syzbot


KASAN: invalid-free in anon_vma_name_free

Status: upstream: reported C repro on 2022/10/13 08:08
Bug presence: origin:downstream
[Documentation on labels]
Reported-by: syzbot+3d8afebe2dc2c4a80d8e@syzkaller.appspotmail.com
First crash: 640d, last: 9d07h
Cause bisection: failed (error log, bisect log)
  
Bug presence (3)
Date Name Commit Repro Result
2023/09/28 android13-5.15-lts (ToT) ea586874d2f9 C [report] KASAN: invalid-free in anon_vma_name_free
2023/09/28 lts (merge base) aff03380bda4 C Didn't crash
2023/09/28 upstream (ToT) 633b47cb009d C Didn't crash
Last patch testing requests (15)
Created Duration User Patch Repo Result
2024/07/05 16:52 6m retest repro android13-5.15-lts report log
2024/07/03 07:26 16m retest repro android13-5.15-lts report log
2024/06/22 06:00 12m retest repro android13-5.15-lts report log
2024/06/07 20:02 5m retest repro android13-5.15-lts report log
2024/06/07 20:02 5m retest repro android13-5.15-lts report log
2024/06/07 20:02 4m retest repro android13-5.15-lts report log
2024/06/07 20:02 5m retest repro android13-5.15-lts report log
2024/05/24 17:44 9m retest repro android13-5.15-lts report log
2024/05/24 17:44 6m retest repro android13-5.15-lts report log
2024/05/24 17:44 7m retest repro android13-5.15-lts report log
2023/04/06 08:26 27m tudor.ambarus@linaro.org git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git v5.15.80 OK log
2023/04/04 10:50 11m tudor.ambarus@linaro.org android13-5.15-lts report log
2022/12/12 17:34 7m tudor.ambarus@linaro.org android13-5.15-lts report log
2022/12/09 16:05 15m tudor.ambarus@linaro.org git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git linux-5.15.y OK log
2022/12/09 16:04 16m tudor.ambarus@linaro.org upstream OK log
Fix bisection attempts (6)
Created Duration User Patch Repo Result
2024/04/03 01:56 5h11m bisect fix android13-5.15-lts OK (0) job log log
2024/01/21 19:42 1h36m bisect fix android13-5.15-lts OK (0) job log log
2023/06/16 20:14 35m bisect fix android13-5.15-lts OK (0) job log log
2023/05/02 08:22 18m bisect fix android13-5.15-lts OK (0) job log log
2023/03/07 13:15 21m bisect fix android13-5.15-lts OK (0) job log log
2022/11/12 08:31 19m bisect fix android13-5.15-lts OK (0) job log log

Sample crash report:
RBP: 00007f01523bc3c0 R08: 0000000000000000 R09: 0000000000003336
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f01523bc3cc
R13: 00007f01522f1210 R14: 0000000000000002 R15: 00007f015238901d
 </TASK>
==================================================================
BUG: KASAN: double-free or invalid-free in slab_free mm/slub.c:3519 [inline]
BUG: KASAN: double-free or invalid-free in kfree+0xc8/0x220 mm/slub.c:4579

CPU: 1 PID: 307 Comm: syz-executor879 Not tainted 5.15.147-syzkaller-00327-g1c3a1f32bcbd #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x151/0x1b7 lib/dump_stack.c:106
 print_address_description+0x87/0x3b0 mm/kasan/report.c:248
 kasan_report_invalid_free+0x6b/0xa0 mm/kasan/report.c:370
 ____kasan_slab_free+0x13e/0x160
 __kasan_slab_free+0x11/0x20 mm/kasan/common.c:373
 kasan_slab_free include/linux/kasan.h:193 [inline]
 slab_free_hook mm/slub.c:1723 [inline]
 slab_free_freelist_hook+0xbd/0x190 mm/slub.c:1749
 slab_free mm/slub.c:3519 [inline]
 kfree+0xc8/0x220 mm/slub.c:4579
 anon_vma_name_free+0x15/0x20 mm/madvise.c:90
 kref_put include/linux/kref.h:65 [inline]
 anon_vma_name_put include/linux/mm_inline.h:365 [inline]
 free_anon_vma_name include/linux/mm_inline.h:396 [inline]
 vm_area_free_no_check+0xa6/0x130 kernel/fork.c:405
 vm_area_free kernel/fork.c:418 [inline]
 dup_mmap kernel/fork.c:681 [inline]
 dup_mm kernel/fork.c:1521 [inline]
 copy_mm+0xefb/0x13e0 kernel/fork.c:1573
 copy_process+0x12bc/0x3260 kernel/fork.c:2264
 kernel_clone+0x21e/0x9e0 kernel/fork.c:2662
 __do_sys_clone kernel/fork.c:2788 [inline]
 __se_sys_clone kernel/fork.c:2772 [inline]
 __x64_sys_clone+0x23f/0x290 kernel/fork.c:2772
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7f0152332169
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 41 1c 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f01522f1208 EFLAGS: 00000246 ORIG_RAX: 0000000000000038
RAX: ffffffffffffffda RBX: 00007f01523bc3c8 RCX: 00007f0152332169
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 00007f01523bc3c0 R08: 0000000000000000 R09: 0000000000003336
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f01523bc3cc
R13: 00007f01522f1210 R14: 0000000000000002 R15: 00007f015238901d
 </TASK>

