Title | Replies (including bot) | Last reply |
---|---|---|
[syzbot] [crypto?] KASAN: use-after-free Read in crypto_poly1305_update | 1 (3) | 2025/02/18 22:05 |
syzbot |
sign-in | mailing list | source | docs |
Title | Replies (including bot) | Last reply |
---|---|---|
[syzbot] [crypto?] KASAN: use-after-free Read in crypto_poly1305_update | 1 (3) | 2025/02/18 22:05 |
bcachefs (loop0): Version upgrade required: Version upgrade from 0.19: freespace to 1.7: mi_btree_bitmap incomplete Doing incompatible version upgrade from 0.19: freespace to 1.20: directory_size running recovery passes: check_allocations,check_alloc_info,check_lrus,check_btree_backpointers,check_backpointers_to_extents,check_extents_to_backpointers,check_alloc_to_lru_refs,bucket_gens_init,check_snapshot_trees,check_snapshots,check_subvols,check_subvol_children,delete_dead_snapshots,check_inodes,check_extents,check_indirect_extents,check_dirents,check_xattrs,check_root,check_unreachable_inodes,check_subvolume_structure,check_directory_structure,check_nlinks,set_fs_needs_rebalance ================================================================== BUG: KASAN: use-after-free in crypto_poly1305_update+0x28/0x40 arch/x86/crypto/poly1305_glue.c:230 Read of size 8 at addr ffff8880722b7390 by task syz-executor360/5822 CPU: 1 UID: 0 PID: 5822 Comm: syz-executor360 Not tainted 6.14.0-rc3-syzkaller-00012-g2408a807bfc3 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0x169/0x550 mm/kasan/report.c:489 kasan_report+0x143/0x180 mm/kasan/report.c:602 kasan_check_range+0x282/0x290 mm/kasan/generic.c:189 __asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105 crypto_poly1305_update+0x28/0x40 arch/x86/crypto/poly1305_glue.c:230 bch2_checksum+0x5fa/0x780 fs/bcachefs/checksum.c:239 bch2_btree_node_read_done+0x1402/0x6180 fs/bcachefs/btree_io.c:1130 btree_node_read_work+0x6dc/0x1380 fs/bcachefs/btree_io.c:1358 bch2_btree_node_read+0x2433/0x29f0 __bch2_btree_root_read fs/bcachefs/btree_io.c:1789 [inline] bch2_btree_root_read+0x626/0x7b0 fs/bcachefs/btree_io.c:1811 read_btree_roots+0x3d3/0xa70 fs/bcachefs/recovery.c:581 bch2_fs_recovery+0x260f/0x3de0 fs/bcachefs/recovery.c:928 bch2_fs_start+0x37c/0x610 fs/bcachefs/super.c:1041 bch2_fs_get_tree+0xdb7/0x17a0 fs/bcachefs/fs.c:2203 vfs_get_tree+0x90/0x2b0 fs/super.c:1814 do_new_mount+0x2be/0xb40 fs/namespace.c:3560 do_mount fs/namespace.c:3900 [inline] __do_sys_mount fs/namespace.c:4111 [inline] __se_sys_mount+0x2d6/0x3c0 fs/namespace.c:4088 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fa91570a73a Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 5e 04 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fa9156c0088 EFLAGS: 00000282 ORIG_RAX: 00000000000000a5 RAX: ffffffffffffffda RBX: 00007fa9156c00a0 RCX: 00007fa91570a73a RDX: 0000400000000000 RSI: 0000400000000200 RDI: 00007fa9156c00a0 RBP: 0000400000000000 R08: 00007fa9156c00e0 R09: 000000000000f634 R10: 0000000002a08414 R11: 0000000000000282 R12: 0000400000000200 R13: 00007fa9156c00e0 R14: 0000000000000003 R15: 0000000002a08414 </TASK> The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x722b7 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000100 dead000000000122 0000000000000000 raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as freed page last allocated via order 0, migratetype Unmovable, gfp_mask 0xcc0(GFP_KERNEL), pid 1, tgid 1 (swapper/0), ts 14383469870, free_ts 15548215805 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x1f4/0x240 mm/page_alloc.c:1551 split_free_pages+0xe1/0x2d0 mm/page_alloc.c:6355 alloc_contig_range_noprof+0x10eb/0x1770 mm/page_alloc.c:6532 __alloc_contig_pages mm/page_alloc.c:6562 [inline] alloc_contig_pages_noprof+0x4b3/0x5c0 mm/page_alloc.c:6644 debug_vm_pgtable_alloc_huge_page+0xaf/0x100 mm/debug_vm_pgtable.c:1084 init_args+0x83b/0xb20 mm/debug_vm_pgtable.c:1266 debug_vm_pgtable+0xe4/0x590 mm/debug_vm_pgtable.c:1304 do_one_initcall+0x248/0x930 init/main.c:1257 do_initcall_level+0x157/0x210 init/main.c:1319 do_initcalls+0x71/0xd0 init/main.c:1335 kernel_init_freeable+0x435/0x5d0 init/main.c:1568 kernel_init+0x1d/0x2b0 init/main.c:1457 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 page last free pid 1 tgid 1 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1127 [inline] free_frozen_pages+0xe04/0x10e0 mm/page_alloc.c:2660 free_contig_range+0x14c/0x430 mm/page_alloc.c:6678 destroy_args+0x94/0x4b0 mm/debug_vm_pgtable.c:1017 debug_vm_pgtable+0x551/0x590 mm/debug_vm_pgtable.c:1397 do_one_initcall+0x248/0x930 init/main.c:1257 do_initcall_level+0x157/0x210 init/main.c:1319 do_initcalls+0x71/0xd0 init/main.c:1335 kernel_init_freeable+0x435/0x5d0 init/main.c:1568 kernel_init+0x1d/0x2b0 init/main.c:1457 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Memory state around the buggy address: ffff8880722b7280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff8880722b7300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff8880722b7380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff8880722b7400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff8880722b7480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ==================================================================
Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets (help?) | Manager | Title |
---|---|---|---|---|---|---|---|---|---|---|---|---|
2025/02/18 08:09 | upstream | 2408a807bfc3 | 429ea007 | .config | strace log | report | syz / log | C | [disk image] [vmlinux] [kernel image] [mounted in repro] | ci2-upstream-fs | KASAN: use-after-free Read in crypto_poly1305_update | |
2025/02/17 00:41 | upstream | ba643b6d8440 | 40a34ec9 | .config | console log | report | syz / log | C | [disk image (non-bootable)] [vmlinux] [kernel image] [mounted in repro] | ci-snapshot-upstream-root | KASAN: use-after-free Read in crypto_poly1305_update | |
2025/04/10 07:30 | upstream | 3b07108ada81 | 988b336c | .config | console log | report | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-snapshot-upstream-root | KASAN: use-after-free Read in crypto_poly1305_update | |||
2025/04/07 01:39 | upstream | 0af2f6be1b42 | 1c65791e | .config | console log | report | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-snapshot-upstream-root | KASAN: use-after-free Read in crypto_poly1305_update | |||
2025/03/30 10:05 | upstream | 93d52288679e | d3999433 | .config | console log | report | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-snapshot-upstream-root | KASAN: use-after-free Read in crypto_poly1305_update | |||
2025/03/28 22:58 | upstream | acb4f33713b9 | 9a1a9e31 | .config | console log | report | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-snapshot-upstream-root | KASAN: use-after-free Read in crypto_poly1305_update | |||
2025/03/27 03:09 | upstream | f6e0150b2003 | 20510e88 | .config | console log | report | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-snapshot-upstream-root | KASAN: use-after-free Read in crypto_poly1305_update | |||
2025/03/23 11:53 | upstream | 183601b78a9b | 4e8d3850 | .config | console log | report | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-snapshot-upstream-root | KASAN: use-after-free Read in crypto_poly1305_update | |||
2025/03/16 20:09 | upstream | cb82ca153949 | e2826670 | .config | console log | report | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-snapshot-upstream-root | KASAN: use-after-free Read in crypto_poly1305_update | |||
2025/03/11 04:09 | upstream | 4d872d51bc9d | 16256247 | .config | console log | report | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-snapshot-upstream-root | KASAN: use-after-free Read in crypto_poly1305_update | |||
2025/03/08 05:28 | upstream | 21e4543a2e2f | 7e3bd60d | .config | console log | report | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-snapshot-upstream-root | KASAN: use-after-free Read in crypto_poly1305_update | |||
2025/03/06 16:30 | upstream | 848e07631744 | 831e3629 | .config | console log | report | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-snapshot-upstream-root | KASAN: use-after-free Read in crypto_poly1305_update | |||
2025/03/02 11:05 | upstream | ece144f151ac | c3901742 | .config | console log | report | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-snapshot-upstream-root | KASAN: use-after-free Read in crypto_poly1305_update | |||
2025/03/01 08:45 | upstream | 276f98efb64a | 67cf5345 | .config | console log | report | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-snapshot-upstream-root | KASAN: use-after-free Read in crypto_poly1305_update | |||
2025/02/27 16:19 | upstream | dd83757f6e68 | 6a8fcbc4 | .config | console log | report | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-snapshot-upstream-root | KASAN: use-after-free Read in crypto_poly1305_update | |||
2025/02/26 12:54 | upstream | ac9c34d1e45a | d34966d1 | .config | console log | report | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-snapshot-upstream-root | KASAN: use-after-free Read in crypto_poly1305_update | |||
2025/02/21 05:22 | upstream | e9a8cac0bf89 | 0808a665 | .config | console log | report | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-snapshot-upstream-root | KASAN: use-after-free Read in crypto_poly1305_update | |||
2025/02/20 09:47 | upstream | 87a132e73910 | 50668798 | .config | console log | report | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-snapshot-upstream-root | KASAN: use-after-free Read in crypto_poly1305_update | |||
2025/02/17 00:15 | upstream | ba643b6d8440 | 40a34ec9 | .config | console log | report | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-snapshot-upstream-root | KASAN: use-after-free Read in crypto_poly1305_update | |||
2025/02/15 06:13 | upstream | 04f41cbf03ec | 40a34ec9 | .config | console log | report | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-snapshot-upstream-root | KASAN: use-after-free Read in crypto_poly1305_update |