syzbot

 sign-in | mailing list | source | docs
🐞 Open [1418]
Subsystems
🐞 Fixed [5828]
🐞 Invalid [14219]
Missing Backports [92]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
Total Repo Heatmap Subsystems Heatmap
💬 Send us feedback

KASAN: use-after-free Read in debugfs_remove (3)

Status: closed as dup on 2020/06/28 17:08
Reported-by: syzbot+903b72a010ad6b7a40f2@syzkaller.appspotmail.com
First crash: 2236d, last: 1768d
Cause bisection: the issue happens on the oldest tested release (bisect log)
Crash: WARNING in tracepoint_probe_register (log)
Repro: C syz .config
  
Fix bisection: failed (error log, bisect log)
  
Duplicate of
Title Repro Cause bisect Fix bisect Count Last Reported
KASAN: use-after-free Read in lockref_get fs 7 1630d 1730d
Discussions (7)
Title Replies (including bot) Last reply
[PATCH V3] block: rename 'q->debugfs_dir' and 'q->blk_trace->dir' in blk_unregister_queue() 1 (1) 2020/03/24 13:23
[PATCH V2] block: rename 'q->debugfs_dir' and 'q->blk_trace->dir' in blk_unregister_queue() 4 (4) 2020/02/29 02:50
[PATCH] block: rename 'q->debugfs_dir' in blk_unregister_queue() 5 (5) 2020/02/13 11:39
[PATCH] block: revert pushing the final release of request_queue to a workqueue. 14 (14) 2020/02/10 08:49
Reminder: 11 open syzbot bugs in block subsystem 1 (1) 2019/07/24 02:26
Reminder: 11 open syzbot bugs in block subsystem 1 (1) 2019/06/25 06:17
KASAN: use-after-free Read in debugfs_remove (3) 0 (3) 2018/12/02 02:13
Similar bugs (4)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: use-after-free Read in debugfs_remove (2) fs 1 2406d 2404d 5/28 fixed on 2018/05/17 10:02
linux-4.19 KASAN: use-after-free Read in debugfs_remove C done 15 1481d 1978d 1/1 fixed on 2020/12/01 11:25
upstream KASAN: use-after-free Read in debugfs_remove fs 1 2427d 2426d 0/28 closed as invalid on 2018/04/10 15:18
linux-4.14 KASAN: use-after-free Read in debugfs_remove C inconclusive 14 1490d 2045d 0/1 upstream: reported C repro on 2019/04/17 06:08

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in debugfs_remove+0x10d/0x130 /fs/debugfs/inode.c:705
Read of size 8 at addr ffff8880aa0c4300 by task kworker/0:2/2622

CPU: 0 PID: 2622 Comm: kworker/0:2 Not tainted 5.2.0+ #71
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events __blk_release_queue
Call Trace:
 __dump_stack /lib/dump_stack.c:77 [inline]
 dump_stack+0x16f/0x1f0 /lib/dump_stack.c:113
 print_address_description.cold+0xd4/0x306 /mm/kasan/report.c:351
 __kasan_report.cold+0x1b/0x36 /mm/kasan/report.c:482
 kasan_report+0x12/0x17 /mm/kasan/common.c:612
 __asan_report_load8_noabort+0x14/0x20 /mm/kasan/generic_report.c:132
 debugfs_remove+0x10d/0x130 /fs/debugfs/inode.c:705
 blk_trace_free+0x38/0x140 /kernel/trace/blktrace.c:312
 blk_trace_cleanup /kernel/trace/blktrace.c:339 [inline]
 __blk_trace_remove+0x78/0xa0 /kernel/trace/blktrace.c:352
 blk_trace_shutdown+0x67/0x90 /kernel/trace/blktrace.c:747
 __blk_release_queue+0x1de/0x340 /block/blk-sysfs.c:902
 process_one_work+0x9af/0x16d0 /kernel/workqueue.c:2269
 worker_thread+0x98/0xe40 /kernel/workqueue.c:2415
 kthread+0x361/0x430 /kernel/kthread.c:255
 ret_from_fork+0x24/0x30 /arch/x86/entry/entry_64.S:352

