syzbot

 sign-in | mailing list | source | docs
🐞 Open [99]
🐞 Fixed [70]
🐞 Invalid [197]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
💬 Send us feedback

KASAN: use-after-free Read in unaccount_page_cache_page (3)

Status: premoderation: reported on 2024/12/31 14:15
Reported-by: syzbot+29b5af9192239d0a42cc@syzkaller.appspotmail.com
First crash: 21d, last: 3d06h
Similar bugs (6)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-5-15 KASAN: use-after-free Read in unaccount_page_cache_page 118 322d 797d 0/2 auto-obsoleted due to no activity on 2024/05/01 01:14
android-5-10 KASAN: use-after-free Read in unaccount_page_cache_page 150 275d 804d 0/2 auto-obsoleted due to no activity on 2024/06/10 16:28
android-54 KASAN: slab-out-of-bounds Read in unaccount_page_cache_page 2 357d 438d 0/2 auto-obsoleted due to no activity on 2024/04/30 10:15
android-5-10 KASAN: use-after-free Read in unaccount_page_cache_page (2) 1 161d 161d 0/2 auto-obsoleted due to no activity on 2024/11/11 21:33
android-5-15 KASAN: use-after-free Read in unaccount_page_cache_page (2) 6 14d 152d 0/2 premoderation: reported on 2024/08/23 02:36
android-54 KASAN: use-after-free Read in unaccount_page_cache_page 143 588d 801d 0/2 auto-obsoleted due to no activity on 2023/08/23 09:09

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in cleancache_fs_enabled_mapping include/linux/cleancache.h:56 [inline]
BUG: KASAN: use-after-free in cleancache_invalidate_page include/linux/cleancache.h:110 [inline]
BUG: KASAN: use-after-free in unaccount_page_cache_page+0x99f/0xa80 mm/filemap.c:175
Read of size 4 at addr ffff888125a9b470 by task syz.6.330/1728

CPU: 1 PID: 1728 Comm: syz.6.330 Tainted: G        W         5.10.232-syzkaller-00746-g49e8ba0a684f #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack_lvl+0x1e2/0x24b lib/dump_stack.c:118
 print_address_description+0x81/0x3b0 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:435 [inline]
 kasan_report+0x179/0x1c0 mm/kasan/report.c:452
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report_generic.c:308
 cleancache_fs_enabled_mapping include/linux/cleancache.h:56 [inline]
 cleancache_invalidate_page include/linux/cleancache.h:110 [inline]
 unaccount_page_cache_page+0x99f/0xa80 mm/filemap.c:175
 __delete_from_page_cache+0xd0/0x5d0 mm/filemap.c:243
 __remove_mapping+0x567/0x690 mm/vmscan.c:978
 shrink_page_list+0x1f38/0x4c60 mm/vmscan.c:1491
 shrink_inactive_list+0x591/0x1150 mm/vmscan.c:2068
 shrink_list mm/vmscan.c:2287 [inline]
 shrink_lruvec+0xced/0x3860 mm/vmscan.c:5466
 shrink_node_memcgs mm/vmscan.c:5653 [inline]
 shrink_node+0xded/0x2000 mm/vmscan.c:5683
 shrink_zones mm/vmscan.c:5889 [inline]
 do_try_to_free_pages+0x652/0x1630 mm/vmscan.c:5947
 try_to_free_mem_cgroup_pages+0x369/0x830 mm/vmscan.c:6265
 try_charge+0x4b8/0x15f0 mm/memcontrol.c:2742
 __mem_cgroup_charge+0x147/0x6e0 mm/memcontrol.c:6868
 mem_cgroup_charge include/linux/memcontrol.h:458 [inline]
 shmem_add_to_page_cache+0x6a9/0x10c0 mm/shmem.c:699
 shmem_getpage_gfp+0xa65/0x2480 mm/shmem.c:1952
 shmem_getpage mm/shmem.c:161 [inline]
 shmem_write_begin+0xca/0x1b0 mm/shmem.c:2497
 generic_perform_write+0x2cd/0x570 mm/filemap.c:3509
 __generic_file_write_iter+0x23c/0x560 mm/filemap.c:3638
 generic_file_write_iter+0xaf/0x1c0 mm/filemap.c:3670
 __kernel_write+0x5ab/0x9d0 fs/read_write.c:550
 dump_emit+0x261/0x3a0 fs/coredump.c:849
 dump_user_range+0x71/0x1a0 fs/coredump.c:902
 elf_core_dump+0x33bd/0x3c10 fs/binfmt_elf.c:2290
 do_coredump+0x1eb8/0x2d60 fs/coredump.c:811
 get_signal+0x102c/0x1410 kernel/signal.c:2779
 arch_do_signal_or_restart+0xbd/0x17c0 arch/x86/kernel/signal.c:805
 handle_signal_work kernel/entry/common.c:145 [inline]
 exit_to_user_mode_loop+0x9b/0xd0 kernel/entry/common.c:169
 exit_to_user_mode_prepare kernel/entry/common.c:199 [inline]
 irqentry_exit_to_user_mode+0x4e/0x80 kernel/entry/common.c:287
 irqentry_exit+0x12/0x60 kernel/entry/common.c:375
 exc_general_protection+0x415/0x490 arch/x86/kernel/traps.c:557
 asm_exc_general_protection+0x1e/0x30 arch/x86/include/asm/idtentry.h:565
RIP: 0033:0x7f0926ae6d31
Code: 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 48 3d 01 f0 ff ff 73 01 <c3> 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f
RSP: 002b:00000000200000f0 EFLAGS: 00010217
RAX: 0000000000000000 RBX: 00007f0926cd7160 RCX: 00007f0926ae6d29
RDX: 0000000020000100 RSI: 00000000200000f0 RDI: 0000000004802280
RBP: 00007f0926b62b08 R08: 00000000200001c0 R09: 00000000200001c0
R10: 0000000020000140 R11: 0000000000000202 R12: 0000000000000000
R13: 0000000000000001 R14: 00007f0926cd7160 R15: 00007ffdefbc9f08

