syzbot


KASAN: use-after-free Read in generic_perform_write

Status: upstream: reported C repro on 2020/09/24 08:55
Subsystems: hfsplus jfs
Reported-by: syzbot+ab73f0a75a218956b10e@syzkaller.appspotmail.com
First crash: 1395d, last: 503d
Fix bisection: failed
  
Similar bugs (6)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-5.15 KASAN: slab-out-of-bounds Read in generic_perform_write origin:upstream C error 22 22h42m 307d 0/3 upstream: reported C repro on 2023/09/17 14:11
upstream KASAN: slab-out-of-bounds Read in generic_perform_write hfs mm C inconclusive 10262 6d02h 300d 0/27 upstream: reported C repro on 2023/09/24 07:49
linux-6.1 KASAN: use-after-free Read in generic_perform_write origin:lts-only C unreliable 24 3d18h 312d 0/3 upstream: reported C repro on 2023/09/12 02:51
linux-4.14 KASAN: use-after-free Read in generic_perform_write (2) hfsplus jfs C error 20 540d 958d 0/1 upstream: reported C repro on 2021/12/05 01:05
linux-4.14 KASAN: use-after-free Read in generic_perform_write 11 1163d 1393d 0/1 auto-closed as invalid on 2021/09/11 00:48
upstream KASAN: use-after-free Read in generic_perform_write fs mm C error 73 1130d 2193d 0/27 auto-obsoleted due to no activity on 2023/04/14 08:17

Sample crash report:
==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:377 [inline]
BUG: KASAN: slab-out-of-bounds in memcpy_from_page+0x8c/0x120 lib/iov_iter.c:453
Read of size 2048 at addr ffff8880ac5ce080 by task loop0/8111

CPU: 0 PID: 8111 Comm: loop0 Not tainted 4.19.211-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
 print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
 kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354
 kasan_report+0x8f/0xa0 mm/kasan/report.c:412
 memcpy+0x20/0x50 mm/kasan/kasan.c:302
 memcpy include/linux/string.h:377 [inline]
 memcpy_from_page+0x8c/0x120 lib/iov_iter.c:453
 iov_iter_copy_from_user_atomic+0x701/0xaa0 lib/iov_iter.c:929
 generic_perform_write+0x265/0x4d0 mm/filemap.c:3178
 __generic_file_write_iter+0x24b/0x610 mm/filemap.c:3295
 generic_file_write_iter+0x3f8/0x730 mm/filemap.c:3323
 call_write_iter include/linux/fs.h:1821 [inline]
 do_iter_readv_writev+0x668/0x790 fs/read_write.c:681
 do_iter_write+0x182/0x5d0 fs/read_write.c:960
 vfs_iter_write+0x70/0xa0 fs/read_write.c:973
 lo_write_bvec+0x141/0x370 drivers/block/loop.c:274
 lo_write_simple drivers/block/loop.c:296 [inline]
 do_req_filebacked drivers/block/loop.c:619 [inline]
 loop_handle_cmd drivers/block/loop.c:1926 [inline]
 loop_queue_work+0xa1c/0x20c0 drivers/block/loop.c:1940
 kthread_worker_fn+0x292/0x730 kernel/kthread.c:700
 kthread+0x33f/0x460 kernel/kthread.c:259
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415

Allocated by task 8110:
 __do_kmalloc mm/slab.c:3727 [inline]
 __kmalloc+0x15a/0x3c0 mm/slab.c:3736
 kmalloc include/linux/slab.h:520 [inline]
 hfsplus_read_wrapper+0x2c7/0xf00 fs/hfsplus/wrapper.c:177
 hfsplus_fill_super+0x30a/0x19e0 fs/hfsplus/super.c:413
 mount_bdev+0x2fc/0x3b0 fs/super.c:1158
 mount_fs+0xa3/0x310 fs/super.c:1261
 vfs_kern_mount.part.0+0x68/0x470 fs/namespace.c:961
 vfs_kern_mount fs/namespace.c:951 [inline]
 do_new_mount fs/namespace.c:2492 [inline]
 do_mount+0x115c/0x2f50 fs/namespace.c:2822
 ksys_mount+0xcf/0x130 fs/namespace.c:3038
 __do_sys_mount fs/namespace.c:3052 [inline]
 __se_sys_mount fs/namespace.c:3049 [inline]
 __x64_sys_mount+0xba/0x150 fs/namespace.c:3049
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 6374:
 __cache_free mm/slab.c:3503 [inline]
 kfree+0xcc/0x210 mm/slab.c:3822
 kernfs_fop_release+0x120/0x190 fs/kernfs/file.c:783
 __fput+0x2ce/0x890 fs/file_table.c:278
 task_work_run+0x148/0x1c0 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:193 [inline]