Allocated by task 9284:
 save_stack+0x23/0x90 /mm/kasan/common.c:69
 set_track /mm/kasan/common.c:77 [inline]
 __kasan_kmalloc /mm/kasan/common.c:487 [inline]
 __kasan_kmalloc.constprop.0+0xcf/0xe0 /mm/kasan/common.c:460
 kasan_slab_alloc+0xf/0x20 /mm/kasan/common.c:495
 slab_post_alloc_hook /mm/slab.h:520 [inline]
 slab_alloc /mm/slab.c:3319 [inline]
 kmem_cache_alloc+0x121/0x700 /mm/slab.c:3483
 __d_alloc+0x2e/0x8c0 /fs/dcache.c:1688
 d_alloc+0x4d/0x280 /fs/dcache.c:1767
 d_alloc_parallel+0xf4/0x1b90 /fs/dcache.c:2519
 __lookup_slow+0x1ab/0x500 /fs/namei.c:1652
 lookup_one_len+0x16d/0x1a0 /fs/namei.c:2541
 start_creating+0xc5/0x1d0 /fs/debugfs/inode.c:312
 __debugfs_create_file+0x65/0x3c0 /fs/debugfs/inode.c:357
 debugfs_create_file+0x5a/0x70 /fs/debugfs/inode.c:413
 do_blk_trace_setup+0x361/0xb50 /kernel/trace/blktrace.c:524
 __blk_trace_setup+0xe3/0x190 /kernel/trace/blktrace.c:571
 blk_trace_ioctl+0x170/0x300 /kernel/trace/blktrace.c:710
 blkdev_ioctl+0x126/0x1c1a /block/ioctl.c:592
 block_ioctl+0xee/0x130 /fs/block_dev.c:1918
 vfs_ioctl /fs/ioctl.c:46 [inline]
 file_ioctl /fs/ioctl.c:509 [inline]
 do_vfs_ioctl+0xdb6/0x13e0 /fs/ioctl.c:696
 ksys_ioctl+0xab/0xd0 /fs/ioctl.c:713
 __do_sys_ioctl /fs/ioctl.c:720 [inline]
 __se_sys_ioctl /fs/ioctl.c:718 [inline]
 __x64_sys_ioctl+0x73/0xb0 /fs/ioctl.c:718
 do_syscall_64+0xfd/0x6a0 /arch/x86/entry/common.c:296
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 0:
 save_stack+0x23/0x90 /mm/kasan/common.c:69
 set_track /mm/kasan/common.c:77 [inline]
 __kasan_slab_free+0x102/0x150 /mm/kasan/common.c:449
 kasan_slab_free+0xe/0x10 /mm/kasan/common.c:457
 __cache_free /mm/slab.c:3425 [inline]
 kmem_cache_free+0x86/0x310 /mm/slab.c:3693
 __d_free+0x20/0x30 /fs/dcache.c:271
 __rcu_reclaim /kernel/rcu/rcu.h:222 [inline]
 rcu_do_batch /kernel/rcu/tree.c:2114 [inline]
 rcu_core+0x66a/0x1470 /kernel/rcu/tree.c:2314
 rcu_core_si+0x9/0x10 /kernel/rcu/tree.c:2323
 __do_softirq+0x30d/0x970 /kernel/softirq.c:292