Allocated by task 1409:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track mm/kasan/common.c:45 [inline]
 set_alloc_info mm/kasan/common.c:430 [inline]
 ____kasan_kmalloc+0xdb/0x110 mm/kasan/common.c:509
 __kasan_kmalloc+0x9/0x10 mm/kasan/common.c:518
 kasan_kmalloc include/linux/kasan.h:254 [inline]
 kmem_cache_alloc_trace+0x18a/0x2e0 mm/slub.c:2974
 kmalloc include/linux/slab.h:552 [inline]
 kzalloc include/linux/slab.h:664 [inline]
 alloc_super+0x5d/0x780 fs/super.c:203
 sget+0x1e5/0x4c0 fs/super.c:627
 mount_bdev+0xea/0x370 fs/super.c:1415
 f2fs_mount+0x34/0x40 fs/f2fs/super.c:4548
 legacy_get_tree+0xf1/0x190 fs/fs_context.c:593
 vfs_get_tree+0x88/0x290 fs/super.c:1572
 do_new_mount+0x2ba/0xb30 fs/namespace.c:2917
 path_mount+0x56f/0xcb0 fs/namespace.c:3247
 do_mount fs/namespace.c:3260 [inline]
 __do_sys_mount fs/namespace.c:3468 [inline]
 __se_sys_mount+0x2c4/0x3b0 fs/namespace.c:3445
 __x64_sys_mount+0xbf/0xd0 fs/namespace.c:3445
 do_syscall_64+0x34/0x70
 entry_SYSCALL_64_after_hwframe+0x61/0xcb

Last potentially related work creation:
 kasan_save_stack+0x3b/0x60 mm/kasan/common.c:38
 __kasan_record_aux_stack+0xd3/0x100 mm/kasan/generic.c:348
 kasan_record_aux_stack_noalloc+0xb/0x10 mm/kasan/generic.c:358
 insert_work+0x56/0x310 kernel/workqueue.c:1352
 __queue_work+0x970/0xd10 kernel/workqueue.c:1518
 queue_work_on+0x105/0x160 kernel/workqueue.c:1545
 queue_work include/linux/workqueue.h:515 [inline]
 schedule_work include/linux/workqueue.h:576 [inline]
 destroy_super_rcu+0xd1/0xe0 fs/super.c:172
 rcu_do_batch+0x597/0xc40 kernel/rcu/tree.c:2494
 rcu_core+0x5ad/0xe40 kernel/rcu/tree.c:2735
 rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2748
 __do_softirq+0x268/0x5bb kernel/softirq.c:309

