syzbot


KASAN: use-after-free Read in iov_iter_revert

Status: closed as invalid on 2017/11/05 09:00
Reported-by: syzbot+4aae4dea58c5b592b8938c690547ac65f080cf9d@syzkaller.appspotmail.com
First crash: 2823d, last: 2780d

Sample crash report:
device syz4.0 left promiscuous mode
device syz4 left promiscuous mode
device syz4.0 entered promiscuous mode
device syz4 entered promiscuous mode
==================================================================
BUG: KASAN: use-after-free in iov_iter_revert+0x976/0x9d0 lib/iov_iter.c:890
Read of size 4 at addr ffff8801ccd18988 by task loop6/4544

CPU: 1 PID: 4544 Comm: loop6 Not tainted 4.13.0+ #73
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:16 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:52
 print_address_description+0x73/0x250 mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report+0x24e/0x340 mm/kasan/report.c:409
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:429
 iov_iter_revert+0x976/0x9d0 lib/iov_iter.c:890
 generic_file_read_iter+0x1883/0x26c0 mm/filemap.c:2197
 blkdev_read_iter+0x105/0x170 fs/block_dev.c:1918
 call_read_iter include/linux/fs.h:1737 [inline]
 lo_rw_aio+0x9e9/0xc20 drivers/block/loop.c:501
 do_req_filebacked drivers/block/loop.c:539 [inline]
 loop_handle_cmd drivers/block/loop.c:1694 [inline]
 loop_queue_work+0x1f91/0x3900 drivers/block/loop.c:1708
 kthread_worker_fn+0x340/0x9b0 kernel/kthread.c:635
 loop_kthread_worker_fn+0x51/0x60 drivers/block/loop.c:850
 kthread+0x39c/0x470 kernel/kthread.c:231
 ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431

Allocated by task 17199:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:489
 kmem_cache_alloc+0x12e/0x760 mm/slab.c:3561
 mempool_alloc_slab+0x44/0x60 mm/mempool.c:449
 mempool_alloc+0x16a/0x4b0 mm/mempool.c:329
 bio_alloc_bioset+0x3c7/0x750 block/bio.c:486
 bio_alloc include/linux/bio.h:417 [inline]
 submit_bh_wbc+0x104/0x680 fs/buffer.c:3110
 submit_bh fs/buffer.c:3142 [inline]
 block_read_full_page+0x6cf/0x950 fs/buffer.c:2355
 blkdev_readpage+0x1c/0x20 fs/block_dev.c:583
 do_generic_file_read mm/filemap.c:2082 [inline]
 generic_file_read_iter+0x1286/0x26c0 mm/filemap.c:2213
 blkdev_read_iter+0x105/0x170 fs/block_dev.c:1918
 call_read_iter include/linux/fs.h:1737 [inline]
 new_sync_read fs/read_write.c:400 [inline]
 __vfs_read+0x6ad/0xa00 fs/read_write.c:412
 vfs_read+0x124/0x360 fs/read_write.c:433
 SYSC_read fs/read_write.c:549 [inline]
 SyS_read+0xef/0x220 fs/read_write.c:542
 entry_SYSCALL_64_fastpath+0x1f/0xbe

Freed by task 5655:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524
 __cache_free mm/slab.c:3503 [inline]
 kmem_cache_free+0x77/0x280 mm/slab.c:3763
 mempool_free_slab+0x1d/0x30 mm/mempool.c:456
 mempool_free+0xd4/0x1d0 mm/mempool.c:438
 bio_free+0x11c/0x190 block/bio.c:265
 bio_put+0x14f/0x180 block/bio.c:558
 end_bio_bh_io_sync+0xcd/0x110 fs/buffer.c:3038
 bio_endio+0x2f8/0x8d0 block/bio.c:1843
 req_bio_endio block/blk-core.c:204 [inline]
 blk_update_request+0x2a6/0xe20 block/blk-core.c:2738
 blk_mq_end_request+0x54/0x120 block/blk-mq.c:509
 lo_complete_rq+0xbe/0x1f0 drivers/block/loop.c:460
 __blk_mq_complete_request+0x38f/0x6c0 block/blk-mq.c:550
 blk_mq_complete_request+0x4f/0x60 block/blk-mq.c:570
 lo_rw_aio_complete+0x5e/0x80 drivers/block/loop.c:468
 blkdev_bio_end_io+0x22a/0x700 fs/block_dev.c:309
 bio_endio+0x2f8/0x8d0 block/bio.c:1843
 req_bio_endio block/blk-core.c:204 [inline]
 blk_update_request+0x2a6/0xe20 block/blk-core.c:2738
 blk_mq_end_request+0x54/0x120 block/blk-mq.c:509
 lo_complete_rq+0xbe/0x1f0 drivers/block/loop.c:460
 __blk_mq_complete_request+0x38f/0x6c0 block/blk-mq.c:550
 blk_mq_complete_request+0x4f/0x60 block/blk-mq.c:570
 loop_handle_cmd drivers/block/loop.c:1699 [inline]
 loop_queue_work+0x26b/0x3900 drivers/block/loop.c:1708
 kthread_worker_fn+0x340/0x9b0 kernel/kthread.c:635
 loop_kthread_worker_fn+0x51/0x60 drivers/block/loop.c:850
 kthread+0x39c/0x470 kernel/kthread.c:231
 ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431

