syzbot


KASAN: use-after-free Read in generic_perform_write

Status: upstream: reported C repro on 2023/09/12 02:51
Bug presence: origin:lts-only
[Documentation on labels]
Reported-by: syzbot+cc11ec9ae925602af228@syzkaller.appspotmail.com
First crash: 395d, last: 29d
Bug presence (2)
Date Name Commit Repro Result
2024/05/01 linux-6.1.y (ToT) dcbc050cb0d3 C [report] INFO: rcu detected stall in corrupted
2024/05/01 upstream (ToT) 18daea77cca6 C Didn't crash
Similar bugs (6)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-5.15 KASAN: slab-out-of-bounds Read in generic_perform_write origin:upstream C error 27 4d16h 389d 0/3 upstream: reported C repro on 2023/09/17 14:11
upstream KASAN: slab-out-of-bounds Read in generic_perform_write hfs mm C inconclusive 10302 4h41m 382d 0/28 upstream: reported C repro on 2023/09/24 07:49
linux-4.14 KASAN: use-after-free Read in generic_perform_write (2) hfsplus jfs C error 20 623d 1041d 0/1 upstream: reported C repro on 2021/12/05 01:05
linux-4.14 KASAN: use-after-free Read in generic_perform_write 11 1246d 1475d 0/1 auto-closed as invalid on 2021/09/11 00:48
linux-4.19 KASAN: use-after-free Read in generic_perform_write hfsplus jfs C error 68 586d 1477d 0/1 upstream: reported C repro on 2020/09/24 08:55
upstream KASAN: use-after-free Read in generic_perform_write fs mm C error 73 1213d 2275d 0/28 auto-obsoleted due to no activity on 2023/04/14 08:17
Fix bisection attempts (2)
Created Duration User Patch Repo Result
2024/05/24 23:43 5h07m fix candidate upstream OK (1) job log
2023/09/17 05:26 7h40m fix candidate upstream OK (1) job log

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in copy_page_from_iter_atomic+0x872/0x1120 lib/iov_iter.c:820
Read of size 4096 at addr ffff888017247000 by task kworker/u4:0/3635

CPU: 0 PID: 3635 Comm: kworker/u4:0 Not tainted 6.1.86-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Workqueue: loop4 loop_workfn
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:284 [inline]
 print_report+0x15f/0x4f0 mm/kasan/report.c:395
 kasan_report+0x136/0x160 mm/kasan/report.c:495
 kasan_check_range+0x27f/0x290 mm/kasan/generic.c:189
 memcpy+0x25/0x60 mm/kasan/shadow.c:65
 copy_page_from_iter_atomic+0x872/0x1120 lib/iov_iter.c:820
 generic_perform_write+0x36c/0x5e0 mm/filemap.c:3825
 __generic_file_write_iter+0x176/0x400 mm/filemap.c:3945
 generic_file_write_iter+0xab/0x310 mm/filemap.c:3977
 do_iter_write+0x6e6/0xc50 fs/read_write.c:861
 lo_write_bvec drivers/block/loop.c:247 [inline]
 lo_write_simple drivers/block/loop.c:269 [inline]
 do_req_filebacked drivers/block/loop.c:493 [inline]
 loop_handle_cmd drivers/block/loop.c:1909 [inline]
 loop_process_work+0x13ff/0x2200 drivers/block/loop.c:1944
 process_one_work+0x8a9/0x11d0 kernel/workqueue.c:2292
 worker_thread+0xa47/0x1200 kernel/workqueue.c:2439
 kthread+0x28d/0x320 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
 </TASK>

The buggy address belongs to the physical page:
page:ffffea00005c91c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x17247
flags: 0xfff80000000000(node=0|zone=1|lastcpupid=0xfff)
raw: 00fff80000000000 ffffea000197b9c8 ffffea00005c9188 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x100dc0(GFP_USER|__GFP_ZERO), pid 5072, tgid 5072 (syz-executor161), ts 1094755394022, free_ts 1094799652130
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x18d/0x1b0 mm/page_alloc.c:2513
 prep_new_page mm/page_alloc.c:2520 [inline]
 get_page_from_freelist+0x31a1/0x3320 mm/page_alloc.c:4279
 __alloc_pages+0x28d/0x770 mm/page_alloc.c:5547
 lbmLogInit fs/jfs/jfs_logmgr.c:1816 [inline]
 lmLogInit+0x376/0x1c90 fs/jfs/jfs_logmgr.c:1270
 open_inline_log fs/jfs/jfs_logmgr.c:1175 [inline]
 lmLogOpen+0x552/0x1030 fs/jfs/jfs_logmgr.c:1069
 jfs_mount_rw+0xe3/0x640 fs/jfs/jfs_mount.c:253
 jfs_fill_super+0x67d/0xc40 fs/jfs/super.c:565
 mount_bdev+0x2c9/0x3f0 fs/super.c:1432
 legacy_get_tree+0xeb/0x180 fs/fs_context.c:632
 vfs_get_tree+0x88/0x270 fs/super.c:1562
 do_new_mount+0x2ba/0xb40 fs/namespace.c:3051
 do_mount fs/namespace.c:3394 [inline]
 __do_sys_mount fs/namespace.c:3602 [inline]
 __se_sys_mount+0x2d5/0x3c0 fs/namespace.c:3579
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x68/0xd2
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1440 [inline]
 free_pcp_prepare mm/page_alloc.c:1490 [inline]
 free_unref_page_prepare+0xf63/0x1120 mm/page_alloc.c:3358
 free_unref_page+0x33/0x3e0 mm/page_alloc.c:3453
 lbmLogShutdown fs/jfs/jfs_logmgr.c:1864 [inline]
 lmLogShutdown+0x4f8/0x960 fs/jfs/jfs_logmgr.c:1684
 lmLogClose+0x293/0x530 fs/jfs/jfs_logmgr.c:1460
 jfs_umount+0x298/0x370 fs/jfs/jfs_umount.c:116
 jfs_put_super+0x86/0x180 fs/jfs/super.c:194
 generic_shutdown_super+0x130/0x340 fs/super.c:501
 kill_block_super+0x7a/0xe0 fs/super.c:1459
 deactivate_locked_super+0xa0/0x110 fs/super.c:332
 cleanup_mnt+0x490/0x520 fs/namespace.c:1186
 task_work_run+0x246/0x300 kernel/task_work.c:179
 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
 exit_to_user_mode_loop+0xde/0x100 kernel/entry/common.c:177
 exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:210
 __syscall_exit_to_user_mode_work kernel/entry/common.c:292 [inline]
 syscall_exit_to_user_mode+0x60/0x270 kernel/entry/common.c:303
 do_syscall_64+0x47/0xb0 arch/x86/entry/common.c:87
 entry_SYSCALL_64_after_hwframe+0x68/0xd2