Allocated by task 293:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track mm/kasan/common.c:45 [inline]
 set_alloc_info mm/kasan/common.c:433 [inline]
 __kasan_slab_alloc+0xb1/0xe0 mm/kasan/common.c:466
 kasan_slab_alloc include/linux/kasan.h:217 [inline]
 slab_post_alloc_hook+0x53/0x2c0 mm/slab.h:550
 slab_alloc_node mm/slub.c:3240 [inline]
 slab_alloc mm/slub.c:3248 [inline]
 kmem_cache_alloc+0xf5/0x200 mm/slub.c:3253
 vm_area_dup+0x26/0x230 kernel/fork.c:367
 dup_mmap kernel/fork.c:601 [inline]
 dup_mm kernel/fork.c:1521 [inline]
 copy_mm+0x9a1/0x13e0 kernel/fork.c:1573
 copy_process+0x12bc/0x3260 kernel/fork.c:2264
 kernel_clone+0x21e/0x9e0 kernel/fork.c:2662
 __do_sys_clone kernel/fork.c:2788 [inline]
 __se_sys_clone kernel/fork.c:2772 [inline]
 __x64_sys_clone+0x23f/0x290 kernel/fork.c:2772
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x61/0xcb

The buggy address belongs to the object at ffff88811e662cb8
 which belongs to the cache vm_area_struct of size 232
The buggy address is located 88 bytes inside of
 232-byte region [ffff88811e662cb8, ffff88811e662da0)
The buggy address belongs to the page:
page:ffffea0004799880 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11e662
flags: 0x4000000000000200(slab|zone=1)
raw: 4000000000000200 0000000000000000 dead000000000122 ffff8881001bdc80
raw: 0000000000000000 00000000000d000d 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 293, ts 22510329837, free_ts 0
 set_page_owner include/linux/page_owner.h:33 [inline]
 post_alloc_hook+0x1a3/0x1b0 mm/page_alloc.c:2604
 prep_new_page+0x1b/0x110 mm/page_alloc.c:2610
 get_page_from_freelist+0x3550/0x35d0 mm/page_alloc.c:4484
 __alloc_pages+0x27e/0x8f0 mm/page_alloc.c:5776
 allocate_slab mm/slub.c:1932 [inline]
 new_slab+0x9a/0x4e0 mm/slub.c:1995
 ___slab_alloc+0x39e/0x830 mm/slub.c:3028
 __slab_alloc+0x4a/0x90 mm/slub.c:3115
 slab_alloc_node mm/slub.c:3206 [inline]
 slab_alloc mm/slub.c:3248 [inline]
 kmem_cache_alloc+0x134/0x200 mm/slub.c:3253
 vm_area_dup+0x26/0x230 kernel/fork.c:367
 dup_mmap kernel/fork.c:601 [inline]
 dup_mm kernel/fork.c:1521 [inline]
 copy_mm+0x9a1/0x13e0 kernel/fork.c:1573
 copy_process+0x12bc/0x3260 kernel/fork.c:2264
 kernel_clone+0x21e/0x9e0 kernel/fork.c:2662
 __do_sys_clone kernel/fork.c:2788 [inline]
 __se_sys_clone kernel/fork.c:2772 [inline]
 __x64_sys_clone+0x23f/0x290 kernel/fork.c:2772
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x61/0xcb
page_owner free stack trace missing

