syzbot


KASAN: use-after-free Write in vma_put_file_ref

Status: auto-obsoleted due to no activity on 2023/05/17 19:35
Reported-by: syzbot+c3320a0afab5b6faf75d@syzkaller.appspotmail.com
First crash: 693d, last: 670d
Cause bisection: failed (error log, bisect log)
Fix bisection: fixed by (bisect log):
commit 47dbf249699049c4c4b9ac4deb77170663bcbbc1
Author: Mika Westerberg <mika.westerberg@linux.intel.com>
Date: Sun Nov 14 15:20:59 2021 +0000

  thunderbolt: Tear down existing tunnels when resuming from hibernate

Note: the bisected commit is a thunderbolt driver change, while the report below is entirely in the mm page-fault path (vma_put_file_ref called from do_user_addr_fault) and shows no thunderbolt frames. Treat this fix-bisection result as unreliable rather than as the actual fix.

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
BUG: KASAN: use-after-free in atomic_dec_and_test include/linux/atomic/atomic-instrumented.h:542 [inline]
BUG: KASAN: use-after-free in vma_put_file_ref+0x25/0x90 include/linux/mm.h:3397
Write of size 4 at addr ffff88811c41d1e8 by task syz-executor.2/16900

CPU: 0 PID: 16900 Comm: syz-executor.2 Not tainted 5.15.78-syzkaller-00911-gc73b4619ad86 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x151/0x1b7 lib/dump_stack.c:106
 print_address_description+0x87/0x3d0 mm/kasan/report.c:256
 __kasan_report mm/kasan/report.c:435 [inline]
 kasan_report+0x1a6/0x1f0 mm/kasan/report.c:452
 kasan_check_range+0x2aa/0x2e0 mm/kasan/generic.c:189
 __kasan_check_write+0x14/0x20 mm/kasan/shadow.c:37
 instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
 atomic_dec_and_test include/linux/atomic/atomic-instrumented.h:542 [inline]
 vma_put_file_ref+0x25/0x90 include/linux/mm.h:3397
 do_user_addr_fault+0xb69/0x1220 arch/x86/mm/fault.c:1379
 handle_page_fault arch/x86/mm/fault.c:1561 [inline]
 exc_page_fault+0x68/0x1a0 arch/x86/mm/fault.c:1617
 asm_exc_page_fault+0x27/0x30 arch/x86/include/asm/idtentry.h:568
RIP: 0033:0x7f0f677ecc1f
Code: 83 f8 04 0f 84 07 02 00 00 0f 87 9f 00 00 00 48 83 f8 01 75 49 48 8b 44 24 20 48 0b 44 24 28 0f 84 99 01 00 00 48 8b 44 24 10 <0f> b6 30 48 8b 04 24 48 85 c0 0f 84 6b 02 00 00 48 83 f8 01 0f 85
RSP: 002b:00007ffe192301b0 EFLAGS: 00010206
RAX: 0000000020000599 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 519bb7535d9ddbdc RSI: 0000000000000000 RDI: 00005555568812e8
RBP: 00007ffe192302a8 R08: 0000000000000000 R09: 0000000000000003
R10: 00007f0f673c5990 R11: 0000000000000246 R12: 00007f0f6796d12c
R13: 00007f0f673c1608 R14: 00007f0f6796d120 R15: 0000000000000002
 </TASK>

Allocated by task 16901:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track mm/kasan/common.c:45 [inline]
 set_alloc_info mm/kasan/common.c:433 [inline]
 __kasan_slab_alloc+0xb2/0xe0 mm/kasan/common.c:466
 kasan_slab_alloc include/linux/kasan.h:244 [inline]
 slab_post_alloc_hook mm/slab.h:550 [inline]
 slab_alloc_node mm/slub.c:3236 [inline]
 slab_alloc mm/slub.c:3244 [inline]
 kmem_cache_alloc+0x189/0x2f0 mm/slub.c:3249
 vm_area_alloc+0x24/0x130 kernel/fork.c:359
 mmap_region+0xb80/0x1af0 mm/mmap.c:1780
 do_mmap+0x785/0xe40 mm/mmap.c:1584
 vm_mmap_pgoff+0x1d4/0x420 mm/util.c:554
 ksys_mmap_pgoff+0x15d/0x1e0 mm/mmap.c:1633
 __do_sys_mmap arch/x86/kernel/sys_x86_64.c:93 [inline]
 __se_sys_mmap arch/x86/kernel/sys_x86_64.c:86 [inline]
 __x64_sys_mmap+0x103/0x120 arch/x86/kernel/sys_x86_64.c:86
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x61/0xcb

Freed by task 25:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track+0x4c/0x70 mm/kasan/common.c:45
 kasan_set_free_info+0x23/0x40 mm/kasan/generic.c:370
 ____kasan_slab_free+0x126/0x160 mm/kasan/common.c:365
 __kasan_slab_free+0x11/0x20 mm/kasan/common.c:373
 kasan_slab_free include/linux/kasan.h:220 [inline]
 slab_free_hook mm/slub.c:1721 [inline]
 slab_free_freelist_hook+0xc9/0x1a0 mm/slub.c:1747
 slab_free mm/slub.c:3515 [inline]
 kmem_cache_free+0x11a/0x2e0 mm/slub.c:3531
 ____vm_area_free kernel/fork.c:386 [inline]
 __vm_area_free+0x1c/0x20 kernel/fork.c:394
 rcu_do_batch+0x55b/0xbe0 kernel/rcu/tree.c:2509
 rcu_core+0x506/0x1000 kernel/rcu/tree.c:2749
 rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2762
 __do_softirq+0x27e/0x5dc kernel/softirq.c:565

Last potentially related work creation:
 kasan_save_stack+0x3b/0x60 mm/kasan/common.c:38
 __kasan_record_aux_stack+0xd3/0xf0 mm/kasan/generic.c:348
 kasan_record_aux_stack_noalloc+0xb/0x10 mm/kasan/generic.c:358
 __call_rcu kernel/rcu/tree.c:2993 [inline]
 call_rcu+0x140/0x1400 kernel/rcu/tree.c:3073
 vm_area_free+0x1e7/0x230 kernel/fork.c:406
 remove_vma mm/mmap.c:190 [inline]
 remove_vma_list mm/mmap.c:2638 [inline]
 __do_munmap+0x16ea/0x1ad0 mm/mmap.c:2914
 do_munmap mm/mmap.c:2922 [inline]
 munmap_vma_range mm/mmap.c:605 [inline]
 mmap_region+0x9ec/0x1af0 mm/mmap.c:1755
 do_mmap+0x785/0xe40 mm/mmap.c:1584
 vm_mmap_pgoff+0x1d4/0x420 mm/util.c:554
 ksys_mmap_pgoff+0x15d/0x1e0 mm/mmap.c:1633
 __do_sys_mmap arch/x86/kernel/sys_x86_64.c:93 [inline]
 __se_sys_mmap arch/x86/kernel/sys_x86_64.c:86 [inline]
 __x64_sys_mmap+0x103/0x120 arch/x86/kernel/sys_x86_64.c:86
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x61/0xcb

Second to last potentially related work creation:
 kasan_save_stack+0x3b/0x60 mm/kasan/common.c:38
 __kasan_record_aux_stack+0xd3/0xf0 mm/kasan/generic.c:348
 kasan_record_aux_stack_noalloc+0xb/0x10 mm/kasan/generic.c:358
 __call_rcu kernel/rcu/tree.c:2993 [inline]
 call_rcu+0x140/0x1400 kernel/rcu/tree.c:3073
 vm_area_free+0x1e7/0x230 kernel/fork.c:406
 remove_vma mm/mmap.c:190 [inline]
 remove_vma_list mm/mmap.c:2638 [inline]
 __do_munmap+0x16ea/0x1ad0 mm/mmap.c:2914
 do_munmap mm/mmap.c:2922 [inline]
 munmap_vma_range mm/mmap.c:605 [inline]
 mmap_region+0x9ec/0x1af0 mm/mmap.c:1755
 do_mmap+0x785/0xe40 mm/mmap.c:1584
 vm_mmap_pgoff+0x1d4/0x420 mm/util.c:554
 ksys_mmap_pgoff+0x15d/0x1e0 mm/mmap.c:1633
 __do_sys_mmap arch/x86/kernel/sys_x86_64.c:93 [inline]
 __se_sys_mmap arch/x86/kernel/sys_x86_64.c:86 [inline]
 __x64_sys_mmap+0x103/0x120 arch/x86/kernel/sys_x86_64.c:86
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x61/0xcb

The buggy address belongs to the object at ffff88811c41d128
 which belongs to the cache vm_area_struct of size 232
The buggy address is located 192 bytes inside of
 232-byte region [ffff88811c41d128, ffff88811c41d210)
The buggy address belongs to the page:
page:ffffea0004710740 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11c41d
flags: 0x4000000000000200(slab|zone=1)
raw: 4000000000000200 ffffea0004a4e540 0000000300000003 ffff888100274900
raw: 0000000000000000 00000000000d000d 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 318, ts 12946200565, free_ts 12946069531
 set_page_owner include/linux/page_owner.h:33 [inline]
 post_alloc_hook+0x1ab/0x1b0 mm/page_alloc.c:2495
 prep_new_page mm/page_alloc.c:2501 [inline]
 get_page_from_freelist+0x38b/0x400 mm/page_alloc.c:4281
 __alloc_pages+0x3a8/0x7c0 mm/page_alloc.c:5548
 allocate_slab+0x62/0x580 mm/slub.c:1928
 new_slab mm/slub.c:1991 [inline]
 ___slab_alloc+0x2e2/0x6f0 mm/slub.c:3024
 __slab_alloc+0x4a/0x90 mm/slub.c:3111
 slab_alloc_node mm/slub.c:3202 [inline]
 slab_alloc mm/slub.c:3244 [inline]
 kmem_cache_alloc+0x205/0x2f0 mm/slub.c:3249
 vm_area_alloc+0x24/0x130 kernel/fork.c:359
 mmap_region+0xb80/0x1af0 mm/mmap.c:1780
 do_mmap+0x785/0xe40 mm/mmap.c:1584
 vm_mmap_pgoff+0x1d4/0x420 mm/util.c:554
 ksys_mmap_pgoff+0xed/0x1e0 mm/mmap.c:1633
 __do_sys_mmap arch/x86/kernel/sys_x86_64.c:93 [inline]
 __se_sys_mmap arch/x86/kernel/sys_x86_64.c:86 [inline]
 __x64_sys_mmap+0x103/0x120 arch/x86/kernel/sys_x86_64.c:86
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x61/0xcb
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:26 [inline]
 free_pages_prepare mm/page_alloc.c:1364 [inline]
 free_pcp_prepare+0x448/0x450 mm/page_alloc.c:1435
 free_unref_page_prepare mm/page_alloc.c:3433 [inline]
 free_unref_page+0x9c/0x370 mm/page_alloc.c:3513
 free_the_page mm/page_alloc.c:706 [inline]
 __free_pages+0xd8/0x100 mm/page_alloc.c:5621
 free_pages+0x7c/0x90 mm/page_alloc.c:5632
 tlb_batch_list_free mm/mmu_gather.c:61 [inline]
 tlb_finish_mmu+0x123/0x1f0 mm/mmu_gather.c:343
 unmap_region+0x327/0x370 mm/mmap.c:2679
 __do_munmap+0x1468/0x1ad0 mm/mmap.c:2911
 __vm_munmap mm/mmap.c:2934 [inline]
 __do_sys_munmap+0x15e/0x280 mm/mmap.c:2960
 __se_sys_munmap mm/mmap.c:2956 [inline]
 __x64_sys_munmap+0x5b/0x70 mm/mmap.c:2956
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x61/0xcb

Memory state around the buggy address:
 ffff88811c41d080: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
 ffff88811c41d100: fc fc fc fc fc fa fb fb fb fb fb fb fb fb fb fb
>ffff88811c41d180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                          ^
 ffff88811c41d200: fb fb fc fc fc fc fc fc fc fc fa fb fb fb fb fb
 ffff88811c41d280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
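
The report above reduces to a handful of facts that decide how it is triaged. The Python helper below is an added example, not syzbot's or the kernel's code: it parses a trimmed copy of this page's report (embedded as constructed input) and pulls out the access kind and width, the real (non-inlined) faulting frame, the slab cache and in-object offset cross-checked against the printed addresses, the allocating and freeing PIDs, whether the free ran from an RCU callback, and which path queued that deferred free. The section-header strings and the list of KASAN/SLUB "plumbing" files are assumptions about this kernel's KASAN output format, taken from the report itself.

```python
"""Triage a KASAN slab report (added example; not syzbot's or the kernel's code).
Extracts what a triager reads first: access kind and width, the faulting frame, cache
and in-object offset, allocating/freeing tasks, and whether the free ran from an RCU
callback (a use-vs-deferred-free race rather than a double free)."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed input: a trimmed copy of the report above (the kept lines are unchanged).
SAMPLE_REPORT = """\
==================================================================
BUG: KASAN: use-after-free in atomic_dec_and_test include/linux/atomic/atomic-instrumented.h:542 [inline]
BUG: KASAN: use-after-free in vma_put_file_ref+0x25/0x90 include/linux/mm.h:3397
Write of size 4 at addr ffff88811c41d1e8 by task syz-executor.2/16900

Allocated by task 16901:
 kmem_cache_alloc+0x189/0x2f0 mm/slub.c:3249
 vm_area_alloc+0x24/0x130 kernel/fork.c:359
 mmap_region+0xb80/0x1af0 mm/mmap.c:1780

Freed by task 25:
 __kasan_slab_free+0x11/0x20 mm/kasan/common.c:373
 kmem_cache_free+0x11a/0x2e0 mm/slub.c:3531
 __vm_area_free+0x1c/0x20 kernel/fork.c:394
 rcu_do_batch+0x55b/0xbe0 kernel/rcu/tree.c:2509

Last potentially related work creation:
 call_rcu+0x140/0x1400 kernel/rcu/tree.c:3073
 vm_area_free+0x1e7/0x230 kernel/fork.c:406
 __do_munmap+0x16ea/0x1ad0 mm/mmap.c:2914
 mmap_region+0x9ec/0x1af0 mm/mmap.c:1755

The buggy address belongs to the object at ffff88811c41d128
 which belongs to the cache vm_area_struct of size 232
The buggy address is located 192 bytes inside of
 232-byte region [ffff88811c41d128, ffff88811c41d210)
==================================================================
"""

_BUG = re.compile(r"^BUG: KASAN: (?P<bug>[\w-]+) in (?P<sym>[A-Za-z_]\w*)"
                  r"(?:\+0x[0-9a-f]+/0x[0-9a-f]+)? \S+(?P<inline> \[inline\])?$", re.M)
_ACCESS = re.compile(r"^(?P<acc>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)"
                     r" by task (?P<task>\S+)/(?P<pid>\d+)$", re.M)
_FRAME = re.compile(r"^\s*(?P<sym>[A-Za-z_]\w*)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)? (?P<path>\S+?):\d+")
# Files that are KASAN/SLUB plumbing rather than the code that owned the object.
_PLUMBING = ("mm/kasan/", "mm/slub", "mm/slab", "include/linux/kasan")


def _stack(text: str, header: str) -> List[Tuple[str, str]]:
    """(symbol, file) pairs of the stack printed under a section header."""
    lines = text.splitlines()
    start = next((i for i, l in enumerate(lines) if l.startswith(header)), None)
    frames: List[Tuple[str, str]] = []
    for line in (lines[start + 1:] if start is not None else []):
        if not line.strip():
            break
        m = _FRAME.match(line)
        if m:
            frames.append((m.group("sym"), m.group("path")))
    return frames


def _int(pattern: str, text: str, base: int = 10) -> Optional[int]:
    m = re.search(pattern, text, re.M)
    return int(m.group(1), base) if m else None


def triage(report: str) -> Dict[str, object]:
    """Reduce a KASAN slab report to the facts that decide its bug class."""
    bugs, acc = list(_BUG.finditer(report)), _ACCESS.search(report)
    if not bugs or not acc:
        raise ValueError("not a KASAN report")
    # The first BUG: line without [inline] names the real (non-inlined) faulting frame.
    fault = next((m for m in bugs if not m.group("inline")), bugs[-1])
    addr = int(acc.group("addr"), 16)
    base = _int(r"belongs to the object at ([0-9a-f]+)", report, 16)
    offset = _int(r"is located (\d+) bytes inside of", report)
    cache = re.search(r"belongs to the cache (\S+) of size (\d+)", report)
    alloc, freed = _stack(report, "Allocated by task"), _stack(report, "Freed by task")
    work = _stack(report, "Last potentially related work creation:")
    # Whatever sits below the last kernel/rcu/ frame is the path that queued the deferred free.
    last_rcu = max((i for i, (_, p) in enumerate(work) if p.startswith("kernel/rcu/")), default=-1)
    return {
        "bug": bugs[0].group("bug"), "fault_frame": fault.group("sym"),
        "access": acc.group("acc"), "size": int(acc.group("size")), "addr": addr,
        "pid": int(acc.group("pid")),
        "cache": cache.group(1) if cache else None,
        "object_size": int(cache.group(2)) if cache else None,
        "offset": offset,
        # KASAN prints the offset separately from the addresses; check that they agree.
        "offset_consistent": base is not None and offset is not None and addr - base == offset,
        "alloc_pid": _int(r"^Allocated by task (\d+):", report),
        "free_pid": _int(r"^Freed by task (\d+):", report),
        "alloc_frames": [s for s, p in alloc if not p.startswith(_PLUMBING)],
        "free_frames": [s for s, p in freed if not p.startswith(_PLUMBING)],
        # A free from an RCU callback means the owner dropped the object earlier; the
        # faulting user reached it without a reference that survives that drop.
        "free_via_rcu": any(p.startswith("kernel/rcu/") for _, p in freed),
        "free_scheduled_by": [s for s, _ in work[last_rcu + 1:]],
    }
```

Calling triage(SAMPLE_REPORT) on this report brings out the shape that matters: the freeing task (pid 25, a softirq context running rcu_do_batch) is neither the allocator (pid 16901) nor the faulting task (pid 16900); the free was deferred with call_rcu from __do_munmap, itself called inside mmap_region (an mmap replacing an existing mapping); and the page-fault path then decremented a counter 192 bytes into the dead vm_area_struct. That is the usual signature of a lockless reader reaching a VMA without a reference that outlives munmap, not of a double free, which is where a fix should be looked for.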

Crashes (2):

Time: 2022/12/28 21:11
  Kernel: android13-5.15-lts, commit c73b4619ad86, syzkaller 44712fbc
  Artifacts: .config, console log, report, syz repro (no C repro), disk image, vmlinux, kernel image
  Manager: ci2-android-5-15
  Title: KASAN: use-after-free Write in vma_put_file_ref

Time: 2023/01/21 11:21
  Kernel: android13-5.15-lts, commit 72d681a01da5, syzkaller cc0f9968
  Artifacts: .config, console log, report, VM info, disk image, vmlinux, kernel image (no repro)
  Manager: ci2-android-5-15
  Title: KASAN: use-after-free Write in vma_put_file_ref

* Struck-through repros no longer work on HEAD.