The buggy address belongs to the object at ffff8801ccd18900
 which belongs to the cache bio-0 of size 192
The buggy address is located 136 bytes inside of
 192-byte region [ffff8801ccd18900, ffff8801ccd189c0)
The buggy address belongs to the page:
page:ffffea0007334600 count:1 mapcount:0 mapping:ffff8801ccd18000 index:0x0
flags: 0x200000000000100(slab)
raw: 0200000000000100 ffff8801ccd18000 0000000000000000 0000000100000010
raw: ffffea00072f3ba0 ffff8801d7d19950 ffff8801d9880680 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801ccd18880: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
 ffff8801ccd18900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8801ccd18980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
                      ^
 ffff8801ccd18a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801ccd18a80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
==================================================================

Crashes (111):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2017/09/08 02:36 upstream 8dc5b3a6cb2f 0ed1da4a .config console log report ci-upstream-kasan-gce
2017/09/06 16:04 upstream e7d0c41ecc2e 0ed1da4a .config console log report ci-upstream-kasan-gce
2017/09/04 03:47 upstream 5e3b19d8165c a54dce00 .config console log report ci-upstream-kasan-gce
2017/08/24 23:08 upstream 4898b99c261e 3f1aca48 .config console log report ci-upstream-kasan-gce
2017/08/24 08:55 upstream 143c97cc6529 3f1aca48 .config console log report ci-upstream-kasan-gce
2017/08/02 13:26 upstream 26c5cebfdb6c f5040a63 .config console log report ci-upstream-kasan-gce
2017/07/30 05:06 upstream 0a07b238e5f4 fe8ced11 .config console log report ci-upstream-kasan-gce
2017/07/27 06:45 upstream da08f35b0f82 b0d23a5c .config console log report ci-upstream-kasan-gce
2017/09/03 15:30 linux-next 1d53d908b79d a54dce00 .config console log report ci-upstream-next-kasan-gce
2017/09/02 09:34 linux-next 1d53d908b79d a54dce00 .config console log report ci-upstream-next-kasan-gce
2017/09/01 16:10 linux-next 1d53d908b79d a54dce00 .config console log report ci-upstream-next-kasan-gce
2017/08/31 20:09 linux-next e8b684315214 4ccdd782 .config console log report ci-upstream-next-kasan-gce
2017/08/31 13:55 linux-next e8b684315214 4ccdd782 .config console log report ci-upstream-next-kasan-gce
2017/08/31 00:14 linux-next 9458bf6edfa8 ed7f9598 .config console log report ci-upstream-next-kasan-gce
2017/08/30 21:27 linux-next 9458bf6edfa8 ed7f9598 .config console log report ci-upstream-next-kasan-gce
2017/08/29 05:02 linux-next adc4148c101c be291771 .config console log report ci-upstream-next-kasan-gce
2017/08/29 02:10 linux-next adc4148c101c be291771 .config console log report ci-upstream-next-kasan-gce
2017/08/28 18:21 linux-next adc4148c101c be291771 .config console log report ci-upstream-next-kasan-gce
2017/08/28 09:11 linux-next 7159188b70e3 4074aed7 .config console log report ci-upstream-next-kasan-gce
2017/08/16 06:05 linux-next 5d51332f20b2 f93be584 .config console log report ci-upstream-next-kasan-gce