syzbot


KASAN: use-after-free Read in idr_for_each (2)

Status: fixed on 2021/04/19 22:36
Subsystems: io-uring fs
Reported-by: syzbot+12056a09a0311d758e60@syzkaller.appspotmail.com
Fix commit: 61cf93700fe6 io_uring: Convert personality_idr to XArray
First crash: 1263d, last: 1098d
Cause bisection: failed
Fix bisection: fixed by:
commit 61cf93700fe6359552848ed5e3becba6cd760efa
Author: Matthew Wilcox (Oracle) <willy@infradead.org>
Date: Mon Mar 8 14:16:16 2021 +0000

  io_uring: Convert personality_idr to XArray

Discussions (2)
Title Replies (including bot) Last reply
KASAN: use-after-free Read in idr_for_each (2) 3 (8) 2021/04/19 12:09
Re: KASAN: use-after-free Read in idr_for_each (2) 2 (2) 2020/11/30 17:43
Similar bugs (1)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: use-after-free Read in idr_for_each fs io-uring C 4 1295d 1313d 0/26 closed as dup on 2020/08/13 18:43
Last patch testing requests (4)
Created Duration User Patch Repo Result
2021/03/19 10:42 19m asml.silence@gmail.com git://git.kernel.dk/linux-block io_uring-5.12 OK
2021/03/12 12:33 19m mail@anirudhrb.com linux-next OK
2021/03/11 19:27 18m mail@anirudhrb.com upstream report log
2020/12/18 15:47 17m asml.silence@gmail.com git://git.kernel.dk/linux-block dfea9fce29fda6f2f91161677e0e0d9b671bc099 report log

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in radix_tree_next_slot include/linux/radix-tree.h:422 [inline]
BUG: KASAN: use-after-free in idr_for_each+0x206/0x220 lib/idr.c:202
Read of size 8 at addr ffff88803da186b8 by task syz-executor716/4856

CPU: 0 PID: 4856 Comm: syz-executor716 Not tainted 5.11.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x107/0x163 lib/dump_stack.c:120
 print_address_description.constprop.0.cold+0x5b/0x2c6 mm/kasan/report.c:230
 __kasan_report mm/kasan/report.c:396 [inline]
 kasan_report.cold+0x79/0xd5 mm/kasan/report.c:413
 radix_tree_next_slot include/linux/radix-tree.h:422 [inline]
 idr_for_each+0x206/0x220 lib/idr.c:202
 io_ring_ctx_wait_and_kill+0x1bd/0x600 fs/io_uring.c:8795
 io_uring_release+0x3e/0x50 fs/io_uring.c:8820
 __fput+0x283/0x920 fs/file_table.c:280
 task_work_run+0xdd/0x190 kernel/task_work.c:140
 exit_task_work include/linux/task_work.h:30 [inline]
 do_exit+0xc5c/0x2ae0 kernel/exit.c:825
 do_group_exit+0x125/0x310 kernel/exit.c:922
 get_signal+0x427/0x20f0 kernel/signal.c:2773
 arch_do_signal_or_restart+0x2a8/0x1eb0 arch/x86/kernel/signal.c:811
 handle_signal_work kernel/entry/common.c:147 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
 exit_to_user_mode_prepare+0x148/0x250 kernel/entry/common.c:201
 irqentry_exit_to_user_mode+0x5/0x30 kernel/entry/common.c:315
 exc_page_fault+0xc6/0x180 arch/x86/mm/fault.c:1509
 asm_exc_page_fault+0x1e/0x30 arch/x86/include/asm/idtentry.h:580
RIP: 0033:0x401994
Code: Unable to access opcode bytes at RIP 0x40196a.
RSP: 002b:00007ffcab01c3f0 EFLAGS: 00010206
RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000000010
RDX: 0000000000000007 RSI: 0000000000000000 RDI: 00000000000001c0
RBP: 0000000000000000 R08: 0000000020ffc000 R09: 0000000000100140
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000003373e
R13: 00007ffcab01c3fc R14: 00007ffcab01c410 R15: 00007ffcab01c400

Allocated by task 4856:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:401 [inline]
 ____kasan_kmalloc.constprop.0+0x7f/0xa0 mm/kasan/common.c:429
 kasan_slab_alloc include/linux/kasan.h:209 [inline]
 slab_post_alloc_hook mm/slab.h:512 [inline]
 slab_alloc mm/slab.c:3315 [inline]
 kmem_cache_alloc+0x1ab/0x4c0 mm/slab.c:3486
 radix_tree_node_alloc.constprop.0+0x7c/0x350 lib/radix-tree.c:274
 idr_get_free+0x554/0xa60 lib/radix-tree.c:1504
 idr_alloc_u32+0x170/0x2d0 lib/idr.c:46
 idr_alloc_cyclic+0x102/0x230 lib/idr.c:125
 io_register_personality fs/io_uring.c:9873 [inline]
 __io_uring_register fs/io_uring.c:10102 [inline]
 __do_sys_io_uring_register+0x162f/0x4080 fs/io_uring.c:10152
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Freed by task 12:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_set_track+0x1c/0x30 mm/kasan/common.c:46
 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:356
 ____kasan_slab_free+0xb0/0xe0 mm/kasan/common.c:362
 kasan_slab_free include/linux/kasan.h:192 [inline]
 __cache_free mm/slab.c:3424 [inline]
 kmem_cache_free+0x58/0x1c0 mm/slab.c:3697
 rcu_do_batch kernel/rcu/tree.c:2489 [inline]
 rcu_core+0x5eb/0xf00 kernel/rcu/tree.c:2723
 __do_softirq+0x29b/0x9f6 kernel/softirq.c:343

