KASAN: use-after-free Read in vma_interval_tree

Kernel	Title	Repro	Cause bisect	Fix bisect	Count	Last	Reported	Patched	Status
android-5-15	KASAN: use-after-free Read in vma_interval_tree_insert (2)				1	363d	363d	0/2	auto-obsoleted due to no activity on 2024/02/21 22:06

==================================================================
BUG: KASAN: use-after-free in __rb_insert lib/rbtree.c:115 [inline]
BUG: KASAN: use-after-free in __rb_insert_augmented+0xaa/0x670 lib/rbtree.c:459
Read of size 8 at addr ffff8881c0000008 by task syz-executor.0/17308

CPU: 0 PID: 17308 Comm: syz-executor.0 Tainted: G        W         5.15.75-syzkaller-00546-gd9d889009b78 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x151/0x1b7 lib/dump_stack.c:106
 print_address_description+0x87/0x3d0 mm/kasan/report.c:256
 __kasan_report mm/kasan/report.c:435 [inline]
 kasan_report+0x1a6/0x1f0 mm/kasan/report.c:452
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report_generic.c:309
 __rb_insert lib/rbtree.c:115 [inline]
 __rb_insert_augmented+0xaa/0x670 lib/rbtree.c:459
 rb_insert_augmented include/linux/rbtree_augmented.h:50 [inline]
 rb_insert_augmented_cached include/linux/rbtree_augmented.h:60 [inline]
 vma_interval_tree_insert+0x2f3/0x310 mm/interval_tree.c:23
 __vma_link_file mm/mmap.c:674 [inline]
 vma_link+0x18a/0x1f0 mm/mmap.c:700
 mmap_region+0x16dd/0x1af0 mm/mmap.c:1853
 do_mmap+0x785/0xe40 mm/mmap.c:1584
 vm_mmap_pgoff+0x1d4/0x420 mm/util.c:554
 vm_mmap+0x8d/0xb0 mm/util.c:574
 elf_map+0x1b1/0x310 fs/binfmt_elf.c:392
 load_elf_binary+0x101c/0x27c0 fs/binfmt_elf.c:1141
 search_binary_handler fs/exec.c:1739 [inline]
 exec_binprm+0x2a8/0xbc0 fs/exec.c:1780
 bprm_execve+0x4f0/0x7f0 fs/exec.c:1849
 do_execveat_common+0xa92/0xc80 fs/exec.c:1954
 do_execve fs/exec.c:2024 [inline]
 __do_sys_execve fs/exec.c:2100 [inline]
 __se_sys_execve fs/exec.c:2095 [inline]
 __x64_sys_execve+0x92/0xb0 fs/exec.c:2095
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x4ae0d6
Code: Unable to access opcode bytes at RIP 0x4ae0ac.
RSP: 002b:000000c00336b288 EFLAGS: 00000206 ORIG_RAX: 000000000000003b
RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00000000004ae0d6
RDX: 000000c01319c960 RSI: 000000c00b5e6048 RDI: 000000c01bcbe318
RBP: 000000c00336b430 R08: 0000000000000008 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000206 R12: 00000000004a4aef
R13: 0000000000000001 R14: 000000c0004bb040 R15: ffffffffffffffff
 </TASK>

The buggy address belongs to the page:
page:ffffea0007000000 refcount:0 mapcount:-128 mapping:0000000000000000 index:0x0 pfn:0x1c0000
flags: 0x4000000000000000(zone=1)
raw: 4000000000000000 ffffea0007010008 ffffea0006ff0008 0000000000000000
raw: 0000000000000000 000000000000000a 00000000ffffff7f 0000000000000000
page dumped because: kasan: bad access detected
page_owner info is not present (never set?)

Memory state around the buggy address:
 ffff8881bfffff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8881bfffff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8881c0000000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                      ^
 ffff8881c0000080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8881c0000100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	VM info	Assets (help?)	Manager	Title
2022/11/30 17:19	android13-5.15-lts	d9d889009b78	4c2a66e8	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci2-android-5-15	KASAN: use-after-free Read in vma_interval_tree_insert
2022/12/27 21:28	android13-5.15-lts	c73b4619ad86	44712fbc	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci2-android-5-15	general protection fault in vma_interval_tree_insert