syzbot


KASAN: use-after-free Read in p9_client_clunk

Status: upstream: reported C repro on 2019/04/20 00:12
Reported-by: syzbot+cf09ac84eeb8ec9efd46@syzkaller.appspotmail.com
First crash: 2078d, last: 662d
Fix bisection: failed (error log, bisect log)

Sample crash report:
 SYSC_mount fs/namespace.c:3121 [inline]
 SyS_mount+0xa8/0x120 fs/namespace.c:3098
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x5e/0xd3
9pnet: Found fid 0 not clunked
==================================================================
BUG: KASAN: use-after-free in p9_client_clunk+0x1fc/0x240 net/9p/client.c:1503
Read of size 8 at addr ffff8880ae6e1f00 by task syz-executor613/8454

CPU: 1 PID: 8454 Comm: syz-executor613 Not tainted 4.14.300-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b2/0x281 lib/dump_stack.c:58
 print_address_description.cold+0x54/0x1d3 mm/kasan/report.c:252
 kasan_report_error.cold+0x8a/0x191 mm/kasan/report.c:351
 kasan_report mm/kasan/report.c:409 [inline]
 __asan_report_load8_noabort+0x68/0x70 mm/kasan/report.c:430
 p9_client_clunk+0x1fc/0x240 net/9p/client.c:1503
 v9fs_mount+0x69f/0x860 fs/9p/vfs_super.c:200
 mount_fs+0x92/0x2a0 fs/super.c:1237
 vfs_kern_mount.part.0+0x5b/0x470 fs/namespace.c:1046
 vfs_kern_mount fs/namespace.c:1036 [inline]
 do_new_mount fs/namespace.c:2572 [inline]
 do_mount+0xe65/0x2a30 fs/namespace.c:2905
 SYSC_mount fs/namespace.c:3121 [inline]
 SyS_mount+0xa8/0x120 fs/namespace.c:3098
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x5e/0xd3

Allocated by task 8454:
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc+0xeb/0x160 mm/kasan/kasan.c:551
 kmem_cache_alloc_trace+0x131/0x3d0 mm/slab.c:3618
 kmalloc include/linux/slab.h:488 [inline]
 kzalloc include/linux/slab.h:661 [inline]
 p9_fid_create+0x47/0x360 net/9p/client.c:918
 p9_client_attach+0x6d/0x750 net/9p/client.c:1156
 v9fs_session_init+0xc03/0x1540 fs/9p/v9fs.c:471
 v9fs_mount+0x73/0x860 fs/9p/vfs_super.c:135
 mount_fs+0x92/0x2a0 fs/super.c:1237
 vfs_kern_mount.part.0+0x5b/0x470 fs/namespace.c:1046
 vfs_kern_mount fs/namespace.c:1036 [inline]
 do_new_mount fs/namespace.c:2572 [inline]
 do_mount+0xe65/0x2a30 fs/namespace.c:2905
 SYSC_mount fs/namespace.c:3121 [inline]
 SyS_mount+0xa8/0x120 fs/namespace.c:3098
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x5e/0xd3

Freed by task 8454:
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0xc3/0x1a0 mm/kasan/kasan.c:524
 __cache_free mm/slab.c:3496 [inline]
 kfree+0xc9/0x250 mm/slab.c:3815
 p9_client_destroy.cold+0x67/0xaa net/9p/client.c:1119
 v9fs_session_close+0x45/0x2c0 fs/9p/v9fs.c:511
 v9fs_kill_super+0x49/0x90 fs/9p/vfs_super.c:233
 deactivate_locked_super+0x6c/0xd0 fs/super.c:319
 sget_userns+0x9c4/0xc10 fs/super.c:537
 sget+0xd1/0x110 fs/super.c:572
 v9fs_mount+0x9e/0x860 fs/9p/vfs_super.c:141
 mount_fs+0x92/0x2a0 fs/super.c:1237
 vfs_kern_mount.part.0+0x5b/0x470 fs/namespace.c:1046
 vfs_kern_mount fs/namespace.c:1036 [inline]
 do_new_mount fs/namespace.c:2572 [inline]
 do_mount+0xe65/0x2a30 fs/namespace.c:2905
 SYSC_mount fs/namespace.c:3121 [inline]
 SyS_mount+0xa8/0x120 fs/namespace.c:3098
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x5e/0xd3