Second to last potentially related work creation:
 kasan_save_stack+0x3b/0x60 mm/kasan/common.c:38
 __kasan_record_aux_stack+0xd3/0x100 mm/kasan/generic.c:348
 kasan_record_aux_stack_noalloc+0xb/0x10 mm/kasan/generic.c:358
 __call_rcu kernel/rcu/tree.c:2976 [inline]
 call_rcu+0x135/0x11f0 kernel/rcu/tree.c:3050
 __put_super+0x25c/0x2b0 fs/super.c:299
 put_super fs/super.c:313 [inline]
 deactivate_locked_super+0xe1/0x110 fs/super.c:346
 mount_bdev+0x27e/0x370 fs/super.c:1444
 f2fs_mount+0x34/0x40 fs/f2fs/super.c:4548
 legacy_get_tree+0xf1/0x190 fs/fs_context.c:593
 vfs_get_tree+0x88/0x290 fs/super.c:1572
 do_new_mount+0x2ba/0xb30 fs/namespace.c:2917
 path_mount+0x56f/0xcb0 fs/namespace.c:3247
 do_mount fs/namespace.c:3260 [inline]
 __do_sys_mount fs/namespace.c:3468 [inline]
 __se_sys_mount+0x2c4/0x3b0 fs/namespace.c:3445
 __x64_sys_mount+0xbf/0xd0 fs/namespace.c:3445
 do_syscall_64+0x34/0x70
 entry_SYSCALL_64_after_hwframe+0x61/0xcb

The buggy address belongs to the object at ffff888125a9b000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 1136 bytes inside of
 2048-byte region [ffff888125a9b000, ffff888125a9b800)
The buggy address belongs to the page:
page:ffffea000496a600 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888125a98000 pfn:0x125a98
head:ffffea000496a600 order:3 compound_mapcount:0 compound_pincount:0
flags: 0x4000000000010200(slab|head)
raw: 4000000000010200 ffffea0004956208 ffffea00046ff408 ffff888100042d80
raw: ffff888125a98000 0000000000080003 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 287, ts 20301537691, free_ts 0
 set_page_owner include/linux/page_owner.h:35 [inline]
 post_alloc_hook mm/page_alloc.c:2456 [inline]
 prep_new_page+0x166/0x180 mm/page_alloc.c:2462
 get_page_from_freelist+0x2d8c/0x2f30 mm/page_alloc.c:4254
 __alloc_pages_nodemask+0x435/0xaf0 mm/page_alloc.c:5348
 allocate_slab mm/slub.c:1808 [inline]
 new_slab+0x80/0x400 mm/slub.c:1869
 new_slab_objects mm/slub.c:2627 [inline]
 ___slab_alloc+0x302/0x4b0 mm/slub.c:2791
 __slab_alloc+0x63/0xa0 mm/slub.c:2831
 slab_alloc_node mm/slub.c:2913 [inline]
 slab_alloc mm/slub.c:2955 [inline]
 __kmalloc_track_caller+0x1f8/0x320 mm/slub.c:4536
 __kmalloc_reserve net/core/skbuff.c:144 [inline]
 pskb_expand_head+0x12b/0x1180 net/core/skbuff.c:1653
 netlink_trim+0x19b/0x230 net/netlink/af_netlink.c:1289
 netlink_broadcast_filtered+0x66/0x1270 net/netlink/af_netlink.c:1494
 netlink_broadcast net/netlink/af_netlink.c:1539 [inline]
 nlmsg_multicast include/net/netlink.h:1033 [inline]
 nlmsg_notify+0x101/0x1c0 net/netlink/af_netlink.c:2528
 rtnl_notify net/core/rtnetlink.c:737 [inline]
 rtmsg_ifinfo_send net/core/rtnetlink.c:3865 [inline]
 rtmsg_ifinfo_event net/core/rtnetlink.c:3880 [inline]
 rtmsg_ifinfo+0xe7/0x120 net/core/rtnetlink.c:3886
 __dev_notify_flags+0xdd/0x610 net/core/dev.c:8567
 __rtnl_newlink net/core/rtnetlink.c:3487 [inline]
 rtnl_newlink+0x18fd/0x2000 net/core/rtnetlink.c:3527
 rtnetlink_rcv_msg+0x955/0xc50 net/core/rtnetlink.c:5607
 netlink_rcv_skb+0x1cf/0x410 net/netlink/af_netlink.c:2485
page_owner free stack trace missing

Memory state around the buggy address:
 ffff888125a9b300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888125a9b380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888125a9b400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                             ^
 ffff888125a9b480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888125a9b500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (5):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2025/01/04 23:44 android13-5.10-lts 49e8ba0a684f f3558dbf .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in unaccount_page_cache_page
2025/01/01 22:13 android13-5.10-lts 49e8ba0a684f d3ccff63 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in unaccount_page_cache_page
2024/12/31 14:14 android13-5.10-lts 49e8ba0a684f d3ccff63 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in unaccount_page_cache_page
2025/01/19 04:48 android13-5.10-lts fbe98d68b6b3 f2cb035c .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: slab-out-of-bounds Read in unaccount_page_cache_page
2025/01/04 23:21 android13-5.10-lts 49e8ba0a684f f3558dbf .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: slab-out-of-bounds Read in unaccount_page_cache_page
* Struck through repros no longer work on HEAD.