 exit_to_usermode_loop+0x251/0x2a0 arch/x86/entry/common.c:167
 prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
 do_syscall_64+0x538/0x620 arch/x86/entry/common.c:296
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff8880ac5ce080
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 0 bytes inside of
 512-byte region [ffff8880ac5ce080, ffff8880ac5ce280)
The buggy address belongs to the page:
page:ffffea0002b17380 count:1 mapcount:0 mapping:ffff88813bff0940 index:0xffff8880ac5ce800
flags: 0xfff00000000100(slab)
raw: 00fff00000000100 ffffea0002bb28c8 ffffea0002b0d6c8 ffff88813bff0940
raw: ffff8880ac5ce800 ffff8880ac5ce080 0000000100000005 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880ac5ce180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8880ac5ce200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8880ac5ce280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                   ^
 ffff8880ac5ce300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880ac5ce380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (68):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2023/01/24 09:34 linux-4.19.y 3f8a27f9e27b 9dfcf09c .config console log report syz C [disk image] [vmlinux] [mounted in repro] ci2-linux-4-19 KASAN: slab-out-of-bounds Read in generic_perform_write
2022/11/26 14:52 linux-4.19.y 3f8a27f9e27b f4470a7b .config console log report syz C [disk image] [vmlinux] [mounted in repro] ci2-linux-4-19 KASAN: slab-out-of-bounds Read in generic_perform_write
2023/02/26 16:10 linux-4.19.y 3f8a27f9e27b ee50e71c .config console log report syz [disk image] [vmlinux] [mounted in repro] ci2-linux-4-19 KASAN: use-after-free Read in generic_perform_write
2023/01/31 21:33 linux-4.19.y 3f8a27f9e27b b68fb8d6 .config console log report syz [disk image] [vmlinux] [mounted in repro] ci2-linux-4-19 KASAN: use-after-free Read in generic_perform_write
2022/12/11 14:26 linux-4.19.y 3f8a27f9e27b 67be1ae7 .config console log report syz [disk image] [vmlinux] [mounted in repro #1] [mounted in repro #2] ci2-linux-4-19 KASAN: use-after-free Read in generic_perform_write
2022/11/11 14:26 linux-4.19.y 3f8a27f9e27b f42ee5d8 .config console log report syz [disk image] [vmlinux] [mounted in repro] ci2-linux-4-19 KASAN: use-after-free Read in generic_perform_write
2022/10/30 09:56 linux-4.19.y 3f8a27f9e27b 2a71366b .config console log report syz [disk image] [vmlinux] [mounted in repro] ci2-linux-4-19 KASAN: use-after-free Read in generic_perform_write
2022/10/06 14:41 linux-4.19.y 3f8a27f9e27b 2c6543ad .config console log report syz [disk image] [vmlinux] [mounted in repro] ci2-linux-4-19 KASAN: use-after-free Read in generic_perform_write
2022/10/04 22:06 linux-4.19.y 3f8a27f9e27b eab8f949 .config console log report syz [disk image] [vmlinux] [mounted in repro] ci2-linux-4-19 KASAN: use-after-free Read in generic_perform_write
2022/09/26 04:34 linux-4.19.y 3f8a27f9e27b 0042f2b4 .config console log report syz ci2-linux-4-19 KASAN: use-after-free Read in generic_perform_write
2022/04/17 17:36 linux-4.19.y 3f8a27f9e27b 8bcc32a6 .config console log report syz ci2-linux-4-19 KASAN: use-after-free Read in generic_perform_write
2023/03/05 01:42 linux-4.19.y 3f8a27f9e27b f8902b57 .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in generic_perform_write
2023/02/25 01:18 linux-4.19.y 3f8a27f9e27b ee50e71c .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in generic_perform_write
2023/02/20 11:10 linux-4.19.y 3f8a27f9e27b bcdf85f8 .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in generic_perform_write
2023/02/19 14:17 linux-4.19.y 3f8a27f9e27b bcdf85f8 .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in generic_perform_write