The buggy address belongs to the object at ffff8880ae6e1f00
 which belongs to the cache kmalloc-96 of size 96
The buggy address is located 0 bytes inside of
 96-byte region [ffff8880ae6e1f00, ffff8880ae6e1f60)
The buggy address belongs to the page:
page:ffffea0002b9b840 count:1 mapcount:0 mapping:ffff8880ae6e1000 index:0x0
flags: 0xfff00000000100(slab)
raw: 00fff00000000100 ffff8880ae6e1000 0000000000000000 0000000100000020
raw: ffffea0002cd4220 ffffea00027dcca0 ffff88813fe744c0 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880ae6e1e00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
 ffff8880ae6e1e80: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
>ffff8880ae6e1f00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
                   ^
 ffff8880ae6e1f80: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
 ffff8880ae6e2000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (291):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2022/11/27 21:53 linux-4.14.y 179ef7fe8677 f4470a7b .config console log report syz C [disk image] [vmlinux] [kernel image] ci2-linux-4-14 KASAN: use-after-free Read in p9_client_clunk
2022/07/31 16:35 linux-4.14.y b641242202ed fef302b1 .config console log report syz C ci2-linux-4-14 KASAN: use-after-free Read in p9_client_clunk
2019/04/21 08:45 linux-4.14.y 68d7a45eec10 b0e8efcb .config console log report syz C ci2-linux-4-14
2019/04/20 00:30 linux-4.14.y 58b454ebf81e b0e8efcb .config console log report syz ci2-linux-4-14
2023/03/06 01:39 linux-4.14.y 7878a41b6cc1 f8902b57 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-4-14 KASAN: use-after-free Read in p9_client_clunk
2023/01/01 00:15 linux-4.14.y c4215ee4771b ab32d508 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-4-14 KASAN: use-after-free Read in p9_client_clunk
2022/11/27 21:05 linux-4.14.y 179ef7fe8677 f4470a7b .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-4-14 KASAN: use-after-free Read in p9_client_clunk
2022/09/23 10:56 linux-4.14.y 4edbf74132a4 0042f2b4 .config console log report info [disk image] [vmlinux] ci2-linux-4-14 KASAN: use-after-free Read in p9_client_clunk
2022/09/19 06:23 linux-4.14.y 5df8b4735177 dd9a85ff .config console log report info [disk image] [vmlinux] ci2-linux-4-14 KASAN: use-after-free Read in p9_client_clunk
2022/09/07 10:08 linux-4.14.y 65640c873dcf 5fc30c37 .config console log report info [disk image] [vmlinux] ci2-linux-4-14 KASAN: use-after-free Read in p9_client_clunk
2022/08/23 09:32 linux-4.14.y b641242202ed 26a13b38 .config console log report info ci2-linux-4-14 KASAN: use-after-free Read in p9_client_clunk
2022/07/31 16:22 linux-4.14.y b641242202ed fef302b1 .config console log report info ci2-linux-4-14 KASAN: use-after-free Read in p9_client_clunk
2021/12/11 14:32 linux-4.14.y c01d4d1b885d 49ca1f59 .config console log report info ci2-linux-4-14 KASAN: use-after-free Read in p9_client_clunk
2021/05/16 14:05 linux-4.14.y 7d7d1c0ab3eb f54a5c09 .config console log report info ci2-linux-4-14 KASAN: use-after-free Read in p9_client_clunk
2021/05/12 01:06 linux-4.14.y 7d7d1c0ab3eb b3c3bb8e .config console log report info ci2-linux-4-14 KASAN: use-after-free Read in p9_client_clunk
2021/05/11 00:39 linux-4.14.y 7d7d1c0ab3eb ca873091 .config console log report info ci2-linux-4-14 KASAN: use-after-free Read in p9_client_clunk
2021/05/10 23:22 linux-4.14.y 7d7d1c0ab3eb ca873091 .config console log report info ci2-linux-4-14 KASAN: use-after-free Read in p9_client_clunk
2021/04/15 01:47 linux-4.14.y 958e517f4e16 fcdb12ba .config console log report info ci2-linux-4-14 KASAN: use-after-free Read in p9_client_clunk
