syzbot


KASAN: use-after-free Read in do_blockdev_direct_IO

Status: upstream: reported C repro on 2019/10/19 11:48
Reported-by: syzbot+b5cf75aafe675a1200a2@syzkaller.appspotmail.com
First crash: 1702d, last: 1467d
Fix bisection the fix commit could be any of (bisect log):
  b98aebd29824 Linux 4.14.150
  56dfe6252c68 Linux 4.14.188
  
Last patch testing requests (2)
Created Duration User Patch Repo Result
2023/01/23 23:32 13m retest repro linux-4.14.y report log
2022/09/06 16:27 10m retest repro linux-4.14.y report log
Fix bisection attempts (8)
Created Duration User Patch Repo Result
2020/07/10 03:01 30m bisect fix linux-4.14.y job log (2)
2020/06/10 02:38 22m bisect fix linux-4.14.y job log (0) log
2020/05/11 02:11 24m bisect fix linux-4.14.y job log (0) log
2020/04/11 01:48 23m bisect fix linux-4.14.y job log (0) log
2020/03/12 01:23 25m bisect fix linux-4.14.y job log (0) log
2020/02/10 22:21 22m bisect fix linux-4.14.y job log (0) log
2020/01/11 21:56 22m bisect fix linux-4.14.y job log (0) log
2019/12/12 19:46 22m bisect fix linux-4.14.y job log (0) log

Sample crash report:
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
kauditd_printk_skb: 10 callbacks suppressed
audit: type=1400 audit(1571481878.347:36): avc:  denied  { map } for  pid=6857 comm="syz-executor638" path="/root/syz-executor638862518" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
==================================================================
BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:183 [inline]
BUG: KASAN: use-after-free in compound_head include/linux/page-flags.h:147 [inline]
BUG: KASAN: use-after-free in get_page include/linux/mm.h:833 [inline]
BUG: KASAN: use-after-free in submit_page_section fs/direct-io.c:890 [inline]
BUG: KASAN: use-after-free in do_direct_IO fs/direct-io.c:1097 [inline]
BUG: KASAN: use-after-free in do_blockdev_direct_IO+0x70c1/0x7fd0 fs/direct-io.c:1336
Read of size 8 at addr ffff8880a5940f08 by task syz-executor638/6857

CPU: 0 PID: 6857 Comm: syz-executor638 Not tainted 4.14.150 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x138/0x197 lib/dump_stack.c:53
 print_address_description.cold+0x7c/0x1dc mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report mm/kasan/report.c:409 [inline]
 kasan_report.cold+0xa9/0x2af mm/kasan/report.c:393
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:430
 __read_once_size include/linux/compiler.h:183 [inline]
 compound_head include/linux/page-flags.h:147 [inline]
 get_page include/linux/mm.h:833 [inline]
 submit_page_section fs/direct-io.c:890 [inline]
 do_direct_IO fs/direct-io.c:1097 [inline]
 do_blockdev_direct_IO+0x70c1/0x7fd0 fs/direct-io.c:1336
 __blockdev_direct_IO+0xa1/0xca fs/direct-io.c:1422
 ext4_direct_IO_write fs/ext4/inode.c:3703 [inline]
 ext4_direct_IO+0x70d/0x1890 fs/ext4/inode.c:3833
 generic_file_direct_write+0x1e7/0x430 mm/filemap.c:2949
 __generic_file_write_iter+0x2bc/0x5b0 mm/filemap.c:3128
 ext4_file_write_iter+0x2ac/0xe90 fs/ext4/file.c:268
 call_write_iter include/linux/fs.h:1777 [inline]
 do_iter_readv_writev+0x418/0x670 fs/read_write.c:675
 do_iter_write fs/read_write.c:954 [inline]
 do_iter_write+0x154/0x540 fs/read_write.c:935
 vfs_iter_write+0x77/0xb0 fs/read_write.c:967
 iter_file_splice_write+0x572/0xad0 fs/splice.c:749
 do_splice_from fs/splice.c:851 [inline]
 do_splice fs/splice.c:1147 [inline]
 SYSC_splice fs/splice.c:1402 [inline]
 SyS_splice+0xd92/0x1430 fs/splice.c:1382
 do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x440309
RSP: 002b:00007ffe6bef4568 EFLAGS: 00000246 ORIG_RAX: 0000000000000113
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440309
RDX: 0000000000000007 RSI: 0000000000000000 RDI: 0000000000000004
RBP: 00000000006ca018 R08: 00000000ffffffff R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401b90
R13: 0000000000401c20 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 6835:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x45/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc mm/kasan/kasan.c:551 [inline]
 kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:529
 kasan_slab_alloc+0xf/0x20 mm/kasan/kasan.c:489
 kmem_cache_alloc+0x12e/0x780 mm/slab.c:3552
 getname_kernel+0x53/0x350 fs/namei.c:218
 open_exec+0x18/0x70 fs/exec.c:877
 load_elf_binary+0x77c/0x4d60 fs/binfmt_elf.c:767
 search_binary_handler fs/exec.c:1638 [inline]
 search_binary_handler+0x149/0x6f0 fs/exec.c:1616
 exec_binprm fs/exec.c:1680 [inline]
 do_execveat_common.isra.0+0x1000/0x1dd0 fs/exec.c:1802
 do_execve fs/exec.c:1847 [inline]
 SYSC_execve fs/exec.c:1928 [inline]
 SyS_execve+0x39/0x50 fs/exec.c:1923
 do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

Freed by task 6835:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x45/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0x75/0xc0 mm/kasan/kasan.c:524
 __cache_free mm/slab.c:3496 [inline]
 kmem_cache_free+0x83/0x2b0 mm/slab.c:3758
 putname+0xdb/0x120 fs/namei.c:259
 open_exec+0x42/0x70 fs/exec.c:882
 load_elf_binary+0x77c/0x4d60 fs/binfmt_elf.c:767
 search_binary_handler fs/exec.c:1638 [inline]
 search_binary_handler+0x149/0x6f0 fs/exec.c:1616
 exec_binprm fs/exec.c:1680 [inline]
 do_execveat_common.isra.0+0x1000/0x1dd0 fs/exec.c:1802
 do_execve fs/exec.c:1847 [inline]
 SYSC_execve fs/exec.c:1928 [inline]
 SyS_execve+0x39/0x50 fs/exec.c:1923
 do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

The buggy address belongs to the object at ffff8880a59404c0
 which belongs to the cache names_cache of size 4096
The buggy address is located 2632 bytes inside of
 4096-byte region [ffff8880a59404c0, ffff8880a59414c0)
The buggy address belongs to the page:
page:ffffea0002965000 count:1 mapcount:0 mapping:ffff8880a59404c0 index:0x0 compound_mapcount: 0
flags: 0x1fffc0000008100(slab|head)
raw: 01fffc0000008100 ffff8880a59404c0 0000000000000000 0000000100000001
raw: ffffea000298b620 ffffea0001f73320 ffff8880aa9e0cc0 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880a5940e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880a5940e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880a5940f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                      ^
 ffff8880a5940f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880a5941000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (1):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2019/10/19 10:47 linux-4.14.y b98aebd29824 8c88c9c1 .config console log report syz C ci2-linux-4-14
* Struck through repros no longer work on HEAD.