2023/02/16 06:26 linux-4.19.y 3f8a27f9e27b 6be0f1f5 .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in generic_perform_write
2023/02/13 03:43 linux-4.19.y 3f8a27f9e27b 93e26d60 .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in generic_perform_write
2023/02/10 10:48 linux-4.19.y 3f8a27f9e27b 07980f9d .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in generic_perform_write
2023/01/11 06:13 linux-4.19.y 3f8a27f9e27b 48bc529a .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in generic_perform_write
2022/12/31 10:01 linux-4.19.y 3f8a27f9e27b ab32d508 .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in generic_perform_write
2022/12/30 23:20 linux-4.19.y 3f8a27f9e27b ab32d508 .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in generic_perform_write
2022/12/13 06:37 linux-4.19.y 3f8a27f9e27b 67be1ae7 .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in generic_perform_write
2022/12/08 18:18 linux-4.19.y 3f8a27f9e27b 1034e5fa .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in generic_perform_write
2022/11/15 02:23 linux-4.19.y 3f8a27f9e27b 97de9cfc .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in generic_perform_write
2022/11/15 00:18 linux-4.19.y 3f8a27f9e27b 97de9cfc .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in generic_perform_write
2022/10/31 01:40 linux-4.19.y 3f8a27f9e27b 2a71366b .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in generic_perform_write
2022/10/30 08:28 linux-4.19.y 3f8a27f9e27b 2a71366b .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in generic_perform_write
2022/10/25 18:32 linux-4.19.y 3f8a27f9e27b 45645420 .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in generic_perform_write
2022/10/15 06:57 linux-4.19.y 3f8a27f9e27b 67cb024c .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in generic_perform_write
2022/10/12 04:00 linux-4.19.y 3f8a27f9e27b 02b6492e .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in generic_perform_write
2022/10/08 00:08 linux-4.19.y 3f8a27f9e27b 79a59635 .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in generic_perform_write
2022/10/06 02:49 linux-4.19.y 3f8a27f9e27b 2c6543ad .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in generic_perform_write
2022/07/15 00:53 linux-4.19.y 3f8a27f9e27b 5d921b08 .config console log report info ci2-linux-4-19 KASAN: use-after-free Read in generic_perform_write
2022/06/11 10:09 linux-4.19.y 3f8a27f9e27b 0d5abf15 .config console log report info ci2-linux-4-19 KASAN: use-after-free Read in generic_perform_write
2022/05/29 12:32 linux-4.19.y 3f8a27f9e27b a46af346 .config console log report info ci2-linux-4-19 KASAN: use-after-free Read in generic_perform_write
2022/04/22 23:55 linux-4.19.y 3f8a27f9e27b 131df97d .config console log report info ci2-linux-4-19 KASAN: use-after-free Read in generic_perform_write
2022/04/17 06:38 linux-4.19.y 3f8a27f9e27b 8bcc32a6 .config console log report info ci2-linux-4-19 KASAN: use-after-free Read in generic_perform_write
2022/04/09 22:58 linux-4.19.y 3f8a27f9e27b e22c3da3 .config console log report info ci2-linux-4-19 KASAN: use-after-free Read in generic_perform_write
2022/02/20 01:49 linux-4.19.y 3f8a27f9e27b 3cd800e4 .config console log report info ci2-linux-4-19 KASAN: use-after-free Read in generic_perform_write
2022/01/31 09:52 linux-4.19.y 3f8a27f9e27b a491ad2d .config console log report info ci2-linux-4-19 KASAN: use-after-free Read in generic_perform_write
2022/01/30 17:11 linux-4.19.y 3f8a27f9e27b 495e00c5 .config console log report info ci2-linux-4-19 KASAN: use-after-free Read in generic_perform_write
2021/12/07 05:16 linux-4.19.y 3f8a27f9e27b 0230ba3e .config console log report info ci2-linux-4-19 KASAN: use-after-free Read in generic_perform_write