The buggy address belongs to the object at ffff8880aa0c42c0
 which belongs to the cache dentry of size 288
The buggy address is located 64 bytes inside of
 288-byte region [ffff8880aa0c42c0, ffff8880aa0c43e0)
The buggy address belongs to the page:
page:ffffea0002a83100 refcount:1 mapcount:0 mapping:ffff88821bc46540 index:0x0
flags: 0x1fffc0000000200(slab)
raw: 01fffc0000000200 ffffea0002250388 ffffea0002a81308 ffff88821bc46540
raw: 0000000000000000 ffff8880aa0c4000 000000010000000b 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880aa0c4200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880aa0c4280: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
>ffff8880aa0c4300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff8880aa0c4380: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
 ffff8880aa0c4400: fc fc fc fc fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (88):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2019/07/22 13:14 upstream c6dd78fcb8ee b3c615f5 .config console log report syz C ci-upstream-kasan-gce-root
2019/07/22 05:26 upstream abdfd52a295f 1656845f .config console log report syz C ci-upstream-kasan-gce
2019/06/24 10:27 upstream 241e39004581 472f0082 .config console log report syz C ci-upstream-kasan-gce-selinux-root
2019/06/23 22:04 upstream 241e39004581 472f0082 .config console log report syz C ci-upstream-kasan-gce-root
2018/12/02 02:54 upstream d8f190ee836a 5a581673 .config console log report syz C ci-upstream-kasan-gce-selinux-root
2018/12/02 02:40 upstream d8f190ee836a 5a581673 .config console log report syz C ci-upstream-kasan-gce
2018/12/02 02:38 upstream d8f190ee836a 5a581673 .config console log report syz C ci-upstream-kasan-gce-smack-root
2018/12/02 02:12 upstream d8f190ee836a 5a581673 .config console log report syz C ci-upstream-kasan-gce-root
2019/07/01 10:57 linux-next 48568d8c7f47 699d6448 .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2019/07/22 15:39 upstream c6dd78fcb8ee b3c615f5 .config console log report syz ci-upstream-kasan-gce-selinux-root
2019/07/22 08:21 upstream c6dd78fcb8ee b3c615f5 .config console log report syz ci-upstream-kasan-gce-smack-root
2019/06/24 13:44 upstream 241e39004581 472f0082 .config console log report syz ci-upstream-kasan-gce-smack-root
2019/06/23 18:39 upstream 241e39004581 472f0082 .config console log report syz ci-upstream-kasan-gce
2018/10/22 12:18 upstream 467e050e9760 ecb386fe .config console log report syz ci-upstream-kasan-gce-root
2018/10/20 16:31 upstream 270b77a0f30e ecb386fe .config console log report syz ci-upstream-kasan-gce-selinux-root
2018/10/21 19:03 linux-next 8c60c36d0b8c ecb386fe .config console log report syz ci-upstream-linux-next-kasan-gce-root
2020/01/19 20:11 upstream 8f8972a3127f 0342f8c7 .config console log report ci-upstream-kasan-gce-smack-root
2019/10/16 16:31 upstream 3b1f00aceb7a d4ea592f .config console log report ci-upstream-kasan-gce
2019/10/03 13:11 upstream 0f1a7b3fac05 fc17ba49 .config console log report ci-upstream-kasan-gce-selinux-root
2019/09/26 05:16 upstream f41def397161 24d405a3 .config console log report ci-upstream-kasan-gce-smack-root
2019/09/23 00:06 upstream f7c3bf8fa7e5 d96e88f3 .config console log report ci-upstream-kasan-gce
2019/09/15 20:11 upstream 1609d7604b84 32d59357 .config console log report ci-upstream-kasan-gce
2019/09/04 08:22 upstream 089cf7f6ecb2 12381952 .config console log report ci-upstream-kasan-gce
2019/09/03 16:51 upstream 089cf7f6ecb2 48448e71 .config console log report ci-upstream-kasan-gce
2019/08/18 15:34 upstream 8fde2832bd0b 55bf8926 .config console log report ci-upstream-kasan-gce-selinux-root
2019/08/14 20:43 upstream a8dba0531bc0 5576551b .config console log report ci-upstream-kasan-gce-selinux-root
2019/08/09 04:16 upstream ecb095bff5d4 ede31a9b .config console log report ci-upstream-kasan-gce-smack-root
2019/08/04 15:48 upstream d8778f13b73f 6affd8e8 .config console log report ci-upstream-kasan-gce
2019/08/03 21:06 upstream dcb8cfbd8fe9 6affd8e8 .config console log report ci-upstream-kasan-gce-root
2019/07/31 22:54 upstream 4010b622f1d2 c692b5bd .config console log report ci-upstream-kasan-gce
2019/07/29 12:10 upstream 609488bc979f c85e1c5b .config console log report ci-upstream-kasan-gce-selinux-root