Memory state around the buggy address:
 ffff88811e662c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc
 ffff88811e662c80: fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00 00
>ffff88811e662d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                         ^
 ffff88811e662d80: 00 00 00 00 fc fc fc fc fc fc fc fc fa fb fb fb
 ffff88811e662e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (26):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2024/01/30 21:14 android13-5.15-lts 1c3a1f32bcbd 7f400fcb .config strace log report syz C [disk image] [vmlinux] [kernel image] ci2-android-5-15-perf KASAN: invalid-free in anon_vma_name_free
2023/11/24 11:00 android13-5.15-lts 61cfd264993d 5b429f39 .config strace log report syz C [disk image] [vmlinux] [kernel image] ci2-android-5-15 KASAN: invalid-free in anon_vma_name_free
2023/11/23 22:22 android13-5.15-lts 61cfd264993d 5b429f39 .config strace log report syz C [disk image] [vmlinux] [kernel image] ci2-android-5-15-perf KASAN: invalid-free in anon_vma_name_free
2023/11/18 16:27 android13-5.15-lts 61cfd264993d cb976f63 .config strace log report syz C [disk image] [vmlinux] [kernel image] ci2-android-5-15-perf KASAN: invalid-free in anon_vma_name_free
2023/10/11 14:16 android13-5.15-lts ea586874d2f9 83165b57 .config strace log report syz C [disk image] [vmlinux] [kernel image] ci2-android-5-15 KASAN: invalid-free in anon_vma_name_free
2023/10/11 13:57 android13-5.15-lts ea586874d2f9 83165b57 .config strace log report syz C [disk image] [vmlinux] [kernel image] ci2-android-5-15 KASAN: invalid-free in anon_vma_name_free
2023/10/11 03:17 android13-5.15-lts ea586874d2f9 83165b57 .config console log report syz C [disk image] [vmlinux] [kernel image] ci2-android-5-15-perf KASAN: invalid-free in anon_vma_name_free
2023/10/11 02:38 android13-5.15-lts ea586874d2f9 83165b57 .config console log report syz C [disk image] [vmlinux] [kernel image] ci2-android-5-15-perf KASAN: invalid-free in anon_vma_name_free
2023/10/06 04:45 android13-5.15-lts ea586874d2f9 db17ad9f .config console log report syz C [disk image] [vmlinux] [kernel image] ci2-android-5-15-perf KASAN: invalid-free in anon_vma_name_free
2023/09/28 10:17 android13-5.15-lts ea586874d2f9 c2ab1e5d .config strace log report syz C [disk image] [vmlinux] [kernel image] ci2-android-5-15 KASAN: invalid-free in anon_vma_name_free
2023/08/13 10:55 android13-5.15-lts 1463976ddc64 39990d51 .config console log report syz C [disk image] [vmlinux] [kernel image] ci2-android-5-15 KASAN: invalid-free in anon_vma_name_free
2023/06/22 23:23 android13-5.15-lts 565c3abfa129 79782afc .config console log report syz C [disk image] [vmlinux] [kernel image] ci2-android-5-15 KASAN: invalid-free in anon_vma_name_free
2023/01/22 06:50 android13-5.15-lts 72d681a01da5 cc0f9968 .config console log report syz C [disk image] [vmlinux] [kernel image] ci2-android-5-15-perf KASAN: invalid-free in anon_vma_name_free
2023/01/22 02:27 android13-5.15-lts 72d681a01da5 cc0f9968 .config strace log report syz C [disk image] [vmlinux] [kernel image] ci2-android-5-15 KASAN: invalid-free in anon_vma_name_free
2022/12/27 21:56 android13-5.15-lts c73b4619ad86 44712fbc .config console log report syz C [disk image] [vmlinux] [kernel image] ci2-android-5-15 KASAN: invalid-free in anon_vma_name_free
2022/10/13 08:07 android13-5.15-lts 43eb03f7ce81 3f6b40a1 .config strace log report syz C [disk image] [vmlinux] ci2-android-5-15 KASAN: invalid-free in anon_vma_name_free
2024/02/18 13:15 android13-5.15-lts 993bed180178 578f7538 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-15-perf KASAN: invalid-free in anon_vma_name_free
2023/10/10 21:32 android13-5.15-lts ea586874d2f9 c9be5398 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-15 KASAN: invalid-free in anon_vma_name_free
2023/09/16 18:25 android13-5.15-lts ea586874d2f9 0b6a67ac .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-15-perf KASAN: invalid-free in anon_vma_name_free
2023/05/17 20:00 android13-5.15-lts 19c0ed55a470 eaac4681 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-15-perf KASAN: invalid-free in anon_vma_name_free
2023/04/02 07:10 android13-5.15-lts 7364b7abbafb f325deb0 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-15-perf KASAN: invalid-free in anon_vma_name_free
2023/02/05 10:53 android13-5.15-lts 7e0097918ff8 be607b78 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-15-perf KASAN: invalid-free in anon_vma_name_free
2023/01/02 03:13 android13-5.15-lts c73b4619ad86 ab32d508 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-15-perf KASAN: invalid-free in anon_vma_name_free
2022/12/22 18:43 android13-5.15-lts c73b4619ad86 9da18ae8 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-15-perf KASAN: invalid-free in anon_vma_name_free
2022/12/04 23:18 android13-5.15-lts 92f701cae0bc e080de16 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-15-perf KASAN: invalid-free in anon_vma_name_free
2022/11/17 13:48 android13-5.15-lts 4ec71a9ec769 3a127a31 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-15 KASAN: invalid-free in anon_vma_name_free
* Struck through repros no longer work on HEAD.