree.c:3020 [inline]
 rcu_process_callbacks+0x8ae/0x12b0 kernel/rcu/tree.c:3037
 __do_softirq+0x20e/0x964 kernel/softirq.c:288

The buggy address belongs to the object at ffff8801cdc7dcb0
 which belongs to the cache shmem_inode_cache of size 1096
The buggy address is located 376 bytes inside of
 1096-byte region [ffff8801cdc7dcb0, ffff8801cdc7e0f8)
The buggy address belongs to the page:
page:ffffea0007371f00 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
flags: 0x4000000000004080(slab|head)
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801cdc7dd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801cdc7dd80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8801cdc7de00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                  ^
 ffff8801cdc7de80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801cdc7df00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (1):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2018/12/12 04:56 https://android.googlesource.com/kernel/common android-4.9 605e2ec6d679 7795ae03 .config console log report ci-android-49-kasan-gce-root
* Struck through repros no longer work on HEAD.