Memory state around the buggy address:
 ffff888017246f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888017246f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff888017247000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                   ^
 ffff888017247080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888017247100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

Crashes (25):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2024/04/15 09:05 linux-6.1.y cd5d98c0556c c8349e48 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-6-1-kasan KASAN: use-after-free Read in generic_perform_write
2024/04/02 04:24 linux-6.1.y e5cd595e23c1 6baf5069 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-6-1-kasan-arm64 KASAN: slab-out-of-bounds Read in generic_perform_write
2024/03/25 07:02 linux-6.1.y d7543167affd 0ea90952 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-6-1-kasan-arm64 KASAN: slab-out-of-bounds Read in generic_perform_write
2024/02/25 14:44 linux-6.1.y 81e1dc2f7001 8d446f15 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-6-1-kasan-arm64 KASAN: slab-out-of-bounds Read in generic_perform_write
2024/02/19 19:08 linux-6.1.y 8b4118fabd6e 3af7dd65 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-6-1-kasan-arm64 KASAN: slab-out-of-bounds Read in generic_perform_write
2024/02/18 23:20 linux-6.1.y 8b4118fabd6e 578f7538 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-6-1-kasan-arm64 KASAN: slab-out-of-bounds Read in generic_perform_write
2024/01/03 00:22 linux-6.1.y a507f147e6f0 fb427a07 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-6-1-kasan-arm64 KASAN: slab-out-of-bounds Read in generic_perform_write
2023/12/11 00:27 linux-6.1.y 6c6a6c7e211c 28b24332 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-6-1-kasan-arm64 KASAN: slab-out-of-bounds Read in generic_perform_write
2023/12/03 04:29 linux-6.1.y 6ac30d748bb0 f819d6f7 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-6-1-kasan-arm64 KASAN: slab-out-of-bounds Read in generic_perform_write
2023/09/14 17:39 linux-6.1.y 09045dae0d90 0b6a67ac .config console log report syz [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-6-1-kasan KASAN: use-after-free Read in generic_perform_write
2024/09/11 07:47 linux-6.1.y 5ca5b389fddf 8ab55d0e .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in generic_perform_write
2024/04/11 05:00 linux-6.1.y bf1e3b1cb1e0 33b9e058 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in generic_perform_write
2024/02/11 16:57 linux-6.1.y f1bb70486c9c 77b23aa1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in generic_perform_write
2023/09/12 02:50 linux-6.1.y 59b13c2b647e 59da8366 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in generic_perform_write
2024/01/21 13:22 linux-6.1.y 8fd7f4462453 9bd8dcda .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 KASAN: use-after-free Read in generic_perform_write
2023/11/05 11:14 linux-6.1.y 4a61839152cc 500bfdc4 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 KASAN: use-after-free Read in generic_perform_write
2024/06/06 16:35 linux-6.1.y 88690811da69 121701b6 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: slab-out-of-bounds Read in generic_perform_write
2024/05/23 00:33 linux-6.1.y 4078fa637fcd 4d098039 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: slab-out-of-bounds Read in generic_perform_write
2024/07/17 00:51 linux-6.1.y cac15753b8ce b66b37bd .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 KASAN: slab-out-of-bounds Read in generic_perform_write
2024/07/05 09:33 linux-6.1.y 7753af06eebf 2a40360c .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 KASAN: slab-out-of-bounds Read in generic_perform_write
2024/07/03 04:20 linux-6.1.y 99e6a620de00 1ecfa2d8 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 KASAN: slab-out-of-bounds Read in generic_perform_write
2024/05/28 16:40 linux-6.1.y 88690811da69 34889ee3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 KASAN: slab-out-of-bounds Read in generic_perform_write
2024/05/28 06:57 linux-6.1.y 88690811da69 f550015e .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 KASAN: slab-out-of-bounds Read in generic_perform_write
2024/05/04 02:46 linux-6.1.y 909ba1f1b414 610f2a54 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 KASAN: slab-out-of-bounds Read in generic_perform_write
2024/03/07 02:28 linux-6.1.y 61adba85cc40 f39a7eed .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 KASAN: slab-out-of-bounds Read in generic_perform_write
* Struck through repros no longer work on HEAD.