Last potentially related work creation:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_record_aux_stack+0x87/0xb0 mm/kasan/generic.c:344
 __call_rcu kernel/rcu/tree.c:2965 [inline]
 call_rcu+0xbb/0x700 kernel/rcu/tree.c:3038
 radix_tree_node_free lib/radix-tree.c:308 [inline]
 delete_node+0x591/0x8c0 lib/radix-tree.c:571
 __radix_tree_delete+0x190/0x370 lib/radix-tree.c:1377
 radix_tree_delete_item+0xe7/0x230 lib/radix-tree.c:1428
 io_remove_personalities+0x1d/0x170 fs/io_uring.c:8740
 idr_for_each+0x113/0x220 lib/idr.c:208
 io_ring_ctx_wait_and_kill+0x1bd/0x600 fs/io_uring.c:8795
 io_uring_release+0x3e/0x50 fs/io_uring.c:8820
 __fput+0x283/0x920 fs/file_table.c:280
 task_work_run+0xdd/0x190 kernel/task_work.c:140
 exit_task_work include/linux/task_work.h:30 [inline]
 do_exit+0xc5c/0x2ae0 kernel/exit.c:825
 do_group_exit+0x125/0x310 kernel/exit.c:922
 get_signal+0x427/0x20f0 kernel/signal.c:2773
 arch_do_signal_or_restart+0x2a8/0x1eb0 arch/x86/kernel/signal.c:811
 handle_signal_work kernel/entry/common.c:147 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
 exit_to_user_mode_prepare+0x148/0x250 kernel/entry/common.c:201
 irqentry_exit_to_user_mode+0x5/0x30 kernel/entry/common.c:315
 exc_page_fault+0xc6/0x180 arch/x86/mm/fault.c:1509
 asm_exc_page_fault+0x1e/0x30 arch/x86/include/asm/idtentry.h:580

Second to last potentially related work creation:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_record_aux_stack+0x87/0xb0 mm/kasan/generic.c:344
 __call_rcu kernel/rcu/tree.c:2965 [inline]
 call_rcu+0xbb/0x700 kernel/rcu/tree.c:3038
 xa_node_free lib/xarray.c:258 [inline]
 xas_delete_node lib/xarray.c:494 [inline]
 update_node lib/xarray.c:756 [inline]
 xas_store+0xbcc/0x1bb0 lib/xarray.c:841
 __xa_erase lib/xarray.c:1489 [inline]
 xa_erase+0xb0/0x170 lib/xarray.c:1510
 io_uring_del_task_file fs/io_uring.c:9044 [inline]
 io_uring_remove_task_files+0xc8/0x1a0 fs/io_uring.c:9055
 __io_uring_files_cancel+0x15a/0x1b0 fs/io_uring.c:9071
 io_uring_files_cancel include/linux/io_uring.h:51 [inline]
 do_exit+0x2fe/0x2ae0 kernel/exit.c:780
 do_group_exit+0x125/0x310 kernel/exit.c:922
 get_signal+0x427/0x20f0 kernel/signal.c:2773
 arch_do_signal_or_restart+0x2a8/0x1eb0 arch/x86/kernel/signal.c:811
 handle_signal_work kernel/entry/common.c:147 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
 exit_to_user_mode_prepare+0x148/0x250 kernel/entry/common.c:201
 irqentry_exit_to_user_mode+0x5/0x30 kernel/entry/common.c:315
 exc_page_fault+0xc6/0x180 arch/x86/mm/fault.c:1509
 asm_exc_page_fault+0x1e/0x30 arch/x86/include/asm/idtentry.h:580

The buggy address belongs to the object at ffff88803da18680
 which belongs to the cache radix_tree_node of size 576
The buggy address is located 56 bytes inside of
 576-byte region [ffff88803da18680, ffff88803da188c0)
The buggy address belongs to the page:
page:000000006c86c827 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88803da18ffb pfn:0x3da18
flags: 0xfff00000000200(slab)
raw: 00fff00000000200 ffffea0000f685c8 ffffea0000f68688 ffff888010c6f000
raw: ffff88803da18ffb ffff88803da18100 0000000100000005 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88803da18580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88803da18600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88803da18680: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                        ^
 ffff88803da18700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88803da18780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (86):