2021/04/09 13:56 linux-4.14.y 0cc244011f40 6a81331a .config console log report info ci2-linux-4-14 KASAN: use-after-free Read in p9_client_clunk
2021/04/01 06:50 linux-4.14.y bd634aa64163 6a81331a .config console log report info ci2-linux-4-14 KASAN: use-after-free Read in p9_client_clunk
2021/03/29 08:18 linux-4.14.y 670d6552eda8 a8529b82 .config console log report info ci2-linux-4-14 KASAN: use-after-free Read in p9_client_clunk
2021/03/17 10:36 linux-4.14.y c7150cd2fa8c fdb2bb2c .config console log report info ci2-linux-4-14 KASAN: use-after-free Read in p9_client_clunk
2021/03/08 11:36 linux-4.14.y 1d177c0872ab 09fbf400 .config console log report info ci2-linux-4-14 KASAN: use-after-free Read in p9_client_clunk
2021/02/28 21:18 linux-4.14.y 3242aa3a635c 4c37c133 .config console log report info ci2-linux-4-14 KASAN: use-after-free Read in p9_client_clunk
2021/02/22 11:06 linux-4.14.y 29c52025152b a659b3f1 .config console log report info ci2-linux-4-14 KASAN: use-after-free Read in p9_client_clunk
2021/02/19 20:53 linux-4.14.y 29c52025152b f689d40a .config console log report info ci2-linux-4-14 KASAN: use-after-free Read in p9_client_clunk
2021/02/19 06:19 linux-4.14.y 2c8a3fceddf0 14052202 .config console log report info ci2-linux-4-14 KASAN: use-after-free Read in p9_client_clunk
2021/01/24 09:59 linux-4.14.y 2d2791fce891 52e37319 .config console log report info ci2-linux-4-14 KASAN: use-after-free Read in p9_client_clunk
2021/01/22 05:55 linux-4.14.y 2762b48e9611 d4f4eca5 .config console log report info ci2-linux-4-14 KASAN: use-after-free Read in p9_client_clunk
2021/01/19 10:07 linux-4.14.y 2762b48e9611 63631df1 .config console log report info ci2-linux-4-14 KASAN: use-after-free Read in p9_client_clunk
2021/01/16 00:51 linux-4.14.y f79dc86058bc 65a7a854 .config console log report info ci2-linux-4-14
2021/01/13 07:04 linux-4.14.y f79dc86058bc 0cdd6185 .config console log report info ci2-linux-4-14
2021/01/02 10:36 linux-4.14.y 1752938529c6 79264ae3 .config console log report info ci2-linux-4-14
2021/01/01 08:07 linux-4.14.y 1752938529c6 79264ae3 .config console log report info ci2-linux-4-14
2020/12/16 18:45 linux-4.14.y 3f2ecb86cb90 649595c6 .config console log report info ci2-linux-4-14
2020/12/16 09:55 linux-4.14.y 3f2ecb86cb90 649595c6 .config console log report info ci2-linux-4-14
2020/12/09 04:37 linux-4.14.y 47cbf4cc32db 40cc414d .config console log report info ci2-linux-4-14
2020/12/05 13:01 linux-4.14.y c196b3a9c83a 0ef84591 .config console log report info ci2-linux-4-14
2020/11/29 06:02 linux-4.14.y 87335852c5d9 a0092f9d .config console log report info ci2-linux-4-14
2020/11/24 07:13 linux-4.14.y 0df445b0f0da 1ab681a4 .config console log report info ci2-linux-4-14
2020/11/19 05:38 linux-4.14.y 8961076ed318 0767f13f .config console log report info ci2-linux-4-14
2020/11/18 12:12 linux-4.14.y 27ce4f2a6817 09323409 .config console log report info ci2-linux-4-14
2020/11/15 04:59 linux-4.14.y 27ce4f2a6817 1bf9a662 .config console log report info ci2-linux-4-14
2020/11/15 01:37 linux-4.14.y 27ce4f2a6817 1bf9a662 .config console log report info ci2-linux-4-14
2020/11/14 17:41 linux-4.14.y 27ce4f2a6817 1bf9a662 .config console log report info ci2-linux-4-14
2020/11/09 13:12 linux-4.14.y 6b6446efedb2 cba33199 .config console log report info ci2-linux-4-14
2020/10/31 19:23 linux-4.14.y 2b7915014161 8bc4594f .config console log report info ci2-linux-4-14
2019/04/19 23:12 linux-4.14.y 58b454ebf81e b0e8efcb .config console log report ci2-linux-4-14
* Struck through repros no longer work on HEAD.