2019/06/30 02:52 upstream 728254541ebc 7509bf36 .config console log report ci-upstream-kasan-gce-smack-root
2019/06/26 01:12 upstream 249155c20f9b 0a8d1a96 .config console log report ci-upstream-kasan-gce
2019/06/20 22:15 upstream abf02e2964b3 34bf9440 .config console log report ci-upstream-kasan-gce
2019/06/12 13:29 upstream aa7235483a83 794a1ad7 .config console log report ci-upstream-kasan-gce-selinux-root
2019/04/27 18:08 upstream baf76f0c58ae b617407b .config console log report ci-upstream-kasan-gce-selinux-root
2019/04/27 07:08 upstream baf76f0c58ae b617407b .config console log report ci-upstream-kasan-gce
2019/04/26 22:12 upstream d0473f978e61 b617407b .config console log report ci-upstream-kasan-gce
2019/04/26 06:23 upstream 8113a85f8720 b617407b .config console log report ci-upstream-kasan-gce
2019/04/25 14:59 upstream cd8dead0c394 8e3c52b1 .config console log report ci-upstream-kasan-gce-root
2019/04/24 05:42 upstream 7142eaa58b49 4d3d6a50 .config console log report ci-upstream-kasan-gce
2019/04/21 04:38 upstream 9e5de623a0cb b0e8efcb .config console log report ci-upstream-kasan-gce-selinux-root
2019/04/15 03:45 upstream dc4060a5dc25 505ab413 .config console log report ci-upstream-kasan-gce-selinux-root
2019/04/15 03:29 upstream dc4060a5dc25 505ab413 .config console log report ci-upstream-kasan-gce
2019/04/12 04:02 upstream 2d06b235815e 13030ef8 .config console log report ci-upstream-kasan-gce-smack-root
2019/04/12 02:57 upstream 2d06b235815e 13030ef8 .config console log report ci-upstream-kasan-gce-selinux-root
2019/03/25 17:39 upstream 8c2ffd917477 2c86e0a5 .config console log report ci-upstream-kasan-gce
2019/03/18 17:37 upstream 9e98c678c2d6 4656beca .config console log report ci-upstream-kasan-gce-root
2019/03/12 06:58 upstream a089e4fed5c5 12365b99 .config console log report ci-upstream-kasan-gce-root
2019/03/05 20:15 upstream 63bdf4284c38 16559f86 .config console log report ci-upstream-kasan-gce-selinux-root
2019/03/02 09:00 upstream a215ce8f0e00 1c0e457a .config console log report ci-upstream-kasan-gce
2019/02/22 21:57 upstream 6ee2846cb4e7 6a5fcca4 .config console log report ci-upstream-kasan-gce-selinux-root
2018/10/08 19:12 upstream 0854ba5ff5c9 8b311eaf .config console log report ci-upstream-kasan-gce-root
2019/08/29 14:48 upstream 6525771f58cb fd37b39e .config console log report ci-upstream-kasan-gce-386
2019/08/23 17:38 upstream e3fb13b7e47c 78ded196 .config console log report ci-upstream-kasan-gce-386
2019/08/10 13:21 upstream 7f20fd23377a acb51638 .config console log report ci-upstream-kasan-gce-386
2019/06/02 04:43 upstream 3ab4436f688c 53c81ea5 .config console log report ci-upstream-kasan-gce-386
2019/05/30 20:01 upstream bec7550cca10 d9aaf3c2 .config console log report ci-upstream-kasan-gce-386
2019/05/16 19:17 upstream 83f3ef3de625 f59a9cb5 .config console log report ci-upstream-kasan-gce-386
2019/04/14 03:28 upstream b60bc0665e6a c402d8f1 .config console log report ci-upstream-kasan-gce-386
2019/04/11 17:24 upstream 582549e3fbe1 13030ef8 .config console log report ci-upstream-kasan-gce-386
2019/09/04 21:15 linux-next 6d028043b55e 040fda58 .config console log report ci-upstream-linux-next-kasan-gce-root
2019/08/17 08:02 linux-next 0c3d3d648b3e 8fd428a1 .config console log report ci-upstream-linux-next-kasan-gce-root
2019/06/25 04:27 linux-next 9ffadb46f3db 82c13b6b .config console log report ci-upstream-linux-next-kasan-gce-root
2019/04/28 00:27 linux-next 3ddfa8af5dc9 b617407b .config console log report ci-upstream-linux-next-kasan-gce-root
2019/04/16 01:50 linux-next f9221a7a1014 505ab413 .config console log report ci-upstream-linux-next-kasan-gce-root
2019/03/27 14:20 linux-next a392ee45bae7 4e668495 .config console log report ci-upstream-linux-next-kasan-gce-root
2019/03/05 21:32 linux-next baf5a9d1f9b9 16559f86 .config console log report ci-upstream-linux-next-kasan-gce-root
2019/02/14 22:38 linux-next b3418f8bddf4 76dd003f .config console log report ci-upstream-linux-next-kasan-gce-root
2019/02/07 15:20 linux-next 1bd831d68d55 aa4feb03 .config console log report ci-upstream-linux-next-kasan-gce-root
* Struck through repros no longer work on HEAD.