2021/12/06 16:53 linux-4.19.y 3f8a27f9e27b 579a8754 .config console log report info ci2-linux-4-19 KASAN: use-after-free Read in generic_perform_write
2021/11/20 14:57 linux-4.19.y 3f8a27f9e27b 4eb20a4e .config console log report info ci2-linux-4-19 KASAN: use-after-free Read in generic_perform_write
2021/11/19 05:56 linux-4.19.y 3f8a27f9e27b 31a30fc0 .config console log report info ci2-linux-4-19 KASAN: use-after-free Read in generic_perform_write
2021/11/12 13:04 linux-4.19.y 3f8a27f9e27b 75b04091 .config console log report info ci2-linux-4-19 KASAN: use-after-free Read in generic_perform_write
2021/11/09 13:27 linux-4.19.y 3f8a27f9e27b 59bcaf9a .config console log report info ci2-linux-4-19 KASAN: use-after-free Read in generic_perform_write
2021/11/06 19:02 linux-4.19.y 3f8a27f9e27b 4c1be0be .config console log report info ci2-linux-4-19 KASAN: use-after-free Read in generic_perform_write
2021/11/05 01:31 linux-4.19.y 3f8a27f9e27b 4c1be0be .config console log report info ci2-linux-4-19 KASAN: use-after-free Read in generic_perform_write
2021/10/10 15:07 linux-4.19.y e34184f53363 838e7e2c .config console log report info ci2-linux-4-19 KASAN: use-after-free Read in generic_perform_write
2021/09/07 15:02 linux-4.19.y b172b44fcb17 6ca60148 .config console log report info ci2-linux-4-19 KASAN: use-after-free Read in generic_perform_write
2021/06/17 17:14 linux-4.19.y eb575cd5d7f6 aba2b2fb .config console log report info ci2-linux-4-19 KASAN: use-after-free Read in generic_perform_write
2021/06/03 23:16 linux-4.19.y 1722257b8ece 0740de69 .config console log report info ci2-linux-4-19 KASAN: use-after-free Read in generic_perform_write
2021/05/25 12:38 linux-4.19.y 1e986fe9ad15 3c7fef33 .config console log report info ci2-linux-4-19 KASAN: use-after-free Read in generic_perform_write
2021/05/11 16:20 linux-4.19.y 3c8c23092588 ca873091 .config console log report info ci2-linux-4-19 KASAN: use-after-free Read in generic_perform_write
2021/03/27 09:45 linux-4.19.y 78fec1611cbf a8529b82 .config console log report info ci2-linux-4-19 KASAN: use-after-free Read in generic_perform_write
2021/03/18 18:51 linux-4.19.y ac3af4beac43 7216542e .config console log report info ci2-linux-4-19 KASAN: use-after-free Read in generic_perform_write
2021/03/14 10:38 linux-4.19.y 030194a5b292 4a003785 .config console log report info ci2-linux-4-19 KASAN: use-after-free Read in generic_perform_write
2021/03/07 13:07 linux-4.19.y 2cae3e25b706 c599ed12 .config console log report info ci2-linux-4-19 KASAN: use-after-free Read in generic_perform_write
2021/02/01 02:39 linux-4.19.y 811218eceeaa fc9fd31e .config console log report info ci2-linux-4-19 KASAN: use-after-free Read in generic_perform_write
2021/01/31 23:13 linux-4.19.y 811218eceeaa fc9fd31e .config console log report info ci2-linux-4-19 KASAN: use-after-free Read in generic_perform_write
2021/06/22 08:47 linux-4.19.y eb575cd5d7f6 aba2b2fb .config console log report info ci2-linux-4-19 KASAN: slab-out-of-bounds Read in generic_perform_write
2021/01/08 02:30 linux-4.19.y 4143d798313f c104d4a3 .config console log report info ci2-linux-4-19
2020/12/28 17:49 linux-4.19.y 13d2ce42de8c 8259d56c .config console log report info ci2-linux-4-19
2020/12/26 18:11 linux-4.19.y 13d2ce42de8c 821e0b09 .config console log report info ci2-linux-4-19
2020/12/12 22:56 linux-4.19.y 13d2ce42de8c bca53db9 .config console log report info ci2-linux-4-19
2020/10/19 09:13 linux-4.19.y ad326970d25c ff4a3345 .config console log report info ci2-linux-4-19
2020/09/24 08:54 linux-4.19.y d09b80172c22 54289b08 .config console log report info ci2-linux-4-19
* Struck through repros no longer work on HEAD.